{"id":96,"date":"2026-01-13T00:00:00","date_gmt":"2026-01-12T23:00:00","guid":{"rendered":"https:\/\/helloblog.io\/ro\/googlebot-cloaking-malware-verificare-ip-asn-wordpress\/"},"modified":"2026-01-20T06:32:55","modified_gmt":"2026-01-20T05:32:55","slug":"googlebot-cloaking-malware-verificare-ip-asn-wordpress","status":"publish","type":"post","link":"https:\/\/helloblog.io\/ro\/googlebot-cloaking-malware-verificare-ip-asn-wordpress\/","title":{"rendered":"When Googlebot sees something different from users: cloaking malware with ASN-based IP verification (WordPress)"},"content":{"rendered":"\n<p>In recent years, many WordPress infections have taken the \u201cnoisy\u201d route: obvious redirects, dubious pop-ups, pages that break in front of users. Increasingly, though, a different approach is showing up: selective attacks that leave your site looking perfectly normal to you and your visitors, but deliver different content to search engines.<\/p>\n\n\n\n<p>A case analyzed by Sucuri shows a more advanced version of <em>cloaking<\/em> (an SEO technique in which the crawler sees something different from what a human sees): code injected into <code>index.php<\/code> that \u201cintercepts\u201d Googlebot and serves it a payload from an external domain, but only after confirming that the IP really belongs to Google's infrastructure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What was compromised: <code>index.php<\/code> as a traffic \u201cgatekeeper\u201d<\/h2>\n\n\n\n<p>Instead of letting WordPress boot normally, <code>index.php<\/code> was modified so that it decides which response the visitor receives. 
In practice, the file becomes a filter at the entrance:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>if the visitor appears to be Google (not just by <code>User-Agent<\/code>, but also by IP), it receives content injected from a remote source;<\/li>\n\n\n<li>if not, the site behaves normally and loads WordPress as usual.<\/li>\n\n<\/ul>\n\n\n\n<p>From the owner's perspective, the problem can go completely unnoticed: you browse the site and everything looks fine. Meanwhile, Google's index shows pages\/snippets that do not actually exist on the site.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why it differs from \u201cclassic\u201d cloaking<\/h2>\n\n\n\n<p>Most cloaking scripts rely on simplistic checks against the <code>HTTP_USER_AGENT<\/code> header (for example, whether it contains \u201cGooglebot\u201d). That is easy to fool: you change your User-Agent and reproduce the behavior.<\/p>\n\n\n\n<p>In this case, the interesting part is that the malware includes a hardcoded list of IP ranges associated with Google's ASNs (Autonomous System Numbers), in CIDR format, and mathematically validates that the IP belongs to one of those ranges. In other words, it is not enough to \u201csay\u201d you are Googlebot; it wants to see that you are coming from Google's network.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">ASN in brief<\/h3>\n\n\n\n<p>An ASN (Autonomous System Number) is, in practice, the identity of a network on the internet: a set of IPs controlled by an organization (here, Google) and used by its services. 
