PHP木马查杀文件,木马查杀插件

将以下文件保存为 scan.php 并上传到网站的根目录,然后用浏览器访问该文件即可。注意:脚本里的 WEBSCAN_KEY 是校验扫描请求的唯一凭据,本页公开的值不应原样用于线上站点;扫描结束后请把该文件从网站目录删除。

<?php
// Shared secret compared against the POSTed `key` before any action is accepted.
// NOTE(review): this value is published together with the script, so it cannot
// act as a secret; a deployment presumably needs its own key - confirm with the
// scanning service.
const WEBSCAN_KEY = "4996c09effad40fcbdcdaaf1f589895a";

// Timestamps reported for flagged files are formatted in GMT.
date_default_timezone_set('GMT');

// Keep PHP errors out of the HTTP response.
ini_set('display_errors', '0');
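/**
 * POST-driven scanner that greps PHP files under the current directory for
 * webshell indicators and reports the hits to a remote collector.
 *
 * A request is honoured only when it carries `action`, `task` and a `key` equal
 * to WEBSCAN_KEY; anything else just prints the version banner.
 *
 * Data flow to keep in mind when deploying: every matched source line, the file
 * name, its MD5, size and mtime, plus WEBSCAN_KEY itself, are POSTed to
 * $webscan_url, which is a plain http:// address. Matched lines may contain
 * credentials or other sensitive code, and they travel unencrypted.
 */
class scan{
    // Root of the recursive listing.
    private $directory = '.';
    // Extensions that get scanned (compared case-insensitively). Extensions the web
    // server may also hand to PHP (for example .phtml) are not in this default list.
    private $extension = array('php');
    private $_files = array();
    // Once more than this many files are collected, further directories are skipped
    // without notice, so a very large tree is only partially scanned.
    private $filelimit = 5000;
    private $scan_hidden = true;
    // Never assigned in this class, so the self-exclusion test in wants_file() is
    // inert and the scanner reports its own file. If it is ever populated, compare
    // full paths rather than base names: excluding by base name would also skip any
    // other file that happens to share the scanner's name.
    private $_self = '';
    // Indicator pattern, wrapped in "/.../i" by findstr(). The escapes (\/ \$ \. \s \()
    // are restored here: without them the pattern does not compile and no file can
    // ever match.
    private $_regex ='(preg_replace.*\/e|`.*?\$.*?`|create_function|passthru|shell_exec|exec|base64_decode|edoced_46esab|eval|system|proc_open|popen|curl_exec|curl_multi_exec|parse_ini_file|show_source|cmd\.exe|KAdot@ngs\.ru|小组专用大马|提权|PHP\s?反弹|shell\s?加强版|WScript\.shell|PHP\s?Shell|Eval\sPHP\sCode|Udp1-fsockopen|xxddos|Send\sFlow|fsockopen\("(udp|tcp)|SYN\sFlood)';
    // Matched lines of the file currently being analysed, keyed by 1-based line
    // number. Must start as an array: indexing into '' would build a padded string.
    private $_shellcode=array();
    private $_shellcode_line=array();
    private $_log_array= array();
    private $_log_count=0;
    // Collector endpoint; note the plain-HTTP scheme.
    private $webscan_url="http://safe.webscan.360.cn/webshell/upload";
    private $action='';
    private $taskid=0;
    // Directory (with trailing separator) for the lock file and the write probe.
    private $_tmp='';

    /**
     * Reads the request and picks a writable scratch directory.
     *
     * The action and task are accepted only together with a matching key; all three
     * must be plain strings, which rejects array-valued POST fields.
     */
    public function __construct(){
        $action = isset($_POST['action']) ? $_POST['action'] : null;
        $task = isset($_POST['task']) ? $_POST['task'] : null;
        $key = isset($_POST['key']) ? $_POST['key'] : null;

        if (is_string($action) && is_string($task) && is_string($key) && $this->key_matches($key)) {
            $this->action = $action;
            $this->taskid = $task;
        }

        if (is_writable('./')) {
            $this->_tmp='./';
        }
        elseif (is_writable(sys_get_temp_dir())) {
            $tmp = sys_get_temp_dir();
            $last = substr($tmp, -1);
            $this->_tmp = ($last=='/'||$last=='\\') ? $tmp : $tmp.'/';
        }
    }

    /**
     * Compares a submitted key with WEBSCAN_KEY.
     *
     * Uses hash_equals() where the runtime provides it so the comparison time does
     * not depend on how many leading characters match.
     *
     * @param string $candidate key taken from the request
     * @return bool
     */
    private function key_matches($candidate) {
        if (function_exists('hash_equals')) {
            return hash_equals(WEBSCAN_KEY, $candidate);
        }
        return WEBSCAN_KEY === $candidate;
    }

    /**
     * Probes whether $path can be written by actually opening it.
     *
     * A path ending in "/" is treated as a directory and probed through a uniquely
     * named temporary file inside it. A file created only for the probe is removed.
     *
     * @param string $path file path, or directory path ending in "/"
     * @return bool
     */
    private function is__writable($path) {
        if (substr($path, -1)=='/') {
            return $this->is__writable($path.uniqid(mt_rand()).'.tmp');
        }

        if (file_exists($path)) {
            $f = @fopen($path, 'r+');
            if (!$f) {
                return false;
            }
            fclose($f);
            return true;
        }

        $f = @fopen($path, 'w');
        if (!$f) {
            return false;
        }
        fclose($f);
        @unlink($path);
        return true;
    }

    /**
     * Marks a scan as running by writing the lock file that start() checks.
     */
    private function ck_state(){
        $a=@fopen($this->_tmp.'scan_lock.tmp', 'w+');
        if ($a === false) {
            return;
        }
        fwrite($a, "scannig");
        fclose($a);
    }

    /**
     * Clears the lock file and tells the collector the task has finished.
     *
     * The file is truncated before it is unlinked so that a failed unlink still
     * leaves a lock that no longer reads as "running".
     */
    public function del_state(){
        $a=@fopen($this->_tmp.'scan_lock.tmp', 'w+');
        if ($a !== false) {
            fwrite($a, '');
            fclose($a);
        }
        @unlink($this->_tmp.'scan_lock.tmp');
        $this->post($this->webscan_url,array('state'=>'1','key'=>WEBSCAN_KEY,'task'=>$this->taskid));
    }

    /**
     * Heuristic: does $word contain three-byte UTF-8 sequences whose lead byte is
     * 0xE4-0xE9, at the start, at the end, or twice or more in a row?
     *
     * This recognises UTF-8 encoded CJK text only; pure ASCII yields false.
     *
     * @param string $word
     * @return bool
     */
    private function is_utf8($word)
    {
        $seq = "[".chr(228)."-".chr(233)."]{1}[".chr(128)."-".chr(191)."]{1}[".chr(128)."-".chr(191)."]{1}";

        return preg_match("/^(".$seq."){1}/",$word) == true
            || preg_match("/(".$seq."){1}$/",$word) == true
            || preg_match("/(".$seq."){2,}/",$word) == true;
    }

    /**
     * Converts GBK text to UTF-8 without ever discarding the input.
     *
     * When iconv() rejects the bytes, the ASCII part is kept and every other byte
     * becomes "?". Returning nothing here would let a file avoid the scan simply by
     * containing one undecodable byte; the indicators themselves are mostly ASCII.
     *
     * @param string $text
     * @return string
     */
    private function to_utf8($text) {
        $converted = @iconv("GBK","UTF-8",$text);
        if ($converted !== false) {
            return $converted;
        }
        return preg_replace('/[\x80-\xFF]/', '?', $text);
    }

    /**
     * Prints the environment report as JSON and ends the request.
     *
     * "status" is 1 only when outbound HTTP is possible and the scratch directory
     * is writable; it starts at 0 so that a failed check is actually visible.
     */
    private    function check_environment()
    {
        $r = array("status"=>0,"allow_url_fopen"=>0,"writeable"=>0);

        if (ini_get('allow_url_fopen')||function_exists('curl_init')) {
            $r["allow_url_fopen"] = 1;
        }

        if ($this->is__writable($this->_tmp.'test.tmp'))
        {
            $r["writeable"] = 1;
        }

        if($r["allow_url_fopen"] && $r["writeable"])
        {
            $r["status"] = 1;
        }

        echo json_encode($r);
        exit;
    }

    /**
     * POSTs $postdata to $url with cURL.
     *
     * The fields are sent as application/x-www-form-urlencoded, the same format the
     * stream fallback in post() uses. Handing the array to cURL directly would
     * produce multipart data and, on PHP releases before 5.6, treat a value that
     * starts with "@" as a local file to upload.
     *
     * @param string $url
     * @param array $postdata
     * @return array 'httpcode' and 'response' of the transfer
     */
    private function webscan_curl($url , $postdata = array()){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($ch, CURLOPT_TIMEOUT, 15);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postdata));
        $response = curl_exec($ch);
        $httpcode = curl_getinfo($ch,CURLINFO_HTTP_CODE);
        curl_close($ch);
        return array('httpcode'=>$httpcode,'response'=>$response);
    }

    /**
     * Sends $log to $url, through cURL when available and an HTTP stream otherwise.
     * The response is not inspected; delivery is best effort.
     *
     * @param string $url
     * @param array $log
     */
    private function post($url,$log=array()){
        if (function_exists('curl_init')) {
            $this->webscan_curl($url,$log);
            return;
        }

        $context = stream_context_create(array('http' => array(
            'method' => 'POST',
            'header' => "Content-type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query($log),
        )));
        @file_get_contents($url, false, $context);
    }

    /**
     * Scans one file line by line for the indicator pattern.
     *
     * Every matching line is stored in $this->_shellcode under its 1-based line
     * number. Unreadable or empty files count as "no match".
     *
     * @param string $filepath file to scan
     * @param string $shellstr pattern body, wrapped as "/.../i"
     * @return bool true when at least one line matched
     */
    private function findstr($filepath,$shellstr){
        $text=@file_get_contents($filepath);
        if ($text === false || $text === '') {
            return false;
        }
        if(!$this->is_utf8($text)){
            $text=$this->to_utf8($text);
        }

        $found=false;
        foreach (explode("\n", $text) as $index => $content) {
            if (preg_match("/".$shellstr."/i", $content) === 1) {
                $this->_shellcode[$index+1]=$content;
                $found=true;
            }
        }
        return $found;
    }

    /**
     * Queues one finding and uploads the queue once it holds 50 entries.
     *
     * The entry is queued before the size check so the finding that fills the
     * batch is sent with it rather than dropped.
     *
     * @param array $a finding keyed by file name
     */
    private function upload_log($a = array()) {
        $this->_log_array[]=$a;
        $this->_log_count++;
        if($this->_log_count>=50){
            $this->flush_log();
        }
    }

    /**
     * Uploads the queued findings, if any, and empties the queue.
     */
    private function flush_log() {
        if ($this->_log_count>0) {
            $this->post($this->webscan_url,array('log' => json_encode($this->_log_array),'key'=>WEBSCAN_KEY,'task'=>$this->taskid));
        }
        $this->_log_count=0;
        $this->_log_array=array();
    }

    /**
     * Decides whether a regular file belongs in the scan list.
     *
     * @param string $filepath
     * @return bool
     */
    private function wants_file($filepath) {
        if (is_string($this->extension) && $this->extension == '*') {
            return true;
        }
        $info = pathinfo($filepath);
        if (!isset($info['extension'])) {
            return false;
        }
        // Lower-cased so that "shell.PHP" is treated like "shell.php".
        if (!in_array(strtolower($info['extension']), $this->extension, true)) {
            return false;
        }
        return $this->_self != basename($filepath);
    }

    /**
     * Recursively collects candidate files below $dir into $this->_files.
     *
     * Symbolic links are skipped. The file limit is tested before the directory is
     * opened so that hitting it cannot leak a directory handle, and a directory
     * that cannot be opened is skipped instead of being passed on to readdir().
     *
     * @param string $dir
     * @return true|null true when the file limit stopped the listing
     */
    private function listdir($dir) {
        if ($this->filelimit > 0 && count($this->_files) > $this->filelimit) {
            return true;
        }

        $handle = @opendir($dir);
        if ($handle === false) {
            return;
        }

        while (($file = readdir($handle)) !== false) {
            if ($file == '.' || $file == '..') {
                continue;
            }
            $filepath = $dir == '.' ? $file : $dir . '/' . $file;

            if (is_link($filepath)) {
                continue;
            }
            if (substr(basename($filepath), 0, 1) == "." && !$this->scan_hidden) {
                continue;
            }

            if (is_file($filepath)) {
                if ($this->filelimit > 0 && $this->wants_file($filepath)) {
                    $this->_files[] = $filepath;
                }
            } else if (is_dir($filepath) && is_readable($filepath)) {
                $this->listdir($filepath);
            }
        }
        closedir($handle);
    }

    /**
     * Scans every collected file, reports the flagged ones and releases the lock.
     */
    private function anaylize() {
        foreach ($this->_files as $file) {
            // Default to the raw name; previously a UTF-8 name left $filename unset
            // or carrying the value from the previous file.
            $filename = $this->is_utf8($file) ? $file : $this->to_utf8($file);

            $this->_shellcode=array();
            if($this->findstr($file,$this->_regex))
            {
                $this->upload_log(array($filename => array(
                    'Trojan' => 1,
                    'time' => date("Y-m-d H:i:s",filemtime($file)),
                    'md5'=>md5_file($file),
                    'size'=>filesize($file),
                    'shellcode'=>$this->_shellcode,
                )));
                $this->_shellcode=array();
            }
        }
        $this->flush_log();
        sleep(5);
        $this->del_state();
    }

    /**
     * Dispatches the requested action.
     *
     * While a scan is running (lock file reads "scannig") every request ends with
     * that marker. Without an authenticated action only the banner is printed.
     */
    public function start() {
        if($this->action==='del_state'){
            $this->del_state();
        }
        if (@file_get_contents(($this->_tmp.'scan_lock.tmp'))=='scannig')  {
            exit("scannig");
        }
        switch ($this->action) {
            case 'check_environment':
                $this->check_environment();
                break;
            case 'shell_scan':
                set_time_limit(0);
                // Must pass true: without an argument this call only reads the setting.
                ignore_user_abort(true);
                // The shutdown hook releases the lock even if the scan dies part-way.
                register_shutdown_function(array($this,"del_state"));
                $this->ck_state();
                $this->listdir($this->directory);
                $this->anaylize();
                $this->del_state();
                break;
            default:
                echo "360webscan v1.4";
                break;
        }
    }

}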

// Build the scanner from the current request and dispatch the requested action.
$scanner = new scan();
$scanner->start();
?>

1. 下载木马查杀插件 

2. 将该插件解压后上传到网站根目录:http://tiaowode.com

3. 用浏览器访问 http://domain.com/scan.php(domain.com 换成自己的域名),页面输出 360webscan v1.4 即表示安装成功

原文地址:https://www.cnblogs.com/wangtongphp/p/3216669.html