https://blog.xpdbk.com/en/categories/website/Recent content in website on LEl_FENG BlogHugo -- gohugo.ioenLEl_FENG CopyrightTue, 29 Aug 2023 13:58:11 +0700https://blog.xpdbk.com/en/posts/ddos-blog-1/Tue, 29 Aug 2023 13:58:11 +0700https://blog.xpdbk.com/en/posts/ddos-blog-1/<blockquote> <p><strong>TL;DR / Geek Summary:</strong></p> <ul> <li>Threat Intel: Sustained 4-day malicious DDoS/CC assault consuming 75GB+ bandwidth in hours.</li> <li>Attack Vector: Mirror link injection via shortcode service and volumetric HTTP floods.</li> <li>Mitigation: Deployed Cloudflare CDN (Orange Cloud) and WAF firewall rules to neutralize traffic.</li> </ul> </blockquote> <h2 id="introduction"> <a href="#introduction" class="heading-anchor" aria-label="Anchor for Introduction">#</a> Introduction </h2> <p>Because I originally built my blog using <code>wordpress</code>, I am very familiar with DDoS and CC attacks and have always paid close attention to them. Later on, I successively tried dynamic frameworks like <code>typecho</code> and <code>Halo</code>, then moved from <code>jekyll</code> to <code>Hexo</code>, before finally settling on <code>Hugo</code>, a static blog framework. After that, I stopped worrying about server and DDoS protection issues and remained in a completely worry-free state. That is, until a certain <code>person</code> recently launched a malicious 4-day attack on my website, which forced me to take DDoS and CC protection seriously again.</p> <h2 id="how-it-started"> <a href="#how-it-started" class="heading-anchor" aria-label="Anchor for How It Started">#</a> How It Started </h2> <p>Around 11 PM, while I was scrolling through my phone, an email arrived telling me my website had already used <code>75GB</code> of bandwidth. I thought to myself: what on earth used up so much bandwidth?</p> <p><img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/2.webp" width="697" height="427" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/2_hu61035c777cd25ad0569fb020cc1e0b45_18466_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/2_hu61035c777cd25ad0569fb020cc1e0b45_18466_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Email Alert" class="gallery-image" data-flex-grow="163" data-flex-basis="391px" > <img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/3.webp" width="912" height="491" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/3_hu7af1aaf68db1dc93fc049848a022485f_14362_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/3_hu7af1aaf68db1dc93fc049848a022485f_14362_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Bandwidth Exceeded 1" class="gallery-image" data-flex-grow="185" data-flex-basis="445px" ></p> <p>Then I clicked in to take a look, and it literally gave me a jump scare.</p> <p><img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/3123.webp" width="923" height="493" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/3123_hu0123f6b66a6ab32b027fa7fb52d57284_28416_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/3123_hu0123f6b66a6ab32b027fa7fb52d57284_28416_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Bandwidth Exceeded 2" class="gallery-image" data-flex-grow="187" data-flex-basis="449px" ></p> <p>If I ignored this, my site would definitely be forced to shut down. And once it&rsquo;s shut down, I would lose all my search engine indexing.</p> <h2 id="interlude"> <a href="#interlude" class="heading-anchor" aria-label="Anchor for Interlude">#</a> Interlude </h2> <p>This attacker also stuffed a ton of gray-market (illicit) links into my URL shortening service. However, thanks to my HTML modifications to hide the input form, visiting <code>https://l.xpdbk.com</code> doesn&rsquo;t allow anyone to add links; only I can add them from the backend. I originally intended to make the service available for public use, but because people like this exist, I had no choice but to make it private.