Web (PHP) Hacking, Risk Code Checker

It was created to monitor the installation of malicious PHP through server hacking and to make it easy to check for dangerous code.

  1. Write the code in the server account and upload it.
    * Name: Kilho's PHP Diagnosis
    * Author: Kilho Oh ([email protected])
    * Author URI: http://kilho.net/
    class TDiagnosis
    public $dir;public function __construct()
    $this->dir = $_SERVER['DOCUMENT_ROOT'].'/';
    }private function SeekFile($dir, &$files)
    $hnd = opendir($dir);
    while (false !== ($entry = readdir($hnd)))
    if(in_array($entry, array('.', '..'))) continue;if(is_dir($dir.$entry) && !in_array($entry, array('.', '..')))
    $this->SeekFile($dir.$entry.'/', $files);
    if(!in_array(substr($entry, strrpos($entry, '.')+1), array('php', 'inc', 'html', 'htm', 'php3'))) continue;$file = $dir.$entry;
    if(!in_array($file, $files)) $files[] = $file;
    }private function Diagnosis($files)
    $suspicion = array();
    $loop = 0;
    do {
    $file = $files[$loop];
    $loop++;if($file == $_SERVER['SCRIPT_FILENAME']) continue;$data = file_get_contents($file);
    $data = preg_replace('//*(.*?)*//is', '', $data);
    $data = preg_replace('///*(.*)n/', '', $data);if(preg_match('/(^|s|?php3|[?])(eval|system|exec)s*(/i', $data))
    $suspicion[] = $file;
    } while ($loop < count($files));return $suspicion;
    }public function Run()
    $files = array();
    $this->SeekFile($_SERVER['DOCUMENT_ROOT'].'/', $files);
    return $this->Diagnosis($files);
    * Main
    $diagnosis = new TDiagnosis;$result['host'] = $_SERVER['HTTP_HOST'];
    $result['suspicion'] = $diagnosis->run();
    echo json_encode($result);
  2. Click the Download button below to download the monitoring program.
  3. Run the downloaded program and enter the URL created in (1) in URL (s).
  4. If you click Diagnose, the name of the suspicious file will be shown below.
  5. If you have any unusual code, be sure to check the file.



  • sh y

    Download and compress
    Malware / Gen.Generic.C1094687 in v3
    Detect and delete it.

    • Kilho Oh

      V3 is wrong. This is a very serious vaccine, so there is nothing wrong with Delphi source. Thank you ^ ^

      • sh y

        Ah… Is v3 wrong?
        So what should we change?

        • Kilho Oh

          Only Windows Defender built into Windows 10 is enough. ^^

          • sh y

            I have not installed Windows 10 yet
            Windows 7 is easy to write.
            And I have another question.
            You can not arbitrarily designate a program to force shutdown with K cleaner?
            I'm using the Ransom Way program called AppCheck.
            It ends with it.

          • Kilho Oh

            Enter the app check file name in noclean.txt and it will not be terminated.
            And Windows 7 has also installed Defender. ^^

          • sh y

            It does not end.
            Real-time protection turned off in app check
            Is this necessary?

          • Kilho Oh

            Programs related to real-time protection are expected to have ended.
            Please check if there is any related processor that has been terminated.

          • sh y

            Aha ~ ~ solved Thank you ~~~~

  • skypass

    I'm a computer star, so I do not know how to get the code to the server account at once.

    • Kilho Oh

      Copy and paste the contents into Notepad or other editor and save it as a file.

      • Kim Min Soo

        I do not know what the code is .. I do not know .. I will ask for it .. If you can do it by e-mail .. [email protected] I'm sorry ㅠ

        • I do not know if I sent the mail ^^; I did not check the comment properly during the server recovery process with Nanyana Ransomware.

  • diana ak

    Warning: preg_replace(): Unknown modifier ‘*’ in /html/php.php on line 33

    Warning: preg_replace(): Unknown modifier ‘/’ in /html/php.php on line 34

    Warning: preg_match(): Compilation failed: nothing to repeat at offset 5 in /html/php.php on line 34

    I'm getting an error.

  • A few days ago I saw this program and thought it would be great if I made it into a WordPress plugin (a simple plugin that works just by installing it without options).

    I am writing a WordPress article in the Chosun Ilbo IT magazine (I do not remember the exact name now). Hehe

    I've been working on the WordPress tutorial for developers over the last six weeks, and I thought that if I had a young front-end friend who started up with my friend Kilho, I would be able to pick one MVP that's not difficult. If MVP comes out, I will receive funding (of course, give me a stake).

    I think MVP will package Kilho's utilities into one ... ... .

    Ah,… My idea, if you are interested, I will email you. Hehe

    • I tried to see the comments ^^

      Ah. And, I'm curious about the idea ^^ I will ask you sooner or later.

      • I have tested both the localhost and the real server, and when I run this program, it looks like the file kh_scan.dat should be created and probably send the data of the file to the windows program. .

        I have not created a file called kh_scan.dat.

        I have tested both the plugin and just the php file.

        Both my localhost and the real server are Nginx. I do not know if it's related to this, or because I'm not on the back-end. ^^ ;;

        Oh, the download page is jQuery script error. haha

        • Thank you ^^ The jQuery error part has been fixed.
          And I tried to save the kh_scan.dat creation to the plugins / kh-scan folder, but it failed because of permissions problem. (The test server was created because it is Windows.
          The generated files were placed in / wp-content / uploads / kh-scan.

          You can download new ones ^ ^

      • Oh, and not because of Nginx, but because my php version is 7.14 ... 100% It is an unfounded guess.

      • What? Is there a difference between the description in the text and the actual code?

        Looking back at the source file, the plugin seems to be sending the scan results to the admin email.

        wp_mail(get_bloginfo('admin_email'), $title, $content);

        Is that right?

        And check the email now ... .

        I think Kilho's plugin sent the email correctly.

        Success !!!! Hehe

        Works well.

        I will write an introduction to Kilho's plug-in, and I will also mention this plug-in in Chosun Ilbo IT magazine article.

        Thank you for developing and sharing a good plugin. ^^

    • Is not it microsoft software of IT shipbuilding?

      • Yes. I am checking it now.

        But I've never heard it before ... IT shipbuilding is ... Hehe

        I do not know what magazine company ... .

        I do not like to write because it looks like a magazine that does not even look a few.

        I wrote it halfway ... . Ha ha ha

        I like to write blog posts, I do not like to write this article.

        • I understand that almost all magazines in our country have only a small number of subscribers.

          People in our country do not see the book itself.

          I do not know if these days, but I used to deal with Japanese news reading on the Japanese train. I do not read books because my internet people are not reading books.

  • It's a good program.

    I have been backing up frequently while watching the Ransomware case. And I installed a little heavy security plug-in, and I do not know how effective it is.