{"id":114,"date":"2026-01-13T00:00:00","date_gmt":"2026-01-12T23:00:00","guid":{"rendered":"https:\/\/helloblog.io\/pt\/cloaking-avancado-wordpress-malware-googlebot-validacao-ip-asn-cidr\/"},"modified":"2026-01-20T06:32:52","modified_gmt":"2026-01-20T05:32:52","slug":"cloaking-avancado-wordpress-malware-googlebot-validacao-ip-asn-cidr","status":"publish","type":"post","link":"https:\/\/helloblog.io\/pt\/cloaking-avancado-wordpress-malware-googlebot-validacao-ip-asn-cidr\/","title":{"rendered":"Advanced cloaking in WordPress: malware that only \u201cshows its face\u201d to Googlebot, with IP validation (ASN\/CIDR)"},"content":{"rendered":"\n<p>In WordPress security incidents there is a recurring pattern: when the infection is \u201cnoisy\u201d (popups, redirects, strange scripts), someone notices it quickly. The problem is that attackers are increasingly betting on the opposite: selective malware that delivers the malicious payload only to the audience it cares about, typically search-engine crawlers, and keeps the site looking normal for human visitors and for the site owner.<\/p>\n\n\n\n<p>A recent case analysed by Sucuri showed exactly that: a modification to the WordPress <code>index.php<\/code> that acts as a gatekeeper and decides, request by request, whether to load the \u201cclean\u201d WordPress or to inject remote content specifically for Googlebot, with strong verification based on the source IP.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1360\" height=\"636\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/IP-Verified-Conditional-Logic.png\" alt=\"Conditional-logic diagram with IP verification to serve different content to Googlebot\" class=\"wp-image-106\" 
srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/IP-Verified-Conditional-Logic.png 1360w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/IP-Verified-Conditional-Logic-300x140.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/IP-Verified-Conditional-Logic-1024x479.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/IP-Verified-Conditional-Logic-768x359.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/IP-Verified-Conditional-Logic-400x187.png 400w\" sizes=\"auto, (max-width: 1360px) 100vw, 1360px\" \/><figcaption class=\"wp-element-caption\">Example of cloaking with IP-based conditional logic. <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">What was found: selective injection in index.php<\/h2>\n\n\n\n<p>During the investigation, the main entry point was <code>index.php<\/code> (the typical root file of a WordPress installation). 
Instead of following the normal flow, bootstrapping WordPress and rendering the theme, the file had been tampered with to evaluate the visitor's \u201cidentity\u201d.<\/p>\n\n\n\n<p>In practice, the compromised <code>index.php<\/code> had two paths:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>If the visitor appears to be Google infrastructure (not only by User-Agent, but also by IP), the script fetches a remote payload and prints that content in the response.<\/li>\n\n\n<li>For normal users, the site keeps serving the legitimate version, drastically reducing the chance of manual detection.<\/li>\n\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1270\" height=\"936\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/What-Google-sees.png\" alt=\"Screenshot showing different content indexed by Google compared with the normal site\" class=\"wp-image-107\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/What-Google-sees.png 1270w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/What-Google-sees-300x221.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/What-Google-sees-1024x755.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/What-Google-sees-768x566.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/What-Google-sees-400x295.png 400w\" sizes=\"auto, (max-width: 1270px) 100vw, 1270px\" \/><figcaption class=\"wp-element-caption\">The site looked normal to visitors, but Google saw injected content. 
<em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">The technical \u201ctwist\u201d: not just User-Agent, but ASN + CIDR + bitwise (with IPv6)<\/h2>\n\n\n\n<p>Cloaking via <code>HTTP_USER_AGENT<\/code> (the string the browser or crawler sends with each request) is an old technique. What stands out here is the level of rigour: the malware did not rely only on \u201ccontains Googlebot\u201d. It carried a large hardcoded list of IP ranges associated with Google, identified via ASN (Autonomous System Number) and expressed in CIDR notation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Google's ASN: what it means in practice<\/h3>\n\n\n\n<p>An ASN (Autonomous System Number) works as a network \u201cidentity\u201d on the Internet: it groups blocks of IP addresses under the control of one organisation. By validating that the source IP belongs to ranges associated with Google's ASN, the attacker reduces false positives and prevents anyone testing manually (or a simple scanner) from seeing the hidden content just by spoofing the User-Agent.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CIDR: the compact way to represent IP ranges<\/h3>\n\n\n\n<p>CIDR (Classless Inter-Domain Routing) is a notation for describing blocks of IP addresses without listing them one by one. 
