请看看这个js(7楼有新)[status:ok][by qigang]

sam.to

31/1/2009 16:36:29        hxxp://jk0.info/includes/main.js        Firefox        已偵測: Exploit.JS.Agent.abm

[ 本帖最后由 sam.to 于 2009-2-1 16:09 编辑 ]

qigang

siteURL=ginf.url+'/'+ginf.script;ignore='';base64chars='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'.split('');function base64_encode(s){var r="";var p="";var c=s.length%3;if(c>0){for(;c<3;c++){p+='=';s+="\0"}}for(c=0;c<s.length;c+=3){var n=(s.charCodeAt(c)<<16)+(s.charCodeAt(c+1)<<8)+s.charCodeAt(c+2);n=[(n>>>18)&63,(n>>>12)&63,(n>>>6)&63,n&63];r+=base64chars[n[0]]+base64chars[n[1]]+base64chars[n[2]]+base64chars[n[3]]}return r.substring(0,r.length-p.length)+p}function substr_replace(a,b,c,d){return a.substr(0,c)+b+a.substr(c+d)}function strpos(a,b,c){var i=a.indexOf(b,c);return i>=0?i:false}function strspn(a,b,c,d){var d=d?c+d:a.length;var i=c?c:0;var e=0;while(i<d){if(b.indexOf(a.charAt(i))==-1){return e}++e;++i}return e}function fetchAjaxObject(){var a;try{a=new XMLHttpRequest}catch(e){try{a=new ActiveXObject("Msxml2.XMLHTTP")}catch(e){try{a=new ActiveXObject("Microsoft.XMLHTTP")}catch(e){return false}}}return a}function parseURL(a,b){if(!a){return''}a=a.toString();if(a.charAt(0)=='#'){return a}if(a.toLowerCase().indexOf('javascript:')===0){return parseJS(a)}if(a==='about:blank'){return a}if(a.indexOf(siteURL)===0){return a}if(a.indexOf('http://')!==0&&a.indexOf('https://')!==0){if(a=='.'){a=''}if(a.charAt(0)=='/'){if(a.length>0&&a.charAt(1)=='/'){a='http:'+a}else{a=ginf.target.h+a}}else if(ginf.target.b){a=ginf.target.b+a}else{a=ginf.target.h+ginf.target.p+a}}a=a.replace('/./','/');if(a.length>8&&a.substr(8).indexOf('//')){a=a.replace(/[^:]\/\//g,'/')}if(a.indexOf('/..')>0){var c=a.substring(targetHost.length).split(/\//);for(var i in c){if(c=='..'){a=a.replace('/'+c[i-1]+'/..','')}}}var d='';var e=a.indexOf('#');if(e>=0){d=a.substr(e);a=a.substr(0,e)}if(ginf.enc.e){a=a.substr(4);a=base64_encode(a);if(ginf.enc.u){a=ginf.enc.u+a}}a=encodeURIComponent(a);if(ginf.enc.p&&ginf.enc.e){a=a.replace(/%/g,'_');return siteURL+'/'+a+'/b'+ginf.b+'/'+(b?'f'+b+'/':'')+d}return siteURL+'?u='+a+'&b='+ginf.b+(b?'&f='+b:'')+d}function updateLocation(a){ginf.b=0;var b=new Array();for(i=0;i<a.elements.length;i++){if(a.elements.name=='u'){url=a.elements.value}else if(a.elements.type=='checkbox'){b.push(a.elements);if(a.elements.name=='encodeURL'){ginf.enc.e=a.elements.checked}}}if(!url){return false}for(i=0;i<b.length;i++){if(b.checked==true){ginf.b=ginf.b|Math.pow(2,i)}}if(url.indexOf('http')!==0){url='http://'+url}window.location=parseURL(url);return false}function parseHTML(a){if(typeof(a)!='string'){return a}if((parser=/<base href(?==)=["']?([^"' >]+)['"]?(>|\/>|<\/base>)/i.exec(a))){ginfo.target.b=parser[1];if(ginfo.target.b.charAt(ginfo.target.b.length-1)!='/')ginfo.target.b+='/';a=a.replace(parser[0],'')}if(parser=/content=(["'])?([0-9]+)\s*;\s*url=(['"]?)([^"'>]+)\3\1(.*?)(>|\/>)/i.exec(a))a=a.replace(parser[0],parser[0].replace(parser[4],parseURL(parser[4])));a=a.replace(/\.(action|src|location|href)\s*=\s*([^;}]+)/ig,'.$1=parseURL($2)');a=a.replace(/\.innerHTML\s*(\+)?