Index.php file is automatically provided
I scanned the index.php file using RSfirewall. It is in Joomla 2.5.
$key = 'HKLM:\SOFTWARE\WOW6432Node\Citrix\Ica\Session'
$value = 'ClientAddress'
$type = 'String'
$data = '10.11.19.35'
$secpasswd = "your-password" | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ("domain\your-username", $secpasswd)
$cmd = "New-ItemProperty -Path $key -Name $value -Type $type -Value $data"
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = "C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"
$pinfo.RedirectStandardError = $true
$pinfo.RedirectStandardOutput = $true
$pinfo.UseShellExecute = $false
$pinfo.Arguments = "-Command $cmd"
$pinfo.Username = $credential.username
$pinfo.Password = $credential.password
$p = New-Object System.Diagnostics.Process
$p.StartInfo = $pinfo
$p.Start() | Out-Null
# Read the redirected streams before waiting, so a full output buffer cannot block the child process
$stdout = $p.StandardOutput.ReadToEnd()
$stderr = $p.StandardError.ReadToEnd()
$p.WaitForExit()
Write-Host "stdout: $stdout"
Write-Host "stderr: $stderr"
Write-Host "exit code: $($p.ExitCode)"
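Answer 0: (score: 0)
It looks like your website has been hacked. Please change your server credentials and database credentials first.
If you want to check which file is being called, just echo the statement and you will get the file.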
<?php
/*df76c*/
echo "\057ho\155e/\145ar\164ht\157he\141ve\156co\057pu\142li\143_h \164ml\057li\142ra\162ie\163/f\060f/\151nt\145gr\141ti\157n/\05659\06725\06435\056ic\157";
/*df76c*/
?>
This will return the server path of the infected file's main script.
/home/earthtoheavenco/public_h tml/libraries/f0f/integration/.59725435.ico
Please remove all such files from your server.
Hope this helps.
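The same decoding can be done offline, without running any PHP from the compromised site. The Python below is an added example, not part of the original answer: it looks for a statement wrapped in matching marker comments (as in the `/*df76c*/` snippet above) and decodes the octal and hex escapes in its string literal. The function names and the `min_escapes` threshold are assumptions made for this example.

```python
import re

# PHP double-quoted escapes handled here: octal (\057), hex (\x2f) and a few
# single-character escapes. Decoding is done as text; nothing is executed.
_ESCAPE = re.compile(r'\\([0-7]{1,3}|x[0-9A-Fa-f]{1,2}|[nrt\\"$])')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"', "$": "$"}

# A marker comment such as /*df76c*/, some code, then the same marker again.
_BLOCK = re.compile(r'/\*(\w+)\*/(.*?)/\*\1\*/', re.S)
_DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)


def decode_php_string(body):
    """Decode the escape sequences of a PHP double-quoted string body."""
    def repl(m):
        tok = m.group(1)
        if tok in _SIMPLE:
            return _SIMPLE[tok]
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        return chr(int(tok, 8) & 0xFF)  # PHP keeps only the low byte of an octal escape
    return _ESCAPE.sub(repl, body)


def find_hidden_paths(php_source, min_escapes=4):
    """Return (marker, decoded string) for each string literal inside a
    marker-wrapped block that contains at least min_escapes escape sequences."""
    hits = []
    for block in _BLOCK.finditer(php_source):
        for lit in _DQ_STRING.finditer(block.group(2)):
            if len(_ESCAPE.findall(lit.group(1))) >= min_escapes:
                hits.append((block.group(1), decode_php_string(lit.group(1))))
    return hits


# The snippet quoted in the answer above, kept character for character.
SAMPLE = r'''<?php
/*df76c*/
echo "\057ho\155e/\145ar\164ht\157he\141ve\156co\057pu\142li\143_h \164ml\057li\142ra\162ie\163/f\060f/\151nt\145gr\141ti\157n/\05659\06725\06435\056ic\157";
/*df76c*/
?>'''

if __name__ == "__main__":
    for marker, path in find_hidden_paths(SAMPLE):
        print(f"marker {marker}: {path!r}")
```

Running `find_hidden_paths` over the contents of every `.php` file in the site tree lists each decoded path together with its marker, which gives the set of files to inspect and remove.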