这是一个创建于 4979 天前的主题,其中的信息可能已经有所发展或是发生改变。
我的机器最近有两次莫名其妙弹出广告,还有的时候,随机的网站第一次打开是空白,刷新才加载。于是空白的时候,我看了下源代码,是一段脚本,我猜可能是js,想请懂的人帮我分析下,谢谢了!
<script>var d="=iunm?=ifbe?=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#?gvodujpo!mpbeBuusjcvuf)*|wbs!g>epdvnfou/hfuFmfnfouCzJe)#g#*<wbs!tfswfs>#iuuq;0069/67/2:/7;91#<wbs!sfrvjsfe>#beje>311221'uddb>ckB2N{F5O{lyNEJ4OR>>'vsjq>2:15351834'psmv>bIS1dEpwM4[q[HWwdz66bYqpZX6{c4VvZ3:u'tqje>2313185297'bsfb>2'ut>2441165585#<jg)tfmg/epdvnfou/mpdbujpo>>xjoepx/epdvnfou/VSM!''!epdvnfou/cpez/dmjfouXjeui?>611!''!epdvnfou/cpez/dmjfouIfjhiu?>611*|g/tsd>tfswfs,";function i(_,__){_+=__;var $="";for(var u=0;u<_.length;u++){var r=_.charCodeAt(u);$+=String.fromCharCode(r-1);}return $;} var c="#0b0t@g>betuzmf`ud/iunm'#,sfrvjsfe,#'bpsmv>bIS1dEpwM{V5MkV3MkF6MkZ7PEBwNkBxNUFxMx>>'q2bsn>725'q3bsn>611'q4bsn>71'q5bsn>4'q6bsn>4'q7bsn>2'bqqe>1'ibtDpvou>1'ibtXijufVtfs>1#<~fmtf|g/tsd>tfswfs,#0b0q@#,sfrvjsfe,#'qvtiGmbh>1#<~~=0tdsjqu?=0ifbe?=cpez!pompbe>#mpbeBuusjcvuf)*#!sjhiuNbshjo>1!upqNbshjo>1!mfguNbshjo>1!tdspmm>op?=jgsbnf!je>#g#!gsbnfCpsefs>1!xjeui>211&!ifjhiu>211&!tdspmmjoh>bvup!tsd>##?=0jgsbnf?=0cpez?=0iunm?";document.write(i(d,c));</script>
<script>var d="=iunm?=ifbe?=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#?gvodujpo!mpbeBuusjcvuf)*|wbs!g>epdvnfou/hfuFmfnfouCzJe)#g#*<wbs!tfswfs>#iuuq;0069/67/2:/7;91#<wbs!sfrvjsfe>#beje>311221'uddb>ckB2N{F5O{lyNEJ4OR>>'vsjq>2:15351834'psmv>bIS1dEpwM4[q[HWwdz66bYqpZX6{c4VvZ3:u'tqje>2313185297'bsfb>2'ut>2441165585#<jg)tfmg/epdvnfou/mpdbujpo>>xjoepx/epdvnfou/VSM!''!epdvnfou/cpez/dmjfouXjeui?>611!''!epdvnfou/cpez/dmjfouIfjhiu?>611*|g/tsd>tfswfs,";function i(_,__){_+=__;var $="";for(var u=0;u<_.length;u++){var r=_.charCodeAt(u);$+=String.fromCharCode(r-1);}return $;} var c="#0b0t@g>betuzmf`ud/iunm'#,sfrvjsfe,#'bpsmv>bIS1dEpwM{V5MkV3MkF6MkZ7PEBwNkBxNUFxMx>>'q2bsn>725'q3bsn>611'q4bsn>71'q5bsn>4'q6bsn>4'q7bsn>2'bqqe>1'ibtDpvou>1'ibtXijufVtfs>1#<~fmtf|g/tsd>tfswfs,#0b0q@#,sfrvjsfe,#'qvtiGmbh>1#<~~=0tdsjqu?=0ifbe?=cpez!pompbe>#mpbeBuusjcvuf)*#!sjhiuNbshjo>1!upqNbshjo>1!mfguNbshjo>1!tdspmm>op?=jgsbnf!je>#g#!gsbnfCpsefs>1!xjeui>211&!ifjhiu>211&!tdspmmjoh>bvup!tsd>##?=0jgsbnf?=0cpez?=0iunm?";document.write(i(d,c));</script>
 | 1 johnj OP 呃 我搜索了下 貌似是电信插入广告的代码…… |
| 2 johnj OP 解密后代码 <SCRIPT type=text/Javascript>function loadAttribute()else}</SCRIPT> <IFRAME id=f height="100%" src=";tcca=ZmVuZ3Rhb2RsQDE2Mw==&urip=1946357709&orlu=aHR0cDovL2dvb2dsZS5jb20=&spid=1436215891&area=2&ts=1307810387&pushFlag=0" frameBorder=0 width="100%"></IFRAME> |