</p> <p><img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/42434234.webp" width="1017" height="563" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/42434234_hud03e8a81990fb7f7046ae308445b0da1_23936_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/42434234_hud03e8a81990fb7f7046ae308445b0da1_23936_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Short Link Bandwidth Exceeded" class="gallery-image" data-flex-grow="180" data-flex-basis="433px" > <img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/4234234.webp" width="1001" height="380" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/4234234_hu6063fff67e2df29716fcd8bcb1ea4618_7504_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/4234234_hu6063fff67e2df29716fcd8bcb1ea4618_7504_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Short Link Repository" class="gallery-image" data-flex-grow="263" data-flex-basis="632px" > <img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/25t24t.webp" width="563" height="470" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/25t24t_hue9bc7f51fd3d7e9ef89e1c8ccfd6cfda_24712_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/25t24t_hue9bc7f51fd3d7e9ef89e1c8ccfd6cfda_24712_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Short Link Edit Interface" class="gallery-image" data-flex-grow="119" data-flex-basis="287px" ></p> <h2 id="taking-action"> <a href="#taking-action" class="heading-anchor" aria-label="Anchor for Taking Action">#</a> Taking Action </h2> <p>I quickly rushed to enable <code>CF CDN</code>. I hadn&rsquo;t turned on the little orange cloud for Cloudflare CDN before because I wanted to accommodate loading speeds for users in China. Blocked by the WAF firewall, all of the attacker&rsquo;s traffic was successfully mitigated.</p> <p><img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/53535.webp" width="995" height="334" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/53535_hueedac4e5686c85387a92fd68a787b89e_19228_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/53535_hueedac4e5686c85387a92fd68a787b89e_19228_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="WAF Firewall" class="gallery-image" data-flex-grow="297" data-flex-basis="714px" > <img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/5353a5.webp" width="1000" height="220" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/5353a5_hu6e4094afa2e8a5b0820c993b1cd0bbc8_9372_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/5353a5_hu6e4094afa2e8a5b0820c993b1cd0bbc8_9372_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="WAF Firewall 2" class="gallery-image" data-flex-grow="454" data-flex-basis="1090px" ></p> <h2 id="conclusion"> <a href="#conclusion" class="heading-anchor" aria-label="Anchor for Conclusion">#</a> Conclusion </h2> <p>All the malicious traffic was completely neutralized.</p> <p><img src="https://blog.xpdbk.com/en/posts/ddos-blog-1/434324234.webp" width="1020" height="587" srcset="https://blog.xpdbk.com/en/posts/ddos-blog-1/434324234_hu84ca457604e8b561332131fc2dee4026_38880_480x0_resize_q75_h2_box_2.webp 480w, https://blog.xpdbk.com/en/posts/ddos-blog-1/434324234_hu84ca457604e8b561332131fc2dee4026_38880_1024x0_resize_q75_h2_box_2.webp 1024w" loading="lazy" alt="Total Traffic" class="gallery-image" data-flex-grow="173" data-flex-basis="417px" ></p> <p>A word of advice for the attacker: In this world, you can&rsquo;t get something for nothing.</p>https://blog.xpdbk.com/en/posts/web-fake-fandai/Thu, 27 Jul 2023 10:11:14 +0700https://blog.xpdbk.com/en/posts/web-fake-fandai/<img src="https://blog.xpdbk.com/en/posts/web-fake-fandai/photo_2023-07-27_21-08-20.webp" alt="Featured image of post A Record of My Blog Being Reverse Proxied" /><blockquote> <p><strong>TL;DR / Geek Summary:</strong></p> <ul> <li>Incident: Detected a domain hijacking the entire blog via Cloudflare Workers reverse proxy.</li> <li>Defensive Patch: Implemented a JavaScript domain validator in the <code>&lt;head&gt;</code> to force redirects.</li> <li>Obfuscation Hack: Used obfuscator.io to encrypt the JS logic, preventing the proxy from rewriting validation rules.</li> </ul> </blockquote> <p>Yesterday, I was checking my Google Analytics data in my free time and spotted a referral from a domain I had never seen before. Initially, I thought it was just a scraper site or someone referencing my article, so I decided to take a look. However, upon opening the page, I saw my entire blog right there (completely unmodified).