If a request comes from a Google ASN, the probability that it is the real crawler (or legitimate Google infrastructure) increases drastically.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">CIDR in brief<\/h3>\n\n\n\n<p>CIDR is the compact notation for a block of IPs, such as <code>192.168.1.0\/24<\/code>. The <code>\/24<\/code> suffix describes the network mask and the size of the block, avoiding the need to list each individual IP.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1360\" height=\"636\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/IP-Verified-Conditional-Logic.png\" alt=\"Diagram: conditional logic with IP verification to deliver the payload only to the crawler\" class=\"wp-image-88\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/IP-Verified-Conditional-Logic.png 1360w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/IP-Verified-Conditional-Logic-300x140.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/IP-Verified-Conditional-Logic-1024x479.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/IP-Verified-Conditional-Logic-768x359.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/IP-Verified-Conditional-Logic-400x187.png 400w\" sizes=\"auto, (max-width: 1360px) 100vw, 1360px\" \/><figcaption class=\"wp-element-caption\">Selective attack: different content depending on the visitor's identity \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">How the attack works, step by step<\/h2>\n\n\n\n<p>The script in <code>index.php<\/code> combines several layers of verification and only at the end decides whether to serve the malicious content or load the clean site.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Multi-layer verification: User-Agent + IP<\/h3>\n\n\n\n<p>First, <code>HTTP_USER_AGENT<\/code> is checked for several strings associated with the Google ecosystem (not just \u201cGooglebot\u201d, but also verification\/inspection tools and API crawlers). Because the User-Agent can be spoofed easily, the second step is validating the IP against Google's ranges.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1880\" height=\"498\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Multi-Layer-Identity-Verification.png\" alt=\"Diagram: identity verification based on User-Agent and IP\" class=\"wp-image-89\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Multi-Layer-Identity-Verification.png 1880w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Multi-Layer-Identity-Verification-300x79.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Multi-Layer-Identity-Verification-1024x271.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Multi-Layer-Identity-Verification-768x203.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Multi-Layer-Identity-Verification-1536x407.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Multi-Layer-Identity-Verification-400x106.png 400w\" sizes=\"auto, (max-width: 1880px) 100vw, 1880px\" \/><figcaption class=\"wp-element-caption\">Two-step verification: header + IP origin \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">2) IP validation with bitwise operations (IPv4\/IPv6)<\/h3>\n\n\n\n<p>Instead of simple string comparisons, the code performs <em>bitwise<\/em> calculations to determine whether the IP falls exactly within a CIDR block. 
For IPv4, the core logic looks like this:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#24292e\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>\/\/ Idea: if (IP &amp; netmask) == (range &amp; netmask), the IP belongs to the block\n($ip_decimal &amp; $netmask_decimal) == ($range_decimal &amp; $netmask_decimal);\n<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 
002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki github-dark\" style=\"background-color:#24292e;color:#e1e4e8\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color:#6A737D\">\/\/ Idea: if (IP &#x26; netmask) == (range &#x26; netmask), the IP belongs to the block<\/span><\/span>\n<span class=\"line\"><span style=\"color:#E1E4E8\">($ip_decimal <\/span><span style=\"color:#F97583\">&#x26;<\/span><span style=\"color:#E1E4E8\"> $netmask_decimal) <\/span><span style=\"color:#F97583\">==<\/span><span style=\"color:#E1E4E8\"> ($range_decimal <\/span><span style=\"color:#F97583\">&#x26;<\/span><span style=\"color:#E1E4E8\"> $netmask_decimal);<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>The detail that raises the bar here is robust IPv6 support, which many older scripts ignore. This greatly reduces the chances of \u201ccatching\u201d the infection through manual testing, because the attacker can restrict payload delivery to Google's real infrastructure.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1420\" height=\"734\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Bitwise-IP-Range-Validation.png\" alt=\"Visual excerpt showing bitwise IP validation against CIDR ranges\" class=\"wp-image-90\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Bitwise-IP-Range-Validation.png 1420w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Bitwise-IP-Range-Validation-300x155.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Bitwise-IP-Range-Validation-1024x529.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Bitwise-IP-Range-Validation-768x397.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Bitwise-IP-Range-Validation-400x207.png 400w\" sizes=\"auto, 
(max-width: 1420px) 100vw, 1420px\" \/><figcaption class=\"wp-element-caption\">Validating that an IP belongs to a CIDR block using bitwise operations \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1332\" height=\"620\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/CIDR-format.png\" alt=\"Explanatory diagram of the CIDR format\" class=\"wp-image-91\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/CIDR-format.png 1332w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/CIDR-format-300x140.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/CIDR-format-1024x477.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/CIDR-format-768x357.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/CIDR-format-400x186.png 400w\" sizes=\"auto, (max-width: 1332px) 100vw, 1332px\" \/><figcaption class=\"wp-element-caption\">CIDR: a compact representation for IP ranges \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">3) Remote payload delivered via cURL<\/h3>\n\n\n\n<p>Once the visitor is confirmed as \u201clegitimate Google\u201d, the script requests external content via cURL and outputs it directly in the page response. 
