Malicious JavaScript scripts. How to search for malicious code without antiviruses and scanners. The most frequent problems

Malicious code hits the site by negligence or malicious intent. Destinations of malicious code are different, but, in fact, it harms or interferes with the normal operation of the site. To remove malicious code On WordPress you need to first find it.

What is malicious code on WordPress website

By appearanceMost often, malicious code is a set of letters and symbols of the Latin alphabet. In fact, this is an encrypted code that is executed, a particular action. Actions can be the most different, such as your new posts, are immediately published on a third-party resource. In fact, it is theft of your content. Codes and other "tasks", for example, placement of outgoing links on the site pages. The tasks may be the most sophisticated, but one thing is clear that the malicious codes need to be hunted and deleted.

How do malicious codes come to the site

Lazakes to hit the codes to the site, also set.

Most often, these are topics and plugins downloaded from the "left" resources. Although, such penetration is characteristic of the so-called encrypted links. Explicit code does not fall into the site.
Penetration of the virus when hacking the site, the most dangerous. As a rule, the site hacking allows you to place not only a "disposable code", but set the code with Malware elements (malware). For example, you find the code, and removes it, and it is restored, after a while. Options, again many.

Immediately notice, the fight against such viruses is difficult, and manual removal requires knowledge. There are three solutions to the problem: first decision - Use Antelorisian plugins, for example, plug-in called Bulletproof Security.

Such a solution gives good results, but takes time, although small. There is a more radical solution, getting rid of malicious codes, including complex viruses, it is to restore the site from pre-made backups of the site.

Since, a good webmaster makes periodically, then roll back to a not infected version will work out without any problems. Third decision For the rich and lazy, just contact the specialized "office" or a specialist of an individual.

How to search for malicious code on WordPress

It is important to understand that malicious code on WordPress can be in any site file, and not necessarily in the working topic. He can be laid with a plugin, with the topic, with the "self-made" code of the brought from the Internet. Try to find malicious code in several ways.

Method 1. Manually. List all the site files and compare them with the files of the unreleased backup. Find someone else's code - delete.

Method 2. With WordPress security plugins. For example, . This plugin has a wonderful function, scanning the site files for someone else's code and plugin perfectly copes with this task.

Method 3. If you have a reasonable support hosting, and it seems to you that on the site "Alien", ask them to scan your site with your antivirus. All infected files will be indicated in their report. Next, open these files in text editor And remove a malicious code.

Method 4. If you can work with SSH access to the site catalog, then forward, there is your kitchen.

Important! No matter how much you searched for malicious code, before searching and submitting code deletion, close access to the site files (turn on the maintenance mode). Remember about the codes that themselves are restored when they are removed.

Search for malicious codes by Eval function

There is such a php eval function. It allows you to execute any code in its row. Moreover, the code can be encoded. It is because of the encoding a malicious code looks like a set of letters and symbols. Two encodings are popular:

BASE64;
Rot13.

Accordingly, in these encodings, the Eval function looks like this:

eval (Base64_Decode (...))
eVAL (STR_ROT13 (...)) // in internal quotes, long not clear sets of letters and symbols ..

Algorithm for finding a malicious code according to the EVAL function Next (we work from the administrative panel):

go to the site editor (appearance → editor).
copy Functions.php file.
open it in a text editor (for example, NotePad ++) and search for word: eval..
if found, do not rush to remove anything. It must be understood that this function "asks" to execute. To understand this code needs to be decomposed. For decoding is online tools, called decoders.

Decoders / Coders

Work decoders simply. Copy the code to be decrypted, insert into the decoder field and decoder.

At the time of this writing, I did not find any encrypted code found in WordPress. I found the code from the Joomla site. In principle, there is no difference for understanding the decoding. We watch photos.

As you can see in the photo, the EVAL function after decoding, it brought not a terrible code that threatens the safety of the site, and copyright encrypted link, author template. It can also be deleted, but it will return after updating the template, if you do not use.

At the end, I note not to get a virus to the site:

Malicious code on WordPress more often comes with themes and plugins. Therefore, do not put templates and plugins from the "left", not proven resources, and if you put, carefully pump them, for the presence of references and executive functions of PHP. After installing plugins and those with "illegal" resources, check the site by antivirus.
Be sure to do periodic backups and perform others.

