Website hit by injected malicious code (挂马)
Reposted from: 扶凯 [http://www.php-oa.com]
Starting the night before last, my server had been behaving abnormally: pages rendered incorrectly, and the admin backend would not open properly either. After looking carefully for a long while I found malicious code on the pages. I kept assuming the server had been compromised by a hacker, but given how much hardening I had done, whoever broke into this box would be no amateur... Could WordPress itself have a problem?
The symptom looked like this:
Because I had no time (far too much work), it was not until last night that I started seriously checking every possibility, and I found nothing abnormal on the server itself. Then I ran tcpdump to see whether this was ARP-based injection (arp 挂马). It was confirmed to be ARP spoofing: nothing was wrong with my server; instead two machines in the same subnet had abnormal MAC addresses, identical to the gateway's. The output was as follows:
[root@localhost ~]# tcpdump -qne arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
01:12:28.874824 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.26 tell 221.9.252.1
01:12:28.894981 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.59 tell 221.9.252.33
01:12:28.905141 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.56 tell 221.9.252.33
01:12:28.915787 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.30 tell 221.9.252.1
01:12:28.925851 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.54 tell 221.9.252.33
01:12:28.941453 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.16 tell 221.9.252.1
01:12:28.941458 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.25 tell 221.9.252.1
01:12:28.947469 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.34 tell 221.9.252.33
01:12:28.948341 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.51 tell 221.9.252.33
01:12:37.607996 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.251.206 tell 221.9.251.193
01:12:40.580420 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.251.206 tell 221.9.251.193
01:12:40.755736 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.23 tell 221.9.252.1
01:12:45.907790 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.57 tell 221.9.252.33
01:13:02.874002 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.47 tell 221.9.252.33
01:13:04.055118 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.47 tell 221.9.252.33
01:13:04.589391 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.59 tell 221.9.252.33
01:13:08.155945 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.251.204 tell 221.9.251.193
01:13:08.166247 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.251.205 tell 221.9.251.193
01:13:08.166252 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.251.201 tell 221.9.251.193
01:13:08.166925 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.251.197 tell 221.9.251.193
01:13:08.166929 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.251.200 tell 221.9.251.193
01:13:08.166932 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.251.203 tell 221.9.251.193
01:13:08.176642 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.251.202 tell 221.9.251.193
From the tcpdump output above you can see that three IP addresses share the same MAC address:
221.9.251.193
221.9.252.1
221.9.252.33
Because the ARP spoofer impersonates the gateway, the traffic that passes through the "gateway" gets modified, which is why the page content was abnormal. So two of those machines must be compromised. There is no great fix for this: you can only ask the data center to deal with those two machines, or else bind your IP to your MAC on the gateway.
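As an added defensive example (not code from the original post): a small Python detector that parses `tcpdump -qne arp` lines in the format shown above and flags any source MAC that more than one sender IP claims, which is exactly the symptom described here. The sample input reuses three records from the capture above plus two constructed lines (the 00:11:22:33:44:55 host and the "arp reply" line are made up); the gateway list is an assumption the caller supplies.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d+\.\d+\.\d+\.\d+"
# "who-has <target> tell <sender>": the sender IP is claiming the frame's source MAC.
REQUEST = re.compile(
    rf"^\S+\s+(?P<mac>{MAC})\s+>\s+.*?arp who-has \S+ tell (?P<ip>{IP})$")
# "reply <ip> is-at <mac>": the reply binds <ip> to <mac> directly.
REPLY = re.compile(
    rf"^\S+\s+{MAC}\s+>\s+.*?arp reply (?P<ip>{IP}) is-at (?P<mac>{MAC})$")


def parse_claims(lines):
    """Return {mac: set(ips)} for every IP-to-MAC binding announced in the capture."""
    claims = defaultdict(set)
    for line in lines:
        line = line.strip()
        m = REQUEST.match(line) or REPLY.match(line)
        if m:
            claims[m["mac"].lower()].add(m["ip"])
    return claims


def find_spoofed_macs(lines, gateway_ips=()):
    """MACs claimed by more than one IP; notes whether a known gateway IP is among them.

    One MAC legitimately answering for several IPs is rare on a server subnet,
    and a MAC that claims the gateway IP plus other hosts is the pattern in this post.
    """
    report = {}
    for mac, ips in parse_claims(lines).items():
        if len(ips) > 1:
            report[mac] = {"ips": sorted(ips),
                           "includes_gateway": bool(ips & set(gateway_ips))}
    return report


# Constructed sample: three records from the post's capture, a normal host asking
# for the gateway, and a reply from the suspect MAC answering for the gateway IP.
SAMPLE = """\
01:12:28.874824 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.26 tell 221.9.252.1
01:12:28.894981 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.252.59 tell 221.9.252.33
01:12:37.607996 00:0f:e2:6b:02:d4 > Broadcast, ARP, length 60: arp who-has 221.9.251.206 tell 221.9.251.193
01:12:50.000000 00:11:22:33:44:55 > Broadcast, ARP, length 60: arp who-has 221.9.252.1 tell 221.9.252.40
01:12:50.001000 00:0f:e2:6b:02:d4 > 00:11:22:33:44:55, ARP, length 42: arp reply 221.9.252.1 is-at 00:0f:e2:6b:02:d4
""".splitlines()

if __name__ == "__main__":
    for mac, info in find_spoofed_macs(SAMPLE, gateway_ips=["221.9.252.1"]).items():
        print(mac, info)
```

In practice feed it `tcpdump -qne -l arp` output and compare the flagged MAC against the gateway's real MAC recorded out of band; whichever IPs do not belong to that MAC are the hosts to report to the data center.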
I had no other option, so I switched to an IP in a different subnet and am running like that for now.