
Site defaced using a script uploaded through the theme editor

WordPress Development user
Asked on 2012-08-02 08:35:27
Answers: 1 · Views: 6.9K · Followers: 0 · Votes: 1

We have several Wordpress sites that were defaced, all with the same pattern (at least that is what the raw access logs say). From the logs, they logged straight into Wordpress, then went to Theme Editor > edited the 404.php file with malicious code, and now they run that code to deface the site.

Below is the log (the site has been replaced with example.com)

125.167.118.62 - - [01/Aug/2012:14:22:58 +0800] "GET / HTTP/1.1" 200 6318 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/css/supersized.css HTTP/1.1" 200 2556 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/js/effects.js?ver=3.4.1 HTTP/1.1" 200 890 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/js/superfish.js?ver=3.4.1 HTTP/1.1" 200 3083 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/style.css HTTP/1.1" 200 23095 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:01 +0800] "GET /wp-content/themes/Wallbase/js/supersized.3.1.3.min.js?ver=3.4.1 HTTP/1.1" 200 11671 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-content/themes/Wallbase/css/prettyphoto.css HTTP/1.1" 200 19697 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:01 +0800] "GET /wp-content/themes/Wallbase/js/jquery.prettyPhoto.js?ver=3.4.1 HTTP/1.1" 200 22373 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:02 +0800] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:00 +0800] "GET /wp-includes/js/jquery/jquery.js?ver=1.7.2 HTTP/1.1" 200 94861 "http://example.com/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:02 +0800] "GET /wp-login.php HTTP/1.1" 200 2171 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:04 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 200 36317 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:04 +0800] "GET /wp-admin/css/wp-admin.css?ver=3.4.1 HTTP/1.1" 200 108246 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:07 +0800] "GET /wp-admin/images/button-grad.png HTTP/1.1" 200 243 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:23:07 +0800] "GET /wp-admin/images/wordpress-logo.png?ver=20120216 HTTP/1.1" 200 5048 "http://example.com/wp-admin/css/wp-admin.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:13 +0800] "POST /wp-login.php HTTP/1.1" 302 - "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:14 +0800] "GET /wp-admin/ HTTP/1.1" 200 52163 "http://example.com/wp-login.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:19 +0800] "GET /wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1 HTTP/1.1" 200 28480 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-includes/js/thickbox/thickbox.css?ver=3.4.1 HTTP/1.1" 200 3870 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-content/themes/Wallbase/images/slide.png HTTP/1.1" 200 198 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:21 +0800] "GET /wp-admin/load-styles.php?c=1&dir=ltr&load=wp-jquery-ui-dialog&ver=3.4.1 HTTP/1.1" 200 1087 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:22 +0800] "GET /wp-admin/images/wpspin_light.gif HTTP/1.1" 200 2193 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:24 +0800] "GET /wp-admin/images/media-button.png?ver=20111005 HTTP/1.1" 200 3117 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-includes/css/editor.css?ver=3.4.1 HTTP/1.1" 200 43861 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:20 +0800] "GET /wp-admin/load-scripts.php?c=1&load=jquery,utils&ver=3.4.1 HTTP/1.1" 200 37529 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:21 +0800] "GET /wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color,wp-ajax-response,wp-lists,quicktags,jquery-query,admin-comments,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,postbox,dashboard,thickbox,plugin-install,media-upload,word-count,jquery-ui-resizable,jquery-ui-draggable,jquery-ui-button,jquery-ui-position,jquery-ui-dialog,wpdialogs,wplink,wpdialogs-popup&ver=3.4.1 HTTP/1.1" 200 56368 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-includes/images/admin-bar-sprite.png?d=20111130 HTTP/1.1" 200 3999 "http://example.com/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/arrows.png HTTP/1.1" 200 494 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/menu-shadow.png HTTP/1.1" 200 131 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/wp-badge.png?ver=20111120 HTTP/1.1" 200 14352 "http://example.com/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:52 +0800] "GET /wp-admin/images/white-grad.png HTTP/1.1" 200 210 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:52 +0800] "GET /wp-admin/images/xit.gif HTTP/1.1" 200 182 "http://example.com/wp-admin/load-styles.php?c=1&dir=ltr&load=admin-bar,wp-admin&ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/menu.png?ver=20120201 HTTP/1.1" 200 13585 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:52 +0800] "GET /wp-includes/js/thickbox/loadingAnimation.gif HTTP/1.1" 200 5886 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:24:51 +0800] "GET /wp-admin/images/icons32.png?ver=20111206 HTTP/1.1" 200 13441 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:00 +0800] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 47622 "http://example.com/wp-admin/" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:03 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:04 +0800] "GET /wp-admin/load-scripts.php?c=1&load=admin-bar,hoverIntent,common,jquery-color&ver=3.4.1 HTTP/1.1" 200 5480 "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:25 +0800] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 48032 "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:28 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:48 +0800] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyten HTTP/1.1" 200 26759 "http://example.com/wp-admin/theme-editor.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:25:50 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:20 +0800] "GET /wp-admin/images/button-grad-active.png HTTP/1.1" 200 284 "http://example.com/wp-admin/css/colors-fresh.css?ver=3.4.1" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:20 +0800] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:27:58 +0800] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyten&scrollto=22492&updated=true HTTP/1.1" 200 151535 "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:28:06 +0800] "GET /wp-admin/css/colors-fresh.css?ver=3.4.1 HTTP/1.1" 304 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten&scrollto=22492&updated=true" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:01 +0800] "GET /wp-content/themes/twentyten/404.php HTTP/1.1" 200 39291 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=sort_asc HTTP/1.1" 200 85 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_lnk HTTP/1.1" 200 572 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=small_dir HTTP/1.1" 200 498 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_diz HTTP/1.1" 200 1034 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=change HTTP/1.1" 200 290 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_php HTTP/1.1" 200 1125 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:04 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=download HTTP/1.1" 200 161 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=arrow_ltr HTTP/1.1" 200 88 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_png HTTP/1.1" 200 175 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_css HTTP/1.1" 200 134 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:05 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_txt HTTP/1.1" 200 132 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:29 +0800] "GET /wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 27424 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:31 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_htaccess HTTP/1.1" 200 117 "http://example.com/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:29:32 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_html HTTP/1.1" 200 1125 "http://example.com/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:17 +0800] "GET /wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html HTTP/1.1" 200 7686 "http://example.com/wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:20 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_exe HTTP/1.1" 200 118 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:21 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_gif HTTP/1.1" 200 175 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:21 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_ini HTTP/1.1" 200 134 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:30:21 +0800] "GET /wp-content/themes/twentyten/404.php?x=img&img=ext_rtf HTTP/1.1" 200 164 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:31:14 +0800] "POST /wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html%2F HTTP/1.1" 200 11608 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:33:28 +0800] "GET / HTTP/1.1" 200 3336 "-" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
125.167.118.62 - - [01/Aug/2012:14:34:25 +0800] "GET /wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html%2F HTTP/1.1" 200 11597 "http://example.com/wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html" "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"

Now what puzzles me is that, according to the logs, they all seem to log straight into Wordpress as if they knew the password (since there is only one login attempt, at line 16 above). That was the case even on a site that was only a day old, and the password was not something simple like ABC.

Also worth noting: only the accounts with Wordpress installed were defaced. Plain HTML-only sites on the same server were not touched. While a keylogger on the client's machine is possible, that would make no sense, because the hacker could then simply use cpanel instead of going through all of that in WP.

Given these facts, how could the hacker log into Wordpress and succeed on the first attempt?

Edit:

I also found this in the logs, but it comes from the server's IP rather than the hacker's. Interestingly, though, the phrase "Alexa" is the same as in the script I found: http://pastebin.com/raw.php?i=hcvPE8YV

[01/Aug/2012:14:22:47 +0800] "POST /wp-login.php HTTP/1.1" 200 3266 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"
[01/Aug/2012:14:22:48 +0800] "GET /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"
[01/Aug/2012:14:22:48 +0800] "GET /wp-login.php?redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2Ftheme-editor.php&reauth=1 HTTP/1.1" 200 2187 "-" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1; .NET CLR 1.1.4322; Alexa Toolbar; .NET CLR 2.0.50727)"
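The investigation described in the question, reconstructing the attack chain from the access log, can be automated. The following Python script is an added example and is not part of the original question or answer. It parses combined-format log lines (a trimmed selection from the log above with user agents shortened, plus one constructed benign request from 10.0.0.5), groups them per client IP and reports the three indicators this incident left behind: a POST to wp-login.php that returned 302 with no failed attempt before it (wp-login.php redirects on a correct password and redisplays the form with 200 on a wrong one, which is also what the second log excerpt shows), POSTs to wp-admin/theme-editor.php, and direct requests to PHP files under wp-content/themes/ carrying query parameters, something WordPress never does on its own. The parameter names x, d, f, ft and sort come from the log; the 10.0.0.5 line and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format, as used by the log in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Theme/plugin PHP files are included by WordPress; a browser never fetches them
# directly with parameters unless something like a webshell has been written there.
THEME_PHP = re.compile(r"^/wp-content/(themes|plugins)/[^/]+/.*\.php$")

# Trimmed lines from the question's log (user agents shortened) plus one
# constructed benign request from 10.0.0.5.
SAMPLE_LOG = """\
125.167.118.62 - - [01/Aug/2012:14:23:02 +0800] "GET /wp-login.php HTTP/1.1" 200 2171 "-" "Mozilla/5.0"
125.167.118.62 - - [01/Aug/2012:14:24:13 +0800] "POST /wp-login.php HTTP/1.1" 302 - "http://example.com/wp-login.php" "Mozilla/5.0"
125.167.118.62 - - [01/Aug/2012:14:25:00 +0800] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 47622 "http://example.com/wp-admin/" "Mozilla/5.0"
125.167.118.62 - - [01/Aug/2012:14:27:20 +0800] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "http://example.com/wp-admin/theme-editor.php?file=404.php&theme=twentyten" "Mozilla/5.0"
125.167.118.62 - - [01/Aug/2012:14:29:01 +0800] "GET /wp-content/themes/twentyten/404.php HTTP/1.1" 200 39291 "-" "Mozilla/5.0"
125.167.118.62 - - [01/Aug/2012:14:29:29 +0800] "GET /wp-content/themes/twentyten/404.php?x=ls&d=%2Fhome%2Fexample%2Fpublic_html%2F&sort=0a HTTP/1.1" 200 27424 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0"
125.167.118.62 - - [01/Aug/2012:14:31:14 +0800] "POST /wp-content/themes/twentyten/404.php?x=f&f=index.php&ft=edit&d=%2Fhome%2Fexample%2Fpublic_html%2F HTTP/1.1" 200 11608 "http://example.com/wp-content/themes/twentyten/404.php" "Mozilla/5.0"
10.0.0.5 - - [01/Aug/2012:15:00:00 +0800] "GET /wp-content/themes/twentyten/style.css HTTP/1.1" 200 1000 "http://example.com/" "Mozilla/5.0"
"""


def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        e["file"], _, e["query"] = e["path"].partition("?")
        events.append(e)
    return events


def query_keys(query):
    """Parameter names of a raw query string, e.g. 'x=ls&d=..' -> {'x', 'd'}."""
    return {part.split("=", 1)[0] for part in query.split("&") if part}


def triage(events):
    """Per client IP, report the indicators this incident left in the log."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        login_posts = [e for e in evs if e["method"] == "POST" and e["file"] == "/wp-login.php"]
        # wp-login.php answers a correct password with a 302 to wp-admin and
        # redisplays the form (200) on a wrong one, so the status separates the two.
        failed = sum(1 for e in login_posts if e["status"] == 200)
        succeeded = sum(1 for e in login_posts if e["status"] == 302)
        editor_writes = [e for e in evs if e["method"] == "POST" and e["file"] == "/wp-admin/theme-editor.php"]
        direct_php = [e for e in evs if THEME_PHP.match(e["file"]) and e["query"]]

        f = {
            "first_try_login": succeeded >= 1 and failed == 0,
            "theme_editor_writes": len(editor_writes),
            "direct_theme_php_with_params": len(direct_php),
            "webshell_params": sorted(set().union(*(query_keys(e["query"]) for e in direct_php))),
            "first_seen": evs[0]["ts"].isoformat(),
            "last_seen": evs[-1]["ts"].isoformat(),
        }
        # A write through the theme editor followed by direct, parameterised calls
        # to a theme PHP file is the editor-to-webshell pattern from the question.
        f["suspicious"] = f["theme_editor_writes"] > 0 and f["direct_theme_php_with_params"] > 0
        findings[ip] = f
    return findings


if __name__ == "__main__":
    for ip, f in triage(parse(SAMPLE_LOG)).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{ip:16} {flag:10} {f}")
```

Run against a full access log, the script prints one line per client; the 125.167.118.62 session is flagged because it both wrote through the theme editor and then drove the rewritten 404.php with parameters, while the constructed 10.0.0.5 client is not. The first_try_login flag on its own is only a hint (a legitimate admin also logs in on the first try); it becomes meaningful, as in the question, when it is combined with the other two indicators.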

1 Answer

WordPress Development user

Accepted answer

Posted on 2012-08-03 21:14:32

> Now what puzzles me is that, according to the logs, they all seem to log straight into Wordpress as if they knew the password (since there is only one login attempt, at line 16 above). That was the case even on a site that was only a day old, and the password was not something simple like ABC. Also worth noting: only the accounts with Wordpress installed were defaced. Plain HTML-only sites on the same server were not touched. While a keylogger on the client's machine is possible, that would make no sense, because the hacker could then simply use cpanel instead of going through all of that in WP. Given these facts, how could the hacker log into Wordpress and succeed on the first attempt?

You answered your own question there, even though you may not have realized it. But I'll go ahead and spell it out for you.

The important point to understand: this is a completely automated attack. Once you understand that and its implications, the answer becomes clear.

First, the initial attack vector will not show up in your http logs, because that is not how they got in. They either had direct access to your server, or direct access to the mySQL server. Either way, fake users were created on the site, or the admin password was changed directly with SQL commands.

After that, logging in and injecting the script through the theme editor is fully automated. What you are seeing is the "payload" part of the attack.

A scripted attack like this has three stages:

  1. The actual exploit, which gets them into the system in some form. In some cases this can be manual, but most of the time it is an automated process that tries a large number of exploits in rapid succession until any one of them succeeds.
  2. Escalation, where the attack uses the initial entry point to gain a higher level of privilege. For example, an SQL injection vulnerability could be used to create a new user in the database, which is then used to gain access to PHP, which can run arbitrary code.
  3. Payload injection, where the escalated privileges are used to insert the payload. Usually spam or some other prefabricated junk.

The point is that each stage is independent of the next. You are only seeing the last step in your logs. The attacker could access your site immediately because the script already knew the password. The password was modified, or access was gained by some other means.

And yes, sometimes this means exploits carried out in silly ways. That is down to the automated, script-kiddie nature of the systems being used. I once saw an attack that exploited an FTP account, uploaded PHP files, modified the WordPress install, and then used the WordPress install to inject spam into the theme. It did not matter that the initial exploit already allowed injecting any PHP directly; the attacking system was wired to one specific process, even if most of that process was useless in some cases.

Votes: 4
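The answer's point is that the http log shows only the payload stage; the one artefact that stage leaves on disk is a rewritten 404.php, which a hash baseline of the theme directory catches regardless of how the attacker obtained the password. The script below is an added example and is not code from the question, the answer or WordPress. It builds a constructed theme tree in a temporary directory, snapshots SHA-256 hashes of every file, simulates the theme editor overwriting 404.php and a second file being dropped, and diffs the two snapshots. All paths and file contents are constructed stand-ins; the "injected" content is a placeholder comment, not the attacker's script.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Files added, removed or changed between a known-good snapshot and the live tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def php_findings(diff):
    """Added or modified .php files: any of these under wp-content/themes/ is a finding,
    because nothing legitimate rewrites theme PHP between deployments."""
    return sorted(p for p in diff["added"] + diff["modified"] if p.endswith(".php"))


def demo():
    """Constructed scenario mirroring the log: a clean theme, then an edit through the theme editor."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "twentyten"
        theme.mkdir(parents=True)
        # Constructed stand-ins for the theme's real files.
        (theme / "404.php").write_text("<?php get_header(); ?>\n<h1>Not Found</h1>\n<?php get_footer(); ?>\n")
        (theme / "style.css").write_text("body { margin: 0; }\n")
        baseline = snapshot(tmp)

        # What the theme-editor POST in the log did: overwrite 404.php. The content
        # here is a constructed placeholder, not the attacker's script.
        (theme / "404.php").write_text("<?php /* constructed placeholder for injected code */ ?>\n")
        # A dropped file, also constructed, to show that additions are caught as well.
        (theme / "cache.php").write_text("<?php // constructed dropped file\n")

        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    d = demo()
    print("modified:", d["modified"])
    print("added:   ", d["added"])
    print("php findings:", php_findings(d))
```

In a real deployment the baseline is taken from a clean install or the theme's release archive and compared against the live wp-content/themes/ on a schedule, and a changed 404.php would have been reported within one interval of the POST seen in the log. Two further checks follow from the answer rather than from the log: defining `DISALLOW_FILE_EDIT` as true in wp-config.php removes the theme and plugin editors, which blocks the payload step shown here (not the initial access the answer describes), and the hypothesis of a changed password or an added account is verified in the wp_users and wp_usermeta tables, where the http log cannot see.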
Original page content provided by WordPress Development; the Chinese version of this page was machine-translated by Tencent Cloud.
Original link:

https://wordpress.stackexchange.com/questions/60585
