The site trojan-injection (挂马) problem came up again in today's meeting, so I might as well publish an analysis I did a while back; it would be a shame to have written all that for nothing. What follows is the historical write-up.
---------------------------------------------------------------------------------------------------------
It started with a DDoS attack. While tracing the source of the DDoS I was going through all kinds of logs and noticed that PHP's error.log was full of the error below, but at the time it did not get my attention.
PHP Parse error: syntax error, unexpected T_STRING in /data/www/dx2.scol.cn/archiver/index.php on line 1
A little later another colleague noticed the same error and told me about it. I figured it could not be the cause of the DDoS, but for the sake of tracking the error down I still went and looked at /archiver/index.php.
A quick look turned up nothing abnormal. After a few more passes I suddenly spotted Alimama (阿里妈妈) ad-deployment code and realised the file might have been tampered with.
Listing the files in the archiver directory showed the following anomaly:
-rwxrwxrwx 1 www www 21378 09-04 00:46 index.php
index.php updated at 00:46 in the small hours: that is definitely wrong. Comparing it with the original Discuz code showed that this file was not the original file at all.
So when was the file tampered with, and through what route? I started looking for clues in the access log and found this entry:
222.246.237.151 - - [04/Sep/2014:00:46:16 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2472 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
Opening Spider.php, the following code jumped out immediately:
$password = "hsmw"; // login password
My instinct said this was a web shell (木马). I opened it in the browser and confirmed the shell's address, then checked the file information for /uc_client/control/Spider.php:
-rw-r--r-- 1 www www 158478 09-02 20:29 Spider.php
This shows Spider.php was created on 2 September at 20:29. Using the log entries for Spider.php, I kept tracing its trail back to before 2 September.
#########################################################################################
web1
116.8.66.54 www.scol.cn - - [02/Sep/2014:20:29:35 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1597 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.66 Safari/537.36" - "PHPSESSID=1jru9u5846vcpjkc6ahantifu0; tVi9_9a35_saltkey=yXRgr33R; tVi9_9a35_lastvisit=1408844645; pgv_pvi=7757539924; pgv_info=ssi=s231940800; Hm_lvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lpvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; Hm_lpvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; CNZZDATA3469692=cnzz_eid%3D495590263-1408848260-%26ntime%3D1408848260" - "-"
116.8.66.54 www.scol.cn - - [02/Sep/2014:20:29:35 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2794 "http://www.scol.cn/uc_client/control/Spider.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.66 Safari/537.36" - "PHPSESSID=1jru9u5846vcpjkc6ahantifu0; tVi9_9a35_saltkey=yXRgr33R; tVi9_9a35_lastvisit=1408844645; pgv_pvi=7757539924; pgv_info=ssi=s231940800; Hm_lvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lpvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; Hm_lpvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; CNZZDATA3469692=cnzz_eid%3D495590263-1408848260-%26ntime%3D1408848260" - "-"
116.8.66.54 www.scol.cn - - [02/Sep/2014:20:29:44 +0800] "GET /uc_client/control/Spider.php?s=g HTTP/1.1" 200 1185 "http://www.scol.cn/uc_client/control/Spider.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.66 Safari/537.36" - "PHPSESSID=1jru9u5846vcpjkc6ahantifu0; tVi9_9a35_saltkey=yXRgr33R; tVi9_9a35_lastvisit=1408844645; pgv_pvi=7757539924; pgv_info=ssi=s231940800; Hm_lvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lpvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; Hm_lpvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; CNZZDATA3469692=cnzz_eid%3D495590263-1408848260-%26ntime%3D1408848260" - "-"
112.90.78.25 www.scol.cn - - [02/Sep/2014:20:29:52 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 4481 "-" "Mozilla/4.0" - "-" - "-"
116.8.66.54 www.scol.cn - - [02/Sep/2014:20:30:09 +0800] "GET /uc_client/control/Spider.php?s=i HTTP/1.1" 200 614 "http://www.scol.cn/uc_client/control/Spider.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.66 Safari/537.36" - "PHPSESSID=1jru9u5846vcpjkc6ahantifu0; tVi9_9a35_saltkey=yXRgr33R; tVi9_9a35_lastvisit=1408844645; pgv_pvi=7757539924; pgv_info=ssi=s231940800; Hm_lvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lpvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; Hm_lpvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; CNZZDATA3469692=cnzz_eid%3D495590263-1408848260-%26ntime%3D1408848260" - "-"
116.8.66.54 www.scol.cn - - [02/Sep/2014:20:30:10 +0800] "POST /uc_client/control/Spider.php?s=i HTTP/1.1" 200 715 "http://www.scol.cn/uc_client/control/Spider.php?s=i" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.66 Safari/537.36" - "PHPSESSID=1jru9u5846vcpjkc6ahantifu0; tVi9_9a35_saltkey=yXRgr33R; tVi9_9a35_lastvisit=1408844645; pgv_pvi=7757539924; pgv_info=ssi=s231940800; Hm_lvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lpvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; Hm_lpvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; CNZZDATA3469692=cnzz_eid%3D495590263-1408848260-%26ntime%3D1408848260" - "-"
#########################################################################################
web2
121.12.111.141 - - [02/Sep/2014:20:29:55 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1605 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.8 Safari/537.36 LBBROWSER"
121.12.111.141 - - [02/Sep/2014:20:29:55 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.8 Safari/537.36 LBBROWSER"
183.60.15.14 - - [02/Sep/2014:20:30:02 +0800] "GET /uc_client/control/Spider.php HTTP/1.0" 499 0 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
183.60.15.14 - - [02/Sep/2014:20:30:02 +0800] "GET /uc_client/control/Spider.php HTTP/1.0" 200 4477 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
113.142.11.149 - - [02/Sep/2014:20:30:04 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.0" 200 13098 "http://www.scol.cn/uc_client/control/Spider.php" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
223.152.26.56 - - [02/Sep/2014:20:37:12 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1605 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
223.152.26.56 - - [02/Sep/2014:20:37:12 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
223.152.26.56 - - [02/Sep/2014:20:46:43 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1605 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
223.152.26.56 - - [02/Sep/2014:20:46:43 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
223.152.26.56 - - [02/Sep/2014:20:46:45 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1605 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
223.152.26.56 - - [02/Sep/2014:20:46:45 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
223.152.26.56 - - [02/Sep/2014:20:46:50 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1605 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
223.152.26.56 - - [02/Sep/2014:20:46:50 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
223.152.26.56 - - [02/Sep/2014:20:55:44 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1605 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
223.152.26.56 - - [02/Sep/2014:20:55:44 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:09:53 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1605 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:09:53 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:15:08 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2F HTTP/1.1" 200 4559 "http://www.scol.cn/uc_client/control/Spider.php?s=a" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:15:15 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fgg HTTP/1.1" 200 10177 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2F" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:15:39 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fgg%2F.. HTTP/1.1" 200 4565 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fgg" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:15:43 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fgg%2F..%2F.. HTTP/1.1" 200 3153 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fgg%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:22:56 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fucpass.scol.com.cn HTTP/1.1" 200 3257 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fgg%2F..%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:23:52 +0800] "GET /uc_client/control/Spider.php?s=a&p=C:/ HTTP/1.1" 200 1799 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fucpass.scol.com.cn" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:23:55 +0800] "GET /uc_client/control/Spider.php?s=a&p=/data/www/dx2.scol.cn/uc_client/control HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=C:/" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:24:04 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F.. HTTP/1.1" 200 2587 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=/data/www/dx2.scol.cn/uc_client/control" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:24:08 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F..%2F.. HTTP/1.1" 200 4576 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:24:23 +0800] "GET /uc_client/control/Spider.php?s=p&fp=%2Fdata%2Fwww%2Fdx2.scol.cn&fn=qq.txt HTTP/1.1" 200 1349 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F..%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:24:30 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn HTTP/1.1" 200 4559 "http://www.scol.cn/uc_client/control/Spider.php?s=p&fp=%2Fdata%2Fwww%2Fdx2.scol.cn&fn=qq.txt" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:25:38 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2266 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:29:53 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2266 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:30:31 +0800] "GET /uc_client/control/Spider.php?s=q&p=/data/www/dx2.scol.cn/archiver HTTP/1.1" 200 825 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:31:00 +0800] "POST /uc_client/control/Spider.php?s=q&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 849 "http://www.scol.cn/uc_client/control/Spider.php?s=q&p=/data/www/dx2.scol.cn/archiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:31:15 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2336 "http://www.scol.cn/uc_client/control/Spider.php?s=q&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:31:22 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&dn=index_files HTTP/1.1" 200 2473 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:31:49 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files HTTP/1.1" 200 2103 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&dn=index_files" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:31:54 +0800] "GET /uc_client/control/Spider.php?s=q&p=/data/www/dx2.scol.cn/archiver/index_files HTTP/1.1" 200 837 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:32:22 +0800] "POST /uc_client/control/Spider.php?s=q&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files HTTP/1.1" 200 900 "http://www.scol.cn/uc_client/control/Spider.php?s=q&p=/data/www/dx2.scol.cn/archiver/index_files" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:32:28 +0800] "POST /uc_client/control/Spider.php?s=q&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files HTTP/1.1" 200 850 "http://www.scol.cn/uc_client/control/Spider.php?s=q&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:32:30 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files HTTP/1.1" 200 2648 "http://www.scol.cn/uc_client/control/Spider.php?s=q&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:33:26 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files%2F.. HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:33:42 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2482 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:34:40 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2484 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:36:24 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2479 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:37:04 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1605 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:37:04 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:37:07 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F.. HTTP/1.1" 200 2587 "http://www.scol.cn/uc_client/control/Spider.php?s=a" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:37:09 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F..%2F.. HTTP/1.1" 200 4580 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:37:11 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F..%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:18 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1605 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:22 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:24 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F.. HTTP/1.1" 200 2587 "http://www.scol.cn/uc_client/control/Spider.php?s=a" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:26 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F..%2F.. HTTP/1.1" 200 4580 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:28 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F..%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:35 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:36 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:37 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:37 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:38 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:39 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:39 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:41:40 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:42:04 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:42:05 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:42:06 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2478 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:44:07 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2397 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:44:15 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2481 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:44:35 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2397 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:45:20 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files HTTP/1.1" 200 2648 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:45:56 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files%2F.. HTTP/1.1" 200 2403 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:46:16 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2472 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2Findex_files%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:46:45 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&mn=wap.php&rn=wap.html HTTP/1.1" 200 2480 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
222.246.237.151 - - [04/Sep/2014:00:47:12 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&mn=wap.html&rn=wap.php HTTP/1.1" 200 2479 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&mn=wap.php&rn=wap.html" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:34:42 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1605 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:34:42 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2795 "http://www.scol.cn/uc_client/control/Spider.php" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:34:46 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F.. HTTP/1.1" 200 2587 "http://www.scol.cn/uc_client/control/Spider.php?s=a" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:34:48 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F..%2F.. HTTP/1.1" 200 4582 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:34:51 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2473 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fuc_client%2Fcontrol%2F..%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:37:05 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2468 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:37:56 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&mn=wap.php&rn=wap.html HTTP/1.1" 200 2472 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:40:10 +0800] "GET /uc_client/control/Spider.php?s=p&fp=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&fn=.htaccess HTTP/1.1" 200 1293 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&mn=wap.php&rn=wap.html" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:41:38 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2538 "http://www.scol.cn/uc_client/control/Spider.php?s=p&fp=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&fn=.htaccess" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:41:57 +0800] "GET /uc_client/control/Spider.php?s=p&fp=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&fn=wap.html HTTP/1.1" 200 7898 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:42:03 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2534 "http://www.scol.cn/uc_client/control/Spider.php?s=p&fp=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&fn=wap.html" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:42:09 +0800] "GET /uc_client/control/Spider.php?s=p&fp=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&fn=.htaccess HTTP/1.1" 200 1356 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:50:53 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2534 "http://www.scol.cn/uc_client/control/Spider.php?s=p&fp=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&fn=.htaccess" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:50:58 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver HTTP/1.1" 200 2464 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:51:44 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&mn=wap.html&rn=wap.php HTTP/1.1" 200 2472 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:57:19 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2F.. HTTP/1.1" 200 4563 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver&mn=wap.html&rn=wap.php" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
113.243.196.168 - - [04/Sep/2014:23:57:41 +0800] "GET /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Fdata HTTP/1.1" 200 3746 "http://www.scol.cn/uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Fdx2.scol.cn%2Farchiver%2F.." "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
#########################################################################################
From the logs above, combined with Spider.php's modification date, we pinned the first access to Spider.php at 02/Sep/2014:20:29:35, from IP 116.8.66.54.
We exported every access-log entry for IP 116.8.66.54 and found that the earliest one was:
116.8.66.54 www.scol.cn - - [02/Sep/2014:12:51:43 +0800] "POST /uc_client/control/member.php HTTP/1.1" 200 4388 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.66 Safari/537.36" - "PHPSESSID=1jru9u5846vcpjkc6ahantifu0; tVi9_9a35_saltkey=yXRgr33R; tVi9_9a35_lastvisit=1408844645; pgv_pvi=7757539924; pgv_info=ssi=s231940800; Hm_lvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lpvt_fbe7fb3d30b94a2182402df0f75339a0=1408848596; Hm_lvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; Hm_lpvt_3655798ef3e7d6f0b0ffacdc386fa14d=1408848596; CNZZDATA3469692=cnzz_eid%3D495590263-1408848260-%26ntime%3D1408848260" - "-"
Clearly the first entry is a POST to /uc_client/control/member.php, and there were quite a few more identical POSTs; the other GET requests looked largely harmless. After a series of POSTs and GETs, Spider.php finally appeared, so this POST is highly suspicious: it is reasonable to conclude that Spider.php was uploaded through a POST request to member.php.
Unfortunately the trail ends there: neither the session ID nor the IP turned up any earlier access records for this user (the server only keeps 10 days of logs). So what exactly was wrong with member.php? After chasing many leads without result, I decided to read the source of member.php and look for the bug.
You don't know until you look, and it was a shock: in my local copy of the code the only member.php is /uc_server/member.php. I immediately checked /uc_client/control/member.php on the server, and sure enough, this file was a one-line web shell (一句话木马)!
Checking the file's creation time: damn, it has been there since 2012-07-26. Unbelievable.
-rwxrwxrwx 1 www www 213 2012-07-26 member.php
Then it hit me: damn, isn't that date exactly the community's 2012 upgrade? How the shell was uploaded in the first place, we have no way of knowing. Whether there are other shells, I cannot tell either. All we can do is harden as well as we can and fix problems as they are found.
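The pivot used above (file mtime to the shell's first request, then the requesting IP's earlier traffic to find the upload endpoint) is worth mechanising, because the next shell will be found the same way. The following Python is an added example written for this edit, not code from the original post: it parses both access-log shapes seen above (with and without the vhost and cookie fields), reproduces the pivot, checks the first hit against the file's mtime, and flags "Googlebot" requests that behave unlike a crawler (POSTs or Referer set), which is how the 04 Sep traffic stood out. The log lines, hostnames and IPs in it are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log (documentation-range IPs, not the incident's). The first four
# lines use the "ip vhost - - [ts] ... - "cookies" - "-"" shape, the last one plain
# combined format, mirroring the two servers' logs in the write-up.
SAMPLE_LOG = """\
198.51.100.7 www.example.com - - [02/Sep/2014:12:51:43 +0800] "POST /uc_client/control/member.php HTTP/1.1" 200 4388 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0" - "PHPSESSID=constructed" - "-"
198.51.100.7 www.example.com - - [02/Sep/2014:13:02:10 +0800] "GET /forum.php HTTP/1.1" 200 11020 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0" - "PHPSESSID=constructed" - "-"
198.51.100.7 www.example.com - - [02/Sep/2014:20:29:35 +0800] "GET /uc_client/control/Spider.php HTTP/1.1" 200 1597 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0" - "PHPSESSID=constructed" - "-"
198.51.100.7 www.example.com - - [02/Sep/2014:20:29:35 +0800] "GET /uc_client/control/Spider.php?s=a HTTP/1.1" 200 2794 "http://www.example.com/uc_client/control/Spider.php" "Mozilla/5.0 (Windows NT 6.1) Chrome/30.0" - "PHPSESSID=constructed" - "-"
203.0.113.9 - - [04/Sep/2014:00:46:16 +0800] "POST /uc_client/control/Spider.php?s=a&p=%2Fdata%2Fwww%2Farchiver HTTP/1.1" 200 2472 "http://www.example.com/uc_client/control/Spider.php?s=a" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
"""

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Optional vhost after the client IP; everything after the User-Agent is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?:(?P<vhost>[\w.-]+) )?- - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FORMAT)
    entry["path"] = urlsplit(entry["target"]).path  # strip the query string
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def first_hit(entries, path):
    """Earliest request for `path`: the shell's first use."""
    hits = [e for e in entries if e["path"] == path]
    return min(hits, key=lambda e: e["ts"]) if hits else None


def requests_from_ip_before(entries, ip, cutoff):
    """Every request from `ip` at or before `cutoff`, oldest first."""
    return sorted((e for e in entries if e["ip"] == ip and e["ts"] <= cutoff),
                  key=lambda e: e["ts"])


def trace_upload_vector(entries, shell_path):
    """The pivot from the write-up: find the shell's first request, then list the distinct
    POST targets the same client hit before it. Those are the upload candidates."""
    first = first_hit(entries, shell_path)
    if first is None:
        return None
    earlier = requests_from_ip_before(entries, first["ip"], first["ts"])
    candidates = []
    for e in earlier:
        if e["method"] == "POST" and e["path"] != shell_path and e["path"] not in candidates:
            candidates.append(e["path"])
    return {"ip": first["ip"], "first_seen": first["ts"],
            "earliest": earlier[0]["ts"], "upload_candidates": candidates}


def consistent_with_mtime(entry, mtime_str, slack_seconds=60):
    """True when the request time lies within `slack_seconds` of the file's mtime
    (given in the log's own timestamp format), as the 20:29 Spider.php mtime did."""
    mtime = datetime.strptime(mtime_str, TS_FORMAT)
    return abs(entry["ts"] - mtime) <= timedelta(seconds=slack_seconds)


def fake_crawler_hits(entries):
    """Requests whose User-Agent claims Googlebot but behave unlike a crawler:
    crawlers do not POST and do not send a Referer."""
    return [e for e in entries
            if "Googlebot" in e["ua"] and (e["method"] == "POST" or e["referer"] != "-")]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(trace_upload_vector(entries, "/uc_client/control/Spider.php"))
    for e in fake_crawler_hits(entries):
        print("fake crawler:", e["ip"], e["method"], e["target"])
```

On real logs, feed parse_log the concatenation of every server's access log for the retention window, since the first hit and the upload may have landed on different nodes behind the load balancer (web1 and web2 above).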