Finding and removing trojans and backdoors

Common one-line backdoors:

    # eval() called directly on POST data
    grep -r --include='*.php' '[^a-z]eval($_POST' . > grep.txt
    # POST data written straight to a file (>> appends, so the first result is kept)
    grep -r --include='*.php' 'file_put_contents(.*$_POST\[.*\]);' . >> grep.txt

Combining this with find makes the search more thorough:

    # known shell names and obfuscated eval() calls; prints each matching file once
    find . -name '*.php' -type f -print0 | xargs -0 grep -E '(phpspy|c99sh|milw0rm|eval\(gzuncompress\(base64_decode|eval\(base64_decode|spider_bc|gzinflate)' | awk -F: '{print $1}' | sort | uniq

    # make every PHP file read-only
    find . -type f -name '*.php' -exec chmod 444 {} \;

    # list PHP files modified within the last day
    find . -mtime -1 -type f -name '*.php'

    # collect every line containing eval( into a report file
    find /websitedir/ -type f -name '*.php' | xargs grep 'eval(' > /home/test.txt

    find ./ -name '*.php' -type f -print0 | xargs -0 grep -E '(phpspy|c99sh|milw0rm|eval\(gzuncompress|eval\(base64_decode|spider_bc)' | awk -F: '{print $1}' | sort | uniq

Change /websitedir/ to your own forum's program directory. Finally, go through test.txt and look for any unusual files that are not part of the forum software. If you did not upload them yourself, back them up and then delete them.

    find ./ -name '*.php' | xargs grep 'eval($_POST'
    find ./ -name '*.php' | xargs grep 'phpspy'

Author: 问君几多愁
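The scans above folded into one pass, as an added example that is not from the original post: it reports each flagged file once with the signatures it hit, and it goes beyond the post's patterns by matching case-insensitively, allowing whitespace before the parenthesis and covering $_GET, $_REQUEST and $_COOKIE. The function names, signature names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): one pass over a web root that
# reports each suspicious .php file once, with the names of the signatures hit.

# "name regex" pairs (POSIX ERE). Strings come from the post's greps; -i and
# the optional whitespace are additions, because PHP function names are
# case-insensitive and "eval (" is valid PHP.
signatures() {
cat <<'EOF'
eval_superglobal (^|[^a-z_])eval[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST|COOKIE)
write_from_post file_put_contents[[:space:]]*\(.*\$_POST\[.*]
eval_decode eval[[:space:]]*\([[:space:]]*(gzuncompress|gzinflate|base64_decode)
shell_name phpspy|c99sh|milw0rm|spider_bc
EOF
}

# scan_php DIR  ->  "path<TAB>sig1,sig2" per flagged file, sorted by path
scan_php() {
    signatures | while read -r name regex; do
        # -exec ... {} + copes with spaces in file names,
        # like the post's -print0 | xargs -0 form
        find "$1" -type f -name '*.php' -exec grep -Eil -e "$regex" {} + |
            awk -v sig="$name" '{ print $0 "\t" sig }'
    done | LC_ALL=C sort | awk -F'\t' '
        $1 != prev { if (prev != "") print prev "\t" sigs; prev = $1; sigs = $2; next }
        { sigs = sigs "," $2 }
        END { if (prev != "") print prev "\t" sigs }'
}

# make_demo_tree DIR: constructed fixtures (truncated, non-functional PHP)
make_demo_tree() {
    mkdir -p "$1/upload" "$1/cache dir"
    printf '%s\n' '<?php echo "forum index"; ?>' > "$1/index.php"
    printf '%s\n' '<?php @EVAL ($_POST[...' > "$1/upload/a.php"
    printf '%s\n' '<?php /* phpspy */ eval(base64_decode(...' > "$1/cache dir/b.php"
    printf '%s\n' '<?php $era = medieval($_POST["q"]); ?>' > "$1/history.php"
}

# Demo: build the fixtures in a temp dir, scan them, clean up
demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
scan_php "$demo_dir"
rm -rf "$demo_dir"
```

The uppercase `EVAL (` fixture is missed by the post's case-sensitive `[^a-z]eval($_POST` pattern, while `medieval(` is correctly left unflagged by both.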