Drupal 网站收到嵌入可疑代码的 url 请求，推测可能是黑客攻击 [英] Drupal site received url request embedding suspicious codes presuming attempt of hacking

问题描述

我发现一个对我的 Drupal 站点有可疑代码的 url 请求.有人会解释此代码的深度并建议采取任何预防措施.代码:

I found a url request having suspicious code to one of my Drupal site. Will someone explain what will be the depth of this code and advise any precautions to be taken. Code:

function (){try{var _0x5757=["/x6C/x65/x6E/x67/x74/x68","/x72/x61/x6E/x64/x6F/x6D","/x66/x6C/x6F/x6F/x72"],_0xa438x1=this[_0x5757[0]],_0xa438x2,_0xa438x3;if(_0xa438x1==0){return};while(--_0xa438x1){_0xa438x2=Math[_0x5757[2]](Math[_0x5757[1]]()*(_0xa438x1 1));_0xa438x3=this[_0xa438x1];this[_0xa438x1]=this[_0xa438x2];this[_0xa438x2]=_0xa438x3;};}catch(e){}finally{return this}}

站点返回页面未找到错误，我没有发现任何问题.

Site returned page not found error and I observed no issues.

推荐答案

通过beatifier运行此代码，您将收到:

Run this code through a beatifier and you will receive:

function () {
    try {
        var _0x5757 = ["/x6C/x65/x6E/x67/x74/x68", "/x72/x61/x6E/x64/x6F/x6D", "/x66/x6C/x6F/x6F/x72"],
            _0xa438x1 = this[_0x5757[0]],
            _0xa438x2, _0xa438x3;
        if (_0xa438x1 == 0) {
            return
        };
        while (--_0xa438x1) {
            _0xa438x2 = Math[_0x5757[2]](Math[_0x5757[1]]() * (_0xa438x1 1));
            _0xa438x3 = this[_0xa438x1];
            this[_0xa438x1] = this[_0xa438x2];
            this[_0xa438x2] = _0xa438x3;
        };
    } catch (e) {} finally {
        return this
    }
}

首先，让我们重命名一些变量并解密第三行中的字符串数组.我已将 _0x5757 重命名为 arr 并转义了数组中的十六进制字符.这给了你:

First, let's rename some variables and decrypt the array of strings in the third line. I've renamed _0x5757 to arr and escaped the hex-chars within the array. That gives you:

    var arr = ["length", "random", "floor"],

所以这里我们有一个很快会用到的函数列表.替换字符串并重命名变量，您将收到:

So here we have a list of functions that will be used shortly. Substitute the strings in and rename the variables and you will receive:

function () {
    try {
        var arr = ["length", "random", "floor"],
            length_func = "length",
            rand_number, temp;
        if (length_func == 0) {
            return
        };
        while (--length_func) {
            rand_number = Math["floor"](Math["random"]() * (length_func 1));
            temp = this[length_func];
            this[length_func] = this[rand_number];
            this[rand_number] = temp;
        };
    } catch (e) {} finally {
        return this
    }
}

请注意在生成随机数时脚本中存在语法错误.

Notice how there is a syntax error in the script when generating a random number.

* (length_func 1)

with length_func = "length" 不是有效的 JavaScript 语法，因此代码实际上不起作用.我仍然可以猜测它应该做什么:如果我们通过执行 Math["floor"] 而不是 Math.floor() 重要的几行是

with length_func = "length" is not valid JavaScript syntax, so the code is actually not functional. I can still make a guess on what it was supposed to do: If we remove the obfuscation of calling a function by doing Math["floor"] instead of Math.floor() the important lines are

        while (--length_func) {
            rand_number = Math.floor( Math.random() * ( length 1 ));
            temp = this.length_func;
            this.length_func = this.rand_number;
            this.rand_number = temp;
        };

它似乎尝试使用 Math.random() 和 Math.floor() 计算一个随机整数，然后交换变量 的内容length_func 和 rand_numerber，都包裹在 while(--length_func) 循环中.这里没有任何功能或任何有意义的东西.尝试无限循环挂起浏览器?就目前而言，该代码是非功能性的.它甚至无法生成随机数，因为 Math.floor() 总是会向下取整输入的浮点数，而 Math.rand() 会生成 0.0 以内的数字到 1.0，所以几乎总是略低于 1.0，因此大部分时间都是 rand_number = 0.rand() 输出与 length_func 1 的乘法可能会使数字变大，但语法无效.当我使用浏览器的控制台执行 length 时，它给了我 0，当我尝试执行 length(1) 时，然后是 length 不是函数，这里唯一有意义的 length 是字符串长度或数组长度，但它必须明确地是 "someString".length.希望对您有所帮助.

It seems that it tries to compute a random integer using Math.random() and Math.floor(), then swaps the contents of the variables length_func and rand_numerber, all wrapped in a while(--length_func) loop. There's nothing functional here or anything that makes sense. An attempt at an infinte loop hanging the browser maybe? The code is, as it stands, non-functional. It even fails to generate a random number, because Math.floor() will always round-down the inputted float, and Math.rand() will generate a number within 0.0 to 1.0, so nearly always something slightly below 1.0, therefore rand_number = 0 for most of the time. The multiplication with the rand() output with the length_func 1 maybe should have made the number bigger, but the syntax is invalid. When I use my browser's console to execute length, it gives me 0, when I try to do length(1), then length is not a function, the only length that makes sense here is a string-length or array length, but then it would have to explicitly be "someString".length. Hope this helps you.

这篇关于Drupal 网站收到嵌入可疑代码的 url 请求，推测可能是黑客攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！