我的ReCaptcha网站正在拉google.com/js/th/something.js。我被黑了?

时间:2014-04-23 13:55:42

标签: javascript recaptcha

我注意到我的一个ReCaptcha提交页面正在提取此文件:

http://www.google.com/js/th/tCBzJRqneV5tJFCAUdKmLPYTyVH8SN5m5IZzuhnsVzY.js

当然,既然它托管在Google上,我愿意假设它没有问题。不过文件内容是这样开头的:

/* Anti-spam. Questions? Write to (rot13) guvagvary-dhrfgvbaf@tbbtyr.pbz */

...后跟一个很长的eval()语句。这是它的开始(编辑:现在是整个代码块):

/*
 * Reviewer notes on the minified listing below (code kept exactly as quoted).
 *
 * Shape: an IIFE whose only statement is eval() of one string literal; every
 * definition lives inside that string. The listing is hard-wrapped across
 * several lines here, apparently by the page rendering.
 *
 * What the visible code defines:
 *   f(a)      - type classifier ("array", "function", "null", "object",
 *               otherwise the typeof result).
 *   n(p, v)   - walks the dotted path p from the global object g (= this),
 *               creating missing objects, and stores v at the leaf. Used at the
 *               end to publish "thintinel.th" (= E) and
 *               "thintinel.th.prototype.exec" (= E.prototype.ha).
 *   E(a)      - constructor. If a starts with "," it is kept as this.m.
 *               Otherwise, when window.atob exists, a is base64-decoded into the
 *               byte array this.e and this.s() runs it; with no bytes it calls
 *               this.g(this.U).
 *   E.prototype.s - dispatch loop: at most 2000 steps (b = 2001, --b); each step
 *               reads a byte with L() and calls this.M[byte % this.M.length].
 *   L(a)      - returns the next byte of a.e XORed with a.Z[b % 8]; a.Z is
 *               recomputed per 8-byte block with I().
 *   I(a,b,c)  - 32 rounds (d runs from 0 to 76138654016 in steps of 2379332938)
 *               of add / shift-by-4-and-5 / xor mixing, returning 8 bytes.
 *               NOTE(review): the round shape resembles XTEA with a different
 *               constant - confirm before relying on that.
 *   z.M       - handler table. Visible handlers include arithmetic and bitwise
 *               operations, property read and write, a call through apply(),
 *               `new` with 0-4 arguments, addEventListener registration, a
 *               conditional jump, and one handler that passes a slot value to
 *               eval().
 *   E.prototype.Q - serialises slot d: [241] plus its bytes, base64 through
 *               window.btoa made URL-safe (+ to -, / to _, = dropped) and
 *               prefixed with ",", or hex when btoa is missing. Returns this.m
 *               instead when that is already set.
 *   E.prototype.ha(cb) - calls Q(), hands the result to cb when given, and
 *               returns it.
 *   D(a, err) - stores "E:" + message + ":" + stack, cut to 2048 characters,
 *               in a.m.
 *   C(n)      - n values of 255*Math.random()|0; used to seed slot f and as
 *               padding in Q.
 *
 * The "unload" listener near the end registers an empty function inside
 * try/catch.
 *
 * Security-relevant reading:
 *   - Run-time behaviour is driven by the byte program handed to the
 *     constructor, which is not part of this listing. Reading this file alone
 *     therefore cannot show what is collected or reported back.
