Malicious .htaccess modifications on a Joomla CMS website (virus/malware)

2023-09-02 11:25:54 Author: 人间风雪客

I have a Joomla 1.0 website running on a shared host to which I don't have shell access (only FTP is available). Recently my website was marked as a malware site by Google, and I noticed that the .htaccess file has been modified with malicious content. These redirection rules to a website called 'depositpeter.ru' were added to the .htaccess:

    ErrorDocument 400 http://depositpeter.ru/mnp/index.php
    ErrorDocument 401 http://depositpeter.ru/mnp/index.php
    ...

If I clean this .htaccess file, it is modified back with the malicious content a few minutes later.

I suspect some backdoor PHP and JavaScript has been injected into our codebase which constantly modifies the .htaccess file. However, I have no idea how this malware landed on my site in the first place. I'm pretty sure that no FTP user uploaded it to my site. A virus scan found that a user-uploaded image has been injected with PHP.ShellExec malware (I'm not sure how this PHP.ShellExec works and whether it is related to the .htaccess virus, though).

My question is: how should I start troubleshooting and cleaning up this malware? I'm pretty clueless and have little experience dealing with web malware. Any help is greatly appreciated!

Recommended answer

It might be beyond your power to fix this yourself. But here are some things that you should do.

- Download any Apache/PHP logs you have; these can point to the security holes being exploited. If you can find the entries, make sure the holes are covered.
- Remove the image that is indicated as infected.
- Contact your host; several hosting companies have automated solutions to find and clean up common vulnerabilities. Also, if your site is infected, odds are that other clients on the same server are too. Conversely, it might be another client on the same server that is causing this problem for you.

Add an .htaccess file in the uploads directory that prevents access to anything other than uploaded images. It might look something like this:

    # Apache 2.2 access-control syntax (on 2.4, use "Require all denied" / "Require all granted")
    Order deny,allow
    Deny from all
    # Only serve files whose name really ends in an image extension; the dot is escaped
    # so "." matches a literal dot rather than any character
    <FilesMatch "\.(jpe?g|bmp|png)$">
        Allow from all
    </FilesMatch>

If your host hasn't blocked the functions that allow PHP to invoke system commands (you'd be surprised) and you know what to do, you can mimic shell access with a custom PHP script using system, exec, popen and some other functions. I use a script I made myself: https://github.com/DCoderLT/Misc_Tools/blob/master/sh/sh.php . It's fairly primitive, but it got the job done when I needed it to.

Thoughts for the future:

- Make backups. Hosting companies may provide these going back a certain amount of time.
- Keep an eye on updates. Subscribe to the Joomla announcements mailing list. Apply updates as soon as you can. Popular applications like Joomla and WordPress are a frequent, easy target for script kiddies and automated bots.
- Make backups.
- Make sure your hosting company has set up the server correctly, so that user A cannot affect user B's files (file permissions, suexec or similar). I don't know how common this is these days, but it used to be a frequent oversight.
- Make backups.
- Don't leave write permissions on files and folders that don't need them to begin with.
- Make backups.