How do I verify a server from the terminal and remove malicious JavaScript code?
First, let's break down what the code you're dealing with does: it dynamically loads an external script from a suspicious domain associated with malicious activity. Here's how to clean up your server and harden it to prevent future attacks:
Step 1: Locate and Remove the Injected Code
The first task is to find where this malicious snippet is hiding. It could be embedded in HTML templates, CMS theme files, database entries, or compromised server-side scripts.
Use Terminal Commands to Hunt for the Code
Connect to your server via SSH and run these commands to pinpoint infected files:
- Search for the unique variable name from the malicious code:
grep -r "gdjfgjfgj235f" /path/to/your/web/root
- Or search for the suspicious domain linked in the script:
grep -r "scripts.transnaltemyrecovers.com" /path/to/your/web/root
Replace /path/to/your/web/root with your actual web directory (e.g., /var/www/html for Apache on Debian/Ubuntu).
Delete the Malicious Snippet
Once you’ve found the infected files:
- Back up the file first (e.g., cp infected-file.html infected-file.html.bak) to avoid accidental data loss.
- Open the file with a text editor like nano or vim and delete the entire malicious JavaScript block.
- If the code is in a database (common with CMS platforms like WordPress), use a tool like phpMyAdmin or the mysql CLI to search for the snippet in post content, options tables, etc., and remove it.
Step 2: Verify Server Security & Block Future Attacks
Removing the code isn’t enough—you need to fix the vulnerabilities that allowed the injection in the first place.
Check for Compromised Accounts
- Review recent server logins to spot unauthorized access:
last                                        # Shows recent successful logins
grep "Failed password" /var/log/auth.log    # Checks for brute-force attempts (Debian/Ubuntu)
- For CMS admin accounts: Delete any unknown users and reset all admin passwords to strong, unique values.
Scan for Malware & Backdoors
- Install and run ClamAV, a free open-source antivirus tool:
apt update && apt install clamav          # Debian/Ubuntu
freshclam                                 # Update virus definitions
clamscan -r /path/to/your/web/root        # Scan your web root recursively
- Hunt for suspicious PHP backdoors that might be lingering:
find /path/to/your/web/root -type f -name "*.php" -exec grep -l "eval\|base64_decode\|shell_exec" {} \;
Delete any files that look suspicious (back them up first if you want to analyze them later).
Update All Software
Outdated software is the top entry point for attackers:
- Update your server OS and packages:
apt update && apt upgrade    # Debian/Ubuntu
yum update                   # RHEL/CentOS
- Update your web server (Apache/Nginx), CMS platform, and all plugins/themes to their latest secure versions.
Harden File Permissions
Ensure files and directories aren’t unnecessarily writable by the web server user:
# Set files to read-write for owner, read-only for others
find /path/to/your/web/root -type f -exec chmod 644 {} \;
# Set directories to read-write-execute for owner, read-execute for others
find /path/to/your/web/root -type d -exec chmod 755 {} \;
Avoid giving the web server user (e.g., www-data) write access to core system files or CMS core files.
Configure Firewall & SSH Security
- Use UFW to restrict incoming traffic to only essential ports:
ufw allow 22/tcp     # SSH
ufw allow 80/tcp     # HTTP
ufw allow 443/tcp    # HTTPS
ufw enable
- Disable password authentication for SSH and use SSH keys instead:
  - Generate an SSH key pair on your local machine if you don’t have one.
  - Copy the public key to your server:
ssh-copy-id user@your-server-ip
  - Edit /etc/ssh/sshd_config and set: PasswordAuthentication no
  - Restart SSH to apply changes:
systemctl restart sshd
Monitor for Re-infection
After cleaning up, keep an eye on your server for a few days. If the malicious code reappears, you likely missed a persistent backdoor—repeat the malware scan and check for unusual cron jobs or hidden files.
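The hunt-and-back-up routine from Step 1 and the PHP backdoor grep from Step 2, as an added POSIX shell example that is not part of the original answer. The two indicator strings (the variable name and the domain) are taken from the answer; the function names, the web root layout and every file it contains are constructed for the demo, so point the functions at your real web root instead of the sample directory.

```shell
#!/bin/sh
# Added example, not part of the original answer: hunt for the injected snippet
# and for common PHP backdoor markers under a web root, and back up a file
# before it is edited. The indicator strings come from the answer; the sample
# web root built by make_sample_webroot is constructed for this demo.

# Indicators quoted in the answer: the odd variable name and the loader domain.
INDICATORS='gdjfgjfgj235f
scripts.transnaltemyrecovers.com'

# Function names the answer greps for in PHP files (matched as literal text).
PHP_MARKERS='eval(
base64_decode(
shell_exec('

# scan_webroot DIR: print "file:line:content" for every indicator hit.
scan_webroot() {
    printf '%s\n' "$INDICATORS" | while IFS= read -r ind; do
        [ -n "$ind" ] || continue
        # -F: literal match, so the dots in the domain are not regex wildcards.
        grep -rnF -- "$ind" "$1" 2>/dev/null || true
    done
}

# scan_php_markers DIR: print each .php file under DIR containing any marker.
scan_php_markers() {
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        printf '%s\n' "$PHP_MARKERS" | while IFS= read -r m; do
            [ -n "$m" ] || continue
            if grep -qF -- "$m" "$f"; then
                printf '%s\n' "$f"
                break
            fi
        done
    done
}

# backup_file FILE: copy FILE to FILE.bak.<timestamp> and print the copy's path.
backup_file() {
    b="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p -- "$1" "$b"
    printf '%s\n' "$b"
}

# make_sample_webroot: build a constructed web root in a temp dir and print it.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/theme" "$root/uploads"
    printf '<html><body><h1>Clean page</h1></body></html>\n' > "$root/index.html"
    # Constructed infected template: carries both indicators from the answer.
    printf '<html><body>\n<script>var gdjfgjfgj235f = "scripts.transnaltemyrecovers.com";</script>\n</body></html>\n' \
        > "$root/theme/footer.html"
    printf '<?php echo "hello"; ?>\n' > "$root/uploads/clean.php"
    # Constructed suspicious file: only a comment, but it carries the markers.
    printf '<?php // eval(base64_decode(...)) planted here for the demo ?>\n' > "$root/uploads/cache.php"
    printf '%s\n' "$root"
}

# Demo run against the constructed sample (replace with your real web root).
sample=$(make_sample_webroot)
echo "== indicator hits under $sample"
scan_webroot "$sample"
echo "== PHP files with backdoor markers"
scan_php_markers "$sample"
echo "== backup written: $(backup_file "$sample/theme/footer.html")"
```

The literal (-F) match matters: `scripts.transnaltemyrecovers.com` contains regex metacharacters, and a plain `grep` would also match unrelated strings. Expect false positives from `scan_php_markers` on legitimate CMS code that calls `base64_decode`, so treat its output as a review list, not a delete list.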
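The permission-hardening and SSH steps from Step 2, turned into checks you can run before and after applying them, as an added POSIX shell example that is not part of the original answer. The function names, the sample directory tree and the two sshd_config samples are constructed for the demo; on a real server you would pass your web root and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original answer: audit the permission and SSH
# hardening steps instead of applying them blindly. world_writable lists what
# anyone on the box could modify under the web root; sshd_setting reads a key
# from an sshd_config-style file the way sshd does (first non-comment
# occurrence wins, keys are case-insensitive; Match blocks are not handled).
# The tree and config files built by make_sample_env are constructed for the demo.

# world_writable DIR: print files and directories under DIR writable by "others".
world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) 2>/dev/null | sort
}

# sshd_setting FILE KEY: print the first effective value of KEY (empty if unset).
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        tolower($1) == key { print $2; exit } # first occurrence wins
    ' "$1"
}

# check_sshd FILE: succeed only if password logins are off and key logins stay on.
check_sshd() {
    pw=$(sshd_setting "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    pk=$(sshd_setting "$1" PubkeyAuthentication | tr 'A-Z' 'a-z')
    printf '%s: PasswordAuthentication=%s PubkeyAuthentication=%s\n' \
        "$1" "${pw:-yes (default)}" "${pk:-yes (default)}"
    [ "$pw" = "no" ] && [ "${pk:-yes}" != "no" ]
}

# make_sample_env: constructed web tree plus two sshd_config samples; prints dir.
make_sample_env() {
    base=$(mktemp -d)
    mkdir -p "$base/www/uploads"
    printf 'ok\n' > "$base/www/index.html"
    printf 'x\n' > "$base/www/uploads/leftover.php"
    chmod 755 "$base/www"
    chmod 644 "$base/www/index.html"
    chmod 777 "$base/www/uploads"                 # constructed bad permission
    chmod 666 "$base/www/uploads/leftover.php"    # constructed bad permission
    # Constructed configs: a commented default followed by the explicit "no",
    # and one that still allows password logins.
    printf '#PasswordAuthentication yes\nPasswordAuthentication no\nPubkeyAuthentication yes\n' \
        > "$base/sshd_config.good"
    printf 'PasswordAuthentication yes\n' > "$base/sshd_config.bad"
    printf '%s\n' "$base"
}

# Demo run against the constructed sample (point these at your web root and
# /etc/ssh/sshd_config on a real server).
sample=$(make_sample_env)
echo "== world-writable paths under $sample/www"
world_writable "$sample/www"
echo "== sshd_config checks"
check_sshd "$sample/sshd_config.good" || echo "   -> FAIL: password logins still enabled"
check_sshd "$sample/sshd_config.bad"  || echo "   -> FAIL: password logins still enabled"
```

Run `world_writable` again after the `chmod 644`/`755` pass from the answer; it should print nothing. For the SSH check, `sshd_setting` only reads the file, so a setting overridden inside a `Match` block or in an included file will not be seen; on the server itself, `sshd -T` (run as root) prints the effective configuration and is the authoritative check.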
The question originates from Stack Exchange; it was asked by Jonas Rafael Rossatto.