For example, <code>192.168.1.0\/24<\/code> covers <code>192.168.1.0<\/code> through <code>192.168.1.255<\/code>; the <code>\/24<\/code> prefix length (24 network bits) defines the block size.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1332\" height=\"620\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/CIDR-format.png\" alt=\"Illustrated example of a CIDR range and an explanation of the prefix\" class=\"wp-image-108\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/CIDR-format.png 1332w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/CIDR-format-300x140.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/CIDR-format-1024x477.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/CIDR-format-768x357.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/CIDR-format-400x186.png 400w\" sizes=\"auto, (max-width: 1332px) 100vw, 1332px\" \/><figcaption class=\"wp-element-caption\">Representation of IP ranges in CIDR. 
<em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Validation with bitwise operations and IPv6 support<\/h3>\n\n\n\n<p>Instead of string comparisons or fragile lists, the script performed an arithmetic check to confirm whether an IP \u201cfalls\u201d inside a CIDR block, and it also had explicit IPv6 support, which many older cloaking scripts ignore.<\/p>\n\n\n\n<p>The core IPv4 logic described in the analysis uses a bitwise AND with the block's netmask to compare the visitor's IP with the range:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#24292e\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>\/\/ Illustrative concept of the network match (IPv4)\n\/\/ If (IP &amp; netmask) == (range &amp; netmask) then the IP belongs to the block.\n($ip_decimal &amp; $netmask_decimal) == ($range_decimal &amp; $netmask_decimal);\n<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color:#24292e;color:#e1e4e8\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color:#6A737D\">\/\/ Illustrative concept of the network match (IPv4)<\/span><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ If (IP &#x26; netmask) == (range &#x26; netmask) then the IP belongs to the block.<\/span><\/span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">($ip_decimal <\/span><span style=\"color:#F97583\">&#x26;<\/span><span style=\"color:#E1E4E8\"> $netmask_decimal) <\/span><span style=\"color:#F97583\">==<\/span><span style=\"color:#E1E4E8\"> ($range_decimal <\/span><span style=\"color:#F97583\">&#x26;<\/span><span style=\"color:#E1E4E8\"> $netmask_decimal);<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1420\" height=\"734\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Bitwise-IP-Range-Validation.png\" alt=\"Diagram explaining IP validation with bitwise operations to match CIDR blocks\" class=\"wp-image-109\" 
srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Bitwise-IP-Range-Validation.png 1420w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Bitwise-IP-Range-Validation-300x155.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Bitwise-IP-Range-Validation-1024x529.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Bitwise-IP-Range-Validation-768x397.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Bitwise-IP-Range-Validation-400x207.png 400w\" sizes=\"auto, (max-width: 1420px) 100vw, 1420px\" \/><figcaption class=\"wp-element-caption\">Bitwise IP validation to guarantee an exact match against the network. <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Why this is dangerous: direct impact on SEO and reputation<\/h2>\n\n\n\n<p>This type of infection is less about direct theft (e.g. skimmers) and more about abusing the search engine's trust. 
The site starts serving content that does not exist for humans, and Google may index pages or payloads that the owner never published.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Blacklisting and a drop in domain reputation.<\/li>\n\n\n<li>Deindexing or a significant loss of rankings due to spam\/cloaking.<\/li>\n\n\n<li>\u201cResource hijacking\u201d: your domain becomes a vehicle for third-party remote content.<\/li>\n\n\n<li>Late detection, because normal browsing does not reveal the problem.<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Practical warning signs (especially for technical teams)<\/h2>\n\n\n\n<p>If you are investigating a WordPress site that \u201clooks normal\u201d but is suspected of SEO spam\/cloaking, these signs tend to show up sooner or later:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Odd Google results (titles\/snippets that do not match the site).<\/li>\n\n\n<li>Recently modified core or entry-point files (especially <code>index.php<\/code>).<\/li>\n\n\n<li>Suspicious URLs in code, logs or deployment history.<\/li>\n\n\n<li>Unexpected log entries (including error messages written by the malware itself to measure its success\/failures).<\/li>\n\n<\/ul>\n\n\n\n<div class=\"wp-block-group callout callout-warning is-style-warning is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Indicator observed in the campaign<\/h4>\n\n\n<p>In the analysis, the malicious domain used to serve the remote payload was <code>amp-samaresmanor[.]pages[.]dev<\/code> (written as hxxps in the documentation to avoid accidental clicks).<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">How the malware decides 
what to serve: the decision chain<\/h2>\n\n\n\n<p>The behaviour described follows a layered sequence, designed to minimise exposure and maximise indexing:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Multi-layer verification (User-Agent + real IP)<\/h3>\n\n\n\n<p>First, the script inspects <code>HTTP_USER_AGENT<\/code>. Because that is easy to spoof, a second layer kicks in: validating the IP against Google's ranges (ASN expressed in CIDR) with bitwise operations.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1880\" height=\"498\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Multi-Layer-Identity-Verification.png\" alt=\"Identity-verification flow combining User-Agent and IP validation\" class=\"wp-image-110\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Multi-Layer-Identity-Verification.png 1880w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Multi-Layer-Identity-Verification-300x79.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Multi-Layer-Identity-Verification-1024x271.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Multi-Layer-Identity-Verification-768x203.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Multi-Layer-Identity-Verification-1536x407.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Multi-Layer-Identity-Verification-400x106.png 400w\" sizes=\"auto, (max-width: 1880px) 100vw, 1880px\" \/><figcaption class=\"wp-element-caption\">The script validates the User-Agent first and then confirms the IP by network. <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2) Broad filtering of User-Agents from the Google ecosystem<\/h3>\n\n\n\n<p>Another interesting detail: it is not a naive filter for \u201cGooglebot\u201d. 
