Keep finding injected gibberish PHP in my Wordpress theme files


Problem description

I built a custom theme for a client's site and it keeps getting hacked, I guess. What I'm finding is a bunch of gibberish code at the top of each theme file and plugins as well. It's all super-compressed and not very easy to read, but it just looks like a bunch of numbers. It's not outputting anything on the site itself. The only reason I know it's happening is because the addition of the code to the plugins breaks the plugin and WP auto-disables it. This has happened about 5 or 6 times.

After the second time I realized that the default setup was not cutting it. So I installed WordFence and for a month it worked perfectly. WordFence started to paint a picture of just how many attacks are attempted against a site at any given moment. It's insane. I also changed all passwords (users, FTP, etc.), changed the table prefix, blocked wp-admin and used a different URL to access the dash, and followed pretty much every single item on the Hardening Wordpress article. Also took the advice of a few posts here.

All for nothing though it seems. After a solid month of success, the plugin and my measures stopped working. The useless strings started appearing at the top of theme files. But oddly enough, not plugin files. I cleared things out and tried the iThemes security suite instead of WordFence. NOPE! Woke up to find the site had been hacked again.

In addition to the above I've also narrowed down my plugins list to a select trusted few that have proven harmless on other sites: Formidable and Advanced Custom Fields. I'm worried I screwed up something in my theme somehow, but I've coded a dozen or so and never had this issue on any of those sites at all.

I'm at a loss for what to do. I feel like if I understood what the 'hack' did I'd be able to combat it better, but I'm at a loss. These things are very difficult to google. Any guidance would be appreciated.

Here is a link to the injected code

Recommended answer

I once found this issue in a server and I finally made a bash script that looks for this code, removing only the top line from every infected PHP file. It resolved the issue.

I put it here so you can use it to get rid of the malicious code, but remember to try to find out how the server was hacked, so that you do not get hacked again.

It is quite simple to use in the bash shell:

Test if there are infected files

./remove_malware.sh /var/www/wp_path/

Clean the infected files

./remove_malware.sh /var/www/wp_path/ clean

The script (remove_malware.sh):

#!/bin/bash
#
# This script removes malware from PHP files.
#
# In this case it removes a piece of malicious code that has been
# prepended to the top of every WordPress PHP file.
#
# The string at the top of every file is:
#
# <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x$
#
# This script looks for the string inside $_SERVER of the above
# line at the top of the files to determine whether a file is
# infected. If you run the script and nothing seems to be infected
# but you suspect it and want to be sure, just open any WordPress
# PHP file and check whether the malicious line is present. If it
# is present but the script did not detect it, the content inside
# $_SERVER may be different. In that case, replace the string in
# the -e parameter of the grep line below with the $_SERVER content
# found in your PHP file (remember to escape each \ as \\\\) and run
# this removal script again.
#
# Usage: ./remove_malware.sh /var/www/wp_path/ [clean]
#   Without the second argument the script only reports infected files.
#
# JavocSoft 2014
#

if [[ -z "$1" ]]; then
  echo "Directory where to find is required."
  exit 1
fi

# -r: recurse, -l: print only the names of matching files,
# --include: look at PHP files only. The pattern is the literal,
# backslash-escaped form of the $_SERVER key used by the injection
# (each \ is doubled for the shell and doubled again for grep).
grep -rl --include='*.php' -e "\\\\x48\\\\124\\\\x54\\\\120\\\\x5f\\\\125\\\\x53\\\\105\\\\x52\\\\137\\\\x41\\\\107\\\\x45\\\\116\\\\x54" "$1" | while read -r filename; do

  if [[ -n "$2" ]]; then
    echo "Found file $filename. Cleaning..."
    # On the first line only, drop everything before the last '<?php':
    # that is the injected code prepended to the file's original opening tag.
    # All other lines are printed unchanged.
    awk 'NR == 1 { sub(/^.*<[?]php/, "<?php") } { print }' "$filename" > "$filename.purged"
    # Keep a backup of the infected file before swapping in the cleaned copy.
    mv "$filename" "$filename.bck"
    mv "$filename.purged" "$filename"
  else
    echo "Found file $filename."
  fi

done
echo "Done."
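As an added example (not code from the question or from the answer above), a short Python helper that decodes the PHP hex (`\xHH`) and octal (`\OOO`) string escapes in an injected first line, so you can read what the obfuscated code actually references, and that applies the same `$_SERVER`-key test the answer's grep relies on. The sample line is constructed from the fragment quoted in the script's comments; the part of the injection the page does not show is replaced by a comment placeholder.

```python
import re

# Constructed sample of an infected first line, built from the fragment quoted in
# the answer's script comment. The remainder of the real injection is not on the
# page, so it is replaced by a placeholder comment; the original file's opening
# tag follows on the same line, as the answer's awk one-liner assumes.
SAMPLE_FIRST_LINE = (
    '<?php if(!isset($GLOBALS["\\x61\\156\\x75\\156\\x61"])) '
    '{ $ua=strtolower($_SERVER["\\x48\\124\\x54\\120\\x5f\\125\\x53\\105\\x52\\137\\x41\\107\\x45\\116\\x54"]); '
    'if ((! strstr($ua,"\\x6d\\163\\x69\\145")) and (! strstr($ua,"\\x72\\166\\x3a\\61\\x31"))) '
    '/* remainder of the injection not reproduced here */ } ?><?php /* original theme file */'
)

# \xHH (1-2 hex digits) or \OOO (1-3 octal digits), as PHP reads them in "..." strings.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{1,2})|\\([0-7]{1,3})')
# A PHP double-quoted literal, allowing backslash escapes inside it.
STRING_RE = re.compile(r'"((?:\\.|[^"\\])*)"')
SERVER_KEY_RE = re.compile(r'\$_SERVER\["((?:\\.|[^"\\])*)"\]')


def decode_php_escapes(s):
    """Decode the \\xHH and \\OOO escapes of a PHP double-quoted string body."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8))
    return ESCAPE_RE.sub(repl, s)


def decoded_literals(line):
    """Every double-quoted literal on the line, escapes decoded, in source order."""
    return [decode_php_escapes(m.group(1)) for m in STRING_RE.finditer(line)]


def looks_injected(line):
    """Same idea as the answer's grep: an obfuscated $_SERVER key that decodes to HTTP_USER_AGENT."""
    return any(decode_php_escapes(m.group(1)) == "HTTP_USER_AGENT"
               for m in SERVER_KEY_RE.finditer(line))


def scan_file(path):
    """Read only the first line of a PHP file; return (is_injected, decoded literals)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        first = fh.readline()
    return looks_injected(first), decoded_literals(first)


if __name__ == "__main__":
    print(looks_injected(SAMPLE_FIRST_LINE), decoded_literals(SAMPLE_FIRST_LINE))
```

Running it on the sample shows the injection checks the User-Agent for "msie" and "rv:11" before setting a global named "anuna", which is why nothing is visible when you load the site yourself.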
