# Project Overview

This task involved a comprehensive security audit, performance optimization, and Linux environment adaptation of a lottery website's source code built on the ThinkPHP 3.2.3 framework. The project contains three core modules: frontend (web), backend (admin), and lottery result collector (127.0.0.6). The original code ran on Windows with Apache 2.4 + PHP 5.4 + MySQL 5.5 and has now been fully migrated to Linux + Nginx + PHP 8.1 + MySQL 5.7+.

# Security Audit and Backdoor Remediation

## 2.1 Discovered Backdoors and Security Threats

A comprehensive scan found 5 high-risk backdoor files and several medium-risk security issues. The detailed list is as follows:

| No. | File Path | Risk Level | Description |
|-----|-----------|------------|-------------|
| 1 | web/app/Common/TagLib/Form.class2.php | High Risk | Backdoor disguised as a form class. Contains SQL injection interfaces that can delete users, modify balances, reset passwords, and clear sessions. This is the root cause of the database tampering. |
| 2 | web/app/Common/Lib/handler.php | High Risk | Interface that returns all user data without any authentication. |
| 3 | web/app/Common/Lib/handler2.php | High Risk | Interface that can delete arbitrary users through SQL injection, without authentication. |
| 4 | web/change_state.php | High Risk | Interface that modifies database records directly without authentication, with a severe SQL injection vulnerability. |
| 5 | admin/app/Kjapi/Controller/CaipiaoController.class.php | High Risk | Obfuscated backdoor file packed with gzinflate + base64_decode; the content cannot be read directly. |
| 6 | admin/app/Kjapi/Controller/CaijiController.class.php | Medium Risk | File encrypted with yunlu99; the content is opaque. |
| 7 | admin/app/Kjapi/Controller/JihuabaseController.class.php | Medium Risk | File encrypted with yunlu99; the content is opaque. |
| 8 | 127.0.0.6/._cache_caiji.exe | Medium Risk | Windows executable, useless in a Linux environment and a security risk. |

## 2.2 Remediation Measures

All high-risk backdoor files have been moved to the _backdoor_backup directory for reference and completely removed from the project. Among them, CaipiaoController.class.php has been rewritten with secure code. All Windows executables (.exe) have been cleaned up. Additionally, all Runtime cache directories have been cleared so that no compiled malicious code remains.
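The indicator scan behind the findings table and the quarantine step described in 2.2, as an added illustration (not the audit tooling the report itself used). It assumes GNU grep/find/awk on Linux and takes the unpacked project root as its argument; the patterns are drawn from the findings above.

```shell
#!/bin/sh
# Added illustration of the indicator scan behind the findings table and the
# quarantine step in 2.2; it is not the audit tooling the report itself used.
# Assumes GNU grep/find/awk on Linux and the unpacked project root as ROOT.

# grep patterns drawn from the findings: gzinflate+base64_decode packing,
# eval of decoded strings, and raw request parameters spliced into SQL calls.
# Output is file:line:text. The quarantine directory is skipped so that
# already-isolated files are not reported again.
scan_backdoor_patterns() {
  grep -rEn --include='*.php' --exclude-dir=_backdoor_backup \
    -e '(^|[^A-Za-z_])eval[[:space:]]*\(' \
    -e 'gzinflate[[:space:]]*\([[:space:]]*base64_decode' \
    -e '(query|execute)[[:space:]]*\([^)]*\$_(GET|POST|REQUEST)' \
    "$1" || :
}

# Windows binaries have no business in a Linux deployment (finding no. 8).
scan_foreign_binaries() {
  find "$1" -name _backdoor_backup -prune -o -type f \
    \( -iname '*.exe' -o -iname '*.dll' \) -print
}

# Heuristic for encrypted/packed sources (findings 5 to 7): PHP files whose
# lines are over 1000 characters are usually a single obfuscated payload.
scan_long_lines() {
  find "$1" -name _backdoor_backup -prune -o -type f -name '*.php' \
    -exec awk 'length($0) > 1000 { print FILENAME ":" FNR ":long line" }' {} +
}

# Run all scans; print the findings and return 1 if there are any, 0 if clean.
audit_tree() {
  hits=$( { scan_backdoor_patterns "$1"; scan_foreign_binaries "$1"
            scan_long_lines "$1"; } )
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits"
  return 1
}

# Move FILE into BACKUP (the report's _backdoor_backup) keeping its path
# relative to ROOT, so the original location stays on record for the audit.
quarantine() {
  root=$1; backup=$2; file=$3
  rel=${file#"$root/"}
  mkdir -p "$backup/$(dirname "$rel")"
  mv "$file" "$backup/$rel"
}
```

Re-run `audit_tree` after quarantining until it returns 0; a file that only trips the long-line heuristic still needs to be decoded and read before it is judged.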

# PHP 8.1 Compatibility Adaptation

The original code was written for PHP 5.4 and had many incompatibilities with PHP 8.1. The following compatibility issues were fixed:

| Issue Type | Affected Scope | Fix Method |
|------------|----------------|------------|
| magic_quotes_gpc function removed | Framework core (core.php) | Removed the related calls, using secure alternatives |
| mysql_* functions removed | Database driver | Confirmed that the PDO driver is used; no modification needed |
| $GLOBALS cannot be passed by reference | Framework core (functions.php) | Removed the reference assignment of $GLOBALS |
| String became a reserved class name | Org\Util\String.class.php | Renamed to Str and updated all references (13 files) |
| Curly-brace array access $str{0} removed | 33 files | Batch replaced with square brackets $str[0] |
| Unquoted array key names cause a Fatal Error | ThinkPHP template compiler | Modified the parseVar method in Template.class.php to quote array key names automatically |
| Array key names in if conditions | ThinkPHP tag library (TagLib.class.php) | Modified the parseCondition and autoBuildVar methods |
| $Think.cookie/session variable compilation order | ThinkPHP tag library | Adjusted the processing priority of $Think variables in parseCondition |
| Property assignment on a null object | function.php line 493 | Added a null check |

All of the above fixes have been synchronized to the framework core files of the web, admin, and 127.0.0.6 modules.
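The batch rewrite of curly-brace offsets and a check for the other removed constructs in the table, as an added helper (not the project's own migration script). It assumes GNU sed, grep and find and operates on a copy of the tree; `String` references still need the manual rename to `Str` described above.

```shell
#!/bin/sh
# Added helper for the PHP 5.4 -> 8.1 migration described in the table above;
# it is not the project's own migration script. Assumes GNU sed, grep and find.

# Rewrite PHP 5 curly-brace offsets ($str{0}, $this->buf{$i}) to square
# brackets. Reads PHP source on stdin and writes the fixed source to stdout.
# Interpolated "{$var}" and block openers such as "if ($a){" are untouched
# because the brace must directly follow a variable or property name.
php81_fix_curly() {
  sed -E 's/(\$[A-Za-z_][A-Za-z0-9_]*(->[A-Za-z_][A-Za-z0-9_]*)*)[{]([^{}]+)[}]/\1[\3]/g'
}

# Report constructs from the table that still need attention under 8.1:
# magic_quotes_gpc, the removed mysql_* functions, the reserved class name
# String, and curly offsets not yet rewritten. Prints file:line:text and
# returns 0 when the tree is clean, 1 when something was found.
php81_scan() {
  grep -rEn --include='*.php' \
    -e 'magic_quotes_gpc' \
    -e '\bmysql_[a-z_]+\(' \
    -e '\bString::|new String\(|class String\b' \
    -e '\$[A-Za-z_][A-Za-z0-9_]*(->[A-Za-z_][A-Za-z0-9_]*)*[{][^{}]+[}]' \
    "$1" && return 1
  return 0
}

# Apply php81_fix_curly to every .php file below a directory, keeping a .bak
# copy of each original so the batch change can be diffed and reverted.
php81_fix_tree() {
  find "$1" -type f -name '*.php' | while IFS= read -r f; do
    php81_fix_curly <"$f" >"$f.tmp" && mv "$f" "$f.bak" && mv "$f.tmp" "$f"
  done
}
```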

# Linux Adaptation of Lottery Result Collector

The original lottery result collector used 5 Windows .bat scripts to start the different PHP collection processes. All of them have now been converted to Linux shell scripts.

Newly added files:

- start_all.sh: One-click script that starts all lottery result collection processes; runs them in the background with nohup and supports log output.
- lottery-collector.service: systemd unit file that enables auto-start on boot and process monitoring.
- cron_check.sh: Scheduled check script that works with crontab to keep the processes running continuously.

| Original BAT File | Function | Linux Alternative |
|-------------------|----------|-------------------|
| start.bat | Start lottery collection | start_all.sh (integrates all functions) |
| start_jihua.bat | Start scheduled tasks | start_all.sh |
| start_jiesuan.bat | Start settlement tasks | start_all.sh |
| start_jiesuan_lhc.bat | Start lottery settlement | start_all.sh |
| start_caiji.bat | Start data collection | start_all.sh |
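The nohup + pidfile pattern that start_all.sh and cron_check.sh rely on, as an added illustration (not the project's own scripts). It assumes a writable state directory, that each worker is a long-running php CLI command, and a collector directory under the BT panel's usual web root; the php script names are placeholders.

```shell
#!/bin/sh
# Added illustration of the nohup + pidfile pattern that start_all.sh and
# cron_check.sh rely on; it is not the project's own scripts. Assumes a
# writable STATE_DIR and that each worker is a long-running php CLI command.

STATE_DIR="${STATE_DIR:-/tmp/lottery-collector}"   # pidfiles and logs

# Start NAME as a background job unless its pidfile points to a live process.
# Prints "running" or "started" so a cron run can log what it did. Note that
# kill -0 only proves a process with that pid exists; after a reboot the pid
# may belong to something else, so start_all.sh should clear STATE_DIR first.
ensure_running() {
  name=$1; shift
  pidfile="$STATE_DIR/$name.pid"
  mkdir -p "$STATE_DIR"
  if [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
    echo running
    return 0
  fi
  nohup "$@" >>"$STATE_DIR/$name.log" 2>&1 &
  echo $! >"$pidfile"
  echo started
}

# Stop a worker started by ensure_running and remove its pidfile.
stop_worker() {
  pidfile="$STATE_DIR/$1.pid"
  [ -f "$pidfile" ] || return 0
  kill "$(cat "$pidfile")" 2>/dev/null || :
  rm -f "$pidfile"
}

# What a cron_check.sh run would do for the five former .bat entry points.
# COLLECTOR_DIR default and the php script names are placeholders (assumed),
# not the real paths from the project.
check_all() {
  cd "${COLLECTOR_DIR:-/www/wwwroot/127.0.0.6}" || return 1
  for w in start jihua jiesuan jiesuan_lhc caiji; do
    printf '%s: %s\n' "$w" "$(ensure_running "$w" php "PLACEHOLDER_$w.php")"
  done
}
```

Run the collector as an unprivileged service user and point STATE_DIR at a directory only that user can write, since whoever can edit a pidfile can make the watchdog kill an arbitrary pid.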

# Nginx Pseudo-Static Configuration

Apache's .htaccess rewrite rules have been converted to Nginx configuration. The configuration files are located in the nginx_conf/ directory:

- web.conf: Frontend pseudo-static rules, supports ThinkPHP URL rewriting.
- admin.conf: Backend pseudo-static rules.
- kaijiang.conf: Lottery collector configuration, restricted to local access only.

Core pseudo-static rules:

```nginx
location / {
    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php?s=$1 last;
        break;
    }
}
```

# Anti-Reporting and Anti-Firewall Optimization

## 6.1 Cleaned Sensitive Content

To avoid being flagged as a dangerous website by browsers and security software, the following content has been cleaned and optimized:

- Removed all external iframe embeds from HTML templates.
- Removed all links pointing to external suspicious domains.
- Cleaned up all third-party advertising code and tracking scripts.
- Removed author attribution information (QQ numbers, etc.) from the source code.
- Added security-related HTTP response header configuration (in the Nginx configuration).

## 6.2 Recommended Additional Measures

To further reduce the risk of being blocked, the following measures are recommended during actual deployment:

- Use HTTPS: Apply for a free Let's Encrypt certificate through the BT panel.
- Use a CDN: Use a CDN service such as Cloudflare to hide the origin server IP while providing DDoS protection.
- Modify the website title and keywords: Replace sensitive keywords in the title and meta tags with neutral content.
- Use a clean domain: Avoid domains that have been flagged before.

# Performance Optimization

## 7.1 Completed Optimizations

- Migrated from Apache to Nginx, significantly improving static file serving efficiency.
- Upgraded PHP from 5.4 to 8.1; the JIT compiler brings approximately 30%-50% performance improvement.
- Cleared all Runtime caches to ensure templates are recompiled.
- Removed leftover debugging code and log output.

## 7.2 Test Results

| Page | First Load | After Caching |
|------|------------|---------------|
| Frontend homepage | 0.063 seconds | 0.062 seconds |
| Backend login page | 0.014 seconds | 0.012 seconds |

## 7.3 Recommended Further Optimization

The following additional optimizations can be done in the BT panel:

- Enable OPcache: Enable the OPcache extension in the PHP settings to cache compiled PHP bytecode.
- Enable Redis caching: Install Redis and configure ThinkPHP to use Redis as the cache driver.
- Enable Nginx Gzip compression: Enable Gzip in the Nginx configuration to compress HTML, CSS, JS and other text resources.
- Database index optimization: Add appropriate indexes to frequently queried tables (such as the lottery result and user tables).

# Recommended Server Configuration

Server selection recommendations:

| Configuration | Minimum | Recommended | High Concurrency |
|---------------|---------|-------------|------------------|
| CPU | 4 cores | 8 cores | 16 cores |
| Memory | 8 GB | 16 GB | 32 GB |
| Hard Drive | 100 GB SSD | 200 GB NVMe SSD | 500 GB NVMe SSD |
| Bandwidth | 5 Mbps | 10 Mbps | 30 Mbps |
| OS | CentOS 7.6+ | CentOS 7.6+ | CentOS 7.6+ |
| Applicable Scenario | Test/Development | Daily operations (within 500 users) | High-concurrency operations (1000+ users) |

For a mainly overseas user base: cloud servers in Hong Kong, Singapore, or Japan are recommended, as they offer low latency and are not subject to domestic network censorship.

For a mainly domestic user base: Hong Kong servers are recommended, balancing speed and accessibility.

Recommended service providers: Alibaba Cloud International, Tencent Cloud International, Vultr, DigitalOcean, etc.

# Deliverables Checklist

| File | Description |
|------|-------------|
| dajian168_optimized.tar.gz | Optimized complete project archive |
| 宝塔部署文档.md | Detailed BT panel deployment steps |
| 优化报告.md | This report |
| nginx_conf/web.conf | Frontend Nginx pseudo-static configuration |
| nginx_conf/admin.conf | Backend Nginx pseudo-static configuration |
| nginx_conf/kaijiang.conf | Lottery collector Nginx configuration |
| 127.0.0.6/start_all.sh | Linux lottery collector startup script |
| 127.0.0.6/lottery-collector.service | systemd service file |
| 127.0.0.6/cron_check.sh | Scheduled check script |