A client's website was just hacked. On inspection, an extra block of code had been added to the theme's header.php. This code does not take the site down, but it injects a block of spam into the page that visitors cannot see while search engines can, so it is easy to miss if you are not paying attention. Keep an eye on your own WP sites.

Running the site through Sucuri SiteCheck gives the following result

Scan result

The JavaScript sits in the theme's header.php and looks like this (the captured listing breaks off inside the document.write call)

<script language="JavaScript">
function xViewState()
{
  var a=0,m,v,t,z,
      x=new Array('9091968376',
                  '8887918192818786347374918784939277359287883421333333338896',
                  '877886888787',
                  '949990793917947998942577939317'),
      l=x.length;
  while(++a<=l){
    m=x[l-a];
    t=z='';
    for(v=0;v<m.length;){
      t+=m.charAt(v++);
      if(t.length==2){
        z+=String.fromCharCode(parseInt(t)+25-l+a);
        t='';
      }
    }
    x[l-a]=z;
  }
  document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}

And in the body there is a passage of text like this

<p class="nemonn">
Often there has bad about easy as they <a href="http://onlinepaydayloan2two.com/">http://onlinepaydayloan2two.com</a> only have high interest or night. So having money our instant loans should try and deposited Advance Payday Loan <a href="http://statelicensedcashadvances2two.com/payday-loan/advance-payday-loan" title="Get Your Finances Back on Track With an Advance Payday Loan">Advance Payday Loan</a> into the our frequent some necessary funds. Be aware that there would like that consumers view your Understanding Cash Loans A Comprehensive Listing Of Loan Terms And Definitions <a href="http://guaranteedpaydayadvancerates2two.com/cash-loans/understanding-cash-loans-a-comprehensive-listing-of-loan-terms-and-definitions" title="Understanding Cash Loans: A Comprehensive Listing of Loan Terms and Definitions">Understanding Cash Loans A Comprehensive Listing Of Loan Terms And Definitions</a> due on how quickly many other purpose. Everyone has high income are easier than ever applied for Major Benefits Of A Cash Advance <a href="http://emergencycash2two.com/cash-advance/major-benefits-of-a-cash-advance" title="Major Benefits of a Cash Advance">Major Benefits Of A Cash Advance</a> people a citizen of paying all that. Generally we understand a reasonably small business check payday loans <a href="http://paydayloan2two.com/" title="payday loan">payday loans</a> as fifteen minutes using the industry. Hard to how the borrowing population not require depending on <a href="http://paydayadvanceonline2two.com/">http://paydayadvanceonline2two.com</a> you out our approvals at financial promises. Thankfully there has made by physically arriving at Bad Credit Cash Advance <a href="http://safepaydayadvances2two.com/cash-advance/bad-credit-cash-advance" title="Bad Credit Cash Advance Guide">Bad Credit Cash Advance</a> how poor consumer credit score? 
Thanks to people immediately begin to really payday advance <a href="http://paydayadvance2two.com/" title="payday advance">payday advance</a> need these types available. Called an otherwise known as opposed to qualify for Military Payday Loan <a href="http://cashadvances2two.com/payday-loan/military-payday-loan" title="Differences Between Non-Military and Military Payday Loans">Military Payday Loan</a> between and applying for insufficient funds. Using our customers to fit your require are fast cash loans <a href="http://fastcashloans2two.com/" title="fast cash loans">fast cash loans</a> no down an outside source. Simply plug your way you cannot go online borrowing fast payday loan <a href="http://paydayloansonlineka.co.uk/" title="payday loans">fast payday loan</a> money emergency bills get this problem. Unfortunately borrowing has probably already suffering payday cash advance <a href="http://paydaycashadvance2two.com/" title="payday cash advance">payday cash advance</a> from application can use. Where borrowers are required is making payday loan <a href="http://paydayloansonlineva.com/" title="payday loans">payday loan</a> use for getting it. Fortunately when repayment term cash payday fast our Bad Credit Cash Loan <a href="http://statelicensedpaydayloans2two.com/cash-loan/bad-credit-cash-loan" title="Five Things to Look for in a Bad Credit Cash Loan">Bad Credit Cash Loan</a> bad one year to traditional banks. People who really bad one is given all your Quick Cash Advances <a href="http://cashadvanceho.com/cash-advance/quick-cash-advances" title="What You Need to Know About Quick Cash Advances">Quick Cash Advances</a> office or with living paycheck is available. 
</p>

This text is the spam. It is hidden by the JavaScript above, which writes out a style rule like the following

<style undefined>.nemonn{position:absolute;top:-9999px}</style>
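To see what the injected function writes without loading it in a browser, here is an added Python decoder (not part of the original post) that re-implements the two-digit-pair plus offset scheme used by xViewState(); the string table is copied from the listing above, everything else is constructed.

```python
import re

# Constructed sample: the string table and decoding loop of the injected
# xViewState() function, copied from the header.php listing above.
INJECTED_JS = (
    "var a=0,m,v,t,z,x=new Array('9091968376',"
    "'8887918192818786347374918784939277359287883421333333338896',"
    "'877886888787','949990793917947998942577939317'),l=x.length;"
    "while(++a<=l){m=x[l-a];t=z='';for(v=0;v<m.length;){t+=m.charAt(v++);"
    "if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);t='';}}x[l-a]=z;}"
)

def extract_digit_strings(js):
    """Pull the quoted all-digit entries out of the first new Array(...)."""
    match = re.search(r"new Array\(([^)]*)\)", js)
    return re.findall(r"'(\d+)'", match.group(1)) if match else []

def decode_table(strings):
    """Re-implement the loop: entries are visited from last (a=1) to first
    (a=l), cut into two-digit pairs, and each pair plus the per-entry offset
    25-l+a becomes one character; a trailing odd digit is dropped as in JS."""
    l = len(strings)
    decoded = list(strings)
    for a in range(1, l + 1):
        m, offset = strings[l - a], 25 - l + a
        decoded[l - a] = "".join(
            chr(int(m[i:i + 2]) + offset) for i in range(0, len(m) - 1, 2)
        )
    return decoded

def rendered_markup(x):
    """What document.write emits for the part of the call shown in the listing.
    x[4] does not exist, so JavaScript prints 'undefined', which is why the
    captured output reads '<style undefined>'."""
    x4 = x[4] if len(x) > 4 else "undefined"
    return "<" + x[0] + " " + x4 + ">." + x[2] + "{" + x[1] + "}"

def hides_offscreen(css):
    """Flag a rule that parks an element far outside the viewport."""
    return "position:absolute" in css and re.search(r"top:-\d{3,}px", css) is not None

if __name__ == "__main__":
    table = decode_table(extract_digit_strings(INJECTED_JS))
    print(table, rendered_markup(table), hides_offscreen(table[1]))
```

The decoded table is style, position:absolute;top:-9999px, nemonn and type='text/css', which is exactly the rule that pushes the .nemonn paragraph off screen.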

Searching online shows that this attack has recently been aimed mostly at WordPress and Joomla sites, so be on the lookout.

Also, do not install this plugin http://wordpress.org/support/plugin/break-out-of-frames; it injects malicious code.

The following links contain related information and are quite helpful

Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla

A new spam hack – including on wordpress.org

Spam Hacks, The Pharmacy Hack, The Porn Hack, etc.

6 comments

  1. But how do I remove it? So frustrating, I just found my site has hidden links in it too.

    1. Removing it is easy: find that code in header.php and delete it. The hard part is checking whether there are still backdoors, for example an un-upgraded timthumb.php or a problematic plugin. You also need to confirm there are no files in WP that should not be there; check the core code directories.

      1. For anyone who needs this in the future: after deleting the related code from header.php completely, there is also a PHP file in wp-admin named update-<random>-<random>.php; delete that too and you are done.
