混淆恶意PHP

时间:2014-12-05 15:13:20

标签: php security

我在黑客入侵的Drupal上找到this code,我想知道代码能做什么。我尝试过各种工具对其进行去混淆,但我没有成功。我用$ r76变量绊倒了。我无法弄清楚它是如何编码的。翻译或建议?

<?php $r76="F[<PAlDf|]}M@~79/O8Kx\rH6r&-c5k\n3X,YzhQ> Cp\\wUu2jGoB;0i_SN\tn%Vg)ZI^sTRyvL{\$:=1*mE+JW(q4.t'`a!\"#edb?";

1 个答案:

答案 0 :(得分:2)

$r76是一个密钥。使用通过其余代码的数组访问来访问字符串的位和字母,您可以从中构造完全不同的字符串(如函数名,变量等)。

以下是对脚本顶部定义的全局变量的评估。用它们来弄清楚脚本的其余部分...如果你想浪费时间比我做的更多:

[vtton6] => error_reporting
[jlxru64] => ini_set
[vajox38] => define
[qobdl72] => hvcug13
[yhrfr40] => xyhxn92
[quzii24] => md5
[tlyiy12] => count
[kyioa8] => time
[glyac65] => constant
[nhnww15] => npufi61
[igajs32] => potcc11
[cpukq94] => omauf87
[bdonk12] => hwgbo88
[aurku4] => ioxgo29
[yqqkt30] => function_exists
[tnmsd36] => mail
[chqql44] => armtx32
[cvtxr40] => ecyws30
[eavur97] => usleep
[ptlaz26] => urvfu78
[xcnkh30] => xllez0
[wnlxd28] => trim
[laepm94] => preg_replace
[nxseo15] => gethostbyname
[cyzbs96] => preg_match
[yoejz48] => rzekg39
[lzjpr73] => wdtjf68
[osnjl91] => rxrmp70
[zhjzv93] => prcux47
[brkww19] => strlen
[yhcum29] => oyysg80
[ibere91] => foftg27
[vszxc90] => array_keys
[qtgcq90] => socket_select
[bwpvf88] => ucfirst
[bdvxl14] => str_replace
[xizmx47] => ini_get
[stkuy98] => vkaqq98
[duiid33] => date
[grxdw62] => getmxrr
[nvuxa92] => ybewy88
[ysmvf63] => min
[vbhwy58] => Array
    (
    )

[wdbfr89] => fewfx40
[vxogc32] => preg_split
[inenw32] => xwses24
[xyxdn38] => chr
[rtdlc97] => ord
[cnrfe78] => urldecode
[wzekj92] => stripslashes
[yrqxp89] => array_flip
[xavtv19] => preg_match_all
[zjheh80] => base64_encode
[gisxn89] => socket_create
[oqikt29] => socket_last_error
[tvxvt28] => socket_strerror
[fmlld76] => socket_set_option
[zwafy86] => socket_set_nonblock
[uocvp26] => socket_connect
[xvxof76] => fsockopen
[vzqix48] => stream_set_blocking
[sltum36] => stream_set_timeout
[clkxn20] => stream_socket_client
[unkvq75] => socket_close
[yoxhh65] => fclose
[dskbo69] => socket_read
[jhtbn88] => feof
[zflfl64] => fread
[uwnpx27] => socket_write
[stdvp96] => fwrite
[ocmvf65] => rand
[bkenc7] => explode
[llpxl21] => pack
[efljc33] => unpack
[zndda55] => cgzhg7
[lzlla40] => array_merge
[axqrn63] => long2ip

如果我不得不猜测,在混淆变量中提及mail只是意味着这是一个恶意邮件脚本,旨在将您的PHP服务器变成垃圾邮件服务器 - 或者它可能是“电话之家”功能为了更多邪恶的目的。

相关问题
最新问题