Malicious JavaScript.

My opinion, consisting in the fact that from the implemented malicious browser scripts (stored XSS attacks) is easier and efficiently protected by means of browsers, it was stated earlier :. Browser protection against JavaScript-A, consisting of the addition of the filter code to HTML pages, it is necessary to assume, it is reliable, however, the presence of such protection does not cancel the need to use another server filter. With regard to the same XSS attacks on the server, an additional defense line can be organized. It is necessary to remember about the possibility of introducing an attacker to an HTML message sent from the site, not browser, but server scripts (PHP), in which the browser will not be strong.

An attacker script, even a browser, at least a server is a program, it is necessary to think that the program will always have some symbolic differences from "pure" HTML. Let's try to find such differences and use them to build an HTML filter on the server. Below are examples of malicious JavaScript.

XSS:

Some text

Encrypted XSS:

Some text

Browsers restore text from symbolic primitives not only inside HTML containers (between the opening and closing tag), but also inside the tags themselves (between< и >). URL encoding is allowed in HTTP addresses. The specified complicates the recognition of a malicious code on the server side, since the same symbolic sequence can be represented in different ways.

Xss-worms:

"+ innerhtml.slice (Action \u003d (Method \u003d" POST ") +". PHP ", 155)))"\u003e

"] .join (" "); WITH (" POST "," POST.PHP "), SEND (C); Alert (" xss ")"\u003e</p> <br><p><form><input name="content"><iframe onload="i=parentNode;i.action=(i.method="post")+".php"; i.value="\u003cForm\u003e (! lang:"+i.innerHTML;i.submit(alert("XSS"))">!}</p> <br><p><b><iframe onload="with(new XMLHttpRequest)open("POST","post.php"), setRequestHeader("content-type","application/x-www-form-urlencoded"),send("content= "+parentNode.innerHTML.bold(alert("XSS")))"></b></p> <br><p><script id=_> alert("xss");with(new XMLHttpRequest)open("POST","post.php"),send("content="+_.outerHTML) </script></p> <p>The above XSS worms is just a few of the many sent to Robert Hansen held in January 2008 (Aka Rsnake) on the minimum (the shortest) malware javascript-worm (the results of the contest).</p> <h3><b>Signs of XSS attacks</b></h3> <p>The XSS script is a program referring to DOM objects (Document Object Model) and their methods. It can hardly be any malicious. For example, JavaScript string <br><b>oNCKICK \u003d "VAR A \u003d" XSS ""</b> <br> Does not affect the object model of the document, therefore, even being implemented in the HTML tag, such a string is harmless. Only manipulating the objects of the HTML document and their methods, the hacker is able to cause noticeable harm to the site. For example, string <br><b>onmousemove \u003d "Document.getelementsBytagname (" Body "). Innerhtml \u003d" xss ""</b> <br> Already replaces the contents of the page.</p> <p>A sign of access to DOM methods is round brackets, also points facing the left of the equality sign. Round brackets can be used in HTML - to specify a color in format <b>rGB ()</b>However, the color of the font and background in HTML is set at least three more ways. Therefore, round brackets can be sacrificed without prejudice to the expressiveness of HTML text. It is necessary to take the rule that brackets inside the tag (that is, between< и >) - It is very dangerous if we received a message from the user, in this message brackets are detected inside tags, the most appropriate thing we must do is block such a message.</p> <p>The point may be contained in HTML tags: when specifying the address of the link (tag <b><A> </b>); When specifying the size of HTML elements ( <b>style \u003d "Height: 1.5in; width: 2.5in;"</b>). But symbolic sequences of the form <br><b>point letter is equal</b> <br> In HTML tags can not be. If there is a specified sequence within the HTML tag, a message from the user is likely to contain a script and must be blocked.