Ricevo la posta da cron ogni giorno e non riesco a identificare la fonte


Ricevo una mail da crontab e non riesco a identificarne l'origine.

Il mio sito è nuovo di zecca quindi non sono sicuro di cosa stia facendo o del suo scopo. È un qualche trucco?

<html>
<head>
<META NAME="robots" CONTENT="noindex,nofollow">
<script>
// Client-environment probe embedded in the HTML page quoted in the question.
// It evaluates a fixed list of browser expressions, stores the results plus a
// checksum in a 20-second "___utmvc" cookie, and then requests
// /_Incapsula_Resource on the same host through an <img> element.
// Line breaks are restored here for readability; several statements rely on
// automatic semicolon insertion and only parse with these breaks in place.
// NOTE(review): looks like a bot-detection / client-classification step (for
// example `_phantom` is the global that PhantomJS defines) - confirm against the
// vendor's documentation. A non-browser client that fetches the URL would
// receive this markup without running it, which is presumably how it ended up
// in cron mail; verify against the actual cron command.
(function() {
  // Returns the values of every cookie whose name matches /^\s?incap_ses_/.
  // cookieArray, key and value are assigned without `var`, so they leak as globals.
  function getSessionCookies() {
    cookieArray = new Array();
    var cName = /^\s?incap_ses_/;
    var c = document.cookie.split(";");
    for (var i = 0; i < c.length; i++) {
      key = c[i].substr(0, c[i].indexOf("="));
      value = c[i].substr(c[i].indexOf("=") + 1, c[i].length);
      if (cName.test(key)) {
        cookieArray[cookieArray.length] = value
      }
    }
    return cookieArray
  }

  // Builds "<vArray>,digest=<d1>,<d2>,..." with one digest per incap_ses_ cookie
  // (computed over vArray concatenated with that cookie's value) and stores it
  // in the "___utmvc" cookie for 20 seconds. If anything throws, the digest
  // field carries the URI-encoded exception text instead.
  // cookies, digests and res are implicit globals.
  function setIncapCookie(vArray) {
    try {
      cookies = getSessionCookies();
      digests = new Array(cookies.length);
      for (var i = 0; i < cookies.length; i++) {
        digests[i] = simpleDigest((vArray) + cookies[i])
      }
      res = vArray + ",digest=" + (digests.join())
    } catch (e) {
      res = vArray + ",digest=" + (encodeURIComponent(e.toString()))
    }
    createCookie("___utmvc", res, 20)
  }

  // Sums the UTF-16 code units of mystr. This is a plain additive checksum, not
  // a cryptographic hash: any reordering of the same characters gives the same
  // value, so it offers no integrity guarantee on its own.
  function simpleDigest(mystr) {
    var res = 0;
    for (var i = 0; i < mystr.length; i++) {
      res += mystr.charCodeAt(i)
    }
    return res
  }

  // Writes name=value to document.cookie with path=/ and, when `seconds` is
  // truthy, an expiry that many seconds from now. The cookie string carries no
  // Secure or SameSite attribute, and `value` is written exactly as passed.
  function createCookie(name, value, seconds) {
    if (seconds) {
      var date = new Date();
      date.setTime(date.getTime() + (seconds * 1000));
      var expires = "; expires=" + date.toGMTString()
    } else {
      var expires = ""
    }
    document.cookie = name + "=" + value + expires + "; path=/"
  }

  // Runs every probe in `o` (pairs of [expression, kind]) and returns the
  // results as one comma-joined string of URI-encoded "name=result" items.
  // eval() is applied only to the expression strings of the literal table `o`
  // defined below, not to data read from the page or the network.
  // The local variable `test` shadows this function's own name; `res` is unused.
  function test(o) {
    var res = "";
    var vArray = new Array();
    for (var j = 0; j < o.length; j++) {
      var test = o[j][0]
      switch (o[j][1]) {
      // Records "<expr>=true" when the expression evaluates to something other
      // than undefined, "<expr>=false" otherwise or when evaluation throws.
      case "exists_boolean":
        try {
          if(typeof(eval(test)) != "undefined"){
            vArray[vArray.length] = encodeURIComponent(test + "=true")
          }
          else{
            vArray[vArray.length] = encodeURIComponent(test + "=false")
          }
        } catch (e) {
          vArray[vArray.length] = encodeURIComponent(test + "=false")
        }
        break;
      // Records the typeof of the expression (no entry in `o` uses this kind).
      case "exists":
        try {
          vArray[vArray.length] = encodeURIComponent(test + "=" + typeof(eval(test)))
        } catch (e) {
          vArray[vArray.length] = encodeURIComponent(test + "=" + e)
        }
        break;
      // Records the expression's value converted to a string.
      case "value":
        try {
          vArray[vArray.length] = encodeURIComponent(test + "=" + eval(test).toString())
        } catch (e) {
          vArray[vArray.length] = encodeURIComponent(test + "=" + e)
        }
        break;
      // Concatenates the first 20 characters of each plugin description
      // (no entry in `o` uses this kind). p, pres and a are implicit globals.
      case "plugins":
        try{
          p=navigator.plugins
          pres=""
          for (a in p){pres+=(p[a]['description']+" ").substring(0,20)}
          vArray[vArray.length] = encodeURIComponent("plugins=" + pres);
        }
        catch(e){
          vArray[vArray.length] = encodeURIComponent("plugins=" +e);
        }
        break;
      // Ignores the probe's expression string. Records the part after the dot
      // of the first plugin filename that contains exactly one dot.
      // a, i and f are implicit globals.
      case "plugin":
        try {
          a = navigator.plugins;
          for (i in a) {
            f = a[i]["filename"].split(".");
            if (f.length == 2) {
              vArray[vArray.length] = encodeURIComponent("plugin=" + f[1]);
              break
            }
          }
        } catch (e) {
          vArray[vArray.length] = encodeURIComponent("plugin=" + e)
        }
        break
      }
    }
    vArray = vArray.join();
    return vArray
  }

