scanner.php:

<?php
/**************PHP Web木马扫描器************************/
/* [+] 作者: alibaba                                   */
/* [+] QQ: 1499281192                                  */
/* [+] MSN: weeming21@hotmail.com                      */
/* [+] 首发: t00ls.net , 转载请注明t00ls               */
/* [+] 版本: v1.0                                      */
/* [+] 功能: web版php木马扫描工具                      */
/* [+] 注意: 扫描出来的文件并不一定就是后门,           */
/*           请自行判断、审核、对比原文件。            */
/*           如果你不确定扫出来的文件是否为后门,      */
/*           欢迎你把该文件发给我进行分析。            */
/*******************************************************/
ob_start();
set_time_limit(0);
$username = "t00ls"; //设置用户名
$password = "t00ls"; //设置密码
$md5 = md5(md5($username).md5($password));
$version = "PHP Web木马扫描器 v1.0";

$realpath = realpath('./');
$selfpath = $_SERVER['PHP_SELF'];
$selfpath = substr($selfpath, 0, strrpos($selfpath,'/'));
define('REALPATH', str_replace('//','/',str_replace('\\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath)))));
define('MYFILE', basename(__FILE__));
define('MYPATH', str_replace('\\', '/', dirname(__FILE__)).'/');
define('MYFULLPATH', str_replace('\\', '/', (__FILE__)));
define('HOST', "http://".$_SERVER['HTTP_HOST']);
?>
<html>
<head>
<title><?php echo $version?></title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<style>
body{margin:0px;}
body,td{font: 12px Arial,Tahoma;line-height: 16px;}
a {color: #00f;text-decoration:underline;}
a:hover{color: #f00;text-decoration:none;}
.alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;}
.alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;}
.focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;}
.head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;}
.head td span{font-weight:normal;}
</style>
</head>
<body>
<?php
if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)))
{
 echo '<form id="frmlogin" name="frmlogin" method="post" action="">用户名: <input type="text" name="username" id="username" /> 密码: <input type="password" name="password" id="password" /> <input type="submit" name="btnLogin" id="btnLogin" value="登陆" /></form>';
}
elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))
{
 setcookie("t00ls", $md5, time()+60*60*24*365,"/");
 echo "登陆成功!";
 header( 'refresh: 1; url='.MYFILE.'?action=scan' );
 exit();
}
else
{
 setcookie("t00ls", $md5, time()+60*60*24*365,"/");
 $setting = getSetting();
 $action = isset($_GET['action'])?$_GET['action']:"";
 
 if($action=="logout")
 {
  setcookie ("t00ls", "", time() - 3600);
  Header("Location: ".MYFILE);
  exit();
 }
 if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!="")
 {
  $file = $_GET['file'];
  ob_clean();
  if (@file_exists($file)) {
   header("Content-type: application/octet-stream");
      header("Content-Disposition: filename=\"".basename($file)."\"");
   echo file_get_contents($file);
  }
  exit();
 }
?>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
 <tbody><tr class="head">
  <td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "<a href='http://www.t00ls.net/'>$version</a>"?></span></td>
 </tr>
 <tr class="alt1">
  <td><span style="float: right;"><?=date("Y-m-d H:i:s",mktime())?></span>
   <a href="?action=scan">扫描</a> |
            <a href="?action=setting">设定</a> |
          <a href="?action=logout">登出</a>
  </td>
 </tr>
</tbody></table>
<br>
<?php
 if($action=="setting")
 {
  if(isset($_POST['btnsetting']))
  {
   $Ssetting = array();
   $Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml";
   $Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0;
   $Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0;
   setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
   echo "设置完成!";
   header( 'refresh: 1; url='.MYFILE.'?action=setting' );
   exit();
  }
?>
<form name="frmSetting" method="post" action="?action=setting">
<FIELDSET style="width:400px">
<LEGEND>扫描设定</LEGEND>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td width="60">文件后缀:</td>
    <td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td>
  </tr>
  <tr>
    <td><label for="checkall">所有文件</label></td>
    <td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td>
  </tr>
  <tr>
    <td><label for="checkhta">设置文件</label></td>
    <td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td>
  </tr>
  <tr>
    <td>&nbsp;</td>
    <td>
      <input type="submit" name="btnsetting" id="btnsetting" value="提交">
    </td>
  </tr>
</table>
</fieldset>
</form>
<?php
 }
 else
 {
  $dir = isset($_POST['path'])?$_POST['path']:MYPATH;
  $dir = substr($dir,-1)!="/"?$dir."/":$dir;
?>
<form name="frmScan" method="post" action="">
<table width="100%%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td width="35" style="vertical-align:middle; padding-left:5px;">扫描路径:</td>
    <td width="690">
        <input type="text" name="path" id="path" style="width:600px" value="<?php echo $dir?>">
        &nbsp;&nbsp;<input type="submit" name="btnScan" id="btnScan" value="开始扫描"></td>
  </tr>
</table>
</form>
<?php
  if(isset($_POST['btnScan']))
  {
   $start=mktime();
   $is_user = array();
   $is_ext = "";
   $list = "";
   
