Received an email from the Google team
Subject: Malware notification regarding www.c1gstudio.com
Dear site owner or webmaster of www.c1gstudio.com,
We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.
Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):
http://www.c1gstudio.com/?q=Asp
http://www.c1gstudio.com/?q=CPA
http://www.c1gstudio.com/?q=LTE
Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.c1gstudio.com/%3Fq%3DAsp
We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser
If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
http://www.stopbadware.org/home/security
Once you've secured your site, you can request that the warning be removed by visiting
http://www.google.com/support/webmasters/bin/answer.py?answer=45432
and requesting a review. If your site is no longer harmful to users, we will remove the warning.
Sincerely,
Google Search Quality Team
1. Found the malicious JS code in the web page
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return
…
2. A quick look through the web root turned up no suspicious files,
and there were no suspicious requests in the log reports either.
Search for the signature with a command to find every infected file:
grep -R 'eval' /opt/htdocs > /tmp/eval
3. Filter out the PHP files that may contain the trojan
grep '\.php' /tmp/eval > /tmp/evalphp
Found the trojan in evalphp:
eval(gzinflate(base64_decode('ZJ1Hj4NsloX3/Uf6k1iQkzSaFjmaYEzctMg5Z379UOspqRZ2VWF4773nnAew6z//+z//marpX//Kj7j7p3zqoejiLf8ni
….
4. Confirmed it was the vulnerability in dede's article module
5. Renamed the trojan
Search the web logs for requests to that file: this gives the attacker's IP and shows what operations were performed.
See
http://blog.c1gstudio.com/archives/448
Apply the patch and restore the infected files.
The dede program is really not trustworthy; added an IP restriction to it.
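The steps above (search the tree for eval-style signatures, keep only PHP hits, pull the attacker's IP out of the access log, rename the backdoor) as one reusable script. This is an added example, not the commands from the original post: the signature regexes, the /include/shell.php path, the IP addresses and every log line are constructed fixtures, and the grep pattern is deliberately narrower than the post's plain 'eval' so that legitimate code produces fewer hits.

```shell
#!/bin/sh
# Added example, not the author's commands. All paths, file contents and
# log lines below are constructed fixtures for a stand-alone run.

# Narrower than grep 'eval': only eval() wrapped around a decoder, the shape
# of the PHP backdoor quoted in the post (assumed signature, extend as needed).
PHP_SIGNATURE='eval[[:space:]]*\((gzinflate|base64_decode|str_rot13|gzuncompress)'
# The packer prologue seen in the injected JavaScript (assumed signature).
JS_SIGNATURE='eval(function(p,a,c,k,e,d)'

# Print every .php file under $1 matching PHP_SIGNATURE, sorted.
scan_for_eval() {
    grep -rlE --include='*.php' "$PHP_SIGNATURE" "$1" 2>/dev/null | sort
}

# Print every .html/.js file under $1 carrying the packed-JS prologue, sorted.
scan_for_packed_js() {
    grep -rlF --include='*.html' --include='*.js' "$JS_SIGNATURE" "$1" 2>/dev/null | sort
}

# From combined-format log $1, print "count ip" for every client that
# requested path $2, most active first (the post's step for finding the IP).
attacker_ips() {
    grep -F "$2" "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Rename a backdoor so the web server no longer executes it but the file is
# kept as evidence; prints the new path.
quarantine() {
    mv "$1" "$1.quarantined"
    echo "$1.quarantined"
}

# Build a constructed document root and access log; echoes the temp root.
make_fixtures() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/include"
    # clean page: must not be reported
    printf '<?php echo "hello"; ?>\n' > "$root/htdocs/index.php"
    # constructed backdoor-shaped file; "aGk=" is just base64 of "hi"
    printf '<?php eval(gzinflate(base64_decode("aGk="))); ?>\n' > "$root/htdocs/include/shell.php"
    # non-PHP file mentioning the signature: must not be reported
    printf 'eval(gzinflate(...))\n' > "$root/htdocs/notes.txt"
    # page with the injected packed JavaScript
    printf '<script>eval(function(p,a,c,k,e,d){return 1})</script>\n' > "$root/htdocs/foot.html"
    # constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    cat > "$root/access.log" <<'EOF'
203.0.113.7 - - [10/Oct/2009:10:00:01 +0800] "GET /include/shell.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [10/Oct/2009:10:00:05 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2009:10:01:12 +0800] "POST /include/shell.php HTTP/1.1" 200 77 "-" "Mozilla/4.0"
EOF
    echo "$root"
}

# Stand-alone run: scan, report, quarantine, clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixtures)
    echo "infected php:";  scan_for_eval "$root/htdocs"
    echo "infected html/js:"; scan_for_packed_js "$root/htdocs"
    echo "clients hitting the backdoor:"; attacker_ips "$root/access.log" /include/shell.php
    for f in $(scan_for_eval "$root/htdocs"); do quarantine "$f"; done
    rm -rf "$root"
fi
```

Run it with `sh script.sh --demo`; against a real tree point scan_for_eval at the document root and attacker_ips at the server's access log, and review every hit by hand, since packed JavaScript and base64 decoding also occur in legitimate code.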