Our Joomla website has not been touched by us in a while. When I went to add new content, we ran into the following problem. The initial page displays fine, but whenever you click on any menu item or link we get the following Russian text displayed:
Файл ключевиков keys/sharperdevelopment.com.txt пуст или не существует. Пропишите туда хотя бы один ключевик.
Which translates to:
The keyword file keys/sharperdevelopment.com.txt is empty or does not exist. Write at least one keyword there.
Does anyone have any clue as to whether this is a hacking problem or a configuration problem? A view source on the web page shows no other HTML just the text shown above.
Our Joomla version was just upgraded to: Joomla! 3.4.8 Stable. The website is SharperDevelopment.com
And of course this is happening just before we are meeting a new potential client. Any help or suggestions would be appreciated.
If your website has been hacked previous to the update, you'll need to comb through the file system for the files that have been modified and/or added.
Uploading a fresh copy of Joomla 3.4.8 will not resolve this problem.
I'm going to assume Linux because that's what I run on. I manage multiple LAMP servers, each hosting multiple domains.
Save a backup and mark it as infected. Do this because the site is working although infected.
First things first...
Run tail -f path/to/logs/* | grep POST
You need to see who's posting to odd files on your website. Turn off word wrapping. Each file that gets posted to needs to be looked at visually. Joomla files start with <?php followed by a newline and then a comment header. If instead you see a string of PHP code, you need to remove it.
Here's a list of some files posted to that I see a lot.
nnnnnnnnnnnnnnnnn.php
alias.php
article.php
css.php
blog66.php
defines.php < Joomla file that has been modified.
dirs.php
footer4.php
functions14.php
global.php
lib87.php
trust.php
functions.php
/includes/defines.php shouldn't be a long file. If you see //istart then you need to remove everything from that point on.
You need to grep for files that use eval or GLOBAL. istart should also be checked. These commands will most likely output a lot of data, so pipe it to less.
find /home -iname \*.php | xargs pcregrep -M "^<?php.*\n.*fun"
find /home/ -iname \*.php | xargs grep "eval("
find ./ -iname \*.php | xargs grep -i "globals"
Piping to less works like this.
find ./ -name \*.php | xargs grep -r "eval(" | less
grep -r "eval(" | less
You'll be looking for files that contain encoded strings like this but longer: (code posted is not valid) 1ktebHkKHMh7oMftoPA4evcfEoVJs4sUmcTtLCl5Jq0IGoKAUnbzDC1f6C2rJpduyVxvDvRsEztPwSUb6ey73tAVtx8A6BPK+SwyqR/edx3BsfPnmsfbwCFG2kYk
Many times the file will end with eval base64_decode and gzuncompress.
Many legit files use eval and base64 decode. If you see a really long block of encoded data, it's most likely a malicious file. After a while, you'll be able to see patterns that don't look right.
Some files may have the user agents for Google bots also. I've been seeing this recently, so look for the string googlebot.
Grep files for the following strings too.
74.125
lnkfarm.pw # this is an actual host. It has been reported to Interpol
You can make a backup of any files you found and check them against Joomla's GitHub repo.
https://github.com/joomla/joomla-cms
Also check mailq for deferred messages that are caused by spam bots; that's what many of these files are used for.
I also added iptables rules like the following to stop it initially.
-A INPUT -p tcp -m tcp --dport 80 -m string --string "POST /libraries/joomla/exporter.php" --algo bm --to 90 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -m string --string "POST /modules/bmvlfj.php" --algo bm --to 90 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -m string --string "POST /modules/7595mb.php" --algo bm --to 90 -j REJECT --reject-with icmp-port-unreachable
There's probably a lot of other ways to search for malicious files but this is the method I have right now.
After you get all the malicious files off, make a backup, then update all extensions. I would check your files again after that and load a fresh copy of the Joomla files onto your website, then search for the oldest files in your web directory.
After you're sure it's all clean, change all your passwords and backup. Do not store the backup locally.
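As an added example that is not part of the original answer: a POSIX shell script that scripts the three checks the answer walks through, namely grepping the PHP tree for the indicators it names (with files carrying a long encoded blob ranked first), pulling direct POSTs to non-entry-point PHP files out of the access log, and diffing the site against a pristine copy of the same Joomla release in place of the manual GitHub comparison. The pristine tree, the site tree, the access log lines (RFC 5737 documentation addresses) and the 320-character base64 filler are constructed fixtures written by the script itself, not real malware or real traffic. The only assumption beyond the answer's own indicators is that normal Joomla traffic goes through /index.php and /administrator/index.php, so a POST to any other .php file is anomalous.

```shell
#!/bin/sh
# Added example, not code from the original answer. It scripts the three checks
# the answer describes: grep a PHP tree for the indicators it names (ranking
# long encoded blobs first), pull direct POSTs to non-entry-point PHP files out
# of an Apache access log, and diff the site against a pristine copy of the same
# Joomla release instead of eyeballing GitHub. All sample data is constructed.

# String indicators taken from the answer; matched case-insensitively.
IOC_REGEX='eval\(|base64_decode|gzuncompress|//istart|googlebot|74\.125|lnkfarm\.pw'
# 120+ consecutive base64 characters on one line: the "really long block of
# encoded data" that the answer treats as the strongest signal.
BLOB_REGEX='[A-Za-z0-9+/=]{120,}'

# scan_php_tree DIR
# One line per .php file matching any indicator: "<blob lines> <indicator lines> <path>",
# blob-bearing files first. Legitimate files that merely call base64_decode
# (the false positives the answer warns about) sink to the bottom.
scan_php_tree() {
    find "$1" -type f -iname '*.php' -print0 |
    xargs -0 grep -l -i -E -- "$IOC_REGEX" 2>/dev/null |
    while IFS= read -r f; do
        hits=$(grep -c -i -E -- "$IOC_REGEX" "$f" || true)
        blob=$(grep -c -E -- "$BLOB_REGEX" "$f" || true)
        printf '%s %s %s\n' "$blob" "$hits" "$f"
    done | sort -k1,1nr -k2,2nr
}

# odd_post_targets ACCESS_LOG
# Joomla serves normal traffic through /index.php and /administrator/index.php,
# so a POST aimed straight at any other .php file is the "posting to odd files"
# the answer tells you to look for. Output: "<count> <client ip> <path>".
odd_post_targets() {
    awk '$6 == "\"POST" {
            path = $7; sub(/[?].*/, "", path)         # drop the query string
            if (path ~ /\.php$/ && path != "/index.php" && path != "/administrator/index.php")
                print $1, path
         }' "$1" | sort | uniq -c | sort -rn
}

# changed_vs_pristine SITE_DIR PRISTINE_DIR
# With a clean unpack of the same Joomla release in PRISTINE_DIR, list files the
# site has added and core files whose content differs; each is a review candidate.
changed_vs_pristine() {
    diff -rq "$2" "$1" |
    sed -n -e 's/^Files .* and \(.*\) differ$/modified: \1/p' -e 's/^Only in /only in: /p'
}

# make_samples DIR
# Writes the constructed fixtures: a pristine tree, a site tree carrying the
# attacker's changes, and a few Apache combined-format log lines (RFC 5737
# documentation addresses). The base64 filler is not a real payload.
make_samples() {
    d=$1
    for t in pristine site; do
        mkdir -p "$d/$t/includes" "$d/$t/libraries" "$d/$t/modules"
        printf '<?php\n/**\n * @package    Joomla.Site\n */\ndefine("JPATH_BASE", __DIR__);\n' \
            > "$d/$t/includes/defines.php"
        printf '<?php\n// legitimate decode of a stored token\n$token = base64_decode($stored);\n' \
            > "$d/$t/libraries/helper.php"
    done
    blob=$(awk 'BEGIN { for (i = 0; i < 40; i++) printf "QUJDREVG"; print "" }')
    # The answer's defines.php case: marker plus loader appended to a core file ...
    printf '//istart\neval(gzuncompress(base64_decode("%s")));\n' "$blob" >> "$d/site/includes/defines.php"
    # ... and a dropped file that exists only on the site.
    printf '<?php\neval(gzuncompress(base64_decode("%s")));\n' "$blob" > "$d/site/modules/bmvlfj.php"
    cat > "$d/access.log" <<'EOF'
203.0.113.5 - - [10/Feb/2016:10:01:02 +0000] "POST /modules/bmvlfj.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2016:10:01:09 +0000] "POST /modules/bmvlfj.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2016:10:02:00 +0000] "GET /index.php/about HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2016:10:03:00 +0000] "POST /includes/defines.php HTTP/1.1" 200 128 "-" "Googlebot/2.1"
192.0.2.9 - - [10/Feb/2016:10:04:00 +0000] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2016:10:05:00 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run: build fixtures in a temp dir, show all three reports, clean up.
if [ -z "${TRIAGE_NO_DEMO:-}" ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    echo "== PHP files matching indicators (blob-lines indicator-lines path) =="
    scan_php_tree "$tmp/site"
    echo "== direct POSTs to non-entry-point PHP files (count ip path) =="
    odd_post_targets "$tmp/access.log"
    echo "== site vs pristine release =="
    changed_vs_pristine "$tmp/site" "$tmp/pristine"
    rm -rf "$tmp"
fi
```

Against a real server you would point scan_php_tree at the web root, odd_post_targets at the rotated access logs, and changed_vs_pristine at an unpacked copy of the exact release the site runs (set TRIAGE_NO_DEMO=1 to source the functions without the demo). The ranking is deliberately crude: the count of indicator lines only orders the review queue, and a file with a long base64 run is still only a candidate until you have read it, exactly as the answer says.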