   if(trim($setting['user'])!="")
   {
    $is_user = explode("|",$setting['user']);
    if(count($is_user)>0)
    {
     foreach($is_user as $key=>$value)
      $is_user[$key]=trim(str_replace("?","(.)",$value));
     $is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))";
    }
   }
   if($setting['hta']==1)
   {
    $is_hta=1;
    $is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext;
    $is_ext.="(^\.htaccess$)";
   }
   if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0))
   {
    $is_ext="(.+)";
   }
   
   $php_code = getCode();
   if(!is_readable($dir))
    $dir = MYPATH;
   $count=$scanned=0;
   scan($dir,$is_ext);
   $end=mktime();
   $spent = ($end - $start);
?>
<div style="padding:10px; background-color:#ccc">扫描: <?php echo $scanned?> 文件 | 发现: <?php echo $count?> 可疑文件 | 耗时: <?php echo $spent?> 秒</div>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr class="head">
    <td width="15" align="center">No.</td>
    <td width="48%">文件</td>
    <td width="12%">更新时间</td>
    <td width="10%">原因</td>
    <td width="20%">特征</td>
    <td>动作</td>
  </tr>
<?php echo $list?>
</table>
<?php
  }
 }
}
ob_flush();
?>
</body>
</html>
<?php
function scan($path = '.',$is_ext){
 global $php_code,$count,$scanned,$list;
    $ignore = array('.', '..' );
 $replace=array(" ","\n","\r","\t");
    $dh = @opendir( $path );

    while(false!==($file=readdir($dh))){
        if( !in_array( $file, $ignore ) ){                
            if( is_dir( "$path$file" ) ){
                scan("$path$file/",$is_ext);           
            } else {
    $current = $path.$file;
    if(MYFULLPATH==$current) continue;
    if(!preg_match("/$is_ext/i",$file)) continue;
    if(is_readable($current))
    {
     $scanned++;
     $content=file_get_contents($current);
     $content= str_replace($replace,"",$content);
     foreach($php_code as $key => $value)
     {
      if(preg_match("/$value/i",$content))
      {
       $count++;
       $j = $count % 2 + 1;
       $filetime = date('Y-m-d H:i:s',filemtime($current));
       $reason = explode("->",$key);
       $url =  str_replace(REALPATH,HOST,$current);
       preg_match("/$value/i",$content,$arr);
       $list.="
   <tr class='alt$j' onmouseover='this.className=\"focus\";' onmouseout='this.className=\"alt$j\";'>
  <td>$count</td>
  <td><a href='$url' target='_blank'>$current</a></td>
  <td>$filetime</td>
  <td><font color=red>$reason[0]</font></td>
  <td><font color=#090>$reason[1]</font></td>
  <td><a href='?action=download&file=$current' target='_blank'>下载</a></td>
   </tr>";
       //echo $key . "-" . $path . $file ."(" . $arr[0] . ")" ."<br />";
       //echo $path . $file ."<br />";
       break;
      }
     }
    }
            }
        }
    }
    closedir( $dh );
}
function getSetting()
{
 $Ssetting = array();
 if(isset($_COOKIE['t00ls_s']))
 {
  $Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s']));
  $Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml";
  $Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0;
  $Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1;
 }
 else
 {
  $Ssetting['user']="php | php? | phtml | shtml";
  $Ssetting['all']=0;
  $Ssetting['hta']=1;
  setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/");
 }
 return $Ssetting;
}
function getCode()
{
 return array(
 '后门特征->cha88.cn'=>'cha88\.cn',
 '后门特征->c99shell'=>'c99shell',
 '后门特征->phpspy'=>'phpspy',
 '后门特征->Scanners'=>'Scanners',
 '后门特征->cmd.php'=>'cmd\.php',
 '后门特征->str_rot13'=>'str_rot13',
 '后门特征->webshell'=>'webshell',
 '后门特征->EgY_SpIdEr'=>'EgY_SpIdEr',
 '后门特征->tools88.com'=>'tools88\.com',
 '后门特征->SECFORCE'=>'SECFORCE',
 '后门特征->eval("?>'=>'eval\((\'|")\?>',
 '可疑代码特征->system('=>'system\(',
 '可疑代码特征->passthru('=>'passthru\(',
 '可疑代码特征->shell_exec('=>'shell_exec\(',
 '可疑代码特征->exec('=>'exec\(',
 '可疑代码特征->popen('=>'popen\(',
 '可疑代码特征->proc_open'=>'proc_open',
 '可疑代码特征->eval($'=>'eval\((\'|"|\s*)\\$',
 '可疑代码特征->assert($'=>'assert\((\'|"|\s*)\\$',
 '危险MYSQL代码->returns string soname'=>'returnsstringsoname',
 '危险MYSQL代码->into outfile'=>'intooutfile',
 '危险MYSQL代码->load_file'=>'select(\s+)(.*)load_file',
 '加密后门特征->eval(gzinflate('=>'eval\(gzinflate\(',
 '加密后门特征->eval(base64_decode('=>'eval\(base64_decode\(',
 '加密后门特征->eval(gzuncompress('=>'eval\(gzuncompress\(',
 '加密后门特征->eval(gzdecode('=>'eval\(gzdecode\(',
 '加密后门特征->eval(str_rot13('=>'eval\(str_rot13\(',
 '加密后门特征->gzuncompress(base64_decode('=>'gzuncompress\(base64_decode\(',
 '加密后门特征->base64_decode(gzuncompress('=>'base64_decode\(gzuncompress\(',
 '一句话后门特征->eval($_'=>'eval\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
 '一句话后门特征->assert($_'=>'assert\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
 '一句话后门特征->require($_'=>'require\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
 '一句话后门特征->require_once($_'=>'require_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
 '一句话后门特征->include($_'=>'include\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
 '一句话后门特征->include_once($_'=>'include_once\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)', 
 '一句话后门特征->call_user_func("assert"'=>'call_user_func\(("|\')assert("|\')',  
 '一句话后门特征->call_user_func($_'=>'call_user_func\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
 '一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]'=>'\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\]\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[', 
 '一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE'=>'echo\(file_get_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',                                     
 '上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE'=>'file_put_contents\((\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[([^\]]+)\],(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)',
 '上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE['=>'fputs\(fopen\((.+),(\'|")w(\'|")\),(\'|"|\s*)\\$_(POST|GET|REQUEST|COOKIE)\[',
 '.htaccess插马特征->SetHandler application/x-httpd-php'=>'SetHandlerapplication\/x-httpd-php',
 '.htaccess插马特征->php_value auto_prepend_file'=>'php_valueauto_prepend_file',
 '.htaccess插马特征->php_value auto_append_file'=>'php_valueauto_append_file'
 ); 
}
?>

