
Bots that plant malicious code have started breaking sites

Until now they would, as a rule, simply add an iframe to the site's code. That was dealt with by "search and destroy": a plain text search for the inserted string across the files, followed by its removal.

Over the past week the behaviour of the malicious bots has changed in a disturbing way. First I discovered that in one of the files of a CMS (a common, paid, domestic one) the lines responsible for outputting the layout had disappeared. The first time I took it for an accident, or assumed someone with access had deleted them by mistake; when I ran into it a second time I concluded that the bot had been trained to delete lines from specific CMS files (that it was tuned to that CMS).

But then an even more interesting fact surfaced. The lines outputting the layout had also been deleted from a custom-written CMS, which ruled out the bot having been tailored to one specific CMS.
Summary. The new generation of bots analyses PHP code (I don't know about other languages) and deletes the lines in which it recognises layout output. In my case the following lines were deleted from different CMSes:

    eval("echo \"$Template->header\";");
    eval("echo \"".$template_header."\";");
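A plain text search only catches what a bot adds; it cannot notice what a bot deletes. The check below is an added example, not code from the original post: it compares the current copy of each PHP file against a known-good baseline (a backup taken before the incident), reports any deleted template-output lines of the shape shown above, and at the same time finds injected `<iframe>` tags. The file names, their contents and the regular expression for "layout output" lines are all constructed here for the demonstration.

```python
"""Baseline-based integrity check for a PHP site. Added example, not from
the original post; file names and contents are constructed."""
import hashlib
import re
from typing import Dict, List

# Lines that print the template/layout, the shape the post says the bot
# recognises and deletes:  eval("echo ... header ...");  (case-insensitive).
# This pattern is an assumption about what the bot keys on.
TEMPLATE_OUTPUT_RE = re.compile(r'^\s*eval\s*\(\s*"echo\b.*header.*\)\s*;\s*$', re.I)

# Any <iframe ...> opening tag, the classic injected payload.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)

# Constructed known-good copies (e.g. from a backup made before the incident).
BASELINE_FILES: Dict[str, str] = {
    "index.php": (
        "<?php\n"
        'require "cms.php";\n'
        'eval("echo \\"$Template->header\\";");\n'
        'echo "content";\n'
    ),
    "page.php": (
        "<?php\n"
        "$template_header = load_header();\n"
        'eval("echo \\"".$template_header."\\";");\n'
    ),
}

# Constructed copies after a bot has visited: index.php lost its template
# line, page.php gained a hidden iframe.
CURRENT_FILES: Dict[str, str] = {
    "index.php": (
        "<?php\n"
        'require "cms.php";\n'
        'echo "content";\n'
    ),
    "page.php": (
        "<?php\n"
        "$template_header = load_header();\n"
        'eval("echo \\"".$template_header."\\";");\n'
        '<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n'
    ),
}


def sha256(text: str) -> str:
    """Hex digest used to decide whether a file changed at all."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def template_output_lines(text: str) -> List[str]:
    """Return the lines a layout-deleting bot would target."""
    return [line for line in text.splitlines() if TEMPLATE_OUTPUT_RE.match(line)]


def injected_iframes(text: str) -> List[str]:
    """Return every <iframe> opening tag found in the text."""
    return IFRAME_RE.findall(text)


def diff_site(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, dict]:
    """Compare the current files against the baseline, file by file."""
    report: Dict[str, dict] = {}
    for name, good in baseline.items():
        now = current.get(name)
        if now is None:
            report[name] = {"changed": True, "missing_file": True,
                            "missing_template_lines": template_output_lines(good),
                            "injected_iframes": []}
            continue
        good_templates = template_output_lines(good)
        now_templates = set(template_output_lines(now))
        report[name] = {
            "changed": sha256(good) != sha256(now),
            "missing_file": False,
            # template lines present in the baseline but gone now
            "missing_template_lines": [l for l in good_templates if l not in now_templates],
            # iframes present now that the baseline never had
            "injected_iframes": [t for t in injected_iframes(now) if t not in injected_iframes(good)],
        }
    return report


if __name__ == "__main__":
    for name, r in diff_site(BASELINE_FILES, CURRENT_FILES).items():
        if r["changed"]:
            print(f"{name}: changed; deleted template lines={r['missing_template_lines']}, "
                  f"injected iframes={r['injected_iframes']}")
```

In practice the baseline would be the hashes and template lines recorded from a clean backup rather than full file copies held in memory, and the scan would walk the document root; the comparison logic is the same.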

So it goes.
UPD: I forgot to describe what is going on in this scheme.
A trojan steals FTP credentials from your computer, most often the ones saved in Total Commander. I've also heard they are stolen from FAR, but I don't know whether that's true. It sends them to its own server. And once a vulnerability has been found in some browser, that server, in one sharp blow, writes an iframe into every site it has access to, forcing visitors to run the exploit.

The simplest solution I can see is to restrict FTP access through the control panel: by IP, by region. But as far as I know there is nothing like that yet. Not saving FTP passwords is too much of a pain: pulling them out of a text file every time...
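Two checks that follow from the scheme described in the update, as an added example that is not part of the original post. The first stands in for the "restrict FTP by IP" control the author wants: it flags successful logins to an account from an address that account is not allowed from. The second looks for the "sharp blow" itself: one address logging into many different accounts within a few minutes, which is what a server pushing an iframe into every site it has credentials for looks like in the FTP log. The log lines, their simplified `date time user ip result` format, the allow-list and the thresholds are all constructed here and do not correspond to any particular FTP daemon.

```python
"""Two checks over FTP login records: per-account source allow-list and
mass-login burst detection. Added example; log format and data constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Login(NamedTuple):
    when: datetime
    user: str
    ip: str
    ok: bool


# Constructed records in a hypothetical "date time user ip result" format.
# 203.0.113.5 is the developer's own address; 198.51.100.77 is the attacker's
# server logging into every stolen account within a few seconds.
SAMPLE_LOG = """\
2009-06-30 10:01:12 siteA 203.0.113.5 OK
2009-06-30 10:05:40 siteB 203.0.113.5 OK
2009-06-30 23:14:02 siteA 198.51.100.77 OK
2009-06-30 23:14:05 siteB 198.51.100.77 OK
2009-06-30 23:14:09 siteC 198.51.100.77 OK
2009-06-30 23:14:11 siteD 198.51.100.77 FAIL
2009-06-30 23:14:13 siteE 198.51.100.77 OK
"""

# Constructed per-account allow-list of source addresses.
ALLOWED: Dict[str, Set[str]] = {
    "siteA": {"203.0.113.5"}, "siteB": {"203.0.113.5"}, "siteC": {"203.0.113.5"},
    "siteD": {"203.0.113.5"}, "siteE": {"203.0.113.5"},
}


def parse_log(text: str) -> List[Login]:
    """Parse the constructed log format into Login records."""
    out: List[Login] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, ip, result = line.split()
        out.append(Login(datetime.fromisoformat(f"{date} {time}"), user, ip, result == "OK"))
    return out


def logins_outside_allowlist(logins: List[Login], allowed: Dict[str, Set[str]]) -> List[Login]:
    """Successful logins from an address the account is not allowed from."""
    return [l for l in logins if l.ok and l.ip not in allowed.get(l.user, set())]


def mass_login_sources(logins: List[Login], window: timedelta = timedelta(minutes=5),
                       min_accounts: int = 3) -> Dict[str, Set[str]]:
    """Addresses that successfully log into at least min_accounts distinct
    accounts within one sliding window; returns ip -> accounts touched."""
    by_ip: Dict[str, List[Login]] = defaultdict(list)
    for l in sorted(logins, key=lambda x: x.when):
        if l.ok:
            by_ip[l.ip].append(l)
    flagged: Dict[str, Set[str]] = {}
    for ip, events in by_ip.items():
        for i, start in enumerate(events):
            accounts = {e.user for e in events[i:] if e.when - start.when <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = accounts
                break
    return flagged


if __name__ == "__main__":
    logins = parse_log(SAMPLE_LOG)
    for l in logins_outside_allowlist(logins, ALLOWED):
        print(f"{l.when} {l.user}: login from non-allowed address {l.ip}")
    for ip, accounts in mass_login_sources(logins).items():
        print(f"{ip} logged into {len(accounts)} accounts within 5 minutes: {sorted(accounts)}")
```

The allow-list check is only as good as the developer's address being stable; where it is not, the burst check still fires, because the attacker's server has to touch many accounts quickly to plant its iframe everywhere before the credentials are changed.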

Source: https://habr.com/ru/post/64755/