The domain mentioned in the analysis is:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#24292e\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" style=\"color:#e1e4e8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><pre class=\"code-block-pro-copy-button-pre\" aria-hidden=\"true\"><textarea class=\"code-block-pro-copy-button-textarea\" tabindex=\"-1\" aria-hidden=\"true\" readonly>hxxps:\/\/amp-samaresmanor[.]pages[.]dev\n<\/textarea><\/pre><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki 
github-dark\" style=\"background-color:#24292e;color:#e1e4e8\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color:#B392F0\">hxxps:\/\/amp-samaresmanor[.]pages[.]dev<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<p>The idea is simple and effective: Google believes that your site's page hosts that content (because it sees it in the final HTML), even though it is actually injected at runtime from elsewhere.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1444\" height=\"836\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Remote-Payload-Execution-via-cURL.png\" alt=\"Diagram: loading the remote payload via cURL and displaying it in the page\" class=\"wp-image-92\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Remote-Payload-Execution-via-cURL.png 1444w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Remote-Payload-Execution-via-cURL-300x174.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Remote-Payload-Execution-via-cURL-1024x593.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Remote-Payload-Execution-via-cURL-768x445.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Remote-Payload-Execution-via-cURL-400x232.png 400w\" sizes=\"auto, (max-width: 1444px) 100vw, 1444px\" \/><figcaption class=\"wp-element-caption\">The content is fetched remotely and \u201cpasted\u201d into the response delivered to the crawler \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">4) Extended User-Agent filtering (not just Googlebot)<\/h3>\n\n\n\n<p>Another sign that the script was designed for SEO results: the User-Agent list also covers verification and indexing tools, so that the attacker gets the malicious content recorded and validated in as many Google workflows as possible.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1682\" height=\"554\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/User-Agent-Filtering.png\" alt=\"Visual excerpt: list of User-Agents filtered by the malware\" class=\"wp-image-93\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/User-Agent-Filtering.png 1682w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/User-Agent-Filtering-300x99.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/User-Agent-Filtering-1024x337.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/User-Agent-Filtering-768x253.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/User-Agent-Filtering-1536x506.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/User-Agent-Filtering-400x132.png 400w\" sizes=\"auto, (max-width: 1682px) 100vw, 1682px\" \/><figcaption class=\"wp-element-caption\">Filtering on multiple User-Agents associated with Google services \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">5) Conditional logic + error logging<\/h3>\n\n\n\n<p>The script also has decision mechanisms with fallback and logging, to reduce the risk of \u201cbroken\u201d pages for the crawler. 