The malware includes several identifiers associated with Google's verification\/inspection tools and API crawlers, to increase the chance that the malicious content is seen and confirmed by different services.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1682\" height=\"554\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/User-Agent-Filtering.png\" alt=\"Illustrative snippet of User-Agent filtering with several Google-related identifiers\" class=\"wp-image-111\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/User-Agent-Filtering.png 1682w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/User-Agent-Filtering-300x99.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/User-Agent-Filtering-1024x337.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/User-Agent-Filtering-768x253.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/User-Agent-Filtering-1536x506.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/User-Agent-Filtering-400x132.png 400w\" sizes=\"auto, (max-width: 1682px) 100vw, 1682px\" \/><figcaption class=\"wp-element-caption\">User-Agent filtering with multiple Google identifiers. <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">3) Remote payload execution via cURL (injection into the response)<\/h3>\n\n\n\n<p>When the visitor passes the checks, the script uses cURL to fetch remote content and prints it directly into the site's response. 
To the crawler, it looks like \u201cnative\u201d content from the domain.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#24292e\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>\/\/ Behaviour described in the analysis:\n\/\/ after validating bot + IP, fetch remote content and print it into the response\n\/\/ hxxps:\/\/amp-samaresmanor[.]pages[.]dev\n<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 
002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color:#24292e;color:#e1e4e8\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color:#6A737D\">\/\/ Behaviour described in the analysis:<\/span><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ after validating bot + IP, fetch remote content and print it into the response<\/span><\/span>\n<span class=\"line\"><span style=\"color:#6A737D\">\/\/ hxxps:\/\/amp-samaresmanor[.]pages[.]dev<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1444\" height=\"836\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Remote-Payload-Execution-via-cURL.png\" alt=\"Diagram showing the malware fetching remote content via cURL and printing it into the page\" class=\"wp-image-112\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Remote-Payload-Execution-via-cURL.png 1444w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Remote-Payload-Execution-via-cURL-300x174.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Remote-Payload-Execution-via-cURL-1024x593.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Remote-Payload-Execution-via-cURL-768x445.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Remote-Payload-Execution-via-cURL-400x232.png 400w\" sizes=\"auto, (max-width: 1444px) 100vw, 1444px\" \/><figcaption class=\"wp-element-caption\">The payload is loaded remotely and returned to the crawler. <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4) Conditional logic with logging and \u201cfailsafes\u201d<\/h3>\n\n\n\n<p>The script also includes error handling and logging to monitor whether the remote payload is loading. 
If it fails, rather than returning a broken page to Google, it can redirect to <code>\/home\/<\/code> to keep up the appearance of normality.<\/p>\n\n\n\n<p>And when someone tries to spoof Googlebot (fake User-Agent) but the IP does not match, the malware logs something like \u201cFake GoogleBot detected\u201d and redirects to the legitimate home page.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1694\" height=\"680\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Conditional-Logic-and-Error-Logging.png\" alt=\"Flowchart with decisions: legitimate bot, fake bot and normal user, with redirects and logging\" class=\"wp-image-113\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Conditional-Logic-and-Error-Logging.png 1694w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Conditional-Logic-and-Error-Logging-300x120.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Conditional-Logic-and-Error-Logging-1024x411.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Conditional-Logic-and-Error-Logging-768x308.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Conditional-Logic-and-Error-Logging-1536x617.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/9\/2026\/01\/Conditional-Logic-and-Error-Logging-400x161.png 400w\" sizes=\"auto, (max-width: 1694px) 100vw, 1694px\" \/><figcaption class=\"wp-element-caption\">The malware's decision engine: validate, serve the payload, redirect and log events. <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Why tampering with WordPress core files helps the attacker<\/h2>\n\n\n\n<p>Modifying <code>index.php<\/code> gives the attacker an advantage: it is a guaranteed entry point, executed on practically every request to the site root. 
