Method of Trojan mounting

Source: Internet
Author: User

Webpage Trojans are a common intrusion method, and their impact is severe. They not only embarrass site managers but also affect site visitors. Whether you are a website maintainer or an individual user, it is necessary to understand webpage Trojans and the techniques for defending against them.

1. Webpage Trojans

When a webpage is infected with a Trojan, an attacker has inserted a segment of code into a normal page (usually the homepage of a website). When a browser opens the page, the code is executed; it then downloads and runs the server program of a Trojan in order to control the host running the browser.

2. Obtain webshell

To mount a webpage Trojan, attackers must obtain permission to modify the website's files; obtaining a webshell is the most common practice.

In fact, there are many attack methods available to attackers, such as injection vulnerabilities, cross-site vulnerabilities, bypass vulnerabilities, upload vulnerabilities, brute-force database vulnerabilities, and program vulnerabilities. The following is a demonstration and analysis of an upload vulnerability in ewebeditor, a popular online HTML editor.

1). Website Intrusion Analysis

Ewebeditor is an online HTML editor. Many websites integrate this editor to make publishing information easier. An upload vulnerability exists in earlier versions of ewebeditor. After hackers use this vulnerability to obtain a webshell (webpage management permission), they modify the website's pages and mount Trojans on them.

The principle is: the default administrator page of ewebeditor has not been changed, and the default user name and password have not been changed. After logging on to ewebeditor, an attacker adds a new style, sets its allowed file upload types, and adds the ASP file type so that a webpage Trojan can be uploaded.

2) Determine and analyze web vulnerabilities

(1). Attackers can determine whether the website uses ewebeditor. Generally, they browse the website to view related pages, or search for the "ewebeditor.asp?id=" statement through a search engine. If a similar statement exists, they can conclude that the website does use the web editor.

(2). Security vulnerabilities in ewebeditor that may be exploited by hackers:

A. The administrator has not modified the path and name of the database. As a result, hackers can directly download the website database using the default path of the editor.

B. The administrator has not modified the background management path of the editor. As a result, hackers can log on to the editor background directly, using either the user name and password obtained from the database or the default password.

C. The web editor upload program has a security vulnerability.

The analysis report shows that a cer.asp webpage Trojan was found in the admin path of the website, which analysis identified as a webpage Trojan of veterans. (Even when encrypted, it can still be identified by its signature. We recommend that the website administrator use the Security Assistant of leike ASP webmaster to check whether the website has been illegally modified.)

3. Uncover several major Trojan-related technologies

(1). IFRAME Trojan

Attackers can use IFRAME statements to attach Trojans to any webpage. This is the earliest and most effective network Trojan technology. The common Trojan code is as follows:


Explanation: when a webpage containing the inserted code is opened, the page referenced by the code is opened as well. The following example shows how to insert the following code into a webpage:

This embeds the "IT expert network security section" page in "Baidu".

(2). JS script Trojan

The JS Trojan is a technique for hiding a webpage Trojan that relies on the way JS script files are called. For example, a hacker first creates a .js file and then uses JS code to call the webpage of the Trojan. The code is as follows:
http://www.xxx.com/gm.js is a JS script file through which the Trojan file is called and executed. These JS files can generally be generated using tools; attackers only need to enter the relevant options. 3 is the code of a JS Trojan.
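A defender-side check for the IFRAME and JS script mounting described above, as an added example that is not part of the original article: it parses a page and reports hidden iframes and iframe/script sources on hosts outside an allow-list. The zero-size and `display:none` heuristics, the `scan_page` function and the host `www.example.org` are assumptions of this example; the www.xxx.com URLs are the article's own placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics assumed for this example: hiding styles and zero dimensions.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ZERO_SIZE = re.compile(r"\s*0+\s*(px|%)?\s*", re.I)

class InjectionScanner(HTMLParser):
    """Collects hidden iframes and off-site iframe/script sources in a page."""
    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []  # (line, kind, src)

    def _external(self, src):
        host = urlparse(src).hostname  # None for relative URLs
        return host is not None and host.lower() not in self.trusted

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src, line = a.get("src", ""), self.getpos()[0]
        if tag == "iframe" and (
            any(ZERO_SIZE.fullmatch(a.get(d, "x")) for d in ("width", "height"))
            or HIDDEN_STYLE.search(a.get("style", ""))
        ):
            self.findings.append((line, "hidden-iframe", src))
        if src and self._external(src):
            self.findings.append((line, "external-" + tag, src))

def scan_page(html, site_host, allowed_hosts=()):
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; www.example.org is a placeholder for the audited site.
SAMPLE = """<html><body>
<script src="/js/menu.js"></script>
<iframe src="http://www.xxx.com/test.htm" width="0" height="0"></iframe>
<script src="http://www.xxx.com/gm.js"></script>
<iframe src="/ads/banner.html" width="468" height="60"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE, "www.example.org"):
        print(finding)
```

Run over every page of a site against a baseline of known-good findings, a new `hidden-iframe` or `external-script` entry is a strong signal that a page was modified.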

(3). Image camouflage Trojan

With the development of anti-virus technology, attack techniques are constantly updated. The image Trojan technique evades anti-virus monitoring: attackers embed code in image files such as /article/uploadfiles/201008/20100803084025824.gif. All such images with embedded code can be generated using tools; attackers only need to enter the relevant options. After the image Trojan is generated, the code can be called for execution, which is a novel method for hiding Trojans. The instance code is as follows:

Note: when the user opens /article/uploadfiles/201008/20100803084025188.jpg, the code of the http://www.xxx.com/test.htm page also runs.
