2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
What happened in the WordPress keylogger incident? This article summarizes the cause of the incident, how the attack script works, and how to respond to it.
0x01 event description
The cause is that an obfuscated JS script was injected into WordPress. It is emitted from the theme's function.php file. The addresses of the loaded JS scripts are:
Of these, reconnecting-websocket.js handles the WebSocket communication, and cors.js contains the backdoor. cors.js modifies the front-end page, injects a JavaScript script that listens to input fields, and then sends the captured data to the attacker (wss://cloudflare[.]solutions:8085/).
0x02 analysis of the attack script
Two JS files are loaded at the bottom of the home page of the affected WordPress site. The first one is used for WebSocket communication. The core backdoor file is http://cloudflare[.]solutions/ajax/libs/cors/cors.js. cors.js is obfuscated, and the attack script is obtained after simple processing:
The attack script first calls linter(), which decodes linterkey1 and linterkey2.
https://cdnjs.cloudflare.com/ajax/libs/linter/linter.js?657[.............................] The domain name cdnjs.cloudflare.com does not exist; according to the code logic, the useful part should be the content after the "?":
Decrypt:
The logic is easy to follow: the script listens for blur events (fired when an input box loses focus) and sends the user's input over the WebSocket.
Finally, addyandexmetrix() is executed after the window has loaded. This function loads a JS counter similar to cnzz, which is used for visit statistics.
https://yandex.com/support/metrica/code/counter-initialize.xml
0x03 attack impact
DNS request records for cloudflare[.]solutions:
As you can see, there was a peak in June, and the attack trend has risen sharply recently. The following is the record of today's requests as of writing:
As you can see, the attack has intensified today.
A page search shows that nearly 5,000 sites around the world have been infected:
Some of the infected domain names:
0x04 mitigation measures
To self-check, look in the source code of your pages for a JS request to cloudflare[.]solutions.
The malicious JS is emitted through the function.php file of the WordPress theme. Immediately delete the part of that file that renders the malicious JS into the page. Passwords may already have been stolen by this point, so change them promptly.
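One way to automate the page-source self-check described above, as an added example that is not part of the original article: it parses a page, flags external scripts served from the indicator domain and URLs pointing to it inside inline scripts, and does not flag look-alike legitimate hosts such as cdnjs.cloudflare.com. The names `audit_html`, `host_is_bad` and `ScriptAudit`, and the sample HTML, are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicator from the article, kept defanged here and refanged at run time.
BAD_HOST = "cloudflare[.]solutions".replace("[.]", ".")
URL_RE = re.compile(r"""(?:https?:|wss?:)?//[^\s'"<>)]+""", re.I)

def host_is_bad(url):
    """True if the URL's host is the indicator domain or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == BAD_HOST or host.endswith("." + BAD_HOST)

class ScriptAudit(HTMLParser):
    """Collects external script URLs and URLs embedded in inline scripts."""
    def __init__(self):
        super().__init__()
        self.hits, self._inline = [], False
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        self._inline = src is None          # no src attribute: inline script body follows
        if src and host_is_bad(src):
            self.hits.append(("script-src", src))
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False
    def handle_data(self, data):
        if self._inline:                    # catches e.g. a WebSocket endpoint in inline JS
            self.hits += [("inline-url", u) for u in URL_RE.findall(data) if host_is_bad(u)]

def audit_html(html):
    """Return a list of (kind, url) findings for one HTML document."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.hits

# Constructed sample page: one legitimate CDN script plus the two patterns the article describes.
SAMPLE = f"""<html><body>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
<script src="//{BAD_HOST}/ajax/libs/cors/cors.js"></script>
<script>var s = new WebSocket('wss://{BAD_HOST}:8085/');</script>
</body></html>"""

if __name__ == "__main__":
    for kind, url in audit_html(SAMPLE):
        print(kind, url.replace(".", "[.]"))  # print findings defanged
```

Run it against the rendered HTML of each public page, not only the home page. A hit means the theme file still emits the script, and credentials typed into that page should be treated as exposed.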