phpStudy hidden backdoor exposed: detection methods
I. Incident background
phpStudy is a free domestic PHP debugging environment package that bundles Apache, PHP, MySQL, phpMyAdmin, ZendOptimizer and other programs into a single one-time installation, so there is no need to install and configure each component separately: after installation the PHP development and debugging environment can be used directly. In China it has nearly a million users among PHP learners and developers.
On September 20 the WeChat public account "Hangzhou Public Security" published the article "Briefing on the Hangzhou police's achievements in the 'Clean Net 2019' special action against cybercrime", which revealed that phpStudy contained a "backdoor".
II. Affected versions
According to the software author's statement, the backdoor is in phpStudy 2016 with PHP 5.4.
In actual testing, phpStudy2018 downloaded from the official website also contains the backdoor, in both php-5.2.17 and php-5.4.45.
III. How to detect the backdoor
1. What the official statement says: as long as it was downloaded from the official website there is no vulnerability (what a trick ~~~~~)
2. Oh, that scared me. Quickly check whether the phpStudy installed on your computer (downloaded from the official website) has the backdoor.
Analysis shows that the backdoor code lives in the \ext\php_xmlrpc.dll module
of the php-5.2.17 and php-5.4.45 builds shipped with phpStudy2016 and phpStudy2018.
phpStudy2016 paths:
PHP\php-5.2.17\ext\php_xmlrpc.dll
PHP\php-5.4.45\ext\php_xmlrpc.dll
phpStudy2018 paths:
PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll
PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll
Open the file with Notepad and search for @eval; if the string @eval(%s('%s')) is present, the file carries the backdoor.
MD5 values of the backdoored files:
MD5: 0F7AD38E7A9857523DFBCE4BCE43A9E9
MD5: C339482FD2B233FB0A555B629C0EA5D5
3. Manual analysis
3.1 Checked phpstudy2016 php 5.4.45 for the @eval string: present, indicating the backdoor.
3.2 Computed the MD5 of the suspected file with an online tool and compared it: the MD5 indeed matches the backdoor file's value.
3.3 Checked phpstudy2016 php 5.2.17 for the @eval string: the backdoor is present.
3.4 Computed the MD5 of the suspected file with an online tool and compared it: the MD5 indeed matches the backdoor file's value.
3.5 Checked phpstudy2018 php 5.2.17 for the @eval string: present, indicating the backdoor.
3.6 Computed the MD5 of the suspected file with an online tool and compared it: the MD5 indeed matches the backdoor file's value. (0f7ad38e7a9857523dfbce4bce43a9e9)
3.7 Checked phpstudy2018 php 5.4.45 for the @eval string: present, indicating the backdoor.
3.8 Computed the MD5 of the suspected file with an online tool and compared it: the MD5 indeed matches the backdoor file's value. (C339482fd2b233fb0a555b629c0ea5d5)
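As an added example (not from the original post), a Python script that automates the manual check above: it visits the four php_xmlrpc.dll locations under a phpStudy install root, compares each file's MD5 with the two hashes listed in the post and searches the file bytes for the @eval marker. The install root argument and the sample bytes used in testing are assumptions, not data from the post.

```python
import hashlib
import os

# MD5 values of the backdoored php_xmlrpc.dll files, as published in the post (lowercased).
KNOWN_BAD_MD5 = {
    "0f7ad38e7a9857523dfbce4bce43a9e9",  # php-5.2.17 ext\php_xmlrpc.dll
    "c339482fd2b233fb0a555b629c0ea5d5",  # php-5.4.45 ext\php_xmlrpc.dll
}
# Literal the post says appears in the backdoored DLL and not in a clean one.
BACKDOOR_MARKER = b"@eval(%s('%s'))"

# Relative locations of php_xmlrpc.dll in the two affected releases, from the post.
PHPSTUDY_DLL_PATHS = [
    r"PHP\php-5.2.17\ext\php_xmlrpc.dll",              # phpStudy2016
    r"PHP\php-5.4.45\ext\php_xmlrpc.dll",              # phpStudy2016
    r"PHPTutorial\php\php-5.2.17\ext\php_xmlrpc.dll",  # phpStudy2018
    r"PHPTutorial\php\php-5.4.45\ext\php_xmlrpc.dll",  # phpStudy2018
]


def check_dll_bytes(data: bytes) -> dict:
    """Apply both indicators from the post to the raw bytes of a php_xmlrpc.dll."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "known_bad_hash": md5 in KNOWN_BAD_MD5,
        "has_eval_marker": BACKDOOR_MARKER in data,
    }


def scan_phpstudy(install_root: str) -> list:
    """Check every known php_xmlrpc.dll location under a phpStudy install root.

    Files that do not exist are skipped; each result carries a 'suspicious'
    flag that is set if either indicator fires.
    """
    results = []
    for rel in PHPSTUDY_DLL_PATHS:
        path = os.path.join(install_root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            result = check_dll_bytes(f.read())
        result["path"] = path
        result["suspicious"] = result["known_bad_hash"] or result["has_eval_marker"]
        results.append(result)
    return results


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\phpStudy"  # assumed default root
    for r in scan_phpstudy(root):
        print(("BACKDOOR " if r["suspicious"] else "clean    ") + r["path"], r["md5"])
```

Run it as `python check_phpstudy.py C:\phpStudy` (or the PHPTutorial parent directory for phpStudy2018); a file that is not flagged by either indicator may still be a repackaged build, so replacing the DLL from the official PHP archive is the safe choice regardless.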
IV. Repair method
1. Download the original php-5.4.45 or php-5.2.17 release from the official PHP website and replace php_xmlrpc.dll with the copy from it:
https://windows.php.net/downloads/releases/archives/php-5.2.17-Win32-VC6-x86.zip
https://windows.php.net/downloads/releases/archives/php-5.4.45-Win32-VC9-x86.zip
2. The version currently online on the phpStudy official website has no backdoor; you can download the updated installation package from the phpStudy official website.