about costabrava hack and some fix.


Türkçe:
Hostunuzdaki bütün php dosyalarınıza eval ve base64_decode kodunu kullanan ve google’da sitenizi aratıp linkinize tıkladığınız zaman costabrava diye bir siteye yönlendiren bir enfeksiyonunuz varsa altta paylaştığım fixcosta.rar dosyasını açıp içindeki PHP dosyasını hostunuza yüklüyorsunuz ve çalıştırıyorsunuz. sitenizdeki zararlı kodlar (eğer modifikasyona uğramamamışsa) temizleniyor.

Kaynak olarak http://redleg-redleg.blogspot.com/p/simple-script-to-find-base64decode-in.html adresindeki virüs bulucu kodu kullandım ve üzerine temizleyen kodu ekledim.

Daha sonra, eğer hostunuzda wordpress kurulu ise ve temalarınız arasında TwentyTen teması varsa, ve kullanmıyorsanız, silin.

 

English: Today I had this on my server and needed to fix like a hundred files which are infected with some nasty redirection script. So I wrote this php file to remove all the injected codes from my php files and I decided to share with you.

You can check if your server is infected or not by googling your web site and then clicking the link. If it opens your site, it’s ok. But if it redirects to “costabrava.bee.pl“, your server is infected. You should do something.

Its based on http://redleg-redleg.blogspot.com/p/simple-script-to-find-base64decode-in.html which finds the infected files, and I added the code to remove the costabrava.bee.pl header.

First, download the code below here and unrar it. there’s one php file named “fixcosta.php” and upload it into your server’s root directory. then run it.

Second, if you’re not using TwentyTen theme, delete the folder from wp-content/themes.

This’ll fix it for now. Then you should search how the hacker got into your ftp and uploaded these files. And find a fix for that too.

3 thoughts on “about costabrava hack and some fix.

Leave a Reply

Your email address will not be published. Required fields are marked *

Last.fm RPS

Follow me on Twitter

GiottoPress by Enrique Chavez

%d bloggers like this: