Thread: Virus detect in my website
-
09-01-2014, 05:07 AM #1 New Member
Join Date: Sep 2014
Posts: 1
Virus detect in my website
I have a WordPress site.
This is my solution to find malware in my web portal:
<html><head><title>Buscar Virus en sitios web</title></head><body>
<!-- Author: Luis Mariscal mariscalradios@gmail.com -->
<?php
// ini_set('max_execution_time', '0');
// ini_set('set_time_limit', '0');
find_files('.');

// Walk the tree under $seed and check every PHP, text, JS and .htaccess file.
function find_files($seed) {
    if (!is_dir($seed)) return false;
    $dirs = array($seed);
    while (NULL !== ($dir = array_pop($dirs)))
    {
        if ($dh = opendir($dir))
        {
            while (false !== ($file = readdir($dh)))
            {
                // Skip '.', '..' and the file named 64.php.
                if ($file == '.' || $file == '..' || $file == '64.php') continue;
                $path = $dir . '/' . $file;
                if (is_dir($path)) { $dirs[] = $path; }
                else { if (preg_match('/^.*\.(php[\d]?|txt|js|htaccess)$/i', $path)) { check_files($path); }}
            }
            closedir($dh);
        }
    }
}

// Report a file that contains any signature string; delete it when its
// path also contains one of the listed file names.
function check_files($this_file)
{
    //$str_to_find[]='base64_decode';
    $str_to_find[]='counter.php';
    //$str_to_find[]='preg_replace';
    //$str_to_find[]='HTTP_REFERER';
    //$str_to_find[]='HTTP_USER_AGENT';
    $str_to_find[]='eval(gzinflate(';
    $str_to_find[]='if (!isset($sRetry))';
    $str_to_find[]='if (99shell))';
    $str_to_find[]='if (.ru))';
    $str_to_find[]='if (r57))';
    $str_to_find[]='if (r99))';
    $str_to_find[]='proxgator.com';
    $str_to_find[]='linkjsname';
    $str_to_find[]='zhead';
    //$str_to_find[]='unescape(';
    $str_to_find[]='r00t';
    $str_to_find[]='ftpcracker';
    $str_to_find[]='priv9';
    $str_to_find[]='sn22.php';
    $str_to_find[]='ssi.php';
    $str_to_find[]='dayi';
    $str_to_find[]='cgi.r1z';
    $str_to_find[]='config.r1z';
    $str_to_find[]='issw';
    $str_to_find[]='perlbypass.php';
    $str_to_find[]='python.izo ';

    // File names that are deleted once a signature has matched.
    $names_to_delete = array('default.php', 'c99.php', 'wport.php', 'g_process.php',
                             'xdesk.php', 'a_seed.php', 'gdeck.php', 'pzreset.php');

    // Escape the path before printing it: file names on a compromised site are untrusted.
    $shown = htmlspecialchars($this_file);

    // Compare with false explicitly so that an empty file is not reported as unreadable.
    $content = file_get_contents($this_file);
    if ($content === false)
    { echo("<p>Could not check $shown You should check the contents manually!</p>\n"); }
    else
    {
        // each() and ereg() no longer exist in current PHP; foreach and strpos() replace them.
        foreach ($str_to_find as $value)
        {
            if (stripos($content, $value) !== false)
            {
                echo("<p><b><font color='red'>$shown -> contains $value</font></b></p>\n");
                foreach ($names_to_delete as $name)
                {
                    // file_exists() avoids a second unlink() on a file already removed.
                    if (strpos($this_file, $name) !== false && file_exists($this_file))
                    {
                        unlink($this_file);
                        echo "Eliminado: ". $shown . "<br>";
                    }
                }
            }
        }
    }
    unset($content);
}?>
</body></html>
-
09-01-2014, 11:22 AM #2 Web Hosting Master
Join Date: Jun 2002
Posts: 1,682
So what do you need now?
-
09-02-2014, 02:41 AM #3 Web Hosting Master
Join Date: Oct 2007
Posts: 2,349
Hi,
Is this what you suggest? Is this HTML page good enough to find the infection?
www.24x7servermanagement.com
Server Management, Server Security, Server Monitoring.
India's Leading Managed Service Provider !! Skype: techs24x7
-
09-02-2014, 09:14 AM #4 Disabled
Join Date: Aug 2007
Posts: 165
Download your site contents to your PC and scan for viruses. Thus, the malicious code will be deleted from your scripts. If your hosting provider is using maldet virus scanner, please ask the server administrator to scan your site for malicious code.
-
09-02-2014, 08:50 PM #5 Junior Guru Wannabe
Join Date: Aug 2014
Posts: 69
That is an exploit for sure. You'll want to immediately launch an investigation into this WordPress install and try to determine how it was exploited. Typically your hosting provider can go through the logs to see what the initial exploit request was based on the time stamps of the abusive files. They should be able to pinpoint this issue down to an out-of-date theme, plugin, or other WordPress file.
As WordPress is widely used, sadly it is a prime target for exploits, specifically by bots. Make sure to always keep your WordPress install, including the main version, themes, and plugins, updated.
As gasyoun said, most web hosting providers will run a scanner such as ClamAV, maldet, AVG, etc. to help pinpoint the abusive files. Otherwise, any administrator should be able to check the most recently modified files to help pinpoint issues too. Good luck!
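The two checks suggested in post #5 (listing recently modified files, then matching a flagged file's timestamp against the access log), as an added example that is not part of the original thread. It assumes an Apache/nginx combined-format access log; the log lines, IP addresses and plugin path are constructed.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Combined log format: ip - user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

def recently_modified(root, since):
    """Return (path, mtime) for files under root modified at or after `since`, newest first."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            # lstat: do not follow symlinks out of the web root
            mtime = datetime.fromtimestamp(os.lstat(path).st_mtime, tz=timezone.utc)
            if mtime >= since:
                found.append((path, mtime))
    return sorted(found, key=lambda item: item[1], reverse=True)

def requests_near(log_lines, when, window_seconds=5):
    """Return parsed log entries within window_seconds of `when`, POSTs first."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, stamp, method, path, status = m.groups()
        seen = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if abs(seen - when) <= window:
            hits.append({"ip": ip, "time": seen, "method": method,
                         "path": path, "status": int(status)})
    return sorted(hits, key=lambda e: (e["method"] != "POST", e["time"]))

# Constructed sample log (documentation-range IPs, hypothetical plugin path).
SAMPLE_LOG = [
    '198.51.100.7 - - [31/Aug/2014:22:14:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [31/Aug/2014:22:15:41 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.9 - - [31/Aug/2014:22:15:43 +0000] "GET /wp-content/uploads/default.php HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.7 - - [31/Aug/2014:23:02:10 +0000] "GET /about/ HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Constructed mtime of a flagged file; in practice take it from recently_modified().
    flagged = datetime(2014, 8, 31, 22, 15, 42, tzinfo=timezone.utc)
    for entry in requests_near(SAMPLE_LOG, flagged):
        print(entry["time"], entry["ip"], entry["method"], entry["path"], entry["status"])
```

A file's modification time can be changed after the fact, so treat a match as a lead and confirm it against the change time (`st_ctime`) or a known-good backup.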
-
09-03-2014, 08:45 AM #6 Junior Guru
Join Date: Oct 2004
Location: Celebration, Florida
Posts: 209
That is an exploit for sure.
▒ Richard C. Hay - Celebration, Florida
▒ Web Application Development, Graphic Design & Organization Management Services