{"id":98,"date":"2026-01-13T00:00:00","date_gmt":"2026-01-12T23:00:00","guid":{"rendered":"https:\/\/helloblog.io\/hr\/malver-koji-propusta-samo-googlebot-ip-verificirano-cloaking-ubrizgavanje-u-wordpressu\/"},"modified":"2026-01-20T06:33:03","modified_gmt":"2026-01-20T05:33:03","slug":"malver-koji-propusta-samo-googlebot-ip-verificirano-cloaking-ubrizgavanje-u-wordpressu","status":"publish","type":"post","link":"https:\/\/helloblog.io\/hr\/malver-koji-propusta-samo-googlebot-ip-verificirano-cloaking-ubrizgavanje-u-wordpressu\/","title":{"rendered":"Malware that \u201clets through\u201d only Googlebot: IP-verified cloaking injection in WordPress"},"content":{"rendered":"\n<p>In WordPress incidents we have grown used to the obvious signals: redirects, pop-ups, suspicious scripts in the header. But attackers are increasingly going the opposite way: instead of \u201cdirtying\u201d the visitor experience, they target search engines and crawlers (automated bots that index content). The result is insidious: you and your users see the correct page, while Google sees spam or completely different content.<\/p>\n\n\n\n<p>In one recent case, the injection sat in the main WordPress <code>index.php<\/code> and behaved as a gatekeeper: it decides whether to load normal WordPress or, only for Google infrastructure, to pull remote content from a third-party domain and \u201cserve\u201d it as if it were part of your site.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is different in this cloaking variant?<\/h2>\n\n\n\n<p>Cloaking (serving different content to the search engine and to humans) is not new, but what is interesting here is the level of visitor identity verification. Many scripts rely only on the <code>User-Agent<\/code> header to detect a bot. 
The problem: <code>User-Agent<\/code> is trivial to spoof.<\/p>\n\n\n\n<p>This malware goes a step further: alongside the <code>User-Agent<\/code> it also checks whether the IP address really belongs to Google's network. Specifically, it carries a hardcoded list of Google ASN (Autonomous System Number) IP ranges in CIDR notation and performs an arithmetic check of whether the IP falls within a range. It also includes IPv6 support, which older cloaking code often neglects.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">ASN and CIDR in two sentences (context for developers)<\/h3>\n\n\n\n<p>You can think of an ASN as the \u201cinternet identity\u201d of a large system (e.g. Google): the set of networks and IP addresses that belong to that organization. CIDR is a notation such as <code>192.168.1.0\/24<\/code> that describes a block (range) of IP addresses more compactly than listing every single address.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1360\" height=\"636\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/IP-Verified-Conditional-Logic.png\" alt=\"Diagram of IP-verified conditional logic for selectively serving content to bots\" class=\"wp-image-90\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/IP-Verified-Conditional-Logic.png 1360w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/IP-Verified-Conditional-Logic-300x140.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/IP-Verified-Conditional-Logic-1024x479.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/IP-Verified-Conditional-Logic-768x359.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/IP-Verified-Conditional-Logic-400x187.png 400w\" sizes=\"auto, (max-width: 1360px) 100vw, 1360px\" \/><figcaption class=\"wp-element-caption\"><em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">What the attack looks like in practice (why it is hard to spot)<\/h2>\n\n\n\n<p>The greatest value of this attack to the attacker is invisibility. If you open the site manually in a browser, you will most often see a tidy, \u201cclean\u201d site. Even if you know you should check as Googlebot, changing the <code>User-Agent<\/code> alone will not help, because the IP will not pass the check.<\/p>\n\n\n\n<p>In Sucuri's example, the difference became clear only when what appears in the search engine's index\/preview was compared with what a human sees. Google was receiving the spam\/payload content, while visitors stayed on the legitimate content.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1270\" height=\"936\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/What-Google-sees.png\" alt=\"Example result: Google sees different content than real visitors do\" class=\"wp-image-91\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/What-Google-sees.png 1270w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/What-Google-sees-300x221.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/What-Google-sees-1024x755.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/What-Google-sees-768x566.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/What-Google-sees-400x295.png 400w\" sizes=\"auto, (max-width: 1270px) 100vw, 1270px\" \/><figcaption class=\"wp-element-caption\"><em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Anatomy of the malware: five key steps<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1) Multi-layer identity verification<\/h3>\n\n\n\n<p>The first line is a check of the <code>HTTP_USER_AGENT<\/code> string for Google's crawlers and associated tools (e.g. various verification\/inspection agents). 
