用户dns劫持恶意代码检查的dns_hijack.js

浏览： ℃

字体：大中小

发布时间：2013-12-09 23:24:01

来源：

前面“dns_hijack”很火爆，可以说是再一次的“挂马”高潮！网站被挂路由CSRF代码，达到篡改DNS的目的。为了方便站长自查，我们在线上的检查程序：http://zhanzhang.anquan.org/topic/dns_hijacking/ 加入估计代码直接溯源出被篡改的js文件。

下面这个代码是一个直接客户端js里的简单实现

/** * @name: dns_hijack.js * @author: 5up3rh3i@gmail.com * @date: 2013-11-23 * @version: 1.0 */ DeleteCookie(); var scripts=document.getElementsByTagName("script");var jsArray=new Array();  for (p in scripts) {    if (typeof(scripts[p].src) != 'undefined' && scripts[p].src != '' && scripts[p].src.indexOf("chrome-extension") < 0) {            jsArray.push(scripts[p].src);     }} var c = 0;var t = jsArray.length;var jsTree = ""; function count(){        jsLoader(jsArray[c]);        c = c + 1;        if (c<t) {            setTimeout("count()",10000);        }} function jsLoader(jsrc){            DeleteCookie();            //console.info(jsrc);            document.write("<html><head></head><body>检测JS："+jsrc+"......<br><script src="+jsrc+"></script></body>");            try{                for (var i = 0; i < document.images.length; i++) {                                  if (document.images[i].src.indexOf("192.168")>0 ) {                       console.info(jsrc);                    };            };            }catch(err){}             try{                    for (var i = 0; i < document.getElementsByTagName('iframe').length; i++) {                        if (document.body.getElementsByTagName("iframe")[i].src.indexOf("192.168")>0 ) {                        console.info(jsrc);                    };                }            }catch(err){}            try{                document.body.innerHTML = "" ;                document.head.innerHTML = "";            }catch(err){}} function getCookieVal (offset) {         var endstr = document.cookie.indexOf (";", offset);        if (endstr == -1)          endstr = document.cookie.length;            return unescape(document.cookie.substring(offset, endstr));  }   function GetCookie (name) {            var arg = name + "=";            var alen = arg.length;            var clen = document.cookie.length;            var i = 0;            while (i < clen) {              var j = i + alen;              if (document.cookie.substring(i, j) == arg)                        return getCookieVal (j);                      i = document.cookie.indexOf(" ", i) + 1;                      if (i == 0) break;             }            return null;  } function DeleteCookie () {       var tokens = document.cookie.split(';');    for (var index = 0; index < tokens.length; index++) {        var pair = tokens[index].split('=');            var name = unescape(pair[0]) ;            var exp = new Date();                exp.setTime (exp.getTime() - 1);                var cval = GetCookie (name);                document.cookie = name + "=" + cval + ";path=/;expires=" + exp.toGMTString();     } }  count();

>更多相关文章