刚上了金山出的网络游戏，剑侠世界，发现被挂马~~~

mangzier

剑侠世界的官方网站。。。。大家小心点，不相信自己杀毒软件别点。。。应该是木马。。。。
微点和瑞星都报了。。。。
http://jxsj.xoyo.com/

mangzier

发上来大家看看哦，如果有违规请斑竹删帖哦


唉，好不容易有个喜欢玩的游戏了。。。可

挪威的冬天

肉眼过滤 source 没看出什么问题

XD 上传份你那边打开的源文件

mangzier

这个是红伞弹出来的4个警告中的一个。。。还有另外三个我没有截屏，如有高手需要，我现在就可以截屏给大家看看哦。。。。

再，并不是红伞一款杀软报了
甚至瑞星报出的命名Trojan.PSW.Win32.LiuMaZi.gz 应该就是木马的命名规则。。。

tanlimo

Log is generated by FreShow.
[wide]http://jxsj.xoyo.com/
    [frame]http://www.xoyo.com/top/top.shtml
        [script]http://s22.cnzz.com/stat.php?id=826430&web_id=826430&show=pic1
    [frame]http://goto.www.xoyo.com/212/2067/scode_index.htm?sid=212&pid=2067
    [script]http://s131.cnzz.com/stat.php?id=827163&web_id=827163
    [script]http://s35.cnzz.com/stat.php?id=875749&web_id=875749
    [script]http://counter.kds.xoyo.com/kds2_record.js


没发现什么？估计修复了，要不就是楼主那里有arp?

http://counter.kds.xoyo.com/kds2_record.js这个有加密

1. 
   
2. eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('3 1r=d C();3 y=d C;3 o=\'\';a Q(X){m 15.1s(15.1q()*X)+1}a 1i(){3 f="-1",n=l;6(n.A&&n.A.8){G(3 7=0;7<n.A.8;7++){6(n.A[7].1p.19(\'1e 1d\')!=-1){f=n.A[7].1m.B(\'1e 1d \')[1];1c}}}D 6(S.17){G(3 7=10;7>=2;7--){1n{3 1g=1o("d 17(\'1b.1b."+7+"\');");6(1g){f=7+\'.0\';1c}}1t(e){}}}6(f=="-1")m f;D m f.w(0,f.19(".")+2)}a 16(){3 F="";3 E=l.M.B(";");6(E.8<4)m"";G(3 i=4;i<E.8;i++){F+=E+","}m F.w(0,F.8-2)}3 j=l.1u()?1:-1;3 5=d 1z();5[0]=l.1l;6(5[0]=="1A"){3 9=l.M;5[1]=9.w(9.P(" ")+1,9.8);5[0]=5[1].w(0,5[1].P("/"));5[1]=9.w(9.P("/")+1,9.8)}D 6(5[0]=="1y 1x 1v"){5[1]=l.M.B(";")[1]}6(!J(\'I\')){o=y.1w()+\'\'+Q(Z);H=1;z(\'I\',o);z(\'O\',H)}D{o=J(\'I\');H=1B(J(\'O\'))+1;z(\'I\',o);z(\'O\',H)}a z(q,L){3 1h=d C();1h=d C(y.1k(),y.1j(),y.1E()+1);3 18=d C(1X,12,14);k.U=q+"="+11(L)+"; Y="+18.20()+";"}a J(q){3 R=k.U.B("; ");G(3 i=0;i<R.8;i++){3 T=R.B("=");6(q==T[0])m 1C(T[1])}}a 1T(q){k.U=q+"="+11(L)+"; Y=1S, 14 1W 21 23:W:W 1Z;"}a 13(1f){3 N="1Y://N.22.1U.1Q/1H.1I";k.1G("<1F 1D=\""+N+"?h="+g(1R.1J.1K)+"&r="+g(S.k.1P)+"&t="+g(S.k.1O)+"&s="+K.1a+"x"+K.V+"&c="+K.1N+"&j="+j+"&f="+1i()+"&1L="+g(16())+"&p="+1f+"&b="+g(5[0])+"&v="+g(5[1])+"&1M"+Q(Z)+"&u="+o+"\" 1a=\"0\" V=\"0\">")}13(1V)',62,128,'|||var||brower|if|ii|length|browerInfo|function|||new|||encodeURIComponent||||document|navigator|return||_kds2_u||sName||||||substring||_kds2_nt|SetCookie|plugins|split|Date|else|ua|plugin|for|_kds2_v|_kds2_uName|GetCookie|screen|sValue|userAgent|counter|_kds2_times|lastIndexOf|rand|aCookie|window|aCrumb|cookie|height|59|num|expires|999999999||escape||sendColection|31|Math|getPlugin|ActiveXObject|expiration|indexOf|width|ShockwaveFlash|break|Flash|Shockwave|pid|fl|_kds2_tt|getFlash|getMonth|getFullYear|appName|description|try|eval|name|random|pageOpen|floor|catch|javaEnabled|Explorer|getTime|Internet|Microsoft|Array|Netscape|parseInt|unescape|src|getDate|img|write|ds2rd|php|location|href|pl|rd|colorDepth|title|referrer|com|top|Fri|DelCookie|xoyo|_kds2_p|Dec|9999|http|GMT|toGMTString|1999|kds|'.split('|'),0,{}))
   