=\s*([^};]+)\s*/ig,'.innerHTML$1=proxifyHTML($2)');parser=/<iframe\s+([^>]*)\s*src\s*=\s*(["']?)([^"']+)\2/ig;while(match=parser.exec(a))a=a.replace(match[0],'<iframe '+match[1]+' src'+'='+match[2]+parseURL(match[3],'frame')+match[2]);parser=/\s(href|src|background|action)\s*=\s*(["']?)([^"'\s>]+)/ig;while(match=parser.exec(a)){a=a.replace(match[0],' '+match[1]+'='+match[2]+parseURL(match[3]))}parser=/<fo(?=r)rm((?:(?!method)[^>])*)(?:\s*method\s*=\s*(["']?)(get|post)\2)?([^>]*)>/ig;while(match=parser.exec(a))if(!match[3]||match[3].toLowerCase()!='post')a=a.replace(match[0],'<fo'+'rm'+match[1]+' method="post" '+match[4]+'><input type="hidden" name="convertGET" value="1">');parser=/url\s*\(['"]?([^'"\)]+)['"]?\)/ig;while(match=parser.exec(a))a=a.replace(match[0],'url('+parseURL(match[1])+')');parser=/@import\s*['"]([^'"\(\)]+)['"]/ig;while(match=parser.exec(a))a=a.replace(match[0],'@import "'+parseURL(match[1])+'"');return a}function parseJS(h,i){if(typeof(h)!='string'||h==false)return h;function replacer(a,b,c){var d=b.length;if(a.substr(d,5)=='parse'){return a}var e=analyze_js(a,d);b=b.replace(/\s/g,'');var f=(b=='.innerHTML=')?'parseHTML':'parseURL';var g=f+'('+a.substring(d,e)+')';return substr_replace(a,g,d,e-d)}function replaceAll(a,b){for(var c=a;a=a.replace(b,replacer),a!=c;c=a);return a}h=replaceAll(h,/\b(location\s*\.\s*replace\s*\(\s*)[\s\S]{0,500}/g);h=replaceAll(h,/(\.\s*innerHTML\s*=(?!=)\s*)[\s\S]{0,500}/g);if(window.failed.watched){h=replaceAll(h,/\b(location(?:\s*\.\s*href)?\s*=(?!=)\s*)[\s\S]{0,500}/g)}if(window.failed.setters){h=replaceAll(h,/\b(\.href\s*=(?!=)\s*)[\s\S]{0,500}/g);h=replaceAll(h,/\b(\.background\s*=(?!=)\s*)[\s\S]{0,500}/g);h=replaceAll(h,/\b(\.src\s*=(?!=)\s*)[\s\S]{0,500}/g);h=replaceAll(h,/\b(\.action\s*=(?!=)\s*)[\s\S]{0,500}/g)}h=h.replace(/\bdocument\s*\.\s*domain\s*=/g,'ignore=');return h}function analyze_js(a,b,c){var d=1;var i=b;var e=a.length;var f=false;var g=0;var h=0;var j=0;while(f===false&&i<e){var k=a.charAt(i);switch(k){case'"':case"'":while((i=strpos(a,k,i+1))&&a.charAt(i-1)=='\\');if(i===false){f=e}break;case';':f=i;break;case"\n":case"\r":if(g||h||j||c){break}var l=i+strspn(a," \t\r\n",i+1)+1;var m=a.charAt(l);if(l<=e&&(m=='('||m=='+')){i=l;break}f=i;break;case'+':i+=strspn(a," \t\r\n",i+1);break;case'{':++g;break;case'(':++h;break;case'[':++j;break;case'}':g?--g:f=i;break;case')':h?--h:f=i;break;case']':j?--j:f=i;break;case',':if(!c){break}if(g||h||j){break}if(d==c){f=i}++d;if(d==c){var b=i+1}break;default:}++i}if(f===false){f=e}if(c){return[b,f]}return f}if(typeof ginf.override!='undefined'||typeof ginf.first!='undefined'){window.failed={};base_window_open=window.open;window.open=function(a,b,c){arguments[0]=parseURL(arguments[0]);try{base_window_open.apply(window,arguments)}catch(e){base_window_open(parseURL(a),b,c)}};base_eval=eval;eval=function(a){return base_eval(parseJS(a))};try{XMLHttpRequest.prototype.base_open=XMLHttpRequest.prototype.open;XMLHttpRequest.prototype.open=function(a,b,c,d,e){this.base_open(a,parseURL(b,'ajax'),c,d,e)}}catch(e){try{document.write('<scrip'+'t