用PHP检查特洛伊木马NETBUS的代码
时间:2007-02-17 来源:PHP爱好者
<?php
//特洛伊木马NETBUS的功力很强,用过的人可能印象比较深,我的印象也算是比较深的
//下面的测试只是对部分端口,而NETBUS是可以改变监听端口的。
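/**
 * Probe one TCP port on a host and print the outcome as an HTML fragment.
 *
 * A TCP connection to $host:$port is attempted. When it succeeds, whatever the
 * peer sends first is collected for a short, bounded time and printed
 * HTML-escaped. An established connection is reported as "BAD" because the
 * caller only probes ports that are expected to be closed.
 *
 * @param string $host Host name or IP address to connect to.
 * @param int    $port TCP port to probe.
 * @return int 1 if the connection was established, 0 otherwise.
 */
function connectToPort ($host, $port) {
    $connectTimeout = 5;   // seconds allowed for the TCP handshake
    $readTimeout = 2;      // seconds allowed for the peer to send data
    $maxBannerBytes = 512; // upper bound on peer data echoed into the page

    $status = 0;
    $port = (int) $port;
    // The host string is written into the page, so it is escaped first; a name
    // obtained from DNS is not under this script's control.
    $safeHost = htmlspecialchars((string) $host, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    print "<p><code>Trying port $port at $safeHost...";

    // Call-time pass-by-reference (&$errno) is a fatal error on PHP >= 5.4;
    // fsockopen() already declares these parameters by reference.
    // A refused connection is the expected (good) outcome here and is reported
    // through the return value, so the warning is silenced instead of being
    // rendered into the page. The explicit timeout keeps a filtered port from
    // stalling the request for default_socket_timeout seconds.
    $errno = 0;
    $errstr = "";
    $socket = @fsockopen($host, $port, $errno, $errstr, $connectTimeout);
    if ($socket) {
        // The port is open - that is the bad case.
        print "<br>Port $port connection established - BAD!</code></p>";
        $status = 1;

        // Blocking reads with a timeout replace the former non-blocking spin of
        // 10000 one-byte reads, whose result depended on how fast the loop ran.
        stream_set_timeout($socket, $readTimeout);
        $deadline = microtime(true) + $readTimeout;
        $rawOutput = "";
        while (strlen($rawOutput) < $maxBannerBytes
            && !feof($socket)
            && microtime(true) < $deadline) {
            $chunk = fread($socket, $maxBannerBytes - strlen($rawOutput));
            // Compare strictly: a chunk consisting of "0" is data, not "nothing read".
            if ($chunk === false || $chunk === "") {
                break;
            }
            $rawOutput .= $chunk;
        }

        // Enough of this. Close the connection.
        fclose($socket);

        if ($rawOutput !== "") {
            // Escape the whole banner once; escaping byte by byte breaks
            // multi-byte sequences. The peer's data is untrusted.
            $portOutput = htmlspecialchars($rawOutput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            print "<p><code>Output:</code></p><pre>$portOutput</pre>";
        }
    } else {
        // In case we have good news (this branch also covers timeouts):
        print "<br>Port $port connection refused - good</code></p>";
    }
    // Return status for the port we just examined
    return $status;
}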
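/**
 * Print the HTML form that asks the visitor for permission to be probed.
 *
 * Both values are HTML-escaped before being written: $uri is assembled from
 * request data and $host may come from a DNS lookup, so neither can be
 * trusted to be free of markup.
 *
 * @param string $host Host shown to the visitor as the probe target.
 * @param string $uri  URL the form posts back to.
 * @return void
 */
function printForm ($host, $uri) {
    $safeHost = htmlspecialchars((string) $host, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeUri = htmlspecialchars((string) $uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Make sure the user knows what's going on.
    // This should not be dangerous in any way, but let's ask anyway.
    // Inner double quotes are backslash-escaped; unescaped they end the
    // string literal and the script does not parse.
    print "
<form method=post action=\"$safeUri\">
<p>Permission to <span class=permit>connect to ports 12345
and 12346 at host
<code>$safeHost</code></span> granted: <input
type=checkbox name=permission value=\"ok\"></p>
<p><input class=submit type=submit></p>
</form>
";
}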
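// **********
// MAIN
// **********
// Some definitions - the standard Netbus ports
$netBusPortA = 12345; // default port NetBus listens on
$netBusPortB = 12346;

// Request data is read from the superglobals. The bare $SERVER_NAME,
// $REMOTE_ADDR, $permission ... variables only exist with register_globals
// (removed in PHP 5.4), which also let request parameters overwrite them.
$serverName = isset($_SERVER['SERVER_NAME']) ? (string) $_SERVER['SERVER_NAME'] : '';
$requestUri = isset($_SERVER['REQUEST_URI']) ? (string) $_SERVER['REQUEST_URI'] : '';
$requestMethod = isset($_SERVER['REQUEST_METHOD']) ? (string) $_SERVER['REQUEST_METHOD'] : '';
$referer = isset($_SERVER['HTTP_REFERER']) ? (string) $_SERVER['HTTP_REFERER'] : '';
$permission = (isset($_POST['permission']) && is_string($_POST['permission']))
    ? $_POST['permission']
    : '';

// This may seem stupid; but if PHP is running in 'safe mode',
// the script_URI environment variable doesn't seem to
// be readily available.
// NOTE(review): the scheme is fixed to http://, so when the page is served
// over https the Referer comparison below never matches.
$uri = "http://" . $serverName . $requestUri;

// Address of the requesting client. Only this address is ever probed.
$remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
    $remoteAddr = '';
}
// fsockopen() needs a numeric IPv6 address enclosed in square brackets.
$target = (strpos($remoteAddr, ':') !== false) ? "[$remoteAddr]" : $remoteAddr;

// The reverse-DNS name is used as a display label only. The PTR record is
// controlled by whoever runs the reverse zone for the address, so connecting
// to that name could point the probe at a machine other than the requester.
$host = $remoteAddr;
if ($remoteAddr !== '') {
    $reverseName = gethostbyaddr($remoteAddr);
    if (is_string($reverseName) && preg_match('/^[A-Za-z0-9.-]+$/', $reverseName)) {
        $host = $reverseName;
    }
}
$safeHost = htmlspecialchars($host, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$safeUri = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Requesting host innocent until otherwise proven
$netBusStatus = 0;

// Trying to make sure that the user actually wants me
// to scan his/her ports. - And trying to make sure that nobody is
// directly linking to the script.
// The Referer header is supplied by the client: this check keeps ordinary
// cross-site links and forms from triggering a probe, it does not
// authenticate anything.
$permitted = ($permission === "ok")
    && ($requestMethod === "POST")
    && ($referer === $uri)
    && ($remoteAddr !== '');

if (!$permitted) {
    // Write the permission-asking form - i.e. call the
    // previously defined 'printForm' function
    printForm($host, $uri);
} else {
    // Paranoia checks OK. Let's do it
    print "
<h2>Processing host $safeHost...</h2>
<table border=1 cellpadding=5>
";
    print "<tr><td>";
    // Call script and add the status to the sum of status
    // codes. The function 'connectToPort' is defined above
    $netBusStatus += connectToPort($target, $netBusPortA);
    print "</td></tr>";
    print "<tr><td>";
    // Call the connect-function again for the other port
    $netBusStatus += connectToPort($target, $netBusPortB);
    print "</td></tr>";
    print "</table>";
    // Summarize results
    print "<h2>Conclusion</h2>";
    if ($netBusStatus > 0) {
        // The sum of status codes should be zero.
        // User probably has Netbus installed.
        print "
<p>Connection to at least one Netbus port
succeeded. That's a <strong class=bad>bad</strong> sign!</p>
<p>This means that you probably have Netbus installed
on your computer. See
<a href=\"http://www.iss.net/xforce/alerts/advise8.html\">ISS'
alert summary</a> for removal instructions.</p>
";
    } else {
        // It's nice to bring good news
        print "
<p>No Netbus ports responded at host $safeHost.
Congratulations - that's a <strong class=good>good</strong> sign!</p>
<p>This may not be a definitive test, though:
<br> - If Netbus is installed at non-standard ports or
<br> - if you are sitting behind a firewall,
<br>this utility will fail to detect Netbus.</p>
<p>You may <a href=\"$safeUri\">try again</a>.</p>
";
    }
}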
?>
//特洛伊木马NETBUS的功力很强,用过的人可能印象比较深,我的印象也算是比较深的
//下面的测试只是对部分端口,而NETBUS是可以改变监听端口的。
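/**
 * Probe one TCP port on a host and print the outcome as an HTML fragment.
 *
 * A TCP connection to $host:$port is attempted. When it succeeds, whatever the
 * peer sends first is collected for a short, bounded time and printed
 * HTML-escaped. An established connection is reported as "BAD" because the
 * caller only probes ports that are expected to be closed.
 *
 * @param string $host Host name or IP address to connect to.
 * @param int    $port TCP port to probe.
 * @return int 1 if the connection was established, 0 otherwise.
 */
function connectToPort ($host, $port) {
    $connectTimeout = 5;   // seconds allowed for the TCP handshake
    $readTimeout = 2;      // seconds allowed for the peer to send data
    $maxBannerBytes = 512; // upper bound on peer data echoed into the page

    $status = 0;
    $port = (int) $port;
    // The host string is written into the page, so it is escaped first; a name
    // obtained from DNS is not under this script's control.
    $safeHost = htmlspecialchars((string) $host, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    print "<p><code>Trying port $port at $safeHost...";

    // Call-time pass-by-reference (&$errno) is a fatal error on PHP >= 5.4;
    // fsockopen() already declares these parameters by reference.
    // A refused connection is the expected (good) outcome here and is reported
    // through the return value, so the warning is silenced instead of being
    // rendered into the page. The explicit timeout keeps a filtered port from
    // stalling the request for default_socket_timeout seconds.
    $errno = 0;
    $errstr = "";
    $socket = @fsockopen($host, $port, $errno, $errstr, $connectTimeout);
    if ($socket) {
        // The port is open - that is the bad case.
        print "<br>Port $port connection established - BAD!</code></p>";
        $status = 1;

        // Blocking reads with a timeout replace the former non-blocking spin of
        // 10000 one-byte reads, whose result depended on how fast the loop ran.
        stream_set_timeout($socket, $readTimeout);
        $deadline = microtime(true) + $readTimeout;
        $rawOutput = "";
        while (strlen($rawOutput) < $maxBannerBytes
            && !feof($socket)
            && microtime(true) < $deadline) {
            $chunk = fread($socket, $maxBannerBytes - strlen($rawOutput));
            // Compare strictly: a chunk consisting of "0" is data, not "nothing read".
            if ($chunk === false || $chunk === "") {
                break;
            }
            $rawOutput .= $chunk;
        }

        // Enough of this. Close the connection.
        fclose($socket);

        if ($rawOutput !== "") {
            // Escape the whole banner once; escaping byte by byte breaks
            // multi-byte sequences. The peer's data is untrusted.
            $portOutput = htmlspecialchars($rawOutput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            print "<p><code>Output:</code></p><pre>$portOutput</pre>";
        }
    } else {
        // In case we have good news (this branch also covers timeouts):
        print "<br>Port $port connection refused - good</code></p>";
    }
    // Return status for the port we just examined
    return $status;
}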
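/**
 * Print the HTML form that asks the visitor for permission to be probed.
 *
 * Both values are HTML-escaped before being written: $uri is assembled from
 * request data and $host may come from a DNS lookup, so neither can be
 * trusted to be free of markup.
 *
 * @param string $host Host shown to the visitor as the probe target.
 * @param string $uri  URL the form posts back to.
 * @return void
 */
function printForm ($host, $uri) {
    $safeHost = htmlspecialchars((string) $host, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeUri = htmlspecialchars((string) $uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Make sure the user knows what's going on.
    // This should not be dangerous in any way, but let's ask anyway.
    // Inner double quotes are backslash-escaped; unescaped they end the
    // string literal and the script does not parse.
    print "
<form method=post action=\"$safeUri\">
<p>Permission to <span class=permit>connect to ports 12345
and 12346 at host
<code>$safeHost</code></span> granted: <input
type=checkbox name=permission value=\"ok\"></p>
<p><input class=submit type=submit></p>
</form>
";
}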
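// **********
// MAIN
// **********
// Some definitions - the standard Netbus ports
$netBusPortA = 12345; // default port NetBus listens on
$netBusPortB = 12346;

// Request data is read from the superglobals. The bare $SERVER_NAME,
// $REMOTE_ADDR, $permission ... variables only exist with register_globals
// (removed in PHP 5.4), which also let request parameters overwrite them.
$serverName = isset($_SERVER['SERVER_NAME']) ? (string) $_SERVER['SERVER_NAME'] : '';
$requestUri = isset($_SERVER['REQUEST_URI']) ? (string) $_SERVER['REQUEST_URI'] : '';
$requestMethod = isset($_SERVER['REQUEST_METHOD']) ? (string) $_SERVER['REQUEST_METHOD'] : '';
$referer = isset($_SERVER['HTTP_REFERER']) ? (string) $_SERVER['HTTP_REFERER'] : '';
$permission = (isset($_POST['permission']) && is_string($_POST['permission']))
    ? $_POST['permission']
    : '';

// This may seem stupid; but if PHP is running in 'safe mode',
// the script_URI environment variable doesn't seem to
// be readily available.
// NOTE(review): the scheme is fixed to http://, so when the page is served
// over https the Referer comparison below never matches.
$uri = "http://" . $serverName . $requestUri;

// Address of the requesting client. Only this address is ever probed.
$remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
if (filter_var($remoteAddr, FILTER_VALIDATE_IP) === false) {
    $remoteAddr = '';
}
// fsockopen() needs a numeric IPv6 address enclosed in square brackets.
$target = (strpos($remoteAddr, ':') !== false) ? "[$remoteAddr]" : $remoteAddr;

// The reverse-DNS name is used as a display label only. The PTR record is
// controlled by whoever runs the reverse zone for the address, so connecting
// to that name could point the probe at a machine other than the requester.
$host = $remoteAddr;
if ($remoteAddr !== '') {
    $reverseName = gethostbyaddr($remoteAddr);
    if (is_string($reverseName) && preg_match('/^[A-Za-z0-9.-]+$/', $reverseName)) {
        $host = $reverseName;
    }
}
$safeHost = htmlspecialchars($host, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$safeUri = htmlspecialchars($uri, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Requesting host innocent until otherwise proven
$netBusStatus = 0;

// Trying to make sure that the user actually wants me
// to scan his/her ports. - And trying to make sure that nobody is
// directly linking to the script.
// The Referer header is supplied by the client: this check keeps ordinary
// cross-site links and forms from triggering a probe, it does not
// authenticate anything.
$permitted = ($permission === "ok")
    && ($requestMethod === "POST")
    && ($referer === $uri)
    && ($remoteAddr !== '');

if (!$permitted) {
    // Write the permission-asking form - i.e. call the
    // previously defined 'printForm' function
    printForm($host, $uri);
} else {
    // Paranoia checks OK. Let's do it
    print "
<h2>Processing host $safeHost...</h2>
<table border=1 cellpadding=5>
";
    print "<tr><td>";
    // Call script and add the status to the sum of status
    // codes. The function 'connectToPort' is defined above
    $netBusStatus += connectToPort($target, $netBusPortA);
    print "</td></tr>";
    print "<tr><td>";
    // Call the connect-function again for the other port
    $netBusStatus += connectToPort($target, $netBusPortB);
    print "</td></tr>";
    print "</table>";
    // Summarize results
    print "<h2>Conclusion</h2>";
    if ($netBusStatus > 0) {
        // The sum of status codes should be zero.
        // User probably has Netbus installed.
        print "
<p>Connection to at least one Netbus port
succeeded. That's a <strong class=bad>bad</strong> sign!</p>
<p>This means that you probably have Netbus installed
on your computer. See
<a href=\"http://www.iss.net/xforce/alerts/advise8.html\">ISS'
alert summary</a> for removal instructions.</p>
";
    } else {
        // It's nice to bring good news
        print "
<p>No Netbus ports responded at host $safeHost.
Congratulations - that's a <strong class=good>good</strong> sign!</p>
<p>This may not be a definitive test, though:
<br> - If Netbus is installed at non-standard ports or
<br> - if you are sitting behind a firewall,
<br>this utility will fail to detect Netbus.</p>
<p>You may <a href=\"$safeUri\">try again</a>.</p>
";
    }
}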
?>