Site compromised by a script uploaded through the Theme Editor

Date: 2012-08-02  Author: IMB

We have had several WordPress sites compromised, all with the same pattern (at least that is what the raw access logs say). From the logs it looks like they log straight into WordPress, then go to Theme Editor > edit the 404.php file with malicious code, which they then run to wreck the site.

Here is the log (the site has been replaced with example.com):

125.167.118.62 - - [01/Aug/2012:14:22:58 +0800] "GET / HTTP/1.1" 200 6318 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/css/supersized.css HTTP/1.1" 200 2556 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/js/effects.js?ver=3.4.1 HTTP/1.1" 200 890 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/js/superfish.js?ver=3.4.1 HTTP/1.1" 200 3083 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/style.css HTTP/1.1" 200 23095 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:01 +0800] "GET /wp-content/themes/Wallbase/js/supersized.3.1.3.min.js?ver=3.4.1 HTTP/1.1" 200 11671 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/css/prettyphoto.css HTTP/1.1" 200 19697 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:01 +0800] "GET /wp-content/themes/Wallbase/js/jquery.prettyPhoto.js?ver=3.4.1 HTTP/1.1" 200 22373 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:02 +0800] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-includes/js/jquery/jquery.js?ver=1.7.2 HTTP/1.1" 200 94861 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:02 +0800] "GET /wp-login.php HTTP/1.1" 200 2171 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:04 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 200 36317 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:04 +0800] "GET /wp-admin/css/wp-admin.css?ver=3.4.1 HTTP/1.1" 200 108246 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:07 +0800] "GET /wp-admin/images/button-grad.png HTTP/1.1" 200 243 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:07 +0800] "GET /wp-admin/images/wordpress-logo.png?ver=20120216 HTTP/1.1" 200 5048 "http://example.com/wp-admin/css/wp-admin.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:13 +0800] "POST /wp-login.php HTTP/1.1" 302 - "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:14 +0800] "GET /wp-admin/ HTTP/1.1" 200 52163 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:19 +0800] "GET /wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1 HTTP/1.1" 200 28480 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-includes/js/thickbox/thickbox.css?ver=3.4.1 HTTP/1.1" 200 3870 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-content/themes/Wallbase/images/slide.png HTTP/1.1" 200 198 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:21 +0800] "GET /wp-admin/load-styles.php?c=1&dir=ltr&load=wp-jquery-ui-dialog&ver=3.4.1 HTTP/1.1" 200 1087 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:22 +0800] "GET /wp-admin/images/wpspin_light.gif HTTP/1.1" 200 2193 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:24 +0800] "GET /wp-admin/images/media-button.png?ver=20111005 HTTP/1.1" 200 3117 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-includes/css/editor.css?ver=3.4.1 HTTP/1.1" 200 43861 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-admin/load-scripts.php?c=1&load=jquery,utils&ver=3.4.1 HTTP/1.1" 200 37529 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:21 +0800] "GET /wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color,wp-ajax-response,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,thickbox,plugin-install,media-upload,word-count,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-position,jquery-ui-dialog,wpdialogs,wplink,wpdialogs-popup&ver=3.4.1 HTTP/1.1" 200 56368 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-includes/images/admin-bar-sprite.png?d=20111130 HTTP/1.1" 200 3999 "http://example.com/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/arrows.png HTTP/1.1" 200 494 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/menu-shadow.png HTTP/1.1" 200 131 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/wp-badge.png?ver=20111120 HTTP/1.1" 200 14352 "http://example.com/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:52 +0800] "GET /wp-admin/images/white-grad.png HTTP/1.1" 200 210 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:52 +0800] "GET /wp-admin/images/xit.gif HTTP/1.1" 200 182 "http://example.com/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/menu.png?ver=20120201 HTTP/1.1" 200 13585 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:52 +0800] "GET /wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.1" 200 5886 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/icons32.png?ver=20111206 HTTP/1.1" 200 13441 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:00 +0800] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 47622 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:03 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:04 +0800] "GET /wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color&ver=3.4.1 HTTP/1.1" 200 5480 "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:25 +0800] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 48032 "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:28 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:48 +0800] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyten HTTP/1.1" 200 26759 "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:50 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:20 +0800] "GET /wp-admin/images/button-grad-active.png HTTP/1.1" 200 284 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:20 +0800] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:58 +0800] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyten&scrollto=22492&updated=true HTTP/1.1" 200 151535 "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:28:06 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten&scrollto=22492&updated=true" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:01 +0800] "GET /wp-content/themes/twentyten/404.php HTTP/1.1" 200 39291 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=sort_asc HTTP/1.1" 200 85 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_lnk HTTP/1.1" 200 572 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=small_dir HTTP/1.1" 200 498 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_diz HTTP/1.1" 200 1034 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=change HTTP/1.1" 200 290 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_php HTTP/1.1" 200 1125 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=download HTTP/1.1" 200 161 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=arrow_ltr HTTP/1.1" 200 88 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_png HTTP/1.1" 200 175 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_css HTTP/1.1" 200 134 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_txt HTTP/1.1" 200 132 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:29 +0800] "GET /wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 27424 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:31 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_htaccess HTTP/1.1" 200 117 "http://example.com/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:32 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_html HTTP/1.1" 200 1125 "http://example.com/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:17 +0800] "GET /wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html HTTP/1.1" 200 7686 "http://example.com/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:20 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_exe HTTP/1.1" 200 118 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:21 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_gif HTTP/1.1" 200 175 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:21 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_ini HTTP/1.1" 200 134 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:21 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_rtf HTTP/1.1" 200 164 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:31:14 +0800] "POST /wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html%2F HTTP/1.1" 200 11608 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:33:28 +0800] "GET / HTTP/1.1" 200 3336 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:34:25 +0800] "GET /wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html%2F HTTP/1.1" 200 11597 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
What puzzles me now is that, from the logs, they all seem to log straight into WordPress as if they knew the password (because there is only one login attempt, on line 16 above). This is true even for sites that went live only a day before, and the passwords are not simple ABC either.

It is also worth noting that only accounts with WordPress installed were compromised. Plain HTML sites on the same server were not touched. There may be a keylogger on the client's machine, but that obviously makes no sense, because the hacker could simply use cPanel instead of going through all the trouble in WP.

Given these facts, how could the hacker log into WordPress and succeed on the first try?

Edit:

I also found this in the logs, but it comes from the server's IP rather than the hacker's. Interestingly, though, the "Alexa Toolbar" phrase is the same as in this script I found: http://pastebin.com/raw.php?i=hcvPE8YV

[01/Aug/2012:14:22:47 +0800] "POST /wp-login.php HTTP/1.1" 200 3266 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"
[01/Aug/2012:14:22:48 +0800] "GET /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"
[01/Aug/2012:14:22:48 +0800] "GET /wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2Ftheme-editor.php&reauth=1 HTTP/1.1" 200 2187 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"

1 Answer

Best answer, from SO user Otto

> What puzzles me now is that, from the logs, they all seem to log straight into WordPress as if they knew the password (because there is only one login attempt, on line 16 above). This is true even for sites that went live only a day before, and the passwords are not simple ABC either.

> It is also worth noting that only accounts with WordPress installed were compromised. Plain HTML sites on the same server were not touched. There may be a keylogger on the client's machine, but that obviously makes no sense, because the hacker could simply use cPanel instead of going through all the trouble in WP.

> Given these facts, how could the hacker log into WordPress and succeed on the first try?

You have answered your own question, although you may not realize it. But I will go ahead and spell it out for you.

Key point to understand: This is a completely automated attack. Once you understand that and its implications, the answer becomes clear.

First, the initial attack vector will not show up in your HTTP logs, because that is not how they got in. They either got direct access to your server, or direct access to the MySQL server. Either way, a fake user was created on the site, or the admin password was changed directly with SQL commands.

After that, the login and the script injection through the theme editor are completely automated. What you are seeing is the "payload" part of the attack.

Scripted attacks like this consist of three phases:

The actual attack, which gets them some form of access to the system. In some cases this may be manual, but in most cases it is done by an automated process that rapidly tries many attacks until any one of them succeeds.

Escalation, where the attack uses the initial entry point to gain higher-level privileges. For example, an SQL injection vulnerability might be used to create a new user in the database, which is then used to gain access to PHP, which can be used to run arbitrary code.

Payload injection, where the escalated privileges are used to insert the payload. Usually spam code or other pre-made junk.

The point is that each of these phases is basically independent of the next. What you are seeing in the logs is only the last step. The attacker got into your site immediately because the script knew the password already. The password had been changed, or access was obtained by some other means.

Yes, sometimes this approach means the exploit runs in silly ways. That has to do with the automated, script-kiddie nature of the systems being used. I have seen an attack where an FTP account was exploited, a PHP file was uploaded, the PHP file modified the WordPress installs it found, and then the WordPress install was used to inject spam into the theme. The fact that the initial attack allowed direct injection of whatever PHP they wanted did not matter; the attack system was wired into a specific process, even if in some cases most of that process was useless.
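As an added illustration (not part of the question or of Otto's answer), the pattern visible in the access log above can be turned into a detection rule: a login POST that WordPress answers with a 302 redirect, followed within a short window by a theme-editor save and by direct requests to the edited theme file carrying a query string, with a count of how many failed logins preceded the success. The sample log lines are constructed with documentation IPs and trimmed user agents; the parser, the 30-minute window and the field names are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format, the same layout as the log excerpt in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: first client follows the question's pattern, second is a benign admin.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Aug/2012:14:24:13 +0800] "POST /wp-login.php HTTP/1.1" 302 - "http://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.5 - - [01/Aug/2012:14:25:00 +0800] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 47622 "http://example.com/wp-admin/" "Mozilla/5.0"
203.0.113.5 - - [01/Aug/2012:14:27:20 +0800] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0"
203.0.113.5 - - [01/Aug/2012:14:29:01 +0800] "GET /wp-content/themes/twentyten/404.php HTTP/1.1" 200 39291 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Aug/2012:14:29:29 +0800] "GET /wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2F HTTP/1.1" 200 27424 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Aug/2012:15:01:00 +0800] "POST /wp-login.php HTTP/1.1" 200 3266 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Aug/2012:15:01:30 +0800] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.9 - - [01/Aug/2012:15:05:00 +0800] "GET /wp-admin/edit.php HTTP/1.1" 200 1000 "-" "Mozilla/5.0"
"""

def parse(line):
    # Return a dict for one combined-log line, or None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_theme_editor_chains(log_text, window=timedelta(minutes=30)):
    """Per client IP, flag the chain from the question: a login POST answered
    with 302 (WordPress redirects on success; a failed login re-renders the form
    with 200), a theme-editor save (POST theme-editor.php -> 302) and a direct
    GET of a theme .php file with a query string, all inside `window`."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in sorted(by_ip.items()):
        recs.sort(key=lambda r: r["ts"])
        logins = [r for r in recs if r["method"] == "POST" and r["path"] == "/wp-login.php"]
        success = next((r for r in logins if r["status"] == 302), None)
        if success is None:
            continue
        t0 = success["ts"]
        later = [r for r in recs if t0 <= r["ts"] <= t0 + window]
        saved = any(r["method"] == "POST" and r["status"] == 302
                    and r["path"].startswith("/wp-admin/theme-editor.php") for r in later)
        ran = any(r["method"] == "GET" and r["path"].startswith("/wp-content/themes/")
                  and ".php?" in r["path"] for r in later)
        if saved and ran:
            # Zero failed POSTs before the success is the oddity the asker noticed.
            failed = sum(1 for r in logins if r["ts"] < t0 and r["status"] != 302)
            hits.append({"ip": ip, "login_at": t0.isoformat(), "ua": success["ua"],
                         "failed_attempts_before_success": failed})
    return hits
```

Sites that do not need the built-in file editor can close this payload path entirely with `define('DISALLOW_FILE_EDIT', true);` in wp-config.php, which removes the Theme Editor from the admin menu.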