</p> <p>Another obvious sign of danger is a symbol " <b>+ </b>"Inside the tag. There is no such thing in the HTML vapor. When the advantages are detected within the tags, the message is ruthlessly blocking.</p> <p>To encrypt symbolic primitives inside HTML tags, a kind-money user who adds a comment through <a href="https://neonkaraoke.ru/en/internet/vizualnyi-redaktor-veb-stranic-redaktor-css-topstyle-vizualnyi/">visual editor</a>, never resorts. No benefits in the form of additional expressive means, the use of symbol primitives in tags does not give, only requires additional costs for writing. In most cases, it is necessary to think, a kind-grounded user does not even know that there are some symbolic primitives in HTML. Hence the rule: ampersand inside the tag - proof of attack on the site. Accordingly, if we see this, then block the message.</p> <p>A similar rule should be taken on the symbol " <b>% </b>", which can be applied to URL coding. However, interest are used in" clean "HTML - to set the relative size of the elements. Dangerous are combinations in which the sign" <b>% </b>"Directly follow the letter or digit.</p> <h3><b>Disposal of server scripts</b></h3> <p>Unlike JavaScript interpreters in browsers, the PHP interpreter on the server does not allow liberties when writing the text of the program. Therefore, to neutralize a possible server script, it suffices to make through the replacement in the HTML message of the user of all characters substantial when writing a PHP program, their HTML primitives. The replacement is subject to, first of all, the signs of the dollar and underscore, the point, round, square and curly brackets, signs plus and minus, sign inverse slash.</p> <h3><b>PHP filter for HTML messages</b></h3> <p>$ Message is the HTML message received from the visual editor.</p> <p>// remember the length of the message</span> $ lementage \u003d strlen ($ message); <span>// Cut the comment tag</span> $ message \u003d preg_replace ("// "," ", $ message); <span>// Cut out each tag in which the "SRC" attribute refers to the external resource</span> $ message \u003d preg_replace ("/<[^>] +? src [\\ w \\ w] + \\ / \\ / [^\u003e] +?\u003e / i "," ", $ message); <span>// Cut out each tag in which there is any character except: - A-Z 0-9 /. :; "\u003d% # space</span> $ message \u003d preg_replace ("/<[^>] + [^ -\u003e a - z0-9 \\ / \\. \\: \\; \\ "\\ \u003d \\% \\ # \\ s] + [^\u003e] +?\u003e / I", "", $ message); <span>// Cut out each tag in which there is a sequence. "A-Z \u003d"</span> $ message \u003d preg_replace ("/<[^>] +? \\. +? \\ \u003d [^\u003e] +?\u003e / I "," ", $ message); <span>// Cut out each tag in which there is a sequence "% A-Z" or "% 0-9"</span> $ message \u003d preg_replace ("/<[^>] +? \\% +? [^\u003e] +?\u003e / i "," ", $ message); <span>// Cut each tag in which there is a sequence "script" or "js:"</span> $ message \u003d preg_replace ("/<[^>] *? script [^\u003e] *?\u003e / i "," ", $ message); $ message \u003d preg_replace (" /<[^>] *? js: [^\u003e] *?\u003e / i "," ", $ message); <span>// Cut each tag that begins on the character besides "A-Z" or "/"</span> $ message \u003d preg_replace ("/<[^a-z\/]{1}[^>] *?\u003e / I "," ", $ message); <span>// Check: If the message is shortened, then we complete the program</span> $ lementage2 \u003d strlen ($ message); if ($ lementage! \u003d $ lementage2) (Print "message cannot be added"; exit;) <span>// Make through the replacement of dangerous characters with the corresponding primitives</span> $ Message \u003d STR_REPLACE ("$", "$", $ message); $ Message \u003d STR_REPLACE ("_", "_", $ message); $ message \u003d STR_REPLACE (".", ".", $ Message); $ Message \u003d STR_REPLACE (CHR (92), "\\", $ message); // \\ $ Message \u003d STR_REPLACE ("(", "(", $ message); $ message \u003d str_replace (")", ")", $ message); $ Message \u003d STR_REPLACE ("[", "[", $ Message); $ message \u003d STR_REPLACE ("]", "]", $ message); $ Message \u003d STR_REPLACE ("(", "(", $ message); $ message \u003d str_replace (")", ")", $ Message); $ message \u003d STR_REPLACE ("?", "?", $ message); <span>// Now the message is verified, the scripts in it are neutralized</p> <p>It should be noted that the filter does not remove pair tags. Suppose we got <br><b><DIV onclick="alert("XSS")">CLICK HERE!