查找是否存在后门脚本
后门文件大致落地时间 2025-01-16 15:14:05（访问日志中可见 2025-01-17 10:06 来自 45.204.8.167 对 /hplfuns.php 的请求）
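# List every regular file named hplfuns.php under the current tree.
# -type f keeps directories/symlinks out of the result; -ls prints owner, mode,
# size and mtime in one go, which is the first thing needed for the timeline
# (which account wrote the shell, and when) before anything is removed.
find . -type f -name "hplfuns.php" -ls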
查找并删除（删除前先保留副本和哈希作为取证证据，并记录路径与时间戳）
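# Quarantine a copy of every hplfuns.php (path, mode and mtime preserved via cp -a)
# and record its hash BEFORE deleting, so the evidence and IOCs survive the cleanup.
# -type f keeps directories/symlinks out of cp/rm; xargs -r does nothing on an empty
# match; "--" stops rm/cp from treating odd filenames as options.
quarantine=$(mktemp -d /tmp/ir-hplfuns.XXXXXX) || exit 1
find . -type f -name "hplfuns.php" -print0 | xargs -0 -r cp -a --parents -t "$quarantine" --
find "$quarantine" -type f -exec sha256sum {} +
find . -type f -name "hplfuns.php" -print0 | xargs -0 -r rm -vf --
# /tmp is not long-term evidence storage: move the quarantine directory off-box afterwards.
echo "quarantined copies in $quarantine"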
检查所有 index.php 是否被插入混淆代码（乱码），视情况修复（建议用干净的发行包或备份整体覆盖，而不是手工删改）
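# index.php files that call error_reporting: injected shells typically silence
# errors, so a hit in a file that normally has none is worth a manual look.
# `{} +` batches many files into one grep; -H/-n keep file:line in the output;
# "--" protects against a filename that starts with "-".
find . -type f -name "index.php" -exec grep -Hn -- "error_reporting" {} +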
同时显示修改时间（stat 只对 grep 命中的文件执行）
# Same index.php sweep, but also print the mtime of every file grep matched in.
# find's -exec acts as a test: the stat runs only when the preceding grep exited 0,
# so files without "error_reporting" produce no timestamp line.
find . -name "index.php" -type f \
  -exec grep -Hn "error_reporting" {} \; \
  -exec stat --format="%y %n" {} \;
30 天内修改过的 .php 文件（注意 mtime 可被 touch 伪造，最好同时检查 ctime）
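# Recently changed PHP files that silence errors (a common webshell trait).
# mtime is trivially forged (touch -r), so a recent ctime is accepted as well:
# ctime cannot be set from user space, and a file whose mtime is far older than
# its ctime is a timestomping tell, hence both are printed.
# -F treats the pattern literally; stat runs only for files where grep matched.
find . -type f -name "*.php" \( -mtime -30 -o -ctime -30 \) \
  -exec grep -HnF -- "error_reporting(0)" {} \; \
  -exec stat --format="mtime=%y ctime=%z %n" {} \;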
结果（注意 chuying50 下随机命名的插件目录 0x5oFSRBaxEEW4WLAIJz80 本身很可能是攻击者放入的，应整体检查而不只删其中的 hplfuns.php）
./chuying50/wp-content/plugins/0x5oFSRBaxEEW4WLAIJz80/src/ui/hplfuns.php
./edu.nuws.cn/template/hplfuns.php
./edu.nuws.cn/web/hplfuns.php
./edu.nuws.cn/install/hplfuns.php
./edu.nuws.cn/enter/hplfuns.php
./edu.nuws.cn/hplfuns.php
./bank.alizzy.com/web/hplfuns.php
./bank.alizzy.com/app/hplfuns.php
./bank.alizzy.com/hplfuns.php
./tuoke.nuws.cn/public/hplfuns.php
./tuoke.nuws.cn/hplfuns.php
./5bj.alizzy.com/hplfuns.php
./51mn.alizzy.com/hplfuns.php
./study.nuws.cn/public/hplfuns.php
./study.nuws.cn/hplfuns.php
后门文件关键词（可用 grep -rF 在整个站点目录检索）
public/hplfuns.php
public/index.php
BiaoJiOk
来源 IP（建议在防火墙/WAF 封禁，并在所有站点的访问日志中检索该 IP 的其他请求）
45.204.8.167
访问日志（GET /hplfuns.php?ARRAY=… 返回 200 且有响应体，说明后门已被访问并执行过）
45.204.8.167 - - [17/Jan/2025:10:06:04 +0800] "GET /hplfuns.php?ARRAY=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 HTTP/2.0" 200 36 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
部分后门文件（以下 cache.php 位于 uploads、images 等通常不应含 PHP 的目录，mtime 均晚于 1 月 16 日，需逐个确认）
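# Recently changed PHP files that silence errors (a common webshell trait).
# mtime is trivially forged (touch -r), so a recent ctime is accepted as well:
# ctime cannot be set from user space, and a file whose mtime is far older than
# its ctime is a timestomping tell, hence both are printed.
# -F treats the pattern literally; stat runs only for files where grep matched.
find . -type f -name "*.php" \( -mtime -30 -o -ctime -30 \) \
  -exec grep -HnF -- "error_reporting(0)" {} \; \
  -exec stat --format="mtime=%y ctime=%z %n" {} \;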
./chuying50/wp-content/uploads/2023/02/02/cache.php:2:error_reporting(0);
2025-02-08 09:33:40.998788882 +0800 ./chuying50/wp-content/uploads/2023/02/02/cache.php
./chuying50/wordpress/wordpress/cache.php:2:error_reporting(0);
2025-02-05 22:52:42.998908379 +0800 ./chuying50/wordpress/wordpress/cache.php
./chuying50/wp-admin/images/images/cache.php:2:error_reporting(0);
2025-02-05 14:04:23.998735469 +0800 ./chuying50/wp-admin/images/images/cache.php
./chuying50/wp-includes/blocks/image/image/cache.php:2:error_reporting(0);
2025-02-01 15:30:23.999686009 +0800 ./chuying50/wp-includes/blocks/image/image/cache.php
./chuying50/images/images/cache.php:2:error_reporting(0);
2025-01-29 19:37:42.936836253 +0800 ./chuying50/images/images/cache.php
./chuying50/style2.php:220: error_reporting(0);
2025-01-22 16:39:46.395890655 +0800 ./chuying50/style2.php