doufangyan6862 2017-08-15 22:25
157 views

Malware or necessary file? eval(base64_decode on a GoDaddy / Installatron WordPress site

everyone!

Should I delete this file, or any related files?

File Name: deleteme.4a768ebd031b45c884f93d1314642dbb.php

File Location: public_html/domain-name.com/wp-content

File Contents: ("CODED CONTENT" used as a placeholder, Decoded Below)

<?php
/******************************************************************************\
|*                                                                            *|
|* All text, code and logic contained herein is copyright by Installatron LLC *|
|* and is a part of 'the Installatron program' as defined in the Installatron *|
|* license: http://installatron.com/plugin/eula                               *|
|*                                                                            *|
|* THE COPYING OR REPRODUCTION OF ANY TEXT, PROGRAM CODE OR LOGIC CONTAINED   *|
|* HEREIN IS EXPRESSLY PROHIBITED. VIOLATORS WILL BE PROSECUTED TO THE FULL   *|
|* EXTENT OF THE LAW.                                                         *|
|*                                                                            *|
|* If this license is not clear to you, DO NOT CONTINUE;                      *|
|* instead, contact Installatron LLC at: support@installatron.com             *|
|*                                                                            *|
\******************************************************************************/
eval(base64_decode('CODED CONTENT'));

Decoded Content:

$file = ($p = strpos(__FILE__, "(")) === false ? __FILE__ : substr(__FILE__, 0, $p);
// Remove this script as soon as it runs (retry after loosening permissions).
if (!unlink($file)) {
    chmod($file, 0777);
    unlink($file);
}
define("ABSPATH", dirname(dirname($file)) . "/");
include_once(ABSPATH . "wp-config.php");
include_once(ABSPATH . "wp-admin/includes/file.php");
include_once(ABSPATH . "wp-admin/includes/plugin.php");
include_once(ABSPATH . "wp-admin/includes/theme.php");
include_once(ABSPATH . "wp-admin/includes/misc.php");
// Query string = 32-character token followed by the user ID.
$k = substr($_SERVER["QUERY_STRING"], 0, 32);
$u = substr($_SERVER["QUERY_STRING"], 32);
$h = $wpdb->get_var($wpdb->prepare("SELECT user_pass FROM {$wpdb->users} WHERE ID = %s", $u));
// Token is derived from the current minute (plus or minus one) and the user's password hash.
if (is_string($h) && ($k === md5(mktime(date("H"), date("i"), 0) . md5($h))
                   || $k === md5(mktime(date("H"), date("i") - 1, 0) . md5($h))
                   || $k === md5(mktime(date("H"), date("i") + 1, 0) . md5($h)))) {
    wp_set_auth_cookie($u);
}
header("Location: " . 'http://www.domain-name.com/wp-admin/');

Background: I recently reset my cPanel on GoDaddy because a programmer off of Fiverr told me that my sites are all being infected by malware being served from GoDaddy's side. Each time he removes the malware, it returns. My RAM and I/O usage was overloaded and all my sites became non-functional. GoDaddy tells me this is a false statement and that their "firewalls" would prevent it. I reset the cPanel, installed a fresh WordPress site, and things are functional, but I found this in the files. I hesitate to continue a fresh site build, not understanding this.

Using Wordfence does not trigger a warning.

A little advice, please? Thanks!



  • dongmou2389 2017-08-15 22:30

    This looks very suspicious. Apparently, this is a very popular way to embed malware into php sites. https://aw-snap.info/articles/php-examples.php.

    No reasonable programmer would embed code like that into a page. It also looks like it tries to delete itself, which is strange. It also selects passwords from the database, which is strange. I'm gonna call it 100% malware.

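As an added triage example (not code from the question, the answer, or Installatron): a Python script that walks a wp-content tree, decodes every eval(base64_decode('…')) wrapper it finds, and reports which of the behaviours visible in the decoded stub above (self-deletion, reading user_pass, a time-bound token taken from the query string, setting an auth cookie) the payload actually contains, so a file like this is judged on what it does rather than on the wrapper alone. The sample tree, file names and condensed stub text are constructed here for the demonstration.

```python
import base64, os, re, tempfile

# The wrapper seen in the question: eval(base64_decode('<base64>')); \s tolerates a line-wrapped blob.
WRAPPER = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)\s*\)")
# Behaviours present in the decoded stub above; any one of them justifies a manual look.
INDICATORS = {"self_delete": r"\bunlink\s*\(", "reads_password_hashes": r"\buser_pass\b",
              "sets_auth_cookie": r"\bwp_set_auth_cookie\s*\(", "input_from_query_string": r"QUERY_STRING",
              "time_bound_token": r"\bmktime\s*\("}

def decode_wrappers(source):
    """Decoded payload of every eval(base64_decode(...)) in source; None where the blob is invalid."""
    out = []
    for m in WRAPPER.finditer(source):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
            out.append(raw.decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            out.append(None)
    return out

def triage(root):
    """Map each .php file under root that carries a wrapper to its sorted indicator names."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                payloads = decode_wrappers(fh.read())
            hits = {"undecodable_payload" for p in payloads if p is None}
            for p in filter(None, payloads):
                hits.update(k for k, rx in INDICATORS.items() if re.search(rx, p))
            if payloads:  # files without a wrapper are not reported
                findings[os.path.relpath(path, root)] = sorted(hits)
    return findings

# Constructed sample (hypothetical names): a condensed copy of the decoded stub from the question.
STUB = ('$file = __FILE__; if (!unlink($file)) { chmod($file, 0777); unlink($file); }\n'
        '$k = substr($_SERVER["QUERY_STRING"], 0, 32); $u = substr($_SERVER["QUERY_STRING"], 32);\n'
        '$h = $wpdb->get_var($wpdb->prepare("SELECT user_pass FROM {$wpdb->users} WHERE ID = %s", $u));\n'
        'if (is_string($h) && $k === md5(mktime(date("H"), date("i"), 0).md5($h))) { wp_set_auth_cookie($u); }\n')

def build_sample():
    """Write a throwaway wp-content tree: one wrapped stub plus a benign index.php."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content"))
    enc = base64.b64encode(STUB.encode()).decode()
    files = {"deleteme.sample.php": "<?php\n/* vendor header */\neval(base64_decode('%s'));\n" % enc,
             "index.php": "<?php\n// Silence is golden.\n"}
    for name, body in files.items():
        with open(os.path.join(root, "wp-content", name), "w") as fh:
            fh.write(body)
    return root
```

Run `triage(build_sample())` to see the report for the constructed tree, or `triage("/path/to/public_html")` against a real install; a file that decodes to the full indicator set is exactly the kind to keep from the web root until its origin is confirmed.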
