PHP 正则表达式修复被黑的 Wordpress 网站 [英] PHP regex to fix hacked Wordpress site

问题描述

我有一个客户安装了多个 Wordpress，但他没有及时更新.结果，他被黑了.当我试图找出黑客是如何入侵的并永久解决问题时，我正在尝试创建一个脚本来快速、自动地修复它们.

I have a client that has multiple Wordpress installations, which he didn't keep up to date. As a result, he got hacked. While I try to find how the hackers got in, and fix the problem permanently, I'm trying to create a script to fix them quickly, automatically.

我找到了这个脚本，它可以满足我的要求:http://designpx.com/tutorials/wordpress-security/

I found this script, which does what I want: http://designpx.com/tutorials/wordpress-security/

它会自动从每个 php 文件中删除 <?php eval(base64_decode("aWY..."); ?>，但是它用来执行此操作的正则表达式也删除了 如果它遵循恶意代码.

It automatically removes the <?php eval(base64_decode("aWY..."); ?> from every php file, but the regex it's using to do this, removes also <?php get_header(); ?> if it follows the malicious code.

所以，我想要的是改变它，所以它只会删除恶意代码，而不是第一行的php代码.这是执行替换的脚本部分:

So, what I want is to change it, so it only removes the malicious code, but not the first line of php code as well. Here's the part of the script that does the replacing:

find $dir -name "*.php" -type f \  
|xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1

我需要改变什么，让它在第一个 ?> 处停止，而不是在第二个处?

What would I have to change, so it stops at the first ?>, and not at the second?

注意:我知道这是一个快速、临时的修复方法，但在客户决定要修复哪些网站以及要删除哪些网站之前，它会一直有效.

Note: I know this is a quick, temporary fix, but it will do until the client makes up his mind about which sites he wants to fix, an which to erase.

推荐答案

除了建议重新安装的评论外，手头的正则表达式问题可能是贪婪..*? 占位符应该匹配最短的字符数，但是 sed 可能对行长度等有一些限制(不确定.)

Apart from the comments advising a reinstall, the regex question at hand might be greediness. The .*? placeholder ought to match the shortest amount of characters, but sed might have some limitations regarding line length etc. (Not sure.)

但是为了进一步限制它，您可以使用 [^>]* 代替它:

But for constraining it further you could use [^>]* in its place:

 's#<?php /\*\*/ eval(base64_decode("aWY[^>]*?>##g'

这将确保它不会运行在结束 ?> 上.base64 无论如何都不可能包含这个.

This will ensure it can't run over a closing ?>. The base64 couldn't possibly contain this anyway.

这篇关于PHP 正则表达式修复被黑的 Wordpress 网站的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！