
Obfuscated Malicious PHP

I found this code on a hacked Drupal installation, and I'd like to know what the code was capable of doing. I've tried various tools to de-obfuscate it, but I've been unsuccessful. I'm getting tripped up with the $r76 variable. I can't figure out how it's encoded. Translation or suggestions?

<?php $r76="F[<PAlDf|]}M@~79/O8Kx\rH6r&-c5k\n3X,YzhQ> Cp\\wUu2jGoB;0i_SN\tn%Vg)ZI^sTRyvL{\$:=1*mE+JW(q4.t'`a!\"#edb?";

$r76 is a cipher key. Access bits and letters of the string using array access through the rest of the code and you can construct a completely different string (like function names, variables, etc.) from it.

Here are the evaluations for the globals that were defined at the top of the script. Use them to figure out the rest of the script... if you feel like wasting any more time on this than I did:

[vtton6] => error_reporting
[jlxru64] => ini_set
[vajox38] => define
[qobdl72] => hvcug13
[yhrfr40] => xyhxn92
[quzii24] => md5
[tlyiy12] => count
[kyioa8] => time
[glyac65] => constant
[nhnww15] => npufi61
[igajs32] => potcc11
[cpukq94] => omauf87
[bdonk12] => hwgbo88
[aurku4] => ioxgo29
[yqqkt30] => function_exists
[tnmsd36] => mail
[chqql44] => armtx32
[cvtxr40] => ecyws30
[eavur97] => usleep
[ptlaz26] => urvfu78
[xcnkh30] => xllez0
[wnlxd28] => trim
[laepm94] => preg_replace
[nxseo15] => gethostbyname
[cyzbs96] => preg_match
[yoejz48] => rzekg39
[lzjpr73] => wdtjf68
[osnjl91] => rxrmp70
[zhjzv93] => prcux47
[brkww19] => strlen
[yhcum29] => oyysg80
[ibere91] => foftg27
[vszxc90] => array_keys
[qtgcq90] => socket_select
[bwpvf88] => ucfirst
[bdvxl14] => str_replace
[xizmx47] => ini_get
[stkuy98] => vkaqq98
[duiid33] => date
[grxdw62] => getmxrr
[nvuxa92] => ybewy88
[ysmvf63] => min
[vbhwy58] => Array ( )

[wdbfr89] => fewfx40
[vxogc32] => preg_split
[inenw32] => xwses24
[xyxdn38] => chr
[rtdlc97] => ord
[cnrfe78] => urldecode
[wzekj92] => stripslashes
[yrqxp89] => array_flip
[xavtv19] => preg_match_all
[zjheh80] => base64_encode
[gisxn89] => socket_create
[oqikt29] => socket_last_error
[tvxvt28] => socket_strerror
[fmlld76] => socket_set_option
[zwafy86] => socket_set_nonblock
[uocvp26] => socket_connect
[xvxof76] => fsockopen
[vzqix48] => stream_set_blocking
[sltum36] => stream_set_timeout
[clkxn20] => stream_socket_client
[unkvq75] => socket_close
[yoxhh65] => fclose
[dskbo69] => socket_read
[jhtbn88] => feof
[zflfl64] => fread
[uwnpx27] => socket_write
[stdvp96] => fwrite
[ocmvf65] => rand
[bkenc7] => explode
[llpxl21] => pack
[efljc33] => unpack
[zndda55] => cgzhg7
[lzlla40] => array_merge
[axqrn63] => long2ip

If I had to guess, the mention of mail in the obfuscated variables just means that this is a malicious mailing script designed to turn your PHP server into a spam server - or maybe it's a "phone home" functionality for much more evil purposes.
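As an added example that is not part of the question or the answer above, the following Python helper applies the answer's observation mechanically: it holds the $r76 key exactly as PHP decodes the question's double-quoted literal (so that `\r`, `\n`, `\t` and `\\` are single characters) and resolves any `$r76[N].$r76[M]...` concatenation back to the plain string it builds, rewriting it in place as a quoted literal so the script can be read without executing it. The function names `decode_expr`, `encode_word` and `deobfuscate`, and the `SAMPLE` line it is run on, are constructed for this illustration; the sample mimics the style of a global assignment but is not a line taken from the hacked site.

```python
import re

# The $r76 key from the question, with PHP's double-quoted escapes (\r, \n,
# \t, \\, \$, \") already decoded so that KEY[n] is what PHP's $r76[n] yields.
KEY = ("F[<PAlDf|]}M@~79/O8Kx\rH6r&-c5k\n3X,YzhQ> Cp\\wUu2jGoB;0i_SN\tn%Vg)"
       "ZI^sTRyvL{$:=1*mE+JW(q4.t'`a!\"#edb?")

# A single character read out of the key, e.g. $r76[78].
INDEX_RE = re.compile(r"\$r76\[(\d+)\]")
# A run of such reads glued together with PHP's "." concatenation operator.
CONCAT_RE = re.compile(r"\$r76\[\d+\](?:\s*\.\s*\$r76\[\d+\])*")


def decode_expr(expr: str) -> str:
    """Resolve '$r76[78].$r76[90]...' to the string those reads build."""
    out = []
    for m in INDEX_RE.finditer(expr):
        idx = int(m.group(1))
        if idx >= len(KEY):
            # An out-of-range index would be a silent "" in PHP; fail loudly here.
            raise ValueError(f"index {idx} is outside the {len(KEY)}-char key")
        out.append(KEY[idx])
    return "".join(out)


def encode_word(word: str) -> str:
    """Inverse of decode_expr: the expression the obfuscator would emit."""
    # Every printable ASCII character plus \r, \n and \t occurs exactly once
    # in KEY, so str.index returns the unique position of each character.
    return ".".join(f"$r76[{KEY.index(ch)}]" for ch in word)


def deobfuscate(source: str) -> str:
    """Rewrite every key-index run in PHP source as a single-quoted literal."""
    def to_literal(m: re.Match) -> str:
        text = decode_expr(m.group(0))
        # Single-quoted PHP strings only need backslash and quote escaped.
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return CONCAT_RE.sub(to_literal, source)


# Constructed sample (hypothetical, not a line from the hacked site): the same
# style of assignment a script like this uses to stash a function name.
SAMPLE = "$GLOBALS['tnmsd36'] = " + encode_word("mail") + ";"

if __name__ == "__main__":
    print(SAMPLE)
    print(deobfuscate(SAMPLE))
```

Running `deobfuscate` over a whole file turns the key-index runs into readable literals, which is usually enough to see which of the resolved names (`mail`, `socket_connect`, `gethostbyname`, ...) are called where; the remaining `$GLOBALS['...']` indirections can then be substituted from the list above.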
