my server side PHP still got hacked after reCaptcha (hundreds of spam emails)


Problem description


My previous question on StackOverflow was about someone sending me hundreds of spam emails every few hours. Now, I fixed the script on the server side, but the next morning I still got 30 emails or so, and my hosting company gave me a new password for my FTP and moved my index files to a backup folder (website offline). They said it was hacked because of the suspicious script below. They said: "This often happens via a leaked script in your website, a script that is 'out of date'." What does that mean? They say in the email that there is something wrong with this script file. Which is impossible to hack into, right, because I used reCaptcha on the server side? Is there something missing?

<?php

if(isset($_POST['g-recaptcha-response'])){
    $captcha=$_POST['g-recaptcha-response'];
}

/* OUTCOMMENTED CODE BELOW DOESN'T LET FORM SEND IF EVERYTHING IS CHECKED????

if(!$captcha){
    echo '<h2>Check captcha .</h2>';
    exit;
}*/

$response=file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=(SECRETKEY)&response=".$captcha."&remoteip=".$_SERVER['REMOTE_ADDR']);
if($response.success==false)
{
    echo '<span id="status" style="font-size:1vmax;color:red;">ReCaptcha ERROR</span>';
}else
{
    if( isset($_POST['n']) && isset($_POST['e']) && isset($_POST['mn']) && isset($_POST['m']) ){
        $n = $_POST['n']; // HINT: use preg_replace() to filter the data
        $e = $_POST['e'];
        $mn = $_POST['mn'];
        $m = nl2br($_POST['m']);
        $to = "gesternl@gester.nl";
        $from = $e;
        $subject = 'Contact Formulier-eng';
        $message = '<b>Naam:</b> '.$n.' <br><b>Email:</b> '.$e.' <br><b>Mobiel-nummer:</b> '.$mn.' <p>'.$m.'</p>';
        $headers = "Van: $from\n";
        $headers .= 'MIME-Version: 1.0' . "\r\n";
        $headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
        if( mail($to, $subject, $message, $headers) ){
            echo "success";
        } else {
            echo "The server failed to send a message. Please try again later. Thank you!";
        }
    }
}
?>


I just uploaded it again to see what is going to happen now. Can someone please help me make this file secure against a hacker? Nobody really helped in the previous question; they only gave advice without code (and I am a noob).


(The commented-out code around line 8 doesn't work, which I don't understand. Does someone know why that is? Is that maybe why someone can hack into it?)


And yes, the code in the HTML for reCaptcha is correctly linked with the public key.

Recommended answer

  1. You have to sanitize the user input, as @kevin Cai said.
  2. You have a bug: if($response.success==false)

$response = file_get_contents("......");

// siteverify answers with JSON; decode it before reading the "success" field
$result = json_decode($response);

if ($result->success == false) {
    // captcha failed: stop here, do not send the mail
}
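A hardened version of the handler, added here as an example (it is neither the asker's script nor part of the answer above). It assumes PHP 7.4 or later, the same POST field names, and placeholder values for the secret key, the sender and the recipient address.

```php
<?php
// Added example, not the asker's script: a hardened version of the handler. Assumed: the
// same POST fields (n, e, mn, m, g-recaptcha-response); secret and addresses are placeholders.
declare(strict_types=1);
const RECAPTCHA_SECRET = 'PLACEHOLDER_SECRET_KEY';
const MAIL_TO = 'placeholder@example.com';
// True only when the siteverify JSON reports success. The original script never decoded
// the JSON: "$response.success" is string concatenation, so the result was never inspected.
function captcha_ok(string $token, string $ip): bool
{
    if ($token === '') {
        return false;                            // no token: fail closed
    }
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => http_build_query(['secret' => RECAPTCHA_SECRET, 'response' => $token, 'remoteip' => $ip]),
        'timeout' => 5,
    ]]);
    $raw = file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    $result = $raw === false ? null : json_decode($raw, true);
    return is_array($result) && ($result['success'] ?? false) === true;
}
// Values that go into mail headers must not contain CR/LF, otherwise a spammer can append
// extra header lines (for example more recipients) through the form fields.
function header_safe(string $v): bool
{
    return preg_match('/[\r\n]/', $v) !== 1;
}
if (!captcha_ok($_POST['g-recaptcha-response'] ?? '', $_SERVER['REMOTE_ADDR'] ?? '')) {
    http_response_code(403);
    exit('Captcha check failed.');
}
$name   = trim($_POST['n'] ?? '');
$email  = trim($_POST['e'] ?? '');
$mobile = trim($_POST['mn'] ?? '');
$msg    = trim($_POST['m'] ?? '');
if ($name === '' || $msg === '' || !header_safe($email)
    || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid input.');
}
// Escape user text before embedding it in HTML; send From a fixed address on your own
// domain (the original put the visitor's address there) and use Reply-To for the visitor.
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
$body = '<b>Naam:</b> ' . $h($name) . '<br><b>Email:</b> ' . $h($email)
      . '<br><b>Mobiel-nummer:</b> ' . $h($mobile) . '<p>' . nl2br($h($msg)) . '</p>';
$headers = "From: noreply@example.com\r\nReply-To: $email\r\n"
         . "MIME-Version: 1.0\r\nContent-Type: text/html; charset=UTF-8\r\n";
echo mail(MAIL_TO, 'Contact Formulier-eng', $body, $headers) ? 'success' : 'Send failed.';
```

The two changes that matter for the spam problem are that the captcha result is now actually decoded and checked before anything else runs, and that the only user-supplied value reaching the mail headers is an address that has passed filter_var and the CR/LF check.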

