A site hosted on a BT (宝塔) panel got infected with a trojan. After about half a month of poking at it I had a fair picture of how it operates. Fixing the title, description and keywords (TDK) by hand over and over was not a solution, and quite a few sites were affected, so to stop the trojan from rewriting the TDK I wrote a Python script to fight back and restore the original TDK.
Infection symptoms:
1. The TDK has been replaced with obfuscated content.
2. The real description and keywords are still in the file, so the lines containing the garbled payload can simply be stripped out.
3. The original title is still present inside the injected script line (the one that sniffs for search-engine spiders), so the plan is to pull it back out with a regex.
4. Remove the JS that contains the string String.fromCharCode(c+29) so the trojan stops working.
Here is the finished script:
# -*- coding: utf-8 -*-
import os
import re

# Example BT (宝塔) site roots; for each one the script looks for index.html or index.php.
list_dir = ['/www/wwwroot/iugw.com', '/www/wwwroot/7838.net']

# Infection marker: if this string appears in the file the site is infected.
# Adjust it to whatever you actually see in your own case.
MARKER = 'tbty20000'

# The injected spider-sniffing line still carries the original title as  title ='...'
# Non-greedy so a later quote on the same line cannot swallow extra text.
TITLE_RE = re.compile(r"title ='(.*?)'", re.I)


def clean_lines(lines):
    """Drop the trojan's lines and put the original <title> back.

    Rules, in the order the script applies them:
      - lines containing ';&#' (HTML-entity encoded payload) are dropped
      - lines containing 'String.fromCharCode(c+29)' (the packed JS) are dropped
      - the line containing the spider UA list is replaced by a <title> built from
        the title ='...' it carries (dropped if no title is found in it)
      - every other line is kept unchanged
    """
    out = []
    for line in lines:
        if ';&#' in line:
            continue
        if 'String.fromCharCode(c+29)' in line:
            continue
        if 'baiduspider|sogou|360spider|yisou' in line:
            m = TITLE_RE.search(line)
            if m:
                out.append('<title>' + m.group(1) + '</title>\n')
            continue
        out.append(line)
    return out


def clean_file(path):
    """Clean one index file in place. Returns True if it was infected and rewritten."""
    # surrogateescape round-trips bytes that are not valid UTF-8 (e.g. a GBK page)
    # instead of silently dropping or corrupting them.
    with open(path, 'r', encoding='utf-8', errors='surrogateescape') as f:
        content = f.read()
    if MARKER not in content:
        return False
    print('Current path: %s' % path)
    print('Found trojan JS, cleaning!')
    # Write to a temp file next to the original and swap it in atomically, rather
    # than writing out.html in the working directory and doing remove + rename.
    tmp = path + '.clean'
    with open(tmp, 'w', encoding='utf-8', errors='surrogateescape') as n:
        n.writelines(clean_lines(content.splitlines(keepends=True)))
    os.replace(tmp, path)
    return True


if __name__ == '__main__':
    for item in list_dir:
        index_html = os.path.join(item, 'index.html')
        index_php = os.path.join(item, 'index.php')
        if os.path.exists(index_html):
            clean_file(index_html)
        elif os.path.exists(index_php):
            clean_file(index_php)
        else:
            print('No index.html or index.php in this directory, skipping!')
    print('Done!')
To save effort, run it as a BT scheduled task (计划任务): in the BT panel, create a task that runs the script every 10 minutes. It then goes through the directories in list_dir, removes the trojan and restores the TDK, and whenever an infection is found the task log shows which file was touched. Adapt the marker string and paths to your own case.
I hope this helps others solve the same problem!
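The cleaner above only knows about one marker string, so a scheduled run cannot tell you what else changed if the trojan alters its payload. As an added example (not code from the original post), the following keeps a SHA-256 fingerprint of each clean index file and, when the file differs, reports the exact lines that were injected or removed. The sample clean and infected pages, the path, and the function names are constructed for this example; the injected lines only mimic the shapes the post describes (an HTML-entity line containing `;&#`, a packer line using `String.fromCharCode(c+29)`, and a spider-UA line carrying `title ='...'`).

```python
# -*- coding: utf-8 -*-
import difflib
import hashlib

# Constructed sample (not taken from a real site): a clean index.html and the same
# file after an injection shaped like the one described in the post. The marker
# tbty20000 is the string the post's cleaner looks for.
CLEAN_INDEX = """<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>My Site</title>
<meta name="description" content="A real description">
<meta name="keywords" content="real,keywords">
</head>
<body>hello</body>
</html>
"""

INFECTED_INDEX = CLEAN_INDEX.replace(
    '<title>My Site</title>\n',
    "<script>/*tbty20000*/document.write('&#99;&#97;&#115;&#105;&#110;&#111;')</script>\n"
    "<script>eval(function(p,a,c,k,e,d){e=function(c){return String.fromCharCode(c+29)};return p}('x',62,1,[],0,{}))</script>\n"
    "<script>if(/baiduspider|sogou|360spider|yisou/i.test(navigator.userAgent)){document.title='spam'}else{var title ='My Site';document.title=title}</script>\n",
)


def fingerprint(text):
    """SHA-256 of the file text; store this per clean index file as the baseline."""
    return hashlib.sha256(text.encode('utf-8', 'surrogateescape')).hexdigest()


def changed_lines(baseline, current):
    """Return (added, removed): lines only in current / only in baseline."""
    base, cur = baseline.splitlines(), current.splitlines()
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, base, cur).get_opcodes():
        if tag in ('replace', 'delete'):
            removed.extend(base[i1:i2])
        if tag in ('replace', 'insert'):
            added.extend(cur[j1:j2])
    return added, removed


def check_index(baseline, current, marker='tbty20000'):
    """Compare a file against its clean baseline and describe what happened.

    Returns a dict with:
      changed  - True if the content differs from the baseline at all
      marker   - True if the known infection marker is present
      added    - lines injected into the file
      removed  - lines that were taken out (e.g. the real <title>)
    A change without the marker still deserves a look: the trojan may have
    changed its signature, and a marker-only check would miss that.
    """
    if fingerprint(baseline) == fingerprint(current):
        return {'changed': False, 'marker': marker in current, 'added': [], 'removed': []}
    added, removed = changed_lines(baseline, current)
    return {'changed': True, 'marker': marker in current, 'added': added, 'removed': removed}


def format_report(path, report):
    """Human-readable lines for the scheduled task's log."""
    if not report['changed']:
        return ['%s: unchanged' % path]
    out = ['%s: MODIFIED (marker %s)' % (path, 'present' if report['marker'] else 'absent')]
    out += ['  - ' + l for l in report['removed']]
    out += ['  + ' + l for l in report['added']]
    return out


if __name__ == '__main__':
    # Hypothetical path; in practice read the live file and the stored clean copy.
    for line in format_report('/www/wwwroot/example/index.html',
                              check_index(CLEAN_INDEX, INFECTED_INDEX)):
        print(line)
```

In a scheduled run you would load the stored clean copy and the live file for each site root, call `check_index`, and write `format_report` to the task log before (or instead of) running the cleaner, so the log records the injected lines rather than just the path.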