The WordPress plugin "Increase Media Upload File Size" was flagged by Alibaba Cloud for containing a webshell/backdoor

Last updated 2025-11-26 21:47

2025/11/26
At the start of this month I received several reminders from Alibaba Cloud that a WebShell backdoor was present. It had presumably matched some suspicious signature, but it did not name a specific file, so I ignored it.
Today the warning came again.

This time Alibaba Cloud's warning named the specific file: one under the wp-maximum-upload-file-size plugin directory.

{
  "filePathMd5": "9d00787d79fec9685e0c54e67bdc184b",
  "knowngraphlabels": "分支对抗绕过/任意文件写入/任意文件删除/对主机的文件信息进行探测/绕过open_basedir安全机制",
  "sha256": "N/A",
  "level": 80,
  "operateTime": "2025-11-26 21:12:25",
  "virusType": "Webshell",
  "filePath": "/wordpress/wp-content/plugins/wp-maximum-upload-file-size/inc/class-wmufs-chunk-files.php",
  "notifyStatus": 0,
  "source": 22,
  "fileMd5": "b88d9816a19366033a0597984420958f",
  "fileModifyTime": "2025-11-02 15:58:03",
  "displayEventName": "发现后门(Webshell)文件",
  "lastFound": "2025-11-26 21:12:25",
  "fileSha256": "N/A",
  "fileCreateTime": 1762070283000,
  "securityEventExt": {
    "highlight": {
      "ruleVersion": "highlight_20210908",
      "ruleId": 600106,
      "events": [
        [0, 1000]
      ]
    },
    "eventLevel": "high",
    "knowngraph": {
      "ruleVersion": "known-graph-v4",
      "ruleId": 600157,
      "events": {
        "filter_signature": [
          "侦查.收集受害者主机信息.对主机的文件信息进行探测.is_writable",
          "持久化控制.任意文件写入.fwrite",
          "持久化控制.任意文件删除.unlink",
          "侦查.收集受害者主机信息.对主机的文件信息进行探测.file_exists",
          "防御规避.文本内容对抗.分支对抗绕过.if",
          "防御规避.文本内容对抗.分支对抗绕过.foreach",
          "持久化控制.文件写入.写入内容包含PHP文件标识",
          "防御规避.关闭安全机制.绕过open_basedir安全机制.glob",
          "侦查.收集受害者主机信息.对主机的文件信息进行探测.is_dir"
        ],
        "event_name": [
          "发现网站后门"
        ],
        "label": [
          "分支对抗绕过",
          "任意文件写入",
          "任意文件删除",
          "对主机的文件信息进行探测",
          "绕过open_basedir安全机制",
          "文件写入"
        ],
        "label_key": "分支对抗绕过/任意文件写入/任意文件删除/对主机的文件信息进行探测/绕过open_basedir安全机制"
      }
    }
  },
  "clientIp": "172.17.38.188",
  "firstFound": "2025-10-27 18:43:01",
  "ruleId": 600157,
  "fileOwner": "USER:,GROUP:",
  "assetInfo": "{\\\"aliUid\\\":1785921576475877,\\\"bid\\\":\\\"26842\\\",\\\"clientStatus\\\":\\\"online\\\",\\\"eip\\\":\\\"\\\",\\\"flag\\\":8,\\\"groupId\\\":12591195,\\\"groupName\\\":\\\"default\\\",\\\"internetIp\\\":\\\"47.237.106.25\\\",\\\"intranetIp\\\":\\\"172.17.38.188\\\",\\\"machineInstanceId\\\":\\\"i-t4n2ebz9sgcsgum9vc46\\\",\\\"machineIp\\\":\\\"47.237.106.25\\\",\\\"machineName\\\":\\\"-\\\",\\\"machineRegion\\\":\\\"ap-southeast-os30-a01\\\",\\\"machineType\\\":0,\\\"os\\\":\\\"linux\\\",\\\"regionId\\\":\\\"ap-southeast-1\\\",\\\"status\\\":\\\"Running\\\",\\\"tag\\\":\\\"InternetIp\\\",\\\"uuid\\\":\\\"e3e90487-54db-4ca0-b439-22e04629d06f\\\",\\\"vpcInstanceId\\\":\\\"-\\\"}",
  "status": 1
}

I submitted it to ChatGPT for analysis; it told me this was almost certainly not a false positive. I have disabled and deleted the plugin and will keep watching.

This plugin raises the upload size limit so that larger files can be uploaded in WordPress. I do not know whether the plugin itself shipped with a backdoor, whether it was infected by some other attack, or whether this is a false positive.
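The three possibilities raised above (a backdoor shipped in the plugin, a post-install infection, or a false positive) can be narrowed down with one check a responder does first: does the flagged file still match the copy in the plugin's published package? The alert's filter_signature entries gloss as host reconnaissance via is_writable, file_exists and is_dir; arbitrary file write via fwrite; arbitrary file delete via unlink; branch-based evasion via if and foreach; written content containing a PHP file marker; and open_basedir bypass via glob. A chunked-upload class legitimately calls every one of those functions, so the function list alone says little; a changed hash, or a file that is not in the package at all, is the stronger signal. The Python script below is an added example, not code from the original post or from the plugin: it diffs an installed plugin tree against a clean reference copy (for instance the zip for the installed version unpacked into a temporary directory; the download URL pattern is https://downloads.wordpress.org/plugin/wp-maximum-upload-file-size.<version>.zip, with the version taken from the installed plugin) and, for each added or changed PHP file, lists which of the alert's signature functions it calls and whether it writes a string containing a PHP open tag. The sample trees, the class body named Example_Chunk_Files and the injected line are constructed here for illustration and are not the real plugin's source.

```python
"""Triage helper for a WordPress plugin file flagged as a webshell.

Added example (not from the original post or the plugin). It compares an
installed plugin directory against a clean reference copy of the same
plugin version and reports added, removed and modified files; for each
added or modified PHP file it lists which of the function names from the
alert's filter_signature list are called, plus whether a PHP open tag is
written inside a string literal (the "written content contains a PHP file
marker" rule). All sample trees below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Function names lifted from the alert's filter_signature entries.
ALERT_SIGNATURES = ("is_writable", "fwrite", "unlink", "file_exists", "glob", "is_dir")

# A PHP open tag inside a quoted string (not the file's own opening tag) is what
# the "written content contains a PHP file marker" signature keys on.
PHP_TAG_IN_STRING = re.compile(r"""['"][^'"\n]*<\?php[^'"\n]*['"]""")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_trees(installed: Path, reference: Path) -> dict[str, list[str]]:
    """Files present only in the install, only in the reference, or differing."""
    inst, ref = hash_tree(installed), hash_tree(reference)
    return {
        "added": sorted(set(inst) - set(ref)),
        "removed": sorted(set(ref) - set(inst)),
        "modified": sorted(p for p in set(inst) & set(ref) if inst[p] != ref[p]),
    }


def signature_hits(path: Path) -> list[str]:
    """Which of the alert's signature functions a PHP file calls."""
    src = path.read_text(errors="replace")
    hits = [fn for fn in ALERT_SIGNATURES if re.search(rf"\b{fn}\s*\(", src)]
    if PHP_TAG_IN_STRING.search(src):
        hits.append("php_tag_in_string")
    return hits


def triage(installed: Path, reference: Path) -> dict:
    """Diff report plus signature hits for every added or modified PHP file."""
    report = diff_trees(installed, reference)
    report["signatures"] = {
        rel: signature_hits(installed / rel)
        for rel in report["added"] + report["modified"]
        if rel.endswith(".php")
    }
    return report


# Constructed stand-in for a chunked-upload class: the legitimate operations of
# such code (check dir, append chunk, glob and unlink parts) already cover every
# function in ALERT_SIGNATURES. This is NOT the real plugin's source.
REFERENCE_CHUNK_CLASS = """<?php
class Example_Chunk_Files {
    public function save_chunk($dir, $name, $data) {
        if (!is_dir($dir) || !is_writable($dir)) { return false; }
        $fh = fopen($dir . '/' . $name, 'ab');
        fwrite($fh, $data);
        fclose($fh);
        return true;
    }
    public function cleanup($dir) {
        foreach (glob($dir . '/*.part') as $part) {
            if (file_exists($part)) { unlink($part); }
        }
    }
}
"""

# Constructed injected line that a tampered copy might carry: it writes a string
# containing a PHP open tag, which the reference never does.
INJECTED_LINE = "file_put_contents(__DIR__ . '/marker.php', '<?php echo 1;');\n"


def build_sample() -> tuple[Path, Path]:
    """Create (installed, reference) trees in temp dirs; contents are constructed."""
    reference = Path(tempfile.mkdtemp(prefix="ref-"))
    installed = Path(tempfile.mkdtemp(prefix="inst-"))
    for root in (reference, installed):
        (root / "inc").mkdir()
        (root / "readme.txt").write_text("=== sample plugin ===\n")
        (root / "inc" / "class-wmufs-chunk-files.php").write_text(REFERENCE_CHUNK_CLASS)
    # Tamper with the installed copy only: modify one file and add one file.
    with (installed / "inc" / "class-wmufs-chunk-files.php").open("a") as f:
        f.write(INJECTED_LINE)
    (installed / "inc" / "extra.php").write_text("<?php echo 'constructed extra file';\n")
    return installed, reference


if __name__ == "__main__":
    inst_dir, ref_dir = build_sample()
    for key, value in triage(inst_dir, ref_dir).items():
        print(f"{key}: {value}")
```

On the constructed sample the reference class already hits all six signature functions, while only the tampered copy hits the PHP-marker check and only the tampered copy carries an extra file; run against the real install, an empty added/modified list means the flagged file is byte-for-byte what wordpress.org ships, and the remaining question is whether the published package itself is clean, which this comparison cannot answer. The alert's fileMd5 and fileModifyTime (2025-11-02 15:58:03) give the same test by hand: compare the hash with the packaged file and the timestamp with when the plugin was installed or last updated. Where WP-CLI is available, `wp plugin verify-checksums wp-maximum-upload-file-size` performs the hash comparison directly against the checksums published by wordpress.org.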