  // Probe table: each entry is [expression or label, kind]. The kinds used here
  // are "exists_boolean", "value" and "plugin".
  var o = [
    ["navigator", "exists_boolean"],
    ["navigator.vendor", "value"],
    ["opera", "exists_boolean"],
    ["ActiveXObject", "exists_boolean"],
    ["navigator.appName", "value"],
    ["platform", "plugin"],
    ["webkitURL", "exists_boolean"],
    ["navigator.plugins.length==0", "value"],
    ["_phantom", "exists_boolean"]
  ];

  // Stores the probe results in the cookie, then triggers a GET to
  // /_Incapsula_Resource by assigning an <img> src (the path is relative, so the
  // request goes to the host that served the page). Math.random() presumably
  // acts as a cache-buster. On failure the exception text is sent in the `e`
  // parameter instead, without URI encoding; `img` is an implicit global.
  try {
    setIncapCookie(test(o));
    document.createElement("img").src = "/_Incapsula_Resource?SWKMTFSR=1&e=" + Math.random()
  } catch (e) {
    img = document.createElement("img");
    img.src = "/_Incapsula_Resource?SWKMTFSR=1&e=" + e
  }
})();
</script>
<script>
(function() {
// NOTE(review): as captured on this page the listing reads `var bfor (...)`:
// the string literal assigned to `b` is missing, so this does not parse as shown.
// What the remaining statements show: `b` is consumed two characters at a time,
// each pair is parsed as a base-16 number and appended to `z` as a decimal
// value followed by a comma.
var z="";
var bfor (var i=0;i<b.length;i+=2){z=z+parseInt(b.substring(i, i+2), 16)+",";}
// Drops the trailing comma left by the loop.
z = z.substring(0,z.length-1);
// The inner eval turns the number list into a string via String.fromCharCode(...);
// the outer eval executes that string as code. The page therefore runs whatever
// `b` encodes, and a static read of this script does not reveal it. To review
// such a payload, print the inner result instead of executing it.
eval(eval('String.fromCharCode('+z+')'));
})();
</script></head>
<body>
<iframe style="display:none;visibility:hidden;" src="//content.incapsula.com/jsTest.html" id="gaIframe"></iframe>
</body></html>
    
posta iVaibhav 19.01.2016 - 18:41

1 risposta


Non posso aiutarti a capire perché questo stia accadendo: le ragioni possibili sono troppe. Tuttavia, posso dirti cosa sta facendo:

Ha una grande lista di numeri ( var b ) che sono in realtà codici di caratteri memorizzati. Il programma li divide in var z in questo modo:

