I have an old little site running Joomla 1.5 + VirtueMart 1.1.x. Upgrading to 3.0 is a lot of hassle, but apparently I will have to; maybe after that it will get infected less often. Today I found new files in the root directory. PHP runs as nobody, so to find all the new files recursively I use this command (over SSH):
find . -user nobody -iname "*.php"
The resulting list of new files is fairly long; most of them send e-mail spam.
Probably the simplest way to temporarily stop a PHP script from creating new files and modifying existing ones:
cd ~
chmod -R g-w www
Now PHP cannot write anything. However, before adding new products with images you need to do the following:
cd www
chmod g+w components/com_virtuemart/shop_image/product
chmod g+w components/com_virtuemart/shop_image/product/resized
Look for scripts on the infected site that were modified in the last 120 days:
find . -user beauty -name "*.php" -mtime -120
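
A check to run after the lock-down above, as an added example that is not part of the original post: it lists directories that are still group-writable apart from the two VirtueMart image directories, and PHP files sitting inside image upload trees. The function names, the constructed sample tree and the assumption that image directories should hold no PHP are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the webroot after the chmod lock-down described above.
# Only these directories may stay group-writable (the two named in the post).
ALLOWED="components/com_virtuemart/shop_image/product
components/com_virtuemart/shop_image/product/resized"

# List directories under webroot $1 that the group can still write to
# and that are not on the allow-list.
writable_dirs() {
    ( cd "$1" && find . -type d -perm -020 | sed 's|^\./||' ) |
    while IFS= read -r d; do
        printf '%s\n' "$ALLOWED" | grep -Fxq -- "$d" || printf '%s\n' "$d"
    done
}

# List PHP files inside the image upload trees of webroot $1.
# Assumption: these trees are meant to hold images only.
php_in_uploads() {
    ( cd "$1" || exit 1
      for t in images components/com_virtuemart/shop_image; do
          if [ -d "$t" ]; then find "$t" -type f -iname '*.php'; fi
      done )
}

# Build a small constructed webroot in directory $1 for a dry run.
make_sample() {
    mkdir -p "$1/images/stories" "$1/libraries" \
             "$1/components/com_virtuemart/shop_image/product/resized"
    chmod -R g-w "$1"
    chmod g+w "$1/components/com_virtuemart/shop_image/product" \
              "$1/components/com_virtuemart/shop_image/product/resized" \
              "$1/images/stories"                # left writable by mistake
    : > "$1/images/stories/sample_dropped.php"   # constructed file name
    : > "$1/images/stories/photo.jpg"
    : > "$1/libraries/loader.php"                # PHP outside the upload trees
}

# Usage: sh audit.sh /path/to/www
if [ -n "${1:-}" ]; then
    echo "Group-writable directories outside the allow-list:"; writable_dirs "$1"
    echo "PHP files inside image directories:"; php_in_uploads "$1"
fi
```

Both lists should be empty on a clean, locked-down site; anything printed is a directory to tighten or a file to inspect.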