记录一次基于ThinkPHP网站被入侵到溯源的过程

昨天晚上，正准备入睡，朋友突然发消息说他的网站被黑客攻击了，首页内容被篡改，于是我开始了紧急的修复工作

知道这个情况后，立即翻身起来，让朋友发给我必要的信息，把网站的日志下载到本地，因为网站本身的访问量不是很大，所以直接使用 notepad++ 来手动分析。

0x01 下载必要文件

首先将日志文件、现在网站空间的源码以及之前的网站备份下载到本地，这一步是为了比较分析。

0x02 日志分析

从网站首页被篡改，可知道攻击者应该拿下了网站的权限，并上传了 webshell，因此从攻击日志中查找网站非常规的访问URL记录。

发现如下的访问日志：

203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:46 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "POST //plus/mytag_js.php?aid=9527 HTTP/1.1" 301 178 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:48 +0800] "GET /plus/mytag_js.php?aid=9527 HTTP/1.1" 404 564 "http://pay.top15.cn//plus/mytag_js.php?aid=9527" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/asd.php HTTP/1.1" 301 178 "http://pay.top15.cn//data/cache/asd.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/asd.php HTTP/1.1" 404 564 "http://pay.top15.cn//data/cache/asd.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/result.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/result.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/result.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/result.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/read.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/read.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/read.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/read.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //data/cache/flye.php HTTP/1.1" 301 178 "http://pay.top15.cn//data/cache/flye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /data/cache/flye.php HTTP/1.1" 404 564 "http://pay.top15.cn//data/cache/flye.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //plus/moon.php HTTP/1.1" 301 178 "http://pay.top15.cn//plus/moon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /plus/moon.php HTTP/1.1" 404 564 "http://pay.top15.cn//plus/moon.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //api.php HTTP/1.1" 301 178 "http://pay.top15.cn//api.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "GET /api.php HTTP/1.1" 404 564 "http://pay.top15.cn//api.php" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
203.171.228.159 - - [30/Jan/2019:09:52:49 +0800] "POST //lequ.php HTTP/1.1" 301 178 "http://pay.top15.cn//lequ.php" "Mozilla/4.0 (compatible; MSIE