
Virus file systems.php on my server?

I found a file systems.php on my webserver that neither I, as the user, nor my webserver provider placed there. I viewed the file; it only contains one preg_replace() statement with an extremely long $replacement part, which seems to be encoded somehow.

preg_replace("/.*/e","\x28\x65\...\x29\x29\x3B",".");

If I interpret this statement correctly, it would mean that basically everything shall be replaced by the $replacement part (which might be encrypted/encoded virus injection stuff).

I have uploaded the whole code to pastebin here. Does someone have an idea in what way the code is encrypted, and how it can be decrypted, in order to assess the degree of compromise of my server?

Update

This might be the attack vector:

So after some digging, we found that this script was planted using a vulnerability in the Uploadify jQuery library. The library's existence was discovered by the attacker through Google. source

It looks like shellcode, which can be disastrous for your server; shellcode executed by the CPU can give access to a shell or such things. For more information about shellcode, here's a good article:

http://www.vividmachines.com/shellcode/shellcode.html

This upload may hide a possible exploit on your server which grants access to upload or write data onto it; try to check your logs to identify the problem.

Unhexing the shellcode shows it's executing eval(gzinflate(base64_decode(huge string)));

I changed this eval to an echo and the full output is on pastebin here:

http://pastebin.com/t1iZ5LQ8

I haven't looked much further into this, but it certainly seems dodgy. Just thought I'd do some of the legwork for anyone interested in looking at it further.

EDIT

A little more detailed look: it appears to allow an attacker to upload files to your server and take a dump of any databases on the box.
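The decoding described in this answer (unhex the $replacement string, then undo base64_decode and gzinflate) can be done statically rather than by editing eval into echo and running the file. Below is an added Python example, not code from the thread: it rebuilds the same preg_replace "/.*/e" + eval(gzinflate(base64_decode(...))) layering around a constructed, harmless placeholder script (the real pastebin payload is not used), then peels the layers back without ever executing PHP. The sample-building helper exists only so the decoder has input to work on.

```python
import base64
import re
import zlib

# Constructed placeholder standing in for the real inner script (not the pastebin payload).
INNER_SCRIPT = b'<?php echo "decoded placeholder"; ?>'

def build_sample(inner: bytes) -> str:
    """Wrap INNER the way the dropper on the page is layered (test input only)."""
    raw = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE is what PHP gzinflate() consumes
    deflated = raw.compress(inner) + raw.flush()
    stage = b'eval(gzinflate(base64_decode("' + base64.b64encode(deflated) + b'")));'
    escaped = "".join(f"\\x{b:02x}" for b in stage)  # one \xNN escape per byte
    return f'preg_replace("/.*/e","{escaped}",".");'

def unescape_hex(src: str) -> bytes:
    """Resolve the \\xNN escapes of the $replacement string without running it."""
    m = re.search(r'preg_replace\("/\.\*/e","((?:\\x[0-9a-fA-F]{2})+)"', src)
    if not m:
        raise ValueError("no hex-escaped preg_replace /e payload found")
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", m.group(1)))

def peel_layer(stage: bytes) -> bytes:
    """Statically apply base64_decode + gzinflate for one eval(...) layer."""
    m = re.search(rb'gzinflate\(base64_decode\("([A-Za-z0-9+/=]+)"\)\)', stage)
    if not m:
        raise ValueError("stage is not eval(gzinflate(base64_decode(...)))")
    return zlib.decompress(base64.b64decode(m.group(1)), -15)

def deobfuscate(src: str, max_layers: int = 10) -> bytes:
    """Unhex, then peel nested eval layers until plain PHP remains."""
    stage = unescape_hex(src)
    for _ in range(max_layers):
        if b"gzinflate(base64_decode(" not in stage:
            return stage
        stage = peel_layer(stage)
    raise ValueError("too many nested layers; inspect manually")

if __name__ == "__main__":
    sample = build_sample(INNER_SCRIPT)
    print(unescape_hex(sample)[:40])   # the eval(gzinflate(base64_decode( stage
    print(deobfuscate(sample))         # the recovered inner script
```

On a real sample you would read the file contents into `src` instead of calling build_sample; the decoder only parses and decompresses, so the recovered script can be reviewed safely.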
