My hosting account has been compromised by a persistent backdoor shell that rewrites .htaccess - how do you stop it from coming back?



  • Hello. The problem is that my hosting account has been compromised by a backdoor shell which rewrote all the .htaccess files on the sites, and now mobile devices are constantly redirected to external sites. Rewriting the files with permissions 644 unfortunately does nothing: within 30 minutes the files are rewritten again. Unfortunately I don't know exactly when it happened; it was over the weekend. Maybe someone has dealt with this kind of parasite and knows what to do?

    Given how simple the injected code is, I came to the decision to connect over SSH and run a replacement:

    find ./ -type f -exec sed -i 's/eval(base64_decode(\"DQplcn[^;]*;//g' {} \;
    

    Do you think it will be effective and won't harm the site?

    Supplement 1: During the experiments a peculiarity was found: on sites running the WordPress engine (not the latest version), where the same theme and similar templates are used (e.g. online stores), only the main page loads, and navigating to any other page gives a 404 error, in one case even within its own user account. AI-Bolit reports problems in the plugins that are standard for this theme: Envato WordPress Toolkit and safeguard pro. On one site they were removed, but it hasn't produced results yet.

    Supplement 2: Found it and removed it with the help of https://www.revisium.com/ai/ , @xaja and @Mike. The question now is how to protect ourselves in the future and close the hole. The sites run WordPress, updated to the latest version; will anti-virus plugins help, or will they not catch the shells?



  • In principle you did find the right thing to search for: a large percentage of hacker backdoors use this method of encryption and launch. But a large percentage is not 100%.

    It could be a simple line: if(isset($_GET['A'])) eval($_GET['A']); That line is just a convenient way for a hacker to get in and execute arbitrary code.

    Given that .htaccess is being changed specifically for mobile phones, it is probably an automated worm that pushes viruses to mobile devices. And since the files change often, one of your files is infected.

    You can put a full copy of the site on your own machine and just search for the word eval, but some CMSs use it themselves. Besides, the encrypted code is often launched via preg_replace.

    In 90 percent of cases the worm code is obfuscated and/or encrypted. It's hard to read by eye, so you can just go through the php files trying to find those pieces.

    You can try going by the file modification date; really good hackers restore it after writing, but I'm sure this one doesn't bother much with that.

    But none of the above guarantees that you will find all the hacker's implants and clean them up. And even more so, there's no guarantee that you won't be infected again, since it already happened once. It's good if you have some standard engine with no changes to the php files: then you just need to make an archive of the current site and a database backup, then re-upload the engine and copy over the files from the current site, checking that there's no eval or preg_replace in them.

    But even that gives no guarantees: since you were hacked, there is a vulnerability in your website and the worm will find it again. You can just search the Internet for your engine version and plugins, googling them together with the word exploit. See, for example, https://www.exploit-db.com/

    The safest thing is to keep the database from the current site, search the dump for the word 'eval' (some engines can be compromised through database contents), and install the latest engine version and the necessary plugins on the site while checking online information about their security. Then load the previous database into the new version.

    And there's a chance you were broken into via your neighbours on the hosting (though for automated worms it's very low). Whether the hoster has security problems can be determined with some experience by trying to access other sites' directories.
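    A read-only scan along the lines this answer describes (search for eval/base64_decode, preg_replace and the eval($_GET[...]) one-liner, plus .htaccess rules that redirect mobile user agents to an external URL), as an added example that is not code from either poster; the indicator names and the sample site tree are constructed, and unlike the sed command in the question it only reports, it never modifies files.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the thread: eval(base64_decode(...)), preg_replace with the
# /e modifier, and the eval($_GET['A']) style backdoor line.
PHP_PATTERNS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"].+?/[imsxu]*e[imsxu]*['\"]"),
    "eval_request": re.compile(r"eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
}
# .htaccess: a RewriteCond on the User-Agent naming mobile devices followed by a
# RewriteRule to an absolute external URL, i.e. the mobile redirect the question describes.
HTACCESS_UA = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}.*(android|iphone|ipad|mobile)", re.I)
HTACCESS_EXT = re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)

def scan_text(name, text):
    """Return the indicator names that fire on one file's contents (empty list = clean)."""
    hits = []
    if name == ".htaccess":
        if HTACCESS_UA.search(text) and HTACCESS_EXT.search(text):
            hits.append("htaccess_mobile_redirect")
    elif name.endswith(".php"):
        hits.extend(k for k, p in PHP_PATTERNS.items() if p.search(text))
    return hits

def scan_tree(root):
    """Walk a site copy read-only; return {relative posix path: [indicators]} for files that hit."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        hits = scan_text(path.name, path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Constructed sample site (not real malware): one clean file and three infected ones."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "wp-content").mkdir()
    (root / "wp-content" / "x.php").write_text(  # DQplcn prefix taken from the question's sed pattern
        "<?php if(isset($_GET['A'])) eval($_GET['A']); eval(base64_decode('DQplcn...')); ?>")
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "f.php").write_text("<?php preg_replace('/.*/e', $_POST['c'], ''); ?>")
    (root / ".htaccess").write_text("RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]\n"
                                    "RewriteRule ^ http://redirect-target.invalid/ [R,L]\n")
    return scan_tree(root)

if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        print(rel, hits)
```

    Because CMSs and plugins legitimately use eval and preg_replace, every hit is a file to inspect by hand (and to compare against a clean copy of the engine), not a file to delete.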



