doublestar2014 2014-07-29 11:44
Views: 44
Accepted

Virus file systems.php on my server?

I found a file systems.php on my web server that neither I, as user, placed there, nor my web server provider placed there. I viewed the file; it only contains one preg_replace() statement with an extremely long $replacement part, which seems to be somehow encoded.

preg_replace("/.*/e","\x28\x65\...\x29\x29\x3B",".");

If I interpret this statement correctly, it would mean that basically everything shall be replaced by the $replacement part (which might be encrypted/encoded virus injection stuff).

I have uploaded the whole code as a pastebin here. Does someone have an idea in what way the code is encrypted/how it can be decrypted, in order to assess the degree of compromise of my server?

Update

This might be the attack vector:

So after some digging, we found that this script was planted using a vulnerability in the Uploadify jQuery library. The library's existence was discovered by the attacker through google. source


2 answers

  • dsdioa9545 2014-07-29 12:17

    Unhexing the shellcode shows it's executing eval(gzinflate(base64_decode(huge string)));

    I changed this eval to an echo and the full output is on pastebin here:

    http://pastebin.com/t1iZ5LQ8

    I haven't looked much further into this but it certainly seems dodgy. Just thought I'd do some of the legwork for anyone interested in looking at it further

    EDIT

    A little bit more detailed look: it appears to allow an attacker to upload files to your server and take a dump of any databases on the box.

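The answer above recovers the payload by swapping eval for echo, which still hands the attacker's string to a PHP interpreter. The script below does the same unwrapping statically: it pulls the two literal arguments out of the preg_replace() call, confirms the pattern really carries the /e modifier (the only reason the replacement is treated as code; /e was deprecated in PHP 5.5 and removed in 7.0, preg_replace_callback() is the replacement), decodes the \xNN escapes, and then peels eval(f1(f2('...'))) layers with Python equivalents of the usual PHP decoders until no eval wrapper is left. This is an added example, not code from the question, the answer, or the pastebin; the hex string on the page is elided, so the dropper it unwraps is a constructed sample built in build_sample_dropper() with the same shape as the one described in the thread, and the decoder table is my own assumption about which wrappers such droppers chain together.

```python
"""Static unwrapping of a preg_replace("/.*/e", "...") webshell dropper.

Added example, not code from the original thread. The sample dropper is
constructed here; only its shape (a /e replacement that is
eval(gzinflate(base64_decode('...')))) comes from the page.
"""
import base64
import codecs
import re
import zlib
from urllib.parse import unquote_to_bytes

# PHP double-quoted string escapes: \xNN, octal \NNN, and the common C-style set.
_PHP_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\([nrtvef\\$"])')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b", "f": "\f",
           "\\": "\\", "$": "$", '"': '"'}

# Shapes of the statements we expect to see; nothing here executes PHP.
_PREG = re.compile(r'preg_replace\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*"((?:[^"\\]|\\.)*)"')
_EVAL = re.compile(r'^\s*\(?\s*eval\s*\((.*)\)\s*\)?\s*;?\s*$', re.S)
_CALL = re.compile(r'^\s*(\w+)\s*\(\s*(.*?)\s*\)\s*$', re.S)
_LITERAL = re.compile(r"""^\s*(['"])(.*)\1\s*$""", re.S)

# Python equivalents of the PHP decoders these droppers chain together (assumed set).
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda d: zlib.decompress(d, -zlib.MAX_WBITS),   # raw DEFLATE
    "gzuncompress": zlib.decompress,                               # zlib-wrapped
    "str_rot13": lambda d: codecs.decode(d.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda d: d[::-1],
    "urldecode": unquote_to_bytes,
}


def php_unescape(s: str) -> str:
    """Decode the escape sequences of a PHP double-quoted string."""
    def sub(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8) & 0xFF)
        return _SIMPLE[m.group(3)]
    return _PHP_ESCAPE.sub(sub, s)


def has_e_modifier(pattern: str) -> bool:
    """True if a PCRE pattern string carries the /e modifier (replacement gets eval'd)."""
    delim = pattern[0]
    close = {"(": ")", "{": "}", "[": "]", "<": ">"}.get(delim, delim)
    return "e" in pattern[pattern.rfind(close) + 1:]


def decode_call_chain(expr: str) -> bytes:
    """Statically evaluate f1(f2(...('literal')...)) using only the known decoders."""
    funcs = []
    while True:
        lit = _LITERAL.match(expr)
        if lit:
            text = php_unescape(lit.group(2)) if lit.group(1) == '"' else lit.group(2)
            data = text.encode("latin-1")
            break
        call = _CALL.match(expr)
        if not call:
            raise ValueError("unsupported expression: %.40r" % expr)
        funcs.append(call.group(1))
        expr = call.group(2)
    for name in reversed(funcs):          # innermost call runs first
        if name not in DECODERS:
            raise ValueError("unknown decoder %s; stopping rather than guessing" % name)
        data = DECODERS[name](data)
    return data


def unwrap(php_source: str, max_layers: int = 10) -> list:
    """Return the successive plaintext layers of a preg_replace(/e) dropper."""
    m = _PREG.search(php_source)
    if not m:
        raise ValueError("no preg_replace() with literal arguments found")
    pattern, replacement = php_unescape(m.group(1)), php_unescape(m.group(2))
    if not has_e_modifier(pattern):
        raise ValueError("no /e modifier: the replacement is text, not code")
    layers = [replacement]
    for _ in range(max_layers):
        ev = _EVAL.match(layers[-1])
        if not ev:
            break
        layers.append(decode_call_chain(ev.group(1)).decode("latin-1"))
    return layers


def build_sample_dropper(inner_php: str) -> str:
    """Constructed sample with the same shape as the file described in the thread."""
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)   # raw DEFLATE = gzinflate()
    raw = co.compress(inner_php.encode("latin-1")) + co.flush()
    payload = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    hexed = "".join("\\x%02x" % b for b in payload.encode("latin-1"))
    return 'preg_replace("/.*/e","%s",".");' % hexed


if __name__ == "__main__":
    sample = build_sample_dropper('<?php echo "constructed sample"; ?>')
    for i, layer in enumerate(unwrap(sample)):
        print("layer %d: %s" % (i, layer[:60]))
```

Run it against the real file by passing its contents to unwrap(); an unknown wrapper function raises instead of being guessed, which is the point of doing this offline. The decoded layer tells you what the shell could do (here, uploads and database dumps), not what was actually done with it: that comes from the web server access logs around the upload path and from the time the file appeared.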