type="text/javascript">'+(function(p,a,c,k,e,d){for(k=a[d[33]]-1;k>=0;k--)c+=e[d[69]][d[74]](a[d[75]](k)-1);a=c[d[73]](' ');for(k=a[d[33]]-1;k>=0;k--)p=p[d[72]](e[d[71]](k%10+(e[d[69]][d[74]](122-e[d[70]][d[76]](k/10))),'g'),a[k]);e[d[3]]('_',p)(d)})("8y s=6x8x109x;8y b=6w6x8x209x,c=6x8x249x8x149x3w!6x8x449x;9z e2w{5x.a5=s?2y s:2y 6x8x09x(_[7]);5x.a4=0w};0y(b3ws8x679x)e8x679x=s8x679x;e8x99x=0;e8x89x=1;e8x49x=2;e8x59x=3;e8x29x=4;e8x489x8x509x=e8x99x;e8x489x8x539x=\"\";e8x489x8x549x=2x;e8x489x8x599x=0;e8x489x8x609x=\"\";e8x489x8x409x=2x;e8x409x=2x;e8x399x=2x;e8x419x=2x;e8x389x=2x;e8x489x8x439x=9z(t,w,a,x,v){0y(4x8x339x<3)a=3x;5x.a2=a;8y r=5x,m=5x8x509x;0y(c){8y i=9z2w{0y(r.a58x509x7we8x29x){f(r);r8x129x2w}};0y(a)6x8x179x(_[42],i)}5x.a58x409x=9z2w{0y(b3w!a)3y;r8x509x=r.a58x509x;k(r);0y(r.a1){r8x509x=e8x99x;3y}0y(r8x509x5we8x29x){f(r);0y(c3wa)6x8x229x(_[42],i)}0y(m7wr8x509x)j(r);m=r8x509x};0y(e8x399x)e8x399x8x169x(5x,4x);5x.a58x439x(t,w,a,x,v);0y(!a3wb){5x8x509x=e8x89x;j(5x)}};e8x489x8x559x=9z(z){0y(e8x419x)e8x419x8x169x(5x,4x);0y(z3wz8x369x){z=6x8x119x?2y 6x8x119x2w8x569x(z):z8x689x;0y(!5x.a38x19x)5x.a58x579x(_[1],_[15])}5x.a58x559x(z);0y(b3w!5x.a2){5x8x509x=e8x89x;k(5x);9y(5x8x509x<e8x29x){5x8x509x0v;j(5x);0y(5x.a1)3y}}};e8x489x8x129x=9z2w{0y(e8x389x)e8x389x8x169x(5x,4x);0y(5x8x509x>e8x99x)5x.a1=3x;5x.a58x129x2w;f(5x)};e8x489x8x279x=9z2w{3y 5x.a58x279x2w};e8x489x8x289x=9z(u){3y 5x.a58x289x(u)};e8x489x8x579x=9z(u,y){0y(!5x.a3)5x.a3=1w;5x.a3=y;3y 5x.a58x579x(u,y)};e8x489x8x139x=9z(u,h,d){8z(8y l=0,q;q=5x.a4[l];l0v)0y(q[0]5wu3wq[1]5wh3wq[2]5wd)3y;5x.a48x499x([u,h,d])};e8x489x8x529x=9z(u,h,d){8z(8y l=0,q;q=5x.a4[l];l0v)0y(q[0]5wu3wq[1]5wh3wq[2]5wd)1z;0y(q)5x.a48x589x(l,1)};e8x489x8x239x=9z(p){8y p={'type':p8x669x,'target':5x,'currentTarget':5x,'eventPhase':2,'bubbles':p8x189x,'cancelable':p8x199x,'timeStamp':p8x649x,'stopPropagation':9z2w1w,'preventDefault':9z2w1w,'0zitEvent':9z2w1w};0y(p8x669x5w_[51]3w5x8x409x)(5x8x409x8x299x4w5x8x409x)8x169x(5x,[p]);8z(8y l=0,q;q=5x.a4[l];l0v)0y(q[0]5wp8x669x3w!q[2])(q[1]8x299x4wq[1])8x169x(5x,[p])};e8x489x8x659x=9z2w{3y '['+_[37]+' '+_[10]+']'};e8x659x=9z2w{3y '['+_[10]+']'};9z j(r){0y(e8x409x)e8x409x8x169x(r);r8x239x({'type':_[51],'bubbles':1x,'cancelable':1x,'timeStamp':2y Date+0})};9z g(r){8y o=r8x549x;0y(c3wo3w!o8x259x3wr8x289x(_[1])8x359x(/[^\\/]+\\/[^\\+]+\\+xml/)){o=2y 6x8x09x(_[6]);o8x349x(r8x539x)}0y(o)0y((c3wo8x459x7w0)4w(o8x259x3wo8x259x8x629x5w_[46]))3y 2x;3y o};9z k(r){7y{r8x539x=r.a58x539x}3z(e)1w7y{r8x549x=g(r.a5)}3z(e)1w7y{r8x599x=r.a58x599x}3z(e)1w7y{r8x609x=r.a58x609x}3z(e)1w};9z f(r){r.a58x409x=2y 6x8x39x;6z r.a3};0y(!6x8x39x8x489x8x169x){6x8x39x8x489x8x169x=9z(r,n){0y(!n)n=0w;r.a0=5x;r.a0(n[0],n[1],n[2],n[3],n[4]);6z r.a0}};6x8x109x=e;",">?!>=!..!,,!>.!>,!>\"!\"\"!>>!}}!\'\'!*)!~|!^\\!^^!