</p> <p>I wouldn&rsquo;t just say the content was identical; even the page structure was exactly the same. I&rsquo;ve seen scrapers and I&rsquo;ve seen people referencing my work, but I&rsquo;ve never seen an entire site being reverse-proxied like this before&hellip;</p> <hr> <h2 id="at-first"> <a href="#at-first" class="heading-anchor" aria-label="Anchor for At First">#</a> At First </h2> <p>At first, I thought they had just scraped and downloaded the site, and I wasn&rsquo;t going to care. But later I realized they were directly reverse proxying it using Cloudflare Workers, and they had even modified the host header. Because of this, standard anti-hotlinking measures were basically useless&hellip;</p> <p>After some Googling, I found out that this kind of situation can be handled using a JavaScript script.</p> <p>In the beginning, I just used JS to verify if the window&rsquo;s domain was correct. If it wasn&rsquo;t, it would automatically redirect to the correct domain.</p> <p>The code is as follows. Please put it inside the <code>&lt;head&gt;</code> tag:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-JavaScript" data-lang="JavaScript"><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">validDomains</span> <span class="o">=</span><span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;blog.xpdbk.com&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;vlblog.xpdbk.com&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;lelfeng.netlify.app&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;cfblog.xpdbk.com&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="s1">&#39;1x000.github.io&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;adaewfd321fg3.cachefly.net&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;127.0.0.1:1313&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;localhost:1313&#39;</span> </span></span><span class="line"><span class="cl"><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="k">try</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nx">validDomains</span><span class="p">.</span><span class="nx">indexOf</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">hostname</span> <span class="o">+</span><span class="s1">&#39;:&#39;</span><span class="o">+</span> <span class="nb">document</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">port</span><span class="p">)</span> <span class="o">===</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="s1">&#39;http://blog.xpdbk.com&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{}</span> </span></span></code></pre></td></tr></table> </div> </div><p>However, this guy didn&rsquo;t play by the rules. Through the reverse proxy, he replaced all the domains in the files with his own domain, which resulted in an infinite loop.</p> <p>Later, I used <a class="link" href="https://obfuscator.io/" target="_blank" rel="noopener" >https://obfuscator.io/</a> <span style="white-space: nowrap;"><svg width=".7em" height=".7em" viewBox="0 0 21 21" xmlns="http://www.w3.org/2000/svg"> <path d="m13 3l3.293 3.293l-7 7l1.414 1.414l7-7L21 11V3z" fill="currentColor" /> <path d="M19 19H5V5h7l-2-2H5c-1.103 0-2 .897-2 2v14c0 1.103.897 2 2 2h14c1.103 0 2-.897 2-2v-5l-2-2v7z" fill="currentColor"> </svg></span> to obfuscate the JS code. This successfully prevented the domains from being modified and replaced.</p> <p>The obfuscated sample code is as follows:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-JavaScript" data-lang="JavaScript"><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">_0x43eb42</span><span class="o">=</span><span class="nx">_0x27a7</span><span class="p">;(</span><span class="kd">function</span><span class="p">(</span><span class="nx">_0xafca11</span><span class="p">,</span><span class="nx">_0x40b2b8</span><span class="p">){</span><span class="kr">const</span> <span class="nx">_0x35c55e</span><span class="o">=</span><span class="nx">_0x27a7</span><span class="p">,</span><span class="nx">_0x15b338</span><span class="o">=</span><span class="nx">_0xafca11</span><span class="p">();</span><span class="k">while</span><span class="p">(</span><span class="o">!!