1

我最近在服务器日志上看到了一些免费文件下载网站,并且在其中一个网站的源代码中有一些可疑的 javascript 代码。我应该担心吗?因为他们可能已经在我们公司的一台计算机中运行或安装了垃圾邮件,

代码

<script type="text/javascript">
var stamp = "0529e8679c27247e794a";
var file = "74109";
var host = "fileice.net";
var _0x6675 = ["\x64\x69\x76\x2E\x6D\x65\x6E\x75\x20\x6C\x69", "\x68\x34", "\x68\x33", "\x68\x32", "\x68\x31", "\x72\x65\x70\x6C\x61\x63\x65", "\x6F\x6E\x6C\x6F\x61\x64", "\x6C\x6F\x63\x61\x74\x69\x6F\x6E", "\x70\x61\x72\x65\x6E\x74", "\x68\x74\x74\x70\x3A\x2F\x2F", "\x2F\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x2E\x70\x68\x70\x3F\x66\x69\x6C\x65\x3D", "", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64", "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C", "\x64\x65\x73\x63", "\x3C\x70\x3E\x54\x68\x65\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x77\x69\x6C\x6C\x20\x61\x75\x74\x6F\x6D\x61\x74\x69\x63\x61\x6C\x6C\x79\x20\x62\x65\x67\x69\x6E\x20\x77\x68\x65\x6E\x20\x79\x6F\x75\x20\x73\x75\x63\x63\x65\x73\x73\x66\x75\x6C\x6C\x79\x20\x66\x69\x6E\x69\x73\x68\x20\x74\x68\x65\x20\x73\x75\x72\x76\x65\x79\x20\x79\x6F\x75\x20\x68\x61\x76\x65\x20\x63\x68\x6F\x73\x65\x6E\x2E\x20\x49\x66\x20\x74\x68\x65\x20\x66\x69\x6C\x65\x20\x64\x6F\x65\x73\x20\x6E\x6F\x74\x20\x61\x75\x74\x6F\x6D\x61\x74\x69\x63\x61\x6C\x6C\x79\x20\x75\x6E\x6C\x6F\x63\x6B\x20\x61\x66\x74\x65\x72\x20\x61\x20\x6D\x69\x6E\x75\x74\x65\x2C\x20\x70\x6C\x65\x61\x73\x65\x20\x63\x68\x6F\x6F\x73\x65\x20\x61\x6E\x6F\x74\x68\x65\x72\x20\x73\x75\x72\x76\x65\x79\x20\x61\x6E\x64\x20\x63\x6F\x6D\x70\x6C\x65\x74\x65\x20\x69\x74\x2E\x3C\x2F\x70\x3E", "\x64\x69\x73\x70\x6C\x61\x79", "\x73\x74\x79\x6C\x65", "\x6C\x6F\x61\x64\x69\x6E\x67\x69\x6D\x67", "\x62\x6C\x6F\x63\x6B", "\x73\x72\x63", "\x6F\x66\x66\x65\x72\x63\x68\x65\x63\x6B", "\x6F\x66\x66\x65\x72\x63\x68\x65\x63\x6B\x2E\x70\x68\x70\x3F\x66\x69\x6C\x65\x3D", "\x26\x74\x3D", "\x73\x70\x63\x6E\x67", "\x26\x61\x6A\x61\x78", "\x31", "\x3C\x70\x3E\x59\x6F\x75\x72\x20\x66\x69\x6C\x65\x20\x68\x61\x73\x20\x62\x65\x65\x6E\x20\x75\x6E\x6C\x6F\x63\x6B\x65\x64\x21\x20\x43\x6C\x69\x63\x6B\x20\x6F\x6B\x61\x79\x20\x6F\x6E\x20\x74\x68\x65\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x70\x72\x6F\x6D\x70\x74\x20\x74\x6F\x20\x64\x6F\x77\x6E\x6C\x6F\x61\x64\x20\x74\x68\x65\x20\x66\x69\x6C\x65\x2E\x3C\x2F\x70\x3E", "\x6E\x6F\x6E\x65", "\x3C\x62\x72\x2F\x3E\x3C\x62\x72\x2F\x3E", "\x70\x6F\x73\x74", "\x69\x6E\x66\x6F", "\x3C\x64\x69\x76\x20\x73\x74\x79\x6C\x65\x3D\x22\x70\x61\x64\x64\x69\x6E\x67\x3A\x20\x35\x70\x78\x20\x37\x70\x78\x3B\x20\x62\x6F\x72\x64\x65\x72\x3A\x20\x31\x70\x78\x20\x73\x6F\x6C\x69\x64\x20\x23\x65\x32\x65\x32\x65\x32\x3B\x20\x76\x65\x72\x74\x69\x63\x61\x6C\x2D\x61\x6C\x69\x67\x6E\x3A\x20\x6D\x69\x64\x64\x6C\x65\x3B\x20\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64\x2D\x63\x6F\x6C\x6F\x72\x3A\x20\x23\x46\x37\x46\x37\x46\x37\x3B\x20\x77\x69\x64\x74\x68\x3A\x20\x37\x33\x25\x3B\x22\x3E\x3C\x70\x3E", "\x3C\x2F\x70\x3E\x3C\x2F\x64\x69\x76\x3E"];
Cufon[_0x6675[5]](_0x6675[4])(_0x6675[3])(_0x6675[2])(_0x6675[1])(_0x6675[0]);
var prev = _0x6675[11];

