Hello,
While redesigning my site (WP), we have just noticed that there were strange files at the root of the site on the server. Another strange thing: many images (e.g. https://www.9lives-magazine.com/wp-content/uploads/2020/06/Jean-Michel-Fauque-Sans-titre-2010-1.jpg) do appear on the site and in WP, but do not exist on the server!
Another worry: today the site weighs 33.48 GB, whereas 2 weeks ago I am almost sure it weighed half as much.
The developer handling the redesign of the site suspects a virus, an attack.
What do you advise?
Thank you
> What do you advise?
have your site analysed, because seen from a distance there is nothing visible, apart from a potential SEO problem: only 9 pages indexed?
from what I can see, if it is infected, that is to be expected given its age: no updates at all
> that there were strange files at the root of the site on the server.
what names?
what content?
Thanks for your reply kyodev!
That is indeed the goal of the redesign: to apply all the updates.
> only 9 pages indexed?
What do you mean?? I do have an SEO plugin, though, and there are more than 5000 articles on this site!
> what names?
> what content?
android-app.php
api-oiezgjfoizrhgozrghorigsj-3.php
api-oiezgjfoizrhgozrghorigsj2.php
I have a wp-snapshots file…
> What do you mean??
my mistake: after refreshing, I see "10000+"
https://www.google.fr/search?q=site:9lives-magazine.com
> api-oiezgjfoizrhgozrghorigsj-3.php
what's in it?
I'm reassured about the indexing
Here is the content of the file:
```php
<?php
// Load DB_HOST, DB_USER, DB_PASSWORD and DB_NAME from the WordPress configuration
include "wp-config.php";
$link = mysqli_connect(explode(':', DB_HOST)[0], DB_USER, DB_PASSWORD, DB_NAME);
mysqli_set_charset($link, 'utf8');
$params = $_GET;
// The "page" query parameter selects which fixed query is run
switch ($params['page']) {
    case "allEvents":
        $sql = "
            SELECT DISTINCT event.event_name AS event_name,
            event.event_id AS event_id,
            event.location_id AS location_id,
            event.post_content AS post_content,
            postAttachment.guid AS event_image,
            postAttachment.post_excerpt AS event_image_legend,
            event.event_start_date AS event_start_date,
            event.event_end_date AS event_end_date,
            '8.50' AS event_price,
            '$' AS event_price_devise,
            (
                SELECT mod229_term_relationships.term_taxonomy_id
                FROM mod229_postmeta
                LEFT JOIN mod229_term_relationships ON mod229_term_relationships.object_id = mod229_postmeta.post_id
                LEFT JOIN mod229_term_taxonomy ON mod229_term_relationships.term_taxonomy_id = mod229_term_taxonomy.term_taxonomy_id
                WHERE mod229_postmeta.post_id = post.ID
                AND mod229_term_taxonomy.taxonomy = 'event-categories'
                LIMIT 1
            ) AS event_category_id, users.ID AS event_artist_id
            FROM mod229_em_events AS event LEFT JOIN mod229_posts AS post ON event.post_id = post.ID
            LEFT JOIN mod229_postmeta AS postmeta ON post.ID = postmeta.post_id AND postmeta.meta_key = '_thumbnail_id'
            LEFT JOIN mod229_posts AS postAttachment ON postmeta.meta_value = postAttachment.ID
            LEFT JOIN mod229_term_relationships AS artistRelationship ON artistRelationship.object_id = post.ID
            LEFT JOIN mod229_term_taxonomy AS artistTaxonomy ON artistRelationship.term_taxonomy_id = artistTaxonomy.term_taxonomy_id
            LEFT JOIN
            (
                SELECT REPLACE(slug,'cap-', '') AS slug, term_id
                FROM mod229_terms
            ) AS terms ON artistTaxonomy.term_id = terms.term_id
            LEFT JOIN mod229_users AS users ON terms.slug = users.user_nicename
            LEFT JOIN mod229_em_locations AS location ON event.location_id = location.location_id
            WHERE event.event_status = 1 AND event.event_end_date >= NOW()
        ";
        // if ($whereDistanceFormule) {
        //     $sql .= "AND " . $whereDistanceFormule;
        // }
        // if ($filterID) {
        //     $sql .= "AND event.event_id = " . $filterID;
        // }
        $sql = $sql . " ORDER BY event.event_id";
        break;
    case "allPlaces":
        $sql = "
            SELECT location.location_id as location_id,
            location.location_name as location_name,
            location.location_latitude as location_latitude,
            location.location_longitude as location_longitude,
            location.location_address as location_address,
            location.location_town as location_town,
            location.location_postcode as location_postcode,
            location.location_country as location_country,
            post.post_content as post_content, postAttachment.guid as place_image,
            postmetaMail.meta_value as mail,
            postmetaWeb.meta_value as website,
            postmetaTel.meta_value as tel
        ";
        // if ($selectDistanceFormule) {
        //     $sql .= ", " . $selectDistanceFormule . " as distance";
        // }
        $sql = $sql . "
            FROM mod229_em_locations as location
            LEFT JOIN mod229_posts as post ON location.post_id = post.ID
            LEFT JOIN mod229_postmeta as postmetaImage ON post.ID = postmetaImage.post_id AND postmetaImage.meta_key = '_thumbnail_id'
            LEFT JOIN mod229_posts as postAttachment ON postmetaImage.meta_value = postAttachment.ID
            LEFT JOIN mod229_postmeta as postmetaMail ON post.ID = postmetaMail.post_id AND postmetaMail.meta_key = 'email'
            LEFT JOIN mod229_postmeta as postmetaWeb ON post.ID = postmetaWeb.post_id AND postmetaWeb.meta_key = 'site_web'
            LEFT JOIN mod229_postmeta as postmetaTel ON post.ID = postmetaTel.post_id AND postmetaTel.meta_key = 'telephone'
        ";
        // if ($whereDistanceFormule) {
        //     $sql .= "WHERE " . $whereDistanceFormule;
        //     if ($filterID) {
        //         $sql .= " AND location.location_id = " . $filterID;
        //     }
        // } elseif ($filterID) {
        //     $sql .= "WHERE location.location_id = " . $filterID;
        // }
        break;
    case "allCategories":
        $sql = "
            SELECT terms.term_id AS category_id,
            terms.name AS category_name,
            imageEventMeta.meta_value AS category_image,
            backgroundColorEventMeta.meta_value AS 'category_background-color'
            FROM mod229_term_taxonomy AS taxonomy
            INNER JOIN mod229_terms AS terms ON taxonomy.term_id = terms.term_id
            LEFT JOIN mod229_em_meta AS imageEventMeta ON imageEventMeta.object_id = terms.term_id AND imageEventMeta.meta_key = 'category-image'
            LEFT JOIN mod229_em_meta AS backgroundColorEventMeta ON backgroundColorEventMeta.object_id = terms.term_id AND backgroundColorEventMeta.meta_key = 'category-bgcolor'
            WHERE taxonomy.taxonomy = 'event-categories'
            AND terms.term_id IN (SELECT term_taxonomy_id FROM mod229_term_relationships)";
        // if ($filterID) {
        //     $sql .= "AND terms.term_id = " . $filterID;
        // }
        break;
    case "allArtists":
        // $sql = "
        //     SELECT DISTINCT(users.ID),
        //     users.display_name,
        //     users.user_email AS mail,
        //     metaBiography.meta_value AS biography,
        //     users.user_url AS website,
        //     postPicture.guid AS artist_picture
        //     FROM mod229_term_taxonomy AS taxonomy
        //     INNER JOIN
        //     (
        //         SELECT REPLACE(slug,'cap-', '') AS slug, term_id
        //         FROM mod229_terms
        //     ) AS terms ON taxonomy.term_id = terms.term_id
        //     INNER JOIN mod229_users AS users ON terms.slug = users.user_nicename
        //     LEFT JOIN mod229_usermeta AS metaBiography ON metaBiography.user_id = users.ID
        //     AND metaBiography.meta_key = 'description'
        //     LEFT JOIN mod229_usermeta AS metaPicture ON metaPicture.user_id = users.ID
        //     AND metaPicture.meta_key = 'avatar_manager_custom_avatar'
        //     LEFT JOIN mod229_posts AS postPicture ON postPicture.ID = metaPicture.meta_value
        //     WHERE taxonomy.taxonomy = 'author'
        //     ORDER BY ID DESC
        // ";
        $sql = "
            SELECT DISTINCT(users.ID),
            users.display_name,
            users.user_email AS mail,
            metaBiography.meta_value AS biography,
            users.user_url AS website,
            postPicture.guid AS artist_picture,
            metaFacebook.meta_value AS facebook,
            metaLinkedin.meta_value AS linkedin,
            metaInstagram.meta_value AS instagram,
            metaTwitter.meta_value AS twitter,
            metaVimeo.meta_value AS vimeo
            FROM mod229_users AS users
            LEFT JOIN mod229_usermeta AS metaBiography ON metaBiography.user_id = users.ID
            AND metaBiography.meta_key = 'description'
            LEFT JOIN mod229_usermeta AS metaPicture ON metaPicture.user_id = users.ID
            AND metaPicture.meta_key = 'avatar_manager_custom_avatar'
            LEFT JOIN mod229_posts AS postPicture ON postPicture.ID = metaPicture.meta_value
            LEFT JOIN mod229_usermeta AS metaFacebook ON metaFacebook.user_id = users.ID
            AND metaFacebook.meta_key = 'unpress_author_facebook'
            LEFT JOIN mod229_usermeta AS metaLinkedin ON metaLinkedin.user_id = users.ID
            AND metaLinkedin.meta_key = 'unpress_author_linkedin'
            LEFT JOIN mod229_usermeta AS metaInstagram ON metaInstagram.user_id = users.ID
            AND metaInstagram.meta_key = 'unpress_author_instagram'
            LEFT JOIN mod229_usermeta AS metaTwitter ON metaTwitter.user_id = users.ID
            AND metaTwitter.meta_key = 'unpress_author_twitter'
            LEFT JOIN mod229_usermeta AS metaVimeo ON metaVimeo.user_id = users.ID
            AND metaVimeo.meta_key = 'unpress_author_vimeo'
        ";
        //
        // if ($filterID) {
        //     $sql .= "AND users.ID = " . $filterID;
        // }
        break;
    default:
        error(404, "route not found");
        quit($link);
        break;
}
// execute SQL statement
$result = mysqli_query($link, $sql);
// die if SQL statement failed
if (!$result) {
    error(500, mysqli_error($link));
    quit($link);
}
// collect every row of the result set
$data = [];
while ($datum = mysqli_fetch_assoc($result)) {
    $data[] = $datum;
}
http_response_code(200);
header("Content-Type: application/json");
echo json_encode(
    [
        'data' => $data,
        'status' => 'success',
    ]
);
// close the MySQL connection
mysqli_close($link);

// send an HTTP status and a JSON error body
function error($status, $message)
{
    http_response_code($status);
    echo json_encode(
        [
            "error" => [
                "status" => $status,
                "message" => $message,
            ],
            "status" => "fail",
        ]
    );
}

// close the MySQL connection and stop the script
function quit($link)
{
    mysqli_close($link);
    die();
}
```
> Here is the content of the file:
nothing that looks like a virus
it looks more like tests and misplaced files; the root is not the legitimate place in the long term
> today the site weighs 33.48 GB
> I have a wp-snapshots file…
for that you could look at your backup plugin's settings, you may have a number of useless backups (apart from the fact that one should not keep a backup on Ovh, it makes no sense)
Thaaanks!
Any idea about the image that doesn't exist on the server? I'm stumped there!!!
> Any idea about the image that doesn't exist on the server? I'm stumped there!!!
I don't know what you are talking about
```text
curl --head https://www.9lives-magazine.com/wp-content/uploads/2020/06/Jean-Michel-Fauque-Sans-titre-2010-1.jpg
HTTP/2 200
```
this file is on the server
> The developer handling
I'm doing his job here....
but careful, as for the virus, I have no means of settling it
so I'll stop there
Thanks for your answers. Just to clarify that we do not "see" this file on the server over FTP. Whereas it does appear on the site and in the WP media library… But thanks anyway, we are going to "look"...
> that we do not "see" this file
it is there, necessarily; I gave you the location (URL)
enable/use sftp: https://framagit.org/sdeb/web/-/wikis/sftp_ovh
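
Added example, not part of the thread and not code from any participant: a shell triage for the symptoms discussed above (PHP files in the document root that WordPress does not ship, a file that includes wp-config.php, and a site whose size doubled). The function names and the document-root path passed as argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# PHP files a WordPress install normally has in its document root.
WP_CORE_ROOT="index.php wp-activate.php wp-blog-header.php \
wp-comments-post.php wp-config.php wp-config-sample.php wp-cron.php \
wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php \
wp-signup.php wp-trackback.php xmlrpc.php"

# List root-level .php files that are not in that set, one per line as
# "name<TAB>flag". The flag is "reads-wp-config" when the file mentions
# wp-config.php (it can load the database credentials, like the API file
# posted above), otherwise "-".
unexpected_root_php() {
    root=$1
    for f in "$root"/*.php; do
        [ -f "$f" ] || continue          # also skips an unmatched glob
        name=${f##*/}
        case " $WP_CORE_ROOT " in
            *" $name "*) continue ;;     # known WordPress file
        esac
        if grep -q 'wp-config\.php' "$f"; then
            printf '%s\treads-wp-config\n' "$name"
        else
            printf '%s\t-\n' "$name"
        fi
    done
}

# Show the N largest first-level directories (sizes in KiB), to see
# whether backups such as wp-snapshots explain a sudden size increase.
largest_dirs() {
    root=$1
    n=${2:-5}
    du -sk "$root"/*/ 2>/dev/null | sort -rn | head -n "$n"
}

# Stand-alone use: sh triage.sh /path/to/document-root
if [ "$#" -gt 0 ]; then
    echo "PHP files in the root that are not WordPress core:"
    unexpected_root_php "$1"
    echo "Largest directories (KiB):"
    largest_dirs "$1"
fi
```

A file listed by the first function is only a candidate for review: open it and read it, as was done in the thread.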
