我最近在服务器日志中看到了一些免费文件下载网站,其中一个网站的源代码里有一些可疑的 JavaScript 代码。我应该担心吗?因为这些代码可能已经运行,或者可能已经在我们公司的计算机中安装了垃圾邮件。
代码
<script type="text/javascript">
// Page parameters. launch() sends `file` and `stamp` to offercheck.php as the
// `file` and `t` query values; `host` is not referenced anywhere else in this listing.
var stamp = "0529e8679c27247e794a";
var file = "74109";
var host = "fileice.net";
// String table used by the obfuscation: every entry is plain ASCII written as \xNN
// hex escapes (DOM property names, element ids, URL fragments and two HTML messages).
// Nothing here is encrypted; evaluating the literal yields the readable strings.
// Slots 6-10 ("onload", "location", "parent", "http://", "/download.php?file=") are
// not used by any code in this listing, so part of the original script (presumably a
// redirect built from those strings) may be missing from the paste.
var _0x6675 = ["\x64\x69\x76\x2E\x6D\x65\x6E\x75\x20\x6C\x69", "\x68\x34", "\x68\x33", "\x68\x32", "\x68\x31", "\x72\x65\x70\x6C\x61\x63\x65", "\x6F\x6E\x6C\x6F\x61\x64", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x70\x61\x72\x65\x6E\x74", "\x68\x74\x74\x70\x3A\x2F\x2F", "\x2F\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x2E\x70\x68\x70\x3F\x66\x69\x6C\x65\x3D", "", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64", "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C", "\x64\x65\x73\x63", "\x3C\x70\x3E\x54\x68\x65\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x77\x69\x6C\x6C\x20\x61\x75\x74\x6F\x6D\x61\x74\x69\x63\x61\x6C\x6C\x79\x20\x62\x65\x67\x69\x6E\x20\x77\x68\x65\x6E\x20\x79\x6F\x75\x20\x73\x75\x63\x63\x65\x73\x73\x66\x75\x6C\x6C\x79\x20\x66\x69\x6E\x69\x73\x68\x20\x74\x68\x65\x20\x73\x75\x72\x76\x65\x79\x20\x79\x6F\x75\x20\x68\x61\x76\x65\x20\x63\x68\x6F\x73\x65\x6E\x2E\x20\x49\x66\x20\x74\x68\x65\x20\x66\x69\x6C\x65\x20\x64\x6F\x65\x73\x20\x6E\x6F\x74\x20\x61\x75\x74\x6F\x6D\x61\x74\x69\x63\x61\x6C\x6C\x79\x20\x75\x6E\x6C\x6F\x63\x6B\x20\x61\x66\x74\x65\x72\x20\x61\x20\x6D\x69\x6E\x75\x74\x65\x2C\x20\x70\x6C\x65\x61\x73\x65\x20\x63\x68\x6F\x6F\x73\x65\x20\x61\x6E\x6F\x74\x68\x65\x72\x20\x73\x75\x72\x76\x65\x79\x20\x61\x6E\x64\x20\x63\x6F\x6D\x70\x6C\x65\x74\x65\x20\x69\x74\x2E\x3C\x2F\x70\x3E", "\x64\x69\x73\x70\x6C\x61\x79", "\x73\x74\x79\x6C\x65", "\x6C\x6F\x61\x64\x69\x6E\x67\x69\x6D\x67", "\x62\x6C\x6F\x63\x6B", "\x73\x72\x63", "\x6F\x66\x66\x65\x72\x63\x68\x65\x63\x6B", "\x6F\x66\x66\x65\x72\x63\x68\x65\x63\x6B\x2E\x70\x68\x70\x3F\x66\x69\x6C\x65\x3D", "\x26\x74\x3D", "\x73\x70\x63\x6E\x67", "\x26\x61\x6A\x61\x78", "\x31", 
"\x3C\x70\x3E\x59\x6F\x75\x72\x20\x66\x69\x6C\x65\x20\x68\x61\x73\x20\x62\x65\x65\x6E\x20\x75\x6E\x6C\x6F\x63\x6B\x65\x64\x21\x20\x43\x6C\x69\x63\x6B\x20\x6F\x6B\x61\x79\x20\x6F\x6E\x20\x74\x68\x65\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x70\x72\x6F\x6D\x70\x74\x20\x74\x6F\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x74\x68\x65\x20\x66\x69\x6C\x65\x2E\x3C\x2F\x70\x3E", "\x6E\x6F\x6E\x65", "\x3C\x62\x72\x2F\x3E\x3C\x62\x72\x2F\x3E", "\x70\x6F\x73\x74", "\x69\x6E\x66\x6F", "\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x22\x70\x61\x64\x64\x69\x6E\x67\x3A\x20\x35\x70\x78\x20\x37\x70\x78\x3B\x20\x62\x6F\x72\x64\x65\x72\x3A\x20\x31\x70\x78\x20\x73\x6F\x6C\x69\x64\x20\x23\x65\x32\x65\x32\x65\x32\x3B\x20\x76\x65\x72\x74\x69\x63\x61\x6C\x2D\x61\x6C\x69\x67\x6E\x3A\x20\x6D\x69\x64\x64\x6C\x65\x3B\x20\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x23\x46\x37\x46\x37\x46\x37\x3B\x20\x77\x69\x64\x74\x68\x3A\x20\x37\x33\x25\x3B\x22\x3E\x3C\x70\x3E", "\x3C\x2F\x70\x3E\x3C\x2F\x64\x69\x76\x3E"];
// Decodes to Cufon.replace("h1")("h2")("h3")("h4")("div.menu li"): a chained call on the
// Cufon object that only names heading/menu selectors.
Cufon[_0x6675[5]](_0x6675[4])(_0x6675[3])(_0x6675[2])(_0x6675[1])(_0x6675[0]);
// prev starts as the empty string (slot 11); showinfo()/clearinfo() use it to save and
// restore the contents of the "info" element.
var prev = _0x6675[11];
// Element lookup shortcut: the method name comes from string-table slot 12, which
// decodes to "getElementById", so this is document.getElementById(elementId).
function _(elementId) {
  var lookupMethod = _0x6675[12];
  return document[lookupMethod](elementId);
}
// launch(): shows the "finish a survey" notice, points the "offercheck" element at
// offercheck.php, then asks that endpoint every 10 seconds whether the file is unlocked.
// Decoded names in the comments below are the string-table values for each slot.
// Everything visible here is DOM updates plus requests to relative offercheck.php URLs;
// there is no eval, document.write or script injection in this function. The file that
// the gate eventually serves and the survey pages themselves are not part of this listing.
function launch() {
// Unlock flag: 0 while still waiting, set to 1 once the poll reply equals "1".
var _0x2391x6 = 0;
// _("desc").innerHTML = survey-instructions paragraph (slot 15)
_(_0x6675[14])[_0x6675[13]] = _0x6675[15];
// _("loadingimg").style.display = "block"
_(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[19];
// _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp
_(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp;
// `curr` is only ever assigned inside showinfo(); no declaration of it is visible in this
// listing, so this read throws a ReferenceError if showinfo() has not run first.
prev = curr;
// _("spcng").innerHTML = ""
_(_0x6675[24])[_0x6675[13]] = _0x6675[11];
// Poll every 10000 ms. The timer id returned by setInterval is discarded.
setInterval(function () {
if (_0x2391x6 == 0) {
// $.post("offercheck.php?file=" + file + "&ajax", callback)
$[_0x6675[30]](_0x6675[22] + file + _0x6675[25], function (_0x2391x7) {
// Reply "1" (slot 26) is treated as "offer completed".
if (_0x2391x7 == _0x6675[26]) {
// _("desc").innerHTML = "Your file has been unlocked!" paragraph (slot 27)
_(_0x6675[14])[_0x6675[13]] = _0x6675[27];
// _("loadingimg").style.display = "none"
_(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[28];
// Clear and re-set _("offercheck").src so the element requests offercheck.php again;
// given the "download prompt" message this is presumably what delivers the file.
_(_0x6675[21])[_0x6675[20]] = _0x6675[11];
_(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp;
_0x2391x6 = 1;
prev = _0x6675[11];
clearinfo();
// _("spcng").innerHTML = "<br/><br/>"
_(_0x6675[24])[_0x6675[13]] = _0x6675[29]
}
})
} else {
// Called without a timer id, so the interval is never cancelled; after unlocking, the
// callback keeps firing every 10 s and lands in this branch each time.
clearInterval()
}
}, 10000)
};
// showinfo(message): remembers the current markup of the "info" element in `prev`,
// replaces it with `message` wrapped in the styled <div><p>…</p></div> box from
// string-table slots 32/33, and records the resulting markup in `curr`.
// NOTE(review): `message` goes into innerHTML unescaped; the callers are not shown in
// this listing, so whether that value can carry markup from outside is unverified.
function showinfo(message) {
  var htmlProp = _0x6675[13]; // "innerHTML"
  var infoBox = _(_0x6675[31]); // _("info")
  prev = infoBox[htmlProp];
  infoBox[htmlProp] = _0x6675[32] + message + _0x6675[33];
  curr = infoBox[htmlProp];
}
// clearinfo(): puts the markup saved in `prev` back into the "info" element
// (slot 31 decodes to "info", slot 13 to "innerHTML").
function clearinfo() {
  var infoBox = _(_0x6675[31]);
  infoBox[_0x6675[13]] = prev;
}
</script>
网址
HTTP:\\ www.fileice.net/download.php?t=regular&file=rfve
答案 0 :(得分:4)
对 _0x6675 数组中的十六进制转义进行解码后得到:
["div.menu li","h4","h3","h2","h1","replace","onload","location","parent","http://","/download.php?file=","","getElementById","innerHTML","desc","<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>","display","style","loadingimg","block","src","offercheck","offercheck.php?file=","&t=","spcng","&ajax","1","<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>","none","<br/><br/>","post","info","<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>","</p></div>"]
在我看来,没什么特别的。
看起来只是一些经过混淆的 JavaScript 代码,目的是防止别人复制他们的脚本。
答案 1 :(得分:3)
您正在托管代码而您不知道它来自哪里?
是的,应该担心。
将服务器下线并进行安全审核。
答案 2 :(得分:3)
<script type="text/javascript">
// Page parameters: `file` and `stamp` are sent to offercheck.php by launch() (as `file`
// and `t`); `host` and `file` build the redirect URL in the onload handler below.
var stamp = "9bdcac6591542d17c8ff";
var file = "126640";
var host = "fileice.net";
// Saved markup of the "info" element, used by showinfo()/clearinfo().
var prev = "";
// see: https://github.com/sorccu/cufon/wiki/API
Cufon.replace("h1")("h2")("h3")("h4")("div.menu li");
window.onload = function () {
// Frame check: when the page is NOT inside a frame, window.parent is the window itself,
// so both sides are the same Location object and the comparison is true. In that case the
// browser is sent to download.php on `host`, i.e. this page is only meant to be shown
// framed by that download page.
if (window.location == window.parent.location) {
window.location = "http://" + host + "/download.php?file=" + file;
}
}
// Shorthand for document.getElementById, used by every other function in this script.
function _(id) {
  var element = document.getElementById(id);
  return element;
}
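/**
 * Starts the survey-gate flow: shows the "finish a survey" notice, points the
 * "offercheck" element at offercheck.php, then polls that endpoint every 10 seconds
 * until the reply signals that the file is unlocked.
 *
 * Everything visible here is DOM updates plus requests to relative offercheck.php URLs;
 * there is no eval, document.write or script injection. The file that is eventually
 * served and the survey pages themselves are not part of this listing.
 *
 * Reads the globals `file`, `stamp` and `curr`; writes the global `prev`.
 */
function launch() {
  // Unlock flag: 0 while still waiting, 1 once the poll reply signals completion.
  var offerFinished = 0;
  // Fixed: the listing had a stray "." after innerHTML, which is a syntax error.
  _("desc").innerHTML = "<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>";
  _("loadingimg").style.display = "block";
  _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp;
  _("spcng").innerHTML = "";
  // `curr` is only assigned inside showinfo(); if that has never run, this read throws
  // a ReferenceError. Kept as captured from the site.
  prev = curr;
  // The timer id returned by setInterval is discarded (kept as captured).
  setInterval(function () {
    if (offerFinished == 0) {
      // jQuery Ajax POST request
      $.post("offercheck.php?file=" + file + "&ajax", function (data) {
        // NOTE(review): the obfuscated listing in the question compares the reply with
        // string-table slot 26, which decodes to "1"; this capture shows "0". Confirm
        // which value the server actually returns on unlock.
        if (data == "0") {
          _("desc").innerHTML = "<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>";
          _("loadingimg").style.display = "none";
          // Clear and re-set src so the element requests offercheck.php again; given the
          // "download prompt" message this is presumably what delivers the file.
          _("offercheck").src = "";
          _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp;
          _("spcng").innerHTML = "<br/><br/>";
          offerFinished = 1;
          prev = "";
          clearinfo();
        }
      });
    } else {
      // Called without a timer id, so the interval is never cancelled; after unlocking,
      // the callback keeps firing every 10 s and lands here. Kept as captured.
      clearInterval();
    }
  }, 10000);
}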
// showinfo(info): saves the current markup of the "info" element in `prev`, replaces it
// with `info` wrapped in a styled box, and records the resulting markup in `curr`.
// NOTE(review): `info` goes into innerHTML unescaped; the callers are not shown in this
// listing, so whether that value can carry markup from outside is unverified.
function showinfo(info) {
  var infoBox = _("info");
  var boxOpen = "<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>";
  var boxClose = "</p></div>";
  prev = infoBox.innerHTML;
  infoBox.innerHTML = boxOpen + info + boxClose;
  curr = infoBox.innerHTML;
}
// clearinfo(): restores the "info" element to the markup saved in `prev`.
function clearinfo() {
  var infoBox = _("info");
  infoBox.innerHTML = prev;
}
</script>
答案 3 :(得分:0)
只需将代码文本粘贴到输入框中,然后点击此处的“解码”按钮(我不是在为该网站做宣传,它也不属于我):http://ddecode.com/hexdecoder/