</DIV> </b> <br> The filter will cut only <b><DIV onclick="alert("XSS")"> </b>but paired (closing) tag <b></DIV> </b> will remain. If you give messages in which there are tags without the corresponding pairs, a browser is possible in the form of a "skew" of the site. It is not known how to some opening tag browser compare the remaining closing tag that remains without a pair. Therefore, as well as for security considerations, the messages in which something is cut out with a filter is not worth given to the browser. It is better to output something like "Message cannot be added" and completing the program.</p> <p>It is assumed that the message will be recorded in the file (not in the database).</p> <h3><b>Discussion</b></h3> <p>I would be grateful for criticism. Write to the Support Forum, in the section</p> <p>1. Unpack in the site folder. <br> 2. Skip the link Your_Site / FSCure / <br> 3. All</p> <h2>What can?</h2> <p>1. <a href="https://neonkaraoke.ru/en/news/licenzii-dlya-eset-nod-32-avtomaticheskii-poisk-i-obnovlenie/">Automatic search</a> Viruses by signatures. <br> 2. Search string in files <br> 3. Delete files <br> 4. Malic Code Patch with regular expressions</p> <p>The script will not make all the work for you and requires some minimal knowledge. Before work, it is recommended to make a backup site.</p> <h2>How does it work?</h2> <p>When you first start, the file index is. File FSCURE.LST in folder. Displays a list of files containing <b>potentially malicious signatures</b>. "Potentially malicious" it means that it is necessary to solve the virus or not the virus. The list of signatures is configured in the config.php file, the SCAN_SIGN constant. When default settings, the script does not check the JS files and does not contain signatures for them. <br></p> <h2>The most frequent problems</h2> <p>1. Does not create the fscure.lst index. It may happen if not enough rights. Put 777 to FSCURE folder</p> <p>2. 5xx error. Most often "504 Gateway Time-Out". The script does not have time to work out and crashes along Taimaut. In this case, there are several ways to speed up its work. The speed primarily depends on the size of the index. It is in the FSCure.lst file. Usually the file up to 5MB in 90% of cases has time to process. If you do not have time, you can reduce the "greed" of the script forbing scanning * .jpg; *. PNG; *. CSS in the config. <br> In the config.php file.</p> <p>// delimiter; Define ("Files_exClude", "*. js; *. jpg; *. PNG; *. CSS");</p> <p>3. Hosting issues a prevention of the type <br> (Hex) base64.inject.unclassed.6: u56565656: /var/www/u65656565/data/www/34535335353.ru/fscure/index.php</p> <p>There is no virus in the script and there was no. A (Hex) base64.inject.unclassed.6 This design of the form "Echo Base64_Decode (", which is often found and by itself quite harmless. Nevertheless, in <a href="https://neonkaraoke.ru/en/mts-bank/kak-obnovit-gugl-hrom-do-poslednei-versii-obzor-rasshirenii-i/">latest version</a>I replaced this code.</p> <h2>What to do if you can't find a virus yourself?</h2> <p>You can contact me for help. Rates I have modest. I give a guarantee of 6 months. Cost of 800 p. For 1 site. If the account has several sites the price is determined individually.</p> <p>If you have done everything yourself, I will be grateful for the material reward or link to my site.</p> <p><b>My requisites:</b><br> yandex <br> 41001151597934</p> <p>webMoney. <br> Z959263622242. <br> R356304765617. <br> E172301357329.</p> <p>The truth of life is such that the site can be hacked sooner or later. After successfully operating the vulnerability, the hacker is trying to gain a foothold on the site, placing hacker web shells in the system directors, downloaders and embarking backdors into script code and CMS database.