</span><span class="p">[]){</span><span class="k">try</span><span class="p">{</span><span class="kr">const</span> <span class="nx">_0x517e5b</span><span class="o">=</span><span class="nb">parseInt</span><span class="p">(</span><span class="nx">_0x35c55e</span><span class="p">(</span><span class="mh">0x188</span><span class="p">))</span><span class="o">/</span><span class="mh">0x1</span><span class="o">*</span><span class="p">(</span><span class="nb">parseInt</span><span class="p">(</span><span class="nx">_0x35c55e</span><span class="p">(</span><span class="mh">0x196</span><span class="p">))</span><span class="o">/</span><span class="mh">0x2</span><span class="p">)</span><span class="o">+-</span><span class="nb">parseInt</span><span class="p">(</span><span class="nx">_0x35c55e</span><span class="p">(</span><span class="mh">0x189</span><span class="p">))</span><span class="o">/</span><span class="mh">0x3</span><span class="o">+-</span><span class="nb">parseInt</span><span class="p">(</span><span class="nx">_0x35c55e</span><span class="p">(</span><span class="mh">0x18c</span><span class="p">))</span><span class="o">/</span><span class="mh">0x4</span><span class="o">+</span><span class="nb">parseInt</span><span class="p">(</span><span class="nx">_0x35c55e</span><span class="p">(</span><span class="mh">0x194</span><span class="p">))</span><span class="o">/</span><span class="mh">0x5</span><span class="o">+</span><span class="nb">parseInt</span><span class="p">(</span><span class="nx">_0x35c55e</span><span class="p">(</span><span class="mh">0x1a6</span><span class="p">))</span><span class="o">/</span><span class="mh">0x6</span><span class="o">+-</span><span class="nb">parseInt</span><span class="p">(</span><span class="nx">_0x35c55e</span><span class="p">(</span><span class="mh">0x19c</span><span class="p">))</span><span class="o">/</span><span class="mh">0x7</span><span class="o">*</span><span class="p">(</span><span class="nb">parseInt</span><span class="p">(</span><span class="nx">_0x35c55e</span><span class="p">(</span><span class="mh">0x1a3</span><span class="p">))</span><span class="o">/</span><span class="mh">0x8</span><span class="p">)</span><span class="o">+-</span><span class="nb">parseInt</span><span class="p">(</span><span class="nx">_0x35c55e</span><span class="p">(</span><span class="mh">0x19a</span><span class="p">))</span><span class="o">/</span><span class="mh">0x9</span><span class="o">*</span><span class="p">(</span><span class="o">-</span><span class="nb">parseInt</span><span class="p">(</span><span class="nx">_0x35c55e</span><span class="p">(</span><span class="mh">0x19d</span><span class="p">))</span><span class="o">/</span><span class="mh">0xa</span><span class="p">);</span><span class="k">if</span><span class="p">(</span><span class="nx">_0x517e5b</span><span class="o">===</span><span class="nx">_0x40b2b8</span><span class="p">)</span><span class="k">break</span><span class="p">;</span><span class="k">else</span> <span class="nx">_0x15b338</span><span class="p">[</span><span class="s1">&#39;push&#39;</span><span class="p">](</span><span class="nx">_0x15b338</span><span class="p">[</span><span class="s1">&#39;shift&#39;</span><span class="p">]());}</span><span class="k">catch</span><span class="p">(</span><span class="nx">_0x6c5198</span><span class="p">){</span><span class="nx">_0x15b338</span><span class="p">[</span><span class="s1">&#39;push&#39;</span><span class="p">](</span><span class="nx">_0x15b338</span><span class="p">[</span><span class="s1">&#39;shift&#39;</span><span class="p">]());}}}(</span><span class="nx">_0x17e0</span><span class="p">,</span><span class="mh">0x5e4df</span><span class="p">));</span><span class="kr">const</span> <span class="nx">_0x130d92</span><span class="o">=</span><span class="p">(</span><span class="kd">function</span><span class="p">(){</span><span class="kd">let</span> <span class="nx">_0x2e53a6</span><span class="o">=!!</span><span class="p">[];</span><span class="k">return</span> <span class="kd">function</span><span class="p">(</span><span class="nx">_0x323b74</span><span class="p">,</span><span class="nx">_0x490435</span><span class="p">){</span><span class="kr">const</span> <span class="nx">_0x1c497f</span><span class="o">=</span><span class="nx">_0x2e53a6</span><span class="o">?