This lets the attacker's content be indexed and verified across several Google services, but the script does not rely on that alone.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1880\" height=\"498\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Multi-Layer-Identity-Verification.png\" alt=\"Diagram of the multi-layer check: User-Agent + IP verification\" class=\"wp-image-92\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Multi-Layer-Identity-Verification.png 1880w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Multi-Layer-Identity-Verification-300x79.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Multi-Layer-Identity-Verification-1024x271.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Multi-Layer-Identity-Verification-768x203.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Multi-Layer-Identity-Verification-1536x407.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Multi-Layer-Identity-Verification-400x106.png 400w\" sizes=\"auto, (max-width: 1880px) 100vw, 1880px\" \/><figcaption class=\"wp-element-caption\"><em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2) Bitwise validation of IP ranges (instead of simple matching)<\/h3>\n\n\n\n<p>Instead of doing a string comparison or a superficial prefix check, the script uses bitwise operations to determine mathematically whether the IP belongs to a specific CIDR range. 
For IPv4 the logic typically boils down to masking the IP and comparing it with the masked range.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki github-dark\" style=\"background-color:#24292e;color:#e1e4e8\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color:#6A737D\">\/\/ Simplified example of the idea (conceptual)<\/span><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ Check whether the IP belongs to a given CIDR block via the netmask<\/span><\/span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">($ip_decimal <\/span><span style=\"color:#F97583\">&#x26;<\/span><span style=\"color:#E1E4E8\"> $netmask_decimal) <\/span><span style=\"color:#F97583\">==<\/span><span style=\"color:#E1E4E8\"> ($range_decimal <\/span><span style=\"color:#F97583\">&#x26;<\/span><span style=\"color:#E1E4E8\"> $netmask_decimal);<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1420\" height=\"734\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Bitwise-IP-Range-Validation.png\" alt=\"Diagram of checking an IP address against a CIDR range using bitwise operations\" class=\"wp-image-93\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Bitwise-IP-Range-Validation.png 1420w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Bitwise-IP-Range-Validation-300x155.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Bitwise-IP-Range-Validation-1024x529.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Bitwise-IP-Range-Validation-768x397.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Bitwise-IP-Range-Validation-400x207.png 400w\" sizes=\"auto, (max-width: 1420px) 100vw, 1420px\" \/><figcaption class=\"wp-element-caption\"><em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">3) Fetching the remote payload via cURL<\/h3>\n\n\n\n<p>Once the identity check \u201cpasses\u201d (Google's <code>User-Agent<\/code> plus an IP from a Google ASN range), the malware makes a <code>cURL<\/code> request to an external domain and prints the content directly into the response. The crawler is thus given the impression that the content is hosted on the compromised domain.<\/p>\n\n\n\n<p>In the analyzed case, the remote domain mentioned is <code>amp-samaresmanor[.]pages[.]dev<\/code> (deliberately defanged with square brackets in the original write-up).<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><pre class=\"shiki github-dark\" style=\"background-color:#24292e;color:#e1e4e8\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color:#6A737D\">\/\/ Conceptually: after verifying the bot, fetch the HTML from the remote host<\/span><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ and echo it into the response (crawlers will index it)<\/span><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ hxxps:\/\/amp-samaresmanor[.]pages[.]dev<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1444\" height=\"836\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Remote-Payload-Execution-via-cURL.png\" alt=\"Diagram of fetching remote content via cURL and printing it directly\" class=\"wp-image-94\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Remote-Payload-Execution-via-cURL.png 1444w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Remote-Payload-Execution-via-cURL-300x174.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Remote-Payload-Execution-via-cURL-1024x593.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Remote-Payload-Execution-via-cURL-768x445.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Remote-Payload-Execution-via-cURL-400x232.png 400w\" sizes=\"auto, (max-width: 1444px) 100vw, 1444px\" \/><figcaption class=\"wp-element-caption\"><em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4) Broader filtering of User-Agent strings<\/h3>\n\n\n\n<p>The script does not look only for \u201cGooglebot\u201d. Strings for various Google services tied to validation, inspection and API crawling are included as well. This increases the chance that the malicious content appears in the index and passes Google's verification processes.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1682\" height=\"554\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/User-Agent-Filtering.png\" alt=\"Example of filtering User-Agent strings for Google's bots and tools\" class=\"wp-image-95\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/User-Agent-Filtering.png 1682w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/User-Agent-Filtering-300x99.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/User-Agent-Filtering-1024x337.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/User-Agent-Filtering-768x253.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/User-Agent-Filtering-1536x506.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/User-Agent-Filtering-400x132.png 400w\" sizes=\"auto, (max-width: 1682px) 100vw, 1682px\" \/><figcaption class=\"wp-element-caption\"><em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">5) Conditional logic, fallback behaviour and error logging<\/h3>\n\n\n\n<p>This is the part that makes the attack \u201ctidy\u201d from the attacker's perspective. If the bot is legitimate, it receives the remote content and the success is logged. 