</p> <p>Scanners help to detect downloaded web shells, backdoors, phishing pages, spam crashing and other types <a href="https://neonkaraoke.ru/en/mts-bank/vredonosnye-skripty-kak-iskat-vredonosnyi-kod-bez-antivirusov-i/">malicious scripts</a> - All that they know and pre-added in the database of malicious code signatures. Some scanners, such as Ai-Bolit, have a set of heuristic rules that allow you to detect suspicious code files, which is often used in malicious scripts, or suspicious attribute files that can be loaded with hackers. But, unfortunately, even in the case of using multiple scanners on hosting, there are situations where some hacker scripts remain not discovered, which actually means that the attacker remains a "black move" and he can hack the site and get full control over it moment.</p> <p>Modern malicious and hacker scripts differ significantly from those that were 4-5 years ago. Now the developers of a malicious code combine obfuscation, encryption, decomposition, external loading of a malicious code and use other tricks in order to deceive antivirus software. Therefore, the probability of missing new "maliciousness" is significantly higher than before.</p> <p>What can be done in this case to more effectively detect viruses on the site and hacker scripts on hosting? It is necessary to use an integrated approach: initial automated scanning and further manual analysis. In this article, we will talk about the options for detecting a malicious code without scanners.</p> <p>First, consider what you should look for when hacking.</p> <ol><li><b>Hacker scripts.</b><br> Most often, when hacking uploaded files that are web shells, backdors, "downloaders" (uploaders), scripts for spam mailings, phishing pages + form handlers, roads and hacking files (pictures from a hacker group, <a href="https://neonkaraoke.ru/en/rates/programma-dlya-printera-chtoby-pechatat-kak-nazyvaetsya-prilozhenie-gde-mozhno/">text files</a> With "Message" from hackers, etc.)</li> <li><b>Injects (code embeds) in existing files</b>.<br> The second most popular type of placement of malicious and hacker code is injections. In existing site files.htaccess can be introduced mobile and search redirects, in PHP / Perl scripts to inject backdors, V.js i.html templates embedding viral javascript fragments or redirects on <a href="https://neonkaraoke.ru/en/mts-bank/zasorilsya-disk-s-chto-mozhno-udalit-lokalnyi-disk-s-perepolnen/">third-party resources</a>. Injects and media files are possible, for example.jpg or. Often, malicious code consists of several components: the malicious code itself is stored in an EXIF \u200b\u200bheader of the JPG file, and is executed using a small control script, which does not look suspicious for the scanner.</li> <li><b>Injects in the database</b><b>.<br></b>The database is the third target for hacker. Static inserts are possible here.<script>, <iframe>, <embed>, <object>, которые перенаправляют посетителей на сторонние ресурсы, “шпионят” за ними или заражают компьютер/мобильное устройство посетителя в результате drive-by атаки.<br> Кроме того во многих современных CMS (IPB, vBulletin, modx и др.) шаблонизаторы позволяют исполнять php код, а сами шаблоны хранятся в базе данных, поэтому php код веб-шеллов и бэкдоров может быть встроен непосредственно в БД.</li> <li><b>Инжекты в кэширующих сервисах. </b><br> В результате некорректной или небезопасной настройки кэширующих сервисов, например, memcached, возможны инжекты в закэшированные данные “на лету”. В некоторых случаях хакер может внедрять вредоносный код на страницы сайта без непосредственного взлома последнего.</li> <li><b>Инжекты </b><b>/ </b><b>инцицированные элементы в <a href="https://neonkaraoke.ru/en/mts-bank/vosstanovlenie-povrezhdennogo-hranilishcha-sistemnyh-komponentov-windows-7/">системных компонентах</a> сервера. </b><br> Если хакер получил привелегированный (root) доступ к серверу, он может подменить элементы веб-сервера или кэширующего сервера на инфицированные. Такой веб-сервер будет с одной стороны обеспечивать контроль над сервером с помощью управляющих команд, с другой – время от времени внедрять динамические редиректы и вредоносный код на страницы сайта. Как и в случае инжекта в кэширующий сервис, администратора сайта скорее всего не сможет обнаружить факт взлома сайта, так как все файлы и база данных будут оригинальными. Этот вариант наиболее сложный для лечения.