</span><span class="kd">function</span><span class="p">(){</span><span class="k">if</span><span class="p">(</span><span class="nx">_0x490435</span><span class="p">){</span><span class="kr">const</span> <span class="nx">_0x33bf80</span><span class="o">=</span><span class="nx">_0x490435</span><span class="p">[</span><span class="s1">&#39;apply&#39;</span><span class="p">](</span><span class="nx">_0x323b74</span><span class="p">,</span><span class="nx">arguments</span><span class="p">);</span><span class="k">return</span> <span class="nx">_0x490435</span><span class="o">=</span><span class="kc">null</span><span class="p">,</span><span class="nx">_0x33bf80</span><span class="p">;}}</span><span class="o">:</span><span class="kd">function</span><span class="p">(){};</span><span class="k">return</span> <span class="nx">_0x2e53a6</span><span class="o">=!</span><span class="p">[],</span><span class="nx">_0x1c497f</span><span class="p">;};}()),</span><span class="nx">_0x4b63bb</span><span class="o">=</span><span class="nx">_0x130d92</span><span class="p">(</span><span class="k">this</span><span class="p">,</span><span class="kd">function</span><span class="p">(){</span><span class="kr">const</span> <span class="nx">_0x982257</span><span class="o">=</span><span class="nx">_0x27a7</span><span class="p">;</span><span class="k">return</span> <span class="nx">_0x4b63bb</span><span class="p">[</span><span class="nx">_0x982257</span><span class="p">(</span><span class="mh">0x184</span><span class="p">)]()[</span><span class="nx">_0x982257</span><span class="p">(</span><span class="mh">0x192</span><span class="p">)](</span><span class="nx">_0x982257</span><span class="p">(</span><span class="mh">0x198</span><span class="p">))[</span><span class="nx">_0x982257</span><span class="p">(</span><span class="mh">0x184</span><span class="p">)]()[</span><span class="nx">_0x982257</span><span class="p">(</span><span class="mh">0x19f</span><span class="p">)](</span><span class="nx">_0x4b63bb</span><span class="p">)[</span><span class="nx">_0x982257</span><span class="p">(</span><span class="mh">0x192</span><span class="p">)](</span><span class="nx">_0x982257</span><span class="p">(</span><span class="mh">0x198</span><span class="p">));});</span><span class="nx">_0x4b63bb</span><span class="p">();</span><span class="kr">const</span> <span class="nx">_0x3f0a06</span><span class="o">=</span><span class="p">(</span><span class="kd">function</span><span class="p">(){</span><span class="kd">let</span> <span class="nx">_0x2f2ee3</span><span class="o">=!!</span><span class="p">[];</span><span class="k">return</span> <span class="kd">function</span><span class="p">(</span><span class="nx">_0xf1a2dc</span><span class="p">,</span><span class="nx">_0x12daa7</span><span class="p">){</span><span class="kr">const</span> <span class="nx">_0x2c78dc</span><span class="o">=</span><span class="nx">_0x2f2ee3</span><span class="o">?</span><span class="kd">function</span><span class="p">(){</span><span class="k">if</span><span class="p">(</span><span class="nx">_0x12daa7</span><span class="p">){</span><span class="kr">const</span> <span class="nx">_0x1e1bbf</span><span class="o">=</span><span class="nx">_0x12daa7</span><span class="p">[</span><span class="s1">&#39;apply&#39;</span><span class="p">](</span><span class="nx">_0xf1a2dc</span><span class="p">,</span><span class="nx">arguments</span><span class="p">);</span><span class="k">return</span> <span class="nx">_0x12daa7</span><span class="o">=</span><span class="kc">null</span><span class="p">,</span><span class="nx">_0x1e1bbf</span><span class="p">;}}</span><span class="o">:</span><span class="kd">function</span><span class="p">(){};</span><span class="k">return</span> <span class="nx">_0x2f2ee3</span><span class="o">=!</span><span class="p">[],</span><span class="nx">_0x2c78dc</span><span class="p">;};}()),</span><span class="nx">_0x11b84d</span><span class="o">=</span><span class="nx">_0x3f0a06</span><span class="p">(</span><span class="k">this</span><span class="p">,</span><span class="kd">function</span><span class="p">(){</span><span class="kr">const</span> <span class="nx">_0x5958bf</span><span class="o">=</span><span class="nx">_0x27a7</span><span class="p">;</span><span class="kd">let</span> <span class="nx">_0x1c1520</span><span class="p">;</span><span class="k">try</span><span class="p">{</span><span class="kr">const</span> <span class="nx">_0x48284c</span><span class="o">=</span><span class="nb">Function</span><span class="p">(</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x18d</span><span