发现了这段讨厌的代码,我想知道它有什么作用?我应该担心吗?

Found this nasty code, I wonder what it does? Should I be worried...?


我最近在服务器日志中看到了一些免费文件下载网站,其中一个网站的源代码里有一些可疑的 JavaScript 代码。我应该担心吗?因为这段代码可能已经在我们公司的某台计算机上运行过,或者已经在上面安装了垃圾邮件程序。

代码

<script type="text/javascript">
// Page-specific values written into the page. launch() concatenates `file`
// and `stamp` into the offercheck.php query string.
var stamp = "0529e8679c27247e794a";
var file = "74109";
// `host` is assigned here but is not read by any code in this listing.
var host = "fileice.net";
// String table produced by the obfuscator: every property name, element id,
// URL fragment and HTML snippet used by the code below is stored here and
// looked up by index (entry 12 is "getElementById", entry 13 is "innerHTML").
// Each entry was written as a run of two-digit hex escapes; in this listing
// the leading backslash of each escape was lost and shows up as an apostrophe,
// so 'x64 stands for the hex escape of "d".
// Entries 6-10 ("onload", "location", "parent", "http://",
// "/download.php?file=") are not referenced by the code shown in this listing.
var _0x6675 = ["'x64'x69'x76'x2E'x6D'x65'x6E'x75'x20'x6C'x69", "'x68'x34", "'x68'x33", "'x68'x32", "'x68'x31", "'x72'x65'x70'x6C'x61'x63'x65", "'x6F'x6E'x6C'x6F'x61'x64", "'x6C'x6F'x63'x61'x74'x69'x6F'x6E", "'x70'x61'x72'x65'x6E'x74", "'x68'x74'x74'x70'x3A'x2F'x2F", "'x2F'x64'x6F'x77'x6E'x6C'x6F'x61'x64'x2E'x70'x68'x70'x3F'x66'x69'x6C'x65'x3D", "", "'x67'x65'x74'x45'x6C'x65'x6D'x65'x6E'x74'x42'x79'x49'x64", "'x69'x6E'x6E'x65'x72'x48'x54'x4D'x4C", "'x64'x65'x73'x63", "'x3C'x70'x3E'x54'x68'x65'x20'x64'x6F'x77'x6E'x6C'x6F'x61'x64'x20'x77'x69'x6C'x6C'x20'x61'x75'x74'x6F'x6D'x61'x74'x69'x63'x61'x6C'x6C'x79'x20'x62'x65'x67'x69'x6E'x20'x77'x68'x65'x6E'x20'x79'x6F'x75'x20'x73'x75'x63'x63'x65'x73'x73'x66'x75'x6C'x6C'x79'x20'x66'x69'x6E'x69'x73'x68'x20'x74'x68'x65'x20'x73'x75'x72'x76'x65'x79'x20'x79'x6F'x75'x20'x68'x61'x76'x65'x20'x63'x68'x6F'x73'x65'x6E'x2E'x20'x49'x66'x20'x74'x68'x65'x20'x66'x69'x6C'x65'x20'x64'x6F'x65'x73'x20'x6E'x6F'x74'x20'x61'x75'x74'x6F'x6D'x61'x74'x69'x63'x61'x6C'x6C'x79'x20'x75'x6E'x6C'x6F'x63'x6B'x20'x61'x66'x74'x65'x72'x20'x61'x20'x6D'x69'x6E'x75'x74'x65'x2C'x20'x70'x6C'x65'x61'x73'x65'x20'x63'x68'x6F'x6F'x73'x65'x20'x61'x6E'x6F'x74'x68'x65'x72'x20'x73'x75'x72'x76'x65'x79'x20'x61'x6E'x64'x20'x63'x6F'x6D'x70'x6C'x65'x74'x65'x20'x69'x74'x2E'x3C'x2F'x70'x3E", "'x64'x69'x73'x70'x6C'x61'x79", "'x73'x74'x79'x6C'x65", "'x6C'x6F'x61'x64'x69'x6E'x67'x69'x6D'x67", "'x62'x6C'x6F'x63'x6B", "'x73'x72'x63", "'x6F'x66'x66'x65'x72'x63'x68'x65'x63'x6B", "'x6F'x66'x66'x65'x72'x63'x68'x65'x63'x6B'x2E'x70'x68'x70'x3F'x66'x69'x6C'x65'x3D", "'x26'x74'x3D", "'x73'x70'x63'x6E'x67", "'x26'x61'x6A'x61'x78", "'x31", 
"'x3C'x70'x3E'x59'x6F'x75'x72'x20'x66'x69'x6C'x65'x20'x68'x61'x73'x20'x62'x65'x65'x6E'x20'x75'x6E'x6C'x6F'x63'x6B'x65'x64'x21'x20'x43'x6C'x69'x63'x6B'x20'x6F'x6B'x61'x79'x20'x6F'x6E'x20'x74'x68'x65'x20'x64'x6F'x77'x6E'x6C'x6F'x61'x64'x20'x70'x72'x6F'x6D'x70'x74'x20'x74'x6F'x20'x64'x6F'x77'x6E'x6C'x6F'x61'x64'x20'x74'x68'x65'x20'x66'x69'x6C'x65'x2E'x3C'x2F'x70'x3E", "'x6E'x6F'x6E'x65", "'x3C'x62'x72'x2F'x3E'x3C'x62'x72'x2F'x3E", "'x70'x6F'x73'x74", "'x69'x6E'x66'x6F", "'x3C'x64'x69'x76'x20'x73'x74'x79'x6C'x65'x3D'x22'x70'x61'x64'x64'x69'x6E'x67'x3A'x20'x35'x70'x78'x20'x37'x70'x78'x3B'x20'x62'x6F'x72'x64'x65'x72'x3A'x20'x31'x70'x78'x20'x73'x6F'x6C'x69'x64'x20'x23'x65'x32'x65'x32'x65'x32'x3B'x20'x76'x65'x72'x74'x69'x63'x61'x6C'x2D'x61'x6C'x69'x67'x6E'x3A'x20'x6D'x69'x64'x64'x6C'x65'x3B'x20'x62'x61'x63'x6B'x67'x72'x6F'x75'x6E'x64'x2D'x63'x6F'x6C'x6F'x72'x3A'x20'x23'x46'x37'x46'x37'x46'x37'x3B'x20'x77'x69'x64'x74'x68'x3A'x20'x37'x33'x25'x3B'x22'x3E'x3C'x70'x3E", "'x3C'x2F'x70'x3E'x3C'x2F'x64'x69'x76'x3E"];
// Decodes to Cufon.replace("h1")("h2")("h3")("h4")("div.menu li"): a chained
// call on the Cufon object, which is defined outside this listing.
Cufon[_0x6675[5]](_0x6675[4])(_0x6675[3])(_0x6675[2])(_0x6675[1])(_0x6675[0]);
// Entry 11 is the empty string. `prev` holds the markup that clearinfo()
// writes back into the "info" element.
var prev = _0x6675[11];
// Shorthand for document.getElementById (entry 12 of the string table is
// "getElementById"): returns whatever that call yields for the id _0x2391x4.
function _(_0x2391x4) {
    return document[_0x6675[12]](_0x2391x4)
};
// Shows the "finish the survey" message and the loading image, points the
// "offercheck" element at offercheck.php, then asks offercheck.php every
// 10 seconds whether the offer has been completed. Everything visible here is
// DOM updates plus requests to a relative offercheck.php URL; what that URL
// returns once the file is "unlocked" is not part of this listing.
// The call site of launch() is not in this listing either.
function launch() {
    // 0 while still locked, set to 1 once the server reply matches entry 26.
    var _0x2391x6 = 0;
    // _("desc").innerHTML = "<p>The download will automatically begin ...</p>"
    _(_0x6675[14])[_0x6675[13]] = _0x6675[15];
    // _("loadingimg").style.display = "block"
    _(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[19];
    // _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp
    // NOTE(review): "offercheck" has a src, so presumably an iframe - confirm in the page markup.
    _(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp;
    // `curr` is only ever assigned in showinfo() and is not declared in this
    // listing; if nothing has defined it yet this read throws a ReferenceError.
    prev = curr;
    // _("spcng").innerHTML = ""
    _(_0x6675[24])[_0x6675[13]] = _0x6675[11];
    // The timer id returned by setInterval is discarded.
    setInterval(function () {
        if (_0x2391x6 == 0) {
            // $.post("offercheck.php?file=" + file + "&ajax", callback)
            // `$` is defined outside this listing - presumably jQuery.
            $[_0x6675[30]](_0x6675[22] + file + _0x6675[25], function (_0x2391x7) {
                // Entry 26 is "1": the reply that marks the offer as completed.
                if (_0x2391x7 == _0x6675[26]) {
                    // _("desc").innerHTML = "<p>Your file has been unlocked! ...</p>"
                    _(_0x6675[14])[_0x6675[13]] = _0x6675[27];
                    // _("loadingimg").style.display = "none"
                    _(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[28];
                    // Clear and re-set _("offercheck").src so the same URL is requested again.
                    _(_0x6675[21])[_0x6675[20]] = _0x6675[11];
                    _(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp;
                    _0x2391x6 = 1;
                    // prev = "" followed by clearinfo() empties the "info" element.
                    prev = _0x6675[11];
                    clearinfo();
                    // _("spcng").innerHTML = "<br/><br/>"
                    _(_0x6675[24])[_0x6675[13]] = _0x6675[29]
                }
            })
        } else {
            // Called without a timer id, so no interval is cancelled; the
            // callback keeps firing every 10 seconds and lands in this branch.
            clearInterval()
        }
    }, 10000)
};
// Replaces the markup of the "info" element with a styled <div> wrapping
// _0x2391x9, keeping the previous markup in `prev` and the new one in `curr`.
// NOTE(review): _0x2391x9 is concatenated into innerHTML without escaping, so
// any markup in it is parsed as HTML; the callers are not in this listing.
function showinfo(_0x2391x9) {
    // prev = _("info").innerHTML
    prev = _(_0x6675[31])[_0x6675[13]];
    // _("info").innerHTML = '<div style="padding: ...; width: 73%;"><p>' + text + "</p></div>"
    _(_0x6675[31])[_0x6675[13]] = _0x6675[32] + _0x2391x9 + _0x6675[33];
    // `curr` is assigned without a declaration in this listing.
    curr = _(_0x6675[31])[_0x6675[13]]
};
// Writes the markup saved in `prev` back into the "info" element:
// _("info").innerHTML = prev
function clearinfo() {
    _(_0x6675[31])[_0x6675[13]] = prev
};
</script>

网址

http://www.fileice.net/download.php?t=regular&file=rfve

解码 _0x6675 数组(其中只是十六进制转义,并非加密)后得到:

["div.menu li","h4","h3","h2","h1","replace","onload","location","parent","http://","/download.php?file=","","getElementById","innerHTML","desc","<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>","display","style","loadingimg","block","src","offercheck","offercheck.php?file=","&t=","spcng","&ajax","1","<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>","none","<br/><br/>","post","info","<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>","</p></div>"]

在我看来没什么太壮观的。

看起来只是一些混淆的JavaScript代码,以防止复制他们的脚本。

您正在托管代码,但您不知道它来自哪里?

是的。担心。

将服务器脱机并对其进行安全审核。

<script type="text/javascript">
// Page-specific values written into the page. They differ from the values in
// the question's listing, presumably because this copy was fetched separately.
var stamp = "9bdcac6591542d17c8ff";
var file = "126640";
var host = "fileice.net";
// Markup saved by showinfo() so that clearinfo() can put it back.
var prev = "";
// see: https://github.com/sorccu/cufon/wiki/API
Cufon.replace("h1")("h2")("h3")("h4")("div.menu li");
window.onload = function () {
    // Make sure page is in a frame: when this window is the top-level one
    // (its location is its parent's location), navigate to download.php on
    // `host` instead of staying on this page.
    if (window.location == window.parent.location) {
        window.location = "http://" + host + "/download.php?file=" + file;
    }
}
// Shorthand for document.getElementById: hands back whatever that call
// returns for the given element id.
function _(id) {
    var element = document.getElementById(id);
    return element;
}
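// Readable form of launch(): shows the "finish the survey" message and the
// loading image, points the "offercheck" element at offercheck.php, then asks
// offercheck.php every 10 seconds whether the chosen offer has been completed.
// Everything visible here is DOM updates plus requests to a relative
// offercheck.php URL; what that URL returns once the file is "unlocked" is not
// part of this listing. Kept faithful to the site's script: only the stray "."
// after innerHTML, which made the transcription unparseable, is corrected.
function launch() {
    // 0 while still locked, 1 once the server reports the offer as completed.
    var offerFinished = 0;
    _("desc").innerHTML = "<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>";
    _("loadingimg").style.display = "block";
    // NOTE(review): "offercheck" has a src, so presumably an iframe - confirm in the page markup.
    _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp;
    _("spcng").innerHTML = "";
    // `curr` is only ever assigned in showinfo() and is not declared in this
    // listing; if nothing has defined it yet this read throws a ReferenceError.
    prev = curr;
    // The timer id returned by setInterval is discarded.
    setInterval(function () {
        if (offerFinished == 0) {
            // JQuery Ajax POST request
            $.post("offercheck.php?file=" + file + "&ajax", function (data) {
                // NOTE(review): the obfuscated listing compares the reply with
                // string-table entry 26, which decodes to "1"; this copy
                // compares with "0" - confirm against the page it was taken from.
                if (data == "0") {
                    _("desc")["innerHTML"] = "<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>";
                    _("loadingimg").style.display = "none";
                    // Clear and re-set src so the same URL is requested again.
                    _("offercheck").src = "";
                    _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp;
                    _("spcng").innerHTML = "<br/><br/>";
                    offerFinished = 1;
                    // prev = "" followed by clearinfo() empties the "info" element.
                    prev = "";
                    clearinfo();
                }
            })
        } else {
            // Called without a timer id, so no interval is cancelled; the
            // callback keeps firing every 10 seconds and lands in this branch.
            clearInterval()
        }
    }, 10000)
};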
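// Replaces the markup of the "info" element with a styled <div> wrapping
// `info`, keeping the previous markup in `prev` and the new one in `curr`.
// The listing had lost the backslashes that escape the double quotes around
// the style attribute (they appeared as apostrophes), which broke the string
// literal; they are restored here to match the decoded string table.
// NOTE(review): `info` is concatenated into innerHTML without escaping, so any
// markup in it is parsed as HTML; the callers are not in this listing.
function showinfo(info) {
    prev = _("info").innerHTML;
    _("info").innerHTML = "<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>" + info + "</p></div>";
    // `curr` is assigned without a declaration in this listing.
    curr = _("info").innerHTML;
}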
// Writes the markup currently held in `prev` back into the "info" element,
// undoing the last showinfo() call.
function clearinfo() {
    var infoBox = _("info");
    infoBox.innerHTML = prev;
}
</script>

只需将代码文本粘贴到输入框中,然后点击该网站上的"解码"按钮(我不是在推广这个网站,它也不属于我):http://ddecode.com/hexdecoder/