php木马一般含有<?php eval($_POST[cmd]);?>或者<?php assert($_POST[cmd]);?>

find ./ -type f -name "*" | xargs grep "eval("

http://bbs.dianlan.cn/phpimg/bbs/upload/2731435152797.jpg/.php

37351437201717.jpg/.php

http://www.nginx.cn/316.html

http://blog.sina.com.cn/s/blog_4bf0ab590101mkm0.html

http://blog.sina.com.cn/s/blog_4bf0ab590101mkm0.html

http://www.server110.com/nginx/201309/1805.html

http://hx100.blog.51cto.com/44326/619925/

http://www.jb51.net/article/19292.htm

**************************************************

1.禁止某个目录执行执行php

【nginx】

location ~* ^/(upload|images)/.*\.(php|php5)$

{

deny all;

}

2.避免伪装其它后缀的脚本执行

【php.ini】

·关闭cgi.fix_pathinfo = 1→0

【nginx】

·判断

location ~* .*\.php($|/)

{

    if ($request_filename ~* (.*)\.php) {

        set $php_url $1;

    }

    if (!-e $php_url.php) {

        return 403;

    }

}

3.工程上传目录及cache目录以外，给只读权限

4.限制php执行权限

【php.ini】

·disable_functions =

  phpinfo,system,passthru,shell_exec,exec,popen,proc_open,chroot,scandir,chgrp,chown

  phpinfo,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

  phpinfo,exec,system,passthru,popen,pclose,shell_exec,proc_open,dl,curl_exec,multi_exec,chmod,gzinflate,set_time_limit