应急响应记录之水坑挂马事件分析与恢复<\/h1>

一、水坑攻击概述<\/h2>
水坑攻击（Watering Hole Attack）是一种针对特定目标群体的网络攻击方式。攻击者通过入侵目标经常访问的网站，植入恶意代码或篡改网页内容，当目标用户访问这些被篡改的网站时，就会触发恶意代码执行，从而达到攻击目的。<\/p>

二、事件背景<\/h2>
客户反映用户访问应用首页时出现异常弹窗，诱导用户下载伪装成"弱口令"扫描工具的恶意文件。已有用户下载并安装，杀毒软件提示恶意文件告警。<\/p>

三、攻击手法分析<\/h2>

1. JSP文件篡改攻击<\/h3>

攻击特征：<\/h4>

攻击者篡改了login.jsp文件<\/li>
植入的恶意代码会在页面加载时检查是否存在特定cookie<\/li>
如果不存在指定cookie，则设置cookie并弹出诱导下载的窗口<\/li>

弹窗内容伪装成"重要通知"，诱导用户点击下载恶意文件<\/li> <\/ul>

植入代码分析：<\/h4>

window.onload<\/span> =<\/span> function<\/span>() {
<\/span><\/span>    function<\/span> getCookie<\/span>(name<\/span>) {
<\/span><\/span>        \/\/ cookie获取函数
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    if<\/span> (getCookie<\/span>('inself'<\/span>) ==<\/span> null<\/span>) {
<\/span><\/span>        \/\/ 设置cookie有效期100天
<\/span><\/span><\/span><\/span>        var<\/span> expires<\/span> =<\/span> 100<\/span>;
<\/span><\/span>        var<\/span> exp<\/span> =<\/span> new<\/span> Date();
<\/span><\/span>        exp<\/span>.setTime<\/span>(exp<\/span>.getTime<\/span>() +<\/span> expires<\/span> *<\/span> 24<\/span> *<\/span> 60<\/span> *<\/span> 60<\/span> *<\/span> 1000<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 创建弹窗元素
<\/span><\/span><\/span><\/span>        var<\/span> div<\/span> =<\/span> document.createElement<\/span>('div'<\/span>);
<\/span><\/span>        div<\/span>.innerHTML<\/span> =<\/span> '弹窗HTML内容'<\/span>;
<\/span><\/span>        document.body<\/span>.appendChild<\/span>(div<\/span>);
<\/span><\/span>        
<\/span><\/span>        \/\/ 关闭弹窗逻辑
<\/span><\/span><\/span><\/span>        var<\/span> back<\/span> =<\/span> document.getElementById<\/span>("back"<\/span>);
<\/span><\/span>        var<\/span> close<\/span> =<\/span> document.getElementById<\/span>("close"<\/span>);
<\/span><\/span>        close<\/span>.onclick<\/span> =<\/span> function<\/span>() {
<\/span><\/span>            document.cookie<\/span> =<\/span> "inself=true;path=\/;expires="<\/span> +<\/span> exp<\/span>.toUTCString<\/span>();
<\/span><\/span>            back<\/span>.style<\/span>.display<\/span> =<\/span> "none"<\/span>;
<\/span><\/span>            login<\/span>.style<\/span>.display<\/span> =<\/span> "none"<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. JS篡改+Flash挂马攻击<\/h3>
攻击特征：<\/h4>