If fetching the payload fails, the bot is redirected to <code>\/home\/<\/code> so that Google does not see a broken page.<\/p>\n\n\n\n<p>If someone spoofs the <code>User-Agent<\/code> (a fake Googlebot) but the IP fails verification, the script may log a message such as \u201cFake GoogleBot detected\u201d and send the user to the normal home page. For all other visitors the behaviour is the same: they are quickly taken to the legitimate content.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1694\" height=\"680\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Conditional-Logic-and-Error-Logging.png\" alt=\"Conditional logic diagram: a legitimate bot receives the payload, fake bots and users are redirected\" class=\"wp-image-96\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Conditional-Logic-and-Error-Logging.png 1694w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Conditional-Logic-and-Error-Logging-300x120.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Conditional-Logic-and-Error-Logging-1024x411.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Conditional-Logic-and-Error-Logging-768x308.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Conditional-Logic-and-Error-Logging-1536x617.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/Conditional-Logic-and-Error-Logging-400x161.png 400w\" sizes=\"auto, (max-width: 1694px) 100vw, 1694px\" \/><figcaption class=\"wp-element-caption\"><em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Why the attack is so often \u201cparked\u201d in core files<\/h2>\n\n\n\n<p>In this incident the <code>index.php<\/code> at the root of the WordPress installation was compromised. 
That is a smart choice: <code>index.php<\/code> is the entry point, and the attacker gains full control over what is served before WordPress even starts normally.<\/p>\n\n\n\n<p>The script can still \u201cbootstrap\u201d WordPress when it suits it. The example from the analysis mentions <code>require_once __DIR__ . '\/wp-load.php'<\/code> to initialize the WordPress runtime (configuration, DB access). In a clean WordPress, the standard <code>index.php<\/code> ends by including <code>wp-blog-header.php<\/code>; attackers often leave that in place or execute it conditionally so the site keeps working normally for humans.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Consequences: more an SEO incident than \u201cclassic malware\u201d (but just as serious)<\/h2>\n\n\n\n<p>The primary goal here is not stealing visitor data, but compromising the domain's reputation and manipulating the index. Typical consequences are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>de-indexing or a collapse in rankings because of spam content<\/li>\n\n\n<li>blacklisting (by search engines or security tools)<\/li>\n\n\n<li>\u201cresource hijacking\u201d: your domain becomes a channel for someone else's content<\/li>\n\n\n<li>delayed detection, because the owner does not see the problem in a browser<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Signals that point to this type of compromise<\/h2>\n\n\n\n<p>With crawler-interception attacks, the best clues are often outside the frontend itself:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>unexpected or poor results in Google Search (titles\/descriptions\/URLs that are not yours)<\/li>\n\n\n<li>recently modified core files (especially <code>index.php<\/code>) with no clear reason<\/li>\n\n\n<li>suspicious external URLs\/domains in code or logs<\/li>\n\n\n<li>unusual entries in access\/error logs (redirects, attempts to fetch external content)<\/li>\n\n<\/ul>\n\n\n\n<div class=\"wp-block-group callout callout-warning is-style-warning is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">A concrete IOC from the analyzed case<\/h4>\n\n\n<p>The report names the domain <code>amp-samaresmanor[.]pages[.]dev<\/code> as the source of the remote payload. According to the write-up, at the time of writing the URL was flagged (blocklisted) by some security vendors on VirusTotal and had been seen on multiple compromised websites.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Remediation and prevention (a practical checklist for the WordPress team)<\/h2>\n\n\n\n<p>If you suspect this kind of attack, the priority is to restore the application's integrity and close the entry vector. Focus on these steps:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n\n<li>Remove unknown files and directories: anything that is not part of WordPress core, the theme or vetted plugins.<\/li>\n\n\n<li>Check and clean <code>index.php<\/code> and the other core files: every unauthorized change is a red flag.<\/li>\n\n\n<li>Audit users: remove suspicious admin accounts and unused \u201chelp\u201d accounts.