According to the description:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>if the User-Agent and IP are valid: it serves the remote payload and logs the success; if the payload cannot be loaded, it redirects the bot to <code>\/home\/<\/code> so as not to expose an empty page;<\/li>\n\n\n<li>if the User-Agent looks like Google but the IP does not match: it logs \u201cFake GoogleBot detected\u201d and redirects to the legitimate page;<\/li>\n\n\n<li>for regular users: it redirects straight to the home\/normal page.<\/li>\n\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1694\" height=\"680\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Conditional-Logic-and-Error-Logging.png\" alt=\"Diagram: conditional decision, redirects and logging depending on Googlebot validation\" class=\"wp-image-94\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Conditional-Logic-and-Error-Logging.png 1694w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Conditional-Logic-and-Error-Logging-300x120.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Conditional-Logic-and-Error-Logging-1024x411.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Conditional-Logic-and-Error-Logging-768x308.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Conditional-Logic-and-Error-Logging-1536x617.png 1536w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/Conditional-Logic-and-Error-Logging-400x161.png 400w\" sizes=\"auto, (max-width: 1694px) 100vw, 1694px\" \/><figcaption class=\"wp-element-caption\">The decision engine: verify, serve, redirect, log \u2014 <em>Source: Sucuri 
Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Why WordPress core files are touched (and why it is serious)<\/h2>\n\n\n\n<p>One reason such infections are hard to detect: the attacker preserves the site's normal functionality, \u201cbootstrapping\u201d WordPress only when needed. Two files appear explicitly in the Sucuri analysis:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li><code>wp-load.php<\/code> \u2013 loaded via <code>require_once __DIR__ . '\/wp-load.php'<\/code> to initialize the WordPress environment (config, DB, etc.);<\/li>\n\n\n<li><code>wp-blog-header.php<\/code> \u2013 part of the normal flow of the standard <code>index.php<\/code>, normally included at the end.<\/li>\n\n<\/ul>\n\n\n\n<p>When a core file such as <code>index.php<\/code> is modified, the effect propagates immediately: every request enters through that \u201ccheckpoint\u201d. For this reason, file integrity monitoring becomes a critical measure, not a nice-to-have.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The real impact: SEO, reputation and long time to detection<\/h2>\n\n\n\n<p>The main goal here is not necessarily data theft, but compromising indexing and search reputation. 
Because Google sees different content than users do, the typical consequences include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>blacklisting or spam\/malware signals in search;<\/li>\n\n\n<li>deindexing or sudden drops in visibility;<\/li>\n\n\n<li>\u201cresource hijacking\u201d (your site becomes a vehicle for someone else's content);<\/li>\n\n\n<li>delayed detection, because the owner sees nothing suspicious during normal browsing.<\/li>\n\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1270\" height=\"936\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/What-Google-sees.png\" alt=\"Screenshot: spam content shown in Google while the site looks normal to visitors\" class=\"wp-image-95\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/What-Google-sees.png 1270w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/What-Google-sees-300x221.png 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/What-Google-sees-1024x755.png 1024w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/What-Google-sees-768x566.png 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/10\/2026\/01\/What-Google-sees-400x295.png 400w\" sizes=\"auto, (max-width: 1270px) 100vw, 1270px\" \/><figcaption class=\"wp-element-caption\">The typical difference in cloaking attacks: Google indexes different content from what you see \u2014 <em>Source: Sucuri Blog<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Signs that you might have a \u201ccrawler interception\u201d infection<\/h2>\n\n\n\n<p>In practice, the indicators are mostly indirect. 
If you suspect a compromise of this kind, it is worth checking:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>dubious results in Google (titles\/descriptions that do not match, new pages you did not create);<\/li>\n\n\n<li>recently modified files, especially in the site root (e.g. <code>index.php<\/code>);<\/li>\n\n\n<li>suspicious URLs in code or in logs;<\/li>\n\n\n<li>unusual logs (requests to external domains, conditional redirects, errors that appear only for certain User-Agents).<\/li>\n\n<\/ul>\n\n\n\n<div class=\"wp-block-group callout callout-warning is-style-warning is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Indicator from the analysis<\/h4>\n\n\n<p>The domain <code>amp-samaresmanor[.]pages[.]dev<\/code> appears as the payload source. At the time of the analysis, the URL was reported on VirusTotal and there were several affected sites (according to Sucuri).<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Remediation: what makes sense to do right away<\/h2>\n\n\n\n<p>In such cases, \u201cjust deleting a snippet\u201d is rarely enough. The right approach is to treat the incident as a full compromise:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n\n<li>Remove files and directories that are unknown or do not belong to your deployment. Pay special attention to modified core files (e.g. <code>index.php<\/code>).<\/li>\n\n\n<li>Audit WordPress users: remove helper accounts (\u201chelp account\u201d) or suspicious admins.<\/li>\n\n\n<li>Reset credentials: WordPress admin, FTP\/SFTP, hosting panel, DB. 
