Drupal 网站收到嵌入可疑代码的 url 请求,推测可能是黑客攻击 [英] Drupal site received url request embedding suspicious codes presuming attempt of hacking
问题描述
我发现一个对我的 Drupal 站点有可疑代码的 url 请求.有人会解释此代码的深度并建议采取任何预防措施.代码:
I found a url request having suspicious code to one of my Drupal site. Will someone explain what will be the depth of this code and advise any precautions to be taken. Code:
function (){try{var _0x5757=["/x6C/x65/x6E/x67/x74/x68","/x72/x61/x6E/x64/x6F/x6D","/x66/x6C/x6F/x6F/x72"],_0xa438x1=this[_0x5757[0]],_0xa438x2,_0xa438x3;if(_0xa438x1==0){return};while(--_0xa438x1){_0xa438x2=Math[_0x5757[2]](Math[_0x5757[1]]()*(_0xa438x1 1));_0xa438x3=this[_0xa438x1];this[_0xa438x1]=this[_0xa438x2];this[_0xa438x2]=_0xa438x3;};}catch(e){}finally{return this}}
站点返回页面未找到错误,我没有发现任何问题.
Site returned page not found error and I observed no issues.
推荐答案
通过beatifier运行此代码,您将收到:
Run this code through a beatifier and you will receive:
function () {
try {
var _0x5757 = ["/x6C/x65/x6E/x67/x74/x68", "/x72/x61/x6E/x64/x6F/x6D", "/x66/x6C/x6F/x6F/x72"],
_0xa438x1 = this[_0x5757[0]],
_0xa438x2, _0xa438x3;
if (_0xa438x1 == 0) {
return
};
while (--_0xa438x1) {
_0xa438x2 = Math[_0x5757[2]](Math[_0x5757[1]]() * (_0xa438x1 1));
_0xa438x3 = this[_0xa438x1];
this[_0xa438x1] = this[_0xa438x2];
this[_0xa438x2] = _0xa438x3;
};
} catch (e) {} finally {
return this
}
}
首先,让我们重命名一些变量并解密第三行中的字符串数组.我已将 _0x5757
重命名为 arr
并转义了数组中的十六进制字符.这给了你:
First, let's rename some variables and decrypt the array of strings in the third line. I've renamed _0x5757
to arr
and escaped the hex-chars within the array. That gives you:
var arr = ["length", "random", "floor"],
所以这里我们有一个很快会用到的函数列表.替换字符串并重命名变量,您将收到:
So here we have a list of functions that will be used shortly. Substitute the strings in and rename the variables and you will receive:
function () {
try {
var arr = ["length", "random", "floor"],
length_func = "length",
rand_number, temp;
if (length_func == 0) {
return
};
while (--length_func) {
rand_number = Math["floor"](Math["random"]() * (length_func 1));
temp = this[length_func];
this[length_func] = this[rand_number];
this[rand_number] = temp;
};
} catch (e) {} finally {
return this
}
}
请注意在生成随机数时脚本中存在语法错误.
Notice how there is a syntax error in the script when generating a random number.
* (length_func 1)
with length_func = "length"
不是有效的 JavaScript 语法,因此代码实际上不起作用.我仍然可以猜测它应该做什么:如果我们通过执行 Math["floor"]
而不是 Math.floor()来消除调用函数的混淆code> 重要的几行是
with length_func = "length"
is not valid JavaScript syntax, so the code is actually not functional. I can still make a guess on what it was supposed to do: If we remove the obfuscation of calling a function by doing Math["floor"]
instead of Math.floor()
the important lines are
while (--length_func) {
rand_number = Math.floor( Math.random() * ( length 1 ));
temp = this.length_func;
this.length_func = this.rand_number;
this.rand_number = temp;
};
它似乎尝试使用 Math.random()
和 Math.floor()
计算一个随机整数,然后交换变量 的内容length_func
和 rand_numerber
,都包裹在 while(--length_func)
循环中.这里没有任何功能或任何有意义的东西.尝试无限循环挂起浏览器?就目前而言,该代码是非功能性的.它甚至无法生成随机数,因为 Math.floor()
总是会向下取整输入的浮点数,而 Math.rand()
会生成 0.0 以内的数字到 1.0,所以几乎总是略低于 1.0,因此大部分时间都是 rand_number = 0
.rand()
输出与 length_func 1
的乘法可能会使数字变大,但语法无效.当我使用浏览器的控制台执行 length
时,它给了我 0
,当我尝试执行 length(1)
时,然后是 length 不是函数
,这里唯一有意义的 length
是字符串长度或数组长度,但它必须明确地是 "someString".length代码>.希望对您有所帮助.
It seems that it tries to compute a random integer using Math.random()
and Math.floor()
, then swaps the contents of the variables length_func
and rand_numerber
, all wrapped in a while(--length_func)
loop. There's nothing functional here or anything that makes sense. An attempt at an infinte loop hanging the browser maybe? The code is, as it stands, non-functional. It even fails to generate a random number, because Math.floor()
will always round-down the inputted float, and Math.rand()
will generate a number within 0.0 to 1.0, so nearly always something slightly below 1.0, therefore rand_number = 0
for most of the time. The multiplication with the rand()
output with the length_func 1
maybe should have made the number bigger, but the syntax is invalid. When I use my browser's console to execute length
, it gives me 0
, when I try to do length(1)
, then length is not a function
, the only length
that makes sense here is a string-length or array length, but then it would have to explicitly be "someString".length
. Hope this helps you.
这篇关于Drupal 网站收到嵌入可疑代码的 url 请求,推测可能是黑客攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!