class="p">)</span><span class="o">+</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x18a</span><span class="p">)</span><span class="o">+</span><span class="s1">&#39;);&#39;</span><span class="p">);</span><span class="nx">_0x1c1520</span><span class="o">=</span><span class="nx">_0x48284c</span><span class="p">();}</span><span class="k">catch</span><span class="p">(</span><span class="nx">_0x560e71</span><span class="p">){</span><span class="nx">_0x1c1520</span><span class="o">=</span><span class="nb">window</span><span class="p">;}</span><span class="kr">const</span> <span class="nx">_0x4777cb</span><span class="o">=</span><span class="nx">_0x1c1520</span><span class="p">[</span><span class="s1">&#39;console&#39;</span><span class="p">]</span><span class="o">=</span><span class="nx">_0x1c1520</span><span class="p">[</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x1a5</span><span class="p">)]</span><span class="o">||</span><span class="p">{},</span><span class="nx">_0x10f092</span><span class="o">=</span><span class="p">[</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x1a4</span><span class="p">),</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x1a0</span><span class="p">),</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x187</span><span class="p">),</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x18b</span><span class="p">),</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x19b</span><span class="p">),</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x193</span><span class="p">),</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x185</span><span class="p">)];</span><span class="k">for</span><span class="p">(</span><span class="kd">let</span> <span class="nx">_0x41e094</span><span class="o">=</span><span class="mh">0x0</span><span class="p">;</span><span class="nx">_0x41e094</span><span class="o">&lt;</span><span class="nx">_0x10f092</span><span class="p">[</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x190</span><span class="p">)];</span><span class="nx">_0x41e094</span><span class="o">++</span><span class="p">){</span><span class="kr">const</span> <span class="nx">_0xa11f57</span><span class="o">=</span><span class="nx">_0x3f0a06</span><span class="p">[</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x19f</span><span class="p">)][</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x197</span><span class="p">)][</span><span class="s1">&#39;bind&#39;</span><span class="p">](</span><span class="nx">_0x3f0a06</span><span class="p">),</span><span class="nx">_0x5853a5</span><span class="o">=</span><span class="nx">_0x10f092</span><span class="p">[</span><span class="nx">_0x41e094</span><span class="p">],</span><span class="nx">_0x418439</span><span class="o">=</span><span class="nx">_0x4777cb</span><span class="p">[</span><span class="nx">_0x5853a5</span><span class="p">]</span><span class="o">||</span><span class="nx">_0xa11f57</span><span class="p">;</span><span class="nx">_0xa11f57</span><span class="p">[</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x1a1</span><span class="p">)]</span><span class="o">=</span><span class="nx">_0x3f0a06</span><span class="p">[</span><span class="s1">&#39;bind&#39;</span><span class="p">](</span><span class="nx">_0x3f0a06</span><span class="p">),</span><span class="nx">_0xa11f57</span><span class="p">[</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x184</span><span class="p">)]</span><span class="o">=</span><span class="nx">_0x418439</span><span class="p">[</span><span class="nx">_0x5958bf</span><span class="p">(</span><span class="mh">0x184</span><span class="p">)][</span><span class="s1">&#39;bind&#39;</span><span class="p">](</span><span class="nx">_0x418439</span><span class="p">),</span><span class="nx">_0x4777cb</span><span class="p">[</span><span class="nx">_0x5853a5</span><span class="p">]</span><span class="o">=</span><span class="nx">_0xa11f57</span><span class="p">;}});</span><span class="nx">_0x11b84d</span><span class="p">();</span><span class="kr">const</span> <span class="nx">validDomains</span><span class="o">=</span><span class="p">[</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x191</span><span class="p">),</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x195</span><span