 *   - One handler reaches eval() and others call arbitrary functions and
 *     constructors, so that program runs with the full privileges of the
 *     embedding page.
 *   - The script depends on eval(), so a Content-Security-Policy that omits
 *     'unsafe-eval' would block that call.
 */
(function(){eval('var f=function(a,b,c){if(b=typeof a,"object"==b)if(a){if(a instanceof Array)return"array";if(a instanceof Object)return b;if(c=Object.prototype.toString.call(a),"[object Window]"==c)return"object";if("[object Array]"==c||"number"==typeof a.length&&"undefined"!=typeof a.splice&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("splice"))return"array";if("[object Function]"==c||"undefined"!=typeof a.call&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("call"))return"function"}else return"null";else if("function"==b&&"undefined"==typeof a.call)return"object";return b},n=function(a,b,c,d,e){c=a.split("."),d=g,c[0]in d||!d.execScript||d.execScript("var "+c[0]);for(;c.length&&(e=c.shift());)c.length||b===k?d=d[e]?d[e]:d[e]={}:d[e]=b},p=Date.now||function(){return+new Date},r=/&/g,t=/</g,u=/>/g,w=/"/g,x=/\'/g,k=void 0,g=this,z,A="".oa?"".ma():"",E=(/[&<>"\']/.test(A)&&(-1!=A.indexOf("&")&&(A=A.replace(r,"&amp;")),-1!=A.indexOf("<")&&(A=A.replace(t,"&lt;")),-1!=A.indexOf(">")&&(A=A.replace(u,"&gt;")),-1!=A.indexOf(\'"\')&&(A=A.replace(w,"&quot;")),-1!=A.indexOf("\'")&&(A=A.replace(x,"&#39;"))),new function(){p()},function(a,b,c,d,e,h){try{if(this.j=2048,this.c=[],B(this,this.b,0),B(this,this.l,0),B(this,this.p,0),B(this,this.h,[]),B(this,this.d,[]),B(this,this.H,"object"==typeof window?window:g),B(this,this.I,this),B(this,this.r,0),B(this,this.F,0),B(this,this.G,0),B(this,this.f,C(4)),B(this,this.o,[]),B(this,this.k,{}),this.q=true,a&&","==a[0])this.m=a;else{if(window.atob){for(c=window.atob(a),a=[],e=d=0;e<c.length;e++){for(h=c.charCodeAt(e);255<h;)a[d++]=h&255,h>>=8;a[d++]=h}b=a}else 
b=null;(this.e=b)&&this.e.length?(this.K=[],this.s()):this.g(this.U)}}catch(l){D(this,l)}}),G=(E.prototype.g=function(a,b,c,d){d=this.a(this.l),a=[a,d>>8&255,d&255],c!=k&&a.push(c),0==this.a(this.h).length&&(this.c[this.h]=k,B(this,this.h,a)),c="",b&&(b.message&&(c+=b.message),b.stack&&(c+=":"+b.stack)),3<this.j&&(c=c.slice(0,this.j-3),this.j-=c.length+3,c=F(c),G(this,this.f,H(c.length,2).concat(c),this.$))},function(a,b,c,d,e,h){for(e=a.a(b),b=b==a.f?function(b,c,d,h){if(c=e.length,d=c-4>>3,e.ba!=d){e.ba=d,d=(d<<3)-4,h=[0,0,0,a.a(a.G)];try{e.aa=I(J(e,d),J(e,d+4),h)}catch(s){throw s;}}e.push(e.aa[c&7]^b)}:function(a){e.push(a)},d&&b(d&255),d=c.length,h=0;h<d;h++)b(c[h])}),K=function(a,b,c,d,e,h,l,q,m){return c=function(a,s,v){for(a=d[e.D],s=a===b,a=a&&a[e.D],v=0;a&&a!=h&&a!=l&&a!=q&&a!=m&&20>v;)v++,a=a[e.D];return c[e.ga+s+!(!a+(v>>2))]},d=function(){return c()},e=E.prototype,h=e.s,l=e.Q,m=e.g,q=E,d[e.J]=e,c[e.fa]=a,a=k,d},L=function(a,b,c){if(b=a.a(a.b),!(b in a.e))throw a.g(a.Y),a.u;return a.t==k&&(a.t=J(a.e,b-4),a.B=k),a.B!=b>>3&&(a.B=b>>3,c=[0,0,0,a.a(a.p)],a.Z=I(a.t,a.B,c)),B(a,a.b,b+1),a.e[b]^a.Z[b%8]},F=function(a,b,c,d,e){for(a=a.replace(/\\r\\n/g,"\\n"),b=[],d=c=0;d<a.length;d++)e=a.charCodeAt(d),128>e?b[c++]=e:(2048>e?b[c++]=e>>6|192:(b[c++]=e>>12|224,b[c++]=e>>6&63|128),b[c++]=e&63|128);return b},B=function(a,b,c){if(b==a.b||b==a.l)a.c[b]?a.c[b].V(c):a.c[b]=M(c);else if(b!=a.d&&b!=a.f&&b!=a.h||!a.c[b])a.c[b]=K(c,a.a);b==a.p&&(a.t=k,B(a,a.b,a.a(a.b)+4))},I=function(a,b,c,d){try{for(d=0;76138654016!=d;)a+=(b<<4^b>>>5)+b^d+c[d&3],d+=2379332938,b+=(a<<4^a>>>5)+a^d+c[d>>>11&3];return[a>>>24,a>>16&255,a>>8&255,a&255,b>>>24,b>>16&255,b>>8&255,b&255]}catch(e){throw e;}},N=function(a,b){return 
