PHP
Raz1el, 2016-12-05 22:44:24

Where to dig if the virus is in PHP?

There is a PHP virus lying somewhere on the site.
Every 1-3 seconds it tries to change the access rights of index.php (before, it managed to change them; now for some reason it doesn't).
Part of the logs:

[��� ��� 05 22:41:23 2016] [warn-ioncube] mmap cache can't open /home/users/9/9266138229/domains/graalsalon.ru/index.php - ����� ��� � ������� (pid 26540)
[Mon Dec 05 22:41:23 2016] [error] [client 141.8.132.64] Directory index forbidden by Options directive: /home/users/9/9266138229/domains/9266138229.myjino.ru/
[��� ��� 05 22:41:23 2016] [warn-ioncube] mmap cache can't open /home/users/9/9266138229/domains/graalsalon.ru/index.php - �������� �� �������� (pid 26589)
[�� ���� 05 22:41:24 2016] [warn-ioncube] mmap cache can't open /home/users/9/9266138229/domains/graalsalon.ru/index.php - �������� � ������� (pid 26589)

UPD: requests for the interval:

194.165.16.76 - - [05/Dec/2016:22:58:43 +0300] "GET /mdp/kdjf3.php HTTP/1.0" 404 625 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36"
66.249.64.177 - - [05/Dec/2016:22:59:02 +0300] "GET /afj/glnoa.php?hl=tere-bina2-fariyad-m HTTP/1.0" 404 625 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
46.161.58.45 - - [05/Dec/2016:22:59:12 +0300] "GET / HTTP/1.0" 403 633 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
5.189.200.166 - - [05/Dec/2016:22:59:12 +0300] "GET / HTTP/1.0" 403 633 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
95.181.177.151 - - [05/Dec/2016:22:59:16 +0300] "GET / HTTP/1.0" 403 633 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
178.154.189.28 - - [05/Dec/2016:22:59:20 +0300] "GET /?p=220 HTTP/1.0" 403 633 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
194.165.16.76 - - [05/Dec/2016:22:59:54 +0300] "GET /afj/kdjf3.php HTTP/1.0" 404 625 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36"

logs for the same period:

[Mon Dec 05 22:58:43 2016] [error] [client 194.165.16.76] File does not exist: /home/users/9/9266138229/domains/9266138229.myjino.ru/mdp
[Mon Dec 05 22:59:02 2016] [error] [client 66.249.64.177] File does not exist: /home/users/9/9266138229/domains/9266138229.myjino.ru/afj
[Mon Dec 05 22:59:12 2016] [error] [client 46.161.58.45] Directory index forbidden by Options directive: /home/users/9/9266138229/domains/9266138229.myjino.ru/
[Mon Dec 05 22:59:12 2016] [error] [client 5.189.200.166] Directory index forbidden by Options directive: /home/users/9/9266138229/domains/9266138229.myjino.ru/
[Mon Dec 05 22:59:16 2016] [error] [client 95.181.177.151] Directory index forbidden by Options directive: /home/users/9/9266138229/domains/9266138229.myjino.ru/
[Mon Dec 05 22:59:20 2016] [error] [client 178.154.189.28] Directory index forbidden by Options directive: /home/users/9/9266138229/domains/9266138229.myjino.ru/
[Mon Dec 05 22:59:54 2016] [error] [client 194.165.16.76] File does not exist: /home/users/9/9266138229/domains/9266138229.myjino.ru/afj

Anton, 2016-12-05
@Raz1el

Look at the access logs: which scripts are being accessed at that second. As a rule, all these operations are initiated when a malicious script is accessed via HTTP.
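One way to do the correlation Anton describes, as an added example that is not from the thread: take the timestamps of the ionCube warnings about index.php as the moments the symptom appeared, then list which scripts were requested, and by whom, within a couple of seconds of each one. The log lines below are constructed in the shape of the ones quoted in the question; the /images/tmp.php path, the 10.0.0.5 client and the "Permission denied" wording are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines shaped like the logs quoted in the question.
# /images/tmp.php, client 10.0.0.5 and "Permission denied" are assumptions.
ACCESS_LOG = """\
194.165.16.76 - - [05/Dec/2016:22:58:43 +0300] "GET /mdp/kdjf3.php HTTP/1.0" 404 625 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Dec/2016:22:58:44 +0300] "POST /images/tmp.php HTTP/1.0" 200 12 "-" "curl/7.47.0"
66.249.64.177 - - [05/Dec/2016:22:59:02 +0300] "GET /afj/glnoa.php HTTP/1.0" 404 625 "-" "Googlebot/2.1"
46.161.58.45 - - [05/Dec/2016:22:59:12 +0300] "GET / HTTP/1.0" 403 633 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Dec/2016:22:59:46 +0300] "POST /images/tmp.php HTTP/1.0" 200 12 "-" "curl/7.47.0"
"""
ERROR_LOG = """\
[Mon Dec 05 22:58:44 2016] [warn-ioncube] mmap cache can't open /home/site/index.php - Permission denied (pid 26540)
[Mon Dec 05 22:59:02 2016] [error] [client 66.249.64.177] File does not exist: /home/site/afj
[Mon Dec 05 22:59:47 2016] [warn-ioncube] mmap cache can't open /home/site/index.php - Permission denied (pid 26589)
"""

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>[^\]]+)\] (?P<msg>.*)$')

def parse_access(text):
    """Return (time, client ip, path without query string, status) for each request line."""
    rows = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        # Both Apache logs are written in server-local time, so drop the offset and compare naive values.
        ts = datetime.strptime(m['ts'], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        rows.append((ts, m['ip'], m['path'].split('?')[0], int(m['status'])))
    return rows

def symptom_times(text, marker="index.php"):
    """Timestamps of the ionCube warnings about index.php: the moments its permissions were wrong."""
    times = []
    for m in filter(None, map(ERROR_RE.match, text.splitlines())):
        if 'ioncube' in m['level'] and marker in m['msg']:
            times.append(datetime.strptime(m['ts'], "%a %b %d %H:%M:%S %Y"))
    return times

def correlate(rows, times, window=2):
    """Map each script requested within +-window seconds of a symptom to the (symptom time, client) pairs.
    403/404 responses are skipped: Apache served no PHP file for them, so they cannot be the trigger."""
    hits = {}
    for ev in times:
        for ts, ip, path, status in rows:
            if status not in (403, 404) and abs(ts - ev) <= timedelta(seconds=window):
                hits.setdefault(path, []).append((ev, ip))
    # Most suspicious first: the script that coincides with the most symptoms.
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for path, evs in correlate(parse_access(ACCESS_LOG), symptom_times(ERROR_LOG)).items():
        print(path, "coincided with", len(evs), "symptom(s) from", sorted({ip for _, ip in evs}))
```

If nothing coincides with the symptoms, the trigger is not an HTTP request (a cron job or a resident process, for instance) and the access log alone will not reveal it.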