The analysis also describes how the malware leans on core files to keep the site functional while injecting the malicious behaviour.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li><code>wp-load.php<\/code>: by calling <code>require_once __DIR__ . '\/wp-load.php'<\/code>, the script bootstraps the WordPress environment, including access to the configuration and the database.<\/li>\n\n\n<li><code>wp-blog-header.php<\/code>: part of the normal flow of the legitimate <code>index.php<\/code>, usually required at the end of the file. The attacker can keep this behaviour so as not to \u201cbreak\u201d the site for ordinary users.<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Remediation: what is worth doing in a proper clean-up<\/h2>\n\n\n\n<p>As in any WordPress malware case, clean-up is not just deleting one line. The goal is to remove the payload, close the entry vector and reduce the likelihood of reinfection.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>Remove unknown files\/folders (anything you or your team do not recognise).<\/li>\n\n\n<li>Audit WordPress users and remove suspicious \u201csupport\u201d accounts\/admins.<\/li>\n\n\n<li>Rotate credentials (admin, FTP\/SFTP, hosting\/control panel, database).<\/li>\n\n\n<li>Check your own computer (full malware scan) to avoid reinfection through stolen credentials.<\/li>\n\n\n<li>Update WordPress core, themes and plugins (and remove abandoned components).<\/li>\n\n\n<li>Put a WAF (Web Application Firewall) in place to block malicious traffic and make uploads\/exploits and communication with known malicious infrastructure harder.<\/li>\n\n<\/ul>\n\n\n\n<div class=\"wp-block-group callout callout-info is-style-info is-layout-flow wp-block-group-is-layout-flow\" 
style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">A control that makes a difference in this kind of case<\/h4>\n\n\n<p>File Integrity Monitoring helps detect unauthorised changes to core files such as <code>index.php<\/code>, where this type of campaign tends to live without drawing attention.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">The takeaway for anyone running WordPress in production<\/h2>\n\n\n\n<p>The most uncomfortable aspect of this case is that it exploits an operational \u201cblind spot\u201d: the site can look perfect to humans while the search engine indexes completely different content. By combining User-Agent filtering with strict ASN\/CIDR validation (including IPv6) and bitwise matching, the attacker raises the bar for manual detection.<\/p>\n\n\n\n<p>In practice, beyond hardening and updates, it is worth treating <code>index.php<\/code> (and other core files) as a critical surface: change monitoring, regular audits and reviewing what Google is actually indexing via Search Console are measures that greatly reduce the time between infection and discovery.<\/p>\n\n\n<div class=\"references-section\">\n                <h2>References \/ Sources<\/h2>\n                <ul class=\"references-list\"><li><a href=\"https:\/\/blog.sucuri.net\/2026\/01\/malware-intercepts-googlebot-via-ip-verified-conditional-logic.html\" target=\"_blank\" rel=\"noopener noreferrer\">Malware Intercepts Googlebot via IP-Verified Conditional Logic<\/a><\/li><li><a href=\"https:\/\/blog.sucuri.net\/2026\/01\/google-sees-spam-you-see-your-site-a-cloaked-seo-spam-attack.html\" target=\"_blank\" rel=\"noopener noreferrer\">Google Sees Spam, You See Your Site: 
A Cloaked SEO Spam Attack<\/a><\/li><li><a href=\"https:\/\/www.virustotal.com\/gui\/url\/5a006beedf563c6215a31746d011d13fd4f2561a1bf3b557484c4532b13e1ec6?nocache=1\" target=\"_blank\" rel=\"noopener noreferrer\">VirusTotal URL report (amp-samaresmanor.pages.dev)<\/a><\/li><li><a href=\"https:\/\/publicwww.com\/websites\/amp-samaresmanor.pages\/\" target=\"_blank\" rel=\"noopener noreferrer\">publicwww results for amp-samaresmanor.pages<\/a><\/li><li><a href=\"https:\/\/sucuri.net\/website-firewall\/\" target=\"_blank\" rel=\"noopener noreferrer\">Web Application Firewall<\/a><\/li><li><a href=\"https:\/\/sucuri.net\/malware-detection-scanning\/\" target=\"_blank\" rel=\"noopener noreferrer\">File Integrity Monitoring \/ malware detection scanning<\/a><\/li><\/ul>\n            <\/div>","protected":false},"excerpt":{"rendered":"<p>Not all SEO spam comes with obvious redirects. Some campaigns inject content only for Google's crawlers, and validate the IP with CIDR logic and bitwise operations to go 
unnoticed.<\/p>\n","protected":false},"author":27,"featured_media":105,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[50,48,49,51,10],"class_list":["post-114","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-seguranca","tag-googlebot","tag-malware","tag-seo","tag-waf","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/posts\/114","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/users\/27"}],"replies":[{"embeddable":true,"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/comments?post=114"}],"version-history":[{"count":1,"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/posts\/114\/revisions"}],"predecessor-version":[{"id":159,"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/posts\/114\/revisions\/159"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/media\/105"}],"wp:attachment":[{"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/media?parent=114"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/categories?post=114"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/helloblog.io\/pt\/wp-json\/wp\/v2\/tags?post=114"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}