How to detect and repair the phpStudy backdoor

Original: http://soft.antted.com/news/8

Background

The news that "the phpStudy official website was broken into in 2016 and the software was tampered with to plant a backdoor" came as a shock: even installation packages downloaded from the official website are affected, so one can imagine how many sites have fallen. As soon as we heard, we tested a copy of phpStudySetup.exe we had previously downloaded from the official website; its md5 is fc44101432b8c3a5140fcb18284d2797, which is on the list of affected builds.

Quoting the article: "The main suspect, surnamed Ma, confessed that in 2016 he wrote a 'backdoor', illegally broke into the official website of the *** software, and tampered with the contents of the software installation package. The 'backdoor' virus cannot be removed by scanning software and hides inside one of the software's functions, making it extremely difficult to find."

Technically, the tampering is in a phpStudy extension library. In the installation package we examined (md5 = fc44101432b8c3a5140fcb18284d2797), the following three dlls carry the backdoor (other installation packages may differ):

  • PHPTutorial/php/php-5.2.17/ext/php_xmlrpc.dll
  • PHPTutorial/php/php-5.4.45-nts/ext/php_xmlrpc.dll
  • PHPTutorial/php/php-5.4.45/ext/php_xmlrpc.dll

The implanted backdoor mainly allows remote code to be executed directly, which is extremely harmful; for details see "Hundreds of thousands of phpStudy users had a backdoor implanted: check whether you have become a 'chicken' (zombie host)!".

Repairing the dll vulnerability

Recovering from this kind of security incident is comparatively troublesome, because you do not know what a site carrying the backdoor has already leaked; what a backdoor can do is summed up in two words: anything.

Now that the incident has happened, we still need to try to remedy it.

phpStudy promptly published a vulnerability detection and repair tool on its official website, which you can download; that is at least somewhat reassuring.

By the way: the download link is in the bottom left corner of the page. Whoever edits the phpStudy official website was evidently careless: the downloaded file is named "phsptudy security self fix.exe", with the phpStudy name misspelled, T_T (screenshot from 22 September 2019).

After the download completes, run the tool as prompted, select the installation directory, and start the detection; the tool then repairs the vulnerable dll files itself.

After checking and repairing with the tool, we compared the files and found that the tool had updated exactly three dll files, which should be the maliciously tampered ones.
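To make the two checks above repeatable (is the installer the affected build, and which dlls did the repair tool actually replace), here is a small hash inventory script. It is an added example, not code from the original post or from the phpStudy project; the three dll paths and the installer md5 come from the post, while the function names, the idea of snapshotting every dll under an ext/ directory, and the demo data are assumptions made here.

```python
"""Hash inventory of phpStudy extension dlls (added example; not from the original
post or the phpStudy project). Assumes phpStudy is installed under the directory
passed as the first argument; the dll paths and installer md5 below come from the
post, everything else is constructed here."""
import hashlib
from pathlib import Path

# md5 of the installer the post reports as affected
KNOWN_BAD_INSTALLER_MD5 = "fc44101432b8c3a5140fcb18284d2797"

# extension dlls the post names as carrying the backdoor in that installer
SUSPECT_DLLS = [
    "PHPTutorial/php/php-5.2.17/ext/php_xmlrpc.dll",
    "PHPTutorial/php/php-5.4.45-nts/ext/php_xmlrpc.dll",
    "PHPTutorial/php/php-5.4.45/ext/php_xmlrpc.dll",
]


def md5_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_file(path):
    """Stream the file so a large installer does not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def installer_digest_is_known_bad(digest):
    return digest.lower() == KNOWN_BAD_INSTALLER_MD5


def snapshot_ext_dlls(install_root):
    """{relative posix path: md5} for every dll under an ext/ directory.
    Hashing all of them rather than only SUSPECT_DLLS also catches a repair
    tool replacing a file the post did not list."""
    root = Path(install_root)
    return {p.relative_to(root).as_posix(): md5_file(p)
            for p in sorted(root.glob("**/ext/*.dll"))}


def diff_snapshots(before, after):
    """Compare two snapshots (e.g. taken before and after the repair tool).
    Returns (changed, added, removed) as sorted lists of relative paths."""
    changed = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    return changed, added, removed


def suspects_in(changed):
    """Which of the changed files are on the post's list of tampered dlls."""
    return [p for p in changed if p in SUSPECT_DLLS]


if __name__ == "__main__":
    import json
    import sys
    # usage: python inventory.py <install_root> [before.json]
    # first run: prints a snapshot to save as before.json; second run (after the
    # repair tool): diffs the current state against that saved snapshot
    current = snapshot_ext_dlls(sys.argv[1])
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            before = json.load(f)
        changed, added, removed = diff_snapshots(before, current)
        print("changed:", changed, "\nadded:", added, "\nremoved:", removed)
        print("on the post's suspect list:", suspects_in(changed))
    else:
        print(json.dumps(current, indent=2))
```

Run it once before the repair tool and save the output, then again afterwards with the saved file as the second argument; if the changed list contains anything beyond the three paths above, look at that file as well. Check the installer with `installer_digest_is_known_bad(md5_file("phpStudySetup.exe"))`.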

Investigating what the vulnerability may have caused on the site

The step above only fixes the vulnerability in the software itself; you still do not know whether a backdoor has been left on your site, and if one has, we should find it as far as possible.

Using tools

For example, we recommend using the D Shield firewall (D盾_防火墙) to scan your web site files and rule out some common vulnerabilities.

Manual inspection

The second step relies on experience. If you are running an open-source system, compare the site's files against the original source code of that release and use a diff tool to see exactly what differs.
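A concrete way to do that comparison, as an added example that is not from the original post: hash every file in a pristine copy of the release and in a copy of the deployed site, then list what was added, removed or modified, with added or modified server-executable files first. The directory layout, the skip list, the extension list and the demo data are assumptions made here.

```python
"""Compare a deployed site against the pristine source of the same release (added
example, not from the original post). Assumes the original release is unpacked in
one directory and the live site copied into another; skip lists, extension lists
and demo data are constructed here."""
import hashlib
import os
from pathlib import Path

# directories that legitimately differ from the release and only add noise
SKIP_DIRS = {".git", "cache", "logs", "tmp"}
# extensions the web server would execute; an unexpected file with one of these
# deserves the first look
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".inc"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root, skip_dirs=SKIP_DIRS):
    """{relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            out[p.relative_to(root).as_posix()] = sha256_file(p)
    return out


def compare_trees(pristine, deployed):
    """Classify deployed files relative to the release: added, removed, modified."""
    return {
        "added": sorted(deployed.keys() - pristine.keys()),
        "removed": sorted(pristine.keys() - deployed.keys()),
        "modified": sorted(k for k in pristine.keys() & deployed.keys()
                           if pristine[k] != deployed[k]),
    }


def rank_findings(report):
    """Order findings: added executable files (0), modified executable files (1),
    other added/modified files (2), removed files (3). Entries are
    (priority, kind, path) so plain sorting gives the review order."""
    ranked = []
    for kind in ("added", "modified"):
        for path in report[kind]:
            executable = Path(path).suffix.lower() in EXECUTABLE_EXT
            if kind == "added" and executable:
                priority = 0
            elif executable:
                priority = 1
            else:
                priority = 2
            ranked.append((priority, kind, path))
    for path in report["removed"]:
        ranked.append((3, "removed", path))
    return sorted(ranked)


if __name__ == "__main__":
    import sys
    # usage: python sitediff.py <pristine_release_dir> <deployed_site_dir>
    report = compare_trees(tree_digests(sys.argv[1]), tree_digests(sys.argv[2]))
    for priority, kind, path in rank_findings(report):
        print(f"[{priority}] {kind:8} {path}")
```

Modified files are only meaningful if the pristine copy is the same release as the one deployed, so check the version first; and an added file under a directory that should hold only uploads or static assets is worth opening even when it has a harmless-looking name.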

In this step we can only try to find as many problems as possible; there is no universal method guaranteed to find everything, so you must keep watching for anomalies in day-to-day operation.

Security precautions

To reduce the risk from a backdoor the system may already contain, we can additionally do the following:

  • Close ports that do not need to be open, or restrict access by IP, so that a backdoor cannot keep communicating with the outside world
  • Record the URL of every access request (via the Apache or nginx access log) and regularly analyze all requests for anomalies
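One way to do that regular analysis, as an added example that is not from the original post: parse the combined-format access log, build a baseline of paths the server served successfully during a period believed to be clean, and then flag later requests for paths outside the baseline that still got a successful response (especially POSTs), plus any client exceeding a request threshold. The log format is the standard combined format; the baseline approach, the thresholds and the sample lines (which use documentation addresses) are constructed here.

```python
"""Baseline-based review of Apache/nginx access logs (added example, not from the
original post). Assumes the combined log format; the baseline idea, thresholds
and sample lines are constructed here."""
import re
from collections import Counter

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)


def parse_line(line):
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def build_baseline(lines):
    """Paths served successfully during a period believed to be clean."""
    return {r["path"] for r in map(parse_line, lines) if r and r["status"] < 400}


def review(lines, baseline, max_per_ip=50):
    """Flag requests for paths outside the baseline that the server answered
    successfully (a new script that works matters more than a 404 probe), any
    POST to such a path, lines that do not parse, and clients exceeding
    max_per_ip requests. Returns a list of (kind, detail) tuples."""
    findings = []
    per_ip = Counter()
    for line in lines:
        r = parse_line(line)
        if r is None:
            findings.append(("unparsed", line.strip()))
            continue
        per_ip[r["ip"]] += 1
        if r["path"] not in baseline and r["status"] < 400:
            kind = "post_to_unknown_path" if r["method"] == "POST" else "unknown_path_served"
            findings.append((kind, f'{r["ip"]} {r["method"]} {r["path"]} {r["status"]}'))
    for ip, n in per_ip.items():
        if n > max_per_ip:
            findings.append(("high_volume_client", f"{ip} {n} requests"))
    return findings


# constructed sample lines using documentation addresses (not real traffic)
BASELINE_LINES = [
    '203.0.113.5 - - [22/Sep/2019:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Sep/2019:10:00:02 +0800] "GET /static/app.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Sep/2019:10:00:03 +0800] "GET /missing HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]
TODAY_LINES = [
    '203.0.113.5 - - [23/Sep/2019:09:00:01 +0800] "GET /index.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Sep/2019:09:05:00 +0800] "POST /uploads/tmp.php HTTP/1.1" 200 43 "-" "curl/7.64.0"',
    '198.51.100.9 - - [23/Sep/2019:09:05:01 +0800] "GET /uploads/tmp.php?c=1 HTTP/1.1" 200 43 "-" "curl/7.64.0"',
    '198.51.100.9 - - [23/Sep/2019:09:05:02 +0800] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/7.64.0"',
    "garbage line that is not in combined format",
]

if __name__ == "__main__":
    # usage: python logreview.py  (or feed real files with open(...).readlines())
    for kind, detail in review(TODAY_LINES, build_baseline(BASELINE_LINES)):
        print(f"{kind:22} {detail}")
```

The baseline must come from a window you trust; if the site was already carrying a backdoor when the baseline was taken, its paths are baked in. Also note that the default combined format records only the request line, referer and user agent, so anything that lives in other request headers or in a POST body is not visible in this log at all; log the extra fields you actually need.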

Lesson

Security incidents remind us again and again to treat technology with respect. Antted responds to security issues immediately, and we remain committed to providing everyone with the most secure website system.

Source: blog.51cto.com/14313004/2440185