dongmu5596 2013-08-10 05:54

Websites hosted on different servers hacked "again and again" with the same base64 malware code [closed]

My websites hosted on different servers are being hacked again and again with the same base64 malware code. When I decoded the base64 code I got the link to mbrowserstats.com/statH/stat.php.

Please note: My websites with core PHP and also WordPress are being hacked. They are placing base64 malware code in the following files - index.php, main.php, footer.php, template files of WordPress (index.php, main.php, footer.php), index.php files in wp-admin, plugins, themes folders etc.

I have already tried the things below, but all websites are being hacked again and again.

  • Changed all FTP passwords

  • Changed FTP client FileZilla to WinSCP

  • Removed all malware codes and re-upload all files to server

  • Uploaded old backup files without malware codes

  • Disabled magic_quotes_gpc, register_globals, also exec & shell_exec functions

  • Used index files to prevent direct folder access

  • Used mysql_real_escape_string function to sanitize data for insert queries in php websites

  • Updated WordPress and also all Plugins to latest version

  • Installed Malwarebytes Anti-Malware and scanned my computer for malware (Full Scan)

  • Confirmed that my websites are not using timthumb.php file

  • Changed file permissions (755 for folders & 644 for files). Now only image upload folders have 777 permission.

When I checked the websites' visitor details I found some IPs like 150.70.172.111 / 150.70.172.202, Hostname: 150-70-172-111.trendmicro.com, Country - Japan. They accessed the websites at times close to the modification times of the modified files (malware-injected files).

Additional Information: I have been using Trend Micro antivirus for the last 1 year. I'm wondering whether the IPs with hostname 'trendmicro.com' have any relation to the hacking or to stealing my FTP passwords.

I suspect that they are using ftp access to insert malware codes. Also the time between file modifications is very low. They have updated all files within seconds. So I think they are using a program for that. Manually they cannot edit all files within seconds as I have so many files in different folders of same website.

Please help me to resolve this issue. I have tried many things but it happens again. Thanks

1 answer

  • doushantun0614 2013-08-10 06:14

    It's tricky to handle this. One of the common ways this happens is that on a shared server a malicious user can use another account and insert a file in your upload directory (which is often world writeable on shared servers) by going down and back up the filesystem. It's not really an issue of passwords being cracked. Things you can do:

    1. Use a private/virtual server - just not the standard shared type with more than one user in the same filesystem
    2. Keep WordPress updated
    3. Check all your theme and plugins for online notices of vulnerabilities. A big one is that many themes use timthumb.php for image resize which had a big security hole last year. You can continue using it but make sure to replace it with the current version.

    For hosting I highly recommend using something such as http://WPEngine.com as you will not only get a private experience but they will also be more on top of security scans than standard hosting companies.

    Also if your site has been hacked you must be very very careful to remove all backdoors - I recommend doing a clean install which is obviously tough since you have to put your theme back and that can contain backdoors as well. Malicious users will create multiple backdoors in case one gets taken down. There are a few scripts online that will scan for these but none that is perfect. Making a clean install, then backing it up offline in case of a hack is a good option.

    This answer was selected by the asker as the best answer.
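An added example, not part of the original question or answer: a small Python scanner for the injection pattern described in the question, PHP files carrying a literal `base64_decode('...')` call, which decodes each payload, extracts any URLs, and groups infected files whose modification times fall within seconds of each other. The function names, the file extensions and the 5-second window are assumptions, and it only catches literal base64 arguments, so it does not replace the clean install the answer recommends.

```python
import base64, binascii, os, re

# Literal-argument calls such as base64_decode('aGVsbG8...') or base64_decode("...").
B64_CALL = re.compile(rb"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]{16,})['\"]")
URL = re.compile(rb"https?://[^\s'\"<>)]+")

def scan_file(path):
    """Return the decoded payloads of literal base64_decode() calls in one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    payloads = []
    for m in B64_CALL.finditer(data):
        try:
            payloads.append(base64.b64decode(m.group(1)))
        except (binascii.Error, ValueError):
            continue  # looked like base64 but is not decodable; skip it
    return payloads

def find_injections(root):
    """Walk root; return (path, mtime, urls) per suspicious file, oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            payloads = scan_file(path)
            if payloads:
                urls = sorted({u.decode("latin-1") for p in payloads for u in URL.findall(p)})
                hits.append((path, os.path.getmtime(path), urls))
    return sorted(hits, key=lambda h: h[1])

def burst_groups(hits, window=5.0):
    """Group hits modified within `window` seconds of the previous hit."""
    groups = []
    for hit in hits:
        if groups and hit[1] - groups[-1][-1][1] <= window:
            groups[-1].append(hit)  # same automated write burst
        else:
            groups.append([hit])
    return groups

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for group in burst_groups(find_injections(root)):
        print(f"--- {len(group)} file(s) modified within seconds of each other")
        for path, mtime, urls in group:
            print(f"{path}\t{int(mtime)}\t{', '.join(urls) or '(no URL in payload)'}")
```

Comparing each burst's timestamps with the FTP and web access logs for the same seconds shows which channel wrote the files.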
