Add to Favorites | Login | Register
Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

About us Contact us

What is the analysis and traceability of phpStudy batch intrusion?

2025-03-13 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >

Share

Shulou(Shulou.com)06/03 Report--

Today, I will talk to you about the analysis and traceability of phpStudy batch intrusion, which may not be well understood by many people. in order to make you understand better, the editor has summarized the following contents for you. I hope you can get something according to this article.

I. Preface

Recently, Tencent security Yunding lab detected that a large number of hosts were hacked and added a hidden account called "vusr_dx$". At the same time, Yunding lab also detected that a large number of such accounts were created while corresponding accounts were logged in from other places.

When the Windows account name is followed by a "$" symbol, the account information will not be displayed in the net user command. It is a common way for attackers to hide accounts, and developers generally do not add this type of account. Yunding lab tracked and analyzed the incident and restored the attacker's intrusion techniques and post-invasion operations.

Second, the analysis of invasion methods.

Through the analysis and statistics of all the hosts that have been hacked and added "vusr_dx$" hidden accounts, it is found that most hosts have installed phpStudy components, phpinfo and phpMyAdmin exist in the Web directory, and 50% of the root users of MySQL have weak passwords. From this, we can infer the possible causes of the intrusion:

Users deploy PHP environment on their CVM with one click of phpStudy, which includes phpinfo and phpMyAdmin by default and can be accessed by anyone. At the same time, the default password of MySQL installed is a weak password, so hackers log in to MySQL with a weak password through phpMyAdmin, and then use some means of MySQL to obtain system permissions.

There are several ways to obtain system permissions by using MySQL:

Take advantage of SELECT "

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Tag Search: Attacks attackers accounts hackers analysis passwords ports logins hosts at the same time permissions users entry information commands situations tactics detection security content vpn macOS Linux MariaDB MySQL Docker Shulou Information Shulou Technology Shulou Tech Info OPPO Reno Redmi Xiaomi NVidia Microsoft Huawei Apple OPPO Reno Microsoft Shulou Tech Info Redmi macOS Docker Huawei MariaDB MySQL Shulou Technology Apple Linux vpn Shulou Information Xiaomi NVidia OPPO Reno Microsoft Shulou Tech Info Redmi macOS Docker Huawei MariaDB MySQL Shulou Technology Apple Linux vpn Shulou Information Xiaomi NVidia

Share To

Related

Development

More Development >

Latest Network Security More Network Security >

Latest Internet Technology More Internet Technology >

Latest Development More Development >

Latest Database More Database >

Latest Servers More Servers >

Latest Mobile Phone More Mobile Phone >

Latest Android Software More Android Software >

Latest Apple Software More Apple Software >

Latest Computer Software News More Computer Software News >

Latest IT Information More IT Information >

Wechat

About us Contact us Product review car news thenatureplanet

© 2024 shulou.com SLNews company. All rights reserved.

12
Report