b<=a.ca?b==a.h||b==a.d||b==a.f||b==a.o?a.n:b==a.P||b==a.H||b==a.I||b==a.k?a.v:b==a.w?a.i:4:[1,2,4,a.n,a.v,a.i][b%a.da]},O=(E.prototype.la=function(a,b){b.push(a[0]<<24|a[1]<<16|a[2]<<8|a[3]),b.push(a[4]<<24|a[5]<<16|a[6]<<8|a[7]),b.push(a[8]<<24|a[9]<<16|a[10]<<8|a[11])},function(a,b,c,d){for(b={},b.N=a.a(L(a)),b.O=L(a),c=L(a)-1,d=L(a),b.self=a.a(d),b.C=[];c--;)d=L(a),b.C.push(a.a(d));return b}),Q=(E.prototype.ja=function(a,b,c,d){if(3==a.length){for(c=0;3>c;c++)b[c]+=a[c];for(d=[13,8,13,12,16,5,3,10,15],c=0;9>c;c++)b[3](b,c%3,d[c])}},function(a,b,c,d){return c=a.a(a.b),a.e&&c<a.e.length?(B(a,a.b,a.e.length),P(a,b)):B(a,a.b,b),d=a.s(),B(a,a.b,c),d}),H=(E.prototype.ka=function(a,b,c,d){d=a[(b+2)%3],a[b]=a[b]-a[(b+1)%3]-d^(1==b?d<<c:d>>>c)},function(a,b,c,d){for(d=b-1,c=[];0<=d;d--)c[b-1-d]=a>>8*d&255;return c}),M=function(a,b,c){return b=function(){return c()},b.V=function(b){a=b},c=function(){return a},b},R=function(a,b,c,d){return function(){if(!d||a.q)return B(a,a.P,arguments),B(a,a.k,c),Q(a,b)}},P=(E.prototype.a=function(a,b){if(b=this.c[a],b===k)throw this.g(this.ea,0,a),this.u;return b()},function(a,b){a.K.push(a.c.slice()),a.c[a.b]=k,B(a,a.b,b)}),J=function(a,b){return a[b]<<24|a[b+1]<<16|a[b+2]<<8|a[b+3]},C=function(a,b){for(b=Array(a);a--;)b[a]=255*Math.random()|0;return b},D=function(a,b){a.m=("E:"+b.message+":"+b.stack).slice(0,2048)};z=E.prototype,z.M=[function(){},function(a,b,c,d,e){b=L(a),c=L(a),d=a.a(b),b=N(a,b),e=N(a,c),e==a.i||e==a.n?d=""+d:0<b&&(1==b?d&=255:2==b?d&=65535:4==b&&(d&=4294967295)),B(a,c,d)},function(a,b,c,d,e,h,l,q,m){if(b=L(a),c=N(a,b),0<c){for(d=0;c--;)d=d<<8|L(a);B(a,b,d)}else 
if(c!=a.v){if(d=L(a)<<8|L(a),c==a.i)if(c="",a.c[a.w]!=k)for(e=a.a(a.w);d--;)h=e[L(a)<<8|L(a)],c+=h;else{for(c=Array(d),e=0;e<d;e++)c[e]=L(a);for(d=c,c=[],h=e=0;e<d.length;)l=d[e++],128>l?c[h++]=String.fromCharCode(l):191<l&&224>l?(q=d[e++],c[h++]=String.fromCharCode((l&31)<<6|q&63)):(q=d[e++],m=d[e++],c[h++]=String.fromCharCode((l&15)<<12|(q&63)<<6|m&63));c=c.join("")}else for(c=Array(d),e=0;e<d;e++)c[e]=L(a);B(a,b,c)}},function(a){L(a)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),c=a.a(c),b=a.a(b),B(a,d,b[c])},function(a,b,c){b=L(a),c=L(a),b=a.a(b),B(a,c,f(b))},function(a,b,c,d,e){b=L(a),c=L(a),d=N(a,b),e=N(a,c),c!=a.h&&(d==a.i&&e==a.i?(a.c[c]==k&&B(a,c,""),B(a,c,a.a(c)+a.a(b))):e==a.n&&(0>d?(b=a.a(b),d==a.i&&(b=F(""+b)),c!=a.d&&c!=a.f&&c!=a.o||G(a,c,H(b.length,2)),G(a,c,b)):0<d&&G(a,c,H(a.a(b),d))))},function(a,b,c){b=L(a),c=L(a),B(a,c,function(a){return eval(a)}(a.a(b)))},function(a,b,c){b=L(a),c=L(a),B(a,c,a.a(c)-a.a(b))},function(a,b){b=O(a),B(a,b.O,b.N.apply(b.self,b.C))},function(a,b,c){b=L(a),c=L(a),B(a,c,a.a(c)%a.a(b))},function(a,b,c,d,e){b=L(a),c=a.a(L(a)),d=a.a(L(a)),e=a.a(L(a)),a.a(b).addEventListener(c,R(a,d,e,true),false)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),a.a(b)[a.a(c)]=a.a(d)},function(){},function(a,b,c){b=L(a),c=L(a),B(a,c,a.a(c)+a.a(b))},function(a,b,c){b=L(a),c=L(a),0!