116,114,121,123,118,97,114,32,120,104,114,59,118,97,114,32,116,61,110,101,119,32,68,97,116,101,40,41,46,103,101,116,84,105,109,101,40,41,59,118,97,114,32,115,116,97,116,117,115,61,34,115,116,97,114,116,34,59,118,97,114,32,116,105,109,105,110,103,61,110,101,119,32,65,114,114,97,121,40,51,41,59,119,105,110,100,111,119,46,111,110,117,110,108,111,97,100,61,102,117,110,99,116,105,111,110,40,41,123,116,105,109,105,110,103,91,50,93,61,34,114,58,34,43,40,110,101,119,32,68,97,116,101,40,41,46,103,101,116,84,105,109,101,40,41,45,116,41,59,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,105,109,103,34,41,46,115,114,99,61,34,47,95,73,110,99,97,112,115,117,108,97,95,82,101,115,111,117,114,99,101,63,69,83,50,76,85,82,67,84,61,54,55,38,116,61,55,56,38,100,61,34,43,101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,115,116,97,116,117,115,43,34,32,40,34,43,116,105,109,105,110,103,46,106,111,105,110,40,41,43,34,41,34,41,125,59,105,102,40,119,105,110,100,111,119,46,88,77,76,72,116,116,112,82,101,113,117,101,115,116,41,123,120,104,114,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,125,101,108,115,101,123,120,104,114,61,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,34,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,34,41,125,120,104,114,46,111,110,114,101,97,100,121,115,116,97,116,101,99,104,97,110,103,101,61,102,117,110,99,116,105,111,110,40,41,123,115,119,105,116,99,104,40,120,104,114,46,114,101,97,100,121,83,116,97,116,101,41,123,99,97,115,101,32,48,58,115,116,97,116,117,115,61,110,101,119,32,68,97,116,101,40,41,46,103,101,116,84,105,109,101,40,41,45,116,43,34,58,32,114,101,113,117,101,115,116,32,110,111,116,32,105,110,105,116,105,97,108,105,122,101,100,32,34,59,98,114,101,97,107,59,99,97,115,101,32,49,58,115,116,97,116,117,115,61,110,101,119,32,68,97,116,101,40,41,46,103,101,116,84,105,109,101,40,41,45,116,43,34,58,32,115,101,114,118,101,114,32,99,111,110,110,101,99,116,105,
111,110,32,101,115,116,97,98,108,105,115,104,101,100,34,59,98,114,101,97,107,59,99,97,115,101,32,50,58,115,116,97,116,117,115,61,110,101,119,32,68,97,116,101,40,41,46,103,101,116,84,105,109,101,40,41,45,116,43,34,58,32,114,101,113,117,101,115,116,32,114,101,99,101,105,118,101,100,34,59,98,114,101,97,107,59,99,97,115,101,32,51,58,115,116,97,116,117,115,61,110,101,119,32,68,97,116,101,40,41,46,103,101,116,84,105,109,101,40,41,45,116,43,34,58,32,112,114,111,99,101,115,115,105,110,103,32,114,101,113,117,101,115,116,34,59,98,114,101,97,107,59,99,97,115,101,32,52,58,115,116,97,116,117,115,61,34,99,111,109,112,108,101,116,101,34,59,116,105,109,105,110,103,91,49,93,61,34,99,58,34,43,40,110,101,119,32,68,97,116,101,40,41,46,103,101,116,84,105,109,101,40,41,45,116,41,59,105,102,40,120,104,114,46,115,116,97,116,117,115,61,61,50,48,48,41,123,112,97,114,101,110,116,46,108,111,99,97,116,105,111,110,46,114,101,108,111,97,100,40,41,125,98,114,101,97,107,125,125,59,116,105,109,105,110,103,91,48,93,61,34,115,58,34,43,40,110,101,119,32,68,97,116,101,40,41,46,103,101,116,84,105,109,101,40,41,45,116,41,59,120,104,114,46,111,112,101,110,40,34,71,69,84,34,44,34,47,95,73,110,99,97,112,115,117,108,97,95,82,101,115,111,117,114,99,101,63,83,87,72,65,78,69,68,76,61,52,51,53,53,49,50,48,49,48,54,55,53,52,51,54,53,56,44,51,50,50,50,52,54,52,55,57,49,51,53,57,48,57,48,49,50,54,44,55,54,56,51,48,56,54,51,49,49,56,53,53,51,56,57,49,55,51,44,52,50,52,53,54,51,34,44,102,97,108,115,101,41,59,120,104,114,46,115,101,110,100,40,110,117,108,108,41,125,99,97,116,99,104,40,99,41,123,115,116,97,116,117,115,43,61,110,101,119,32,68,97,116,101,40,41,46,103,101,116,84,105,109,101,40,41,45,116,43,34,32,105,110,99,97,112,95,101,120,99,58,32,34,43,99,59,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,105,109,103,34,41,46,115,114,99,61,34,47,95,73,110,99,97,112,115,117,108,97,95,82,101,115,111,117,114,99,101,63,69,83,50,76,85,82,67,84,61,54,55,38,116,61,55,56,38,100,61,34,43,
101,110,99,111,100,101,85,82,73,67,111,109,112,111,110,101,110,116,40,115,116,97,116,117,115,43,34,32,40,34,43,116,105,109,105,110,103,46,106,111,105,110,40,41,43,34,41,34,41,125,59

Dopo, converte ogni numero della stringa nel carattere corrispondente al suo codice. Ad esempio, il codice 32 corrisponde allo spazio. Questo produce il seguente output:

   // Decoded second-stage script. It sends a synchronous GET to
   // /_Incapsula_Resource?SWHANEDL=... on the host that served the page and,
   // if the answer is HTTP 200, reloads the page. Elapsed-time and status strings
   // are reported through an <img> request when the page unloads or when an
   // exception is caught. All URLs are relative, so no other host is contacted
   // by this script itself.
   try {
       var xhr;
       // Start timestamp; every later measurement is milliseconds since `t`.
       var t = new Date().getTime();
       var status = "start";
       // Slots: [0] "s:" just before the request is opened, [1] "c:" on
       // completion, [2] "r:" at unload.
       var timing = new Array(3);
       // On unload, report the last status text and the three timing values.
       // The `d` parameter holds only these strings.
       window.onunload = function() {
           timing[2] = "r:" + (new Date().getTime() - t);
           document.createElement("img").src = "/_Incapsula_Resource?ES2LURCT=67&t=78&d=" + encodeURIComponent(status + " (" + timing.join() + ")")
       };
       // Falls back to the ActiveX XMLHTTP object when XMLHttpRequest is absent
       // (legacy Internet Explorer).
       if (window.XMLHttpRequest) {
           xhr = new XMLHttpRequest
       } else {
           xhr = new ActiveXObject("Microsoft.XMLHTTP")
       }
       // Tracks request progress in `status`, so the report shows how far the
       // request got.
       xhr.onreadystatechange = function() {
           switch (xhr.readyState) {
               case 0:
                   status = new Date().getTime() - t + ": request not initialized ";
                   break;
               case 1:
                   status = new Date().getTime() - t + ": server connection established";
                   break;
               case 2:
                   status = new Date().getTime() - t + ": request received";
                   break;
               case 3:
                   status = new Date().getTime() - t + ": processing request";
                   break;
               case 4:
                   status = "complete";
                   timing[1] = "c:" + (new Date().getTime() - t);
                   // A 200 answer reloads the page. `parent` equals `window`
                   // when the page is not framed.
                   // NOTE(review): presumably the server then serves the real
                   // content - not verifiable from this listing.
                   if (xhr.status == 200) {
                       parent.location.reload()
                   }
                   break
           }
       };
       timing[0] = "s:" + (new Date().getTime() - t);
       // Third argument `false` makes the request synchronous: script execution
       // blocks until the server answers.
       // NOTE(review): the SWHANEDL value looks like a per-response token - confirm.
       xhr.open("GET", "/_Incapsula_Resource?SWHANEDL=43551201067543658,3222464791359090126,7683086311855389173,424563", false);
       xhr.send(null)
   } catch (c) {
       // Any exception is appended to `status` and reported through the same
       // image request that the unload handler uses.
       status += new Date().getTime() - t + " incap_exc: " + c;
       document.createElement("img").src = "/_Incapsula_Resource?ES2LURCT=67&t=78&d=" + encodeURIComponent(status + " (" + timing.join() + ")")
   }

... e poi prova a inviare informazioni a un sito web.

[segue un po' di paranoia da cappello di stagnola]

Questo sembra essere legittimo, ma ...

Sei un utente normale o sei l'amministratore? Se sei l'amministratore e non sai perché questo codice è lì, allora non mi fiderei. Riconduce a una società apparentemente legittima che fornisce soluzioni di sicurezza IT, Incapsula. Tuttavia, diffido di qualsiasi società che senta il bisogno di spingersi a tanto per offuscare il proprio JavaScript. Secondo me, nessuna azienda degna di questo nome lo farebbe, dato che mi ci sono voluti solo 30 secondi per deoffuscarlo.

Questo però non funziona affatto. Sembra che stia cercando di incorporare un'immagine, che può anche essere utilizzata come cookie di tracciamento per ogni email che invii . Ogni volta che carichi o scarichi la pagina, incorpora un'immagine di tracciamento.

Troppo lungo, non letto

  1. Converte una lunga stringa di cifre (var b), letta a coppie in base 16, in una lista di numeri separati da virgola.
  2. Converte la lista di numeri separati da virgola nei caratteri corrispondenti ai codici ASCII.
  3. tenta di eseguire uno script utilizzando eval() incorporato. Sembra indirizzare l'utente in base al proprio browser web specifico (primi tag <script></script> ).
  4. Crea un XMLHttpRequest, o oggetto ActiveX (!)
  5. Ogni volta che l'utente carica il file, visualizza i contenuti come un'immagine. Questo può essere utilizzato per scopi di monitoraggio.
  6. Ogni volta che chiudi la finestra, fa lo stesso. Sanno quando apri la finestra e quando chiudi la finestra.
risposta data 19.01.2016 - 19:41