<\/li>\n\n\n<li>Reset credentials: WordPress admin passwords, FTP\/SFTP, hosting panel, databases.<\/li>\n\n\n<li>Scan the local machine: a compromised dev workstation is often the hidden cause of reinfection.<\/li>\n\n\n<li>Update everything: WordPress core, themes, plugins, especially if they were previously neglected.<\/li>\n\n\n<li>Deploy a WAF (Web Application Firewall): a layer that can block communication with known malicious endpoints and prevent the initial upload\/exploit.<\/li>\n\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">What to take away from this case<\/h2>\n\n\n\n<p>This campaign is a good reminder that modern malicious behaviour in WordPress is often not \u201cloud\u201d. An attacker can turn a legitimate site into a controlled gateway that serves different content exclusively to search engines, while the owner sees everything as normal for months.<\/p>\n\n\n\n<p>In practice, this means that alongside classic security measures (updates, least privilege, hardening) it pays to have file integrity control (File Integrity Monitoring) and to regularly watch Google Search Console for unexpected URLs in the index. Core files such as <code>index.php<\/code> are especially sensitive because one small injection can change the entire request flow.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1332\" height=\"620\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/CIDR-format.png\" alt=\"Illustration of CIDR notation for IP ranges and the meaning of the prefix\" class=\"wp-image-97\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/CIDR-format.png 1332w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/CIDR-format-300x140.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/CIDR-format-1024x477.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/CIDR-format-768x357.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/22\/2026\/01\/CIDR-format-400x186.png 400w\" sizes=\"auto, (max-width: 1332px) 100vw, 1332px\" \/><figcaption class=\"wp-element-caption\"><em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n<div class=\"references-section\">\n                <h2>References \/ Sources<\/h2>\n                <ul class=\"references-list\"><li><a href=\"https:\/\/blog.sucuri.net\/2026\/01\/malware-intercepts-googlebot-via-ip-verified-conditional-logic.html\" target=\"_blank\" rel=\"noopener noreferrer\">Malware Intercepts Googlebot via IP-Verified Conditional Logic<\/a><\/li><li><a href=\"https:\/\/blog.sucuri.net\/2026\/01\/google-sees-spam-you-see-your-site-a-cloaked-seo-spam-attack.html\" target=\"_blank\" rel=\"noopener noreferrer\">Google sees spam, you see your site: a cloaked SEO spam attack<\/a><\/li><li><a href=\"https:\/\/www.virustotal.com\/gui\/url\/5a006beedf563c6215a31746d011d13fd4f2561a1bf3b557484c4532b13e1ec6?nocache=1\" target=\"_blank\" rel=\"noopener noreferrer\">VirusTotal URL report<\/a><\/li><li><a href=\"https:\/\/publicwww.com\/websites\/amp-samaresmanor.pages\/\" target=\"_blank\" rel=\"noopener noreferrer\">publicwww.com results for amp-samaresmanor.pages<\/a><\/li><li><a href=\"https:\/\/sucuri.net\/website-firewall\/\" target=\"_blank\" rel=\"noopener noreferrer\">Website Firewall<\/a><\/li><li><a href=\"https:\/\/sucuri.net\/malware-detection-scanning\/\" target=\"_blank\" rel=\"noopener noreferrer\">Malware Detection &amp; Scanning (File Integrity Monitoring mention)<\/a><\/li><\/ul>\n            <\/div>","protected":false},"excerpt":{"rendered":"<p>Malware is increasingly appearing that performs no classic redirects but instead selectively serves spam content only to Google. 
The site owner sees a \u201cnormal\u201d page, while the crawler indexes something else entirely.<\/p>\n","protected":false},"author":42,"featured_media":89,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[54,52,53,55,10],"class_list":["post-98","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sigurnost","tag-cloaking","tag-malware","tag-seo","tag-waf","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/posts\/98","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/users\/42"}],"replies":[{"embeddable":true,"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/comments?post=98"}],"version-history":[{"count":1,"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/posts\/98\/revisions"}],"predecessor-version":[{"id":138,"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/posts\/98\/revisions\/138"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/media\/89"}],"wp:attachment":[{"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/media?parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/categories?post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/helloblog.io\/hr\/wp-json\/wp\/v2\/tags?post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}