Created
April 11, 2012 14:03
Тетя ася
<?php | |
/** | |
* @name Aunt Asya has arrived =) | |
* @author M1zh0rY | |
* @category js clear script | |
* Infected Script: | |
* JS/Agent.* (all, ESET) | |
* JS/Kryptik.LP (ESET) | |
* Trojan:JS/BlacoleRef.BC (MCE) | |
* @license GNU | |
* @version 2.1 | |
* @tutorial This script cleans JS files infected by the scripts listed above
* @date 10082012 0106 | |
* @update signature 06072012 2043 | |
* | |
* 8 | |
* +1 | |
* Rt | |
* ,&& | |
* ] M&& | |
* Q :K$QL | |
* )g #T### | |
* 4&Q MKW#M w | |
* |KE&1 i0&3ZE, _qO | |
* MM@&A, G&HW4$$ ,p#g | |
* 7!?�_ &&&%0B' _J7kZ' | |
* 'H0&&&4, &#mFQA! ,r%BrA9 | |
* #k&*#N0g &Z&F&&g r##04&0 | |
* Q&dk#GNg m{E&&#F Mp#$pB# | |
* YQ&&mEWL #M0$E0N 0M8m#0Q, | |
* ]RmmK$E0 {#WN40, M#M8Q&T' | |
* Mg, "g8DTm@&_ *GORMD`j&Qg@0M6 | |
* \NN#pw_ ]K04jMMV ^Gb5hNpKN60Mm/ | |
* ~DKKZG#0\, 08@0M@T,@M1@8Vx@M00 | |
* `!Q&E%0ZNwn,&0xm&&,Fd@@p3$WWQ ___a_u,,_ __ | |
* !&FN&QMEREW&#mLBI&GMWME&~# ,$MRb^#&&EZ8BF"~ | |
* "&OB0ng$GmEQ&T&&g0#h4&f,v0&D0EEZ%mGxqN~ | |
* "4rj#8WK&&0&&#MM&H0MK0EWBQSDL&xB~ | |
* ~"&x0&#By:#St0ne#db#TpF#W#^` | |
* +4&MMMhS$#M)QD0hgQK#^P | |
* yzaT&MMB00g8#EqmGVK7B@$ML_ | |
* /2ZRSM10g#&~#0&E0$@R0NZ&Efp#4w_ | |
* +E&CWw87!^ ,Mm&WPj0 0m@0#jMDhhR0Zy | |
* *' /#420! "M, +Q8G,"~"08KqUQ, | |
* N@"` g `V4 `~~# | |
* ]' & 4 | |
* ! | |
* ]l | |
* * | |
* | |
* | |
* | |
* | |
*/ | |
// When true, the matched files and their signatures are printed before any file is rewritten.
define('DEBUG', true);
/**
 * Shared state of the cleaner: the .js files found, the signatures searched
 * for, and the files in which one of those signatures was found.
 *
 * Signatures are plain substrings compared with strpos(). In these
 * double-quoted PHP literals "\\x68" is the four characters \x68, i.e. the
 * escape sequence as it is written in JavaScript source, not the byte it
 * decodes to.
 *
 * NOTE(review): many entries are a single hex escape ("\\x68", "\\x61", ...).
 * Any script that contains such an escape matches, so legitimate or minified
 * files can be reported as infected; check the DEBUG listing before trusting
 * a cleanup. Several entries are listed more than once.
 */
class __auntAsya
{
    /** Paths of every *.js file collected by find_js_files(). */
    public static $js_files_list = array();

    /** Substrings that mark a file (and later a line) as infected. */
    public static $js_signature = array(
        "\\x68",
        "\\x61r",
        "\\x43o",
        "\\x64",
        "\\x65At",
        "\\x43",
        "\\x61rCod",
        "\\x86",
        "\\x61",
        "\\x65",
        "\\x66r",
        "\\x6fm",
        "\\x43h",
        "\\x72",
        "\\x6fd",
        "\\x68a",
        "\\x43o",
        "\\x41",
        "\\x74",
        "\"fr\"+\"omC\"+\"harCode\"",
        "=\"ev\"+\"al\"",
        "fr\\x6fmChar",
        "\\x43",
        "\\x6fd",
        "\\x65",
        "\\x63",
        "\\x68",
        "\\x61",
        "\\x72C",
        "\\x6f",
        "\\x64e",
        "\\x41t",
        "[((e)?\"s\":\"\")+\"p\"+\"lit\"](\"a$\"[((e)?\"su\":\"\")+\"bstr\"](1));",
        "\\x6dC",
        "\\x66r",
        "\\x68arC",
        "\\x72o",
        "\\x6dCha",
        "\\x6fde",
        "\\x6fde",
        "\\x43ode",
        "\\x72om",
        "\\x43ha",
        "\\x72Co",
        "\\x6d",
        "\\x43ode",
        "f='fr'+'om'+'Ch';f+='arC';f+='ode';",
        "f+=(h)?'ode':\"\";",
        "f='f'+'r'+'o'+'m'+'Ch'+'arC'+'ode';",
        "f='fromCh';f+='arC';f+='qgode'[\"substr\"](2);",
    );

    /** One entry per matched file, with the keys "finded_sign", "code" and "file". */
    public static $js_infected_file_list = array();
}
#function [find js infected files]: | |
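/**
 * Walk $dir recursively and append every path ending in ".js" to
 * __auntAsya::$js_files_list.
 *
 * NOTE(review): is_dir() follows symbolic links, so a linked directory is
 * descended into as well. A link loop recurses without bound, and a link that
 * points outside the starting directory widens the set of files that will be
 * rewritten later.
 *
 * @param string $dir Directory to descend into, or a single file path.
 * @return void
 */
function find_js_files($dir){
    if (!is_dir($dir)) {
        // Leaf: only the last three characters are compared, case-sensitively.
        if (substr($dir, -3) == '.js') {
            __auntAsya::$js_files_list[] = $dir;
        }
        return;
    }

    $handle = opendir($dir);
    if ($handle === false) {
        // Unreadable directory: skip it instead of handing false to readdir().
        return;
    }

    // Compare against false explicitly: an entry named "0" is falsy and would
    // otherwise end the listing early, hiding the rest of the directory.
    while (false !== ($item = readdir($handle))) {
        if ($item == '.' || $item == '..') {
            continue;
        }
        find_js_files($dir . DIRECTORY_SEPARATOR . $item);
    }
    closedir($handle);
}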
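/**
 * Scan every collected .js file for the known signatures and record the
 * files that contain one in __auntAsya::$js_infected_file_list.
 *
 * Only the first signature that matches a file is recorded; the cleanup later
 * removes lines containing that one signature only, so a file carrying
 * several injected fragments may need more than one pass.
 *
 * @return void
 */
function choice_infected_files(){
    foreach (__auntAsya::$js_files_list as $js_file) {
        $_code = file_get_contents($js_file);
        if ($_code === false) {
            // Unreadable file: it cannot be judged, so it is left untouched.
            continue;
        }
        $_code = str_replace("\r\n", "\n", $_code);

        foreach (__auntAsya::$js_signature as $sign) {
            // strpos() returns 0 for a match at the very start of the file;
            // a plain truthiness test would miss an injection placed there.
            if (strpos($_code, $sign) !== false) {
                __auntAsya::$js_infected_file_list[] = array(
                    "finded_sign" => $sign,
                    "code" => $_code,
                    "file" => $js_file
                );
                break;
            }
        }
    }
}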
#function [view infected files]: | |
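/**
 * Print, for each matched file, its path and the signature that was found.
 *
 * The report is HTML (wrapped in <pre>). File names come from a directory
 * tree that is assumed to be compromised, so both values are HTML-escaped
 * before they are written into the page.
 *
 * @return void
 */
function view_infected_js_files(){
    // ENT_SUBSTITUTE keeps names with invalid byte sequences visible instead
    // of turning them into an empty string; it is used only where it exists.
    $flags = defined('ENT_SUBSTITUTE') ? (ENT_QUOTES | ENT_SUBSTITUTE) : ENT_QUOTES;

    foreach (__auntAsya::$js_infected_file_list as $entry) {
        $html = "<pre>\n"
              . "&&&&&\n"
              . "&& File: " . htmlspecialchars($entry['file'], $flags) . "\n"
              . "&& File finded signature: " . htmlspecialchars($entry['finded_sign'], $flags) . "\n"
              . "&&&&&\n"
              . "</pre>";
        print_r($html);
    }
}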
#function [file clear]: | |
/**
 * Read a file into an array of its lines, exactly as file() returns it
 * (line endings are kept; the result is false when the file cannot be read).
 *
 * @param string $js_file Path of the file to read.
 * @return array|false
 */
function load_js_code($js_file){
    $lines = file($js_file);
    return $lines;
}
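/**
 * Drop every line that contains the signature and return the remaining lines
 * joined back into one string.
 *
 * A whole line is removed, not just the matched fragment: in a minified file,
 * where the injected code shares a line with legitimate code, that legitimate
 * code is removed with it. The backup copy is the only way back.
 *
 * @param array  $js_code       Lines of the file, line endings included.
 * @param string $infected_code Unused; kept for the existing call signature.
 * @param string $js_file       Unused; kept for the existing call signature.
 * @param string $finded_sign   Signature whose lines are to be removed.
 * @return string The file content without the matching lines.
 */
function edit_js_code($js_code, $infected_code, $js_file, $finded_sign){
    // An empty needle would match (or warn on) every line; change nothing.
    if ((string) $finded_sign === '') {
        return implode("", $js_code);
    }

    // Build a new list instead of unset()-ing inside a loop bounded by
    // count(): each removal shrank that bound, so the last lines of the file
    // were never examined and several runs were needed to clean one file.
    $kept = array();
    foreach ($js_code as $line) {
        // "=== false" also catches a signature at offset 0 of the line.
        if (strpos($line, $finded_sign) === false) {
            $kept[] = $line;
        }
    }
    return implode("", $kept);
}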
#function [save infected file without ext]: | |
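/**
 * Copy the file, before it is rewritten, into an "infected" directory next
 * to it. Despite the name, the original is copied, not renamed.
 *
 * The copy is named "_" plus the part of the file name before its first dot,
 * so it carries no ".js" extension and is not picked up as a script by a
 * later scan. Files such as a.min.js and a.ui.js therefore map to the same
 * backup name; a free name is searched for so that no earlier backup is
 * overwritten.
 *
 * NOTE(review): the backups hold the injected code and stay inside the
 * scanned tree with default directory permissions; move them out of any
 * web-served directory once they have been examined.
 *
 * @param string $js_file Path of the file about to be cleaned.
 * @return bool True when the copy was written, false otherwise.
 */
function rename_old_js_file($js_file){
    // dirname()/basename() instead of explode("/"): the scanner joins paths
    // with DIRECTORY_SEPARATOR, which is not "/" on every platform.
    $dir = dirname($js_file);
    $name_parts = explode(".", basename($js_file));
    $backup_dir = $dir . "/infected/";

    if (!is_dir($backup_dir) && !mkdir($backup_dir) && !is_dir($backup_dir)) {
        // Without the directory there can be no backup; report the failure.
        return false;
    }

    $target = $backup_dir . "_" . $name_parts[0];
    $candidate = $target;
    if (file_exists($candidate)) {
        $candidate = $target . time();
        // Two collisions within one second used to share a name and the
        // second copy replaced the first; add a counter until a name is free.
        for ($n = 1; file_exists($candidate); $n++) {
            $candidate = $target . time() . "_" . $n;
        }
    }
    return copy($js_file, $candidate);
}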
#function [save cleared new file & set mod(644)]: | |
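/**
 * Overwrite the file with the cleaned code and set its mode to 0644.
 *
 * @param string $js_file Path of the file to overwrite.
 * @param string $js_code Cleaned content to write.
 * @return bool True when the content was written, false when the file could
 *              not be opened or written.
 */
function save_new_js_file($js_file, $js_code){
    if (!is_dir(dirname($js_file))) {
        return false;
    }

    $res = fopen($js_file, "w");
    if ($res === false) {
        // Not writable: stop here instead of passing false to fwrite().
        return false;
    }

    $written = fwrite($res, (string) $js_code);
    fclose($res);
    // 0644: owner read/write, everyone else read-only.
    chmod($js_file, 0644);

    return $written !== false;
}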
#------------------------------------------------------------------------------------------------------------ | |
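#------------------------------------------------------------------------------------------------------------
# NOTE(review): the run starts as soon as this file is executed and nothing
# here authenticates the caller. If the file sits in a web-served directory,
# any request to it triggers a scan and rewrite; run it once and remove it.
# Scan the directory this script lives in, then select the matching files.
find_js_files(dirname(__FILE__).DIRECTORY_SEPARATOR);
choice_infected_files();
#------------------------------------------------------------------------------------------------------------
if (DEBUG) view_infected_js_files();
#------------------------------------------------------------------------------------------------------------
$esc_flags = defined('ENT_SUBSTITUTE') ? (ENT_QUOTES | ENT_SUBSTITUTE) : ENT_QUOTES;
foreach (__auntAsya::$js_infected_file_list as $infected) {
    $js_code = load_js_code($infected['file']);
    if ($js_code === false) {
        // Nothing was read, so there is nothing safe to write back.
        print_r("<pre>!!!!!!!!!!!!!!!!!!!!!!!!!!!\n\r!!! ERROR! Error read file: ".htmlspecialchars($infected['file'], $esc_flags)."\n\r!!!!!!!!!!!!!!!!!!!!!!!!!!!</pre>");
        continue;
    }
    $cleared_js_code = edit_js_code($js_code, $infected['code'], $infected['file'], $infected['finded_sign']);
    $renamed = rename_old_js_file($infected['file']);
    if (!$renamed) {
        print_r("<pre>!!!!!!!!!!!!!!!!!!!!!!!!!!!\n\r!!! ERROR! Error rename file: ".htmlspecialchars($infected['file'], $esc_flags)."\n\r!!!!!!!!!!!!!!!!!!!!!!!!!!!</pre>");
        // No backup was written: overwriting now would destroy the only copy
        // of the original (and of the evidence), so leave this file as it is.
        continue;
    }
    save_new_js_file($infected['file'], $cleared_js_code);
}
#------------------------------------------------------------------------------------------------------------
# print_r() returns true when it prints, and exit(true) ends the process with
# status 1; print first, then exit with an explicit success status.
print_r("script finished the work");
exit(0);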
#EOF | |
?> |
Супер. Очень-очень кстати пришлось. Не знаю, что бы я делал без Тёти Аси ;-)
M1zh0rY, опишите пожалуйста формат массива сигнатур ( $js_signature ).
Пришлось только запускать скрипт аж 6 раз. Ну ничего страшного :)
А как пользоваться то?