class="p">),</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x18e</span><span class="p">),</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x18f</span><span class="p">),</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x19e</span><span class="p">),</span><span class="s1">&#39;adaewfd321fg3.cachefly.net&#39;</span><span class="p">,</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x186</span><span class="p">),</span><span class="s1">&#39;localhost:1313&#39;</span><span class="p">];</span><span class="kd">function</span> <span class="nx">_0x27a7</span><span class="p">(</span><span class="nx">_0x30b2be</span><span class="p">,</span><span class="nx">_0x27f11a</span><span class="p">){</span><span class="kr">const</span> <span class="nx">_0x2f8ec1</span><span class="o">=</span><span class="nx">_0x17e0</span><span class="p">();</span><span class="k">return</span> <span class="nx">_0x27a7</span><span class="o">=</span><span class="kd">function</span><span class="p">(</span><span class="nx">_0x11b84d</span><span class="p">,</span><span class="nx">_0x3f0a06</span><span class="p">){</span><span class="nx">_0x11b84d</span><span class="o">=</span><span class="nx">_0x11b84d</span><span class="o">-</span><span class="mh">0x183</span><span class="p">;</span><span class="kd">let</span> <span class="nx">_0x2ded53</span><span class="o">=</span><span class="nx">_0x2f8ec1</span><span class="p">[</span><span class="nx">_0x11b84d</span><span class="p">];</span><span class="k">return</span> <span class="nx">_0x2ded53</span><span class="p">;},</span><span class="nx">_0x27a7</span><span class="p">(</span><span class="nx">_0x30b2be</span><span class="p">,</span><span class="nx">_0x27f11a</span><span class="p">);}</span><span class="kd">function</span> <span class="nx">_0x17e0</span><span class="p">(){</span><span class="kr">const</span> <span class="nx">_0x30092e</span><span class="o">=</span><span class="p">[</span><span class="s1">&#39;__proto__&#39;</span><span class="p">,</span><span class="s1">&#39;http://blog.xpdbk.com&#39;</span><span class="p">,</span><span class="s1">&#39;248mjjPBK&#39;</span><span class="p">,</span><span class="s1">&#39;log&#39;</span><span class="p">,</span><span class="s1">&#39;console&#39;</span><span class="p">,</span><span class="s1">&#39;2331390Rbmidg&#39;</span><span class="p">,</span><span class="s1">&#39;location&#39;</span><span class="p">,</span><span class="s1">&#39;toString&#39;</span><span class="p">,</span><span class="s1">&#39;trace&#39;</span><span class="p">,</span><span class="s1">&#39;127.0.0.1:1313&#39;</span><span class="p">,</span><span class="s1">&#39;info&#39;</span><span class="p">,</span><span class="s1">&#39;1hGmVnj&#39;</span><span class="p">,</span><span class="s1">&#39;511494uNxHBt&#39;</span><span class="p">,</span><span class="s1">&#39;{}.constructor(\x22return\x20this\x22)(\x20)&#39;</span><span class="p">,</span><span class="s1">&#39;error&#39;</span><span class="p">,</span><span class="s1">&#39;1689000vVCMXN&#39;</span><span class="p">,</span><span class="s1">&#39;return\x20(function()\x20&#39;</span><span class="p">,</span><span class="s1">&#39;lelfeng.netlify.app&#39;</span><span class="p">,</span><span class="s1">&#39;cfblog.xpdbk.com&#39;</span><span class="p">,</span><span class="s1">&#39;length&#39;</span><span class="p">,</span><span class="s1">&#39;blog.xpdbk.com&#39;</span><span class="p">,</span><span class="s1">&#39;search&#39;</span><span class="p">,</span><span class="s1">&#39;table&#39;</span><span class="p">,</span><span class="s1">&#39;2697315oyIMgb&#39;</span><span class="p">,</span><span class="s1">&#39;vlblog.xpdbk.com&#39;</span><span class="p">,</span><span class="s1">&#39;405444fEnPtY&#39;</span><span class="p">,</span><span class="s1">&#39;prototype&#39;</span><span class="p">,</span><span class="s1">&#39;(((.