攻击者篡改了loginPreview.js文件<\/li>
创建了同名的loginPreview.js1文件作为备份<\/li>
植入的恶意代码会强制用户下载伪装成Flash更新的恶意程序<\/li>
使用base64编码的图片增加伪装性<\/li>
<\/ul>
植入代码分析：<\/h4>
var<\/span> config<\/span> =<\/span> {
<\/span><\/span>    downloadUrl<\/span>:<\/span> 'install.exe'<\/span>,
<\/span><\/span>    cookieName<\/span>:<\/span> 'xxxxxx'<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> render_installer<\/span>(file_url<\/span>) {
<\/span><\/span>    \/\/ 创建弹窗样式
<\/span><\/span><\/span><\/span>    var<\/span> css<\/span> =<\/span> '...'<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 添加样式到页面
<\/span><\/span><\/span><\/span>    var<\/span> head<\/span> =<\/span> document.head<\/span> ||<\/span> document.getElementsByTagName<\/span>('head'<\/span>)[0<\/span>];
<\/span><\/span>    var<\/span> style<\/span> =<\/span> document.createElement<\/span>('style'<\/span>);
<\/span><\/span>    head<\/span>.appendChild<\/span>(style<\/span>);
<\/span><\/span>    style<\/span>.type<\/span> =<\/span> 'text\/css'<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 创建弹窗HTML
<\/span><\/span><\/span><\/span>    var<\/span> htmldoc<\/span> =<\/span> '<div class="notice">......<\/div>'<\/span>;
<\/span><\/span>    document.body<\/span>.insertBefore<\/span>(div<\/span>, document.body<\/span>.firstElementChild<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>四、排查分析方法<\/h2>
1. 前端定位法<\/h3>

通过页面显示的异常内容（如"【重要通知】"）定位被篡改的文件<\/li>
检查相关JSP文件内容<\/li>
注意模板文件可能被篡改的情况<\/li>
<\/ul>
2. 文件时间戳比对<\/h3>

检查文件修改时间，寻找异常时间点的修改<\/li>
对比备份文件与当前文件差异<\/li>
<\/ul>
3. 全局搜索关键内容<\/h3>

对全量文件进行关键词搜索（如弹窗中的特定字符串）<\/li>
使用工具批量下载文件进行内容分析<\/li>
<\/ul>
4. 恶意文件追踪<\/h3>

根据代码中的下载链接定位恶意文件存放位置<\/li>
分析恶意文件的行为和危害<\/li>
<\/ul>
五、恢复与防护建议<\/h2>
1. 应急恢复措施<\/h3>

立即隔离被篡改的文件<\/li>
恢复干净的备份文件<\/li>
清除植入的恶意代码<\/li>
删除服务器上的恶意文件<\/li>
重置相关账户密码<\/li>
<\/ul>
2. 安全加固建议<\/h3>

定期检查文件完整性（使用文件完整性监控工具）<\/li>
实施严格的访问控制（最小权限原则）<\/li>
及时修补系统漏洞<\/li>
部署Web应用防火墙(WAF)<\/li>
启用文件上传和修改的审计日志<\/li>
<\/ul>
3. 安全监测建议<\/h3>

部署入侵检测系统(IDS)<\/li>
设置文件变更告警<\/li>
定期进行安全扫描和渗透测试<\/li>
<\/ul>
六、总结<\/h2>
水坑攻击具有高度隐蔽性和针对性，防御需要从技术和管理多个层面入手。重点在于：<\/p>

及时发现文件异常变更<\/li>
严格控制文件修改权限<\/li>
建立完善的备份恢复机制<\/li>
提高员工安全意识，不轻易下载运行不明文件<\/li>
建立全面的安全监测体系<\/li>
<\/ol>

应急响应记录之水坑挂马事件分析与恢复<\/h1>

二、事件背景<\/h2> 客户反映用户访问应用首页时出现异常弹窗，诱导用户下载伪装成"弱口令"扫描工具的恶意文件。已有用户下载并安装，杀毒软件提示恶意文件告警。<\/p>

三、攻击手法分析<\/h2>

1. JSP文件篡改攻击<\/h3>

2. JS篡改+Flash挂马攻击<\/h3>

四、排查分析方法<\/h2>

五、恢复与防护建议<\/h2>

二、事件背景<\/h2>
客户反映用户访问应用首页时出现异常弹窗，诱导用户下载伪装成"弱口令"扫描工具的恶意文件。已有用户下载并安装，杀毒软件提示恶意文件告警。<\/p>