</li> </ol><p>Итак, предположим, что сканерами вы уже проверили файлы на хостинге и дамп базы данных, но они ничего не обнаружили, а вирусный <script …> по-прежнему на странице или мобильный редирект продолжает отрабатывать при открытии страниц. Как искать дальше?</p> <h2><b>Поиск вручную </b></h2> <p>В unix сложно найти более ценную пару команд для поиска файлов и фрагментов, чем find / grep.</p> <p>find . -name ‘*.ph*’ -mtime -7 </p> <p>найдет все файлы, которые были изменены за последнюю неделю. Иногда хакеры “скручивают” дату изменения у скриптов, чтобы таким образом не обнаружить новые скрипты. Тогда можно поискать файлы php/phtml, у которых менялись атрибуты</p> <p>find . -name ‘*.ph*’ -сtime -7 </p> <p>Если нужно найти изменения в каком-то временном интервале, можно воспользоваться тем же find</p> <p>find . -name ‘*.ph*’ -newermt 2015-01-25 ! -newermt 2015-01-30 -ls </p> <p>Для поиска в файлах незаменим grep. Он может искать рекурсивно по файлам указанный фрагмент</p> <p>grep -ril ‘stummann.net/steffen/google-analytics/jquery-1.6.5.min.js’ * </p> <p>При взломе сервера полезно проанализировать файлы, у которых установлен guid/suid флаг</p> <p>find / -perm -4000 -o -perm -2000 </p> <p>Чтобы определить, какие скрипты запущены в <a href="https://neonkaraoke.ru/en/news/nomer-bezgranichnoi-lyubvi-megafon-kak-podklyuchit-otklyuchit/">данный момент</a> и грузят CPU хостинга, можно вызвать</p> <p>lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ‘ { if(!str) { str= } else { str=str»,»}}END{print str}’` | grep vhosts | grep php </p> <h2><b>Используем мозг и руки для анализа файлов на хостинге </b></h2> <ol><li><b>Идем в директории </b><b>upload, cache, tmp, backup, log, images </b>, в которые что-то пишется скриптами или загружается пользователями, и просматриваем содержимое на наличие новых файлов с подозрительными расширениями. Например, для joomla можно проверить.php файлы в каталоге images:find ./images -name ‘*.ph*’Скорее всего, если что-то найдется, то это будет вредонос.<br> Для WordPress имеет смысл проверить на скрипты директорию wp-content/uploads, backup и cache каталоги тем.</li> <li><b>Ищем файлы со странными именами </b><br> Например, php, fyi.php, n2fd2.php. Файлы можно искать <ul><li>- по нестандартным сочетаниям символов,</li> <li>- наличию цифр 3,4,5,6,7,8,9 в имени файлов</li> </ul></li> </ol><ol><li><b>Ищем файлы с нехарактерными расширениями </b><br> Допустим, у вас сайт на WordPress или Для них файлы с расширениями.py, .pl, .cgi, .so, .c, .phtml, .php3 будут не совсем обычными. Если какие-то скрипты и файлы с данными расширениями будут обнаружены, скорее всего это будут хакерские инструменты. Возможен процент ложных обнаружений, но он не велик.</li> <li><b>Ищем файлы с нестандартными атрибутами или датой создания </b><br> Подозрения могут вызывать файлы с атрибутами, отличающимися от существующих на сервере. Например, все.php скрипты были загружены по ftp/sftp и имеют пользователя user, а некоторые созданы пользователем www-data. Имеет смысл проверить последние. Или если дата создания файла скрипта раньше даты создания сайта.<br> Для ускорения поиска файлов с подозрительными атрибутами удобно пользоваться unix командой find.</li> <li><b>Ищем дорвеи по большому числу файлов </b><b>.html </b><b>или.php<br></b>Если в каталоге несколько тысяч файлов.php или.html, скорее всего это дорвей.</li> </ol><h2><b>Логи в помощь </b></h2> <p>Логи веб-сервера, <a href="https://neonkaraoke.ru/en/services/chto-budet-otvetit-na-spam-chto-takoe-spam-i-kak-borotsya-so-spamerami-v/">почтового сервиса</a> и FTP можно использовать для обнаружения вредоносных и хакерских скриптов.</p> <ul><li>Корреляция даты и времени отправки письма (которые можно узнать из лога <a href="https://neonkaraoke.ru/en/services/opyt-vvedeniya-svoego-pochtovogo-servera-v-kompanii-vnedrenie-pochtovogo/">почтового сервера</a> или служебного заголовка спам-письма) с запросами из access_log помогают выявить способ рассылки спама или найти скрипт спам-рассыльщика.</li> </ul><ul><li>Анализ трансфер-лога FTP xferlog позволяет понять, какие файлы были загружены в момент взлома, какие изменены и кем.