\\`\\!uofnvdpe!xpeojx!tjiu!tuofnvhsb!fvsu!mmvo!ftmbg!iujx!fmjix!sbw!zsu!idujxt!gpfqzu!xpsiu!osvufs!xfo!gpfdobutoj!gj!opjudovg!spg!ftmf!fufmfe!umvbgfe!fvojuopd!idubd!ftbd!lbfsc!oj",'',0,this,'ActiveXObject Content-Type DONE Function HEADERS_RECEIVED LOADING Microsoft.XMLDOM Microsoft.XMLHTTP OPENED UNSENT XMLHttpRequest XMLSerializer abort addEventListener all application/xml apply attachEvent bubbles cancelable controllers currentTarget detachEvent dispatchEvent document documentElement eventPhase getAllResponseHeaders getResponseHeader handleEvent http://www.w3.org/XML/1998/namespace http://www.w3.org/ns/xbl initEvent length loadXML match nodeType object onabort onopen onreadystatechange onsend onunload open opera parseError parsererror preventDefault prototype push readyState readystatechange removeEventListener responseText responseXML send serializeToString setRequestHeader splice status statusText stopPropagation tagName target timeStamp toString type wrapped xml String Math RegExp replace split fromCharCode charCodeAt floor'.split(' '))+'<'+'/script>');XMLHttpRequest.prototype.base_open=XMLHttpRequest.prototype.open;XMLHttpRequest.prototype.open=function(a,b,c,d,e){this.base_open(a,parseURL(b,'ajax'),c,d,e)}}catch(e){failed.ajax=true}}base_document_write=document.write;base_document_writeln=document.writeln;document.write=function(a){try{base_document_write.call(document,parseHTML(a))}catch(e){try{base_document_write(parseHTML(a))}catch(e){document.body.innerHTML+=parseHTML(a)}}};document.writeln=function(a){try{base_document_writeln.call(document,parseHTML(a))}catch(e){try{base_document_writeln(parseHTML(a))}catch(e){document.body.innerHTML+=parseHTML(a)+"\n"}}};try{function locationWatcher(a,b,c){return parseURL(c)};location.watch('href',locationWatcher);window.watch('location',locationWatcher);parent.watch('location',locationWatcher);self.watch('location',locationWatcher);top.watch('location',locationWatcher);document.watch('location',locationWatcher)}catch(e){failed.watched=true}try{var intercept=[HTMLElement,HTMLHtmlElement,HTMLHeadElement,HTMLLinkElement,HTMLStyleElement,HTMLBodyElement,HTMLFormElement,HTMLSelectElement,HTMLOptionElement,HTMLInputElement,HTMLTextAreaElement,HTMLButtonElement,HTMLLabelElement,HTMLFieldSetElement,HTMLLegendElement,HTMLUListElement,HTMLOListElement,HTMLDListElement,HTMLDirectoryElement,HTMLMenuElement,HTMLLIElement,HTMLDivElement,HTMLParagraphElement,HTMLHeadingElement,HTMLQuoteElement,HTMLPreElement,HTMLBRElement,HTMLBaseFontElement,HTMLFontElement,HTMLHRElement,HTMLAnchorElement,HTMLImageElement,HTMLObjectElement,HTMLParamElement,HTMLAppletElement,HTMLMapElement,HTMLModElement,HTMLAreaElement,HTMLScriptElement,HTMLTableElement,HTMLTableCaptionElement,HTMLTableColElement,HTMLTableSectionElement,HTMLTableRowElement,HTMLTableCellElement,HTMLFrameSetElement,HTMLFrameElement,HTMLIFrameElement];newSrc=function(a){try{this.base_setAttribute('src',parseURL(a))}catch(ignore){}};newAction=function(a){try{this.base_setAttribute('action',parseURL(a))}catch(ignore){}};newHref=function(a){try{this.base_setAttribute('href',parseURL(a))}catch(ignore){}};newBackground=function(a){try{this.base_setAttribute('background',parseURL(a))}catch(ignore){}};mySetAttribute=function(a,b){try{type=a.toLowerCase();if(type=='src'||type=='href'||type=='background'||type=='action'){b=parseURL(b)}this.base_setAttribute(a,b)}catch(ignore){}};for(i=0,len=intercept.length;i<len;i++){if(typeof intercept.prototype=='undefined'){continue}obj=intercept.prototype;obj.base_setAttribute=obj.setAttribute;obj.setAttribute=mySetAttribute;obj.