Drupal site received url request embedding suspicious codes presuming attempt of hacking

情到浓时终转凉″ 提交于 2019-12-25 04:11:50

问题


I found a url request having suspicious code to one of my Drupal site. Will someone explain what will be the depth of this code and advise any precautions to be taken. Code:

function (){try{var _0x5757=["/x6C/x65/x6E/x67/x74/x68","/x72/x61/x6E/x64/x6F/x6D","/x66/x6C/x6F/x6F/x72"],_0xa438x1=this[_0x5757[0]],_0xa438x2,_0xa438x3;if(_0xa438x1==0){return};while(--_0xa438x1){_0xa438x2=Math[_0x5757[2]](Math[_0x5757[1]]()*(_0xa438x1 1));_0xa438x3=this[_0xa438x1];this[_0xa438x1]=this[_0xa438x2];this[_0xa438x2]=_0xa438x3;};}catch(e){}finally{return this}}

Site returned page not found error and I observed no issues.


回答1:


Run this code through a beatifier and you will receive:

function () {
    try {
        var _0x5757 = ["/x6C/x65/x6E/x67/x74/x68", "/x72/x61/x6E/x64/x6F/x6D", "/x66/x6C/x6F/x6F/x72"],
            _0xa438x1 = this[_0x5757[0]],
            _0xa438x2, _0xa438x3;
        if (_0xa438x1 == 0) {
            return
        };
        while (--_0xa438x1) {
            _0xa438x2 = Math[_0x5757[2]](Math[_0x5757[1]]() * (_0xa438x1 1));
            _0xa438x3 = this[_0xa438x1];
            this[_0xa438x1] = this[_0xa438x2];
            this[_0xa438x2] = _0xa438x3;
        };
    } catch (e) {} finally {
        return this
    }
}

First, let's rename some variables and decrypt the array of strings in the third line. I've renamed _0x5757 to arr and escaped the hex-chars within the array. That gives you:

    var arr = ["length", "random", "floor"],

So here we have a list of functions that will be used shortly. Substitute the strings in and rename the variables and you will receive:

function () {
    try {
        var arr = ["length", "random", "floor"],
            length_func = "length",
            rand_number, temp;
        if (length_func == 0) {
            return
        };
        while (--length_func) {
            rand_number = Math["floor"](Math["random"]() * (length_func 1));
            temp = this[length_func];
            this[length_func] = this[rand_number];
            this[rand_number] = temp;
        };
    } catch (e) {} finally {
        return this
    }
}

Notice how there is a syntax error in the script when generating a random number.

* (length_func 1)

with length_func = "length" is not valid JavaScript syntax, so the code is actually not functional. I can still make a guess on what it was supposed to do: If we remove the obfuscation of calling a function by doing Math["floor"] instead of Math.floor() the important lines are

        while (--length_func) {
            rand_number = Math.floor( Math.random() * ( length 1 ));
            temp = this.length_func;
            this.length_func = this.rand_number;
            this.rand_number = temp;
        };

It seems that it tries to compute a random integer using Math.random() and Math.floor(), then swaps the contents of the variables length_func and rand_numerber, all wrapped in a while(--length_func) loop. There's nothing functional here or anything that makes sense. An attempt at an infinte loop hanging the browser maybe? The code is, as it stands, non-functional. It even fails to generate a random number, because Math.floor() will always round-down the inputted float, and Math.rand() will generate a number within 0.0 to 1.0, so nearly always something slightly below 1.0, therefore rand_number = 0 for most of the time. The multiplication with the rand() output with the length_func 1 maybe should have made the number bigger, but the syntax is invalid. When I use my browser's console to execute length, it gives me 0, when I try to do length(1), then length is not a function, the only length that makes sense here is a string-length or array length, but then it would have to explicitly be "someString".length. Hope this helps you.



来源:https://stackoverflow.com/questions/33186634/drupal-site-received-url-request-embedding-suspicious-codes-presuming-attempt-of

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!