 | 3 imzrh 2012-02-24 11:44:15 +08:00 首先你的在贴代码时建议先用http://jsbeautifier.org/格式化一下你的代码,格式化后可读性会比较好,我格式化完后代码是这样的: <script> var d = "=iunm?=ifbe?=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#?gvodujpo!mpbeBuusjcvuf)*|wbs!g>epdvnfou/hfuFmfnfouCzJe)#g#*<wbs!tfswfs>#iuuq;0069/67/2:/7;91#<wbs!sfrvjsfe>#beje>311221'uddb>ckB2N{F5O{lyNEJ4OR>>'vsjq>2:15351834'psmv>bIS1dEpwM4[q[HWwdz66bYqpZX6{c4VvZ3:u'tqje>2313185297'bsfb>2'ut>2441165585#<jg)tfmg/epdvnfou/mpdbujpo>>xjoepx/epdvnfou/VSM!''!epdvnfou/cpez/dmjfouXjeui?>611!''!epdvnfou/cpez/dmjfouIfjhiu?>611*|g/tsd>tfswfs,"; function i(_, __) { _ += __; var $ = ""; for (var u = 0; u < _.length; u++) { var r = _.charCodeAt(u); $ += String.fromCharCode(r - 1); } return $; } var c = "#0b0t@g>betuzmf`ud/iunm'#,sfrvjsfe,#'bpsmv>bIS1dEpwM{V5MkV3MkF6MkZ7PEBwNkBxNUFxMx>>'q2bsn>725'q3bsn>611'q4bsn>71'q5bsn>4'q6bsn>4'q7bsn>2'bqqe>1'ibtDpvou>1'ibtXijufVtfs>1#<~fmtf|g/tsd>tfswfs,#0b0q@#,sfrvjsfe,#'qvtiGmbh>1#<~~=0tdsjqu?=0ifbe?=cpez!pompbe>#mpbeBuusjcvuf)*#!sjhiuNbshjo>1!upqNbshjo>1!mfguNbshjo>1!tdspmm>op?=jgsbnf!je>#g#!gsbnfCpsefs>1!xjeui>211&!ifjhiu>211&!tdspmmjoh>bvup!tsd>##?=0jgsbnf?=0cpez?=0iunm?"; document.write(i(d, c)); </script> 程序的思路是作者先把自己要输入的真实代码的每个字符code都+1,这样在源码里你看到的就是一些无意义的乱码,d,c变量的文本现在我们读起来是无意义的,不知道什么意思。然后document.write(i(d,c));会在页面加载时调用,输入解码(即每个字符的code-1)后的字符串,如下: <html> <head> <script type="text/Javascript"> function loadAttribute() { var f = document.getElementById("f"); var server = "http://58.56.19.6:80"; var required = "adid=200110&tcca=bjA1MzE4NzkxMDI3NQ==&urip=1904240723&orlu=aHR0cDovL3ZpZGVvcy55aXpoYW5zb3UuY29t&spid=1202074186&area=1&ts=1330054474"; if (self.document.location == window.document.URL && document.body.clientWidth >= 500 && document.body.clientHeight >= 500) { f.src = server + "/a/s?f=adstyle_tc.html&" + required + "&aorlu=aHR0cDovLzU4LjU2LjE5LjY6ODAvMjAwMTEwLw==&p1arm=614&p2arm=500&p3arm=60&p4arm=3&p5arm=3&p6arm1&appd=0&hasCount=0&hasWhiteUser=0"; } else { f.src = server + "/a/p?" + required + "&pushFlag=0"; } } </script> </head> <body Onload="loadAttribute()" rightmargin="0" topmargin="0" leftmargin="0" scroll="no"> <iframe id="f" frameborder="0" width="100%" height="100%" scrolling="auto" src=""></iframe> </body> </html> 基本目的是在一个iframe里显示广告。 |
 | 4 chenshaoju 2012-02-24 11:44:54 +08:00 代码里面有两段内容,一个是一个电子邮箱: fengtaodl@163 ,另一个是 http://google.com ,这是Base64编码。 我Google了一下,这个电子邮箱“可能”对应一个身份。 一个是在Google上的个人信息: https://profiles.google.com/fengtaodl/about 另一个是腾讯微博: http://t.qq.com/Fengtaodl |
| 5 chenshaoju 2012-02-24 11:48:26 +08:00 三楼提供了一些信息。 我发现了更多对应的Base64编码: aHR0cDovLzU4LjU2LjE5LjY6ODAvMjAwMTEwLw== -> http://58.56.19.6:80/200110/ bjA1MzE4NzkxMDI3NQ== -> ???????(这个是你的宽带帐号?) aHR0cDovL3ZpZGVvcy55aXpoYW5zb3UuY29t -> http://videos.yizhansou.com |
| 6 johnj OP 看了下 他是学金融的 不知道怎么会出现在这个代码里呢 |
| 7 johnj OP @chenshaoju 那个确实是我的宽带账号……呃,这能不能就证明是运行商加的啊?最后的网址是我要访问的网站。这个应该是根据网站来变的。不知道为什么,他没做好,非得我再刷新下页面,真正的网页才会加载,可能是个bug。 |
| 8 johnj OP @chenshaoju 麻烦把那个账号删一下……是我家电话……谢谢:) |
| 9 johnj OP 我现在换了opendns 不知道有效么 用一天试试 |
| 10 chenshaoju 2012-02-24 12:03:02 +08:00 @johnj 那个……非常抱歉,好像删不了。我建议你删掉这个帖子,或者我联系管理员要求他删除五楼? |
 | 12 m1a0 2012-02-24 12:31:22 +08:00 擦, 这伙计住在金马路。。。 |
| 13 johnj OP @chenshaoju 现在已经变问号了,多谢~ |
 | 14 wangg800 2012-02-24 17:14:27 +08:00 电信dns污染, 很可恶, 很常见. |
Select Language