• View the access log

    See if there’s a file upload (POST method):

    IPREMOVED - - [01/Mar/2013:06:16:48 -0600] "POST/uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"  
    IPREMOVED - - [01/Mar/2013:06:12:58 -0600] "POST/public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"  

    The default log format for nginx is:

    access_log logs/access.log  
    access_log logs/access.log combined  

    Find files containing malicious php code

    Find the recent changes in the php file

    • find . -type f -name '*.php' -mtime -7  

      -type f means that the normal search of normal files
      -mtime -7 that 7 * 24 hours to modify the file

    The results may be as follows:


    Find out if there is any suspected code in the file

    find . -type f -name '*.php' | xargs grep -l "eval *(" --color  
    find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color  
    find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color  
    find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color 

    Note: Many commands do not support pipelining parameters, but in fact need this, so it used the xargs command, the command can be used to pipe transmission parameters; grep-l said that only contains a string of file names, if removed – L The contents of the line matching the specified string are displayed

    The meaning of several special strings:

    • eval() The string in accordance with the PHP code to implement, is the most common php Trojans
    • base64_decode() Will be the base64 string decoding, attack time payload is base64 encoding, then this function is useless
    • gzinflate() The string decompression processing, when the attack with gzdeflate payload compression, the use of this function for decompression
    • str_rot13() The string is encoded with rot13

    Regular expressions can also be used to search for documents, can find code:

    find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) *("  
    The following explains webshell commonly used functions:
    • mail() Can be used to send spam to the site user
    • fsockopen() Open a network connection or a Unix socket connection that can be used to send remote requests for payload
    • pfsockopen() And fsockopen () role similar
    • exec() Command execution function
    • system() With the exec ()
    • passthru() With the exec ()
    • stream_socket_client() To establish a remote connection, examples are as follows:
    $fp = stream_socket_client("tcp://www.example.com:80", $errno, $errstr, 30);  
    if (!$fp) {  
        echo "$errstr ($errno)<br />\n";  
    } else {  
        fwrite($fp, "GET / HTTP/1.0\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n");  
        while (!feof($fp)) {  
            echo fgets($fp, 1024);  
    • preg_replace()When the regular expression is modified by the modifier “e”, the replacement string needs to be executed in accordance with the php code before the substitution. This also needs to be taken into account. In this case,
    find . -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color  

    Compares the code file

    This situation requires a clean code, the code and the code being used to compare. E.g

    diff -r wordpress-clean/ wordpress-compromised/ -x wp-content

    The above example compares wordpress-clean / and wordpress-comprised directories, and the directory wp-content / subdirectory does not compare.

    Search for writable directories

    Look at the list of whether there are suspicious files, the following script to find the permissions for the 777 directory exists php file

    writable_dirs=$(find $search_dir -type d -perm 0777)  
    for dir in $writable_dirs  
            #echo $dir
            find $dir -type f -name '*.php'

    Hackers often insert jpg php code in the document, so when inquiries in these directories have to query jpg files:

    find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php

    Note: -iname said the file name is not case-sensitive, grep-i also said that case-insensitive

    The iframe tag is detected

    Hackers often do is to embed iframe tags, so you can view the source code of the page, and search for the existence of iframe tags, you can use the following command:

    grep -i '<iframe' mywebsite.txt

    For dynamically generated pages can be used ff of Live HTTP Headers plug-in, and then downloaded to the source to find out whether the presence of iframe tag

    Finds if there is a sensitive string in the database

    Including% base64 _%,% eval (% <and so on some of the above-mentioned keywords

    0x07 Examine the .htaccess file

    Whether it contains auto_prepend_file and auto_append_file, use the following command

    find . -type f -name '\.htaccess' | xargs grep -i auto_prepend_file  
    find . -type f -name '\.htaccess' | xargs grep -i auto_append_file

    Auto_prepend_file role is to load the current script file before loading the php script auto_append_file role is to load the current script file, and then load the php script. Hackers if so modified. Htaccess file, you can access. Htaccess directory php script, you want to load the load on the malicious script.

    Htaccess file can also be used to hijack the traffic to the site to the hacker’s Web site,

    RewriteCond %{HTTP_USER_AGENT}^.*hacker.*$  
    Rewriterule ^(.*)$ http://www.hacker.com/muma.php [R=301]