function _(_0x2391x4) {
    return document[_0x6675[12]](_0x2391x4)
};

function launch() {
    var _0x2391x6 = 0;
    _(_0x6675[14])[_0x6675[13]] = _0x6675[15];
    _(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[19];
    _(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp;
    prev = curr;
    _(_0x6675[24])[_0x6675[13]] = _0x6675[11];
    setInterval(function () {
        if (_0x2391x6 == 0) {
            $[_0x6675[30]](_0x6675[22] + file + _0x6675[25], function (_0x2391x7) {
                if (_0x2391x7 == _0x6675[26]) {
                    _(_0x6675[14])[_0x6675[13]] = _0x6675[27];
                    _(_0x6675[18])[_0x6675[17]][_0x6675[16]] = _0x6675[28];
                    _(_0x6675[21])[_0x6675[20]] = _0x6675[11];
                    _(_0x6675[21])[_0x6675[20]] = _0x6675[22] + file + _0x6675[23] + stamp;
                    _0x2391x6 = 1;
                    prev = _0x6675[11];
                    clearinfo();
                    _(_0x6675[24])[_0x6675[13]] = _0x6675[29]
                }
            })
        } else {
            clearInterval()
        }
    }, 10000)
};

function showinfo(_0x2391x9) {
    prev = _(_0x6675[31])[_0x6675[13]];
    _(_0x6675[31])[_0x6675[13]] = _0x6675[32] + _0x2391x9 + _0x6675[33];
    curr = _(_0x6675[31])[_0x6675[13]]
};

function clearinfo() {
    _(_0x6675[31])[_0x6675[13]] = prev
};
</script>

网址

http:\\www.fileice.net/download.php?t=regular&file=rfve

4

4 回答 4

4

解密_0x6675数组产生:

["div.menu li","h4","h3","h2","h1","replace","onload","location","parent","http://","/download.php?file=","","getElementById","innerHTML","desc","<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>","display","style","loadingimg","block","src","offercheck","offercheck.php?file=","&t=","spcng","&ajax","1","<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>","none","<br/><br/>","post","info","<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>","</p></div>"]

在我看来没有什么太壮观了。

看起来只是一些混淆的 JavaScript 代码,以防止复制他们的脚本。

于 2012-08-13T10:42:01.000 回答
3

您正在托管代码,但您不知道它来自哪里?

是的。担心。

将服务器拉下线并对其进行安全审计。

于 2012-08-13T10:35:36.100 回答
3 
<script type="text/javascript">
var stamp = "9bdcac6591542d17c8ff";
var file = "126640";
var host = "fileice.net";

var prev = "";

// see: https://github.com/sorccu/cufon/wiki/API
Cufon.replace("h1")("h2")("h3")("h4")("div.menu li");

window.onload = function () {
    // Make sure page is in a frame
    if (window.location == window.parent.location) {
        window.location = "http://" + host + "/download.php?file=" + file;
    }
}

function _(id) {
    return document.getElementById(id);
}

function launch() {
    var offerFinished = 0;

    _("desc").innerHTML. = "<p>The download will automatically begin when you successfully finish the survey you have chosen. If the file does not automatically unlock after a minute, please choose another survey and complete it.</p>";
    _("loadingimg").style.display = "block";
    _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp;
    _("spcng").innerHTML = "";

    prev = curr;

    setInterval(function () {
        if (offerFinished == 0) {
            // JQuery Ajax POST request
            $.post("offercheck.php?file=" + file + "&ajax", function (data) {
                if (data == "0") {
                    _("desc")["innerHTML"] = "<p>Your file has been unlocked! Click okay on the download prompt to download the file.</p>";

                    _("loadingimg").style.display = "none";
                    _("offercheck").src = "";
                    _("offercheck").src = "offercheck.php?file=" + file + "&t=" + stamp;

                    _("spcng").innerHTML = "<br/><br/>";

                    offerFinished = 1;
                    prev = "";
                    clearinfo(); 
                }
            })
        } else {
            clearInterval()
        }
    }, 10000)
};

function showinfo(info) {
    prev = _("info").innerHTML;
    _("info").innerHTML = "<div style=\"padding: 5px 7px; border: 1px solid #e2e2e2; vertical-align: middle; background-color: #F7F7F7; width: 73%;\"><p>" + info + "</p></div>";
    curr = _("info").innerHTML;
}

function clearinfo() {
    _("info").innerHTML = prev;
}
</script>
于 2012-09-25T15:43:45.377 回答
0

只需将代码文本粘贴到单元格中,然后点击此处的“解码”按钮(不是本网站的促销,我也不拥有它等)> http://ddecode.com/hexdecoder/

于 2014-06-01T05:20:22.060 回答