
PHP Wordpress site compromised, what is this obfuscated code doing?

Found this code on a friend's compromised Wordpress site, any ideas?

Pastebin, since it's too long for SO:

$OO_OO0_00_='1515';
$O__OO_00O0='1515';
$O0O0_0_OO_='0';
$O_00OOO0__='1';
$OOO_0O_00_='1';
$O0__O0O_O0=urldecode("see pastebin

https://pastebin.com/WJv1p2uQ

I see references to opening a socket.

What @Chris said. But out of personal curiosity, I've decoded enough of it to get the gist of what it does. This code does several things.

Most importantly, this code will accept arbitrary file uploads that overwrite any existing file (if the file permissions allow it) by sending a request with a supfiles, sfilename and sfilecontent parameter. There's no path checking on sfilename either, so this script could potentially write files anywhere on the filesystem the user has permission to write to (which may or may not include such useful locations as ~/.ssh/authorized_keys).

But its core activity appears to be:

  1. It checks the User-Agent and Referer headers to see if the visitor is a search engine crawler or someone who came from Bing or the Japanese sites of Google and Yahoo. If so, it logs the request details to a remote server (www50.bcsad.top, but I've also seen references to www%d.bcsad.top which is fed into sprintf(), so the exact hostname is at least somewhat dynamic).
  2. If the request is for a sitemap.xml file or a variant thereof (e.g. sitemap-video-1-20.xml), it will generate one containing links to that remote server.
  3. If the infected site does not have a .htaccess file that redirects non-existing requests to the infected file, it will try to create one that does that (Wordpress does have such a file, but not in all subfolders).

There's a similar piece of code on unphp.net (cached, since it seems to be down at the moment) which is not identical to yours (it appears to be missing the file upload option) but still has a lot of overlap, so it'll give you a general idea of what this code does.
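The upload interface and the remote hostname described in this answer can be turned into a defender's log and file check. What follows is an added example, not code from the question or from either answer: a small Python scanner over combined-format access log lines that flags requests carrying the supfiles/sfilename/sfilecontent parameters, sfilename values that escape the upload directory, requests for sitemap variants, and any www<N>.bcsad.top hostname found in a PHP file. The log lines, the PHP fragment and all function names below are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names the answer identifies as the arbitrary-file-upload interface.
UPLOAD_PARAMS = {"supfiles", "sfilename", "sfilecontent"}
# sitemap.xml and variants such as sitemap-video-1-20.xml (served by the shell via .htaccess).
SITEMAP_RE = re.compile(r"^/sitemap(?:-[\w-]+)?\.xml$")
# www50.bcsad.top as well as the sprintf() template www%d.bcsad.top.
C2_HOST_RE = re.compile(r"www(?:\d+|%d)\.bcsad\.top")

# Apache/nginx "combined" log format (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def unsafe_filename(name):
    """True if an sfilename value is absolute or climbs out of its directory."""
    return name.startswith("/") or ".." in name.split("/") or ".." in name.split("\\")


def analyze_request(line):
    """Parse one log line and return the suspicious traits it shows (None if unparseable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decoded values
    findings = []
    present = UPLOAD_PARAMS & set(query)
    if present:
        findings.append("upload-interface: " + ",".join(sorted(present)))
        for name in query.get("sfilename", []):
            if unsafe_filename(name):
                findings.append("traversal-target: " + name)
    if SITEMAP_RE.match(parts.path):
        findings.append("sitemap-variant: " + parts.path)
    return {"ip": m["ip"], "path": parts.path, "findings": findings}


def scan_log(text):
    """Return only the parsed requests that produced at least one finding."""
    parsed = (analyze_request(l) for l in text.splitlines() if l.strip())
    return [r for r in parsed if r and r["findings"]]


def find_c2_references(source):
    """Sorted, de-duplicated bcsad.top hostnames found in a PHP source text."""
    return sorted(set(C2_HOST_RE.findall(source)))


# Constructed sample log: one upload attempt, one crawler fetching a fake sitemap, one benign hit.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:12:00:01 +0000] "POST /wp-content/uploads/2019/06/cache.php?supfiles=1&sfilename=..%2F..%2F..%2F.ssh%2Fauthorized_keys HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2020:12:00:02 +0000] "GET /sitemap-video-1-20.xml HTTP/1.1" 200 8421 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
192.0.2.9 - - [10/Mar/2020:12:00:03 +0000] "GET /about/ HTTP/1.1" 200 5120 "https://www.google.co.jp/" "Mozilla/5.0"
"""

# Constructed PHP fragment mirroring the two hostname forms the answer mentions.
SAMPLE_PHP = '$h = sprintf("www%d.bcsad.top", mt_rand(1, 99)); $fallback = "www50.bcsad.top";'

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["path"], hit["findings"])
    print("hostnames:", find_c2_references(SAMPLE_PHP))
```

An access log only records the query string, so an sfilecontent value sent in a POST body will not appear there; pair this check with a WAF audit log or file-integrity monitoring of the web root to catch uploads that arrive that way.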

It really does not matter what it is. The problem is that it is there in the first place.

You have a couple of options: either scrap the site and start over with the latest Wordpress release, hopefully this hole is patched.

Or, and you really need to determine whether it's worth doing (and if not, convince your friend to start over). However, if there is too much important data to lose, you will need to clean up the site, and it's not going to be easy: you will need to inspect each and every file including hidden files, directories etc., inspect the database, is it safe to keep it, if not can you clean it of any harmful data.

However, to my mind, this server is compromised; bin it and start over. Hopefully the host has a backup prior to this breach, though I suspect that might be more wishful thinking.

Seems that it'll take hours to decode that. Variables like $OO0O_0_O_0 transform to function names.

$OO0O_0_O_0 = 'preg_replace_callback';
$O0__O0_OO0 = 'stream_socket_client';
$O0OO0_0__O = 'stream_get_meta_data';
$OO0O_0_0O_ = 'stream_set_blocking';
$OO_00_0O_O = 'stream_set_timeout';
$O0_00OO__O = 'ignore_user_abort';
$OO_00__OO0 = 'file_put_contents';
$O0O0_O_O0_ = 'file_get_contents';
$OOO0__00O_ = 'http_build_query';
$OOO0_00O__ = 'function_exists';
$O_00O_O_O0 = 'error_reporting';
$O_00OO_0_O = 'create_function';
$O_00O__O0O = 'set_time_limit';
$O000O_O__O = 'gethostbyname';
$O__0O_0O0O = 'base64_decode';
$OO0OO_0__0 = 'preg_replace';
$OO00O_0O__ = 'str_replace';
$OO00_O0O__ = 'file_exists';
$O0_0O_0O_O = 'curl_setopt';
$OO_OO00__0 = 'array_shift';
$O0_OO00_O_ = 'preg_match';
$OO0O0__0O_ = 'curl_error';
$OO00__O_0O = 'curl_close';
$O_0O_O00O_ = 'urlencode';
$O_O0O0__0O = 'parse_url';
$O___0OOO00 = 'gzinflate';
$O0_0O_OO_0 = 'curl_init';
$O0_O0__O0O = 'curl_exec';
$O0_0_O0O_O = 'is_array';
$OO00OO_0__ = 'strrpos';
$O__OO00O_0 = 'mt_rand';
$O_00_OO_0O = 'implode';
$O_O00__OO0 = 'gzclose';
$O_00O_0O_O = 'explode';
$O_O0__O00O = 'usleep';
$O0_O_OO00_ = 'unlink';
$O0O__0OO0_ = 'strstr';
$O_0O0O0O__ = 'strpos';
$OO_0_0O_O0 = 'strlen';
$O00___0OOO = 'hexdec';
$O_000OOO__ = 'gzopen';
$O0__0OO_0O = 'fwrite';
$O00OO0_O__ = 'fclose';
$O__0_0OOO0 = 'mkdir';
$OO0OO__0_0 = 'fread';
$OO0O_O0__0 = 'fgets';
$OO_O_O0_00 = 'count';
$O00O_0_O_O = 'chmod';
$O_O00_O0_O = 'trim';
$OO__O00O_0 = 'join';
$O0_OOO__00 = 'feof';
$OOOO___000 = 'date';

It's possible to write some scripts to decode all that junk (or do it by hand)... if you have some free time.
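As a concrete version of the script this answer suggests, here is an added example that is not the poster's code: a Python helper that harvests the "$var = 'function_name';" aliases from the obfuscated source, rewrites "$var(" call sites to the real function name, and drops an alias assignment only when the variable is no longer referenced anywhere else (an alias passed as a string callback still needs its assignment). The PHP fragment is constructed for the example from a few of the aliases in the table above; the function names are assumptions of mine.

```python
import re

# $OO0O_0_O_0 = 'preg_replace_callback';  -> ("OO0O_0_O_0", "preg_replace_callback")
# Only single-quoted literals that are valid PHP identifiers are treated as function aliases,
# so config values such as $OO_OO0_00_='1515' are left untouched.
ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)\s*=\s*'([A-Za-z_]\w*)'[ \t]*;")


def extract_function_aliases(src):
    """Map obfuscated variable name -> function name it holds."""
    return {var: fn for var, fn in ASSIGN_RE.findall(src)}


def resolve_aliases(src, drop_assignments=True):
    """Rewrite $alias(...) calls to direct calls; return (decoded_source, alias_map)."""
    aliases = extract_function_aliases(src)
    out = src
    for var, fn in aliases.items():
        # $var( -> fn(   ((?!\w) stops a shorter name matching the prefix of a longer one)
        out = re.sub(r"\$" + re.escape(var) + r"(?!\w)\s*\(", fn + "(", out)
    if drop_assignments:
        for var, fn in aliases.items():
            assign = (r"\$" + re.escape(var) + r"\s*=\s*'" + re.escape(fn) + r"'[ \t]*;[ \t]*\n?")
            without = re.sub(assign, "", out)
            # Keep the assignment if the variable is still used as a value somewhere.
            if not re.search(r"\$" + re.escape(var) + r"(?!\w)", without):
                out = without
    return out, aliases


# Constructed obfuscated fragment using aliases from the answer's table.
SAMPLE = """<?php
$O_00O_O_O0 = 'error_reporting';
$O0_OO00_O_ = 'preg_match';
$O__0O_0O0O = 'base64_decode';
$OO0O_0_O_0 = 'preg_replace_callback';
$OO_OO0_00_='1515';
$O_00O_O_O0(0);
if ($O0_OO00_O_('/bot|spider/i', $_SERVER['HTTP_USER_AGENT'])) {
    $payload = $O__0O_0O0O('aGVsbG8=');
}
$handler = $OO0O_0_O_0; // still referenced as a value, so its alias line must survive
"""

if __name__ == "__main__":
    decoded, aliases = resolve_aliases(SAMPLE)
    print(aliases)
    print(decoded)
```

Run it over the real Pastebin dump and the output is still obfuscated data (the urldecode'd string, the base64 blobs), but every call site now reads as a normal PHP function name, which is what makes the control flow reviewable.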