=a.a(b)&&B(a,a.b,a.a(c))},function(a,b,c,d){b=L(a),c=L(a),d=L(a),a.a(b)==a.a(c)&&B(a,d,a.a(d)+1)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),a.a(b)>a.a(c)&&B(a,d,a.a(d)+1)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),B(a,d,a.a(b)<<c)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),B(a,d,a.a(b)|a.a(c))},function(a,b){b=a.a(L(a)),P(a,b)},function(a,b,c,d){if(b=a.K.pop()){for(c=L(a);0<c;c--)d=L(a),b[d]=a.c[d];a.c=b}else B(a,a.b,a.e.length)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),B(a,d,(a.a(b)in 
a.a(c))+0)},function(a,b,c,d){b=L(a),c=a.a(L(a)),d=a.a(L(a)),B(a,b,R(a,c,d))},function(a,b,c){b=L(a),c=L(a),B(a,c,a.a(c)*a.a(b))},function(a,b,c,d){b=L(a),c=L(a),d=L(a),B(a,d,a.a(b)>>c)},function(a,b,c,d){b=L(a),c=L(a),d=L(a),B(a,d,a.a(b)||a.a(c))},function(a,b,c,d,e){b=O(a),c=b.C,d=b.self,e=b.N;switch(c.length){case 0:c=new d[e];break;case 1:c=new d[e](c[0]);break;case 2:c=new d[e](c[0],c[1]);break;case 3:c=new d[e](c[0],c[1],c[2]);break;case 4:c=new d[e](c[0],c[1],c[2],c[3]);break;default:a.g(a.A);return}B(a,b.O,c)},function(a,b,c,d,e,h){if(b=L(a),c=L(a),d=L(a),e=L(a),b=a.a(b),c=a.a(c),d=a.a(d),a=a.a(e),"object"==f(b)){for(h in e=[],b)e.push(h);b=e}for(h=b.length,e=0;e<h;e+=d)c(b.slice(e,e+d),a)}],z.b=0,z.p=1,z.h=2,z.l=3,z.d=4,z.w=5,z.P=6,z.L=8,z.H=9,z.I=10,z.r=11,z.F=12,z.G=13,z.f=14,z.o=15,z.k=16,z.ca=17,z.R=253,z.$=254,z.S=248,z.T=216,z.da=6,z.i=-1,z.n=-2,z.v=-3,z.U=17,z.W=21,z.A=22,z.ea=30,z.Y=31,z.X=33,z.u={},z.D="caller",z.J="toString",z.ga=34,z.fa=36,E.prototype.ia=function(a){return(a=window.performance)&&a.now?function(){return a.now()|0}:function(){return+new Date}}(),E.prototype.Q=function(a,b,c,d,e,h,l,q,m,y,s){if(this.m)return this.m;try{if(this.q=false,b=this.a(this.d).length,c=this.a(this.f).length,d=this.j,this.c[this.L]&&Q(this,this.a(this.L)),e=this.a(this.h),0<e.length&&G(this,this.d,H(e.length,2).concat(e),this.R),h=this.a(this.F)&255,h-=this.a(this.d).length+4,l=this.a(this.f),4<l.length&&(h-=l.length+3),0<h&&G(this,this.d,H(h,2).concat(C(h)),this.S),4<l.length&&G(this,this.d,H(l.length,2).concat(l),this.T),q=[241].concat(this.a(this.d)),window.btoa?(y=window.btoa(String.fromCharCode.apply(null,q)),m=y=y.replace(/\\+/g,"-").replace(/\\//g,"_").replace(/=/g,"")):m=k,m)m=","+m;else for(m="",e=0;e<q.length;e++)s=q[e][this.J](16),1==s.length&&(s="0"+s),m+=s;this.a(this.d).length=b,this.a(this.f).length=c,this.j=d,this.q=true,a=m}catch(v){D(this,v),a=this.m}return 
a},E.prototype.s=function(a,b,c,d,e,h){try{for(a=this.e.length,b=2001,c=k,d=0;--b&&(d=this.a(this.b))<a;)try{B(this,this.l,d),e=L(this)%this.M.length,(c=this.M[e])?c(this):this.g(this.W,0,e)}catch(l){l!=this.u&&((h=this.a(this.r))?(B(this,h,l),B(this,this.r,0)):this.g(this.A,l))}b||this.g(this.X)}catch(q){try{this.g(this.A,q)}catch(m){D(this,m)}}return this.a(this.k)},E.prototype.ha=function(a,b){return b=this.Q(),a&&a(b),b};try{window.addEventListener("unload",function(){},false)}catch(S){}n("thintinel.th",E),n("thintinel.th.prototype.exec",E.prototype.ha);')})()

