HEX
Server: nginx/1.22.1
System: Linux iZuf67d4hh2ssx30nkok6dZ 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64
User: www (1000)
PHP: 7.4.33
Disabled: passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
$ pwd: /tmp/
Upload Files
File: //tmp/count_malicious_users.sh
#!/bin/bash
echo "=== 恶意用户统计 ==="

# joyrun.cn
config="/www/wwwroot/joyrun.cn/wp-config.php"
db_name=$(grep "DB_NAME" "$config" | cut -d "'" -f 4)
db_user=$(grep "DB_USER" "$config" | cut -d "'" -f 4)
db_pass=$(grep "DB_PASSWORD" "$config" | cut -d "'" -f 4)

echo ""
echo "【joyrun.cn】"
echo "SEO 垃圾账户(blogspot 模式):"
mysql -u"$db_user" -p"$db_pass" "$db_name" -e "SELECT COUNT(*) as count FROM wp_users WHERE user_login LIKE '%blogspot%' AND user_registered > '2026-02-01';" 2>/dev/null

# topcheersoftware.com
config="/www/wwwroot/topcheersoftware.com/wp-config.php"
db_name=$(grep "DB_NAME" "$config" | cut -d "'" -f 4)
db_user=$(grep "DB_USER" "$config" | cut -d "'" -f 4)
db_pass=$(grep "DB_PASSWORD" "$config" | cut -d "'" -f 4)

echo ""
echo "【topcheersoftware.com】"
echo "恶意管理员账户:"
mysql -u"$db_user" -p"$db_pass" "$db_name" -e "SELECT ID, user_login, user_email, user_registered FROM wp_users WHERE user_login LIKE '%admin%' AND user_registered > '2026-02-01';" 2>/dev/null
@ Telegram