{"id":1043,"date":"2010-08-19T17:09:55","date_gmt":"2010-08-20T00:09:55","guid":{"rendered":"http:\/\/www.milfont.org\/tech\/?p=1043"},"modified":"2010-08-19T17:09:55","modified_gmt":"2010-08-20T00:09:55","slug":"exploit-que-redireciona-para-bablo-me-uk","status":"publish","type":"post","link":"https:\/\/www.milfont.org\/tech\/2010\/08\/19\/exploit-que-redireciona-para-bablo-me-uk\/","title":{"rendered":"Exploit that redirects to Bablo me uk"},"content":{"rendered":"<p>A quick tip so you don't fall for this like a sucker, the way I did. Today I searched Google for a link from my own blog and discovered that my entire &#8220;\/tech&#8221; site had been removed. Worse, Google's cache pointed to something strange.<\/p>\n<p>I checked in <a href=\"https:\/\/www.google.com\/webmasters\/tools\/\">Google's webmaster tools<\/a> and found that Googlebot was being redirected to the address &#8220;bablo .me .uk&#8221;, and sometimes that address disguised itself as others.<\/p>\n<p>Using &#8220;curl -v -A Googlebot http:\/\/www.milfont.org\/tech&#8221; I got the message:<br \/>\n<code><br \/>\n...<br \/>\n* HTTP 1.0, assume close after body<br \/>\n&lt; HTTP\/1.0 301 Moved Permanently<br \/>\n&lt; Date: Thu, 19 Aug 2010 23:55:13 GMT<br \/>\n&lt; Server: Apache<br \/>\n&lt; Location: http:\/\/bablo .me .uk\/#....<br \/>\n...<br \/>\n<\/code><\/p>\n<p>Only after a lot of pain searching through every .htaccess and .php file did I find, <a href=\"http:\/\/blog.unmaskparasites.com\/2009\/01\/19\/exploit-redirects-googlebot-to-malware-sites-bablo-me-uk\/\">at this link<\/a>, the comment <a href=\"http:\/\/blog.unmaskparasites.com\/2009\/01\/19\/exploit-redirects-googlebot-to-malware-sites-bablo-me-uk\/#comment-129\">that saved me<\/a>.<\/p>\n<p>Searching with <code>find -name \"*.php\" | xargs grep -E \"eval\"<\/code> I found it hidden in wp-config.php; worse, it was pushed far to the right with a lot of spaces, making it hard to spot:<\/p>\n<p><code><br \/>\n.\/wp-config.php: \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0eval(base64_decode('ZXJ....<br \/>\n<\/code><\/p>\n<p>I don't know how long I spent hunting for this wretched thing; take the tip in case you go through the same torment. I reviewed all the permissions and updated WordPress, something I should have done long ago, but the lazy man works harder than the smart one.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A quick tip so you don't fall for this like a sucker, the way I did. Today I searched Google for a link from my own blog and discovered that my entire &#8220;\/tech&#8221; site had been removed. Worse, Google's cache pointed to something strange. I checked in Google's webmaster tools and found that Googlebot was [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[35,308,19],"tags":[309,413,310],"_links":{"self":[{"href":"https:\/\/www.milfont.org\/tech\/wp-json\/wp\/v2\/posts\/1043"}],"collection":[{"href":"https:\/\/www.milfont.org\/tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.milfont.org\/tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.milfont.org\/tech\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.milfont.org\/tech\/wp-json\/wp\/v2\/comments?post=1043"}],"version-history":[{"count":3,"href":"https:\/\/www.milfont.org\/tech\/wp-json\/wp\/v2\/posts\/1043\/revisions"}],"predecessor-version":[{"id":1046,"href":"https:\/\/www.milfont.org\/tech\/wp-json\/wp\/v2\/posts\/1043\/revisions\/1046"}],"wp:attachment":[{"href":"https:\/\/www.milfont.org\/tech\/wp-json\/wp\/v2\/media?parent=1043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.milfont.org\/tech\/wp-json\/wp\/v2\/categories?post=1043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.milfont.org\/tech\/wp-json\/wp\/v2\/tags?post=1043"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}