+)+)+)+$&#39;</span><span class="p">,</span><span class="s1">&#39;hostname&#39;</span><span class="p">,</span><span class="s1">&#39;422352iCyGvT&#39;</span><span class="p">,</span><span class="s1">&#39;exception&#39;</span><span class="p">,</span><span class="s1">&#39;119035WNGFBa&#39;</span><span class="p">,</span><span class="s1">&#39;80LiPhiY&#39;</span><span class="p">,</span><span class="s1">&#39;1x000.github.io&#39;</span><span class="p">,</span><span class="s1">&#39;constructor&#39;</span><span class="p">,</span><span class="s1">&#39;warn&#39;</span><span class="p">];</span><span class="nx">_0x17e0</span><span class="o">=</span><span class="kd">function</span><span class="p">(){</span><span class="k">return</span> <span class="nx">_0x30092e</span><span class="p">;};</span><span class="k">return</span> <span class="nx">_0x17e0</span><span class="p">();}</span><span class="k">try</span><span class="p">{</span><span class="nx">validDomains</span><span class="p">[</span><span class="s1">&#39;indexOf&#39;</span><span class="p">](</span><span class="nb">document</span><span class="p">[</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x183</span><span class="p">)][</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x199</span><span class="p">)]</span><span class="o">+</span><span class="s1">&#39;:&#39;</span><span class="o">+</span><span class="nb">document</span><span class="p">[</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x183</span><span class="p">)][</span><span class="s1">&#39;port&#39;</span><span class="p">])</span><span class="o">===-</span><span class="mh">0x1</span><span class="o">&amp;&amp;</span><span class="p">(</span><span class="nb">window</span><span class="p">[</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x183</span><span class="p">)][</span><span class="s1">&#39;href&#39;</span><span class="p">]</span><span class="o">=</span><span class="nx">_0x43eb42</span><span class="p">(</span><span class="mh">0x1a2</span><span class="p">));}</span><span class="k">catch</span><span class="p">(</span><span class="nx">_0x573349</span><span class="p">){}</span> </span></span></code></pre></td></tr></table> </div> </div><p>By taking this encrypted code and randomly inserting it into one of the scripts referenced on your site, you&rsquo;ll leave the trash running those mirror sites with no way to bypass it.</p> <p><strong>With this, the problem is basically solved. Let those jerks go cry about it.</strong></p>https://blog.xpdbk.com/en/posts/web-hax/Fri, 11 Nov 2022 00:00:00 +0700https://blog.xpdbk.com/en/posts/web-hax/<img src="https://blog.xpdbk.com/en/posts/web-hax/hax.webp" alt="Featured image of post Uninstall Apache Advanced Edition" /><blockquote> <p><strong>TL;DR / [Geek Summary]:</strong></p> <ul> <li>Clean Slate: Completely purge redundant Apache2 services to reclaim occupied port 80/443 resources.</li> <li>Deep Scrub: Use <code>apt-get --purge</code> to wipe binaries/configs and <code>find | xargs rm</code> to hunt down and eliminate lingering fragments.</li> <li>Geek Goal: Clear the deck for Nginx or custom web stacks, keeping your server environment lightweight and manageable.</li> </ul> </blockquote> <h2 id="delete-apache"> <a href="#delete-apache" class="heading-anchor" aria-label="Anchor for Delete apache">#</a> Delete apache </h2> <p>Apache2 is installed by default. Now uninstall this service.</p> <h2 id="1-find-web-services"> <a href="#1-find-web-services" class="heading-anchor" aria-label="Anchor for 1. Find web services">#</a> 1. Find web services </h2> <p>Use the following command:</p> <blockquote> <p><code>dpkg -l | grep apache2</code></p> </blockquote> <h2 id="2-delete-apache2"> <a href="#2-delete-apache2" class="heading-anchor" aria-label="Anchor for 2. Delete apache2">#</a> 2. Delete apache2 </h2> <p>The deletion command is as follows:</p> <p><code>apt-get --purge remove apache2</code></p> <p><code>apt-get --purge remove apache2-doc</code></p> <p><code>apt-get --purge remove apache2-utils</code></p> <p><code>apt-get --purge remove apache2-bin</code></p> <p><code>apt-get --purge remove apache2-data</code></p> <h2 id="3-delete-redundant-files"> <a href="#3-delete-redundant-files" class="heading-anchor" aria-label="Anchor for 3. Delete redundant files">#</a> 3. <strong>Delete redundant files</strong> </h2> <p>After the above execution, execute the following command:</p> <p><code>find /etc -name &quot;apache&quot; |xargs rm -rf</code></p> <p><code>rm -rf /var/www</code></p> <p><code>rm -rf /etc/libapache2-mod-jk</code></p> <h2 id="4-finally"> <a href="#4-finally" class="heading-anchor" aria-label="Anchor for 4. Finally">#</a> 4. Finally </h2> <p>Port 80 is released, no problem.</p>