  1. #1

    Virus detect in my website

    I have a WordPress site




    This is my solution to find malware in my webportal:



    <html><head><title>Buscar Virus en sitios web</title></head><body>
    <!-- Author: Luis Mariscal mariscalradios@gmail.com -->
    <?php
    // ini_set('max_execution_time', '0');
    // ini_set('set_time_limit', '0');
    find_files('.');

    // Walk $seed recursively and pass every PHP, text, JS and .htaccess file to check_files().
    function find_files($seed) {
        if (!is_dir($seed)) return false;
        $dirs = array($seed);
        while (NULL !== ($dir = array_pop($dirs)))
        {
            if ($dh = opendir($dir))
            {
                while (false !== ($file = readdir($dh)))
                {
                    // Skip the directory entries and 64.php.
                    if ($file == '.' || $file == '..' || $file == '64.php') continue;
                    $path = $dir . '/' . $file;
                    if (is_dir($path)) { $dirs[] = $path; }
                    elseif (preg_match('/^.*\.(php[\d]?|txt|js|htaccess)$/i', $path)) { check_files($path); }
                }
                closedir($dh);
            }
        }
    }

    // Report $this_file if it contains a signature string; delete it if its path also names a known shell.
    function check_files($this_file)
    {
        // Signature strings, matched case-insensitively anywhere in the file contents.
        $str_to_find = array();
        //$str_to_find[]='base64_decode';
        $str_to_find[]='counter.php';
        //$str_to_find[]='preg_replace';
        //$str_to_find[]='HTTP_REFERER';
        //$str_to_find[]='HTTP_USER_AGENT';
        $str_to_find[]='eval(gzinflate(';
        $str_to_find[]='if (!isset($sRetry))';
        $str_to_find[]='if (99shell))';
        $str_to_find[]='if (.ru))';
        $str_to_find[]='if (r57))';
        $str_to_find[]='if (r99))';
        $str_to_find[]='proxgator.com';
        $str_to_find[]='linkjsname';
        $str_to_find[]='zhead';
        //$str_to_find[]='unescape(';
        $str_to_find[]='r00t';
        $str_to_find[]='ftpcracker';
        $str_to_find[]='priv9';
        $str_to_find[]='sn22.php';
        $str_to_find[]='ssi.php';
        $str_to_find[]='dayi';
        $str_to_find[]='cgi.r1z';
        $str_to_find[]='config.r1z';
        $str_to_find[]='issw';
        $str_to_find[]='perlbypass.php';
        $str_to_find[]='python.izo ';

        // File names of known shells: a flagged file whose path contains one of these is deleted.
        $to_delete = array('default.php', 'c99.php', 'wport.php', 'g_process.php',
                           'xdesk.php', 'a_seed.php', 'gdeck.php', 'pzreset.php');

        // Compare against false so that an empty file is not reported as unreadable.
        $content = file_get_contents($this_file);
        if ($content === false)
        { echo("<p>Could not check " . htmlspecialchars($this_file) . " You should check the contents manually!</p>\n"); }
        else
        {
            foreach ($str_to_find as $value)   // each() was removed in PHP 8
            {
                if (stripos($content, $value) !== false)
                {
                    // Escape the path and signature before writing them into the HTML report.
                    echo("<p><b><font color='red'>" . htmlspecialchars("$this_file -> contains $value") . "</font></b></p>\n");

                    foreach ($to_delete as $name)   // ereg() was removed in PHP 7
                    {
                        if (strpos($this_file, $name) !== false) {
                            unlink($this_file);
                            echo "Eliminado: " . htmlspecialchars($this_file) . "<br>";
                            return;   // the file is gone, so stop checking it
                        }
                    }
                }
            }
        }
        unset($content);
    }?>
    </body></html>

  2. #2
    Join Date
    Jun 2002
    Posts
    1,682
    So what do you need now?

  3. #3
    Hi,

    Is this what you suggest? Is this HTML page good enough to find the infection?
    www.24x7servermanagement.com
    Server Management, Server Security, Server Monitoring.
    India's Leading Managed Service Provider !! Skype: techs24x7

  4. #4
    Download your site contents to your PC and scan for viruses. Thus, the malicious code will be deleted from your scripts. If your hosting provider is using maldet virus scanner, please ask the server administrator to scan your site for malicious code.

  5. #5
    Join Date
    Aug 2014
    Posts
    69
    That is an exploit for sure. You'll want to immediately launch an investigation into this WordPress install and try to determine how it was exploited. Typically your hosting provider can go through the logs to see what the initial exploit request was based on the time stamps of the abusive files. They should be able to pinpoint this issue down to an out of date theme, plugin, or other WordPress file.

    As WordPress is widely used, sadly it is a prime target for exploits, specifically by bots. Make sure to always keep your WordPress install - including the main version, themes, and plugins, always updated.

    As gasyoun said, most web hosting providers will run a scanner such as ClamAV, maldet, AVG, etc to help pinpoint the abusive files. Otherwise, any administrator should be able to check the most recently modified files to help pinpoint issues too. Good luck!

  6. #6
    Join Date
    Oct 2004
    Location
    Celebration, Florida
    Posts
    209
    "That is an exploit for sure."
    The OP created a script designed to test WP files to see if a WP installation was infected. He's not reporting an exploit or virus. He's asking if his script is good enough to catch most exploits. And, his script doesn't clean anything, but rather reports the potentially infected file to the admin so that the admin can manually investigate.
    Richard C. Hay - Celebration, Florida
    Web Application Development, Graphic Design & Organization Management Services
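
The "check the most recently modified files" advice from post #5, combined with three of the signature strings from post #1, as an added example that is not part of the thread. It only reports and deletes nothing; the function names are hypothetical, and it assumes GNU find and grep and paths without newlines.

```shell
#!/bin/sh
# Added example (not from the thread): report-only triage of a web root.

# Print "YYYY-MM-DD HH:MM<TAB>path", newest first, for files changed in the
# last $2 days under $1. Extensions are the ones the scanner in post #1 reads.
recent_web_files() {
    find "$1" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.js' \
           -o -iname '*.txt' -o -iname '*.htaccess' \) \
        -mtime "-$2" -printf '%T@\t%TY-%Tm-%Td %TH:%TM\t%p\n' |
        sort -rn | cut -f2-
}

# Of those recent files, print the paths that contain one of the signature
# strings (a small sample of the list in post #1, matched case-insensitively).
recent_signature_hits() {
    recent_web_files "$1" "$2" | cut -f2- |
        while IFS= read -r path; do
            if grep -Fqi -e 'eval(gzinflate(' -e 'ftpcracker' -e 'priv9' \
                    -- "$path"; then
                printf '%s\n' "$path"
            fi
        done
}

# Usage: sh triage.sh /path/to/webroot [days]
if [ "$#" -ge 1 ]; then
    recent_web_files "$1" "${2:-7}"
    echo "--- recent files with signature hits ---"
    recent_signature_hits "$1" "${2:-7}"
fi
```

The timestamps in the first column are the values to line up against the web server access log when looking for the initial request.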