__defineSetter__('src',newSrc);obj.__defineSetter__('action',newAction);obj.__defineSetter__('href',newHref);obj.__defineSetter__('background',newBackground)}}catch(e){failed.setters=true}if(typeof ginf.first!='undefined'){var req=fetchAjaxObject();var failures='';if(failed.ajax)failures+='&ajax=1';if(failed.watched)failures+='&watch=1';if(failed.setters)failures+='&setters=1';req.base_open('GET',ginf.url+'/includes/process.php?action=jstest&'+failures,true);req.send('')}window.overrideOn=true}function disableOverride(){if(!window.overrideOn){return false}window.myParseHTML=parseHTML;window.myParseJS=parseJS;window.parseHTML=noChange;window.parseJS=noChange;window.overrideOn=false}function enableOverride(){if(window.overrideOn){return false}window.parseHTML=window.myParseHTML;window.parseJS=window.myParseJS;window.overrideOn=true}function noChange(a){return a}var offsetx=12;var offsety=8;function newelement(a){if(document.createElement){var b=document.createElement('div');b.id=a;with(b.style){display='none';position='absolute'}b.innerHTML='&nbsp;';document.body.appendChild(b)}}var ie5=(document.getElementById&&document.all);var ns6=(document.getElementById&&!document.all);var ua=navigator.userAgent.toLowerCase();var isapple=(ua.indexOf('applewebkit')!=-1?1:0);function getmouseposition(e){if(document.getElementById){var a=(document.compatMode&&document.compatMode!='BackCompat')?document.documentElement:document.body;pagex=(isapple==1?0:(ie5)?a.scrollLeft:window.pageXOffset);pagey=(isapple==1?0:(ie5)?a.scrollTop:window.pageYOffset);mousex=(ie5)?event.x:(ns6)?clientX=e.clientX:false;mousey=(ie5)?event.y:(ns6)?clientY=e.clientY:false;var b=document.getElementById('tooltip');b.style.left=(mousex+pagex+offsetx)+'px';b.style.top=(mousey+pagey+offsety)+'px'}}function tooltip(a){if(!document.getElementById('tooltip'))newelement('tooltip');var b=document.getElementById('tooltip');b.innerHTML=a;b.style.display='block';document.onmousemove=getmouseposition}function exit(){document.getElementById('tooltip').style.display='none'}window.domReadyFuncs=new Array();window.addDomReadyFunc=function(a){window.domReadyFuncs.push(a)};function init(){if(arguments.callee.done)return false;arguments.callee.done=true;if(_timer)clearInterval(_timer);for(var i=0;i<window.domReadyFuncs.length;++i){try{window.domReadyFuncs()}catch(ignore){}}};if(document.addEventListener){document.addEventListener("DOMContentLoaded",init,false)}/*@cc_on@*//*@if(@_win32)var proto="src='javascript:void(0)'";if(location.protocol=="https:")proto="src=//0";document.write("<scr"+"ipt id=__ie_onload defer "+proto+"><\/scr"+"ipt>");var script=document.getElementById("__ie_onload");script.onreadystatechange=function(){if(this.readyState=="complete"){init()}};/*@end@*/if(/WebKit/i.test(navigator.userAgent)){var _timer=setInterval(function(){if(/loaded|complete/.test(document.readyState)){init()}},10)}window.onload=init;