    一个在php环境下扫描php木马的工具,目前可扫出以下特征码

特征码:

后门特征->cha88.cn
后门特征->c99shell
后门特征->phpspy
后门特征->Scanners
后门特征->cmd.php
后门特征->str_rot13
后门特征->webshell
后门特征->EgY_SpIdEr
后门特征->tools88.com
后门特征->SECFORCE
后门特征->eval("?>
可疑代码特征->system(
可疑代码特征->passthru(
可疑代码特征->shell_exec(
可疑代码特征->exec(
可疑代码特征->popen(
可疑代码特征->proc_open
可疑代码特征->eval($
可疑代码特征->assert($
危险MYSQL代码->returns string soname
危险MYSQL代码->into outfile
危险MYSQL代码->load_file
加密后门特征->eval(gzinflate(
加密后门特征->eval(base64_decode(
加密后门特征->eval(gzuncompress(
加密后门特征->gzuncompress(base64_decode(
加密后门特征->base64_decode(gzuncompress(
一句话后门特征->eval($_
一句话后门特征->assert($_
一句话后门特征->require($_
一句话后门特征->require_once($_
一句话后门特征->include($_
一句话后门特征->include_once($_
一句话后门特征->call_user_func("assert"
一句话后门特征->call_user_func($_
一句话后门特征->$_POST/GET/REQUEST/COOKIE[?]($_POST/GET/REQUEST/COOKIE[?]
一句话后门特征->echo(file_get_contents($_POST/GET/REQUEST/COOKIE
上传后门特征->file_put_contents($_POST/GET/REQUEST/COOKIE,$_POST/GET/REQUEST/COOKIE
上传后门特征->fputs(fopen("?","w"),$_POST/GET/REQUEST/COOKIE[
.htaccess插马特征->SetHandler application/x-httpd-php
.htaccess插马特征->php_value auto_prepend_file
.htaccess插马特征->php_value auto_append_file

    懒惰设计,直接套用phpspy样式

    注意: 扫描出来的文件并不一定就是后门,  请自行判断、审核、对比原文件。