(If an exposed password remains, reinfection is very likely.)<\/li>\n\n\n<li>Run an antivirus\/malware scan on your workstation. A compromised laptop can reintroduce modified files via FTP or saved tokens.<\/li>\n\n\n<li>Update everything: WordPress core, plugins, themes. (Plus removing abandoned components.)<\/li>\n\n\n<li>Put a WAF (Web Application Firewall) in front. A good WAF can block communication with malicious infrastructure (C2) and can reduce the chances of initial upload or repeated exploitation.<\/li>\n\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Pragmatic prevention for WordPress sites<\/h2>\n\n\n\n<p>Two measures stand out in the context of this type of attack:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li><strong>File Integrity Monitoring<\/strong> for core files (especially <code>index.php<\/code>) \u2013 you want to find out immediately when something has changed, not weeks later, when SEO has already been affected.<\/li>\n\n\n<li>Regular audits in Google Search Console \u2013 check for unexpected pages, abnormal increases in the number of indexed URLs, spam queries, odd sitemaps.<\/li>\n\n<\/ul>\n\n\n\n<p>The bottom line: modern malware no longer needs to be visible to cause damage. 
If the attacker can abuse the search engine's trust without alerting you through obvious symptoms, detection becomes a matter of process (monitoring, auditing, change control), not just of \u201cluck\u201d or manual browsing.<\/p>\n\n\n<div class=\"references-section\">\n                <h2>References \/ Sources<\/h2>\n                <ul class=\"references-list\"><li><a href=\"https:\/\/blog.sucuri.net\/2026\/01\/malware-intercepts-googlebot-via-ip-verified-conditional-logic.html\" target=\"_blank\" rel=\"noopener noreferrer\">Malware Intercepts Googlebot via IP-Verified Conditional Logic<\/a><\/li><li><a href=\"https:\/\/blog.sucuri.net\/2026\/01\/google-sees-spam-you-see-your-site-a-cloaked-seo-spam-attack.html\" target=\"_blank\" rel=\"noopener noreferrer\">Google Sees Spam, You See Your Site: A Cloaked SEO Spam Attack<\/a><\/li><li><a href=\"https:\/\/www.virustotal.com\/gui\/url\/5a006beedf563c6215a31746d011d13fd4f2561a1bf3b557484c4532b13e1ec6?nocache=1\" target=\"_blank\" rel=\"noopener noreferrer\">VirusTotal URL report (amp-samaresmanor.pages.dev)<\/a><\/li><li><a href=\"https:\/\/publicwww.com\/websites\/amp-samaresmanor.pages\/\" target=\"_blank\" rel=\"noopener noreferrer\">PublicWWW results for amp-samaresmanor.pages<\/a><\/li><li><a href=\"https:\/\/sucuri.net\/website-firewall\/\" target=\"_blank\" rel=\"noopener noreferrer\">Sucuri Website Firewall<\/a><\/li><li><a href=\"https:\/\/sucuri.net\/malware-detection-scanning\/\" target=\"_blank\" rel=\"noopener noreferrer\">File Integrity Monitoring \/ Malware Detection Scanning<\/a><\/li><\/ul>\n            <\/div>","protected":false},"excerpt":{"rendered":"<p>There are infections that do not visibly break your site, but compromise your reputation in Google. 
A recent example: malware in `index.php` that delivers remote content only to Google's crawlers, verifying the IP by ASN, not just the User-Agent.<\/p>\n","protected":false},"author":32,"featured_media":87,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[57,56,54,55,53],"class_list":["post-96","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-securitate","tag-file-integrity","tag-googlebot","tag-malware","tag-seo-cloaking","tag-wordpress-security"],"_links":{"self":[{"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/posts\/96","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/comments?post=96"}],"version-history":[{"count":1,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/posts\/96\/revisions"}],"predecessor-version":[{"id":142,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/posts\/96\/revisions\/142"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/media\/87"}],"wp:attachment":[{"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/media?parent=96"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/categories?post=96"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/helloblog.io\/ro\/wp-json\/wp\/v2\/tags?post=96"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}