qzmjef posted on 2024-10-8 15:05:26

I'm a white-hat hacker, and today my blog got hacked (full log analysis and template code included)


    <div style="color: black; text-align: left; margin-bottom: 10px;">
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Preface:</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">When you drift through the jianghu, sooner or later you take a blade. My blog was hacked on the 21st. I never expected that I, who am always the one hacking others, would end up being hacked myself (sad face).</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Taking a hit is not the scary part; the scary part is that he took a swing at an iron plate like me and sent sparks flying. As the saying goes, know yourself and know your enemy and you will never lose a battle: I have to find out how the other side took down my site, because if I don't work out the cause, the next one to get hacked will still be me.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">So next we will do a simple analysis of the whole intrusion.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Basic facts about the blog</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">My blog runs on CentOS 6 and the blog software is the emlog CMS. The template is a paid template called "fly".</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Honestly, this template looks quite nice. When I first installed it I ran D盾 (D Shield) over it to check for backdoors; apart from turning up a few encrypted PHP files, the scan found nothing else wrong, so I left it alone. I never imagined that it was exactly those encrypted files that led to the blog being compromised.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The intrusion happened on August 21. After logging in to the server I found files deleted and index.php tampered with.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The file modification time was 2018-08-21 18:04:15.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The defacement page that was planted looked like this:</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/153508913127947ae85d0d6~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=AodkqhUpr%2FOT91z12Mn1c5hwheg%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Wait, isn't this the after-sales support group for the template I'm using?</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Could it be the author who hacked my site?</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Of course I can't rule out that some other hacker did it and deliberately pinned it on the author, so let's analyse the logs first.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Analysis of the intrusion</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">First, my blog uses the 宝塔 (BT) control panel, but port 888 is allowlisted so only my jump-host IP can reach it; the SSH port is allowlisted too, FTP is not open, MySQL does not accept external connections, and the WAF is 云锁 (Yunsuo).</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Step one: log in to 云锁 and have a look. Around the 20th there were no suspicious log entries.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">So let's look at the logs. First dial in to the jump host, then enter xxxx.cc:888 to log in to the 云锁 console.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Then go to the [Security] menu and click the web log path to open it.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089131052f52d33a4a4~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=Nf16qbHdNQ0q61ywdwxrkkSQG6g%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Then download the logs from before the 19th and from after the 22nd.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15350891311650ee2c333cb~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=hhCMR9UdYbheQ%2FB%2Buc8vePULuuE%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">My blog doesn't get much traffic, so the log files are small and can be opened directly in Notepad++.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Since the defacement page I saw earlier had a modification time of 2018-08-21 16:15:15,</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I jumped straight to the part around 18:04 on August 21 and started reading from there.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Search in Notepad++ for the keyword [.php].</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089131033a89c7f4442~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=AwQoxIGs%2Bkegf%2FoQiAcaD%2BiU9Hg%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Then locate the part after 18:00.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089131332bd3f16cbde~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=1NIJ5zMbYUSWeeNSa7OQmoUYJfk%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Suspected intruder IP: 222.240.56.48</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A lookup puts it in Changsha, Hunan.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Now let's go through the files one by one and see how he launched the attack.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Keep backups to limit the damage</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">He had deleted nearly all the files on the blog; only some image folders were left. Fortunately the site is hooked up to Alibaba Cloud OSS.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The whole site is backed up automatically to Alibaba Cloud OSS every 3 days.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I have to give Alibaba Cloud OSS credit here: if you only use archive storage it is very cheap; you pay nothing unless you download the backup files, you just buy the storage space.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Log in to the Alibaba Cloud console and go to OSS storage.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089131003e15614a309~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=pYt%2FTIvKfRHyzwaWYHq74AwgCAQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Then open file management; you can see that the backup files from before the 19th are all 30-something MB,</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">but the backups from the 22nd onward are only 10-something MB.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15350891312741c1f8ec918~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=WwuSTfJ7tufSxuiwZFcZf%2Fr31T8%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">So we need to download the backup from the 19th and restore it to the blog.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Click the file from the 19th, open it and unfreeze (restore) the archived object, then wait about two minutes for the restore to complete.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089131271783ffb8a0b~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=UhTBNVv6FRtOrTMv13Bd94zYKPs%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Then the download address appears; download it, upload it to the blog, and unpack it.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">----Tip----</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Before restoring the site, take it offline first.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Put an allowlist on ports 80 and 443 so only our own IP can reach them; that way you avoid getting hacked again before you have found the problem.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">An official backdoor is the deadliest kind</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The first file he accessed: /include/lib/checkcode.php</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Open it locally and have a look: this turns out to be the captcha file.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089131339a7c25985d8~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=ld4k4oJMNTqUTdJ%2F8146bVqxpK0%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The second file: /content/templates/FLY/inc/ajax.php?a=ajax</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Requesting it directly returns:</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">{"code":"208"}</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15350891314851818c6d22a~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=zikeOK8j%2FlGP5QOU51WKXcwwScQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If the administrator is logged in to the blog, it returns data including the account name and password.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089131459a79e6e2f00~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=bnD842nKqJ%2FeuLtoz36ApchK7Uo%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">So the problem must be in this ajax.php; let's open it and have a look.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Impressive, it's encrypted. Many thanks here to "空格表哥" for helping decrypt this file.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15350891315031e465c2902~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=7sZK76DrePtYsTD1mfIVfWmKl%2FQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Searching for "ajax", we find that right here the account name and password are printed out.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15350891317239301546e4d~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=7Y3ZsIj1yHa1jFiWjeyBPF9qvZw%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In the log there is a POST of data to</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">/content/templates/FLY/inc/ajax.php?a=login</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/153508913181910ee58b45f~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=VSOrMgGkAV8%2FMHB9j1GcUVYvM2c%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Let's search for "login" in the decrypted ajax.php.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Good grief, an official backdoor really is scary. Look at the part I've commented and you'll already get the gist.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089131884c7d1c1a770~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=OqXzWlFwiq21Jk911CjHQ%2BL1lVw%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">After we log in to the blog backend, it sends the URL, account name, password and other data to the author at the following address.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">https://api.pjax.cn/i.php?data=</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Here is the code:</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535090426632ea8aac7b89~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=pOpCpR78dIHnbYwBbesukgMbO8U%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Let's keep reading.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Here he uploaded a template file and installed it.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089132101d5d2625a86~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=yRXc2yPV7okv6AN0IO7WH3W9TiM%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Since the log shows no access to any other PHP file, there is only one way my index.php could have been modified: the template he uploaded already contained the defacement page, and uploading the template overwrote the home page file on my site.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Then he deleted my template, which also explains why only the template was deleted while my article image folders were all still there.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15350891320808f61d02660~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=nNXjUz2ynKD%2B2%2F7v4NaJYaIozhc%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Time to go find the attacker</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">First let's confirm once more whether the author did it; from the logs we already know the IP address.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">222.240.56.48</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A lookup puts it in Changsha, Hunan.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089132114db739c498d~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=eIyEPx9e19t%2Bf9LIZRx0NZWOkns%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">No doubt about it, it's you. I asked the author directly what this was about.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089132106a9bbe11c95~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=ePNAiSWU8nccvdNcfmb9rwLED5Y%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/153508913220914e3fb9015~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=pN%2BWfvFGL%2Fns3NXGhEEoU6cQzMk%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089132047c220f821c8~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=eVr58fOxMWA%2BrHsV8JR6QT4qx3Q%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Things are clear now. Because I changed domains once after buying the template, the author assumed my current domain was a pirated copy of his template and screwed me over. I got caught in the crossfire; this was a damn friendly-fire hit. But the fact remains that the template has a backdoor.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">To sum up the process:</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. The author wrote a backdoor into the file /content/templates/FLY/inc/ajax.php.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. After you log in to the backend normally, it automatically sends your backend address, account name and password to the author.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3. The author keeps an authorization list and compares against it; anything not on the list gets flagged separately.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4. Then one day the author deletes your template and plants a defacement page.....</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">How to avoid getting owned</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Taking the protection software 云锁 as the example:</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Open 云锁 and go to detailed settings.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15350891322559824bb6015~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=3J18Mpl6lSEBILyEHOT4pbkk%2FlQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Go to the vulnerability protection settings.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/15350891322429aabd63c0a~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=bj11JdsSMGFFSNohxcxP4IqjZuI%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Add a new protection rule.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/153508913226520849b8e1b~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=XwY0HLSJ1mAmsSZCJfCBw6WW1sg%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Use a regex to deny access to files under the /admin backend.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Regular expression:</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">/admin([\s\S]*?)</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Note: after adding this rule you will be unable to access the backend yourself, but you can add your own IP or your jump host to the allowlist; from then on only your jump host and your IP can access anything under /admin.</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089132438a78ce3e569~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=Hm%2FlIb1ZXcmgPJP3fDhzJxiBQdc%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Next, deny ajax=login:</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">([\s\S]*?)?a=login</p>
      <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/1535089132424b0533058b6~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1728120600&amp;x-signature=zCOmJXTHxSP6AAE42txEnkodjEQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Deny access to the following files:</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">useragent_setting.php</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">install.php.lock</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">setting.php</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">functions.php</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Closing words</strong></p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Although this was a case of friendly fire, that doesn't change the fact that my site was hacked, so I made a decision: I'm releasing your template publicly and writing up how to avoid getting owned.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">For the link to the paid template, follow me and send a private message to ask for it.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I have commented out the backdoor part of the ajax file, so you can use it with peace of mind.</p>
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">There are also a few more encrypted files I haven't looked into; those interested can decrypt and study them themselves.</p>
    </div>
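An added worked example, not code from the original post or from emlog or the FLY template: a small Python triage script that does what the log review above does by hand and then checks the post's mitigation rules against the same requests. It parses combined-format access log lines (the six lines are constructed, not the author's real log; the /admin/plugin.php upload path is an assumption, since the post only shows a screenshot of the template upload), narrows them to the incident window, flags any client IP whose trail contains the ajax.php?a=ajax probe followed by the a=login POST, and replays each request against the three 云锁 rules given at the end of the post (the /admin allowlist rule, the a=login rule and the blocked-file list) to show which of the attacker's requests those rules would have stopped.

```python
"""Triage a web access log for the FLY template backdoor trail described in the
post, then check which requests the post's WAF rules would deny.
Added example; not code from the original post or from emlog/the template."""
import re
from datetime import datetime

# Constructed sample log (nginx/Apache "combined" format). IPs other than the
# one named in the post, times and sizes are made up to mirror the post's
# timeline; the /admin/plugin.php upload path is assumed, not taken from the post.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Aug/2018:17:55:02 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
222.240.56.48 - - [21/Aug/2018:18:01:11 +0800] "GET /include/lib/checkcode.php HTTP/1.1" 200 1833 "-" "Mozilla/5.0"
222.240.56.48 - - [21/Aug/2018:18:01:40 +0800] "GET /content/templates/FLY/inc/ajax.php?a=ajax HTTP/1.1" 200 14 "-" "Mozilla/5.0"
222.240.56.48 - - [21/Aug/2018:18:02:05 +0800] "POST /content/templates/FLY/inc/ajax.php?a=login HTTP/1.1" 200 96 "-" "Mozilla/5.0"
222.240.56.48 - - [21/Aug/2018:18:03:30 +0800] "POST /admin/plugin.php?action=upload_zip HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Aug/2018:18:10:00 +0800] "GET /content/uploadfile/cover.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            entries.append(e)
    return entries


def requests_in_window(entries, start, end):
    """Keep entries whose timestamp lies in [start, end]; the bounds use the
    log's own time format, e.g. '21/Aug/2018:18:00:00 +0800'."""
    lo, hi = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    return [e for e in entries if lo <= e["ts"] <= hi]


# Indicators taken from the request trail in the post, in the order it occurred.
INDICATORS = [
    ("captcha_probe", re.compile(r"/include/lib/checkcode\.php")),
    ("ajax_session_dump", re.compile(r"/inc/ajax\.php\?a=ajax\b")),
    ("ajax_login_callback", re.compile(r"/inc/ajax\.php\?a=login\b")),
    ("admin_action", re.compile(r"^/admin/")),
]


def find_backdoor_trail(entries):
    """Return {ip: [indicator, ...]} for clients that hit the a=ajax probe and
    later the a=login callback; a lone captcha or admin hit is not enough."""
    trails = {}
    for e in entries:
        for name, rx in INDICATORS:
            if rx.search(e["uri"]):
                trails.setdefault(e["ip"], []).append(name)
    flagged = {}
    for ip, names in trails.items():
        if "ajax_session_dump" in names and "ajax_login_callback" in names:
            if names.index("ajax_session_dump") < names.index("ajax_login_callback"):
                flagged[ip] = names
    return flagged


# The rules from the post, used verbatim with an unanchored search, which is
# how a WAF path rule is normally evaluated.
ADMIN_RE = re.compile(r"/admin([\s\S]*?)")
LOGIN_RE = re.compile(r"([\s\S]*?)?a=login")
BLOCKED_FILES = ("useragent_setting.php", "install.php.lock", "setting.php", "functions.php")


def would_block(uri, ip, allowlist):
    """Name the first rule denying this request, or None if it passes.
    /admin is reachable only from allow-listed IPs; the other rules apply to all."""
    path = uri.split("?", 1)[0]
    if ADMIN_RE.search(uri) and ip not in allowlist:
        return "admin-allowlist"
    if LOGIN_RE.search(uri):
        return "block-a=login"
    if path.rsplit("/", 1)[-1] in BLOCKED_FILES:
        return "blocked-file"
    return None


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    window = requests_in_window(entries, "21/Aug/2018:18:00:00 +0800", "21/Aug/2018:18:05:00 +0800")
    for ip, trail in find_backdoor_trail(window).items():
        print(f"suspicious client {ip}: {' -> '.join(trail)}")
    for e in window:  # 203.0.113.10 stands in for the owner's jump host
        print(e["ts"].isoformat(), e["ip"], e["uri"], "->", would_block(e["uri"], e["ip"], {"203.0.113.10"}))
```

Run as a script it prints the flagged trail and a verdict per request. The two regexes are used exactly as the post gives them: in `([\s\S]*?)?a=login` the group is optional, so with an unanchored search it denies any URI containing a=login, and `/admin([\s\S]*?)` likewise denies any URI containing /admin. The a=login rule applies to everyone, the admin's own browser included, because that request is the call-home the post describes; the /admin rule lets the allowlisted jump host through, which is why the upload from the attacker's IP is denied while the same request from 203.0.113.10 passes.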




nqkk58 posted on 2024-10-10 12:49:50

Thank you for this wonderful piece; it opened a new window in my thinking.

qzmjef posted on 2024-10-20 00:27:15

I completely agree with your view and look forward to exploring this question in depth together.

4lqedz posted on 2024-11-6 19:41:44

I deeply feel your understanding and resonance; may the conversation flow on.

qzmjef posted 6 days ago

Thanks, much appreciated, grateful, good work, it's great having you, and so on.