我花了一个小时试图对它进行反混淆,但最后放弃了。然后我用上面第一行注释中的文字和这个.js文件的URL在Google上搜索相关信息,但没有找到多少相关内容。

然后我尝试了其他使用ReCaptcha的网站,并检查他们是否在拉类似的东西。找到使用ReCaptcha的网站并不像我想象的那么容易(我确定有很多,这不是一个简单的搜索)。我发现的少数确实从google.com/js/th路径中提取了一个类似命名的文件,但是它们的代码往往比我的少得多。

如果这是ReCaptcha的合法部分,似乎他们可以做得更好,不要让它看起来很可疑。没有任何迹象表明它到底是什么,或者它甚至与ReCaptcha有任何关系。

现在我不太担心,因为我认为它是合法的。我主要是想把这个问题提出来,供其他可能也注意到它并为此担心的人参考。如果没有人回答,我可能会自己回答“是的,这应该没问题”。

2 个答案:

答案 0 :(得分:4)

它在全局范围内创建一个名为thintinel的对象,该对象由/recaptcha/api/js/recaptcha_ajax.js直接引用。

它几乎可以肯定是合法的;我最合理的猜测是,它用来区分传统的交互式浏览器和由机器人控制的精简(thin)客户端。

答案 1 :(得分:0)

鉴于这段代码的混淆程度,以及它绑定了“unload”(卸载)事件这一事实,我认为这不是好事。

通常合法的代码会以某种方式说明自己的用途,而这段代码却是个谜。

可以在http://pastebin.com/AQxkh7E0读取代码(新粘贴,更易于阅读)

修改:我在 https://reverseengineering.stackexchange.com/questions/4129/suspicios-obfuscated-javascript-file 上创建了一个帖子。