3. 
   

复制代码

[ 本帖最后由 tanlimo 于 2008-8-26 23:58 编辑 ]

angela

var pageOpen=new Date();var _kds2_nt=new Date;var _kds2_u='';function rand(num){return Math.floor(Math.random()*num)+1}function getFlash(){var f="-1",n=navigator;if(n.plugins&&n.plugins.length){for(var ii=0;ii<n.plugins.length;ii++){if(n.plugins[ii].name.indexOf('Shockwave Flash')!=-1){f=n.plugins[ii].description.split('Shockwave Flash ')[1];break}}}else if(window.ActiveXObject){for(var ii=10;ii>=2;ii--){try{var fl=eval("new ActiveXObject('ShockwaveFlash.ShockwaveFlash."+ii+"');");if(fl){f=ii+'.0';break}}catch(e){}}}if(f=="-1")return f;else return f.substring(0,f.indexOf(".")+2)}function getPlugin(){var plugin="";var ua=navigator.userAgent.split(";");if(ua.length<4)return"";for(var i=4;i<ua.length;i++){plugin+=ua+","}return plugin.substring(0,plugin.length-2)}var j=navigator.javaEnabled()?1:-1;var brower=new Array();brower[0]=navigator.appName;if(brower[0]=="Netscape"){var browerInfo=navigator.userAgent;brower[1]=browerInfo.substring(browerInfo.lastIndexOf(" ")+1,browerInfo.length);brower[0]=brower[1].substring(0,brower[1].lastIndexOf("/"));brower[1]=browerInfo.substring(browerInfo.lastIndexOf("/")+1,browerInfo.length)}else if(brower[0]=="Microsoft Internet Explorer"){brower[1]=navigator.userAgent.split(";")[1]}if(!GetCookie('_kds2_uName')){_kds2_u=_kds2_nt.getTime()+''+rand(999999999);_kds2_v=1;SetCookie('_kds2_uName',_kds2_u);SetCookie('_kds2_times',_kds2_v)}else{_kds2_u=GetCookie('_kds2_uName');_kds2_v=parseInt(GetCookie('_kds2_times'))+1;SetCookie('_kds2_uName',_kds2_u);SetCookie('_kds2_times',_kds2_v)}function SetCookie(sName,sValue){var _kds2_tt=new Date();_kds2_tt=new Date(_kds2_nt.getFullYear(),_kds2_nt.getMonth(),_kds2_nt.getDate()+1);var expiration=new Date(9999,12,31);document.cookie=sName+"="+escape(sValue)+"; expires="+expiration.toGMTString()+";"}function GetCookie(sName){var aCookie=document.cookie.split("; ");for(var i=0;i<aCookie.length;i++){var aCrumb=aCookie.split("=");if(sName==aCrumb[0])return unescape(aCrumb[1])}}function DelCookie(sName){document.cookie=sName+"="+escape(sValue)+"; expires=Fri, 31 Dec 1999 23:59:59 GMT;"}function sendColection(pid){var counter="http://counter.kds.xoyo.com/ds2rd.php";document.write("<img src=\""+counter+"?h="+encodeURIComponent(top.location.href)+"&r="+encodeURIComponent(window.document.referrer)+"&t="+encodeURIComponent(window.document.title)+"&s="+screen.width+"x"+screen.height+"&c="+screen.colorDepth+"&j="+j+"&f="+getFlash()+"&pl="+encodeURIComponent(getPlugin())+"&p="+pid+"&b="+encodeURIComponent(brower[0])+"&v="+encodeURIComponent(brower[1])+"&rd"+rand(999999999)+"&u="+_kds2_u+"\" width=\"0\" height=\"0\">")}sendColection(_kds2_p)










加密的东西不是毒

spaceplane

以后遇上这样的事，先move to quarantine，打包传上来

玄蜗

我的小红伞没报

电影结束了

没毒。。。~

mangzier

好的，第一次知道move to quarantine 的功能~~~