</li> </ul><ul><li>В правильно настроенном логе почтового сервера или в служебном заголовке спам-письма при <a href="https://neonkaraoke.ru/en/services/chto-nastraivat-v-biose-neskolko-sovetov-po-pravilnoi-nastroike-bios/">правильной настройке</a> PHP будет имя или полный путь до скрипта-отправителя, что помогает определять источник спама.</li> </ul><ul><li>По логам проактивной защиты современных CMS и плагинов можно определять, какие атаки были выполнены на сайт и сумела ли CMS им противостоять.</li> </ul><ul><li>По access_log и error_log можно анализировать действия хакера, если известны имена скриптов, которые он вызывал, IP адрес или User Agent. В крайнем случае можно просмотреть POST запросы в день взлома и заражения сайта. Часто анализ позволяет найти другие хакерские скрипты, которые были загружены или уже находились на сервере в момент взлома.</li> </ul><h2><b>Контроль целостности </b></h2> <p>Намного проще анализировать взлом и искать вредоносные скрипты на сайте, если заранее позаботить о его безопасности. Процедура контроля целостности (integrity check) помогает своевременно обнаруживать изменения на хостинге и определять факт взлом. Один из самых простых и <a href="https://neonkaraoke.ru/en/rates/ne-daet-udalit-avast-ispolzovanie-utility-ot-razrabotchikov-avast/">эффективных способов</a> – положить сайт под систему контроля версий (git, svn, cvs). Если грамотно настроить.gitignore, то процесс контроля за изменениями выглядит как вызов команды git status, а поиск вредоносных скриптов и измененных файлов – git diff.</p> <p>Также у вас всегда будет <a href="https://neonkaraoke.ru/en/mts-bank/rezervnaya-kopiya-samsung-kak-sdelat-bekap-android-ustroistva-pered/">резервная копия</a> файлов, до которой можно «откатить» сайт в считанные секунды. Администраторам сервера и продвинутым веб-мастерам можно использовать inotify, tripwire, auditd и другие механизмы для отслеживания обращений к файлам и директориям, и контроля за изменениями в файловой системе.</p> <p>К сожалению, не всегда есть возможность настроить систему контроля версий или <a href="https://neonkaraoke.ru/en/news/pochemu-ne-rabotaet-gmail-na-androide-kak-ustranit-nepoladki-svyazannye/">сторонние сервисы</a> на сервере. В случае shared-хостинга не получится установить систему контроля версий и системные сервисы. Но это не беда, есть достаточно много <a href="https://neonkaraoke.ru/en/services/sozdanie-besshumnogo-i-kompaktnogo-htpc-v-domashnih-usloviyah-video-gotovye/">готовых решений</a> для CMS. На сайте можно установить плагин или отдельный скрипт, который будет отслеживать изменения в файлах. В некоторых CMS уже реализован эффективный мониторинг изменений и механизм integrity check (Например, в Битрикс, DLE). В крайнем случае, если на хостинге есть ssh, можно сформировать эталонный слепок <a href="https://neonkaraoke.ru/en/mts-bank/imazing-novoe-slovo-v-upravlenii-failovoi-sistemoi-iphone-i-ipad-kak-prosmatrivat/">файловой системы</a> командой</p> Акция «2 по цене 1» <p> <i> </i> Акция действует до конца месяца.</p> <p>При подключении услуги "Сайт под наблюдением" для одного сайта, второй на том же аккаунте подключается бесплатно. Последующие сайты на аккаунте - 1500 руб в месяц за каждый сайт.</p> <script>document.write("<img style='display:none;' src='//counter.yadro.ru/hit;artfast_after?t44.1;r"+ escape(document.referrer)+((typeof(screen)=="undefined")?"": ";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth? screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+";h"+escape(document.title.substring(0,150))+ ";"+Math.random()+ "border='0' width='1' height='1' loading=lazy loading=lazy>");</script> </div> </div> </div> </div> <div id="sidebar" class="span4 sidebar_right"> <div class="inside"> <div class="sidebar_module sidebar_module_"> <h3 class="sidebar_module_heading"><span>Last</span></h3> <div class="sidebar_module_content"> <ul class="nav menu"> <li class="item"><a href="https://neonkaraoke.ru/en/internet/davaite-razberemsya-chto-zhe-takoe-brauzer-chto-takoe-brauzer/">Let's see what browser is</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/rates/ne-mesta-na-diske-chto-delat-esli-net-mesta-na-diske-s-v-windows/">What to do if there is no disk space in Windows?