sam.to

那我上报卡巴

sam.to

https://www.virustotal.com/reana ... 3f79d9ab7b12d691b67



Antivirus          Version          Last Update          Result
a-squared        4.0.0.93        2009.01.31        -
AhnLab-V3        5.0.0.2        2009.01.30        -
AntiVir        7.9.0.60        2009.01.30        HEUR/HTML.Malware
Authentium        5.1.0.4        2009.01.31        -
Avast        4.8.1281.0        2009.01.30        -
AVG        8.0.0.229        2009.01.30        -
BitDefender        7.2        2009.01.31        -
CAT-QuickHeal        10.00        2009.01.31        -
ClamAV        0.94.1        2009.01.31        PUA.Script.Packed-2
Comodo        954        2009.01.30        -
DrWeb        4.44.0.09170        2009.01.31        -
eSafe        7.0.17.0        2009.01.29        -
eTrust-Vet        31.6.6335        2009.01.29        -
F-Prot        4.4.4.56        2009.01.30        -
F-Secure        8.0.14470.0        2009.01.31        Exploit.JS.Agent.abm
Fortinet        3.117.0.0        2009.01.31        -
GData        19        2009.01.31        -
Ikarus        T3.1.1.45.0        2009.01.31        -
K7AntiVirus        7.10.611        2009.01.30        -
Kaspersky        7.0.0.125        2009.01.31        Exploit.JS.Agent.abm
McAfee        5511        2009.01.30        -
McAfee+Artemis        5511        2009.01.30        -
Microsoft        1.4306        2009.01.31        -
NOD32        3815        2009.01.31        -
Norman        6.00.02        2009.01.30        -
nProtect        2009.1.8.0        2009.01.30        -
Panda        9.5.1.2        2009.01.31        -
PCTools        4.4.2.0        2009.01.31        -
Prevx1        V2        2009.01.31        -
Rising        21.13.42.00        2009.01.23        -
SecureWeb-Gateway        6.7.6        2009.01.30        Heuristic.HTML.Malware
Sophos        4.38.0        2009.01.31        -
Sunbelt        3.2.1835.2        2009.01.16        -
Symantec        10        2009.01.31        -
TheHacker        6.3.1.5.241        2009.01.31        -
TrendMicro        8.700.0.1004        2009.01.30        -
VBA32        3.12.8.12        2009.01.30        -
ViRobot        2009.1.31.1583        2009.01.31        -
VirusBuster        4.5.11.0        2009.01.30        -

[ 本帖最后由 sam.to 于 2009-1-31 22:14 编辑 ]

qianwenxiang

估计报的他的JSPacker

sam.to

KL:
Hello,

This is not false alarm

sam.to

39b7066ff534cef5f8c9245997f3b847   main.js3


to kl

qianwenxiang

汗 那它的加密就太bt了点 jspacker去掉之后 可能瞄准最后一段能继续解下去 他的代码我看晕了。。
只发现个这个。。
http://jk0.info/includes/process.php?action=jstest&

sam.to

main.js3

No malicious code was found in this file.