</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/mts-bank/pochemu-telefon-ne-zaryazhaetsya-ot-yusb-pochemu-ne-zaryazhaetsya-cherez-usb-kabel/">Why not charging via usb cable</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/internet/ispravit-problemu-s-yutubom-pochemu-ne-pokazyvaet-video-v/">Why does not show video in YouTube?</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/internet/udalit-nomer-ot-vk-kak-otvyazat-nomer-ot-vk-kak-otvyazat-nomer-ot-stranicy/">How to untie the number from VK</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/internet/kak-otvyazat-nomer-ot-chuzhoi-stranicy-vkontakte-kak-bystro-i-bez/">How quickly and without difficulty untie the number from the page VK</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/news/chto-takoe-plazma-televizor-chto-vybrat-plazmu-ili-zhk-televizor-chto/">What to choose a plasma or LCD TV</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/services/adobe-dreamweaver-cs6-otpravka-formy-uroki-obuchenie-dreamweaver-vybor/">Adobe Dreamweaver CS6 Sending Form Lessons</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/internet/pochemu-televizor-nazyvaetsya-plazmoi-a-vy-znaete-kakoi-televizor-luchshe-zhk/">And you know which TV is better: LCD or plasma?</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/mts-bank/princip-raboty-golubinoi-pochty-golubinaya-pochta-istoriya-pochtovyh/">Principle of operation of pigeon mail</a></li> </ul> </div> </div> <div class="sidebar_module sidebar_module_"> <h3 class="sidebar_module_heading"><span>It is necessary to know</span></h3> <div class="sidebar_module_content"> <ul class="nav menu"> <li class="item"><a href="https://neonkaraoke.ru/en/news/princip-raboty-golubinoi-pochty-kak-rabotaet-golubinaya-pochta-kak-pticy-ishchut/">How does pigeon mail works</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/news/richard-hammond-filmy-foto-i-lichnaya-zhizn-aktera-richard-hammond-o-vedushchem/">Richard Hammond - About the lead, biography, career facts on radio and television</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/internet/besplatnye-obyavleniya-po-prodazhe-avtomobilei-kak-kupit-avto-v-litve-kakie/">How to buy cars in Lithuania which documents can be with a car</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/services/posledovatelnost-podkl-navigacii-na-telefon-kak-nastroit-navigator-na/">How to configure navigator on your mobile phone: step by step instructions</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/news/uroki-flesh-animacii-novichkam-s-chego-nachat-izuchenie-flesh/">Novice: where to start learning a flash?</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/internet/kak-besplatno-obnovit-brauzer-na-telefone-opisanie-raznyh-sposobov-kak/">How to update the browser for free - a description of different ways</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/news/karusel-vkontakte-novyi-reklamnyi-format-karusel/">Carousel VKontakte - a new advertising format what is advertising carousel</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/rates/kak-risovat-na-android-sozda-m-hudozhestvennye-proizvedeniya-s-pomoshchyu/">Draw on the tablet: The best apps for Android and iOS download games drawing on tablet</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/services/bonpriks-skachat-na-android-skachat-bonpriks-preimushchestva-prilozheniya/">Bonprix download for android</a></li> <li class="item"><a href="https://neonkaraoke.ru/en/internet/prilozhenie-bonpriks-skachat-na-android-oformlenie-zakaza-s-pomoshchyu/">Ordering an order using the phone through the BONPRIX application</a></li> </ul> </div> </div> <div class="sidebar_module sidebar_module_"> </div> </div> </div> </div> </div> </section> <footer id="footer" class="container"> <div id="copyright"> <div> <p class="copytext"> 2021 NEONKARAOKE.RU - Internet. News. Tariffs. Services. MTS</p> <ul class="nav menu"> <li class="item-113"><a href="https://neonkaraoke.ru/en/sitemap.xml">site `s map</a></li> </ul> </div> </div> </footer> <div id="gotop" class=""> <a href="#" class="scrollup">TPL_TPL_FIELD_SCROLL</a> </div> </body> </html>